From e54275a76b6aa7e30ccc0001c9e13c1c18d925e0100b12526202726830db19f4 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 1 May 2024 09:01:36 +0000 Subject: [PATCH] - Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses features sniffing, not just comparing version number. Include also support-expat-CVE-2022-25236-patched.patch. - Refresh patches: - CVE-2023-27043-email-parsing-errors.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch - Remove included patch: - support-expat-CVE-2022-25236-patched.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=123 --- CVE-2023-27043-email-parsing-errors.patch | 26 +-- CVE-2023-52425-libexpat-2.6.0-backport.patch | 164 ++++++++++++------- fix_configure_rst.patch | 18 +- python311.changes | 13 ++ python311.spec | 4 - skip_if_buildbot-extend.patch | 8 +- support-expat-CVE-2022-25236-patched.patch | 77 --------- 7 files changed, 135 insertions(+), 175 deletions(-) delete mode 100644 support-expat-CVE-2022-25236-patched.patch diff --git a/CVE-2023-27043-email-parsing-errors.patch b/CVE-2023-27043-email-parsing-errors.patch index 1ced142..6d74e95 100644 --- a/CVE-2023-27043-email-parsing-errors.patch +++ b/CVE-2023-27043-email-parsing-errors.patch @@ -5,10 +5,8 @@ Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 4 files changed, 344 insertions(+), 21 deletions(-) -Index: Python-3.11.8/Doc/library/email.utils.rst -=================================================================== ---- Python-3.11.8.orig/Doc/library/email.utils.rst -+++ Python-3.11.8/Doc/library/email.utils.rst +--- a/Doc/library/email.utils.rst ++++ b/Doc/library/email.utils.rst @@ -60,13 +60,18 @@ of the new API. begins with angle brackets, they are stripped off. 
@@ -58,10 +56,8 @@ Index: Python-3.11.8/Doc/library/email.utils.rst .. function:: parsedate(date) -Index: Python-3.11.8/Lib/email/utils.py -=================================================================== ---- Python-3.11.8.orig/Lib/email/utils.py -+++ Python-3.11.8/Lib/email/utils.py +--- a/Lib/email/utils.py ++++ b/Lib/email/utils.py @@ -48,6 +48,7 @@ TICK = "'" specialsre = re.compile(r'[][\\()<>@,:;".]') escapesre = re.compile(r'[\\"]') @@ -241,10 +237,8 @@ Index: Python-3.11.8/Lib/email/utils.py return addrs[0] -Index: Python-3.11.8/Lib/test/test_email/test_email.py -=================================================================== ---- Python-3.11.8.orig/Lib/test/test_email/test_email.py -+++ Python-3.11.8/Lib/test/test_email/test_email.py +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py @@ -17,6 +17,7 @@ from unittest.mock import patch import email @@ -253,7 +247,7 @@ Index: Python-3.11.8/Lib/test/test_email/test_email.py from email.charset import Charset from email.generator import Generator, DecodedGenerator, BytesGenerator -@@ -3321,15 +3322,137 @@ Foo +@@ -3336,15 +3337,137 @@ Foo [('Al Person', 'aperson@dom.ain'), ('Bud Person', 'bperson@dom.ain')]) @@ -399,7 +393,7 @@ Index: Python-3.11.8/Lib/test/test_email/test_email.py def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" -@@ -3520,6 +3643,54 @@ multipart/report +@@ -3535,6 +3658,54 @@ multipart/report m = cls(*constructor, policy=email.policy.default) self.assertIs(m.policy, email.policy.default) @@ -454,10 +448,8 @@ Index: Python-3.11.8/Lib/test/test_email/test_email.py # Test the iterator/generators class TestIterators(TestEmailBase): -Index: Python-3.11.8/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst -=================================================================== 
--- /dev/null -+++ Python-3.11.8/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst ++++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst @@ -0,0 +1,8 @@ +:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now +return ``('', '')`` 2-tuples in more situations where invalid email diff --git a/CVE-2023-52425-libexpat-2.6.0-backport.patch b/CVE-2023-52425-libexpat-2.6.0-backport.patch index 6238018..7c9bb82 100644 --- a/CVE-2023-52425-libexpat-2.6.0-backport.patch +++ b/CVE-2023-52425-libexpat-2.6.0-backport.patch @@ -1,9 +1,10 @@ --- - Lib/test/support/__init__.py | 9 ++++++++- - Lib/test/test_pyexpat.py | 8 ++++---- + Lib/test/support/__init__.py | 16 ++++++++++++++-- + Lib/test/test_minidom.py | 23 +++++++++-------------- + Lib/test/test_pyexpat.py | 14 +++++++------- Lib/test/test_sax.py | 18 +++++++++--------- - Lib/test/test_xml_etree.py | 12 +++++------- - 4 files changed, 26 insertions(+), 21 deletions(-) + Lib/test/test_xml_etree.py | 12 ------------ + 5 files changed, 39 insertions(+), 44 deletions(-) --- a/Lib/test/support/__init__.py +++ b/Lib/test/support/__init__.py 
@@ -20,20 +21,75 @@ "ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST", "LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT", - "skip_on_s390x", -+ "skip_on_s390x", "fails_with_expat_2_6_0" ++ "skip_on_s390x", "fails_with_expat_2_6_0", "is_expat_2_6_0" ] -@@ -2243,3 +2244,9 @@ def copy_python_src_ignore(path, names): - #Windows doesn't have os.uname() but it doesn't support s390x. +@@ -2240,6 +2241,17 @@ def copy_python_src_ignore(path, names): + } + return ignored + +-#Windows doesn't have os.uname() but it doesn't support s390x. ++ ++# Windows doesn't have os.uname() but it doesn't support s390x. skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x', 'skipped on s390x') + + -+_null_pyexpat_parser=pyexpat.ParserCreate() ++@functools.lru_cache ++def _is_expat_2_6_0(): ++ return hasattr(pyexpat.ParserCreate(), 'GetReparseDeferralEnabled') ++is_expat_2_6_0 = _is_expat_2_6_0() ++ +fails_with_expat_2_6_0 = (unittest.expectedFailure -+ if hasattr(_null_pyexpat_parser, 'GetReparseDeferralEnabled') else -+ lambda test: test) ++ if is_expat_2_6_0 ++ else lambda test: test) +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -6,7 +6,6 @@ import io + from test import support + import unittest + +-import pyexpat + import xml.dom.minidom + + from xml.dom.minidom import parse, Attr, Node, Document, parseString +@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- if pyexpat.version_info >= (2, 4, 5): +- self.assertRaises(ExpatError, parseString, +- b'') +- self.assertRaises(ExpatError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') +- else: +- self.assertRaises(UnicodeDecodeError, parseString, ++ # It doesn’t make any sense to insist on the exact text of the ++ # error message, or even the exact Exception … it is enough that ++ # the error has been discovered. 
++ with self.assertRaises((UnicodeDecodeError, ExpatError)): ++ parseString( + b'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() +@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase): + self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) + + def testExceptionOnSpacesInXMLNSValue(self): +- if pyexpat.version_info >= (2, 4, 5): +- context = self.assertRaisesRegex(ExpatError, 'syntax error') +- else: +- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') +- +- with context: ++ # It doesn’t make any sense to insist on the exact text of the ++ # error message, or even the exact Exception … it is enough that ++ # the error has been discovered. ++ with self.assertRaises((ExpatError, ValueError)): + parseString('') + + def testDocRemoveChild(self): --- a/Lib/test/test_pyexpat.py +++ b/Lib/test/test_pyexpat.py @@ -14,8 +14,7 @@ from test.support import os_helper 
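Review bot: In the `Lib/test/support/__init__.py` part of the refreshed backport, `is_expat_2_6_0` is set from `hasattr(pyexpat.ParserCreate(), 'GetReparseDeferralEnabled')`, which probes what the `pyexpat` binding exposes rather than the linked libexpat. If the C module defines that method regardless of the library it was built against (not visible here), the flag is always true and the skip reason used later, "Linked libexpat doesn't support reparse deferral", would be misleading. A name that describes the feature, for example `has_reparse_deferral`, with a comment such as `# True when pyexpat parsers expose the reparse-deferral API added for CVE-2023-52425`, would say what is actually tested. `functools.lru_cache` adds nothing, because `_is_expat_2_6_0()` is called once at import and its result is kept in a module constant. `fails_with_expat_2_6_0` stays in `__all__` although none of the visible test hunks use it any more, so it can probably be dropped.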
@@ -42,23 +98,30 @@ -from test.support import sortdict, is_emscripten, is_wasi - -+from test.support import sortdict, is_emscripten, is_wasi, fails_with_expat_2_6_0 ++from test.support import sortdict, is_emscripten, is_wasi, is_expat_2_6_0 class SetAttributeTest(unittest.TestCase): def setUp(self): -@@ -793,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC +@@ -770,9 +769,8 @@ class ReparseDeferralTest(unittest.TestC + self.assertIs(parser.GetReparseDeferralEnabled(), enabled) - self.assertEqual(started, ['doc']) + def test_reparse_deferral_enabled(self): +- if expat.version_info < (2, 6, 0): +- self.skipTest(f'Expat {expat.version_info} does not ' +- 'support reparse deferral') ++ if not is_expat_2_6_0: ++ self.skipTest("Linked libexpat doesn't support reparse deferral") -+ @fails_with_expat_2_6_0 - def test_reparse_deferral_disabled(self): started = [] -@@ -800,9 +800,9 @@ class ReparseDeferralTest(unittest.TestC +@@ -799,10 +797,12 @@ class ReparseDeferralTest(unittest.TestC + def start_element(name, _): started.append(name) ++ if not is_expat_2_6_0: ++ self.skipTest("Linked libexpat doesn't support reparse deferral") ++ parser = expat.ParserCreate() -+ self.assertTrue(hasattr(parser, 'GetReparseDeferralEnabled')) parser.StartElementHandler = start_element - if expat.version_info >= (2, 6, 0): - parser.SetReparseDeferralEnabled(False) 
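Review bot: The guard `if not is_expat_2_6_0: self.skipTest("Linked libexpat doesn't support reparse deferral")` is written out inside each test body in test_pyexpat.py (`test_reparse_deferral_enabled`, `test_reparse_deferral_disabled`) and again in the test_sax.py hunks that follow (`test_flush_reparse_deferral_enabled`, `test_flush_reparse_deferral_disabled`). In `test_reparse_deferral_disabled` it also sits after the nested `start_element` definition instead of at the top. One decorator exported from `test.support`, `requires_reparse_deferral = unittest.skipUnless(is_expat_2_6_0, "pyexpat lacks reparse deferral")`, would state the condition once and keep the placement uniform. These tests exercise the behaviour the CVE-2023-52425 backport is about, so a skip leaves that behaviour unverified for the build, and the skip reason should make this obvious to whoever reads the test log. Both test bodies continue beyond the lines visible in this hunk.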
@@ -79,47 +142,41 @@ import urllib.request -from test.support import os_helper -from test.support import findfile -+from test.support import os_helper, findfile, fails_with_expat_2_6_0 ++from test.support import os_helper, findfile, is_expat_2_6_0 from test.support.os_helper import FakePath, TESTFN -@@ -1215,9 +1213,7 @@ class ExpatReaderTest(XmlTestBase): +@@ -1215,10 +1213,10 @@ class ExpatReaderTest(XmlTestBase): self.assertEqual(result.getvalue(), start + b"text") - @unittest.skipIf(pyexpat.version_info < (2, 6, 0), - f'Expat {pyexpat.version_info} does not ' - 'support reparse deferral') -+ @fails_with_expat_2_6_0 def test_flush_reparse_deferral_enabled(self): ++ if not is_expat_2_6_0: ++ self.skipTest("Linked libexpat doesn't support reparse deferral") ++ result = BytesIO() xmlgen = XMLGenerator(result) -@@ -1227,6 +1223,8 @@ class ExpatReaderTest(XmlTestBase): - for chunk in (""): - parser.feed(chunk) - -+ self.assertTrue(hasattr(parser._parser, 'GetReparseDeferralEnabled')) -+ - self.assertEqual(result.getvalue(), start) # i.e. no elements started - self.assertTrue(parser._parser.GetReparseDeferralEnabled()) - -@@ -1240,6 +1238,7 @@ class ExpatReaderTest(XmlTestBase): - + parser = create_parser() +@@ -1241,6 +1239,9 @@ class ExpatReaderTest(XmlTestBase): self.assertEqual(result.getvalue(), start + b"") -+ @fails_with_expat_2_6_0 def test_flush_reparse_deferral_disabled(self): ++ if not is_expat_2_6_0: ++ self.skipTest("Linked libexpat doesn't support reparse deferral") ++ result = BytesIO() xmlgen = XMLGenerator(result) -@@ -1249,9 +1248,10 @@ class ExpatReaderTest(XmlTestBase): + parser = create_parser() +@@ -1249,9 +1250,8 @@ class ExpatReaderTest(XmlTestBase): for chunk in (""): parser.feed(chunk) - if pyexpat.version_info >= (2, 6, 0): - parser._parser.SetReparseDeferralEnabled(False) - self.assertEqual(result.getvalue(), start) # i.e. 
no elements started -+ self.assertTrue(hasattr(parser._parser, 'SetReparseDeferralEnabled')) -+ + parser._parser.SetReparseDeferralEnabled(False) + self.assertEqual(result.getvalue(), start) # i.e. no elements started 
@@ -135,45 +192,30 @@ import sys import textwrap import types -@@ -26,7 +25,7 @@ from itertools import product, islice - from test import support - from test.support import os_helper - from test.support import warnings_helper --from test.support import findfile, gc_collect, swap_attr, swap_item -+from test.support import findfile, gc_collect, swap_attr, swap_item, fails_with_expat_2_6_0 - from test.support.import_helper import import_fresh_module - from test.support.os_helper import TESTFN - -@@ -1424,9 +1423,11 @@ class XMLPullParserTest(unittest.TestCas +@@ -1424,12 +1423,6 @@ class XMLPullParserTest(unittest.TestCas self.assert_event_tags(parser, [('end', 'root')]) self.assertIsNone(parser.close()) -+ @fails_with_expat_2_6_0 - def test_simple_xml_chunk_1(self): - self.test_simple_xml(chunk_size=1, flush=True) +- def test_simple_xml_chunk_1(self): +- self.test_simple_xml(chunk_size=1, flush=True) +- +- def test_simple_xml_chunk_5(self): +- self.test_simple_xml(chunk_size=5, flush=True) +- + def test_simple_xml_chunk_22(self): + self.test_simple_xml(chunk_size=22) -+ @fails_with_expat_2_6_0 - def test_simple_xml_chunk_5(self): - self.test_simple_xml(chunk_size=5, flush=True) - -@@ -1627,9 +1628,7 @@ class XMLPullParserTest(unittest.TestCas +@@ -1627,9 +1620,6 @@ class XMLPullParserTest(unittest.TestCas with self.assertRaises(ValueError): ET.XMLPullParser(events=('start', 'end', 'bogus')) - @unittest.skipIf(pyexpat.version_info < (2, 6, 0), - f'Expat {pyexpat.version_info} does not ' - 'support reparse deferral') -+ @fails_with_expat_2_6_0 def test_flush_reparse_deferral_enabled(self): parser = ET.XMLPullParser(events=('start', 'end')) -@@ -1651,13 +1650,12 @@ class XMLPullParserTest(unittest.TestCas - - self.assert_event_tags(parser, [('end', 'doc')]) - -+ @fails_with_expat_2_6_0 - def test_flush_reparse_deferral_disabled(self): - parser = ET.XMLPullParser(events=('start', 'end')) +@@ -1656,8 +1646,6 @@ class XMLPullParserTest(unittest.TestCas for chunk in (""): 
parser.feed(chunk) diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index 2fabf1b..9fa2590 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -3,11 +3,9 @@ Misc/NEWS | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) -Index: Python-3.11.8/Doc/using/configure.rst -=================================================================== ---- Python-3.11.8.orig/Doc/using/configure.rst -+++ Python-3.11.8/Doc/using/configure.rst -@@ -41,7 +41,6 @@ General Options +--- a/Doc/using/configure.rst ++++ b/Doc/using/configure.rst +@@ -43,7 +43,6 @@ General Options See :data:`sys.int_info.bits_per_digit `. @@ -15,7 +13,7 @@ Index: Python-3.11.8/Doc/using/configure.rst .. option:: --with-cxx-main=COMPILER Compile the Python ``main()`` function and link Python executable with C++ -@@ -527,13 +526,11 @@ macOS Options +@@ -529,13 +528,11 @@ macOS Options See ``Mac/README.rst``. @@ -29,11 +27,9 @@ Index: Python-3.11.8/Doc/using/configure.rst .. option:: --enable-framework=INSTALLDIR Create a Python.framework rather than a traditional Unix install. Optional -Index: Python-3.11.8/Misc/NEWS -=================================================================== ---- Python-3.11.8.orig/Misc/NEWS -+++ Python-3.11.8/Misc/NEWS -@@ -9411,7 +9411,7 @@ C API +--- a/Misc/NEWS ++++ b/Misc/NEWS +@@ -9768,7 +9768,7 @@ C API - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - bpo-43795: The list in :ref:`limited-api-list` now shows the public name diff --git a/python311.changes b/python311.changes index 5bcc5da..14ea885 100644 --- a/python311.changes +++ b/python311.changes 
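Review bot: In the test_xml_etree.py part of the refreshed backport, `test_simple_xml_chunk_1` and `test_simple_xml_chunk_5` are deleted outright, and the `@unittest.skipIf(pyexpat.version_info < (2, 6, 0), ...)` decorator on `test_flush_reparse_deferral_enabled` is removed with nothing put in its place. The new diffstat lists this file with 12 deletions and no additions, whereas test_pyexpat.py and test_sax.py gained an `is_expat_2_6_0` skip. On a pyexpat without reparse deferral the flush tests would therefore presumably run and fail rather than skip, so the same `if not is_expat_2_6_0: self.skipTest("Linked libexpat doesn't support reparse deferral")` guard (plus the import) belongs at the top of them. Deleting the chunk-size 1 and 5 cases also drops the small-chunk feeding coverage, which a conditional skip would keep wherever the parser supports flushing. The last inner hunk (`@@ -1656,8 +1646,6 @@`) is cut off at the outer hunk boundary, so what it removes is inferred from the line counts.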
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed May 1 08:39:08 UTC 2024 - Matej Cepl + +- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it + uses features sniffing, not just comparing version + number. Include also support-expat-CVE-2022-25236-patched.patch. +- Refresh patches: + - CVE-2023-27043-email-parsing-errors.patch + - fix_configure_rst.patch + - skip_if_buildbot-extend.patch +- Remove included patch: + - support-expat-CVE-2022-25236-patched.patch + ------------------------------------------------------------------- Mon Apr 15 10:31:32 UTC 2024 - Daniel Garcia diff --git a/python311.spec b/python311.spec index e5c3514..effbb92 100644 --- a/python311.spec +++ b/python311.spec @@ -155,9 +155,6 @@ Patch10: skip-test_pyobject_freed_is_freed.patch # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com # remove duplicate link targets and make documentation with old Sphinx in SLE Patch11: fix_configure_rst.patch -# PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com -# Makes Python resilient to changes of API of libexpat -Patch12: support-expat-CVE-2022-25236-patched.patch # PATCH-FIX-UPSTREAM skip_if_buildbot-extend.patch gh#python/cpython#103053 mcepl@suse.com # Skip test_freeze_simple_script Patch13: skip_if_buildbot-extend.patch @@ -429,7 +426,6 @@ other applications. %patch -p1 -P 10 %patch -p1 -P 11 -%patch -p1 -P 12 %patch -p1 -P 13 %patch -p1 -P 14 %patch -p1 -P 15 diff --git a/skip_if_buildbot-extend.patch b/skip_if_buildbot-extend.patch index 55a1b60..fd9a584 100644 --- a/skip_if_buildbot-extend.patch +++ b/skip_if_buildbot-extend.patch 
@@ -2,11 +2,9 @@ Lib/test/support/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: Python-3.11.8/Lib/test/support/__init__.py -=================================================================== ---- Python-3.11.8.orig/Lib/test/support/__init__.py -+++ Python-3.11.8/Lib/test/support/__init__.py -@@ -383,7 +383,7 @@ def skip_if_buildbot(reason=None): +--- a/Lib/test/support/__init__.py ++++ b/Lib/test/support/__init__.py +@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None): if not reason: reason = 'not suitable for buildbots' try: diff --git a/support-expat-CVE-2022-25236-patched.patch b/support-expat-CVE-2022-25236-patched.patch deleted file mode 100644 index d6fbad9..0000000 --- a/support-expat-CVE-2022-25236-patched.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 21 Feb 2022 08:16:09 -0800 -Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) - (GH-31472) - -Curly brackets were never allowed in namespace URIs -according to RFC 3986, and so-called namespace-validating -XML parsers have the right to reject them a invalid URIs. - -libexpat >=2.4.5 has become strcter in that regard due to -related security issues; with ET.XML instantiating a -namespace-aware parser under the hood, this test has no -future in CPython. - -References: -- https://datatracker.ietf.org/doc/html/rfc3968 -- https://www.w3.org/TR/xml-names/ - -Also, test_minidom.py: Support Expat >=2.4.5 -(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) - -Co-authored-by: Sebastian Pipping ---- - Lib/test/test_minidom.py | 23 +++++++++-------------- - 1 file changed, 9 insertions(+), 14 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst - -Index: Python-3.11.8/Lib/test/test_minidom.py -=================================================================== ---- Python-3.11.8.orig/Lib/test/test_minidom.py -+++ Python-3.11.8/Lib/test/test_minidom.py -@@ -6,7 +6,6 @@ import io - from test import support - import unittest - --import pyexpat - import xml.dom.minidom - - from xml.dom.minidom import parse, Attr, Node, Document, parseString -@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase): - - # Verify that character decoding errors raise exceptions instead - # of crashing -- if pyexpat.version_info >= (2, 4, 5): -- self.assertRaises(ExpatError, parseString, -- b'') -- self.assertRaises(ExpatError, parseString, -- b'Comment \xe7a va ? 
Tr\xe8s bien ?') -- else: -- self.assertRaises(UnicodeDecodeError, parseString, -+ # It doesn’t make any sense to insist on the exact text of the -+ # error message, or even the exact Exception … it is enough that -+ # the error has been discovered. -+ with self.assertRaises((UnicodeDecodeError, ExpatError)): -+ parseString( - b'Comment \xe7a va ? Tr\xe8s bien ?') - - doc.unlink() -@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase): - self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) - - def testExceptionOnSpacesInXMLNSValue(self): -- if pyexpat.version_info >= (2, 4, 5): -- context = self.assertRaisesRegex(ExpatError, 'syntax error') -- else: -- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') -- -- with context: -+ # It doesn’t make any sense to insist on the exact text of the -+ # error message, or even the exact Exception … it is enough that -+ # the error has been discovered. -+ with self.assertRaises((ExpatError, ValueError)): - parseString('') - - def testDocRemoveChild(self):