pool/python-future
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1060113 from devel:languages:python

Browse Source 
- update to 0.18.3:
  * Backport fix for bpo-38804 (c91d70b)
  * Fix bug in fix_print.py fixer (dffc579)
  * Fix bug in fix_raise.py fixer (3401099)
  * Fix newint bool in py3 (fe645ba)
  * Fix bug in super() with metaclasses (6e27aac)
  * docs: fix simple typo, reqest -> request (974eb1f)
  * Correct eq (c780bf5)
  * Pass if lint fails (2abe00d)
  * fix order (f96a219)
  * Add flake8 to image (046ff18)
  * Make lint.sh executable (58cc984)
  * Add docker push to optimize CI (01e8440)
  * Build System (42b3025)
  * Add docs build status badge to README.md (3f40bd7)
  * Use same docs requirements in tox (18ecc5a)
  * Add docs/requirements.txt (5f9893f)
  * Add PY37_PLUS, PY38_PLUS, and PY39_PLUS (bee0247)
  * fix 2.6 test, better comment (ddedcb9)
  * fix 2.6 test (3f1ff7e)
  * remove nan test (4dbded1)
  * include list test values (e3f1a12)
  * fix other python2 test issues (c051026)
  * fix missing subTest (f006cad)
  * import from old imp library on older python versions (fc84fa8)
  * replace fstrings with format for python 3.4,3.5 (4a687ea)
  * minor style/spelling fixes (8302d8c)
  * improve cmp function, add unittest (0d95a40)
  * Pin typing==3.7.4.1 for Python 3.3 compatiblity (1a48f1b)
  * Fix various py26 unit test failures (9ca5a14)

OBS-URL: https://build.opensuse.org/request/show/1060113
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-future?expand=0&rev=15
This commit is contained in:
Dominique Leuenberger 2023-01-23 17:30:40 +00:00 committed by Git OBS Bridge
commit 21282e64e9
5 changed files with 62 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
CVE-2022-40899.patch
View File

@ -1,70 +0,0 @@
Index: future-0.16.0/src/future/backports/http/cookiejar.py
===================================================================
--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
+++ future-0.16.0/src/future/backports/http/cookiejar.py
@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
(?::(\d\d))? # optional seconds
)? # optional clock
\s*
- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+ (?:
+ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
\s*
- (?:\(\w+\))? # ASCII representation of timezone in parens.
- \s*$""", re.X | re.ASCII)
+ )?
+ (?:
+ \(\w+\) # ASCII representation of timezone in parens.
+ \s*
+ )?$""", re.X | re.ASCII)
def http2time(text):
"""Returns time in seconds since epoch of time represented by a string.
@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
(?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
)? # optional clock
\s*
- ([-+]?\d\d?:?(:?\d\d)?
- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
- \s*$""", re.X | re. ASCII)
+ (?:
+ ([-+]?\d\d?:?(:?\d\d)?
+ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
+ \s*
+ )?$""", re.X | re. ASCII)
def iso2time(text):
"""
As for http2time, but parses the ISO 8601 formats:
Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
===================================================================
--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
+++ future-0.16.0/tests/test_future/test_http_cookiejar.py
@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
"http2time(%s) is not None\n"
"http2time(test) %s" % (test, http2time(test)))
+ def test_http2time_redos_regression_actually_completes(self):
+ # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
+ # catastrophic backtracking (REDoS). If we regress to cubic complexity,
+ # this test will take a very long time to succeed. If fixed, it should
+ # complete within a fraction of a second.
+ http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
+ http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
+
def test_iso2time(self):
def parse_date(text):
return time.gmtime(iso2time(text))[:6]
@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
"iso2time(%s) is not None\n"
"iso2time(test) %s" % (test, iso2time(test)))
+ def test_iso2time_performance_regression(self):
+ # If ISO_DATE_RE regresses to quadratic complexity, this test will take
+ # a very long time to succeed. If fixed, it should complete within a
+ # fraction of a second.
+ iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
+ iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
+
class HeaderTests(unittest.TestCase):

