From 4ce4906c94a4ba27161bd8698e727b2028655f9137ee80e68946891e5fafd2e6 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Wed, 6 Sep 2023 21:15:54 +0000
Subject: [PATCH] - Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969) - Add patch remove-svn-remants.patch to help with that goal. - Refresh pr_222.patch as needed for above. - Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972) - Drop CVE-2020-29651.patch, issue fixed upstream in 1.10.0
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:pytest/python-py?expand=0&rev=34
---
 pr_222.patch | 146 ---------------------------------------
 python-py.changes | 13 ++++
 python-py.spec | 10 +++
 remove-svn-remants.patch | 36 ++++++++++
 4 files changed, 59 insertions(+), 146 deletions(-)
 create mode 100644 remove-svn-remants.patch
diff --git a/pr_222.patch b/pr_222.patch
index c730d0b..c0d1d4d 100644
--- a/pr_222.patch
+++ b/pr_222.patch
@@ -369,152 +369,6 @@ Index: py-1.9.0/testing/path/test_cacheutil.py
 def test_delentry_raising(self):
 self.cache.getorbuild(100, lambda: 100)
-Index: py-1.9.0/testing/path/test_svnauth.py
-===================================================================
---- py-1.9.0.orig/testing/path/test_svnauth.py
-+++ py-1.9.0/testing/path/test_svnauth.py
-@@ -2,6 +2,7 @@ import py
- from py.path import SvnAuth
- import time
- import sys
-+import pytest
-
- svnbin = py.path.local.sysfind('svn')
-
-@@ -261,7 +262,8 @@ class TestSvnURLAuth(object):
- u.propget('foo')
- assert '--username="foo" --password="bar"' in u.commands[0]
-
--def pytest_funcarg__setup(request):
-+@pytest.fixture
-+def setup(request):
- return Setup(request)
-
- class Setup:
-@@ -271,7 +273,7 @@ class Setup:
- if not request.config.option.runslowtests:
- py.test.skip('use --runslowtests to run these tests')
-
-- tmpdir = request.getfuncargvalue("tmpdir")
-+ tmpdir = request.getfixturevalue("tmpdir")
- repodir = tmpdir.join("repo")
- py.process.cmdexec('svnadmin create %s' % repodir)
- if sys.platform == 'win32':
-Index: py-1.9.0/testing/path/test_svnurl.py
-===================================================================
---- py-1.9.0.orig/testing/path/test_svnurl.py
-+++ py-1.9.0/testing/path/test_svnurl.py
-@@ -2,10 +2,12 @@ import py
- from py._path.svnurl import InfoSvnCommand
- import datetime
- import time
-+import pytest
- from svntestbase import CommonSvnTests
-
--def pytest_funcarg__path1(request):
-- repo, repourl, wc = request.getfuncargvalue("repowc1")
-+@pytest.fixture
-+def path1(request):
-+ repo, repourl, wc = request.getfixturevalue("repowc1")
- return py.path.svnurl(repourl)
-
- class TestSvnURLCommandPath(CommonSvnTests):
-@@ -20,10 +22,12 @@ class TestSvnURLCommandPath(CommonSvnTes
- super(TestSvnURLCommandPath, self).test_visit_ignore(path1)
-
- def test_svnurl_needs_arg(self, path1):
-- py.test.raises(TypeError, "py.path.svnurl()")
-+ with py.test.raises(TypeError):
-+ py.path.svnurl()
-
- def test_svnurl_does_not_accept_None_either(self, path1):
-- py.test.raises(Exception, "py.path.svnurl(None)")
-+ with py.test.raises(Exception):
-+ py.path.svnurl(None)
-
- def test_svnurl_characters_simple(self, path1):
- py.path.svnurl("svn+ssh://hello/world")
-@@ -32,7 +36,8 @@ class TestSvnURLCommandPath(CommonSvnTes
- py.path.svnurl("http://user@host.com/some/dir")
-
- def test_svnurl_characters_at_path(self, path1):
-- py.test.raises(ValueError, 'py.path.svnurl("http://host.com/foo@bar")')
-+ with py.test.raises(ValueError):
-+ py.path.svnurl("http://host.com/foo@bar")
-
- def test_svnurl_characters_colon_port(self, path1):
- py.path.svnurl("http://host.com:8080/some/dir")
-@@ -45,7 +50,8 @@ class TestSvnURLCommandPath(CommonSvnTes
- # colons are allowed on win32, because they're part of the drive
- # part of an absolute path... however, they shouldn't be allowed in
- # other parts, I think
-- py.test.raises(ValueError, 'py.path.svnurl("http://host.com/foo:bar")')
-+ with py.test.raises(ValueError):
-+ py.path.svnurl("http://host.com/foo:bar")
-
- def test_export(self, path1, tmpdir):
- tmpdir = tmpdir.join("empty")
-@@ -92,4 +98,5 @@ class TestSvnInfoCommand:
- assert info.kind == 'dir'
-
- def test_badchars():
-- py.test.raises(ValueError, "py.path.svnurl('http://host/tmp/@@@:')")
-+ with py.test.raises(ValueError):
-+ py.path.svnurl('http://host/tmp/@@@:')
-Index: py-1.9.0/testing/path/test_svnwc.py
-===================================================================
---- py-1.9.0.orig/testing/path/test_svnwc.py
-+++ py-1.9.0/testing/path/test_svnwc.py
-@@ -30,8 +30,9 @@ def test_make_repo(path1, tmpdir):
- rev = wc.commit()
- assert rev is None
-
--def pytest_funcarg__path1(request):
-- repo, repourl, wc = request.getfuncargvalue("repowc1")
-+@pytest.fixture
-+def path1(request):
-+ repo, repourl, wc = request.getfixturevalue("repowc1")
- return wc
-
- class TestWCSvnCommandPath(CommonSvnTests):
-@@ -346,7 +347,8 @@ class TestWCSvnCommandPath(CommonSvnTest
- somefile = root.join('somefile')
- somefile.ensure(file=True)
- # not yet added to repo
-- py.test.raises(Exception, 'somefile.lock()')
-+ with py.test.raises(Exception):
-+ somefile.lock()
- somefile.write('foo')
- somefile.commit('test')
- assert somefile.check(versioned=True)
-@@ -357,13 +359,15 @@ class TestWCSvnCommandPath(CommonSvnTest
- assert locked[0].basename == somefile.basename
- assert locked[0].dirpath().basename == somefile.dirpath().basename
- #assert somefile.locked()
-- py.test.raises(Exception, 'somefile.lock()')
-+ with py.test.raises(Exception):
-+ somefile.lock()
- finally:
- somefile.unlock()
- #assert not somefile.locked()
- locked = root.status().locked
- assert locked == []
-- py.test.raises(Exception, 'somefile,unlock()')
-+ with py.test.raises(Exception):
-+ somefile,unlock()
- somefile.remove()
-
- def test_commit_nonrecursive(self, path1):
-@@ -481,7 +485,8 @@ class TestInfoSvnWCCommand:
-
-
- def test_characters_at():
-- py.test.raises(ValueError, "py.path.svnwc('/tmp/@@@:')")
-+ with py.test.raises(ValueError):
-+ py.path.svnwc('/tmp/@@@:')
-
- def test_characters_tilde():
- py.path.svnwc('/tmp/test~')
 Index: py-1.9.0/testing/root/test_builtin.py
 ===================================================================
 --- py-1.9.0.orig/testing/root/test_builtin.py
diff --git a/python-py.changes b/python-py.changes
index 282777a..5dd3960 100644
--- a/python-py.changes
+++ b/python-py.changes
@@ -16,6 +16,13 @@ Thu Apr 13 22:43:30 UTC 2023 - Matej Cepl
 - Make calling of %{sle15modernpython} optional.
+-------------------------------------------------------------------
+Tue Jan 17 05:13:56 UTC 2023 - Steve Kowalik
+
+- Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969)
+- Add patch remove-svn-remants.patch to help with that goal.
+- Refresh pr_222.patch as needed for above.
+
 -------------------------------------------------------------------
 Tue Nov 29 17:04:41 UTC 2022 - Daniel Garcia
@@ -29,6 +36,12 @@ Tue Mar 15 08:13:43 UTC 2022 - Stephan Kulow
 - use %python_expand for %fdupes
+-------------------------------------------------------------------
+Mon Mar 14 10:53:30 UTC 2022 - John Paul Adrian Glaubitz
+
+- Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972)
+- Drop CVE-2020-29651.patch, issue fixed upstream in 1.10.0
+
 -------------------------------------------------------------------
 Sun Jan 23 15:40:00 UTC 2022 - Dirk Müller
diff --git a/python-py.spec b/python-py.spec
index 1830b96..69444fe 100644
--- a/python-py.spec
+++ b/python-py.spec
@@ -36,6 +36,8 @@ URL: https://github.com/pytest-dev/py
 Source: https://files.pythonhosted.org/packages/source/p/py/py-%{version}.tar.gz
 # https://github.com/pytest-dev/py/pull/222
 Patch0: pr_222.patch
+# CVE-2022-42969 Remove all traces of svn
+Patch1: remove-svn-remants.patch
 BuildRequires: %{python_module apipkg}
 BuildRequires: %{python_module iniconfig}
 BuildRequires: %{python_module setuptools_scm}
@@ -71,6 +73,14 @@ rm -f tox.ini
 rm -f testing/log/test_warning.py
 rm -r py/_vendored_packages
+# CVE-2022-42969 Remove all traces of svn
+pushd py/_path
+rm svnwc.py svnurl.py
+popd
+pushd testing/path
+rm conftest.py svntestbase.py test_svnauth.py test_svnurl.py test_svnwc.py
+popd
+
 %build
 %python_build
diff --git a/remove-svn-remants.patch b/remove-svn-remants.patch
new file mode 100644
index 0000000..36930f2
--- /dev/null
+++ b/remove-svn-remants.patch
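Review bot: The %prep hunk at `@@ -71,6 +73,14 @@` in python-py.spec deletes `svnwc.py` and `svnurl.py` for CVE-2022-42969, but no visible step confirms that the built package has stopped exposing the Subversion path classes. If the spec has a `%check` section (not shown in this hunk), a one-line regression guard such as `%python_expand $python -c "import py; assert not hasattr(py.path, 'svnurl') and not hasattr(py.path, 'svnwc')"` would make a later version bump or a dropped `Patch1` fail the build instead of quietly shipping the affected code again. Keeping the two `rm` calls without `-f`, as written, helps for the same reason: the build stops if upstream renames or moves those files.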
@@ -0,0 +1,36 @@
+Index: py-1.10.0/testing/path/test_local.py
+===================================================================
+--- py-1.10.0.orig/testing/path/test_local.py
++++ py-1.10.0/testing/path/test_local.py
+@@ -338,11 +338,11 @@ class TestLocalPath(common.CommonFSTests
+ l2 = local(l)
+ assert l2 == l
+
+- wc = py.path.svnwc('.')
+- l3 = local(wc)
+- assert l3 is not wc
+- assert l3.strpath == wc.strpath
+- assert not hasattr(l3, 'commit')
++ #wc = py.path.svnwc('.')
++ #l3 = local(wc)
++ #assert l3 is not wc
++ #assert l3.strpath == wc.strpath
++ #assert not hasattr(l3, 'commit')
+
+ @py.test.mark.xfail(run=False, reason="unreliable est for long filenames")
+ def test_long_filenames(self, tmpdir):
+Index: py-1.10.0/py/__init__.py
+===================================================================
+--- py-1.10.0.orig/py/__init__.py
++++ py-1.10.0/py/__init__.py
+@@ -57,10 +57,7 @@ apipkg.initpkg(__name__, attr={'_apipkg'
+
+ 'path' : {
+ '__doc__' : '._path:__doc__',
+- 'svnwc' : '._path.svnwc:SvnWCCommandPath',
+- 'svnurl' : '._path.svnurl:SvnCommandPath',
+ 'local' : '._path.local:LocalPath',
+- 'SvnAuth' : '._path.svnwc:SvnAuth',
+ },
+
+ # python inspection/code-generation API
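Review bot: In remove-svn-remants.patch, the `test_local.py` hunk turns the five `py.path.svnwc` lines into comments (`#wc = py.path.svnwc('.')` through `#assert not hasattr(l3, 'commit')`) instead of deleting them, so the tree keeps dead references to an API that the `py/__init__.py` hunk of the same patch removes. Dropping the five `++ #…` lines and keeping only the `+-` removals, with the nested header adjusted to `@@ -338,11 +338,6 @@`, would match the stated goal of removing all traces and keep a later search for `svnwc` clean. Once `'svnwc'`, `'svnurl'` and `'SvnAuth'` are gone from the `'path'` map, any remaining user of those names fails at attribute access; whether other modules or type stubs in the tarball still reference them is not visible here. The test method being edited in `test_local.py` starts outside the nested hunk.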