Compare commits

10 Commits

Author SHA1 Message Date
openeuler-ci-bot
5a9871b416
!35 [sync] PR-27: Fix CVE-2024-36039
From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
2024-05-24 06:43:47 +00:00
wk333
c59b48d363 Fix CVE-2024-36039
(cherry picked from commit 1cfe31ba26fd922e0d9b586132ddc5c349458929)
2024-05-24 10:34:13 +08:00
openeuler-ci-bot
4663b54200
!13 [Lightweight PR]: fix bad date in %changelog
From: @loong-C 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu
2022-06-16 08:46:54 +00:00
loong-C
761b12e116
fix bad date in %changelog
![Enter image description](https://images.gitee.com/uploads/images/2022/0615/155546_33478f25_9884780.png "screenshot.png")
2022-06-15 07:56:24 +00:00
openeuler-ci-bot
6cec6532fe !9 [sync] PR-8: Revert the version to 0.9.3, because python3-aiomysql depends on the python-PyMySQL version ranging from 0.9 to 0.9.3
From: @openeuler-sync-bot
Reviewed-by: @yangzhao_kl
Signed-off-by: @yangzhao_kl
2021-08-27 03:31:58 +00:00
FFrog
9731382e7d Revert the version to 0.9.3, because python3-aiomysql depends on the python-PyMySQL version ranging from 0.9 to 0.9.3
(cherry picked from commit a8cb9fdb9412df44c954d738936a4a3aedc26026)
2021-08-27 11:25:49 +08:00
openeuler-ci-bot
6294ae57dc !7 [sync] PR-6: update version to 1.0.2
From: @openeuler-sync-bot
Reviewed-by: @yangzhao_kl
Signed-off-by: @yangzhao_kl
2021-08-20 02:02:47 +00:00
FFrog
6e46da5e2e update version to 1.0.2, due to dependence of openstack wallaby
(cherry picked from commit 873c148c3b3435cd8d6bbd03c609f9a06eff30c9)
2021-08-20 09:55:23 +08:00
openeuler-ci-bot
48a531c443 !5 remove python2 dependency
From: @xinghe_1
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2020-10-30 15:44:12 +08:00
jinzhimin369
10cda34ea6 remove python2 dependency 2020-10-30 14:22:19 +08:00
2 changed files with 43 additions and 25 deletions

CVE-2024-36039.patch Normal file

@ -0,0 +1,28 @@
From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001
From: Inada Naoki <songofacandy@gmail.com>
Date: Sat, 18 May 2024 11:33:30 +0900
Subject: [PATCH] forbid dict parameter
Origin: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
---
pymysql/converters.py | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/pymysql/converters.py b/pymysql/converters.py
index 1adac752..dbf97ca7 100644
--- a/pymysql/converters.py
+++ b/pymysql/converters.py
@@ -28,11 +28,7 @@ def escape_item(val, charset, mapping=None):
return val
def escape_dict(val, charset, mapping=None):
- n = {}
- for k, v in val.items():
- quoted = escape_item(v, charset, mapping)
- n[k] = quoted
- return n
+ raise TypeError("dict can not be used as parameter")
def escape_sequence(val, charset, mapping=None):
n = []
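Review bot: No regression test accompanies the change to escape_dict; the diffstat lists only pymysql/converters.py (1 file changed). A test asserting that passing a dict value raises TypeError would keep this fix from being silently lost on a later rebase or version bump. A short comment above the raise would also help: the removed loop quoted only the values (`quoted = escape_item(v, charset, mapping)`) and copied each key `k` through unchanged, and the message "dict can not be used as parameter" gives a caller no hint of that.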


@ -1,12 +1,12 @@
Name: python-PyMySQL Name: python-PyMySQL
Version: 0.9.3 Version: 0.9.3
Release: 1 Release: 4
Summary: Pure Python MySQL Client Summary: Pure Python MySQL Client
License: MIT License: MIT
URL: https://pypi.python.org/pypi/PyMySQL/ URL: https://pypi.python.org/pypi/PyMySQL/
Source0: https://files.pythonhosted.org/packages/source/P/PyMySQL/PyMySQL-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/P/PyMySQL/PyMySQL-%{version}.tar.gz
Patch0: CVE-2024-36039.patch
BuildRequires: python2-cryptography python2-devel python2-setuptools
BuildRequires: python3-cryptography python3-devel python3-setuptools BuildRequires: python3-cryptography python3-devel python3-setuptools
BuildArch: noarch BuildArch: noarch
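Review bot: `Patch0: CVE-2024-36039.patch` is added with no comment naming its upstream source, while Version stays at 0.9.3. The Origin URL is recorded only inside the patch file; a one-line comment above Patch0 carrying that URL, and noting that the upstream commit is applied to the 0.9.3 sources, would let a later maintainer see at a glance when the patch can be dropped.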
@ -15,20 +15,6 @@ BuildArch: noarch
This package contains a pure-Python MySQL client library, based on PEP 249. This package contains a pure-Python MySQL client library, based on PEP 249.
Most public APIs are compatible with mysqlclient and MySQLdb. Most public APIs are compatible with mysqlclient and MySQLdb.
NOTE: PyMySQL doesn't support low level APIs _mysql provides like data_seek,
store_result, and use_result. You should use high level APIs defined in PEP 249.
But some APIs like autocommit and ping are supported because PEP 249 doesn't
cover their usecase.
%package -n python2-PyMySQL
Summary: Pure Python2 MySQL Client
Requires: python2-cryptography
%{?python_provide:%python_provide python2-PyMySQL}
%description -n python2-PyMySQL
This package contains a pure-Python MySQL client library, based on PEP 249.
Most public APIs are compatible with mysqlclient and MySQLdb.
%package -n python3-PyMySQL %package -n python3-PyMySQL
Summary: Pure Python3 MySQL client Summary: Pure Python3 MySQL client
Requires: python3-cryptography Requires: python3-cryptography
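Review bot: The python2-PyMySQL subpackage is removed in this hunk, but nothing here adds an `Obsoletes: python2-PyMySQL` to the python3-PyMySQL package. Without it, hosts that already have python2-PyMySQL installed keep that old build after an upgrade, and that build does not carry Patch0. Consider adding a versioned Obsoletes, or record in the changelog that the python2 subpackage is no longer built and does not receive the CVE-2024-36039 fix.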
@ -43,19 +29,11 @@ Most public APIs are compatible with mysqlclient and MySQLdb.
%autosetup -n PyMySQL-%{version} -p1 %autosetup -n PyMySQL-%{version} -p1
%build %build
%py2_build
%py3_build %py3_build
%install %install
%py2_install
%py3_install %py3_install
%files -n python2-PyMySQL
%doc README.rst
%license LICENSE
%{python2_sitelib}/*
%files -n python3-PyMySQL %files -n python3-PyMySQL
%doc README.rst %doc README.rst
%license LICENSE %license LICENSE
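Review bot: The sections shown here go straight from %py3_install to %files with no %check, so the package build never runs any code path through the patched escape_dict. Since `%autosetup -n PyMySQL-%{version} -p1` now applies a security patch, consider adding a %check that at least imports pymysql.converters and asserts that escape_dict raises TypeError when given a dict.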
@ -63,7 +41,19 @@ Most public APIs are compatible with mysqlclient and MySQLdb.
%changelog %changelog
* Jul Thu 16 2020 yanglongkang <yanglongkang@huawei.com> - 0.9.3-1 * Fri May 24 2024 wangkai <13474090681@163.com> - 0.9.3-4
- Fix CVE-2024-36039
* Wed Aug 25 2021 OpenStack_SIG <openstack@openeuler.org> - 0.9.3-3
- Revert the version to 0.9.3, because python3-aiomysql depends on the python-PyMySQL vertion ranging form 0.9 to 0.9.3
* Mon Aug 09 2021 OpenStack_SIG <openstack@openeuler.org> - 1.0.2-1
- Update version to 1.0.2, because of the dependence of Openstack Wallaby
* Fri Oct 30 2020 yanglongkang <yanglongkang@huawei.com> - 0.9.3-2
- remove python2 dependency
* Thu Jul 16 2020 yanglongkang <yanglongkang@huawei.com> - 0.9.3-1
- update package to 0.9.3 - update package to 0.9.3
* Fri Feb 14 2020 hy-euler <eulerstoragemt@huawei.com> - 0.9.2-3 * Fri Feb 14 2020 hy-euler <eulerstoragemt@huawei.com> - 0.9.2-3
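Review bot: The changelog goes from 1.0.2-1 (Aug 09 2021) back to 0.9.3-3 and now 0.9.3-4, and the header hunk adds no Epoch. RPM orders 0.9.3-4 below 1.0.2-1, so a system that installed the 1.0.2-1 build will not pick this release up as an update. Either add an Epoch or state in the changelog that moving to the 0.9.3 line requires a manual downgrade. The 0.9.3-3 entry also carries two typos ("vertion", "form") that could be corrected while this section is being edited.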