python3-django: fix CVE-2025-59681

QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods on MySQL and MariaDB. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-59681 Upstream-patch: https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Haixiao Yan <haixiao.yan.cn@windriver.com> 2026-04-10 15:05:07 +0800
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15 14:12:18 +0530
commit: 9757d0151b92601c4c6fd05baf7e328afa000213 (patch)
tree: 81f0600f78ce53bb03ec284351b4032b044c5bff /meta-python
parent: 838ca228086821cf82b3de83fb78412c6d2784c8 (diff)
download: meta-openembedded-9757d0151b92601c4c6fd05baf7e328afa000213.tar.gz
2 files changed, 179 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch
new file mode 100644
index 0000000000..87d609bc0d
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch
@@ -0,0 +1,178 @@
+From 3626cf164dd785625a5f8402c621019707094782 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 10 Sep 2025 09:53:52 +0200
+Subject: [PATCH 2/2] [4.2.x] Fixed CVE-2025-59681 -- Protected
+ QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection
+ in column aliases on MySQL/MariaDB.
+Thanks sw0rd1ight for the report.
+Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
+Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
+CVE: CVE-2025-59681
+Upstream-Status: Backport [https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5]
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ django/db/models/sql/query.py             |  8 ++++----
+ tests/aggregation/tests.py                |  4 ++--
+ tests/annotations/tests.py                | 23 ++++++++++++-----------
+ tests/expressions/test_queryset_values.py |  8 ++++----
+ tests/queries/tests.py                    |  4 ++--
+ 5 files changed, 24 insertions(+), 23 deletions(-)
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 6a86a184d8b4..aa348ddf5ff8 100644
+--- a/django/db/models/sql/query.py
+++ b/django/db/models/sql/query.py
+@@ -47,9 +47,9 @@ from django.utils.tree import Node
+ 
+ __all__ = ["Query", "RawQuery"]
+ 
+-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
+# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
+ # SQL comments are forbidden in column aliases.
+-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
+FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
+ 
+ # Inspired from
+ # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+@@ -1188,8 +1188,8 @@ class Query(BaseExpression):
+     def check_alias(self, alias):
+         if FORBIDDEN_ALIAS_PATTERN.search(alias):
+             raise ValueError(
+-                "Column aliases cannot contain whitespace characters, quotation marks, "
+-                "semicolons, or SQL comments."
+                "Column aliases cannot contain whitespace characters, hashes, "
+                "quotation marks, semicolons, or SQL comments."
+             )
+ 
+     def add_annotation(self, annotation, alias, select=True):
+diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
+index 48266d97746b..277c0507f7d9 100644
+--- a/tests/aggregation/tests.py
+++ b/tests/aggregation/tests.py
+@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "aggregation_author"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Author.objects.aggregate(**{crafted_alias: Avg("age")})
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 01fa6958db7b..ac40408977ae 100644
+--- a/tests/annotations/tests.py
+++ b/tests/annotations/tests.py
+@@ -1127,8 +1127,8 @@ class NonAggregateAnnotationTestCase(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+@@ -1136,8 +1136,8 @@ class NonAggregateAnnotationTestCase(TestCase):
+     def test_alias_filtered_relation_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
+@@ -1154,13 +1154,14 @@ class NonAggregateAnnotationTestCase(TestCase):
+             "ali/*as",
+             "alias*/",
+             "alias;",
+-            # [] are used by MSSQL.
+            # [] and # are used by MSSQL.
+             "alias[",
+             "alias]",
+            "ali#as",
+         ]
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         for crafted_alias in tests:
+             with self.subTest(crafted_alias):
+@@ -1439,8 +1440,8 @@ class AliasTests(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
+@@ -1448,8 +1449,8 @@ class AliasTests(TestCase):
+     def test_alias_filtered_relation_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
+diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
+index 47bd1358de54..080ee06183dc 100644
+--- a/tests/expressions/test_queryset_values.py
+++ b/tests/expressions/test_queryset_values.py
+@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
+     def test_values_expression_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "expressions_company"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
+     def test_values_expression_alias_sql_injection_json_field(self):
+         crafted_alias = """injected_name" from "expressions_company"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             JSONFieldModel.objects.values(f"data__{crafted_alias}")
+diff --git a/tests/queries/tests.py b/tests/queries/tests.py
+index 5df231949194..91dce6170361 100644
+--- a/tests/queries/tests.py
+++ b/tests/queries/tests.py
+@@ -1942,8 +1942,8 @@ class Queries5Tests(TestCase):
+     def test_extra_select_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "queries_note"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
+            "Column aliases cannot contain whitespace characters, hashes, quotation "
+            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Note.objects.extra(select={crafted_alias: "1"})
+-- 
+2.34.1
diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
index 0f6a55a0b3..8a7cd2be16 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2025-64460.patch \
            file://CVE-2025-64459-1.patch \
            file://CVE-2025-64459-2.patch \
            file://CVE-2025-57833.patch \
+            file://CVE-2025-59681.patch \
           "
 SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
author	Haixiao Yan <haixiao.yan.cn@windriver.com>	2026-04-10 15:05:07 +0800
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-15 14:12:18 +0530
commit	9757d0151b92601c4c6fd05baf7e328afa000213 (patch)
tree	81f0600f78ce53bb03ec284351b4032b044c5bff /meta-python
parent	838ca228086821cf82b3de83fb78412c6d2784c8 (diff)
download	meta-openembedded-9757d0151b92601c4c6fd05baf7e328afa000213.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch new file mode 100644 index 0000000000..87d609bc0d --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-5.0.14/CVE-2025-59681.patch
@@ -0,0 +1,178 @@
		1	From 3626cf164dd785625a5f8402c621019707094782 Mon Sep 17 00:00:00 2001
		2	From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
		3	Date: Wed, 10 Sep 2025 09:53:52 +0200
		4	Subject: [PATCH 2/2] [4.2.x] Fixed CVE-2025-59681 -- Protected
		5	QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection
		6	in column aliases on MySQL/MariaDB.
		7
		8	Thanks sw0rd1ight for the report.
		9
		10	Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
		11
		12	Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
		13
		14	CVE: CVE-2025-59681
		15
		16	Upstream-Status: Backport [https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5]
		17
		18	Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
		19	---
		20	django/db/models/sql/query.py \| 8 ++++----
		21	tests/aggregation/tests.py \| 4 ++--
		22	tests/annotations/tests.py \| 23 ++++++++++++-----------
		23	tests/expressions/test_queryset_values.py \| 8 ++++----
		24	tests/queries/tests.py \| 4 ++--
		25	5 files changed, 24 insertions(+), 23 deletions(-)
		26
		27	diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
		28	index 6a86a184d8b4..aa348ddf5ff8 100644
		29	--- a/django/db/models/sql/query.py
		30	+++ b/django/db/models/sql/query.py
		31	@@ -47,9 +47,9 @@ from django.utils.tree import Node
		32
		33	__all__ = ["Query", "RawQuery"]
		34
		35	-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
		36	+# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
		37	# SQL comments are forbidden in column aliases.
		38	-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]\|--\|/\\|\/")
		39	+FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]\|#\|--\|/\\|\/")
		40
		41	# Inspired from
		42	# https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
		43	@@ -1188,8 +1188,8 @@ class Query(BaseExpression):
		44	def check_alias(self, alias):
		45	if FORBIDDEN_ALIAS_PATTERN.search(alias):
		46	raise ValueError(
		47	- "Column aliases cannot contain whitespace characters, quotation marks, "
		48	- "semicolons, or SQL comments."
		49	+ "Column aliases cannot contain whitespace characters, hashes, "
		50	+ "quotation marks, semicolons, or SQL comments."
		51	)
		52
		53	def add_annotation(self, annotation, alias, select=True):
		54	diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
		55	index 48266d97746b..277c0507f7d9 100644
		56	--- a/tests/aggregation/tests.py
		57	+++ b/tests/aggregation/tests.py
		58	@@ -2090,8 +2090,8 @@ class AggregateTestCase(TestCase):
		59	def test_alias_sql_injection(self):
		60	crafted_alias = """injected_name" from "aggregation_author"; --"""
		61	msg = (
		62	- "Column aliases cannot contain whitespace characters, quotation marks, "
		63	- "semicolons, or SQL comments."
		64	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		65	+ "marks, semicolons, or SQL comments."
		66	)
		67	with self.assertRaisesMessage(ValueError, msg):
		68	Author.objects.aggregate(**{crafted_alias: Avg("age")})
		69	diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
		70	index 01fa6958db7b..ac40408977ae 100644
		71	--- a/tests/annotations/tests.py
		72	+++ b/tests/annotations/tests.py
		73	@@ -1127,8 +1127,8 @@ class NonAggregateAnnotationTestCase(TestCase):
		74	def test_alias_sql_injection(self):
		75	crafted_alias = """injected_name" from "annotations_book"; --"""
		76	msg = (
		77	- "Column aliases cannot contain whitespace characters, quotation marks, "
		78	- "semicolons, or SQL comments."
		79	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		80	+ "marks, semicolons, or SQL comments."
		81	)
		82	with self.assertRaisesMessage(ValueError, msg):
		83	Book.objects.annotate(**{crafted_alias: Value(1)})
		84	@@ -1136,8 +1136,8 @@ class NonAggregateAnnotationTestCase(TestCase):
		85	def test_alias_filtered_relation_sql_injection(self):
		86	crafted_alias = """injected_name" from "annotations_book"; --"""
		87	msg = (
		88	- "Column aliases cannot contain whitespace characters, quotation marks, "
		89	- "semicolons, or SQL comments."
