From 075d2a05542cae6f9def8aa32a9b41d14991371f Mon Sep 17 00:00:00 2001
From: yinyongkang
Date: Thu, 23 May 2024 10:17:26 +0800
Subject: [PATCH] Fix CVE-2024-36039
(cherry picked from commit 4fc6700836e1eeb14a1f4c7455a3e83bee2239fb)
---
 CVE-2024-36039.patch | 29 +++++++++++++++++++++++++++++
 python-PyMySQL.spec | 9 +++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-36039.patch
diff --git a/CVE-2024-36039.patch b/CVE-2024-36039.patch
new file mode 100644
index 0000000..ae1ae16
--- /dev/null
+++ b/CVE-2024-36039.patch
@@ -0,0 +1,29 @@
+From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001
+From: Inada Naoki
+Date: Sat, 18 May 2024 11:33:30 +0900
+Subject: [PATCH] forbid dict parameter
+
+---
+ pymysql/converters.py | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac75..dbf97ca 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
+
+
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+
+
+ def escape_sequence(val, charset, mapping=None):
+--
+2.41.0
+
diff --git a/python-PyMySQL.spec b/python-PyMySQL.spec
index 87f6553..644791a 100644
--- a/python-PyMySQL.spec
+++ b/python-PyMySQL.spec
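Review bot: The new body of escape_dict is a bare `raise TypeError("dict can not be used as parameter")` with no comment saying why a function that used to return an escaped dict now refuses one, and the removed lines carry the reason: each value `v` went through escape_item, but the key `k` was copied into `n` untouched, so a caller-controlled key reached the query text unescaped. I would add a one-line docstring on the new side, `"""Refuse dict parameters: escaping only the values left the keys unescaped (CVE-2024-36039)."""`, so the next person editing converters.py does not reinstate the old loop. The `charset` and `mapping` parameters are now unused; they appear to be kept to match the signature of the neighbouring escape_sequence, and a short comment saying so would avoid a later "cleanup" that changes the call shape. As rendered here the embedded patch lines have lost their leading indentation; if the committed CVE-2024-36039.patch looks the same, `%autosetup -p1` will fail to apply it, so confirm the on-disk file is byte-identical to upstream commit 521e40050cb386a499f68f483fefd144c493053c.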
@@ -1,13 +1,15 @@
 %global _empty_manifest_terminate_build 0
 Name: python-PyMySQL
 Version: 1.1.0
-Release: 1
+Release: 2
 Summary: Pure Python MySQL Client
 License: MIT
 URL: https://pypi.python.org/pypi/PyMySQL/
 Source0: https://files.pythonhosted.org/packages/41/9d/ee68dee1c8821c839bb31e6e5f40e61035a5278f7c1307dde758f0c90452/PyMySQL-1.1.0.tar.gz
 BuildArch: noarch
+Patch01: CVE-2024-36039.patch
+
 %description
 This package contains a pure-Python MySQL client library, based on PEP 249. Most public APIs are compatible with mysqlclient and MySQLdb.
@@ -32,7 +34,7 @@ This package contains a pure-Python MySQL client library, based on PEP 249. Most public APIs are compatible with mysqlclient and MySQLdb.
 %prep
-%autosetup -n PyMySQL-%{version}
+%autosetup -n PyMySQL-%{version} -p1
 %build
 %pyproject_build
@@ -52,6 +54,9 @@ if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
 %{_docdir}/*
 %changelog
+* Thu May 23 2024 yinyongkang - 1.1.0-2
+- Fix CVE-2024-36039
+
 * Tue Jul 04 2023 chenzixuan - 1.1.0-1
 - Update package to version 1.1.0
-- Gitee
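Review bot: The changelog entry `- Fix CVE-2024-36039` in the third hunk does not say that the fix is a behavior change: the applied patch makes escape_dict raise TypeError, so code that relied on dict values being escaped under 1.1.0-1 will presumably start failing under 1.1.0-2. Expanding the entry to `- Fix CVE-2024-36039: escape_dict() now rejects dict parameters with TypeError` lets anyone reading `rpm -q --changelog` see what to expect before upgrading. The `Patch01:` line and the `-p1` added to `%autosetup` in the first two hunks are consistent with each other and with the `a/`/`b/` prefixes in the embedded patch.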