From fd6e5068c9661c6ecbb81cb524adc6953b8592b3 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 7 Feb 2024 11:03:20 +0800
Subject: [PATCH] Fix CVE-2024-24680
---
CVE-2024-24680.patch | 191 +++++++++++++++++++++++++++++++++++++++++++
python-django.spec | 7 +-
2 files changed, 197 insertions(+), 1 deletion(-)
create mode 100644 CVE-2024-24680.patch
diff --git a/CVE-2024-24680.patch b/CVE-2024-24680.patch
new file mode 100644
index 0000000..551aeca
--- /dev/null
+++ b/CVE-2024-24680.patch
@@ -0,0 +1,191 @@
+From 572ea07e84b38ea8de0551f4b4eda685d91d09d2 Mon Sep 17 00:00:00 2001
+From: Adam Johnson
+Date: Mon, 22 Jan 2024 13:21:13 +0000
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in
+ intcomma template filter.
+
+Thanks Seokchan Yoon for the report.
+
+Co-authored-by: Mariusz Felisiak
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+Co-authored-by: Shai Berger
+---
+ .../contrib/humanize/templatetags/humanize.py | 13 ++--
+ tests/humanize_tests/tests.py | 64 +++++++++++++++++++
+ 2 files changed, 71 insertions(+), 6 deletions(-)
+
+diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py
+index 2322477..2c26f89 100644
+--- a/django/contrib/humanize/templatetags/humanize.py
++++ b/django/contrib/humanize/templatetags/humanize.py
+@@ -75,12 +75,13 @@ def intcomma(value, use_l10n=True):
+ return intcomma(value, False)
+ else:
+ return number_format(value, use_l10n=True, force_grouping=True)
+- orig = str(value)
+- new = re.sub(r"^(-?\d+)(\d{3})", r"\g<1>,\g<2>", orig)
+- if orig == new:
+- return new
+- else:
+- return intcomma(new, use_l10n)
++ result = str(value)
++ match = re.match(r"-?\d+", result)
++ if match:
++ prefix = match[0]
++ prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
++ result = prefix_with_commas + result[len(prefix) :]
++ return result
+
+
+ # A tuple of standard large number to their converters
+diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py
+index cf29f58..a78bbad 100644
+--- a/tests/humanize_tests/tests.py
++++ b/tests/humanize_tests/tests.py
+@@ -116,39 +116,71 @@ class HumanizeTests(SimpleTestCase):
+ def test_intcomma(self):
+ test_list = (
+ 100,
++ -100,
+ 1000,
++ -1000,
+ 10123,
++ -10123,
+ 10311,
++ -10311,
+ 1000000,
++ -1000000,
+ 1234567.25,
++ -1234567.25,
+ "100",
++ "-100",
+ "1000",
++ "-1000",
+ "10123",
++ "-10123",
+ "10311",
++ "-10311",
+ "1000000",
++ "-1000000",
+ "1234567.1234567",
++ "-1234567.1234567",
+ Decimal("1234567.1234567"),
++ Decimal("-1234567.1234567"),
+ None,
+ "1234567",
++ "-1234567",
+ "1234567.12",
++ "-1234567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ result_list = (
+ "100",
++ "-100",
+ "1,000",
++ "-1,000",
+ "10,123",
++ "-10,123",
+ "10,311",
++ "-10,311",
+ "1,000,000",
++ "-1,000,000",
+ "1,234,567.25",
++ "-1,234,567.25",
+ "100",
++ "-100",
+ "1,000",
++ "-1,000",
+ "10,123",
++ "-10,123",
+ "10,311",
++ "-10,311",
+ "1,000,000",
++ "-1,000,000",
+ "1,234,567.1234567",
++ "-1,234,567.1234567",
+ "1,234,567.1234567",
++ "-1,234,567.1234567",
+ None,
+ "1,234,567",
++ "-1,234,567",
+ "1,234,567.12",
++ "-1,234,567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ with translation.override("en"):
+ self.humanize_tester(test_list, result_list, "intcomma")
+@@ -156,39 +188,71 @@ class HumanizeTests(SimpleTestCase):
+ def test_l10n_intcomma(self):
+ test_list = (
+ 100,
++ -100,
+ 1000,
++ -1000,
+ 10123,
++ -10123,
+ 10311,
++ -10311,
+ 1000000,
++ -1000000,
+ 1234567.25,
++ -1234567.25,
+ "100",
++ "-100",
+ "1000",
++ "-1000",
+ "10123",
++ "-10123",
+ "10311",
++ "-10311",
+ "1000000",
++ "-1000000",
+ "1234567.1234567",
++ "-1234567.1234567",
+ Decimal("1234567.1234567"),
++ -Decimal("1234567.1234567"),
+ None,
+ "1234567",
++ "-1234567",
+ "1234567.12",
++ "-1234567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ result_list = (
+ "100",
++ "-100",
+ "1,000",
++ "-1,000",
+ "10,123",
++ "-10,123",
+ "10,311",
++ "-10,311",
+ "1,000,000",
++ "-1,000,000",
+ "1,234,567.25",
++ "-1,234,567.25",
+ "100",
++ "-100",
+ "1,000",
++ "-1,000",
+ "10,123",
++ "-10,123",
+ "10,311",
++ "-10,311",
+ "1,000,000",
++ "-1,000,000",
+ "1,234,567.1234567",
++ "-1,234,567.1234567",
+ "1,234,567.1234567",
++ "-1,234,567.1234567",
+ None,
+ "1,234,567",
++ "-1,234,567",
+ "1,234,567.12",
++ "-1,234,567.12",
++ "the quick brown fox jumped over the lazy dog",
+ ) + with self.settings(USE_THOUSAND_SEPARATOR=False): + with translation.override("en"): +-- +2.33.0 + diff --git a/python-django.spec b/python-django.spec index 6d190c3..63bad5f 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 4.2.3 -Release: 5 +Release: 6 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ @@ -11,6 +11,8 @@ Patch0: CVE-2023-41164.patch Patch1: CVE-2023-43665.patch # https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f Patch2: CVE-2023-46695.patch +# https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2 +Patch3: CVE-2024-24680.patch BuildArch: noarch %description @@ -77,6 +79,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Wed Feb 07 2024 yaoxin - 4.2.3-6 +- Fix CVE-2024-24680 + * Fri Sep 15 2023 xu_ping <707078654@qq.com> - 4.2.3-5 - Fix changelog bad date
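Review bot: The replacement `intcomma` body in the nested humanize.py hunk emits a leading comma whenever the integer part has a multiple of three digits: for `100` the reversed prefix `"001"` becomes `"001,"` and is reversed back to `",100"`, `-100` becomes `"-,100"`, and `1000000` comes out as `",1,000,000"`, yet the test_list/result_list pairs added in the same patch expect `"100"` and `"1,000,000"`, so this backport would fail its own tests. A second substitution placed before the `result = ...` assignment, `prefix_with_commas = re.sub(r"^(-?),", r"\1", prefix_with_commas)`, strips that comma for both signed and unsigned prefixes. The inner hunk header `+75,13` and the 71-insertion diffstat agree with only seven added lines, so the line appears to be absent from the shipped patch rather than lost in rendering; it is worth re-checking against the upstream commit the spec comment points to before building. The enclosing `def intcomma` line appears only in the @@ trailer, so the function starts outside the hunk.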