		90	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		91	+ "marks, semicolons, or SQL comments."
		92	)
		93	with self.assertRaisesMessage(ValueError, msg):
		94	Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
		95	@@ -1154,13 +1154,14 @@ class NonAggregateAnnotationTestCase(TestCase):
		96	"ali/*as",
		97	"alias*/",
		98	"alias;",
		99	- # [] are used by MSSQL.
		100	+ # [] and # are used by MSSQL.
		101	"alias[",
		102	"alias]",
		103	+ "ali#as",
		104	]
		105	msg = (
		106	- "Column aliases cannot contain whitespace characters, quotation marks, "
		107	- "semicolons, or SQL comments."
		108	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		109	+ "marks, semicolons, or SQL comments."
		110	)
		111	for crafted_alias in tests:
		112	with self.subTest(crafted_alias):
		113	@@ -1439,8 +1440,8 @@ class AliasTests(TestCase):
		114	def test_alias_sql_injection(self):
		115	crafted_alias = """injected_name" from "annotations_book"; --"""
		116	msg = (
		117	- "Column aliases cannot contain whitespace characters, quotation marks, "
		118	- "semicolons, or SQL comments."
		119	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		120	+ "marks, semicolons, or SQL comments."
		121	)
		122	with self.assertRaisesMessage(ValueError, msg):
		123	Book.objects.alias(**{crafted_alias: Value(1)})
		124	@@ -1448,8 +1449,8 @@ class AliasTests(TestCase):
		125	def test_alias_filtered_relation_sql_injection(self):
		126	crafted_alias = """injected_name" from "annotations_book"; --"""
		127	msg = (
		128	- "Column aliases cannot contain whitespace characters, quotation marks, "
		129	- "semicolons, or SQL comments."
		130	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		131	+ "marks, semicolons, or SQL comments."
		132	)
		133	with self.assertRaisesMessage(ValueError, msg):
		134	Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
		135	diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
		136	index 47bd1358de54..080ee06183dc 100644
		137	--- a/tests/expressions/test_queryset_values.py
		138	+++ b/tests/expressions/test_queryset_values.py
		139	@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
		140	def test_values_expression_alias_sql_injection(self):
		141	crafted_alias = """injected_name" from "expressions_company"; --"""
		142	msg = (
		143	- "Column aliases cannot contain whitespace characters, quotation marks, "
		144	- "semicolons, or SQL comments."
		145	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		146	+ "marks, semicolons, or SQL comments."
		147	)
		148	with self.assertRaisesMessage(ValueError, msg):
		149	Company.objects.values(**{crafted_alias: F("ceo__salary")})
		150	@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
		151	def test_values_expression_alias_sql_injection_json_field(self):
		152	crafted_alias = """injected_name" from "expressions_company"; --"""
		153	msg = (
		154	- "Column aliases cannot contain whitespace characters, quotation marks, "
		155	- "semicolons, or SQL comments."
		156	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		157	+ "marks, semicolons, or SQL comments."
		158	)
		159	with self.assertRaisesMessage(ValueError, msg):
		160	JSONFieldModel.objects.values(f"data__{crafted_alias}")
		161	diff --git a/tests/queries/tests.py b/tests/queries/tests.py
		162	index 5df231949194..91dce6170361 100644
		163	--- a/tests/queries/tests.py
		164	+++ b/tests/queries/tests.py
		165	@@ -1942,8 +1942,8 @@ class Queries5Tests(TestCase):
		166	def test_extra_select_alias_sql_injection(self):
		167	crafted_alias = """injected_name" from "queries_note"; --"""
		168	msg = (
		169	- "Column aliases cannot contain whitespace characters, quotation marks, "
		170	- "semicolons, or SQL comments."
		171	+ "Column aliases cannot contain whitespace characters, hashes, quotation "
		172	+ "marks, semicolons, or SQL comments."
		173	)
		174	with self.assertRaisesMessage(ValueError, msg):
		175	Note.objects.extra(select={crafted_alias: "1"})
		176	--
		177	2.34.1
		178


diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb index 0f6a55a0b3..8a7cd2be16 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.14.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2025-64460.patch \
8	file://CVE-2025-64459-1.patch \	8	file://CVE-2025-64459-1.patch \
9	file://CVE-2025-64459-2.patch \	9	file://CVE-2025-64459-2.patch \
10	file://CVE-2025-57833.patch \	10	file://CVE-2025-57833.patch \
		11	file://CVE-2025-59681.patch \
11	"	12	"
12	SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"	13	SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
13		14