From 01ce66c584405cee5c43ec65921d9361e37e5513470d2b74b4c3b7f3007d855a Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sun, 19 May 2024 06:56:12 +0000 Subject: [PATCH] - Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch removing failing test fixing bpo#3151, which we just not support. - Remove patches over those embedded packages (cffi): - python-2.7-libffi-aarch64.patch - sparc_longdouble.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=418 --- ...-libexpat-2.6.0-remove-failing-tests.patch | 32 +++++++++++++ ...zipfile-avoid-quoted-overlap-zipbomb.patch | 45 +++++++++++++++---- _multibuild | 5 --- python-2.7-libffi-aarch64.patch | 13 ------ python-base.changes | 6 +++ python-base.spec | 11 +++-- python-doc.changes | 6 +++ python-doc.spec | 11 +++-- python.changes | 6 +++ python.spec | 11 +++-- sparc_longdouble.patch | 21 --------- 11 files changed, 101 insertions(+), 66 deletions(-) create mode 100644 CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch delete mode 100644 _multibuild delete mode 100644 python-2.7-libffi-aarch64.patch delete mode 100644 sparc_longdouble.patch diff --git a/CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch b/CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch new file mode 100644 index 0000000..d10ffde --- /dev/null +++ b/CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch @@ -0,0 +1,32 @@ +--- + Lib/test/test_minidom.py | 3 ++- + Lib/test/test_xml_etree.py | 6 ------ + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -1051,7 +1051,8 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- self.assertRaises(UnicodeDecodeError, parseString, ++ self.assertRaises((UnicodeDecodeError, xml.parsers.expat.ExpatError), ++ parseString, + 'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1482,12 +1482,6 @@ class BugsTest(unittest.TestCase): + b"\n" + b'tãg') + +- def test_issue3151(self): +- e = ET.XML('') +- self.assertEqual(e.tag, '{${stuff}}localname') +- t = ET.ElementTree(e) +- self.assertEqual(ET.tostring(e), b'') +- + def test_issue6565(self): + elem = ET.XML("") + self.assertEqual(summarize_list(elem), ['tag']) diff --git a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch index 01fffcb..5abc285 100644 --- a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +++ b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch @@ -11,19 +11,46 @@ From-PR: gh#python/cpython!110016 Fixes: gh#python/cpython#109858 Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch --- - Lib/test/test_zipfile.py | 60 ++++++++++ - Lib/zipfile.py | 12 ++ + Lib/test/test_zipfile.py | 66 +++++++++- + Lib/zipfile.py | 12 + Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst | 3 - 3 files changed, 75 insertions(+) + 3 files changed, 78 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst --- a/Lib/test/test_zipfile.py +++ b/Lib/test/test_zipfile.py +@@ -1004,7 +1004,7 @@ class OtherTests(unittest.TestCase): + self.assertTrue(not chk) + + def test_damaged_zipfile(self): +- """Check that zipfiles with missing bytes at the end raise BadZipFile.""" ++ """Check that zipfiles with missing bytes at the end raise BadZipfile.""" + # - Create a valid zip file + fp = io.BytesIO() + with zipfile.ZipFile(fp, mode="w") as zipf: +@@ -1012,7 +1012,7 @@ class OtherTests(unittest.TestCase): + zipfiledata = fp.getvalue() + + # - Now create copies of it missing the last N bytes and make sure +- # a BadZipFile exception is raised when we try to open it ++ # a BadZipfile exception is raised when we try to open it + for N in range(len(zipfiledata)): + fp = io.BytesIO(zipfiledata[:N]) + self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, fp) +@@ -1053,7 +1053,7 @@ class OtherTests(unittest.TestCase): + # quickly. + self.assertRaises(IOError, zipfile.ZipFile, TESTFN) + +- def test_empty_file_raises_BadZipFile(self): ++ def test_empty_file_raises_BadZipfile(self): + with open(TESTFN, 'w') as f: + pass + self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, TESTFN) @@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes with open(TESTFN, "wb") as fp: fp.write(self.data) -+ @requires_zlib ++ @skipUnless(zlib, "requires zlib") + def test_full_overlap(self): + data = ( + b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e' @@ -49,10 +76,10 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + self.assertEqual(zi.compress_size, 16) + self.assertEqual(zi.file_size, 1033) + self.assertEqual(len(zipf.read('a')), 1033) -+ with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'): ++ with self.assertRaisesRegexp(zipfile.BadZipfile, 'File name.*differ'): + zipf.read('b') + -+ @requires_zlib ++ @skipUnless(zlib, "requires zlib") + def test_quoted_overlap(self): + data = ( + b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc' @@ -79,7 +106,7 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + self.assertEqual(zi.header_offset, 36) + self.assertEqual(zi.compress_size, 16) + self.assertEqual(zi.file_size, 1033) -+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'): ++ with self.assertRaisesRegexp(zipfile.BadZipfile, 'Overlapped entries'): + zipf.read('a') + self.assertEqual(len(zipf.read('b')), 1033) + @@ -123,7 +150,7 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + if (zinfo._end_offset is not None and + zef_file.tell() + zinfo.compress_size > zinfo._end_offset): -+ raise BadZipFile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename)) ++ raise BadZipfile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename)) + # check for encrypted flag & handle password is_encrypted = zinfo.flag_bits & 0x1 @@ -132,5 +159,5 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst @@ -0,0 +1,3 @@ +Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises -+BadZipFile when try to read an entry that overlaps with other entry or ++BadZipfile when try to read an entry that overlaps with other entry or +central directory. diff --git a/_multibuild b/_multibuild deleted file mode 100644 index e34acc7..0000000 --- a/_multibuild +++ /dev/null @@ -1,5 +0,0 @@ - - python-base - python-doc - - diff --git a/python-2.7-libffi-aarch64.patch b/python-2.7-libffi-aarch64.patch deleted file mode 100644 index 77a398d..0000000 --- a/python-2.7-libffi-aarch64.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c -=================================================================== ---- Python-2.7.9.orig/Modules/_ctypes/libffi/src/aarch64/ffi.c -+++ Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c -@@ -728,7 +728,7 @@ aarch64_prep_args (struct call_context * - state.ngrn = N_X_ARG_REG; - - memcpy (allocate_to_stack (&state, stack, ty->alignment, -- ty->size), ecif->avalue + i, ty->size); -+ ty->size), ecif->avalue[i], ty->size); - } - break; - diff --git a/python-base.changes b/python-base.changes index fc49fab..518b787 100644 --- a/python-base.changes +++ b/python-base.changes @@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch ------------------------------------------------------------------- Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl diff --git a/python-base.spec b/python-base.spec index 450e77d..6bc35d3 100644 --- a/python-base.spec +++ b/python-base.spec @@ -51,13 +51,10 @@ Patch4: python-2.5.1-sqlite.patch Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch @@ -165,9 +162,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). -Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -271,11 +271,9 @@ other applications. %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -326,6 +324,7 @@ other applications. %patch -P 79 -p1 %patch -P 80 -p1 %patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python-doc.changes b/python-doc.changes index fc49fab..518b787 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch ------------------------------------------------------------------- Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl diff --git a/python-doc.spec b/python-doc.spec index d6e9011..b84523d 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -47,13 +47,10 @@ Patch4: python-2.5.1-sqlite.patch Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch @@ -161,9 +158,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). -Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -201,11 +201,9 @@ Python, and Macintosh Module Reference in PDF format. %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -256,6 +254,7 @@ Python, and Macintosh Module Reference in PDF format. %patch -P 79 -p1 %patch -P 80 -p1 %patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python.changes b/python.changes index fc49fab..518b787 100644 --- a/python.changes +++ b/python.changes @@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch ------------------------------------------------------------------- Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl diff --git a/python.spec b/python.spec index 1f681f9..7741839 100644 --- a/python.spec +++ b/python.spec @@ -47,13 +47,10 @@ Patch4: python-2.5.1-sqlite.patch Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch @@ -161,9 +158,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). -Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -321,11 +321,9 @@ that rely on earlier non-verification behavior. %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -376,6 +374,7 @@ that rely on earlier non-verification behavior. %patch -P 79 -p1 %patch -P 80 -p1 %patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/sparc_longdouble.patch b/sparc_longdouble.patch deleted file mode 100644 index 7004f8d..0000000 --- a/sparc_longdouble.patch +++ /dev/null @@ -1,21 +0,0 @@ -Python ticket 6029 - -==== //tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c#1 - /home/build/clifford/gpdb/tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c ==== ---- - Modules/_ctypes/libffi/src/sparc/ffi.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/Modules/_ctypes/libffi/src/sparc/ffi.c -+++ b/Modules/_ctypes/libffi/src/sparc/ffi.c -@@ -652,6 +652,11 @@ - } - else - { -+#if FFI_TYPE_LONGDOUBLE != FFI_TYPE_DOUBLE -+ /* SparcV9 long double is 16-byte aligned; skip arg if necessary */ -+ if (arg_types[i]->type == FFI_TYPE_LONGDOUBLE && (argn & 1)) -+ argn++; -+#endif - /* Right-justify. */ - argn += ALIGN(arg_types[i]->size, FFI_SIZEOF_ARG) / FFI_SIZEOF_ARG; -