Add AlmaLinux to supported distros

2026-04-28 05:36:41 +00:00 · 2026-04-28 05:36:41 +00:00 · 033ee8e3e8
commit 033ee8e3e8
parent 4cb1c9bd59 53a7082225
3 changed files with 139 additions and 2 deletions
--- a/SOURCES/00480-cve-2026-4786.patch
+++ b/SOURCES/00480-cve-2026-4786.patch
@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 22:41:53 +0100
+Subject: 00480: CVE-2026-4786
+
+Fix webbrowser `%action` substitution bypass of dash-prefix check
+
+Backported from Python 3.10
+---
+ Lib/test/test_webbrowser.py                               | 8 ++++++++
+ Lib/webbrowser.py                                         | 5 +++--
+ .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst        | 2 ++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index ec4ba2f7ac..362572e312 100644
+--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
+@@ -93,6 +93,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
+                    options=[],
+                    arguments=[URL])
+ 
+    def test_reject_action_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open('%action--incognito')
+        # new=1: action is "--new-window", so "%action" itself expands to
+        # a dash-prefixed flag even with no dash in the original URL.
+        with self.assertRaises(ValueError):
+            browser.open('%action', new=1)
+ 
+ class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index f00f1a712a..9345f785e0 100755
+--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
+@@ -227,7 +227,6 @@ class UnixBrowser(BaseBrowser):
+             return not p.wait()
+ 
+     def open(self, url, new=0, autoraise=True):
+-        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -241,7 +240,9 @@ class UnixBrowser(BaseBrowser):
+             raise Error("Bad 'new' parameter to open(); " +
+                         "expected 0, 1, or 2, got %s" % new)
+ 
+-        args = [arg.replace("%s", url).replace("%action", action)
+        self._check_url(url.replace("%action", action))
+
+        args = [arg.replace("%action", action).replace("%s", url)
+                 for arg in self.remote_args]
+         args = [arg for arg in args if arg]
+         success = self._invoke(args, True, autoraise)
+diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+new file mode 100644
+index 0000000000..45cdeebe1b
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+@@ -0,0 +1,2 @@
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
+the dash-prefix safety check.
--- a/SOURCES/00482-cve-2026-6100.patch
+++ b/SOURCES/00482-cve-2026-6100.patch
@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 22:42:24 +0100
+Subject: 00482: CVE-2026-6100
+
+Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+
+Backported from Python 3.10
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
+ Modules/_bz2module.c                                         | 1 +
+ Modules/_lzmamodule.c                                        | 1 +
+ 3 files changed, 7 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 0000000000..b095329bd9
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
+:class:`bz2.BZ2Decompressor`
+when memory allocation fails with :exc:`MemoryError`, which could let a
+subsequent :meth:`!decompress` call read or write through a stale pointer to
+the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index fe06953ec4..394ed22540 100644
+--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
+@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
+    bzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 3d3645af92..0157dce83a 100644
+--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
+@@ -1053,6 +1053,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
+    lzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 75%{?dist}.alma.1
+Release: 76%{?dist}.alma.1
 License: Python


@ -1001,6 +1001,22 @@ Patch476: 00476-cve-2026-1299.patch
 # Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
 Patch478: 00478-cve-2026-4519.patch

+# 00480 # 2fdcb1ee7535bec67f807eb9a1ea1477cccbb86d
+# CVE-2026-4786
+#
+# Fix webbrowser `%%action` substitution bypass of dash-prefix check
+#
+# Backported from Python 3.10
+Patch480: 00480-cve-2026-4786.patch
+
+# 00482 # 51e25e8a804257b707e2021655037d07dcfa9cd6
+# CVE-2026-6100
+#
+# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+#
+# Backported from Python 3.10
+Patch482: 00482-cve-2026-6100.patch
+
 # AlmaLinux Patch
 Patch1000: python-3.6-almalinux_support.patch

@ -1382,6 +1398,8 @@ GIT_DIR=$PWD git apply %{PATCH351}
 %patch475 -p1
 %patch476 -p1
 %patch478 -p1
+%patch480 -p1
+%patch482 -p1

 # Applying AlmaLinux Patch
 %patch1000 -p1 -b .python-36-almalinux_support
@ -2316,9 +2334,13 @@ fi
 # ======================================================

 %changelog
-* Thu Apr 02 2026 Eduard Abdullin <eabdullin@almalinux.org> - 3.6.8-75.alma.1
+* Tue Apr 28 2026 Eduard Abdullin <eabdullin@almalinux.org> - 3.6.8-76.alma.1
 - Add AlmaLinux to supported distros

+* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-76
+- Security fixes for CVE-2026-4786, CVE-2026-6100
+Resolves: RHEL-167890, RHEL-168128
+
 * Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-75
 - Security fix for CVE-2026-4519
 Resolves: RHEL-158077