From patchwork Sun Nov 30 11:25:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Saravanan X-Patchwork-Id: 75598 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 13A25CFD376 for ; Sun, 30 Nov 2025 11:25:34 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.2562.1764501926462031515 for ; Sun, 30 Nov 2025 03:25:28 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@windriver.com header.s=PPS06212021 header.b=DEqJBc0P; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=4429d7dc3a=saravanan.kadambathursubramaniyam@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5AUB7Nhr3011761 for ; Sun, 30 Nov 2025 03:25:26 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=MtwCUBAqR5OSnCd81aXr kqKZLj5FvD1ZIhOy8TEX0SU=; b=DEqJBc0PnGV2rB7s3bZlb9vs7uoqxObPLmB7 FxmzN7xsKJTeVy7CqV6rNBo719wbEA5Sir57c1BVHXKjyGTRhpPnmsdgKH7xBs9F mUwxd3vty7ic1T1gbp3b7jiSx+smJaxnLz9JiWk/fyox/eS3v2tr0ymsQ4w46AOn oYgM4kLJwglCRqAARb8cdOwaUiteSKnLuHCQNwhoZdtDexqg7kDI0qJlUxlzSOvd hV/K88i/Eixyc+YAFEcBBXI87R3ahSa+QAByOjY2/DgEHUMQdi/ut2wDkBLv3Sb0 VHCq/vUzIfSiwtWg5/7tY5JvCcoa3xyEy524X8q7L0eU18r6Zg== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4ar17mrjf3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Sun, 30 Nov 2025 03:25:25 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Sun, 30 Nov 2025 03:25:25 -0800 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.61 via Frontend Transport; Sun, 30 Nov 2025 03:25:24 -0800 From: Saravanan To: Subject: [oe][meta-oe][kirkstone][PATCH 1/1] python3-django: fix CVE-2024-27351 Date: Sun, 30 Nov 2025 16:55:22 +0530 Message-ID: <20251130112522.3014049-1-saravanan.kadambathursubramaniyam@windriver.com> X-Mailer: git-send-email 2.35.5 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: PyG6hnuitHjStrO3uOizpemuSyCIAQpq X-Authority-Analysis: v=2.4 cv=Ws4m8Nfv c=1 sm=1 tr=0 ts=692c29a5 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=IkcTkHD0fZMA:10 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=PYnjg3YJAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=JUY6PVayAAAA:8 a=pGLkceISAAAA:8 a=c0yhFJxcVFanX9hEbzcA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=FdTzh2GWekK77mhwV6Dw:22 a=32l4pQc4xq9dSJlKNEIc:22 X-Proofpoint-GUID: PyG6hnuitHjStrO3uOizpemuSyCIAQpq X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTMwMDA5NyBTYWx0ZWRfXyfUMdxMg7G+u HJbSujjQEo8ZPY0XOZleP4UrgJXNIUVBEBglxpB8Z2JeD7KbljPWuECGj7SspO/0xBfkkmH5aVG efVVtET8NXAHRNEanb2rSJcbp/FobQ5Fs7AnUZc/KTLBmD4GUS7W5Dk/cD8Joymkb3Dz4x3y+ef wn+yOfKEq5WPeOBRPd+RuPmaatIJekyvxyh65omj71ZU07iAZzX6gFm0bKkR+zv36HySSP2/TBR ivtXszbJHjrZUI5aQbBZ1f8WJYUhijAy9d1Z98tdhlUQFQwUQ+KfRZScqzHjBEYo3ydkK1UQigj 2/h6b2k06LEeJtUlXB0+Tj8XhjTrTAhn6b7j4UEmYG1mtIfYnTG9/SsUy/qixYcWC+TrC4v2TsK gOiZ6ylelBF01SKElCO50+kRKUmjVQ== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-28_08,2025-11-27_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 malwarescore=0 spamscore=0 phishscore=0 suspectscore=0 bulkscore=0 lowpriorityscore=0 clxscore=1015 adultscore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511300097 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-0064b401.pphosted.com id 5AUB7Nhr3011761 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Nov 2025 11:25:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122164 Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-27351 Upstream-patch: https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Signed-off-by: Saravanan --- .../python3-django/CVE-2024-27351.patch | 149 ++++++++++++++++++ .../python/python3-django_2.2.28.bb | 1 + 2 files changed, 150 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch new file mode 100644 index 0000000000..a341897ebe --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-27351.patch @@ -0,0 +1,149 @@ +From 072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Mon Sep 17 00:00:00 2001 +From: Shai Berger +Date: Mon, 19 Feb 2024 13:56:37 +0100 +Subject: [PATCH] Fixed CVE-2024-27351 -- Prevented potential ReDoS in + Truncator.words(). + +Thanks Seokchan Yoon for the report. + +CVE: CVE-2024-27351 + +Upstream-Status: Backport +https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 + +Signed-off-by: Shai Berger +Co-Authored-By: Mariusz Felisiak +Signed-off-by: Saravanan + +%% original patch: CVE-2024-27351.patch +--- + django/utils/text.py | 57 ++++++++++++++++++++++++++++++++-- + docs/releases/2.2.28.txt | 9 ++++++ + tests/utils_tests/test_text.py | 26 ++++++++++++++++ + 3 files changed, 90 insertions(+), 2 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 06a377b..2c4040e 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -15,8 +15,61 @@ def capfirst(x): + return x and str(x)[0].upper() + str(x)[1:] + + +-# Set up regular expressions +-re_words = re.compile(r'<[^>]+?>|([^<>\s]+)', re.S) ++# ----- Begin security-related performance workaround ----- ++ ++# We used to have, below ++# ++# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S) ++# ++# But it was shown that this regex, in the way we use it here, has some ++# catastrophic edge-case performance features. Namely, when it is applied to ++# text with only open brackets "<<<...". The class below provides the services ++# and correct answers for the use cases, but in these edge cases does it much ++# faster. ++re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S) ++re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S) ++ ++ ++class WordsRegex: ++ @staticmethod ++ def search(text, pos): ++ # Look for "<" or a non-tag word. ++ partial = re_prt.search(text, pos) ++ if partial is None or partial[1] is not None: ++ return partial ++ ++ # "<" was found, look for a closing ">". ++ end = text.find(">", partial.end(0)) ++ if end < 0: ++ # ">" cannot be found, look for a word. ++ return re_notag.search(text, pos + 1) ++ else: ++ # "<" followed by a ">" was found -- fake a match. ++ end += 1 ++ return FakeMatch(text[partial.start(0): end], end) ++ ++ ++class FakeMatch: ++ __slots__ = ["_text", "_end"] ++ ++ def end(self, group=0): ++ assert group == 0, "This specific object takes only group=0" ++ return self._end ++ ++ def __getitem__(self, group): ++ if group == 1: ++ return None ++ assert group == 0, "This specific object takes only group in {0,1}" ++ return self._text ++ ++ def __init__(self, text, end): ++ self._text, self._end = text, end ++ ++ ++# ----- End security-related performance workaround ----- ++ ++# Set up regular expressions. ++re_words = WordsRegex + re_chars = re.compile(r'<[^>]+?>|(.)', re.S) + re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S) + re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index c653cb6..7227452 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -90,3 +90,12 @@ large number of Unicode characters. + In order to avoid the vulnerability, invalid values longer than + ``UsernameField.max_length`` are no longer normalized, since they cannot pass + validation anyway. ++ ++CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()`` ++========================================================================================================= ++ ++``django.utils.text.Truncator.words()`` method (with ``html=True``) and ++:tfilter:`truncatewords_html` template filter were subject to a potential ++regular expression denial-of-service attack using a suitably crafted string ++(follow up to :cve:`2019-14232` and :cve:`2023-43665`). ++ +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index cb3063d..7e9f2b3 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -156,6 +156,32 @@ class TestUtilsText(SimpleTestCase): + truncator = text.Truncator('

