python-bottle: JSON content-type not restrictive enough (CVE-2014-3137)

Related Vulnerabilities: CVE-2014-3137  

Debian Bug report logs - #746322
python-bottle: JSON content-type not restrictive enough (CVE-2014-3137)


Reported by: Federico Ceratto <federico.ceratto@gmail.com>

Date: Mon, 28 Apr 2014 23:54:01 UTC

Severity: normal

Tags: security, upstream

Found in versions python-bottle/0.12.5-1, python-bottle/0.10.11-1

Fixed in versions python-bottle/0.12.6-1, python-bottle/0.10.11-1+deb7u1

Done: Federico Ceratto <federico.ceratto@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, federico.ceratto@gmail.com, marc@gsites.de, kartik@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>:
Bug#746322; Package python-bottle. (Mon, 28 Apr 2014 23:54:05 GMT).


Acknowledgement sent to Federico Ceratto <federico.ceratto@gmail.com>:
New Bug report received and forwarded. Copy sent to federico.ceratto@gmail.com, marc@gsites.de, kartik@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>. (Mon, 28 Apr 2014 23:54:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Federico Ceratto <federico.ceratto@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-bottle: JSON content-type not restrictive enough
Date: Tue, 29 Apr 2014 00:51:16 +0100
Package: python-bottle
Version: 0.12.5-1
Severity: normal
Tags: security upstream

Bottle parses a content-type like "text/plain;application/json" as JSON. This can be used to bypass security mechanisms.

The bug is tracked in https://github.com/defnull/bottle/issues/616

The bug affects versions 0.10.11-1 and 0.12.5-1 and is already fixed in 0.12.6-1


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-bottle depends on:
pn  python:any  <none>

python-bottle recommends no packages.

python-bottle suggests no packages.

-- no debconf information



Marked as found in versions python-bottle/0.10.11-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Tue, 29 Apr 2014 00:00:08 GMT).


Marked as fixed in versions python-bottle/0.12.6-1. Request was from Federico Ceratto <federico.ceratto@gmail.com> to control@bugs.debian.org. (Tue, 29 Apr 2014 00:00:12 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#746322; Package python-bottle. (Thu, 01 May 2014 04:36:04 GMT).


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>. (Thu, 01 May 2014 04:36:04 GMT).


Message #14 received at 746322@bugs.debian.org:

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 746322@bugs.debian.org
Subject: CVE request: Python Bottle JSON content-type not restrictive enough
Date: Thu, 01 May 2014 14:33:02 +1000
Hi,

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322 and 
https://github.com/defnull/bottle/issues/616 report an issue where 
Bottle treated "text/plain;application/json" as JSON, allowing security 
mechanisms to be bypassed.

From the upstream report, "For example Chrome will not allow 
cross-origin xmlhttprequests with the content type set to 
"application/json" but you can set it to "text/plain;application/json" 
instead and bottle will accept it."

Can a CVE please be assigned if one has not been already?

Thanks,

--
Murray McAllister / Red Hat Security Response Team

https://bugzilla.redhat.com/show_bug.cgi?id=1093255
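The root cause discussed in this thread is a Content-Type check that looks for the string "application/json" anywhere in the header instead of comparing the parsed media type. The following is an added illustration, not Bottle's or Debian's code: the lax check stands in for the behaviour the report describes, the header samples are constructed, and the strict check also covers media types that merely contain the string (such as `application/json-patch+json`).

```python
"""Content-Type matching: substring check vs. media-type comparison.

Illustrative example for CVE-2014-3137; not Bottle's own implementation.
"""
from typing import Dict, List, Tuple

JSON_TYPE = "application/json"


def parse_content_type(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type header into (media_type, parameters).

    The media type is the token before the first ';'. Everything after it
    is a 'name=value' parameter; a bare token without '=' becomes a
    parameter with an empty value, so it can never be mistaken for the
    media type itself.
    """
    media, _, rest = header.partition(";")
    params: Dict[str, str] = {}
    for part in rest.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            params[name.lower()] = value.strip().strip('"')
    return media.strip().lower(), params


def is_json_lax(header: str) -> bool:
    """Substring match: the kind of check the bug report describes."""
    return JSON_TYPE in header.lower()


def is_json_strict(header: str) -> bool:
    """Compare only the parsed media type; parameters are ignored."""
    media, _params = parse_content_type(header)
    return media == JSON_TYPE


# Constructed samples: (label, header value, whether the body really is JSON)
SAMPLES = [
    ("plain json", "application/json", True),
    ("json with charset", "application/json; charset=utf-8", True),
    ("odd casing", "Application/JSON", True),
    ("spoofed parameter", "text/plain;application/json", False),
    ("embedded in type", "application/json-patch+json", False),
    ("form post", "application/x-www-form-urlencoded", False),
]


def audit(samples=SAMPLES) -> List[str]:
    """Labels of samples where the lax check disagrees with the truth."""
    return [label for label, hdr, is_json in samples if is_json_lax(hdr) != is_json]
```

Running `audit()` over the constructed samples reports the two headers the substring check misclassifies, while `is_json_strict` agrees with the expected column for every sample.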



Information forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#746322; Package python-bottle. (Thu, 01 May 2014 19:03:13 GMT).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to David Paleino <dapal@debian.org>. (Thu, 01 May 2014 19:03:13 GMT).


Message #19 received at 746322@bugs.debian.org:

From: cve-assign@mitre.org
To: mmcallis@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 746322@bugs.debian.org
Subject: Re: CVE request: Python Bottle JSON content-type not restrictive enough
Date: Thu, 1 May 2014 15:00:25 -0400 (EDT)

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322 and
> https://github.com/defnull/bottle/issues/616 report an issue where
> Bottle treated "text/plain;application/json" as JSON, allowing security
> mechanisms to be bypassed.

Use CVE-2014-3137.

The scope of this CVE does not include any behavior of Chrome that
could be interpreted as a Chrome vulnerability, e.g., "can make a
request with the content-type of text/plain;application/json (IMO this
is a bug in Chrome)" in 616. A later comment in 616 says "The original
reporter mentioned filing Chrome bugs." As suggested by the
http://www.google.com/about/appsecurity/ page, Chrome bugs are the
mechanism for getting CVE assignments from the Google CNA.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Changed Bug title to 'python-bottle: JSON content-type not restrictive enough (CVE-2014-3137)' from 'python-bottle: JSON content-type not restrictive enough'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 May 2014 20:12:26 GMT).


Reply sent to Federico Ceratto <federico.ceratto@gmail.com>:
You have taken responsibility. (Sun, 15 Jun 2014 19:51:08 GMT).


Notification sent to Federico Ceratto <federico.ceratto@gmail.com>:
Bug acknowledged by developer. (Sun, 15 Jun 2014 19:51:08 GMT).


Message #26 received at 746322-close@bugs.debian.org:

From: Federico Ceratto <federico.ceratto@gmail.com>
To: 746322-close@bugs.debian.org
Subject: Bug#746322: fixed in python-bottle 0.10.11-1+deb7u1
Date: Sun, 15 Jun 2014 19:47:07 +0000
Source: python-bottle
Source-Version: 0.10.11-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
python-bottle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 746322@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <federico.ceratto@gmail.com> (supplier of updated python-bottle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 01 May 2014 21:19:50 +0100
Source: python-bottle
Binary: python-bottle python-bottle-doc
Architecture: source all
Version: 0.10.11-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: David Paleino <dapal@debian.org>
Changed-By: Federico Ceratto <federico.ceratto@gmail.com>
Description: 
 python-bottle - fast and simple WSGI-framework for Python
 python-bottle-doc - fast and simple WSGI-framework for Python - documentation
Closes: 746322
Changes: 
 python-bottle (0.10.11-1+deb7u1) wheezy-security; urgency=high
 .
   * Fix JSON content-type check vulnerability (Closes: #746322)
     - CVE-2014-3137
     - Upstream bug: https://github.com/defnull/bottle/issues/616




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Jul 2014 07:26:54 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:01:45 2019; Machine Name: buxtehude
