diff --git a/103213-fetch-CONFIG_ARGS.patch b/103213-fetch-CONFIG_ARGS.patch deleted file mode 100644 index 05e487a..0000000 --- a/103213-fetch-CONFIG_ARGS.patch +++ /dev/null @@ -1,37 +0,0 @@ -From d3217d12eee9eefad8444e80545b82b2a8c2be4c Mon Sep 17 00:00:00 2001 -From: Ijtaba Hussain -Date: Mon, 3 Apr 2023 17:28:32 +0500 -Subject: [PATCH 1/3] Fetch CONFIG_ARGS from original python instance - -instead of fetching from intermediate instance. As "make clean" is called -against the intermediate instance, the build directory is cleared and the -config arguments lookup fails with a ModuleNotFoundError ---- - Misc/NEWS.d/next/Tools-Demos/2023-04-05-07-19-36.gh-issue-103186.yEozgK.rst | 2 ++ - Tools/freeze/test/freeze.py | 3 +-- - 2 files changed, 3 insertions(+), 2 deletions(-) - ---- /dev/null -+++ b/Misc/NEWS.d/next/Tools-Demos/2023-04-05-07-19-36.gh-issue-103186.yEozgK.rst -@@ -0,0 +1,2 @@ -+``freeze`` now fetches ``CONFIG_ARGS`` from the original CPython instance -+the Makefile uses to call utility scripts. Patch by Ijtaba Hussain. ---- a/Tools/freeze/test/freeze.py -+++ b/Tools/freeze/test/freeze.py -@@ -96,7 +96,6 @@ def copy_source_tree(newroot, oldroot): - if os.path.exists(os.path.join(newroot, 'Makefile')): - _run_quiet([MAKE, 'clean'], newroot) - -- - def get_makefile_var(builddir, name): - regex = re.compile(rf'^{name} *=\s*(.*?)\s*$') - filename = os.path.join(builddir, 'Makefile') -@@ -153,7 +152,7 @@ def prepare(script=None, outdir=None): - print(f'configuring python in {builddir}...') - cmd = [ - os.path.join(srcdir, 'configure'), -- *shlex.split(get_config_var(srcdir, 'CONFIG_ARGS') or ''), -+ *shlex.split(get_config_var(SRCDIR, 'CONFIG_ARGS') or ''), - ] - ensure_opt(cmd, 'cache-file', os.path.join(outdir, 'python-config.cache')) - prefix = os.path.join(outdir, 'python-installation') diff --git a/CVE-2023-27043-email-parsing-errors.patch b/CVE-2023-27043-email-parsing-errors.patch index 4e19292..4fad530 100644 --- a/CVE-2023-27043-email-parsing-errors.patch +++ b/CVE-2023-27043-email-parsing-errors.patch @@ -1,74 +1,189 @@ --- - Doc/library/email.utils.rst | 26 +++ - Lib/email/utils.py | 63 +++++++ - Lib/test/test_email/test_email.py | 81 +++++++++- - Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 - 4 files changed, 164 insertions(+), 10 deletions(-) + Doc/library/email.utils.rst | 19 - + Lib/email/utils.py | 151 +++++++- + Lib/test/test_email/test_email.py | 187 +++++++++- + Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 + 4 files changed, 344 insertions(+), 21 deletions(-) -Index: Python-3.11.4/Doc/library/email.utils.rst +Index: Python-3.11.8/Doc/library/email.utils.rst =================================================================== ---- Python-3.11.4.orig/Doc/library/email.utils.rst -+++ Python-3.11.4/Doc/library/email.utils.rst -@@ -67,6 +67,11 @@ of the new API. +--- Python-3.11.8.orig/Doc/library/email.utils.rst ++++ Python-3.11.8/Doc/library/email.utils.rst +@@ -60,13 +60,18 @@ of the new API. + begins with angle brackets, they are stripped off. + + +-.. function:: parseaddr(address) ++.. function:: parseaddr(address, *, strict=True) + + Parse address -- which should be the value of some address-containing field such + as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and *email address* parts. Returns a tuple of that information, unless the parse fails, in which case a 2-tuple of ``('', '')`` is returned. -+ .. versionchanged:: 3.12 -+ For security reasons, addresses that were ambiguous and could parse into -+ multiple different addresses now cause ``('', '')`` to be returned -+ instead of only one of the *potential* addresses. ++ If *strict* is true, use a strict parser which rejects malformed inputs. ++ ++ .. versionchanged:: 3.13 ++ Add *strict* optional parameter and reject malformed inputs by default. + .. function:: formataddr(pair, charset='utf-8') -@@ -89,7 +94,7 @@ of the new API. +@@ -84,12 +89,15 @@ of the new API. + Added the *charset* option. + + +-.. function:: getaddresses(fieldvalues) ++.. function:: getaddresses(fieldvalues, *, strict=True) + This method returns a list of 2-tuples of the form returned by ``parseaddr()``. *fieldvalues* is a sequence of header field values as might be returned by - :meth:`Message.get_all `. Here's a simple +- :meth:`Message.get_all `. Here's a simple - example that gets all the recipients of a message:: -+ example that gets all the recipients of a message: ++ :meth:`Message.get_all `. ++ ++ If *strict* is true, use a strict parser which rejects malformed inputs. ++ ++ Here's a simple example that gets all the recipients of a message:: from email.utils import getaddresses -@@ -99,6 +104,25 @@ of the new API. +@@ -99,6 +107,9 @@ of the new API. resent_ccs = msg.get_all('resent-cc', []) all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) -+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` -+ is returned in its place. Other errors in parsing the list of -+ addresses such as a fieldvalue seemingly parsing into multiple -+ addresses may result in a list containing a single empty 2-tuple -+ ``[('', '')]`` being returned rather than returning potentially -+ invalid output. -+ -+ Example malformed input parsing: -+ -+ .. doctest:: -+ -+ >>> from email.utils import getaddresses -+ >>> getaddresses(['alice@example.com ', 'me@example.com']) -+ [('', '')] -+ -+ .. versionchanged:: 3.12 -+ The 2-tuple of ``('', '')`` in the returned values when parsing -+ fails were added as to address a security issue. ++ .. versionchanged:: 3.13 ++ Add *strict* optional parameter and reject malformed inputs by default. + .. function:: parsedate(date) -Index: Python-3.11.4/Lib/email/utils.py +Index: Python-3.11.8/Lib/email/utils.py =================================================================== ---- Python-3.11.4.orig/Lib/email/utils.py -+++ Python-3.11.4/Lib/email/utils.py -@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'): +--- Python-3.11.8.orig/Lib/email/utils.py ++++ Python-3.11.8/Lib/email/utils.py +@@ -48,6 +48,7 @@ TICK = "'" + specialsre = re.compile(r'[][\\()<>@,:;".]') + escapesre = re.compile(r'[\\"]') + ++ + def _has_surrogates(s): + """Return True if s may contain surrogate-escaped binary data.""" + # This check is based on the fact that unless there are surrogates, utf8 +@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'): return address ++def _iter_escaped_chars(addr): ++ pos = 0 ++ escape = False ++ for pos, ch in enumerate(addr): ++ if escape: ++ yield (pos, '\\' + ch) ++ escape = False ++ elif ch == '\\': ++ escape = True ++ else: ++ yield (pos, ch) ++ if escape: ++ yield (pos, '\\') ++ ++ ++def _strip_quoted_realnames(addr): ++ """Strip real names between quotes.""" ++ if '"' not in addr: ++ # Fast path ++ return addr ++ ++ start = 0 ++ open_pos = None ++ result = [] ++ for pos, ch in _iter_escaped_chars(addr): ++ if ch == '"': ++ if open_pos is None: ++ open_pos = pos ++ else: ++ if start != open_pos: ++ result.append(addr[start:open_pos]) ++ start = pos + 1 ++ open_pos = None + +-def getaddresses(fieldvalues): +- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" +- all = COMMASPACE.join(str(v) for v in fieldvalues) +- a = _AddressList(all) +- return a.addresslist ++ if start < len(addr): ++ result.append(addr[start:]) ++ ++ return ''.join(result) ++ ++ ++supports_strict_parsing = True ++ ++def getaddresses(fieldvalues, *, strict=True): ++ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. ++ ++ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in ++ its place. ++ ++ If strict is true, use a strict parser which rejects malformed inputs. ++ """ ++ ++ # If strict is true, if the resulting list of parsed addresses is greater ++ # than the number of fieldvalues in the input list, a parsing error has ++ # occurred and consequently a list containing a single empty 2-tuple [('', ++ # '')] is returned in its place. This is done to avoid invalid output. ++ # ++ # Malformed input: getaddresses(['alice@example.com ']) ++ # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')] ++ # Safe output: [('', '')] ++ ++ if not strict: ++ all = COMMASPACE.join(str(v) for v in fieldvalues) ++ a = _AddressList(all) ++ return a.addresslist ++ ++ fieldvalues = [str(v) for v in fieldvalues] ++ fieldvalues = _pre_parse_validation(fieldvalues) ++ addr = COMMASPACE.join(fieldvalues) ++ a = _AddressList(addr) ++ result = _post_parse_validation(a.addresslist) ++ ++ # Treat output as invalid if the number of addresses is not equal to the ++ # expected number of addresses. ++ n = 0 ++ for v in fieldvalues: ++ # When a comma is used in the Real Name part it is not a deliminator. ++ # So strip those out before counting the commas. ++ v = _strip_quoted_realnames(v) ++ # Expected number of addresses: 1 + number of commas ++ n += 1 + v.count(',') ++ if len(result) != n: ++ return [('', '')] ++ ++ return result ++ ++ ++def _check_parenthesis(addr): ++ # Ignore parenthesis in quoted real names. ++ addr = _strip_quoted_realnames(addr) ++ ++ opens = 0 ++ for pos, ch in _iter_escaped_chars(addr): ++ if ch == '(': ++ opens += 1 ++ elif ch == ')': ++ opens -= 1 ++ if opens < 0: ++ return False ++ return (opens == 0) ++ ++ +def _pre_parse_validation(email_header_fields): + accepted_values = [] + for v in email_header_fields: -+ s = v.replace('\\(', '').replace('\\)', '') -+ if s.count('(') != s.count(')'): ++ if not _check_parenthesis(v): + v = "('', '')" + accepted_values.append(v) + @@ -85,46 +200,32 @@ Index: Python-3.11.4/Lib/email/utils.py + accepted_values.append(v) + + return accepted_values -+ - - def getaddresses(fieldvalues): -- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -- all = COMMASPACE.join(str(v) for v in fieldvalues) -+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. -+ -+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in -+ its place. -+ -+ If the resulting list of parsed address is not the same as the number of -+ fieldvalues in the input list a parsing error has occurred. A list -+ containing a single empty 2-tuple [('', '')] is returned in its place. -+ This is done to avoid invalid output. -+ """ -+ fieldvalues = [str(v) for v in fieldvalues] -+ fieldvalues = _pre_parse_validation(fieldvalues) -+ all = COMMASPACE.join(v for v in fieldvalues) - a = _AddressList(all) -- return a.addresslist -+ result = _post_parse_validation(a.addresslist) -+ -+ n = 0 -+ for v in fieldvalues: -+ n += v.count(',') + 1 -+ -+ if len(result) != n: -+ return [('', '')] -+ -+ return result def _format_timetuple_and_zone(timetuple, zone): -@@ -212,9 +254,18 @@ def parseaddr(addr): +@@ -205,16 +321,33 @@ def parsedate_to_datetime(data): + tzinfo=datetime.timezone(datetime.timedelta(seconds=tz))) + + +-def parseaddr(addr): ++def parseaddr(addr, *, strict=True): + """ + Parse addr into its constituent realname and email address parts. + Return a tuple of realname and email address, unless the parse fails, in which case return a 2-tuple of ('', ''). ++ ++ If strict is True, use a strict parser which rejects malformed inputs. """ - addrs = _AddressList(addr).addresslist - if not addrs: - return '', '' ++ if not strict: ++ addrs = _AddressList(addr).addresslist ++ if not addrs: ++ return ('', '') ++ return addrs[0] ++ + if isinstance(addr, list): + addr = addr[0] + @@ -140,110 +241,229 @@ Index: Python-3.11.4/Lib/email/utils.py return addrs[0] -Index: Python-3.11.4/Lib/test/test_email/test_email.py +Index: Python-3.11.8/Lib/test/test_email/test_email.py =================================================================== ---- Python-3.11.4.orig/Lib/test/test_email/test_email.py -+++ Python-3.11.4/Lib/test/test_email/test_email.py -@@ -3320,15 +3320,90 @@ Foo +--- Python-3.11.8.orig/Lib/test/test_email/test_email.py ++++ Python-3.11.8/Lib/test/test_email/test_email.py +@@ -17,6 +17,7 @@ from unittest.mock import patch + + import email + import email.policy ++import email.utils + + from email.charset import Charset + from email.generator import Generator, DecodedGenerator, BytesGenerator +@@ -3321,15 +3322,137 @@ Foo [('Al Person', 'aperson@dom.ain'), ('Bud Person', 'bperson@dom.ain')]) -+ def test_getaddresses_parsing_errors(self): -+ """Test for parsing errors from CVE-2023-27043""" -+ eq = self.assertEqual -+ eq(utils.getaddresses(['alice@example.org(']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org)']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org<']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org>']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org@']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org,']), -+ [('', 'alice@example.org'), ('', 'bob@example.com')]) -+ eq(utils.getaddresses(['alice@example.org;']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org:']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org.']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org"']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org[']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org]']), -+ [('', '')]) ++ def test_parsing_errors(self): ++ """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056""" ++ alice = 'alice@example.org' ++ bob = 'bob@example.com' ++ empty = ('', '') + -+ def test_parseaddr_parsing_errors(self): -+ """Test for parsing errors from CVE-2023-27043""" -+ eq = self.assertEqual -+ eq(utils.parseaddr(['alice@example.org(']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org)']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org<']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org>']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org@']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org,']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org;']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org:']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org.']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org"']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org[']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org]']), -+ ('', '')) ++ # Test utils.getaddresses() and utils.parseaddr() on malformed email ++ # addresses: default behavior (strict=True) rejects malformed address, ++ # and strict=False which tolerates malformed address. ++ for invalid_separator, expected_non_strict in ( ++ ('(', [(f'<{bob}>', alice)]), ++ (')', [('', alice), empty, ('', bob)]), ++ ('<', [('', alice), empty, ('', bob), empty]), ++ ('>', [('', alice), empty, ('', bob)]), ++ ('[', [('', f'{alice}[<{bob}>]')]), ++ (']', [('', alice), empty, ('', bob)]), ++ ('@', [empty, empty, ('', bob)]), ++ (';', [('', alice), empty, ('', bob)]), ++ (':', [('', alice), ('', bob)]), ++ ('.', [('', alice + '.'), ('', bob)]), ++ ('"', [('', alice), ('', f'<{bob}>')]), ++ ): ++ address = f'{alice}{invalid_separator}<{bob}>' ++ with self.subTest(address=address): ++ self.assertEqual(utils.getaddresses([address]), ++ [empty]) ++ self.assertEqual(utils.getaddresses([address], strict=False), ++ expected_non_strict) ++ ++ self.assertEqual(utils.parseaddr([address]), ++ empty) ++ self.assertEqual(utils.parseaddr([address], strict=False), ++ ('', address)) ++ ++ # Comma (',') is treated differently depending on strict parameter. ++ # Comma without quotes. ++ address = f'{alice},<{bob}>' ++ self.assertEqual(utils.getaddresses([address]), ++ [('', alice), ('', bob)]) ++ self.assertEqual(utils.getaddresses([address], strict=False), ++ [('', alice), ('', bob)]) ++ self.assertEqual(utils.parseaddr([address]), ++ empty) ++ self.assertEqual(utils.parseaddr([address], strict=False), ++ ('', address)) ++ ++ # Real name between quotes containing comma. ++ address = '"Alice, alice@example.org" ' ++ expected_strict = ('Alice, alice@example.org', 'bob@example.com') ++ self.assertEqual(utils.getaddresses([address]), [expected_strict]) ++ self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict]) ++ self.assertEqual(utils.parseaddr([address]), expected_strict) ++ self.assertEqual(utils.parseaddr([address], strict=False), ++ ('', address)) ++ ++ # Valid parenthesis in comments. ++ address = 'alice@example.org (Alice)' ++ expected_strict = ('Alice', 'alice@example.org') ++ self.assertEqual(utils.getaddresses([address]), [expected_strict]) ++ self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict]) ++ self.assertEqual(utils.parseaddr([address]), expected_strict) ++ self.assertEqual(utils.parseaddr([address], strict=False), ++ ('', address)) ++ ++ # Invalid parenthesis in comments. ++ address = 'alice@example.org )Alice(' ++ self.assertEqual(utils.getaddresses([address]), [empty]) ++ self.assertEqual(utils.getaddresses([address], strict=False), ++ [('', 'alice@example.org'), ('', ''), ('', 'Alice')]) ++ self.assertEqual(utils.parseaddr([address]), empty) ++ self.assertEqual(utils.parseaddr([address], strict=False), ++ ('', address)) ++ ++ # Two addresses with quotes separated by comma. ++ address = '"Jane Doe" , "John Doe" ' ++ self.assertEqual(utils.getaddresses([address]), ++ [('Jane Doe', 'jane@example.net'), ++ ('John Doe', 'john@example.net')]) ++ self.assertEqual(utils.getaddresses([address], strict=False), ++ [('Jane Doe', 'jane@example.net'), ++ ('John Doe', 'john@example.net')]) ++ self.assertEqual(utils.parseaddr([address]), empty) ++ self.assertEqual(utils.parseaddr([address], strict=False), ++ ('', address)) ++ ++ # Test email.utils.supports_strict_parsing attribute ++ self.assertEqual(email.utils.supports_strict_parsing, True) + def test_getaddresses_nasty(self): - eq = self.assertEqual - eq(utils.getaddresses(['foo: ;']), [('', '')]) +- eq = self.assertEqual +- eq(utils.getaddresses(['foo: ;']), [('', '')]) - eq(utils.getaddresses( - ['[]*-- =~$']), - [('', ''), ('', ''), ('', '*--')]) -+ eq(utils.getaddresses(['[]*-- =~$']), [('', '')]) - eq(utils.getaddresses( - ['foo: ;', '"Jason R. Mastaler" ']), - [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) -+ eq(utils.getaddresses( -+ [r'Pete(A nice \) chap) ']), -+ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]) -+ eq(utils.getaddresses( -+ ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']), -+ [('', '')]) -+ eq(utils.getaddresses( -+ ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']), -+ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]) -+ eq(utils.getaddresses( -+ ['John Doe ']), -+ [('John Doe (comment)', 'jdoe@machine.example')]) -+ eq(utils.getaddresses( -+ ['"Mary Smith: Personal Account" ']), -+ [('Mary Smith: Personal Account', 'smith@home.example')]) -+ eq(utils.getaddresses( -+ ['Undisclosed recipients:;']), -+ [('', '')]) -+ eq(utils.getaddresses( -+ [r', "Giant; \"Big\" Box" ']), -+ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]) +- eq(utils.getaddresses( +- ['foo: ;', '"Jason R. Mastaler" ']), +- [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) ++ for addresses, expected in ( ++ (['"Sürname, Firstname" '], ++ [('Sürname, Firstname', 'to@example.com')]), ++ ++ (['foo: ;'], ++ [('', '')]), ++ ++ (['foo: ;', '"Jason R. Mastaler" '], ++ [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]), ++ ++ ([r'Pete(A nice \) chap) '], ++ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]), ++ ++ (['(Empty list)(start)Undisclosed recipients :(nobody(I know))'], ++ [('', '')]), ++ ++ (['Mary <@machine.tld:mary@example.net>, , jdoe@test . example'], ++ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]), ++ ++ (['John Doe '], ++ [('John Doe (comment)', 'jdoe@machine.example')]), ++ ++ (['"Mary Smith: Personal Account" '], ++ [('Mary Smith: Personal Account', 'smith@home.example')]), ++ ++ (['Undisclosed recipients:;'], ++ [('', '')]), ++ ++ ([r', "Giant; \"Big\" Box" '], ++ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]), ++ ): ++ with self.subTest(addresses=addresses): ++ self.assertEqual(utils.getaddresses(addresses), ++ expected) ++ self.assertEqual(utils.getaddresses(addresses, strict=False), ++ expected) ++ ++ addresses = ['[]*-- =~$'] ++ self.assertEqual(utils.getaddresses(addresses), ++ [('', '')]) ++ self.assertEqual(utils.getaddresses(addresses, strict=False), ++ [('', ''), ('', ''), ('', '*--')]) def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" -Index: Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst +@@ -3520,6 +3643,54 @@ multipart/report + m = cls(*constructor, policy=email.policy.default) + self.assertIs(m.policy, email.policy.default) + ++ def test_iter_escaped_chars(self): ++ self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')), ++ [(0, 'a'), ++ (2, '\\\\'), ++ (3, 'b'), ++ (5, '\\"'), ++ (6, 'c'), ++ (8, '\\\\'), ++ (9, '"'), ++ (10, 'd')]) ++ self.assertEqual(list(utils._iter_escaped_chars('a\\')), ++ [(0, 'a'), (1, '\\')]) ++ ++ def test_strip_quoted_realnames(self): ++ def check(addr, expected): ++ self.assertEqual(utils._strip_quoted_realnames(addr), expected) ++ ++ check('"Jane Doe" , "John Doe" ', ++ ' , ') ++ check(r'"Jane \"Doe\"." ', ++ ' ') ++ ++ # special cases ++ check(r'before"name"after', 'beforeafter') ++ check(r'before"name"', 'before') ++ check(r'b"name"', 'b') # single char ++ check(r'"name"after', 'after') ++ check(r'"name"a', 'a') # single char ++ check(r'"name"', '') ++ ++ # no change ++ for addr in ( ++ 'Jane Doe , John Doe ', ++ 'lone " quote', ++ ): ++ self.assertEqual(utils._strip_quoted_realnames(addr), addr) ++ ++ ++ def test_check_parenthesis(self): ++ addr = 'alice@example.net' ++ self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)')) ++ self.assertFalse(utils._check_parenthesis(f'{addr} )Alice(')) ++ self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))')) ++ self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)')) ++ ++ # Ignore real name between quotes ++ self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}')) ++ + + # Test the iterator/generators + class TestIterators(TestEmailBase): +Index: Python-3.11.8/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst =================================================================== --- /dev/null -+++ Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -@@ -0,0 +1,4 @@ -+CVE-2023-27043: Prevent :func:`email.utils.parseaddr` -+and :func:`email.utils.getaddresses` from returning the realname portion of an -+invalid RFC2822 email header in the email address portion of the 2-tuple -+returned after being parsed by :class:`email._parseaddr.AddressList`. ++++ Python-3.11.8/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst +@@ -0,0 +1,8 @@ ++:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now ++return ``('', '')`` 2-tuples in more situations where invalid email ++addresses are encountered instead of potentially inaccurate values. Add ++optional *strict* parameter to these two functions: use ``strict=False`` to ++get the old behavior, accept malformed inputs. ++``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check ++if the *strict* paramater is available. Patch by Thomas Dwyer and Victor ++Stinner to improve the CVE-2023-27043 fix. diff --git a/CVE-2023-6597-TempDir-cleaning-symlink.patch b/CVE-2023-6597-TempDir-cleaning-symlink.patch new file mode 100644 index 0000000..ccb4e52 --- /dev/null +++ b/CVE-2023-6597-TempDir-cleaning-symlink.patch @@ -0,0 +1,165 @@ +--- + Lib/tempfile.py | 16 + + Lib/test/test_tempfile.py | 113 ++++++++++ + Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst | 2 + 3 files changed, 131 insertions(+) + +--- a/Lib/tempfile.py ++++ b/Lib/tempfile.py +@@ -286,6 +286,22 @@ def _resetperms(path): + _dont_follow_symlinks(chflags, path, 0) + _dont_follow_symlinks(_os.chmod, path, 0o700) + ++def _dont_follow_symlinks(func, path, *args): ++ # Pass follow_symlinks=False, unless not supported on this platform. ++ if func in _os.supports_follow_symlinks: ++ func(path, *args, follow_symlinks=False) ++ elif _os.name == 'nt' or not _os.path.islink(path): ++ func(path, *args) ++ ++def _resetperms(path): ++ try: ++ chflags = _os.chflags ++ except AttributeError: ++ pass ++ else: ++ _dont_follow_symlinks(chflags, path, 0) ++ _dont_follow_symlinks(_os.chmod, path, 0o700) ++ + + # User visible interfaces. + +--- a/Lib/test/test_tempfile.py ++++ b/Lib/test/test_tempfile.py +@@ -1673,6 +1673,103 @@ class TestTemporaryDirectory(BaseTestCas + new_flags = os.stat(dir1).st_flags + self.assertEqual(new_flags, old_flags) + ++ @os_helper.skip_unless_symlink ++ def test_cleanup_with_symlink_modes(self): ++ # cleanup() should not follow symlinks when fixing mode bits (#91133) ++ with self.do_create(recurse=0) as d2: ++ file1 = os.path.join(d2, 'file1') ++ open(file1, 'wb').close() ++ dir1 = os.path.join(d2, 'dir1') ++ os.mkdir(dir1) ++ for mode in range(8): ++ mode <<= 6 ++ with self.subTest(mode=format(mode, '03o')): ++ def test(target, target_is_directory): ++ d1 = self.do_create(recurse=0) ++ symlink = os.path.join(d1.name, 'symlink') ++ os.symlink(target, symlink, ++ target_is_directory=target_is_directory) ++ try: ++ os.chmod(symlink, mode, follow_symlinks=False) ++ except NotImplementedError: ++ pass ++ try: ++ os.chmod(symlink, mode) ++ except FileNotFoundError: ++ pass ++ os.chmod(d1.name, mode) ++ d1.cleanup() ++ self.assertFalse(os.path.exists(d1.name)) ++ ++ with self.subTest('nonexisting file'): ++ test('nonexisting', target_is_directory=False) ++ with self.subTest('nonexisting dir'): ++ test('nonexisting', target_is_directory=True) ++ ++ with self.subTest('existing file'): ++ os.chmod(file1, mode) ++ old_mode = os.stat(file1).st_mode ++ test(file1, target_is_directory=False) ++ new_mode = os.stat(file1).st_mode ++ self.assertEqual(new_mode, old_mode, ++ '%03o != %03o' % (new_mode, old_mode)) ++ ++ with self.subTest('existing dir'): ++ os.chmod(dir1, mode) ++ old_mode = os.stat(dir1).st_mode ++ test(dir1, target_is_directory=True) ++ new_mode = os.stat(dir1).st_mode ++ self.assertEqual(new_mode, old_mode, ++ '%03o != %03o' % (new_mode, old_mode)) ++ ++ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags') ++ @os_helper.skip_unless_symlink ++ def test_cleanup_with_symlink_flags(self): ++ # cleanup() should not follow symlinks when fixing flags (#91133) ++ flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK ++ self.check_flags(flags) ++ ++ with self.do_create(recurse=0) as d2: ++ file1 = os.path.join(d2, 'file1') ++ open(file1, 'wb').close() ++ dir1 = os.path.join(d2, 'dir1') ++ os.mkdir(dir1) ++ def test(target, target_is_directory): ++ d1 = self.do_create(recurse=0) ++ symlink = os.path.join(d1.name, 'symlink') ++ os.symlink(target, symlink, ++ target_is_directory=target_is_directory) ++ try: ++ os.chflags(symlink, flags, follow_symlinks=False) ++ except NotImplementedError: ++ pass ++ try: ++ os.chflags(symlink, flags) ++ except FileNotFoundError: ++ pass ++ os.chflags(d1.name, flags) ++ d1.cleanup() ++ self.assertFalse(os.path.exists(d1.name)) ++ ++ with self.subTest('nonexisting file'): ++ test('nonexisting', target_is_directory=False) ++ with self.subTest('nonexisting dir'): ++ test('nonexisting', target_is_directory=True) ++ ++ with self.subTest('existing file'): ++ os.chflags(file1, flags) ++ old_flags = os.stat(file1).st_flags ++ test(file1, target_is_directory=False) ++ new_flags = os.stat(file1).st_flags ++ self.assertEqual(new_flags, old_flags) ++ ++ with self.subTest('existing dir'): ++ os.chflags(dir1, flags) ++ old_flags = os.stat(dir1).st_flags ++ test(dir1, target_is_directory=True) ++ new_flags = os.stat(dir1).st_flags ++ self.assertEqual(new_flags, old_flags) ++ + @support.cpython_only + def test_del_on_collection(self): + # A TemporaryDirectory is deleted when garbage collected +@@ -1847,6 +1944,22 @@ class TestTemporaryDirectory(BaseTestCas + + def check_flags(self, flags): + # skip the test if these flags are not supported (ex: FreeBSD 13) ++ filename = os_helper.TESTFN ++ try: ++ open(filename, "w").close() ++ try: ++ os.chflags(filename, flags) ++ except OSError as exc: ++ # "OSError: [Errno 45] Operation not supported" ++ self.skipTest(f"chflags() doesn't support flags " ++ f"{flags:#b}: {exc}") ++ else: ++ os.chflags(filename, 0) ++ finally: ++ os_helper.unlink(filename) ++ ++ def check_flags(self, flags): ++ # skip the test if these flags are not supported (ex: FreeBSD 13) + filename = os_helper.TESTFN + try: + open(filename, "w").close() +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst +@@ -0,0 +1,2 @@ ++Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no longer ++dereferences symlinks when working around file system permission errors. diff --git a/F00251-change-user-install-location.patch b/F00251-change-user-install-location.patch index 92f3235..cfbe541 100644 --- a/F00251-change-user-install-location.patch +++ b/F00251-change-user-install-location.patch @@ -13,8 +13,10 @@ Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe Lib/site.py | 9 ++++++++- 2 files changed, 21 insertions(+), 3 deletions(-) ---- a/Lib/distutils/command/install.py -+++ b/Lib/distutils/command/install.py +Index: Python-3.11.8/Lib/distutils/command/install.py +=================================================================== +--- Python-3.11.8.orig/Lib/distutils/command/install.py ++++ Python-3.11.8/Lib/distutils/command/install.py @@ -441,8 +441,19 @@ class install(Command): raise DistutilsOptionError( "must not supply exec-prefix without prefix") @@ -37,9 +39,11 @@ Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe else: if self.exec_prefix is None: ---- a/Lib/site.py -+++ b/Lib/site.py -@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None): +Index: Python-3.11.8/Lib/site.py +=================================================================== +--- Python-3.11.8.orig/Lib/site.py ++++ Python-3.11.8/Lib/site.py +@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None): return sitepackages def addsitepackages(known_paths, prefixes=None): diff --git a/Python-3.11.5.tar.xz b/Python-3.11.5.tar.xz deleted file mode 100644 index 19824da..0000000 --- a/Python-3.11.5.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:85cd12e9cf1d6d5a45f17f7afe1cebe7ee628d3282281c492e86adf636defa3f -size 20053580 diff --git a/Python-3.11.5.tar.xz.asc b/Python-3.11.5.tar.xz.asc deleted file mode 100644 index aa1a63d..0000000 --- a/Python-3.11.5.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmTnS9sACgkQ/+h0BBaL -2EeG8g//Q6EC79SSFl4BPb064d8X1q8agfLN+D07N6ULsaOL1baOClLbMxiCgquQ -R1CVzEXc0osL25Xw/7rTIBO0tCSS2yNcQ3GMuetBO4wfofDvs9V2ydaVQdrIHEQm -OTOveioF9TOaQ/zozi9Hecl4RY289kCD64sWNkwPYBJzO9KQD/UGRS/b5a4CGKyP -GSQEFdfevYsuLxLtwNh1z8af1LKRGhuWoZOBhDgpz4foH4EQdz80sssXzm2vG3tS -hAeniPphjZyRfl8kC1C86M/hH08S3h4bf/LF/OQ0OYUrwOquqOsLlz03XzJ+COGK -nBa/CGsFrxeby2oI/XF8YZrFzt9LKyWYc2p+AIU+u2EnYwOmAkrE4QaczqOV8ldD -UvfZLTeMVG/Q6JGkNS/OyM3SZoVKDdGJlg5yVAQtbQjdsB5QjVDcysLhhZ+qnuJv -pnQ6anbbX5r4X4ji/2Uar5cwO/jf7QenTKLtgGY67Q2oRE20w6F5rbYHEdO4a4MM -OkI/0pUaU5MGRJfowwtcD5AbWPKo1XXqw2UY8p+biEaVQOj+kWhoB8YA5Qz1utHJ -GiPP69oDIjfn3sPMxB/C1pBdB/m3i8za58b+G3aYtAWWP1q0abaHqPusACotvxPp -3IvB3ryLlTyUYqqTiDp9wgYh2Nr+a9b6i6yW0ptcdycnzDWC1/E= -=Lzjg ------END PGP SIGNATURE----- diff --git a/Python-3.11.8.tar.xz b/Python-3.11.8.tar.xz new file mode 100644 index 0000000..89025e4 --- /dev/null +++ b/Python-3.11.8.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e06008c8901924395bc1da303eac567a729ae012baa182ab39269f650383bb3 +size 20041256 diff --git a/Python-3.11.8.tar.xz.asc b/Python-3.11.8.tar.xz.asc new file mode 100644 index 0000000..0b5cdd3 --- /dev/null +++ b/Python-3.11.8.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmXCppEACgkQ/+h0BBaL +2Edi6g//dRagLHlrmPyCrch7ZqAazLMXTHb3cerXg41QEqfwIl7osk1HnqObBgVN +w8vgXy9ZlxWwv+cWvwrNLY1AWEfarhwRzWLkikHwycBIIgep1HmSvyU4wLKaN7mI +c/LxGHfQZ6suu3gCVmRFBoB/ACpT0P5qvDpoUehrADE6wCqs0vbRiW/InLCTUpOy +zZ+5ncK302JtafJkjIGf2VNB4yQATk/v7fO/z43sEQqhvzgtlWlXNmtCKshGBIt1 +mJpLEs8gCq97jObfbN7FkC3Ti/kEan7PbjDzsDKcBv/jJudvWywHtMzplgbjtOYG +AgBM8bXbVC119BwmfBpvAxgsVKmmGi9d2McJUPOcIHKiHCb17fU0srRbSV47rE9N +PWEHgQC2ICbdT9N1oimOEp16eYt5omFWfDy5C91oqUnBFtz8wqiNmyeQimegMgBe +cDpOY73C2H7Vi6rX9EbyrG+LOkfJ6Vt5rTCa+zbAPy2ihz/ajA7UNH72t1uuzFQZ +pPdUBNhtGxr5EB3zAqBxDuoh9DMOmDZACbT+npHR3Y7KaXTHYIe7Ot8CCrLpH+Ra +8Yt6/CCD7KnsCWz6pfyH+ulIL4vw+dPnC809+neiXhiUuM5qiIr9K7HidzXi0Lwj +sb8MVErS8dURFZP48e1dfbyJqsAvAosiGmjDDqbrlAC5attKjg8= +=VFx6 +-----END PGP SIGNATURE----- diff --git a/Revert-gh105127-left-tests.patch b/Revert-gh105127-left-tests.patch deleted file mode 100644 index 4472f5b..0000000 --- a/Revert-gh105127-left-tests.patch +++ /dev/null @@ -1,283 +0,0 @@ -From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001 -From: "Gregory P. Smith" -Date: Thu, 20 Jul 2023 20:30:52 -0700 -Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address - parsing errors ... (GH-105127)" (GH-106733) - -This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00. -Adds a regression test from the issue. - -See https://github.com/python/cpython/issues/106669.. -(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d) - -Co-authored-by: Gregory P. Smith ---- - Doc/library/email.utils.rst | 26 -- - Lib/email/utils.py | 63 ------ - Lib/test/test_email/test_email.py | 96 +--------- - Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 5 - 4 files changed, 31 insertions(+), 159 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst - -Index: Python-3.11.4/Doc/library/email.utils.rst -=================================================================== ---- Python-3.11.4.orig/Doc/library/email.utils.rst -+++ Python-3.11.4/Doc/library/email.utils.rst -@@ -67,11 +67,6 @@ of the new API. - *email address* parts. Returns a tuple of that information, unless the parse - fails, in which case a 2-tuple of ``('', '')`` is returned. - -- .. versionchanged:: 3.12 -- For security reasons, addresses that were ambiguous and could parse into -- multiple different addresses now cause ``('', '')`` to be returned -- instead of only one of the *potential* addresses. -- - - .. function:: formataddr(pair, charset='utf-8') - -@@ -94,7 +89,7 @@ of the new API. - This method returns a list of 2-tuples of the form returned by ``parseaddr()``. - *fieldvalues* is a sequence of header field values as might be returned by - :meth:`Message.get_all `. Here's a simple -- example that gets all the recipients of a message: -+ example that gets all the recipients of a message:: - - from email.utils import getaddresses - -@@ -104,25 +99,6 @@ of the new API. - resent_ccs = msg.get_all('resent-cc', []) - all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) - -- When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` -- is returned in its place. Other errors in parsing the list of -- addresses such as a fieldvalue seemingly parsing into multiple -- addresses may result in a list containing a single empty 2-tuple -- ``[('', '')]`` being returned rather than returning potentially -- invalid output. -- -- Example malformed input parsing: -- -- .. doctest:: -- -- >>> from email.utils import getaddresses -- >>> getaddresses(['alice@example.com ', 'me@example.com']) -- [('', '')] -- -- .. versionchanged:: 3.12 -- The 2-tuple of ``('', '')`` in the returned values when parsing -- fails were added as to address a security issue. -- - - .. function:: parsedate(date) - -Index: Python-3.11.4/Lib/email/utils.py -=================================================================== ---- Python-3.11.4.orig/Lib/email/utils.py -+++ Python-3.11.4/Lib/email/utils.py -@@ -106,54 +106,12 @@ def formataddr(pair, charset='utf-8'): - return address - - --def _pre_parse_validation(email_header_fields): -- accepted_values = [] -- for v in email_header_fields: -- s = v.replace('\\(', '').replace('\\)', '') -- if s.count('(') != s.count(')'): -- v = "('', '')" -- accepted_values.append(v) -- -- return accepted_values -- -- --def _post_parse_validation(parsed_email_header_tuples): -- accepted_values = [] -- # The parser would have parsed a correctly formatted domain-literal -- # The existence of an [ after parsing indicates a parsing failure -- for v in parsed_email_header_tuples: -- if '[' in v[1]: -- v = ('', '') -- accepted_values.append(v) -- -- return accepted_values -- - - def getaddresses(fieldvalues): -- """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. -- -- When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in -- its place. -- -- If the resulting list of parsed address is not the same as the number of -- fieldvalues in the input list a parsing error has occurred. A list -- containing a single empty 2-tuple [('', '')] is returned in its place. -- This is done to avoid invalid output. -- """ -- fieldvalues = [str(v) for v in fieldvalues] -- fieldvalues = _pre_parse_validation(fieldvalues) -- all = COMMASPACE.join(v for v in fieldvalues) -+ """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -+ all = COMMASPACE.join(str(v) for v in fieldvalues) - a = _AddressList(all) -- result = _post_parse_validation(a.addresslist) -- -- n = 0 -- for v in fieldvalues: -- n += v.count(',') + 1 -- -- if len(result) != n: -- return [('', '')] -- -- return result -+ return a.addresslist - - - def _format_timetuple_and_zone(timetuple, zone): -@@ -254,18 +212,9 @@ def parseaddr(addr): - Return a tuple of realname and email address, unless the parse fails, in - which case return a 2-tuple of ('', ''). - """ -- if isinstance(addr, list): -- addr = addr[0] -- -- if not isinstance(addr, str): -- return ('', '') -- -- addr = _pre_parse_validation([addr])[0] -- addrs = _post_parse_validation(_AddressList(addr).addresslist) -- -- if not addrs or len(addrs) > 1: -- return ('', '') -- -+ addrs = _AddressList(addr).addresslist -+ if not addrs: -+ return '', '' - return addrs[0] - - -Index: Python-3.11.4/Lib/test/test_email/test_email.py -=================================================================== ---- Python-3.11.4.orig/Lib/test/test_email/test_email.py -+++ Python-3.11.4/Lib/test/test_email/test_email.py -@@ -3320,90 +3320,32 @@ Foo - [('Al Person', 'aperson@dom.ain'), - ('Bud Person', 'bperson@dom.ain')]) - -- def test_getaddresses_parsing_errors(self): -- """Test for parsing errors from CVE-2023-27043""" -- eq = self.assertEqual -- eq(utils.getaddresses(['alice@example.org(']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org)']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org<']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org>']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org@']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org,']), -- [('', 'alice@example.org'), ('', 'bob@example.com')]) -- eq(utils.getaddresses(['alice@example.org;']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org:']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org.']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org"']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org[']), -- [('', '')]) -- eq(utils.getaddresses(['alice@example.org]']), -- [('', '')]) -- -- def test_parseaddr_parsing_errors(self): -- """Test for parsing errors from CVE-2023-27043""" -- eq = self.assertEqual -- eq(utils.parseaddr(['alice@example.org(']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org)']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org<']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org>']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org@']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org,']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org;']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org:']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org.']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org"']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org[']), -- ('', '')) -- eq(utils.parseaddr(['alice@example.org]']), -- ('', '')) -+ def test_getaddresses_comma_in_name(self): -+ """GH-106669 regression test.""" -+ self.assertEqual( -+ utils.getaddresses( -+ [ -+ '"Bud, Person" ', -+ 'aperson@dom.ain (Al Person)', -+ '"Mariusz Felisiak" ', -+ ] -+ ), -+ [ -+ ('Bud, Person', 'bperson@dom.ain'), -+ ('Al Person', 'aperson@dom.ain'), -+ ('Mariusz Felisiak', 'to@example.com'), -+ ], -+ ) - - def test_getaddresses_nasty(self): - eq = self.assertEqual - eq(utils.getaddresses(['foo: ;']), [('', '')]) -- eq(utils.getaddresses(['[]*-- =~$']), [('', '')]) -+ eq(utils.getaddresses( -+ ['[]*-- =~$']), -+ [('', ''), ('', ''), ('', '*--')]) - eq(utils.getaddresses( - ['foo: ;', '"Jason R. Mastaler" ']), - [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) -- eq(utils.getaddresses( -- [r'Pete(A nice \) chap) ']), -- [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]) -- eq(utils.getaddresses( -- ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']), -- [('', '')]) -- eq(utils.getaddresses( -- ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']), -- [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]) -- eq(utils.getaddresses( -- ['John Doe ']), -- [('John Doe (comment)', 'jdoe@machine.example')]) -- eq(utils.getaddresses( -- ['"Mary Smith: Personal Account" ']), -- [('Mary Smith: Personal Account', 'smith@home.example')]) -- eq(utils.getaddresses( -- ['Undisclosed recipients:;']), -- [('', '')]) -- eq(utils.getaddresses( -- [r', "Giant; \"Big\" Box" ']), -- [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]) - - def test_getaddresses_embedded_comment(self): - """Test proper handling of a nested comment""" -Index: Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -=================================================================== ---- Python-3.11.4.orig/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -+++ Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -@@ -1,3 +1,8 @@ -+Reverted the :mod:`email.utils` security improvement change released in -+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail -+to parse email addresses with a comma in the quoted name field. -+See :gh:`106669`. -+ - CVE-2023-27043: Prevent :func:`email.utils.parseaddr` - and :func:`email.utils.getaddresses` from returning the realname portion of an - invalid RFC2822 email header in the email address portion of the 2-tuple diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch index e79cb57..c060211 100644 --- a/bpo-31046_ensurepip_honours_prefix.patch +++ b/bpo-31046_ensurepip_honours_prefix.patch @@ -13,20 +13,22 @@ Co-Authored-By: Xavier de Gaye 5 files changed, 34 insertions(+), 9 deletions(-) create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst ---- a/Doc/library/ensurepip.rst -+++ b/Doc/library/ensurepip.rst -@@ -59,8 +59,9 @@ is at least as recent as the one availab +Index: Python-3.11.8/Doc/library/ensurepip.rst +=================================================================== +--- Python-3.11.8.orig/Doc/library/ensurepip.rst ++++ Python-3.11.8/Doc/library/ensurepip.rst +@@ -59,7 +59,9 @@ is at least as recent as the one availab By default, ``pip`` is installed into the current virtual environment (if one is active) or into the system site packages (if there is no active virtual environment). The installation location can be controlled -through two additional command line options: +through some additional command line options: - ++ +* ``--prefix ``: Installs ``pip`` using the given directory prefix. - * ``--root ``: Installs ``pip`` relative to the given root directory + + * :samp:`--root {dir}`: Installs ``pip`` relative to the given root directory rather than the root of the currently active virtual environment (if any) - or the default root for the current Python installation. -@@ -92,7 +93,7 @@ Module API +@@ -92,7 +94,7 @@ Module API Returns a string specifying the available version of pip that will be installed when bootstrapping an environment. @@ -35,7 +37,7 @@ Co-Authored-By: Xavier de Gaye altinstall=False, default_pip=False, \ verbosity=0) -@@ -102,6 +103,8 @@ Module API +@@ -102,6 +104,8 @@ Module API If *root* is ``None``, then installation uses the default install location for the current environment. @@ -44,7 +46,7 @@ Co-Authored-By: Xavier de Gaye *upgrade* indicates whether or not to upgrade an existing installation of an earlier version of ``pip`` to the available version. -@@ -122,6 +125,8 @@ Module API +@@ -122,6 +126,8 @@ Module API *verbosity* controls the level of output to :data:`sys.stdout` from the bootstrapping operation. @@ -53,8 +55,10 @@ Co-Authored-By: Xavier de Gaye .. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap .. note:: ---- a/Lib/ensurepip/__init__.py -+++ b/Lib/ensurepip/__init__.py +Index: Python-3.11.8/Lib/ensurepip/__init__.py +=================================================================== +--- Python-3.11.8.orig/Lib/ensurepip/__init__.py ++++ Python-3.11.8/Lib/ensurepip/__init__.py @@ -122,27 +122,27 @@ def _disable_pip_configuration_settings( os.environ['PIP_CONFIG_FILE'] = os.devnull @@ -117,8 +121,10 @@ Co-Authored-By: Xavier de Gaye upgrade=args.upgrade, user=args.user, verbosity=args.verbosity, ---- a/Lib/test/test_ensurepip.py -+++ b/Lib/test/test_ensurepip.py +Index: Python-3.11.8/Lib/test/test_ensurepip.py +=================================================================== +--- Python-3.11.8.orig/Lib/test/test_ensurepip.py ++++ Python-3.11.8/Lib/test/test_ensurepip.py @@ -112,6 +112,17 @@ class TestBootstrap(EnsurepipMixin, unit unittest.mock.ANY, ) @@ -137,9 +143,11 @@ Co-Authored-By: Xavier de Gaye def test_bootstrapping_with_user(self): ensurepip.bootstrap(user=True) ---- a/Makefile.pre.in -+++ b/Makefile.pre.in -@@ -1756,7 +1756,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni +Index: Python-3.11.8/Makefile.pre.in +=================================================================== +--- Python-3.11.8.orig/Makefile.pre.in ++++ Python-3.11.8/Makefile.pre.in +@@ -1761,7 +1761,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni install|*) ensurepip="" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -148,7 +156,7 @@ Co-Authored-By: Xavier de Gaye fi altinstall: commoninstall -@@ -1766,7 +1766,7 @@ altinstall: commoninstall +@@ -1771,7 +1771,7 @@ altinstall: commoninstall install|*) ensurepip="--altinstall" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -157,7 +165,9 @@ Co-Authored-By: Xavier de Gaye fi commoninstall: check-clean-src @FRAMEWORKALTINSTALLFIRST@ \ +Index: Python-3.11.8/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst +=================================================================== --- /dev/null -+++ b/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst ++++ Python-3.11.8/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst @@ -0,0 +1 @@ +A directory prefix can now be specified when using :mod:`ensurepip`. diff --git a/distutils-reproducible-compile.patch b/distutils-reproducible-compile.patch index 6cd1ef9..227af64 100644 --- a/distutils-reproducible-compile.patch +++ b/distutils-reproducible-compile.patch @@ -2,8 +2,10 @@ Lib/distutils/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) ---- a/Lib/distutils/util.py -+++ b/Lib/distutils/util.py +Index: Python-3.11.8/Lib/distutils/util.py +=================================================================== +--- Python-3.11.8.orig/Lib/distutils/util.py ++++ Python-3.11.8/Lib/distutils/util.py @@ -436,7 +436,7 @@ byte_compile(files, optimize=%r, force=% else: from py_compile import compile diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index 1f51535..af713d6 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -3,36 +3,40 @@ Misc/NEWS | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) ---- a/Doc/using/configure.rst -+++ b/Doc/using/configure.rst +Index: Python-3.11.8/Doc/using/configure.rst +=================================================================== +--- Python-3.11.8.orig/Doc/using/configure.rst ++++ Python-3.11.8/Doc/using/configure.rst @@ -41,7 +41,6 @@ General Options See :data:`sys.int_info.bits_per_digit `. --.. cmdoption:: --with-cxx-main - .. cmdoption:: --with-cxx-main=COMPILER +-.. option:: --with-cxx-main + .. option:: --with-cxx-main=COMPILER Compile the Python ``main()`` function and link Python executable with C++ @@ -527,13 +526,11 @@ macOS Options See ``Mac/README.rst``. --.. cmdoption:: --enable-universalsdk - .. cmdoption:: --enable-universalsdk=SDKDIR +-.. option:: --enable-universalsdk + .. option:: --enable-universalsdk=SDKDIR Create a universal binary build. *SDKDIR* specifies which macOS SDK should be used to perform the build (default is no). --.. cmdoption:: --enable-framework - .. cmdoption:: --enable-framework=INSTALLDIR +-.. option:: --enable-framework + .. option:: --enable-framework=INSTALLDIR Create a Python.framework rather than a traditional Unix install. Optional ---- a/Misc/NEWS -+++ b/Misc/NEWS -@@ -8105,7 +8105,7 @@ C API +Index: Python-3.11.8/Misc/NEWS +=================================================================== +--- Python-3.11.8.orig/Misc/NEWS ++++ Python-3.11.8/Misc/NEWS +@@ -9411,7 +9411,7 @@ C API - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name + - bpo-43795: The list in :ref:`limited-api-list` now shows the public name - :c:struct:`PyFrameObject` rather than ``_frame``. The non-existing entry + :c:type:`PyFrameObject` rather than ``_frame``. The non-existing entry ``_node`` no longer appears in the list. diff --git a/libexpat260.patch b/libexpat260.patch new file mode 100644 index 0000000..c9e6f4e --- /dev/null +++ b/libexpat260.patch @@ -0,0 +1,108 @@ +From f2eebf3c38eae77765247791576b437ec25ccfe2 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Sun, 11 Feb 2024 12:08:39 +0200 +Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 + (GH-115164) + +Feeding the parser by too small chunks defers parsing to prevent +CVE-2023-52425. Future versions of Expat may be more reactive. +(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) + +Co-authored-by: Serhiy Storchaka +--- + Lib/test/test_xml_etree.py | 58 ++++++++++++------- + ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 + + 2 files changed, 38 insertions(+), 22 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst + +diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py +index 267982a8233c92..fa03f381fac92a 100644 +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -13,6 +13,7 @@ + import operator + import os + import pickle ++import pyexpat + import sys + import textwrap + import types +@@ -120,6 +121,10 @@ + + """ + ++fails_with_expat_2_6_0 = (unittest.expectedFailure ++ if pyexpat.version_info >= (2, 6, 0) else ++ lambda test: test) ++ + def checkwarnings(*filters, quiet=False): + def decorator(test): + def newtest(*args, **kwargs): +@@ -1400,28 +1405,37 @@ def assert_event_tags(self, parser, expected, max_events=None): + self.assertEqual([(action, elem.tag) for action, elem in events], + expected) + +- def test_simple_xml(self): +- for chunk_size in (None, 1, 5): +- with self.subTest(chunk_size=chunk_size): +- parser = ET.XMLPullParser() +- self.assert_event_tags(parser, []) +- self._feed(parser, "\n", chunk_size) +- self.assert_event_tags(parser, []) +- self._feed(parser, +- "\n text\n", chunk_size) +- self.assert_event_tags(parser, [('end', 'element')]) +- self._feed(parser, "texttail\n", chunk_size) +- self._feed(parser, "\n", chunk_size) +- self.assert_event_tags(parser, [ +- ('end', 'element'), +- ('end', 'empty-element'), +- ]) +- self._feed(parser, "\n", chunk_size) +- self.assert_event_tags(parser, [('end', 'root')]) +- self.assertIsNone(parser.close()) ++ def test_simple_xml(self, chunk_size=None): ++ parser = ET.XMLPullParser() ++ self.assert_event_tags(parser, []) ++ self._feed(parser, "\n", chunk_size) ++ self.assert_event_tags(parser, []) ++ self._feed(parser, ++ "\n text\n", chunk_size) ++ self.assert_event_tags(parser, [('end', 'element')]) ++ self._feed(parser, "texttail\n", chunk_size) ++ self._feed(parser, "\n", chunk_size) ++ self.assert_event_tags(parser, [ ++ ('end', 'element'), ++ ('end', 'empty-element'), ++ ]) ++ self._feed(parser, "\n", chunk_size) ++ self.assert_event_tags(parser, [('end', 'root')]) ++ self.assertIsNone(parser.close()) ++ ++ @fails_with_expat_2_6_0 ++ def test_simple_xml_chunk_1(self): ++ self.test_simple_xml(chunk_size=1) ++ ++ @fails_with_expat_2_6_0 ++ def test_simple_xml_chunk_5(self): ++ self.test_simple_xml(chunk_size=5) ++ ++ def test_simple_xml_chunk_22(self): ++ self.test_simple_xml(chunk_size=22) + + def test_feed_while_iterating(self): + parser = ET.XMLPullParser() +diff --git a/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst +new file mode 100644 +index 00000000000000..6f1015235cc25d +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst +@@ -0,0 +1,2 @@ ++Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat ++2.6.0. diff --git a/python-3.3.0b1-fix_date_time_compiler.patch b/python-3.3.0b1-fix_date_time_compiler.patch index 6629d97..3bd27df 100644 --- a/python-3.3.0b1-fix_date_time_compiler.patch +++ b/python-3.3.0b1-fix_date_time_compiler.patch @@ -2,9 +2,11 @@ Makefile.pre.in | 7 +++++++ 1 file changed, 7 insertions(+) ---- a/Makefile.pre.in -+++ b/Makefile.pre.in -@@ -1235,11 +1235,18 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ +Index: Python-3.11.8/Makefile.pre.in +=================================================================== +--- Python-3.11.8.orig/Makefile.pre.in ++++ Python-3.11.8/Makefile.pre.in +@@ -1240,11 +1240,18 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ $(DTRACE_OBJS) \ $(srcdir)/Modules/getbuildinfo.c $(CC) -c $(PY_CORE_CFLAGS) \ diff --git a/python-3.3.0b1-localpath.patch b/python-3.3.0b1-localpath.patch index f6cac49..af2d841 100644 --- a/python-3.3.0b1-localpath.patch +++ b/python-3.3.0b1-localpath.patch @@ -1,7 +1,9 @@ ---- a/Lib/site.py -+++ b/Lib/site.py -@@ -76,7 +76,7 @@ import _sitebuiltins - import io +Index: Python-3.11.8/Lib/site.py +=================================================================== +--- Python-3.11.8.orig/Lib/site.py ++++ Python-3.11.8/Lib/site.py +@@ -77,7 +77,7 @@ import io + import stat # Prefixes for site-packages; add additional prefixes like /usr/local here -PREFIXES = [sys.prefix, sys.exec_prefix] diff --git a/python-3.3.0b1-test-posix_fadvise.patch b/python-3.3.0b1-test-posix_fadvise.patch index 183a92a..a931d5a 100644 --- a/python-3.3.0b1-test-posix_fadvise.patch +++ b/python-3.3.0b1-test-posix_fadvise.patch @@ -2,9 +2,11 @@ Lib/test/test_posix.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) ---- a/Lib/test/test_posix.py -+++ b/Lib/test/test_posix.py -@@ -428,7 +428,7 @@ class PosixTester(unittest.TestCase): +Index: Python-3.11.8/Lib/test/test_posix.py +=================================================================== +--- Python-3.11.8.orig/Lib/test/test_posix.py ++++ Python-3.11.8/Lib/test/test_posix.py +@@ -430,7 +430,7 @@ class PosixTester(unittest.TestCase): def test_posix_fadvise(self): fd = os.open(os_helper.TESTFN, os.O_RDONLY) try: diff --git a/python311.changes b/python311.changes index 05ad51b..2e9d819 100644 --- a/python311.changes +++ b/python311.changes @@ -1,3 +1,702 @@ +------------------------------------------------------------------- +Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl + +- (bsc#1219666, CVE-2023-6597) Add + CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from + gh#python/cpython!99930) fixing symlink bug in cleanup of + tempfile.TemporaryDirectory. + +------------------------------------------------------------------- +Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl + +- Remove double definition of /usr/bin/idle%%{version} in + %%files. + +------------------------------------------------------------------- +Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia + +- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser + with Expat 2.6.0, gh#python/cpython#115289 + +------------------------------------------------------------------- +Thu Feb 8 07:27:40 UTC 2024 - Daniel Garcia + +- Update to 3.11.8: + - Security + - gh-113659: Skip .pth files with names starting with a dot or + hidden file attribute. + - Core and Builtins + - gh-114887: Changed socket type validation in + create_datagram_endpoint() to accept all non-stream sockets. + This fixes a regression in compatibility with raw sockets. + - gh-114388: Fix a RuntimeWarning emitted when assign an + integer-like value that is not an instance of int to an + attribute that corresponds to a C struct member of type T_UINT + and T_ULONG. Fix a double RuntimeWarning emitted when assign a + negative integer value to an attribute that corresponds to a C + struct member of type T_UINT. + - gh-89811: Check for a valid tp_version_tag before performing + bytecode specializations that rely on this value being usable. + - gh-113602: Fix an error that was causing the parser to try to + overwrite existing errors and crashing in the process. Patch by + Pablo Galindo + - gh-113566: Fix a 3.11-specific crash when the repr of a Future + is requested after the module has already been + garbage-collected. + - gh-106905: Use per AST-parser state rather than global state to + track recursion depth within the AST parser to prevent potential + race condition due to simultaneous parsing. + - The issue primarily showed up in 3.11 by multithreaded users of + ast.parse(). In 3.12 a change to when garbage collection can be + triggered prevented the race condition from occurring. + - gh-112716: Fix SystemError in the import statement and in + __reduce__() methods of builtin types when __builtins__ is not a + dict. + - gh-105967: Workaround a bug in Apple’s macOS platform zlib + library where zlib.crc32() and binascii.crc32() could produce + incorrect results on multi-gigabyte inputs. Including when using + zipfile on zips containing large data. + - gh-94606: Fix UnicodeEncodeError when + email.message.get_payload() reads a message with a Unicode + surrogate character and the message content is not well-formed + for surrogateescape encoding. Patch by Sidney Markowitz. + - Library + - gh-114965: Update bundled pip to 24.0 + - gh-114959: tarfile no longer ignores errors when trying to + extract a directory on top of a file. + - gh-109475: Fix support of explicit option value “–” in argparse + (e.g. --option=--). + - gh-110190: Fix ctypes structs with array on Windows ARM64 + platform by setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by + Diego Russo + - gh-113280: Fix a leak of open socket in rare cases when error + occurred in ssl.SSLSocket creation. + - gh-77749: email.policy.EmailPolicy.fold() now always encodes + non-ASCII characters in headers if utf8 is false. + - gh-114492: Make the result of termios.tcgetattr() reproducible + on Alpine Linux. Previously it could leave a random garbage in + some fields. + - gh-75128: Ignore an OSError in + asyncio.BaseEventLoop.create_server() when IPv6 is available but + the interface cannot actually support it. + - gh-114257: Dismiss the FileNotFound error in + ctypes.util.find_library() and just return None on Linux. + - gh-101438: Avoid reference cycle in ElementTree.iterparse. The + iterator returned by ElementTree.iterparse may hold on to a file + descriptor. The reference cycle prevented prompt clean-up of the + file descriptor if the returned iterator was not exhausted. + - gh-104522: OSError raised when run a subprocess now only has + filename attribute set to cwd if the error was caused by a + failed attempt to change the current directory. + - gh-109534: Fix a reference leak in + asyncio.selector_events.BaseSelectorEventLoop when SSL + handshakes fail. Patch contributed by Jamie Phan. + - gh-114077: Fix possible OverflowError in + socket.socket.sendfile() when pass count larger than 2 GiB on + 32-bit platform. + - gh-114014: Fixed a bug in fractions.Fraction where an invalid + string using d in the decimals part creates a different error + compared to other invalid letters/characters. Patch by Jeremiah + Gabriel Pascual. + - gh-113951: Fix the behavior of tag_unbind() methods of + tkinter.Text and tkinter.Canvas classes with three arguments. + Previously, widget.tag_unbind(tag, sequence, funcid) destroyed + the current binding for sequence, leaving sequence unbound, and + deleted the funcid command. Now it removes only funcid from the + binding for sequence, keeping