dgarcia/python314
SHA256
1
0
Fork 0
forked from python-interpreters/python314
Code Pull Requests Activity

Compare commits

base: dgarcia:llvm21
Branches Tags
dgarcia:main dgarcia:llvm21 python-interpreters:factory
..
compare: python-interpreters:factory
Branches Tags
python-interpreters:factory dgarcia:main dgarcia:llvm21

22 Commits
llvm21 ... factory

Author SHA256 Message Date
Matěj Cepl
a667dcdda9 Remove upstreamed patches: 
- CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
 2026-02-13 20:53:01 +01:00
Matěj Cepl
2ac99260ce Merge remote-tracking branch 'in_devel/slfo-main' into slfo-main 2026-02-13 15:18:02 +01:00
Matěj Cepl
3198f34561 Fix format of CVE changelong entries 2026-02-10 11:32:52 +01:00
Matěj Cepl
ae199523cc Add additional CVEs fixed by the upgrade. 2026-02-09 19:50:26 +01:00
Matěj Cepl
5a93ef3ac0 Fix bsc#1257041 (CVE-2025-15367) 
Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041
(CVE-2025-15367) using gh#python/cpython!143924 and doing basically the
same as the previous patch for poplib library.
 2026-02-05 19:23:10 +01:00
Matěj Cepl
3a530bad02 Fixing bsc#1257044 (CVE-2025-15366) 
Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
(CVE-2025-15366) using gh#python/cpython!143922 and doing basically the
same as the previous patch for IMAP protocol.
 2026-02-05 18:55:37 +01:00
Matěj Cepl
706c7b4cac Fixing bsc#1257108 (CVE-2025-12781) 
Add CVE-2025-12781-b64decode-alt-chars.patch fixing bsc#1257108
  (CVE-2025-12781) combining gh#python/cpython!141061,
  gh#python/cpython!141128, and gh#python/cpython!141153. All
  `*b64decode` functions should not accept non-altchars.
 2026-02-05 18:44:04 +01:00
Matěj Cepl
f41d0d940b Update to 3.14.3 
- Tools/Demos
    - gh-142095: Make gdb ‘py-bt’ command use frame from thread
      local state when available. Patch by Sam Gross and Victor
      Stinner.
  - Tests
    - gh-144415: The Android testbed now distinguishes between
      stdout/stderr messages which were triggered by a newline,
      and those triggered by a manual call to flush. This fixes
      logging of progress indicators and similar content.
    - gh-143460: Skip tests relying on infinite recusion if stack
      size is unlimited.
    - gh-65784: Add support for parametrized resource wantobjects
      in regrtests, which allows to run Tkinter tests with the
      specified value of tkinter.wantobjects, for example -u
      wantobjects=0.
    - gh-143553: Add support for parametrized resources, such as
      -u xpickle=2.7.
    - gh-142836: Accommodated Solaris in
      test_pdb.test_script_target_anonymous_pipe.
    - bpo-31391: Forward-port test_xpickle from Python 2 to
      Python 3 and add the resource back to test’s command line.
  - Security
    - gh-144125: BytesGenerator will now refuse to serialize
      (write) headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when
      flattening an email message using a modern email policy.
      Comments consisting of a very long sequence of non-foldable
      characters could trigger a forced line wrap that omitted
      the required leading space on the continuation line,
      causing the remainder of the comment to be interpreted as
      a new header field. This enabled header injection with
      carefully crafted inputs (bsc#1257029, CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media
      types.
    - gh-143919: Reject control characters in http.cookies.Morsel
      fields and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters.
  - Library
    - gh-144380: Improve performance of io.BufferedReader line
      iteration by ~49%.
    - gh-144169: Fix three crashes when non-string keyword
      arguments are supplied to objects in the ast module.
    - gh-144100: Fixed a crash in ctypes when using a deprecated
      POINTER(str) type in argtypes. Instead of aborting, ctypes
      now raises a proper Python exception when the pointer
      target type is unresolved.
    - gh-144050: Fix stat.filemode() in the pure-Python
      implementation to avoid misclassifying invalid mode values
      as block devices.
    - gh-144023: Fixed validation of file descriptor 0 in posix
      functions when used with follow_symlinks parameter.
    - gh-143999: Fix an issue where inspect.getgeneratorstate()
      and inspect.getcoroutinestate() could fail for generators
      wrapped by types.coroutine() in the suspended state.
    - gh-143831: annotationlib.ForwardRef objects are now
      hashable when created from annotation scopes with closures.
      Previously, hashing such objects would throw an exception.
      Patch by Bartosz Sławecki.
    - gh-143874: Fixed a bug in pdb where expression results were
      not sent back to remote client.
    - gh-143880: Fix data race in functools.partial() in the free
      threading build.
    - gh-143706: Fix multiprocessing forkserver so that sys.argv
      is correctly set before __main__ is preloaded. Previously,
      sys.argv was empty during main module import in forkserver
      child processes. This fixes a regression introduced in
      3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
      provided by Thomas Watson, thanks!
    - gh-143638: Forbid reentrant calls of the pickle.Pickler and
      pickle.Unpickler methods for the C implementation.
      Previously, this could cause crash or data corruption, now
      concurrent calls of methods of the same object raise
      RuntimeError.
    - gh-78724: Raise RuntimeError’s when user attempts to call
      methods on half-initialized Struct objects, For example,
      created by Struct.__new__(Struct). Patch by Sergey
      B Kirpichev.
    - gh-143196: Fix crash when the internal encoder object
      returned by undocumented function
      json.encoder.c_make_encoder() was called with non-zero
      second (_current_indent_level) argument.
    - gh-143191: _thread.stack_size() now raises ValueError if
      the stack size is too small. Patch by Victor Stinner.
    - gh-143602: Fix a inconsistency issue in write() that leads
      to unexpected buffer overwrite by deduplicating the buffer
      exports.
    - gh-143547: Fix sys.unraisablehook() when the hook raises an
      exception and changes sys.unraisablehook(): hold a strong
      reference to the old hook. Patch by Victor Stinner.
    - gh-143517: annotationlib.get_annotations() no longer raises
      a SyntaxError when evaluating a stringified starred
      annotation that starts with one or more whitespace
      characters followed by a *. Patch by Bartosz Sławecki.
    - gh-143378: Fix use-after-free crashes when a BytesIO object
      is concurrently mutated during write() or writelines().
    - gh-143346: Fix incorrect wrapping of the Base64 data in
      plistlib._PlistWriter when the indent contains a mix of
      tabs and spaces.
    - gh-143310: tkinter: fix a crash when a Python list is
      mutated during the conversion to a Tcl object (e.g., when
      setting a Tcl variable). Patch by Bénédikt Tran.
    - gh-143309: Fix a crash in os.execve() on non-Windows
      platforms when given a custom environment mapping which is
      then mutated during parsing. Patch by Bénédikt Tran.
    - gh-143308: pickle: fix use-after-free crashes when
      a PickleBuffer is concurrently mutated by a custom buffer
      callback during pickling. Patch by Bénédikt Tran and Aaron
      Wieczorek.
    - gh-143237: Fix support of named pipes in the rotating
      logging handlers.
    - gh-143249: Fix possible buffer leaks in Windows overlapped
      I/O on error handling.
    - gh-143241: zoneinfo: fix infinite loop in
      ZoneInfo.from_file when parsing a malformed TZif file.
      Patch by Fatih Celik.
    - gh-142830: sqlite3: fix use-after-free crashes when the
      connection’s callbacks are mutated during a callback
      execution. Patch by Bénédikt Tran.
    - gh-143200: xml.etree.ElementTree: fix use-after-free
      crashes in __getitem__() and __setitem__() methods of
      Element when the element is concurrently mutated. Patch by
      Bénédikt Tran.
    - gh-142195: Updated timeout evaluation logic in subprocess
      to be compatible with deterministic environments like
      Shadow where time moves exactly as requested.
    - gh-142164: Fix the ctypes bitfield overflow error message
      to report the correct offset and size calculation.
    - gh-143145: Fixed a possible reference leak in ctypes when
      constructing results with multiple output parameters on
      error.
    - gh-122431: Corrected the error message in
      readline.append_history_file() to state that nelements must
      be non-negative instead of positive.
    - gh-143004: Fix a potential use-after-free in
      collections.Counter.update() when user code mutates the
      Counter during an update.
    - gh-143046: The asyncio REPL no longer prints copyright and
      version messages in the quiet mode (-q). Patch by Bartosz
      Sławecki.
    - gh-140648: The asyncio REPL now respects the -I flag
      (isolated mode). Previously, it would load and execute
      PYTHONSTARTUP even if the flag was set. Contributed by
      Bartosz Sławecki.
    - gh-142991: Fixed socket operations such as recvfrom() and
      sendto() for FreeBSD divert(4) socket.
    - gh-143010: Fixed a bug in mailbox where the precise timing
      of an external event could result in the library opening an
      existing file instead of a file it expected to create.
    - gh-142881: Fix concurrent and reentrant call of
      atexit.unregister().
    - gh-112127: Fix possible use-after-free in
      atexit.unregister() when the callback is unregistered
      during comparison.
    - gh-142783: Fix zoneinfo use-after-free with descriptor
      _weak_cache. a descriptor as _weak_cache could cause
      crashes during object creation. The fix ensures proper
      reference counting for descriptor-provided objects.
    - gh-142754: Add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead.
    - gh-142784: The asyncio REPL now properly closes the loop
      upon the end of interactive session. Previously, it could
      cause surprising warnings. Contributed by Bartosz Sławecki.
    - gh-142555: array: fix a crash in a[i] = v when converting
      i to an index via i.__index__ or i.__float__ mutates the
      array.
    - gh-142594: Fix crash in TextIOWrapper.close() when the
      underlying buffer’s closed property calls detach().
    - gh-142451: hmac: Ensure that the HMAC.block_size attribute
      is correctly copied by HMAC.copy. Patch by Bénédikt Tran.
    - gh-142495: collections.defaultdict now prioritizes
      __setitem__() when inserting default values from
      default_factory. This prevents race conditions where
      a default value would overwrite a value set before
      default_factory returns.
    - gh-142651: unittest.mock: fix a thread safety issue where
      Mock.call_count may return inaccurate values when the mock
      is called concurrently from multiple threads.
    - gh-142595: Added type check during initialization of the
      decimal module to prevent a crash in case of broken stdlib.
      Patch by Sergey B Kirpichev.
