From 31dd9389f8caf635f366277cdaa42c21e5ac5944f73f02cb64e1a7a2a45bb5e6 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Fri, 21 Jun 2024 09:49:34 +0000
Subject: [PATCH] - Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with patched libexpat below 2.6.0 that doesn't update the version number, just in SLE.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=128
---
CVE-2023-52425-libexpat-2.6.0-backport.patch | 57 ++++++++++++++++++++
python310.changes | 7 +++
python310.spec | 4 +-
3 files changed, 66 insertions(+), 2 deletions(-)
create mode 100644 CVE-2023-52425-libexpat-2.6.0-backport.patch
diff --git a/CVE-2023-52425-libexpat-2.6.0-backport.patch b/CVE-2023-52425-libexpat-2.6.0-backport.patch
new file mode 100644
index 0000000..334b7b8
--- /dev/null
+++ b/CVE-2023-52425-libexpat-2.6.0-backport.patch
@@ -0,0 +1,57 @@
+---
+ Lib/test/test_pyexpat.py | 4 ++++
+ Lib/test/test_sax.py | 3 +++
+ Lib/test/test_xml_etree.py | 7 +++++++
+ 3 files changed, 14 insertions(+)
+
+--- a/Lib/test/test_pyexpat.py
++++ b/Lib/test/test_pyexpat.py
+@@ -766,6 +766,10 @@ class ReparseDeferralTest(unittest.TestC
+ self.assertEqual(started, ['doc'])
+
+ def test_reparse_deferral_disabled(self):
++ if expat.version_info < (2, 6, 0):
++ self.skipTest(f'Expat {expat.version_info} does not '
++ 'support reparse deferral')
++
+ started = []
+
+ def start_element(name, _):
+--- a/Lib/test/test_sax.py
++++ b/Lib/test/test_sax.py
+@@ -1240,6 +1240,9 @@ class ExpatReaderTest(XmlTestBase):
+
+ self.assertEqual(result.getvalue(), start + b"")
+
++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
++ f'Expat {pyexpat.version_info} does not '
++ 'support reparse deferral')
+ def test_flush_reparse_deferral_disabled(self):
+ result = BytesIO()
+ xmlgen = XMLGenerator(result)
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -1420,9 +1420,13 @@ class XMLPullParserTest(unittest.TestCas
+ self.assert_event_tags(parser, [('end', 'root')])
+ self.assertIsNone(parser.close())
+
++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
++ f'Fail with patched version of Expat {pyexpat.version_info}')
+ def test_simple_xml_chunk_1(self):
+ self.test_simple_xml(chunk_size=1, flush=True)
+
++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
++ f'Fail with patched version of Expat {pyexpat.version_info}')
+ def test_simple_xml_chunk_5(self):
+ self.test_simple_xml(chunk_size=5, flush=True)
+
+@@ -1648,6 +1652,9 @@ class XMLPullParserTest(unittest.TestCas
+
+ self.assert_event_tags(parser, [('end', 'doc')])
+
++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
++ f'Expat {pyexpat.version_info} does not '
++ 'support reparse deferral')
+ def test_flush_reparse_deferral_disabled(self):
+ parser = ET.XMLPullParser(events=('start', 'end'))
+
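Review bot: The `skipIf` decorators added to `test_simple_xml_chunk_1` and `test_simple_xml_chunk_5` in Lib/test/test_xml_etree.py give the reason "Fail with patched version of Expat", yet the condition `pyexpat.version_info < (2, 6, 0)` fires on every Expat below 2.6.0, and the commit message itself says the patched library keeps its old version number, so the check cannot tell a patched build from an unpatched one. The same version test guards the three `*_reparse_deferral_disabled` tests, which means that on the SLE build carrying the CVE-2023-52425 backport none of the five touched tests runs and the suite says nothing about how the backported mitigation behaves. I would make the reasons state that, for example `f'Expat {pyexpat.version_info}: reparse deferral may be backported without a version bump; not verified here'`. The new patch file also starts directly at `---` with no description, so a short header should say which skips mirror gh#python/cpython#117187 and which exist only for the distribution's patched library.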
diff --git a/python310.changes b/python310.changes
index 0f27724..dd71def 100644
--- a/python310.changes
+++ b/python310.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Apr 19 08:37:04 UTC 2024 - Matej Cepl
+
+- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
+ patched libexpat below 2.6.0 that doesn't update the version number,
+ just in SLE.
+
 -------------------------------------------------------------------
 Sun Mar 24 00:43:14 UTC 2024 - Matej Cepl
diff --git a/python310.spec b/python310.spec
index 49ce1b7..202491b 100644
--- a/python310.spec
+++ b/python310.spec
@@ -192,9 +192,9 @@ Patch20: CVE-2023-27043-email-parsing-errors.patch
 # * gh#python/cpython#104221
 # * gh#python/cpython#107246
 Patch21: fix-sphinx-72.patch
-# PATCH-FIX-UPSTREAM old-libexpat.patch gh#python/cpython#117187 mcepl@suse.com
+# PATCH-FIX-UPSTREAM CVE-2023-52425-libexpat-2.6.0-backport.patch gh#python/cpython#117187 mcepl@suse.com
 # Make the test suite work with libexpat < 2.6.0
-Patch22: old-libexpat.patch
+Patch22: CVE-2023-52425-libexpat-2.6.0-backport.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes