Bug 1549779 (CVE-2018-7537)

Summary: CVE-2018-7537 django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, bcourt, bkearney, cbillett, chrisw, jakub.dornak, jal233, jjoyce, jmatthew, jschluet, kbasil, lhh, lpeer, markmc, mburns, mhroncok, michel, mmccune, mrike, mrunge, ohadlevy, rbryant, rchan, rhos-maint, sclewis, security-response-team, sgallagh, sisharma, slinaber, srevivo, ssaha, tdecacqu, tomckay, tsanders, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 2.0.3, Django 1.11.11, Django 1.8.19 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:41:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1549907, 1549908, 1552177, 1552178, 1552179, 1552306, 1554696, 1557457, 1557458, 1557459    
Bug Blocks: 1549781    

Description Pedro Sampaio 2018-02-27 20:07:42 UTC 
CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html``
and ``truncatewords_html`` template filters
============================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to
implement the ``truncatechars_html`` and ``truncatewords_html`` template
filters, which were thus vulnerable.

The backtracking problem in the regular expression is fixed.
Comment 5 Adam Mariš 2018-03-06 16:14:24 UTC 
Acknowledgments:

Name: the Django project
Comment 6 Adam Mariš 2018-03-06 16:14:42 UTC 
External References:

https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
Comment 7 Adam Mariš 2018-03-06 16:17:25 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1552178]
Affects: epel-7 [bug 1552179]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1552177]
Comment 11 Andrej Nemec 2018-05-14 15:22:33 UTC 
Statement:

This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 12 errata-xmlrpc 2018-10-16 15:20:58 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
Comment 13 errata-xmlrpc 2019-02-04 07:43:40 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265