Debian Bug report logs - #550457
Remote denial of service via pathological performance of regular expressions


Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django.

Reported by: Chris Lamb <lamby@debian.org>

Date: Sat, 10 Oct 2009 09:51:01 UTC

Severity: serious

Tags: security

Found in versions python-django/1.0.2-1+lenny1, python-django/1.1-4

Fixed in versions python-django/1.1.1-1, python-django/1.0.2-1+lenny2

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#550457; Package python-django. (Sat, 10 Oct 2009 09:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Sat, 10 Oct 2009 09:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: Remote denial of service via pathological performance of regular expressions
Date: Sat, 10 Oct 2009 10:39:20 +0100
[Message part 1 (text/plain, inline)]
Package: python-django
Version: 1.0.2-1+lenny1
Severity: serious
Tags: security

> Django's forms library included field types which perform
> regular-expression based validation of email addresses and URLs. Certain
> addresses/URLs could trigger a pathological performance case in this
> regular expression, resulting in the server process/thread becoming
> unresponsive, and consuming excessive CPU over an extended period of time.
> If deliberately triggered, this could result in an effective
> denial-of-service attack.
[..]
> This issue was disclosed publicly by a third party on a high-traffic
> mailing list, and attempts have been made to exploit it against live Django
> installations.

   <http://www.djangoproject.com/weblog/2009/oct/09/security/>


Does not affect unstable (once 1.1.1-1 lands).


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Brett Parker <iDunno@sommitrealweird.co.uk>:
Bug#550457; Package python-django. (Sat, 10 Oct 2009 10:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Brett Parker <iDunno@sommitrealweird.co.uk>. (Sat, 10 Oct 2009 10:24:02 GMT) Full text and rfc822 format available.

Message #10 received at 550457@bugs.debian.org (full text, mbox):

From: Chris Lamb <lamby@debian.org>
To: 550457@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#550457: Remote denial of service via pathological performance of regular expressions
Date: Sat, 10 Oct 2009 11:21:50 +0100
[Message part 1 (text/plain, inline)]
Chris Lamb wrote:

> > This issue was disclosed publicly by a third party on a high-traffic
> > mailing list, and attempts have been made to exploit it against live
> > Django installations.

Packages for stable-security are available at:

  http://people.debian.org/~lamby/550457/

I can't find any CVE numbers, but am not used to looking.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-
[signature.asc (application/pgp-signature, attachment)]

Bug Marked as found in versions python-django/1.1-4. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2009 18:15:03 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions python-django/1.1.1-1. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2009 18:15:04 GMT) Full text and rfc822 format available.

Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sun, 11 Oct 2009 20:30:12 GMT) Full text and rfc822 format available.

Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Sun, 11 Oct 2009 20:30:13 GMT) Full text and rfc822 format available.

Message #19 received at 550457-close@bugs.debian.org (full text, mbox):

From: Chris Lamb <lamby@debian.org>
To: 550457-close@bugs.debian.org
Subject: Bug#550457: fixed in python-django 1.0.2-1+lenny2
Date: Sun, 11 Oct 2009 19:57:55 +0000
Source: python-django
Source-Version: 1.0.2-1+lenny2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive:

python-django_1.0.2-1+lenny2.diff.gz
  to pool/main/p/python-django/python-django_1.0.2-1+lenny2.diff.gz
python-django_1.0.2-1+lenny2.dsc
  to pool/main/p/python-django/python-django_1.0.2-1+lenny2.dsc
python-django_1.0.2-1+lenny2_all.deb
  to pool/main/p/python-django/python-django_1.0.2-1+lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550457@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Oct 2009 10:33:24 +0100
Source: python-django
Binary: python-django
Architecture: source all
Version: 1.0.2-1+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Brett Parker <iDunno@sommitrealweird.co.uk>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 python-django - A high-level Python Web framework
Closes: 550457
Changes: 
 python-django (1.0.2-1+lenny2) stable-security; urgency=high
 .
   * Add patch to fix remote denial of service by exploiting pathological
     performance of regular expressions (Closes: #550457)
 .
     Upstream writes:
 .
       SECURITY ALERT: Corrected regular expressions for URL and email fields.
 .
       Certain email addresses/URLs could trigger a catastrophic backtracking
       situation, causing 100% CPU and server overload. If deliberately triggered, this
       could be the basis of a denial-of-service attack.
 .
            <http://www.djangoproject.com/weblog/2009/oct/09/security/>
Checksums-Sha1: 
 466095f33104f5379f4a00619c37404cc48a9875 1606 python-django_1.0.2-1+lenny2.dsc
 f2d9088f17aff47ea17e5767740cab67b2a73b6b 4649433 python-django_1.0.2.orig.tar.gz
 f9e69917b7555014724957707f1fe775fd11e5aa 15789 python-django_1.0.2-1+lenny2.diff.gz
 648979e26b4d850626538d27f6365942acd26048 4706950 python-django_1.0.2-1+lenny2_all.deb
Checksums-Sha256: 
 4848234afbdb076d8dc4156b1424df1d12f30a218038030cefc214cb19a7bbd0 1606 python-django_1.0.2-1+lenny2.dsc
 50a5d228743a69a682899b20141194bf8fd3fd75eaf33ba5f2932f43ea93ea0d 4649433 python-django_1.0.2.orig.tar.gz
 27239a86821dde3e9e843ebc744040a0515c81b362273d9d8cc962c8e83b3076 15789 python-django_1.0.2-1+lenny2.diff.gz
 e1e5258f4ac75e42c9ade6eb68fe537ac52fe5500c6a6bc605253e5476cb67a6 4706950 python-django_1.0.2-1+lenny2_all.deb
Files: 
 7d335038ed1c10264a8ae9089574397c 1606 python optional python-django_1.0.2-1+lenny2.dsc
 89353e3749668778f1370d2e444f3adc 4649433 python optional python-django_1.0.2.orig.tar.gz
 586cdeaa9d99dc74240a16d1c40803fb 15789 python optional python-django_1.0.2-1+lenny2.diff.gz
 f01133963dbac73a87e9a209f85cb38d 4706950 python optional python-django_1.0.2-1+lenny2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrQXksACgkQ5/8uW2NPmiDlWQCeOn6qOAvqreyQ9eO+xGpvHUpO
QvgAoJaqaz1XTSydUpu8ce9YrwS3yK9L
=kWDt
-----END PGP SIGNATURE-----
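The advisory quoted in the original report and the changelog entry above both describe the same failure mode: a validation regex that can match the same run of characters in exponentially many ways, so a near-miss input keeps the server thread at 100% CPU. The following is an added demonstration written for this log, not Django's validators and not the Debian patch. The patterns (a textbook nested quantifier beside an unambiguous rewrite), the `@example.com` domain, the helper names (`near_miss`, `timed_match`, `validate_address`, `growth_ratio`) and the 254-character cap (the usual figure derived from RFC 5321) are all assumptions chosen for the illustration.

```python
"""Catastrophic backtracking in a validation regex: constructed demonstration.

Not Django's code. Shows why the advisory's regexes had to change and the two
defensive measures a maintainer would apply: an unambiguous pattern and a
length cap applied before the regex runs.
"""
import re
import time

# Constructed pattern with a nested quantifier (assumption, not Django's).
# The inner "+" and the outer "+" can split one run of letters in 2**(n-1)
# ways, so an input that fails only at the end forces every split to be tried.
VULNERABLE_RE = re.compile(r"^([a-z]+)+@example\.com$")

# Same acceptance for the inputs of interest, but with a single character
# class under one quantifier there is exactly one way to match any prefix,
# and failure is detected after a linear scan.
SAFE_RE = re.compile(r"^[a-z]+@example\.com$")

# Bound applied before any regex sees the value (assumption: 254 characters,
# the commonly cited maximum for an address derived from RFC 5321).
MAX_LEN = 254


def near_miss(n):
    """Constructed test input: n letters then a character no branch can match."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    t0 = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - t0


def validate_address(value, pattern=SAFE_RE, max_len=MAX_LEN):
    """Defensive validator: type check, length cap, then the unambiguous regex.

    Returns (ok, reason) so callers can log why a value was rejected.
    """
    if not isinstance(value, str):
        return False, "not a string"
    if len(value) > max_len:
        return False, "too long"
    if pattern.match(value) is None:
        return False, "no match"
    return True, "ok"


def growth_ratio(pattern, n_small, n_large):
    """Match-time ratio between two near-miss lengths.

    An exponential pattern grows by roughly 2**(n_large - n_small); a linear
    one stays close to 1. Useful as a regression check in a validator's tests.
    """
    _, t_small = timed_match(pattern, near_miss(n_small))
    _, t_large = timed_match(pattern, near_miss(n_large))
    return t_large / max(t_small, 1e-9)


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE_RE), ("safe", SAFE_RE)):
        for n in (12, 16, 20):
            matched, secs = timed_match(pat, near_miss(n))
            print(f"{name:10s} n={n:2d} matched={matched} {secs * 1000:8.2f} ms")
    print(validate_address("alice@example.com"))
    print(validate_address("a" * 300 + "@example.com"))
```

Running the script prints the vulnerable pattern's time roughly multiplying by sixteen for every four extra letters while the safe pattern stays flat; `growth_ratio` packages that observation so a test suite can flag a regex whose cost explodes before it reaches production. The length cap is the second, independent layer: even a linear pattern should not be handed arbitrarily long attacker-controlled input.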





Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#550457; Package python-django. (Wed, 21 Oct 2009 09:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Scheurich aka MUFTI <rusmufti@helpdesk.bera.rus.uni-stuttgart.de>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Wed, 21 Oct 2009 09:03:07 GMT) Full text and rfc822 format available.

Message #24 received at 550457@bugs.debian.org (full text, mbox):

From: Joerg Scheurich aka MUFTI <rusmufti@helpdesk.bera.rus.uni-stuttgart.de>
To: Philippe Coval <rzr@users.sf.net>, 550457@bugs.debian.org
Subject: Re: Bug#550459: [whitedune] Segmentation fault at start up
Date: Wed, 21 Oct 2009 10:51:21 +0200
Hi,

Manolo Díaz found out that the 0.28.14-1 version of whitedune needs the 
helvetica font (font size 12) to start (current versions of whitedune 
can fall back to the "fixed" font and support an X11-style "-fn" command-line 
option).

It looks like the package "xfonts-100dpi" would install a helvetica font 
with font size 12, so it should be added to the "Depends".

so long
MUFTI
-- 
Applications that have earned the "Works with Windows Vista" logo
Company                                 Product name  Version
Law enforcement software solutions      FIRMA         1.0.0
            Micro$oft Knowledge Base    Article ID: 933305 Version: 4.1




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:37:26 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 05:21:21 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.