- Fix building of documentation and the universal configuration of the

%primary_interpreter. - Switch primary_interpreter from python38 to python310 for Factory (only) - (bsc#1196784, CVE-2022-25236) Rename patch: support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5 as it was fully patched against CVE-2022-25236. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=41
2022-06-10 17:46:36 +00:00 · 2022-06-10 17:46:36 +00:00 · 140fcc45f7
commit 140fcc45f7
parent 83bcadedd7
3 changed files with 75 additions and 8 deletions
--- a/python310.changes
+++ b/python310.changes
@ -4,6 +4,8 @@ Thu Jun  9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com>
 - Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
+- Fix building of documentation and the universal configuration of the
+  %primary_interpreter.

 -------------------------------------------------------------------
 Mon Jun  6 22:29:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
@ -247,7 +249,8 @@ Tue May 10 14:35:52 UTC 2022 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Thu May  5 14:35:56 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Switch primary_interpreter from python38 to python310
+- Switch primary_interpreter from python38 to python310 for
+  Factory (only)

 -------------------------------------------------------------------
 Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
@ -530,8 +533,13 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
  - bpo-14916: Fixed bug in the tokenizer that prevented
    PyRun_InteractiveOne from parsing from the provided FD.

- Remove upstreamed patches:
-  - support-expat-245.patch
+-------------------------------------------------------------------
+Thu Mar 24 18:55:46 UTC 2022 - David Anes <david.anes@suse.com>
+
+- (bsc#1196784, CVE-2022-25236) Rename patch:
+  support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
+  and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
+  as it was fully patched against CVE-2022-25236.

 -------------------------------------------------------------------
 Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
--- a/python310.spec
+++ b/python310.spec
@ -62,7 +62,11 @@ Obsoletes:      python39%{?1:-%{1}}
 %define         python_pkg_name python310
 # Will provide the python3-* provides
 # Will do the /usr/bin/python3 and all the core links
-%define         primary_interpreter 1
+%if 0%{?sle_version} || 0%{?suse_version} >= 1550
+%define primary_interpreter 0
+%else
+%define primary_interpreter 1
+%endif
 # We don't process beta signs well
 %define         folderversion 3.10.5
 %define         tarname    Python-%{tarversion}
@ -160,9 +164,12 @@ Patch34:        skip-test_pyobject_freed_is_freed.patch
 # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com
 # remove duplicate link targets and make documentation with old Sphinx in SLE
 Patch35:        fix_configure_rst.patch
+# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
+# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
+Patch36:        support-expat-CVE-2022-25236-patched.patch
 # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
 # avoid the command injection in the mailcap module.
-Patch36:        CVE-2015-20107-mailcap-unsafe-filenames.patch
+Patch37:        CVE-2015-20107-mailcap-unsafe-filenames.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -190,7 +197,11 @@ BuildRequires:  pkgconfig(libtirpc)
 BuildRequires:  mpdecimal-devel
 %endif
 %if %{with doc}
+%if 0%{?sle_version} && 0%{?sle_version} <= 150300
 BuildRequires:  python3-Sphinx
+%else
+BuildRequires:  python3-Sphinx >= 3.2.0
+%endif
 %if 0%{?suse_version} >= 1500
 BuildRequires:  python3-python-docs-theme >= 2022.1
 %endif
@ -421,14 +432,13 @@ other applications.
 %patch09 -p1
 %patch15 -p1
 %patch29 -p1
-%if 0%{?suse_version} <= 1500
-%patch33 -p1
-%endif
 %if 0%{?sle_version} && 0%{?sle_version} <= 150300
+%patch33 -p1
 %patch34 -p1
 %endif
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
--- a/support-expat-CVE-2022-25236-patched.patch
+++ b/support-expat-CVE-2022-25236-patched.patch
@ -0,0 +1,49 @@
+From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 21 Feb 2022 08:16:09 -0800
+Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
+ (GH-31472)
+
+Curly brackets were never allowed in namespace URIs
+according to RFC 3986, and so-called namespace-validating
+XML parsers have the right to reject them a invalid URIs.
+
+libexpat >=2.4.5 has become strcter in that regard due to
+related security issues; with ET.XML instantiating a
+namespace-aware parser under the hood, this test has no
+future in CPython.
+
+References:
+- https://datatracker.ietf.org/doc/html/rfc3968
+- https://www.w3.org/TR/xml-names/
+
+Also, test_minidom.py: Support Expat >=2.4.5
+(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ Lib/test/test_minidom.py |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+
+--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
+@@ -1149,7 +1149,7 @@ class MinidomTest(unittest.TestCase):
+ 
+         # Verify that character decoding errors raise exceptions instead
+         # of crashing
+-        if pyexpat.version_info >= (2, 4, 5):
+        if pyexpat.version_info >= (2, 4, 4):
+             self.assertRaises(ExpatError, parseString,
+                     b'<fran\xe7ais></fran\xe7ais>')
+             self.assertRaises(ExpatError, parseString,
+@@ -1617,7 +1617,7 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
+ 
+     def testExceptionOnSpacesInXMLNSValue(self):
+-        if pyexpat.version_info >= (2, 4, 5):
+        if pyexpat.version_info >= (2, 4, 4):
+             context = self.assertRaisesRegex(ExpatError, 'syntax error')
+         else:
+             context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')