diff options
| author |   Joe Slater <joe.slater@windriver.com> | 2023-03-16 08:54:09 -0700 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2023-03-16 06:29:35 -1000 |
| commit | 37defd828cc6a8267139928730d766167905d21a (patch) | |
| tree | 0c26e1e26713219f1b1a33013f8800fa1fc5e4fc | |
| parent | 5c156d8c06267b7a733aca11c53c2905e03e4a58 (diff) | |
| download | openembedded-core-contrib-37defd828cc6a8267139928730d766167905d21a.tar.gz | |
python3: fix CVE-2023-24329
Backport fix from cpython 3.11 branch.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-devtools/python/python3/cve-2023-24329.patch | 50 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python3_3.10.9.bb | 1 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 0000000000..d47425d239 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch @@ -0,0 +1,50 @@ +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sun, 13 Nov 2022 11:00:25 -0800 +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme + must begin with an alphabetical ASCII character. (GH-99421) + +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. + +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` + +The WHATWG URL spec defines a scheme like this: +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) + +Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> +--- end original header --- + +CVE: CVE-2023-24329 + +Upstream-Status: Backport [see below] + +Taken from https://github.com/python/cpython.git +commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 + +CVE fix extracted; test case and update to NEWS abandoned. +Defuzzed. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + Lib/urllib/parse.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 26ddf30..1c53acb 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + for c in url[:i]: + if c not in scheme_chars: + break +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb b/meta/recipes-devtools/python/python3_3.10.9.bb index d6b7a618c1..867958c0fb 100644 --- a/meta/recipes-devtools/python/python3_3.10.9.bb +++ b/meta/recipes-devtools/python/python3_3.10.9.bb @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ + file://cve-2023-24329.patch \ " SRC_URI:append:class-native = " \ |