From ce459faaa73bd96a320eedc18c417b68c72242b4 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 3 Jul 2024 03:19:59 +0300 Subject: [PATCH] import python3.12-PyMySQL-1.1.0-3.el8_10 --- .gitignore | 1 + .python3.12-PyMySQL.metadata | 1 + SOURCES/CVE-2024-36039.patch | 17 +++++++ SOURCES/setup.py | 6 +++ SPECS/python3.12-PyMySQL.spec | 89 +++++++++++++++++++++++++++++++++++ 5 files changed, 114 insertions(+) create mode 100644 .gitignore create mode 100644 .python3.12-PyMySQL.metadata create mode 100644 SOURCES/CVE-2024-36039.patch create mode 100644 SOURCES/setup.py create mode 100644 SPECS/python3.12-PyMySQL.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cac64ba --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/PyMySQL-1.1.0.tar.gz diff --git a/.python3.12-PyMySQL.metadata b/.python3.12-PyMySQL.metadata new file mode 100644 index 0000000..7365292 --- /dev/null +++ b/.python3.12-PyMySQL.metadata @@ -0,0 +1 @@ +6d1caef3b6f1b699816a578a1033d98a436627a9 SOURCES/PyMySQL-1.1.0.tar.gz diff --git a/SOURCES/CVE-2024-36039.patch b/SOURCES/CVE-2024-36039.patch new file mode 100644 index 0000000..d4aef5e --- /dev/null +++ b/SOURCES/CVE-2024-36039.patch @@ -0,0 +1,17 @@ +diff --git a/pymysql/converters.py b/pymysql/converters.py +index 1adac75..dbf97ca 100644 +--- a/pymysql/converters.py ++++ b/pymysql/converters.py +@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None): + + + def escape_dict(val, charset, mapping=None): +- n = {} +- for k, v in val.items(): +- quoted = escape_item(v, charset, mapping) +- n[k] = quoted +- return n ++ raise TypeError("dict can not be used as parameter") + + + def escape_sequence(val, charset, mapping=None): diff --git a/SOURCES/setup.py b/SOURCES/setup.py new file mode 100644 index 0000000..fa61477 --- /dev/null +++ b/SOURCES/setup.py @@ -0,0 +1,6 @@ +# We need this for the build to work, but everything will be done +# by setuptools from pyproject.toml + +from setuptools import setup + +setup() diff --git a/SPECS/python3.12-PyMySQL.spec b/SPECS/python3.12-PyMySQL.spec new file mode 100644 index 0000000..9f2bc5b --- /dev/null +++ b/SPECS/python3.12-PyMySQL.spec @@ -0,0 +1,89 @@ +%global __python3 /usr/bin/python3.12 +%global python3_pkgversion 3.12 + +%global pypi_name PyMySQL + +Name: python%{python3_pkgversion}-%{pypi_name} +Version: 1.1.0 +Release: 3%{?dist} +Summary: Pure-Python MySQL client library + +License: MIT +URL: https://pypi.python.org/pypi/%{pypi_name}/ +Source0: %pypi_source +Source1: setup.py + +# Security fix for CVE-2024-36039: SQL injection if used with untrusted JSON input +# Resolved upstream: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c +# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2282821 +Patch0: CVE-2024-36039.patch + +BuildArch: noarch + +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-rpm-macros +BuildRequires: python%{python3_pkgversion}-setuptools +# rsa extra +BuildRequires: python%{python3_pkgversion}-cryptography +%if ! 0%{?rhel} +# ed25519 extra +BuildRequires: python%{python3_pkgversion}-pynacl +%endif + +%description +This package contains a pure-Python MySQL client library. The goal of PyMySQL is +to be a drop-in replacement for MySQLdb and work on CPython, PyPy, IronPython +and Jython. + + +%{?python_extras_subpkg:%python_extras_subpkg -n python%{python3_pkgversion}-%{pypi_name} -i %{python3_sitelib}/*.egg-info rsa %{?!rhel:ed25519}} + + +%prep +%autosetup -n %{pypi_name}-%{version} -p1 +rm -rf %{pypi_name}.egg-info +# Remove tests files so they are not installed globally. +rm -rf tests +cp %{SOURCE1} . + + +%build +%py3_build + + +%install +%py3_install + + +%check +# Tests cannot be launch on koji, they require a mysqldb running. +%py3_check_import pymysql + + +%files -n python%{python3_pkgversion}-%{pypi_name} +%license LICENSE +%doc README.md +%{python3_sitelib}/%{pypi_name}-%{version}-py%{python3_version}.egg-info/ +%{python3_sitelib}/pymysql/ + +%changelog +* Fri May 31 2024 Charalampos Stratakis - 1.1.0-3 +- Security fix for CVE-2024-36039 +Resolves: RHEL-38366 + +* Tue Jan 23 2024 Miro Hrončok - 1.1.0-2 +- Rebuilt for timestamp .pyc invalidation mode + +* Mon Oct 16 2023 Tomáš Hrnčiar - 1.1.0-4 +- Initial package +- Fedora contributions by: + Benjamin A. Beasley + Carl George + Damien Ciabrini + Haikel Guemar + Iryna Shcherbina + Itamar Reis Peixoto + Julien Enselme + Lumir Balhar + Miro Hrončok + Yaakov Selkowitz