[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Review of python-django 2:2.2.28-1~deb11u5



Hello friends,

Due to the issue with the recent ~deb11u4 upload of python-django [0],
I'm sending over a draft of an (unrelated) ~deb11u5 upload (see below)

Best wishes,

Chris

[0] https://salsa.debian.org/python-team/packages/python-django/-/commit/6cefef4021211bc573db75b2d0ba1eb4d4954a53


--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-


diff --git debian/changelog debian/changelog
index 99c9b921f..c2ee3e699 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,13 @@
+python-django (2:2.2.28-1~deb11u5) bullseye-security; urgency=high
+
+  * CVE-2024-56374: The lack of upper-bound limit enforcement in IPv6
+    validation could have led to a potential denial-of-service attack. The
+    undocumented and private clean_ipv6_address and is_valid_ipv6_address
+    functions were vulnerable, as was the GenericIPAddressField form field.
+    (Closes: #1093049)
+
+ -- Chris Lamb <lamby@debian.org>  Tue, 21 Jan 2025 12:32:26 +0000
+
 python-django (2:2.2.28-1~deb11u4) bullseye-security; urgency=high
 
   * The fix for CVE-2024-6923 in the python3.9 source package (released
diff --git debian/patches/CVE-2024-56374.patch debian/patches/CVE-2024-56374.patch
new file mode 100644
index 000000000..0af969b4c
--- /dev/null
+++ debian/patches/CVE-2024-56374.patch
@@ -0,0 +1,245 @@
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 6 Jan 2025 15:51:45 -0300
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-56374 -- Mitigated potential DoS in
+  IPv6 validation.
+
+Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz
+Felisiak for the reviews.
+
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+---
+ django/db/models/fields/__init__.py                |  6 ++--
+ django/forms/fields.py                             |  5 ++--
+ django/utils/ipv6.py                               | 15 ++++++++--
+ docs/ref/forms/fields.txt                          |  9 ++++--
+ .../field_tests/test_genericipaddressfield.py      | 35 +++++++++++++++++++++-
+ tests/utils_tests/test_ipv6.py                     | 17 ++++++++++-
+ 6 files changed, 75 insertions(+), 12 deletions(-)
+
+diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
+index e2d1846ad625..b368361f3695 100644
+--- a/django/db/models/fields/__init__.py
++++ b/django/db/models/fields/__init__.py
+@@ -26,7 +26,7 @@ from django.utils.dateparse import (
+ )
+ from django.utils.duration import duration_microseconds, duration_string
+ from django.utils.functional import Promise, cached_property
+-from django.utils.ipv6 import clean_ipv6_address
++from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH, clean_ipv6_address
+ from django.utils.itercompat import is_iterable
+ from django.utils.text import capfirst
+ from django.utils.translation import gettext_lazy as _
+@@ -1904,7 +1904,7 @@ class GenericIPAddressField(Field):
+         self.default_validators, invalid_error_message = \
+             validators.ip_address_validators(protocol, unpack_ipv4)
+         self.default_error_messages['invalid'] = invalid_error_message
+-        kwargs['max_length'] = 39
++        kwargs['max_length'] = MAX_IPV6_ADDRESS_LENGTH
+         super().__init__(verbose_name, name, *args, **kwargs)
+ 
+     def check(self, **kwargs):
+@@ -1931,7 +1931,7 @@ class GenericIPAddressField(Field):
+             kwargs['unpack_ipv4'] = self.unpack_ipv4
+         if self.protocol != "both":
+             kwargs['protocol'] = self.protocol
+-        if kwargs.get("max_length") == 39:
++        if kwargs.get("max_length") == self.max_length:
+             del kwargs['max_length']
+         return name, path, args, kwargs
+ 
+diff --git a/django/forms/fields.py b/django/forms/fields.py
+index 1185bfc77403..a4b9d8693266 100644
+--- a/django/forms/fields.py
++++ b/django/forms/fields.py
+@@ -29,7 +29,7 @@ from django.forms.widgets import (
+ from django.utils import formats
+ from django.utils.dateparse import parse_duration
+ from django.utils.duration import duration_string
+-from django.utils.ipv6 import clean_ipv6_address
++from django.utils.ipv6 import clean_ipv6_address, MAX_IPV6_ADDRESS_LENGTH
+ from django.utils.translation import gettext_lazy as _, ngettext_lazy
+ 
+ __all__ = (
+@@ -1162,6 +1162,7 @@ class GenericIPAddressField(CharField):
