From: Joe Slater Date: Thu, 16 Mar 2023 15:54:09 +0000 (-0700) Subject: python3: fix CVE-2023-24329 X-Git-Tag: yocto-4.0.9~60 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37defd828cc6a8267139928730d766167905d21a;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git python3: fix CVE-2023-24329 Backport fix from cpython 3.11 branch. Signed-off-by: Joe Slater Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 00000000000..d47425d239b --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch @@ -0,0 +1,50 @@ +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sun, 13 Nov 2022 11:00:25 -0800 +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme + must begin with an alphabetical ASCII character. (GH-99421) + +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. + +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` + +The WHATWG URL spec defines a scheme like this: +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) + +Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> +--- end original header --- + +CVE: CVE-2023-24329 + +Upstream-Status: Backport [see below] + +Taken from https://github.com/python/cpython.git +commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 + +CVE fix extracted; test case and update to NEWS abandoned. +Defuzzed. + +Signed-off-by: Joe Slater +--- + Lib/urllib/parse.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 26ddf30..1c53acb 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + for c in url[:i]: + if c not in scheme_chars: + break +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb b/meta/recipes-devtools/python/python3_3.10.9.bb index d6b7a618c1b..867958c0fbf 100644 --- a/meta/recipes-devtools/python/python3_3.10.9.bb +++ b/meta/recipes-devtools/python/python3_3.10.9.bb @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ + file://cve-2023-24329.patch \ " SRC_URI:append:class-native = " \