diff mbox series

[meta-openembedded,scarthgap,2/2] python3-django 5.0.11: Fix CVE-2025-26699

Message ID 20251107102116.924586-2-adongare@cisco.com
State New
Headers show
Series [meta-openembedded,scarthgap,1/2] python3-django 5.0.11: ignore CVE-2025-27556 | expand

Commit Message

Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) Nov. 7, 2025, 10:21 a.m. UTC 
From: Anil Dongare <adongare@cisco.com>

Upstream Repository: https://github.com/django/django.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26699
Type: Security Fix
CVE: CVE-2025-26699
Score: 7.5
Patch: https://github.com/django/django/commit/e88f7376fe68

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 .../python3-django/CVE-2025-26699.patch       | 100 ++++++++++++++++++
 .../python/python3-django_5.0.11.bb           |   2 +
 2 files changed, 102 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
diff mbox series

Patch

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
new file mode 100644
index 0000000000..bba65eaee3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
@@ -0,0 +1,100 @@ 
+From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 25 Feb 2025 09:40:54 +0100
+Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
+ wordwrap template filter.
+
+Thanks sw0rd1ight for the report.
+
+Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
+
+CVE: CVE-2025-26699
+Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68]
+
+Backport Changes:
+- The fix has been adapted from the upstream Django v4.2.20 patch for
+  CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe.
+
+- The upstream patch includes changes to a 4.2.20.txt release-note file.
+  This file does not exist in the Django 5.0.11 source tree, so it was
+  intentionally omitted from this backport.
+
+- Only the relevant code changes from the upstream patch were applied.
+  No functional differences exist in the vulnerable logic between
+  Django 4.2.x and 5.0.x.
+
+(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ django/utils/text.py                          | 28 +++++++------------
+ .../filter_tests/test_wordwrap.py             | 11 ++++++++
+ 2 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index d992f80dd2..36ab6a9efc 100644
+--- a/django/utils/text.py
++++ b/django/utils/text.py
+@@ -1,6 +1,7 @@
+ import gzip
+ import re
+ import secrets
++import textwrap
+ import unicodedata
+ from gzip import GzipFile
+ from gzip import compress as gzip_compress
+@@ -97,24 +98,15 @@ def wrap(text, width):
+     ``width``.
+     """
+ 
+-    def _generator():
+-        for line in text.splitlines(True):  # True keeps trailing linebreaks
+-            max_width = min((line.endswith("\n") and width + 1 or width), width)
+-            while len(line) > max_width:
+-                space = line[: max_width + 1].rfind(" ") + 1
+-                if space == 0:
+-                    space = line.find(" ") + 1
+-                    if space == 0:
+-                        yield line
+-                        line = ""
+-                        break
+-                yield "%s\n" % line[: space - 1]
+-                line = line[space:]
+-                max_width = min((line.endswith("\n") and width + 1 or width), width)
+-            if line:
+-                yield line
+-
+-    return "".join(_generator())
++    wrapper = textwrap.TextWrapper(
++        width=width,
++        break_long_words=False,
++        break_on_hyphens=False,
++    )
++    result = []
++    for line in text.splitlines(True):
++        result.extend(wrapper.wrap(line))
++    return "\n".join(result)
+ 
+ 
+ def add_truncation_text(text, truncate=None):
+diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
+index 88fbd274da..4afa1dd234 100644
+--- a/tests/template_tests/filter_tests/test_wordwrap.py
++++ b/tests/template_tests/filter_tests/test_wordwrap.py
+@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
+             "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
+             "I'm afraid",
+         )
++
++    def test_wrap_long_text(self):
++        long_text = (
++            "this is a long paragraph of text that really needs"
++            " to be wrapped I'm afraid " * 20_000
++        )
++        self.assertIn(
++            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
++            "I'm afraid",
++            wordwrap(long_text, 10),
++        )
+-- 
+2.43.5
+
diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
index 43be30c7ec..0d26c7928d 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
@@ -4,6 +4,8 @@  inherit setuptools3
 # Windows-specific DoS via NFKC normalization, not applicable to Linux
 CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
 
+SRC_URI = "file://CVE-2025-26699.patch \
+           "
 SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65"
 
 RDEPENDS:${PN} += "\