What branch is this for? It doesn’t apply to master — kirkstone, I’m guessing? Is the same fix needed for the other branches?
Ross > On 11 Jul 2023, at 04:53, vkumbhar via lists.openembedded.org > <[email protected]> wrote: > > Signed-off-by: Vivek Kumbhar <[email protected]> > --- > .../python/python3/CVE-2023-24329.patch | 81 +++++++++++++++++++ > .../recipes-devtools/python/python3_3.8.14.bb | 1 + > 2 files changed, 82 insertions(+) > create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch > > diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > new file mode 100644 > index 0000000000..a0902e7be2 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch 
> @@ -0,0 +1,81 @@ > +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 > +From: "Miss Islington (bot)" > + <[email protected]> > +Date: Sun, 13 Nov 2022 11:00:25 -0800 > +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme > + must begin with an alphabetical ASCII character. (GH-99421) > + > +Prevent urllib.parse.urlparse from accepting schemes that don't begin with > an alphabetical ASCII character. > + > +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" > / "-" / "." )` > +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` > + > +The WHATWG URL spec defines a scheme like this: > +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of > ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` > +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) > + > +Co-authored-by: Ben Kallus <[email protected]> > + > +Upstream-Status: Backport > [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9] > +CVE: CVE-2023-24329 > +Signed-off-by: Vivek Kumbhar <[email protected]> > +--- > + Lib/test/test_urlparse.py | 18 ++++++++++++++++++ > + Lib/urllib/parse.py | 2 +- > + ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ > + 3 files changed, 21 insertions(+), 1 deletion(-) > + create mode 100644 > Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > + > +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py > +index 0f99130..03b5da1 100644 > +--- a/Lib/test/test_urlparse.py > ++++ b/Lib/test/test_urlparse.py > +@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase): > + with self.assertRaises(ValueError): > + p.port > + > ++ def test_attributes_bad_scheme(self): > ++ """Check handling of invalid schemes.""" > ++ for bytes in (False, True): > ++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): > ++ for scheme in (".", "+", "-", "0", "http&", "६http"): > ++ with 
self.subTest(bytes=bytes, parse=parse, > scheme=scheme): > ++ url = scheme + "://www.example.net" > ++ if bytes: > ++ if url.isascii(): > ++ url = url.encode("ascii") > ++ else: > ++ continue > ++ p = parse(url) > ++ if bytes: > ++ self.assertEqual(p.scheme, b"") > ++ else: > ++ self.assertEqual(p.scheme, "") > ++ > + def test_attributes_without_netloc(self): > + # This example is straight from RFC 3261. It looks like it > + # should allow the username, hostname, and port to be filled > +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py > +index f0d9d4d..0e388cb 100644 > +--- a/Lib/urllib/parse.py > ++++ b/Lib/urllib/parse.py > +@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True): > + clear_cache() > + netloc = query = fragment = '' > + i = url.find(':') > +- if i > 0: > ++ if i > 0 and url[0].isascii() and url[0].isalpha(): > + if url[:i] == 'http': # optimize the common case > + url = url[i+1:] > + if url[:2] == '//': > +diff --git > a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > +new file mode 100644 > +index 0000000..0a06e7c > +--- /dev/null > ++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > +@@ -0,0 +1,2 @@ > ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin > ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb > b/meta/recipes-devtools/python/python3_3.8.14.bb > index 960e41aced..88ed8f4077 100644 > --- a/meta/recipes-devtools/python/python3_3.8.14.bb > +++ b/meta/recipes-devtools/python/python3_3.8.14.bb 
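Review bot: The urlsplit change carried inside the new CVE-2023-24329.patch (`+- if i > 0:` → `++ if i > 0 and url[0].isascii() and url[0].isalpha():`) only refuses a scheme whose first character is not an ASCII letter; it does not change how a URL with leading whitespace is split, which is the bypass CVE-2023-24329 was reported for. With or without this hunk, `urlsplit(" https://host")` yields an empty scheme and the whole string as path, because the existing scheme_chars loop already rejected the space, so a caller that filters on `.scheme` or `.netloc` sees the same result before and after the backport. Upstream closed that report with a separate urlsplit change that strips leading whitespace and control characters from the input; if this patch is meant to close the CVE for the 3.8.14 recipe, that change (or an equivalent) still needs to be carried alongside this one, and the `CVE: CVE-2023-24329` tag in the patch header otherwise overstates what it fixes. The added test_attributes_bad_scheme only exercises the first-character rule, so it passes either way. The remainder of urlsplit lies outside the hunk.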
> @@ -36,6 +36,7 @@ SRC_URI = > "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > file://makerace.patch \ > file://CVE-2022-45061.patch \ > file://CVE-2022-37454.patch \ > + file://CVE-2023-24329.patch \ > " > > SRC_URI_append_class-native = " \ > -- > 2.25.1 > > > >
