From 6a9d569c256c1454d4d57c3dbc851c0c1a75c8ba340564eb24b437151945a235 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Tue, 22 Nov 2022 20:56:11 +0000 Subject: [PATCH] - Restore python-2.7.9-sles-disable-verification-by-default.patch for SLE-12. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=337 --- CVE-2019-5010-null-defer-x509-cert-DOS.patch | 10 +- do-not-use-non-ascii-in-test_ssl.patch | 6 +- openssl-111-middlebox-compat.patch | 6 +- openssl-111-ssl_options.patch | 6 +- python-2.7.4-canonicalize2.patch | 30 +++-- python-2.7.5-multilib.patch | 114 ++++++++++-------- ...sles-disable-verification-by-default.patch | 25 ++++ python-base.changes | 6 + python-base.spec | 5 + python-bsddb6.patch | 10 +- python-doc.changes | 6 + python-doc.spec | 5 + python.changes | 6 + python.spec | 5 + remove-static-libpython.patch | 6 +- 15 files changed, 169 insertions(+), 77 deletions(-) create mode 100644 python-2.7.9-sles-disable-verification-by-default.patch diff --git a/CVE-2019-5010-null-defer-x509-cert-DOS.patch b/CVE-2019-5010-null-defer-x509-cert-DOS.patch index c0a272b..9404256 100644 --- a/CVE-2019-5010-null-defer-x509-cert-DOS.patch +++ b/CVE-2019-5010-null-defer-x509-cert-DOS.patch @@ -14,17 +14,15 @@ https://bugs.python.org/issue35746 Co-authored-by: Christian Heimes --- - Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ - Lib/test/test_ssl.py | 22 +++++++++++++++++++ - .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ - Modules/_ssl.c | 4 ++++ - 4 files changed, 51 insertions(+) + Lib/test/test_ssl.py | 21 ++++++++++ + Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 + + 2 files changed, 24 insertions(+) create mode 100644 Lib/test/talos-2019-0758.pem create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst --- a/Lib/test/test_ssl.py 
+++ b/Lib/test/test_ssl.py -@@ -256,6 +256,27 @@ class BasicSocketTests(unittest.TestCase +@@ -287,6 +287,27 @@ class BasicSocketTests(unittest.TestCase } ) diff --git a/do-not-use-non-ascii-in-test_ssl.patch b/do-not-use-non-ascii-in-test_ssl.patch index ce7dd1f..9701bd7 100644 --- a/do-not-use-non-ascii-in-test_ssl.patch +++ b/do-not-use-non-ascii-in-test_ssl.patch @@ -1,6 +1,10 @@ +--- + Lib/test/test_ssl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py -@@ -1021,7 +1021,7 @@ class ContextTests(unittest.TestCase): +@@ -1052,7 +1052,7 @@ class ContextTests(unittest.TestCase): def test_load_dh_params(self): diff --git a/openssl-111-middlebox-compat.patch b/openssl-111-middlebox-compat.patch index d217ebc..02685a9 100644 --- a/openssl-111-middlebox-compat.patch +++ b/openssl-111-middlebox-compat.patch @@ -8,12 +8,12 @@ Signed-off-by: Dimitri John Ledkov https://bugs.python.org/issue34834 --- - Lib/test/test_ssl.py | 5 +++++ - 1 file changed, 5 insertions(+) + Lib/test/test_ssl.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py -@@ -807,8 +807,12 @@ class ContextTests(unittest.TestCase): +@@ -838,8 +838,12 @@ class ContextTests(unittest.TestCase): default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) # SSLContext also enables these by default default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | diff --git a/openssl-111-ssl_options.patch b/openssl-111-ssl_options.patch index e32276b..f6100d2 100644 --- a/openssl-111-ssl_options.patch +++ b/openssl-111-ssl_options.patch @@ -1,6 +1,10 @@ +--- + Lib/test/test_ssl.py | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + --- a/Lib/test/test_ssl.py 
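Review bot: The refreshed preamble of CVE-2019-5010-null-defer-x509-cert-DOS.patch now lists only `Lib/test/test_ssl.py` and the NEWS entry (`2 files changed, 24 insertions(+)`) while both `create mode 100644` lines, including the one for `Lib/test/talos-2019-0758.pem`, are kept, so the header contradicts itself about whether the test certificate is still added by the patch. If the `.pem` and the dropped `Modules/_ssl.c` hunk are genuinely no longer carried, presumably because the upstream tarball already contains the fix, the stale create-mode line should go and the preamble should state that the patch only adds the regression test; if the pem is still added, the regenerated diffstat is wrong. For a CVE patch this is worth settling in the header, since a reader can no longer tell from it whether the native fix is applied by the package or relied on from upstream. The patch's remaining hunks are outside this diff, so the assumption about what it still carries needs confirming against the file.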
+++ b/Lib/test/test_ssl.py -@@ -807,12 +807,8 @@ class ContextTests(unittest.TestCase): +@@ -838,12 +838,8 @@ class ContextTests(unittest.TestCase): default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) # SSLContext also enables these by default default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | diff --git a/python-2.7.4-canonicalize2.patch b/python-2.7.4-canonicalize2.patch index 8450675..a142cfe 100644 --- a/python-2.7.4-canonicalize2.patch +++ b/python-2.7.4-canonicalize2.patch @@ -1,3 +1,9 @@ +--- + Python/sysmodule.c | 26 +++++++++++++++++++------- + configure.ac | 2 +- + pyconfig.h.in | 3 +++ + 3 files changed, 23 insertions(+), 8 deletions(-) + --- a/Python/sysmodule.c +++ b/Python/sysmodule.c @@ -1638,7 +1638,20 @@ PySys_SetArgvEx(int argc, char **argv, i @@ -28,7 +34,7 @@ } -#endif /* HAVE_READLINK */ +#endif /* resolve method selection */ -+ ++ #if SEP == '\\' /* Special case for MS filename syntax */ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { char *q; @@ -54,6 +60,17 @@ if (PyList_Insert(path, 0, a) < 0) Py_FatalError("sys.path.insert(0) failed"); Py_DECREF(a); +--- a/configure.ac ++++ b/configure.ac +@@ -3165,7 +3165,7 @@ AC_CHECK_FUNCS(alarm setitimer getitimer + getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \ + initgroups kill killpg lchown lstat mkfifo mknod mktime mmap \ + mremap nice pathconf pause plock poll pthread_init \ +- putenv readlink realpath \ ++ putenv readlink realpath canonicalize_file_name \ + select sem_open sem_timedwait sem_getvalue sem_unlink setegid seteuid \ + setgid \ + setlocale setregid setreuid setsid setpgid setpgrp setuid setvbuf snprintf \ --- a/pyconfig.h.in +++ b/pyconfig.h.in @@ -109,6 +109,9 @@ 
@@ -66,14 +83,3 @@ /* Define to 1 if you have the `chown' function. */ #undef HAVE_CHOWN ---- a/configure.ac -+++ b/configure.ac -@@ -3159,7 +3159,7 @@ AC_CHECK_FUNCS(alarm setitimer getitimer - getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \ - initgroups kill killpg lchown lstat mkfifo mknod mktime mmap \ - mremap nice pathconf pause plock poll pthread_init \ -- putenv readlink realpath \ -+ putenv readlink realpath canonicalize_file_name \ - select sem_open sem_timedwait sem_getvalue sem_unlink setegid seteuid \ - setgid \ - setlocale setregid setreuid setsid setpgid setpgrp setuid setvbuf snprintf \ diff --git a/python-2.7.5-multilib.patch b/python-2.7.5-multilib.patch index 5d57cf9..ed4020f 100644 --- a/python-2.7.5-multilib.patch +++ b/python-2.7.5-multilib.patch 
@@ -1,47 +1,21 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -773,6 +773,41 @@ SunOS*) - ;; - esac - -+AC_SUBST(ARCH) -+AC_MSG_CHECKING(ARCH) -+ARCH=`uname -m` -+case $ARCH in -+i?86) ARCH=i386;; -+esac -+AC_MSG_RESULT($ARCH) -+ -+AC_SUBST(LIB) -+AC_MSG_CHECKING(LIB) -+case $ac_sys_system in -+Linux*) -+ # Test if the compiler is 64bit -+ echo 'int i;' > conftest.$ac_ext -+ python_cv_cc_64bit_output=no -+ if AC_TRY_EVAL(ac_compile); then -+ case `/usr/bin/file conftest.$ac_objext` in -+ *"ELF 64"*) -+ python_cv_cc_64bit_output=yes -+ ;; -+ esac -+ fi -+ rm -rf conftest* -+ ;; -+esac -+ -+case $ARCH:$python_cv_cc_64bit_output in -+aarch64:yes | ppc64:yes | ppc64le:yes | powerpc64:yes | s390x:yes | sparc64:yes | x86_64:yes) -+ LIB="lib64" -+ ;; -+*:*) -+ LIB="lib" -+ ;; -+esac -+AC_MSG_RESULT($LIB) - - AC_SUBST(LIBRARY) - AC_MSG_CHECKING(LIBRARY) +--- + Include/pythonrun.h | 2 + + Lib/distutils/command/install.py | 4 ++- + Lib/distutils/sysconfig.py | 7 ++++-- + Lib/pydoc.py | 2 - + Lib/site.py | 40 +++++++++++++++++++++++++++------------ + Lib/sysconfig.py | 12 +++++------ + Lib/test/test_dl.py | 5 ++-- + Lib/test/test_site.py | 16 +++++++++++---- + Lib/trace.py | 4 +-- + Makefile.pre.in | 5 +++- + Modules/getpath.c | 4 ++- + Python/getplatform.c | 20 +++++++++++++++++++ + Python/sysmodule.c | 4 +++ + configure.ac | 35 ++++++++++++++++++++++++++++++++++ + setup.py | 15 ++++++-------- + 15 files changed, 135 insertions(+), 40 deletions(-) + --- a/Include/pythonrun.h +++ b/Include/pythonrun.h @@ -108,6 +108,8 @@ PyAPI_FUNC(char *) Py_GetPath(void); @@ -75,7 +49,7 @@ 'data' : '$base', --- a/Lib/distutils/sysconfig.py +++ b/Lib/distutils/sysconfig.py -@@ -119,8 +119,11 @@ def get_python_lib(plat_specific=0, stan +@@ -129,8 +129,11 @@ def get_python_lib(plat_specific=0, stan prefix = plat_specific and EXEC_PREFIX or PREFIX if os.name == "posix": 
@@ -368,9 +342,53 @@ SET_SYS_FROM_STRING("executable", PyString_FromString(Py_GetProgramFullPath())); SET_SYS_FROM_STRING("prefix", +--- a/configure.ac ++++ b/configure.ac +@@ -773,6 +773,41 @@ SunOS*) + ;; + esac + ++AC_SUBST(ARCH) ++AC_MSG_CHECKING(ARCH) ++ARCH=`uname -m` ++case $ARCH in ++i?86) ARCH=i386;; ++esac ++AC_MSG_RESULT($ARCH) ++ ++AC_SUBST(LIB) ++AC_MSG_CHECKING(LIB) ++case $ac_sys_system in ++Linux*) ++ # Test if the compiler is 64bit ++ echo 'int i;' > conftest.$ac_ext ++ python_cv_cc_64bit_output=no ++ if AC_TRY_EVAL(ac_compile); then ++ case `/usr/bin/file conftest.$ac_objext` in ++ *"ELF 64"*) ++ python_cv_cc_64bit_output=yes ++ ;; ++ esac ++ fi ++ rm -rf conftest* ++ ;; ++esac ++ ++case $ARCH:$python_cv_cc_64bit_output in ++aarch64:yes | ppc64:yes | ppc64le:yes | powerpc64:yes | s390x:yes | sparc64:yes | x86_64:yes) ++ LIB="lib64" ++ ;; ++*:*) ++ LIB="lib" ++ ;; ++esac ++AC_MSG_RESULT($LIB) + + AC_SUBST(LIBRARY) + AC_MSG_CHECKING(LIBRARY) --- a/setup.py +++ b/setup.py -@@ -456,7 +456,7 @@ class PyBuildExt(build_ext): +@@ -502,7 +502,7 @@ class PyBuildExt(build_ext): def detect_modules(self): # Ensure that /usr/local is always used if not cross_compiling: @@ -379,7 +397,7 @@ add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') if cross_compiling: self.add_gcc_paths() -@@ -782,11 +782,11 @@ class PyBuildExt(build_ext): +@@ -828,11 +828,11 @@ class PyBuildExt(build_ext): elif curses_library: readline_libs.append(curses_library) elif self.compiler.find_library_file(lib_dirs + @@ -393,7 +411,7 @@ extra_link_args=readline_extra_link_args, libraries=readline_libs) ) else: -@@ -1933,18 +1933,17 @@ class PyBuildExt(build_ext): +@@ -1979,18 +1979,17 @@ class PyBuildExt(build_ext): # Check for various platform-specific directories if host_platform == 'sunos5': include_dirs.append('/usr/openwin/include') 
diff --git a/python-2.7.9-sles-disable-verification-by-default.patch b/python-2.7.9-sles-disable-verification-by-default.patch
new file mode 100644
index 0000000..4bce1d7
--- /dev/null
+++ b/python-2.7.9-sles-disable-verification-by-default.patch
@@ -0,0 +1,25 @@
+---
+ Lib/ssl.py | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -497,7 +497,17 @@ def _get_https_context_factory():
+ return _create_unverified_context
+ return create_default_context
+ 
+-_create_default_https_context = _get_https_context_factory()
++try:
++ # load the TLS checks policy from separate package
++ import sle_tls_checks_policy as policy
++ if policy.get_policy:
++ _create_default_https_context = policy.get_policy()
++ else:
++ # empty policy file means simply enable strict verification
++ _create_default_https_context = _get_https_context_factory()
++except ImportError:
++ # policy not present, disable verification for backwards compatibility
++ _create_default_https_context = _create_unverified_context
+ 
+ # PEP 493: "private" API to configure HTTPS defaults without monkeypatching
+ def _https_verify_certificates(enable=True):
diff --git a/python-base.changes b/python-base.changes
index 68ef52e..27f4bda 100644
--- a/python-base.changes
+++ b/python-base.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 22 20:55:13 UTC 2022 - Matej Cepl
+
+- Restore python-2.7.9-sles-disable-verification-by-default.patch
+ for SLE-12.
+
 -------------------------------------------------------------------
 Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl
diff --git a/python-base.spec b/python-base.spec
index c263540..7b50103 100644
--- a/python-base.spec
+++ b/python-base.spec
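Review bot: `if policy.get_policy:` in the new `try:` block raises AttributeError when `sle_tls_checks_policy` imports but does not define `get_policy`, and only `ImportError` is caught, so the "empty policy file" case the else-branch comment describes would make `import ssl` itself fail instead of enabling strict verification; use `if getattr(policy, 'get_policy', None):` so an empty policy module really falls through to `_get_https_context_factory()`. The `except ImportError` branch selects `_create_unverified_context`, so with no policy module installed every stdlib HTTPS client runs without certificate verification and the only gate is the `%if` in the spec files; that consequence belongs in the comment, e.g. `# no sle_tls_checks_policy module on sys.path: SLE-12 compatibility default, certificate verification is OFF`. Since this is module-level code in Lib/ssl.py, the effective policy is whatever module of that name is found first on sys.path when ssl is imported, which the comment should also say. `policy.get_policy()` is assigned without checking the result is callable, so a policy module that returns None would surface later as a TypeError in the HTTPS callers rather than at this point.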
@@ -58,6 +58,8 @@ Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch +# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients +Patch34: python-2.7.9-sles-disable-verification-by-default.patch # PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py Patch35: do-not-use-non-ascii-in-test_ssl.patch # PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly @@ -243,6 +245,9 @@ other applications. %patch22 -p1 %patch24 -p1 %patch33 -p1 +%if %{suse_version} < 1500 && !0%{?is_opensuse} +%patch34 -p1 +%endif %patch35 -p1 %patch38 -p1 %ifarch ppc ppc64 ppc64le diff --git a/python-bsddb6.patch b/python-bsddb6.patch index a64b919..aefd595 100644 --- a/python-bsddb6.patch +++ b/python-bsddb6.patch @@ -13,8 +13,8 @@ This patch was partially autogenerated: Lib/bsddb/test/test_replication.py | 25 +------- Modules/_bsddb.c | 108 +++++++++++++++++++++++++++++++++---- Modules/bsddb.h | 2 - setup.py | 6 +- - 6 files changed, 120 insertions(+), 41 deletions(-) + setup.py | 4 + + 6 files changed, 118 insertions(+), 41 deletions(-) --- a/Lib/bsddb/test/test_all.py +++ b/Lib/bsddb/test/test_all.py @@ -368,7 +368,7 @@ This patch was partially autogenerated: --- a/setup.py +++ b/setup.py -@@ -905,7 +905,7 @@ class PyBuildExt(build_ext): +@@ -951,7 +951,7 @@ class PyBuildExt(build_ext): # a release. Most open source OSes come with one or more # versions of BerkeleyDB already installed. @@ -377,7 +377,7 @@ This patch was partially autogenerated: min_db_ver = (4, 3) db_setup_debug = False # verbose debug prints from this script? -@@ -945,6 +945,7 @@ class PyBuildExt(build_ext): +@@ -991,6 +991,7 @@ class PyBuildExt(build_ext): # construct a list of paths to look for the header file in on # top of the normal inc_dirs. db_inc_paths = [ 
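Review bot: The new `# PATCH-FEATURE-SLE` comment on `Patch34` in python-base.spec says the patch disables SSL verification-by-default but not that `%patch34` is applied only under `%if %{suse_version} < 1500 && !0%{?is_opensuse}` in the second hunk, roughly 180 lines lower, so a reader of the Patch list will assume it affects every build. Suggest `# PATCH-FEATURE-SLE SLE-12 only (conditional %patch34 below): disable SSL verification-by-default in http clients`. The identical hunks in python-doc.spec and python.spec need the same wording.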
@@ -385,7 +385,7 @@ This patch was partially autogenerated: '/usr/include/db4', '/usr/local/include/db4', '/opt/sfw/include/db4', -@@ -984,6 +985,7 @@ class PyBuildExt(build_ext): +@@ -1030,6 +1031,7 @@ class PyBuildExt(build_ext): for dn in inc_dirs: std_variants.append(os.path.join(dn, 'db3')) std_variants.append(os.path.join(dn, 'db4')) diff --git a/python-doc.changes b/python-doc.changes index 68ef52e..27f4bda 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 22 20:55:13 UTC 2022 - Matej Cepl + +- Restore python-2.7.9-sles-disable-verification-by-default.patch + for SLE-12. + ------------------------------------------------------------------- Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl diff --git a/python-doc.spec b/python-doc.spec index b97d57e..d0be67e 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -57,6 +57,8 @@ Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch +# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients +Patch34: python-2.7.9-sles-disable-verification-by-default.patch # PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py Patch35: do-not-use-non-ascii-in-test_ssl.patch # PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly @@ -180,6 +182,9 @@ Python, and Macintosh Module Reference in PDF format. %patch22 -p1 %patch24 -p1 %patch33 -p1 +%if %{suse_version} < 1500 && !0%{?is_opensuse} +%patch34 -p1 +%endif %patch35 -p1 %patch38 -p1 %ifarch ppc ppc64 ppc64le diff --git a/python.changes b/python.changes index 68ef52e..27f4bda 100644 --- a/python.changes +++ b/python.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 22 20:55:13 UTC 2022 - Matej Cepl + +- Restore python-2.7.9-sles-disable-verification-by-default.patch + for SLE-12. + ------------------------------------------------------------------- Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl diff --git a/python.spec b/python.spec index 990bd73..3da5973 100644 --- a/python.spec +++ b/python.spec @@ -57,6 +57,8 @@ Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch +# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients +Patch34: python-2.7.9-sles-disable-verification-by-default.patch # PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py Patch35: do-not-use-non-ascii-in-test_ssl.patch # PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly @@ -296,6 +298,9 @@ that rely on earlier non-verification behavior. %patch22 -p1 %patch24 -p1 %patch33 -p1 +%if %{suse_version} < 1500 && !0%{?is_opensuse} +%patch34 -p1 +%endif %patch35 -p1 %patch38 -p1 %ifarch ppc ppc64 ppc64le diff --git a/remove-static-libpython.patch b/remove-static-libpython.patch index c4997d3..65df578 100644 --- a/remove-static-libpython.patch +++ b/remove-static-libpython.patch @@ -1,3 +1,7 @@ +--- + Makefile.pre.in | 26 +------------------------- + 1 file changed, 1 insertion(+), 25 deletions(-) + --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -488,7 +488,7 @@ coverage-report: regen-grammar @@ -28,7 +32,7 @@ libpython$(VERSION).so: $(LIBRARY_OBJS) if test $(INSTSONAME) != $(LDLIBRARY); then \ $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \ -@@ -1220,18 +1208,6 @@ libainstall: @DEF_MAKE_RULE@ python-conf +@@ -1226,18 +1214,6 @@ libainstall: @DEF_MAKE_RULE@ python-conf else true; \ fi; \ done