I <3 python, what about you?

') + self.assertEqual('

I <3 python,…

', truncator.words(3, html=True)) + ++ # Only open brackets. ++ test = "<" * 60_000 ++ truncator = text.Truncator(test) ++ self.assertEqual(truncator.words(1, html=True), test) ++ ++ # Tags with special chars in attrs. ++ truncator = text.Truncator( ++ """Hello, my dear lady!""" ++ ) ++ self.assertEqual( ++ """Hello, my dear…""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Tags with special non-latin chars in attrs. ++ truncator = text.Truncator("""

Hello, my dear lady!

""") ++ self.assertEqual( ++ """

Hello, my dear…

""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Misplaced brackets. ++ truncator = text.Truncator("hello >< world") ++ self.assertEqual(truncator.words(1, html=True), "hello…") ++ self.assertEqual(truncator.words(2, html=True), "hello >< world") ++ + @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) + def test_truncate_words_html_size_limit(self): + max_len = text.Truncator.MAX_LENGTH_HTML +-- +2.40.0 + diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 0478fd3883..f394397453 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb @@ -24,6 +24,7 @@ SRC_URI += "file://CVE-2023-31047.patch \ file://CVE-2024-45230.patch \ file://CVE-2024-45231.patch \ file://CVE-2024-53907.patch \ + file://CVE-2024-27351.patch \ " SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"