other commands, and deletes the + funcid command. It leaves sequence unbound only if funcid was + the last bound command. + - gh-113877: Fix tkinter method winfo_pathname() on 64-bit + Windows. + - gh-113781: Silence unraisable AttributeError when warnings are + emitted during Python finalization. + - gh-113594: Fix UnicodeEncodeError in email when re-fold lines + that contain unknown-8bit encoded part followed by + non-unknown-8bit encoded part. + - gh-113538: In asyncio.StreamReaderProtocol.connection_made(), + there is callback that logs an error if the task wrapping the + “connected callback” fails. This callback would itself fail if + the task was cancelled. Prevent this by checking whether the + task was cancelled first. If so, close the transport but don’t + log an error. + - gh-85567: Fix resource warnings for unclosed files in pickle and + pickletools command line interfaces. + - gh-101225: Increase the backlog for + multiprocessing.connection.Listener objects created by + multiprocessing.manager and multiprocessing.resource_sharer to + significantly reduce the risk of getting a connection refused + error when creating a multiprocessing.connection.Connection to + them. + - gh-113543: Make sure that webbrowser.MacOSXOSAScript sends + webbrowser.open audit event. + - gh-113028: When a second reference to a string appears in the + input to pickle, and the Python implementation is in use, we are + guaranteed that a single copy gets pickled and a single object + is shared when reloaded. Previously, in protocol 0, when a + string contained certain characters (e.g. newline) it resulted + in duplicate objects. + - gh-113421: Fix multiprocessing logger for %(filename)s. + - gh-113358: Fix rendering tracebacks for exceptions with a broken + __getattr__. + - gh-113214: Fix an AttributeError during asyncio SSL protocol + aborts in SSL-over-SSL scenarios. + - gh-113246: Update bundled pip to 23.3.2. + - gh-113199: Make http.client.HTTPResponse.read1 and + http.client.HTTPResponse.readline close IO after reading all + data when content length is known. Patch by Illia Volochii. + - gh-113188: Fix shutil.copymode() and shutil.copystat() on + Windows. Previously they worked differenly if dst is a symbolic + link: they modified the permission bits of dst itself rather + than the file it points to if follow_symlinks is true or src is + not a symbolic link, and did not modify the permission bits if + follow_symlinks is false and src is a symbolic link. + - gh-61648: Detect line numbers of properties in doctests. + - gh-112559: signal.signal() and signal.getsignal() no longer call + repr on callable handlers. asyncio.run() and + asyncio.Runner.run() no longer call repr on the task results. + Patch by Yilei Yang. + - gh-110190: Fix ctypes structs with array on PPC64LE platform by + setting MAX_STRUCT_SIZE to 64 in stgdict. Patch by Diego Russo. + - gh-79429: Ignore FileNotFoundError when remove a temporary + directory in the multiprocessing finalizer. + - gh-79325: Fix an infinite recursion error in + tempfile.TemporaryDirectory() cleanup on Windows. + - gh-110190: Fix ctypes structs with array on Arm platform by + setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo. + - gh-81194: Fix a crash in socket.if_indextoname() with specific + value (UINT_MAX). Fix an integer overflow in + socket.if_indextoname() on 64-bit non-Windows platforms. + - gh-75666: Fix the behavior of tkinter widget’s unbind() method + with two arguments. Previously, widget.unbind(sequence, funcid) + destroyed the current binding for sequence, leaving sequence + unbound, and deleted the funcid command. Now it removes only + funcid from the binding for sequence, keeping other commands, + and deletes the funcid command. It leaves sequence unbound only + if funcid was the last bound command. + - gh-110345: Show the Tcl/Tk patchlevel (rather than version) in + tkinter._test(). + - gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now + raises BadZipFile when try to read an entry that overlaps with + other entry or central directory. + - gh-38807: Fix race condition in trace. Instead of checking if a + directory exists and creating it, directly call os.makedirs() + with the kwarg exist_ok=True. + - gh-75705: Set unixfrom envelope in mailbox.mbox and + mailbox.MMDF. + - gh-105102: Allow ctypes.Union to be nested in ctypes.Structure + when the system endianness is the opposite of the classes. + - gh-104282: Fix null pointer dereference in + lzma._decode_filter_properties() due to improper handling of BCJ + filters with properties of zero length. Patch by Radislav + Chugunov. + - gh-102512: When os.fork() is called from a foreign thread (aka + _DummyThread), the type of the thread in a child process is + changed to _MainThread. Also changed its name and daemonic + status, it can be now joined. + - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, + which now no longer dereferences symlinks when working around + file system permission errors. + - bpo-43153: On Windows, tempfile.TemporaryDirectory previously + masked a PermissionError with NotADirectoryError during + directory cleanup. It now correctly raises PermissionError if + errors are not ignored. Patch by Andrei Kulakov and Ken Jin. + - bpo-35332: The shutil.rmtree() function now ignores errors when + calling os.close() when ignore_errors is True, and os.close() no + longer retried after error. + - bpo-35928: io.TextIOWrapper now correctly handles the decoding + buffer after read() and write(). + - bpo-26791: shutil.move() now moves a symlink into a directory + when that directory is the target of the symlink. This provides + the same behavior as the mv shell command. The previous behavior + raised an exception. Patch by Jeffrey Kintscher. + - bpo-36959: Fix some error messages for invalid ISO format string + combinations in strptime() that referred to directives not + contained in the format string. Patch by Gordon P. Hemsley. + - bpo-18060: Fixed a class inheritance issue that can cause + segfaults when deriving two or more levels of subclasses from a + base class of Structure or Union. + - Documentation + - gh-110746: Improved markup for valid options/values for methods + ttk.treeview.column and ttk.treeview.heading, and for Layouts. + - gh-95649: Document that the asyncio module contains code taken + from v0.16.0 of the uvloop project, as well as the required MIT + licensing information. + - Tests + - gh-109980: Fix test_tarfile_vs_tar in test_shutil for macOS, + where system tar can include more information in the archive + than shutil.make_archive. + - gh-112769: The tests now correctly compare zlib version when + zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For + example zlib-ng defines the version as 1.3.0.zlib-ng. + - gh-105089: Fix + test.test_zipfile.test_core.TestWithDirectory.test_create_directory_with_write + test in AIX by doing a bitwise AND of 0xFFFF on mode , so that + it will be in sync with zinfo.external_attr + - bpo-40648: Test modes that file can get with chmod() on Windows. + - Build + - gh-101778: Fix build error when there’s a dangling symlink in + the directory containing ffi.h. + - gh-112305: Fixed the check-clean-src step performed on out of + tree builds to detect errant $(srcdir)/Python/frozen_modules/*.h + files and recommend appropriate source tree cleanup steps to get + a working build again. + - bpo-11102: The os.major(), os.makedev(), and os.minor() + functions are now available on HP-UX v3. + - bpo-36351: Do not set ipv6type when cross-compiling. + - IDLE + - gh-96905: In idlelib code, stop redefining built-ins ‘dict’ and + ‘object’. + - gh-72284: Improve the lists of features, editor key bindings, + and shell key bingings in the IDLE doc. + - gh-113903: Fix rare failure of test.test_idle, in + test_configdialog. + - gh-113729: Fix the “Help -> IDLE Doc” menu bug in 3.11.7 and + 3.12.1. + - gh-113269: Fix test_editor hang on macOS Catalina. + - gh-112898: Fix processing unsaved files when quitting IDLE on + macOS. + - gh-103820: Revise IDLE bindings so that events from mouse button + 4/5 on non-X11 windowing systems (i.e. Win32 and Aqua) are not + mistaken for scrolling. + - bpo-13586: Enter the selected text when opening the “Replace” + dialog. + - Tools/Demos + - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13 and + multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1. + - gh-115015: Fix a bug in Argument Clinic that generated incorrect + code for methods with no parameters that use the METH_METHOD | + METH_FASTCALL | METH_KEYWORDS calling convention. Only the + positional parameter count was checked; any keyword argument + passed would be silently accepted. + +- Refresh all patches: + - CVE-2023-27043-email-parsing-errors.patch + - F00251-change-user-install-location.patch + - bpo-31046_ensurepip_honours_prefix.patch + - distutils-reproducible-compile.patch + - fix_configure_rst.patch + - python-3.3.0b1-fix_date_time_compiler.patch + - python-3.3.0b1-localpath.patch + - python-3.3.0b1-test-posix_fadvise.patch + - skip_if_buildbot-extend.patch + - subprocess-raise-timeout.patch + - support-expat-CVE-2022-25236-patched.patch + +------------------------------------------------------------------- +Tue Dec 19 16:34:50 UTC 2023 - Daniel Garcia + +- Update patch fix_configure_rst.patch +- Update to 3.11.7: + - Core and Builtins + - gh-112625: Fixes a bug where a bytearray object could be cleared + while iterating over an argument in the bytearray.join() method + that could result in reading memory after it was freed. + - gh-112388: Fix an error that was causing the parser to try to + overwrite tokenizer errors. Patch by pablo Galindo + - gh-112387: Fix error positions for decoded strings with + backwards tokenize errors. Patch by Pablo Galindo + - gh-112266: Change docstrings of __dict__ and __weakref__. + - gh-109181: Speed up Traceback object creation by lazily compute + the line number. Patch by Pablo Galindo + - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 + codecs read out of bounds + - gh-111366: Fix an issue in the codeop that was causing + SyntaxError exceptions raised in the presence of invalid syntax + to not contain precise error messages. Patch by Pablo Galindo + - gh-111380: Fix a bug that was causing SyntaxWarning to appear + twice when parsing if invalid syntax is encountered later. Patch + by Pablo galindo + - gh-88116: Traceback location ranges involving wide unicode + characters (like emoji and asian characters) now are properly + highlighted. Patch by Batuhan Taskaya and Pablo Galindo. + - gh-94438: Fix a regression that prevented jumping across is None + and is not None when debugging. Patch by Savannah Ostrowski. + - gh-110696: Fix incorrect error message for invalid argument + unpacking. Patch by Pablo Galindo + - gh-110237: Fix missing error checks for calls to PyList_Append + in _PyEval_MatchClass. + - gh-109216: Fix possible memory leak in BUILD_MAP. + + - Library + - gh-112618: Fix a caching bug relating to typing.Annotated. + Annotated[str, True] is no longer identical to Annotated[str, + 1]. + - gh-112509: Fix edge cases that could cause a key to be present + in both the __required_keys__ and __optional_keys__ attributes + of a typing.TypedDict. Patch by Jelle Zijlstra. + - gh-94722: Fix bug where comparison between instances of DocTest + fails if one of them has None as its lineno. + - gh-112105: Make readline.set_completer_delims() work with + libedit + - gh-111942: Fix SystemError in the TextIOWrapper constructor with + non-encodable “errors” argument in non-debug mode. + - gh-109538: Issue warning message instead of having RuntimeError + be displayed when event loop has already been closed at + StreamWriter.