
Commit a11ba1c

Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch python3 for CVE-2026-4519 [HIGH] - branch 3.0-dev" #16304
Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
1 parent cbbfbef commit a11ba1c

6 files changed

Lines changed: 157 additions & 21 deletions


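--- /dev/null
+++ b/SPECS/python3/CVE-2026-4519.patch
@@ -0,0 +1,132 @@
+From 64423d38b3b27b8f6cb479c554138b6a4d94830a Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 20 Mar 2026 09:47:13 -0500
+Subject: [PATCH 1/2] gh-143930: Reject leading dashes in webbrowser URLs
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+---
+Lib/test/test_webbrowser.py | 5 +++++
+Lib/webbrowser.py | 12 ++++++++++++
+.../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
+3 files changed, 18 insertions(+)
+create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 2d695bc..60f094f 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+options=[],
+arguments=[URL])
+
++ def test_reject_dash_prefixes(self):
++ browser = self.browser_class(name=CMD_NAME)
++ with self.assertRaises(ValueError):
++ browser.open(f"--key=val {URL}")
++
+
+class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 13b9e85..ab66519 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -158,6 +158,12 @@ class BaseBrowser(object):
+def open_new_tab(self, url):
+return self.open(url, 2)
+
++ @staticmethod
++ def _check_url(url):
++ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++ if url and url.lstrip().startswith("-"):
++ raise ValueError(f"Invalid URL {url!r}: URLs must not start with '-' after leading whitespace")
++
+
+class GenericBrowser(BaseBrowser):
+"""Class for all browsers started with a command
+@@ -175,6 +181,7 @@ class GenericBrowser(BaseBrowser):
+
+def open(self, url, new=0, autoraise=True):
+sys.audit("webbrowser.open", url)
++ self._check_url(url)
+cmdline = [self.name] + [arg.replace("%s", url)
+for arg in self.args]
+try:
+@@ -195,6 +202,7 @@ class BackgroundBrowser(GenericBrowser):
+cmdline = [self.name] + [arg.replace("%s", url)
+for arg in self.args]
+sys.audit("webbrowser.open", url)
++ self._check_url(url)
+try:
+if sys.platform[:3] == 'win':
+p = subprocess.Popen(cmdline)
+@@ -260,6 +268,7 @@ class UnixBrowser(BaseBrowser):
+
+def open(self, url, new=0, autoraise=True):
+sys.audit("webbrowser.open", url)
++ self._check_url(url)
+if new == 0:
+action = self.remote_action
+elif new == 1:
+@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
+
+def open(self, url, new=0, autoraise=True):
+sys.audit("webbrowser.open", url)
++ self._check_url(url)
+# XXX Currently I know no way to prevent KFM from opening a new win.
+if new == 2:
+action = "newTab"
+@@ -554,6 +564,7 @@ if sys.platform[:3] == "win":
+class WindowsDefault(BaseBrowser):
+def open(self, url, new=0, autoraise=True):
+sys.audit("webbrowser.open", url)
++ self._check_url(url)
+try:
+os.startfile(url)
+except OSError:
+@@ -638,6 +649,7 @@ if sys.platform == 'darwin':
+
+def open(self, url, new=0, autoraise=True):
+sys.audit("webbrowser.open", url)
++ self._check_url(url)
+if self.name == 'default':
+script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000..0f27eae
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
++Reject leading dashes in URLs passed to :func:`webbrowser.open`
+--
+2.45.4
+
+
+From 83c608b5ece9ad2aa88866dee9b52f8895156671 Mon Sep 17 00:00:00 2001
+From: Pinky <pinky00ch@gmail.com>
+Date: Wed, 25 Mar 2026 00:01:36 +0530
+Subject: [PATCH 2/2] Simplify error message for invalid URL- backport
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/python/cpython/pull/146360.patch
+---
+Lib/webbrowser.py | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index ab66519..0bdb644 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -162,7 +162,7 @@ class BaseBrowser(object):
+def _check_url(url):
+"""Ensures that the URL is safe to pass to subprocesses as a parameter"""
+if url and url.lstrip().startswith("-"):
+- raise ValueError(f"Invalid URL {url!r}: URLs must not start with '-' after leading whitespace")
++ raise ValueError(f"Invalid URL: {url}")
+
+
+class GenericBrowser(BaseBrowser):
+--
+2.45.4
+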
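Review bot: The second patch in this file rewrites the rejection in `_check_url` as `raise ValueError(f"Invalid URL: {url}")`, dropping the `!r` conversion the first patch used, so the rejected value is interpolated unquoted and any embedded whitespace or control characters land verbatim in the exception text and in whatever log captures it. Keeping the repr form, `raise ValueError(f"Invalid URL: {url!r}")`, preserves the shortened wording while keeping the untrusted value delimited. Separately, the added `test_reject_dash_prefixes` exercises only `GenericBrowser.open`; the `_check_url` calls added to BackgroundBrowser, UnixBrowser, Konqueror, WindowsDefault and the darwin browser have no test in this patch. `_check_url` itself is complete within its hunk, but every `open` body it is called from continues outside the hunk that adds the call.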

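--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -6,7 +6,7 @@
 Summary: A high-level scripting language
 Name: python3
 Version: 3.12.9
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -30,6 +30,7 @@ Patch10: CVE-2025-11468.patch
 Patch11: CVE-2026-0672.patch
 Patch12: CVE-2026-0865.patch
 Patch13: CVE-2026-1299.patch
+Patch14: CVE-2026-4519.patch
 
 BuildRequires: bzip2-devel
 BuildRequires: expat-devel >= 2.1.0
@@ -252,6 +253,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Wed Mar 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.12.9-10
+- Patch for CVE-2026-4519
+
 * Mon Feb 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.12.9-9
 - Patch for CVE-2026-1299
 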

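--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -244,9 +244,9 @@ ca-certificates-base-3.0.0-14.azl3.noarch.rpm
 ca-certificates-3.0.0-14.azl3.noarch.rpm
 dwz-0.14-2.azl3.aarch64.rpm
 unzip-6.0-22.azl3.aarch64.rpm
-python3-3.12.9-9.azl3.aarch64.rpm
-python3-devel-3.12.9-9.azl3.aarch64.rpm
-python3-libs-3.12.9-9.azl3.aarch64.rpm
+python3-3.12.9-10.azl3.aarch64.rpm
+python3-devel-3.12.9-10.azl3.aarch64.rpm
+python3-libs-3.12.9-10.azl3.aarch64.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm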

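--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -244,9 +244,9 @@ ca-certificates-base-3.0.0-14.azl3.noarch.rpm
 ca-certificates-3.0.0-14.azl3.noarch.rpm
 dwz-0.14-2.azl3.x86_64.rpm
 unzip-6.0-22.azl3.x86_64.rpm
-python3-3.12.9-9.azl3.x86_64.rpm
-python3-devel-3.12.9-9.azl3.x86_64.rpm
-python3-libs-3.12.9-9.azl3.x86_64.rpm
+python3-3.12.9-10.azl3.x86_64.rpm
+python3-devel-3.12.9-10.azl3.x86_64.rpm
+python3-libs-3.12.9-10.azl3.x86_64.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm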

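--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -531,19 +531,19 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.9-9.azl3.aarch64.rpm
+python3-3.12.9-10.azl3.aarch64.rpm
 python3-audit-3.1.2-1.azl3.aarch64.rpm
 python3-cracklib-2.9.11-1.azl3.aarch64.rpm
-python3-curses-3.12.9-9.azl3.aarch64.rpm
+python3-curses-3.12.9-10.azl3.aarch64.rpm
 python3-Cython-3.0.5-2.azl3.aarch64.rpm
-python3-debuginfo-3.12.9-9.azl3.aarch64.rpm
-python3-devel-3.12.9-9.azl3.aarch64.rpm
+python3-debuginfo-3.12.9-10.azl3.aarch64.rpm
+python3-devel-3.12.9-10.azl3.aarch64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
 python3-libmount-2.40.2-3.azl3.aarch64.rpm
-python3-libs-3.12.9-9.azl3.aarch64.rpm
+python3-libs-3.12.9-10.azl3.aarch64.rpm
 python3-libxml2-2.11.5-9.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
@@ -555,8 +555,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
-python3-test-3.12.9-9.azl3.aarch64.rpm
-python3-tools-3.12.9-9.azl3.aarch64.rpm
+python3-test-3.12.9-10.azl3.aarch64.rpm
+python3-tools-3.12.9-10.azl3.aarch64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-2.azl3.aarch64.rpm
 readline-debuginfo-8.2-2.azl3.aarch64.rpm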

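--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -539,19 +539,19 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.9-9.azl3.x86_64.rpm
+python3-3.12.9-10.azl3.x86_64.rpm
 python3-audit-3.1.2-1.azl3.x86_64.rpm
 python3-cracklib-2.9.11-1.azl3.x86_64.rpm
-python3-curses-3.12.9-9.azl3.x86_64.rpm
+python3-curses-3.12.9-10.azl3.x86_64.rpm
 python3-Cython-3.0.5-2.azl3.x86_64.rpm
-python3-debuginfo-3.12.9-9.azl3.x86_64.rpm
-python3-devel-3.12.9-9.azl3.x86_64.rpm
+python3-debuginfo-3.12.9-10.azl3.x86_64.rpm
+python3-devel-3.12.9-10.azl3.x86_64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
 python3-libmount-2.40.2-3.azl3.x86_64.rpm
-python3-libs-3.12.9-9.azl3.x86_64.rpm
+python3-libs-3.12.9-10.azl3.x86_64.rpm
 python3-libxml2-2.11.5-9.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
@@ -563,8 +563,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
-python3-test-3.12.9-9.azl3.x86_64.rpm
-python3-tools-3.12.9-9.azl3.x86_64.rpm
+python3-test-3.12.9-10.azl3.x86_64.rpm
+python3-tools-3.12.9-10.azl3.x86_64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-2.azl3.x86_64.rpm
 readline-debuginfo-8.2-2.azl3.x86_64.rpm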
