2 files changed, 1 insertions, 103 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
deleted file mode 100644
index bba65eaee3..0000000000
--- a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001
-From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
-Date: Tue, 25 Feb 2025 09:40:54 +0100
-Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
- wordwrap template filter.
-Thanks sw0rd1ight for the report.
-Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
-CVE: CVE-2025-26699
-Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68]
-Backport Changes:
- The fix has been adapted from the upstream Django v4.2.20 patch for
-  CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe.
- The upstream patch includes changes to a 4.2.20.txt release-note file.
-  This file does not exist in the Django 5.0.11 source tree, so it was
-  intentionally omitted from this backport.
- Only the relevant code changes from the upstream patch were applied.
-  No functional differences exist in the vulnerable logic between
-  Django 4.2.x and 5.0.x.
-(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860)
-Signed-off-by: Anil Dongare <adongare@cisco.com>
---
- django/utils/text.py                          | 28 +++++++------------
- .../filter_tests/test_wordwrap.py             | 11 ++++++++
- 2 files changed, 21 insertions(+), 18 deletions(-)
-diff --git a/django/utils/text.py b/django/utils/text.py
-index d992f80dd2..36ab6a9efc 100644
--- a/django/utils/text.py
-+++ b/django/utils/text.py
-@@ -1,6 +1,7 @@
- import gzip
- import re
- import secrets
-+import textwrap
- import unicodedata
- from gzip import GzipFile
- from gzip import compress as gzip_compress
-@@ -97,24 +98,15 @@ def wrap(text, width):
-     ``width``.
-     """
- 
-    def _generator():
-        for line in text.splitlines(True):  # True keeps trailing linebreaks
-            max_width = min((line.endswith("\n") and width + 1 or width), width)
-            while len(line) > max_width:
-                space = line[: max_width + 1].rfind(" ") + 1
-                if space == 0:
-                    space = line.find(" ") + 1
-                    if space == 0:
-                        yield line
-                        line = ""
-                        break
-                yield "%s\n" % line[: space - 1]
-                line = line[space:]
-                max_width = min((line.endswith("\n") and width + 1 or width), width)
-            if line:
-                yield line
-
-    return "".join(_generator())
-+    wrapper = textwrap.TextWrapper(
-+        width=width,
-+        break_long_words=False,
-+        break_on_hyphens=False,
-+    )
-+    result = []
-+    for line in text.splitlines(True):
-+        result.extend(wrapper.wrap(line))
-+    return "\n".join(result)
- 
- 
- def add_truncation_text(text, truncate=None):
-diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
-index 88fbd274da..4afa1dd234 100644
--- a/tests/template_tests/filter_tests/test_wordwrap.py
-+++ b/tests/template_tests/filter_tests/test_wordwrap.py
-@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
-             "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
-             "I'm afraid",
-         )
-+
-+    def test_wrap_long_text(self):
-+        long_text = (
-+            "this is a long paragraph of text that really needs"
-+            " to be wrapped I'm afraid " * 20_000
-+        )
-+        self.assertIn(
-+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
-+            "I'm afraid",
-+            wordwrap(long_text, 10),
-+        )
-- 
-2.43.5
diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
index 0d26c7928d..d176123893 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
@@ -4,9 +4,7 @@ inherit setuptools3
 # Windows-specific DoS via NFKC normalization, not applicable to Linux
 CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
-SRC_URI = "file://CVE-2025-26699.patch \
+SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
-           "
-SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65"
 RDEPENDS:${PN} += "\
    python3-sqlparse \

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch deleted file mode 100644 index bba65eaee3..0000000000 --- a/meta-python/recipes-devtools/python/python3-django/CVE-2025-26699.patch +++ /dev/null
@@ -1,100 +0,0 @@
1	From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001
2	From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
3	Date: Tue, 25 Feb 2025 09:40:54 +0100
4	Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
5	wordwrap template filter.
