diff --git a/SOURCES/CVE-2024-36039.patch b/SOURCES/CVE-2024-36039.patch
new file mode 100644
index 0000000..d4aef5e
--- /dev/null
+++ b/SOURCES/CVE-2024-36039.patch
@@ -0,0 +1,17 @@
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac75..dbf97ca 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
+
+
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+
+
+ def escape_sequence(val, charset, mapping=None):
diff --git a/SPECS/python3.11-PyMySQL.spec b/SPECS/python3.11-PyMySQL.spec
index cadb396..12340ee 100644
--- a/SPECS/python3.11-PyMySQL.spec
+++ b/SPECS/python3.11-PyMySQL.spec
@@ -5,13 +5,18 @@
 Name: python%{python3_pkgversion}-%{pypi_name}
 Version: 1.0.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Pure-Python MySQL client library
 License: MIT
 URL: https://pypi.python.org/pypi/%{pypi_name}/
 Source0: %pypi_source
+# Security fix for CVE-2024-36039: SQL injection if used with untrusted JSON input
+# Resolved upstream: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2282821
+Patch0: CVE-2024-36039.patch
+
 BuildArch: noarch
@@ -33,7 +38,7 @@ and Jython.
 %prep
-%setup -qn %{pypi_name}-%{version}
+%autosetup -n %{pypi_name}-%{version} -p1
 rm -rf %{pypi_name}.egg-info
 # Remove tests files so they are not installed globally.
 rm -rf tests
@@ -58,6 +63,10 @@ rm -rf tests
 %{python3_sitelib}/pymysql/
 %changelog
+* Fri May 31 2024 Charalampos Stratakis - 1.0.2-2
+- Security fix for CVE-2024-36039
+Resolves: RHEL-38365
+
 * Wed Nov 30 2022 Charalampos Stratakis - 1.0.2-1
 - Initial package
 - Fedora contributions by:
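Review bot: The new `escape_dict` body rejects every dict outright but says nothing about why, and the removed lines are the whole story: only the values went through `escape_item`, while `n[k] = quoted` copied each key verbatim, so a key taken from untrusted JSON reached the rendered SQL unescaped. With `val`, `charset` and `mapping` now unused, a future maintainer may be tempted to "restore" the old loop; one docstring line makes the intent durable: `"""Dicts are rejected as parameters: escaping only the values left keys unescaped (CVE-2024-36039)."""`. Whether top-level dict arguments (`%(name)s` placeholders) still work depends on the caller in cursors.py and on the `encoders` table that routes `dict` here, both outside this patch, so confirm that path with a quick `cursor.execute("SELECT %(a)s", {"a": 1})` before shipping.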
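Review bot: Nothing in the build verifies that the backported hunk still applies and takes effect on 1.0.2: its offsets come from a newer upstream tree (so `%autosetup -p1` may only fuzz it in), and the `rm -rf tests` right after it discards the upstream test suite. A one-liner in `%check` (add the section if the spec has none; it is outside this hunk) pins the fix without needing a MySQL server: `%{python3} -c 'import unittest, pymysql.converters as c; unittest.TestCase().assertRaises(TypeError, c.escape_dict, {"k": 1}, "utf8")'`. The `-p1` strip level matches the `a/`/`b/` prefixes inside the patch, and `%autosetup` stays quiet unless `-v` is given, so dropping `-q` should change nothing.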