ALP-pool/python311
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 python311 revision 8d78aa486c047ecd82aeb6a488bf6dcf

Browse Source
This commit is contained in:
Adrian Schröter 2024-03-05 18:06:37 +01:00
parent 023a601905
commit 78001c2cc3
21 changed files with 1486 additions and 584 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
103213-fetch-CONFIG_ARGS.patch
View File

@ -1,37 +0,0 @@
From d3217d12eee9eefad8444e80545b82b2a8c2be4c Mon Sep 17 00:00:00 2001
From: Ijtaba Hussain <ijtabahussain@live.com>
Date: Mon, 3 Apr 2023 17:28:32 +0500
Subject: [PATCH 1/3] Fetch CONFIG_ARGS from original python instance
instead of fetching from intermediate instance. As "make clean" is called
against the intermediate instance, the build directory is cleared and the
config arguments lookup fails with a ModuleNotFoundError
---
Misc/NEWS.d/next/Tools-Demos/2023-04-05-07-19-36.gh-issue-103186.yEozgK.rst | 2 ++
Tools/freeze/test/freeze.py | 3 +--
2 files changed, 3 insertions(+), 2 deletions(-)
--- /dev/null
+++ b/Misc/NEWS.d/next/Tools-Demos/2023-04-05-07-19-36.gh-issue-103186.yEozgK.rst
@@ -0,0 +1,2 @@
+``freeze`` now fetches ``CONFIG_ARGS`` from the original CPython instance
+the Makefile uses to call utility scripts. Patch by Ijtaba Hussain.
--- a/Tools/freeze/test/freeze.py
+++ b/Tools/freeze/test/freeze.py
@@ -96,7 +96,6 @@ def copy_source_tree(newroot, oldroot):
if os.path.exists(os.path.join(newroot, 'Makefile')):
_run_quiet([MAKE, 'clean'], newroot)
-
def get_makefile_var(builddir, name):
regex = re.compile(rf'^{name} *=\s*(.*?)\s*$')
filename = os.path.join(builddir, 'Makefile')
@@ -153,7 +152,7 @@ def prepare(script=None, outdir=None):
print(f'configuring python in {builddir}...')
cmd = [
os.path.join(srcdir, 'configure'),
- *shlex.split(get_config_var(srcdir, 'CONFIG_ARGS') or ''),
+ *shlex.split(get_config_var(SRCDIR, 'CONFIG_ARGS') or ''),
]
ensure_opt(cmd, 'cache-file', os.path.join(outdir, 'python-config.cache'))
prefix = os.path.join(outdir, 'python-installation')

548
CVE-2023-27043-email-parsing-errors.patch
View File

@ -1,74 +1,189 @@
--- ---
Doc/library/email.utils.rst | 26 +++ Doc/library/email.utils.rst | 19 -
Lib/email/utils.py | 63 +++++++ Lib/email/utils.py | 151 +++++++-
Lib/test/test_email/test_email.py | 81 +++++++++- Lib/test/test_email/test_email.py | 187 +++++++++-
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8
4 files changed, 164 insertions(+), 10 deletions(-) 4 files changed, 344 insertions(+), 21 deletions(-)
Index: Python-3.11.4/Doc/library/email.utils.rst Index: Python-3.11.8/Doc/library/email.utils.rst
=================================================================== ===================================================================
--- Python-3.11.4.orig/Doc/library/email.utils.rst --- Python-3.11.8.orig/Doc/library/email.utils.rst
+++ Python-3.11.4/Doc/library/email.utils.rst +++ Python-3.11.8/Doc/library/email.utils.rst
@@ -67,6 +67,11 @@ of the new API. @@ -60,13 +60,18 @@ of the new API.
begins with angle brackets, they are stripped off.
-.. function:: parseaddr(address)
+.. function:: parseaddr(address, *, strict=True)
Parse address -- which should be the value of some address-containing field such
as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
*email address* parts. Returns a tuple of that information, unless the parse *email address* parts. Returns a tuple of that information, unless the parse
fails, in which case a 2-tuple of ``('', '')`` is returned. fails, in which case a 2-tuple of ``('', '')`` is returned.
+ .. versionchanged:: 3.12 + If *strict* is true, use a strict parser which rejects malformed inputs.
+ For security reasons, addresses that were ambiguous and could parse into +
+ multiple different addresses now cause ``('', '')`` to be returned + .. versionchanged:: 3.13
+ instead of only one of the *potential* addresses. + Add *strict* optional parameter and reject malformed inputs by default.
+ +
.. function:: formataddr(pair, charset='utf-8') .. function:: formataddr(pair, charset='utf-8')
@@ -89,7 +94,7 @@ of the new API. @@ -84,12 +89,15 @@ of the new API.
Added the *charset* option.
-.. function:: getaddresses(fieldvalues)
+.. function:: getaddresses(fieldvalues, *, strict=True)
This method returns a list of 2-tuples of the form returned by ``parseaddr()``. This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
*fieldvalues* is a sequence of header field values as might be returned by *fieldvalues* is a sequence of header field values as might be returned by
:meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple - :meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple
- example that gets all the recipients of a message:: - example that gets all the recipients of a message::
+ example that gets all the recipients of a message: + :meth:`Message.get_all <email.message.Message.get_all>`.
+
+ If *strict* is true, use a strict parser which rejects malformed inputs.
+
+ Here's a simple example that gets all the recipients of a message::
from email.utils import getaddresses from email.utils import getaddresses
@@ -99,6 +104,25 @@ of the new API. @@ -99,6 +107,9 @@ of the new API.
resent_ccs = msg.get_all('resent-cc', []) resent_ccs = msg.get_all('resent-cc', [])
all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` + .. versionchanged:: 3.13
+ is returned in its place. Other errors in parsing the list of + Add *strict* optional parameter and reject malformed inputs by default.
+ addresses such as a fieldvalue seemingly parsing into multiple
+ addresses may result in a list containing a single empty 2-tuple
+ ``[('', '')]`` being returned rather than returning potentially
+ invalid output.
+
+ Example malformed input parsing:
+
+ .. doctest::
+
+ >>> from email.utils import getaddresses
+ >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
+ [('', '')]
+
+ .. versionchanged:: 3.12
+ The 2-tuple of ``('', '')`` in the returned values when parsing
+ fails were added as to address a security issue.
+ +
.. function:: parsedate(date) .. function:: parsedate(date)
Index: Python-3.11.4/Lib/email/utils.py Index: Python-3.11.8/Lib/email/utils.py
=================================================================== ===================================================================
--- Python-3.11.4.orig/Lib/email/utils.py --- Python-3.11.8.orig/Lib/email/utils.py
+++ Python-3.11.4/Lib/email/utils.py +++ Python-3.11.8/Lib/email/utils.py
@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'): @@ -48,6 +48,7 @@ TICK = "'"
specialsre = re.compile(r'[][\\()<>@,:;".]')
escapesre = re.compile(r'[\\"]')
+
def _has_surrogates(s):
"""Return True if s may contain surrogate-escaped binary data."""
# This check is based on the fact that unless there are surrogates, utf8
@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
return address return address
+def _iter_escaped_chars(addr):
+ pos = 0
+ escape = False
+ for pos, ch in enumerate(addr):
+ if escape:
+ yield (pos, '\\' + ch)
+ escape = False
+ elif ch == '\\':
+ escape = True
+ else:
+ yield (pos, ch)
+ if escape:
+ yield (pos, '\\')
+
+
+def _strip_quoted_realnames(addr):
+ """Strip real names between quotes."""
+ if '"' not in addr:
+ # Fast path
+ return addr
+
+ start = 0
+ open_pos = None
+ result = []
+ for pos, ch in _iter_escaped_chars(addr):
+ if ch == '"':
+ if open_pos is None:
+ open_pos = pos
+ else:
+ if start != open_pos:
+ result.append(addr[start:open_pos])
+ start = pos + 1
+ open_pos = None
-def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
- all = COMMASPACE.join(str(v) for v in fieldvalues)
- a = _AddressList(all)
- return a.addresslist
+ if start < len(addr):
+ result.append(addr[start:])
+
+ return ''.join(result)
+
+
+supports_strict_parsing = True
+
+def getaddresses(fieldvalues, *, strict=True):
+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+
+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+ its place.
+
+ If strict is true, use a strict parser which rejects malformed inputs.
+ """
+
+ # If strict is true, if the resulting list of parsed addresses is greater
+ # than the number of fieldvalues in the input list, a parsing error has
+ # occurred and consequently a list containing a single empty 2-tuple [('',
+ # '')] is returned in its place. This is done to avoid invalid output.
+ #
+ # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
+ # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
+ # Safe output: [('', '')]
+
+ if not strict:
+ all = COMMASPACE.join(str(v) for v in fieldvalues)
+ a = _AddressList(all)
+ return a.addresslist
+
+ fieldvalues = [str(v) for v in fieldvalues]
+ fieldvalues = _pre_parse_validation(fieldvalues)
+ addr = COMMASPACE.join(fieldvalues)
+ a = _AddressList(addr)
+ result = _post_parse_validation(a.addresslist)
+
+ # Treat output as invalid if the number of addresses is not equal to the
+ # expected number of addresses.
+ n = 0
+ for v in fieldvalues:
+ # When a comma is used in the Real Name part it is not a deliminator.
+ # So strip those out before counting the commas.
+ v = _strip_quoted_realnames(v)
+ # Expected number of addresses: 1 + number of commas
+ n += 1 + v.count(',')
+ if len(result) != n:
+ return [('', '')]
+
+ return result
+
+
+def _check_parenthesis(addr):
+ # Ignore parenthesis in quoted real names.
+ addr = _strip_quoted_realnames(addr)
+
+ opens = 0
+ for pos, ch in _iter_escaped_chars(addr):
+ if ch == '(':
+ opens += 1
+ elif ch == ')':
+ opens -= 1
+ if opens < 0:
+ return False
+ return (opens == 0)
+
+
+def _pre_parse_validation(email_header_fields): +def _pre_parse_validation(email_header_fields):
+ accepted_values = [] + accepted_values = []
+ for v in email_header_fields: + for v in email_header_fields:
+ s = v.replace('\\(', '').replace('\\)', '') + if not _check_parenthesis(v):
+ if s.count('(') != s.count(')'):
+ v = "('', '')" + v = "('', '')"
+ accepted_values.append(v) + accepted_values.append(v)
+ +
@ -85,46 +200,32 @@ Index: Python-3.11.4/Lib/email/utils.py
+ accepted_values.append(v) + accepted_values.append(v)
+ +
+ return accepted_values + return accepted_values
+
def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
- all = COMMASPACE.join(str(v) for v in fieldvalues)
+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+
+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+ its place.
+
+ If the resulting list of parsed address is not the same as the number of
+ fieldvalues in the input list a parsing error has occurred. A list
+ containing a single empty 2-tuple [('', '')] is returned in its place.
+ This is done to avoid invalid output.
+ """
+ fieldvalues = [str(v) for v in fieldvalues]
+ fieldvalues = _pre_parse_validation(fieldvalues)
+ all = COMMASPACE.join(v for v in fieldvalues)
a = _AddressList(all)
- return a.addresslist
+ result = _post_parse_validation(a.addresslist)
+
+ n = 0
+ for v in fieldvalues:
+ n += v.count(',') + 1
+
+ if len(result) != n:
+ return [('', '')]
+
+ return result
def _format_timetuple_and_zone(timetuple, zone): def _format_timetuple_and_zone(timetuple, zone):
@@ -212,9 +254,18 @@ def parseaddr(addr): @@ -205,16 +321,33 @@ def parsedate_to_datetime(data):
tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
-def parseaddr(addr):
+def parseaddr(addr, *, strict=True):
"""
Parse addr into its constituent realname and email address parts.
Return a tuple of realname and email address, unless the parse fails, in Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', ''). which case return a 2-tuple of ('', '').
+
+ If strict is True, use a strict parser which rejects malformed inputs.
""" """
- addrs = _AddressList(addr).addresslist - addrs = _AddressList(addr).addresslist
- if not addrs: - if not addrs:
- return '', '' - return '', ''
+ if not strict:
+ addrs = _AddressList(addr).addresslist
+ if not addrs:
+ return ('', '')
+ return addrs[0]
+
+ if isinstance(addr, list): + if isinstance(addr, list):
+ addr = addr[0] + addr = addr[0]
+ +
@ -140,110 +241,229 @@ Index: Python-3.11.4/Lib/email/utils.py
return addrs[0] return addrs[0]
Index: Python-3.11.4/Lib/test/test_email/test_email.py Index: Python-3.11.8/Lib/test/test_email/test_email.py
=================================================================== ===================================================================
--- Python-3.11.4.orig/Lib/test/test_email/test_email.py --- Python-3.11.8.orig/Lib/test/test_email/test_email.py
+++ Python-3.11.4/Lib/test/test_email/test_email.py +++ Python-3.11.8/Lib/test/test_email/test_email.py
@@ -3320,15 +3320,90 @@ Foo @@ -17,6 +17,7 @@ from unittest.mock import patch
import email
import email.policy
+import email.utils
from email.charset import Charset
from email.generator import Generator, DecodedGenerator, BytesGenerator
@@ -3321,15 +3322,137 @@ Foo
[('Al Person', 'aperson@dom.ain'), [('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')]) ('Bud Person', 'bperson@dom.ain')])
+ def test_getaddresses_parsing_errors(self): + def test_parsing_errors(self):
+ """Test for parsing errors from CVE-2023-27043""" + """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
+ eq = self.assertEqual + alice = 'alice@example.org'
+ eq(utils.getaddresses(['alice@example.org(<bob@example.com>']), + bob = 'bob@example.com'
+ [('', '')]) + empty = ('', '')
+ eq(utils.getaddresses(['alice@example.org)<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org<<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org><bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org@<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org,<bob@example.com>']),
+ [('', 'alice@example.org'), ('', 'bob@example.com')])
+ eq(utils.getaddresses(['alice@example.org;<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org:<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org.<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org"<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org[<bob@example.com>']),
+ [('', '')])
+ eq(utils.getaddresses(['alice@example.org]<bob@example.com>']),
+ [('', '')])
+ +
+ def test_parseaddr_parsing_errors(self): + # Test utils.getaddresses() and utils.parseaddr() on malformed email
+ """Test for parsing errors from CVE-2023-27043""" + # addresses: default behavior (strict=True) rejects malformed address,
+ eq = self.assertEqual + # and strict=False which tolerates malformed address.
+ eq(utils.parseaddr(['alice@example.org(<bob@example.com>']), + for invalid_separator, expected_non_strict in (
+ ('', '')) + ('(', [(f'<{bob}>', alice)]),
+ eq(utils.parseaddr(['alice@example.org)<bob@example.com>']), + (')', [('', alice), empty, ('', bob)]),
+ ('', '')) + ('<', [('', alice), empty, ('', bob), empty]),
+ eq(utils.parseaddr(['alice@example.org<<bob@example.com>']), + ('>', [('', alice), empty, ('', bob)]),
+ ('', '')) + ('[', [('', f'{alice}[<{bob}>]')]),
+ eq(utils.parseaddr(['alice@example.org><bob@example.com>']), + (']', [('', alice), empty, ('', bob)]),
+ ('', '')) + ('@', [empty, empty, ('', bob)]),
+ eq(utils.parseaddr(['alice@example.org@<bob@example.com>']), + (';', [('', alice), empty, ('', bob)]),
+ ('', '')) + (':', [('', alice), ('', bob)]),
+ eq(utils.parseaddr(['alice@example.org,<bob@example.com>']), + ('.', [('', alice + '.'), ('', bob)]),
+ ('', '')) + ('"', [('', alice), ('', f'<{bob}>')]),
+ eq(utils.parseaddr(['alice@example.org;<bob@example.com>']), + ):
+ ('', '')) + address = f'{alice}{invalid_separator}<{bob}>'
+ eq(utils.parseaddr(['alice@example.org:<bob@example.com>']), + with self.subTest(address=address):
+ ('', '')) + self.assertEqual(utils.getaddresses([address]),
+ eq(utils.parseaddr(['alice@example.org.<bob@example.com>']), + [empty])
+ ('', '')) + self.assertEqual(utils.getaddresses([address], strict=False),
+ eq(utils.parseaddr(['alice@example.org"<bob@example.com>']), + expected_non_strict)
+ ('', '')) +
+ eq(utils.parseaddr(['alice@example.org[<bob@example.com>']), + self.assertEqual(utils.parseaddr([address]),
+ ('', '')) + empty)
+ eq(utils.parseaddr(['alice@example.org]<bob@example.com>']), + self.assertEqual(utils.parseaddr([address], strict=False),
+ ('', '')) + ('', address))
+
+ # Comma (',') is treated differently depending on strict parameter.
+ # Comma without quotes.
+ address = f'{alice},<{bob}>'
+ self.assertEqual(utils.getaddresses([address]),
+ [('', alice), ('', bob)])
+ self.assertEqual(utils.getaddresses([address], strict=False),
+ [('', alice), ('', bob)])
+ self.assertEqual(utils.parseaddr([address]),
+ empty)
+ self.assertEqual(utils.parseaddr([address], strict=False),
+ ('', address))
+
+ # Real name between quotes containing comma.
+ address = '"Alice, alice@example.org" <bob@example.com>'
+ expected_strict = ('Alice, alice@example.org', 'bob@example.com')
+ self.assertEqual(utils.getaddresses([address]), [expected_strict])
+ self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
+ self.assertEqual(utils.parseaddr([address]), expected_strict)
+ self.assertEqual(utils.parseaddr([address], strict=False),
+ ('', address))
+
+ # Valid parenthesis in comments.
+ address = 'alice@example.org (Alice)'
+ expected_strict = ('Alice', 'alice@example.org')
+ self.assertEqual(utils.getaddresses([address]), [expected_strict])
+ self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
+ self.assertEqual(utils.parseaddr([address]), expected_strict)
+ self.assertEqual(utils.parseaddr([address], strict=False),
+ ('', address))
+
+ # Invalid parenthesis in comments.
+ address = 'alice@example.org )Alice('
+ self.assertEqual(utils.getaddresses([address]), [empty])
+ self.assertEqual(utils.getaddresses([address], strict=False),
+ [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
+ self.assertEqual(utils.parseaddr([address]), empty)
+ self.assertEqual(utils.parseaddr([address], strict=False),
+ ('', address))
+
+ # Two addresses with quotes separated by comma.
+ address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
+ self.assertEqual(utils.getaddresses([address]),
+ [('Jane Doe', 'jane@example.net'),
+ ('John Doe', 'john@example.net')])
+ self.assertEqual(utils.getaddresses([address], strict=False),
+ [('Jane Doe', 'jane@example.net'),
+ ('John Doe', 'john@example.net')])
+ self.assertEqual(utils.parseaddr([address]), empty)
+ self.assertEqual(utils.parseaddr([address], strict=False),
+ ('', address))
+
+ # Test email.utils.supports_strict_parsing attribute
+ self.assertEqual(email.utils.supports_strict_parsing, True)
+ +
def test_getaddresses_nasty(self): def test_getaddresses_nasty(self):
eq = self.assertEqual - eq = self.assertEqual
eq(utils.getaddresses(['foo: ;']), [('', '')]) - eq(utils.getaddresses(['foo: ;']), [('', '')])
- eq(utils.getaddresses( - eq(utils.getaddresses(
- ['[]*-- =~$']), - ['[]*-- =~$']),
- [('', ''), ('', ''), ('', '*--')]) - [('', ''), ('', ''), ('', '*--')])
+ eq(utils.getaddresses(['[]*-- =~$']), [('', '')]) - eq(utils.getaddresses(
eq(utils.getaddresses( - ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']), - [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
[('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) + for addresses, expected in (
+ eq(utils.getaddresses( + (['"Sürname, Firstname" <to@example.com>'],
+ [r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>']), + [('Sürname, Firstname', 'to@example.com')]),
+ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]) +
+ eq(utils.getaddresses( + (['foo: ;'],
+ ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']), + [('', '')]),
+ [('', '')]) +
+ eq(utils.getaddresses( + (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
+ ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']), + [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
+ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]) +
+ eq(utils.getaddresses( + ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
+ ['John Doe <jdoe@machine(comment). example>']), + [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
+ [('John Doe (comment)', 'jdoe@machine.example')]) +
+ eq(utils.getaddresses( + (['(Empty list)(start)Undisclosed recipients :(nobody(I know))'],
+ ['"Mary Smith: Personal Account" <smith@home.example>']), + [('', '')]),
+ [('Mary Smith: Personal Account', 'smith@home.example')]) +
+ eq(utils.getaddresses( + (['Mary <@machine.tld:mary@example.net>, , jdoe@test . example'],
+ ['Undisclosed recipients:;']), + [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
+ [('', '')]) +
+ eq(utils.getaddresses( + (['John Doe <jdoe@machine(comment). example>'],
+ [r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>']), + [('John Doe (comment)', 'jdoe@machine.example')]),
+ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]) +
+ (['"Mary Smith: Personal Account" <smith@home.example>'],
+ [('Mary Smith: Personal Account', 'smith@home.example')]),
+
+ (['Undisclosed recipients:;'],
+ [('', '')]),
+
+ ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
+ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
+ ):
+ with self.subTest(addresses=addresses):
+ self.assertEqual(utils.getaddresses(addresses),
+ expected)
+ self.assertEqual(utils.getaddresses(addresses, strict=False),
+ expected)
+
+ addresses = ['[]*-- =~$']
+ self.assertEqual(utils.getaddresses(addresses),
+ [('', '')])
+ self.assertEqual(utils.getaddresses(addresses, strict=False),
+ [('', ''), ('', ''), ('', '*--')])
def test_getaddresses_embedded_comment(self): def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment""" """Test proper handling of a nested comment"""
Index: Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst @@ -3520,6 +3643,54 @@ multipart/report
m = cls(*constructor, policy=email.policy.default)
self.assertIs(m.policy, email.policy.default)
+ def test_iter_escaped_chars(self):
+ self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
+ [(0, 'a'),
+ (2, '\\\\'),
+ (3, 'b'),
+ (5, '\\"'),
+ (6, 'c'),
+ (8, '\\\\'),
+ (9, '"'),
+ (10, 'd')])
+ self.assertEqual(list(utils._iter_escaped_chars('a\\')),
+ [(0, 'a'), (1, '\\')])
+
+ def test_strip_quoted_realnames(self):
+ def check(addr, expected):
+ self.assertEqual(utils._strip_quoted_realnames(addr), expected)
+
+ check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
+ ' <jane@example.net>, <john@example.net>')
+ check(r'"Jane \"Doe\"." <jane@example.net>',
+ ' <jane@example.net>')
+
+ # special cases
+ check(r'before"name"after', 'beforeafter')
+ check(r'before"name"', 'before')
+ check(r'b"name"', 'b') # single char
+ check(r'"name"after', 'after')
+ check(r'"name"a', 'a') # single char
+ check(r'"name"', '')
+
+ # no change
+ for addr in (
+ 'Jane Doe <jane@example.net>, John Doe <john@example.net>',
+ 'lone " quote',
+ ):
+ self.assertEqual(utils._strip_quoted_realnames(addr), addr)
+
+
+ def test_check_parenthesis(self):
+ addr = 'alice@example.net'
+ self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
+ self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
+ self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
+ self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
+
+ # Ignore real name between quotes
+ self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
+
# Test the iterator/generators
class TestIterators(TestEmailBase):
Index: Python-3.11.8/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst +++ Python-3.11.8/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
@@ -0,0 +1,4 @@ @@ -0,0 +1,8 @@
+CVE-2023-27043: Prevent :func:`email.utils.parseaddr` +:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
+and :func:`email.utils.getaddresses` from returning the realname portion of an +return ``('', '')`` 2-tuples in more situations where invalid email
+invalid RFC2822 email header in the email address portion of the 2-tuple +addresses are encountered instead of potentially inaccurate values. Add
+returned after being parsed by :class:`email._parseaddr.AddressList`. +optional *strict* parameter to these two functions: use ``strict=False`` to
+get the old behavior, accept malformed inputs.
+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
+Stinner to improve the CVE-2023-27043 fix.

