From 853013d6530d69e9874a96e9927e12b32402232c Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 7 Feb 2024 10:36:35 +0800
Subject: [PATCH] Fix CVE-2024-24680
(cherry picked from commit 37202e3c3308fb05888e2544ed2bf8c5e457ff0d)
---
 CVE-2024-24680.patch | 204 +++++++++++++++++++++++++++++++++++++++++++
 python-django.spec | 7 +-
 2 files changed, 210 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-24680.patch
diff --git a/CVE-2024-24680.patch b/CVE-2024-24680.patch
new file mode 100644
index 0000000..3d8ab4d
--- /dev/null
+++ b/CVE-2024-24680.patch
@@ -0,0 +1,204 @@
+From c1171ffbd570db90ca206c30f8e2b9f691243820 Mon Sep 17 00:00:00 2001
+From: Adam Johnson
+Date: Mon, 22 Jan 2024 13:21:13 +0000
+Subject: [PATCH] [3.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in
+ intcomma template filter.
+
+Thanks Seokchan Yoon for the report.
+
+Co-authored-by: Mariusz Felisiak
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+Co-authored-by: Shai Berger
+---
+ .../contrib/humanize/templatetags/humanize.py | 13 +-
+ tests/humanize_tests/tests.py | 140 ++++++++++++++++--
+ 2 files changed, 135 insertions(+), 18 deletions(-)
+
+diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py
+index 753a0d9..238aaf2 100644
+--- a/django/contrib/humanize/templatetags/humanize.py
++++ b/django/contrib/humanize/templatetags/humanize.py
+@@ -70,12 +70,13 @@ def intcomma(value, use_l10n=True):
+ return intcomma(value, False)
+ else:
+ return number_format(value, use_l10n=True, force_grouping=True)
+- orig = str(value)
+- new = re.sub(r"^(-?\d+)(\d{3})", r'\g<1>,\g<2>', orig)
+- if orig == new:
+- return new
+- else:
+- return intcomma(new, use_l10n)
++ result = str(value)
++ match = re.match(r"-?\d+", result)
++ if match:
++ prefix = match[0]
++ prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1]
++ result = prefix_with_commas + result[len(prefix) :]
++ return result
+
+
+ # A tuple of standard large number to their converters
+diff --git a/tests/humanize_tests/tests.py b/tests/humanize_tests/tests.py
+index a0d16bb..3c22787 100644
+--- a/tests/humanize_tests/tests.py
++++ b/tests/humanize_tests/tests.py
+@@ -66,28 +66,144 @@ class HumanizeTests(SimpleTestCase):
+
+ def test_intcomma(self):
+ test_list = (
+- 100, 1000, 10123, 10311, 1000000, 1234567.25, '100', '1000',
+- '10123', '10311', '1000000', '1234567.1234567',
+- Decimal('1234567.1234567'), None,
++ 100,
++ -100,
++ 1000,
++ -1000,
++ 10123,
++ -10123,
++ 10311,
++ -10311,
++ 
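Review bot: The new grouping in the `if match:` branch leaves a stray leading comma whenever the integer prefix has a multiple of three digits: reversing `"100"` gives `"001"`, `re.sub(r"\d{3}", r"\g<0>,", ...)` turns it into `"001,"`, and reversing back yields `",100"`, so on the non-localized path `intcomma("123456.78", False)` returns `",123,456.78"` and `intcomma("-100", False)` returns `"-,100"`. The removed `^(-?\d+)(\d{3})` code only inserted a comma when more than three digits remained, so this is a regression introduced by the fix rather than pre-existing behaviour, and I believe upstream later corrected it separately, which a 3.2 backport would have to pick up by hand. Add one line after the `prefix_with_commas = ...` assignment, `prefix_with_commas = re.sub(r"^(-?),", r"\1", prefix_with_commas)`, preceded by the comment `# Remove a leading comma, if needed.`. The tests in this patch do not catch it because every 3- or 6-digit input there is int()-convertible and, judging from the `number_format` fallthrough in the context lines, never reaches the regex branch. The `def intcomma(value, use_l10n=True)` signature and its `use_l10n` handling start above the hunk.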
1000000,
++ -1000000,
++ 1234567.25,
++ -1234567.25,
++ "100",
++ "-100",
++ "1000",
++ "-1000",
++ "10123",
++ "-10123",
++ "10311",
++ "-10311",
++ "1000000",
++ "-1000000",
++ "1234567.1234567",
++ "-1234567.1234567",
++ Decimal("1234567.1234567"),
++ Decimal("-1234567.1234567"),
++ None,
++ "1234567",
++ "-1234567",
++ "1234567.12",
++ "-1234567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ result_list = (
+- '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.25',
+- '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.1234567',
+- '1,234,567.1234567', None,
++ "100",
++ "-100",
++ "1,000",
++ "-1,000",
++ "10,123",
++ "-10,123",
++ "10,311",
++ "-10,311",
++ "1,000,000",
++ "-1,000,000",
++ "1,234,567.25",
++ "-1,234,567.25",
++ "100",
++ "-100",
++ "1,000",
++ "-1,000",
++ "10,123",
++ "-10,123",
++ "10,311",
++ "-10,311",
++ "1,000,000",
++ "-1,000,000",
++ "1,234,567.1234567",
++ "-1,234,567.1234567",
++ "1,234,567.1234567",
++ "-1,234,567.1234567",
++ None,
++ "1,234,567",
++ "-1,234,567",
++ "1,234,567.12",
++ "-1,234,567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ with translation.override('en'):
+ self.humanize_tester(test_list, result_list, 'intcomma')
+
+ def test_l10n_intcomma(self):
+ test_list = (
+- 100, 1000, 10123, 10311, 1000000, 1234567.25, '100', '1000',
+- '10123', '10311', '1000000', '1234567.1234567',
+- Decimal('1234567.1234567'), None,
++ 100,
++ -100,
++ 1000,
++ -1000,
++ 10123,
++ -10123,
++ 10311,
++ -10311,
++ 1000000,
++ -1000000,
++ 1234567.25,
++ -1234567.25,
++ "100",
++ "-100",
++ "1000",
++ "-1000",
++ "10123",
++ "-10123",
++ "10311",
++ "-10311",
++ "1000000",
++ "-1000000",
++ "1234567.1234567",
++ "-1234567.1234567",
++ Decimal("1234567.1234567"),
++ -Decimal("1234567.1234567"),
++ None,
++ "1234567",
++ "-1234567",
++ "1234567.12",
++ "-1234567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ result_list = (
+- '100', '1,000', '10,123', '10,311', '1,000,000', 
'1,234,567.25',
+- '100', '1,000', '10,123', '10,311', '1,000,000', '1,234,567.1234567',
+- '1,234,567.1234567', None,
++ "100",
++ "-100",
++ "1,000",
++ "-1,000",
++ "10,123",
++ "-10,123",
++ "10,311",
++ "-10,311",
++ "1,000,000",
++ "-1,000,000",
++ "1,234,567.25",
++ "-1,234,567.25",
++ "100",
++ "-100",
++ "1,000",
++ "-1,000",
++ "10,123",
++ "-10,123",
++ "10,311",
++ "-10,311",
++ "1,000,000",
++ "-1,000,000",
++ "1,234,567.1234567",
++ "-1,234,567.1234567",
++ "1,234,567.1234567",
++ "-1,234,567.1234567",
++ None,
++ "1,234,567",
++ "-1,234,567",
++ "1,234,567.12",
++ "-1,234,567.12",
++ "the quick brown fox jumped over the lazy dog",
+ )
+ with self.settings(USE_L10N=True, USE_THOUSAND_SEPARATOR=False):
+ with translation.override('en'):
+--
+2.33.0
+
diff --git a/python-django.spec b/python-django.spec
index e562ce0..9fd3dcc 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
 Version: 3.2.12
-Release: 8
+Release: 9
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL: https://www.djangoproject.com/
@@ -19,6 +19,8 @@ Patch6: CVE-2023-41164.patch
 Patch7: CVE-2023-43665.patch
 # https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
 Patch8: CVE-2023-46695.patch
+# https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
+Patch9: CVE-2024-24680.patch
 BuildArch: noarch

 %description
@@ -85,6 +87,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Wed Feb 07 2024 yaoxin - 3.2.12-9
+- Fix CVE-2024-24680
+
 * Mon Nov 06 2023 yaoxin - 3.2.12-8
 - Fix CVE-2023-46695
-- Gitee
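Review bot: The expanded `test_list`/`result_list` pairs in `test_intcomma` and `test_l10n_intcomma` never drive the rewritten regex branch with an integer part of exactly three or six digits: `100`, `"1000000"` and the like are int()-convertible and, judging from the `number_format` fallthrough in the humanize.py context lines, are grouped by `number_format` rather than by the new `\d{3}` substitution, while the only strings that reach the regex have seven digits. That boundary is where the reversed-string substitution differs from the removed `^(-?\d+)(\d{3})` logic, so adding `"123456.78",` to `test_list` and `"123,456.78",` to `result_list` (and the negative counterparts) in both tests would pin it down. The `with translation.override('en'):` block that closes `test_l10n_intcomma` continues below the hunk.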