Accepting request 1327332 from devel:languages:python

OBS-URL: https://build.opensuse.org/request/show/1327332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-virtualenv?expand=0&rev=74

CVE-2026-22702.patch

@@ -1,70 +0,0 @@
-
-From b338d8cee138c2fd98f788ec295f8f2f719f53c2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
-Date: Fri, 9 Jan 2026 09:49:49 -0800
-Subject: [PATCH] fix: resolve TOCTOU vulnerabilities in app_data and lock
- directory creation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use atomic os.makedirs(..., exist_ok=True) operations instead of
-check-then-act pattern to prevent symlink-based TOCTOU attacks.
-
-Reported by: tsigouris007
-
-Signed-off-by: Bernát Gábor <bgabor8@bloomberg.net>
----
- docs/changelog/3013.bugfix.rst      |  1 +
- src/virtualenv/app_data/__init__.py | 11 +++++------
- src/virtualenv/util/lock.py         |  7 +++----
- 3 files changed, 9 insertions(+), 10 deletions(-)
- create mode 100644 docs/changelog/3013.bugfix.rst
-
-diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py
-index d7f148023..7a9d38e92 100644
---- a/src/virtualenv/app_data/__init__.py
-+++ b/src/virtualenv/app_data/__init__.py
-@@ -36,12 +36,11 @@ def make_app_data(folder, **kwargs):
-     if is_read_only:
-         return ReadOnlyAppData(folder)
- 
--    if not os.path.isdir(folder):
--        try:
--            os.makedirs(folder)
--            LOGGER.debug("created app data folder %s", folder)
--        except OSError as exception:
--            LOGGER.info("could not create app data folder %s due to %r", folder, exception)
-+    try:
-+        os.makedirs(folder, exist_ok=True)
-+        LOGGER.debug("created app data folder %s", folder)
-+    except OSError as exception:
-+        LOGGER.info("could not create app data folder %s due to %r", folder, exception)
- 
-     if os.access(folder, os.W_OK):
-         return AppDataDiskFolder(folder)
-diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py
-index b250e032f..82c8eed65 100644
---- a/src/virtualenv/util/lock.py
-+++ b/src/virtualenv/util/lock.py
-@@ -17,9 +17,8 @@
- class _CountedFileLock(FileLock):
-     def __init__(self, lock_file) -> None:
-         parent = os.path.dirname(lock_file)
--        if not os.path.isdir(parent):
--            with suppress(OSError):
--                os.makedirs(parent)
-+        with suppress(OSError):
-+            os.makedirs(parent, exist_ok=True)
- 
-         super().__init__(lock_file)
-         self.count = 0
-@@ -117,7 +116,7 @@ def _lock_file(self, lock, no_block=False):  # noqa: FBT002
-         # a lock, but that lock might then become expensive, and it's not clear where that lock should live.
-         # Instead here we just ignore if we fail to create the directory.
-         with suppress(OSError):
--            os.makedirs(str(self.path))
-+            os.makedirs(str(self.path), exist_ok=True)
- 
-         try:
-             lock.acquire(0.0001)

python-virtualenv.changes

@@ -1,7 +1,24 @@
 -------------------------------------------------------------------
-Tue Jan 13 15:21:00 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+Mon Jan 12 11:27:00 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
 
-- Add patch CVE-2026-22702.patch to fix CVE-2026-22702 (bsc#1256458)
+- Update to 3.36.1 (fixes CVE-2026-22702, bsc#1256458)
+  * fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation
+- Update to 3.36.0
+  * fix: Prevent NameError when accessing _DISTUTILS_PATCH during file
+    overwrite
+  * Upgrade pip and fix 3.15 picking old wheel
+  * fix: wrong path on migrated venv 
+  * test_too_many_open_files: assert on errno.EMFILE instead of strerror
+  * fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146
+  * fix: resolve EncodingWarning in tox upgrade environment
+  * Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1
+  * Add support for PEP 440 version specifiers in the --python flag
+- disable test that is broken upstream
+
+-------------------------------------------------------------------
+Tue Aug 26 09:28:27 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Convert to libalternatives on SLE-16-based and newer systems
 
