1 files changed, 114 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch
new file mode 100644
index 0000000000..9f2883885f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch
@@ -0,0 +1,114 @@
+From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
+From: Michael Manfre <mike@manfre.net>
+Date: Fri, 14 Jun 2024 22:12:58 -0400
+Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
+ verify_password() when checking unusuable passwords.
+Refs #20760.
+Thanks Michael Manfre for the fix and to Adam Johnson for the review.
+CVE: CVE-2024-39329
+Upstream-Status: Backport
+https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
+Signed-off-by: Michael Manfre <mike@manfre.net>
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/contrib/auth/hashers.py   | 10 ++++++++--
+ docs/releases/3.2.25.txt         |  7 +++++++
+ tests/auth_tests/test_hashers.py | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
+index 86ae7f4..ee81b64 100644
+--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
+@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
+     If setter is specified, it'll be called when you need to
+     regenerate the password.
+     """
+-    if password is None or not is_password_usable(encoded):
+-        return False
+    fake_runtime = password is None or not is_password_usable(encoded)
+ 
+     preferred = get_hasher(preferred)
+     try:
+         hasher = identify_hasher(encoded)
+     except ValueError:
+         # encoded is gibberish or uses a hasher that's no longer installed.
+        fake_runtime = True
+
+    if fake_runtime:
+        # Run the default password hasher once to reduce the timing difference
+        # between an existing user with an unusable password and a nonexistent
+        # user or missing hasher (similar to #20760).
+        make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
+         return False
+ 
+     hasher_changed = hasher.algorithm != preferred.algorithm
+diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
+index a2a58b5..a613b08 100644
+--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
+@@ -40,6 +40,13 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+ using a suitably crafted dictionary, with dictionary expansion, as the
+ ``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
+ 
+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
+================================================================================================
+
+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
+allowed remote attackers to enumerate users via a timing attack involving login
+requests for users with unusable passwords.
+
+ Bugfixes
+ ========
+ 
+diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
+index 8bc61bc..a1ae940 100644
+--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
+@@ -474,6 +474,38 @@ class TestUtilsHashPass(SimpleTestCase):
+             check_password('wrong_password', encoded)
+             self.assertEqual(hasher.harden_runtime.call_count, 1)
+ 
+    def test_check_password_calls_make_password_to_fake_runtime(self):
+        hasher = get_hasher("default")
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                mock.patch(
+                    "django.contrib.auth.hashers.identify_hasher",
+                    side_effect=hasher_side_effect,
+                ) as mock_identify_hasher,
+                mock.patch(
+                    "django.contrib.auth.hashers.make_password"
+                ) as mock_make_password,
+                mock.patch(
+                    "django.contrib.auth.hashers.get_random_string",
+                    side_effect=lambda size: "x" * size,
+                ),
+                mock.patch.object(hasher, "verify"),
+            ):
+                # Ensure make_password is called to standardize timing.
+                check_password(password, encoded)
+                self.assertEqual(hasher.verify.call_count, 0)
+                self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
+                self.assertEqual(
+                    mock_make_password.mock_calls,
+                    [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
+                )
+
+ 
+ class BasePasswordHasherTests(SimpleTestCase):
+     not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
+-- 
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch new file mode 100644 index 0000000000..9f2883885f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-39329.patch
@@ -0,0 +1,114 @@
	1	From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
	2	From: Michael Manfre <mike@manfre.net>
	3	Date: Fri, 14 Jun 2024 22:12:58 -0400
	4	Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
	5	verify_password() when checking unusuable passwords.
	6
	7	Refs #20760.
	8
	9	Thanks Michael Manfre for the fix and to Adam Johnson for the review.
	10
	11	CVE: CVE-2024-39329
	12
	13	Upstream-Status: Backport
	14	https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
	15
	16	Signed-off-by: Michael Manfre <mike@manfre.net>
	17	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
	18	---
	19	django/contrib/auth/hashers.py \| 10 ++++++++--
	20	docs/releases/3.2.25.txt \| 7 +++++++
	21	tests/auth_tests/test_hashers.py \| 32 ++++++++++++++++++++++++++++++++
	22	3 files changed, 47 insertions(+), 2 deletions(-)
	23
	24	diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
	25	index 86ae7f4..ee81b64 100644
	26	--- a/django/contrib/auth/hashers.py
	27	+++ b/django/contrib/auth/hashers.py
	28	@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
	29	If setter is specified, it'll be called when you need to
	30	regenerate the password.
	31	"""
	32	- if password is None or not is_password_usable(encoded):
	33	- return False
	34	+ fake_runtime = password is None or not is_password_usable(encoded)
	35
	36	preferred = get_hasher(preferred)
	37	try:
	38	hasher = identify_hasher(encoded)
	39	except ValueError:
	40	# encoded is gibberish or uses a hasher that's no longer installed.
	41	+ fake_runtime = True
	42	+
	43	+ if fake_runtime:
	44	+ # Run the default password hasher once to reduce the timing difference
	45	+ # between an existing user with an unusable password and a nonexistent
	46	+ # user or missing hasher (similar to #20760).
	47	+ make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
	48	return False
	49
	50	hasher_changed = hasher.algorithm != preferred.algorithm
	51	diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
	52	index a2a58b5..a613b08 100644
	53	--- a/docs/releases/3.2.25.txt
	54	+++ b/docs/releases/3.2.25.txt
	55	@@ -40,6 +40,13 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
	56	using a suitably crafted dictionary, with dictionary expansion, as the
	57	``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
	58
	59	+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
	60	+================================================================================================
	61	+
	62	+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
	63	+allowed remote attackers to enumerate users via a timing attack involving login
	64	+requests for users with unusable passwords.
	65	+
	66	Bugfixes
	67	========
	68
	69	diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
	70	index 8bc61bc..a1ae940 100644
	71	--- a/tests/auth_tests/test_hashers.py
	72	+++ b/tests/auth_tests/test_hashers.py
	73	@@ -474,6 +474,38 @@ class TestUtilsHashPass(SimpleTestCase):
	74	check_password('wrong_password', encoded)
	75	self.assertEqual(hasher.harden_runtime.call_count, 1)
	76
	77	+ def test_check_password_calls_make_password_to_fake_runtime(self):
	78	+ hasher = get_hasher("default")
	79	+ cases = [
	80	+ (None, None, None), # no plain text password provided
	81	+ ("foo", make_password(password=None), None), # unusable encoded
	82	+ ("letmein", make_password(password="letmein"), ValueError), # valid encoded
	83	+ ]
	84	+ for password, encoded, hasher_side_effect in cases:
	85	+ with (
	86	+ self.subTest(encoded=encoded),
	87	+ mock.patch(
	88	+ "django.contrib.auth.hashers.identify_hasher",
	89	+ side_effect=hasher_side_effect,
	90	+ ) as mock_identify_hasher,
	91	+ mock.patch(
	92	+ "django.contrib.auth.hashers.make_password"
	93	+ ) as mock_make_password,
	94	+ mock.patch(
	95	+ "django.contrib.auth.hashers.get_random_string",
	96	+ side_effect=lambda size: "x" * size,
	97	+ ),
	98	+ mock.patch.object(hasher, "verify"),
	99	+ ):
	100	+ # Ensure make_password is called to standardize timing.
	101	+ check_password(password, encoded)
	102	+ self.assertEqual(hasher.verify.call_count, 0)
	103	+ self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
	104	+ self.assertEqual(
	105	+ mock_make_password.mock_calls,
	106	+ [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
	107	+ )
	108	+
	109
	110	class BasePasswordHasherTests(SimpleTestCase):
	111	not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
	112	--
	113	2.40.0
	114