import CS git python3-3.6.8-75.el8_10

SOURCES/00478-cve-2026-4519.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tomcruiseqi <tom33qi@gmail.com>
+Date: Wed, 25 Mar 2026 02:23:45 +0800
+Subject: 00478: CVE-2026-4519
+
+Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+---
+ Lib/test/test_webbrowser.py                        |  5 +++++
+ Lib/webbrowser.py                                  | 14 ++++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst |  1 +
+ 3 files changed, 20 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 7cbb8d0a29..ec4ba2f7ac 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -53,6 +53,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open(f"--key=val {URL}")
++
+ 
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 1a553f0e65..f00f1a712a 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -120,6 +120,12 @@ class BaseBrowser(object):
+     def open_new_tab(self, url):
+         return self.open(url, 2)
+ 
++    @staticmethod
++    def _check_url(url):
++        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++        if url and url.lstrip().startswith("-"):
++            raise ValueError(f"Invalid URL: {url}")
++
+ 
+ class GenericBrowser(BaseBrowser):
+     """Class for all browsers started with a command
+@@ -136,6 +142,7 @@ class GenericBrowser(BaseBrowser):
+         self.basename = os.path.basename(self.name)
+ 
+     def open(self, url, new=0, autoraise=True):
++        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -153,6 +160,7 @@ class BackgroundBrowser(GenericBrowser):
+        background."""
+ 
+     def open(self, url, new=0, autoraise=True):
++        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -219,6 +227,7 @@ class UnixBrowser(BaseBrowser):
+             return not p.wait()
+ 
+     def open(self, url, new=0, autoraise=True):
++        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -319,6 +328,7 @@ class Konqueror(BaseBrowser):
+     """
+ 
+     def open(self, url, new=0, autoraise=True):
++        self._check_url(url)
+         # XXX Currently I know no way to prevent KFM from opening a new win.
+         if new == 2:
+             action = "newTab"
+@@ -402,6 +412,7 @@ class Grail(BaseBrowser):
+         return 1
+ 
+     def open(self, url, new=0, autoraise=True):
++        self._check_url(url)
+         if new:
+             ok = self._remote("LOADNEW " + url)
+         else:
+@@ -508,6 +519,7 @@ if os.environ.get("TERM"):
+ if sys.platform[:3] == "win":
+     class WindowsDefault(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
++            self._check_url(url)
+             try:
+                 os.startfile(url)
+             except OSError:
+@@ -551,6 +563,7 @@ if sys.platform == 'darwin':
+             self.name = name
+ 
+         def open(self, url, new=0, autoraise=True):
++            self._check_url(url)
+             assert "'" not in url
+             # hack for local urls
+             if not ':' in url:
+@@ -588,6 +601,7 @@ if sys.platform == 'darwin':
+             self._name = name
+ 
+         def open(self, url, new=0, autoraise=True):
++            self._check_url(url)
+             if self._name == 'default':
+                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+             else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000000..0f27eae99a
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
++Reject leading dashes in URLs passed to :func:`webbrowser.open`

SPECS/python3.spec

@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 74%{?dist}
+Release: 75%{?dist}
 License: Python
 
 
@@ -992,6 +992,15 @@ Patch475: 00475-cve-2025-15367.patch
 # (cherry-picked from commit 45b2f8893c1b7ab3b3981a966f82e42beea82106)
 Patch476: 00476-cve-2026-1299.patch
 
+# 00478 #
+# CVE-2026-4519
+#
+# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
+#
+#
+# Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
+Patch478: 00478-cve-2026-4519.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1369,6 +1378,7 @@ GIT_DIR=$PWD git apply %{PATCH351}
 %patch474 -p1
 %patch475 -p1
 %patch476 -p1
+%patch478 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -2300,6 +2310,10 @@ fi
 # ======================================================
 
 %changelog
+* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-75
+- Security fix for CVE-2026-4519
+Resolves: RHEL-158077
+
 * Fri Mar 06 2026 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-74
 - Security fix for CVE-2025-0938
 Resolves: RHEL-153235