3
future-0.18.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d
size 829220

BIN
future-0.18.3.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

58
python-future.changes
View File

@ -1,3 +1,61 @@
-------------------------------------------------------------------
Sat Jan 21 09:53:11 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 0.18.3:
* Backport fix for bpo-38804 (c91d70b)
* Fix bug in fix_print.py fixer (dffc579)
* Fix bug in fix_raise.py fixer (3401099)
* Fix newint bool in py3 (fe645ba)
* Fix bug in super() with metaclasses (6e27aac)
* docs: fix simple typo, reqest -> request (974eb1f)
* Correct eq (c780bf5)
* Pass if lint fails (2abe00d)
* fix order (f96a219)
* Add flake8 to image (046ff18)
* Make lint.sh executable (58cc984)
* Add docker push to optimize CI (01e8440)
* Build System (42b3025)
* Add docs build status badge to README.md (3f40bd7)
* Use same docs requirements in tox (18ecc5a)
* Add docs/requirements.txt (5f9893f)
* Add PY37_PLUS, PY38_PLUS, and PY39_PLUS (bee0247)
* fix 2.6 test, better comment (ddedcb9)
* fix 2.6 test (3f1ff7e)
* remove nan test (4dbded1)
* include list test values (e3f1a12)
* fix other python2 test issues (c051026)
* fix missing subTest (f006cad)
* import from old imp library on older python versions (fc84fa8)
* replace fstrings with format for python 3.4,3.5 (4a687ea)
* minor style/spelling fixes (8302d8c)
* improve cmp function, add unittest (0d95a40)
* Pin typing==3.7.4.1 for Python 3.3 compatiblity (1a48f1b)
* Fix various py26 unit test failures (9ca5a14)
* Add initial contributing guide with docs build instruction (e55f915)
* Add docs building to tox.ini (3ee9e7f)
* Support NumPy's specialized int types in builtins.round (b4b54f0)
* Added r""" to the docstring to avoid warnings in python3 (5f94572)
* Add subclasscheck for past.types.basestring (c9bc0ff)
* Correct example in README (681e78c)
* Add simple documentation (6c6e3ae)
* Add pre-commit hooks (a9c6a37)
* Handling of next and next by future.utils.get_next was reversed (52b0ff9)
* Add a test for our fix (461d77e)
* Compare headers to correct definition of str (3eaa8fd)
* Add support for negative ndigits in round; additionally, fixing a bug so
that it handles passing in Decimal properly (a4911b9)
* Add tkFileDialog to future.movers.tkinter (f6a6549)
* Sort before comparing dicts in TestChainMap (6126997)
* Fix typo (4dfa099)
* Fix formatting in "What's new" (1663dfa)
* Fix typo (4236061)
* Avoid DeprecationWarning caused by invalid escape (e4b7fa1)
* Fixup broken link to external django documentation re: porting to Python 3
and unicode_literals (d87713e)
* Fixed newdict checking version every time (99030ec)
* Add count from 2.7 to 2.6 (1b8ef51)
- drop CVE-2022-40899.patch (upstream)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jan 5 12:03:41 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com> Thu Jan 5 12:03:41 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

4
python-future.spec
View File

@ -17,7 +17,7 @@
Name: python-future Name: python-future
Version: 0.18.2 Version: 0.18.3
Release: 0 Release: 0
Summary: Single-source support for Python 3 and 2 Summary: Single-source support for Python 3 and 2
# See https://github.com/PythonCharmers/python-future/issues/242 for PSF licensing # See https://github.com/PythonCharmers/python-future/issues/242 for PSF licensing
@ -32,8 +32,6 @@ Patch1: future-correct-mimetype.patch
# PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 mcepl@suse.com # PATCH-FIX-UPSTREAM python39-build.patch gh#PythonCharmers/python-future#578 mcepl@suse.com
# Overcome incompatibilites with python 3.9 # Overcome incompatibilites with python 3.9
Patch2: python39-build.patch Patch2: python39-build.patch
# PATCH-FIX-UPSTREAM CVE-2022-40899.patch gh#PythonCharmers/python-future#610 bsc#1206673
Patch3: CVE-2022-40899.patch
BuildRequires: %{python_module pytest} BuildRequires: %{python_module pytest}
BuildRequires: %{python_module setuptools} BuildRequires: %{python_module setuptools}
BuildRequires: fdupes BuildRequires: fdupes