Bug 1673642 (CVE-2019-6975) - CVE-2019-6975 python-django: memory exhaustion in django.utils.numberformat.format()
Summary: CVE-2019-6975 python-django: memory exhaustion in django.utils.numberformat.f...
Keywords:
Status: NEW
Alias: CVE-2019-6975
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1676326 1686074 1676321 1676322 1676323 1676324 1676325 1676327 1676328 1677295 1677296 1677297 1678264 1678265 1678266
Blocks: 1673649
TreeView+ depends on / blocked
 
Reported: 2019-02-07 16:43 UTC by Laura Pardo
Modified: 2020-12-17 11:06 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Laura Pardo 2019-02-07 16:43:23 UTC
A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format(), used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters, received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.


References:
https://www.djangoproject.com/security/

Comment 1 Laura Pardo 2019-02-07 16:55:43 UTC
Acknowledgments:

Name: the Django project

Comment 2 Nick Tait 2019-02-11 16:47:48 UTC
The associated Django releases are now public https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Comment 3 Nick Tait 2019-02-12 01:20:21 UTC
All versions of python-django supplied by Red Hat OpenStack Platform (1.6.11, 1.8.14, 1.8.18, & 1.11.10) are susceptible.

Comment 6 Hardik Vyas 2019-02-14 13:39:52 UTC
Ceph and Gluster are affected since the shipped versions of python-django includes unpatched source code.

Ceph(2,3)  : python-django-1.8.18-1.el7ost
Gluster    : python-django-1.11.15-4.el7rhgs

Comment 8 Tomas Hoger 2019-02-18 11:50:41 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1678266]


Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1678265]
Affects: fedora-all [bug 1678264]

Comment 14 Richard Maciel Costa 2019-03-30 01:58:16 UTC
Statement:

This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code is not present.

Although Red Hat Satellite 6 uses the vulnerable component python-django, it does not use the module django.utils.numberformat, so it's not possible to trigger this vulnerability. Hence, Red Hat Satellite 6 is not vulnerable to this issue.


Note You need to log in before you can comment on or make changes to this bug.