new file mode 100644
@@ -0,0 +1,72 @@
+From c757b620cd8099d17e202c0f5582bbab5564056c Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 16 Sep 2025 17:13:36 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial
+ directory-traversal via archive.extract().
+
+Thanks stackered for the report.
+
+Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
+
+Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
+
+CVE: CVE-2025-59682
+Upstream-Status: Backport [https://github.com/django/django/commit/9504bbaa392c9fe37eee9291f5b4c29eb6037619]
+(cherry picked from commit 9504bbaa392c9fe37eee9291f5b4c29eb6037619)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ django/utils/archive.py | 6 +++++-
+ tests/utils_tests/test_archive.py | 19 +++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/archive.py b/django/utils/archive.py
+index 71ec2d0015..e8af690e27 100644
+--- a/django/utils/archive.py
++++ b/django/utils/archive.py
+@@ -144,7 +144,11 @@ class BaseArchive:
+ def target_filename(self, to_path, name):
+ target_path = os.path.abspath(to_path)
+ filename = os.path.abspath(os.path.join(target_path, name))
+- if not filename.startswith(target_path):
++ try:
++ if os.path.commonpath([target_path, filename]) != target_path:
++ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
++ except ValueError:
++ # Different drives on Windows raises ValueError.
+ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+ return filename
+
+diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py
+index 8cd107063f..8063dafb65 100644
+--- a/tests/utils_tests/test_archive.py
++++ b/tests/utils_tests/test_archive.py
+@@ -3,6 +3,7 @@ import stat
+ import sys
+ import tempfile
+ import unittest
++import zipfile
+
+ from django.core.exceptions import SuspiciousOperation
+ from django.test import SimpleTestCase
+@@ -96,3 +97,21 @@ class TestArchiveInvalid(SimpleTestCase):
+ with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
+ with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path):
+ archive.extract(os.path.join(archives_dir, entry), tmpdir)
++
++ def test_extract_function_traversal_startswith(self):
++ with tempfile.TemporaryDirectory() as tmpdir:
++ base = os.path.abspath(tmpdir)
++ tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False)
++ tar_path = tarfile_handle.name
++ tarfile_handle.close()
++ self.addCleanup(os.remove, tar_path)
++
++ malicious_member = os.path.join(base + "abc", "evil.txt")
++ with zipfile.ZipFile(tar_path, "w") as zf:
++ zf.writestr(malicious_member, "evil\n")
++ zf.writestr("test.txt", "data\n")
++
++ with self.assertRaisesMessage(
++ SuspiciousOperation, "Archive contains invalid path"
++ ):
++ archive.extract(tar_path, base)
@@ -12,6 +12,7 @@ SRC_URI += " \
file://CVE-2025-48432-6.patch \
file://CVE-2025-57833.patch \
file://CVE-2025-59681.patch \
+ file://CVE-2025-59682.patch \
"
SRC_URI[sha256sum] = "92bac5b4432a64532abb73b2ac27203f485e40225d2640a7fbef2b62b876e789"
Details https://nvd.nist.gov/vuln/detail/CVE-2025-59682 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> --- .../CVE-2025-59682.patch | 72 +++++++++++++++++++ .../python/python3-django_4.2.20.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-4.2.20/CVE-2025-59682.patch