From 46701493ac4201c76aad1aeaf28e9b35851398ec Mon Sep 17 00:00:00 2001 From: Soumya Sambu Date: Fri, 10 Jan 2025 13:17:57 +0000 Subject: python3-django: Fix CVE-2024-41989 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41989 Upstream-patches: https://github.com/django/django/commit/08c5a787262c1ae57f6517d4574b54a5fcaad124 https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c https://github.com/django/django/commit/dcd974698301a38081c141ccba6dcafa5ed2c80e https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster --- .../python3-django/CVE-2024-41989-0001.patch | 48 +++++++++++++ .../python3-django/CVE-2024-41989-0002.patch | 48 +++++++++++++ .../python3-django/CVE-2024-41989-0003.patch | 57 +++++++++++++++ .../python3-django/CVE-2024-41989-0004.patch | 81 ++++++++++++++++++++++ 4 files changed, 234 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch (limited to 'meta-python/recipes-devtools/python/python3-django') diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch new file mode 100644 index 0000000000..04c0cf91e0 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch @@ -0,0 +1,48 @@ +From 08c5a787262c1ae57f6517d4574b54a5fcaad124 Mon Sep 17 00:00:00 2001 +From: Vlastimil Zíma +Date: Mon, 24 Oct 2022 12:59:34 +0200 +Subject: [PATCH] Fixed #34098 -- Fixed loss of precision for Decimal values in + floatformat filter. + +Regression in 12f7928f5a455e330c0a7f19bc86b37baca12811. + +CVE: CVE-2024-41989 + +Upstream-Status: Backport [https://github.com/django/django/commit/08c5a787262c1ae57f6517d4574b54a5fcaad124] + +Signed-off-by: Soumya Sambu +--- + django/template/defaultfilters.py | 2 +- + tests/template_tests/filter_tests/test_floatformat.py | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py +index a1d77f5..9ca530c 100644 +--- a/django/template/defaultfilters.py ++++ b/django/template/defaultfilters.py +@@ -123,7 +123,7 @@ def floatformat(text, arg=-1): + of that value. + """ + try: +- input_val = repr(text) ++ input_val = str(text) + d = Decimal(input_val) + except InvalidOperation: + try: +diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py +index cfc3eaf..acad66d 100644 +--- a/tests/template_tests/filter_tests/test_floatformat.py ++++ b/tests/template_tests/filter_tests/test_floatformat.py +@@ -44,6 +44,10 @@ class FunctionTests(SimpleTestCase): + self.assertEqual(floatformat(0.12345, 2), '0.12') + self.assertEqual(floatformat(Decimal('555.555'), 2), '555.56') + self.assertEqual(floatformat(Decimal('09.000')), '9') ++ self.assertEqual( ++ floatformat(Decimal("123456.123456789012345678901"), 21), ++ "123456.123456789012345678901", ++ ) + self.assertEqual(floatformat('foo'), '') + self.assertEqual(floatformat(13.1031, 'bar'), '13.1031') + self.assertEqual(floatformat(18.125, 2), '18.13') +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch new file mode 100644 index 0000000000..51cf79ffbd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch @@ -0,0 +1,48 @@ +From 4b066bde692078b194709d517b27e55defae787c Mon Sep 17 00:00:00 2001 +From: David Wobrock +Date: Wed, 18 Jan 2023 22:54:17 +0100 +Subject: [PATCH] Fixed #34272 -- Fixed floatformat crash on zero with trailing + zeros to zero decimal places. + +Regression in 08c5a787262c1ae57f6517d4574b54a5fcaad124. + +Thanks Andrii Lahuta for the report. + +CVE: CVE-2024-41989 + +Upstream-Status: Backport [https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c] + +Signed-off-by: Soumya Sambu +--- + django/template/defaultfilters.py | 2 +- + tests/template_tests/filter_tests/test_floatformat.py | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py +index 9ca530c..e72593b 100644 +--- a/django/template/defaultfilters.py ++++ b/django/template/defaultfilters.py +@@ -140,7 +140,7 @@ def floatformat(text, arg=-1): + except (ValueError, OverflowError, InvalidOperation): + return input_val + +- if not m and p < 0: ++ if not m and p <= 0: + return mark_safe(formats.number_format('%d' % (int(d)), 0)) + + exp = Decimal(1).scaleb(-abs(p)) +diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py +index acad66d..538f501 100644 +--- a/tests/template_tests/filter_tests/test_floatformat.py ++++ b/tests/template_tests/filter_tests/test_floatformat.py +@@ -65,6 +65,8 @@ class FunctionTests(SimpleTestCase): + self.assertEqual(floatformat(0, 7), '0.0000000') + self.assertEqual(floatformat(0, 10), '0.0000000000') + self.assertEqual(floatformat(0.000000000000000000015, 20), '0.00000000000000000002') ++ self.assertEqual(floatformat("0.00", 0), "0") ++ self.assertEqual(floatformat(Decimal("0.00"), 0), "0") + + def test_infinity(self): + pos_inf = float(1e30000) +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch new file mode 100644 index 0000000000..649a58f822 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch @@ -0,0 +1,57 @@ +From dcd974698301a38081c141ccba6dcafa5ed2c80e Mon Sep 17 00:00:00 2001 +From: "Panagiotis H.M. Issaris" +Date: Wed, 22 Feb 2023 20:46:16 +0100 +Subject: [PATCH] Fixed #34363 -- Fixed floatformat crash on zero with trailing + zeros. + +Regression in 08c5a787262c1ae57f6517d4574b54a5fcaad124. +Follow up to 4b066bde692078b194709d517b27e55defae787c. + +CVE: CVE-2024-41989 + +Upstream-Status: Backport [https://github.com/django/django/commit/dcd974698301a38081c141ccba6dcafa5ed2c80e] + +Signed-off-by: Soumya Sambu +--- + django/template/defaultfilters.py | 3 ++- + tests/template_tests/filter_tests/test_floatformat.py | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py +index e72593b..1aba321 100644 +--- a/django/template/defaultfilters.py ++++ b/django/template/defaultfilters.py +@@ -2,7 +2,7 @@ + import random as random_module + import re + import types +-from decimal import ROUND_HALF_UP, Context, Decimal, InvalidOperation ++from decimal import ROUND_HALF_UP, Context, Decimal, InvalidOperation, getcontext + from functools import wraps + from operator import itemgetter + from pprint import pformat +@@ -149,6 +149,7 @@ def floatformat(text, arg=-1): + units = len(tupl[1]) + units += -tupl[2] if m else tupl[2] + prec = abs(p) + units + 1 ++ prec = max(getcontext().prec, prec) + + # Avoid conversion to scientific notation by accessing `sign`, `digits`, + # and `exponent` from Decimal.as_tuple() directly. +diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py +index 538f501..413ba4b 100644 +--- a/tests/template_tests/filter_tests/test_floatformat.py ++++ b/tests/template_tests/filter_tests/test_floatformat.py +@@ -67,6 +67,10 @@ class FunctionTests(SimpleTestCase): + self.assertEqual(floatformat(0.000000000000000000015, 20), '0.00000000000000000002') + self.assertEqual(floatformat("0.00", 0), "0") + self.assertEqual(floatformat(Decimal("0.00"), 0), "0") ++ self.assertEqual(floatformat("0.0000", 2), "0.00") ++ self.assertEqual(floatformat(Decimal("0.0000"), 2), "0.00") ++ self.assertEqual(floatformat("0.000000", 4), "0.0000") ++ self.assertEqual(floatformat(Decimal("0.000000"), 4), "0.0000") + + def test_infinity(self): + pos_inf = float(1e30000) +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch new file mode 100644 index 0000000000..1cd99df8b2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch @@ -0,0 +1,81 @@ +From fc76660f589ac07e45e9cd34ccb8087aeb11904b Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Fri, 12 Jul 2024 11:38:34 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory + consumption in floatformat. + +Thanks Elias Myllymäki for the report. + +Co-authored-by: Shai Berger + +CVE: CVE-2024-41989 + +Upstream-Status: Backport [https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b] + +Signed-off-by: Soumya Sambu +--- + django/template/defaultfilters.py | 13 +++++++++++++ + .../filter_tests/test_floatformat.py | 17 +++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py +index a1d77f5..4884852 100644 +--- a/django/template/defaultfilters.py ++++ b/django/template/defaultfilters.py +@@ -135,6 +135,19 @@ def floatformat(text, arg=-1): + except ValueError: + return input_val + ++ _, digits, exponent = d.as_tuple() ++ try: ++ number_of_digits_and_exponent_sum = len(digits) + abs(exponent) ++ except TypeError: ++ # Exponent values can be "F", "n", "N". ++ number_of_digits_and_exponent_sum = 0 ++ ++ # Values with more than 200 digits, or with a large exponent, are returned "as is" ++ # to avoid high memory consumption and potential denial-of-service attacks. ++ # The cut-off of 200 is consistent with django.utils.numberformat.floatformat(). ++ if number_of_digits_and_exponent_sum > 200: ++ return input_val ++ + try: + m = int(d) - d + except (ValueError, OverflowError, InvalidOperation): +diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py +index cfc3eaf..bd0a998 100644 +--- a/tests/template_tests/filter_tests/test_floatformat.py ++++ b/tests/template_tests/filter_tests/test_floatformat.py +@@ -55,6 +55,7 @@ class FunctionTests(SimpleTestCase): + self.assertEqual(floatformat(1.5e-15, 20), '0.00000000000000150000') + self.assertEqual(floatformat(1.5e-15, -20), '0.00000000000000150000') + self.assertEqual(floatformat(1.00000000000000015, 16), '1.0000000000000002') ++ self.assertEqual(floatformat("1e199"), "1" + "0" * 199) + + def test_zero_values(self): + self.assertEqual(floatformat(0, 6), '0.000000') +@@ -68,6 +69,22 @@ class FunctionTests(SimpleTestCase): + self.assertEqual(floatformat(pos_inf), 'inf') + self.assertEqual(floatformat(neg_inf), '-inf') + self.assertEqual(floatformat(pos_inf / pos_inf), 'nan') ++ self.assertEqual(floatformat("inf"), "inf") ++ self.assertEqual(floatformat("NaN"), "NaN") ++ ++ def test_too_many_digits_to_render(self): ++ cases = [ ++ "1e200", ++ "1E200", ++ "1E10000000000000000", ++ "-1E10000000000000000", ++ "1e10000000000000000", ++ "-1e10000000000000000", ++ "1" + "0" * 1_000_000, ++ ] ++ for value in cases: ++ with self.subTest(value=value): ++ self.assertEqual(floatformat(value), value) + + def test_float_dunder_method(self): + class FloatWrapper: +-- +2.40.0 -- cgit v1.2.3-54-g00ecf