new file mode 100644
@@ -0,0 +1,85 @@
+From 1bd7650f2978c0824772e3d12f6c8b3ecefa10e0 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 16:30:17 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in
+ strip_tags().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
+Howard for the reviews.
+
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+
+Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
+
+CVE: CVE-2025-32873
+Upstream-Status: Backport [https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c]
+(cherry picked from commit 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ django/utils/html.py | 6 ++++++
+ tests/utils_tests/test_html.py | 15 ++++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index a3a7238cba..84c37d1186 100644
+--- a/django/utils/html.py
++++ b/django/utils/html.py
+@@ -17,6 +17,9 @@ from django.utils.text import normalize_newlines
+ MAX_URL_LENGTH = 2048
+ MAX_STRIP_TAGS_DEPTH = 50
+
++# HTML tag that opens but has no closing ">" after 1k+ chars.
++long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
++
+
+ @keep_lazy(SafeString)
+ def escape(text):
+@@ -175,6 +178,9 @@ def _strip_once(value):
+ def strip_tags(value):
+ """Return the given HTML with all tags stripped."""
+ value = str(value)
++ for long_open_tag in long_open_tag_without_closing_re.finditer(value):
++ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
++ raise SuspiciousOperation
+ # Note: in typical case this loop executes _strip_once twice (the second
+ # execution does not remove any more tags).
+ strip_tags_depth = 0
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 579bb2a1e3..25168e2348 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -115,17 +115,30 @@ class TestUtilsHtml(SimpleTestCase):
+ ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
+ ("X<<<<br>br>br>br>X", "XX"),
+ ("<" * 50 + "a>" * 50, ""),
++ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
++ ("<" + "a" * 1_002, "<" + "a" * 1_002),
+ )
+ for value, output in items:
+ with self.subTest(value=value, output=output):
+ self.check_output(strip_tags, value, output)
+ self.check_output(strip_tags, lazystr(value), output)
+
+- def test_strip_tags_suspicious_operation(self):
++ def test_strip_tags_suspicious_operation_max_depth(self):
+ value = "<" * 51 + "a>" * 51, "<a>"
+ with self.assertRaises(SuspiciousOperation):
+ strip_tags(value)
+
++ def test_strip_tags_suspicious_operation_large_open_tags(self):
++ items = [
++ ">" + "<a" * 501,
++ "<a" * 50 + "a" * 950,
++ ]
++ for value in items:
++ with self.subTest(value=value):
++ with self.assertRaises(SuspiciousOperation):
++ strip_tags(value)
++
+ def test_strip_tags_files(self):
+ # Test with more lengthy content (also catching performance regressions)
+ for filename in ("strip_tags1.html", "strip_tags2.txt"):
@@ -3,6 +3,7 @@ inherit setuptools3
SRC_URI += " \
file://CVE-2025-26699.patch \
+ file://CVE-2025-32873.patch \
"
SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"
Details https://nvd.nist.gov/vuln/detail/CVE-2025-32873 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> --- .../CVE-2025-32873.patch | 85 +++++++++++++++++++ .../python/python3-django_4.2.20.bb | 1 + 2 files changed, 86 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-32873.patch