- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically
  crafted tarball. Add recursion.tar as a testing tarball for the patch.
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their
  correct form (bsc#1180686).
- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
  (CVE-2020-26116, bpo#39603) no longer allowing special characters in the
  method parameter of HTTPConnection.putrequest in httplib, stopping injection
  of headers. Such characters now raise ValueError.
- bsc#1155094 (CVE-2019-18348) Disallow control characters in hostnames in
  http.client. Such potentially malicious header injection URLs now cause an
  InvalidURL to be raised.
- bsc#1109847 (CVE-2018-14647): add
  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo-34623.
  fixing bpo-35746 (CVE-2019-5010).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=304
@@ -31,6 +31,8 @@ Source0: %{tarname}.tar.xz
#Source3: http://docs.python.org/%{version}/archives/python-%{pyver}-docs-pdf-letter.tar.bz2
Source2: python-%{version}-docs-pdf-a4.tar.bz2
Source3: python-%{version}-docs-pdf-letter.tar.bz2
# For Patch 66
Source66: recursion.tar
%if 0%{?suse_version} >= 1500
BuildRequires: python3-Sphinx
%else
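Review bot: the comment above Source66 ("# For Patch 66") does not say what recursion.tar is. Since it is a deliberately crafted tarball that serves only as a test fixture (copied into Lib/test/ in %prep, per the commit message) and not a build input, state that here, e.g. "# Test tarball for Patch 66 (CVE-2019-20907); copied to Lib/test in %prep", so that a malformed-looking source file is not mistaken for a broken download.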
@@ -111,6 +113,14 @@ Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
Patch65: sphinx-update-removed-function.patch
# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
# REQUIRES SOURCE 66
Patch66: CVE-2019-20907_tarfile-inf-loop.patch
# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
# Fixes httplib to disallow control characters in method to avoid header
# injection
Patch67: CVE-2020-26116-httplib-header-injection.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
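Review bot: the PATCH-FIX-UPSTREAM tags for Patch66 and Patch67 are less complete than the one for Patch65, which cites both the bpo and the GitHub reference: Patch66 lists only bsc#1174091 and a maintainer address, and Patch67 lists only bsc#1177211. Add the upstream references given in the commit message (bpo#39017 for Patch66, bpo#39603 for Patch67) so the origin of each backport can be checked against upstream. The "# REQUIRES SOURCE 66" marker is useful; a matching remark next to Source66 would make the dependency visible from both sides.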
@@ -183,17 +193,16 @@ Python, and Macintosh Module Reference in PDF format.
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1

# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
# COMMON-PREP-END

# Update documentation formatting for Sphinx 3.0 (bpo#40204)
for i in `find Doc/ -type f -name "*.rst"`
do
sed -i 's/:c:type:/:c:expr:/g' $i
done

%build
TODAY_DATE=`date -r %{S:0} "+%B %d, %Y"`
# TODO use not date of tarball but date of latest patch
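Review bot: the "cp -v %{SOURCE66} Lib/test/recursion.tar" line is what makes the new tarfile regression test runnable, but nothing in this hunk shows the test being run; confirm that the %check section (outside this hunk) actually executes test_tarfile, otherwise the fixture gives no coverage of the CVE-2019-20907 fix. Minor: the comment reads "# For patch 66" here and "# For Patch 66" in the Source list; use one spelling.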