new file mode 100644
@@ -0,0 +1,110 @@
+From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+Date: Wed, 30 Apr 2025 10:34:27 -0400
+Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in
+ strip_tags().
+
+Thanks to Elias Myllymaki for the report, and Shai Berger and Jake
+Howard for the reviews.
+
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+
+Backport of 9f3419b from main.
+
+CVE: CVE-2025-32873
+
+Upstream-Status: Backport
+https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/
+
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/utils/html.py | 6 ++++++
+ docs/releases/3.2.25.txt | 11 +++++++++++
+ tests/utils_tests/test_html.py | 15 ++++++++++++++-
+ 3 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index 5887bf1..1a3033e 100644
+--- a/django/utils/html.py
++++ b/django/utils/html.py
+@@ -33,6 +33,9 @@ simple_url_2_re = _lazy_re_compile(
+ MAX_URL_LENGTH = 2048
+ MAX_STRIP_TAGS_DEPTH = 50
+
++# HTML tag that opens but has no closing ">" after 1k+ chars.
++long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
++
+
+ @keep_lazy(str, SafeString)
+ def escape(text):
+@@ -184,6 +187,9 @@ def _strip_once(value):
+ def strip_tags(value):
+ """Return the given HTML with all tags stripped."""
+ value = str(value)
++ for long_open_tag in long_open_tag_without_closing_re.finditer(value):
++ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
++ raise SuspiciousOperation
+ # Note: in typical case this loop executes _strip_once twice (the second
+ # execution does not remove any more tags).
+ strip_tags_depth = 0
+diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
+index f21bb47..2e113cc 100644
+--- a/docs/releases/3.2.25.txt
++++ b/docs/releases/3.2.25.txt
+@@ -82,6 +82,17 @@ Remember that absolutely NO guarantee is provided about the results of
+ ``strip_tags()`` call without escaping it first, for example with
+ :func:`django.utils.html.escape`.
+
++CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
++=================================================================
++
++:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
++containing large sequences of incomplete HTML tags. This function is used to
++implement the :tfilter:`striptags` template filter, which was thus also
++vulnerable.
++
++:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
++exception if it encounters an unusually large number of unclosed opening tags.
++
+ Bugfixes
+ ========
+
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 231f5d8..5c2de01 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -94,17 +94,30 @@ class TestUtilsHtml(SimpleTestCase):
+ ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
+ ('X<<<<br>br>br>br>X', 'XX'),
+ ("<" * 50 + "a>" * 50, ""),
++ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
++ ("<" + "a" * 1_002, "<" + "a" * 1_002),
+ )
+ for value, output in items:
+ with self.subTest(value=value, output=output):
+ self.check_output(strip_tags, value, output)
+ self.check_output(strip_tags, lazystr(value), output)
+
+- def test_strip_tags_suspicious_operation(self):
++ def test_strip_tags_suspicious_operation_max_depth(self):
+ value = "<" * 51 + "a>" * 51, "<a>"
+ with self.assertRaises(SuspiciousOperation):
+ strip_tags(value)
+
++ def test_strip_tags_suspicious_operation_large_open_tags(self):
++ items = [
++ ">" + "<a" * 501,
++ "<a" * 50 + "a" * 950,
++ ]
++ for value in items:
++ with self.subTest(value=value):
++ with self.assertRaises(SuspiciousOperation):
++ strip_tags(value)
++
+ def test_strip_tags_files(self):
+ # Test with more lengthy content (also catching performance regressions)
+ for filename in ('strip_tags1.html', 'strip_tags2.txt'):
+--
+2.40.0
+
new file mode 100644
@@ -0,0 +1,107 @@
+From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+Date: Wed, 30 Apr 2025 10:34:27 -0400
+Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in
+ strip_tags().
+
+Thanks to Elias Myllymaki for the report, and Shai Berger and Jake
+Howard for the reviews.
+
+Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
+
+Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
+
+CVE: CVE-2025-32873
+
+Upstream-Status: Backport
+https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c
+
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/utils/html.py | 6 ++++++
+ docs/releases/2.2.28.txt | 11 +++++++++++
+ tests/utils_tests/test_html.py | 15 ++++++++++++++-
+ 3 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index 0d5ffd2..858a517 100644
+--- a/django/utils/html.py
++++ b/django/utils/html.py
+@@ -37,6 +37,9 @@ _html_escapes = {
+ ord("'"): ''',
+ }
+
++# HTML tag that opens but has no closing ">" after 1k+ chars.
++long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
++
+
+ @keep_lazy(str, SafeText)
+ def escape(text):
+@@ -188,6 +191,9 @@ def _strip_once(value):
+ def strip_tags(value):
+ """Return the given HTML with all tags stripped."""
+ value = str(value)
++ for long_open_tag in long_open_tag_without_closing_re.finditer(value):
++ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
++ raise SuspiciousOperation
+ # Note: in typical case this loop executes _strip_once twice (the second
+ # execution does not remove any more tags).
+ strip_tags_depth = 0
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 3503f38..1676bbd 100644
+--- a/docs/releases/2.2.28.txt
++++ b/docs/releases/2.2.28.txt
+@@ -143,3 +143,14 @@ directory-traversal via certain inputs when calling :meth:`save()
+
+ Built-in ``Storage`` sub-classes were not affected by this vulnerability.
+
++CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
++=================================================================
++
++:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
++containing large sequences of incomplete HTML tags. This function is used to
++implement the :tfilter:`striptags` template filter, which was thus also
++vulnerable.
++
++:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
++exception if it encounters an unusually large number of unclosed opening tags.
++
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 2f412e1..653deb2 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -92,17 +92,30 @@ class TestUtilsHtml(SimpleTestCase):
+ ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
+ ('X<<<<br>br>br>br>X', 'XX'),
+ ("<" * 50 + "a>" * 50, ""),
++ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
++ ("<" + "a" * 1_002, "<" + "a" * 1_002),
+ )
+ for value, output in items:
+ with self.subTest(value=value, output=output):
+ self.check_output(strip_tags, value, output)
+ self.check_output(strip_tags, lazystr(value), output)
+
+- def test_strip_tags_suspicious_operation(self):
++ def test_strip_tags_suspicious_operation_max_depth(self):
+ value = "<" * 51 + "a>" * 51, "<a>"
+ with self.assertRaises(SuspiciousOperation):
+ strip_tags(value)
+
++ def test_strip_tags_suspicious_operation_large_open_tags(self):
++ items = [
++ ">" + "<a" * 501,
++ "<a" * 50 + "a" * 950,
++ ]
++ for value in items:
++ with self.subTest(value=value):
++ with self.assertRaises(SuspiciousOperation):
++ strip_tags(value)
++
+ def test_strip_tags_files(self):
+ # Test with more lengthy content (also catching performance regressions)
+ for filename in ('strip_tags1.html', 'strip_tags2.txt'):
+--
+2.40.0
+
@@ -30,6 +30,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
file://CVE-2025-57833.patch \
file://CVE-2024-39329.patch \
file://CVE-2024-39330.patch \
+ file://CVE-2025-32873.patch \
"
SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
@@ -14,6 +14,7 @@ SRC_URI += "\
file://CVE-2024-39330.patch \
file://CVE-2024-41991.patch \
file://CVE-2024-53907.patch \
+ file://CVE-2025-32873.patch \
"
# Set DEFAULT_PREFERENCE so that the LTS version of django is built by
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32873 Upstream-patch: https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/ Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> --- .../CVE-2025-32873.patch | 110 ++++++++++++++++++ .../python3-django/CVE-2025-32873.patch | 107 +++++++++++++++++ .../python/python3-django_2.2.28.bb | 1 + .../python/python3-django_3.2.25.bb | 1 + 4 files changed, 219 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2025-32873.patch create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2025-32873.patch