    - gh-142556: Fix crash when a task gets re-registered during
      finalization in asyncio. Patch by Kumar Aditya.
    - gh-123241: Avoid reference count operations in garbage
      collection of ctypes objects.
    - gh-142517: The non-compat32 email policies now correctly
      handle refolding encoded words that contain bytes that can
      not be decoded in their specified character set. Previously
      this resulted in an encoding exception during folding.
    - gh-112527: The help text for required options in argparse
      no longer extended with “ (default: None)”.
    - gh-142346: Fix usage formatting for mutually exclusive
      groups in argparse when they are preceded by positional
      arguments or followed or intermixed with other optional
      arguments.
    - gh-142315: Pdb can now run scripts from anonymous pipes
      used in process substitution. Patch by Bartosz Sławecki.
    - gh-142332: Fix usage formatting for positional arguments in
      mutually exclusive groups in argparse. in argparse.
    - gh-142282: Fix winreg.QueryValueEx() to not accidentally
      read garbage buffer under race condition.
    - gh-75949: Fix argparse to preserve | separators in mutually
      exclusive groups when the usage line wraps due to length.
    - gh-142267: Improve argparse performance by caching the
      formatter used for argument validation.
    - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
      name defects are now correctly passed to the handle_defect
      method of policy in FeedParser.
    - gh-142006: Fix a bug in the email.policy.default folding
      algorithm which incorrectly resulted in a doubled newline
      when a line ending at exactly max_line_length was followed
      by an unfoldable token.
    - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
      underlying cancelled asyncio task running.
    - gh-139971: pydoc: Ensure that the link to the online
      documentation of a stdlib module is correct.
    - gh-139262: Some keystrokes can be swallowed in the new
      PyREPL on Windows, especially when used together with the
      ALT key. Fix by Chris Eibl.
    - gh-138897: Improved license/copyright/credits display in
      the REPL: now uses a pager.
    - gh-79986: Add parsing for References and In-Reply-To
      headers to the email library that parses the header content
      as lists of message id tokens. This prevents them from
      being folded incorrectly.
    - gh-136282: Add support for UNNAMED_SECTION when creating
      a section via the mapping protocol access
    - gh-109263: Starting a process from spawn context in
      multiprocessing no longer sets the start method globally.
    - gh-133253: Fix thread-safety issues in linecache.
    - gh-132715: Skip writing objects during marshalling once
      a failure has occurred.
  - IDLE
    - gh-143774: Better explain the operation of Format / Format
      Paragraph.
  - Documentation
    - gh-140806: Add documentation for enum.bin().
  - Core and Builtins
    - gh-144307: Prevent a reference leak in module teardown at
      interpreter finalization.
    - gh-144194: Fix error handling in perf jitdump
      initialization on memory allocation failure.
    - gh-144012: Check if the result is NULL in BINARY_OP_EXTENT
      opcode.
    - gh-141805: Fix crash in set when objects with the same hash
      are concurrently added to the set after removing an element
      with the same hash while the set still contains elements
      with the same hash.
    - gh-143670: Fixes a crash in ga_repr_items_list function.
    - gh-143377: Fix a crash in _interpreters.capture_exception()
      when the exception is incorrectly formatted. Patch by
      Bénédikt Tran.
    - gh-136924: The interactive help mode in the REPL no longer
      incorrectly syntax highlights text input as Python code.
      Contributed by Olga Matoula.
    - gh-143189: Fix crash when inserting a non-str key into
      a split table dictionary when the key matches an existing
      key in the split table but has no corresponding value in
      the dict.
    - gh-143228: Fix use-after-free in perf trampoline when
      toggling profiling while threads are running or during
      interpreter finalization with daemon threads active. The
      fix uses reference counting to ensure trampolines are not
      freed while any code object could still reference them.
      Pach by Pablo Galindo
    - gh-142664: Fix a use-after-free crash in
      memoryview.__hash__ when the __hash__ method of the
      referenced object mutates that object or the view. Patch by
      Bénédikt Tran.
    - gh-142557: Fix a use-after-free crash in bytearray.__mod__
      when the bytearray is mutated while formatting the %-style
      arguments. Patch by Bénédikt Tran.
    - gh-143195: Fix use-after-free crashes in bytearray.hex()
      and memoryview.hex() when the separator’s __len__() mutates
      the original object. Patch by Bénédikt Tran.
    - gh-142975: Fix crash after unfreezing all objects tracked
      by the garbage collector on the free threaded build.
    - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
      0. Previously, it was set to 0 in this case.
    - gh-143003: Fix an overflow of the shared empty buffer in
      bytearray.extend() when __length_hint__() returns 0 for
      non-empty iterator.
    - gh-143006: Fix a possible assertion error when comparing
      negative non-integer float and int with the same number of
      bits in the integer part.
    - gh-143057: Avoid locking in PyTraceMalloc_Track() and
      PyTraceMalloc_Untrack() when tracemalloc is not enabled.
    - gh-142776: Fix a file descriptor leak in import.c
    - gh-142829: Fix a use-after-free crash in
      contextvars.Context comparison when a custom __eq__ method
      modifies the context via set().
    - gh-142766: Clear the frame of a generator when
      generator.close() is called.
    - gh-142737: Tracebacks will be displayed in fallback mode
      even if io.open() is lost. Previously, this would crash the
      interpreter. Patch by Bartosz Sławecki.
    - gh-142554: Fix a crash in divmod() when
      _pylong.int_divmod() does not return a tuple of length two
      exactly. Patch by Bénédikt Tran.
    - gh-142560: Fix use-after-free in bytearray search-like
      methods (find(), count(), index(), rindex(), and rfind())
      by marking the storage as exported which causes
      reallocation attempts to raise BufferError. For contains(),
      split(), and rsplit() the buffer protocol is used for this.
    - gh-142531: Fix a free-threaded GC performance regression.
      If there are many untracked tuples, the GC will run too
      often, resulting in poor performance. The fix is to include
      untracked tuples in the “long lived” object count. The
      number of frozen objects is also now included since the
      free-threaded GC must scan those too.
    - gh-142402: Fix reference counting when adjacent literal
      parts are merged while constructing
      string.templatelib.Template, preventing the displaced
      string object from leaking.
    - gh-133932: Fix crash in the free threading build when
      clearing frames that hold tagged integers.
    - gh-142343: Fix SIGILL crash on m68k due to incorrect
      assembly constraint.
    - gh-100964: Fix reference cycle in exhausted generator
      frames. Patch by Savannah Ostrowski.
    - gh-69605: Fix edge-cases around already imported modules in
      the REPL auto-completion of imports.
    - gh-138568: Adjusted the built-in help() function so that
      empty inputs are ignored in interactive mode.
    - gh-137007: Fix a bug during JIT compilation failure which
      caused garbage collection debug assertions to fail.
  - C API
    - gh-142589: Fix
      PyUnstable_Object_IsUniqueReferencedTemporary() handling of
      tagged ints on the interpreter stack.
    - gh-142571: PyUnstable_CopyPerfMapFile() now checks that
      opening the file succeeded before flushing.
  - Build
    - gh-142454: When calculating the digest of the JIT stencils
      input, sort the hashed files by filenames before adding
      their content to the hasher. This ensures deterministic
      hash input and hence deterministic hash, independent on
      filesystem order.
    - gh-141808: When running make clean-retain-profile, keep the
      generated JIT stencils. That way, the stencils are not
      generated twice when Profile-guided optimization (PGO) is
      used. It also allows distributors to supply their own
      pre-built JIT stencils.
    - gh-138061: Ensure reproducible builds by making JIT stencil
      header generation deterministic.
Remove upstreamed patches:
  - CVE-2024-6923-follow-up-EOL-email-headers.patch
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - gh138131-exclude-pycache-from-digest.patch
      by a factor of 3.8x (bsc#1257031, CVE-2026-0672).
 2026-02-05 18:44:03 +01:00
Matěj Cepl
c99dacd908 fix(CVE-2026-0672-http-hdr-inject-cookie-Morsel): add test.support.control_characters_c0 2026-02-05 18:44:03 +01:00
Matěj Cepl
3206c36a35 Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch 
Reject control characters in http cookies (bsc#1257031, CVE-2026-0672).
 2026-02-05 18:44:03 +01:00
Matěj Cepl
16a4b703f5 Add CVE-2025-11468-email-hdr-fold-comment.patch 
Preserving parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
 2026-02-05 18:44:03 +01:00
Matěj Cepl
597c86f858 Add CVE-2024-6923-follow-up-EOL-email-headers.patch 
It is a follow-up to the previous fix of CVE-2024-6923 further encoding
EOL possibly hidden in email headers (bsc#1257181).
 2026-02-05 18:44:03 +01:00
Matěj Cepl
8e0da3e0be doc: mention that we have already fixed also bsc#1257181 2026-02-05 18:44:03 +01:00
Matěj Cepl
efcb67a2f8 fix(CVE-2026-0672-http-hdr-inject-cookie-Morsel): add test.support.control_characters_c0 2026-01-30 14:27:17 +01:00
Matěj Cepl
cc505ee89f Merge branch 'factory' into slfo-main 
Fixes for bsc#1257181 CVE-2026-1299 and bsc#1257029 CVE-2025-11468
 2026-01-29 17:38:53 +01:00
Matěj Cepl
902b37d5bd Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch 
Reject control characters in http cookies (bsc#1257031, CVE-2026-0672).
 2026-01-29 14:11:03 +01:00
Matěj Cepl
3a0658eda4 Add CVE-2025-11468-email-hdr-fold-comment.patch 
Preserving parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
 2026-01-29 13:59:57 +01:00
Matěj Cepl
faa9dd3a19 Add CVE-2024-6923-follow-up-EOL-email-headers.patch 
It is a follow-up to the previous fix of CVE-2024-6923 further encoding
EOL possibly hidden in email headers (bsc#1257181).
 2026-01-29 13:58:57 +01:00
Matěj Cepl
70db7ff339 doc: mention that we have already fixed also bsc#1257181 2026-01-27 14:31:46 +01:00
Elisei Roca
5a4398f438 Add package in slfo-main 
--
2.52.0
 2026-01-12 13:10:27 +01:00
Matěj Cepl
7cd0446b54 Remove (hopefully) unnecessary python314-base.rpmlintrc 2026-01-05 18:28:45 +01:00
Matěj Cepl
08540e4dfe Fix changelog. 2025-12-23 17:08:55 +01:00
18 changed files with 820 additions and 288 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,4 +2,5 @@
*.obscpio
_build.*
.pbuild
*.orig
python314-*-build/

41
CVE-2024-6923-follow-up-EOL-email-headers.patch Normal file
View File

@@ -0,0 +1,41 @@
From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 23 Jan 2026 08:59:35 -0600
Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator
(cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Denis Ledoux <dle@odoo.com>
Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
---
Lib/test/test_email/test_policy.py | 4 ++++
Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 ++++
2 files changed, 8 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
Index: Python-3.14.3/Lib/test/test_email/test_policy.py
===================================================================
--- Python-3.14.3.orig/Lib/test/test_email/test_policy.py 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/Lib/test/test_email/test_policy.py 2026-02-13 17:09:32.641745760 +0100
@@ -323,6 +323,10 @@
message.as_bytes(),
f"{text}\nBody".encode(),
)
+ self.assertEqual(
+ message.as_bytes(),
+ f"{text}\nBody".encode(),
+ )
# XXX: Need subclassing tests.
# For adding subclassed objects, make sure the usual rules apply (subclass
Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-02-13 17:09:32.642152246 +0100
@@ -0,0 +1,4 @@
+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers
+that are unsafely folded or delimited; see
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
+Bloemsaat and Petr Viktorin in :gh:`121650`).

196
CVE-2025-12781-b64decode-alt-chars.patch Normal file
View File

@@ -0,0 +1,196 @@
From f922c02c529d25d61aa9c28a8192639c1fce8d4d Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Wed, 5 Nov 2025 20:12:31 +0200
Subject: [PATCH] gh-125346: Add more base64 tests
Add more tests for the altchars argument of b64decode() and for the map01
argument of b32decode().
---
Doc/library/base64.rst | 18 ++--
Lib/base64.py | 40 +++++++-
Lib/test/test_base64.py | 45 ++++++++--
Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst | 5 +
4 files changed, 91 insertions(+), 17 deletions(-)
Index: Python-3.14.3/Doc/library/base64.rst
===================================================================
--- Python-3.14.3.orig/Doc/library/base64.rst 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/Doc/library/base64.rst 2026-02-13 15:43:18.030360439 +0100
@@ -77,15 +77,20 @@
A :exc:`binascii.Error` exception is raised
if *s* is incorrectly padded.
- If *validate* is ``False`` (the default), characters that are neither
+ If *validate* is false (the default), characters that are neither
in the normal base-64 alphabet nor the alternative alphabet are
- discarded prior to the padding check. If *validate* is ``True``,
- these non-alphabet characters in the input result in a
- :exc:`binascii.Error`.
+ discarded prior to the padding check, but the ``+`` and ``/`` characters
+ keep their meaning if they are not in *altchars* (they will be discarded
+ in future Python versions).
+ If *validate* is true, these non-alphabet characters in the input
+ result in a :exc:`binascii.Error`.
For more information about the strict base64 check, see :func:`binascii.a2b_base64`
- May assert or raise a :exc:`ValueError` if the length of *altchars* is not 2.
+ .. deprecated:: next
+ Accepting the ``+`` and ``/`` characters with an alternative alphabet
+ is now deprecated.
+
.. function:: standard_b64encode(s)
@@ -116,6 +121,9 @@
``/`` in the standard Base64 alphabet, and return the decoded
:class:`bytes`.
+ .. deprecated:: next
+ Accepting the ``+`` and ``/`` characters is now deprecated.
+
.. function:: b32encode(s)
Index: Python-3.14.3/Lib/base64.py
===================================================================
--- Python-3.14.3.orig/Lib/base64.py 2026-02-13 15:20:33.905228929 +0100
+++ Python-3.14.3/Lib/base64.py 2026-02-13 15:43:18.030771327 +0100
@@ -69,20 +69,39 @@
The result is returned as a bytes object. A binascii.Error is raised if
s is incorrectly padded.
- If validate is False (the default), characters that are neither in the
+ If validate is false (the default), characters that are neither in the
normal base-64 alphabet nor the alternative alphabet are discarded prior
- to the padding check. If validate is True, these non-alphabet characters
+ to the padding check. If validate is true, these non-alphabet characters
in the input result in a binascii.Error.
For more information about the strict base64 check, see:
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
"""
s = _bytes_from_decode_data(s)
+ badchar = None
if altchars is not None:
altchars = _bytes_from_decode_data(altchars)
- assert len(altchars) == 2, repr(altchars)
+ if len(altchars) != 2:
+ raise ValueError(f'invalid altchars: {altchars!r}')
+ for b in b'+/':
+ if b not in altchars and b in s:
+ badchar = b
+ break
s = s.translate(bytes.maketrans(altchars, b'+/'))
- return binascii.a2b_base64(s, strict_mode=validate)
+ result = binascii.a2b_base64(s, strict_mode=validate)
+ if badchar is not None:
+ import warnings
+ if validate:
+ warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
+ f'with altchars={altchars!r} and validate=True '
+ f'will be an error in future Python versions',
+ DeprecationWarning, stacklevel=2)
+ else:
+ warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
+ f'with altchars={altchars!r} and validate=False '
+ f'will be discarded in future Python versions',
+ FutureWarning, stacklevel=2)
+ return result
def standard_b64encode(s):
@@ -127,8 +146,19 @@
The alphabet uses '-' instead of '+' and '_' instead of '/'.
"""
s = _bytes_from_decode_data(s)
+ badchar = None
+ for b in b'+/':
+ if b in s:
+ badchar = b
+ break
s = s.translate(_urlsafe_decode_translation)
- return b64decode(s)
+ result = binascii.a2b_base64(s, strict_mode=False)
+ if badchar is not None:
+ import warnings
+ warnings.warn(f'invalid character {chr(badchar)!a} in URL-safe Base64 data '
+ f'will be discarded in future Python versions',
+ FutureWarning, stacklevel=2)
+ return result
Index: Python-3.14.3/Lib/test/test_base64.py
===================================================================
--- Python-3.14.3.orig/Lib/test/test_base64.py 2026-02-13 15:20:35.393785541 +0100
+++ Python-3.14.3/Lib/test/test_base64.py 2026-02-13 15:43:18.031706655 +0100
@@ -242,6 +242,25 @@
eq(base64.b64decode(data, altchars=altchars_str), res)
eq(base64.b64decode(data_str, altchars=altchars_str), res)
+ def test_b64decode_altchars(self):
+ # Test with arbitrary alternative characters
+ eq = self.assertEqual
+ res = b'\xd3V\xbeo\xf7\x1d'
+ for altchars in b'*$', b'+/', b'/+', b'+_', b'-+', b'-/', b'/_':
+ data = b'01a%cb%ccd' % tuple(altchars)
+ data_str = data.decode('ascii')
+ altchars_str = altchars.decode('ascii')
+
+ eq(base64.b64decode(data, altchars=altchars), res)
+ eq(base64.b64decode(data_str, altchars=altchars), res)
+ eq(base64.b64decode(data, altchars=altchars_str), res)
+ eq(base64.b64decode(data_str, altchars=altchars_str), res)
+
+ self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+')
+ self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+/-')
+ self.assertRaises(ValueError, base64.b64decode, '', altchars='+')
+ self.assertRaises(ValueError, base64.b64decode, '', altchars='+/-')
+
def test_b64decode_padding_error(self):
self.assertRaises(binascii.Error, base64.b64decode, b'abc')
self.assertRaises(binascii.Error, base64.b64decode, 'abc')
@@ -273,13 +292,25 @@
with self.assertRaises(binascii.Error):
base64.b64decode(bstr.decode('ascii'), validate=True)
- # Normal alphabet characters not discarded when alternative given
- res = b'\xfb\xef\xff'
- self.assertEqual(base64.b64decode(b'++//', validate=True), res)
- self.assertEqual(base64.b64decode(b'++//', '-_', validate=True), res)
- self.assertEqual(base64.b64decode(b'--__', '-_', validate=True), res)
- self.assertEqual(base64.urlsafe_b64decode(b'++//'), res)
- self.assertEqual(base64.urlsafe_b64decode(b'--__'), res)
+ # Normal alphabet characters will be discarded when alternative given
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.b64decode(b'++++', altchars=b'-_'),
+ b'\xfb\xef\xbe')
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.b64decode(b'////', altchars=b'-_'),
+ b'\xff\xff\xff')
+ with self.assertWarns(DeprecationWarning):
+ self.assertEqual(base64.b64decode(b'++++', altchars=b'-_', validate=True),
+ b'\xfb\xef\xbe')
+ with self.assertWarns(DeprecationWarning):
+ self.assertEqual(base64.b64decode(b'////', altchars=b'-_', validate=True),
+ b'\xff\xff\xff')
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.urlsafe_b64decode(b'++++'), b'\xfb\xef\xbe')
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.urlsafe_b64decode(b'////'), b'\xff\xff\xff')
+ with self.assertRaises(binascii.Error):
+ base64.b64decode(b'+/!', altchars=b'-_')
def test_b32encode(self):
eq = self.assertEqual
Index: Python-3.14.3/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.14.3/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst 2026-02-13 15:43:18.032082102 +0100
@@ -0,0 +1,5 @@
+Accepting ``+`` and ``/`` characters with an alternative alphabet in
+:func:`base64.b64decode` and :func:`base64.urlsafe_b64decode` is now
+deprecated.
+In future Python versions they will be errors in the strict mode and
+discarded in the non-strict mode.

56
CVE-2025-15366-imap-ctrl-chars.patch Normal file
View File

@@ -0,0 +1,56 @@
From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
---
Lib/imaplib.py | 4 +++-
Lib/test/test_imaplib.py | 6 ++++++
Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
3 files changed, 10 insertions(+), 1 deletion(-)
Index: Python-3.14.3/Lib/imaplib.py
===================================================================
--- Python-3.14.3.orig/Lib/imaplib.py 2026-02-13 15:20:34.675850664 +0100
+++ Python-3.14.3/Lib/imaplib.py 2026-02-13 15:43:20.726880248 +0100
@@ -131,7 +131,7 @@
# We compile these in _mode_xxx.
_Literal = br'.*{(?P<size>\d+)}$'
_Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
-
+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
class IMAP4:
@@ -1108,6 +1108,8 @@
if arg is None: continue
if isinstance(arg, str):
arg = bytes(arg, self._encoding)
+ if _control_chars.search(arg):
+ raise ValueError("Control characters not allowed in commands")
data = data + b' ' + arg
literal = self.literal
Index: Python-3.14.3/Lib/test/test_imaplib.py
===================================================================
--- Python-3.14.3.orig/Lib/test/test_imaplib.py 2026-02-13 15:20:36.132236378 +0100
+++ Python-3.14.3/Lib/test/test_imaplib.py 2026-02-13 15:43:20.727593302 +0100
@@ -663,6 +663,12 @@
self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
self.assertEqual(client.state, 'AUTH')
+ def test_control_characters(self):
+ client, _ = self._setup(SimpleIMAPHandler)
+ for c0 in support.control_characters_c0():
+ with self.assertRaises(ValueError):
+ client.login(f'user{c0}', 'pass')
+
# property tests
def test_file_property_should_not_be_accessed(self):
Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-02-13 15:43:20.727873249 +0100
@@ -0,0 +1 @@
+Reject control characters in IMAP commands.

56
CVE-2025-15367-poplib-ctrl-chars.patch Normal file
View File

@@ -0,0 +1,56 @@
From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
---
Lib/poplib.py | 2 ++
Lib/test/test_poplib.py | 8 ++++++++
Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 +
3 files changed, 11 insertions(+)
Index: Python-3.14.3/Lib/poplib.py
===================================================================
--- Python-3.14.3.orig/Lib/poplib.py 2026-02-13 15:20:34.865869684 +0100
+++ Python-3.14.3/Lib/poplib.py 2026-02-13 15:43:22.865622881 +0100
@@ -122,6 +122,8 @@
def _putcmd(self, line):
if self._debugging: print('*cmd*', repr(line))
line = bytes(line, self.encoding)
+ if re.search(b'[\x00-\x1F\x7F]', line):
+ raise ValueError('Control characters not allowed in commands')
self._putline(line)
Index: Python-3.14.3/Lib/test/test_poplib.py
===================================================================
--- Python-3.14.3.orig/Lib/test/test_poplib.py 2026-02-13 15:20:36.695240465 +0100
+++ Python-3.14.3/Lib/test/test_poplib.py 2026-02-13 15:43:22.865782353 +0100
@@ -17,6 +17,7 @@
from test.support import threading_helper
from test.support import asynchat
from test.support import asyncore
+from test.support import control_characters_c0
test_support.requires_working_socket(module=True)
@@ -395,6 +396,13 @@
self.assertIsNone(self.client.sock)
self.assertIsNone(self.client.file)
+ def test_control_characters(self):
+ for c0 in control_characters_c0():
+ with self.assertRaises(ValueError):
+ self.client.user(f'user{c0}')
+ with self.assertRaises(ValueError):
+ self.client.pass_(f'{c0}pass')
+
@requires_ssl
def test_stls_capa(self):
capa = self.client.capa()
Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst 2026-02-13 15:43:22.866393092 +0100
@@ -0,0 +1 @@
+Reject control characters in POP3 commands.

BIN
Python-3.14.2.tar.xz LFS
View File

Binary file not shown.

1
Python-3.14.2.tar.xz.sigstore
View File

File diff suppressed because one or more lines are too long

BIN
Python-3.14.3.tar.xz LFS Normal file
View File

Binary file not shown.

1
Python-3.14.3.tar.xz.sigstore Normal file
View File

File diff suppressed because one or more lines are too long

17
configure-drop-autoconf-ver-req.patch Normal file
View File

@@ -0,0 +1,17 @@
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: Python-3.14.3/configure.ac
===================================================================
--- Python-3.14.3.orig/configure.ac 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/configure.ac 2026-02-13 20:23:46.066774038 +0100
@@ -12,7 +12,7 @@
# Set VERSION so we only need to edit in one place (i.e., here)
m4_define([PYTHON_VERSION], [3.14])
-AC_PREREQ([2.72])
+dnl AC_PREREQ([2.72])
AC_INIT([python],[PYTHON_VERSION],[https://github.com/python/cpython/issues/])

30
gh138131-exclude-pycache-from-digest.patch
View File

@@ -1,30 +0,0 @@
From 4bb41b28d5bac09bccd636d8c5fefe1a462f63a7 Mon Sep 17 00:00:00 2001
From: Alm <alon.menczer@gmail.com>
Date: Mon, 25 Aug 2025 08:56:38 +0300
Subject: [PATCH 1/4] Exclude .pyc files from the computed digest in the jit
stencils
---
Tools/jit/_targets.py | 3 +++
1 file changed, 3 insertions(+)
Index: Python-3.14.0rc2/Tools/jit/_targets.py
===================================================================
--- Python-3.14.0rc2.orig/Tools/jit/_targets.py
+++ Python-3.14.0rc2/Tools/jit/_targets.py
@@ -69,6 +69,9 @@ class _Target(typing.Generic[_S, _R]):
hasher.update(PYTHON_EXECUTOR_CASES_C_H.read_bytes())
hasher.update((self.pyconfig_dir / "pyconfig.h").read_bytes())
for dirpath, _, filenames in sorted(os.walk(TOOLS_JIT)):
+ # Exclude cache files from digest computation to ensure reproducible builds.
+ if dirpath.endswith("__pycache__"):
+ continue
for filename in filenames:
hasher.update(pathlib.Path(dirpath, filename).read_bytes())
return hasher.hexdigest()
Index: Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst
===================================================================
--- /dev/null
+++ Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst
@@ -0,0 +1 @@
+Ensure reproducible builds by making JIT stencil header generation deterministic.

212
gh138498-llvm-version-config.patch
View File

@@ -1,212 +0,0 @@
Index: Python-3.14.0/Tools/jit/README.md
===================================================================
--- Python-3.14.0.orig/Tools/jit/README.md
+++ Python-3.14.0/Tools/jit/README.md
@@ -9,7 +9,7 @@ Python 3.11 or newer is required to buil
The JIT compiler does not require end users to install any third-party dependencies, but part of it must be *built* using LLVM[^why-llvm]. You are *not* required to build the rest of CPython using LLVM, or even the same version of LLVM (in fact, this is uncommon).
-LLVM version 19 is required. Both `clang` and `llvm-readobj` need to be installed and discoverable (version suffixes, like `clang-19`, are okay). It's highly recommended that you also have `llvm-objdump` available, since this allows the build script to dump human-readable assembly for the generated code.
+LLVM version 19 is the officially supported version. You can modify if needed using the `LLVM_VERSION` env var during configure. Both `clang` and `llvm-readobj` need to be installed and discoverable (version suffixes, like `clang-19`, are okay). It's highly recommended that you also have `llvm-objdump` available, since this allows the build script to dump human-readable assembly for the generated code.
It's easy to install all of the required tools:
Index: Python-3.14.0/Tools/jit/_llvm.py
===================================================================
--- Python-3.14.0.orig/Tools/jit/_llvm.py
+++ Python-3.14.0/Tools/jit/_llvm.py
@@ -10,8 +10,8 @@ import typing
import _targets
-_LLVM_VERSION = 19
-_LLVM_VERSION_PATTERN = re.compile(rf"version\s+{_LLVM_VERSION}\.\d+\.\d+\S*\s+")
+
+_LLVM_VERSION = "19"
_EXTERNALS_LLVM_TAG = "llvm-19.1.7.0"
_P = typing.ParamSpec("_P")
@@ -56,53 +56,66 @@ async def _run(tool: str, args: typing.I
@_async_cache
-async def _check_tool_version(name: str, *, echo: bool = False) -> bool:
+async def _check_tool_version(
+ name: str, llvm_version: str, *, echo: bool = False
+) -> bool:
output = await _run(name, ["--version"], echo=echo)
- return bool(output and _LLVM_VERSION_PATTERN.search(output))
+ _llvm_version_pattern = re.compile(rf"version\s+{llvm_version}\.\d+\.\d+\S*\s+")
+ return bool(output and _llvm_version_pattern.search(output))
@_async_cache
-async def _get_brew_llvm_prefix(*, echo: bool = False) -> str | None:
- output = await _run("brew", ["--prefix", f"llvm@{_LLVM_VERSION}"], echo=echo)
+async def _get_brew_llvm_prefix(llvm_version: str, *, echo: bool = False) -> str | None:
+ output = await _run("brew", ["--prefix", f"llvm@{llvm_version}"], echo=echo)
return output and output.removesuffix("\n")
@_async_cache
-async def _find_tool(tool: str, *, echo: bool = False) -> str | None:
+async def _find_tool(tool: str, llvm_version: str, *, echo: bool = False) -> str | None:
# Unversioned executables:
path = tool
- if await _check_tool_version(path, echo=echo):
+ if await _check_tool_version(path, llvm_version, echo=echo):
return path
# Versioned executables:
- path = f"{tool}-{_LLVM_VERSION}"
- if await _check_tool_version(path, echo=echo):
+ path = f"{tool}-{llvm_version}"
+ if await _check_tool_version(path, llvm_version, echo=echo):
return path
# PCbuild externals:
externals = os.environ.get("EXTERNALS_DIR", _targets.EXTERNALS)
path = os.path.join(externals, _EXTERNALS_LLVM_TAG, "bin", tool)
- if await _check_tool_version(path, echo=echo):
+ if await _check_tool_version(path, llvm_version, echo=echo):
return path
# Homebrew-installed executables:
- prefix = await _get_brew_llvm_prefix(echo=echo)
+ prefix = await _get_brew_llvm_prefix(llvm_version, echo=echo)
if prefix is not None:
path = os.path.join(prefix, "bin", tool)
- if await _check_tool_version(path, echo=echo):
+ if await _check_tool_version(path, llvm_version, echo=echo):
return path
# Nothing found:
return None
async def maybe_run(
- tool: str, args: typing.Iterable[str], echo: bool = False
+ tool: str,
+ args: typing.Iterable[str],
+ echo: bool = False,
+ llvm_version: str = _LLVM_VERSION,
) -> str | None:
"""Run an LLVM tool if it can be found. Otherwise, return None."""
- path = await _find_tool(tool, echo=echo)
+
+ path = await _find_tool(tool, llvm_version, echo=echo)
return path and await _run(path, args, echo=echo)
-async def run(tool: str, args: typing.Iterable[str], echo: bool = False) -> str:
+async def run(
+ tool: str,
+ args: typing.Iterable[str],
+ echo: bool = False,
+ llvm_version: str = _LLVM_VERSION,
+) -> str:
"""Run an LLVM tool if it can be found. Otherwise, raise RuntimeError."""
- output = await maybe_run(tool, args, echo=echo)
+
+ output = await maybe_run(tool, args, echo=echo, llvm_version=llvm_version)
if output is None:
- raise RuntimeError(f"Can't find {tool}-{_LLVM_VERSION}!")
+ raise RuntimeError(f"Can't find {tool}-{llvm_version}!")
return output
Index: Python-3.14.0/Tools/jit/_targets.py
===================================================================
--- Python-3.14.0.orig/Tools/jit/_targets.py
+++ Python-3.14.0/Tools/jit/_targets.py
@@ -48,6 +48,7 @@ class _Target(typing.Generic[_S, _R]):
debug: bool = False
verbose: bool = False
cflags: str = ""
+ llvm_version: str = _llvm._LLVM_VERSION
known_symbols: dict[str, int] = dataclasses.field(default_factory=dict)
pyconfig_dir: pathlib.Path = pathlib.Path.cwd().resolve()
@@ -79,7 +80,9 @@ class _Target(typing.Generic[_S, _R]):
async def _parse(self, path: pathlib.Path) -> _stencils.StencilGroup:
group = _stencils.StencilGroup()
args = ["--disassemble", "--reloc", f"{path}"]
- output = await _llvm.maybe_run("llvm-objdump", args, echo=self.verbose)
+ output = await _llvm.maybe_run(
+ "llvm-objdump", args, echo=self.verbose, llvm_version=self.llvm_version
+ )
if output is not None:
# Make sure that full paths don't leak out (for reproducibility):
long, short = str(path), str(path.name)
@@ -97,7 +100,9 @@ class _Target(typing.Generic[_S, _R]):
"--sections",
f"{path}",
]
- output = await _llvm.run("llvm-readobj", args, echo=self.verbose)
+ output = await _llvm.run(
+ "llvm-readobj", args, echo=self.verbose, llvm_version=self.llvm_version
+ )
# --elf-output-style=JSON is only *slightly* broken on Mach-O...
output = output.replace("PrivateExtern\n", "\n")
output = output.replace("Extern\n", "\n")
@@ -164,7 +169,9 @@ class _Target(typing.Generic[_S, _R]):
# Allow user-provided CFLAGS to override any defaults
*shlex.split(self.cflags),
]
- await _llvm.run("clang", args, echo=self.verbose)
+ await _llvm.run(
+ "clang", args, echo=self.verbose, llvm_version=self.llvm_version
+ )
return await self._parse(o)
async def _build_stencils(self) -> dict[str, _stencils.StencilGroup]:
@@ -212,6 +219,8 @@ class _Target(typing.Generic[_S, _R]):
if not self.stable:
warning = f"JIT support for {self.triple} is still experimental!"
request = "Please report any issues you encounter.".center(len(warning))
+ if self.llvm_version != _llvm._LLVM_VERSION:
+ request = f"Warning! Building with an LLVM version other than {_llvm._LLVM_VERSION} is not supported."
outline = "=" * len(warning)
print("\n".join(["", outline, warning, request, outline, ""]))
digest = f"// {self._compute_digest()}\n"
Index: Python-3.14.0/Tools/jit/build.py
===================================================================
--- Python-3.14.0.orig/Tools/jit/build.py
+++ Python-3.14.0/Tools/jit/build.py
@@ -42,6 +42,7 @@ if __name__ == "__main__":
parser.add_argument(
"--cflags", help="additional flags to pass to the compiler", default=""
)
+ parser.add_argument("--llvm-version", help="LLVM version to use")
args = parser.parse_args()
for target in args.target:
target.debug = args.debug
@@ -49,6 +50,8 @@ if __name__ == "__main__":
target.verbose = args.verbose
target.cflags = args.cflags
target.pyconfig_dir = args.pyconfig_dir
+ if args.llvm_version:
+ target.llvm_version = args.llvm_version
target.build(
comment=comment,
force=args.force,
Index: Python-3.14.0/configure
===================================================================
--- Python-3.14.0.orig/configure
+++ Python-3.14.0/configure
@@ -10866,7 +10866,7 @@ then :
else case e in #(
e) as_fn_append CFLAGS_NODIST " $jit_flags"
- REGEN_JIT_COMMAND="\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\""
+ REGEN_JIT_COMMAND="\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\" --llvm-version=\"$LLVM_VERSION\""
JIT_STENCILS_H="jit_stencils.h"
if test "x$Py_DEBUG" = xtrue
then :
Index: Python-3.14.0/configure.ac
===================================================================
--- Python-3.14.0.orig/configure.ac
+++ Python-3.14.0/configure.ac
@@ -2779,7 +2779,7 @@ AS_VAR_IF([jit_flags],
[],
[AS_VAR_APPEND([CFLAGS_NODIST], [" $jit_flags"])
AS_VAR_SET([REGEN_JIT_COMMAND],
- ["\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\""])
+ ["\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\" --llvm-version=\"$LLVM_VERSION\""])
AS_VAR_SET([JIT_STENCILS_H], ["jit_stencils.h"])
AS_VAR_IF([Py_DEBUG],
[true],

34
gh139257-Support-docutils-0.22.patch
View File

@@ -4,13 +4,39 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200
Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
---
Doc/Makefile | 2 -
Doc/conf.py | 3 +
Doc/tools/extensions/pyspecific.py | 68 +++++++++++++++++++++++++------------
1 file changed, 46 insertions(+), 22 deletions(-)
3 files changed, 50 insertions(+), 23 deletions(-)
Index: Python-3.14.2/Doc/tools/extensions/pyspecific.py
Index: Python-3.14.3/Doc/Makefile
===================================================================
--- Python-3.14.2.orig/Doc/tools/extensions/pyspecific.py 2025-12-05 17:49:16.000000000 +0100
+++ Python-3.14.2/Doc/tools/extensions/pyspecific.py 2025-12-11 18:15:44.936875242 +0100
--- Python-3.14.3.orig/Doc/Makefile 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/Doc/Makefile 2026-02-13 20:28:48.460059340 +0100
@@ -14,7 +14,7 @@
SOURCES =
DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py)
REQUIREMENTS = requirements.txt
-SPHINXERRORHANDLING = --fail-on-warning
+SPHINXERRORHANDLING =
# Internal variables.
PAPEROPT_a4 = --define latex_elements.papersize=a4paper
Index: Python-3.14.3/Doc/conf.py
===================================================================
--- Python-3.14.3.orig/Doc/conf.py 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/Doc/conf.py 2026-02-13 20:21:11.034520886 +0100
@@ -582,3 +582,6 @@
'<meta property="og:image:width" content="200">',
'<meta property="og:image:height" content="200">',
)
+
+# Fix devhelp doc build gh#python/cpython#120150
+master_doc = 'contents'
Index: Python-3.14.3/Doc/tools/extensions/pyspecific.py
===================================================================
--- Python-3.14.3.orig/Doc/tools/extensions/pyspecific.py 2026-02-03 16:32:20.000000000 +0100
+++ Python-3.14.3/Doc/tools/extensions/pyspecific.py 2026-02-13 17:09:31.987767795 +0100
@@ -1,12 +1,12 @@
# -*- coding: utf-8 -*-
"""

4
python314-base.rpmlintrc
View File

@@ -1,4 +0,0 @@
addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc")

1
python314-rpmlintrc
View File

@@ -1,3 +1,4 @@
addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc")

406
python314.changes
View File

@@ -1,9 +1,396 @@
-------------------------------------------------------------------
Thu Dec 12 07:00:00 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
Thu Feb 5 17:26:23 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- Use LLVM21 to build python314, add patch
gh138498-llvm-version-config.patch
bsc#1254826, gh#python/cpython#138498
- CVE-2025-12781: All `*b64decode` functions should not accept
non-altchars. (bsc#1257108, gh#python/cpython#125346)
CVE-2025-12781-b64decode-alt-chars.patch
- CVE-2025-15366: IMAP protocol should not accept non-altchars as
well. (bsc#1257044, gh-143921)
CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch but for
the poplib library. (bsc#1257041, gh#python/cpython#143923)
CVE-2025-15367-poplib-ctrl-chars.patch
- Remove upstreamed patches:
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- Add configure-drop-autoconf-ver-req.patch to move some `sed`
modifications to patch.
-------------------------------------------------------------------
Thu Feb 5 12:57:09 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.14.3:
- Tools/Demos
- gh-142095: Make gdb py-bt command use frame from thread
local state when available. Patch by Sam Gross and Victor
Stinner.
- Tests
- gh-144415: The Android testbed now distinguishes between
stdout/stderr messages which were triggered by a newline,
and those triggered by a manual call to flush. This fixes
logging of progress indicators and similar content.
- gh-143460: Skip tests relying on infinite recusion if stack
size is unlimited.
- gh-65784: Add support for parametrized resource wantobjects
in regrtests, which allows to run Tkinter tests with the
specified value of tkinter.wantobjects, for example -u
wantobjects=0.
- gh-143553: Add support for parametrized resources, such as
-u xpickle=2.7.
- gh-142836: Accommodated Solaris in
test_pdb.test_script_target_anonymous_pipe.
- bpo-31391: Forward-port test_xpickle from Python 2 to
Python 3 and add the resource back to tests command line.
- Security
- gh-144125: BytesGenerator will now refuse to serialize
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650).
- CVE-2025-11468: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs (bsc#1257029, gh-143935).
- CVE-2025-15282: Reject control characters in data: URL
media types (bsc#1257046, gh-143925).
- CVE-2026-0672: Reject control characters in
http.cookies.Morsel fields and values (bsc#1257031,
gh-143919).
- CVE-2026-0865: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters
(bsc#1257042, gh-143916).
- Library
- gh-144380: Improve performance of io.BufferedReader line
iteration by ~49%.
- gh-144169: Fix three crashes when non-string keyword
arguments are supplied to objects in the ast module.
- gh-144100: Fixed a crash in ctypes when using a deprecated
POINTER(str) type in argtypes. Instead of aborting, ctypes
now raises a proper Python exception when the pointer
target type is unresolved.
- gh-144050: Fix stat.filemode() in the pure-Python
implementation to avoid misclassifying invalid mode values
as block devices.
- gh-144023: Fixed validation of file descriptor 0 in posix
functions when used with follow_symlinks parameter.
- gh-143999: Fix an issue where inspect.getgeneratorstate()
and inspect.getcoroutinestate() could fail for generators
wrapped by types.coroutine() in the suspended state.
- gh-143831: annotationlib.ForwardRef objects are now
hashable when created from annotation scopes with closures.
Previously, hashing such objects would throw an exception.
Patch by Bartosz Sławecki.
- gh-143874: Fixed a bug in pdb where expression results were
not sent back to remote client.
- gh-143880: Fix data race in functools.partial() in the free
threading build.
- gh-143706: Fix multiprocessing forkserver so that sys.argv
is correctly set before __main__ is preloaded. Previously,
sys.argv was empty during main module import in forkserver
child processes. This fixes a regression introduced in
3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
provided by Thomas Watson, thanks!
- gh-143638: Forbid reentrant calls of the pickle.Pickler and
pickle.Unpickler methods for the C implementation.
Previously, this could cause crash or data corruption, now
concurrent calls of methods of the same object raise
RuntimeError.
- gh-78724: Raise RuntimeErrors when user attempts to call
methods on half-initialized Struct objects, For example,
created by Struct.__new__(Struct). Patch by Sergey
B Kirpichev.
- gh-143196: Fix crash when the internal encoder object
returned by undocumented function
json.encoder.c_make_encoder() was called with non-zero
second (_current_indent_level) argument.
- gh-143191: _thread.stack_size() now raises ValueError if
the stack size is too small. Patch by Victor Stinner.
- gh-143602: Fix a inconsistency issue in write() that leads
to unexpected buffer overwrite by deduplicating the buffer
exports.
- gh-143547: Fix sys.unraisablehook() when the hook raises an
exception and changes sys.unraisablehook(): hold a strong
reference to the old hook. Patch by Victor Stinner.
- gh-143517: annotationlib.get_annotations() no longer raises
a SyntaxError when evaluating a stringified starred
annotation that starts with one or more whitespace
characters followed by a *. Patch by Bartosz Sławecki.
- gh-143378: Fix use-after-free crashes when a BytesIO object
is concurrently mutated during write() or writelines().
- gh-143346: Fix incorrect wrapping of the Base64 data in
plistlib._PlistWriter when the indent contains a mix of
tabs and spaces.
- gh-143310: tkinter: fix a crash when a Python list is
mutated during the conversion to a Tcl object (e.g., when
setting a Tcl variable). Patch by Bénédikt Tran.
- gh-143309: Fix a crash in os.execve() on non-Windows
platforms when given a custom environment mapping which is
then mutated during parsing. Patch by Bénédikt Tran.
- gh-143308: pickle: fix use-after-free crashes when
a PickleBuffer is concurrently mutated by a custom buffer
callback during pickling. Patch by Bénédikt Tran and Aaron
Wieczorek.
- gh-143237: Fix support of named pipes in the rotating
logging handlers.
- gh-143249: Fix possible buffer leaks in Windows overlapped
I/O on error handling.
- gh-143241: zoneinfo: fix infinite loop in
ZoneInfo.from_file when parsing a malformed TZif file.
Patch by Fatih Celik.
- gh-142830: sqlite3: fix use-after-free crashes when the
connections callbacks are mutated during a callback
execution. Patch by Bénédikt Tran.
- gh-143200: xml.etree.ElementTree: fix use-after-free
crashes in __getitem__() and __setitem__() methods of
Element when the element is concurrently mutated. Patch by
Bénédikt Tran.
- gh-142195: Updated timeout evaluation logic in subprocess
to be compatible with deterministic environments like
Shadow where time moves exactly as requested.
- gh-142164: Fix the ctypes bitfield overflow error message
to report the correct offset and size calculation.
- gh-143145: Fixed a possible reference leak in ctypes when
constructing results with multiple output parameters on
error.
- gh-122431: Corrected the error message in
readline.append_history_file() to state that nelements must
be non-negative instead of positive.
- gh-143004: Fix a potential use-after-free in
collections.Counter.update() when user code mutates the
Counter during an update.
- gh-143046: The asyncio REPL no longer prints copyright and
version messages in the quiet mode (-q). Patch by Bartosz
Sławecki.
- gh-140648: The asyncio REPL now respects the -I flag
(isolated mode). Previously, it would load and execute
PYTHONSTARTUP even if the flag was set. Contributed by
Bartosz Sławecki.
- gh-142991: Fixed socket operations such as recvfrom() and
sendto() for FreeBSD divert(4) socket.
- gh-143010: Fixed a bug in mailbox where the precise timing
of an external event could result in the library opening an
existing file instead of a file it expected to create.
- gh-142881: Fix concurrent and reentrant call of
atexit.unregister().
- gh-112127: Fix possible use-after-free in
atexit.unregister() when the callback is unregistered
during comparison.
- gh-142783: Fix zoneinfo use-after-free with descriptor
_weak_cache. a descriptor as _weak_cache could cause
crashes during object creation. The fix ensures proper
reference counting for descriptor-provided objects.
- gh-142754: Add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead.
- gh-142784: The asyncio REPL now properly closes the loop
upon the end of interactive session. Previously, it could
cause surprising warnings. Contributed by Bartosz Sławecki.
- gh-142555: array: fix a crash in a[i] = v when converting
i to an index via i.__index__ or i.__float__ mutates the
array.
- gh-142594: Fix crash in TextIOWrapper.close() when the
underlying buffers closed property calls detach().
- gh-142451: hmac: Ensure that the HMAC.block_size attribute
is correctly copied by HMAC.copy. Patch by Bénédikt Tran.
- gh-142495: collections.defaultdict now prioritizes
__setitem__() when inserting default values from
default_factory. This prevents race conditions where
a default value would overwrite a value set before
default_factory returns.
- gh-142651: unittest.mock: fix a thread safety issue where
Mock.call_count may return inaccurate values when the mock
is called concurrently from multiple threads.
- gh-142595: Added type check during initialization of the
decimal module to prevent a crash in case of broken stdlib.
Patch by Sergey B Kirpichev.
- gh-142556: Fix crash when a task gets re-registered during
finalization in asyncio. Patch by Kumar Aditya.
- gh-123241: Avoid reference count operations in garbage
collection of ctypes objects.
- gh-142517: The non-compat32 email policies now correctly
handle refolding encoded words that contain bytes that can
not be decoded in their specified character set. Previously
this resulted in an encoding exception during folding.
- gh-112527: The help text for required options in argparse
no longer extended with “ (default: None)”.
- gh-142346: Fix usage formatting for mutually exclusive
groups in argparse when they are preceded by positional
arguments or followed or intermixed with other optional
arguments.
- gh-142315: Pdb can now run scripts from anonymous pipes
used in process substitution. Patch by Bartosz Sławecki.
- gh-142332: Fix usage formatting for positional arguments in
mutually exclusive groups in argparse. in argparse.
- gh-142282: Fix winreg.QueryValueEx() to not accidentally
read garbage buffer under race condition.
- gh-75949: Fix argparse to preserve | separators in mutually
exclusive groups when the usage line wraps due to length.
- gh-142267: Improve argparse performance by caching the
formatter used for argument validation.
- gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
name defects are now correctly passed to the handle_defect
method of policy in FeedParser.
- gh-142006: Fix a bug in the email.policy.default folding
algorithm which incorrectly resulted in a doubled newline
when a line ending at exactly max_line_length was followed
by an unfoldable token.
- gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
underlying cancelled asyncio task running.
- gh-139971: pydoc: Ensure that the link to the online
documentation of a stdlib module is correct.
- gh-139262: Some keystrokes can be swallowed in the new
PyREPL on Windows, especially when used together with the
ALT key. Fix by Chris Eibl.
- gh-138897: Improved license/copyright/credits display in
the REPL: now uses a pager.
- gh-79986: Add parsing for References and In-Reply-To
headers to the email library that parses the header content
as lists of message id tokens. This prevents them from
being folded incorrectly.
- gh-136282: Add support for UNNAMED_SECTION when creating
a section via the mapping protocol access
- gh-109263: Starting a process from spawn context in
multiprocessing no longer sets the start method globally.
- gh-133253: Fix thread-safety issues in linecache.
- gh-132715: Skip writing objects during marshalling once
a failure has occurred.
- IDLE
- gh-143774: Better explain the operation of Format / Format
Paragraph.
- Documentation
- gh-140806: Add documentation for enum.bin().
- Core and Builtins
- gh-144307: Prevent a reference leak in module teardown at
interpreter finalization.
- gh-144194: Fix error handling in perf jitdump
initialization on memory allocation failure.
- gh-144012: Check if the result is NULL in BINARY_OP_EXTENT
opcode.
- gh-141805: Fix crash in set when objects with the same hash
are concurrently added to the set after removing an element
with the same hash while the set still contains elements
with the same hash.
- gh-143670: Fixes a crash in ga_repr_items_list function.
- gh-143377: Fix a crash in _interpreters.capture_exception()
when the exception is incorrectly formatted. Patch by
Bénédikt Tran.
- gh-136924: The interactive help mode in the REPL no longer
incorrectly syntax highlights text input as Python code.
Contributed by Olga Matoula.
- gh-143189: Fix crash when inserting a non-str key into
a split table dictionary when the key matches an existing
key in the split table but has no corresponding value in
the dict.
- gh-143228: Fix use-after-free in perf trampoline when
toggling profiling while threads are running or during
interpreter finalization with daemon threads active. The
fix uses reference counting to ensure trampolines are not
freed while any code object could still reference them.
Pach by Pablo Galindo
- gh-142664: Fix a use-after-free crash in
memoryview.__hash__ when the __hash__ method of the
referenced object mutates that object or the view. Patch by
Bénédikt Tran.
- gh-142557: Fix a use-after-free crash in bytearray.__mod__
when the bytearray is mutated while formatting the %-style
arguments. Patch by Bénédikt Tran.
- gh-143195: Fix use-after-free crashes in bytearray.hex()
and memoryview.hex() when the separators __len__() mutates
the original object. Patch by Bénédikt Tran.
- gh-142975: Fix crash after unfreezing all objects tracked
by the garbage collector on the free threaded build.
- gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
0. Previously, it was set to 0 in this case.
- gh-143003: Fix an overflow of the shared empty buffer in
bytearray.extend() when __length_hint__() returns 0 for
non-empty iterator.
- gh-143006: Fix a possible assertion error when comparing
negative non-integer float and int with the same number of
bits in the integer part.
- gh-143057: Avoid locking in PyTraceMalloc_Track() and
PyTraceMalloc_Untrack() when tracemalloc is not enabled.
- gh-142776: Fix a file descriptor leak in import.c
- gh-142829: Fix a use-after-free crash in
contextvars.Context comparison when a custom __eq__ method
modifies the context via set().
- gh-142766: Clear the frame of a generator when
generator.close() is called.
- gh-142737: Tracebacks will be displayed in fallback mode
even if io.open() is lost. Previously, this would crash the
interpreter. Patch by Bartosz Sławecki.
- gh-142554: Fix a crash in divmod() when
_pylong.int_divmod() does not return a tuple of length two
exactly. Patch by Bénédikt Tran.
- gh-142560: Fix use-after-free in bytearray search-like
methods (find(), count(), index(), rindex(), and rfind())
by marking the storage as exported which causes
reallocation attempts to raise BufferError. For contains(),
split(), and rsplit() the buffer protocol is used for this.
- gh-142531: Fix a free-threaded GC performance regression.
If there are many untracked tuples, the GC will run too
often, resulting in poor performance. The fix is to include
untracked tuples in the “long lived” object count. The
number of frozen objects is also now included since the
free-threaded GC must scan those too.
- gh-142402: Fix reference counting when adjacent literal
parts are merged while constructing
string.templatelib.Template, preventing the displaced
string object from leaking.
- gh-133932: Fix crash in the free threading build when
clearing frames that hold tagged integers.
- gh-142343: Fix SIGILL crash on m68k due to incorrect
assembly constraint.
- gh-100964: Fix reference cycle in exhausted generator
frames. Patch by Savannah Ostrowski.
- gh-69605: Fix edge-cases around already imported modules in
the REPL auto-completion of imports.
- gh-138568: Adjusted the built-in help() function so that
empty inputs are ignored in interactive mode.
- gh-137007: Fix a bug during JIT compilation failure which
caused garbage collection debug assertions to fail.
- C API
- gh-142589: Fix
PyUnstable_Object_IsUniqueReferencedTemporary() handling of
tagged ints on the interpreter stack.
- gh-142571: PyUnstable_CopyPerfMapFile() now checks that
opening the file succeeded before flushing.
- Build
- gh-142454: When calculating the digest of the JIT stencils
input, sort the hashed files by filenames before adding
their content to the hasher. This ensures deterministic
hash input and hence deterministic hash, independent on
filesystem order.
- gh-141808: When running make clean-retain-profile, keep the
generated JIT stencils. That way, the stencils are not
generated twice when Profile-guided optimization (PGO) is
used. It also allows distributors to supply their own
pre-built JIT stencils.
- gh-138061: Ensure reproducible builds by making JIT stencil
header generation deterministic.
- Remove upstreamed patches:
- CVE-2024-6923-follow-up-EOL-email-headers.patch
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- gh138131-exclude-pycache-from-digest.patch
-------------------------------------------------------------------
Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
a follow-up to the previous fix of CVE-2024-6923 further
encoding EOL possibly hidden in email headers (bsc#1257181,
also bsc#1257181, CVE-2026-1299).
- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
parens when folding comments in email headers (bsc#1257029,
CVE-2025-11468).
- Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch, which
rejects control characters in http cookies (bsc#1257031,
CVE-2026-0672).
-------------------------------------------------------------------
Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
@@ -11,7 +398,7 @@ Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
* Update to 3.14.2:
- Security
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing.
cache clearing (CVE-2025-12084, bsc#1254997).
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to the
CGI server on Windows, it could cause an arbitrary amount of
@@ -73,10 +460,10 @@ Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible
data” if there are no bytes prepended to the ZIP file.
(CVE-2025-8291, bsc#1251305)
- gh-139283: sqlite3: correctly handle maximum number of rows
to fetch in Cursor.fetchmany and reject negative values for
Cursor.arraysize. Patch by Bénédikt Tran. (CVE-2025-8291,
bsc#1251305)
Cursor.arraysize. Patch by Bénédikt Tran.
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
@@ -4024,7 +4411,7 @@ Tue Nov 19 22:08:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
generated URLs beginning with four slashes (rather than
two) when given a Windows UNC path.
- gh-126156: Improved performances of creating Morsel objects
by a factor of 3.8x.
by a factor of 3.8x (bsc#1257031, CVE-2026-0672).
- gh-126105: Fix a crash in ast when the ast.AST._fields
attribute is deleted.
- gh-126106: Fixes a possible NULL pointer dereference in
@@ -4679,7 +5066,8 @@ Sat Sep 7 15:36:03 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
now refuse to serialize (write) headers
that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780)
Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780,
bsc#1257181)
- gh-121723: Make logging.config.dictConfig() accept any
object implementing the Queue public API. See the queue
configuration section for details. Patch by Bénédikt Tran.

4
python314.rpmlintrc
View File

@@ -1,4 +0,0 @@
addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc")

42
python314.spec
View File

@@ -54,8 +54,6 @@
%bcond_with GIL
%endif
%define llvm_version 21
%if 0%{?do_profiling} && !0%{?want_reproducible_builds}
%bcond_without profileopt
%else
@@ -126,7 +124,7 @@
# %%define tarversion %%{version}
# %%endif
# We don't process beta signs well
%define folderversion 3.14.2
%define folderversion 3.14.3
%define sitedir %{_libdir}/python%{python_version}
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
%define abi_kind %{nil}
@@ -164,7 +162,7 @@
# _md5.cpython-38m-x86_64-linux-gnu.so
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
Name: %{python_pkg_name}%{psuffix}
Version: 3.14.2
Version: 3.14.3
%define tarversion %{version}
%define tarname Python-%{tarversion}
Release: 0
@@ -205,14 +203,15 @@ Patch02: F00251-change-user-install-location.patch
Patch03: python-3.3.0b1-localpath.patch
# replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
Patch04: python-3.3.0b1-fix_date_time_compiler.patch
# PATCH-FIX-OPENSUSE configure-drop-autoconf-ver-req.patch mcepl@suse.com
# don't require minimal version of Autoconf
Patch05: configure-drop-autoconf-ver-req.patch
# PATCH-FEATURE-UPSTREAM bpo-31046_ensurepip_honours_prefix.patch bpo#31046 mcepl@suse.com
# ensurepip should honour the value of $(prefix)
Patch07: bpo-31046_ensurepip_honours_prefix.patch
# PATCH-FIX-SLE skip-test_pyobject_freed_is_freed.patch mcepl@suse.com
# skip a test failing on SLE-15
Patch09: skip-test_pyobject_freed_is_freed.patch
# PATCH-FIX-UPSTREAM gh138498-llvm-version-config gh#python/cpython#138498 daniel.garcia@suse.com
Patch10: gh138498-llvm-version-config.patch
# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
# This problem on libexpat is patched on 15.6 without version
# update, this patch changes the tests to match the libexpat provided
@@ -224,11 +223,22 @@ Patch40: fix-test-recursion-limit-15.6.patch
# PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com
# Doc: Generate ids for audit_events using docname
Patch41: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-UPSTREAM gh138131-exclude-pycache-from-digest.patch bsc#1244680 daniel.garcia@suse.com
Patch44: gh138131-exclude-pycache-from-digest.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch45: gh139257-Support-docutils-0.22.patch
#### Python 3.14 DEVELOPMENT PATCHES
# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 mcepl@suse.com
# Encode newlines in headers when using ByteGenerator
# patch from gh#python/cpython#144125
Patch46: CVE-2024-6923-follow-up-EOL-email-headers.patch
# PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 mcepl@suse.com
# Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346
Patch49: CVE-2025-12781-b64decode-alt-chars.patch
# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
# Reject control characters in wsgiref.headers.Headers
Patch50: CVE-2025-15366-imap-ctrl-chars.patch
# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com
# Reject control characters in poplib
Patch51: CVE-2025-15367-poplib-ctrl-chars.patch
#### Python 3.14 END OF PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@@ -273,7 +283,7 @@ BuildRequires: python3-python-docs-theme >= 2022.1
%if %{with experimental_jit}
# needed for experimental_jit
BuildRequires: clang%{llvm_version} llvm%{llvm_version}
BuildRequires: clang19 llvm19
BuildRequires: llvm
%endif
@@ -513,12 +523,6 @@ other applications.
%prep
%autosetup -p1 -n %{tarname}
# Fix devhelp doc build gh#python/cpython#120150
echo "master_doc = 'contents'" >> Doc/conf.py
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
%if %{primary_interpreter}
# fix shebangs - convert /usr/local/bin/python and /usr/bin/env/python to /usr/bin/python3
for dir in Lib Tools; do
@@ -538,7 +542,7 @@ done
sed -i -e '/Breakpoint 3 at ...pdb.py:97/s/97/96/' Lib/test/test_pdb.py
%endif
# Cannot remove it because of gh#python/cpython#92875
# Removing vendored expat gh#python/cpython#92875
rm -r Modules/expat
# drop duplicate README from site-packages
@@ -547,9 +551,6 @@ rm Lib/site-packages/README.txt
# Add vendored bluez-devel files
tar xvf %{SOURCE21}
# Don't fail on warnings when building documentation
sed -i -e '/^SPHINXERRORHANDLING/s/--fail-on-warning//' Doc/Makefile
%build
export SUSE_VERSION="0%{?suse_version}"
export SLE_VERSION="0%{?sle_version}"
@@ -579,7 +580,6 @@ sed -e 's/-fprofile-correction//' -i Makefile.pre.in
%endif
export CFLAGS="%{optflags} -IVendor/"
export LLVM_VERSION=%{llvm_version}
%configure \
--with-platlibdir=%{_lib} \