CVE-2018-7536

Advisory

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. See: CVE-2018-7536.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========================

*March 6, 2018*

Django 1.8.19 fixes two security issues in 1.18.18.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expression is replaced with parsing logic that behaves
similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7536
• https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
• https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
• http://www.securityfocus.com/bid/103361
• https://usn.ubuntu.com/3591-1/
• https://www.debian.org/security/2018/dsa-4161
• https://access.redhat.com/errata/RHSA-2018:2927
• https://access.redhat.com/errata/RHSA-2019:0082
• https://access.redhat.com/errata/RHSA-2019:0051
• https://access.redhat.com/errata/RHSA-2019:0265
• https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2
• https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
• https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8