Bug#922027: python-django: Django security release
On Mon, Feb 11, 2019 at 03:07:36PM +0100, Chris Lamb wrote:
> [Adding t...@security.debian.org to CC]
>
> Chris Lamb wrote:
>
> > retitle 922027 CVE-2019-6975: Memory exhaustion in
> > django.utils.numberformat.format()
> > severity 922027 grave
> > found 922027 1:1.10.7-2+deb9u3
> > tags 922027 + security
> > thanks
>
> Security team, may I upload this to stretch-security? Diff attached.

This doesn't warrant a DSA, let's postpone this until something more severe comes up.

Cheers,
Moritz
Bug#922027: python-django: Django security release
Hi Moritz,

> > Security team, may I upload this to stretch-security? Diff attached.
>
> This doesn't warrant a DSA, let's postpone this until something more severe comes up.

Noted. Can you update data/CVE/list?

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
Bug#922027: python-django: Django security release
Chris Lamb wrote:

> [Adding t...@security.debian.org to CC]
>
> > retitle 922027 CVE-2019-6975: Memory exhaustion in
> > django.utils.numberformat.format()
> > severity 922027 grave
> > found 922027 1:1.10.7-2+deb9u3
> > tags 922027 + security
> > thanks
>
> Security team, may I upload this to stretch-security? Diff attached.

Gentle ping on this? :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
Bug#922027: python-django: Django security release
[Adding t...@security.debian.org to CC]

Chris Lamb wrote:

> retitle 922027 CVE-2019-6975: Memory exhaustion in
> django.utils.numberformat.format()
> severity 922027 grave
> found 922027 1:1.10.7-2+deb9u3
> tags 922027 + security
> thanks

Security team, may I upload this to stretch-security? Diff attached.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-

diff --git a/debian/changelog b/debian/changelog index fa89c8b21..55d1fc21b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high + + * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format(). +(Closes: #922027) + + -- Chris Lamb Mon, 11 Feb 2019 15:01:30 +0100 + python-django (1:1.10.7-2+deb9u4) stretch-security; urgency=high * CVE-2019-3498: Prevent a content-spoofing vulnerability in the default diff --git a/debian/patches/0019-CVE-2019-6795.patch b/debian/patches/0019-CVE-2019-6795.patch new file mode 100644 index 0..39c2f864c --- /dev/null +++ b/debian/patches/0019-CVE-2019-6795.patch 
@@ -0,0 +1,69 @@ +From: Carlton Gibson +Date: Mon, 11 Feb 2019 11:15:45 +0100 +Subject: Fixed CVE-2019-6975 -- Fixed memory exhaustion in + utils.numberformat.format(). + +Thanks Sjoerd Job Postmus for the report and initial patch. +Thanks Michael Manfre, Tim Graham, and Florian Apolloner for review. + +Backport of 402c0caa851e265410fbcaa55318f22d2bf22ee2 from master. +--- + django/utils/numberformat.py | 15 ++- + tests/utils_tests/test_numberformat.py | 18 ++ + 2 files changed, 32 insertions(+), 1 deletion(-) + +diff --git a/django/utils/numberformat.py b/django/utils/numberformat.py +index 6667d82..8b4d228 100644 +--- a/django/utils/numberformat.py b/django/utils/numberformat.py +@@ -27,7 +27,20 @@ def format(number, decimal_sep, decimal_pos=None, grouping=0, thousand_sep='', + # sign + sign = '' + if isinstance(number, Decimal): +-str_number = '{:f}'.format(number) ++# Format values with more than 200 digits (an arbitrary cutoff) using ++# scientific notation to avoid high memory usage in {:f}'.format(). ++_, digits, exponent = number.as_tuple() ++if abs(exponent) + len(digits) > 200: ++number = '{:e}'.format(number) ++coefficient, exponent = number.split('e') ++# Format the coefficient. 
++coefficient = format( ++coefficient, decimal_sep, decimal_pos, grouping, ++thousand_sep, force_grouping, ++) ++return '{}e{}'.format(coefficient, exponent) ++else: ++str_number = '{:f}'.format(number) + else: + str_number = six.text_type(number) + if str_number[0] == '-': +diff --git a/tests/utils_tests/test_numberformat.py b/tests/utils_tests/test_numberformat.py +index 3dd1b06..769406c 100644 +--- a/tests/utils_tests/test_numberformat.py b/tests/utils_tests/test_numberformat.py +@@ -60,6 +60,24 @@ class TestNumberFormat(TestCase): + self.assertEqual(nformat(Decimal('1234'), '.', grouping=2, thousand_sep=',', force_grouping=True), '12,34') + self.assertEqual(nformat(Decimal('-1234.33'), '.', decimal_pos=1), '-1234.3') + self.assertEqual(nformat(Decimal('0.0001'), '.', decimal_pos=8), '0.0001') ++# Very large & small numbers. ++tests = [ ++('9e', None, '9e+'), ++('9e', 3, '9.000e+'), ++('9e201', None, '9e+201'), ++('9e200', None, '9e+200'), ++('1.2345e999', 2, '1.23e+999'), ++('9e-999', None, '9e-999'), ++('1e-7', 8, '0.0010'), ++('1e-8', 8, '0.0001'), ++('1e-9', 8, '0.'), ++('1e-10', 8, '0.'), ++('1e-11', 8, '0.'), ++('1' + ('0' * 300), 3, '1.000e+300'), ++('0.{}1234'.format('0' * 299), 3, '1.234e-300'), ++] ++for value, decimal_pos, expected_value in tests: ++self.assertEqual(nformat(Decimal(value), '.', decimal_pos), expected_value) + + def test_decimal_subclass(self): + class EuroDecimal(Decimal): diff --git a/debian/patches/series b/debian/patches/series index 5bda383eb..ad6685673 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ fix-test-middleware-classes-headers.patch 0016-CVE-2017-12794.patch 0006-Default-to-supporting-Spatialite-4.2.patch 0017-CVE-2019-3498.patch +0018-CVE-2019-6975.patch
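Review bot: the series hunk adds `0018-CVE-2019-6975.patch`, but the new file created in this diff is `debian/patches/0019-CVE-2019-6795.patch`, so quilt will look for a patch that does not exist, and the CVE digits in the filename are transposed (6795 here, 6975 in the changelog entry and the patch header). Rename the new file to `0018-CVE-2019-6975.patch` (or make the series line match the file) before uploading.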
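Review bot: the new `if abs(exponent) + len(digits) > 200:` test in django/utils/numberformat.py assumes `Decimal.as_tuple()` returns an integer exponent; for `Decimal('Infinity')`, `Decimal('-Infinity')` or `Decimal('NaN')` the exponent field is a string ('F', 'n' or 'N') and `abs()` raises TypeError, whereas the replaced `str_number = '{:f}'.format(number)` rendered them as 'Infinity' / 'NaN'. Guarding the branch, e.g. `if number.is_finite() and abs(exponent) + len(digits) > 200:`, keeps the old behaviour for special values. It is also worth a comment that the recursive `format(coefficient, ...)` call works only because the coefficient is a string and so takes the `six.text_type(number)` branch rather than re-entering the Decimal branch.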
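Review bot: several entries of the new `tests` list in tests/utils_tests/test_numberformat.py have lost digits as shown here: `('9e', None, '9e+')` and `('9e', 3, '9.000e+')` carry no exponent digits, and `Decimal('9e')` is not a valid literal (it raises InvalidOperation), while `('1e-7', 8, '0.0010')` cannot hold with 8 decimal places; the `index 0..39c2f864c` line shows the same collapse. Compare the patch file byte-for-byte against upstream commit 402c0caa851e265410fbcaa55318f22d2bf22ee2 before upload so the backported tests assert the real values.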
Bug#922027: python-django: Django security release
retitle 922027 CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
severity 922027 grave
found 922027 1:1.10.7-2+deb9u3
tags 922027 + security
thanks

Hi,

Noted that upstream might re-release. Will hold off for the time being:

  https://code.djangoproject.com/ticket/30175#comment:4

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org chris-lamb.co.uk
       `-
Bug#922027: python-django: Django security release
On Mon, 11 Feb 2019 10:15:54 -0200 Herbert Fortes wrote:
> Package: python-django
> Version: Django 2.2, 1.11
> Severity: normal
>
>
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
>
> If django.utils.numberformat.format() -- used by contrib.admin as well as the
> floatformat, filesizeformat, and intcomma template filters -- received a
> Decimal with a large number of digits or a large exponent, it could lead to
> significant memory usage due to a call to '{:f}'.format().
>
> To avoid this, decimals with more than 200 digits are now formatted using
> scientific notation.
>
> Thanks Sjoerd Job Postmus for reporting this issue.
>
> Affected supported versions
>
> Django master branch
> Django 2.2 (which will be released in a separate blog post later today)
> Django 2.1
> Django 2.0
> Django 1.11
>
> Per our supported versions policy, Django 1.10 and older are no longer
> supported.
>
> https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
>

Broken django 1.11.19 release for python2.7

It looks like the distributed django 1.11.19 release does not match the code in the 1.11.19 tag.

Component: Uncategorized → Core (Other)
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

https://code.djangoproject.com/ticket/30175
Bug#922027: python-django: Django security release
Package: python-django
Version: Django 2.2, 1.11
Severity: normal

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the
floatformat, filesizeformat, and intcomma template filters -- received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.

Thanks Sjoerd Job Postmus for reporting this issue.

Affected supported versions

Django master branch
Django 2.2 (which will be released in a separate blog post later today)
Django 2.1
Django 2.0
Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer
supported.

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Regards,
Herbert
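The mechanism described in the report above, as an added example that is not part of this thread or of Django's code: a stand-alone re-implementation of the 200-digit guard (function names are mine) that also keeps the pre-patch behaviour for Decimal('Infinity') and Decimal('NaN'), which `abs()` on the `as_tuple()` exponent would otherwise break.

```python
"""Added example (not Django's code): the digit-count guard behind the
CVE-2019-6975 fix, rebuilt stand-alone.  '{:f}'.format(Decimal(...)) writes
out every digit, so a Decimal with a huge exponent becomes a string of that
many zeros.  The fix reads Decimal.as_tuple() to learn how many digits
fixed notation would need and switches to scientific notation above 200.
Function names are mine; the is_finite() guard is my addition.
"""
from decimal import Decimal

DIGIT_CUTOFF = 200  # the (arbitrary) cutoff used by the upstream fix


def digit_budget(number) -> int:
    """Digits '{:f}' would emit for a Decimal (or literal), computed without emitting them."""
    _sign, digits, exponent = Decimal(number).as_tuple()
    # Infinity/NaN carry a string exponent ('F', 'n', 'N') and format as
    # short words, so they cost nothing.
    if not isinstance(exponent, int):
        return 0
    return abs(exponent) + len(digits)


def _truncate_decimals(text: str, decimal_pos) -> str:
    """Cut or zero-pad the fractional part of an already formatted string."""
    if decimal_pos is None:
        return text
    int_part, _, dec_part = text.partition('.')
    if decimal_pos == 0:
        return int_part
    return int_part + '.' + dec_part[:decimal_pos].ljust(decimal_pos, '0')


def format_decimal(number: Decimal, decimal_pos=None) -> str:
    """Fixed notation when it is cheap, scientific notation when it is not."""
    if digit_budget(number) > DIGIT_CUTOFF:
        # '{:e}' emits only the significant digits plus an exponent.  The
        # coefficient is post-processed as a string, as in the upstream
        # patch, so this never recurses into the Decimal branch.
        coefficient, exponent = '{:e}'.format(number).split('e')
        return '{}e{}'.format(_truncate_decimals(coefficient, decimal_pos), exponent)
    if not number.is_finite():
        return '{:f}'.format(number)  # 'Infinity', '-Infinity', 'NaN'
    return _truncate_decimals('{:f}'.format(number), decimal_pos)


def format_str(value: str, decimal_pos=None) -> str:
    """Parse a decimal literal, then format it."""
    return format_decimal(Decimal(value), decimal_pos)
```

`format_str('9e201')` returns `'9e+201'`, where `'{:f}'` would have needed 202 characters; `digit_budget()` reports that cost before anything is allocated.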