SRU: Fix URLValidator crash in some edge cases

Bug #2025155 reported by Matthias Klose
Affects                  Status        Importance  Assigned to   Milestone
python-django (Ubuntu)   Fix Released  Undecided   Graham Inggs
  Lunar                  Fix Released  Undecided   Graham Inggs

Bug Description

[ Impact ]

 * Python 3.11.4 [1] includes the fix:
   * gh-103848: Add checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format.

 * Users wanting to rebuild the package locally will be unable to do so.

 * This will prevent migration of the Python 3.11.4 updates to lunar (LP: #2019538). Allowing this autopkgtest to regress will prevent us from detecting more serious regressions in future.

[ Test Plan ]

 * Verify that the package does not FTBFS when built with Python 3.11.4.

 * Verify that the autopkgtests are successful when tested with Python 3.11.4.

[ Where problems could occur ]

 * URLs that were previously considered valid could now be considered invalid.

[ Other Info ]

 * This was fixed upstream [2] in December 2021 in the 4.x branch, but not yet included in a 3.x release.

 [1] https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4
 [2] https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c
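As an added illustration (not code from this report, from Django, or from the Ubuntu package), the pattern behind the traceback: a validator that calls urlsplit() unguarded, beside one that turns the ValueError raised by Python 3.11.4+ for a malformed bracketed host into a validation error. The ValidationError class and the helper names are stand-ins, not Django's own.

```python
# Python 3.11.4 (gh-103848) makes urllib.parse.urlsplit() raise ValueError
# for a bracketed host that is not an IPv6/IPvFuture literal, e.g.
# 'http://[::1:2::3]/'. A validator that does not catch it crashes instead
# of reporting the URL as invalid.
import ipaddress
import re
from urllib.parse import urlsplit


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError (assumption)."""


# Same host/port shape as the validator line shown in the traceback.
_BRACKETED_HOST = re.compile(r"^\[(.+)\](?::\d{2,5})?$")


def _is_ipv6(literal: str) -> bool:
    try:
        return ipaddress.ip_address(literal).version == 6
    except ValueError:
        return False


def crashing_validate(value: str) -> None:
    """Pre-fix pattern: on 3.11.4+ a bare ValueError escapes from urlsplit()."""
    netloc = urlsplit(value).netloc
    host_match = _BRACKETED_HOST.search(netloc)
    if host_match and not _is_ipv6(host_match[1]):
        raise ValidationError(f"invalid IPv6 literal in {value!r}")


def guarded_validate(value: str) -> None:
    """Fixed pattern: any ValueError from urlsplit() becomes a ValidationError,
    and the bracketed host is checked explicitly, so the verdict is the same
    on every Python version."""
    try:
        netloc = urlsplit(value).netloc
    except ValueError as exc:  # e.g. '[::1:2::3]' on 3.11.4+, or an unclosed '['
        raise ValidationError(f"unparseable URL {value!r}") from exc
    host_match = _BRACKETED_HOST.search(netloc)
    if host_match and not _is_ipv6(host_match[1]):
        raise ValidationError(f"invalid IPv6 literal in {value!r}")


def is_valid(value: str) -> bool:
    """True if guarded_validate() accepts the URL, False if it rejects it."""
    try:
        guarded_validate(value)
    except ValidationError:
        return False
    return True
```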


Graham Inggs (ginggs)
Changed in python-django (Ubuntu):
assignee: nobody → Graham Inggs (ginggs)
Changed in python-django (Ubuntu Lunar):
assignee: nobody → Graham Inggs (ginggs)
Changed in python-django (Ubuntu):
status: New → In Progress
Graham Inggs (ginggs) wrote :

python-django FTBFS with Python 3.11.4 with the following test failures:

======================================================================
ERROR: test_validators (validators.tests.TestValidators.test_validators) [URLValidator] (value='http://[::1:2::3]:8080/')
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/usr/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/<<PKGBUILDDIR>>/tests/validators/tests.py", line 354, in test_validators
    validator(value)
  File "/<<PKGBUILDDIR>>/django/core/validators.py", line 132, in __call__
    host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
    ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/parse.py", line 500, in urlsplit
    _check_bracketed_host(bracketed_host)
    ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/parse.py", line 446, in _check_bracketed_host
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
    ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ipaddress.py", line 54, in ip_address
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
      ^^^^^^^^^^^^^^^^^
ValueError: '::1:2::3' does not appear to be an IPv4 or IPv6 address

======================================================================
ERROR: test_value_placeholder_with_char_field (forms_tests.tests.test_validators.ValidatorCustomMessageTests.test_value_placeholder_with_char_field) [URLValidator] (value='http://[::1:2::3]/')
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python3.11/unittest/case.py", line 57, in testPartExecutor
    yield
  File "/usr/lib/python3.11/unittest/case.py", line 538, in subTest
    yield
  File "/<<PKGBUILDDIR>>/tests/forms_tests/tests/test_validators.py", line 108, in test_value_placeholder_with_char_field
    self.assertIs(form.is_valid(), False)
    ^^^^^^^^^^^^^^^^^
  File "/<<PKGBUILDDIR>>/django/forms/forms.py", line 175, in is_valid
    return self.is_bound and not self.errors
    ^^^^^^^^^^^^^^^^^
  File "/<<PKGBUILDDIR>>/django/forms/forms.py", line 170, in errors
    self.full_clean()
  File "/<<PKGBUILDDIR>>/django/forms/forms.py", line 372, in full_clean
    self._clean_fields()
    ^^^^^^^^^^^^^^^^^
  File "/<<PKGBUILDDIR>>/django/forms/forms.py", line 390, in _clean_fields
    value = field.clean(value)
    ^^^^^^^^^^^^^^^^^
  File "/<<PKGBUILDDIR>>/django/forms/fields.py", line 151, in clean
    self.run_validators(value)
    ^^^^^^^^^^^^^^^^^
  File "/<<PKGBUILDDIR>>/django/forms/fields.py", line 136, in run_validators
    v(value)
  File "/<<PKGBUILDDIR>>/django/core/validators.py", line 132, in __call__
    host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
    ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/parse.py", line 500, in urlsplit
    _check_bracketed_host(bracketed_host)
    ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/parse.py", line 446, in _check_bracketed_host
    ip = ipaddress.ip_ad...


Graham Inggs (ginggs)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 3:3.2.19-1ubuntu3

---------------
python-django (3:3.2.19-1ubuntu3) mantic; urgency=medium

  * Drop 2eb1f37260f0e0b71ef3a77eb5522d2bb68d6489.patch and
    16729.patch, it seems these are no longer needed
  * Cherry-pick upstream commit to fix URLValidator crash in
    some edge cases (LP: #2025155)

 -- Graham Inggs <email address hidden> Wed, 28 Jun 2023 11:20:10 +0000

Changed in python-django (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 3:3.2.18-1ubuntu0.3

---------------
python-django (3:3.2.18-1ubuntu0.3) lunar-security; urgency=medium

  * SECURITY UPDATE: Potential ReDoS issues
    - debian/patches/CVE-2023-36053.patch: prevent potential ReDoS in
      EmailValidator and URLValidator in django/core/validators.py,
      django/forms/fields.py, docs/ref/forms/fields.txt,
      docs/ref/validators.txt,
      tests/forms_tests/field_tests/test_emailfield.py,
      tests/forms_tests/tests/test_forms.py, tests/validators/tests.py.
    - CVE-2023-36053
  * debian/patches/fix-url-validator.patch: Cherry-pick upstream commit to
    fix URLValidator crash in some edge cases (LP: #2025155)

 -- Marc Deslauriers <email address hidden> Tue, 27 Jun 2023 09:18:49 -0400

Changed in python-django (Ubuntu Lunar):
status: New → Fix Released