From 7757e5a6dc4e044bce3b2782d6412590f702c0594133ab241b17983c89d75a03 Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Thu, 8 Dec 2022 14:49:07 +0000 Subject: [PATCH] =?UTF-8?q?-=20Update=20to=203.10.9:=20=20=20-=20python=20?= =?UTF-8?q?-m=20http.server=20no=20longer=20allows=20terminal=20=20=20=20?= =?UTF-8?q?=20control=20characters=20sent=20within=20a=20garbage=20request?= =?UTF-8?q?=20to=20be=20=20=20=20=20printed=20to=20the=20stderr=20server?= =?UTF-8?q?=20lo=20This=20is=20done=20by=20changing=20=20=20=20=20the=20ht?= =?UTF-8?q?tp.server=20BaseHTTPRequestHandler=20.log=5Fmessage=20method=20?= =?UTF-8?q?=20=20=20=20to=20replace=20control=20characters=20with=20a=20\x?= =?UTF-8?q?HH=20hex=20escape=20before=20=20=20=20=20printin=20=20=20-=20Av?= =?UTF-8?q?oid=20publishing=20list=20of=20active=20per-interpreter=20=20?= =?UTF-8?q?=20=20=20audit=20hooks=20via=20the=20gc=20module=20=20=20-=20Th?= =?UTF-8?q?e=20IDNA=20codec=20decoder=20used=20on=20DNS=20hostnames=20by?= =?UTF-8?q?=20=20=20=20=20socket=20or=20asyncio=20related=20name=20resolut?= =?UTF-8?q?ion=20functions=20no=20=20=20=20=20longer=20involves=20a=20quad?= =?UTF-8?q?ratic=20algorithm.=20This=20prevents=20a=20=20=20=20=20potentia?= =?UTF-8?q?l=20CPU=20denial=20of=20service=20if=20an=20out-of-spec=20exces?= =?UTF-8?q?sive=20=20=20=20=20length=20hostname=20involving=20bidirectiona?= =?UTF-8?q?l=20characters=20were=20=20=20=20=20decoded.=20Some=20protocols?= =?UTF-8?q?=20such=20as=20urllib=20http=203xx=20redirects=20=20=20=20=20po?= =?UTF-8?q?tentially=20allow=20for=20an=20attacker=20to=20supply=20such=20?= =?UTF-8?q?a=20name.=20=20=20-=20Update=20bundled=20libexpat=20to=202.5.0?= =?UTF-8?q?=20=20=20-=20Port=20XKCP=E2=80=99s=20fix=20for=20the=20buffer?= =?UTF-8?q?=20overflows=20in=20SHA-3=20=20=20=20=20(CVE-2022-37454).=20=20?= =?UTF-8?q?=20-=20On=20Linux=20the=20multiprocessing=20module=20returns=20?= =?UTF-8?q?=20=20=20=20to=20using=20filesystem=20backed=20unix=20domain=20?= =?UTF-8?q?sockets=20for=20=20=20=20=20communication=20with=20the=20forkse?= 
=?UTF-8?q?rver=20process=20instead=20of=20the=20=20=20=20=20Linux=20abstr?= =?UTF-8?q?act=20socket=20namespace.=20Only=20code=20that=20chooses=20=20?= =?UTF-8?q?=20=20=20to=20use=20the=20=E2=80=9Cforkserver=E2=80=9D=20start?= =?UTF-8?q?=20method=20is=20affected=20Abstract=20=20=20=20=20sockets=20ha?= =?UTF-8?q?ve=20no=20permissions=20and=20could=20allow=20any=20user=20=20?= =?UTF-8?q?=20=20=20on=20the=20system=20in=20the=20same=20network=20namesp?= =?UTF-8?q?ace=20(often=20the=20=20=20=20=20whole=20system)=20to=20inject?= =?UTF-8?q?=20code=20into=20the=20multiprocessing=20=20=20=20=20forkserver?= =?UTF-8?q?=20process.=20This=20was=20a=20potential=20privilege=20=20=20?= =?UTF-8?q?=20=20escalation.=20Filesystem=20based=20socket=20permissions?= =?UTF-8?q?=20restrict=20=20=20=20=20this=20to=20the=20forkserver=20proces?= =?UTF-8?q?s=20user=20as=20was=20the=20default=20in?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=68 --- ...nx.locale._-as-gettext-in-pyspecific.patch | 54 ---- CVE-2015-20107-mailcap-unsafe-filenames.patch | 54 ---- ...022-42919-loc-priv-mulitproc-forksrv.patch | 59 ---- CVE-2022-45061-DoS-by-IDNA-decode.patch | 88 ------ Python-3.10.8.tar.xz | 3 - Python-3.10.8.tar.xz.asc | 16 -- Python-3.10.9.tar.xz | 3 + Python-3.10.9.tar.xz.asc | 16 ++ bpo-31046_ensurepip_honours_prefix.patch | 8 +- fix_configure_rst.patch | 2 +- python310.changes | 255 +++++++++++++++--- python310.spec | 18 +- 12 files changed, 240 insertions(+), 336 deletions(-) delete mode 100644 98437-sphinx.locale._-as-gettext-in-pyspecific.patch delete mode 100644 CVE-2015-20107-mailcap-unsafe-filenames.patch delete mode 100644 CVE-2022-42919-loc-priv-mulitproc-forksrv.patch delete mode 100644 CVE-2022-45061-DoS-by-IDNA-decode.patch delete mode 100644 Python-3.10.8.tar.xz delete mode 100644 Python-3.10.8.tar.xz.asc create mode 100644 
