python3: Fix CVE-2026-3644 and CVE-2026-0672

Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.

CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().

[1] d16ecc6c36
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644

References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672

(From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
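The control-character guard the message describes, as an added defensive example (not code from this commit, from CPython, or from OE-Core): it checks every field a Morsel can carry before serialising it, so a deployment on an interpreter without the fix gets the same rejection on the output path. The helper names are assumptions.

```python
import re
from http.cookies import SimpleCookie, CookieError

# Any C0 control character or DEL; CR and LF are the ones that would split
# a Set-Cookie header into two header lines.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    """True if text contains a control character that must never reach a header."""
    return _CONTROL_RE.search(text) is not None


def checked_cookie_headers(cookie: SimpleCookie) -> list[str]:
    """Serialise every morsel as a Set-Cookie header, refusing any whose key,
    value, coded_value or attributes carry control characters (the fields
    that Morsel.update(), |= and unpickling populate on an interpreter that
    lacks the input-side validation).  Raises CookieError on the first hit."""
    headers = []
    for key, morsel in cookie.items():
        fields = [key, morsel.key, morsel.value, morsel.coded_value]
        fields += [str(v) for v in morsel.values()]  # Path, Domain, ...
        for field in fields:
            if has_control_chars(field):
                raise CookieError(f"control character in cookie {key!r}")
        headers.append(morsel.output())
    return headers


def checked_js_output(cookie: SimpleCookie) -> str:
    """Same guard for the <script> form, mirroring the output-side check the
    fix adds to BaseCookie.js_output()."""
    checked_cookie_headers(cookie)  # validates every morsel first
    return cookie.js_output()


if __name__ == "__main__":
    # Constructed sample cookie; clean values pass straight through.
    jar = SimpleCookie()
    jar["session"] = "abc123"
    jar["session"]["path"] = "/"
    for line in checked_cookie_headers(jar):
        print(line)
```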
Sudhir Dumbhare
2026-06-13 03:11:35 -07:00
committed by Paul Barker
parent 327a87fffb
commit 703b680089
2 changed files with 155 additions and 0 deletions


@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_readline-skip-limited-history-test.patch \
file://CVE-2026-1502.patch \
file://CVE-2026-6100.patch \
file://CVE-2026-3644_CVE-2026-0672.patch \
"
SRC_URI:append:class-native = " \
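Review bot: this hunk only adds the `file://CVE-2026-3644_CVE-2026-0672.patch` entry to SRC_URI; the patch file itself, the second of the two changed files, is not shown here, so please confirm it carries a `CVE: CVE-2026-3644 CVE-2026-0672` line and an `Upstream-Status: Backport` line naming the upstream commit d16ecc6c36 from the message, so that cve-check can record both CVEs as patched and the backport stays traceable to its origin.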