- Add CVE-2022-0391-urllib_parse-newline-parsing.patch

(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs containing ASCII newline and tabs in urlparse. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=312
2022-02-09 16:52:05 +00:00
parent 430843dcc5
commit e29abdcb89
3 changed files with 181 additions and 0 deletions
--- a/python-base.spec
+++ b/python-base.spec
@@ -125,6 +125,10 @@ Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
 # Make ftplib not trust the PASV response. (gh#python/cpython#24838)
 Patch68:        CVE-2021-4189-ftplib-trust-PASV-resp.patch
+# PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com
+# whole long discussion is on bpo#43882
+# fix for santization URLs containing ASCII newline and tabs in urllib.parse
+Patch69:        CVE-2022-0391-urllib_parse-newline-parsing.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -260,6 +264,7 @@ other applications.
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
+%patch69 -p1

 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar