Security fixes for CVE-2026-4786, CVE-2026-6100

Resolves: RHEL-167890, RHEL-168128
2026-04-17 05:32:56 +02:00 · 2026-04-17 05:32:56 +02:00 · e88de1ebb2
commit e88de1ebb2
parent ae979ed270
3 changed files with 138 additions and 1 deletions
--- a/00480-cve-2026-4786.patch
+++ b/00480-cve-2026-4786.patch
@ -0,0 +1,65 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stan Ulbrych <stan@python.org>
 Date: Mon, 13 Apr 2026 22:41:53 +0100
 Subject: 00480: CVE-2026-4786
 Fix webbrowser `%action` substitution bypass of dash-prefix check
 Backported from Python 3.10
 ---
 Lib/test/test_webbrowser.py                               | 8 ++++++++
 Lib/webbrowser.py                                         | 5 +++--
 .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst        | 2 ++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
 diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
 index ec4ba2f7ac..362572e312 100644
 --- a/Lib/test/test_webbrowser.py
 +++ b/Lib/test/test_webbrowser.py
@@ -93,6 +93,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
                    options=[],
                    arguments=[URL])
 +    def test_reject_action_dash_prefixes(self):
 +        browser = self.browser_class(name=CMD_NAME)
 +        with self.assertRaises(ValueError):
 +            browser.open('%action--incognito')
 +        # new=1: action is "--new-window", so "%action" itself expands to
 +        # a dash-prefixed flag even with no dash in the original URL.
 +        with self.assertRaises(ValueError):
 +            browser.open('%action', new=1)
 class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
 diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
 index f00f1a712a..9345f785e0 100755
 --- a/Lib/webbrowser.py
 +++ b/Lib/webbrowser.py
@@ -227,7 +227,6 @@ class UnixBrowser(BaseBrowser):
             return not p.wait()
     def open(self, url, new=0, autoraise=True):
 -        self._check_url(url)
         if new == 0:
             action = self.remote_action
         elif new == 1:
@@ -241,7 +240,9 @@ class UnixBrowser(BaseBrowser):
             raise Error("Bad 'new' parameter to open(); " +
                         "expected 0, 1, or 2, got %s" % new)
 -        args = [arg.replace("%s", url).replace("%action", action)
 +        self._check_url(url.replace("%action", action))
 +
 +        args = [arg.replace("%action", action).replace("%s", url)
                 for arg in self.remote_args]
         args = [arg for arg in args if arg]
         success = self._invoke(args, True, autoraise)
 diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
 new file mode 100644
 index 0000000000..45cdeebe1b
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
@@ -0,0 +1,2 @@
 +A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
 +the dash-prefix safety check.
--- a/00482-cve-2026-6100.patch
+++ b/00482-cve-2026-6100.patch
@ -0,0 +1,50 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stan Ulbrych <stan@python.org>
 Date: Mon, 13 Apr 2026 22:42:24 +0100
 Subject: 00482: CVE-2026-6100
 Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
 Backported from Python 3.10
 ---
 .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
 Modules/_bz2module.c                                         | 1 +
 Modules/_lzmamodule.c                                        | 1 +
 3 files changed, 7 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
 diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
 new file mode 100644
 index 0000000000..b095329bd9
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
@@ -0,0 +1,5 @@
 +Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
 +:class:`bz2.BZ2Decompressor`
 +when memory allocation fails with :exc:`MemoryError`, which could let a
 +subsequent :meth:`!decompress` call read or write through a stale pointer to
 +the already-released caller buffer.
 diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
 index fe06953ec4..394ed22540 100644
 --- a/Modules/_bz2module.c
 +++ b/Modules/_bz2module.c
@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
     return result;
 error:
 +    bzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }
 diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
 index 3d3645af92..0157dce83a 100644
 --- a/Modules/_lzmamodule.c
 +++ b/Modules/_lzmamodule.c
@@ -1053,6 +1053,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
     return result;
 error:
 +    lzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }
--- a/python3.spec
+++ b/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: Python
@ -1001,6 +1001,22 @@ Patch476: 00476-cve-2026-1299.patch
 # Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
 Patch478: 00478-cve-2026-4519.patch
 # 00480 # 2fdcb1ee7535bec67f807eb9a1ea1477cccbb86d
 # CVE-2026-4786
 #
 # Fix webbrowser `%%action` substitution bypass of dash-prefix check
 #
 # Backported from Python 3.10
 Patch480: 00480-cve-2026-4786.patch
 # 00482 # 51e25e8a804257b707e2021655037d07dcfa9cd6
 # CVE-2026-6100
 #
 # Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
 #
 # Backported from Python 3.10
 Patch482: 00482-cve-2026-6100.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1379,6 +1395,8 @@ GIT_DIR=$PWD git apply %{PATCH351}
 %patch475 -p1
 %patch476 -p1
 %patch478 -p1
 %patch480 -p1
 %patch482 -p1
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@ -2310,6 +2328,10 @@ fi
 # ======================================================
 %changelog
 * Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-76
 - Security fixes for CVE-2026-4786, CVE-2026-6100
 Resolves: RHEL-167890, RHEL-168128
 * Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-75
 - Security fix for CVE-2026-4519
 Resolves: RHEL-158077