From 10bb24e52755a7deec8ad7a13d487aed9cee9b7b62d8a926b50cffe4203cf588 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Sat, 16 Sep 2023 16:30:00 +0000
Subject: [PATCH] - (bsc#1214691, CVE-2022-48566) Add CVE-2022-48566-compare_digest-more-constant.patch to make compare_digest more constant-time.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=385
---
 ...2-48566-compare_digest-more-constant.patch | 35 +++++++++++++++++++
 python-base.changes | 7 ++++
 python-base.spec | 4 +++
 python-doc.changes | 7 ++++
 python-doc.spec | 4 +++
 python.changes | 7 ++++
 python.spec | 4 +++
 7 files changed, 68 insertions(+)
 create mode 100644 CVE-2022-48566-compare_digest-more-constant.patch

diff --git a/CVE-2022-48566-compare_digest-more-constant.patch b/CVE-2022-48566-compare_digest-more-constant.patch
new file mode 100644
index 0000000..f87f3f9
--- /dev/null
+++ b/CVE-2022-48566-compare_digest-more-constant.patch
@@ -0,0 +1,35 @@
+From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 14 Dec 2020 09:04:57 -0800
+Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438)
+ (GH-23767)
+
+The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
+
+(This is change GH-1 from https://bugs.python.org/issue40791 .)
+(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
+
+Co-authored-by: Devin Jeanpierre
+---
+ Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 +
+ Modules/_operator.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
+
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
+@@ -0,0 +1 @@
++Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely.
+\ No newline at end of file
+--- a/Modules/_operator.c
++++ b/Modules/_operator.c
+@@ -182,7 +182,7 @@ _tscmp(const unsigned char *a, const uns
+ volatile const unsigned char *left;
+ volatile const unsigned char *right;
+ Py_ssize_t i;
+- unsigned char result;
++ volatile unsigned char result;
+
+ /* loop count depends on length of b */
+ length = len_b;
diff --git a/python-base.changes b/python-base.changes
index ab2c6e0..9f6b63b 100644
--- a/python-base.changes
+++ b/python-base.changes
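Review bot: The backported hunk targets `Modules/_operator.c`, yet the python-base/python-doc/python spec trio this lands in looks like the Python 2.7 packaging, and in the 2.7 tree `_tscmp` lives in `Modules/operator.c` (the module was only renamed to `_operator` in 3.4); if that is the tree here, `%patch80 -p1` will not find the file and the build fails before the fix is compiled, so confirm the path against the unpacked source or quilt-refresh the patch. The one-line change itself, `volatile unsigned char result;`, is the right minimal fix: as the upstream message says, `volatile` on `left`/`right` forces the loads but not their use, so the accumulator could still be short-circuited once a mismatch is known. Keep in mind that `volatile` is a best-effort hint and not a constant-time guarantee (the NEWS entry deliberately says "less likely"), so the changelog wording "more constant-time" should stay as is rather than be promoted to "constant-time". The enclosing `_tscmp` function starts and ends outside the hunk.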
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl
+
+- (bsc#1214691, CVE-2022-48566) Add
+ CVE-2022-48566-compare_digest-more-constant.patch to make
+ compare_digest more constant-time.
+
 -------------------------------------------------------------------
 Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl
diff --git a/python-base.spec b/python-base.spec
index 700832b..9ce7853 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -158,6 +158,9 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch
 Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
+# Make compare_digest more constant-time
+Patch80: CVE-2022-48566-compare_digest-more-constant.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -313,6 +316,7 @@ other applications.
 # %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
diff --git a/python-doc.changes b/python-doc.changes
index ab2c6e0..9f6b63b 100644
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl
+
+- (bsc#1214691, CVE-2022-48566) Add
+ CVE-2022-48566-compare_digest-more-constant.patch to make
+ compare_digest more constant-time.
+
 -------------------------------------------------------------------
 Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl
diff --git a/python-doc.spec b/python-doc.spec
index 6dbf161..699adbe 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -157,6 +157,9 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch
 Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
+# Make compare_digest more constant-time
+Patch80: CVE-2022-48566-compare_digest-more-constant.patch
 # COMMON-PATCH-END
 Provides: pyth_doc = %{version}
 Provides: pyth_ps = %{version}
@@ -247,6 +250,7 @@ Python, and Macintosh Module Reference in PDF format.
 # %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
diff --git a/python.changes b/python.changes
index ab2c6e0..9f6b63b 100644
--- a/python.changes
+++ b/python.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl
+
+- (bsc#1214691, CVE-2022-48566) Add
+ CVE-2022-48566-compare_digest-more-constant.patch to make
+ compare_digest more constant-time.
+
 -------------------------------------------------------------------
 Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl
diff --git a/python.spec b/python.spec
index ee2c945..2cefccb 100644
--- a/python.spec
+++ b/python.spec
@@ -157,6 +157,9 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch
 Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
+# Make compare_digest more constant-time
+Patch80: CVE-2022-48566-compare_digest-more-constant.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -367,6 +370,7 @@ that rely on earlier non-verification behavior.
 # %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar