From: Ankur Tyagi <[email protected]> Drop patch merged in the upstream.
Release notes: https://docs.djangoproject.com/en/dev/releases/5.0.12/ https://docs.djangoproject.com/en/dev/releases/5.0.13/ https://docs.djangoproject.com/en/dev/releases/5.0.14/ Signed-off-by: Ankur Tyagi <[email protected]>
---
 .../python3-django/CVE-2025-26699.patch | 100 ------------------
 ...ngo_5.0.11.bb => python3-django_5.0.14.bb} | 4 +-
 2 files changed, 1 insertion(+), 103 deletions(-)
 delete mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
 rename meta-python/recipes-devtools/python/{python3-django_5.0.11.bb => python3-django_5.0.14.bb} (65%)
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
deleted file mode 100644
index bba65eaee3..0000000000
--- a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001
-From: Sarah Boyce <[email protected]>
-Date: Tue, 25 Feb 2025 09:40:54 +0100
-Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
- wordwrap template filter.
-
-Thanks sw0rd1ight for the report.
-
-Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
-
-CVE: CVE-2025-26699
-Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68]
-
-Backport Changes:
-- The fix has been adapted from the upstream Django v4.2.20 patch for
- CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe.
-
-- The upstream patch includes changes to a 4.2.20.txt release-note file.
- This file does not exist in the Django 5.0.11 source tree, so it was
- intentionally omitted from this backport.
-
-- Only the relevant code changes from the upstream patch were applied.
- No functional differences exist in the vulnerable logic between
- Django 4.2.x and 5.0.x.
-
-(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860)
-Signed-off-by: Anil Dongare <[email protected]>
----
- django/utils/text.py | 28 +++++++------------
- .../filter_tests/test_wordwrap.py | 11 ++++++++
- 2 files changed, 21 insertions(+), 18 deletions(-)
-
-diff --git a/django/utils/text.py b/django/utils/text.py
-index d992f80dd2..36ab6a9efc 100644
---- a/django/utils/text.py
-+++ b/django/utils/text.py
-@@ -1,6 +1,7 @@
- import gzip
- import re
- import secrets
-+import textwrap
- import unicodedata
- from gzip import GzipFile
- from gzip import compress as gzip_compress
-@@ -97,24 +98,15 @@ def wrap(text, width):
- ``width``.
- """
-
-- def _generator():
-- for line in text.splitlines(True): # True keeps trailing linebreaks
-- max_width = min((line.endswith("\n") and width + 1 or width), width)
-- while len(line) > max_width:
-- space = line[: max_width + 1].rfind(" ") + 1
-- if space == 0:
-- space = line.find(" ") + 1
-- if space == 0:
-- yield line
-- line = ""
-- break
-- yield "%s\n" % line[: space - 1]
-- line = line[space:]
-- max_width = min((line.endswith("\n") and width + 1 or width), width)
-- if line:
-- yield line
---
-- return "".join(_generator())
-+ wrapper = textwrap.TextWrapper(
-+ width=width,
-+ break_long_words=False,
-+ break_on_hyphens=False,
-+ )
-+ result = []
-+ for line in text.splitlines(True):
-+ result.extend(wrapper.wrap(line))
-+ return "\n".join(result)
-
-
- def add_truncation_text(text, truncate=None):
-diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
-index 88fbd274da..4afa1dd234 100644
---- a/tests/template_tests/filter_tests/test_wordwrap.py
-+++ b/tests/template_tests/filter_tests/test_wordwrap.py
-@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
- "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
- "I'm afraid",
- )
-+
-+ def test_wrap_long_text(self):
-+ long_text = (
-+ "this is a long paragraph of text that really needs"
-+ " to be wrapped I'm afraid " * 20_000
-+ )
-+ self.assertIn(
-+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
-+ "I'm afraid",
-+ wordwrap(long_text, 10),
-+ )
---
-2.43.5
-
diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
similarity index 65%
rename from meta-python/recipes-devtools/python/python3-django_5.0.11.bb
rename to meta-python/recipes-devtools/python/python3-django_5.0.14.bb
index 0d26c7928d..d176123893 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
@@ -4,9 +4,7 @@ inherit setuptools3
 # Windows-specific DoS via NFKC normalization, not applicable to Linux
 CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
 
-SRC_URI = "file://CVE-2025-26699.patch \
- "
-SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65"
+SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
 
 RDEPENDS:${PN} += "\
 python3-sqlparse \
