Hello friends, Due to the issue with the recent ~deb11u4 upload of python-django [0], I'm sending over a draft of an (unrelated) ~deb11u5 upload (see below)
Best wishes, Chris [0] https://salsa.debian.org/python-team/packages/python-django/-/commit/6cefef4021211bc573db75b2d0ba1eb4d4954a53 -- ,''`. : :' : Chris Lamb `. `'` [email protected] 🍥 chris-lamb.co.uk `- diff --git debian/changelog debian/changelog index 99c9b921f..c2ee3e699 100644 --- debian/changelog +++ debian/changelog @@ -1,3 +1,13 @@ +python-django (2:2.2.28-1~deb11u5) bullseye-security; urgency=high + + * CVE-2024-56374: The lack of upper-bound limit enforcement in IPv6 + validation could have led to a potential denial-of-service attack. The + undocumented and private clean_ipv6_address and is_valid_ipv6_address + functions were vulnerable, as was the GenericIPAddressField form field. + (Closes: #1093049) + + -- Chris Lamb <[email protected]> Tue, 21 Jan 2025 12:32:26 +0000 + python-django (2:2.2.28-1~deb11u4) bullseye-security; urgency=high * The fix for CVE-2024-6923 in the python3.9 source package (released diff --git debian/patches/CVE-2024-56374.patch debian/patches/CVE-2024-56374.patch new file mode 100644 index 000000000..0af969b4c --- /dev/null +++ debian/patches/CVE-2024-56374.patch @@ -0,0 +1,245 @@ +From: Natalia <[email protected]> +Date: Mon, 6 Jan 2025 15:51:45 -0300 +Subject: [PATCH] [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in + IPv6 validation. + +Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz +Felisiak for the reviews. + +Co-authored-by: Natalia <[email protected]> +--- + django/db/models/fields/__init__.py | 6 ++-- + django/forms/fields.py | 5 ++-- + django/utils/ipv6.py | 15 ++++++++-- + docs/ref/forms/fields.txt | 9 ++++-- + .../field_tests/test_genericipaddressfield.py | 35 +++++++++++++++++++++- + tests/utils_tests/test_ipv6.py | 17 ++++++++++- + 6 files changed, 75 insertions(+), 12 deletions(-) + +diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py +index e2d1846ad625..b368361f3695 100644 +--- a/django/db/models/fields/__init__.py ++++ b/django/db/models/fields/__init__.py +@@ -26,7 +26,7 @@ from django.utils.dateparse import ( + ) + from django.utils.duration import duration_microseconds, duration_string + from django.utils.functional import Promise, cached_property +-from django.utils.ipv6 import clean_ipv6_address ++from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address + from django.utils.itercompat import is_iterable + from django.utils.text import capfirst + from django.utils.translation import gettext_lazy as _ +@@ -1904,7 +1904,7 @@ class GenericIPAddressField(Field): + self.default_validators, invalid_error_message = \ + validators.ip_address_validators(protocol, unpack_ipv4) + self.default_error_messages['invalid'] = invalid_error_message +- kwargs['max_length'] = 39 ++ kwargs['max_length'] = MAX_IPV6_ADDRESS_LENGTH + super().__init__(verbose_name, name, *args, **kwargs) + + def check(self, **kwargs): +@@ -1931,7 +1931,7 @@ class GenericIPAddressField(Field): + kwargs['unpack_ipv4'] = self.unpack_ipv4 + if self.protocol != "both": + kwargs['protocol'] = self.protocol +- if kwargs.get("max_length") == 39: ++ if kwargs.get("max_length") == self.max_length: + del kwargs['max_length'] + return name, path, args, kwargs + +diff --git a/django/forms/fields.py b/django/forms/fields.py +index 1185bfc77403..a4b9d8693266 100644 +--- a/django/forms/fields.py ++++ b/django/forms/fields.py +@@ -29,7 +29,7 @@ from django.forms.widgets import ( + from django.utils import formats + from django.utils.dateparse import parse_duration + from django.utils.duration import duration_string +-from django.utils.ipv6 import clean_ipv6_address ++from django.utils.ipv6 import clean_ipv6_address, MAX_IPV6_ADDRESS_LENGTH + from django.utils.translation import gettext_lazy as _, ngettext_lazy + + __all__ = ( +@@ -1162,6 +1162,7 @@ class GenericIPAddressField(CharField): + def __init__(self, *, protocol='both', unpack_ipv4=False, **kwargs): + self.unpack_ipv4 = unpack_ipv4 + self.default_validators = validators.ip_address_validators(protocol, unpack_ipv4)[0] ++ kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH) + super().