From dc9c819ed882616d6570063fc21061265c3a3ce5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 15 Nov 2024 10:48:45 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 python-PyMySQL revision 31b30d614ef9d0a834002db6263584db
---
.gitattributes | 23 ++++
CVE-2024-36039.patch | 40 ++++++
PyMySQL-1.0.3.tar.gz | 3 +
python-PyMySQL.changes | 291 +++++++++++++++++++++++++++++++++++++++++
python-PyMySQL.spec | 116 ++++++++++++++++
5 files changed, 473 insertions(+)
create mode 100644 .gitattributes
create mode 100644 CVE-2024-36039.patch
create mode 100644 PyMySQL-1.0.3.tar.gz
create mode 100644 python-PyMySQL.changes
create mode 100644 python-PyMySQL.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/CVE-2024-36039.patch b/CVE-2024-36039.patch
new file mode 100644
index 0000000..7e3ce6b
--- /dev/null
+++ b/CVE-2024-36039.patch
@@ -0,0 +1,40 @@
+Index: PyMySQL-1.0.3/pymysql/converters.py
+===================================================================
+--- PyMySQL-1.0.3.orig/pymysql/converters.py
++++ PyMySQL-1.0.3/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=No
+
+
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+
+
+ def escape_sequence(val, charset, mapping=None):
+Index: PyMySQL-1.0.3/pymysql/tests/test_connection.py
+===================================================================
+--- PyMySQL-1.0.3.orig/pymysql/tests/test_connection.py
++++ PyMySQL-1.0.3/pymysql/tests/test_connection.py
+@@ -790,13 +790,16 @@ class TestEscape(base.PyMySQLTestCase):
+
+ self.assertRaises(TypeError, con.escape, 42, {})
+
+- def test_escape_dict_value(self):
++ def test_escape_dict_raise_typeerror(self):
++ """con.escape(dict) should raise TypeError"""
+ con = self.connect()
+ cur = con.cursor()
+
+ mapping = con.encoders.copy()
+ mapping[Foo] = escape_foo
+- self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
++ # self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
++ with self.assertRaises(TypeError):
++ con.escape({"foo": Foo()})
+
+ def test_escape_list_item(self):
+ con = self.connect()
diff --git a/PyMySQL-1.0.3.tar.gz b/PyMySQL-1.0.3.tar.gz
new file mode 100644
index 0000000..c7a2805
--- /dev/null
+++ b/PyMySQL-1.0.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f2c51a64b59b169f8ee35f539cc7b2df5a89a042cac7d29d1ddd42c670700b06
+size 85371
diff --git a/python-PyMySQL.changes b/python-PyMySQL.changes
new file mode 100644
index 0000000..c96000f
--- /dev/null
+++ b/python-PyMySQL.changes
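Review bot: In `test_escape_dict_raise_typeerror` (the test_connection.py part of CVE-2024-36039.patch) the new assertion accepts any `TypeError`, and the context line just above it, `self.assertRaises(TypeError, con.escape, 42, {})`, shows that `con.escape` can raise `TypeError` for reasons unrelated to dicts; pinning the message with `with self.assertRaisesRegex(TypeError, "dict can not be used as parameter"):` would tie the test to the new guard in `escape_dict`. The test also still builds `cur` and `mapping` without using them and keeps the old assertion as a commented-out line, both of which can be dropped. In converters.py a one-line comment above the `raise`, such as `# dict keys were never escaped, so dicts are rejected outright (CVE-2024-36039)`, would tell maintainers why the function survives only as a stub. `TestEscape` starts before this hunk and `test_escape_list_item` continues past it.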
@@ -0,0 +1,291 @@
+-------------------------------------------------------------------
+Mon Jun 17 11:36:25 UTC 2024 - Daniel Garcia
+
+- Add CVE-2024-36039.patch, forbid dict parameter
+ (bsc#1225070, gh#PyMySQL/PyMySQL@521e40050cb3)
+
+-------------------------------------------------------------------
+Wed May 3 08:35:39 UTC 2023 - Dirk Müller
+
+- update to 1.0.3:
+ * Dropped support of end of life MySQL version 5.6
+ * Dropped support of end of life MariaDB versions below 10.3
+ * Dropped support of end of life Python version 3.6
+
+-------------------------------------------------------------------
+Thu Oct 13 06:38:41 UTC 2022 - Steve Kowalik
+
+- Skip a test that is failing due to character set fun and games.
+
+-------------------------------------------------------------------
+Wed Jul 28 13:51:39 UTC 2021 - Matej Cepl
+
+- Fix databases.json used for tests.
+
+-------------------------------------------------------------------
+Thu Apr 22 20:03:03 UTC 2021 - Dirk Müller
+
+- update to 1.0.2:
+ * Fix `user`, `password`, `host`, `database` are still positional arguments.
+ All arguments of `connect()` are now keyword-only. (#941)
+ * Stop emitting DeprecationWarning for use of ``db`` and ``passwd``.
+ Note that they are still deprecated. (#939)
+ * Add ``python_requires=">=3.6"`` to setup.py. (#936)
+ * Python 2.7 and 3.5 are not supported.
+ * ``connect()`` uses keyword-only arguments. User must use keyword argument.
+ * ``connect()`` kwargs ``db`` and ``passwd`` are now deprecated; Use ``database`` and ``password`` instead.
+ * old_password authentication method (used by MySQL older than 4.1) is not supported.
+ * MySQL 5.5 and MariaDB 5.5 are not officially supported, although it may still works.
+ * Removed ``escape_dict``, ``escape_sequence``, and ``escape_string`` from ``pymysql``
+ module. They are still in ``pymysql.converters``.
+ * Connection supports context manager API. ``__exit__`` closes the connection. (#886)
+ * Add MySQL Connector/Python compatible TLS options (#903)
+ * Major code cleanup; PyMySQL now uses black and flake8.
+
+-------------------------------------------------------------------
+Thu Nov 26 09:10:16 UTC 2020 - Dirk Mueller
+
+- udpate to 0.10.1:
+ * Fix missing import of ProgrammingError. (#878)
+ * Fix auth switch request handling. (#890)
+
+-------------------------------------------------------------------
+Wed Sep 23 13:18:38 UTC 2020 - Hans-Peter Jansen
+
+- disable testing for Leaps
+ mariadb-rpm-macros not available or not sufficient
+
+-------------------------------------------------------------------
+Wed Sep 16 11:01:32 UTC 2020 - Dirk Mueller
+
+- update to 0.10.0:
+ * MariaDB ed25519 auth is supported.
+ * Python 3.4 support is dropped.
+ * Context manager interface is removed from `Connection`. It will be added
+ with different meaning.
+ * MySQL warnings are not shown by default because many user report issue to
+ PyMySQL issue tracker when they see warning. You need to call "SHOW WARNINGS"
+ explicitly when you want to see warnings.
+ * Formatting of float object is changed from "3.14" to "3.14e0".
+ * Use cp1252 codec for latin1 charset.
+ * Fix decimal literal.
+ * TRUNCATED_WRONG_VALUE_FOR_FIELD, and ILLEGAL_VALUE_FOR_TYPE are now
+ DataError instead of InternalError.
+- remove python-PyMySQL-no-unittest2.patch (upstream)
+
+-------------------------------------------------------------------
+Thu Jun 4 09:21:14 UTC 2020 - pgajdos@suse.com
+
+- test package with mariadb
+- added patches
+ https://github.com/PyMySQL/PyMySQL/commit/a500fcd64d4500417540a2a2ff7b16a88d1872ad
+ + python-PyMySQL-no-unittest2.patch
+
+-------------------------------------------------------------------
+Wed Mar 6 09:11:17 UTC 2019 - Tomáš Chvátal
+
+- Update to 0.9.3:
+ * cryptography dependency is optional now.
+ * Fix old_password (used before MySQL 4.1) support.
+ * Deprecate old_password.
+ * Stop sending ``sys.argv[0]`` for connection attribute "program_name".
+ * Close connection when unknown error is happened.
+ * Deprecate context manager API of Connection object.
+ * Disalbled unintentinally enabled debug log
+ * Removed unintentionally installed tests
+ * Fixed caching_sha2_password and sha256_password raise TypeError on PY2
+ (#700, #702)
+ * Change default charset from latin1 to utf8mb4. (because MySQL 8 changed) (#692)
+ * Support sha256_password and caching_sha2_password auth method (#682)
+ * Add cryptography dependency, because it's needed for new auth methods.
+ * Remove deprecated `no_delay` option (#694)
+ * Support connection attributes (#679)
+ * Map LOCK_DEADLOCK to OperationalError (#693)
+
+-------------------------------------------------------------------
+Thu May 24 11:14:30 UTC 2018 - tchvatal@suse.com
+
+- Drop not really needed python-devel dependency
+
+-------------------------------------------------------------------
+Thu May 24 09:48:52 CEST 2018 - kukuk@suse.de
+
+- use %license instead of %doc [bsc#1082318]
+- update to latest version to solve MySQLdb interface problems with
+ salt-2018
+- update to 0.8.1
+* Reduce `cursor.callproc()` roundtrip time. (#636)
+* Fixed `cursor.query()` is hunged after multi statement failed. (#647)
+* WRONG_DB_NAME and WRONG_COLUMN_NAME is ProgrammingError for now. (#629)
+* Many test suite improvements, especially adding MySQL 8.0 and using Docker.
+* Droppped support for old Python and MySQL whih is not tested long time.
+- update to 0.8
+* **BACKWARD INCOMPATIBLE** ``binary_prefix`` option is added and off
+ by default because of compatibility with mysqlclient.
+ When you need PyMySQL 0.7 behavior, you have to pass ``binary_prefix=True``.
+ (#549)
+* **BACKWARD INCOMPATIBLE** ``MULTI_STATEMENTS`` client flag is no longer
+ set by default, while it was on PyMySQL 0.7. You need to pass
+ ``client_flag=CLIENT.MULTI_STATEMENTS`` when you connect to explicitly
+ enable multi-statement mode. (#590)
+* Fixed AuthSwitch packet handling.
+* Raise OperationalError for MariaDB's constraint error. (#607)
+* executemany() accepts query without space between ``VALUES`` and ``(``. (#597)
+* Support config file containing option without value. (#588)
+* Fixed Connection.ping() returned unintended value.
+
+-------------------------------------------------------------------
+Wed Aug 16 01:36:37 UTC 2017 - toddrme2178@gmail.com
+
+- Implement single-spec version
+- update to 0.7.11
+ * Fixed Connection.close() failed when failed to send COM_CLOSE packet.
+ * Cursor.executemany() accepts query ends with semicolon.
+ * ssl parameters can be read from my.cnf.
+- update to 0.7.10
+ * **SECURITY FIX**: Raise RuntimeError when received LOAD_LOCAL packet while
+ ``loacal_infile=False``. (Thanks to Bryan Helmig)
+ * Raise SERVER_LOST error for MariaDB's shutdown packet (#540)
+ * Change default connect_timeout to 10.
+ * Add bind_address option (#529)
+- update to 0.7.9
+ * Fix PyMySQL stop reading rows when first column is empty string (#513)
+ Reverts DEPRECATE_EOF introduced in 0.7.7.
+- update to 0.7.8
+ * Revert error message change in 0.7.7.
+ (SQLAlchemy parses error message, #507)
+- update to 0.7.7
+ * Add new unicode collation (#498)
+ * Fix conv option is not used for encoding objects.
+ * Experimental support for DEPRECATE_EOF protocol.
+
+-------------------------------------------------------------------
+Tue Nov 15 10:30:55 UTC 2016 - dmueller@suse.com
+
+- update to 0.7.6:
+ * Fix SELECT JSON type cause UnicodeError
+ * Avoid float convertion while parsing microseconds
+ * Warning has number
+ * SSCursor supports warnings
+ * Fix exception raised while importing when getpwuid() fails (#472)
+ * SSCursor supports LOAD DATA LOCAL INFILE (#473)
+ * Fix encoding error happen for JSON type (#477)
+ * Fix test fail on Python 2.7 and MySQL 5.7 (#478)
+
+-------------------------------------------------------------------
+Fri Jun 3 16:35:20 UTC 2016 - tbechtold@suse.com
+
+- update to 0.7.4:
+ * Fix AttributeError may happen while Connection.__del__ (#463)
+ * Fix SyntaxError in test_cursor. (#464)
+ * frozenset support for query value. (#461)
+ * Start using readthedocs.io
+ * Add read_timeout and write_timeout option.
+ * Support serialization customization by `conv` option.
+ * Unknown type is converted by `str()`, for MySQLdb compatibility.
+ * Support '%%' in `Cursor.executemany()`
+ * Support REPLACE statement in `Cursor.executemany()`
+ * Fix handling incomplete row caused by 'SHOW SLAVE HOSTS'.
+ * Fix decode error when use_unicode=False on PY3
+ * Fix port option in my.cnf file is ignored.
+
+-------------------------------------------------------------------
+Thu Mar 24 19:17:05 UTC 2016 - toddrme2178@gmail.com
+
+- Add license and docs
+
+-------------------------------------------------------------------
+Thu Mar 24 19:12:11 UTC 2016 - toddrme2178@gmail.com
+
+- Update to 0.7.2
+ * Fix misuse of `max_allowed_packet` parameter. (#426, #407 and #397)
+ * Add %(name)s plceholder support to `Cursor.executemany()`. (#427, thanks to
+ @WorldException)
+- Update to 0.7.1
+ * Fix auth fail with MySQL 5.1
+ * Fix escaping unicode fails on Python 2
+- Update to 0.7
+ * Faster binary escaping
+ * Add `"_binary" prefix` to string literal for binary types.
+ binary types are: `bytearray` on Python 2, `bytes` and `bytearray` on Python 3.
+ This is because recent MySQL show warnings when string literal is invalid for
+ connection encoding.
+ * `pymysql.Binary()` returns `bytearray` on Python 2. This is required to distinguish
+ binary and string.
+ * Auth plugin support.
+ * no_delay option is ignored. It will be removed in PyMySQL 0.8.
+- Update to 0.6.7
+ * Allow self signed certificate
+ * Add max_allowed_packet option
+ * Fix error when bytes in executemany
+ * Support geometry type
+ * Add coveralls badge to README
+ * Fix some bugs relating to warnings
+ * Add Cursor.mogrify() method
+ * no_delay option is deprecated and True by default
+ * Fix options from my.cnf overrides options from arguments
+ * Allow socket like object. (It's not feature for end users)
+ * Strip quotes while reading options from my.cnf file
+ * Fix encoding issue in executemany()
+
+-------------------------------------------------------------------
+Mon May 11 16:53:18 UTC 2015 - benoit.monin@gmx.fr
+
+- update to version 0.6.6:
+ Add context manager to cursor
+ * Fix can't encode blob that is not utf-8 on PY3. (regression of
+ 0.6.4, Thanks to @wiggzz)
+- additional changes from version 0.6.4
+ * Support "LOAD LOCAL INFILE". Thanks @wraziens
+ * Show MySQL warnings after execute query.
+ * Fix MySQLError may be wrapped with OperationalError while
+ connectiong. (#274)
+ * SSCursor no longer attempts to expire un-collected rows within
+ __del__, delaying termination of an interrupted program;
+ cleanup of uncollected rows is left to the Connection on next
+ execute, which emits a warning at that time. (#287)
+ * Support datetime and time with microsecond. (#303)
+ * Use surrogateescape to format bytes on Python 3.
+ * OperationalError raised from connect() have information about
+ original exception. (#304)
+ * `init_command` now support multi statement.
+ * `Connection.escape()` method now accepts second argument
+ compatible to MySQL-Python.
+- additional changes from version 0.6.3
+ * Fixed multiple result sets with SSCursor.
+ * Fixed connection timeout.
+ * Fixed literal set syntax to work on Py2.6.
+ * Allow for mysql negative values with 0 hour timedelta.
+ * Added Connection.begin().
+- additional changes from version 0.6.2
+ * Fixed old password on Python 3.
+ * Added support for bulk insert in Cursor.executemany().
+ * Added support for microseconds in datetimes and dates before
+ 1900.
+ * Several other bug fixes.
+- additional changes from version 0.6.1
+ * Added cursor._last_executed for MySQLdb compatibility
+ * Cursor.fetchall() and .fetchmany now return list, not tuple
+ * Allow "length of auth-plugin-data" = 0
+ * Cursor.connection references connection object without weakref
+- remove unwanted shebang of python files in test_MySQLdb
+
+-------------------------------------------------------------------
+Wed Oct 9 12:32:51 UTC 2013 - dmueller@suse.com
+
+- update to 0.6:
+ -Improved Py3k support
+ -Improved PyPy support
+ -Added IPv6 support
+ -Added Thing2Literal for Django/MySQLdb compatibility
+ -Removed errorhandler
+ -Fixed GC errors
+ -Improved test suite
+ -Many bug fixes
+ -Many performance improvements
+
+-------------------------------------------------------------------
+Mon Jul 22 08:11:38 UTC 2013 - speilicke@suse.com
+
+- Initial version
+
diff --git a/python-PyMySQL.spec b/python-PyMySQL.spec
new file mode 100644
index 0000000..2dbc6af
--- /dev/null
+++ b/python-PyMySQL.spec
@@ -0,0 +1,116 @@
+#
+# spec file for package python-PyMySQL
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# mariadb-rpm-macros is either not available or not sufficient for Leaps
+%if 0%{?suse_version} > 1500
+%bcond_without tests
+%else
+%bcond_with tests
+%endif
+
+%{?!python_module:%define python_module() python-%{**} python3-%{**}}
+%global skip_python2 1
+Name: python-PyMySQL
+Version: 1.0.3
+Release: 0
+Summary: Pure Python MySQL Driver
+License: MIT
+Group: Development/Languages/Python
+URL: https://github.com/PyMySQL/PyMySQL/
+Source: https://github.com/PyMySQL/PyMySQL/archive/v%{version}.tar.gz#/PyMySQL-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2024-36039.patch gh#PyMySQL/PyMySQL@521e40050cb3
+Patch1: CVE-2024-36039.patch
+BuildRequires: %{python_module base >= 3.7}
+BuildRequires: %{python_module cryptography}
+BuildRequires: %{python_module pip}
+BuildRequires: %{python_module pytest}
+BuildRequires: %{python_module wheel}
+%if %{with tests}
+BuildRequires: mariadb-rpm-macros
+%endif
+# will be removed with next release
+BuildRequires: fdupes
+BuildRequires: python-rpm-macros
+Requires: python-cryptography
+BuildArch: noarch
+%python_subpackages
+
+%description
+This package contains a pure-Python MySQL client library. Documentation on the
+MySQL client/server protocol can be found here:
+http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol
+
+The goal of pymysql is to be a drop-in replacement for MySQLdb and work on
+CPython 2.3+, Jython, IronPython, PyPy and Python 3. We test for compatibility
+by simply changing the import statements in the Django MySQL backend and running
+its unit tests as well as running it against the MySQLdb and myconnpy unit tests.
+
+%prep
+%setup -q -n PyMySQL-%{version}
+%patch -P 1 -p 1
+# remove unwanted shebang
+sed -i '1 { /^#!/ d }' pymysql/tests/thirdparty/test_MySQLdb/*.py
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%if %{with tests}
+%check
+exit_code=0
+dbuser='db_user'
+dbuserpw='db_user_secret'
+dbname1='test1'
+dbname2='test2'
+# Needs mysql server
+#%%python_expand PYTHONPATH=%{buildroot}%{$python_sitelib} py.test-%{$python_bin_suffix} -v
+cconf=abuild-myclient.cnf
+#
+# start the mariadb server
+#
+%mysql_testserver_start -u $dbuser -p $dbuserpw -d $dbname1:$dbname2 -t 3306
+#
+# creating client config, see base.py
+#
+cat << EOF > pymysql/tests/databases.json
+[{"host":"localhost","user":"$dbuser","passwd":"$dbuserpw",
+ "database":"$dbname1", "use_unicode": true, "local_infile": true},
+ {"host":"localhost","user":"$dbuser","passwd":"$dbuserpw","database":"$dbname2"}]
+EOF
+#
+# running the test
+#
+export USER="$dbuser"
+export PASSWORD="$dbuserpw"
+%pytest pymysql/tests -k 'not test_stored_procedures' || exit_code=1
+#
+# stopping mariadb
+#
+%mysql_testserver_stop
+exit $exit_code
+%endif
+
+%files %{python_files}
+%license LICENSE
+%doc CHANGELOG.md README.md
+%{python_sitelib}/*
+
+%changelog
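Review bot: The whole `%check` section sits inside `%if %{with tests}`, and the header selects `%bcond_with tests` (tests off by default) whenever `suse_version` is not above 1500, so on those targets nothing exercises the CVE-2024-36039 change that `Patch1` applies. The regression test shipped in that patch calls `self.connect()`, so it needs the MariaDB test server and cannot run there either. I would record this next to the existing Leap comment, e.g. `# NOTE: with tests disabled the CVE-2024-36039 regression test does not run on this target`, and consider a database-free check of `pymysql.converters.escape_dict` that runs unconditionally. Separately, `cconf=abuild-myclient.cnf` is assigned but not used in the lines shown, and `%description` still advertises "CPython 2.3+" while the build requires `base >= 3.7`.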