pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch

Browse Source 
removing failing test fixing bpo#3151, which we just not
  support.
- Remove patches over those embedded packages (cffi):
  - python-2.7-libffi-aarch64.patch
  - sparc_longdouble.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=418
This commit is contained in:
Matej Cepl 2024-05-19 06:56:12 +00:00 committed by Git OBS Bridge
parent 8c35dee7e0
commit 01ce66c584
11 changed files with 101 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch Normal file
View File

@ -0,0 +1,32 @@
---
Lib/test/test_minidom.py | 3 ++-
Lib/test/test_xml_etree.py | 6 ------
2 files changed, 2 insertions(+), 7 deletions(-)
--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -1051,7 +1051,8 @@ class MinidomTest(unittest.TestCase):
# Verify that character decoding errors raise exceptions instead
# of crashing
- self.assertRaises(UnicodeDecodeError, parseString,
+ self.assertRaises((UnicodeDecodeError, xml.parsers.expat.ExpatError),
+ parseString,
'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
doc.unlink()
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1482,12 +1482,6 @@ class BugsTest(unittest.TestCase):
b"<?xml version='1.0' encoding='ascii'?>\n"
b'<body>t&#227;g</body>')
- def test_issue3151(self):
- e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
- self.assertEqual(e.tag, '{${stuff}}localname')
- t = ET.ElementTree(e)
- self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
-
def test_issue6565(self):
elem = ET.XML("<body><tag/></body>")
self.assertEqual(summarize_list(elem), ['tag'])

45
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
View File

@ -11,19 +11,46 @@ From-PR: gh#python/cpython!110016
Fixes: gh#python/cpython#109858
Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
---
Lib/test/test_zipfile.py | 60 ++++++++++
Lib/zipfile.py | 12 ++
Lib/test/test_zipfile.py | 66 +++++++++-
Lib/zipfile.py | 12 +
Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst | 3
3 files changed, 75 insertions(+)
3 files changed, 78 insertions(+), 3 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst
--- a/Lib/test/test_zipfile.py
+++ b/Lib/test/test_zipfile.py
@@ -1004,7 +1004,7 @@ class OtherTests(unittest.TestCase):
self.assertTrue(not chk)
def test_damaged_zipfile(self):
- """Check that zipfiles with missing bytes at the end raise BadZipFile."""
+ """Check that zipfiles with missing bytes at the end raise BadZipfile."""
# - Create a valid zip file
fp = io.BytesIO()
with zipfile.ZipFile(fp, mode="w") as zipf:
@@ -1012,7 +1012,7 @@ class OtherTests(unittest.TestCase):
zipfiledata = fp.getvalue()
# - Now create copies of it missing the last N bytes and make sure
- # a BadZipFile exception is raised when we try to open it
+ # a BadZipfile exception is raised when we try to open it
for N in range(len(zipfiledata)):
fp = io.BytesIO(zipfiledata[:N])
self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, fp)
@@ -1053,7 +1053,7 @@ class OtherTests(unittest.TestCase):
# quickly.
self.assertRaises(IOError, zipfile.ZipFile, TESTFN)
- def test_empty_file_raises_BadZipFile(self):
+ def test_empty_file_raises_BadZipfile(self):
with open(TESTFN, 'w') as f:
pass
self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, TESTFN)
@@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes
with open(TESTFN, "wb") as fp:
fp.write(self.data)
+ @requires_zlib
+ @skipUnless(zlib, "requires zlib")
+ def test_full_overlap(self):
+ data = (
+ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e'
@ -49,10 +76,10 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
+ self.assertEqual(zi.compress_size, 16)
+ self.assertEqual(zi.file_size, 1033)
+ self.assertEqual(len(zipf.read('a')), 1033)
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'):
+ with self.assertRaisesRegexp(zipfile.BadZipfile, 'File name.*differ'):
+ zipf.read('b')
+
+ @requires_zlib
+ @skipUnless(zlib, "requires zlib")
+ def test_quoted_overlap(self):
+ data = (
+ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc'
@ -79,7 +106,7 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
+ self.assertEqual(zi.header_offset, 36)
+ self.assertEqual(zi.compress_size, 16)
+ self.assertEqual(zi.file_size, 1033)
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'):
+ with self.assertRaisesRegexp(zipfile.BadZipfile, 'Overlapped entries'):
+ zipf.read('a')
+ self.assertEqual(len(zipf.read('b')), 1033)
+
@ -123,7 +150,7 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
+ if (zinfo._end_offset is not None and
+ zef_file.tell() + zinfo.compress_size > zinfo._end_offset):
+ raise BadZipFile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename))
+ raise BadZipfile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename))
+
# check for encrypted flag & handle password
is_encrypted = zinfo.flag_bits & 0x1
@ -132,5 +159,5 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
+++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst
@@ -0,0 +1,3 @@
+Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises
+BadZipFile when try to read an entry that overlaps with other entry or
+BadZipfile when try to read an entry that overlaps with other entry or
+central directory.

