!29 [sync] PR-24: Fix CVE-2024-36039

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
Fix CVE-2024-36039
2024-06-06 09:19:38 +00:00 · 2024-05-24 10:32:55 +08:00 · 2023-07-06 09:44:49 +00:00 · 2023-07-04 04:48:11 +08:00 · 2023-05-06 02:09:07 +00:00 · 2023-05-06 09:55:00 +08:00
4 changed files with 77 additions and 18 deletions
--- a/CVE-2024-36039.patch
+++ b/CVE-2024-36039.patch
@ -0,0 +1,29 @@
+From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001
+From: Inada Naoki <songofacandy@gmail.com>
+Date: Sat, 18 May 2024 11:33:30 +0900
+Subject: [PATCH] forbid dict parameter
+
+---
+ pymysql/converters.py | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac75..dbf97ca 100644
+--- a/pymysql/converters.py
+++ b/pymysql/converters.py
+@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
+ 
+ 
+ def escape_dict(val, charset, mapping=None):
+-    n = {}
+-    for k, v in val.items():
+-        quoted = escape_item(v, charset, mapping)
+-        n[k] = quoted
+-    return n
+    raise TypeError("dict can not be used as parameter")
+ 
+ 
+ def escape_sequence(val, charset, mapping=None):
+-- 
+2.41.0
+
--- a/PyMySQL-0.9.3.tar.gz
+++ b/PyMySQL-0.9.3.tar.gz
--- a/PyMySQL-1.1.0.tar.gz
+++ b/PyMySQL-1.1.0.tar.gz
--- a/python-PyMySQL.spec
+++ b/python-PyMySQL.spec
@ -1,45 +1,74 @@
-Name:           python-PyMySQL
-Version:        0.9.3
-Release:        3
-Summary:        Pure Python MySQL Client
-License:        MIT
-URL:            https://pypi.python.org/pypi/PyMySQL/
-Source0:        https://files.pythonhosted.org/packages/source/P/PyMySQL/PyMySQL-%{version}.tar.gz
+%global _empty_manifest_terminate_build 0
+Name:		python-PyMySQL
+Version:	1.1.0
+Release:	2
+Summary:	Pure Python MySQL Client
+License:	MIT
+URL:		https://pypi.python.org/pypi/PyMySQL/
+Source0:	https://files.pythonhosted.org/packages/41/9d/ee68dee1c8821c839bb31e6e5f40e61035a5278f7c1307dde758f0c90452/PyMySQL-1.1.0.tar.gz
+BuildArch:	noarch

-BuildRequires:  python3-cryptography python3-devel python3-setuptools
-
-BuildArch:      noarch
+Patch01:        CVE-2024-36039.patch

 %description
 This package contains a pure-Python MySQL client library, based on PEP 249.
 Most public APIs are compatible with mysqlclient and MySQLdb.

 %package -n python3-PyMySQL
-Summary:  Pure Python3 MySQL client
-Requires: python3-cryptography
-%{?python_provide:%python_provide python3-PyMySQL}
-
+Summary:	Pure Python MySQL Client
+Provides:	python-PyMySQL = %{version}-%{release}
+BuildRequires:	python3-cryptography
+BuildRequires:	python3-devel
+BuildRequires:	python3-pip
+BuildRequires:	python3-wheel
+Requires:	python3-cryptography
 %description -n python3-PyMySQL
 This package contains a pure-Python MySQL client library, based on PEP 249.
 Most public APIs are compatible with mysqlclient and MySQLdb.

+%package help
+Summary:	Development documents and examples for pymysql
+Provides:	python3-PyMySQL-doc
+%description help
+This package contains a pure-Python MySQL client library, based on PEP 249.
+Most public APIs are compatible with mysqlclient and MySQLdb.

 %prep
 %autosetup -n PyMySQL-%{version} -p1

 %build
-%py3_build
+%pyproject_build

 %install
-%py3_install
+%pyproject_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi

 %files -n python3-PyMySQL
-%doc README.rst
-%license LICENSE
 %{python3_sitelib}/*

+%files help
+%{_docdir}/*

 %changelog
+* Thu May 23 2024 yinyongkang <yinyongkang@kylinos.cn> - 1.1.0-2
+- Fix CVE-2024-36039
+
+* Tue Jul 04 2023 chenzixuan <chenzixuan@kylinos.cn> - 1.1.0-1
+- Update package to version 1.1.0
+
+* Sat May 6 2023 Ge Wang <wang__ge@126.com> - 1.0.3-2
+- Replace compilation method form setuptools to pyproject
+
+* Thu Apr 6 2023 wubijie <wubijie@kylinos.cn> - 1.0.3-1
+- Update package to version 1.0.3
+
+* Tue Nov 22 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 1.0.2-1
+- Update package to version 1.0.2
+
 * Wed Aug 25 2021 OpenStack_SIG <openstack@openeuler.org> - 0.9.3-3
 - Revert the version to 0.9.3, because python3-aiomysql depends on the python-PyMySQL vertion ranging form 0.9 to 0.9.3

@ -54,3 +83,4 @@ Most public APIs are compatible with mysqlclient and MySQLdb.

 * Fri Feb 14 2020 hy-euler <eulerstoragemt@huawei.com> - 0.9.2-3
 - Package Initialization
+
Author	SHA1	Message	Date
openeuler-ci-bot	4c012cf088	!29 [sync] PR-24: Fix CVE-2024-36039 From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530	2024-06-06 09:19:38 +00:00
yinyongkang	d3b83e6510	Fix CVE-2024-36039 (cherry picked from commit 4fc6700836e1eeb14a1f4c7455a3e83bee2239fb)	2024-05-24 10:32:55 +08:00
openeuler-ci-bot	affc77db41	!21 更新至最新的1.1.0版本 From: @Jason_828e Reviewed-by: @yangzhao_kl Signed-off-by: @yangzhao_kl	2023-07-06 09:44:49 +00:00
Jason_828e	0d1ef75687	updated to latest 1.1.0 version	2023-07-04 04:48:11 +08:00
openeuler-ci-bot	18fb240365	!19 Replace compilation method from setuptools to pyproject From: @wang--ge Reviewed-by: @cherry530 Signed-off-by: @cherry530	2023-05-06 02:09:07 +00:00
wang--ge	b05d64674a	replace Compilation method form setuptools to pyproject	2023-05-06 09:55:00 +08:00
openeuler-ci-bot	440002cc09	!18 Update package to version 1.0.3 From: @wubijie123 Reviewed-by: @yangzhao_kl Signed-off-by: @yangzhao_kl	2023-05-05 15:17:52 +00:00
wubijie	99532baf4d	Update package to version 1.0.3	2023-04-13 22:43:18 +08:00
openeuler-ci-bot	b64d4bcbb3	!17 Update package to version 1.0.2 From: @jxy_git Reviewed-by: @myeuler Signed-off-by: @myeuler	2022-11-22 14:31:46 +00:00
jxy_git	efd17073e2	Update package to version 1.0.2	2022-11-22 17:15:05 +08:00