__init__(**kwargs) + + def to_python(self, value): +@@ -1169,7 +1170,7 @@ class GenericIPAddressField(CharField): + return '' + value = value.strip() + if value and ':' in value: +- return clean_ipv6_address(value, self.unpack_ipv4) ++ return clean_ipv6_address(value, self.unpack_ipv4, max_length=self.max_length) + return value + + +diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py +index ddb8c8091d2f..beca70f06653 100644 +--- a/django/utils/ipv6.py ++++ b/django/utils/ipv6.py +@@ -3,9 +3,18 @@ import ipaddress + from django.core.exceptions import ValidationError + from django.utils.translation import gettext_lazy as _ + ++MAX_IPV6_ADDRESS_LENGTH = 39 ++ ++def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH): ++ if len(ip_str) > max_length: ++ raise ValueError( ++ f"Unable to convert {ip_str} to an IPv6 address (value too long)." ++ ) ++ return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str))) ++ + + def clean_ipv6_address(ip_str, unpack_ipv4=False, +- error_message=_("This is not a valid IPv6 address.")): ++ error_message=_("This is not a valid IPv6 address."), max_length=MAX_IPV6_ADDRESS_LENGTH): + """ + Clean an IPv6 address string. + +@@ -23,7 +32,7 @@ def clean_ipv6_address(ip_str, unpack_ipv4=False, + Return a compressed IPv6 address or the same value. + """ + try: +- addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str))) ++ addr = _ipv6_address_from_str(ip_str, max_length) + except ValueError: + raise ValidationError(error_message, code='invalid') + +@@ -40,7 +49,7 @@ def is_valid_ipv6_address(ip_str): + Return whether or not the `ip_str` string is a valid IPv6 address. + """ + try: +- ipaddress.IPv6Address(ip_str) ++ _ipv6_address_from_str(ip_str) + except ValueError: + return False + return True +diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt +index 6f76d0d6ed89..592f47b6004d 100644 +--- a/docs/ref/forms/fields.txt ++++ b/docs/ref/forms/fields.txt +@@ -684,6 +684,11 @@ For each field, we describe the default widget used if you don't specify + Takes two optional arguments for validation, ``max_value`` and ``min_value``. + These control the range of values permitted in the field. + ++ .. attribute:: max_length ++ ++ Defaults to 39, and behaves the same way as it does for ++ :class:`CharField`. ++ + ``ImageField`` + -------------- + +@@ -787,7 +792,7 @@ For each field, we describe the default widget used if you don't specify + * Empty value: ``''`` (an empty string) + * Normalizes to: A string. IPv6 addresses are normalized as described below. + * Validates that the given value is a valid IP address. +- * Error message keys: ``required``, ``invalid`` ++ * Error message keys: ``required``, ``invalid``, ``max_length`` + + The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2, + including using the IPv4 format suggested in paragraph 3 of that section, like +@@ -795,7 +800,7 @@ For each field, we describe the default widget used if you don't specify + ``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters + are converted to lowercase. + +- Takes two optional arguments: ++ Takes three optional arguments: + + .. attribute:: protocol + +diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py +index 97a83e38aedd..2acc103c3c29 100644 +--- a/tests/forms_tests/field_tests/test_genericipaddressfield.py ++++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py +@@ -1,5 +1,6 @@ + from django.forms import GenericIPAddressField, ValidationError + from django.test import SimpleTestCase ++from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH + + + class GenericIPAddressFieldTest(SimpleTestCase): +@@ -89,6 +90,35 @@ class GenericIPAddressFieldTest(SimpleTestCase): + with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"): + f.clean('1:2') + ++ def test_generic_ipaddress_max_length_custom(self): ++ # Valid IPv4-mapped IPv6 address, len 45. ++ addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228" ++ f = GenericIPAddressField(max_length=len(addr)) ++ f.clean(addr) ++ ++ def test_generic_ipaddress_max_length_validation_error(self): ++ # Valid IPv4-mapped IPv6 address, len 45. ++ addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228" ++ ++ cases = [ ++ ({}, MAX_IPV6_ADDRESS_LENGTH), # Default value. ++ ({"max_length": len(addr) - 1}, len(addr) - 1), ++ ] ++ for kwargs, max_length in cases: ++ max_length_plus_one = max_length + 1 ++ msg = ( ++ f"Ensure this value has at most {max_length} characters (it has " ++ f"{max_length_plus_one}).'" ++ ) ++ with self.subTest(max_length=max_length): ++ f = GenericIPAddressField(**kwargs) ++ with self.assertRaisesMessage(ValidationError, msg): ++ f.clean("x" * max_length_plus_one) ++ with self.assertRaisesMessage( ++ ValidationError, "This is not a valid IPv6 address." ++ ): ++ f.clean(addr) ++ + def test_generic_ipaddress_as_generic_not_required(self): + f = GenericIPAddressField(required=False) + self.assertEqual(f.clean(''), '') +@@ -103,7 +133,10 @@ class GenericIPAddressFieldTest(SimpleTestCase): + with self.assertRaisesMessage(ValidationError, "'Enter a valid IPv4 or IPv6 address.'"): + f.clean('256.125.1.5') + self.assertEqual(f.clean(' fe80::223:6cff:fe8a:2e8a '), 'fe80::223:6cff:fe8a:2e8a') +- self.assertEqual(f.clean(' 2a02::223:6cff:fe8a:2e8a '), '2a02::223:6cff:fe8a:2e8a') ++ self.assertEqual( ++ f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "), ++ "2a02::223:6cff:fe8a:2e8a", ++ ) + with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"): + f.clean('12345:2:3:4') + with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"): +diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py +index 4e434f3c3aa0..5a612d8f0bb2 100644 +--- a/tests/utils_tests/test_ipv6.py ++++ b/tests/utils_tests/test_ipv6.py +@@ -1,6 +1,7 @@ + import unittest + +-from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address ++from django.core.exceptions import ValidationError ++from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address, MAX_IPV6_ADDRESS_LENGTH + + + class TestUtilsIPv6(unittest.TestCase): +@@ -55,3 +56,17 @@ class TestUtilsIPv6(unittest.TestCase): + self.assertEqual(clean_ipv6_address('::ffff:0a0a:0a0a', unpack_ipv4=True), '10.10.10.10') + self.assertEqual(clean_ipv6_address('::ffff:1234:1234', unpack_ipv4=True), '18.52.18.52') + self.assertEqual(clean_ipv6_address('::ffff:18.52.18.52', unpack_ipv4=True), '18.52.18.52') ++ ++ def test_address_too_long(self): ++ addresses = [ ++ "0000:0000:0000:0000:0000:ffff:192.168.100.228", # IPv4-mapped IPv6 address ++ "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456", # % scope/zone ++ "fe80::223:6cff:fe8a:2e8a:1234:5678:00000", # MAX_IPV6_ADDRESS_LENGTH + 1 ++ ] ++ msg = "This is the error message." ++ value_error_msg = "Unable to convert %s to an IPv6 address (value too long)." ++ for addr in addresses: ++ self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH) ++ self.assertEqual(is_valid_ipv6_address(addr), False) ++ with self.assertRaises(ValidationError): ++ clean_ipv6_address(addr) diff --git debian/patches/series debian/patches/series index d49479315..62fcadf33 100644 --- debian/patches/series +++ debian/patches/series @@ -14,3 +14,4 @@ CVE-2023-24580.patch CVE-2023-23969.patch CVE-2024-53907.patch 0008-Workaround-changes-in-CVE-2024-6923.patch +CVE-2024-56374.patch