165
CVE-2023-6597-TempDir-cleaning-symlink.patch Normal file
View File

@ -0,0 +1,165 @@
---
Lib/tempfile.py | 16 +
Lib/test/test_tempfile.py | 113 ++++++++++
Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst | 2
3 files changed, 131 insertions(+)
--- a/Lib/tempfile.py
+++ b/Lib/tempfile.py
@@ -286,6 +286,22 @@ def _resetperms(path):
_dont_follow_symlinks(chflags, path, 0)
_dont_follow_symlinks(_os.chmod, path, 0o700)
+def _dont_follow_symlinks(func, path, *args):
+ # Pass follow_symlinks=False, unless not supported on this platform.
+ if func in _os.supports_follow_symlinks:
+ func(path, *args, follow_symlinks=False)
+ elif _os.name == 'nt' or not _os.path.islink(path):
+ func(path, *args)
+
+def _resetperms(path):
+ try:
+ chflags = _os.chflags
+ except AttributeError:
+ pass
+ else:
+ _dont_follow_symlinks(chflags, path, 0)
+ _dont_follow_symlinks(_os.chmod, path, 0o700)
+
# User visible interfaces.
--- a/Lib/test/test_tempfile.py
+++ b/Lib/test/test_tempfile.py
@@ -1673,6 +1673,103 @@ class TestTemporaryDirectory(BaseTestCas
new_flags = os.stat(dir1).st_flags
self.assertEqual(new_flags, old_flags)
+ @os_helper.skip_unless_symlink
+ def test_cleanup_with_symlink_modes(self):
+ # cleanup() should not follow symlinks when fixing mode bits (#91133)
+ with self.do_create(recurse=0) as d2:
+ file1 = os.path.join(d2, 'file1')
+ open(file1, 'wb').close()
+ dir1 = os.path.join(d2, 'dir1')
+ os.mkdir(dir1)
+ for mode in range(8):
+ mode <<= 6
+ with self.subTest(mode=format(mode, '03o')):
+ def test(target, target_is_directory):
+ d1 = self.do_create(recurse=0)
+ symlink = os.path.join(d1.name, 'symlink')
+ os.symlink(target, symlink,
+ target_is_directory=target_is_directory)
+ try:
+ os.chmod(symlink, mode, follow_symlinks=False)
+ except NotImplementedError:
+ pass
+ try:
+ os.chmod(symlink, mode)
+ except FileNotFoundError:
+ pass
+ os.chmod(d1.name, mode)
+ d1.cleanup()
+ self.assertFalse(os.path.exists(d1.name))
+
+ with self.subTest('nonexisting file'):
+ test('nonexisting', target_is_directory=False)
+ with self.subTest('nonexisting dir'):
+ test('nonexisting', target_is_directory=True)
+
+ with self.subTest('existing file'):
+ os.chmod(file1, mode)
+ old_mode = os.stat(file1).st_mode
+ test(file1, target_is_directory=False)
+ new_mode = os.stat(file1).st_mode
+ self.assertEqual(new_mode, old_mode,
+ '%03o != %03o' % (new_mode, old_mode))
+
+ with self.subTest('existing dir'):
+ os.chmod(dir1, mode)
+ old_mode = os.stat(dir1).st_mode
+ test(dir1, target_is_directory=True)
+ new_mode = os.stat(dir1).st_mode
+ self.assertEqual(new_mode, old_mode,
+ '%03o != %03o' % (new_mode, old_mode))
+
+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags')
+ @os_helper.skip_unless_symlink
+ def test_cleanup_with_symlink_flags(self):
+ # cleanup() should not follow symlinks when fixing flags (#91133)
+ flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK
+ self.check_flags(flags)
+
+ with self.do_create(recurse=0) as d2:
+ file1 = os.path.join(d2, 'file1')
+ open(file1, 'wb').close()
+ dir1 = os.path.join(d2, 'dir1')
+ os.mkdir(dir1)
+ def test(target, target_is_directory):
+ d1 = self.do_create(recurse=0)
+ symlink = os.path.join(d1.name, 'symlink')
+ os.symlink(target, symlink,
+ target_is_directory=target_is_directory)
+ try:
+ os.chflags(symlink, flags, follow_symlinks=False)
+ except NotImplementedError:
+ pass
+ try:
+ os.chflags(symlink, flags)
+ except FileNotFoundError:
+ pass
+ os.chflags(d1.name, flags)
+ d1.cleanup()
+ self.assertFalse(os.path.exists(d1.name))
+
+ with self.subTest('nonexisting file'):
+ test('nonexisting', target_is_directory=False)
+ with self.subTest('nonexisting dir'):
+ test('nonexisting', target_is_directory=True)
+
+ with self.subTest('existing file'):
+ os.chflags(file1, flags)
+ old_flags = os.stat(file1).st_flags
+ test(file1, target_is_directory=False)
+ new_flags = os.stat(file1).st_flags
+ self.assertEqual(new_flags, old_flags)
+
+ with self.subTest('existing dir'):
+ os.chflags(dir1, flags)
+ old_flags = os.stat(dir1).st_flags
+ test(dir1, target_is_directory=True)
+ new_flags = os.stat(dir1).st_flags
+ self.assertEqual(new_flags, old_flags)
+
@support.cpython_only
def test_del_on_collection(self):
# A TemporaryDirectory is deleted when garbage collected
@@ -1847,6 +1944,22 @@ class TestTemporaryDirectory(BaseTestCas
def check_flags(self, flags):
# skip the test if these flags are not supported (ex: FreeBSD 13)
+ filename = os_helper.TESTFN
+ try:
+ open(filename, "w").close()
+ try:
+ os.chflags(filename, flags)
+ except OSError as exc:
+ # "OSError: [Errno 45] Operation not supported"
+ self.skipTest(f"chflags() doesn't support flags "
+ f"{flags:#b}: {exc}")
+ else:
+ os.chflags(filename, 0)
+ finally:
+ os_helper.unlink(filename)
+
+ def check_flags(self, flags):
+ # skip the test if these flags are not supported (ex: FreeBSD 13)
filename = os_helper.TESTFN
try:
open(filename, "w").close()
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst
@@ -0,0 +1,2 @@
+Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no longer
+dereferences symlinks when working around file system permission errors.

14
F00251-change-user-install-location.patch
View File

@ -13,8 +13,10 @@ Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
Lib/site.py | 9 ++++++++- Lib/site.py | 9 ++++++++-
2 files changed, 21 insertions(+), 3 deletions(-) 2 files changed, 21 insertions(+), 3 deletions(-)
--- a/Lib/distutils/command/install.py Index: Python-3.11.8/Lib/distutils/command/install.py
+++ b/Lib/distutils/command/install.py ===================================================================
--- Python-3.11.8.orig/Lib/distutils/command/install.py
+++ Python-3.11.8/Lib/distutils/command/install.py
@@ -441,8 +441,19 @@ class install(Command): @@ -441,8 +441,19 @@ class install(Command):
raise DistutilsOptionError( raise DistutilsOptionError(
"must not supply exec-prefix without prefix") "must not supply exec-prefix without prefix")
@ -37,9 +39,11 @@ Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
else: else:
if self.exec_prefix is None: if self.exec_prefix is None:
--- a/Lib/site.py Index: Python-3.11.8/Lib/site.py
+++ b/Lib/site.py ===================================================================
@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None): --- Python-3.11.8.orig/Lib/site.py
+++ Python-3.11.8/Lib/site.py
@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None):
return sitepackages return sitepackages
def addsitepackages(known_paths, prefixes=None): def addsitepackages(known_paths, prefixes=None):

BIN
Python-3.11.5.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

16
Python-3.11.5.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmTnS9sACgkQ/+h0BBaL
2EeG8g//Q6EC79SSFl4BPb064d8X1q8agfLN+D07N6ULsaOL1baOClLbMxiCgquQ
R1CVzEXc0osL25Xw/7rTIBO0tCSS2yNcQ3GMuetBO4wfofDvs9V2ydaVQdrIHEQm
OTOveioF9TOaQ/zozi9Hecl4RY289kCD64sWNkwPYBJzO9KQD/UGRS/b5a4CGKyP
GSQEFdfevYsuLxLtwNh1z8af1LKRGhuWoZOBhDgpz4foH4EQdz80sssXzm2vG3tS
hAeniPphjZyRfl8kC1C86M/hH08S3h4bf/LF/OQ0OYUrwOquqOsLlz03XzJ+COGK
nBa/CGsFrxeby2oI/XF8YZrFzt9LKyWYc2p+AIU+u2EnYwOmAkrE4QaczqOV8ldD
UvfZLTeMVG/Q6JGkNS/OyM3SZoVKDdGJlg5yVAQtbQjdsB5QjVDcysLhhZ+qnuJv
pnQ6anbbX5r4X4ji/2Uar5cwO/jf7QenTKLtgGY67Q2oRE20w6F5rbYHEdO4a4MM
OkI/0pUaU5MGRJfowwtcD5AbWPKo1XXqw2UY8p+biEaVQOj+kWhoB8YA5Qz1utHJ
GiPP69oDIjfn3sPMxB/C1pBdB/m3i8za58b+G3aYtAWWP1q0abaHqPusACotvxPp
3IvB3ryLlTyUYqqTiDp9wgYh2Nr+a9b6i6yW0ptcdycnzDWC1/E=
=Lzjg
-----END PGP SIGNATURE-----

BIN
Python-3.11.8.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
Python-3.11.8.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmXCppEACgkQ/+h0BBaL
2Edi6g//dRagLHlrmPyCrch7ZqAazLMXTHb3cerXg41QEqfwIl7osk1HnqObBgVN
w8vgXy9ZlxWwv+cWvwrNLY1AWEfarhwRzWLkikHwycBIIgep1HmSvyU4wLKaN7mI
c/LxGHfQZ6suu3gCVmRFBoB/ACpT0P5qvDpoUehrADE6wCqs0vbRiW/InLCTUpOy
zZ+5ncK302JtafJkjIGf2VNB4yQATk/v7fO/z43sEQqhvzgtlWlXNmtCKshGBIt1
mJpLEs8gCq97jObfbN7FkC3Ti/kEan7PbjDzsDKcBv/jJudvWywHtMzplgbjtOYG
AgBM8bXbVC119BwmfBpvAxgsVKmmGi9d2McJUPOcIHKiHCb17fU0srRbSV47rE9N
PWEHgQC2ICbdT9N1oimOEp16eYt5omFWfDy5C91oqUnBFtz8wqiNmyeQimegMgBe
cDpOY73C2H7Vi6rX9EbyrG+LOkfJ6Vt5rTCa+zbAPy2ihz/ajA7UNH72t1uuzFQZ
pPdUBNhtGxr5EB3zAqBxDuoh9DMOmDZACbT+npHR3Y7KaXTHYIe7Ot8CCrLpH+Ra
8Yt6/CCD7KnsCWz6pfyH+ulIL4vw+dPnC809+neiXhiUuM5qiIr9K7HidzXi0Lwj
sb8MVErS8dURFZP48e1dfbyJqsAvAosiGmjDDqbrlAC5attKjg8=
=VFx6
-----END PGP SIGNATURE-----

