1 files changed, 111 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch
new file mode 100644
index 0000000000..c302c0df18
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch
@@ -0,0 +1,111 @@
+From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
+From: Michael Manfre <mike@manfre.net>
+Date: Fri, 14 Jun 2024 22:12:58 -0400
+Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
+ verify_password() when checking unusuable passwords.
+Refs #20760.
+Thanks Michael Manfre for the fix and to Adam Johnson for the review.
+CVE: CVE-2024-39329
+Upstream-Status: Backport
+https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
+Signed-off-by: Michael Manfre <mike@manfre.net>
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/contrib/auth/hashers.py   | 10 ++++++++--
+ docs/releases/2.2.28.txt         |  7 +++++++
+ tests/auth_tests/test_hashers.py | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
+index 1e8d754..4acb81d 100644
+--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
+@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
+     If setter is specified, it'll be called when you need to
+     regenerate the password.
+     """
+-    if password is None or not is_password_usable(encoded):
+-        return False
+    fake_runtime = password is None or not is_password_usable(encoded)
+ 
+     preferred = get_hasher(preferred)
+     try:
+         hasher = identify_hasher(encoded)
+     except ValueError:
+         # encoded is gibberish or uses a hasher that's no longer installed.
+        fake_runtime = True
+
+    if fake_runtime:
+        # Run the default password hasher once to reduce the timing difference
+        # between an existing user with an unusable password and a nonexistent
+        # user or missing hasher (similar to #20760).
+        make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
+         return False
+ 
+     hasher_changed = hasher.algorithm != preferred.algorithm
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index f3fb298..22fa80e 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -124,3 +124,10 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
+ using a suitably crafted dictionary, with dictionary expansion, as the
+ ``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
+ 
+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
+================================================================================================
+
+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
+allowed remote attackers to enumerate users via a timing attack involving login
+requests for users with unusable passwords.
+
+diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
+index ee6441b..391b3cc 100644
+--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
+@@ -433,6 +433,38 @@ class TestUtilsHashPass(SimpleTestCase):
+             check_password('wrong_password', encoded)
+             self.assertEqual(hasher.harden_runtime.call_count, 1)
+ 
+    def test_check_password_calls_make_password_to_fake_runtime(self):
+        hasher = get_hasher("default")
+        cases = [
+            (None, None, None),  # no plain text password provided
+            ("foo", make_password(password=None), None),  # unusable encoded
+            ("letmein", make_password(password="letmein"), ValueError),  # valid encoded
+        ]
+        for password, encoded, hasher_side_effect in cases:
+            with (
+                self.subTest(encoded=encoded),
+                mock.patch(
+                    "django.contrib.auth.hashers.identify_hasher",
+                    side_effect=hasher_side_effect,
+                ) as mock_identify_hasher,
+                mock.patch(
+                    "django.contrib.auth.hashers.make_password"
+                ) as mock_make_password,
+                mock.patch(
+                    "django.contrib.auth.hashers.get_random_string",
+                    side_effect=lambda size: "x" * size,
+                ),
+                mock.patch.object(hasher, "verify"),
+            ):
+                # Ensure make_password is called to standardize timing.
+                check_password(password, encoded)
+                self.assertEqual(hasher.verify.call_count, 0)
+                self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
+                self.assertEqual(
+                    mock_make_password.mock_calls,
+                    [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
+                )
+
+ 
+ class BasePasswordHasherTests(SimpleTestCase):
+     not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
+-- 
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch new file mode 100644 index 0000000000..c302c0df18 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-39329.patch
@@ -0,0 +1,111 @@
	1	From 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 Mon Sep 17 00:00:00 2001
	2	From: Michael Manfre <mike@manfre.net>
	3	Date: Fri, 14 Jun 2024 22:12:58 -0400
	4	Subject: [PATCH] Fixed CVE-2024-39329 -- Standarized timing of
	5	verify_password() when checking unusuable passwords.
	6
	7	Refs #20760.
	8
	9	Thanks Michael Manfre for the fix and to Adam Johnson for the review.
	10
	11	CVE: CVE-2024-39329
	12
	13	Upstream-Status: Backport
	14	https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
	15
	16	Signed-off-by: Michael Manfre <mike@manfre.net>
	17	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
	18	---
	19	django/contrib/auth/hashers.py \| 10 ++++++++--
	20	docs/releases/2.2.28.txt \| 7 +++++++
	21	tests/auth_tests/test_hashers.py \| 32 ++++++++++++++++++++++++++++++++
	22	3 files changed, 47 insertions(+), 2 deletions(-)
	23
	24	diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
	25	index 1e8d754..4acb81d 100644
	26	--- a/django/contrib/auth/hashers.py
	27	+++ b/django/contrib/auth/hashers.py
	28	@@ -36,14 +36,20 @@ def check_password(password, encoded, setter=None, preferred='default'):
	29	If setter is specified, it'll be called when you need to
	30	regenerate the password.
	31	"""
	32	- if password is None or not is_password_usable(encoded):
	33	- return False
	34	+ fake_runtime = password is None or not is_password_usable(encoded)
	35
	36	preferred = get_hasher(preferred)
	37	try:
	38	hasher = identify_hasher(encoded)
	39	except ValueError:
	40	# encoded is gibberish or uses a hasher that's no longer installed.
	41	+ fake_runtime = True
	42	+
	43	+ if fake_runtime:
	44	+ # Run the default password hasher once to reduce the timing difference
	45	+ # between an existing user with an unusable password and a nonexistent
	46	+ # user or missing hasher (similar to #20760).
	47	+ make_password(get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH))
	48	return False
	49
	50	hasher_changed = hasher.algorithm != preferred.algorithm
	51	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
	52	index f3fb298..22fa80e 100644
	53	--- a/docs/releases/2.2.28.txt
	54	+++ b/docs/releases/2.2.28.txt
	55	@@ -124,3 +124,10 @@ CVE-2025-57833: Potential SQL injection in ``FilteredRelation`` column aliases
	56	using a suitably crafted dictionary, with dictionary expansion, as the
	57	``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias`.
	58
	59	+CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
	60	+================================================================================================
	61	+
	62	+The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
	63	+allowed remote attackers to enumerate users via a timing attack involving login
	64	+requests for users with unusable passwords.
	65	+
	66	diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
	67	index ee6441b..391b3cc 100644
	68	--- a/tests/auth_tests/test_hashers.py
	69	+++ b/tests/auth_tests/test_hashers.py
	70	@@ -433,6 +433,38 @@ class TestUtilsHashPass(SimpleTestCase):
	71	check_password('wrong_password', encoded)
	72	self.assertEqual(hasher.harden_runtime.call_count, 1)
	73
	74	+ def test_check_password_calls_make_password_to_fake_runtime(self):
	75	+ hasher = get_hasher("default")
	76	+ cases = [
	77	+ (None, None, None), # no plain text password provided
	78	+ ("foo", make_password(password=None), None), # unusable encoded
	79	+ ("letmein", make_password(password="letmein"), ValueError), # valid encoded
	80	+ ]
	81	+ for password, encoded, hasher_side_effect in cases:
	82	+ with (
	83	+ self.subTest(encoded=encoded),
	84	+ mock.patch(
	85	+ "django.contrib.auth.hashers.identify_hasher",
	86	+ side_effect=hasher_side_effect,
	87	+ ) as mock_identify_hasher,
	88	+ mock.patch(
	89	+ "django.contrib.auth.hashers.make_password"
	90	+ ) as mock_make_password,
	91	+ mock.patch(
	92	+ "django.contrib.auth.hashers.get_random_string",
	93	+ side_effect=lambda size: "x" * size,
	94	+ ),
	95	+ mock.patch.object(hasher, "verify"),
	96	+ ):
	97	+ # Ensure make_password is called to standardize timing.
	98	+ check_password(password, encoded)
	99	+ self.assertEqual(hasher.verify.call_count, 0)
	100	+ self.assertEqual(mock_identify_hasher.mock_calls, [mock.call(encoded)])
	101	+ self.assertEqual(
	102	+ mock_make_password.mock_calls,
	103	+ [mock.call("x" * UNUSABLE_PASSWORD_SUFFIX_LENGTH)],
	104	+ )
	105	+
	106
	107	class BasePasswordHasherTests(SimpleTestCase):
	108	not_implemented_msg = 'subclasses of BasePasswordHasher must provide %s() method'
	109	--
	110	2.40.0
	111