From 44ec16aa422bb3c30085fa19d5d3279dfd787ee2 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 14 Jul 2026 12:02:18 -0400 Subject: [PATCH] import CS git python3-3.6.8-77.el8_10 --- SOURCES/00490-cve-2026-15308.patch | 116 +++++++++++++++++++++++++++++ SPECS/python3.spec | 18 ++++- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 SOURCES/00490-cve-2026-15308.patch diff --git a/SOURCES/00490-cve-2026-15308.patch b/SOURCES/00490-cve-2026-15308.patch new file mode 100644 index 0000000..b88f737 --- /dev/null +++ b/SOURCES/00490-cve-2026-15308.patch @@ -0,0 +1,116 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lum=C3=ADr=20Balhar?= +Date: Fri, 10 Jul 2026 08:12:50 +0000 +Subject: 00490: CVE-2026-15308 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031) (GH-153038) + +When an unterminated construct (e.g. a tag or comment) spanned many +feed() calls, rescanning the growing buffer and concatenating new data +onto it were both quadratic. New data is now accumulated in a list and +only joined and parsed once enough has piled up. +(cherry picked from commit bcf98ddbc40ec9b3ee87da0124a5660b19b7e606) + +Co-authored-by: Serhiy Storchaka +Co-authored-by: Claude Opus 4.8 +Co-authored-by: Lumír Balhar +--- + Lib/html/parser.py | 32 ++++++++++++++++++++++++++++++-- + Lib/test/test_htmlparser.py | 21 +++++++++++++++++++++ + 2 files changed, 51 insertions(+), 2 deletions(-) + +diff --git a/Lib/html/parser.py b/Lib/html/parser.py +index ef869bc72d..37bbadcc05 100644 +--- a/Lib/html/parser.py ++++ b/Lib/html/parser.py +@@ -99,6 +99,9 @@ class HTMLParser(_markupbase.ParserBase): + self.lasttag = '???' + self.interesting = interesting_normal + self.cdata_elem = None ++ self._pending = [] ++ self._pending_len = 0 ++ self._parse_threshold = 1 + _markupbase.ParserBase.reset(self) + + def feed(self, data): +@@ -107,11 +110,36 @@ class HTMLParser(_markupbase.ParserBase): + Call this as often as you want, with as little or as much text + as you want (may include '\n'). + """ +- self.rawdata = self.rawdata + data +- self.goahead(0) ++ # Accumulate new data in a list and only join and parse it once ++ # enough has piled up. Rescanning an unparsed buffer (e.g. an ++ # unterminated tag) and concatenating onto it on every call would ++ # both be quadratic in the input size. ++ self._pending_len += len(data) ++ if self._pending_len < self._parse_threshold: ++ self._pending.append(data) ++ else: ++ if not self._pending: ++ self.rawdata += data ++ else: ++ self._pending.append(data) ++ self.rawdata += ''.join(self._pending) ++ self._pending.clear() ++ self._pending_len = 0 ++ n = len(self.rawdata) ++ self.goahead(0) ++ if len(self.rawdata) < n: ++ # Some data was parsed; resume on the next call. ++ self._parse_threshold = 1 ++ else: ++ # Nothing was parsed; wait until the buffer doubles. ++ self._parse_threshold = len(self.rawdata) + + def close(self): + """Handle any buffered data.""" ++ if self._pending: ++ self.rawdata += ''.join(self._pending) ++ self._pending.clear() ++ self._pending_len = 0 + self.goahead(1) + + __starttag_text = None +diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py +index 326e34290f..a2916b9511 100644 +--- a/Lib/test/test_htmlparser.py ++++ b/Lib/test/test_htmlparser.py +@@ -3,6 +3,7 @@ + import html.parser + import pprint + import unittest ++from test import support + + + class EventCollector(html.parser.HTMLParser): +@@ -641,6 +642,26 @@ text + ('endtag', 'a'), ('data', ' bar & baz')] + ) + ++ @support.requires_resource('cpu') ++ def test_incremental_no_quadratic_complexity(self): ++ # An unterminated construct fed in many small chunks used to take ++ # quadratic time, both to rescan and to concatenate the buffer. ++ # Now it takes a fraction of a second. ++ def check(prefix, chunk, suffix): ++ parser = html.parser.HTMLParser() ++ parser.feed(prefix) ++ for _ in range(200_000): ++ parser.feed(chunk) ++ parser.feed(suffix) ++ parser.close() ++ chunk = "a" * 64 ++ check("") # comment ++ check("") # processing instruction ++ check("") # doctype ++ check("") # CDATA section ++ check("") # start tag ++ check("") # RAWTEXT element ++ + + class AttributesTestCase(TestCaseBase): + diff --git a/SPECS/python3.spec b/SPECS/python3.spec index 01c0865..dd1b332 100644 --- a/SPECS/python3.spec +++ b/SPECS/python3.spec @@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 76%{?dist} +Release: 77%{?dist} License: Python @@ -1017,6 +1017,17 @@ Patch480: 00480-cve-2026-4786.patch # Backported from Python 3.10 Patch482: 00482-cve-2026-6100.patch +# 00490 # +# CVE-2026-15308 +# +# gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031) (GH-153038) +# +# When an unterminated construct (e.g. a tag or comment) spanned many +# feed() calls, rescanning the growing buffer and concatenating new data +# onto it were both quadratic. New data is now accumulated in a list and +# only joined and parsed once enough has piled up. +Patch490: 00490-cve-2026-15308.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1397,6 +1408,7 @@ GIT_DIR=$PWD git apply %{PATCH351} %patch478 -p1 %patch480 -p1 %patch482 -p1 +%patch490 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -2328,6 +2340,10 @@ fi # ====================================================== %changelog +* Fri Jul 10 2026 Lumír Balhar - 3.6.8-77 +- Security fix for CVE-2026-15308 +Resolves: RHEL-193772 + * Fri Apr 17 2026 Charalampos Stratakis - 3.6.8-76 - Security fixes for CVE-2026-4786, CVE-2026-6100 Resolves: RHEL-167890, RHEL-168128