283
Revert-gh105127-left-tests.patch
View File

@ -1,283 +0,0 @@
From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Thu, 20 Jul 2023 20:30:52 -0700
Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address
parsing errors ... (GH-105127)" (GH-106733)
This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00.
Adds a regression test from the issue.
See https://github.com/python/cpython/issues/106669..
(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Doc/library/email.utils.rst | 26 --
Lib/email/utils.py | 63 ------
Lib/test/test_email/test_email.py | 96 +---------
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 5
4 files changed, 31 insertions(+), 159 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
Index: Python-3.11.4/Doc/library/email.utils.rst
===================================================================
--- Python-3.11.4.orig/Doc/library/email.utils.rst
+++ Python-3.11.4/Doc/library/email.utils.rst
@@ -67,11 +67,6 @@ of the new API.
*email address* parts. Returns a tuple of that information, unless the parse
fails, in which case a 2-tuple of ``('', '')`` is returned.
- .. versionchanged:: 3.12
- For security reasons, addresses that were ambiguous and could parse into
- multiple different addresses now cause ``('', '')`` to be returned
- instead of only one of the *potential* addresses.
-
.. function:: formataddr(pair, charset='utf-8')
@@ -94,7 +89,7 @@ of the new API.
This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
*fieldvalues* is a sequence of header field values as might be returned by
:meth:`Message.get_all <email.message.Message.get_all>`. Here's a simple
- example that gets all the recipients of a message:
+ example that gets all the recipients of a message::
from email.utils import getaddresses
@@ -104,25 +99,6 @@ of the new API.
resent_ccs = msg.get_all('resent-cc', [])
all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
- When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
- is returned in its place. Other errors in parsing the list of
- addresses such as a fieldvalue seemingly parsing into multiple
- addresses may result in a list containing a single empty 2-tuple
- ``[('', '')]`` being returned rather than returning potentially
- invalid output.
-
- Example malformed input parsing:
-
- .. doctest::
-
- >>> from email.utils import getaddresses
- >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
- [('', '')]
-
- .. versionchanged:: 3.12
- The 2-tuple of ``('', '')`` in the returned values when parsing
- fails were added as to address a security issue.
-
.. function:: parsedate(date)
Index: Python-3.11.4/Lib/email/utils.py
===================================================================
--- Python-3.11.4.orig/Lib/email/utils.py
+++ Python-3.11.4/Lib/email/utils.py
@@ -106,54 +106,12 @@ def formataddr(pair, charset='utf-8'):
return address
-def _pre_parse_validation(email_header_fields):
- accepted_values = []
- for v in email_header_fields:
- s = v.replace('\\(', '').replace('\\)', '')
- if s.count('(') != s.count(')'):
- v = "('', '')"
- accepted_values.append(v)
-
- return accepted_values
-
-
-def _post_parse_validation(parsed_email_header_tuples):
- accepted_values = []
- # The parser would have parsed a correctly formatted domain-literal
- # The existence of an [ after parsing indicates a parsing failure
- for v in parsed_email_header_tuples:
- if '[' in v[1]:
- v = ('', '')
- accepted_values.append(v)
-
- return accepted_values
-
def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-
- When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
- its place.
-
- If the resulting list of parsed address is not the same as the number of
- fieldvalues in the input list a parsing error has occurred. A list
- containing a single empty 2-tuple [('', '')] is returned in its place.
- This is done to avoid invalid output.
- """
- fieldvalues = [str(v) for v in fieldvalues]
- fieldvalues = _pre_parse_validation(fieldvalues)
- all = COMMASPACE.join(v for v in fieldvalues)
+ """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
+ all = COMMASPACE.join(str(v) for v in fieldvalues)
a = _AddressList(all)
- result = _post_parse_validation(a.addresslist)
-
- n = 0
- for v in fieldvalues:
- n += v.count(',') + 1
-
- if len(result) != n:
- return [('', '')]
-
- return result
+ return a.addresslist
def _format_timetuple_and_zone(timetuple, zone):
@@ -254,18 +212,9 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', '').
"""
- if isinstance(addr, list):
- addr = addr[0]
-
- if not isinstance(addr, str):
- return ('', '')
-
- addr = _pre_parse_validation([addr])[0]
- addrs = _post_parse_validation(_AddressList(addr).addresslist)
-
- if not addrs or len(addrs) > 1:
- return ('', '')
-
+ addrs = _AddressList(addr).addresslist
+ if not addrs:
+ return '', ''
return addrs[0]
Index: Python-3.11.4/Lib/test/test_email/test_email.py
===================================================================
--- Python-3.11.4.orig/Lib/test/test_email/test_email.py
+++ Python-3.11.4/Lib/test/test_email/test_email.py
@@ -3320,90 +3320,32 @@ Foo
[('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')])
- def test_getaddresses_parsing_errors(self):
- """Test for parsing errors from CVE-2023-27043"""
- eq = self.assertEqual
- eq(utils.getaddresses(['alice@example.org(<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org)<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org<<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org><bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org@<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org,<bob@example.com>']),
- [('', 'alice@example.org'), ('', 'bob@example.com')])
- eq(utils.getaddresses(['alice@example.org;<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org:<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org.<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org"<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org[<bob@example.com>']),
- [('', '')])
- eq(utils.getaddresses(['alice@example.org]<bob@example.com>']),
- [('', '')])
-
- def test_parseaddr_parsing_errors(self):
- """Test for parsing errors from CVE-2023-27043"""
- eq = self.assertEqual
- eq(utils.parseaddr(['alice@example.org(<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org)<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org<<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org><bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org@<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org,<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org;<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org:<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org.<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org"<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org[<bob@example.com>']),
- ('', ''))
- eq(utils.parseaddr(['alice@example.org]<bob@example.com>']),
- ('', ''))
+ def test_getaddresses_comma_in_name(self):
+ """GH-106669 regression test."""
+ self.assertEqual(
+ utils.getaddresses(
+ [
+ '"Bud, Person" <bperson@dom.ain>',
+ 'aperson@dom.ain (Al Person)',
+ '"Mariusz Felisiak" <to@example.com>',
+ ]
+ ),
+ [
+ ('Bud, Person', 'bperson@dom.ain'),
+ ('Al Person', 'aperson@dom.ain'),
+ ('Mariusz Felisiak', 'to@example.com'),
+ ],
+ )
def test_getaddresses_nasty(self):
eq = self.assertEqual
eq(utils.getaddresses(['foo: ;']), [('', '')])
- eq(utils.getaddresses(['[]*-- =~$']), [('', '')])
+ eq(utils.getaddresses(
+ ['[]*-- =~$']),
+ [('', ''), ('', ''), ('', '*--')])
eq(utils.getaddresses(
['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
[('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
- eq(utils.getaddresses(
- [r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>']),
- [('Pete (A nice ) chap his account his host)', 'pete@silly.test')])
- eq(utils.getaddresses(
- ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']),
- [('', '')])
- eq(utils.getaddresses(
- ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']),
- [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')])
- eq(utils.getaddresses(
- ['John Doe <jdoe@machine(comment). example>']),
- [('John Doe (comment)', 'jdoe@machine.example')])
- eq(utils.getaddresses(
- ['"Mary Smith: Personal Account" <smith@home.example>']),
- [('Mary Smith: Personal Account', 'smith@home.example')])
- eq(utils.getaddresses(
- ['Undisclosed recipients:;']),
- [('', '')])
- eq(utils.getaddresses(
- [r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>']),
- [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')])
def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment"""
Index: Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
===================================================================
--- Python-3.11.4.orig/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+++ Python-3.11.4/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -1,3 +1,8 @@
+Reverted the :mod:`email.utils` security improvement change released in
+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail
+to parse email addresses with a comma in the quoted name field.
+See :gh:`106669`.
+
CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
and :func:`email.utils.getaddresses` from returning the realname portion of an
invalid RFC2822 email header in the email address portion of the 2-tuple

46
bpo-31046_ensurepip_honours_prefix.patch
View File

@ -13,20 +13,22 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
5 files changed, 34 insertions(+), 9 deletions(-) 5 files changed, 34 insertions(+), 9 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
--- a/Doc/library/ensurepip.rst Index: Python-3.11.8/Doc/library/ensurepip.rst
+++ b/Doc/library/ensurepip.rst ===================================================================
@@ -59,8 +59,9 @@ is at least as recent as the one availab --- Python-3.11.8.orig/Doc/library/ensurepip.rst
+++ Python-3.11.8/Doc/library/ensurepip.rst
@@ -59,7 +59,9 @@ is at least as recent as the one availab
By default, ``pip`` is installed into the current virtual environment By default, ``pip`` is installed into the current virtual environment
(if one is active) or into the system site packages (if there is no (if one is active) or into the system site packages (if there is no
active virtual environment). The installation location can be controlled active virtual environment). The installation location can be controlled
-through two additional command line options: -through two additional command line options:
+through some additional command line options: +through some additional command line options:
+
+* ``--prefix <dir>``: Installs ``pip`` using the given directory prefix. +* ``--prefix <dir>``: Installs ``pip`` using the given directory prefix.
* ``--root <dir>``: Installs ``pip`` relative to the given root directory
* :samp:`--root {dir}`: Installs ``pip`` relative to the given root directory
rather than the root of the currently active virtual environment (if any) rather than the root of the currently active virtual environment (if any)
or the default root for the current Python installation. @@ -92,7 +94,7 @@ Module API
@@ -92,7 +93,7 @@ Module API
Returns a string specifying the available version of pip that will be Returns a string specifying the available version of pip that will be
installed when bootstrapping an environment. installed when bootstrapping an environment.
@ -35,7 +37,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
altinstall=False, default_pip=False, \ altinstall=False, default_pip=False, \
verbosity=0) verbosity=0)
@@ -102,6 +103,8 @@ Module API @@ -102,6 +104,8 @@ Module API
If *root* is ``None``, then installation uses the default install location If *root* is ``None``, then installation uses the default install location
for the current environment. for the current environment.
@ -44,7 +46,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
*upgrade* indicates whether or not to upgrade an existing installation *upgrade* indicates whether or not to upgrade an existing installation
of an earlier version of ``pip`` to the available version. of an earlier version of ``pip`` to the available version.
@@ -122,6 +125,8 @@ Module API @@ -122,6 +126,8 @@ Module API
*verbosity* controls the level of output to :data:`sys.stdout` from the *verbosity* controls the level of output to :data:`sys.stdout` from the
bootstrapping operation. bootstrapping operation.
@ -53,8 +55,10 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
.. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap .. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap
.. note:: .. note::
--- a/Lib/ensurepip/__init__.py Index: Python-3.11.8/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py ===================================================================
--- Python-3.11.8.orig/Lib/ensurepip/__init__.py
+++ Python-3.11.8/Lib/ensurepip/__init__.py
@@ -122,27 +122,27 @@ def _disable_pip_configuration_settings( @@ -122,27 +122,27 @@ def _disable_pip_configuration_settings(
os.environ['PIP_CONFIG_FILE'] = os.devnull os.environ['PIP_CONFIG_FILE'] = os.devnull
@ -117,8 +121,10 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
upgrade=args.upgrade, upgrade=args.upgrade,
user=args.user, user=args.user,
verbosity=args.verbosity, verbosity=args.verbosity,
--- a/Lib/test/test_ensurepip.py Index: Python-3.11.8/Lib/test/test_ensurepip.py
+++ b/Lib/test/test_ensurepip.py ===================================================================
--- Python-3.11.8.orig/Lib/test/test_ensurepip.py
+++ Python-3.11.8/Lib/test/test_ensurepip.py
@@ -112,6 +112,17 @@ class TestBootstrap(EnsurepipMixin, unit @@ -112,6 +112,17 @@ class TestBootstrap(EnsurepipMixin, unit
unittest.mock.ANY, unittest.mock.ANY,
) )
@ -137,9 +143,11 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
def test_bootstrapping_with_user(self): def test_bootstrapping_with_user(self):
ensurepip.bootstrap(user=True) ensurepip.bootstrap(user=True)
--- a/Makefile.pre.in Index: Python-3.11.8/Makefile.pre.in
+++ b/Makefile.pre.in ===================================================================
@@ -1756,7 +1756,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni --- Python-3.11.8.orig/Makefile.pre.in
+++ Python-3.11.8/Makefile.pre.in
@@ -1761,7 +1761,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni
install|*) ensurepip="" ;; \ install|*) ensurepip="" ;; \
esac; \ esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@ -148,7 +156,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
fi fi
altinstall: commoninstall altinstall: commoninstall
@@ -1766,7 +1766,7 @@ altinstall: commoninstall @@ -1771,7 +1771,7 @@ altinstall: commoninstall
install|*) ensurepip="--altinstall" ;; \ install|*) ensurepip="--altinstall" ;; \
esac; \ esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@ -157,7 +165,9 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
fi fi
commoninstall: check-clean-src @FRAMEWORKALTINSTALLFIRST@ \ commoninstall: check-clean-src @FRAMEWORKALTINSTALLFIRST@ \
Index: Python-3.11.8/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
===================================================================
--- /dev/null --- /dev/null
+++ b/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst +++ Python-3.11.8/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+A directory prefix can now be specified when using :mod:`ensurepip`. +A directory prefix can now be specified when using :mod:`ensurepip`.

