This is for the dunfell-next branch. Kind regards, Vivek
On Tue, Jul 11, 2023 at 4:14 PM Ross Burton <[email protected]> wrote: > What branch is this for? It doesn’t apply to master, I’m guessing > kirkstone? Is the same fix needed for other branches? > > Ross > > > On 11 Jul 2023, at 04:53, vkumbhar via lists.openembedded.org <vkumbhar= > [email protected]> wrote: > > > > Signed-off-by: Vivek Kumbhar <[email protected]> > > --- > > .../python/python3/CVE-2023-24329.patch | 81 +++++++++++++++++++ > > .../recipes-devtools/python/python3_3.8.14.bb | 1 + > > 2 files changed, 82 insertions(+) > > create mode 100644 > meta/recipes-devtools/python/python3/CVE-2023-24329.patch > > > > diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > > new file mode 100644 > > index 0000000000..a0902e7be2 > > --- /dev/null > > +++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch 
> > @@ -0,0 +1,81 @@ > > +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 > > +From: "Miss Islington (bot)" > > + <[email protected]> > > +Date: Sun, 13 Nov 2022 11:00:25 -0800 > > +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a > scheme > > + must begin with an alphabetical ASCII character. (GH-99421) > > + > > +Prevent urllib.parse.urlparse from accepting schemes that don't begin > with an alphabetical ASCII character. > > + > > +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / > "+" / "-" / "." )` > > +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` > > + > > +The WHATWG URL spec defines a scheme like this: > > +`"A URL-scheme string must be one ASCII alpha, followed by zero or more > of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` > > +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) > > + > > +Co-authored-by: Ben Kallus <[email protected] > > > > + > > +Upstream-Status: Backport [ > https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 > ] > > +CVE: CVE-2023-24329 > > +Signed-off-by: Vivek Kumbhar <[email protected]> > > +--- > > + Lib/test/test_urlparse.py | 18 ++++++++++++++++++ > > + Lib/urllib/parse.py | 2 +- > > + ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ > > + 3 files changed, 21 insertions(+), 1 deletion(-) > > + create mode 100644 > Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > > + > > +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py > > +index 0f99130..03b5da1 100644 > > +--- a/Lib/test/test_urlparse.py > > ++++ b/Lib/test/test_urlparse.py > > +@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase): > > + with self.assertRaises(ValueError): > > + p.port > > + > > ++ def test_attributes_bad_scheme(self): > > ++ """Check handling of invalid schemes.""" > > ++ for bytes in (False, True): > > ++ for parse in (urllib.parse.urlsplit, > 
urllib.parse.urlparse): > > ++ for scheme in (".", "+", "-", "0", "http&", "६http"): > > ++ with self.subTest(bytes=bytes, parse=parse, > scheme=scheme): > > ++ url = scheme + "://www.example.net" > > ++ if bytes: > > ++ if url.isascii(): > > ++ url = url.encode("ascii") > > ++ else: > > ++ continue > > ++ p = parse(url) > > ++ if bytes: > > ++ self.assertEqual(p.scheme, b"") > > ++ else: > > ++ self.assertEqual(p.scheme, "") > > ++ > > + def test_attributes_without_netloc(self): > > + # This example is straight from RFC 3261. It looks like it > > + # should allow the username, hostname, and port to be filled > > +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py > > +index f0d9d4d..0e388cb 100644 > > +--- a/Lib/urllib/parse.py > > ++++ b/Lib/urllib/parse.py > > +@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True): > > + clear_cache() > > + netloc = query = fragment = '' > > + i = url.find(':') > > +- if i > 0: > > ++ if i > 0 and url[0].isascii() and url[0].isalpha(): > > + if url[:i] == 'http': # optimize the common case > > + url = url[i+1:] > > + if url[:2] == '//': > > +diff --git > a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > > +new file mode 100644 > > +index 0000000..0a06e7c > > +--- /dev/null > > ++++ > b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > > +@@ -0,0 +1,2 @@ > > ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that > begin > > ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. > > +-- > > +2.25.1 > > + > > diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb > b/meta/recipes-devtools/python/python3_3.8.14.bb > > index 960e41aced..88ed8f4077 100644 > > --- a/meta/recipes-devtools/python/python3_3.8.14.bb > > +++ b/meta/recipes-devtools/python/python3_3.8.14.bb 
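Review bot: The new guard in `urlsplit`, `if i > 0 and url[0].isascii() and url[0].isalpha():`, only rejects schemes whose first character is not an ASCII letter; it does nothing for a URL that starts with whitespace or C0 control characters, and as far as I recall that leading-blank blocklist bypass is what the CVE-2023-24329 record actually describes, which upstream fixed separately in gh-102153 by stripping those characters at the start of `urlsplit`. The Upstream-Status line here references the gh-99418 commit alone, so please confirm against the CVE record and the kirkstone fix whether this hunk is sufficient or whether the gh-102153 backport must land too before the patch carries the `CVE: CVE-2023-24329` tag, otherwise cve-check will report the issue as fixed while the whitespace case may still be open. If only part of the fix is intended here, say so in the patch header, e.g. `Note: covers the scheme-prefix check (gh-99418) only; the leading-whitespace stripping (gh-102153) is backported separately.` The body of `urlsplit` continues outside the hunk, so the earlier str/bytes coercion the `isascii()` call presumably relies on is not visible here.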
> > @@ -36,6 +36,7 @@ SRC_URI = " > http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > > file://makerace.patch \ > > file://CVE-2022-45061.patch \ > > file://CVE-2022-37454.patch \ > > + file://CVE-2023-24329.patch \ > > " > > > > SRC_URI_append_class-native = " \ > > -- > > 2.25.1 > > > > > > > > > > > > >
