From 6a330e606b422e3e6d2d2760c10cfc295779f1b8 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Mon, 27 Apr 2026 11:37:08 -0400
Subject: [PATCH] import UBI python3.12-3.12.12-4.el9_7.3

---
 SOURCES/00480-cve-2026-4786.patch | 64 +++++++++++++++++++++++++++++++
 SOURCES/00482-cve-2026-6100.patch | 61 +++++++++++++++++++++++++++++
 SPECS/python3.12.spec             | 18 ++++++++-
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/00480-cve-2026-4786.patch
 create mode 100644 SOURCES/00482-cve-2026-6100.patch

diff --git a/SOURCES/00480-cve-2026-4786.patch b/SOURCES/00480-cve-2026-4786.patch
new file mode 100644
index 0000000..73e4e13
--- /dev/null
+++ b/SOURCES/00480-cve-2026-4786.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 20:02:52 +0100
+Subject: 00480: CVE-2026-4786
+
+Fix webbrowser `%action` substitution bypass of dash-prefix check
+---
+ Lib/test/test_webbrowser.py                              | 9 +++++++++
+ Lib/webbrowser.py                                        | 5 +++--
+ .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst       | 2 ++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 60f094fd6a..e900c0212b 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -99,6 +99,15 @@ def test_open_new_tab(self):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_action_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open('%action--incognito')
++        # new=1: action is "--new-window", so "%action" itself expands to
++        # a dash-prefixed flag even with no dash in the original URL.
++        with self.assertRaises(ValueError):
++            browser.open('%action', new=1)
++
+ 
+ class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 0bdb644d7d..79d410bcae 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -268,7 +268,6 @@ def _invoke(self, args, remote, autoraise, url=None):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+-        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -282,7 +281,9 @@ def open(self, url, new=0, autoraise=True):
+             raise Error("Bad 'new' parameter to open(); " +
+                         "expected 0, 1, or 2, got %s" % new)
+ 
+-        args = [arg.replace("%s", url).replace("%action", action)
++        self._check_url(url.replace("%action", action))
++
++        args = [arg.replace("%action", action).replace("%s", url)
+                 for arg in self.remote_args]
+         args = [arg for arg in args if arg]
+         success = self._invoke(args, True, autoraise, url)
+diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+new file mode 100644
+index 0000000000..45cdeebe1b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+@@ -0,0 +1,2 @@
++A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
++the dash-prefix safety check.
diff --git a/SOURCES/00482-cve-2026-6100.patch b/SOURCES/00482-cve-2026-6100.patch
new file mode 100644
index 0000000..5656e3d
--- /dev/null
+++ b/SOURCES/00482-cve-2026-6100.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 02:14:54 +0100
+Subject: 00482: CVE-2026-6100
+
+Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
+ Modules/_bz2module.c                                         | 1 +
+ Modules/_lzmamodule.c                                        | 1 +
+ Modules/zlibmodule.c                                         | 1 +
+ 4 files changed, 8 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 0000000000..9502189ab1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
++when memory allocation fails with :exc:`MemoryError`, which could let a
++subsequent :meth:`!decompress` call read or write through a stale pointer to
++the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 97bd44b4ac..a732e89d55 100644
+--- a/Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    bzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 7bbd6569aa..103a6ef86c 100644
+--- a/Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1114,6 +1114,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    lzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
+index f94c57e4c8..9759593b6a 100644
+--- a/Modules/zlibmodule.c
++++ b/Modules/zlibmodule.c
+@@ -1645,6 +1645,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
+     return result;
+ 
+ error:
++    self->zst.next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
diff --git a/SPECS/python3.12.spec b/SPECS/python3.12.spec
index e365187..9d037a3 100644
--- a/SPECS/python3.12.spec
+++ b/SPECS/python3.12.spec
@@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 4%{?dist}.2
+Release: 4%{?dist}.3
 License: Python-2.0.1
 
 
@@ -460,6 +460,18 @@ Patch476: 00476-cve-2026-1299.patch
 # Reject leading dashes in webbrowser URLs (GH-146360)
 Patch478: 00478-cve-2026-4519.patch
 
+# 00480 # 6f4eef3ba4d9818a53698e994550ee8db17a1e2e
+# CVE-2026-4786
+#
+# Fix webbrowser `%%action` substitution bypass of dash-prefix check
+Patch480: 00480-cve-2026-4786.patch
+
+# 00482 # 69f14bc306fc62400d45565faa980b77858b9151
+# CVE-2026-6100
+#
+# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+Patch482: 00482-cve-2026-6100.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1775,6 +1787,10 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Thu Apr 16 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.12.12-4.3
+- Security fixes for CVE-2026-4786, CVE-2026-6100
+Resolves: RHEL-168156, RHEL-167914
+
 * Fri Mar 27 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-4.2
 - Security fix for CVE-2026-4519
 Resolves: RHEL-158051