6
distutils-reproducible-compile.patch
View File

@ -2,8 +2,10 @@
Lib/distutils/util.py | 2 +- Lib/distutils/util.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Lib/distutils/util.py Index: Python-3.11.8/Lib/distutils/util.py
+++ b/Lib/distutils/util.py ===================================================================
--- Python-3.11.8.orig/Lib/distutils/util.py
+++ Python-3.11.8/Lib/distutils/util.py
@@ -436,7 +436,7 @@ byte_compile(files, optimize=%r, force=% @@ -436,7 +436,7 @@ byte_compile(files, optimize=%r, force=%
else: else:
from py_compile import compile from py_compile import compile

28
fix_configure_rst.patch
View File

@ -3,36 +3,40 @@
Misc/NEWS | 2 +- Misc/NEWS | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-) 2 files changed, 1 insertion(+), 4 deletions(-)
--- a/Doc/using/configure.rst Index: Python-3.11.8/Doc/using/configure.rst
+++ b/Doc/using/configure.rst ===================================================================
--- Python-3.11.8.orig/Doc/using/configure.rst
+++ Python-3.11.8/Doc/using/configure.rst
@@ -41,7 +41,6 @@ General Options @@ -41,7 +41,6 @@ General Options
See :data:`sys.int_info.bits_per_digit <sys.int_info>`. See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
-.. cmdoption:: --with-cxx-main -.. option:: --with-cxx-main
.. cmdoption:: --with-cxx-main=COMPILER .. option:: --with-cxx-main=COMPILER
Compile the Python ``main()`` function and link Python executable with C++ Compile the Python ``main()`` function and link Python executable with C++
@@ -527,13 +526,11 @@ macOS Options @@ -527,13 +526,11 @@ macOS Options
See ``Mac/README.rst``. See ``Mac/README.rst``.
-.. cmdoption:: --enable-universalsdk -.. option:: --enable-universalsdk
.. cmdoption:: --enable-universalsdk=SDKDIR .. option:: --enable-universalsdk=SDKDIR
Create a universal binary build. *SDKDIR* specifies which macOS SDK should Create a universal binary build. *SDKDIR* specifies which macOS SDK should
be used to perform the build (default is no). be used to perform the build (default is no).
-.. cmdoption:: --enable-framework -.. option:: --enable-framework
.. cmdoption:: --enable-framework=INSTALLDIR .. option:: --enable-framework=INSTALLDIR
Create a Python.framework rather than a traditional Unix install. Optional Create a Python.framework rather than a traditional Unix install. Optional
--- a/Misc/NEWS Index: Python-3.11.8/Misc/NEWS
+++ b/Misc/NEWS ===================================================================
@@ -8105,7 +8105,7 @@ C API --- Python-3.11.8.orig/Misc/NEWS
+++ Python-3.11.8/Misc/NEWS
@@ -9411,7 +9411,7 @@ C API
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name - bpo-43795: The list in :ref:`limited-api-list` now shows the public name
- :c:struct:`PyFrameObject` rather than ``_frame``. The non-existing entry - :c:struct:`PyFrameObject` rather than ``_frame``. The non-existing entry
+ :c:type:`PyFrameObject` rather than ``_frame``. The non-existing entry + :c:type:`PyFrameObject` rather than ``_frame``. The non-existing entry
``_node`` no longer appears in the list. ``_node`` no longer appears in the list.

108
libexpat260.patch Normal file
View File

@ -0,0 +1,108 @@
From f2eebf3c38eae77765247791576b437ec25ccfe2 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sun, 11 Feb 2024 12:08:39 +0200
Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
(GH-115164)
Feeding the parser by too small chunks defers parsing to prevent
CVE-2023-52425. Future versions of Expat may be more reactive.
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Lib/test/test_xml_etree.py | 58 ++++++++++++-------
...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 +
2 files changed, 38 insertions(+), 22 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
index 267982a8233c92..fa03f381fac92a 100644
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -13,6 +13,7 @@
import operator
import os
import pickle
+import pyexpat
import sys
import textwrap
import types
@@ -120,6 +121,10 @@
</foo>
"""
+fails_with_expat_2_6_0 = (unittest.expectedFailure
+ if pyexpat.version_info >= (2, 6, 0) else
+ lambda test: test)
+
def checkwarnings(*filters, quiet=False):
def decorator(test):
def newtest(*args, **kwargs):
@@ -1400,28 +1405,37 @@ def assert_event_tags(self, parser, expected, max_events=None):
self.assertEqual([(action, elem.tag) for action, elem in events],
expected)
- def test_simple_xml(self):
- for chunk_size in (None, 1, 5):
- with self.subTest(chunk_size=chunk_size):
- parser = ET.XMLPullParser()
- self.assert_event_tags(parser, [])
- self._feed(parser, "<!-- comment -->\n", chunk_size)
- self.assert_event_tags(parser, [])
- self._feed(parser,
- "<root>\n <element key='value'>text</element",
- chunk_size)
- self.assert_event_tags(parser, [])
- self._feed(parser, ">\n", chunk_size)
- self.assert_event_tags(parser, [('end', 'element')])
- self._feed(parser, "<element>text</element>tail\n", chunk_size)
- self._feed(parser, "<empty-element/>\n", chunk_size)
- self.assert_event_tags(parser, [
- ('end', 'element'),
- ('end', 'empty-element'),
- ])
- self._feed(parser, "</root>\n", chunk_size)
- self.assert_event_tags(parser, [('end', 'root')])
- self.assertIsNone(parser.close())
+ def test_simple_xml(self, chunk_size=None):
+ parser = ET.XMLPullParser()
+ self.assert_event_tags(parser, [])
+ self._feed(parser, "<!-- comment -->\n", chunk_size)
+ self.assert_event_tags(parser, [])
+ self._feed(parser,
+ "<root>\n <element key='value'>text</element",
+ chunk_size)
+ self.assert_event_tags(parser, [])
+ self._feed(parser, ">\n", chunk_size)
+ self.assert_event_tags(parser, [('end', 'element')])
+ self._feed(parser, "<element>text</element>tail\n", chunk_size)
+ self._feed(parser, "<empty-element/>\n", chunk_size)
+ self.assert_event_tags(parser, [
+ ('end', 'element'),
+ ('end', 'empty-element'),
+ ])
+ self._feed(parser, "</root>\n", chunk_size)
+ self.assert_event_tags(parser, [('end', 'root')])
+ self.assertIsNone(parser.close())
+
+ @fails_with_expat_2_6_0
+ def test_simple_xml_chunk_1(self):
+ self.test_simple_xml(chunk_size=1)
+
+ @fails_with_expat_2_6_0
+ def test_simple_xml_chunk_5(self):
+ self.test_simple_xml(chunk_size=5)
+
+ def test_simple_xml_chunk_22(self):
+ self.test_simple_xml(chunk_size=22)
def test_feed_while_iterating(self):
parser = ET.XMLPullParser()
diff --git a/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
new file mode 100644
index 00000000000000..6f1015235cc25d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
@@ -0,0 +1,2 @@
+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat
+2.6.0.

8
python-3.3.0b1-fix_date_time_compiler.patch
View File

@ -2,9 +2,11 @@
Makefile.pre.in | 7 +++++++ Makefile.pre.in | 7 +++++++
1 file changed, 7 insertions(+) 1 file changed, 7 insertions(+)
--- a/Makefile.pre.in Index: Python-3.11.8/Makefile.pre.in
+++ b/Makefile.pre.in ===================================================================
@@ -1235,11 +1235,18 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ --- Python-3.11.8.orig/Makefile.pre.in
+++ Python-3.11.8/Makefile.pre.in
@@ -1240,11 +1240,18 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \
$(DTRACE_OBJS) \ $(DTRACE_OBJS) \
$(srcdir)/Modules/getbuildinfo.c $(srcdir)/Modules/getbuildinfo.c
$(CC) -c $(PY_CORE_CFLAGS) \ $(CC) -c $(PY_CORE_CFLAGS) \

10
python-3.3.0b1-localpath.patch
View File

@ -1,7 +1,9 @@
--- a/Lib/site.py Index: Python-3.11.8/Lib/site.py
+++ b/Lib/site.py ===================================================================
@@ -76,7 +76,7 @@ import _sitebuiltins --- Python-3.11.8.orig/Lib/site.py
import io +++ Python-3.11.8/Lib/site.py
@@ -77,7 +77,7 @@ import io
import stat
# Prefixes for site-packages; add additional prefixes like /usr/local here # Prefixes for site-packages; add additional prefixes like /usr/local here
-PREFIXES = [sys.prefix, sys.exec_prefix] -PREFIXES = [sys.prefix, sys.exec_prefix]

8
python-3.3.0b1-test-posix_fadvise.patch
View File

@ -2,9 +2,11 @@
Lib/test/test_posix.py | 2 +- Lib/test/test_posix.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Lib/test/test_posix.py Index: Python-3.11.8/Lib/test/test_posix.py
+++ b/Lib/test/test_posix.py ===================================================================
@@ -428,7 +428,7 @@ class PosixTester(unittest.TestCase): --- Python-3.11.8.orig/Lib/test/test_posix.py
+++ Python-3.11.8/Lib/test/test_posix.py
@@ -430,7 +430,7 @@ class PosixTester(unittest.TestCase):
def test_posix_fadvise(self): def test_posix_fadvise(self):
fd = os.open(os_helper.TESTFN, os.O_RDONLY) fd = os.open(os_helper.TESTFN, os.O_RDONLY)
try: try:

