PR#1: Add patch for CVE-2025-69872 - rpms/python-diskcache

rpms / python-diskcache

#1 Add patch for CVE-2025-69872

Closed a month ago by fed500. Opened a month ago by samdoran.

rpms/ samdoran/python-diskcache patch-pickle into rawhide

Add patch for CVE-2025-69872

Sam Doran • a month ago

59e1e8b

0001-CVE-2025-69872-unsafe-pickle.patch

file added

+31

		`@@ -0,0 +1,31 @@`
		`+ diff --git diskcache/core.py diskcache/core.py`
		`+ index 7a3d23b..6901d96 100644`
		`+ --- diskcache/core.py`
		`+ +++ diskcache/core.py`
		`+ @@ -232,7 +232,7 @@ class Disk:`
		`+`
		`+ for count in range(1, 11):`
		`+ with cl.suppress(OSError):`
		`+ - os.makedirs(full_dir)`
		`+ + os.makedirs(full_dir, 0o700)`
		`+`
		`+ try:`
		`+ # Another cache may have deleted the directory before`
		`+ @@ -417,7 +417,7 @@ def args_to_key(base, args, kwargs, typed, ignore):`
		`+ class Cache:`
		`+ """Disk and file backed cache."""`
		`+`
		`+ - def __init__(self, directory=None, timeout=60, disk=Disk, **settings):`
		`+ + def __init__(self, directory=None, timeout=60, disk=JSONDisk, **settings):`
		`+ """Initialize cache instance.`
		`+`
		`+ :param str directory: cache directory`
		`+ @@ -444,7 +444,7 @@ class Cache:`
		`+`
		`+ if not op.isdir(directory):`
		`+ try:`
		`+ - os.makedirs(directory, 0o755)`
		`+ + os.makedirs(directory, 0o700)`
		`+ except OSError as error:`
		`+ if error.errno != errno.EEXIST:`
		`+ raise EnvironmentError(`

python-diskcache.spec

file modified

+6 -1

		`@@ -13,6 +13,11 @@`
		`# Pypi version does not have tests`
		`Source0: %{forgesource}`

		`+ # Mitigate the risk of unsafe pickel deserialization.`
		`+ # This is a modified version of the upstream patch that changes the default`
		`+ # to a safe alternative.`
		`+ # https://github.com/grantjenks/python-diskcache/pull/359.patch`
		`+ Patch: 0001-CVE-2025-69872-unsafe-pickle.patch`

		`BuildRequires: python3-devel`
		`BuildRequires: python3-tox`
		`@@ -52,7 +57,7 @@`

		`%files -n python3-%{srcname} -f %{pyproject_files}`
		`%doc README.rst`
		`-`
		`+`
		`%changelog`
		`* Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-11`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild`

samdoran commented a month ago

This is a slightly modified version of the upstream patch #359. The additional change in this patch sets the default disk to JSONDisk which is safer because it does not use pickle for storing cached values.

The upstream project is very dormant and I do not expect the patch to be merged any time soon. Patching in Fedora addresses the vulnerability for Fedora users.