From 423ac96490ead4e8b872ff2bfb052a3178bc17b24c0b40a1c72a98fd512a7211 Mon Sep 17 00:00:00 2001
From: Dominik Heidler
Date: Mon, 27 Oct 2025 12:51:10 +0000
Subject: [PATCH 1/3] - Fix building on single core systems * Skip tests/thread/stress_schedule.py when single core system detected
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/micropython?expand=0&rev=58
---
 micropython.changes | 6 ++++++
 micropython.spec | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/micropython.changes b/micropython.changes
index a3e5c11..dae0f08 100644
--- a/micropython.changes
+++ b/micropython.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 27 12:49:06 UTC 2025 - Dominik Heidler
+
+- Fix building on single core systems
+ * Skip tests/thread/stress_schedule.py when single core system detected
+
 -------------------------------------------------------------------
 Wed Oct 22 12:19:48 UTC 2025 - Dominik Heidler
diff --git a/micropython.spec b/micropython.spec
index 9141caa..bb1b60c 100644
--- a/micropython.spec
+++ b/micropython.spec
@@ -113,6 +113,8 @@ install -m755 -D -v tools/mpy-tool.py %{buildroot}%{_bindir}/mpy-tool
 # https://github.com/micropython/micropython/pull/6024
 rm -f tests/float/float_parse.py
 rm -f tests/float/float_parse_doubleprec.py
+# fails on single core systems
+[ "$(grep core.id /proc/cpuinfo | wc -l)" == 1 ] && rm -f tests/thread/stress_schedule.py
 %endif
 export MICROPY_CPYTHON3=python%python_version
 make -C ports/unix PYTHON=%{_bindir}/python%python_version V=1 test
-- 
2.51.1
From 7d5d4233ce3ed3d873421465a52838bae1709299c1d9f9868b1022b58f3886e4 Mon Sep 17 00:00:00 2001
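Review bot: The single-core check added before `%endif` counts `core id` lines in /proc/cpuinfo, which is not a portable CPU count: on architectures whose /proc/cpuinfo has no such field (aarch64, for example) the count is 0, so tests/thread/stress_schedule.py would still run on a one-CPU build worker. The pattern `core.id` also matches any character in place of the space, and `==` inside `[ ]` is a bash extension rather than POSIX test syntax. Consider `[ "$(nproc)" -eq 1 ] && rm -f tests/thread/stress_schedule.py`, which counts the CPUs actually available to the build process. The enclosing conditional and the rest of the test section start outside the hunk.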
From: Dominik Heidler
Date: Mon, 27 Oct 2025 13:59:09 +0000
Subject: [PATCH 2/3] - Version 1.26.1 * esp32: update esp_tinyusb component to v1.7.6 * tools: add an environment variable MICROPY_MAINTAINER_BUILD * esp32: add IDF Component Lockfiles to git repo * shared/tinyusb: fix hang from new tx_overwritabe_if_not_connected flag * shared/tinyusb/mp_usbd_cdc: rewrite USB CDC TX loop * tools/mpremote: don't apply Espressif DTR/RTS quirk to TinyUSB CDC dev
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/micropython?expand=0&rev=59
---
 micropython-1.26.0.tar.xz | 3 ---
 micropython-1.26.1.tar.xz | 3 +++
 micropython.changes | 11 +++++++++++
 micropython.spec | 2 +-
 prepare.sh | 3 ++-
 5 files changed, 17 insertions(+), 5 deletions(-)
 delete mode 100644 micropython-1.26.0.tar.xz
 create mode 100644 micropython-1.26.1.tar.xz
diff --git a/micropython-1.26.0.tar.xz b/micropython-1.26.0.tar.xz
deleted file mode 100644
index 2213870..0000000
--- a/micropython-1.26.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c43e4512fb2ada940a1d7808c84f313a161339b39c921292706b2f0163818062
-size 16178748
diff --git a/micropython-1.26.1.tar.xz b/micropython-1.26.1.tar.xz
new file mode 100644
index 0000000..4e2269c
--- /dev/null
+++ b/micropython-1.26.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44e52136c2685cabe33a4a74267d4aacddc7ebe89c9142558a8bc8a80f209c9c
+size 16188668
diff --git a/micropython.changes b/micropython.changes
index dae0f08..9948363 100644
--- a/micropython.changes
+++ b/micropython.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Oct 27 13:58:27 UTC 2025 - Dominik Heidler
+
+- Version 1.26.1
+ * esp32: update esp_tinyusb component to v1.7.6
+ * tools: add an environment variable MICROPY_MAINTAINER_BUILD
+ * esp32: add IDF Component Lockfiles to git repo
+ * shared/tinyusb: fix hang from new tx_overwritabe_if_not_connected flag
+ * shared/tinyusb/mp_usbd_cdc: rewrite USB CDC TX loop
+ * tools/mpremote: don't apply Espressif DTR/RTS quirk to TinyUSB CDC dev
+
 -------------------------------------------------------------------
 Mon Oct 27 12:49:06 UTC 2025 - Dominik Heidler
diff --git a/micropython.spec b/micropython.spec
index bb1b60c..36a3a98 100644
--- a/micropython.spec
+++ b/micropython.spec
@@ -20,7 +20,7 @@
 %{?sle15_python_module_pythons}
 Name: micropython
-Version: 1.26.0
+Version: 1.26.1
 Release: 0
 Summary: Implementation of Python 3 with very low memory footprint
 License: MIT
diff --git a/prepare.sh b/prepare.sh
index 0b36744..7079d1b 100644
--- a/prepare.sh
+++ b/prepare.sh
@@ -7,7 +7,7 @@ set -e
 version=$(rpmspec --query micropython.spec | head -1 | cut -d- -f2)
-rm -fv micropython-*.tar.xz
+osc rm -fv micropython-*.tar.xz
 wget "https://micropython.org/resources/source/micropython-${version}.tar.xz" -O "micropython-${version}.tar.xz"
 tar xf "micropython-${version}.tar.xz"
 pushd "micropython-${version}"
@@ -34,3 +34,4 @@ popd
 popd
 tar caf "micropython-${version}.tar.xz" "micropython-${version}"
 rm -r "micropython-${version}"
+osc add micropython-*.tar.xz
-- 
2.51.1
From 1a105a4362c062d3ab3b33c78cf28cc4a8087c5a908c1284112c3c7e16c533ee Mon Sep 17 00:00:00 2001
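Review bot: With `set -e` in effect (it appears on the first prepare.sh hunk header), replacing `rm -fv` with `osc rm -fv micropython-*.tar.xz` makes the script depend on osc tolerating an unmatched glob the way `rm -f` did. If no tarball is present, the literal pattern is passed through, and a non-zero exit from osc would presumably abort the script before the download. It is worth confirming that behaviour or guarding the call, for example `ls micropython-*.tar.xz >/dev/null 2>&1 && osc rm -fv micropython-*.tar.xz`. The script continues outside the hunk.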
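Review bot: The new `osc add micropython-*.tar.xz` in the second prepare.sh hunk stages whatever the earlier `wget` fetched and the script repacked, and nothing visible in either hunk checks the download against a pinned digest or an upstream signature before it becomes the package source. The lines between the two hunks are not shown, so a check may already exist there. If it does not, verify the tarball right after the `wget` line, for example `echo "<expected-sha256>  micropython-${version}.tar.xz" | sha256sum -c -`, and record where the expected value comes from. The unquoted glob is only safe while exactly one tarball is left in the directory.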
From: Dominik Heidler
Date: Fri, 6 Feb 2026 16:14:40 +0000
Subject: [PATCH 3/3] - Add CVE-2026-1998.patch for CVE-2026-1998 / bsc#1257803
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/micropython?expand=0&rev=61
---
 CVE-2026-1998.patch | 144 ++++++++++++++++++++++++++++++++++++++++++++
 micropython.changes | 5 +++++
 micropython.spec | 3 ++-
 3 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2026-1998.patch
diff --git a/CVE-2026-1998.patch b/CVE-2026-1998.patch
new file mode 100644
index 0000000..ba370d5
--- /dev/null
+++ b/CVE-2026-1998.patch
@@ -0,0 +1,144 @@
+From 570744d06c5ba9dba59b4c3f432ca4f0abd396b6 Mon Sep 17 00:00:00 2001
+From: Damien George
+Date: Mon, 12 Jan 2026 11:04:09 +1100
+Subject: [PATCH] py/runtime: Make import-all support non-modules via
+ __dict__/__all__.
+
+Prior to this fix, `mp_import_all()` assumed that its argument was exactly
+a native module instance. That would lead to a crash if something else was
+passed in, eg a user class via a custom `__import__` implementation or by
+writing to `sys.modules`.
+
+MicroPython already supports injecting non-module objects into the import
+machinery, so it makes sense to round out that implementation by supporting
+`from x import *` where `x` is a non-module object.
+
+Fixes issue #18639.
+
+Signed-off-by: Damien George
+---
+ py/runtime.c | 21 ++++++---
+ tests/basics/import_star_nonmodule.py | 65 +++++++++++++++++++++++++++
+ 2 files changed, 81 insertions(+), 5 deletions(-)
+ create mode 100644 tests/basics/import_star_nonmodule.py
+
+diff --git a/py/runtime.c b/py/runtime.c
+index 8d7e11e5f0dab..3fc35c8c2daf6 100644
+--- a/py/runtime.c
++++ b/py/runtime.c
+@@ -1592,19 +1592,19 @@ mp_obj_t mp_import_from(mp_obj_t module, qstr name) {
+ void mp_import_all(mp_obj_t module) {
+ DEBUG_printf("import all %p\n", module);
+
+- mp_map_t *map = &mp_obj_module_get_globals(module)->map;
++ mp_obj_t dest[2];
+
+ #if MICROPY_MODULE___ALL__
+- mp_map_elem_t *elem = mp_map_lookup(map, MP_OBJ_NEW_QSTR(MP_QSTR___all__), MP_MAP_LOOKUP);
+- if (elem != NULL) {
++
++ mp_load_method_maybe(module, MP_QSTR___all__, dest);
++ if (dest[0] != MP_OBJ_NULL) {
+ // When __all__ is defined, we must explicitly load all specified
+ // symbols, possibly invoking the module __getattr__ function
+ size_t len;
+ mp_obj_t *items;
+- mp_obj_get_array(elem->value, &len, &items);
++ mp_obj_get_array(dest[0], &len, &items);
+ for (size_t i = 0; i < len; i++) {
+ qstr qname = mp_obj_str_get_qstr(items[i]);
+- mp_obj_t dest[2];
+ mp_load_method(module, qname, dest);
+ mp_store_name(qname, dest[0]);
+ }
+@@ -1612,8 +1612,19 @@ void mp_import_all(mp_obj_t module) {
+ }
+ #endif
+
++ #if MICROPY_CPYTHON_COMPAT
++ // Load the dict from the module. In MicroPython, if __dict__ is
++ // available then it always returns a native mp_obj_dict_t instance.
++ mp_load_method(module, MP_QSTR___dict__, dest);
++ #else
++ // Without MICROPY_CPYTHON_COMPAT __dict__ is not available, so just
++ // assume the given module is actually an mp_obj_module_t instance.
++ dest[0] = MP_OBJ_FROM_PTR(mp_obj_module_get_globals(module));
++ #endif
++
+ // By default, the set of public names includes all names found in the module's
+ // namespace which do not begin with an underscore character ('_')
++ mp_map_t *map = mp_obj_dict_get_map(dest[0]);
+ for (size_t i = 0; i < map->alloc; i++) {
+ if (mp_map_slot_is_filled(map, i)) {
+ // Entry in module global scope may be generated programmatically
+diff --git a/tests/basics/import_star_nonmodule.py b/tests/basics/import_star_nonmodule.py
+new file mode 100644
+index 0000000000000..8a98ef26ce544
+--- /dev/null
++++ b/tests/basics/import_star_nonmodule.py
+@@ -0,0 +1,65 @@
++# Test "from x import *" where x is something other than a module.
++
++import sys
++
++try:
++ next(iter([]), 42)
++except TypeError:
++ # Two-argument version of next() not supported. We are probably not at
++ # MICROPY_CONFIG_ROM_LEVEL_BASIC_FEATURES which is needed for "import *".
++ print("SKIP")
++ raise SystemExit
++
++print("== test with a class as a module ==")
++
++
++class M:
++ x = "a1"
++
++ def __init__(self):
++ self.x = "a2"
++
++
++sys.modules["mod"] = M
++from mod import *
++
++print(x)
++
++sys.modules["mod"] = M()
++from mod import *
++
++print(x)
++
++print("== test with a class as a module that overrides __all__ ==")
++
++
++class M:
++ __all__ = ("y",)
++ x = "b1"
++ y = "b2"
++
++ def __init__(self):
++ self.__all__ = ("x",)
++ self.x = "b3"
++ self.y = "b4"
++
++
++sys.modules["mod"] = M
++x = None
++from mod import *
++
++print(x, y)
++
++sys.modules["mod"] = M()
++from mod import *
++
++print(x, y)
++
++print("== test with objects that don't have a __dict__ ==")
++
++sys.modules["mod"] = 1
++try:
++ from mod import *
++ # MicroPython raises AttributeError, CPython raises ImportError.
++except (AttributeError, ImportError):
++ print("ImportError")
diff --git a/micropython.changes b/micropython.changes
index 9948363..be0d74d 100644
--- a/micropython.changes
+++ b/micropython.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Feb 6 16:13:57 UTC 2026 - Dominik Heidler
+
+- Add CVE-2026-1998.patch for CVE-2026-1998 / bsc#1257803
+
 -------------------------------------------------------------------
 Mon Oct 27 13:58:27 UTC 2025 - Dominik Heidler
diff --git a/micropython.spec b/micropython.spec
index 36a3a98..326d7d2 100644
--- a/micropython.spec
+++ b/micropython.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package micropython
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
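Review bot: In the `#else` branch added to `mp_import_all`, builds without MICROPY_CPYTHON_COMPAT still call `mp_obj_module_get_globals(module)` on an object the comment only assumes is an `mp_obj_module_t`, so the non-module case this patch addresses is unchanged in that configuration. A guard before that line, such as `if (!mp_obj_is_type(module, &mp_type_module)) { mp_raise_TypeError(NULL); }`, would turn it into an exception. In the `#if` branch, `mp_obj_dict_get_map(dest[0])` relies on the comment's invariant that `__dict__` always yields a native dict; that cannot be verified from this hunk, so an explicit type check on `dest[0]` before taking the map would be the safer form. The added test covers a class, an instance and an int, but has no case where the `__dict__` lookup returns something other than a dict. The body of `mp_import_all` continues outside the hunk.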
@@ -28,6 +28,7 @@ URL: https://micropython.org/
 Source0: %{name}-%{version}.tar.xz
 Source1: prepare.sh
 Source2: https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.5/mbedtls-3.6.5.tar.bz2#/mbedtls-3.6.5.tar.bz2
+Patch0: CVE-2026-1998.patch
 BuildRequires: openssl
 BuildRequires: pkgconfig
 BuildRequires: python3
-- 
2.51.1
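Review bot: `Patch0: CVE-2026-1998.patch` is declared here, but the commit's diffstat shows only this tag and the copyright-year line changing in micropython.spec, so nothing was added to %prep to apply it. If %prep already uses `%autosetup -p1` or `%autopatch -p1`, the patch is picked up; if it uses plain `%setup`, the CVE fix is shipped in the source package but never applied, and a line such as `%patch -P0 -p1` is needed. %prep is outside the hunk, so this has to be checked against the full spec. The build log should show the patch being applied and tests/basics/import_star_nonmodule.py running in the test step.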