diff --git a/CVE-2024-36039.patch b/CVE-2024-36039.patch
new file mode 100644
index 0000000000000000000000000000000000000000..381ae9db26de97784fb5ecc4214d871b358c1862
--- /dev/null
+++ b/CVE-2024-36039.patch
@@ -0,0 +1,28 @@
+From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001
+From: Inada Naoki
+Date: Sat, 18 May 2024 11:33:30 +0900
+Subject: [PATCH] forbid dict parameter
+
+Origin: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
+
+---
+ pymysql/converters.py | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac752..dbf97ca7 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -28,11 +28,7 @@ def escape_item(val, charset, mapping=None):
+ return val
+
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+
+ def escape_sequence(val, charset, mapping=None):
+ n = []
diff --git a/python-PyMySQL.spec b/python-PyMySQL.spec
index 510d405862446d1ae0de4e1d5db6b00f049ff5d7..f389d897909ab1474fb7cdf988fa3bf79577c615 100644
--- a/python-PyMySQL.spec
+++ b/python-PyMySQL.spec
@@ -1,10 +1,11 @@
 Name: python-PyMySQL
 Version: 0.9.3
-Release: 3
+Release: 4
 Summary: Pure Python MySQL Client
 License: MIT
 URL: https://pypi.python.org/pypi/PyMySQL/
 Source0: https://files.pythonhosted.org/packages/source/P/PyMySQL/PyMySQL-%{version}.tar.gz
+Patch0: CVE-2024-36039.patch
 BuildRequires: python3-cryptography python3-devel python3-setuptools
@@ -40,6 +41,9 @@ Most public APIs are compatible with mysqlclient and MySQLdb.
 %changelog
+* Fri May 24 2024 wangkai <13474090681@163.com> - 0.9.3-4
+- Fix CVE-2024-36039
+
 * Wed Aug 25 2021 OpenStack_SIG - 0.9.3-3
 - Revert the version to 0.9.3, because python3-aiomysql depends on the python-PyMySQL vertion ranging form 0.9 to 0.9.3
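Review bot: The new body of `escape_dict` raises unconditionally but leaves no record of why, so a maintainer comparing it with the removed loop cannot see that the old code copied each key `k` into the result without passing it through `escape_item` — only the values `v` were escaped — which is the defect CVE-2024-36039 refers to. A one-line comment above the raise, `# dict keys were copied into the result unescaped (CVE-2024-36039); reject dicts outright`, would preserve that reasoning in the backport. The embedded `index 1adac752..dbf97ca7` header appears to come from a newer upstream tree than 0.9.3, so the hunk will likely apply at a line offset; confirm in the build log that it applied rather than being skipped. Callers on this branch that passed a dict as a parameter value now get a TypeError where they previously got a result, and the changelog entry should say so.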
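Review bot: `Patch0: CVE-2024-36039.patch` is declared, but the `%prep` section that must apply it lies outside this hunk, and a `Patch0:` tag alone does nothing unless `%prep` uses `%autosetup -p1`, `%autopatch`, or an explicit `%patch0 -p1`. If it does not, the build still succeeds, the changelog claims the fix, and the shipped package is unchanged, so please confirm the patch is applied (the embedded paths are `a/pymysql/converters.py`, hence strip level 1) and that the build log shows the hunk applied. If the package has a `%check` section, running the upstream test suite there would also catch a silently unapplied patch.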