rpms/python3.9
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fixes for CVE-2026-4786 and CVE-2026-6100

Browse Source 
Resolves: RHEL-167919, RHEL-168161
This commit is contained in:
Charalampos Stratakis 2026-04-17 04:59:00 +02:00
parent a82a300625
commit f201478fdf
3 changed files with 128 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
00480-cve-2026-4786.patch Normal file
View File

@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Mon, 13 Apr 2026 22:41:53 +0100
Subject: 00480: CVE-2026-4786
Fix webbrowser `%action` substitution bypass of dash-prefix check
---
Lib/test/test_webbrowser.py | 8 ++++++++
Lib/webbrowser.py | 5 +++--
.../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst | 2 ++
3 files changed, 13 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index f8e9234db8..9156ceec60 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -95,6 +95,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
options=[],
arguments=[URL])
+ def test_reject_action_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open('%action--incognito')
+ # new=1: action is "--new-window", so "%action" itself expands to
+ # a dash-prefixed flag even with no dash in the original URL.
+ with self.assertRaises(ValueError):
+ browser.open('%action', new=1)
class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index f5349dbce5..43ccddf330 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -264,7 +264,6 @@ class UnixBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
- self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -278,7 +277,9 @@ class UnixBrowser(BaseBrowser):
raise Error("Bad 'new' parameter to open(); " +
"expected 0, 1, or 2, got %s" % new)
- args = [arg.replace("%s", url).replace("%action", action)
+ self._check_url(url.replace("%action", action))
+
+ args = [arg.replace("%action", action).replace("%s", url)
for arg in self.remote_args]
args = [arg for arg in args if arg]
success = self._invoke(args, True, autoraise, url)
diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
new file mode 100644
index 0000000000..45cdeebe1b
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
@@ -0,0 +1,2 @@
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
+the dash-prefix safety check.

48
00482-cve-2026-6100.patch Normal file
View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Mon, 13 Apr 2026 22:42:24 +0100
Subject: 00482: CVE-2026-6100
Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
---
.../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++
Modules/_bz2module.c | 1 +
Modules/_lzmamodule.c | 1 +
3 files changed, 7 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
new file mode 100644
index 0000000000..b095329bd9
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
@@ -0,0 +1,5 @@
+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
+:class:`bz2.BZ2Decompressor`
+when memory allocation fails with :exc:`MemoryError`, which could let a
+subsequent :meth:`!decompress` call read or write through a stale pointer to
+the already-released caller buffer.
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 880632c623..9b17341e49 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -559,6 +559,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
return result;
error:
+ bzs->next_in = NULL;
Py_XDECREF(result);
return NULL;
}
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index 2a62a68356..dde81238ef 100644
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -1039,6 +1039,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
return result;
error:
+ lzs->next_in = NULL;
Py_XDECREF(result);
return NULL;
}

18
python3.9.spec
View File

@ -17,7 +17,7 @@ URL: https://www.python.org/
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 6%{?dist}
Release: 7%{?dist}
License: Python
@ -484,6 +484,18 @@ Patch476: 00476-cve-2026-1299.patch
# Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
Patch478: 00478-cve-2026-4519.patch
# 00480 # 9f4b1483ecfbc8c08117133c239fba544fcb42e7
# CVE-2026-4786
#
# Fix webbrowser `%%action` substitution bypass of dash-prefix check
Patch480: 00480-cve-2026-4786.patch
# 00482 # 51e25e8a804257b707e2021655037d07dcfa9cd6
# CVE-2026-6100
#
# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
Patch482: 00482-cve-2026-6100.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1895,6 +1907,10 @@ CheckPython optimized
# ======================================================
%changelog
* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.9.25-7
- Security fixes for CVE-2026-4786 and CVE-2026-6100
Resolves: RHEL-167919, RHEL-168161
* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-6
- Security fix for CVE-2026-4519
Resolves: RHEL-158117