diff --git a/CVE-2024-36039.patch b/CVE-2024-36039.patch new file mode 100644 index 0000000000000000000000000000000000000000..09adc27bf6c9f364aaa441ba674585a68c1bd390 --- /dev/null +++ b/CVE-2024-36039.patch @@ -0,0 +1,29 @@ +From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001 +From: Inada Naoki +Date: Sat, 18 May 2024 11:33:30 +0900 +Subject: [PATCH] forbid dict parameter + +Origin: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c + +--- + pymysql/converters.py | 6 +----- + pymysql/tests/test_connection.py | 7 +++++-- + 2 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/pymysql/converters.py b/pymysql/converters.py +index 1adac752..dbf97ca7 100644 +--- a/pymysql/converters.py ++++ b/pymysql/converters.py +@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None): + + + def escape_dict(val, charset, mapping=None): +- n = {} +- for k, v in val.items(): +- quoted = escape_item(v, charset, mapping) +- n[k] = quoted +- return n ++ raise TypeError("dict can not be used as parameter") + + + def escape_sequence(val, charset, mapping=None): diff --git a/python-PyMySQL.spec b/python-PyMySQL.spec index 87f655364df942a5530b799c3443266172ebd0f6..e476091175e095bf7ea8e90692ed082168e3e7f5 100644 --- a/python-PyMySQL.spec +++ b/python-PyMySQL.spec @@ -1,11 +1,12 @@ %global _empty_manifest_terminate_build 0 Name: python-PyMySQL Version: 1.1.0 -Release: 1 +Release: 2 Summary: Pure Python MySQL Client License: MIT URL: https://pypi.python.org/pypi/PyMySQL/ Source0: https://files.pythonhosted.org/packages/41/9d/ee68dee1c8821c839bb31e6e5f40e61035a5278f7c1307dde758f0c90452/PyMySQL-1.1.0.tar.gz +Patch0: CVE-2024-36039.patch BuildArch: noarch %description @@ -32,7 +33,7 @@ This package contains a pure-Python MySQL client library, based on PEP 249. Most public APIs are compatible with mysqlclient and MySQLdb. %prep -%autosetup -n PyMySQL-%{version} +%autosetup -n PyMySQL-%{version} -p1 %build %pyproject_build @@ -52,6 +53,9 @@ if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi %{_docdir}/* %changelog +* Fri May 24 2024 wangkai <13474090681@163.com> - 1.1.0-2 +- Fix CVE-2024-36039 + * Tue Jul 04 2023 chenzixuan - 1.1.0-1 - Update package to version 1.1.0