699
python311.changes
View File

@ -1,3 +1,702 @@
-------------------------------------------------------------------
Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
-------------------------------------------------------------------
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Remove double definition of /usr/bin/idle%%{version} in
%%files.
-------------------------------------------------------------------
Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
with Expat 2.6.0, gh#python/cpython#115289
-------------------------------------------------------------------
Thu Feb 8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Update to 3.11.8:
- Security
- gh-113659: Skip .pth files with names starting with a dot or
hidden file attribute.
- Core and Builtins
- gh-114887: Changed socket type validation in
create_datagram_endpoint() to accept all non-stream sockets.
This fixes a regression in compatibility with raw sockets.
- gh-114388: Fix a RuntimeWarning emitted when assign an
integer-like value that is not an instance of int to an
attribute that corresponds to a C struct member of type T_UINT
and T_ULONG. Fix a double RuntimeWarning emitted when assign a
negative integer value to an attribute that corresponds to a C
struct member of type T_UINT.
- gh-89811: Check for a valid tp_version_tag before performing
bytecode specializations that rely on this value being usable.
- gh-113602: Fix an error that was causing the parser to try to
overwrite existing errors and crashing in the process. Patch by
Pablo Galindo
- gh-113566: Fix a 3.11-specific crash when the repr of a Future
is requested after the module has already been
garbage-collected.
- gh-106905: Use per AST-parser state rather than global state to
track recursion depth within the AST parser to prevent potential
race condition due to simultaneous parsing.
- The issue primarily showed up in 3.11 by multithreaded users of
ast.parse(). In 3.12 a change to when garbage collection can be
triggered prevented the race condition from occurring.
- gh-112716: Fix SystemError in the import statement and in
__reduce__() methods of builtin types when __builtins__ is not a
dict.
- gh-105967: Workaround a bug in Apples macOS platform zlib
library where zlib.crc32() and binascii.crc32() could produce
incorrect results on multi-gigabyte inputs. Including when using
zipfile on zips containing large data.
- gh-94606: Fix UnicodeEncodeError when
email.message.get_payload() reads a message with a Unicode
surrogate character and the message content is not well-formed
for surrogateescape encoding. Patch by Sidney Markowitz.
- Library
- gh-114965: Update bundled pip to 24.0
- gh-114959: tarfile no longer ignores errors when trying to
extract a directory on top of a file.
- gh-109475: Fix support of explicit option value “–” in argparse
(e.g. --option=--).
- gh-110190: Fix ctypes structs with array on Windows ARM64
platform by setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by
Diego Russo
- gh-113280: Fix a leak of open socket in rare cases when error
occurred in ssl.SSLSocket creation.
- gh-77749: email.policy.EmailPolicy.fold() now always encodes
non-ASCII characters in headers if utf8 is false.
- gh-114492: Make the result of termios.tcgetattr() reproducible
on Alpine Linux. Previously it could leave a random garbage in
some fields.
- gh-75128: Ignore an OSError in
asyncio.BaseEventLoop.create_server() when IPv6 is available but
the interface cannot actually support it.
- gh-114257: Dismiss the FileNotFound error in
ctypes.util.find_library() and just return None on Linux.
- gh-101438: Avoid reference cycle in ElementTree.iterparse. The
iterator returned by ElementTree.iterparse may hold on to a file
descriptor. The reference cycle prevented prompt clean-up of the
file descriptor if the returned iterator was not exhausted.
- gh-104522: OSError raised when run a subprocess now only has
filename attribute set to cwd if the error was caused by a
failed attempt to change the current directory.
- gh-109534: Fix a reference leak in
asyncio.selector_events.BaseSelectorEventLoop when SSL
handshakes fail. Patch contributed by Jamie Phan.
- gh-114077: Fix possible OverflowError in
socket.socket.sendfile() when pass count larger than 2 GiB on
32-bit platform.
- gh-114014: Fixed a bug in fractions.Fraction where an invalid
string using d in the decimals part creates a different error
compared to other invalid letters/characters. Patch by Jeremiah
Gabriel Pascual.
- gh-113951: Fix the behavior of tag_unbind() methods of
tkinter.Text and tkinter.Canvas classes with three arguments.
Previously, widget.tag_unbind(tag, sequence, funcid) destroyed
the current binding for sequence, leaving sequence unbound, and
deleted the funcid command. Now it removes only funcid from the
binding for sequence, keeping other commands, and deletes the
funcid command. It leaves sequence unbound only if funcid was
the last bound command.
- gh-113877: Fix tkinter method winfo_pathname() on 64-bit
Windows.
- gh-113781: Silence unraisable AttributeError when warnings are
emitted during Python finalization.
- gh-113594: Fix UnicodeEncodeError in email when re-fold lines
that contain unknown-8bit encoded part followed by
non-unknown-8bit encoded part.
- gh-113538: In asyncio.StreamReaderProtocol.connection_made(),
there is callback that logs an error if the task wrapping the
“connected callback” fails. This callback would itself fail if
the task was cancelled. Prevent this by checking whether the
task was cancelled first. If so, close the transport but dont
log an error.
- gh-85567: Fix resource warnings for unclosed files in pickle and
pickletools command line interfaces.
- gh-101225: Increase the backlog for
multiprocessing.connection.Listener objects created by
multiprocessing.manager and multiprocessing.resource_sharer to
significantly reduce the risk of getting a connection refused
error when creating a multiprocessing.connection.Connection to
them.
- gh-113543: Make sure that webbrowser.MacOSXOSAScript sends
webbrowser.open audit event.
- gh-113028: When a second reference to a string appears in the
input to pickle, and the Python implementation is in use, we are
guaranteed that a single copy gets pickled and a single object
is shared when reloaded. Previously, in protocol 0, when a
string contained certain characters (e.g. newline) it resulted
in duplicate objects.
- gh-113421: Fix multiprocessing logger for %(filename)s.
- gh-113358: Fix rendering tracebacks for exceptions with a broken
__getattr__.
- gh-113214: Fix an AttributeError during asyncio SSL protocol
aborts in SSL-over-SSL scenarios.
- gh-113246: Update bundled pip to 23.3.2.
- gh-113199: Make http.client.HTTPResponse.read1 and
http.client.HTTPResponse.readline close IO after reading all
data when content length is known. Patch by Illia Volochii.
- gh-113188: Fix shutil.copymode() and shutil.copystat() on
Windows. Previously they worked differenly if dst is a symbolic
link: they modified the permission bits of dst itself rather
than the file it points to if follow_symlinks is true or src is
not a symbolic link, and did not modify the permission bits if
follow_symlinks is false and src is a symbolic link.
- gh-61648: Detect line numbers of properties in doctests.
- gh-112559: signal.signal() and signal.getsignal() no longer call
repr on callable handlers. asyncio.run() and
asyncio.Runner.run() no longer call repr on the task results.
Patch by Yilei Yang.
- gh-110190: Fix ctypes structs with array on PPC64LE platform by
setting MAX_STRUCT_SIZE to 64 in stgdict. Patch by Diego Russo.
- gh-79429: Ignore FileNotFoundError when remove a temporary
directory in the multiprocessing finalizer.
- gh-79325: Fix an infinite recursion error in
tempfile.TemporaryDirectory() cleanup on Windows.
- gh-110190: Fix ctypes structs with array on Arm platform by
setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
- gh-81194: Fix a crash in socket.if_indextoname() with specific
value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-75666: Fix the behavior of tkinter widgets unbind() method
with two arguments. Previously, widget.unbind(sequence, funcid)
destroyed the current binding for sequence, leaving sequence
unbound, and deleted the funcid command. Now it removes only
funcid from the binding for sequence, keeping other commands,
and deletes the funcid command. It leaves sequence unbound only
if funcid was the last bound command.
- gh-110345: Show the Tcl/Tk patchlevel (rather than version) in
tkinter._test().
- gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now
raises BadZipFile when try to read an entry that overlaps with
other entry or central directory.
- gh-38807: Fix race condition in trace. Instead of checking if a
directory exists and creating it, directly call os.makedirs()
with the kwarg exist_ok=True.
- gh-75705: Set unixfrom envelope in mailbox.mbox and
mailbox.MMDF.
- gh-105102: Allow ctypes.Union to be nested in ctypes.Structure
when the system endianness is the opposite of the classes.
- gh-104282: Fix null pointer dereference in
lzma._decode_filter_properties() due to improper handling of BCJ
filters with properties of zero length. Patch by Radislav
Chugunov.
- gh-102512: When os.fork() is called from a foreign thread (aka
_DummyThread), the type of the thread in a child process is
changed to _MainThread. Also changed its name and daemonic
status, it can be now joined.
- gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
which now no longer dereferences symlinks when working around
file system permission errors.
- bpo-43153: On Windows, tempfile.TemporaryDirectory previously
masked a PermissionError with NotADirectoryError during
directory cleanup. It now correctly raises PermissionError if
errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
- bpo-35332: The shutil.rmtree() function now ignores errors when
calling os.close() when ignore_errors is True, and os.close() no
longer retried after error.
- bpo-35928: io.TextIOWrapper now correctly handles the decoding
buffer after read() and write().
- bpo-26791: shutil.move() now moves a symlink into a directory
when that directory is the target of the symlink. This provides
the same behavior as the mv shell command. The previous behavior
raised an exception. Patch by Jeffrey Kintscher.
- bpo-36959: Fix some error messages for invalid ISO format string
combinations in strptime() that referred to directives not
contained in the format string. Patch by Gordon P. Hemsley.
- bpo-18060: Fixed a class inheritance issue that can cause
segfaults when deriving two or more levels of subclasses from a
base class of Structure or Union.
- Documentation
- gh-110746: Improved markup for valid options/values for methods
ttk.treeview.column and ttk.treeview.heading, and for Layouts.
- gh-95649: Document that the asyncio module contains code taken
from v0.16.0 of the uvloop project, as well as the required MIT
licensing information.
- Tests
- gh-109980: Fix test_tarfile_vs_tar in test_shutil for macOS,
where system tar can include more information in the archive
than shutil.make_archive.
- gh-112769: The tests now correctly compare zlib version when
zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
example zlib-ng defines the version as 1.3.0.zlib-ng.
- gh-105089: Fix
test.test_zipfile.test_core.TestWithDirectory.test_create_directory_with_write
test in AIX by doing a bitwise AND of 0xFFFF on mode , so that
it will be in sync with zinfo.external_attr
- bpo-40648: Test modes that file can get with chmod() on Windows.
- Build
- gh-101778: Fix build error when theres a dangling symlink in
the directory containing ffi.h.
- gh-112305: Fixed the check-clean-src step performed on out of
tree builds to detect errant $(srcdir)/Python/frozen_modules/*.h
files and recommend appropriate source tree cleanup steps to get
a working build again.
- bpo-11102: The os.major(), os.makedev(), and os.minor()
functions are now available on HP-UX v3.
- bpo-36351: Do not set ipv6type when cross-compiling.
- IDLE
- gh-96905: In idlelib code, stop redefining built-ins dict and
object.
- gh-72284: Improve the lists of features, editor key bindings,
and shell key bingings in the IDLE doc.
- gh-113903: Fix rare failure of test.test_idle, in
test_configdialog.
- gh-113729: Fix the “Help -> IDLE Doc” menu bug in 3.11.7 and
3.12.1.
- gh-113269: Fix test_editor hang on macOS Catalina.
- gh-112898: Fix processing unsaved files when quitting IDLE on
macOS.
- gh-103820: Revise IDLE bindings so that events from mouse button
4/5 on non-X11 windowing systems (i.e. Win32 and Aqua) are not
mistaken for scrolling.
- bpo-13586: Enter the selected text when opening the “Replace”
dialog.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13 and
multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1.
- gh-115015: Fix a bug in Argument Clinic that generated incorrect
code for methods with no parameters that use the METH_METHOD |
METH_FASTCALL | METH_KEYWORDS calling convention. Only the
positional parameter count was checked; any keyword argument
passed would be silently accepted.
- Refresh all patches:
- CVE-2023-27043-email-parsing-errors.patch
- F00251-change-user-install-location.patch
- bpo-31046_ensurepip_honours_prefix.patch
- distutils-reproducible-compile.patch
- fix_configure_rst.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- python-3.3.0b1-localpath.patch
- python-3.3.0b1-test-posix_fadvise.patch
- skip_if_buildbot-extend.patch
- subprocess-raise-timeout.patch
- support-expat-CVE-2022-25236-patched.patch
-------------------------------------------------------------------
Tue Dec 19 16:34:50 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Update patch fix_configure_rst.patch
- Update to 3.11.7:
- Core and Builtins
- gh-112625: Fixes a bug where a bytearray object could be cleared
while iterating over an argument in the bytearray.join() method
that could result in reading memory after it was freed.
- gh-112388: Fix an error that was causing the parser to try to
overwrite tokenizer errors. Patch by pablo Galindo
- gh-112387: Fix error positions for decoded strings with
backwards tokenize errors. Patch by Pablo Galindo
- gh-112266: Change docstrings of __dict__ and __weakref__.
- gh-109181: Speed up Traceback object creation by lazily compute
the line number. Patch by Pablo Galindo
- gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
codecs read out of bounds
- gh-111366: Fix an issue in the codeop that was causing
SyntaxError exceptions raised in the presence of invalid syntax
to not contain precise error messages. Patch by Pablo Galindo
- gh-111380: Fix a bug that was causing SyntaxWarning to appear
twice when parsing if invalid syntax is encountered later. Patch
by Pablo galindo
- gh-88116: Traceback location ranges involving wide unicode
characters (like emoji and asian characters) now are properly
highlighted. Patch by Batuhan Taskaya and Pablo Galindo.
- gh-94438: Fix a regression that prevented jumping across is None
and is not None when debugging. Patch by Savannah Ostrowski.
- gh-110696: Fix incorrect error message for invalid argument
unpacking. Patch by Pablo Galindo
- gh-110237: Fix missing error checks for calls to PyList_Append
in _PyEval_MatchClass.
- gh-109216: Fix possible memory leak in BUILD_MAP.
- Library
- gh-112618: Fix a caching bug relating to typing.Annotated.
Annotated[str, True] is no longer identical to Annotated[str,
1].
- gh-112509: Fix edge cases that could cause a key to be present
in both the __required_keys__ and __optional_keys__ attributes
of a typing.TypedDict. Patch by Jelle Zijlstra.
- gh-94722: Fix bug where comparison between instances of DocTest
fails if one of them has None as its lineno.
- gh-112105: Make readline.set_completer_delims() work with
libedit
- gh-111942: Fix SystemError in the TextIOWrapper constructor with
non-encodable “errors” argument in non-debug mode.
- gh-109538: Issue warning message instead of having RuntimeError
be displayed when event loop has already been closed at
StreamWriter.__del__().
- gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when
pass invalid arguments, e.g. non-string encoding.
- gh-111804: Remove posix.fallocate() under WASI as the underlying
posix_fallocate() is not available in WASI preview2.
- gh-111841: Fix truncating arguments on an embedded null
character in os.putenv() and os.unsetenv() on Windows.
- gh-111541: Fix doctest for SyntaxError not-builtin subclasses.
- gh-110894: Call loop exception handler for exceptions in
client_connected_cb of asyncio.start_server() so that
applications can handle it. Patch by Kumar Aditya.
- gh-111531: Fix reference leaks in bind_class() and bind_all()
methods of tkinter widgets.
- gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and
io.IncrementalNewlineDecoder to io.__all__.
- gh-68166: Remove mention of not supported “vsapi” element type
in tkinter.ttk.Style.element_create(). Add tests for
element_create() and other ttk.Style methods. Add examples for
element_create() in the documentation.
- gh-111251: Fix _blake2 not checking for errors when
initializing.
- gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly
for empty BytesIO.
- gh-111187: Postpone removal version for
locale.getdefaultlocale() to Python 3.15.
- gh-111159: Fix doctest output comparison for exceptions with
notes.
- gh-110910: Fix invalid state handling in asyncio.TaskGroup and
asyncio.Timeout. They now raise proper RuntimeError if they are
improperly used and are left in consistent state after this.
- gh-111092: Make turtledemo run without default root enabled.
- gh-110590: Fix a bug in _sre.compile() where TypeError would be
overwritten by OverflowError when the code argument was a list
of non-ints.
- gh-65052: Prevent pdb from crashing when trying to display
undisplayable objects
- gh-110519: Deprecation warning about non-integer number in
gettext now alwais refers to the line in the user code where
gettext function or method is used. Previously it could refer to
a line in gettext code.
- gh-110378: contextmanager() and asynccontextmanager() context
managers now close an invalid underlying generator object that
yields more then one value.
- gh-110365: Fix termios.tcsetattr() bug that was overwritting
existing errors during parsing integers from term list.
- gh-110196: Add __reduce__ method to IPv6Address in order to keep
scope_id
- gh-109747: Improve errors for unsupported look-behind patterns.
Now re.error is raised instead of OverflowError or RuntimeError
for too large width of look-behind pattern.
- gh-109786: Fix possible reference leaks and crash when re-enter
the __next__() method of itertools.pairwise.
- gh-108791: Improved error handling in pdb command line
interface, making it produce more concise error messages.
- gh-73561: Omit the interface scope from an IPv6 address when
used as Host header by http.client.
- gh-86826: zipinfo now supports the full range of values in the
TZ string determined by RFC 8536 and detects all invalid
formats. Both Python and C implementations now raise exceptions
of the same type on invalid data.
- bpo-41422: Fixed memory leaks of pickle.Pickler and
pickle.Unpickler involving cyclic references via the internal
memo mapping.
- bpo-40262: The ssl.SSLSocket.recv_into() method no longer
requires the buffer argument to implement __len__ and supports
buffers with arbitrary item size.
- bpo-35191: Fix unexpected integer truncation in
socket.setblocking() which caused it to interpret multiples of
2**32 as False.
- Documentation
- gh-108826: dis module command-line interface is now mentioned in
documentation.
- Tests
- gh-110367: Make regrtest --verbose3 option compatible with
--huntrleaks -jN options. The ./python -m test -j1 -R 3:3
--verbose3 command now works as expected. Patch by Victor
Stinner.
- gh-111309: distutils tests can now be run via unittest.
- gh-111165: Remove no longer used functions run_unittest() and
run_doctest() and class BasicTestRunner from the test.support
module.
- gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment
variable is defined: use the variable value as the random seed.
Patch by Victor Stinner.
- gh-110995: test_gdb: Fix detection of gdb built without Python
scripting support. Patch by Victor Stinner.
- gh-110918: Test case matching patterns specified by options
--match, --ignore, --matchfile and --ignorefile are now tested
in the order of specification, and the last match determines
whether the test case be run or ignored.
- gh-110647: Fix test_stress_modifying_handlers() of test_signal.
Patch by Victor Stinner.
- gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make
distclean” instead of “make clean” in the copied source
directory to remove also the “python” program. Patch by Victor
Stinner.
- gh-110167: Fix a deadlock in test_socket when server fails with
a timeout but the client is still running in its thread. Dont
hold a lock to call cleanup functions in doCleanups(). One of
the cleanup function waits until the client completes, whereas
the client could deadlock if it called addCleanup() in such
situation. Patch by Victor Stinner.
- gh-110388: Add tests for tty.
- gh-81002: Add tests for termios.
- gh-110267: Add tests for pickling and copying PyStructSequence
objects. Patched by Xuehai Pan.
- gh-109974: Fix race conditions in test_threading lock tests.
Wait until a condition is met rather than using time.sleep()
with a hardcoded number of seconds. Patch by Victor Stinner.
- gh-109972: Split test_gdb.py file into a test_gdb package made
of multiple tests, so tests can now be run in parallel. Patch by
Victor Stinner.
- gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
command output to detect when gdb fails to retrieve the
traceback. For example, skip a test if Backtrace stopped: frame
did not save the PC is found. Patch by Victor Stinner.
- gh-108927: Fixed order dependence in running tests in the same
process when a test that has submodules (e.g. test_importlib)
follows a test that imports its submodule (e.g.
test_importlib.util) and precedes a test (e.g. test_unittest or
test_compileall) that uses that submodule.
- Build
- gh-103053: “make check-clean-src” now also checks if the
“python” program is found in the source directory: fail with an
error if it does exist. Patch by Victor Stinner.
- gh-109191: Fix compile error when building with recent versions
of libedit.
- IDLE
- bpo-35668: Add docstrings to the IDLE debugger module. Fix two
bugs: initialize Idb.botframe (should be in Bdb); in
Idb.in_rpc_code, check whether prev_frame is None before trying
to use it. Greatly expand test_debugger.
- C API
- gh-112438: Fix support of format units “es”, “et”, “es#”, and
“et#” in nested tuples in PyArg_ParseTuple()-like functions.
- gh-109521: PyImport_GetImporter() now sets RuntimeError if it
fails to get sys.path_hooks or sys.path_importer_cache or they
are not list and dict correspondingly. Previously it could
return NULL without setting error in obscure cases, crash or
raise SystemError if these attributes have wrong type.
-------------------------------------------------------------------
Mon Dec 18 16:20:58 UTC 2023 - Matej Cepl <mcepl@cepl.eu>
- Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
now useless.
-------------------------------------------------------------------
Wed Nov 15 09:06:16 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Remove not needed patch 103213-fetch-CONFIG_ARGS.patch
- Refresh patches:
- bpo-31046_ensurepip_honours_prefix.patch
- fix_configure_rst.patch
- Update to 3.11.6:
- Core and Builtins
- gh-109351: Fix crash when compiling an invalid AST involving a
named (walrus) expression.
- gh-109207: Fix a SystemError in __repr__ of symtable entry
object.
- gh-109179: Fix bug where the C traceback display drops notes
from SyntaxError.
- gh-88943: Improve syntax error for non-ASCII character that
follows a numerical literal. It now points on the invalid
non-ASCII character, not on the valid numerical literal.
- gh-108959: Fix caret placement for error locations for subscript
and binary operations that involve non-semantic parentheses and
spaces. Patch by Pablo Galindo
- gh-108520: Fix
multiprocessing.synchronize.SemLock.__setstate__() to properly
initialize multiprocessing.synchronize.SemLock._is_fork_ctx.
This fixes a regression when passing a SemLock accross nested
processes.
- Rename multiprocessing.synchronize.SemLock.is_fork_ctx to
multiprocessing.synchronize.SemLock._is_fork_ctx to avoid
exposing it as public API.
- Library
- gh-110036: On Windows, multiprocessing Popen.terminate() now
catchs PermissionError and get the process exit code. If the
process is still running, raise again the PermissionError.
Otherwise, the process terminated as expected: store its exit
code. Patch by Victor Stinner.
- gh-110038: Fixed an issue that caused KqueueSelector.select() to
not return all the ready events in some cases when a file
descriptor is registered for both read and write.
- gh-109631: re functions such as re.findall(), re.split(),
re.search() and re.sub() which perform short repeated matches
can now be interrupted by user.
- gh-109593: Avoid deadlocking on a reentrant call to the
multiprocessing resource tracker. Such a reentrant call, though
unlikely, can happen if a GC pass invokes the finalizer for a
multiprocessing object such as SemLock.
- gh-109613: Fix os.stat() and os.DirEntry.stat(): check for
exceptions. Previously, on Python built in debug mode, these
functions could trigger a fatal Python error (and abort the
process) when a function succeeded with an exception set. Patch
by Victor Stinner.
- gh-109375: The pdb alias command now prevents registering
aliases without arguments.
- gh-107219: Fix a race condition in concurrent.futures. When a
process in the process pool was terminated abruptly (while the
future was running or pending), close the connection write end.
If the call queue is blocked on sending bytes to a worker
process, closing the connection write end interrupts the send,
so the queue can be closed. Patch by Victor Stinner.
- gh-50644: Attempts to pickle or create a shallow or deep copy of
codecs streams now raise a TypeError. Previously, copying failed
with a RecursionError, while pickling produced wrong results
that eventually caused unpickling to fail with a RecursionError.
- gh-108987: Fix _thread.start_new_thread() race condition. If a
thread is created during Python finalization, the newly spawned
thread now exits immediately instead of trying to access freed
memory and lead to a crash. Patch by Victor Stinner.
- gh-108843: Fix an issue in ast.unparse() when unparsing
f-strings containing many quote types.
- gh-108682: Enum: raise TypeError if super().__new__() is called
from a custom __new__.
- gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock
- gh-64662: Fix support for virtual tables in
sqlite3.Connection.iterdump(). Patch by Aviv Palivoda.
- gh-107913: Fix possible losses of errno and winerror values in
OSError exceptions if they were cleared or modified by the
cleanup code before creating the exception object.
- gh-104372: On Linux where subprocess can use the vfork() syscall
for faster spawning, prevent the parent process from blocking
other threads by dropping the GIL while it waits for the
vforked child process exec() outcome. This prevents spawning a
binary from a slow filesystem from blocking the rest of the
application.
- gh-84867: unittest.TestLoader no longer loads test cases from
exact unittest.TestCase and unittest.FunctionTestCase classes.
- Documentation
- gh-109209: The minimum Sphinx version required for the
documentation is now 4.2.
- gh-105052: Update timeit doc to specify that time in seconds is
just the default.
- gh-102823: Document the return type of x // y when x and y have
type float.
- Tests
- gh-110031: Skip test_threading tests using thread+fork if Python
is built with Address Sanitizer (ASAN). Patch by Victor Stinner.
- gh-110088: Fix test_asyncio timeouts: dont measure the maximum
duration, a test should not measure a CI performance. Only
measure the minimum duration when a task has a timeout or delay.
Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner.
- gh-110033: Fix test_interprocess_signal() of test_signal. Make
sure that the subprocess.Popen object is deleted before the test
raising an exception in a signal handler. Otherwise,
Popen.__del__() can get the exception which is logged as
Exception ignored in: ... and the test fails. Patch by Victor
Stinner.
- gh-109594: Fix test_timeout() of
test_concurrent_futures.test_wait. Remove the future which may
or may not complete depending if it takes longer than the
timeout ot not. Keep the second future which does not complete
before wait() timeout. Patch by Victor Stinner.
- gh-109748: Fix test_zippath_from_non_installed_posix() of
test_venv: dont copy __pycache__/ sub-directories, because they
can be modified by other Python tests running in parallel. Patch
by Victor Stinner.
- gh-103053: Skip test_freeze_simple_script() of
test_tools.test_freeze if Python is built with ./configure
--enable-optimizations, which means with Profile Guided
Optimization (PGO): it just makes the test too slow. The freeze
tool is tested by many other CIs with other (faster) compiler
flags. Patch by Victor Stinner.
- gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a
longer key: FIPS mode requires at least of at least 112 bits.
The previous key was only 32 bits. Patch by Victor Stinner.
- gh-104736: Fix test_gdb on Python built with LLVM clang 16 on
Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt”
command output to detect when gdb fails to retrieve the
traceback. For example, skip a test if Backtrace stopped: frame
did not save the PC is found. Patch by Victor Stinner.
- gh-109237: Fix test_site.test_underpth_basic() when the working
directory contains at least one non-ASCII character: encode the
._pth file to UTF-8 and enable the UTF-8 Mode to use UTF-8 for
the child process stdout. Patch by Victor Stinner.
- gh-109230: Fix test_pyexpat.test_exception(): it can now be run
from a directory different than Python source code directory.
Before, the test failed in this case. Skip the test if
Modules/pyexpat.c source is not available. Skip also the test on
Python implementations other than CPython. Patch by Victor
Stinner.
- gh-109015: Fix test_asyncio, test_imaplib and test_socket tests
on FreeBSD if the TCP blackhole is enabled (sysctl
net.inet.tcp.blackhole). Skip the few tests which failed with
ETIMEDOUT which such non standard configuration. Currently, the
FreeBSD GCP image enables TCP and UDP blackhole (sysctl
net.inet.tcp.blackhole=2 and sysctl net.inet.udp.blackhole=1).
Patch by Victor Stinner.
- gh-91960: Skip test_gdb if gdb is unable to retrieve Python
frame objects: if a frame is <optimized out>. When Python is
built with “clang -Og”, gdb can fail to retrive the frame
parameter of _PyEval_EvalFrameDefault(). In this case, tests
like py_bt() are likely to fail. Without getting access to
Python frames, python-gdb.py is mostly clueless on retrieving
the Python traceback. Moreover, test_gdb is no longer skipped on
macOS if Python is built with Clang. Patch by Victor Stinner.
- gh-108962: Skip test_tempfile.test_flags() if chflags() fails
with “OSError: [Errno 45] Operation not supported” (ex: on
FreeBSD 13). Patch by Victor Stinner.
- gh-89392: Removed support of test_main() function in tests. They
now always use normal unittest test runner.
- gh-108851: Fix test_tomllib recursion tests for WASI buildbots:
reduce the recursion limit and compute the maximum nested
array/dict depending on the current available recursion limit.
Patch by Victor Stinner.
- gh-108851: Add get_recursion_available() and
get_recursion_depth() functions to the test.support module.
Patch by Victor Stinner.
- gh-108822: regrtest now computes statistics on all tests:
successes, failures and skipped. test_netrc, test_pep646_syntax
and test_xml_etree now return results in their test_main()
function. Patch by Victor Stinner and Alex Waygood.
- gh-108388: Convert test_concurrent_futures to a package of 7
sub-tests. Patch by Victor Stinner.
- gh-108388: Split test_multiprocessing_fork,
test_multiprocessing_forkserver and test_multiprocessing_spawn
into test packages. Each package is made of 4 sub-tests:
processes, threads, manager and misc. It allows running more
tests in parallel and so reduce the total test duration. Patch
by Victor Stinner.
- gh-101634: When running the Python test suite with -jN option,
if a worker stdout cannot be decoded from the locale encoding
report a failed testn so the exitcode is non-zero. Patch by
Victor Stinner.
- gh-100086: The Python test runner (libregrtest) now logs Python
build information like “debug” vs “release” build, or LTO and
PGO optimizations. Patch by Victor Stinner.
- gh-98903: The Python test suite now fails wit exit code 4 if no
tests ran. It should help detecting typos in test names and test
methods.
- gh-95027: On Windows, when the Python test suite is run with the
-jN option, the ANSI code page is now used as the encoding for
the stdout temporary file, rather than using UTF-8 which can
lead to decoding errors. Patch by Victor Stinner.
- gh-93353: regrtest now checks if a test leaks temporary files or
directories if run with -jN option. Patch by Victor Stinner.
- Build
- gh-63760: Fix Solaris build: no longer redefine the
gethostname() function. Solaris defines the function since 2005.
Patch by Victor Stinner, original patch by Jakub Kulík.
- gh-108740: Fix a race condition in make regen-all. The
deepfreeze.c source and files generated by Argument Clinic are
now generated or updated before generating “global objects”.
Previously, some identifiers may miss depending on the order in
which these files were generated. Patch by Victor Stinner.
- Windows
- gh-109991: Update Windows build to use OpenSSL 3.0.11.
- gh-107565: Update Windows build to use OpenSSL 3.0.10.
- macOS
- gh-109991: Update macOS installer to use OpenSSL 3.0.11.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and
multissltests to use 1.1.1w, 3.0.11, and 3.1.3.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com> Wed Sep 6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

