Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 915177 (CVE-2023-43665) - <dev-python/django-{4.2.6,4.1.12,3.2.22}: Denial-of-service possibility in ``django.utils.text.Truncator``
Summary: <dev-python/django-{4.2.6,4.1.12,3.2.22}: Denial-of-service possibility in ``...
Alias: CVE-2023-43665
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: C3 [noglsa]
Depends on: 915178 915180 915181
  Show dependency tree
Reported: 2023-10-04 16:51 UTC by Michał Górny
Modified: 2023-10-23 04:23 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-10-04 16:51:10 UTC
CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``

Following the fix for :cve:`2019-14232`, the regular expressions used in the
implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
methods (with ``html=True``) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.

The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus also vulnerable.

The input processed by ``Truncator``, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-10-04 18:37:16 UTC
cleanup done.
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-05 06:23:46 UTC
Thanks for the quick action.

GLSA vote: no.