python3-django: fix CVE-2025-64459

The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64459 https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html Upstream-patch: https://github.com/django/django/commit/98e642c69181c942d60a10ca0085d48c6b3068bb Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Haixiao Yan <haixiao.yan.cn@windriver.com> 2025-12-18 10:43:31 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-18 09:10:52 +0100
commit: 0d509157592d7dae633276bac651c1edaf2e0f08 (patch)
tree: 41246894ce0302c0cc18a0d6941d779e74f36d42
parent: 8611f92c20ba3aab57f3586a6a2e3b9cd1fe00c7 (diff)
download: meta-openembedded-0d509157592d7dae633276bac651c1edaf2e0f08.tar.gz
2 files changed, 61 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch
new file mode 100644
index 0000000000..3f906ad54f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch
@@ -0,0 +1,60 @@
+From b8db807fc4a287d80e37e0786bf054db8016721d Mon Sep 17 00:00:00 2001
+From: Jacob Walls <jacobtylerwalls@gmail.com>
+Date: Wed, 24 Sep 2025 15:54:51 -0400
+Subject: [PATCH] Fixed CVE-2025-64459 -- Prevented SQL injections in
+ Q/QuerySet via the _connector kwarg.
+Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
+Charette, and Jake Howard for the reviews.
+CVE: CVE-2025-64459
+Upstream-Status: Backport [https://github.com/django/django/commit/98e642c]
+Remove XOR, which was introduced in v4.1, and omit this operator from this version.
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ django/db/models/query_utils.py | 10 +++++++++-
+ tests/queries/test_q.py         |  6 ++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
+index f6bc0bd030de..eb62df83dac7 100644
+--- a/django/db/models/query_utils.py
+++ b/django/db/models/query_utils.py
+@@ -54,9 +54,17 @@ class Q(tree.Node):
+     OR = 'OR'
+     default = AND
+     conditional = True
+    connectors = (None, AND, OR)
+ 
+     def __init__(self, *args, _connector=None, _negated=False, **kwargs):
+-        super().__init__(children=[*args, *sorted(kwargs.items())], connector=_connector, negated=_negated)
+        if _connector not in self.connectors:
+            connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
+            raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
+        super().__init__(
+            children=[*args, *sorted(kwargs.items())],
+            connector=_connector,
+            negated=_negated,
+        )
+ 
+     def _combine(self, other, conn):
+         if not isinstance(other, Q):
+diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
+index 9adff07ef2f3..765715961bf3 100644
+--- a/tests/queries/test_q.py
+++ b/tests/queries/test_q.py
+@@ -103,3 +103,9 @@ class QTests(SimpleTestCase):
+         q = q1 & q2
+         path, args, kwargs = q.deconstruct()
+         self.assertEqual(Q(*args, **kwargs), q)
+
+    def test_connector_validation(self):
+        msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, or None."
+        with self.assertRaisesMessage(ValueError, msg):
+            Q(_connector="evil")
+
+-- 
+2.34.1
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 87830e4bc3..24b86a3e26 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2024-39329.patch \
            file://CVE-2024-39330.patch \
            file://CVE-2025-32873.patch \
+            file://CVE-2025-64459.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
author	Haixiao Yan <haixiao.yan.cn@windriver.com>	2025-12-18 10:43:31 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-18 09:10:52 +0100
commit	0d509157592d7dae633276bac651c1edaf2e0f08 (patch)
tree	41246894ce0302c0cc18a0d6941d779e74f36d42
parent	8611f92c20ba3aab57f3586a6a2e3b9cd1fe00c7 (diff)
download	meta-openembedded-0d509157592d7dae633276bac651c1edaf2e0f08.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch new file mode 100644 index 0000000000..3f906ad54f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-64459.patch
@@ -0,0 +1,60 @@
		1	From b8db807fc4a287d80e37e0786bf054db8016721d Mon Sep 17 00:00:00 2001
		2	From: Jacob Walls <jacobtylerwalls@gmail.com>
		3	Date: Wed, 24 Sep 2025 15:54:51 -0400
		4	Subject: [PATCH] Fixed CVE-2025-64459 -- Prevented SQL injections in
		5	Q/QuerySet via the _connector kwarg.
		6
		7	Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
		8	Charette, and Jake Howard for the reviews.
		9
		10	CVE: CVE-2025-64459
		11
		12	Upstream-Status: Backport [https://github.com/django/django/commit/98e642c]
		13	Remove XOR, which was introduced in v4.1, and omit this operator from this version.
		14
		15	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
		16	---
		17	django/db/models/query_utils.py \| 10 +++++++++-
		18	tests/queries/test_q.py \| 6 ++++++
		19	2 files changed, 15 insertions(+), 1 deletion(-)
		20
		21	diff --git a/django/db/models/query_utils.py b/django/db/models/query_utils.py
		22	index f6bc0bd030de..eb62df83dac7 100644
		23	--- a/django/db/models/query_utils.py
		24	+++ b/django/db/models/query_utils.py
		25	@@ -54,9 +54,17 @@ class Q(tree.Node):
		26	OR = 'OR'
		27	default = AND
		28	conditional = True
		29	+ connectors = (None, AND, OR)
		30
		31	def __init__(self, args, _connector=None, _negated=False, *kwargs):
		32	- super().__init__(children=[args, sorted(kwargs.items())], connector=_connector, negated=_negated)
		33	+ if _connector not in self.connectors:
		34	+ connector_reprs = ", ".join(f"{conn!r}" for conn in self.connectors[1:])
		35	+ raise ValueError(f"_connector must be one of {connector_reprs}, or None.")
		36	+ super().__init__(
		37	+ children=[args, sorted(kwargs.items())],
		38	+ connector=_connector,
		39	+ negated=_negated,
		40	+ )
		41
		42	def _combine(self, other, conn):
		43	if not isinstance(other, Q):
		44	diff --git a/tests/queries/test_q.py b/tests/queries/test_q.py
		45	index 9adff07ef2f3..765715961bf3 100644
		46	--- a/tests/queries/test_q.py
		47	+++ b/tests/queries/test_q.py
		48	@@ -103,3 +103,9 @@ class QTests(SimpleTestCase):
		49	q = q1 & q2
		50	path, args, kwargs = q.deconstruct()
		51	self.assertEqual(Q(args, *kwargs), q)
		52	+
		53	+ def test_connector_validation(self):
		54	+ msg = f"_connector must be one of {Q.AND!r}, {Q.OR!r}, or None."
		55	+ with self.assertRaisesMessage(ValueError, msg):
		56	+ Q(_connector="evil")
		57	+
		58	--
		59	2.34.1
		60


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 87830e4bc3..24b86a3e26 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -31,6 +31,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
31	file://CVE-2024-39329.patch \	31	file://CVE-2024-39329.patch \
32	file://CVE-2024-39330.patch \	32	file://CVE-2024-39330.patch \
33	file://CVE-2025-32873.patch \	33	file://CVE-2025-32873.patch \
		34	file://CVE-2025-64459.patch \
34	"	35	"
35		36
36	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	37	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"