__del__(). + - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when + pass invalid arguments, e.g. non-string encoding. + - gh-111804: Remove posix.fallocate() under WASI as the underlying + posix_fallocate() is not available in WASI preview2. + - gh-111841: Fix truncating arguments on an embedded null + character in os.putenv() and os.unsetenv() on Windows. + - gh-111541: Fix doctest for SyntaxError not-builtin subclasses. + - gh-110894: Call loop exception handler for exceptions in + client_connected_cb of asyncio.start_server() so that + applications can handle it. Patch by Kumar Aditya. + - gh-111531: Fix reference leaks in bind_class() and bind_all() + methods of tkinter widgets. + - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and + io.IncrementalNewlineDecoder to io.__all__. + - gh-68166: Remove mention of not supported “vsapi” element type + in tkinter.ttk.Style.element_create(). Add tests for + element_create() and other ttk.Style methods. Add examples for + element_create() in the documentation. + - gh-111251: Fix _blake2 not checking for errors when + initializing. + - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly + for empty BytesIO. + - gh-111187: Postpone removal version for + locale.getdefaultlocale() to Python 3.15. + - gh-111159: Fix doctest output comparison for exceptions with + notes. + - gh-110910: Fix invalid state handling in asyncio.TaskGroup and + asyncio.Timeout. They now raise proper RuntimeError if they are + improperly used and are left in consistent state after this. + - gh-111092: Make turtledemo run without default root enabled. + - gh-110590: Fix a bug in _sre.compile() where TypeError would be + overwritten by OverflowError when the code argument was a list + of non-ints. + - gh-65052: Prevent pdb from crashing when trying to display + undisplayable objects + - gh-110519: Deprecation warning about non-integer number in + gettext now alwais refers to the line in the user code where + gettext function or method is used. Previously it could refer to + a line in gettext code. + - gh-110378: contextmanager() and asynccontextmanager() context + managers now close an invalid underlying generator object that + yields more then one value. + - gh-110365: Fix termios.tcsetattr() bug that was overwritting + existing errors during parsing integers from term list. + - gh-110196: Add __reduce__ method to IPv6Address in order to keep + scope_id + - gh-109747: Improve errors for unsupported look-behind patterns. + Now re.error is raised instead of OverflowError or RuntimeError + for too large width of look-behind pattern. + - gh-109786: Fix possible reference leaks and crash when re-enter + the __next__() method of itertools.pairwise. + - gh-108791: Improved error handling in pdb command line + interface, making it produce more concise error messages. + - gh-73561: Omit the interface scope from an IPv6 address when + used as Host header by http.client. + - gh-86826: zipinfo now supports the full range of values in the + TZ string determined by RFC 8536 and detects all invalid + formats. Both Python and C implementations now raise exceptions + of the same type on invalid data. + - bpo-41422: Fixed memory leaks of pickle.Pickler and + pickle.Unpickler involving cyclic references via the internal + memo mapping. + - bpo-40262: The ssl.SSLSocket.recv_into() method no longer + requires the buffer argument to implement __len__ and supports + buffers with arbitrary item size. + - bpo-35191: Fix unexpected integer truncation in + socket.setblocking() which caused it to interpret multiples of + 2**32 as False. + + - Documentation + - gh-108826: dis module command-line interface is now mentioned in + documentation. + + - Tests + - gh-110367: Make regrtest --verbose3 option compatible with + --huntrleaks -jN options. The ./python -m test -j1 -R 3:3 + --verbose3 command now works as expected. Patch by Victor + Stinner. + - gh-111309: distutils tests can now be run via unittest. + - gh-111165: Remove no longer used functions run_unittest() and + run_doctest() and class BasicTestRunner from the test.support + module. + - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment + variable is defined: use the variable value as the random seed. + Patch by Victor Stinner. + - gh-110995: test_gdb: Fix detection of gdb built without Python + scripting support. Patch by Victor Stinner. + - gh-110918: Test case matching patterns specified by options + --match, --ignore, --matchfile and --ignorefile are now tested + in the order of specification, and the last match determines + whether the test case be run or ignored. + - gh-110647: Fix test_stress_modifying_handlers() of test_signal. + Patch by Victor Stinner. + - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make + distclean” instead of “make clean” in the copied source + directory to remove also the “python” program. Patch by Victor + Stinner. + - gh-110167: Fix a deadlock in test_socket when server fails with + a timeout but the client is still running in its thread. Don’t + hold a lock to call cleanup functions in doCleanups(). One of + the cleanup function waits until the client completes, whereas + the client could deadlock if it called addCleanup() in such + situation. Patch by Victor Stinner. + - gh-110388: Add tests for tty. + - gh-81002: Add tests for termios. + - gh-110267: Add tests for pickling and copying PyStructSequence + objects. Patched by Xuehai Pan. + - gh-109974: Fix race conditions in test_threading lock tests. + Wait until a condition is met rather than using time.sleep() + with a hardcoded number of seconds. Patch by Victor Stinner. + - gh-109972: Split test_gdb.py file into a test_gdb package made + of multiple tests, so tests can now be run in parallel. Patch by + Victor Stinner. + - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on + Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt” + command output to detect when gdb fails to retrieve the + traceback. For example, skip a test if Backtrace stopped: frame + did not save the PC is found. Patch by Victor Stinner. + - gh-108927: Fixed order dependence in running tests in the same + process when a test that has submodules (e.g. test_importlib) + follows a test that imports its submodule (e.g. + test_importlib.util) and precedes a test (e.g. test_unittest or + test_compileall) that uses that submodule. + + - Build + - gh-103053: “make check-clean-src” now also checks if the + “python” program is found in the source directory: fail with an + error if it does exist. Patch by Victor Stinner. + - gh-109191: Fix compile error when building with recent versions + of libedit. + + - IDLE + - bpo-35668: Add docstrings to the IDLE debugger module. Fix two + bugs: initialize Idb.botframe (should be in Bdb); in + Idb.in_rpc_code, check whether prev_frame is None before trying + to use it. Greatly expand test_debugger. + + - C API + - gh-112438: Fix support of format units “es”, “et”, “es#”, and + “et#” in nested tuples in PyArg_ParseTuple()-like functions. + - gh-109521: PyImport_GetImporter() now sets RuntimeError if it + fails to get sys.path_hooks or sys.path_importer_cache or they + are not list and dict correspondingly. Previously it could + return NULL without setting error in obscure cases, crash or + raise SystemError if these attributes have wrong type. +------------------------------------------------------------------- +Mon Dec 18 16:20:58 UTC 2023 - Matej Cepl + +- Refresh CVE-2023-27043-email-parsing-errors.patch to + gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). +- Thus we can remove Revert-gh105127-left-tests.patch, which is + now useless. + +------------------------------------------------------------------- +Wed Nov 15 09:06:16 UTC 2023 - Daniel Garcia + +- Remove not needed patch 103213-fetch-CONFIG_ARGS.patch +- Refresh patches: + - bpo-31046_ensurepip_honours_prefix.patch + - fix_configure_rst.patch + +- Update to 3.11.6: + - Core and Builtins + - gh-109351: Fix crash when compiling an invalid AST involving a + named (walrus) expression. + - gh-109207: Fix a SystemError in __repr__ of symtable entry + object. + - gh-109179: Fix bug where the C traceback display drops notes + from SyntaxError. + - gh-88943: Improve syntax error for non-ASCII character that + follows a numerical literal. It now points on the invalid + non-ASCII character, not on the valid numerical literal. + - gh-108959: Fix caret placement for error locations for subscript + and binary operations that involve non-semantic parentheses and + spaces. Patch by Pablo Galindo + - gh-108520: Fix + multiprocessing.synchronize.SemLock.__setstate__() to properly + initialize multiprocessing.synchronize.SemLock._is_fork_ctx. + This fixes a regression when passing a SemLock accross nested + processes. + - Rename multiprocessing.synchronize.SemLock.is_fork_ctx to + multiprocessing.synchronize.SemLock._is_fork_ctx to avoid + exposing it as public API. + - Library + - gh-110036: On Windows, multiprocessing Popen.terminate() now + catchs PermissionError and get the process exit code. If the + process is still running, raise again the PermissionError. + Otherwise, the process terminated as expected: store its exit + code. Patch by Victor Stinner. + - gh-110038: Fixed an issue that caused KqueueSelector.select() to + not return all the ready events in some cases when a file + descriptor is registered for both read and write. + - gh-109631: re functions such as re.findall(), re.split(), + re.search() and re.sub() which perform short repeated matches + can now be interrupted by user. + - gh-109593: Avoid deadlocking on a reentrant call to the + multiprocessing resource tracker. Such a reentrant call, though + unlikely, can happen if a GC pass invokes the finalizer for a + multiprocessing object such as SemLock. + - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for + exceptions. Previously, on Python built in debug mode, these + functions could trigger a fatal Python error (and abort the + process) when a function succeeded with an exception set. Patch + by Victor Stinner. + - gh-109375: The pdb alias command now prevents registering + aliases without arguments. + - gh-107219: Fix a race condition in concurrent.futures. When a + process in the process pool was terminated abruptly (while the + future was running or pending), close the connection write end. + If the call queue is blocked on sending bytes to a worker + process, closing the connection write end interrupts the send, + so the queue can be closed. Patch by Victor Stinner. + - gh-50644: Attempts to pickle or create a shallow or deep copy of + codecs streams now raise a TypeError. Previously, copying failed + with a RecursionError, while pickling produced wrong results + that eventually caused unpickling to fail with a RecursionError. + - gh-108987: Fix _thread.start_new_thread() race condition. If a + thread is created during Python finalization, the newly spawned + thread now exits immediately instead of trying to access freed + memory and lead to a crash. Patch by Victor Stinner. + - gh-108843: Fix an issue in ast.unparse() when unparsing + f-strings containing many quote types. + - gh-108682: Enum: raise TypeError if super().__new__() is called + from a custom __new__. + - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock + - gh-64662: Fix support for virtual tables in + sqlite3.Connection.iterdump(). Patch by Aviv Palivoda. + - gh-107913: Fix possible losses of errno and winerror values in + OSError exceptions if they were cleared or modified by the + cleanup code before creating the exception object. + - gh-104372: On Linux where subprocess can use the vfork() syscall + for faster spawning, prevent the parent process from blocking + other threads by dropping the GIL while it waits for the + vfork’ed child process exec() outcome. This prevents spawning a + binary from a slow filesystem from blocking the rest of the + application. + - gh-84867: unittest.TestLoader no longer loads test cases from + exact unittest.TestCase and unittest.FunctionTestCase classes. + - Documentation + - gh-109209: The minimum Sphinx version required for the + documentation is now 4.2. + - gh-105052: Update timeit doc to specify that time in seconds is + just the default. + - gh-102823: Document the return type of x // y when x and y have + type float. + - Tests + - gh-110031: Skip test_threading tests using thread+fork if Python + is built with Address Sanitizer (ASAN). Patch by Victor Stinner. + - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum + duration, a test should not measure a CI performance. Only + measure the minimum duration when a task has a timeout or delay. + Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner. + - gh-110033: Fix test_interprocess_signal() of test_signal. Make + sure that the subprocess.Popen object is deleted before the test + raising an exception in a signal handler. Otherwise, + Popen.