5
_multibuild
View File

@ -1,5 +0,0 @@
<multibuild>
<package>python-base</package>
<package>python-doc</package>
</multibuild>

13
python-2.7-libffi-aarch64.patch
View File

@ -1,13 +0,0 @@
Index: Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c
===================================================================
--- Python-2.7.9.orig/Modules/_ctypes/libffi/src/aarch64/ffi.c
+++ Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c
@@ -728,7 +728,7 @@ aarch64_prep_args (struct call_context *
state.ngrn = N_X_ARG_REG;
memcpy (allocate_to_stack (&state, stack, ty->alignment,
- ty->size), ecif->avalue + i, ty->size);
+ ty->size), ecif->avalue[i], ty->size);
}
break;

6
python-base.changes
View File

@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
-------------------------------------------------------------------
Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

11
python-base.spec
View File

@ -51,13 +51,10 @@ Patch4: python-2.5.1-sqlite.patch
Patch5: python-2.7.4-canonicalize2.patch
Patch7: python-2.6-gettext-plurals.patch
Patch8: python-2.6b3-curses-panel.patch
Patch10: sparc_longdouble.patch
Patch13: python-2.7.2-fix_date_time_compiler.patch
Patch17: remove-static-libpython.patch
# PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle.
Patch20: python-bundle-lang.patch
# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64
Patch22: python-2.7-libffi-aarch64.patch
Patch24: python-bsddb6.patch
# PATCH-FIX-UPSTREAM accept directory-based CA paths as well
Patch33: python-2.7.9-ssl_ca_path.patch
@ -165,9 +162,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com
# We don't have fix for bpo#3151 and it is just not supported
Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com
# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016).
Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@ -271,11 +271,9 @@ other applications.
%patch -P 5 -p1
%patch -P 7 -p1
%patch -P 8 -p1
%patch -P 10 -p1
%patch -P 13 -p1
%patch -P 17 -p1
%patch -P 20 -p1
%patch -P 22 -p1
%patch -P 24 -p1
%patch -P 33 -p1
%if %{suse_version} < 1500 && !0%{?is_opensuse}
@ -326,6 +324,7 @@ other applications.
%patch -P 79 -p1
%patch -P 80 -p1
%patch -P 81 -p1
%patch -P 82 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

6
python-doc.changes
View File

@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
-------------------------------------------------------------------
Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

11
python-doc.spec
View File

@ -47,13 +47,10 @@ Patch4: python-2.5.1-sqlite.patch
Patch5: python-2.7.4-canonicalize2.patch
Patch7: python-2.6-gettext-plurals.patch
Patch8: python-2.6b3-curses-panel.patch
Patch10: sparc_longdouble.patch
Patch13: python-2.7.2-fix_date_time_compiler.patch
Patch17: remove-static-libpython.patch
# PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle.
Patch20: python-bundle-lang.patch
# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64
Patch22: python-2.7-libffi-aarch64.patch
Patch24: python-bsddb6.patch
# PATCH-FIX-UPSTREAM accept directory-based CA paths as well
Patch33: python-2.7.9-ssl_ca_path.patch
@ -161,9 +158,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com
# We don't have fix for bpo#3151 and it is just not supported
Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com
# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016).
Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
@ -201,11 +201,9 @@ Python, and Macintosh Module Reference in PDF format.
%patch -P 5 -p1
%patch -P 7 -p1
%patch -P 8 -p1
%patch -P 10 -p1
%patch -P 13 -p1
%patch -P 17 -p1
%patch -P 20 -p1
%patch -P 22 -p1
%patch -P 24 -p1
%patch -P 33 -p1
%if %{suse_version} < 1500 && !0%{?is_opensuse}
@ -256,6 +254,7 @@ Python, and Macintosh Module Reference in PDF format.
%patch -P 79 -p1
%patch -P 80 -p1
%patch -P 81 -p1
%patch -P 82 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

6
python.changes
View File

@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
-------------------------------------------------------------------
Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

11
python.spec
View File

@ -47,13 +47,10 @@ Patch4: python-2.5.1-sqlite.patch
Patch5: python-2.7.4-canonicalize2.patch
Patch7: python-2.6-gettext-plurals.patch
Patch8: python-2.6b3-curses-panel.patch
Patch10: sparc_longdouble.patch
Patch13: python-2.7.2-fix_date_time_compiler.patch
Patch17: remove-static-libpython.patch
# PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle.
Patch20: python-bundle-lang.patch
# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64
Patch22: python-2.7-libffi-aarch64.patch
Patch24: python-bsddb6.patch
# PATCH-FIX-UPSTREAM accept directory-based CA paths as well
Patch33: python-2.7.9-ssl_ca_path.patch
@ -161,9 +158,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com
# We don't have fix for bpo#3151 and it is just not supported
Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com
# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016).
Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@ -321,11 +321,9 @@ that rely on earlier non-verification behavior.
%patch -P 5 -p1
%patch -P 7 -p1
%patch -P 8 -p1
%patch -P 10 -p1
%patch -P 13 -p1
%patch -P 17 -p1
%patch -P 20 -p1
%patch -P 22 -p1
%patch -P 24 -p1
%patch -P 33 -p1
%if %{suse_version} < 1500 && !0%{?is_opensuse}
@ -376,6 +374,7 @@ that rely on earlier non-verification behavior.
%patch -P 79 -p1
%patch -P 80 -p1
%patch -P 81 -p1
%patch -P 82 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

21
sparc_longdouble.patch
View File

@ -1,21 +0,0 @@
Python ticket 6029
==== //tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c#1 - /home/build/clifford/gpdb/tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c ====
---
Modules/_ctypes/libffi/src/sparc/ffi.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/Modules/_ctypes/libffi/src/sparc/ffi.c
+++ b/Modules/_ctypes/libffi/src/sparc/ffi.c
@@ -652,6 +652,11 @@
}
else
{
+#if FFI_TYPE_LONGDOUBLE != FFI_TYPE_DOUBLE
+ /* SparcV9 long double is 16-byte aligned; skip arg if necessary */
+ if (arg_types[i]->type == FFI_TYPE_LONGDOUBLE && (argn & 1))
+ argn++;
+#endif
/* Right-justify. */
argn += ALIGN(arg_types[i]->size, FFI_SIZEOF_ARG) / FFI_SIZEOF_ARG;