From 40186bcd83500f398df5737c177cdd313f74e390ddd84ec9894e6325458ba6fe Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Fri, 10 May 2024 20:06:20 +0000
Subject: [PATCH 1/2] Enable system libexpat
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=413
---
 python-base.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/python-base.spec b/python-base.spec
index 820c20e..e0ca3e0 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -170,6 +170,7 @@ Patch80: CVE-2022-48566-compare_digest-more-constant.patch
 BuildRequires: automake
 BuildRequires: fdupes
 BuildRequires: libbz2-devel
+BuildRequires: libexpat-devel
 BuildRequires: libffi-devel
 # This is NOT switching off NIS support on SLE < 15,
 # support for NIS used to be in the glibc itself
@@ -363,6 +364,7 @@ touch Parser/asdl* Python/Python-ast.c Include/Python-ast.h
 --docdir=%{_docdir}/python \
 --with-fpectl \
 --with-system-ffi \
+ --with-system-expat \
 --enable-ipv6 \
 --enable-shared \
 --enable-unicode=ucs4
@@ -484,6 +486,8 @@ ln -s python%{python_version}.1.gz %{buildroot}%{_mandir}/man1/python.1.gz
 # install Makefile.pre.in and Makefile.pre
 cp Makefile Makefile.pre.in Makefile.pre %{buildroot}%{_libdir}/python%{python_version}/config/
+%clean
+
 %post -n libpython2_7-1_0 -p %{run_ldconfig}
 %postun -n libpython2_7-1_0 -p %{run_ldconfig}
From 773b5da2c2d86a5fccc2e9abda5c18407b28467b03b6d7bc4681fcde73793f7f Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Sat, 11 May 2024 05:48:37 +0000
Subject: [PATCH 2/2] - Switch to using the system libexpat (bsc#1219559, CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=414
---
 python-base.changes | 8 ++++++++
 python-base.spec | 13 +++++++++++++
 python-doc.changes | 8 ++++++++
 python.changes | 8 ++++++++
 4 files changed, 37 insertions(+)
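Review bot: `BuildRequires: libexpat-devel` in the `@@ -170,6 +170,7 @@` hunk of PATCH 1/2 is unversioned, so whether the resulting package actually gets the fix for CVE-2023-52425 (the reason given in PATCH 2/2) depends entirely on which libexpat the build target provides. On a target whose libexpat is not yet patched, the package would presumably still build and link cleanly while remaining affected. I would tie the dependency to its reason with a comment such as `# system expat is required for the CVE-2023-52425 fix (bsc#1219559)`, and add a minimum version where the distribution's policy allows one. The same remark applies to `--with-system-expat` in the `@@ -363,6 +364,7 @@` hunk, whose configure invocation starts outside the hunk.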
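Review bot: The empty `%clean` section added in the `@@ -484,6 +486,8 @@` hunk of PATCH 1/2 is not explained by the commit subject ("Enable system libexpat") and carries no comment. As far as I know, an explicit `%clean` replaces rpm's default clean step, so an empty one would leave the buildroot in place after the build. If that is intended, it should say so, e.g. `# intentionally empty: <reason>`; otherwise the two added lines look unrelated to this change and are better dropped from it.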
diff --git a/python-base.changes b/python-base.changes
index 092c6ec..d465808 100644
--- a/python-base.changes
+++ b/python-base.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat May 11 05:46:55 UTC 2024 - Matej Cepl
+
+- Switch to using the system libexpat (bsc#1219559,
+ CVE-2023-52425)
+- Make sure to remove all embedded versions of other packages
+ (including expat).
+
 -------------------------------------------------------------------
 Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl
diff --git a/python-base.spec b/python-base.spec
index e0ca3e0..e5affbe 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -346,6 +346,19 @@ cp -p %{SOURCE1} macros.python2
 sed -i -e 's/python2_package_prefix python2/python2_package_prefix python/' macros.python2
 %endif
+# Ensure that we're using the system copy of various libraries, rather than
+# copies shipped by upstream in the tarball:
+# Remove embedded copy of expat:
+rm -r Modules/expat || exit 1
+
+# Remove embedded copy of libffi:
+for SUBDIR in darwin libffi libffi_arm_wince libffi_msvc libffi_osx ; do
+ rm -r Modules/_ctypes/$SUBDIR || exit 1 ;
+done
+
+# Remove embedded copy of zlib:
+rm -r Modules/zlib || exit 1
+
 %build
 %define _lto_cflags %{nil}
 # -std=gnu89 option is needed to build with gcc14, bsc#1220970
diff --git a/python-doc.changes b/python-doc.changes
index 092c6ec..d465808 100644
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat May 11 05:46:55 UTC 2024 - Matej Cepl
+
+- Switch to using the system libexpat (bsc#1219559,
+ CVE-2023-52425)
+- Make sure to remove all embedded versions of other packages
+ (including expat).
+
 -------------------------------------------------------------------
 Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl
diff --git a/python.changes b/python.changes
index 092c6ec..d465808 100644
--- a/python.changes
+++ b/python.changes
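Review bot: The removals added to `python-base.spec` in the `@@ -346,6 +346,19 @@` hunk do the security-relevant work of this commit, but the comments do not say that a failing `rm -r` is deliberate. If a future tarball renames or drops `Modules/expat`, the build should stop rather than quietly compile a bundled copy, and the leading comment could record that, e.g. `# A failing rm is intentional: a changed tarball layout must break the build, not fall back to a bundled copy.` The `|| exit 1` suffixes are presumably redundant, since rpm normally runs build scriptlets with `sh -e`; if that holds here they can go. The hunk removes `Modules/zlib` but shows no zlib counterpart to `--with-system-expat` / `--with-system-ffi`, so it is worth confirming outside the hunk that the zlib development package is a build dependency.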
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat May 11 05:46:55 UTC 2024 - Matej Cepl
+
+- Switch to using the system libexpat (bsc#1219559,
+ CVE-2023-52425)
+- Make sure to remove all embedded versions of other packages
+ (including expat).
+
 -------------------------------------------------------------------
 Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl