python3-django: fix CVE-2025-26699

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-26699 Upstream-patch: https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860 Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> 2025-11-30 17:05:23 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-11-30 15:16:30 +0100
commit: 540b79e3eeec268bfbc49ad1fe227cc385005bf4 (patch)
tree: 2f31f9b32eab84ea23a279e980ecf4b8357ecd52 /meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
parent: 666ec505b4a90a1c02d1d9205a9c6840b9adf528 (diff)
download: meta-openembedded-540b79e3eeec268bfbc49ad1fe227cc385005bf4.tar.gz
1 files changed, 107 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
new file mode 100644
index 0000000000..44e182057a
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
@@ -0,0 +1,107 @@
+From e88f7376fe68dbf4ebaf11fad1513ce700b45860 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 25 Feb 2025 09:40:54 +0100
+Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap
+ template filter.
+Thanks sw0rd1ight for the report.
+Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
+CVE: CVE-2025-26699
+Upstream-Status: Backport
+https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860
+Signed-off-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+%% original patch: CVE-2025-26699.patch
+---
+ django/utils/text.py                          | 28 ++++++++-----------
+ docs/releases/2.2.28.txt                      |  6 ++++
+ .../filter_tests/test_wordwrap.py             | 12 ++++++++
+ 3 files changed, 29 insertions(+), 17 deletions(-)
+diff --git a/django/utils/text.py b/django/utils/text.py
+index 2c4040e..c474d56 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -1,5 +1,6 @@
+ import html.entities
+ import re
+import textwrap
+ import unicodedata
+ from gzip import GzipFile
+ from io import BytesIO
+@@ -88,23 +89,16 @@ def wrap(text, width):
+     Don't wrap long words, thus the output text may have lines longer than
+     ``width``.
+     """
+-    def _generator():
+-        for line in text.splitlines(True):  # True keeps trailing linebreaks
+-            max_width = min((line.endswith('\n') and width + 1 or width), width)
+-            while len(line) > max_width:
+-                space = line[:max_width + 1].rfind(' ') + 1
+-                if space == 0:
+-                    space = line.find(' ') + 1
+-                    if space == 0:
+-                        yield line
+-                        line = ''
+-                        break
+-                yield '%s\n' % line[:space - 1]
+-                line = line[space:]
+-                max_width = min((line.endswith('\n') and width + 1 or width), width)
+-            if line:
+-                yield line
+-    return ''.join(_generator())
+
+    wrapper = textwrap.TextWrapper(
+        width=width,
+        break_long_words=False,
+        break_on_hyphens=False,
+    )
+    result = []
+    for line in text.splitlines(True):
+        result.extend(wrapper.wrap(line))
+    return "\n".join(result)
+ 
+ 
+ class Truncator(SimpleLazyObject):
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 7227452..7096d13 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -99,3 +99,9 @@ CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils
+ regular expression denial-of-service attack using a suitably crafted string
+ (follow up to :cve:`2019-14232` and :cve:`2023-43665`).
+ 
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
+=========================================================================================
+
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
+potential denial-of-service attack when used with very long strings.
+
+diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
+index 02f8605..e6f2afb 100644
+--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
+@@ -51,3 +51,15 @@ class FunctionTests(SimpleTestCase):
+             ), 14),
+             'this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\nI\'m afraid',
+         )
+
+    def test_wrap_long_text(self):
+        long_text = (
+            "this is a long paragraph of text that really needs"
+            " to be wrapped I'm afraid " * 20_000
+        )
+        self.assertIn(
+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
+            "I'm afraid",
+            wordwrap(long_text, 10),
+        )
+
+-- 
+2.40.0
author	Saravanan <saravanan.kadambathursubramaniyam@windriver.com>	2025-11-30 17:05:23 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-11-30 15:16:30 +0100
commit	540b79e3eeec268bfbc49ad1fe227cc385005bf4 (patch)
tree	2f31f9b32eab84ea23a279e980ecf4b8357ecd52 /meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
parent	666ec505b4a90a1c02d1d9205a9c6840b9adf528 (diff)
download	meta-openembedded-540b79e3eeec268bfbc49ad1fe227cc385005bf4.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch new file mode 100644 index 0000000000..44e182057a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
@@ -0,0 +1,107 @@
	1	From e88f7376fe68dbf4ebaf11fad1513ce700b45860 Mon Sep 17 00:00:00 2001
	2	From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
	3	Date: Tue, 25 Feb 2025 09:40:54 +0100
	4	Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap
	5	template filter.
	6
	7	Thanks sw0rd1ight for the report.
	8
	9	Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
	10
	11	CVE: CVE-2025-26699
	12
	13	Upstream-Status: Backport
	14	https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860
	15
	16	Signed-off-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
	17	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
	18
	19	%% original patch: CVE-2025-26699.patch
	20	---
	21	django/utils/text.py \| 28 ++++++++-----------
	22	docs/releases/2.2.28.txt \| 6 ++++
	23	.../filter_tests/test_wordwrap.py \| 12 ++++++++
	24	3 files changed, 29 insertions(+), 17 deletions(-)
	25
	26	diff --git a/django/utils/text.py b/django/utils/text.py
	27	index 2c4040e..c474d56 100644
	28	--- a/django/utils/text.py
	29	+++ b/django/utils/text.py
	30	@@ -1,5 +1,6 @@
	31	import html.entities
	32	import re
	33	+import textwrap
	34	import unicodedata
	35	from gzip import GzipFile
	36	from io import BytesIO
	37	@@ -88,23 +89,16 @@ def wrap(text, width):
	38	Don't wrap long words, thus the output text may have lines longer than
	39	``width``.
	40	"""
	41	- def _generator():
	42	- for line in text.splitlines(True): # True keeps trailing linebreaks
	43	- max_width = min((line.endswith('\n') and width + 1 or width), width)
	44	- while len(line) > max_width:
	45	- space = line[:max_width + 1].rfind(' ') + 1
	46	- if space == 0:
	47	- space = line.find(' ') + 1
	48	- if space == 0:
	49	- yield line
	50	- line = ''
	51	- break
	52	- yield '%s\n' % line[:space - 1]
	53	- line = line[space:]
	54	- max_width = min((line.endswith('\n') and width + 1 or width), width)
	55	- if line:
	56	- yield line
	57	- return ''.join(_generator())
	58	+
	59	+ wrapper = textwrap.TextWrapper(
	60	+ width=width,
	61	+ break_long_words=False,
	62	+ break_on_hyphens=False,
	63	+ )
	64	+ result = []
	65	+ for line in text.splitlines(True):
	66	+ result.extend(wrapper.wrap(line))
	67	+ return "\n".join(result)
	68
	69
	70	class Truncator(SimpleLazyObject):
	71	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
	72	index 7227452..7096d13 100644
	73	--- a/docs/releases/2.2.28.txt
	74	+++ b/docs/releases/2.2.28.txt
	75	@@ -99,3 +99,9 @@ CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils
	76	regular expression denial-of-service attack using a suitably crafted string
	77	(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
	78
	79	+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
	80	+=========================================================================================
	81	+
	82	+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
	83	+potential denial-of-service attack when used with very long strings.
	84	+
	85	diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
	86	index 02f8605..e6f2afb 100644
	87	--- a/tests/template_tests/filter_tests/test_wordwrap.py
	88	+++ b/tests/template_tests/filter_tests/test_wordwrap.py
	89	@@ -51,3 +51,15 @@ class FunctionTests(SimpleTestCase):
	90	), 14),
	91	'this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\nI\'m afraid',
	92	)
	93	+
	94	+ def test_wrap_long_text(self):
	95	+ long_text = (
	96	+ "this is a long paragraph of text that really needs"
	97	+ " to be wrapped I'm afraid " * 20_000
	98	+ )
	99	+ self.assertIn(
	100	+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
	101	+ "I'm afraid",
	102	+ wordwrap(long_text, 10),
	103	+ )
	104	+
	105	--
	106	2.40.0
	107