From bab57e38724756976f372324297b4fa002132e9c Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 6 Nov 2023 11:36:11 +0800
Subject: [PATCH] Fix CVE-2023-46695

(cherry picked from commit ccee4996a1b6ce668da45275749e310a24023533)
---
 CVE-2023-46695.patch | 62 ++++++++++++++++++++++++++++++++++++++++++++
 python-django.spec | 7 ++++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-46695.patch

diff --git a/CVE-2023-46695.patch b/CVE-2023-46695.patch
new file mode 100644
index 0000000..30f6c6f
--- /dev/null
+++ b/CVE-2023-46695.patch
@@ -0,0 +1,62 @@
+From f9a7fb8466a7ba4857eaf930099b5258f3eafb2b Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak
+Date: Tue, 17 Oct 2023 11:48:32 +0200
+Subject: [PATCH] [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+---
+ django/contrib/auth/forms.py | 10 +++++++++-
+ tests/auth_tests/test_forms.py | 8 +++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index 20d8922..fb7cfda 100644
+--- a/django/contrib/auth/forms.py
++++ b/django/contrib/auth/forms.py
+@@ -62,7 +62,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+ 
+ class UsernameField(forms.CharField):
+ def to_python(self, value):
+- return unicodedata.normalize('NFKC', super().to_python(value))
++ value = super().to_python(value)
++ if self.max_length is not None and len(value) > self.max_length:
++ # Normalization can increase the string length (e.g.
++ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
++ # point in normalizing invalid data. Moreover, Unicode
++ # normalization is very slow on Windows and can be a DoS attack
++ # vector.
++ return value
++ return unicodedata.normalize("NFKC", value)
+ 
+ def widget_attrs(self, widget):
+ return {
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index 7a731be..c0e1975 100644
+--- a/tests/auth_tests/test_forms.py
++++ b/tests/auth_tests/test_forms.py
+@@ -5,7 +5,7 @@ from unittest import mock
+ from django.contrib.auth.forms import (
+ AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
+ PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+- SetPasswordForm, UserChangeForm, UserCreationForm,
++ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
+ self.assertNotEqual(user.username, ohm_username)
+ self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA
+ 
++ def test_invalid_username_no_normalize(self):
++ field = UsernameField(max_length=254)
++ # Usernames are not normalized if they are too long.
++ self.assertEqual(field.to_python("½" * 255), "½" * 255)
++ self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
++
+ def test_duplicate_normalized_unicode(self):
+ """
+ To prevent almost identical usernames, visually identical but differing
+--
+2.30.0
+
diff --git a/python-django.spec b/python-django.spec
index 02fbbd4..e562ce0 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
 Version: 3.2.12
-Release: 7
+Release: 8
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL: https://www.djangoproject.com/
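Review bot: The length guard added to `UsernameField.to_python` only fires when `self.max_length` is set, so a `UsernameField()` built without `max_length` (the `CharField` default is None) still runs NFKC normalization on input of any length and keeps the Windows slowdown this backport is meant to close. Django's own auth forms take `max_length` from the model field, so the fix is sound for them, but custom forms that instantiate the field directly should pass it explicitly; a short comment above the `if`, `# Only effective when max_length is set (CharField default is None); callers must pass it.`, would make that dependency visible. The comment example `"ff" -> "ff"` and the test's `"ff" * 254` presumably started as the U+FB00 ligature and lost it somewhere in this copy; if the patch file itself carries plain "ff", the second assertion compares a 508-character string with itself and no longer exercises the at-limit normalization path, so check the applied file's encoding. The `UsernameField` class continues past the end of the hunk.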
@@ -17,6 +17,8 @@ Patch5: CVE-2023-36053.patch
 Patch6: CVE-2023-41164.patch
 # https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
 Patch7: CVE-2023-43665.patch
+# https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
+Patch8: CVE-2023-46695.patch
 BuildArch: noarch
 %description
@@ -83,6 +85,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Mon Nov 06 2023 yaoxin - 3.2.12-8
+- Fix CVE-2023-46695
+
 * Sun Oct 08 2023 yaoxin - 3.2.12-7
 - Fix CVE-2023-43665