packages/python-PyMySQL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!28 [sync] PR-24: Fix CVE-2024-36039

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2024-05-24 06:43:14 +00:00 committed by Gitee
commit 0c783dd230
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 36 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
CVE-2024-36039.patch Normal file
View File

@ -0,0 +1,29 @@
From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001
From: Inada Naoki <songofacandy@gmail.com>
Date: Sat, 18 May 2024 11:33:30 +0900
Subject: [PATCH] forbid dict parameter
---
pymysql/converters.py | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/pymysql/converters.py b/pymysql/converters.py
index 1adac75..dbf97ca 100644
--- a/pymysql/converters.py
+++ b/pymysql/converters.py
@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
def escape_dict(val, charset, mapping=None):
- n = {}
- for k, v in val.items():
- quoted = escape_item(v, charset, mapping)
- n[k] = quoted
- return n
+ raise TypeError("dict can not be used as parameter")
def escape_sequence(val, charset, mapping=None):
--
2.41.0

9
python-PyMySQL.spec
View File

@ -1,13 +1,15 @@
%global _empty_manifest_terminate_build 0
Name: python-PyMySQL
Version: 1.1.0
Release: 1
Release: 2
Summary: Pure Python MySQL Client
License: MIT
URL: https://pypi.python.org/pypi/PyMySQL/
Source0: https://files.pythonhosted.org/packages/41/9d/ee68dee1c8821c839bb31e6e5f40e61035a5278f7c1307dde758f0c90452/PyMySQL-1.1.0.tar.gz
BuildArch: noarch
Patch01: CVE-2024-36039.patch
%description
This package contains a pure-Python MySQL client library, based on PEP 249.
Most public APIs are compatible with mysqlclient and MySQLdb.
@ -32,7 +34,7 @@ This package contains a pure-Python MySQL client library, based on PEP 249.
Most public APIs are compatible with mysqlclient and MySQLdb.
%prep
%autosetup -n PyMySQL-%{version}
%autosetup -n PyMySQL-%{version} -p1
%build
%pyproject_build
@ -52,6 +54,9 @@ if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
%{_docdir}/*
%changelog
* Thu May 23 2024 yinyongkang <yinyongkang@kylinos.cn> - 1.1.0-2
- Fix CVE-2024-36039
* Tue Jul 04 2023 chenzixuan <chenzixuan@kylinos.cn> - 1.1.0-1
- Update package to version 1.1.0