From c4fc0b23d38f220a833886a6ddd88ea9ce94a5c7 Mon Sep 17 00:00:00 2001
From: wh02252983
Date: Tue, 11 Nov 2025 14:29:04 +0800
Subject: [PATCH] [CVE] add patch to fix CVE-2025-59682
To # N/A
add patch to fix CVE-2025-59682
Project: TC2024080204
Signed-off-by: wh02252983
---
 0002-fix-CVE-2025-59682.patch | 67 +++++++++++++++++++++++++++++++++++
 python-django.spec | 7 +++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 0002-fix-CVE-2025-59682.patch
diff --git a/0002-fix-CVE-2025-59682.patch b/0002-fix-CVE-2025-59682.patch
new file mode 100644
index 0000000..80e03e1
--- /dev/null
+++ b/0002-fix-CVE-2025-59682.patch
@@ -0,0 +1,67 @@
+From 9504bbaa392c9fe37eee9291f5b4c29eb6037619 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Tue, 16 Sep 2025 17:13:36 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial
+ directory-traversal via archive.extract().
+
+Thanks stackered for the report.
+
+Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
+
+Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
+---
+ django/utils/archive.py | 6 +++++-
+ tests/utils_tests/test_archive.py | 19 +++++++++++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/archive.py b/django/utils/archive.py
+index 71ec2d00155d..e8af690e275c 100644
+--- a/django/utils/archive.py
++++ b/django/utils/archive.py
+@@ -144,7 +144,11 @@ def has_leading_dir(self, paths):
+ def target_filename(self, to_path, name):
+ target_path = os.path.abspath(to_path)
+ filename = os.path.abspath(os.path.join(target_path, name))
+- if not filename.startswith(target_path):
++ try:
++ if os.path.commonpath([target_path, filename]) != target_path:
++ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
++ except ValueError:
++ # Different drives on Windows raises ValueError.
+ raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+ return filename
+
+diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py
+index 8cd107063f9c..8063dafb65e3 100644
+--- a/tests/utils_tests/test_archive.py
++++ b/tests/utils_tests/test_archive.py
+@@ -3,6 +3,7 @@
+ import sys
+ import tempfile
+ import unittest
++import zipfile
+
+ from django.core.exceptions import SuspiciousOperation
+ from django.test import SimpleTestCase
+@@ -96,3 +97,21 @@ def test_extract_function_traversal(self):
+ with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir:
+ with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path):
+ archive.extract(os.path.join(archives_dir, entry), tmpdir)
++
++ def test_extract_function_traversal_startswith(self):
++ with tempfile.TemporaryDirectory() as tmpdir:
++ base = os.path.abspath(tmpdir)
++ tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False)
++ tar_path = tarfile_handle.name
++ tarfile_handle.close()
++ self.addCleanup(os.remove, tar_path)
++
++ malicious_member = os.path.join(base + "abc", "evil.txt")
++ with zipfile.ZipFile(tar_path, "w") as zf:
++ zf.writestr(malicious_member, "evil\n")
++ zf.writestr("test.txt", "data\n")
++
++ with self.assertRaisesMessage(
++ SuspiciousOperation, "Archive contains invalid path"
++ ):
++ archive.extract(tar_path, base)
diff --git a/python-django.spec b/python-django.spec
index 875f163..2a3d8d6 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global pkgname Django
 Name: python-django
@@ -15,6 +15,8 @@ BuildArch: noarch
 # https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b
 Patch0001: 0001-fix-CVE-2024-53907.patch
+# https://github.com/django/django/commit/9504bbaa392c9fe37eee9291f5b4c29eb6037619
+Patch0002: 0002-fix-CVE-2025-59682.patch
 %global _description %{expand:
 Django is a high-level Python Web framework that encourages rapid
@@ -175,6 +177,9 @@ cd tests
 %changelog
+* Tue Nov 11 2025 wh02252983 - 4.2.16-3
+- add patch to fix CVE-2025-59682
+
 * Tue Jun 10 2025 wenxin - 4.2.16-2
 - Fix CVE-2024-53907
-- Gitee
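Review bot: The hunk adds the `Patch0002: 0002-fix-CVE-2025-59682.patch` declaration but no change to the %prep section is visible, so whether the fix is actually applied at build time depends on %prep using an automatic form such as `%autosetup`/`%autopatch`; if patches are applied with explicit `%patch` invocations instead, a matching invocation for Patch0002 (in the same form used for Patch0001) is needed, otherwise the CVE fix is declared in the spec but never built into the package. This is worth confirming because the failure mode is silent: the release bump and changelog entry in the other hunks would claim the fix is present while the shipped `django/utils/archive.py` still uses the `startswith` prefix check. The %check section context (`cd tests`) suggests the test suite runs during the build, so a build log showing `test_extract_function_traversal_startswith` executed would be a cheap confirmation that the patch landed. The %prep section lies outside the visible hunks.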