[AutoPR- Security] Patch python3 for CVE-2026-4519 [HIGH] (#16281)

Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: azurelinux-security

SPECS/python3/CVE-2026-4519.patch

@@ -0,0 +1,123 @@
+From 3be471c77789110b81fe47160c504a3960e8ce4f Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 20 Mar 2026 09:47:13 -0500
+Subject: [PATCH] gh-143930: Reject leading dashes in webbrowser URLs (cherry
+ picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/python/cpython/pull/146359.patch
+---
+ Lib/test/test_webbrowser.py                        |  5 +++++
+ Lib/webbrowser.py                                  | 14 ++++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst |  1 +
+ 3 files changed, 20 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 519a943..f8e9234 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -55,6 +55,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open(f"--key=val {URL}")
++
+ 
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 6023c1e..f5349db 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -154,6 +154,12 @@ class BaseBrowser(object):
+     def open_new_tab(self, url):
+         return self.open(url, 2)
+ 
++    @staticmethod
++    def _check_url(url):
++        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++        if url and url.lstrip().startswith("-"):
++            raise ValueError(f"Invalid URL: {url}")
++
+ 
+ class GenericBrowser(BaseBrowser):
+     """Class for all browsers started with a command
+@@ -171,6 +177,7 @@ class GenericBrowser(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -191,6 +198,7 @@ class BackgroundBrowser(GenericBrowser):
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         try:
+             if sys.platform[:3] == 'win':
+                 p = subprocess.Popen(cmdline)
+@@ -256,6 +264,7 @@ class UnixBrowser(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         # XXX Currently I know no way to prevent KFM from opening a new win.
+         if new == 2:
+             action = "newTab"
+@@ -441,6 +451,7 @@ class Grail(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         if new:
+             ok = self._remote("LOADNEW " + url)
+         else:
+@@ -599,6 +610,7 @@ if sys.platform[:3] == "win":
+     class WindowsDefault(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
++            self._check_url(url)
+             try:
+                 os.startfile(url)
+             except OSError:
+@@ -629,6 +641,7 @@ if sys.platform == 'darwin':
+ 
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
++            self._check_url(url)
+             assert "'" not in url
+             # hack for local urls
+             if not ':' in url:
+@@ -666,6 +679,7 @@ if sys.platform == 'darwin':
+             self._name = name
+ 
+         def open(self, url, new=0, autoraise=True):
++            self._check_url(url)
+             if self._name == 'default':
+                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+             else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000..0f27eae
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
++Reject leading dashes in URLs passed to :func:`webbrowser.open`
+-- 
+2.45.4
+

SPECS/python3/python3.spec

@@ -12,7 +12,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.19
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -54,6 +54,7 @@ Patch1004:      CVE-2024-37891.patch
 Patch1005:      CVE-2025-50181.patch
 Patch1006:      CVE-2023-5752.patch
 Patch1007:      CVE-2023-45803.patch
+Patch1008:      CVE-2026-4519.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@@ -387,6 +388,9 @@ make test TESTOPTS="-x test_multiprocessing_spawn -x test_socket -x test_email"
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Wed Mar 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.9.19-20
+- Patch for CVE-2026-4519
+
 * Fri Jan 30 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.9.19-19
 - Patch for CVE-2026-0865, CVE-2025-12084
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-25.cm2.noarch.rpm
 ca-certificates-2.0.0-25.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-22.cm2.aarch64.rpm
-python3-3.9.19-19.cm2.aarch64.rpm
-python3-devel-3.9.19-19.cm2.aarch64.rpm
-python3-libs-3.9.19-19.cm2.aarch64.rpm
-python3-setuptools-3.9.19-19.cm2.noarch.rpm
+python3-3.9.19-20.cm2.aarch64.rpm
+python3-devel-3.9.19-20.cm2.aarch64.rpm
+python3-libs-3.9.19-20.cm2.aarch64.rpm
+python3-setuptools-3.9.19-20.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-25.cm2.noarch.rpm
 ca-certificates-2.0.0-25.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-22.cm2.x86_64.rpm
-python3-3.9.19-19.cm2.x86_64.rpm
-python3-devel-3.9.19-19.cm2.x86_64.rpm
-python3-libs-3.9.19-19.cm2.x86_64.rpm
-python3-setuptools-3.9.19-19.cm2.noarch.rpm
+python3-3.9.19-20.cm2.x86_64.rpm
+python3-devel-3.9.19-20.cm2.x86_64.rpm
+python3-libs-3.9.19-20.cm2.x86_64.rpm
+python3-setuptools-3.9.19-20.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.19-19.cm2.aarch64.rpm
+python3-3.9.19-20.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.19-19.cm2.aarch64.rpm
+python3-curses-3.9.19-20.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.19-19.cm2.aarch64.rpm
-python3-devel-3.9.19-19.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-20.cm2.aarch64.rpm
+python3-devel-3.9.19-20.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.19-19.cm2.aarch64.rpm
+python3-libs-3.9.19-20.cm2.aarch64.rpm
 python3-libxml2-2.10.4-11.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.19-19.cm2.noarch.rpm
+python3-pip-3.9.19-20.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.19-19.cm2.noarch.rpm
-python3-test-3.9.19-19.cm2.aarch64.rpm
-python3-tools-3.9.19-19.cm2.aarch64.rpm
+python3-setuptools-3.9.19-20.cm2.noarch.rpm
+python3-test-3.9.19-20.cm2.aarch64.rpm
+python3-tools-3.9.19-20.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.19-19.cm2.x86_64.rpm
+python3-3.9.19-20.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.19-19.cm2.x86_64.rpm
+python3-curses-3.9.19-20.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.19-19.cm2.x86_64.rpm
-python3-devel-3.9.19-19.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-20.cm2.x86_64.rpm
+python3-devel-3.9.19-20.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.19-19.cm2.x86_64.rpm
+python3-libs-3.9.19-20.cm2.x86_64.rpm
 python3-libxml2-2.10.4-11.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.19-19.cm2.noarch.rpm
+python3-pip-3.9.19-20.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.19-19.cm2.noarch.rpm
-python3-test-3.9.19-19.cm2.x86_64.rpm
-python3-tools-3.9.19-19.cm2.x86_64.rpm
+python3-setuptools-3.9.19-20.cm2.noarch.rpm
+python3-test-3.9.19-20.cm2.x86_64.rpm
+python3-tools-3.9.19-20.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm