import UBI python3.11-3.11.13-7.el8_10
This commit is contained in:
AlmaLinux RelEng Bot
parent
e5d301e258
commit
5fdc044ba2
63
SOURCES/00480-cve-2026-4786.patch
Normal file
63
SOURCES/00480-cve-2026-4786.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stan Ulbrych <stan@python.org>
|
||||||
|
Date: Mon, 13 Apr 2026 22:41:51 +0100
|
||||||
|
Subject: 00480: CVE-2026-4786
|
||||||
|
|
||||||
|
Fix webbrowser `%action` substitution bypass of dash-prefix check
|
||||||
|
---
|
||||||
|
Lib/test/test_webbrowser.py | 8 ++++++++
|
||||||
|
Lib/webbrowser.py | 5 +++--
|
||||||
|
.../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst | 2 ++
|
||||||
|
3 files changed, 13 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
|
||||||
|
index 0ac985f56c..d629f889db 100644
|
||||||
|
--- a/Lib/test/test_webbrowser.py
|
||||||
|
+++ b/Lib/test/test_webbrowser.py
|
||||||
|
@@ -99,6 +99,14 @@ def test_open_new_tab(self):
|
||||||
|
options=[],
|
||||||
|
arguments=[URL])
|
||||||
|
|
||||||
|
+ def test_reject_action_dash_prefixes(self):
|
||||||
|
+ browser = self.browser_class(name=CMD_NAME)
|
||||||
|
+ with self.assertRaises(ValueError):
|
||||||
|
+ browser.open('%action--incognito')
|
||||||
|
+ # new=1: action is "--new-window", so "%action" itself expands to
|
||||||
|
+ # a dash-prefixed flag even with no dash in the original URL.
|
||||||
|
+ with self.assertRaises(ValueError):
|
||||||
|
+ browser.open('%action', new=1)
|
||||||
|
|
||||||
|
class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
|
||||||
|
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
|
||||||
|
index 0fd0aeb3c1..026bdfbd7b 100755
|
||||||
|
--- a/Lib/webbrowser.py
|
||||||
|
+++ b/Lib/webbrowser.py
|
||||||
|
@@ -265,7 +265,6 @@ def _invoke(self, args, remote, autoraise, url=None):
|
||||||
|
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
- self._check_url(url)
|
||||||
|
if new == 0:
|
||||||
|
action = self.remote_action
|
||||||
|
elif new == 1:
|
||||||
|
@@ -279,7 +278,9 @@ def open(self, url, new=0, autoraise=True):
|
||||||
|
raise Error("Bad 'new' parameter to open(); " +
|
||||||
|
"expected 0, 1, or 2, got %s" % new)
|
||||||
|
|
||||||
|
- args = [arg.replace("%s", url).replace("%action", action)
|
||||||
|
+ self._check_url(url.replace("%action", action))
|
||||||
|
+
|
||||||
|
+ args = [arg.replace("%action", action).replace("%s", url)
|
||||||
|
for arg in self.remote_args]
|
||||||
|
args = [arg for arg in args if arg]
|
||||||
|
success = self._invoke(args, True, autoraise, url)
|
||||||
|
diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..45cdeebe1b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
|
||||||
|
+the dash-prefix safety check.
|
||||||
48
SOURCES/00482-cve-2026-6100.patch
Normal file
48
SOURCES/00482-cve-2026-6100.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stan Ulbrych <stan@python.org>
|
||||||
|
Date: Mon, 13 Apr 2026 22:42:36 +0100
|
||||||
|
Subject: 00482: CVE-2026-6100
|
||||||
|
|
||||||
|
Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
|
||||||
|
---
|
||||||
|
.../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++
|
||||||
|
Modules/_bz2module.c | 1 +
|
||||||
|
Modules/_lzmamodule.c | 1 +
|
||||||
|
3 files changed, 7 insertions(+)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
|
||||||
|
|
||||||
|
diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..349d1cf3ca
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
|
||||||
|
@@ -0,0 +1,5 @@
|
||||||
|
+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
|
||||||
|
+and :class:`bz2.BZ2Decompressor`
|
||||||
|
+when memory allocation fails with :exc:`MemoryError`, which could let a
|
||||||
|
+subsequent :meth:`!decompress` call read or write through a stale pointer to
|
||||||
|
+the already-released caller buffer.
|
||||||
|
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
|
||||||
|
index 798e9efc62..b08ac5e44e 100644
|
||||||
|
--- a/Modules/_bz2module.c
|
||||||
|
+++ b/Modules/_bz2module.c
|
||||||
|
@@ -595,6 +595,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
error:
|
||||||
|
+ bzs->next_in = NULL;
|
||||||
|
Py_XDECREF(result);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
|
||||||
|
index 97453a2808..51106a6a07 100644
|
||||||
|
--- a/Modules/_lzmamodule.c
|
||||||
|
+++ b/Modules/_lzmamodule.c
|
||||||
|
@@ -1105,6 +1105,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
error:
|
||||||
|
+ lzs->next_in = NULL;
|
||||||
|
Py_XDECREF(result);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
@ -20,7 +20,7 @@ URL: https://www.python.org/
|
|||||||
#global prerel ...
|
#global prerel ...
|
||||||
%global upstream_version %{general_version}%{?prerel}
|
%global upstream_version %{general_version}%{?prerel}
|
||||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
|
|
||||||
|
|
||||||
@ -462,6 +462,18 @@ Patch476: 00476-cve-2026-1299.patch
|
|||||||
# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146364)
|
# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146364)
|
||||||
Patch478: 00478-cve-2026-4519.patch
|
Patch478: 00478-cve-2026-4519.patch
|
||||||
|
|
||||||
|
# 00480 # 9f4b1483ecfbc8c08117133c239fba544fcb42e7
|
||||||
|
# CVE-2026-4786
|
||||||
|
#
|
||||||
|
# Fix webbrowser `%%action` substitution bypass of dash-prefix check
|
||||||
|
Patch480: 00480-cve-2026-4786.patch
|
||||||
|
|
||||||
|
# 00482 # 2a21454e658935990766df8c3c48af9363e8422a
|
||||||
|
# CVE-2026-6100
|
||||||
|
#
|
||||||
|
# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
|
||||||
|
Patch482: 00482-cve-2026-6100.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
@ -1919,6 +1931,10 @@ fi
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.11.13-7
|
||||||
|
- Security fixes for CVE-2026-4786, CVE-2026-6100
|
||||||
|
Resolves: RHEL-168129, RHEL-167891
|
||||||
|
|
||||||
* Thu Mar 26 2026 Lukáš Zachar <lzachar@redhat.com> - 3.11.13-6
|
* Thu Mar 26 2026 Lukáš Zachar <lzachar@redhat.com> - 3.11.13-6
|
||||||
- Security fix for CVE-2026-4519
|
- Security fix for CVE-2026-4519
|
||||||
Resolves: RHEL-158028
|
Resolves: RHEL-158028
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user