+     def __init__(self, *, protocol='both', unpack_ipv4=False, **kwargs):
+         self.unpack_ipv4 = unpack_ipv4
+         self.default_validators = validators.ip_address_validators(protocol, unpack_ipv4)[0]
++        kwargs.setdefault("max_length", MAX_IPV6_ADDRESS_LENGTH)
+         super().__init__(**kwargs)
+ 
+     def to_python(self, value):
+@@ -1169,7 +1170,7 @@ class GenericIPAddressField(CharField):
+             return ''
+         value = value.strip()
+         if value and ':' in value:
+-            return clean_ipv6_address(value, self.unpack_ipv4)
++            return clean_ipv6_address(value, self.unpack_ipv4, max_length=self.max_length)
+         return value
+ 
+ 
+diff --git a/django/utils/ipv6.py b/django/utils/ipv6.py
+index ddb8c8091d2f..beca70f06653 100644
+--- a/django/utils/ipv6.py
++++ b/django/utils/ipv6.py
+@@ -3,9 +3,18 @@ import ipaddress
+ from django.core.exceptions import ValidationError
+ from django.utils.translation import gettext_lazy as _
+ 
++MAX_IPV6_ADDRESS_LENGTH = 39
++
++def _ipv6_address_from_str(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
++    if len(ip_str) > max_length:
++        raise ValueError(
++            f"Unable to convert {ip_str} to an IPv6 address (value too long)."
++        )
++    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
++
+ 
+ def clean_ipv6_address(ip_str, unpack_ipv4=False,
+-                       error_message=_("This is not a valid IPv6 address.")):
++                       error_message=_("This is not a valid IPv6 address."), max_length=MAX_IPV6_ADDRESS_LENGTH):
+     """
+     Clean an IPv6 address string.
+ 
+@@ -23,7 +32,7 @@ def clean_ipv6_address(ip_str, unpack_ipv4=False,
+     Return a compressed IPv6 address or the same value.
+     """
+     try:
+-        addr = ipaddress.IPv6Address(int(ipaddress.IPv6Address(ip_str)))
++        addr = _ipv6_address_from_str(ip_str, max_length)
+     except ValueError:
+         raise ValidationError(error_message, code='invalid')
+ 
+@@ -40,7 +49,7 @@ def is_valid_ipv6_address(ip_str):
+     Return whether or not the `ip_str` string is a valid IPv6 address.
+     """
+     try:
+-        ipaddress.IPv6Address(ip_str)
++        _ipv6_address_from_str(ip_str)
+     except ValueError:
+         return False
+     return True
+diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
+index 6f76d0d6ed89..592f47b6004d 100644
+--- a/docs/ref/forms/fields.txt
++++ b/docs/ref/forms/fields.txt
+@@ -684,6 +684,11 @@ For each field, we describe the default widget used if you don't specify
+     Takes two optional arguments for validation, ``max_value`` and ``min_value``.
+     These control the range of values permitted in the field.
+ 
++    .. attribute:: max_length
++
++        Defaults to 39, and behaves the same way as it does for
++        :class:`CharField`.
++
+ ``ImageField``
+ --------------
+ 
+@@ -787,7 +792,7 @@ For each field, we describe the default widget used if you don't specify
+     * Empty value: ``''`` (an empty string)
+     * Normalizes to: A string. IPv6 addresses are normalized as described below.
+     * Validates that the given value is a valid IP address.
+-    * Error message keys: ``required``, ``invalid``
++    * Error message keys: ``required``, ``invalid``, ``max_length``
+ 
+     The IPv6 address normalization follows :rfc:`4291#section-2.2` section 2.2,
+     including using the IPv4 format suggested in paragraph 3 of that section, like
+@@ -795,7 +800,7 @@ For each field, we describe the default widget used if you don't specify
+     ``2001::1``, and ``::ffff:0a0a:0a0a`` to ``::ffff:10.10.10.10``. All characters
+     are converted to lowercase.
+ 
+-    Takes two optional arguments:
++    Takes three optional arguments:
+ 
+     .. attribute:: protocol
+ 
+diff --git a/tests/forms_tests/field_tests/test_genericipaddressfield.py b/tests/forms_tests/field_tests/test_genericipaddressfield.py
+index 97a83e38aedd..2acc103c3c29 100644
+--- a/tests/forms_tests/field_tests/test_genericipaddressfield.py
++++ b/tests/forms_tests/field_tests/test_genericipaddressfield.py
+@@ -1,5 +1,6 @@
+ from django.forms import GenericIPAddressField, ValidationError
+ from django.test import SimpleTestCase
++from django.utils.ipv6 import MAX_IPV6_ADDRESS_LENGTH
+ 
+ 
