diff --git a/SOURCES/00478-cve-2026-4519.patch b/SOURCES/00478-cve-2026-4519.patch
new file mode 100644
index 0000000..32e22c5
--- /dev/null
+++ b/SOURCES/00478-cve-2026-4519.patch
@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tomcruiseqi
+Date: Wed, 25 Mar 2026 02:23:45 +0800
+Subject: 00478: CVE-2026-4519
+
+Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
+
+Co-authored-by: Seth Michael Larson
+---
+ Lib/test/test_webbrowser.py | 5 +++++
+ Lib/webbrowser.py | 14 ++++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
+ 3 files changed, 20 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 7cbb8d0a29..ec4ba2f7ac 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -53,6 +53,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ options=[],
+ arguments=[URL])
+
++ def test_reject_dash_prefixes(self):
++ browser = self.browser_class(name=CMD_NAME)
++ with self.assertRaises(ValueError):
++ browser.open(f"--key=val {URL}")
++
+
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 1a553f0e65..f00f1a712a 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -120,6 +120,12 @@ class BaseBrowser(object):
+ def open_new_tab(self, url):
+ return self.open(url, 2)
+
++ @staticmethod
++ def _check_url(url):
++ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++ if url and url.lstrip().startswith("-"):
++ raise ValueError(f"Invalid URL: {url}")
++
+
+ class GenericBrowser(BaseBrowser):
+ """Class for all browsers started with a command
+@@ -136,6 +142,7 @@ class GenericBrowser(BaseBrowser):
+ self.basename = os.path.basename(self.name)
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ cmdline = [self.name]
+ [arg.replace("%s", url)
+ for arg in self.args]
+ try:
+@@ -153,6 +160,7 @@ class BackgroundBrowser(GenericBrowser):
+ background."""
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ cmdline = [self.name] + [arg.replace("%s", url)
+ for arg in self.args]
+ try:
+@@ -219,6 +227,7 @@ class UnixBrowser(BaseBrowser):
+ return not p.wait()
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ if new == 0:
+ action = self.remote_action
+ elif new == 1:
+@@ -319,6 +328,7 @@ class Konqueror(BaseBrowser):
+ """
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ # XXX Currently I know no way to prevent KFM from opening a new win.
+ if new == 2:
+ action = "newTab"
+@@ -402,6 +412,7 @@ class Grail(BaseBrowser):
+ return 1
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ if new:
+ ok = self._remote("LOADNEW " + url)
+ else:
+@@ -508,6 +519,7 @@ if os.environ.get("TERM"):
+ if sys.platform[:3] == "win":
+ class WindowsDefault(BaseBrowser):
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ try:
+ os.startfile(url)
+ except OSError:
+@@ -551,6 +563,7 @@ if sys.platform == 'darwin':
+ self.name = name
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ assert "'" not in url
+ # hack for local urls
+ if not ':' in url:
+@@ -588,6 +601,7 @@ if sys.platform == 'darwin':
+ self._name = name
+
+ def open(self, url, new=0, autoraise=True):
++ self._check_url(url)
+ if self._name == 'default':
+ script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+ else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000000..0f27eae99a
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
++Reject leading dashes in URLs passed to
:func:`webbrowser.open`
diff --git a/SPECS/python3.spec b/SPECS/python3.spec
index 3767a20..5387555 100644
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@@ -14,7 +14,7 @@ URL: https://www.python.org/
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 74%{?dist}.alma.1
+Release: 75%{?dist}.alma.1
 License: Python
@@ -992,6 +992,15 @@ Patch475: 00475-cve-2025-15367.patch
 # (cherry-picked from commit 45b2f8893c1b7ab3b3981a966f82e42beea82106)
 Patch476: 00476-cve-2026-1299.patch
+# 00478 #
+# CVE-2026-4519
+#
+# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
+#
+#
+# Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
+Patch478: 00478-cve-2026-4519.patch
+
 # AlmaLinux Patch
 Patch1000: python-3.6-almalinux_support.patch
@@ -1372,6 +1381,7 @@ GIT_DIR=$PWD git apply %{PATCH351}
 %patch474 -p1
 %patch475 -p1
 %patch476 -p1
+%patch478 -p1
 # Applying AlmaLinux Patch
 %patch1000 -p1 -b .python-36-almalinux_support
@@ -2306,9 +2316,13 @@ fi
 # ======================================================
 %changelog
-* Tue Mar 24 2026 Eduard Abdullin - 3.6.8-74.alma.1
+* Thu Apr 02 2026 Eduard Abdullin - 3.6.8-75.alma.1
 - Add AlmaLinux to supported distros
+* Thu Mar 26 2026 Lumír Balhar - 3.6.8-75
+- Security fix for CVE-2026-4519
+Resolves: RHEL-158077
+
 * Fri Mar 06 2026 Lumír Balhar - 3.6.8-74
 - Security fix for CVE-2025-0938
 Resolves: RHEL-153235
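Review bot: The one-line docstring on `_check_url` in the backported webbrowser.py hunk (`Ensures that the URL is safe to pass to subprocesses as a parameter`) promises more than the code delivers — it only rejects a value whose first non-blank character is `-`, i.e. a URL that a browser's option parser would read as a switch — and the check is opt-in: each of the eight `open()` overrides in the inner hunks had to be edited by hand to call it, so an out-of-tree `BaseBrowser` subclass that overrides `open()` gets no protection unless it does the same. I would state that contract in the docstring: `"""Raise ValueError if *url* begins with '-' (after stripping leading whitespace) and could be parsed as a command-line option; every open() override must call this before building a command line."""`. The new regression test only drives `GenericBrowser`; moving `test_reject_dash_prefixes` from `GenericBrowserCommandTest` into `CommandTestMixin` would let every command-based test class exercise it, assuming each of them supplies the `browser_class` the test reads (not visible here, worth confirming). The inner hunks show only the first lines of each `open()` body; the remainder of those functions is outside this patch.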