python3-django: Fix CVE-2024-41989

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The
floatformat template filter is subject to significant memory consumption when
given a string representation of a number in scientific notation with a large
exponent.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41989

Upstream-patches:
https://github.com/django/django/commit/08c5a787262c1ae57f6517d4574b54a5fcaad124
https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c
https://github.com/django/django/commit/dcd974698301a38081c141ccba6dcafa5ed2c80e
https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

1 files changed, 48 insertions, 0 deletions

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch
new file mode 100644
index 0000000000..51cf79ffbd
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41989-0002.patch
@@ -0,0 +1,48 @@
+From 4b066bde692078b194709d517b27e55defae787c Mon Sep 17 00:00:00 2001
+From: David Wobrock <david.wobrock@gmail.com>
+Date: Wed, 18 Jan 2023 22:54:17 +0100
+Subject: [PATCH] Fixed #34272 -- Fixed floatformat crash on zero with trailing
+ zeros to zero decimal places.
+
+Regression in 08c5a787262c1ae57f6517d4574b54a5fcaad124.
+
+Thanks Andrii Lahuta for the report.
+
+CVE: CVE-2024-41989
+
+Upstream-Status: Backport [https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/template/defaultfilters.py                     | 2 +-
+ tests/template_tests/filter_tests/test_floatformat.py | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
+index 9ca530c..e72593b 100644
+--- a/django/template/defaultfilters.py
++++ b/django/template/defaultfilters.py
+@@ -140,7 +140,7 @@ def floatformat(text, arg=-1):
+     except (ValueError, OverflowError, InvalidOperation):
+         return input_val
+
+-    if not m and p < 0:
++    if not m and p <= 0:
+         return mark_safe(formats.number_format('%d' % (int(d)), 0))
+
+     exp = Decimal(1).scaleb(-abs(p))
+diff --git a/tests/template_tests/filter_tests/test_floatformat.py b/tests/template_tests/filter_tests/test_floatformat.py
+index acad66d..538f501 100644
+--- a/tests/template_tests/filter_tests/test_floatformat.py
++++ b/tests/template_tests/filter_tests/test_floatformat.py
+@@ -65,6 +65,8 @@ class FunctionTests(SimpleTestCase):
+         self.assertEqual(floatformat(0, 7), '0.0000000')
+         self.assertEqual(floatformat(0, 10), '0.0000000000')
+         self.assertEqual(floatformat(0.000000000000000000015, 20), '0.00000000000000000002')
++        self.assertEqual(floatformat("0.00", 0), "0")
++        self.assertEqual(floatformat(Decimal("0.00"), 0), "0")
+
+     def test_infinity(self):
+         pos_inf = float(1e30000)
+--
+2.40.0