diff -pruN 3:5.2.4-1/debian/changelog 3:5.2.4-1ubuntu1/debian/changelog
--- 3:5.2.4-1/debian/changelog	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu1/debian/changelog	2025-09-15 12:13:25.000000000 +0000
@@ -1,3 +1,21 @@
+python-django (3:5.2.4-1ubuntu1) questing; urgency=medium
+
+  * SECURITY UPDATE: SQL injection
+    - debian/patches/CVE-2025-57833.patch: protected
+      FilteredRelation against SQL injection in column
+      aliases in django/db/models/sql/query.py,
+      tests/annotations/tests.py.
+    - debian/patches/fixing_test_stip_tags.patch: Adjusted
+      utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+      HTMLParser new behavior in tests/utils_test/test_html.py.
+    - debian/patches/fixing_test_parsing_errors.patch: Fixed
+      test_utils.tests.HTMLEqualTests.test_parsing_errors
+      following Python's HTMLParser fixed parsing in
+      tests/test_utils/tests.py.
+    - CVE-2025-57833
+
+ -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 15 Sep 2025 09:13:25 -0300
+
 python-django (3:5.2.4-1) experimental; urgency=medium
 
   * New upstream bugfix release.
diff -pruN 3:5.2.4-1/debian/control 3:5.2.4-1ubuntu1/debian/control
--- 3:5.2.4-1/debian/control	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu1/debian/control	2025-09-15 12:13:25.000000000 +0000
@@ -1,7 +1,8 @@
 Source: python-django
 Section: python
 Priority: optional
-Maintainer: Debian Python Team <team+python@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Python Team <team+python@tracker.debian.org>
 Uploaders:
  Luke Faraone <lfaraone@debian.org>,
  Raphaël Hertzog <hertzog@debian.org>,
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-57833.patch 3:5.2.4-1ubuntu1/debian/patches/CVE-2025-57833.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-57833.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu1/debian/patches/CVE-2025-57833.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,74 @@
+From 88ff2b0ce9985476ea7d6d398d786272f97216d0 Mon Sep 17 00:00:00 2001
+From: Jake Howard <git@theorangeone.net>
+Date: Wed, 13 Aug 2025 14:13:42 +0200
+Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
+ against SQL injection in column aliases.
+
+Thanks Eyal Gabay (EyalSec) for the report.
+
+Backport of 958ad4b7ccc356d7c50b4162c40ff5ad08d79850 from main.
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 92a09c5..a75d9e8 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -1696,6 +1696,7 @@ def _add_q(
+         return target_clause, needed_inner
+ 
+     def add_filtered_relation(self, filtered_relation, alias):
++        self.check_alias(alias)
+         filtered_relation.alias = alias
+         relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
+             filtered_relation.relation_name
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 6c0d7b6..060d632 100644
+--- a/tests/annotations/tests.py
++++ b/tests/annotations/tests.py
+@@ -14,6 +14,7 @@
+     Exists,
+     ExpressionWrapper,
+     F,
++    FilteredRelation,
+     FloatField,
+     Func,
+     IntegerField,
+@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
++
+     def test_alias_forbidden_chars(self):
+         tests = [
+             'al"ias',
+@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
+                 with self.assertRaisesMessage(ValueError, msg):
+                     Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++                with self.assertRaisesMessage(ValueError, msg):
++                    Book.objects.annotate(
++                        **{crafted_alias: FilteredRelation("authors")}
++                    )
++
+     @skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
+     @skipUnlessDBFeature("supports_json_field")
+     def test_set_returning_functions(self):
+@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
++
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
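Review bot: The new annotate test at the first test hunk builds `FilteredRelation("author")` while the two later tests use `FilteredRelation("authors")`; since `check_alias(alias)` is now the first statement of `add_filtered_relation`, ahead of the `solve_lookup_type` call on the relation name, the ValueError is raised before the relation is ever resolved, so the test still passes, but the inconsistent name reads as if it targets a different relation. For clarity I would align it with the others: `Book.objects.annotate(**{crafted_alias: FilteredRelation("authors")})`. I cannot see the Book model here, so which of the two names is the real field is inferred from the other two tests. The body of `add_filtered_relation` continues outside the hunk, so whether any other code path assigns an alias without passing through this method is not visible in this patch.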
diff -pruN 3:5.2.4-1/debian/patches/fixing_test_parsing_errors.patch 3:5.2.4-1ubuntu1/debian/patches/fixing_test_parsing_errors.patch
--- 3:5.2.4-1/debian/patches/fixing_test_parsing_errors.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu1/debian/patches/fixing_test_parsing_errors.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,27 @@
+From e4515dad7a6d953c0bd2414127ba36e1446ff41a Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 21 Jul 2025 15:23:32 -0300
+Subject: [PATCH] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors
+ following Python's HTMLParser fixed parsing.
+
+Further details about Python changes can be found in:
+https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3.
+
+Thank you Clifford Gama for the thorough review!
+---
+ tests/test_utils/tests.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: python-django-5.2.4/tests/test_utils/tests.py
+===================================================================
+--- python-django-5.2.4.orig/tests/test_utils/tests.py
++++ python-django-5.2.4/tests/test_utils/tests.py
+@@ -948,7 +948,7 @@ class HTMLEqualTests(SimpleTestCase):
+             "('Unexpected end tag `div` (Line 1, Column 6)', (1, 6))"
+         )
+         with self.assertRaisesMessage(AssertionError, error_msg):
+-            self.assertHTMLEqual("< div></ div>", "<div></div>")
++            self.assertHTMLEqual("< div></div>", "<div></div>")
+         with self.assertRaises(HTMLParseError):
+             parse_html("</p>")
+ 
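Review bot: This patch replaces the malformed input unconditionally, whereas the sibling fixing_test_strip_tags.patch guards its expectation on `sys.version_info`; nothing in the hunk records why no guard is needed here. Presumably it is because `</div>` is a well-formed end tag that both the old and the fixed HTMLParser recognize, so the same "Unexpected end tag `div` (Line 1, Column 6)" error is produced on either interpreter, while the old `</ div>` form is what the CPython change stopped treating as an end tag. I would add a comment above the assertion along the lines of `# "</ div>" is no longer parsed as an end tag after the CPython HTMLParser fix; "</div>" yields the same error on old and new parsers, so no version guard is needed.` so the next maintainer does not reintroduce a guard. The enclosing test method starts outside the hunk.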
diff -pruN 3:5.2.4-1/debian/patches/fixing_test_strip_tags.patch 3:5.2.4-1ubuntu1/debian/patches/fixing_test_strip_tags.patch
--- 3:5.2.4-1/debian/patches/fixing_test_strip_tags.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu1/debian/patches/fixing_test_strip_tags.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,64 @@
+From 2980627502c84a9fd09272e1349dc574a2ff1fb1 Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 14 Jul 2025 14:45:03 -0300
+Subject: [PATCH] Fixed #36499 -- Adjusted
+ utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+ HTMLParser new behavior.
+
+Python fixed a quadratic complexity processing for HTMLParser in:
+https://github.com/python/cpython/commit/6eb6c5db.
+---
+ tests/utils_tests/test_html.py | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+Index: python-django-5.2.4/tests/utils_tests/test_html.py
+===================================================================
+--- python-django-5.2.4.orig/tests/utils_tests/test_html.py
++++ python-django-5.2.4/tests/utils_tests/test_html.py
+@@ -1,4 +1,5 @@
+ import os
++import sys
+ from datetime import datetime
+ 
+ from django.core.exceptions import SuspiciousOperation
+@@ -117,6 +118,21 @@ class TestUtilsHtml(SimpleTestCase):
+                 self.check_output(linebreaks, lazystr(value), output)
+ 
+     def test_strip_tags(self):
++        # Python fixed a quadratic-time issue in HTMLParser in 3.13.6, 3.12.12,
++        # 3.11.14, 3.10.19, and 3.9.24. The fix slightly changes HTMLParser's
++        # output, so tests for particularly malformed input must handle both
++        # old and new results. The check below is temporary until all supported
++        # Python versions and CI workers include the fix. See:
++        # https://github.com/python/cpython/commit/6eb6c5db
++        min_fixed = {
++            (3, 14): (3, 14),
++            (3, 13): (3, 13, 6),
++            (3, 12): (3, 12, 12),
++            (3, 11): (3, 11, 14),
++            (3, 10): (3, 10, 19),
++            (3, 9): (3, 9, 24),
++        }
++        htmlparser_fixed = sys.version_info >= min_fixed[sys.version_info[:2]]
+         items = (
+             (
+                 "<p>See: &#39;&eacute; is an apostrophe followed by e acute</p>",
+@@ -144,10 +160,16 @@ class TestUtilsHtml(SimpleTestCase):
+             ("&gotcha&#;<>", "&gotcha&#;<>"),
+             ("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
+             ("<script>alert()</script>&h", "alert()h"),
+-            ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
++            (
++                "><!" + ("&" * 16000) + "D",
++                ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
++            ),
+             ("X<<<<br>br>br>br>X", "XX"),
+             ("<" * 50 + "a>" * 50, ""),
+-            (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++            (
++                ">" + "<a" * 500 + "a",
++                ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
++            ),
+             ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+             ("<" + "a" * 1_002, "<" + "a" * 1_002),
+         )
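Review bot: `min_fixed[sys.version_info[:2]]` raises KeyError for any interpreter whose minor version is not a key of the table, so the test errors out rather than choosing an expectation on a future release (a constructed example: 3.15) or on anything older than 3.9. Since every newer minor is fixed by construction and every older one is not, a default covers both directions: `htmlparser_fixed = sys.version_info >= min_fixed.get(sys.version_info[:2], (3, 14))`. This mirrors the upstream commit, so the package's build interpreter is presumably in the table, but the guard is explicitly described as temporary and will outlive the table if left as is. The `test_strip_tags` body continues past the end of the hunk.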
diff -pruN 3:5.2.4-1/debian/patches/series 3:5.2.4-1ubuntu1/debian/patches/series
--- 3:5.2.4-1/debian/patches/series	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu1/debian/patches/series	2025-09-15 12:13:25.000000000 +0000
@@ -2,3 +2,6 @@
 0002-use_debian_geoip_database_as_default.diff
 0004-Use-locally-installed-documentation-sources.patch
 0004-Set-the-default-shebang-to-new-projects-to-use-Pytho.patch
+CVE-2025-57833.patch
+fixing_test_strip_tags.patch
+fixing_test_parsing_errors.patch
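Review bot: The patch added to the series here is `fixing_test_strip_tags.patch`, matching the file created in this diff, but the debian/changelog entry at the top of the same diff names it `fixing_test_stip_tags.patch`; the changelog line should be corrected to `- debian/patches/fixing_test_strip_tags.patch: Adjusted` so that the recorded patch name can be grepped against the series. The ordering itself looks fine: the CVE patch is applied before the two test-adjustment patches, and the three touch different files, so no inter-patch fuzz is expected.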
