diff --git a/CVE-2024-36039.patch b/CVE-2024-36039.patch
new file mode 100644
index 0000000..d4aef5e
--- /dev/null
+++ b/CVE-2024-36039.patch
@@ -0,0 +1,17 @@
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac75..dbf97ca 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
+ 
+ 
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+ 
+ 
+ def escape_sequence(val, charset, mapping=None):
diff --git a/python3.12-PyMySQL.spec b/python3.12-PyMySQL.spec
index e99e8ea..9f2bc5b 100644
--- a/python3.12-PyMySQL.spec
+++ b/python3.12-PyMySQL.spec
@@ -5,7 +5,7 @@
 Name: python%{python3_pkgversion}-%{pypi_name}
 Version: 1.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Pure-Python MySQL client library
 License: MIT
@@ -13,6 +13,11 @@ URL: https://pypi.python.org/pypi/%{pypi_name}/
 Source0: %pypi_source
 Source1: setup.py
+# Security fix for CVE-2024-36039: SQL injection if used with untrusted JSON input
+# Resolved upstream: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2282821
+Patch0: CVE-2024-36039.patch
+
 BuildArch: noarch
 BuildRequires: python%{python3_pkgversion}-devel
@@ -35,7 +40,7 @@ and Jython.
 %prep
-%setup -qn %{pypi_name}-%{version}
+%autosetup -n %{pypi_name}-%{version} -p1
 rm -rf %{pypi_name}.egg-info
 # Remove tests files so they are not installed globally.
 rm -rf tests
@@ -62,6 +67,10 @@ cp %{SOURCE1} .
 %{python3_sitelib}/pymysql/
 %changelog
+* Fri May 31 2024 Charalampos Stratakis - 1.1.0-3
+- Security fix for CVE-2024-36039
+Resolves: RHEL-38366
+
 * Tue Jan 23 2024 Miro HronĨok - 1.1.0-2
 - Rebuilt for timestamp .pyc invalidation mode
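Review bot: The new one-line body of `escape_dict` in the backported patch raises unconditionally but carries no comment explaining why, and the reason is only visible in the removed lines, which escaped the values with `escape_item` and copied every key through untouched; add `# Dict parameters are rejected: the previous implementation escaped only the values and passed the keys through unescaped (CVE-2024-36039).` above the `raise`. Whether any in-tree caller still dispatches dict arguments to this function cannot be seen from the hunk, so a dict passed as a query parameter presumably now fails with `TypeError` at the call site, which is worth stating in the package changelog entry alongside the CVE id. The neighbouring `escape_item` and `escape_sequence` definitions are only partially inside the hunk.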