Security fix for CVE-2023-24329

Resolves: rhbz#2174013
2023-05-26 02:15:16 +02:00 · 2023-05-26 02:15:16 +02:00 · e7c9d4ecf1
commit e7c9d4ecf1
parent 7dc6fb6d8c
2 changed files with 240 additions and 1 deletions
--- a/python3.6.spec
+++ b/python3.6.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 15%{?dist}
+Release: 16%{?dist}
 # Python is Python
 # pip MIT is and bundles:
 #   appdirs: MIT
@ -609,6 +609,18 @@ Patch392: 00392-cve-2022-37454-fix-buffer-overflows-in-_sha3-module.patch
 # the behavior to linear.
 Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch

+# 00399 # dc0a803eea47d3b4f0657816b112b5a33491500f
+# CVE-2023-24329
+#
+# gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
+#
+# `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
+#
+# This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%%20any%%20leading%%20and%%20trailing%%20C0%%20control%%20or%%20space%%20from%%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
+#
+# Backported from Python 3.12
+Patch399: 00399-cve-2023-24329.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1858,6 +1870,10 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Fri May 26 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-16
+- Security fix for CVE-2023-24329
+- Resolves: rhbz#2174013
+
 * Mon Dec 19 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-15
 - Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
  Related: rhbz#2144072