From 08b114f54cbed15fa236cc057dd9d5ac0466f435 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Mon, 13 Feb 2023 20:15:06 +0800 Subject: [PATCH] Fix CVE-2023-23969 (cherry picked from commit 0aaf520a2401b0732d6f9a1b1d6f53668a1094a7) --- CVE-2023-23969.patch | 100 +++++++++++++++++++++++++++++++++++++++++++ python-django.spec | 6 ++- 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-23969.patch diff --git a/CVE-2023-23969.patch b/CVE-2023-23969.patch new file mode 100644 index 0000000..80d53e0 --- /dev/null +++ b/CVE-2023-23969.patch @@ -0,0 +1,100 @@ +From 9c679aa0189c11bfe62e136380960247af77df18 Mon Sep 17 00:00:00 2001 +From: starlet-dx <15929766099@163.com> +Date: Mon, 13 Feb 2023 20:10:27 +0800 +Subject: [PATCH 1/1] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathologi cal values for Accept-Language. + +The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. + +Accept-Language headers are now limited to a maximum length in order to avoid this issue. +--- + django/utils/translation/trans_real.py | 32 +++++++++++++++++++++++++- + tests/i18n/tests.py | 12 ++++++++++ + 2 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py +index 486b2b2..ecd701f 100644 +--- a/django/utils/translation/trans_real.py ++++ b/django/utils/translation/trans_real.py +@@ -29,6 +29,11 @@ _default = None + # magic gettext number to separate context from message + CONTEXT_SEPARATOR = "\x04" + ++# Maximum number of characters that will be parsed from the Accept-Language ++# header to prevent possible denial of service or memory exhaustion attacks. ++# About 10x longer than the longest value shown on MDN’s Accept-Language page. ++ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500 ++ + # Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9 + # and RFC 3066, section 2.1 + accept_language_re = re.compile(r''' +@@ -560,7 +565,7 @@ def get_language_from_request(request, check_path=False): + + + @functools.lru_cache(maxsize=1000) +-def parse_accept_lang_header(lang_string): ++def _parse_accept_lang_header(lang_string): + """ + Parse the lang_string, which is the body of an HTTP Accept-Language + header, and return a tuple of (lang, q-value), ordered by 'q' values. +@@ -582,3 +587,28 @@ def parse_accept_lang_header(lang_string): + result.append((lang, priority)) + result.sort(key=lambda k: k[1], reverse=True) + return tuple(result) ++ ++ ++def parse_accept_lang_header(lang_string): ++ """ ++ Parse the value of the Accept-Language header up to a maximum length. ++ ++ The value of the header is truncated to a maximum length to avoid potential ++ denial of service and memory exhaustion attacks. Excessive memory could be ++ used if the raw value is very large as it would be cached due to the use of ++ functools.lru_cache() to avoid repetitive parsing of common header values. ++ """ ++ # If the header value doesn't exceed the maximum allowed length, parse it. ++ if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH: ++ return _parse_accept_lang_header(lang_string) ++ ++ # If there is at least one comma in the value, parse up to the last comma ++ # before the max length, skipping any truncated parts at the end of the ++ # header value. ++ index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH) ++ if index > 0: ++ return _parse_accept_lang_header(lang_string[:index]) ++ ++ # Don't attempt to parse if there is only one language-range value which is ++ # longer than the maximum allowed length and so truncated. ++ return () +diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py +index 7381cb9..6efc3a5 100644 +--- a/tests/i18n/tests.py ++++ b/tests/i18n/tests.py +@@ -1282,6 +1282,14 @@ class MiscTests(SimpleTestCase): + ('de;q=0.', [('de', 0.0)]), + ('en; q=1,', [('en', 1.0)]), + ('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]), ++ ( ++ 'en' + '-x' * 20, ++ [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)], ++ ), ++ ( ++ ', '.join(['en; q=1.0'] * 20), ++ [('en', 1.0)] * 20, ++ ), + # Bad headers + ('en-gb;q=1.0000', []), + ('en;q=0.1234', []), +@@ -1297,6 +1305,10 @@ class MiscTests(SimpleTestCase): + ('12-345', []), + ('', []), + ('en;q=1e0', []), ++ # Invalid as language-range value too long. ++ ('xxxxxxxx' + '-xxxxxxxx' * 500, []), ++ # Header value too long, only parse up to limit. ++ (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45), + ] + for value, expected in tests: + with self.subTest(value=value): +-- +2.30.0 + diff --git a/python-django.spec b/python-django.spec index 35636fb..e2da052 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 2.2.27 -Release: 2 +Release: 3 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT URL: https://www.djangoproject.com/ @@ -11,6 +11,7 @@ Source0: https://github.com/django/django/archive/refs/tags/2.2.27.tar.gz Patch0: CVE-2022-28346.patch #https://github.com/django/django/commit/29a6c98b4c13af82064f993f0acc6e8fafa4d3f5 Patch1: CVE-2022-28347.patch +Patch2: CVE-2023-23969.patch BuildArch: noarch %description @@ -77,6 +78,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Mon Feb 13 2023 yaoxin - 2.2.27-3 +- Fix CVE-2023-23969 + * Thu Apr 21 2022 yaoxin - 2.2.27-2 - Fix CVE-2022-28346 CVE-2022-28347