[kirkstone] python3-requests: fix CVE-2024-47081

Message ID 20250612053247.1280470-1-jiaying.song.cn@windriver.com
State Superseded
Delegated to: Steve Sakoman

Commit Message

Song, Jiaying (CN) June 12, 2025, 5:32 a.m. UTC
From: Jiaying Song <jiaying.song.cn@windriver.com>

Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-47081

Upstream patch:
https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
---
 .../python3-requests/CVE-2024-47081.patch     | 35 +++++++++++++++++++
 .../python/python3-requests_2.27.1.bb         |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch
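The commit message above describes the bug only at the level of "a URL parsing issue"; the patch itself (below) shows the mechanism: `get_netrc_auth()` derived the lookup host from `netloc.split(':')[0]`, and `netloc` still contains any `user:password@` userinfo, so the text before the first colon is attacker-chosen. The following is an added example, not code from the requests project or from this Yocto patch. It re-implements only the host derivation of the pre-fix and post-fix code paths against a constructed .netrc file (fake credentials, written to a temp directory) and compares what each path would hand to `netrc.authenticators()`. The IPv6 case goes beyond the commit message; it follows directly from `urlparse().hostname` stripping brackets, which the old split did not do.

```python
"""Host derivation before and after the CVE-2024-47081 fix in
requests.utils.get_netrc_auth(), applied to a constructed .netrc.
Added example; not the requests project's code and not part of the patch."""
import os
import tempfile
from netrc import netrc
from urllib.parse import urlparse

# Constructed .netrc for this example only; the credentials are fake.
NETRC_TEXT = """\
machine api.example.com
  login ci-bot
  password hunter2
"""

# Constructed URLs: a normal API call, a crafted one that puts the
# .netrc machine name into the userinfo part, and an IPv6 literal.
CASES = {
    "normal": "https://api.example.com:8443/v1/items",
    "crafted": "https://api.example.com:x@attacker.example/collect",
    "ipv6": "https://[2001:db8::1]:8443/",
}


def host_before_fix(url: str) -> str:
    """Pre-fix logic from the removed lines: first ':'-separated piece of
    netloc. netloc still carries userinfo, so a crafted URL controls it."""
    ri = urlparse(url)
    return ri.netloc.split(":")[0]


def host_after_fix(url: str):
    """Post-fix logic from the added line: urlparse().hostname, which drops
    userinfo and port, strips IPv6 brackets and lower-cases the result."""
    return urlparse(url).hostname


def netrc_login_for(url: str, netrc_path: str, fixed: bool):
    """Return the .netrc login the lookup would select for this URL, or
    None. Mirrors the shape of get_netrc_auth(); only the host differs."""
    host = host_after_fix(url) if fixed else host_before_fix(url)
    entry = netrc(netrc_path).authenticators(host)
    return entry[0] if entry else None


def demo() -> dict:
    """Run both derivations over CASES. Returns, per case, the tuple
    (host_before, host_after, login_before, login_after)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc")
        with open(path, "w") as fh:
            fh.write(NETRC_TEXT)
        # Good hygiene; the netrc module enforces 0600 only for ~/.netrc.
        os.chmod(path, 0o600)
        for label, url in CASES.items():
            results[label] = (
                host_before_fix(url),
                host_after_fix(url),
                netrc_login_for(url, path, fixed=False),
                netrc_login_for(url, path, fixed=True),
            )
    return results


if __name__ == "__main__":
    for label, (hb, ha, lb, la) in demo().items():
        print(f"{label:8} before: host={hb!r} login={lb!r}")
        print(f"{'':8} after:  host={ha!r} login={la!r}")
```

On the crafted URL the pre-fix path resolves the .netrc entry for `api.example.com` even though the request is going to `attacker.example`; the post-fix path looks up `attacker.example` and finds nothing. The commit message's interim mitigation, `requests.Session(trust_env=False)`, simply skips this lookup altogether. One side effect worth knowing when backporting: `hostname` is lower-cased, and `netrc.authenticators()` matches case-sensitively, so a `.netrc` entry written with a mixed-case machine name will stop matching after the fix.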

Comments

patchtest@automation.yoctoproject.org June 12, 2025, 5:46 a.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/kirkstone-python3-requests-fix-CVE-2024-47081.patch

FAIL: test Signed-off-by presence: A patch file has been added without a Signed-off-by tag: 'CVE-2024-47081.patch' (test_patch.TestPatch.test_signed_off_by_presence)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Patch

diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch
new file mode 100644
index 0000000000..b2fa344594
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-47081.patch
@@ -0,0 +1,35 @@ 
+From c664b4415baf1b237a8d74f5e880179e69ee764c Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+CVE: CVE-2024-47081
+
+Upstream-Status: Backport
+[https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef]
+---
+ requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index 153776c7..eae72959 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -208,13 +208,7 @@ def get_netrc_auth(url, raise_errors=False):
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b':'
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode('ascii')
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
+-- 
+2.34.1
+
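Review bot: the added patch file has no Signed-off-by line from the person doing the backport, which is the one patchtest FAIL reported above; add a `Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>` line under the `Upstream-Status` block before resubmitting. Related header point: the `From c664b4415baf...` hash does not match the upstream commit `96ba401c...` named in `Upstream-Status`, so if the file was regenerated or adapted to the 2.27.1 tree rather than exported verbatim, say so in the header so later reviewers know not to expect a byte-identical cherry-pick. On the code itself, replacing `ri.netloc.split(splitstr)[0]` with `ri.hostname` is the correct fix for what the removed lines show: `netloc` still carries any `user:password@` prefix, so the old split handed whatever preceded the first colon to `netrc(...).authenticators(host)`, not the host the request is sent to, and `hostname` also strips IPv6 brackets instead of returning `[2001`-style fragments. Two behaviour changes to note for the recipe's users: `hostname` is lower-cased while `netrc.authenticators()` matches case-sensitively, so mixed-case `machine` entries in `.netrc` will no longer match; and `hostname` can be `None` for a URL without a netloc, which `authenticators()` tolerates (it returns None or the `default` entry), so no extra guard is needed here.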
diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
index 689a1dffb7..6f7c47abac 100644
--- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
@@ -5,6 +5,7 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
 
 SRC_URI += "file://CVE-2023-32681.patch \
             file://CVE-2024-35195.patch \
+            file://CVE-2024-47081.patch \
            "
 
 SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61"