Security fix for CVE-2024-36039

Resolves: RHEL-38371
Charalampos Stratakis 2024-05-31 18:17:29 +02:00
parent a2f6f8c30b
commit 5d23a3d1a5
2 changed files with 28 additions and 2 deletions

CVE-2024-36039.patch Normal file (17 lines added)

@ -0,0 +1,17 @@
diff --git a/pymysql/converters.py b/pymysql/converters.py
index 1adac75..dbf97ca 100644
--- a/pymysql/converters.py
+++ b/pymysql/converters.py
@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
def escape_dict(val, charset, mapping=None):
- n = {}
- for k, v in val.items():
- quoted = escape_item(v, charset, mapping)
- n[k] = quoted
- return n
+ raise TypeError("dict can not be used as parameter")
def escape_sequence(val, charset, mapping=None):
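Review bot: the removed loop is the defect and the new body is a deliberate API change, and both deserve a line of explanation in the patch file itself (a short DEP-3 style header naming the upstream commit would also ease the next rebase). In the old `escape_dict` only the value went through `escape_item(v, charset, mapping)` while the key was stored via `n[k] = quoted` unchanged, so a dict built from untrusted JSON could carry unescaped keys into the query; `raise TypeError("dict can not be used as parameter")` closes that path by refusing dicts altogether instead of trying to escape keys. `escape_dict` keeps its signature but now never returns, so any caller that passed dict parameters fails loudly at runtime rather than producing unsafe SQL, which is the safer failure mode; the hunk arithmetic is consistent (11 lines to 7: 5 removed, 1 added, 6 context).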


@ -5,7 +5,7 @@
Name: python%{python3_pkgversion}-%{pypi_name} Name: python%{python3_pkgversion}-%{pypi_name}
Version: 1.1.0 Version: 1.1.0
Release: 2%{?dist} Release: 3%{?dist}
Summary: Pure-Python MySQL client library Summary: Pure-Python MySQL client library
License: MIT License: MIT
@ -13,6 +13,11 @@ URL: https://pypi.python.org/pypi/%{pypi_name}/
Source0: %pypi_source Source0: %pypi_source
Source1: setup.py Source1: setup.py
# Security fix for CVE-2024-36039: SQL injection if used with untrusted JSON input
# Resolved upstream: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2282821
Patch0: CVE-2024-36039.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
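Review bot: declaring `Patch0:` here is only half of the change; with the original `%setup` in `%prep` a `Patch0:` line is silently never applied, so this hunk depends on the `%autosetup -p1` switch in the following hunk and the two must not be split across separate backports. The three comment lines above `Patch0` (CVE, upstream commit URL, tracking bug) are exactly what a reviewer wants next to a security patch.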
@ -35,7 +40,7 @@ and Jython.
%prep %prep
%setup -qn %{pypi_name}-%{version} %autosetup -n %{pypi_name}-%{version} -p1
rm -rf %{pypi_name}.egg-info rm -rf %{pypi_name}.egg-info
# Remove tests files so they are not installed globally. # Remove tests files so they are not installed globally.
rm -rf tests rm -rf tests
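Review bot: `-p1` is the correct strip level, since CVE-2024-36039.patch uses `a/pymysql/converters.py` and `b/pymysql/converters.py` paths; dropping `-q` is fine because `%autosetup` is quiet unless `-v` is given. When building, confirm that `%prep` output shows the patch being applied, as a misapplied hunk aborts the build but a patch that is never applied does not.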
@ -62,6 +67,10 @@ cp %{SOURCE1} .
%{python3_sitelib}/pymysql/ %{python3_sitelib}/pymysql/
%changelog %changelog
* Fri May 31 2024 Charalampos Stratakis <cstratak@redhat.com> - 1.1.0-3
- Security fix for CVE-2024-36039
Resolves: RHEL-38371
* Tue Jan 23 2024 Miro Hrončok <mhroncok@redhat.com> - 1.1.0-2 * Tue Jan 23 2024 Miro Hrončok <mhroncok@redhat.com> - 1.1.0-2
- Rebuilt for timestamp .pyc invalidation mode - Rebuilt for timestamp .pyc invalidation mode