diff --git a/SOURCES/CVE-2024-36039.patch b/SOURCES/CVE-2024-36039.patch
new file mode 100644
index 0000000..d4aef5e
--- /dev/null
+++ b/SOURCES/CVE-2024-36039.patch
@@ -0,0 +1,17 @@
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac75..dbf97ca 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
+ 
+ 
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+ 
+ 
+ def escape_sequence(val, charset, mapping=None):
diff --git a/SPECS/python3.12-PyMySQL.spec b/SPECS/python3.12-PyMySQL.spec
index af73781..6bb9806 100644
--- a/SPECS/python3.12-PyMySQL.spec
+++ b/SPECS/python3.12-PyMySQL.spec
@@ -5,7 +5,7 @@ Name: python%{python3_pkgversion}-%{pypi_name}
 Version: 1.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Pure-Python MySQL client library
 License: MIT
@@ -13,6 +13,11 @@ URL: https://pypi.python.org/pypi/%{pypi_name}/
 Source0: %pypi_source
 Source1: setup.py
+# Security fix for CVE-2024-36039: SQL injection if used with untrusted JSON input
+# Resolved upstream: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2282821
+Patch0: CVE-2024-36039.patch
+
 BuildArch: noarch
 BuildRequires: python%{python3_pkgversion}-devel
@@ -35,7 +40,7 @@ and Jython.
 %prep
-%setup -qn %{pypi_name}-%{version}
+%autosetup -n %{pypi_name}-%{version} -p1
 rm -rf %{pypi_name}.egg-info
 # Remove tests files so they are not installed globally.
 rm -rf tests
@@ -62,6 +67,10 @@ cp %{SOURCE1} .
 %{python3_sitelib}/pymysql/
 %changelog
+* Fri May 31 2024 Charalampos Stratakis - 1.1.0-3
+- Security fix for CVE-2024-36039 Resolves: RHEL-38371
+
 * Thu Mar 28 2024 MSVSphere Packaging Team - 1.1.0-2
 - Rebuilt for MSVSphere 9.4 beta
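Review bot: The removed body and the new `raise TypeError("dict can not be used as parameter")` line appear here with a single space after the `-`/`+` marker where the Python body needs four; if the stored SOURCES/CVE-2024-36039.patch really lost that whitespace, the context lines of the `@@ -27,11 +27,7 @@` hunk will not match and `%autosetup -p1` will abort the build, so run an apply dry-run against the unpacked 1.1.0 tarball before pushing. The fix is a behaviour change rather than an escaping change: any dict that reaches escape_dict now raises at escape time instead of being converted, which is the upstream remedy but is not stated anywhere in this patch; a leading comment such as `# CVE-2024-36039: dict values are rejected outright because keys were never escaped` in the patch header would make the intent clear to the next rebase. The nested file's escape_item and escape_sequence definitions begin and end outside the hunk.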
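Review bot: Nothing in the build exercises the backported fix: %prep still runs `rm -rf tests` and no %check section appears in these hunks, so a patch that applied but did not take effect, or a future rebase that silently drops it, would go unnoticed until runtime. A minimal %check that imports the installed module and asserts escape_dict now raises needs no upstream test files; a sketch follows. The `-p1` on %autosetup matches the `a/pymysql/...` prefix inside the patch, and the changelog entry could additionally say that dict values passed as query parameters now raise TypeError, since that is the user-visible effect of the change.
```rpmspec
%check
# Constructed sanity check: the CVE-2024-36039 backport must make escape_dict reject dicts.
PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -c '
import pymysql.converters as c
try:
    c.escape_dict({"k": "v"}, "utf8")
except TypeError:
    pass
else:
    raise SystemExit("escape_dict still accepts dict; CVE-2024-36039 patch not effective")
'
```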