1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-18 16:37:03 +00:00

python3: Fix CVE-2026-4519 and CVE-2026-4786

Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
[2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
[3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
[4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Sudhir Dumbhare
2026-06-13 03:11:37 -07:00
committed by Paul Barker
parent 703b680089
commit 1401e6e003
4 changed files with 335 additions and 0 deletions
@@ -37,6 +37,9 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2026-1502.patch \
file://CVE-2026-6100.patch \
file://CVE-2026-3644_CVE-2026-0672.patch \
file://CVE-2026-4519_p1.patch \
file://CVE-2026-4519_p2.patch \
file://CVE-2026-4519_CVE-2026-4786.patch \
"
SRC_URI:append:class-native = " \