fix CVE-2025-26699

2025-02-18 09:36:04 +08:00 · 2025-02-18 09:36:04 +08:00 · 9d83407ca9
commit 9d83407ca9
parent 48ae12b320
2 changed files with 110 additions and 1 deletions
--- a/CVE-2025-26699.patch
+++ b/CVE-2025-26699.patch
@ -0,0 +1,102 @@
+From 4f2765232336b8ad0afd8017d9d912ae93470017 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 25 Feb 2025 09:40:54 +0100
+Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
+ wordwrap template filter.
+
+Thanks sw0rd1ight for the report.
+
+Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
+---
+ django/utils/text.py                          | 28 +++++++------------
+ docs/releases/2.2.27.txt                      |  8 +++++-
+ .../filter_tests/test_wordwrap.py             | 11 ++++++++
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index 6631a00..c44d452 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -1,6 +1,7 @@
+ import html.entities
+ import re
+ import unicodedata
+import textwrap
+ from gzip import GzipFile
+ from io import BytesIO
+ 
+@@ -88,24 +89,15 @@ def wrap(text, width):
+     Don't wrap long words, thus the output text may have lines longer than
+     ``width``.
+     """
+-    def _generator():
+-        for line in text.splitlines(True):  # True keeps trailing linebreaks
+-            max_width = min((line.endswith('\n') and width + 1 or width), width)
+-            while len(line) > max_width:
+-                space = line[:max_width + 1].rfind(' ') + 1
+-                if space == 0:
+-                    space = line.find(' ') + 1
+-                    if space == 0:
+-                        yield line
+-                        line = ''
+-                        break
+-                yield '%s\n' % line[:space - 1]
+-                line = line[space:]
+-                max_width = min((line.endswith('\n') and width + 1 or width), width)
+-            if line:
+-                yield line
+-    return ''.join(_generator())
+-
+    wrapper = textwrap.TextWrapper(
+        width=width,
+        break_long_words=False,
+        break_on_hyphens=False,
+    )
+    result = []
+    for line in text.splitlines(True):
+        result.extend(wrapper.wrap(line))
+    return "\n".join(result)
+ 
+ class Truncator(SimpleLazyObject):
+     """
+diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
+index 688a482..f34bef8 100644
+--- a/docs/releases/2.2.27.txt
+++ b/docs/releases/2.2.27.txt
+@@ -4,7 +4,13 @@ Django 2.2.27 release notes
+ 
+ *February 1, 2022*
+ 
+-Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
+Django 2.2.27 fixes three security issues with severity "medium" in 2.2.26.
+
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
+=========================================================================================
+
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
+potential denial-of-service attack when used with very long strings.
+ 
+ CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+ =============================================================
+diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
+index 02f8605..f61842c 100644
+--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
+@@ -51,3 +51,14 @@ class FunctionTests(SimpleTestCase):
+             ), 14),
+             'this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\nI\'m afraid',
+         )
+
+    def test_wrap_long_text(self):
+        long_text = (
+            "this is a long paragraph of text that really needs"
+            " to be wrapped I'm afraid " * 20_000
+        )
+        self.assertIn(
+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
+            "I'm afraid",
+            wordwrap(long_text, 10),
+        )
+-- 
+2.46.0
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	2.2.27
-Release:	14
+Release:	15
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
 URL:		https://www.djangoproject.com/
@ -38,6 +38,7 @@ Patch19:        CVE-2024-45230.patch
 Patch20:        CVE-2024-45231.patch
 Patch21:        CVE-2024-53907.patch
 Patch22:        CVE-2024-56374.patch
+Patch23:        CVE-2025-26699.patch

 BuildArch:	noarch
 %description
@ -104,6 +105,12 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Wed Mar 12 2025 changtao <changtao@kylinos.cn> - 2.2.27-15
+- Type:CVE
+- CVE:CVE-2025-26699
+- SUG:NA
+- DESC:fix CVE-2025-26699
+
 * Fri Jan 17 2025 caodongxia <caodongxia@h-partners.com> - 2.2.27-14
 - Fix CVE-2024-56374