+ class GenericIPAddressFieldTest(SimpleTestCase):
+@@ -89,6 +90,35 @@ class GenericIPAddressFieldTest(SimpleTestCase):
+         with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
+             f.clean('1:2')
+ 
++    def test_generic_ipaddress_max_length_custom(self):
++        # Valid IPv4-mapped IPv6 address, len 45.
++        addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
++        f = GenericIPAddressField(max_length=len(addr))
++        f.clean(addr)
++
++    def test_generic_ipaddress_max_length_validation_error(self):
++        # Valid IPv4-mapped IPv6 address, len 45.
++        addr = "0000:0000:0000:0000:0000:ffff:192.168.100.228"
++
++        cases = [
++            ({}, MAX_IPV6_ADDRESS_LENGTH),  # Default value.
++            ({"max_length": len(addr) - 1}, len(addr) - 1),
++        ]
++        for kwargs, max_length in cases:
++            max_length_plus_one = max_length + 1
++            msg = (
++                f"Ensure this value has at most {max_length} characters (it has "
++                f"{max_length_plus_one}).'"
++            )
++            with self.subTest(max_length=max_length):
++                f = GenericIPAddressField(**kwargs)
++                with self.assertRaisesMessage(ValidationError, msg):
++                    f.clean("x" * max_length_plus_one)
++                with self.assertRaisesMessage(
++                    ValidationError, "This is not a valid IPv6 address."
++                ):
++                    f.clean(addr)
++
+     def test_generic_ipaddress_as_generic_not_required(self):
+         f = GenericIPAddressField(required=False)
+         self.assertEqual(f.clean(''), '')
+@@ -103,7 +133,10 @@ class GenericIPAddressFieldTest(SimpleTestCase):
+         with self.assertRaisesMessage(ValidationError, "'Enter a valid IPv4 or IPv6 address.'"):
+             f.clean('256.125.1.5')
+         self.assertEqual(f.clean(' fe80::223:6cff:fe8a:2e8a '), 'fe80::223:6cff:fe8a:2e8a')
+-        self.assertEqual(f.clean(' 2a02::223:6cff:fe8a:2e8a '), '2a02::223:6cff:fe8a:2e8a')
++        self.assertEqual(
++            f.clean(" " * MAX_IPV6_ADDRESS_LENGTH + " 2a02::223:6cff:fe8a:2e8a "),
++            "2a02::223:6cff:fe8a:2e8a",
++        )
+         with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
+             f.clean('12345:2:3:4')
+         with self.assertRaisesMessage(ValidationError, "'This is not a valid IPv6 address.'"):
+diff --git a/tests/utils_tests/test_ipv6.py b/tests/utils_tests/test_ipv6.py
+index 4e434f3c3aa0..5a612d8f0bb2 100644
+--- a/tests/utils_tests/test_ipv6.py
++++ b/tests/utils_tests/test_ipv6.py
+@@ -1,6 +1,7 @@
+ import unittest
+ 
+-from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address
++from django.core.exceptions import ValidationError
++from django.utils.ipv6 import clean_ipv6_address, is_valid_ipv6_address, MAX_IPV6_ADDRESS_LENGTH
+ 
+ 
+ class TestUtilsIPv6(unittest.TestCase):
+@@ -55,3 +56,17 @@ class TestUtilsIPv6(unittest.TestCase):
+         self.assertEqual(clean_ipv6_address('::ffff:0a0a:0a0a', unpack_ipv4=True), '10.10.10.10')
+         self.assertEqual(clean_ipv6_address('::ffff:1234:1234', unpack_ipv4=True), '18.52.18.52')
+         self.assertEqual(clean_ipv6_address('::ffff:18.52.18.52', unpack_ipv4=True), '18.52.18.52')
++
++    def test_address_too_long(self):
++        addresses = [
++            "0000:0000:0000:0000:0000:ffff:192.168.100.228",  # IPv4-mapped IPv6 address
++            "0000:0000:0000:0000:0000:ffff:192.168.100.228%123456",  # % scope/zone
++            "fe80::223:6cff:fe8a:2e8a:1234:5678:00000",  # MAX_IPV6_ADDRESS_LENGTH + 1
++        ]
++        msg = "This is the error message."
++        value_error_msg = "Unable to convert %s to an IPv6 address (value too long)."
++        for addr in addresses:
++            self.assertGreater(len(addr), MAX_IPV6_ADDRESS_LENGTH)
++            self.assertEqual(is_valid_ipv6_address(addr), False)
++            with self.assertRaises(ValidationError):
++                clean_ipv6_address(addr)
diff --git debian/patches/series debian/patches/series
index d49479315..62fcadf33 100644
--- debian/patches/series
+++ debian/patches/series
@@ -14,3 +14,4 @@ CVE-2023-24580.patch
 CVE-2023-23969.patch
 CVE-2024-53907.patch
 0008-Workaround-changes-in-CVE-2024-6923.patch
+CVE-2024-56374.patch


Reply to: