From d8ac67fc2d2898b934f16cd7dc87c1cd6fabcfdc150f5b29114aad902106e2a3 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Thu, 15 Sep 2022 09:14:50 +0000 Subject: [PATCH] - Update to 3.11.0rc2: - Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735. This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form. - Fix case of undefined behavior in ceval.c - Do not expose KeyWrapper in _functools. - Ensure that tracing, sys.setrace(), is turned on immediately. In pre-release versions of 3.11, some tracing events might have been lost when turning on tracing in a __del__ method or interrupt. - Fix use after free in trace refs build mode. Patch by Kumar Aditya. - When loading a file with invalid UTF-8 inside a multi-line string, a correct SyntaxError is emitted. - Make sure that incomplete frames do not show up in tracemalloc traces. - Remove two cases of undefined behavior, by adding NULL checks. - Fix possible NULL pointer dereference in _PyThread_CurrentFrames. Patch by Kumar Aditya. - Fix AttributeError missing name and obj attributes in object.__getattribute__(). Patch by Philip Georgi. - Loading a file with invalid UTF-8 will now report the broken OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=32 --- Python-3.11.0rc1.tar.xz | 3 - Python-3.11.0rc1.tar.xz.asc | 16 --- Python-3.11.0rc2.tar.xz | 3 + Python-3.11.0rc2.tar.xz.asc | 16 +++ fix_configure_rst.patch | 2 +- python311.changes | 103 ++++++++++++++++++ python311.spec | 6 +- ...support-expat-CVE-2022-25236-patched.patch | 62 +++++------ 8 files changed, 157 insertions(+), 54 deletions(-) delete mode 100644 Python-3.11.0rc1.tar.xz delete mode 100644 Python-3.11.0rc1.tar.xz.asc create mode 100644 Python-3.11.0rc2.tar.xz create mode 100644 Python-3.11.0rc2.tar.xz.asc rename support-expat-245.patch => support-expat-CVE-2022-25236-patched.patch (50%) diff --git a/Python-3.11.0rc1.tar.xz b/Python-3.11.0rc1.tar.xz deleted file mode 100644 index 6f78839..0000000 --- a/Python-3.11.0rc1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:53a5377c37a8a2c6da075b14eb9d63374579f7f3c718fa20f0a1fbb0e94a922b -size 19815524 diff --git a/Python-3.11.0rc1.tar.xz.asc b/Python-3.11.0rc1.tar.xz.asc deleted file mode 100644 index 50ca3e1..0000000 --- a/Python-3.11.0rc1.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmLtMGcACgkQ/+h0BBaL -2Eeirw//ZSjlvrUAouGGLbWal2CnJ8qmR7eAuSQQpwftmj++JhiQfKfIoWH8WYn9 -FTYVcVD/seXKGUK+ydj8ZDRoSA59sS+zVNnca/BaxPeqScZVbFTOB/o1tlE5g4h+ -WxSCRXfYmkIqXag3ZOZ/A+EXjgfAl/DrYtYKAafjH2nF9R9j4+w8YZ/ENELQ8Fd5 -thHyxNPDFeTK56ClR2QIZHdqCZHHNk1sO+FaB1Na/uZ5dD7snc+T7CjN1/Dlcs75 -oye5HAU35FHxV5nzk8uieatwW0q6/BtFWE3g8LbxECPRbLCo6bBySj2TA2LuwroR -fhn+r093y6NIJBLPIYjpFl5HlDnxDyOvFvKrJ1hZI9DC9VHPyeYP9hzHYQ2yBMwx -SD3djAPVJnwESM25MdZ5oaYrQu8e13+zA2l6Hnk5tsIjPI6CelO/xyPdWeSzBQEg -SaJke+QakoLXKoBSJhkIskwhCX6m+vmoiZFFSpemr3k13e3jTObyDRilh8eGkQtN -EFNp2KPBn8NM7udBNI4zxGr6kviEt4R+8nfQ2VmdnlU2XIMW7pwMfoPmWI1yXpl2 -JNo9o9EbeuawY7I/j+ryHV40b2wx9UA8DXHJg0iTiQT2IMvwPy18eiQJoVg4nJqH -tH6/zUw2yqFd9G7/uoYcGhk5PlalrZO7Ufeb/vUEUqvrISYu2QE= -=jjd6 ------END PGP SIGNATURE----- diff --git a/Python-3.11.0rc2.tar.xz b/Python-3.11.0rc2.tar.xz new file mode 100644 index 0000000..52f72f9 --- /dev/null +++ b/Python-3.11.0rc2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25b35cc7d82c5ad34d867b179a1c1695d129be5ed14a21e46b6b7f2350a8b490 +size 19828340 diff --git a/Python-3.11.0rc2.tar.xz.asc b/Python-3.11.0rc2.tar.xz.asc new file mode 100644 index 0000000..3060388 --- /dev/null +++ b/Python-3.11.0rc2.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmMeOSQACgkQ/+h0BBaL +2EcrTA//USzDkebYcAJ1jcb1diiV9JJd7Znm4l7rwb/TKimY82gN1ev9R1/fkmOk +KaRhn5Ss23lm5IdwbJNL1dhrx9DdtsW3oBzaT+pchSVXu0qVokQ0XFVvWzEqwiit +2K6JOlcVyMV8QnBBJPAC+/HN1pjZGQESk/HoP7ESqQUytRkieddjO/cnJ/m36oMJ +YUVoHS1sQVrRHQU3C1RSZ+DF1sdCjzy1ZxfKMVz73gBjLRQ5MiWYIp7ryDtNMZ7F +Ws8m+5WXVhWE2hniMvCVDN25vHIan+9l4hjT01kLh7Ei/QJ6t2GrOtHagMDhFcS1 +Lhq/7flMGpLjhpNNtzAXSPhMZDDxIpyIZu4XwxmQAXFkhCm6H2RBo6OrGWDaOT+V +6kfVCUky+v7oKHs19xm+UilNBIzd4DMNKP2Q9MYcqnR+aI/ggMG7k7KZ3gpPKrQI +x8u6PGFl9vUsRHiUxXYuIM+FO9LAYIFskpWy/CW7fZ29iAkeMjRzhcyS/A8exaae +YA+z4dqgnYLQqMUX3aK3kzAreKAncFkYdNmnv7YMUUSM5J5fvIN2bG/oJ2oti0sk +o1WhVr3ygizeqAOhw0bd2N84xqee+ky18fl+FkauyzEPh7vdI+OQWrBAuJF7YZKR +sHTSxdzPBjaXijLXriZIo1YRXc7N7jd05Cq8R95dzxC9BZjOOfI= +=KvNZ +-----END PGP SIGNATURE----- diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index 6b40cea..ce566cd 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional --- a/Misc/NEWS +++ b/Misc/NEWS -@@ -6464,7 +6464,7 @@ C API +@@ -6636,7 +6636,7 @@ C API - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name diff --git a/python311.changes b/python311.changes index 8894ec9..128d145 100644 --- a/python311.changes +++ b/python311.changes @@ -1,3 +1,106 @@ +------------------------------------------------------------------- +Thu Sep 15 08:43:07 UTC 2022 - Matej Cepl + +- Update to 3.11.0rc2: + - Converting between int and str in bases other than 2 + (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base + 10 (decimal) now raises a ValueError if the number of digits + in string form is above a limit to avoid potential denial of + service attacks due to the algorithmic complexity. This is + a mitigation for CVE-2020-10735. + This new limit can be configured or disabled by environment + variable, command line flag, or sys APIs. See the integer + string conversion length limitation documentation. The + default limit is 4300 digits in string form. + - Fix case of undefined behavior in ceval.c + - Do not expose KeyWrapper in _functools. + - Ensure that tracing, sys.setrace(), is turned on + immediately. In pre-release versions of 3.11, some tracing + events might have been lost when turning on tracing in a + __del__ method or interrupt. + - Fix use after free in trace refs build mode. Patch by Kumar + Aditya. + - When loading a file with invalid UTF-8 inside a multi-line + string, a correct SyntaxError is emitted. + - Make sure that incomplete frames do not show up in + tracemalloc traces. + - Remove two cases of undefined behavior, by adding NULL + checks. + - Fix possible NULL pointer dereference in + _PyThread_CurrentFrames. Patch by Kumar Aditya. + - Fix AttributeError missing name and obj attributes in + object.__getattribute__(). Patch by Philip Georgi. + - Loading a file with invalid UTF-8 will now report the broken + character at the correct location. + - Fixed a bug that caused _PyCode_GetExtra to return garbage + for negative indexes. Patch by Pablo Galindo + - Fix a deadlock in PyGILState_Ensure() when allocating new + thread state. Patch by Kumar Aditya. + - PyType_Ready() now initializes ht_cached_keys and performs + additional checks to ensure that type objects are properly + configured. This avoids crashes in 3rd party packages that + don’t use regular API to create new types. + - Skip over incomplete frames in PyThreadState_GetFrame(). + - Fix format string in _PyPegen_raise_error_known_location that + can lead to memory corruption on some 64bit systems. The + function was building a tuple with i (int) instead of n + (Py_ssize_t) for Py_ssize_t arguments. + - Fix misleading contents of error message when converting an + all-whitespace string to float. + - ast.parse() will no longer parse function definitions with + positional-only params when passed feature_version less than + (3, 8). Patch by Shantanu Jain. + - Fix incorrect error message in the io module. + - Fix the faulthandler implementation of + faulthandler.register(signal, chain=True) if the sigaction() + function is not available: don’t call the previous signal + handler if it’s NULL. Patch by Victor Stinner. + - Correct conversion of numbers.Rational’s to float. + - Fix TypeVarTuple.__typing_prepare_subst__. TypeError was not + raised when using more than one TypeVarTuple, like [*T, *V] + in type alias substitutions. + - Fix asyncio.streams.StreamReaderProtocol to keep a strong + reference to the created task, so that it’s not garbage + collected + - Fix a performance regression in logging + TimedRotatingFileHandler. Only check for special files when + the rollover time has passed. + - Fix unused localName parameter in the Attr class in + xml.dom.minidom. + - Fix incorrect condition that causes sys.thread_info.name to + be wrong on pthread platforms. + - Remove an incompatible change from bpo-28080 that caused a + regression that ignored the utf8 in ZipInfo.flag_bits. Patch + by Pablo Galindo. + - Fix asyncio.Runner to call asyncio.set_event_loop() only + once to avoid calling attach_loop() multiple times on child + watchers. Patch by Kumar Aditya. + - Fix unittest.IsolatedAsyncioTestCase to set event loop before + calling setup functions. Patch by Kumar Aditya. + - When a task catches asyncio.CancelledError and raises some + other error, the other error should generally not silently be + suppressed. + - Fail gracefully if EPERM or ENOSYS is raised when loading + crypt methods. This may happen when trying to load MD5 on a + Linux kernel with FIPS enabled. + - Allow asyncio.StreamWriter.drain() to be awaited concurrently + by multiple tasks. Patch by Kumar Aditya. + - Fix ast.unparse() when ImportFrom.level is None + - Improve discoverability of the higher level + concurrent.futures module by providing clearer links from the + lower level threading and multiprocessing modules. + - What’s New 3.11 now has instructions for how to provide + compiler and linker flags for Tcl/Tk and OpenSSL on RHEL 7 + and CentOS 7. + - Mitigate the inherent race condition from using + find_unused_port() in testSockName() by trying to find an + unused port a few times before failing. Patch by Ross Burton. + - Build and test with OpenSSL 1.1.1q +- Use support-expat-CVE-2022-25236-patched.patch from the current + version of gh#python/cpython#93900 instead of the old + support-expat-245.patch. +- Reapply fix_configure_rst.patch. + ------------------------------------------------------------------- Mon Sep 5 08:43:49 UTC 2022 - Andreas Schwab diff --git a/python311.spec b/python311.spec index c95ad12..84717f0 100644 --- a/python311.spec +++ b/python311.spec @@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}} %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.11.0rc1 +Version: 3.11.0rc2 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -163,9 +163,9 @@ Patch34: skip-test_pyobject_freed_is_freed.patch # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com # remove duplicate link targets and make documentation with old Sphinx in SLE Patch35: fix_configure_rst.patch -# PATCH-FIX-UPSTREAM support-expat-245.patch jsc#SLE-21253 mcepl@suse.com +# PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com # Makes Python resilient to changes of API of libexpat -Patch36: support-expat-245.patch +Patch36: support-expat-CVE-2022-25236-patched.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes diff --git a/support-expat-245.patch b/support-expat-CVE-2022-25236-patched.patch similarity index 50% rename from support-expat-245.patch rename to support-expat-CVE-2022-25236-patched.patch index f4761ee..5b26c99 100644 --- a/support-expat-245.patch +++ b/support-expat-CVE-2022-25236-patched.patch @@ -1,9 +1,9 @@ -From d4f5bb912e67299b59b814b89a5afd9a8821a14e Mon Sep 17 00:00:00 2001 +From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 21 Feb 2022 11:03:08 -0800 +Date: Mon, 21 Feb 2022 08:16:09 -0800 Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) - (GH-31471) + (GH-31472) Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating @@ -23,53 +23,53 @@ Also, test_minidom.py: Support Expat >=2.4.5 Co-authored-by: Sebastian Pipping --- - Lib/test/test_minidom.py | 13 ++++------ - Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 - 2 files changed, 7 insertions(+), 7 deletions(-) + Lib/test/test_minidom.py | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst --- a/Lib/test/test_minidom.py +++ b/Lib/test/test_minidom.py -@@ -6,12 +6,11 @@ import io +@@ -6,7 +6,6 @@ import io from test import support import unittest -import pyexpat -+import xml.parsers.expat import xml.dom.minidom - from xml.dom.minidom import parse, Node, Document, parseString - from xml.dom.minidom import getDOMImplementation --from xml.parsers.expat import ExpatError - - - tstfile = support.findfile("test.xml", subdir="xmltestdata") -@@ -1149,10 +1148,10 @@ class MinidomTest(unittest.TestCase): + from xml.dom.minidom import parse, Attr, Node, Document, parseString +@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase): # Verify that character decoding errors raise exceptions instead # of crashing - if pyexpat.version_info >= (2, 4, 5): - self.assertRaises(ExpatError, parseString, -+ if xml.parsers.expat.version_info >= (2, 4, 4): -+ self.assertRaises(xml.parsers.expat.ExpatError, parseString, - b'') +- b'') - self.assertRaises(ExpatError, parseString, -+ self.assertRaises(xml.parsers.expat.ExpatError, parseString, - b'Comment \xe7a va ? Tr\xe8s bien ?') - else: - self.assertRaises(UnicodeDecodeError, parseString, -@@ -1617,8 +1616,8 @@ class MinidomTest(unittest.TestCase): +- b'Comment \xe7a va ? Tr\xe8s bien ?') +- else: +- self.assertRaises(UnicodeDecodeError, parseString, ++ # It doesn’t make any sense to insist on the exact text of the ++ # error message, or even the exact Exception … it is enough that ++ # the error has been discovered. ++ with self.assertRaises((UnicodeDecodeError, ExpatError)): ++ parseString( + b'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() +@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase): self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) def testExceptionOnSpacesInXMLNSValue(self): - if pyexpat.version_info >= (2, 4, 5): - context = self.assertRaisesRegex(ExpatError, 'syntax error') -+ if xml.parsers.expat.version_info >= (2, 4, 4): -+ context = self.assertRaisesRegex(xml.parsers.expat.ExpatError, 'syntax error') - else: - context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') +- else: +- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') +- +- with context: ++ # It doesn’t make any sense to insist on the exact text of the ++ # error message, or even the exact Exception … it is enough that ++ # the error has been discovered. ++ with self.assertRaises((ExpatError, ValueError)): + parseString('') ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst -@@ -0,0 +1 @@ -+Make test suite support Expat >=2.4.5 + def testDocRemoveChild(self):