diff mbox series

[meta-python,kirkstone,4/9] python3-django: Fix CVE-2024-41989

Message ID 20250110131802.2774557-5-soumya.sambu@windriver.com
State New
Headers show
Series [meta-python,kirkstone,1/9] python3-django: Fix CVE-2024-38875 | expand

Commit Message

ssambu Jan. 10, 2025, 1:17 p.m. UTC
From: Soumya Sambu <soumya.sambu@windriver.com>

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The
floatformat template filter is subject to significant memory consumption when
given a string representation of a number in scientific notation with a large
exponent.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41989

Upstream-patches:
https://github.com/django/django/commit/08c5a787262c1ae57f6517d4574b54a5fcaad124
https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c
https://github.com/django/django/commit/dcd974698301a38081c141ccba6dcafa5ed2c80e
https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../python3-django/CVE-2024-41989-0001.patch  | 48 +++++++++++
 .../python3-django/CVE-2024-41989-0002.patch  | 48 +++++++++++
 .../python3-django/CVE-2024-41989-0003.patch  | 57 +++++++++++++
 .../python3-django/CVE-2024-41989-0004.patch  | 81 +++++++++++++++++++
 .../python/python3-django_2.2.28.bb           |  4 +
 5 files changed, 238 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch
diff mbox series