6
7	Thanks sw0rd1ight for the report.
8
9	Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
10
11	CVE: CVE-2025-26699
12	Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68]
13
14	Backport Changes:
15	- The fix has been adapted from the upstream Django v4.2.20 patch for
16	CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe.
17
18	- The upstream patch includes changes to a 4.2.20.txt release-note file.
19	This file does not exist in the Django 5.0.11 source tree, so it was
20	intentionally omitted from this backport.
21
22	- Only the relevant code changes from the upstream patch were applied.
23	No functional differences exist in the vulnerable logic between
24	Django 4.2.x and 5.0.x.
25
26	(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860)
27	Signed-off-by: Anil Dongare <adongare@cisco.com>
28	---
29	django/utils/text.py \| 28 +++++++------------
30	.../filter_tests/test_wordwrap.py \| 11 ++++++++
31	2 files changed, 21 insertions(+), 18 deletions(-)
32
33	diff --git a/django/utils/text.py b/django/utils/text.py
34	index d992f80dd2..36ab6a9efc 100644
35	--- a/django/utils/text.py
36	+++ b/django/utils/text.py
37	@@ -1,6 +1,7 @@
38	import gzip
39	import re
40	import secrets
41	+import textwrap
42	import unicodedata
43	from gzip import GzipFile
44	from gzip import compress as gzip_compress
45	@@ -97,24 +98,15 @@ def wrap(text, width):
46	``width``.
47	"""
48
49	- def _generator():
50	- for line in text.splitlines(True): # True keeps trailing linebreaks
51	- max_width = min((line.endswith("\n") and width + 1 or width), width)
52	- while len(line) > max_width:
53	- space = line[: max_width + 1].rfind(" ") + 1
54	- if space == 0:
55	- space = line.find(" ") + 1
56	- if space == 0:
57	- yield line
58	- line = ""
59	- break
60	- yield "%s\n" % line[: space - 1]
61	- line = line[space:]
62	- max_width = min((line.endswith("\n") and width + 1 or width), width)
63	- if line:
64	- yield line
65	-
66	- return "".join(_generator())
67	+ wrapper = textwrap.TextWrapper(
68	+ width=width,
69	+ break_long_words=False,
70	+ break_on_hyphens=False,
71	+ )
72	+ result = []
73	+ for line in text.splitlines(True):
74	+ result.extend(wrapper.wrap(line))
75	+ return "\n".join(result)
76
77
78	def add_truncation_text(text, truncate=None):
79	diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
80	index 88fbd274da..4afa1dd234 100644
81	--- a/tests/template_tests/filter_tests/test_wordwrap.py
82	+++ b/tests/template_tests/filter_tests/test_wordwrap.py
83	@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
84	"this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
85	"I'm afraid",
86	)
87	+
88	+ def test_wrap_long_text(self):
89	+ long_text = (
90	+ "this is a long paragraph of text that really needs"
91	+ " to be wrapped I'm afraid " * 20_000
92	+ )
93	+ self.assertIn(
94	+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
95	+ "I'm afraid",
96	+ wordwrap(long_text, 10),
97	+ )
98	--
99	2.43.5
100


diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb index 0d26c7928d..d176123893 100644 --- a/meta-python/recipes-devtools/python/python3-django_5.0.11.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.14.bb
@@ -4,9 +4,7 @@ inherit setuptools3
4	# Windows-specific DoS via NFKC normalization, not applicable to Linux	4	# Windows-specific DoS via NFKC normalization, not applicable to Linux
5	CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"	5	CVE_STATUS[CVE-2025-27556] = "not-applicable-platform: Issue only applies on Windows"
6		6
7	SRC_URI = "file://CVE-2025-26699.patch \	7	SRC_URI[sha256sum] = "29019a5763dbd48da1720d687c3522ef40d1c61be6fb2fad27ed79e9f655bc11"
8	"
9	SRC_URI[sha256sum] = "e7d98fa05ce09cb3e8d5ad6472fb602322acd1740bfdadc29c8404182d664f65"
10		8
11	RDEPENDS:${PN} += "\	9	RDEPENDS:${PN} += "\
12	python3-sqlparse \	10	python3-sqlparse \