CVE-2018-7537

Advisory

Django 2.0.3, 1.8.19 and 1.11.11 include a fix for CVE-2018-7537: An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

============================

*March 6, 2018*

Django 1.11.11 fixes two security issues in 1.11.10.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.


============================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7537
• https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
• https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html
• http://www.securityfocus.com/bid/103357
• https://usn.ubuntu.com/3591-1/
• https://www.debian.org/security/2018/dsa-4161
• https://access.redhat.com/errata/RHSA-2018:2927
• https://access.redhat.com/errata/RHSA-2019:0265