diff options
-rw-r--r-- | meta/recipes-devtools/python/python3/cve-2023-24329.patch | 50 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.10.9.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 0000000000..d47425d239 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Miss Islington (bot)" | ||
3 | <31488909+miss-islington@users.noreply.github.com> | ||
4 | Date: Sun, 13 Nov 2022 11:00:25 -0800 | ||
5 | Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme | ||
6 | must begin with an alphabetical ASCII character. (GH-99421) | ||
7 | |||
8 | Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. | ||
9 | |||
10 | RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` | ||
11 | RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` | ||
12 | |||
13 | The WHATWG URL spec defines a scheme like this: | ||
14 | `"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` | ||
15 | (cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) | ||
16 | |||
17 | Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> | ||
18 | --- end original header --- | ||
19 | |||
20 | CVE: CVE-2023-24329 | ||
21 | |||
22 | Upstream-Status: Backport [see below] | ||
23 | |||
24 | Taken from https://github.com/python/cpython.git | ||
25 | commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 | ||
26 | |||
27 | CVE fix extracted; test case and update to NEWS abandoned. | ||
28 | Defuzzed. | ||
29 | |||
30 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
31 | --- | ||
32 | Lib/urllib/parse.py | 2 +- | ||
33 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
34 | |||
35 | diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py | ||
36 | index 26ddf30..1c53acb 100644 | ||
37 | --- a/Lib/urllib/parse.py | ||
38 | +++ b/Lib/urllib/parse.py | ||
39 | @@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): | ||
40 | clear_cache() | ||
41 | netloc = query = fragment = '' | ||
42 | i = url.find(':') | ||
43 | - if i > 0: | ||
44 | + if i > 0 and url[0].isascii() and url[0].isalpha(): | ||
45 | for c in url[:i]: | ||
46 | if c not in scheme_chars: | ||
47 | break | ||
48 | -- | ||
49 | 2.25.1 | ||
50 | |||
diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb b/meta/recipes-devtools/python/python3_3.10.9.bb index d6b7a618c1..867958c0fb 100644 --- a/meta/recipes-devtools/python/python3_3.10.9.bb +++ b/meta/recipes-devtools/python/python3_3.10.9.bb | |||
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | |||
35 | file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ | 35 | file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ |
36 | file://deterministic_imports.patch \ | 36 | file://deterministic_imports.patch \ |
37 | file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ | 37 | file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ |
38 | file://cve-2023-24329.patch \ | ||
38 | " | 39 | " |
39 | 40 | ||
40 | SRC_URI:append:class-native = " \ | 41 | SRC_URI:append:class-native = " \ |