diff -pruN 3:5.2.4-1/debian/changelog 3:5.2.4-1ubuntu2/debian/changelog
--- 3:5.2.4-1/debian/changelog	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/changelog	2025-10-01 16:49:58.000000000 +0000
@@ -1,3 +1,36 @@
+python-django (3:5.2.4-1ubuntu2) questing; urgency=medium
+
+  * SECURITY UPDATE: Potential SQL injection
+    - debian/patches/CVE-2025-59681.patch: protect against SQL injection in
+      django/db/models/sql/query.py, tests/aggregation/tests.py,
+      tests/annotations/tests.py,
+      tests/expressions/test_queryset_values.py, tests/queries/tests.py.
+    - CVE-2025-59681
+  * SECURITY UPDATE: Potential partial directory-traversal
+    - debian/patches/CVE-2025-59682.patch: validate path in
+      django/utils/archive.py, tests/utils_tests/test_archive.py.
+    - CVE-2025-59682
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 01 Oct 2025 12:49:58 -0400
+
+python-django (3:5.2.4-1ubuntu1) questing; urgency=medium
+
+  * SECURITY UPDATE: SQL injection
+    - debian/patches/CVE-2025-57833.patch: protected
+      FilteredRelation against SQL injection in column
+      aliases in django/db/models/sql/query.py,
+      tests/annotations/tests.py.
+    - debian/patches/fixing_test_stip_tags.patch: Adjusted
+      utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+      HTMLParser new behavior in tests/utils_test/test_html.py.
+    - debian/patches/fixing_test_parsing_errors.patch: Fixed
+      test_utils.tests.HTMLEqualTests.test_parsing_errors
+      following Python's HTMLParser fixed parsing in
+      tests/test_utils/tests.py.
+    - CVE-2025-57833
+
+ -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 15 Sep 2025 09:13:25 -0300
+
 python-django (3:5.2.4-1) experimental; urgency=medium
 
   * New upstream bugfix release.
diff -pruN 3:5.2.4-1/debian/control 3:5.2.4-1ubuntu2/debian/control
--- 3:5.2.4-1/debian/control	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/control	2025-09-15 12:13:25.000000000 +0000
@@ -1,7 +1,8 @@
 Source: python-django
 Section: python
 Priority: optional
-Maintainer: Debian Python Team <team+python@tracker.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Python Team <team+python@tracker.debian.org>
 Uploaders:
  Luke Faraone <lfaraone@debian.org>,
  Raphaël Hertzog <hertzog@debian.org>,
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-57833.patch 3:5.2.4-1ubuntu2/debian/patches/CVE-2025-57833.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-57833.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/patches/CVE-2025-57833.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,74 @@
+From 88ff2b0ce9985476ea7d6d398d786272f97216d0 Mon Sep 17 00:00:00 2001
+From: Jake Howard <git@theorangeone.net>
+Date: Wed, 13 Aug 2025 14:13:42 +0200
+Subject: [PATCH] [5.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation
+ against SQL injection in column aliases.
+
+Thanks Eyal Gabay (EyalSec) for the report.
+
+Backport of 958ad4b7ccc356d7c50b4162c40ff5ad08d79850 from main.
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 92a09c5..a75d9e8 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -1696,6 +1696,7 @@ def _add_q(
+         return target_clause, needed_inner
+ 
+     def add_filtered_relation(self, filtered_relation, alias):
++        self.check_alias(alias)
+         filtered_relation.alias = alias
+         relation_lookup_parts, relation_field_parts, _ = self.solve_lookup_type(
+             filtered_relation.relation_name
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 6c0d7b6..060d632 100644
+--- a/tests/annotations/tests.py
++++ b/tests/annotations/tests.py
+@@ -14,6 +14,7 @@
+     Exists,
+     ExpressionWrapper,
+     F,
++    FilteredRelation,
+     FloatField,
+     Func,
+     IntegerField,
+@@ -1164,6 +1165,15 @@ def test_alias_sql_injection(self):
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
++
+     def test_alias_forbidden_chars(self):
+         tests = [
+             'al"ias',
+@@ -1189,6 +1199,11 @@ def test_alias_forbidden_chars(self):
+                 with self.assertRaisesMessage(ValueError, msg):
+                     Book.objects.annotate(**{crafted_alias: Value(1)})
+ 
++                with self.assertRaisesMessage(ValueError, msg):
++                    Book.objects.annotate(
++                        **{crafted_alias: FilteredRelation("authors")}
++                    )
++
+     @skipUnless(connection.vendor == "postgresql", "PostgreSQL tests")
+     @skipUnlessDBFeature("supports_json_field")
+     def test_set_returning_functions(self):
+@@ -1482,3 +1497,12 @@ def test_alias_sql_injection(self):
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
++
++    def test_alias_filtered_relation_sql_injection(self):
++        crafted_alias = """injected_name" from "annotations_book"; --"""
++        msg = (
++            "Column aliases cannot contain whitespace characters, quotation marks, "
++            "semicolons, or SQL comments."
++        )
++        with self.assertRaisesMessage(ValueError, msg):
++            Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
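Review bot: The `test_alias_filtered_relation_sql_injection` added to the annotate tests passes `FilteredRelation("author")`, while the other two added cases (the forbidden-chars loop and the `alias()` variant) use `"authors"`. The test presumably passes either way because `check_alias` now raises before the relation name is resolved, but the mismatch reads like a typo; `FilteredRelation("authors")` in all three would keep the tests independent of that ordering. In `add_filtered_relation` a short comment such as `# Reject unsafe aliases before the alias is stored or reaches SQL generation.` would record why the call has to come first. The Book model and the rest of `add_filtered_relation` are outside the hunk.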
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-59681.patch 3:5.2.4-1ubuntu2/debian/patches/CVE-2025-59681.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-59681.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/patches/CVE-2025-59681.patch	2025-10-01 16:49:52.000000000 +0000
@@ -0,0 +1,175 @@
+Backport of:
+
+From b4d3036c04ae71d611edecf5cfc7d4e5b5927f81 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 10 Sep 2025 09:53:52 +0200
+Subject: [PATCH 1/2] [5.2.x] Fixed CVE-2025-59681 -- Protected
+ QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection
+ in column aliases on MySQL/MariaDB.
+
+Thanks sw0rd1ight for the report.
+
+Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
+---
+ django/db/models/sql/query.py             |  8 ++++----
+ docs/releases/4.2.25.txt                  |  9 ++++++++-
+ docs/releases/5.1.13.txt                  |  9 ++++++++-
+ docs/releases/5.2.7.txt                   |  9 +++++++++
+ tests/aggregation/tests.py                |  4 ++--
+ tests/annotations/tests.py                | 23 ++++++++++++-----------
+ tests/expressions/test_queryset_values.py |  8 ++++----
+ tests/queries/tests.py                    |  4 ++--
+ 8 files changed, 49 insertions(+), 25 deletions(-)
+
+diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py
+index 5247616086..3a1cd73951 100644
+--- a/django/db/models/sql/query.py
++++ b/django/db/models/sql/query.py
+@@ -48,9 +48,9 @@ from django.utils.tree import Node
+ 
+ __all__ = ["Query", "RawQuery"]
+ 
+-# Quotation marks ('"`[]), whitespace characters, semicolons, or inline
++# Quotation marks ('"`[]), whitespace characters, semicolons, hashes, or inline
+ # SQL comments are forbidden in column aliases.
+-FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|--|/\*|\*/")
++FORBIDDEN_ALIAS_PATTERN = _lazy_re_compile(r"['`\"\]\[;\s]|#|--|/\*|\*/")
+ 
+ # Inspired from
+ # https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+@@ -1208,8 +1208,8 @@ class Query(BaseExpression):
+     def check_alias(self, alias):
+         if FORBIDDEN_ALIAS_PATTERN.search(alias):
+             raise ValueError(
+-                "Column aliases cannot contain whitespace characters, quotation marks, "
+-                "semicolons, or SQL comments."
++                "Column aliases cannot contain whitespace characters, hashes, "
++                "quotation marks, semicolons, or SQL comments."
+             )
+ 
+     def add_annotation(self, annotation, alias, select=True):
+diff --git a/tests/aggregation/tests.py b/tests/aggregation/tests.py
+index bf44c4d25f..2e41f19947 100644
+--- a/tests/aggregation/tests.py
++++ b/tests/aggregation/tests.py
+@@ -2136,8 +2136,8 @@ class AggregateTestCase(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "aggregation_author"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Author.objects.aggregate(**{crafted_alias: Avg("age")})
+diff --git a/tests/annotations/tests.py b/tests/annotations/tests.py
+index 060d6324c7..7a12121224 100644
+--- a/tests/annotations/tests.py
++++ b/tests/annotations/tests.py
+@@ -1159,8 +1159,8 @@ class NonAggregateAnnotationTestCase(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: Value(1)})
+@@ -1168,8 +1168,8 @@ class NonAggregateAnnotationTestCase(TestCase):
+     def test_alias_filtered_relation_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.annotate(**{crafted_alias: FilteredRelation("author")})
+@@ -1186,13 +1186,14 @@ class NonAggregateAnnotationTestCase(TestCase):
+             "ali/*as",
+             "alias*/",
+             "alias;",
+-            # [] are used by MSSQL.
++            # [] and # are used by MSSQL.
+             "alias[",
+             "alias]",
++            "ali#as",
+         ]
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         for crafted_alias in tests:
+             with self.subTest(crafted_alias):
+@@ -1492,8 +1493,8 @@ class AliasTests(TestCase):
+     def test_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: Value(1)})
+@@ -1501,8 +1502,8 @@ class AliasTests(TestCase):
+     def test_alias_filtered_relation_sql_injection(self):
+         crafted_alias = """injected_name" from "annotations_book"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Book.objects.alias(**{crafted_alias: FilteredRelation("authors")})
+diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py
+index 47bd1358de..080ee06183 100644
+--- a/tests/expressions/test_queryset_values.py
++++ b/tests/expressions/test_queryset_values.py
+@@ -37,8 +37,8 @@ class ValuesExpressionsTests(TestCase):
+     def test_values_expression_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "expressions_company"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Company.objects.values(**{crafted_alias: F("ceo__salary")})
+@@ -47,8 +47,8 @@ class ValuesExpressionsTests(TestCase):
+     def test_values_expression_alias_sql_injection_json_field(self):
+         crafted_alias = """injected_name" from "expressions_company"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             JSONFieldModel.objects.values(f"data__{crafted_alias}")
+diff --git a/tests/queries/tests.py b/tests/queries/tests.py
+index 38b0a5ddfa..ffaabf48a0 100644
+--- a/tests/queries/tests.py
++++ b/tests/queries/tests.py
+@@ -1961,8 +1961,8 @@ class Queries5Tests(TestCase):
+     def test_extra_select_alias_sql_injection(self):
+         crafted_alias = """injected_name" from "queries_note"; --"""
+         msg = (
+-            "Column aliases cannot contain whitespace characters, quotation marks, "
+-            "semicolons, or SQL comments."
++            "Column aliases cannot contain whitespace characters, hashes, quotation "
++            "marks, semicolons, or SQL comments."
+         )
+         with self.assertRaisesMessage(ValueError, msg):
+             Note.objects.extra(select={crafted_alias: "1"})
+-- 
+2.39.5 (Apple Git-154)
+
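Review bot: The updated test comment `# [] and # are used by MSSQL.` in `test_alias_forbidden_chars` does not give the reason stated in the patch subject, which names MySQL/MariaDB, where `#` starts a to-end-of-line comment. Something like `# [] are used by MSSQL; # starts a comment on MySQL/MariaDB.` would keep the test self-explanatory. Only the `annotate()` forbidden-chars list gains a `#` case (`"ali#as"`); the `aggregate()`, `alias()`, `values()` and `extra()` tests touched here keep the `--` payload and only change the expected message, so a `#` alias on those entry points is covered only indirectly through `check_alias`. `FORBIDDEN_ALIAS_PATTERN` remains a denylist, so a comment beside it noting that each dialect's comment tokens must be listed there would help the next follow-up.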
diff -pruN 3:5.2.4-1/debian/patches/CVE-2025-59682.patch 3:5.2.4-1ubuntu2/debian/patches/CVE-2025-59682.patch
--- 3:5.2.4-1/debian/patches/CVE-2025-59682.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/patches/CVE-2025-59682.patch	2025-10-01 16:49:56.000000000 +0000
@@ -0,0 +1,76 @@
+Backport of:
+
+From 3a7091babcb19f213a25dd5bf8ad90fd63c3cba0 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 16 Sep 2025 17:13:36 +0200
+Subject: [PATCH 2/2] [5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial
+ directory-traversal via archive.extract().
+
+Thanks stackered for the report.
+
+Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
+---
+ django/utils/archive.py           |  6 +++++-
+ docs/releases/4.2.25.txt          |  8 ++++++++
+ docs/releases/5.1.13.txt          |  8 ++++++++
+ docs/releases/5.2.7.txt           |  8 ++++++++
+ tests/utils_tests/test_archive.py | 22 ++++++++++++++++++++++
+ 5 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/archive.py b/django/utils/archive.py
+index 56f34c0038..c05fbcdc97 100644
+--- a/django/utils/archive.py
++++ b/django/utils/archive.py
+@@ -145,7 +145,11 @@ class BaseArchive:
+     def target_filename(self, to_path, name):
+         target_path = os.path.abspath(to_path)
+         filename = os.path.abspath(os.path.join(target_path, name))
+-        if not filename.startswith(target_path):
++        try:
++            if os.path.commonpath([target_path, filename]) != target_path:
++                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
++        except ValueError:
++            # Different drives on Windows raises ValueError.
+             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+         return filename
+ 
+diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py
+index 89a45bc072..24e60039a5 100644
+--- a/tests/utils_tests/test_archive.py
++++ b/tests/utils_tests/test_archive.py
+@@ -3,6 +3,7 @@ import stat
+ import sys
+ import tempfile
+ import unittest
++import zipfile
+ 
+ from django.core.exceptions import SuspiciousOperation
+ from django.test import SimpleTestCase
+@@ -94,3 +95,24 @@ class TestArchiveInvalid(SimpleTestCase):
+             with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
+                 with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path):
+                     archive.extract(os.path.join(archives_dir, entry), tmpdir)
++
++    def test_extract_function_traversal_startswith(self):
++        with tempfile.TemporaryDirectory() as tmpdir:
++            base = os.path.abspath(tmpdir)
++            tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False)
++            tar_path = tarfile_handle.name
++
++            try:
++                tarfile_handle.close()
++                malicious_member = os.path.join(base + "abc", "evil.txt")
++
++                with zipfile.ZipFile(tar_path, "w") as zf:
++                    zf.writestr(malicious_member, "evil\n")
++                    zf.writestr("test.txt", "data\n")
++
++                with self.assertRaisesMessage(
++                    SuspiciousOperation, "Archive contains invalid path"
++                ):
++                    archive.extract(tar_path, base)
++            finally:
++                os.remove(tar_path)
+-- 
+2.39.5 (Apple Git-154)
+
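Review bot: `target_filename` still compares paths lexically: `os.path.abspath` collapses `..` but does not resolve symlinks, so the new `os.path.commonpath` check says nothing about a symlink that already exists below `to_path`. Whether that matters depends on where callers extract to, which is not visible here; if the destination is not fully controlled, applying `os.path.realpath` to both `target_path` and `filename` before the comparison would be the stricter form. A one-line comment above the check explaining why `startswith` was not enough (a sibling directory sharing the prefix, as the test's `base + "abc"` shows) would keep it from being simplified back later. In the new test, `tarfile_handle` and `tar_path` hold a zip archive, so `zip_path` would read better.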
diff -pruN 3:5.2.4-1/debian/patches/fixing_test_parsing_errors.patch 3:5.2.4-1ubuntu2/debian/patches/fixing_test_parsing_errors.patch
--- 3:5.2.4-1/debian/patches/fixing_test_parsing_errors.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/patches/fixing_test_parsing_errors.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,27 @@
+From e4515dad7a6d953c0bd2414127ba36e1446ff41a Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 21 Jul 2025 15:23:32 -0300
+Subject: [PATCH] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors
+ following Python's HTMLParser fixed parsing.
+
+Further details about Python changes can be found in:
+https://github.com/python/cpython/commit/0243f97cbadec8d985e63b1daec5d1cbc850cae3.
+
+Thank you Clifford Gama for the thorough review!
+---
+ tests/test_utils/tests.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: python-django-5.2.4/tests/test_utils/tests.py
+===================================================================
+--- python-django-5.2.4.orig/tests/test_utils/tests.py
++++ python-django-5.2.4/tests/test_utils/tests.py
+@@ -948,7 +948,7 @@ class HTMLEqualTests(SimpleTestCase):
+             "('Unexpected end tag `div` (Line 1, Column 6)', (1, 6))"
+         )
+         with self.assertRaisesMessage(AssertionError, error_msg):
+-            self.assertHTMLEqual("< div></ div>", "<div></div>")
++            self.assertHTMLEqual("< div></div>", "<div></div>")
+         with self.assertRaises(HTMLParseError):
+             parse_html("</p>")
+ 
diff -pruN 3:5.2.4-1/debian/patches/fixing_test_strip_tags.patch 3:5.2.4-1ubuntu2/debian/patches/fixing_test_strip_tags.patch
--- 3:5.2.4-1/debian/patches/fixing_test_strip_tags.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/patches/fixing_test_strip_tags.patch	2025-09-15 12:13:25.000000000 +0000
@@ -0,0 +1,64 @@
+From 2980627502c84a9fd09272e1349dc574a2ff1fb1 Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 14 Jul 2025 14:45:03 -0300
+Subject: [PATCH] Fixed #36499 -- Adjusted
+ utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's
+ HTMLParser new behavior.
+
+Python fixed a quadratic complexity processing for HTMLParser in:
+https://github.com/python/cpython/commit/6eb6c5db.
+---
+ tests/utils_tests/test_html.py | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+Index: python-django-5.2.4/tests/utils_tests/test_html.py
+===================================================================
+--- python-django-5.2.4.orig/tests/utils_tests/test_html.py
++++ python-django-5.2.4/tests/utils_tests/test_html.py
+@@ -1,4 +1,5 @@
+ import os
++import sys
+ from datetime import datetime
+ 
+ from django.core.exceptions import SuspiciousOperation
+@@ -117,6 +118,21 @@ class TestUtilsHtml(SimpleTestCase):
+                 self.check_output(linebreaks, lazystr(value), output)
+ 
+     def test_strip_tags(self):
++        # Python fixed a quadratic-time issue in HTMLParser in 3.13.6, 3.12.12,
++        # 3.11.14, 3.10.19, and 3.9.24. The fix slightly changes HTMLParser's
++        # output, so tests for particularly malformed input must handle both
++        # old and new results. The check below is temporary until all supported
++        # Python versions and CI workers include the fix. See:
++        # https://github.com/python/cpython/commit/6eb6c5db
++        min_fixed = {
++            (3, 14): (3, 14),
++            (3, 13): (3, 13, 6),
++            (3, 12): (3, 12, 12),
++            (3, 11): (3, 11, 14),
++            (3, 10): (3, 10, 19),
++            (3, 9): (3, 9, 24),
++        }
++        htmlparser_fixed = sys.version_info >= min_fixed[sys.version_info[:2]]
+         items = (
+             (
+                 "<p>See: &#39;&eacute; is an apostrophe followed by e acute</p>",
+@@ -144,10 +160,16 @@ class TestUtilsHtml(SimpleTestCase):
+             ("&gotcha&#;<>", "&gotcha&#;<>"),
+             ("<sc<!-- -->ript>test<<!-- -->/script>", "ript>test"),
+             ("<script>alert()</script>&h", "alert()h"),
+-            ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
++            (
++                "><!" + ("&" * 16000) + "D",
++                ">" if htmlparser_fixed else "><!" + ("&" * 16000) + "D",
++            ),
+             ("X<<<<br>br>br>br>X", "XX"),
+             ("<" * 50 + "a>" * 50, ""),
+-            (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
++            (
++                ">" + "<a" * 500 + "a",
++                ">" if htmlparser_fixed else ">" + "<a" * 500 + "a",
++            ),
+             ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+             ("<" + "a" * 1_002, "<" + "a" * 1_002),
+         )
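Review bot: `min_fixed[sys.version_info[:2]]` in `test_strip_tags` raises `KeyError` on any interpreter whose major.minor is not a key of the table, for example a release newer than 3.14. A lookup with a default avoids that: `htmlparser_fixed = sys.version_info >= min_fixed.get(sys.version_info[:2], (3, 14))`, which treats later releases as fixed and older unlisted ones as unfixed. Separately, the changelog entry names this patch `fixing_test_stip_tags.patch` and the path `tests/utils_test/test_html.py`, while the file added here is `fixing_test_strip_tags.patch` patching `tests/utils_tests/test_html.py`. `test_strip_tags` continues outside the hunk.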
diff -pruN 3:5.2.4-1/debian/patches/series 3:5.2.4-1ubuntu2/debian/patches/series
--- 3:5.2.4-1/debian/patches/series	2025-07-07 17:29:43.000000000 +0000
+++ 3:5.2.4-1ubuntu2/debian/patches/series	2025-10-01 16:49:56.000000000 +0000
@@ -2,3 +2,8 @@
 0002-use_debian_geoip_database_as_default.diff
 0004-Use-locally-installed-documentation-sources.patch
 0004-Set-the-default-shebang-to-new-projects-to-use-Pytho.patch
+CVE-2025-57833.patch
+fixing_test_strip_tags.patch
+fixing_test_parsing_errors.patch
+CVE-2025-59681.patch
+CVE-2025-59682.patch
