Re: [OE-core] [scarthgap][PATCH] python3: fix for CVE-2026-1502

Yoann Congal via lists.openembedded.org Thu, 07 May 2026 14:23:43 -0700

On Wed Apr 29, 2026 at 11:12 AM CEST, Hitendra Prajapati via 
lists.openembedded.org wrote:
> Pick patch from [1] also mentioned at NVD report in [2]
>
> [1] 
> https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
> [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
> [3] https://security-tracker.debian.org/tracker/CVE-2026-1502
>
> Signed-off-by: Hitendra Prajapati <[email protected]>
> ---


Hello,

As fas as I can tell, this patch is also needed on master and wrynose.
I can't merge here until this is fixed on those branches.

Can you send a patch to fix this on these branches and then, ping back here?

Thanks!

>  .../python/python3/CVE-2026-1502.patch        | 113 ++++++++++++++++++
>  .../python/python3_3.12.13.bb                 |   1 +
>  2 files changed, 114 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-1502.patch
>
> diff --git a/meta/recipes-devtools/python/python3/CVE-2026-1502.patch 
> b/meta/recipes-devtools/python/python3/CVE-2026-1502.patch
> new file mode 100644
> index 0000000000..be6a8379a8
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2026-1502.patch
> @@ -0,0 +1,113 @@
> +From 05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 Mon Sep 17 00:00:00 2001
> +From: Seth Larson <[email protected]>
> +Date: Fri, 10 Apr 2026 10:21:42 -0500
> +Subject: [PATCH] gh-146211: Reject CR/LF in HTTP tunnel request headers
> + (#146212)
> +
> +Co-authored-by: Illia Volochii <[email protected]>
> +
> +CVE: CVE-2026-1502
> +Upstream-Status: Backport 
> [https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69]
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + Lib/http/client.py                            | 11 ++++-
> + Lib/test/test_httplib.py                      | 45 +++++++++++++++++++
> + ...-03-20-09-29-42.gh-issue-146211.PQVbs7.rst |  2 +
> + 3 files changed, 57 insertions(+), 1 deletion(-)
> + create mode 100644 
> Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
> +
> +diff --git a/Lib/http/client.py b/Lib/http/client.py
> +index 70451d6..7db4807 100644
> +--- a/Lib/http/client.py
> ++++ b/Lib/http/client.py
> +@@ -972,13 +972,22 @@ class HTTPConnection:
> +         return ip
> + 
> +     def _tunnel(self):
> ++        if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
> ++            raise ValueError('Tunnel host can\'t contain control characters 
> %r'
> ++                             % (self._tunnel_host,))
> +         connect = b"CONNECT %s:%d %s\r\n" % (
> +             self._wrap_ipv6(self._tunnel_host.encode("idna")),
> +             self._tunnel_port,
> +             self._http_vsn_str.encode("ascii"))
> +         headers = [connect]
> +         for header, value in self._tunnel_headers.items():
> +-            headers.append(f"{header}: {value}\r\n".encode("latin-1"))
> ++            header_bytes = header.encode("latin-1")
> ++            value_bytes = value.encode("latin-1")
> ++            if not _is_legal_header_name(header_bytes):
> ++                raise ValueError('Invalid header name %r' % (header_bytes,))
> ++            if _is_illegal_header_value(value_bytes):
> ++                raise ValueError('Invalid header value %r' % (value_bytes,))
> ++            headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
> +         headers.append(b"\r\n")
> +         # Making a single send() call instead of one per line encourages
> +         # the host OS to use a more optimal packet size instead of
> +diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
> +index e46dac0..e027d93 100644
> +--- a/Lib/test/test_httplib.py
> ++++ b/Lib/test/test_httplib.py
> +@@ -369,6 +369,51 @@ class HeaderTests(TestCase):
> +                 with self.assertRaisesRegex(ValueError, 'Invalid header'):
> +                     conn.putheader(name, value)
> + 
> ++    def test_invalid_tunnel_headers(self):
> ++        cases = (
> ++            ('Invalid\r\nName', 'ValidValue'),
> ++            ('Invalid\rName', 'ValidValue'),
> ++            ('Invalid\nName', 'ValidValue'),
> ++            ('\r\nInvalidName', 'ValidValue'),
> ++            ('\rInvalidName', 'ValidValue'),
> ++            ('\nInvalidName', 'ValidValue'),
> ++            (' InvalidName', 'ValidValue'),
> ++            ('\tInvalidName', 'ValidValue'),
> ++            ('Invalid:Name', 'ValidValue'),
> ++            (':InvalidName', 'ValidValue'),
> ++            ('ValidName', 'Invalid\r\nValue'),
> ++            ('ValidName', 'Invalid\rValue'),
> ++            ('ValidName', 'Invalid\nValue'),
> ++            ('ValidName', 'InvalidValue\r\n'),
> ++            ('ValidName', 'InvalidValue\r'),
> ++            ('ValidName', 'InvalidValue\n'),
> ++        )
> ++        for name, value in cases:
> ++            with self.subTest((name, value)):
> ++                conn = client.HTTPConnection('example.com')
> ++                conn.set_tunnel('tunnel', headers={
> ++                    name: value
> ++                })
> ++                conn.sock = FakeSocket('')
> ++                with self.assertRaisesRegex(ValueError, 'Invalid header'):
> ++                    conn._tunnel()  # Called in .connect()
> ++
> ++    def test_invalid_tunnel_host(self):
> ++        cases = (
> ++            'invalid\r.host',
> ++            '\ninvalid.host',
> ++            'invalid.host\r\n',
> ++            'invalid.host\x00',
> ++            'invalid host',
> ++        )
> ++        for tunnel_host in cases:
> ++            with self.subTest(tunnel_host):
> ++                conn = client.HTTPConnection('example.com')
> ++                conn.set_tunnel(tunnel_host)
> ++                conn.sock = FakeSocket('')
> ++                with self.assertRaisesRegex(ValueError, 'Tunnel host can\'t 
> contain control characters'):
> ++                    conn._tunnel()  # Called in .connect()
> ++
> +     def test_headers_debuglevel(self):
> +         body = (
> +             b'HTTP/1.1 200 OK\r\n'
> +diff --git 
> a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst 
> b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
> +new file mode 100644
> +index 0000000..4993633
> +--- /dev/null
> ++++ 
> b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
> +@@ -0,0 +1,2 @@
> ++Reject CR/LF characters in tunnel request headers for the
> ++HTTPConnection.set_tunnel() method.
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb 
> b/meta/recipes-devtools/python/python3_3.12.13.bb
> index 5fa25235fe..da7e3c604e 100644
> --- a/meta/recipes-devtools/python/python3_3.12.13.bb
> +++ b/meta/recipes-devtools/python/python3_3.12.13.bb
> @@ -34,6 +34,7 @@ SRC_URI = 
> "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>          file://0001-test_deadlock-skip-problematic-test.patch \
>          file://0001-test_active_children-skip-problematic-test.patch \
>             file://0001-test_readline-skip-limited-history-test.patch \
> +           file://CVE-2026-1502.patch \
>             "
>  
>  SRC_URI:append:class-native = " \


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#236622): 
https://lists.openembedded.org/g/openembedded-core/message/236622
Mute This Topic: https://lists.openembedded.org/mt/119061541/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [scarthgap][PATCH] python3: fix for CVE-2026-1502

Reply via email to