[meta-python,scarthgap,6/8] python3-django: patch CVE-2025-59681

Message ID	20251022061803.887676-6-ankur.tyagi85@gmail.com
State	New
Headers	show Return-Path: <ankur.tyagi85@gmail.com> ip: 209.85.214.181, mailfrom: ankur.tyagi85@gmail.com) From: Ankur Tyagi <ankur.tyagi85@gmail.com> To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi <ankur.tyagi85@gmail.com> Subject: [oe][meta-python][scarthgap][PATCH 6/8] python3-django: patch CVE-2025-59681 Date: Wed, 22 Oct 2025 19:17:57 +1300 Message-ID: <20251022061803.887676-6-ankur.tyagi85@gmail.com> In-Reply-To: <20251022061803.887676-1-ankur.tyagi85@gmail.com> References: <20251022061803.887676-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-python,scarthgap,1/8] python3-django: upgrade 4.2.18 -> 4.2.20 \| expand [meta-python,scarthgap,1/8] python3-django: upgrade 4.2.18 -> 4.2.20 [meta-python,scarthgap,2/8] python3-django: patch CVE-2025-26699 [meta-python,scarthgap,3/8] python3-django: patch CVE-2025-32873 [meta-python,scarthgap,4/8] python3-django: patch CVE-2025-48432 [meta-python,scarthgap,5/8] python3-django: patch CVE-2025-57833 [meta-python,scarthgap,6/8] python3-django: patch CVE-2025-59681 [meta-python,scarthgap,7/8] python3-django: patch CVE-2025-59682 [meta-python,scarthgap,8/8] python3-django: upgrade 5.0.11 -> 5.0.14

diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch new file mode 100644 index 0000000000..681638ac4f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59681.patch @@ -0,0 +1,174 @@ +From af61d1752df85a1ba1c320282128f2fccdad0107 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Date: Wed, 10 Sep 2025 09:53:52 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2025-59681 -- Protected + QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection + in column aliases on MySQL/MariaDB. + +Thanks sw0rd1ight for the report. + +Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. + +Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. + +CVE: CVE-2025-59681 +Upstream-Status: Backport [https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5] +(cherry picked from commit 38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5) +Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> +--- + django/db/models/sql/query.py | 8 ++++---- + tests/aggregation/tests.py | 4 ++-- + tests/annotations/tests.py | 23 ++++++++++++----------- + tests/expressions/test_queryset_values.py | 8 ++++---- + tests/queries/tests.py | 4 ++-- + 5 files changed, 24 insertions(+), 23 deletions(-) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index 5a1b68507b..3b8071eab4 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -46,9 +46,9 @@ from django.utils.tree import Node + + __all__ = ["Query", "RawQuery"] + +-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline ++# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline + # SQL comments are forbidden in column aliases. +-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/") ++FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/") + + # Inspired from + # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS +@@ -1123,8 +1123,8 @@ class Query(BaseExpression): + def check_alias(self, alias): + if FORBIDDEN_ALIAS_PATTERN.search(alias): + raise ValueError( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, " ++ "quotation marks, semicolons, or SQL comments." + ) + + def add_annotation(self, annotation, alias, select=True): +diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py +index 48266d9774..277c0507f7 100644 +--- a/tests/aggregation/tests.py ++++ b/tests/aggregation/tests.py +@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "aggregation_author"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Author.objects.aggregate(**{crafted_alias: Avg("age")}) +diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py +index a8474abc77..4879f19a78 100644 +--- a/tests/annotations/tests.py ++++ b/tests/annotations/tests.py +@@ -1116,8 +1116,8 @@ class NonAggregateAnnotationTestCase(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: Value(1)}) +@@ -1125,8 +1125,8 @@ class NonAggregateAnnotationTestCase(TestCase): + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.annotate(**{crafted_alias: FilteredRelation("author")}) +@@ -1143,13 +1143,14 @@ class NonAggregateAnnotationTestCase(TestCase): + "ali/*as", + "alias*/", + "alias;", +- # [] are used by MSSQL. ++ # [] and # are used by MSSQL. + "alias[", + "alias]", ++ "ali#as", + ] + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + for crafted_alias in tests: + with self.subTest(crafted_alias): +@@ -1428,8 +1429,8 @@ class AliasTests(TestCase): + def test_alias_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: Value(1)}) +@@ -1437,8 +1438,8 @@ class AliasTests(TestCase): + def test_alias_filtered_relation_sql_injection(self): + crafted_alias = """injected_name" from "annotations_book"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Book.objects.alias(**{crafted_alias: FilteredRelation("authors")}) +diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py +index 47bd1358de..080ee06183 100644 +--- a/tests/expressions/test_queryset_values.py ++++ b/tests/expressions/test_queryset_values.py +@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase): + def test_values_expression_alias_sql_injection(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Company.objects.values(**{crafted_alias: F("ceo__salary")}) +@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase): + def test_values_expression_alias_sql_injection_json_field(self): + crafted_alias = """injected_name" from "expressions_company"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + JSONFieldModel.objects.values(f"data__{crafted_alias}") +diff --git a/tests/queries/tests.py b/tests/queries/tests.py +index a6a2b252eb..b8488fef75 100644 +--- a/tests/queries/tests.py ++++ b/tests/queries/tests.py +@@ -1943,8 +1943,8 @@ class Queries5Tests(TestCase): + def test_extra_select_alias_sql_injection(self): + crafted_alias = """injected_name" from "queries_note"; --""" + msg = ( +- "Column aliases cannot contain whitespace characters, quotation marks, " +- "semicolons, or SQL comments." ++ "Column aliases cannot contain whitespace characters, hashes, quotation " ++ "marks, semicolons, or SQL comments." + ) + with self.assertRaisesMessage(ValueError, msg): + Note.objects.extra(select={crafted_alias: "1"}) diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb index 4aca046b71..67f704f9cf 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.20.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.20.bb @@ -11,6 +11,7 @@ SRC_URI += " \ file://CVE-2025-48432-5.patch \ file://CVE-2025-48432-6.patch \ file://CVE-2025-57833.patch \ + file://CVE-2025-59681.patch \ " SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"

[meta-python,scarthgap,6/8] python3-django: patch CVE-2025-59681

Commit Message

Patch