From ec10c430293d991b368583a2a5e25ffbcbaefec1 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal
Date: Thu, 6 Feb 2025 18:53:42 +0000
Subject: [PATCH] Address CVE-2025-0938.patch

---
 SPECS/python3/CVE-2025-0938.patch | 50 +++++++++++++++++++
 SPECS/python3/python3.spec | 7 ++-
 .../manifests/package/pkggen_core_aarch64.txt | 8 +-
 .../manifests/package/pkggen_core_x86_64.txt | 8 +-
 .../manifests/package/toolchain_aarch64.txt | 18 +++---
 .../manifests/package/toolchain_x86_64.txt | 18 +++---
 6 files changed, 82 insertions(+), 27 deletions(-)
 create mode 100644 SPECS/python3/CVE-2025-0938.patch

diff --git a/SPECS/python3/CVE-2025-0938.patch b/SPECS/python3/CVE-2025-0938.patch
new file mode 100644
index 00000000000..e4fa5e6a9ef
--- /dev/null
+++ b/SPECS/python3/CVE-2025-0938.patch
@@ -0,0 +1,50 @@
+From 753e79fd29bd6242575330d702caa95bc0a9f569 Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal
+Date: Thu, 6 Feb 2025 18:45:06 +0000
+Subject: [PATCH] Address CVE-2025-0938
+
+---
+ Lib/urllib/parse.py | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 2eb3448..dc0b71f 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -443,6 +443,23 @@ def _checknetloc(netloc):
+ raise ValueError("netloc '" + netloc + "' contains invalid " +
+ "characters under NFKC normalization")
+
++def _check_bracketed_netloc(netloc):
++ # Note that this function must mirror the splitting
++ # done in NetlocResultMixins._hostinfo().
++ hostname_and_port = netloc.rpartition('@')[2]
++ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
++ if have_open_br:
++ # No data is allowed before a bracket.
++ if before_bracket:
++ raise ValueError("Invalid IPv6 URL")
++ hostname, _, port = bracketed.partition(']')
++ # No data is allowed after the bracket but before the port delimiter.
++ if port and not port.startswith(":"):
++ raise ValueError("Invalid IPv6 URL")
++ else:
++ hostname, _, port = hostname_and_port.partition(':')
++ _check_bracketed_host(hostname)
++
+ # Valid bracketed hosts are defined in
+ # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
+ def _check_bracketed_host(hostname):
+@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ (']' in netloc and '[' not in netloc)):
+ raise ValueError("Invalid IPv6 URL")
+ if '[' in netloc and ']' in netloc:
+- bracketed_host = netloc.partition('[')[2].partition(']')[0]
+- _check_bracketed_host(bracketed_host)
++ _check_bracketed_netloc(netloc)
+ if allow_fragments and '#' in url:
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+--
+2.43.0
+
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
index 4f0652ee0ab..a66f15d82ec 100644
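Review bot: The backport carries only the Lib/urllib/parse.py hunk (the inner diffstat reads "1 file changed"), so the two new rejection paths in `_check_bracketed_netloc` — data before the `[` and data between `]` and the port delimiter — ship without a regression test, even though the spec packages `%{_libdir}/python%{majmin}/test/*` as python3-test. I would carry the upstream test hunk for Lib/test/test_urlparse.py alongside this one, or at minimum add cases asserting that `urlsplit('http://x[::1]/')` and `urlsplit('http://[::1]x:80/')` raise ValueError while `urlsplit('http://user@[::1]:80/')` still passes the new checks, since those exercise exactly the `before_bracket` and `port.startswith(":")` branches added here. Note also that the `else` branch passes a non-bracketed hostname to `_check_bracketed_host`, so a netloc like `user[x]@example.com` is now rejected by whatever that helper does with a plain name (its body is not in this hunk); if, as I recall from upstream, it validates via `ipaddress`, the error text will be that module's rather than `"Invalid IPv6 URL"`, which is worth a one-line comment such as `# brackets outside the host part are rejected by _check_bracketed_host`. The patch header names only the CVE; recording the upstream CPython issue it was taken from (gh-105704, as far as I recall) would make the backport auditable. `_check_bracketed_netloc` is complete within the first inner hunk, but `urlsplit` in the second starts and ends outside it.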
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@ Summary: A high-level scripting language
 Name: python3
 Version: 3.9.19
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -29,6 +29,7 @@ Patch5: CVE-2024-8088.patch
 Patch6: CVE-2024-4032.patch
 Patch7: CVE-2024-11168.patch
 Patch8: CVE-2024-6923.patch
+Patch9: CVE-2025-0938.patch
 # Patch for setuptools, resolved in 65.5.1
 Patch1000: CVE-2022-40897.patch
 Patch1001: CVE-2024-6345.patch
@@ -175,6 +176,7 @@ The test package contains all regression tests for Python as well as the modules
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 %build
 # Remove GCC specs and build environment linker scripts
@@ -330,6 +332,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*

 %changelog
+* Thu Feb 06 2025 Kanishk Bansal - 3.9.19-9
+- Patch CVE-2025-0938
+
 * Thu Nov 28 2024 Kanishk Bansal - 3.9.19-8
 - Address CVE-2024-6923

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 545262dc0e0..88362fbbce8 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm
 ca-certificates-2.0.0-19.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-21.cm2.aarch64.rpm
-python3-3.9.19-8.cm2.aarch64.rpm
-python3-devel-3.9.19-8.cm2.aarch64.rpm
-python3-libs-3.9.19-8.cm2.aarch64.rpm
-python3-setuptools-3.9.19-8.cm2.noarch.rpm
+python3-3.9.19-9.cm2.aarch64.rpm
+python3-devel-3.9.19-9.cm2.aarch64.rpm
+python3-libs-3.9.19-9.cm2.aarch64.rpm
+python3-setuptools-3.9.19-9.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index caf136d4d4e..654b286cb7f 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm
 ca-certificates-2.0.0-19.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-21.cm2.x86_64.rpm
-python3-3.9.19-8.cm2.x86_64.rpm
-python3-devel-3.9.19-8.cm2.x86_64.rpm
-python3-libs-3.9.19-8.cm2.x86_64.rpm
-python3-setuptools-3.9.19-8.cm2.noarch.rpm
+python3-3.9.19-9.cm2.x86_64.rpm
+python3-devel-3.9.19-9.cm2.x86_64.rpm
+python3-libs-3.9.19-9.cm2.x86_64.rpm
+python3-setuptools-3.9.19-9.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 8c8d7f7e2a4..af4c80f7aac 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.19-8.cm2.aarch64.rpm
+python3-3.9.19-9.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.19-8.cm2.aarch64.rpm
+python3-curses-3.9.19-9.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.19-8.cm2.aarch64.rpm
-python3-devel-3.9.19-8.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-9.cm2.aarch64.rpm
+python3-devel-3.9.19-9.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.19-8.cm2.aarch64.rpm
+python3-libs-3.9.19-9.cm2.aarch64.rpm
 python3-libxml2-2.10.4-5.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.19-8.cm2.noarch.rpm
+python3-pip-3.9.19-9.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.19-8.cm2.noarch.rpm
-python3-test-3.9.19-8.cm2.aarch64.rpm
-python3-tools-3.9.19-8.cm2.aarch64.rpm
+python3-setuptools-3.9.19-9.cm2.noarch.rpm
+python3-test-3.9.19-9.cm2.aarch64.rpm
+python3-tools-3.9.19-9.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 5a637183e62..6255aa04740 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.19-8.cm2.x86_64.rpm
+python3-3.9.19-9.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.19-8.cm2.x86_64.rpm
+python3-curses-3.9.19-9.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.19-8.cm2.x86_64.rpm
-python3-devel-3.9.19-8.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-9.cm2.x86_64.rpm
+python3-devel-3.9.19-9.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-5.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.19-8.cm2.x86_64.rpm
+python3-libs-3.9.19-9.cm2.x86_64.rpm
 python3-libxml2-2.10.4-5.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.19-8.cm2.noarch.rpm
+python3-pip-3.9.19-9.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.19-8.cm2.noarch.rpm
-python3-test-3.9.19-8.cm2.x86_64.rpm
-python3-tools-3.9.19-8.cm2.x86_64.rpm
+python3-setuptools-3.9.19-9.cm2.noarch.rpm
+python3-test-3.9.19-9.cm2.x86_64.rpm
+python3-tools-3.9.19-9.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm