diff --git a/CVE-2023-46695.patch b/CVE-2023-46695.patch
new file mode 100644
index 0000000..88d0902
--- /dev/null
+++ b/CVE-2023-46695.patch
@@ -0,0 +1,61 @@
+From 048a9ebb6ea468426cb4e57c71572cbbd975517f Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak
+Date: Tue, 17 Oct 2023 11:48:32 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+---
+ django/contrib/auth/forms.py | 10 +++++++++-
+ tests/auth_tests/test_forms.py | 7 +++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index eaae0bf..061dc81 100644
+--- a/django/contrib/auth/forms.py
++++ b/django/contrib/auth/forms.py
+@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+
+ class UsernameField(forms.CharField):
+ def to_python(self, value):
+- return unicodedata.normalize("NFKC", super().to_python(value))
++ value = super().to_python(value)
++ if self.max_length is not None and len(value) > self.max_length:
++ # Normalization can increase the string length (e.g.
++ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
++ # point in normalizing invalid data. Moreover, Unicode
++ # normalization is very slow on Windows and can be a DoS attack
++ # vector.
++ return value
++ return unicodedata.normalize("NFKC", value)
+
+ def widget_attrs(self, widget):
+ return {
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index 7a80adb..81c56a4 100644
+--- a/tests/auth_tests/test_forms.py
++++ b/tests/auth_tests/test_forms.py
+@@ -14,6 +14,7 @@ from django.contrib.auth.forms import (
+ SetPasswordForm,
+ UserChangeForm,
+ UserCreationForm,
++ UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase):
+ self.assertNotEqual(user.username, ohm_username)
+ self.assertEqual(user.username, "testΩ") # U+03A9 GREEK CAPITAL LETTER OMEGA
+
++ def test_invalid_username_no_normalize(self):
++ field = UsernameField(max_length=254)
++ # Usernames are not normalized if they are too long.
++ self.assertEqual(field.to_python("½" * 255), "½" * 255)
++ self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
++
+ def test_duplicate_normalized_unicode(self):
+ """
+ To prevent almost identical usernames, visually identical but differing
+--
+2.30.0
+
diff --git a/python-django.spec b/python-django.spec
index b7eef5f..0c63c3a 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
 Version: 4.2.3
-Release: 3
+Release: 4
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL: https://www.djangoproject.com/
@@ -9,6 +9,8 @@ Source0: https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca7
 Patch0: CVE-2023-41164.patch
 # https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
 Patch1: CVE-2023-43665.patch
+# https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
+Patch2: CVE-2023-46695.patch
 BuildArch: noarch
 %description
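Review bot: The `@@ -9,6 +9,8 @@` hunk declares `Patch2: CVE-2023-46695.patch`, but the `%prep` section that applies the patch list is outside this diff, so it is not visible here whether Patch2 is actually applied; if the spec uses explicit `%patchN` lines rather than `%autosetup -p1`, a matching `%patch2 -p1` is needed or the fix is declared but never built in. The vendored patch also carries a second hunk for `tests/auth_tests/test_forms.py`, so it only applies cleanly if that file ships in the Source0 sdist; if it does not, the tests hunk has to be dropped from the local copy or the build fails at `%prep`. Worth checking the build log for the patch being applied to `django/contrib/auth/forms.py` before relying on the changelog entry as the record that CVE-2023-46695 is fixed in 4.2.3-4.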
@@ -75,6 +77,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Mon Nov 06 2023 yaoxin - 4.2.3-4
+- Fix CVE-2023-46695
+
 * Sun Oct 08 2023 yaoxin - 4.2.3-3
 - Fix CVE-2023-43665