From b23b9314d5a93a6f3ee2c21223bc88d93e84d4a5 Mon Sep 17 00:00:00 2001 From: Penglai Code Date: Wed, 1 Jul 2026 16:52:02 +0800 Subject: [PATCH] Fix CVE-2023-46695: Django UsernameField NFKC normalization DoS vulnerability Add max_length check before NFKC normalization in UsernameField.to_python() to prevent DoS attacks via inputs with very large number of Unicode characters. Upstream fix: https://github.com/django/django/commit/6833a01a7e54d5b24c90e0c2b58b5a9b1b6dcf6b --- ...-CVE-2023-46695-issue-was-discovered.patch | 24 +++++++++++++++++++ python-django.spec | 10 +++++++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-46695-CVE-2023-46695-issue-was-discovered.patch diff --git a/CVE-2023-46695-CVE-2023-46695-issue-was-discovered.patch b/CVE-2023-46695-CVE-2023-46695-issue-was-discovered.patch new file mode 100644 index 0000000..942ea28 --- /dev/null +++ b/CVE-2023-46695-CVE-2023-46695-issue-was-discovered.patch @@ -0,0 +1,24 @@ +From: Penglai Code +Subject: [PATCH] CVE-2023-46695: An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NF + +CVE: CVE-2023-46695 +Upstream: Django official GitHub repository (django/django) and Django security releases weblog +Reference: https://github.com/django/django/commit/6833a01a7e54d5b24c90e0c2b58b5a9b1b6dcf6b +Bug: CVE-2023-46695 + +--- + +--- a/django/contrib/auth/forms.py ++++ b/django/contrib/auth/forms.py +@@ -71,7 +71,10 @@ class ReadOnlyPasswordHashField(forms.Field): + + class UsernameField(forms.CharField): + def to_python(self, value): +- return unicodedata.normalize("NFKC", super().to_python(value)) ++ value = super().to_python(value) ++ if self.max_length is not None and len(value) > self.max_length: ++ return value ++ return unicodedata.normalize("NFKC", value) + + def widget_attrs(self, widget): + return { diff --git a/python-django.spec b/python-django.spec index fccdeb6..af1b517 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global pkgname Django Name: python-django @@ -9,6 +9,10 @@ Summary: A high-level Python Web framework License: BSD URL: https://www.djangoproject.com/ Source0: %{pypi_source %{pkgname} %{version}} +# CVE-2023-46695 +# Upstream: Django official GitHub repository (django/django) and Django security releases weblog +# Reference: https://github.com/django/django/commit/6833a01a7e54d5b24c90e0c2b58b5a9b1b6dcf6b +Patch0001: CVE-2023-46695-CVE-2023-46695-issue-was-discovered.patch BuildArch: noarch @@ -131,6 +135,10 @@ cd tests %{_mandir}/man1/django-admin.1* %changelog +* Wed Jul 01 2026 Penglai Code - 4.1.9-2 +- Fix CVE-2023-46695 (BZ#2023) + Upstream patch: https://github.com/django/django/commit/6833a01a7e54d5b24c90e0c2b58b5a9b1b6dcf6b + * Thu May 25 2023 Funda Wang - 4.1.9-1 - New version 4.1.9 -- Gitee