__del__() can get the exception which is logged as + Exception ignored in: ... and the test fails. Patch by Victor + Stinner. + - gh-109594: Fix test_timeout() of + test_concurrent_futures.test_wait. Remove the future which may + or may not complete depending if it takes longer than the + timeout ot not. Keep the second future which does not complete + before wait() timeout. Patch by Victor Stinner. + - gh-109748: Fix test_zippath_from_non_installed_posix() of + test_venv: don’t copy __pycache__/ sub-directories, because they + can be modified by other Python tests running in parallel. Patch + by Victor Stinner. + - gh-103053: Skip test_freeze_simple_script() of + test_tools.test_freeze if Python is built with ./configure + --enable-optimizations, which means with Profile Guided + Optimization (PGO): it just makes the test too slow. The freeze + tool is tested by many other CIs with other (faster) compiler + flags. Patch by Victor Stinner. + - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a + longer key: FIPS mode requires at least of at least 112 bits. + The previous key was only 32 bits. Patch by Victor Stinner. + - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on + Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt” + command output to detect when gdb fails to retrieve the + traceback. For example, skip a test if Backtrace stopped: frame + did not save the PC is found. Patch by Victor Stinner. + - gh-109237: Fix test_site.test_underpth_basic() when the working + directory contains at least one non-ASCII character: encode the + ._pth file to UTF-8 and enable the UTF-8 Mode to use UTF-8 for + the child process stdout. Patch by Victor Stinner. + - gh-109230: Fix test_pyexpat.test_exception(): it can now be run + from a directory different than Python source code directory. + Before, the test failed in this case. Skip the test if + Modules/pyexpat.c source is not available. Skip also the test on + Python implementations other than CPython. Patch by Victor + Stinner. + - gh-109015: Fix test_asyncio, test_imaplib and test_socket tests + on FreeBSD if the TCP blackhole is enabled (sysctl + net.inet.tcp.blackhole). Skip the few tests which failed with + ETIMEDOUT which such non standard configuration. Currently, the + FreeBSD GCP image enables TCP and UDP blackhole (sysctl + net.inet.tcp.blackhole=2 and sysctl net.inet.udp.blackhole=1). + Patch by Victor Stinner. + - gh-91960: Skip test_gdb if gdb is unable to retrieve Python + frame objects: if a frame is . When Python is + built with “clang -Og”, gdb can fail to retrive the frame + parameter of _PyEval_EvalFrameDefault(). In this case, tests + like py_bt() are likely to fail. Without getting access to + Python frames, python-gdb.py is mostly clueless on retrieving + the Python traceback. Moreover, test_gdb is no longer skipped on + macOS if Python is built with Clang. Patch by Victor Stinner. + - gh-108962: Skip test_tempfile.test_flags() if chflags() fails + with “OSError: [Errno 45] Operation not supported” (ex: on + FreeBSD 13). Patch by Victor Stinner. + - gh-89392: Removed support of test_main() function in tests. They + now always use normal unittest test runner. + - gh-108851: Fix test_tomllib recursion tests for WASI buildbots: + reduce the recursion limit and compute the maximum nested + array/dict depending on the current available recursion limit. + Patch by Victor Stinner. + - gh-108851: Add get_recursion_available() and + get_recursion_depth() functions to the test.support module. + Patch by Victor Stinner. + - gh-108822: regrtest now computes statistics on all tests: + successes, failures and skipped. test_netrc, test_pep646_syntax + and test_xml_etree now return results in their test_main() + function. Patch by Victor Stinner and Alex Waygood. + - gh-108388: Convert test_concurrent_futures to a package of 7 + sub-tests. Patch by Victor Stinner. + - gh-108388: Split test_multiprocessing_fork, + test_multiprocessing_forkserver and test_multiprocessing_spawn + into test packages. Each package is made of 4 sub-tests: + processes, threads, manager and misc. It allows running more + tests in parallel and so reduce the total test duration. Patch + by Victor Stinner. + - gh-101634: When running the Python test suite with -jN option, + if a worker stdout cannot be decoded from the locale encoding + report a failed testn so the exitcode is non-zero. Patch by + Victor Stinner. + - gh-100086: The Python test runner (libregrtest) now logs Python + build information like “debug” vs “release” build, or LTO and + PGO optimizations. Patch by Victor Stinner. + - gh-98903: The Python test suite now fails wit exit code 4 if no + tests ran. It should help detecting typos in test names and test + methods. + - gh-95027: On Windows, when the Python test suite is run with the + -jN option, the ANSI code page is now used as the encoding for + the stdout temporary file, rather than using UTF-8 which can + lead to decoding errors. Patch by Victor Stinner. + - gh-93353: regrtest now checks if a test leaks temporary files or + directories if run with -jN option. Patch by Victor Stinner. + - Build + - gh-63760: Fix Solaris build: no longer redefine the + gethostname() function. Solaris defines the function since 2005. + Patch by Victor Stinner, original patch by Jakub Kulík. + - gh-108740: Fix a race condition in make regen-all. The + deepfreeze.c source and files generated by Argument Clinic are + now generated or updated before generating “global objects”. + Previously, some identifiers may miss depending on the order in + which these files were generated. Patch by Victor Stinner. + - Windows + - gh-109991: Update Windows build to use OpenSSL 3.0.11. + - gh-107565: Update Windows build to use OpenSSL 3.0.10. + - macOS + - gh-109991: Update macOS installer to use OpenSSL 3.0.11. + - Tools/Demos + - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and + multissltests to use 1.1.1w, 3.0.11, and 3.1.3. + ------------------------------------------------------------------- Wed Sep 6 07:52:11 UTC 2023 - Daniel Garcia diff --git a/python311.spec b/python311.spec index 8437624..002a178 100644 --- a/python311.spec +++ b/python311.spec @@ -1,7 +1,7 @@ # -# spec file +# spec file for package python311 # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -94,7 +94,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.11.5 +Version: 3.11.8 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -158,9 +158,6 @@ Patch35: fix_configure_rst.patch # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com # Makes Python resilient to changes of API of libexpat Patch36: support-expat-CVE-2022-25236-patched.patch -# PATCH-FIX-UPSTREAM 103213-fetch-CONFIG_ARGS.patch gh#python/cpython#103053 mcepl@suse.com -# Fetch CONFIG_ARGS from original python instance -Patch38: 103213-fetch-CONFIG_ARGS.patch # PATCH-FIX-UPSTREAM skip_if_buildbot-extend.patch gh#python/cpython#103053 mcepl@suse.com # Skip test_freeze_simple_script Patch39: skip_if_buildbot-extend.patch @@ -168,9 +165,12 @@ Patch39: skip_if_buildbot-extend.patch # Detect email address parsing errors and return empty tuple to # indicate the parsing error (old API) Patch40: CVE-2023-27043-email-parsing-errors.patch -# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com -# Partially revert previous patch -Patch41: Revert-gh105127-left-tests.patch +# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289 +# Fix tests for XMLPullParser with Expat 2.6.0 +Patch41: libexpat260.patch +# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com +# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930) +Patch42: CVE-2023-6597-TempDir-cleaning-symlink.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -413,26 +413,26 @@ other applications. %prep %setup -q -n %{tarname} -%patch02 -p1 +%patch -P 02 -p1 -%patch06 -p1 -%patch07 -p1 -%patch08 -p1 -%patch09 -p1 -%patch15 -p1 -%patch29 -p1 +%patch -P 06 -p1 +%patch -P 07 -p1 +%patch -P 08 -p1 +%patch -P 09 -p1 +%patch -P 15 -p1 +%patch -P 29 -p1 %if 0%{?suse_version} <= 1500 -%patch33 -p1 +%patch -P 33 -p1 %endif %if 0%{?sle_version} && 0%{?sle_version} <= 150300 -%patch34 -p1 +%patch -P 34 -p1 %endif -%patch35 -p1 -%patch36 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 -%patch41 -p1 +%patch -P 35 -p1 +%patch -P 36 -p1 +%patch -P 39 -p1 +%patch -P 40 -p1 +%patch -P 41 -p1 +%patch -P 42 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac @@ -816,7 +816,6 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo %{sitedir}/idlelib %dir %{_sysconfdir}/idle%{python_version} %config %{_sysconfdir}/idle%{python_version}/* -%doc Lib/idlelib/NEWS.txt %doc Lib/idlelib/README.txt %doc Lib/idlelib/TODO.txt %doc Lib/idlelib/extend.txt @@ -830,7 +829,6 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo %dir %{_datadir}/icons/hicolor/32x32 %dir %{_datadir}/icons/hicolor/48x48 %dir %{_datadir}/icons/hicolor/*/apps -%attr(755, root, root) %{_bindir}/idle%{python_version} # endif for if general %endif diff --git a/skip_if_buildbot-extend.patch b/skip_if_buildbot-extend.patch index 635943c..0af72b6 100644 --- a/skip_if_buildbot-extend.patch +++ b/skip_if_buildbot-extend.patch @@ -2,9 +2,11 @@ Lib/test/support/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) ---- a/Lib/test/support/__init__.py -+++ b/Lib/test/support/__init__.py -@@ -388,7 +388,7 @@ def skip_if_buildbot(reason=None): +Index: Python-3.11.8/Lib/test/support/__init__.py +=================================================================== +--- Python-3.11.8.orig/Lib/test/support/__init__.py ++++ Python-3.11.8/Lib/test/support/__init__.py +@@ -383,7 +383,7 @@ def skip_if_buildbot(reason=None): if not reason: reason = 'not suitable for buildbots' try: diff --git a/subprocess-raise-timeout.patch b/subprocess-raise-timeout.patch index 986699e..2f74527 100644 --- a/subprocess-raise-timeout.patch +++ b/subprocess-raise-timeout.patch @@ -2,9 +2,11 @@ Lib/test/test_subprocess.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) ---- a/Lib/test/test_subprocess.py -+++ b/Lib/test/test_subprocess.py -@@ -279,7 +279,8 @@ class ProcessTestCase(BaseTestCase): +Index: Python-3.11.8/Lib/test/test_subprocess.py +=================================================================== +--- Python-3.11.8.orig/Lib/test/test_subprocess.py ++++ Python-3.11.8/Lib/test/test_subprocess.py +@@ -280,7 +280,8 @@ class ProcessTestCase(BaseTestCase): "time.sleep(3600)"], # Some heavily loaded buildbots (sparc Debian 3.x) require # this much time to start and print. diff --git a/support-expat-CVE-2022-25236-patched.patch b/support-expat-CVE-2022-25236-patched.patch index deb896c..f1f22ca 100644 --- a/support-expat-CVE-2022-25236-patched.patch +++ b/support-expat-CVE-2022-25236-patched.patch @@ -27,8 +27,10 @@ Co-authored-by: Sebastian Pipping 1 file changed, 9 insertions(+), 14 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst ---- a/Lib/test/test_minidom.py -+++ b/Lib/test/test_minidom.py +Index: Python-3.11.8/Lib/test/test_minidom.py +=================================================================== +--- Python-3.11.8.orig/Lib/test/test_minidom.py ++++ Python-3.11.8/Lib/test/test_minidom.py @@ -6,7 +6,6 @@ import io from test import support import unittest