[Buildroot] [git commit branch/2025.08.x] package/python-webpy: bump version to 0.70 and add upstream commit to fix CVE-2025-3818

Arnout Vandecappelle arnout at rnout.be
Thu Oct 30 08:17:41 UTC 2025


commit: https://git.buildroot.net/buildroot/commit/?id=62037e4e9e702c6bbc255f6225e67fe6b8722376
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.08.x

Release notes: https://github.com/webpy/webpy/releases/tag/webpy-0.70

Switched _SITE to github because version 0.70 was not released to
pypi.org: https://pypi.org/project/web.py/#history

Added upstream commit to fix CVE-2025-3818.

This bump includes
https://github.com/webpy/webpy/commit/f7540bef650bce7227af796728136d41e44cdd0e
which removes the deprecated cgi module which was removed in Python 3.13
and causes build errors since buildroot bumped python3 to 3.13.2 with
commit d63e207eb869063f82c867658676c2903beb08cb.

Fixes:
https://autobuild.buildroot.net/results/5a7/5a7382250d33ddfd49de2c7996fb54aaf20dd62c/

Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
Signed-off-by: Arnout Vandecappelle <arnout at rnout.be>
(cherry picked from commit d05e2f785de6e0e51590160e002d1fd6e143d403)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 .../python-webpy/0001-Address-CVE-2025-3818.patch  | 42 ++++++++++++++++++++++
 package/python-webpy/python-webpy.hash             |  5 ++-
 package/python-webpy/python-webpy.mk               |  5 ++-
 3 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/package/python-webpy/0001-Address-CVE-2025-3818.patch b/package/python-webpy/0001-Address-CVE-2025-3818.patch
new file mode 100644
index 0000000000..d8373cbac6
--- /dev/null
+++ b/package/python-webpy/0001-Address-CVE-2025-3818.patch
@@ -0,0 +1,42 @@
+From 3ba1b40e5a828a26a1df1b49cdc87395f3274c81 Mon Sep 17 00:00:00 2001
+From: Mek <michael.karpeles at gmail.com>
+Date: Wed, 7 May 2025 15:14:44 -0400
+Subject: [PATCH] Address CVE-2025-3818 (#807)
+
+* Address CVE-2025-3818
+
+Co-authored-by: Scott Barnes <scottreidbarnes at gmail.com>
+
+Upstream: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81
+
+Fixes CVE-2025-3818: https://github.com/advisories/GHSA-9g47-36rw-gjh2
+
+Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
+---
+ web/db.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/web/db.py b/web/db.py
+index 5284f8d0..ba3e12c5 100644
+--- a/web/db.py
++++ b/web/db.py
+@@ -1198,10 +1198,18 @@ def _process_insert_query(self, query, tablename, seqname):
+                 seqname = None
+ 
+         if seqname:
+-            query += "; SELECT currval('%s')" % seqname
++            query += self.get_sequence_query(seqname)
+ 
+         return query
+ 
++    def get_sequence_query(self, seqname):
++        import re
++        # Ensure the sequence name is valid
++        if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
++            raise ValueError(f"Invalid sequence name: {seqname}")
++        return SQLQuery("; SELECT currval(%s)", seqname)
++
++
+     def _get_all_sequences(self):
+         """Query postgres to find names of all sequences used in this database."""
+         if self._sequences is None:
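Review bot: the `$` anchor in `re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname)` in the new `get_sequence_query` still accepts a value that ends in a single newline, because `$` matches before a trailing `\n`; `re.fullmatch` (or a `\Z` anchor) would make the check strict. The pattern also rejects schema-qualified names such as `myschema.seq_name`, which the old `"; SELECT currval('%s')" % seqname` formatting accepted, so the patch header should mention that behaviour change for callers that pass their own `seqname`. Minor: the `import re` inside the method belongs at module level, and the double blank line after the new method should be a single one to match the surrounding code.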
diff --git a/package/python-webpy/python-webpy.hash b/package/python-webpy/python-webpy.hash
index 540771a244..0fb39170c7 100644
--- a/package/python-webpy/python-webpy.hash
+++ b/package/python-webpy/python-webpy.hash
@@ -1,3 +1,2 @@
-# md5, sha256 from https://pypi.org/pypi/web.py/json
-md5  cd2c0296ceffa1acb96ae5315214eb42  web.py-0.62.tar.gz
-sha256  5ce684caa240654cae5950da8b4b7bc178812031e08f990518d072bd44ab525e  web.py-0.62.tar.gz
+# Locally computed
+sha256  eee36e423b5e85463145159d94735e3c3a4c1c8078555042d8139348350b0022  python-webpy-0.70.tar.gz
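Review bot: `# Locally computed` is the right comment now that the tarball comes from the GitHub tag rather than pypi.org (the removed `# md5, sha256 from https://pypi.org/pypi/web.py/json` line no longer applies), but it means this sha256 is the only integrity anchor for the package, so it should have been computed from a freshly downloaded `webpy-0.70` archive and not from a cached one. The filename `python-webpy-0.70.tar.gz` must match the default archive name produced now that `PYTHON_WEBPY_SOURCE` is dropped from the .mk file; it does here.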
diff --git a/package/python-webpy/python-webpy.mk b/package/python-webpy/python-webpy.mk
index 06d4ae039b..62b2331c08 100644
--- a/package/python-webpy/python-webpy.mk
+++ b/package/python-webpy/python-webpy.mk
@@ -4,9 +4,8 @@
 #
 ################################################################################
 
-PYTHON_WEBPY_VERSION = 0.62
-PYTHON_WEBPY_SOURCE = web.py-$(PYTHON_WEBPY_VERSION).tar.gz
-PYTHON_WEBPY_SITE = https://files.pythonhosted.org/packages/cd/6e/338a060bb5b52ee8229bdada422eaa5f71b13f8d33467f37f870ed2cae4b
+PYTHON_WEBPY_VERSION = 0.70
+PYTHON_WEBPY_SITE = $(call github,webpy,webpy,webpy-$(PYTHON_WEBPY_VERSION))
 PYTHON_WEBPY_SETUP_TYPE = setuptools
 PYTHON_WEBPY_LICENSE = Public Domain
 
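Review bot: dropping `PYTHON_WEBPY_SOURCE` makes the archive name fall back to the `python-webpy-$(PYTHON_WEBPY_VERSION).tar.gz` default, which agrees with the entry in the .hash file, so the two files are consistent. The upstream tag is `webpy-0.70`, not `0.70`, which is why the call is `$(call github,webpy,webpy,webpy-$(PYTHON_WEBPY_VERSION))`; a one-line comment above `PYTHON_WEBPY_SITE` stating that the tag carries a `webpy-` prefix would save the next bumper a trip to the release page.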