 -------------------------------------------------------------------
 Sun Mar 30 07:54:04 UTC 2025 - Dirk Müller <dmueller@suse.com>

python-virtualenv.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-virtualenv
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,29 +24,33 @@
 %define psuffix %{nil}
 %bcond_with test
 %endif
-
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
 %{?sle15_python_module_pythons}
 Name:           python-virtualenv%{psuffix}
-Version:        20.29.3
+Version:        20.36.1
 Release:        0
 Summary:        Virtual Python Environment builder
 License:        MIT
 URL:            https://virtualenv.pypa.io/
 # SourceRepository: https://github.com/pypa/virtualenv
 Source:         https://files.pythonhosted.org/packages/source/v/virtualenv/virtualenv-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM CVE-2026-22702.patch bsc#1256458 gh#pypa/virtualenv#3013
-Patch0:         CVE-2026-22702.patch
-BuildRequires:  %{python_module base >= 3.7}
+BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module pip}
 BuildRequires:  python-rpm-macros
+Requires:       (python-distlib >= 0.3.7 with python-distlib < 1)
+Requires:       (python-filelock >= 3.20.3 with python-filelock < 4)
+Requires:       (python-platformdirs >= 3.9.1 with python-platformdirs < 5)
+BuildArch:      noarch
 %if !%{with test}
 # Don't install the build requirements during testing, see setuptools_scm comment below
 BuildRequires:  %{python_module hatch-vcs >= 0.3}
 BuildRequires:  %{python_module hatchling >= 1.17.1}
 BuildRequires:  fdupes
 %else
-# Conflict with setuptools_scm giving a warning, https://github.com/pypa/virtualenv/issues/2668
-BuildConflicts: %{python_module setuptools_scm}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module flaky >= 3.7}
 BuildRequires:  %{python_module packaging >= 23.1}
@@ -58,13 +62,16 @@ BuildRequires:  %{python_module setuptools >= 68}
 BuildRequires:  %{python_module setuptools-wheel >= 68}
 BuildRequires:  %{python_module time-machine >= 2.10}
 BuildRequires:  %{python_module virtualenv = %{version}}
+# Conflict with setuptools_scm giving a warning, https://github.com/pypa/virtualenv/issues/2668
+BuildConflicts: %{python_module setuptools_scm}
 %endif
-Requires:       (python-distlib >= 0.3.7 with python-distlib < 1)
-Requires:       (python-filelock >= 3.12.2 with python-filelock < 4)
-Requires:       (python-platformdirs >= 3.9.1 with python-platformdirs < 5)
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
-BuildArch:      noarch
+%endif
 %if 0%{python_version_nodots} < 38
 Requires:       python-importlib-metadata >= 6.6
 %endif
@@ -108,16 +115,17 @@ rm -r tests/unit/activation
 %check
 # online tests downloads from pypi
 donttest="test_seed_link_via_app_data"
+donttest+=" or test_py_info_cache_invalidation_on_py_info_change" # https://github.com/pypa/virtualenv/issues/2939
 # take the first wheels directory we can find, they all contain the same file
 export PIP_FIND_LINKS=$(ls -1d /usr/lib/python3.*/wheels | head -n 1)
 %pytest -k "not ($donttest)"
-# test the special case with the bundles (for all flavors)
-export VIRTUALENV_SETUPTOOLS=bundle
-export VIRTUALENV_WHEEL=bundle
 donttest+=" or test_embed_wheel_versions"
 %pytest -k "not ($donttest)"
 %endif
 
+%pre
+%python_libalternatives_reset_alternative virtualenv
+
 %post
 %python_install_alternative virtualenv
 

virtualenv-20.36.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba
+size 6032239