diff options
| author | Jiaying Song <jiaying.song.cn@windriver.com> | 2025-06-12 13:54:52 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-06-20 08:06:29 -0700 |
| commit | d5fa84385a719a07338e350121b61aae701657ca (patch) | |
| tree | 7fe74a92ddc8207e343b659edfe724b067b15d1b | |
| parent | 241a617374f95dba23cc7837128df8faaf8ac9ba (diff) | |
| download | poky-d5fa84385a719a07338e350121b61aae701657ca.tar.gz | |
python3-requests: fix CVE-2024-47081
Requests is a HTTP library. Due to a URL parsing issue, Requests
releases prior to 2.32.4 may leak .netrc credentials to third parties
for specific maliciously-crafted URLs. Users should upgrade to version
2.32.4 to receive a fix. For older versions of Requests, use of the
.netrc file can be disabled with `trust_env=False` on one's Requests
Session.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-47081
Upstream patch:
https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
(From OE-Core rev: 37d746033710509ffabc244e0130d20fd81d9673)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch | 37 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python3-requests_2.27.1.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch new file mode 100644 index 0000000000..1d465cc594 --- /dev/null +++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From c664b4415baf1b237a8d74f5e880179e69ee764c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nate Prewitt <nate.prewitt@gmail.com> | ||
| 3 | Date: Wed, 25 Sep 2024 08:03:20 -0700 | ||
| 4 | Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc | ||
| 5 | |||
| 6 | CVE: CVE-2024-47081 | ||
| 7 | |||
| 8 | Upstream-Status: Backport | ||
| 9 | [https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef] | ||
| 10 | |||
| 11 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 12 | --- | ||
| 13 | requests/utils.py | 8 +------- | ||
| 14 | 1 file changed, 1 insertion(+), 7 deletions(-) | ||
| 15 | |||
| 16 | diff --git a/requests/utils.py b/requests/utils.py | ||
| 17 | index 153776c7..eae72959 100644 | ||
| 18 | --- a/requests/utils.py | ||
| 19 | +++ b/requests/utils.py | ||
| 20 | @@ -208,13 +208,7 @@ def get_netrc_auth(url, raise_errors=False): | ||
| 21 | return | ||
| 22 | |||
| 23 | ri = urlparse(url) | ||
| 24 | - | ||
| 25 | - # Strip port numbers from netloc. This weird `if...encode`` dance is | ||
| 26 | - # used for Python 3.2, which doesn't support unicode literals. | ||
| 27 | - splitstr = b':' | ||
| 28 | - if isinstance(url, str): | ||
| 29 | - splitstr = splitstr.decode('ascii') | ||
| 30 | - host = ri.netloc.split(splitstr)[0] | ||
| 31 | + host = ri.hostname | ||
| 32 | |||
| 33 | try: | ||
| 34 | _netrc = netrc(netrc_path).authenticators(host) | ||
| 35 | -- | ||
| 36 | 2.34.1 | ||
| 37 | |||
diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb index 689a1dffb7..6f7c47abac 100644 --- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb +++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb | |||
| @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" | |||
| 5 | 5 | ||
| 6 | SRC_URI += "file://CVE-2023-32681.patch \ | 6 | SRC_URI += "file://CVE-2023-32681.patch \ |
| 7 | file://CVE-2024-35195.patch \ | 7 | file://CVE-2024-35195.patch \ |
| 8 | file://CVE-2024-47081.patch \ | ||
| 8 | " | 9 | " |
| 9 | 10 | ||
| 10 | SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61" | 11 | SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61" |