[kirkstone,02/21] python3: fix CVE-2023-24329

Message ID	37defd828cc6a8267139928730d766167905d21a.1679092796.git.steve@sakoman.com
State	Accepted, archived
Commit	37defd828cc6a8267139928730d766167905d21a
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.45, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/21] python3: fix CVE-2023-24329 Date: Fri, 17 Mar 2023 12:42:16 -1000 Message-Id: <37defd828cc6a8267139928730d766167905d21a.1679092796.git.steve@sakoman.com> In-Reply-To: <cover.1679092796.git.steve@sakoman.com> References: <cover.1679092796.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/21] pkgconf: fix CVE-2023-24056 \| expand [kirkstone,01/21] pkgconf: fix CVE-2023-24056 [kirkstone,02/21] python3: fix CVE-2023-24329 [kirkstone,03/21] python3-git: fix indent error [kirkstone,04/21] vim: upgrade to 9.0.1403 [kirkstone,05/21] vim: set modified-by to the recipe MAINTAINER [kirkstone,06/21] mdadm: Fix testcase 06wrmostly [kirkstone,07/21] mdadm: fix tests/02lineargrow [kirkstone,08/21] mdadm: Fix raid0 tests [kirkstone,09/21] staging: Separate out different multiconfig manifests [kirkstone,10/21] staging/multilib: Fix manifest corruption [kirkstone,11/21] glibc: Add missing binutils dependency [kirkstone,12/21] selftest/runtime_test/virgl: Disable for all Rocky Linux [kirkstone,13/21] selftest/recipetool: Stop test corrupting tinfoil class [kirkstone,14/21] cups: use BUILDROOT instead of DESTDIR [kirkstone,15/21] cups: check PACKAGECONFIG for pam feature [kirkstone,16/21] cups: add/fix web interface packaging [kirkstone,17/21] buildtools-tarball: Handle spaces within user $PATH [kirkstone,18/21] toolchain-scripts: Handle spaces within user $PATH [kirkstone,19/21] populate_sdk_ext: Handle spaces within user $PATH [kirkstone,20/21] dhcpcd: Fix install conflict when enable multilib. [kirkstone,21/21] base-files: Drop localhost.localdomain from hosts file

Message ID

37defd828cc6a8267139928730d766167905d21a.1679092796.git.steve@sakoman.com

State

Accepted, archived

Commit

37defd828cc6a8267139928730d766167905d21a

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/21] python3: fix CVE-2023-24329
Date: Fri, 17 Mar 2023 12:42:16 -1000
Message-Id: 
 <37defd828cc6a8267139928730d766167905d21a.1679092796.git.steve@sakoman.com>
In-Reply-To: <cover.1679092796.git.steve@sakoman.com>
References: <cover.1679092796.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/21] pkgconf: fix CVE-2023-24056 | expand

Commit Message

Steve Sakoman March 17, 2023, 10:42 p.m. UTC

From: Joe Slater <joe.slater@windriver.com>

Backport fix from cpython 3.11 branch.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/python3/cve-2023-24329.patch       | 50 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.10.9.bb |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/cve-2023-24329.patch

diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
new file mode 100644
index 0000000000..d47425d239
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
@@ -0,0 +1,50 @@ 
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+--- end original header ---
+
+CVE: CVE-2023-24329
+
+Upstream-Status: Backport [see below]
+
+Taken from https://github.com/python/cpython.git
+commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
+
+CVE fix extracted; test case and update to NEWS abandoned.
+Defuzzed.
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ Lib/urllib/parse.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 26ddf30..1c53acb 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
++    if i > 0 and url[0].isascii() and url[0].isalpha():
+         for c in url[:i]:
+             if c not in scheme_chars:
+                 break
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb b/meta/recipes-devtools/python/python3_3.10.9.bb
index d6b7a618c1..867958c0fb 100644
--- a/meta/recipes-devtools/python/python3_3.10.9.bb
+++ b/meta/recipes-devtools/python/python3_3.10.9.bb
@@ -35,6 +35,7 @@  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
+           file://cve-2023-24329.patch \
            "
 
 SRC_URI:append:class-native = " \

[kirkstone,02/21] python3: fix CVE-2023-24329

Commit Message

Patch