Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32873
Upstream-patch: https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/ Signed-off-by: Saravanan <[email protected]> --- .../CVE-2025-32873.patch | 110 ++++++++++++++++++ .../python3-django/CVE-2025-32873.patch | 107 +++++++++++++++++ .../python/python3-django_2.2.28.bb | 1 + .../python/python3-django_3.2.25.bb | 1 + 4 files changed, 219 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2025-32873.patch create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2025-32873.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2025-32873.patch new file mode 100644 index 0000000000..ae417c92c1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2025-32873.patch @@ -0,0 +1,110 @@ +From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001 +From: Marc Deslauriers <[email protected]> +Date: Wed, 30 Apr 2025 10:34:27 -0400 +Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in + strip_tags(). + +Thanks to Elias Myllymaki for the report, and Shai Berger and Jake +Howard for the reviews. + +Co-authored-by: Natalia <[email protected]> + +Backport of 9f3419b from main. + +CVE: CVE-2025-32873 + +Upstream-Status: Backport +https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/ + +Signed-off-by: Saravanan <[email protected]> +--- + django/utils/html.py | 6 ++++++ + docs/releases/3.2.25.txt | 11 +++++++++++ + tests/utils_tests/test_html.py | 15 ++++++++++++++- + 3 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/django/utils/html.py b/django/utils/html.py +index 5887bf1..1a3033e 100644 +--- a/django/utils/html.py ++++ b/django/utils/html.py +@@ -33,6 +33,9 @@ simple_url_2_re = _lazy_re_compile( + MAX_URL_LENGTH = 2048 + MAX_STRIP_TAGS_DEPTH = 50 + ++# HTML tag that opens but has no closing ">" after 1k+ chars. ++long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") ++ + + @keep_lazy(str, SafeString) + def escape(text): +@@ -184,6 +187,9 @@ def _strip_once(value): + def strip_tags(value): + """Return the given HTML with all tags stripped.""" + value = str(value) ++ for long_open_tag in long_open_tag_without_closing_re.finditer(value): ++ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH: ++ raise SuspiciousOperation + # Note: in typical case this loop executes _strip_once twice (the second + # execution does not remove any more tags). + strip_tags_depth = 0 +diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt +index f21bb47..2e113cc 100644 +--- a/docs/releases/3.2.25.txt ++++ b/docs/releases/3.2.25.txt +@@ -82,6 +82,17 @@ Remember that absolutely NO guarantee is provided about the results of + ``strip_tags()`` call without escaping it first, for example with + :func:`django.utils.html.escape`. + ++CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` ++================================================================= ++ ++:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs ++containing large sequences of incomplete HTML tags. This function is used to ++implement the :tfilter:`striptags` template filter, which was thus also ++vulnerable. ++ ++:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` ++exception if it encounters an unusually large number of unclosed opening tags. ++ + Bugfixes + ======== + +diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py +index 231f5d8..5c2de01 100644 +--- a/tests/utils_tests/test_html.py ++++ b/tests/utils_tests/test_html.py +@@ -94,17 +94,30 @@ class TestUtilsHtml(SimpleTestCase): + ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'), + ('X<<<<br>br>br>br>X', 'XX'), + ("<" * 50 + "a>" * 50, ""), ++ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"), ++ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951), ++ ("<" + "a" * 1_002, "<" + "a" * 1_002), + ) + for value, output in items: + with self.subTest(value=value, output=output): + self.check_output(strip_tags, value, output) + self.check_output(strip_tags, lazystr(value), output) + +- def test_strip_tags_suspicious_operation(self): ++ def test_strip_tags_suspicious_operation_max_depth(self): + value = "<" * 51 + "a>" * 51, "<a>" + with self.assertRaises(SuspiciousOperation): + strip_tags(value) + ++ def test_strip_tags_suspicious_operation_large_open_tags(self): ++ items = [ ++ ">" + "<a" * 501, ++ "<a" * 50 + "a" * 950, ++ ] ++ for value in items: ++ with self.subTest(value=value): ++ with self.assertRaises(SuspiciousOperation): ++ strip_tags(value) ++ + def test_strip_tags_files(self): + # Test with more lengthy content (also catching performance regressions) + for filename in ('strip_tags1.html', 'strip_tags2.txt'): +-- +2.40.0 + diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch new file mode 100644 index 0000000000..701f9b5746 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch @@ -0,0 +1,107 @@ +From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001 +From: Marc Deslauriers <[email protected]> +Date: Wed, 30 Apr 2025 10:34:27 -0400 +Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in + strip_tags(). + +Thanks to Elias Myllymaki for the report, and Shai Berger and Jake +Howard for the reviews. + +Co-authored-by: Natalia <[email protected]> + +Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main. + +CVE: CVE-2025-32873 + +Upstream-Status: Backport +https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c + +Signed-off-by: Saravanan <[email protected]> +--- + django/utils/html.py | 6 ++++++ + docs/releases/2.2.28.txt | 11 +++++++++++ + tests/utils_tests/test_html.py | 15 ++++++++++++++- + 3 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/django/utils/html.py b/django/utils/html.py +index 0d5ffd2..858a517 100644 +--- a/django/utils/html.py ++++ b/django/utils/html.py +@@ -37,6 +37,9 @@ _html_escapes = { + ord("'"): ''', + } + ++# HTML tag that opens but has no closing ">" after 1k+ chars. ++long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") ++ + + @keep_lazy(str, SafeText) + def escape(text): +@@ -188,6 +191,9 @@ def _strip_once(value): + def strip_tags(value): + """Return the given HTML with all tags stripped.""" + value = str(value) ++ for long_open_tag in long_open_tag_without_closing_re.finditer(value): ++ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH: ++ raise SuspiciousOperation + # Note: in typical case this loop executes _strip_once twice (the second + # execution does not remove any more tags). + strip_tags_depth = 0 +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 3503f38..1676bbd 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -143,3 +143,14 @@ directory-traversal via certain inputs when calling :meth:`save() + + Built-in ``Storage`` sub-classes were not affected by this vulnerability. + ++CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` ++================================================================= ++ ++:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs ++containing large sequences of incomplete HTML tags. This function is used to ++implement the :tfilter:`striptags` template filter, which was thus also ++vulnerable. ++ ++:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` ++exception if it encounters an unusually large number of unclosed opening tags. ++ +diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py +index 2f412e1..653deb2 100644 +--- a/tests/utils_tests/test_html.py ++++ b/tests/utils_tests/test_html.py +@@ -92,17 +92,30 @@ class TestUtilsHtml(SimpleTestCase): + ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'), + ('X<<<<br>br>br>br>X', 'XX'), + ("<" * 50 + "a>" * 50, ""), ++ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"), ++ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951), ++ ("<" + "a" * 1_002, "<" + "a" * 1_002), + ) + for value, output in items: + with self.subTest(value=value, output=output): + self.check_output(strip_tags, value, output) + self.check_output(strip_tags, lazystr(value), output) + +- def test_strip_tags_suspicious_operation(self): ++ def test_strip_tags_suspicious_operation_max_depth(self): + value = "<" * 51 + "a>" * 51, "<a>" + with self.assertRaises(SuspiciousOperation): + strip_tags(value) + ++ def test_strip_tags_suspicious_operation_large_open_tags(self): ++ items = [ ++ ">" + "<a" * 501, ++ "<a" * 50 + "a" * 950, ++ ] ++ for value in items: ++ with self.subTest(value=value): ++ with self.assertRaises(SuspiciousOperation): ++ strip_tags(value) ++ + def test_strip_tags_files(self): + # Test with more lengthy content (also catching performance regressions) + for filename in ('strip_tags1.html', 'strip_tags2.txt'): +-- +2.40.0 + diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index b5b2570ddb..87830e4bc3 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb @@ -30,6 +30,7 @@ SRC_URI += "file://CVE-2023-31047.patch \ file://CVE-2025-57833.patch \ file://CVE-2024-39329.patch \ file://CVE-2024-39330.patch \ + file://CVE-2025-32873.patch \ " SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413" diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb index 04dbe1cd19..68b60a784e 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb @@ -14,6 +14,7 @@ SRC_URI += "\ file://CVE-2024-39330.patch \ file://CVE-2024-41991.patch \ file://CVE-2024-53907.patch \ + file://CVE-2025-32873.patch \ " # Set DEFAULT_PREFERENCE so that the LTS version of django is built by -- 2.35.5
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122321): https://lists.openembedded.org/g/openembedded-devel/message/122321 Mute This Topic: https://lists.openembedded.org/mt/116611920/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
