2 files changed, 43 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
new file mode 100644
index 0000000000..450788b0fc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
@@ -0,0 +1,42 @@
+From c78be5dd9f1772a22f3094d8c2cfe56bfb45b122 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 14 Jan 2026 00:24:12 +0100
+Subject: [PATCH] implement group method for FakeMatch
+FakeMatch class was introduced in a backported CVE patch for this
+recipe (CVE-2024-27351). These objects are later accessed in
+django/utils/text.py module, in Truncator._truncate_html() method.
+It is treated as a regex.search() object.
+This function, at the time when the upstream project introduced this
+CVE patch was using array-style access, with brackets, so it
+worked, because the FakeMatch class implements the __getitem__()
+method. However in version 2.x, it was using group() access to
+access the matches - which is not implemented for this class, making
+these accesses fail:
+AttributeError: 'FakeMatch' object has no attribute 'group'
+To avoid this issue, this patch implements this method for this class.
+Upstream-Status: Inappropriate [Backport-specific]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ django/utils/text.py | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/django/utils/text.py b/django/utils/text.py
+index e104b60..5033937 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -66,6 +66,9 @@ class FakeMatch:
+     def __init__(self, text, end):
+         self._text, self._end = text, end
+ 
+    def group(self, n):
+        return self[n]
+
+ 
+ # ----- End security-related performance workaround -----
+ 
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 72485295a7..3b5491cd5e 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://Fix-undefined-_lazy_re_compile.patch \
            file://Fix-missing-JSONField-in-django.db.mo.patch \
            file://0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch \
+            file://0001-implement-group-method-for-FakeMatch.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"

diff --git a/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch new file mode 100644 index 0000000000..450788b0fc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
@@ -0,0 +1,42 @@
		1	From c78be5dd9f1772a22f3094d8c2cfe56bfb45b122 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Wed, 14 Jan 2026 00:24:12 +0100
		4	Subject: [PATCH] implement group method for FakeMatch
		5
		6	FakeMatch class was introduced in a backported CVE patch for this
		7	recipe (CVE-2024-27351). These objects are later accessed in
		8	django/utils/text.py module, in Truncator._truncate_html() method.
		9	It is treated as a regex.search() object.
		10
		11	This function, at the time when the upstream project introduced this
		12	CVE patch was using array-style access, with brackets, so it
		13	worked, because the FakeMatch class implements the __getitem__()
		14	method. However in version 2.x, it was using group() access to
		15	access the matches - which is not implemented for this class, making
		16	these accesses fail:
		17
		18	AttributeError: 'FakeMatch' object has no attribute 'group'
		19
		20	To avoid this issue, this patch implements this method for this class.
		21
		22	Upstream-Status: Inappropriate [Backport-specific]
		23
		24	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		25	---
		26	django/utils/text.py \| 3 +++
		27	1 file changed, 3 insertions(+)
		28
		29	diff --git a/django/utils/text.py b/django/utils/text.py
		30	index e104b60..5033937 100644
		31	--- a/django/utils/text.py
		32	+++ b/django/utils/text.py
		33	@@ -66,6 +66,9 @@ class FakeMatch:
		34	def __init__(self, text, end):
		35	self._text, self._end = text, end
		36
		37	+ def group(self, n):
		38	+ return self[n]
		39	+
		40
		41	# ----- End security-related performance workaround -----
		42


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 72485295a7..3b5491cd5e 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
35	file://Fix-undefined-_lazy_re_compile.patch \	35	file://Fix-undefined-_lazy_re_compile.patch \
36	file://Fix-missing-JSONField-in-django.db.mo.patch \	36	file://Fix-missing-JSONField-in-django.db.mo.patch \
37	file://0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch \	37	file://0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch \
		38	file://0001-implement-group-method-for-FakeMatch.patch \
38	"	39	"
39		40
40	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	41	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"