| Message ID | 20251217064521.288044-1-haixiao.yan.cn@windriver.com |
|---|---|
| State | New |
| Series | [meta-oe,krikstone] python3-django: fix CVE-2025-64459 | expand |
On 12/17/25 07:45, Yan, Haixiao (CN) via lists.openembedded.org wrote: > +--- > + django/db/models/query_utils.py | 11 ++++++++++- > + tests/queries/test_q.py | 6 ++++++ > + 2 files changed, 16 insertions(+), 1 deletion(-) > + > +diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py > +index f6bc0bd030de..e612ee8b1a44 100644 > +--- a/django/db/models/query_utils.py > ++++ b/django/db/models/query_utils.py > +@@ -52,11 +52,20 @@ class Q(tree.Node): > + # Connection types > + AND = 'AND' > + OR = 'OR' > ++ XOR = 'XOR' > + default = AND > + conditional = True > ++ connectors = (None, AND, OR, XOR) Thank you for this. I think it needs a bit of modification: xor support was added in 4.1, so I believe it would be appropriate to adapt the patch by omitting this operator from this version of the recipe. What do you think?
On 2025/12/17 16:31, Gyorgy Sarvari wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > On 12/17/25 07:45, Yan, Haixiao (CN) via lists.openembedded.org wrote: >> +--- >> + django/db/models/query_utils.py | 11 ++++++++++- >> + tests/queries/test_q.py | 6 ++++++ >> + 2 files changed, 16 insertions(+), 1 deletion(-) >> + >> +diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py >> +index f6bc0bd030de..e612ee8b1a44 100644 >> +--- a/django/db/models/query_utils.py >> ++++ b/django/db/models/query_utils.py >> +@@ -52,11 +52,20 @@ class Q(tree.Node): >> + # Connection types >> + AND = 'AND' >> + OR = 'OR' >> ++ XOR = 'XOR' >> + default = AND >> + conditional = True >> ++ connectors = (None, AND, OR, XOR) > Thank you for this. I think it needs a bit of modification: > xor support was added in 4.1, so I believe it would be appropriate to > adapt the patch by omitting this operator from this version of the > recipe. What do you think? > I will remove XOR and sent the v2. Thanks, Haixiao
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch
new file mode 100644
index 000000000000..98b484ab8fb1
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch
@@ -0,0 +1,62 @@
+From 3e356194ee1f5e144a9e9ec082b4331a8c0bbf7f Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:54:51 -0400
+Subject: [PATCH] Fixed CVE-2025-64459 -- Prevented SQL injections in
+ Q/QuerySet via the _connector kwarg.
+
+Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
+Charette, and Jake Howard for the reviews.
+
+CVE: CVE-2025-64459
+
+Upstream-Status: Backport [https://github.com/django/django/commit/98e642c]
+
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ django/db/models/query_utils.py | 11 ++++++++++-
+ tests/queries/test_q.py | 6 ++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
+index f6bc0bd030de..e612ee8b1a44 100644
+--- a/django/db/models/query_utils.py
++++ b/django/db/models/query_utils.py
+@@ -52,11 +52,20 @@ class Q(tree.Node):
+ # Connection types
+ AND = 'AND'
+ OR = 'OR'
++ XOR = 'XOR'
+ default = AND
+ conditional = True
++ connectors = (None, AND, OR, XOR)
+
+ def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+- super().__init__(children=[*args, *sorted(kwargs.items())], connector=_connector, negated=_negated)
++ if _connector not in self.connectors:
++ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
++ raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
++ super().__init__(
++ children=[*args, *sorted(kwargs.items())],
++ connector=_connector,
++ negated=_negated,
++ )
+
+ def _combine(self, other, conn):
+ if not isinstance(other, Q):
+diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
+index 9adff07ef2f3..0895be8535ba 100644
+--- a/tests/queries/test_q.py
++++ b/tests/queries/test_q.py
+@@ -103,3 +103,9 @@ class QTests(SimpleTestCase):
+ q = q1 & q2
+ path, args, kwargs = q.deconstruct()
+ self.assertEqual(Q(*args, **kwargs), q)
++
++ def test_connector_validation(self):
++ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, {Q.XOR!r}, or None."
++ with self.assertRaisesMessage(ValueError, msg):
++ Q(_connector="evil")
++
+--
+2.34.1
+
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 0478fd3883fa..71186203e17a 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -24,6 +24,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
 file://CVE-2024-45230.patch \
 file://CVE-2024-45231.patch \
 file://CVE-2024-53907.patch \
+ file://CVE-2025-64459.patch \
 "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
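Review bot: The test in the second inner hunk (tests/queries/test_q.py) hardcodes `{Q.XOR!r}` in the expected message, so if the class-level `XOR` attribute is left out of this 2.2 backport the test fails with AttributeError on the `msg = ...` line instead of exercising the new check; the test string has to be adapted in step with whatever `connectors` ends up containing, e.g. `msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, or None."`. In `Q.__init__` the `self.connectors[1:]` slice silently depends on `None` being the first tuple element; a one-line comment such as `# connectors[0] is None, so the reprs list only the named connectors` would make that ordering contract explicit. The patch header's `From 3e356194...` and the `Upstream-Status: Backport [.../commit/98e642c]` link name different commits; the link should cite the commit the patch was actually taken from, or state which stable branch it was cherry-picked from.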