From bca6ddaa0d791bd2a95bf72edca3bb70b03e8cce Mon Sep 17 00:00:00 2001 From: Haixiao Yan Date: Wed, 14 Jan 2026 10:43:11 +0800 Subject: python3-django: Fix undefined _lazy_re_compile Fix the following error introduced by CVE-2024-27351.patch and CVE-2025-32873.patch: NameError: name '_lazy_re_compile' is not defined Signed-off-by: Haixiao Yan Signed-off-by: Gyorgy Sarvari --- .../Fix-undefined-_lazy_re_compile.patch | 49 ++++++++++++++++++++++ .../python/python3-django_2.2.28.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/Fix-undefined-_lazy_re_compile.patch (limited to 'meta-python/recipes-devtools/python') diff --git a/meta-python/recipes-devtools/python/python3-django/Fix-undefined-_lazy_re_compile.patch b/meta-python/recipes-devtools/python/python3-django/Fix-undefined-_lazy_re_compile.patch new file mode 100644 index 0000000000..226aaea07a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/Fix-undefined-_lazy_re_compile.patch @@ -0,0 +1,49 @@ +From f89fec5d58bc1684478fe23c29a34f17ca529b1a Mon Sep 17 00:00:00 2001 +From: Haixiao Yan +Date: Tue, 13 Jan 2026 14:14:02 +0800 +Subject: [PATCH] python3-django: Fix undefined _lazy_re_compile + +Fix the following error introduced by CVE-2024-27351.patch and +CVE-2025-32873.patch: + +NameError: name '_lazy_re_compile' is not defined + +Upstream-Status: Inappropriate [Fix the regression in the previous fix for CVE-2024-27351 and CVE-2025-32873] + +Signed-off-by: Haixiao Yan +--- + django/utils/html.py | 2 +- + django/utils/text.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/django/utils/html.py b/django/utils/html.py +index 858a517d92f8..6eb8bc3dbf38 100644 +--- a/django/utils/html.py ++++ b/django/utils/html.py +@@ -38,7 +38,7 @@ _html_escapes = { + } + + # HTML tag that opens but has no closing ">" after 1k+ chars. +-long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") ++long_open_tag_without_closing_re = re.compile(r"<[a-zA-Z][^>]{1000,}") + + + @keep_lazy(str, SafeText) +diff --git a/django/utils/text.py b/django/utils/text.py +index c474d5681eeb..e104b60c4f6c 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -27,8 +27,8 @@ def capfirst(x): + # text with only open brackets "<<<...". The class below provides the services + # and correct answers for the use cases, but in these edge cases does it much + # faster. +-re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S) +-re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S) ++re_notag = re.compile(r"([^<>\s]+)", re.S) ++re_prt = re.compile(r"<|([^<>\s]+)", re.S) + + + class WordsRegex: +-- +2.34.1 + diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 24b86a3e26..f2bb1de4f2 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb @@ -32,6 +32,7 @@ SRC_URI += "file://CVE-2023-31047.patch \ file://CVE-2024-39330.patch \ file://CVE-2025-32873.patch \ file://CVE-2025-64459.patch \ + file://Fix-undefined-_lazy_re_compile.patch \ " SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413" -- cgit v1.2.3-54-g00ecf