Backport fix from cpython 3.11 branch. Signed-off-by: Joe Slater <[email protected]> --- .../python/python3/cve-2023-24329.patch | 50 +++++++++++++++++++ .../recipes-devtools/python/python3_3.10.9.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/cve-2023-24329.patch
diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 0000000000..d47425d239 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch @@ -0,0 +1,50 @@ +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <[email protected]> +Date: Sun, 13 Nov 2022 11:00:25 -0800 +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme + must begin with an alphabetical ASCII character. (GH-99421) + +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. + +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` + +The WHATWG URL spec defines a scheme like this: +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) + +Co-authored-by: Ben Kallus <[email protected]> +--- end original header --- + +CVE: CVE-2023-24329 + +Upstream-Status: Backport [see below] + +Taken from https://github.com/python/cpython.git +commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 + +CVE fix extracted; test case and update to NEWS abandoned. +Defuzzed. + +Signed-off-by: Joe Slater <[email protected]> +--- + Lib/urllib/parse.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 26ddf30..1c53acb 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + for c in url[:i]: + if c not in scheme_chars: + break +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb b/meta/recipes-devtools/python/python3_3.10.9.bb index d6b7a618c1..867958c0fb 100644 --- a/meta/recipes-devtools/python/python3_3.10.9.bb +++ b/meta/recipes-devtools/python/python3_3.10.9.bb @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ + file://cve-2023-24329.patch \ " SRC_URI:append:class-native = " \ -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#178707): https://lists.openembedded.org/g/openembedded-core/message/178707 Mute This Topic: https://lists.openembedded.org/mt/97653518/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
