[security][HIGH] python3 3.12.12: CVE-2026-4519 require triage #1

Closed
opened 2026-04-29 04:40:20 +03:00 by sbelikov (Owner) · 1 comment

CVE triage request / Запрос на разбор CVE

Package / Пакет

  • Package: python3
  • Version: 3.12.12
  • EVR: 3.12.12-2
  • Category: toolchain
  • Policy class: core-system
  • NiceOS policy class: -
  • Owner: toolchain-team
  • Severity: HIGH
  • Max CVSS: 7.0
  • CVE count: 1

LLM recommendation / Рекомендация LLM

RU

Vulnerability in the webbrowser.open() API of the python3 package that allows leading dashes in URLs to be handled as browser command-line options, which can lead to the execution of unauthorized commands.

Immediately update the python3 package to a version containing the fix, or temporarily prohibit the use of webbrowser.open() with unverified URLs in the distribution's applications.

Recommended action: needs_triage

Target version hint: -

Checks:
1. Check for the vulnerability in the current python3 version (3.12.12) by attempting to call webbrowser.open() with a URL that starts with a dash (for example, '-http://example.com').
2. Check whether the function returns an error or handles URLs without dashes correctly.
3. Install a test build with the patch and confirm that the behaviour has changed (URLs with leading dashes are refused).

Risks: An attacker can craft a malicious URL with a leading dash that the browser interprets as a command-line option. This can lead to local utilities or scripts being launched with the privileges of the user who called the function, which violates the principle of least privilege and can lead to compromise of the system.

EN

Vulnerability in the webbrowser.open() API of the python3 package allowing leading dashes in URLs to be interpreted as command-line options for certain browsers, potentially leading to unauthorized command execution.

Immediately update the python3 package to a version containing the fix, or temporarily disable the use of the webbrowser.open() function with untrusted URLs in distribution applications.

Recommended action: needs_triage

Target version hint: -

Tests:
1. Verify the vulnerability in the current python3 version (3.12.12) by attempting to call webbrowser.open() with a URL starting with a dash (e.g., '-http://example.com').
2. Verify if the function returns an error or handles URLs without dashes correctly.
3. Install a patched test version and ensure the behavior has changed (rejection of URLs with leading dashes).

Risks: An attacker could craft a malicious URL with a leading dash that is interpreted by the browser as a command-line option. This could lead to the execution of local utilities or scripts with the privileges of the user who called the function, violating the principle of least privilege and potentially compromising the system.

CVE candidates from NVD/CPE

CVE            Severity  CVSS  Match      NiceOS status  Reason
CVE-2026-4519  HIGH      7.0   cpe-range  needs_triage   package version is inside version range

Descriptions

CVE-2026-4519

The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-4519"
  ],
  "fingerprint": "682a0b0f1ab208ffa62d",
  "generated_at": "2026-04-29T01:40:19Z",
  "package": "python3",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "3.12.12"
}
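The CVE text above recommends sanitizing URLs before they are passed to webbrowser.open(). What follows is an added example of such a guard, written for this page; it is not code from the CVE report, from CPython, or from the NiceOS package. It assumes only the standard library. The names UnsafeURL, validate_url, is_safe, safe_open, browser_argv and ALLOWED_SCHEMES are this example's own, and browser_argv is modelled on the way the stdlib's GenericBrowser substitutes the URL into its argument template (an assumption about that class, used here only to make the resulting argv visible without launching anything). It goes beyond the CVE's leading-dash case by also refusing non-http(s) schemes and relative URLs, which a fix inside webbrowser does not do.

```python
"""Guard for untrusted URLs in front of webbrowser.open() (added example).

Assumes only the Python standard library. UnsafeURL, validate_url, is_safe,
safe_open, browser_argv and ALLOWED_SCHEMES are names chosen for this example.
"""
import webbrowser
from urllib.parse import urlsplit

# Only absolute web URLs are ever forwarded; file:, javascript:, data: and
# bare paths have no business reaching a browser's argv from untrusted input.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURL(ValueError):
    """Raised when a URL must not be handed to a browser command line."""


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to pass to webbrowser.open().

    Raises UnsafeURL otherwise. Nothing is stripped or normalised: a string
    that would need cleaning is treated as hostile rather than repaired.
    """
    if not isinstance(url, str) or not url:
        raise UnsafeURL("URL must be a non-empty str")
    # Core of CVE-2026-4519: a leading '-' (possibly behind whitespace) lets
    # the "URL" be parsed as an option by a browser launched via argv.
    if url.lstrip().startswith("-"):
        raise UnsafeURL("URL must not start with '-'")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise UnsafeURL("URL must not contain whitespace or control characters")
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise UnsafeURL("URL must be absolute (no host)")
    return url


def is_safe(url: str) -> bool:
    """Boolean form of validate_url for callers that prefer not to catch."""
    try:
        validate_url(url)
    except UnsafeURL:
        return False
    return True


def safe_open(url: str, *, opener=webbrowser.open, new: int = 0,
              autoraise: bool = True) -> bool:
    """Validate url and only then open it.

    opener defaults to webbrowser.open; tests and dry runs inject a recording
    callable with the same (url, new, autoraise) signature so nothing launches.
    """
    return opener(validate_url(url), new, autoraise)


def browser_argv(url: str, exe: str = "firefox", args=("%s",)) -> list:
    """What a GenericBrowser-style launcher would pass to the OS.

    Modelled on the stdlib's template substitution (each '%s' in the argument
    list becomes the URL); used only to show the problem, never executed.
    """
    return [exe] + [arg.replace("%s", url) for arg in args]


if __name__ == "__main__":
    for u in ("https://example.com/", "-http://example.com",
              "--remote-debugging-port=9222", " -http://example.com",
              "file:///etc/passwd"):
        if is_safe(u):
            print("OK      ", u)
        else:
            print("REJECTED", repr(u), "would have become argv", browser_argv(u))
```

validate_url deliberately does not trim the input: ' -http://example.com' is rejected outright rather than cleaned up, so the wrapper's decision never depends on how the stdlib or the browser normalises the string. Restricting to http(s) with a host also keeps file:, javascript: and relative paths off the browser command line, which the leading-dash fix alone does not cover.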
Comment by sbelikov (Author, Owner):

Triage result for NiceOS 5.2:

python3 3.12.12-2 should be treated as affected by CVE-2026-4519 unless the downstream package already carries the upstream gh-143930 webbrowser patch.

This issue affects webbrowser.open(): URLs beginning with '-' could be passed to selected browsers in a way that may be interpreted as command-line options. The fixed behavior is to reject URLs with leading dashes.

NiceOS policy decision:

  • Keep Python within the stable NiceOS 5.2 runtime series: 3.12.x.
  • Do not jump to 3.13.x / 3.14.x for this security update.
  • Preferred target: python3 3.12.13 plus the upstream CVE-2026-4519 / gh-143930 backport patch, unless a newer official 3.12.x security release containing this fix is available.
  • Alternative minimal fix: keep 3.12.12 and bump the RPM release with the same backported patch.

Important note:

Python 3.12.13 is an official security release for the legacy 3.12 series, but it predates the public CVE-2026-4519 publication and does not appear to list this CVE in its release security content. Therefore 3.12.13 alone should not be assumed to fix this issue. The downstream package must either include the gh-143930 fix explicitly or update to a later 3.12.x release that includes it.

Suggested policy entry:

pinned_versions:
  python3:
    version_prefix: "3.12."
    reason: "NiceOS 5.2 stable policy: keep Python within the 3.12.x runtime series; cross-series updates require toolchain and reverse-dependency rebuild review"

Validation before closing:

python3 --version
python3 -m test test_webbrowser -v

python3 - <<'PY'
import webbrowser

# Each of these must be refused by a patched webbrowser.open(). On an
# unpatched interpreter the call does not raise: it either hands the string
# to the configured browser or returns False when none is found, and the
# else branch below reports that as VULNERABLE.
bad = ["-http://example.com", "--browser-option", " -http://example.com"]
for url in bad:
    try:
        webbrowser.open(url)
    except Exception as e:
        print(url, "REJECTED", type(e).__name__, str(e))
    else:
        raise SystemExit(f"VULNERABLE: {url!r} was accepted")

print("CVE-2026-4519 webbrowser leading-dash test: OK")
PY

Close this issue as fixed only after rpms/python3, Core/python3, and niceos-package-index confirm the fixed RPM build, and the leading-dash webbrowser.open() test rejects malicious input.

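The validation script in the comment above calls webbrowser.open() directly, so on an unpatched interpreter with a browser configured it would actually launch that browser with the dash-prefixed argument. The following is an added example, not the commenter's script and not CPython code, of the same leading-dash check done without ever reaching a real browser: it registers a recording stand-in as the preferred browser, so a vulnerable interpreter dispatches the string to the recorder instead of to a browser's argv, and a patched one raises before any browser is consulted. It assumes the rejection lives in the module-level webbrowser.open(), as the CVE text states, rather than in an individual browser class; RecordingBrowser, RECORDER_NAME, check_leading_dash and is_fixed are this example's own names, and the cleanup touches the module's private _browsers/_tryorder state.

```python
"""Browser-free regression check for CVE-2026-4519 (added example).

Registers a recording stand-in as the preferred browser, so webbrowser.open()
never reaches a real browser: on an unpatched interpreter the dash-prefixed
string is captured by the recorder instead of landing on a browser's argv,
and on a patched interpreter open() raises before consulting any browser.
RecordingBrowser, RECORDER_NAME, check_leading_dash and is_fixed are this
example's own names.
"""
import webbrowser

RECORDER_NAME = "niceos-recorder"


class RecordingBrowser(webbrowser.BaseBrowser):
    """Stand-in browser: records the URL it is asked to open, launches nothing."""

    def __init__(self):
        super().__init__(RECORDER_NAME)
        self.opened = []

    def open(self, url, new=0, autoraise=True):
        self.opened.append(url)
        return True  # report success so webbrowser.open() tries no other browser


def check_leading_dash(urls=("-http://example.com", "--browser-option",
                             " -http://example.com")):
    """Return {url: outcome} where outcome is "rejected" or "dispatched".

    "rejected"  : webbrowser.open() raised before any browser was consulted,
                  i.e. the fixed behaviour described in the CVE text.
    "dispatched": the string reached the browser object unchanged; with a real
                  browser it would have become a command-line argument.
    """
    recorder = RecordingBrowser()
    # preferred=True puts the recorder first in the try order for this process.
    webbrowser.register(RECORDER_NAME, None, recorder, preferred=True)
    results = {}
    try:
        for url in urls:
            recorder.opened.clear()
            try:
                webbrowser.open(url)
            except Exception:  # exact exception type of the fix is not assumed
                results[url] = "rejected"
            else:
                results[url] = "dispatched" if url in recorder.opened else "unhandled"
    finally:
        # Undo the registration (private module state) so later callers see
        # the normal browser order again.
        webbrowser._browsers.pop(RECORDER_NAME, None)
        webbrowser._tryorder[:] = [n for n in webbrowser._tryorder if n != RECORDER_NAME]
    return results


def is_fixed(results=None) -> bool:
    """True when every dash-prefixed candidate was rejected."""
    results = check_leading_dash() if results is None else results
    return all(v == "rejected" for v in results.values())


if __name__ == "__main__":
    outcome = check_leading_dash()
    for url, verdict in outcome.items():
        print(f"{verdict:10} {url!r}")
    raise SystemExit(0 if is_fixed(outcome) else 1)
```

Run as a script it exits 0 only when all three candidates are rejected, which makes it usable as the "leading-dash webbrowser.open() test" in the close criteria without any display or browser on the build host; a benign URL such as https://example.com/ reports "dispatched" on both patched and unpatched interpreters, which confirms the recorder was actually first in the try order.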