From e6be86f5f940f431e16d970b46ce95022da7d6cb Mon Sep 17 00:00:00 2001
From: changtao <changtao@kylinos.cn>
Date: Fri, 20 Sep 2024 21:44:53 +0800
Subject: [PATCH 1/2] fix CVE-2024-42005

---
 CVE-2024-42005.patch | 92 ++++++++++++++++++++++++++++++++++++++++++++
 python-django.spec   |  7 +++-
 2 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-42005.patch

diff --git a/CVE-2024-42005.patch b/CVE-2024-42005.patch
new file mode 100644
index 0000000..feb97aa
--- /dev/null
+++ b/CVE-2024-42005.patch
@@ -0,0 +1,92 @@
+From f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Mon Sep 17 00:00:00 2001
+From: Simon Charette <charette.s@gmail.com>
+Date: Fri, 20 Sep 2024 21:35:38 +0800
+Subject: [PATCH] Fixed CVE-2024-42005
+Mitigated QuerySet.values()
+SQL injection attacks against JSON fields.
+
+---
+ django/db/models/sql/query.py             |  2 ++
+ docs/releases/2.2.27.txt                  | 12 ++++++++++++
+ tests/expressions/models.py               |  7 +++++++
+ tests/expressions/test_queryset_values.py | 13 +++++++++++++
+ 4 files changed, 34 insertions(+)
+
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 1e823cf..9b054bd 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -2019,6 +2019,8 @@ class Query:
+             self.clear_select_fields()
+ 
+         if fields:
++            for field in fields:
++                self.check_alias(field)
+             field_names = []
+             extra_names = []
+             annotation_names = []
+diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
+index 688a482..3beccff 100644
+--- a/docs/releases/2.2.27.txt
++++ b/docs/releases/2.2.27.txt
+@@ -2,6 +2,18 @@
+ Django 2.2.27 release notes
+ ===========================
+ 
++*Sep 25,2024*
++
++CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
++======================================================================================
++
++:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
++with a ``JSONField`` were subject to SQL injection in column aliases, via a
++crafted JSON object key as a passed ``*arg``.
++
++Bugfixes
++========
++
+ *February 1, 2022*
+ 
+ Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
+diff --git a/tests/expressions/models.py b/tests/expressions/models.py
+index 33f7850..fb80938 100644
+--- a/tests/expressions/models.py
++++ b/tests/expressions/models.py
+@@ -97,3 +97,10 @@ class UUID(models.Model):
+ 
+     def __str__(self):
+         return "%s" % self.uuid
++
++
++class JSONFieldModel(models.Model):
++    data = models.JSONField(null=True)
++
++    class Meta:
++        required_db_features = {"supports_json_field"}
+diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
+index 0804531..b07a068 100644
+--- a/tests/expressions/test_queryset_values.py
++++ b/tests/expressions/test_queryset_values.py
+@@ -36,6 +36,19 @@ class ValuesExpressionsTests(TestCase):
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+ 
++     @skipUnlessDBFeature("supports_json_field")
++    def test_values_expression_alias_sql_injection_json_field(self):
++        crafted_alias = """injected_name" from "expressions_company"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            JSONFieldModel.objects.values(f"data__{crafted_alias}")
++
++        with self.assertRaisesMessage(ValueError, msg):
++            JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
++
+     def test_values_expression_group_by(self):
+         # values() applies annotate() first, so values selected are grouped by
+         # id, not firstname.
+-- 
+2.43.0
+
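Review bot: The decorator on the added test is indented one column deeper than the `def` beneath it (`++     @skipUnlessDBFeature("supports_json_field")` has five spaces after the inner marker, `++    def test_values_expression_alias_sql_injection_json_field(self):` has four), so Python raises IndentationError when tests/expressions/test_queryset_values.py is imported and the whole module, including the pre-existing alias-injection test above it, stops running. Drop one space so the line reads `    @skipUnlessDBFeature("supports_json_field")`. Separately, the spec targets Version 2.2.27, but `models.JSONField` and the `supports_json_field` database feature were only added in Django 3.1, and the hunk adds no import of `JSONFieldModel` into the test module, so unless this tree already carries those backports the new model will fail at import time and take the whole `tests/expressions` package with it; please confirm against the patched tree. The `check_alias` loop added to `set_values` matches the upstream mitigation and looks correct; `set_values` and the `ValuesExpressionsTests` class both continue outside the hunks.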
diff --git a/python-django.spec b/python-django.spec
index 16cfb51..b19ae1a 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	2.2.27
-Release:	11
+Release:	12
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
 URL:		https://www.djangoproject.com/
@@ -25,7 +25,7 @@ Patch8:         CVE-2023-46695.patch
 Patch9:         CVE-2024-24680.patch
 # https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
 Patch10:        CVE-2024-27351.patch
-
+Patch11:        CVE-2024-42005.patch
 BuildArch:	noarch
 %description
 A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
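Review bot: `Patch11:        CVE-2024-42005.patch` is added without the upstream-commit comment that Patch10 carries on the line above it (`# https://github.com/django/django/commit/...`), and the bundled patch's own header pairs an upstream author with a local September 2024 date, so the commit this backport was derived from cannot be traced from the spec. Add a provenance line above the entry in the same style, `# <UPSTREAM_DJANGO_COMMIT_URL>` filled in with the real URL, so the next security update can diff against the source. Removing the blank line before `BuildArch` is cosmetic and can stay.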
@@ -91,6 +91,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Wed Sep 25 2024 changtao <changtao@kylinos.cn> - 2.2.27-12
+- Fix CVE-2024-27351
+
 * Tue Mar 05 2024 yaoxin <yao_xin001@hoperun.com> - 2.2.27-11
 - Fix CVE-2024-27351
 
-- 
Gitee


From c325c5a3c4eed75531a2268809cbeb1b0e8d20bf Mon Sep 17 00:00:00 2001
From: changtao <changtao@kylinos.cn>
Date: Thu, 10 Oct 2024 11:34:11 +0000
Subject: [PATCH 2/2] =?UTF-8?q?update=20python-django.spec.=20=E4=BF=AE?=
 =?UTF-8?q?=E6=94=B9changelog?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: changtao <changtao@kylinos.cn>
---
 python-django.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python-django.spec b/python-django.spec
index b19ae1a..5fc3b35 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -92,7 +92,7 @@ mv %{buildroot}/doclist.lst .
 
 %changelog
 * Wed Sep 25 2024 changtao <changtao@kylinos.cn> - 2.2.27-12
-- Fix CVE-2024-27351
+- Fix CVE-2024-42005
 
 * Tue Mar 05 2024 yaoxin <yao_xin001@hoperun.com> - 2.2.27-11
 - Fix CVE-2024-27351
-- 
Gitee