50
python311.spec
View File

@ -1,7 +1,7 @@
# #
# spec file # spec file for package python311
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -94,7 +94,7 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt %bcond_without profileopt
Name: %{python_pkg_name}%{psuffix} Name: %{python_pkg_name}%{psuffix}
Version: 3.11.5 Version: 3.11.8
Release: 0 Release: 0
Summary: Python 3 Interpreter Summary: Python 3 Interpreter
License: Python-2.0 License: Python-2.0
@ -158,9 +158,6 @@ Patch35: fix_configure_rst.patch
# PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
# Makes Python resilient to changes of API of libexpat # Makes Python resilient to changes of API of libexpat
Patch36: support-expat-CVE-2022-25236-patched.patch Patch36: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM 103213-fetch-CONFIG_ARGS.patch gh#python/cpython#103053 mcepl@suse.com
# Fetch CONFIG_ARGS from original python instance
Patch38: 103213-fetch-CONFIG_ARGS.patch
# PATCH-FIX-UPSTREAM skip_if_buildbot-extend.patch gh#python/cpython#103053 mcepl@suse.com # PATCH-FIX-UPSTREAM skip_if_buildbot-extend.patch gh#python/cpython#103053 mcepl@suse.com
# Skip test_freeze_simple_script # Skip test_freeze_simple_script
Patch39: skip_if_buildbot-extend.patch Patch39: skip_if_buildbot-extend.patch
@ -168,9 +165,12 @@ Patch39: skip_if_buildbot-extend.patch
# Detect email address parsing errors and return empty tuple to # Detect email address parsing errors and return empty tuple to
# indicate the parsing error (old API) # indicate the parsing error (old API)
Patch40: CVE-2023-27043-email-parsing-errors.patch Patch40: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com # PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289
# Partially revert previous patch # Fix tests for XMLPullParser with Expat 2.6.0
Patch41: Revert-gh105127-left-tests.patch Patch41: libexpat260.patch
# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com
# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930)
Patch42: CVE-2023-6597-TempDir-cleaning-symlink.patch
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes
@ -413,26 +413,26 @@ other applications.
%prep %prep
%setup -q -n %{tarname} %setup -q -n %{tarname}
%patch02 -p1 %patch -P 02 -p1
%patch06 -p1 %patch -P 06 -p1
%patch07 -p1 %patch -P 07 -p1
%patch08 -p1 %patch -P 08 -p1
%patch09 -p1 %patch -P 09 -p1
%patch15 -p1 %patch -P 15 -p1
%patch29 -p1 %patch -P 29 -p1
%if 0%{?suse_version} <= 1500 %if 0%{?suse_version} <= 1500
%patch33 -p1 %patch -P 33 -p1
%endif %endif
%if 0%{?sle_version} && 0%{?sle_version} <= 150300 %if 0%{?sle_version} && 0%{?sle_version} <= 150300
%patch34 -p1 %patch -P 34 -p1
%endif %endif
%patch35 -p1 %patch -P 35 -p1
%patch36 -p1 %patch -P 36 -p1
%patch38 -p1 %patch -P 39 -p1
%patch39 -p1 %patch -P 40 -p1
%patch40 -p1 %patch -P 41 -p1
%patch41 -p1 %patch -P 42 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@ -816,7 +816,6 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
%{sitedir}/idlelib %{sitedir}/idlelib
%dir %{_sysconfdir}/idle%{python_version} %dir %{_sysconfdir}/idle%{python_version}
%config %{_sysconfdir}/idle%{python_version}/* %config %{_sysconfdir}/idle%{python_version}/*
%doc Lib/idlelib/NEWS.txt
%doc Lib/idlelib/README.txt %doc Lib/idlelib/README.txt
%doc Lib/idlelib/TODO.txt %doc Lib/idlelib/TODO.txt
%doc Lib/idlelib/extend.txt %doc Lib/idlelib/extend.txt
@ -830,7 +829,6 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
%dir %{_datadir}/icons/hicolor/32x32 %dir %{_datadir}/icons/hicolor/32x32
%dir %{_datadir}/icons/hicolor/48x48 %dir %{_datadir}/icons/hicolor/48x48
%dir %{_datadir}/icons/hicolor/*/apps %dir %{_datadir}/icons/hicolor/*/apps
%attr(755, root, root) %{_bindir}/idle%{python_version}
# endif for if general # endif for if general
%endif %endif

8
skip_if_buildbot-extend.patch
View File

@ -2,9 +2,11 @@
Lib/test/support/__init__.py | 2 +- Lib/test/support/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Lib/test/support/__init__.py Index: Python-3.11.8/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py ===================================================================
@@ -388,7 +388,7 @@ def skip_if_buildbot(reason=None): --- Python-3.11.8.orig/Lib/test/support/__init__.py
+++ Python-3.11.8/Lib/test/support/__init__.py
@@ -383,7 +383,7 @@ def skip_if_buildbot(reason=None):
if not reason: if not reason:
reason = 'not suitable for buildbots' reason = 'not suitable for buildbots'
try: try:

8
subprocess-raise-timeout.patch
View File

@ -2,9 +2,11 @@
Lib/test/test_subprocess.py | 3 ++- Lib/test/test_subprocess.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/Lib/test/test_subprocess.py Index: Python-3.11.8/Lib/test/test_subprocess.py
+++ b/Lib/test/test_subprocess.py ===================================================================
@@ -279,7 +279,8 @@ class ProcessTestCase(BaseTestCase): --- Python-3.11.8.orig/Lib/test/test_subprocess.py
+++ Python-3.11.8/Lib/test/test_subprocess.py
@@ -280,7 +280,8 @@ class ProcessTestCase(BaseTestCase):
"time.sleep(3600)"], "time.sleep(3600)"],
# Some heavily loaded buildbots (sparc Debian 3.x) require # Some heavily loaded buildbots (sparc Debian 3.x) require
# this much time to start and print. # this much time to start and print.

6
support-expat-CVE-2022-25236-patched.patch
View File

@ -27,8 +27,10 @@ Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
1 file changed, 9 insertions(+), 14 deletions(-) 1 file changed, 9 insertions(+), 14 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
--- a/Lib/test/test_minidom.py Index: Python-3.11.8/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py ===================================================================
--- Python-3.11.8.orig/Lib/test/test_minidom.py
+++ Python-3.11.8/Lib/test/test_minidom.py
@@ -6,7 +6,6 @@ import io @@ -6,7 +6,6 @@ import io
from test import support from test import support
import unittest import unittest