From: Anil Dongare <[email protected]> Upstream Repository: https://github.com/django/django.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26699 Type: Security Fix CVE: CVE-2025-26699 Score: 7.5 Patch: https://github.com/django/django/commit/e88f7376fe68 Signed-off-by: Anil Dongare <[email protected]> --- .../python3-django/CVE-2025-26699.patch | 100 ++++++++++++++++++ .../python/python3-django_5.0.11.bb | 2 + 2 files changed, 102 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch new file mode 100644 index 0000000000..bba65eaee3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch @@ -0,0 +1,100 @@ +From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <[email protected]> +Date: Tue, 25 Feb 2025 09:40:54 +0100 +Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in + wordwrap template filter. + +Thanks sw0rd1ight for the report. + +Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. + +CVE: CVE-2025-26699 +Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68] + +Backport Changes: +- The fix has been adapted from the upstream Django v4.2.20 patch for + CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe. + +- The upstream patch includes changes to a 4.2.20.txt release-note file. + This file does not exist in the Django 5.0.11 source tree, so it was + intentionally omitted from this backport. + +- Only the relevant code changes from the upstream patch were applied. + No functional differences exist in the vulnerable logic between + Django 4.2.x and 5.0.x. + +(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860) +Signed-off-by: Anil Dongare <[email protected]> +--- + django/utils/text.py | 28 +++++++------------ + .../filter_tests/test_wordwrap.py | 11 ++++++++ + 2 files changed, 21 insertions(+), 18 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index d992f80dd2..36ab6a9efc 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -1,6 +1,7 @@ + import gzip + import re + import secrets ++import textwrap + import unicodedata + from gzip import GzipFile + from gzip import compress as gzip_compress +@@ -97,24 +98,15 @@ def wrap(text, width): + ``width``. + """ + +- def _generator(): +- for line in text.splitlines(True): # True keeps trailing linebreaks +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- while len(line) > max_width: +- space = line[: max_width + 1].rfind(" ") + 1 +- if space == 0: +- space = line.find(" ") + 1 +- if space == 0: +- yield line +- line = "" +- break +- yield "%s\n" % line[: space - 1] +- line = line[space:] +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- if line: +- yield line +- +- return "".join(_generator()) ++ wrapper = textwrap.TextWrapper( ++ width=width, ++ break_long_words=False, ++ break_on_hyphens=False, ++ ) ++ result = [] ++ for line in text.splitlines(True): ++ result.extend(wrapper.wrap(line)) ++ return "\n".join(result) + + + def add_truncation_text(text, truncate=None): +diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py +index 88fbd274da..4afa1dd234 100644 +--- a/tests/template_tests/filter_tests/test_wordwrap.py ++++ b/tests/template_tests/filter_tests/test_wordwrap.py +@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): + "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" + "I'm afraid", + ) ++ ++ def test_wrap_long_text(self): ++ long_text = ( ++ "this is a long paragraph of text that really needs" ++ " to be wrapped I'm afraid " * 20_000 ++ ) ++ self.assertIn( ++ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n" ++ "I'm afraid", ++ wordwrap(long_text, 10), ++ ) +-- +2.43.5 + diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.11.bb index 43be30c7ec..0d26c7928d 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.11.bb @@ -4,6 +4,8 @@ inherit setuptools3 # Windows-specific DoS via NFKC normalization, not applicable to Linux CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows" +SRC_URI = "file://CVE-2025-26699.patch \ + " SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65" RDEPENDS:${PN} += "\ -- 2.44.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121374): https://lists.openembedded.org/g/openembedded-devel/message/121374 Mute This Topic: https://lists.openembedded.org/mt/116170195/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
