This change is for python3-django_2.2.28.

This patch is an extension for CVE-2024-27351.patch. The class that patch
introduced wasn't completely suitable for this version of the recipe, because
it was accessing a function of it that was not implemented (the upstream
version that introduced this class did not use that function, it is specific
to this old version).

This patch adds the missing implementation to avoid errors.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 ...implement-group-method-for-FakeMatch.patch | 42 +++++++++++++++++++
 .../python/python3-django_2.2.28.bb           |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 
meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
 
b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
new file mode 100644
index 0000000000..450788b0fc
--- /dev/null
+++ 
b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
@@ -0,0 +1,42 @@
+From c78be5dd9f1772a22f3094d8c2cfe56bfb45b122 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Wed, 14 Jan 2026 00:24:12 +0100
+Subject: [PATCH] implement group method for FakeMatch
+
+FakeMatch class was introduced in a backported CVE patch for this
+recipe (CVE-2024-27351). These objects are later accessed in
+django/utils/text.py module, in Truncator._truncate_html() method.
+It is treated as a regex.search() object.
+
+This function, at the time when the upstream project introduced this
+CVE patch was using array-style access, with brackets, so it
+worked, because the FakeMatch class implements the __getitem__()
+method. However in version 2.x, it was using group() access to
+access the matches - which is not implemented for this class, making
+these accesses fail:
+
+AttributeError: 'FakeMatch' object has no attribute 'group'
+
+To avoid this issue, this patch implements this method for this class.
+
+Upstream-Status: Inappropriate [Backport-specific]
+
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ django/utils/text.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index e104b60..5033937 100644
+--- a/django/utils/text.py
++++ b/django/utils/text.py
+@@ -66,6 +66,9 @@ class FakeMatch:
+     def __init__(self, text, end):
+         self._text, self._end = text, end
+ 
++    def group(self, n):
++        return self[n]
++
+ 
+ # ----- End security-related performance workaround -----
+ 
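Review bot: In the django/utils/text.py hunk, `def group(self, n):` makes the group number mandatory, whereas `re.Match.group()` defaults to group 0 and also accepts several group arguments. Since the commit message says FakeMatch is treated as a regex search result, consider `def group(self, n=0):` so that a bare `.group()` call does not raise TypeError. The method delegates to `self[n]`, so it supports only the indices that `__getitem__` handles; a one-line comment naming the groups that Truncator._truncate_html() requests would make that limit explicit. The embedded patch touches only django/utils/text.py, so a regression test covering the truncation path that raised the AttributeError would be worth adding alongside it.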
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb 
b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 72485295a7..3b5491cd5e 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
             file://Fix-undefined-_lazy_re_compile.patch \
             file://Fix-missing-JSONField-in-django.db.mo.patch \
             file://0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch \
+            file://0001-implement-group-method-for-FakeMatch.patch \
            "
 
 SRC_URI[sha256sum] = 
"0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
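Review bot: The new SRC_URI entry is appended as the last patch, but the visible context does not show where CVE-2024-27351.patch sits in the list. Because this patch modifies the FakeMatch class that CVE-2024-27351.patch introduces, it only applies if it comes later in SRC_URI. Please confirm the ordering, and consider placing the entry directly after CVE-2024-27351.patch, or adding a comment, so the dependency stays obvious if the list is reordered later.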