Version in base suite: 3.2.19-1
Base version: python-django_3.2.19-1
Target version: python-django_3.2.19-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-django/python-django_3.2.19-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-django/python-django_3.2.19-1+deb12u1.dsc
changelog | 13 +
gbp.conf | 2
gitlab-ci.yml | 3
patches/0013-fix-url-validator.patch | 54 +++++++
patches/CVE-2023-36053.patch | 242 +++++++++++++++++++++++++++++++++++
patches/series | 2
6 files changed, 312 insertions(+), 4 deletions(-)
diff -Nru python-django-3.2.19/debian/changelog python-django-3.2.19/debian/changelog
--- python-django-3.2.19/debian/changelog 2023-05-03 16:32:59.000000000 +0000
+++ python-django-3.2.19/debian/changelog 2023-07-28 13:24:04.000000000 +0000
@@ -1,3 +1,16 @@
+python-django (3:3.2.19-1+deb12u1) bookworm-security; urgency=high
+
+ * CVE-2023-36053: Potential regular expression denial of service
+ vulnerability in EmailValidator/URLValidator.
+
+ EmailValidator and URLValidator were subject to potential regular
+ expression denial of service attack via a very large number of domain name
+ labels of emails and URLs. (Closes: #1040225)
+
+ * Add/apply the URLValidator patch from sid.
+
+ -- Chris Lamb Fri, 28 Jul 2023 14:24:04 +0100
+
 python-django (3:3.2.19-1) unstable; urgency=medium
 * New upstream security release.
diff -Nru python-django-3.2.19/debian/gbp.conf python-django-3.2.19/debian/gbp.conf
--- python-django-3.2.19/debian/gbp.conf 2023-05-03 16:32:59.000000000 +0000
+++ python-django-3.2.19/debian/gbp.conf 2023-07-28 13:24:04.000000000 +0000
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch=upstream/3.x
-debian-branch=debian/sid
+debian-branch=debian/bookworm
 pristine-tar=True
 [pq]
diff -Nru python-django-3.2.19/debian/gitlab-ci.yml python-django-3.2.19/debian/gitlab-ci.yml
--- python-django-3.2.19/debian/gitlab-ci.yml 2023-05-03 16:32:59.000000000 +0000
+++ python-django-3.2.19/debian/gitlab-ci.yml 2023-07-28 13:24:04.000000000 +0000
@@ -3,6 +3,3 @@
 lintian:
 allow_failure: true
-
-reprotest:
- allow_failure: true
diff -Nru python-django-3.2.19/debian/patches/0013-fix-url-validator.patch python-django-3.2.19/debian/patches/0013-fix-url-validator.patch
--- python-django-3.2.19/debian/patches/0013-fix-url-validator.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-django-3.2.19/debian/patches/0013-fix-url-validator.patch 2023-07-28 13:24:04.000000000 +0000
@@ -0,0 +1,54 @@
+From: Pedro Schlickmann Mendes
+Date: Thu, 20 Jul 2023 12:59:59 +0100
+Subject: Fixed URLValidator crash in some edge cases
+
+Origin: upstream, https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c
+Bug: https://code.djangoproject.com/ticket/33367
+Last-Update: 2021-12-15
+---
+ django/core/validators.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 731ccf2d4690..6b28eef08dd2 100644
+--- a/django/core/validators.py
++++ b/django/core/validators.py
+@@ -110,15 +110,16 @@ class URLValidator(RegexValidator):
+ raise ValidationError(self.message, code=self.code, params={'value': value})
+
+ # Then check full URL
++ try:
++ splitted_url = urlsplit(value)
++ except ValueError:
++ raise ValidationError(self.message, code=self.code, params={'value': value})
+ try:
+ super().__call__(value)
+ except ValidationError as e:
+ # Trivial case failed. Try for possible IDN domain
+ if value:
+- try:
+- scheme, netloc, path, query, fragment = urlsplit(value)
+- except ValueError: # for example, "Invalid IPv6 URL"
+- raise ValidationError(self.message, code=self.code, params={'value': value})
++ scheme, netloc, path, query, fragment = splitted_url
+ try:
+ netloc = punycode(netloc) # IDN -> ACE
+ except UnicodeError: # invalid domain part
+@@ -129,7 +130,7 @@ class URLValidator(RegexValidator):
+ raise
+ else:
+ # Now verify IPv6 in the netloc part
+- host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
++ host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', splitted_url.netloc)
+ if host_match:
+ potential_ip = host_match[1]
+ try:
+@@ -141,7 +142,7 @@ class URLValidator(RegexValidator):
+ # section 3.1. It's defined to be 255 bytes or less, but this includes
+ # one byte for the length of the name and one byte for the trailing dot
+ # that's used to indicate absolute names in DNS.
+- if len(urlsplit(value).hostname) > 253:
++ if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
+ raise ValidationError(self.message, code=self.code, params={'value': value})
+
+
diff -Nru python-django-3.2.19/debian/patches/CVE-2023-36053.patch python-django-3.2.19/debian/patches/CVE-2023-36053.patch
--- python-django-3.2.19/debian/patches/CVE-2023-36053.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-django-3.2.19/debian/patches/CVE-2023-36053.patch 2023-07-28 13:24:04.000000000 +0000
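Review bot: The backported patch carries only the `django/core/validators.py` change (its embedded diffstat lists one file), so no regression test ships for the two crash paths it closes in `URLValidator.__call__`: a `ValueError` from `urlsplit()` outside the IDN fallback branch, and a `None` hostname reaching `len()`. I would add matching cases under `tests/validators/` in this same patch so a later refresh of the series cannot silently drop the guard. The DEP-3 header also gives `Last-Update: 2021-12-15` while the patch `Date:` is 2023-07-20, so one of the two looks stale. CVE-2023-36053.patch appears to be generated against this patch's post-image (its `index` line starts at `6b28eef08dd2`), so the order added to `patches/series` has to be kept.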
@@ -0,0 +1,242 @@
+From: Mariusz Felisiak
+Date: Wed, 14 Jun 2023 12:23:06 +0200
+Subject: [PATCH] [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in
+ EmailValidator and URLValidator.
+
+Thanks Seokchan Yoon for reports.
+---
+ django/core/validators.py | 7 +++++--
+ django/forms/fields.py | 3 +++
+ docs/ref/forms/fields.txt | 7 ++++++-
+ docs/ref/validators.txt | 25 +++++++++++++++++++++++-
+ tests/forms_tests/field_tests/test_emailfield.py | 5 ++++-
+ tests/forms_tests/tests/test_forms.py | 19 ++++++++++++------
+ tests/validators/tests.py | 11 +++++++++++
+ 7 files changed, 66 insertions(+), 11 deletions(-)
+
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 6b28eef08dd2..52ebddac6345 100644
+--- a/django/core/validators.py
++++ b/django/core/validators.py
+@@ -93,6 +93,7 @@ class URLValidator(RegexValidator):
+ message = _('Enter a valid URL.')
+ schemes = ['http', 'https', 'ftp', 'ftps']
+ unsafe_chars = frozenset('\t\r\n')
++ max_length = 2048
+
+ def __init__(self, schemes=None, **kwargs):
+ super().__init__(**kwargs)
+@@ -100,7 +101,7 @@ class URLValidator(RegexValidator):
+ self.schemes = schemes
+
+ def __call__(self, value):
+- if not isinstance(value, str):
++ if not isinstance(value, str) or len(value) > self.max_length:
+ raise ValidationError(self.message, code=self.code, params={'value': value})
+ if self.unsafe_chars.intersection(value):
+ raise ValidationError(self.message, code=self.code, params={'value': value})
+@@ -211,7 +212,9 @@ class EmailValidator:
+ self.domain_allowlist = allowlist
+
+ def __call__(self, value):
+- if not value or '@' not in value:
++ # The maximum length of an email is 320 characters per RFC 3696
++ # section 3.
++ if not value or '@' not in value or len(value) > 320:
+ raise ValidationError(self.message, code=self.code, params={'value': value})
+
+ user_part, domain_part = value.rsplit('@', 1)
+diff --git a/django/forms/fields.py b/django/forms/fields.py
+index 0214d60c1cf1..8adb09e38294 100644
+--- a/django/forms/fields.py
++++ b/django/forms/fields.py
+@@ -540,6 +540,9 @@ class EmailField(CharField):
+ default_validators = [validators.validate_email]
+
+ def __init__(self, **kwargs):
++ # The default maximum length of an email is 320 characters per RFC 3696
++ # section 3.
++ kwargs.setdefault("max_length", 320)
+ super().__init__(strip=True, **kwargs)
+
+
+diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
+index 9438214a28ce..5b485f215384 100644
+--- a/docs/ref/forms/fields.txt
++++ b/docs/ref/forms/fields.txt
+@@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify
+ * Error message keys: ``required``, ``invalid``
+
+ Has three optional arguments ``max_length``, ``min_length``, and
+- ``empty_value`` which work just as they do for :class:`CharField`.
++ ``empty_value`` which work just as they do for :class:`CharField`. The
++ ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
++
++ .. versionchanged:: 3.2.20
++
++ The default value for ``max_length`` was changed to 320 characters.
+
+ ``FileField``
+ -------------
+diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt
+index 50761e5a425c..b22762b17b93 100644
+--- a/docs/ref/validators.txt
++++ b/docs/ref/validators.txt
+@@ -130,6 +130,11 @@ to, or in lieu of custom ``field.clean()`` methods.
+ :param code: If not ``None``, overrides :attr:`code`.
+ :param allowlist: If not ``None``, overrides :attr:`allowlist`.
+
++ An :class:`EmailValidator` ensures that a value looks like an email, and
++ raises a :exc:`~django.core.exceptions.ValidationError` with
++ :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
++ characters are always considered invalid.
++
+ .. attribute:: message
+
+ The error message used by
+@@ -158,13 +163,19 @@ to, or in lieu of custom ``field.clean()`` methods.
+ The undocumented ``domain_whitelist`` attribute is deprecated. Use
+ ``domain_allowlist`` instead.
+
++ .. versionchanged:: 3.2.20
++
++ In older versions, values longer than 320 characters could be
++ considered valid.
++
+ ``URLValidator``
+ ----------------
+
+ .. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
+
+ A :class:`RegexValidator` subclass that ensures a value looks like a URL,
+- and raises an error code of ``'invalid'`` if it doesn't.
++ and raises an error code of ``'invalid'`` if it doesn't. Values longer than
++ :attr:`max_length` characters are always considered invalid.
+
+ Loopback addresses and reserved IP spaces are considered valid. Literal
+ IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
+@@ -181,6 +192,18 @@ to, or in lieu of custom ``field.clean()`` methods.
+
+ .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
+
++ .. attribute:: max_length
++
++ .. versionadded:: 3.2.20
++
++ The maximum length of values that could be considered valid. Defaults
++ to 2048 characters.
++
++ .. versionchanged:: 3.2.20
++
++ In older versions, values longer than 2048 characters could be
++ considered valid.
++ + ``validate_email`` + ------------------ + +diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py +index 8b85e4dcc144..19d315205d7e 100644 +--- a/tests/forms_tests/field_tests/test_emailfield.py ++++ b/tests/forms_tests/field_tests/test_emailfield.py +@@ -9,7 +9,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase): + + def test_emailfield_1(self): + f = EmailField() +- self.assertWidgetRendersTo(f, '') ++ self.assertEqual(f.max_length, 320) ++ self.assertWidgetRendersTo( ++ f, '' ++ ) + with self.assertRaisesMessage(ValidationError, "'This field is required.'"): + f.clean('') + with self.assertRaisesMessage(ValidationError, "'This field is required.'"): +diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py +index 26f8ecafea44..82a32af403a0 100644 +--- a/tests/forms_tests/tests/test_forms.py ++++ b/tests/forms_tests/tests/test_forms.py +@@ -422,11 +422,18 @@ class FormsTestCase(SimpleTestCase): + get_spam = BooleanField() + + f = SignupForm(auto_id=False) +- self.assertHTMLEqual(str(f['email']), '') ++ self.assertHTMLEqual( ++ str(f["email"]), ++ '', ++ ) + self.assertHTMLEqual(str(f['get_spam']), '') + + f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False) +- self.assertHTMLEqual(str(f['email']), '') ++ self.assertHTMLEqual( ++ str(f["email"]), ++ '", ++ ) + self.assertHTMLEqual( + str(f['get_spam']), + '', +@@ -2824,7 +2831,7 @@ Good luck picking a username that doesn't already exist.

+ + + +-
  • ++
  • +
    • This field is required.
    +
  • """ + ) +@@ -2840,7 +2847,7 @@ Good luck picking a username that doesn't already exist.

    + + +

    +-

    ++

    +
    • This field is required.
    +

    +

    """ +@@ -2859,7 +2866,7 @@ Good luck picking a username that doesn't already exist.

    + + + +- ++ + +
    • This field is required.
    + """ +@@ -3489,7 +3496,7 @@ Good luck picking a username that doesn't already exist.

    + f = CommentForm(data, auto_id=False, error_class=DivErrorList) + self.assertHTMLEqual(f.as_p(), """

    Name:

    +
    Enter a valid email address.
    +-

    Email:

    ++

    Email:

    +
    This field is required.
    +

    Comment:

    """) + +diff --git a/tests/validators/tests.py b/tests/validators/tests.py +index e39d0e3a1cef..1065727a974e 100644 +--- a/tests/validators/tests.py ++++ b/tests/validators/tests.py +@@ -59,6 +59,7 @@ TEST_DATA = [ + + (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError), + (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError), ++ (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError), + (validate_email, None, ValidationError), + (validate_email, '', ValidationError), + (validate_email, 'abc', ValidationError), +@@ -246,6 +247,16 @@ TEST_DATA = [ + (URLValidator(), None, ValidationError), + (URLValidator(), 56, ValidationError), + (URLValidator(), 'no_scheme', ValidationError), ++ ( ++ URLValidator(), ++ "http://example." + ("a" * 63 + ".") * 1000 + "com", ++ ValidationError, ++ ), ++ ( ++ URLValidator(), ++ "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com", ++ None, ++ ), + # Newlines and tabs are not accepted. + (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), + (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), diff -Nru python-django-3.2.19/debian/patches/series python-django-3.2.19/debian/patches/series --- python-django-3.2.19/debian/patches/series 2023-05-03 16:32:59.000000000 +0000 +++ python-django-3.2.19/debian/patches/series 2023-07-28 13:24:04.000000000 +0000 @@ -9,3 +9,5 @@ 0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch 0011-Moved-RequestSite-import-to-the-toplevel.patch 0012-Add-Python-3.11-support-for-tests.patch +0013-fix-url-validator.patch +CVE-2023-36053.patch
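Review bot: The new length caps change what existing deployments accept, and nothing in the packaging says so: `URLValidator.__call__` now rejects any value longer than `max_length = 2048`, `EmailValidator.__call__` rejects anything over 320 characters, and `forms.EmailField` defaults `max_length` to 320. debian/changelog describes only the ReDoS fix, and the added docs mark the change as `versionchanged:: 3.2.20` while the package's upstream version stays 3.2.19, so checks keyed on the upstream version number will presumably not see that the fix is present. I would add a changelog line such as `- URLs longer than 2048 and email addresses longer than 320 characters are now rejected.` The URL limit is an overridable class attribute, whereas the email limit is the literal `320` inside `__call__`, so only the former can be adjusted by subclassing without re-implementing the method.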