fix CVE-2025-26699

2025-02-17 22:54:01 +08:00 · 2025-02-17 22:54:01 +08:00 · b619d2140f
commit b619d2140f
parent 9e60fed136
2 changed files with 110 additions and 1 deletions
--- a/backport-CVE-2025-26699.patch
+++ b/backport-CVE-2025-26699.patch
@ -0,0 +1,102 @@
+From 4f2765232336b8ad0afd8017d9d912ae93470017 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 25 Feb 2025 09:40:54 +0100
+Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
+ wordwrap template filter.
+
+Thanks sw0rd1ight for the report.
+
+Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
+---
+ django/utils/text.py                          | 28 +++++++------------
+ docs/releases/4.2.15.txt                      |  7 +++++
+ .../filter_tests/test_wordwrap.py             | 12 ++++++++
+ 3 files changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index e1b835e..81ae88d 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -1,6 +1,7 @@
+ import gzip
+ import re
+ import secrets
+import textwrap
+ import unicodedata
+ from gzip import GzipFile
+ from gzip import compress as gzip_compress
+@@ -97,24 +98,15 @@ def wrap(text, width):
+     ``width``.
+     """
+ 
+-    def _generator():
+-        for line in text.splitlines(True):  # True keeps trailing linebreaks
+-            max_width = min((line.endswith("\n") and width + 1 or width), width)
+-            while len(line) > max_width:
+-                space = line[: max_width + 1].rfind(" ") + 1
+-                if space == 0:
+-                    space = line.find(" ") + 1
+-                    if space == 0:
+-                        yield line
+-                        line = ""
+-                        break
+-                yield "%s\n" % line[: space - 1]
+-                line = line[space:]
+-                max_width = min((line.endswith("\n") and width + 1 or width), width)
+-            if line:
+-                yield line
+-
+-    return "".join(_generator())
+    wrapper = textwrap.TextWrapper(
+        width=width,
+        break_long_words=False,
+        break_on_hyphens=False,
+    )
+    result = []
+    for line in text.splitlines(True):
+        result.extend(wrapper.wrap(line))
+    return "\n".join(result)
+ 
+ 
+ class Truncator(SimpleLazyObject):
+diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
+index b1d4684..4ee3882 100644
+--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
+@@ -7,6 +7,13 @@ Django 4.2.15 release notes
+ Django 4.2.15 fixes three security issues with severity "moderate", one
+ security issue with severity "high", and a regression in 4.2.14.
+ 
+
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
+=========================================================================================
+
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
+potential denial-of-service attack when used with very long strings.
+
+ CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+ ================================================================================
+ 
+diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
+index 88fbd27..7557153 100644
+--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
+@@ -78,3 +78,15 @@ class FunctionTests(SimpleTestCase):
+             "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
+             "I'm afraid",
+         )
+
+
+    def test_wrap_long_text(self):
+        long_text = (
+            "this is a long paragraph of text that really needs"
+            " to be wrapped I'm afraid " * 20_000
+        )
+        self.assertIn(
+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
+            "I'm afraid",
+            wordwrap(long_text, 10),
+        )
+-- 
+2.46.0
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.2.15
-Release:	4
+Release:	5
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -11,6 +11,7 @@ Patch1:		CVE-2024-45231.patch
 Patch2:		CVE-2024-53907.patch
 Patch3:		CVE-2024-53908.patch
 Patch4:		CVE-2024-56374.patch
+Patch5:		backport-CVE-2025-26699.patch 

 BuildArch:	noarch
 %description
@ -77,6 +78,12 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon Mar 10 2025 changtao <changtao@kylinos.cn> - 4.2.15-5
+- Type:CVE
+- CVE:CVE-2025-26699
+- SUG:NA
+- DESC:fix CVE-2025-26699
+
 * Fri Jan 17 2025 yaoxin <1024769339@qq.com> - 4.2.15-4
 - Fix CVE-2024-56374