Patch

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch
new file mode 100644
index 000000000..04c0cf91e
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0001.patch
@@ -0,0 +1,48 @@ 
+From 08c5a787262c1ae57f6517d4574b54a5fcaad124 Mon Sep 17 00:00:00 2001
+From: Vlastimil Zíma <ziima@users.noreply.github.com>
+Date: Mon, 24 Oct 2022 12:59:34 +0200
+Subject: [PATCH] Fixed #34098 -- Fixed loss of precision for Decimal values in
+  floatformat filter.
+
+Regression in 12f7928f5a455e330c0a7f19bc86b37baca12811.
+
+CVE: CVE-2024-41989
+
+Upstream-Status: Backport [https://github.com/django/django/commit/08c5a787262c1ae57f6517d4574b54a5fcaad124]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/template/defaultfilters.py                     | 2 +-
+ tests/template_tests/filter_tests/test_floatformat.py | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
+index a1d77f5..9ca530c 100644
+--- a/django/template/defaultfilters.py
++++ b/django/template/defaultfilters.py
+@@ -123,7 +123,7 @@ def floatformat(text, arg=-1):
+     of that value.
+     """
+     try:
+-        input_val = repr(text)
++        input_val = str(text)
+         d = Decimal(input_val)
+     except InvalidOperation:
+         try:
+diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
+index cfc3eaf..acad66d 100644
+--- a/tests/template_tests/filter_tests/test_floatformat.py
++++ b/tests/template_tests/filter_tests/test_floatformat.py
+@@ -44,6 +44,10 @@ class FunctionTests(SimpleTestCase):
+         self.assertEqual(floatformat(0.12345, 2), '0.12')
+         self.assertEqual(floatformat(Decimal('555.555'), 2), '555.56')
+         self.assertEqual(floatformat(Decimal('09.000')), '9')
++        self.assertEqual(
++            floatformat(Decimal("123456.123456789012345678901"), 21),
++            "123456.123456789012345678901",
++        )
+         self.assertEqual(floatformat('foo'), '')
+         self.assertEqual(floatformat(13.1031, 'bar'), '13.1031')
+         self.assertEqual(floatformat(18.125, 2), '18.13')
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch
new file mode 100644
index 000000000..51cf79ffb
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch
@@ -0,0 +1,48 @@ 
+From 4b066bde692078b194709d517b27e55defae787c Mon Sep 17 00:00:00 2001
+From: David Wobrock <david.wobrock@gmail.com>
+Date: Wed, 18 Jan 2023 22:54:17 +0100
+Subject: [PATCH] Fixed #34272 -- Fixed floatformat crash on zero with trailing
+ zeros to zero decimal places.
+
+Regression in 08c5a787262c1ae57f6517d4574b54a5fcaad124.
+
+Thanks Andrii Lahuta for the report.
+
+CVE: CVE-2024-41989
+
+Upstream-Status: Backport [https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/template/defaultfilters.py                     | 2 +-
+ tests/template_tests/filter_tests/test_floatformat.py | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
+index 9ca530c..e72593b 100644
+--- a/django/template/defaultfilters.py
++++ b/django/template/defaultfilters.py
+@@ -140,7 +140,7 @@ def floatformat(text, arg=-1):
+     except (ValueError, OverflowError, InvalidOperation):
+         return input_val
+
+-    if not m and p < 0:
++    if not m and p <= 0:
+         return mark_safe(formats.number_format('%d' % (int(d)), 0))
+
+     exp = Decimal(1).scaleb(-abs(p))
+diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
+index acad66d..538f501 100644
+--- a/tests/template_tests/filter_tests/test_floatformat.py
++++ b/tests/template_tests/filter_tests/test_floatformat.py
+@@ -65,6 +65,8 @@ class FunctionTests(SimpleTestCase):
+         self.assertEqual(floatformat(0, 7), '0.0000000')
+         self.assertEqual(floatformat(0, 10), '0.0000000000')
+         self.assertEqual(floatformat(0.000000000000000000015, 20), '0.00000000000000000002')
++        self.assertEqual(floatformat("0.00", 0), "0")
++        self.assertEqual(floatformat(Decimal("0.00"), 0), "0")
+
+     def test_infinity(self):
+         pos_inf = float(1e30000)
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch
new file mode 100644
index 000000000..649a58f82
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0003.patch
@@ -0,0 +1,57 @@ 
+From dcd974698301a38081c141ccba6dcafa5ed2c80e Mon Sep 17 00:00:00 2001
+From: "Panagiotis H.M. Issaris" <takis@issaris.com>
+Date: Wed, 22 Feb 2023 20:46:16 +0100
+Subject: [PATCH] Fixed #34363 -- Fixed floatformat crash on zero with trailing
+ zeros.
+
+Regression in 08c5a787262c1ae57f6517d4574b54a5fcaad124.
+Follow up to 4b066bde692078b194709d517b27e55defae787c.
+
+CVE: CVE-2024-41989
+
+Upstream-Status: Backport [https://github.com/django/django/commit/dcd974698301a38081c141ccba6dcafa5ed2c80e]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/template/defaultfilters.py                     | 3 ++-
+ tests/template_tests/filter_tests/test_floatformat.py | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
+index e72593b..1aba321 100644
+--- a/django/template/defaultfilters.py
++++ b/django/template/defaultfilters.py
+@@ -2,7 +2,7 @@
+ import random as random_module
+ import re
+ import types
+-from decimal import ROUND_HALF_UP, Context, Decimal, InvalidOperation
++from decimal import ROUND_HALF_UP, Context, Decimal, InvalidOperation, getcontext
+ from functools import wraps
+ from operator import itemgetter
+ from pprint import pformat
+@@ -149,6 +149,7 @@ def floatformat(text, arg=-1):
+     units = len(tupl[1])
+     units += -tupl[2] if m else tupl[2]
+     prec = abs(p) + units + 1
++    prec = max(getcontext().prec, prec)
+
+     # Avoid conversion to scientific notation by accessing `sign`, `digits`,
+     # and `exponent` from Decimal.as_tuple() directly.
+diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
+index 538f501..413ba4b 100644
+--- a/tests/template_tests/filter_tests/test_floatformat.py
++++ b/tests/template_tests/filter_tests/test_floatformat.py
+@@ -67,6 +67,10 @@ class FunctionTests(SimpleTestCase):
+         self.assertEqual(floatformat(0.000000000000000000015, 20), '0.00000000000000000002')
+         self.assertEqual(floatformat("0.00", 0), "0")
+         self.assertEqual(floatformat(Decimal("0.00"), 0), "0")
++        self.assertEqual(floatformat("0.0000", 2), "0.00")
++        self.assertEqual(floatformat(Decimal("0.0000"), 2), "0.00")
++        self.assertEqual(floatformat("0.000000", 4), "0.0000")
++        self.assertEqual(floatformat(Decimal("0.000000"), 4), "0.0000")
+
+     def test_infinity(self):
+         pos_inf = float(1e30000)
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch
new file mode 100644
index 000000000..1cd99df8b
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0004.patch
@@ -0,0 +1,81 @@ 
+From fc76660f589ac07e45e9cd34ccb8087aeb11904b Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Fri, 12 Jul 2024 11:38:34 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory
+ consumption in floatformat.
+
+Thanks Elias Myllymäki for the report.
+
+Co-authored-by: Shai Berger <shai@platonix.com>
+
+CVE: CVE-2024-41989
+
+Upstream-Status: Backport [https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/template/defaultfilters.py               | 13 +++++++++++++
+ .../filter_tests/test_floatformat.py            | 17 +++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
+index a1d77f5..4884852 100644
+--- a/django/template/defaultfilters.py
++++ b/django/template/defaultfilters.py
+@@ -135,6 +135,19 @@ def floatformat(text, arg=-1):
+     except ValueError:
+         return input_val
+
++    _, digits, exponent = d.as_tuple()
++    try:
++        number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
++    except TypeError:
++        # Exponent values can be "F", "n", "N".
++        number_of_digits_and_exponent_sum = 0
++
++    # Values with more than 200 digits, or with a large exponent, are returned "as is"
++    # to avoid high memory consumption and potential denial-of-service attacks.
++    # The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
++    if number_of_digits_and_exponent_sum > 200:
++        return input_val
++
+     try:
+         m = int(d) - d
+     except (ValueError, OverflowError, InvalidOperation):
+diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
+index cfc3eaf..bd0a998 100644
+--- a/tests/template_tests/filter_tests/test_floatformat.py
++++ b/tests/template_tests/filter_tests/test_floatformat.py
+@@ -55,6 +55,7 @@ class FunctionTests(SimpleTestCase):
+         self.assertEqual(floatformat(1.5e-15, 20), '0.00000000000000150000')
+         self.assertEqual(floatformat(1.5e-15, -20), '0.00000000000000150000')
+         self.assertEqual(floatformat(1.00000000000000015, 16), '1.0000000000000002')
++        self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
+
+     def test_zero_values(self):
+         self.assertEqual(floatformat(0, 6), '0.000000')
+@@ -68,6 +69,22 @@ class FunctionTests(SimpleTestCase):
+         self.assertEqual(floatformat(pos_inf), 'inf')
+         self.assertEqual(floatformat(neg_inf), '-inf')
+         self.assertEqual(floatformat(pos_inf / pos_inf), 'nan')
++        self.assertEqual(floatformat("inf"), "inf")
++        self.assertEqual(floatformat("NaN"), "NaN")
++
++    def test_too_many_digits_to_render(self):
++        cases = [
++            "1e200",
++            "1E200",
++            "1E10000000000000000",
++            "-1E10000000000000000",
++            "1e10000000000000000",
++            "-1e10000000000000000",
++            "1" + "0" * 1_000_000,
++        ]
++        for value in cases:
++            with self.subTest(value=value):
++                self.assertEqual(floatformat(value), value)
+
+     def test_float_dunder_method(self):
+         class FloatWrapper:
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index d06f48b1b..dc7e12ad7 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -15,6 +15,10 @@  SRC_URI += "file://CVE-2023-31047.patch \
             file://CVE-2024-38875.patch \
             file://CVE-2023-23969.patch \
             file://CVE-2024-39614.patch \
+            file://CVE-2024-41989-0001.patch \
+            file://CVE-2024-41989-0002.patch \
+            file://CVE-2024-41989-0003.patch \
+            file://CVE-2024-41989-0004.patch \
            "
 
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"