Python-3.10.9.tar.xz create mode 100644 Python-3.10.9.tar.xz.asc diff --git a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch b/98437-sphinx.locale._-as-gettext-in-pyspecific.patch deleted file mode 100644 index 680c2c1..0000000 --- a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 5775f51691d7d64fb676586e008b41261ce64ac2 Mon Sep 17 00:00:00 2001 -From: "Matt.Wang" -Date: Wed, 19 Oct 2022 14:49:08 +0800 -Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for - backward-compatibility in pyspecific.py - -[why] spinix 5.3 changed locale.translators from a defaultdict(gettext.NullTranslations) to a dict, which leads to failure of pyspecific.py. Use sphinx.locale._ as gettext to fix the issue. ---- - Doc/tools/extensions/pyspecific.py | 8 ++++---- - Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst | 1 + - 2 files changed, 5 insertions(+), 4 deletions(-) - ---- a/Doc/tools/extensions/pyspecific.py -+++ b/Doc/tools/extensions/pyspecific.py -@@ -26,7 +26,7 @@ try: - from sphinx.errors import NoUri - except ImportError: - from sphinx.environment import NoUri --from sphinx.locale import translators -+from sphinx.locale import _ as sphinx_gettext - from sphinx.util import status_iterator, logging - from sphinx.util.nodes import split_explicit_title - from sphinx.writers.text import TextWriter, TextTranslator -@@ -109,7 +109,7 @@ class ImplementationDetail(Directive): - def run(self): - self.assert_has_content() - pnode = nodes.compound(classes=['impl-detail']) -- label = translators['sphinx'].gettext(self.label_text) -+ label = sphinx_gettext(self.label_text) - content = self.content - add_text = nodes.strong(label, label) - self.state.nested_parse(content, self.content_offset, pnode) -@@ -203,7 +203,7 @@ class AuditEvent(Directive): - else: - args = [] - -- label = translators['sphinx'].gettext(self._label[min(2, len(args))]) -+ label = sphinx_gettext(self._label[min(2, len(args))]) - text = label.format(name="``{}``".format(name), - args=", ".join("``{}``".format(a) for a in args if a)) - -@@ -382,7 +382,7 @@ class DeprecatedRemoved(Directive): - else: - label = self._removed_label - -- label = translators['sphinx'].gettext(label) -+ label = sphinx_gettext(label) - text = 
label.format(deprecated=self.arguments[0], removed=self.arguments[1]) - if len(self.arguments) == 3: - inodes, messages = self.state.inline_text(self.arguments[2], ---- /dev/null -+++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst -@@ -0,0 +1 @@ -+Use sphinx.locale._ as the gettext function in pyspecific.py. diff --git a/CVE-2015-20107-mailcap-unsafe-filenames.patch b/CVE-2015-20107-mailcap-unsafe-filenames.patch deleted file mode 100644 index 117ef59..0000000 --- a/CVE-2015-20107-mailcap-unsafe-filenames.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Wed, 27 Apr 2022 18:17:33 +0200 -Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe - filenames/types/params - ---- - Doc/library/mailcap.rst | 12 ++++++++++ - Lib/mailcap.py | 5 ++++ - Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++ - 3 files changed, 21 insertions(+) - ---- a/Doc/library/mailcap.rst -+++ b/Doc/library/mailcap.rst -@@ -27,6 +27,18 @@ The mailcap format is documented in :rfc - Mechanism For Multimedia Mail Format Information", but is not an internet - standard. However, mailcap files are supported on most Unix systems. - -+ .. versionchanged:: 3.11 -+ -+ To prevent security issues with shell metacharacters (symbols that have -+ special effects in a shell command line), ``findmatch`` will refuse -+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` -+ into the returned command line. -+ -+ If a disallowed character appears in *filename*, ``findmatch`` will always -+ return ``(None, None)`` as if no entry was found. -+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), -+ ``findmatch`` will ignore all mailcap entries which use that value. -+ A :mod:`warning ` will be raised in either case. - - .. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[]) - ---- a/Lib/mailcap.py -+++ b/Lib/mailcap.py -@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001 - class UnsafeMailcapInput(Warning): - """Warning raised when refusing unsafe input""" - -+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search -+ -+class UnsafeMailcapInput(Warning): -+ """Warning raised when refusing unsafe input""" -+ - - # Part 1: top-level interface. 
- ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst -@@ -0,0 +1,4 @@ -+The deprecated mailcap module now refuses to inject unsafe text (filenames, -+MIME types, parameters) into shell commands. Instead of using such text, it -+will warn and act as if a match was not found (or for test commands, as if -+the test failed). diff --git a/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch b/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch deleted file mode 100644 index e616e48..0000000 --- a/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001 -From: "Gregory P. Smith" -Date: Thu, 20 Oct 2022 15:30:09 -0700 -Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for - multiprocessing (GH-98501) - -Linux abstract sockets are insecure as they lack any form of filesystem -permissions so their use allows anyone on the system to inject code into -the process. - -This removes the default preference for abstract sockets in -multiprocessing introduced in Python 3.9+ via -https://github.com/python/cpython/pull/18866 while fixing -https://github.com/python/cpython/issues/84031. - -Explicit use of an abstract socket by a user now generates a -RuntimeWarning. If we choose to keep this warning, it should be -backported to the 3.7 and 3.8 branches. -(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) - -Co-authored-by: Gregory P. Smith ---- - Lib/multiprocessing/connection.py | 5 --- - Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 ++++++++++ - 2 files changed, 15 insertions(+), 5 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst - ---- a/Lib/multiprocessing/connection.py -+++ b/Lib/multiprocessing/connection.py -@@ -73,11 +73,6 @@ def arbitrary_address(family): - if family == 'AF_INET': - return ('localhost', 0) - elif family == 'AF_UNIX': -- # Prefer abstract sockets if possible to avoid problems with the address -- # size. When coding portable applications, some implementations have -- # sun_path as short as 92 bytes in the sockaddr_un struct. 
-- if util.abstract_sockets_supported: -- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}" - return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir()) - elif family == 'AF_PIPE': - return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' % ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst -@@ -0,0 +1,15 @@ -+On Linux the :mod:`multiprocessing` module returns to using filesystem backed -+unix domain sockets for communication with the *forkserver* process instead of -+the Linux abstract socket namespace. Only code that chooses to use the -+:ref:`"forkserver" start method ` is affected. -+ -+Abstract sockets have no permissions and could allow any user on the system in -+the same `network namespace -+`_ (often the -+whole system) to inject code into the multiprocessing *forkserver* process. -+This was a potential privilege escalation. Filesystem based socket permissions -+restrict this to the *forkserver* process user as was the default in Python 3.8 -+and earlier. -+ -+This prevents Linux `CVE-2022-42919 -+`_. diff --git a/CVE-2022-45061-DoS-by-IDNA-decode.patch b/CVE-2022-45061-DoS-by-IDNA-decode.patch deleted file mode 100644 index ee9fc70..0000000 --- a/CVE-2022-45061-DoS-by-IDNA-decode.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From b8f89940de09a51fdbd8fe4705d3d1d7f1bb0c6a Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 7 Nov 2022 18:57:10 -0800 -Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) - (GH-99222) - -There was an unnecessary quadratic loop in idna decoding. This restores -the behavior to linear. - -(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) - -(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) - -Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> -Co-authored-by: Gregory P. Smith ---- - Lib/encodings/idna.py | 32 ++++------ - Lib/test/test_codecs.py | 6 + - Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 + - 3 files changed, 27 insertions(+), 17 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst - ---- a/Lib/encodings/idna.py -+++ b/Lib/encodings/idna.py -@@ -39,23 +39,21 @@ def nameprep(label): - - # Check bidi - RandAL = [stringprep.in_table_d1(x) for x in label] -- for c in RandAL: -- if c: -- # There is a RandAL char in the string. Must perform further -- # tests: -- # 1) The characters in section 5.8 MUST be prohibited. -- # This is table C.8, which was already checked -- # 2) If a string contains any RandALCat character, the string -- # MUST NOT contain any LCat character. -- if any(stringprep.in_table_d2(x) for x in label): -- raise UnicodeError("Violation of BIDI requirement 2") -- -- # 3) If a string contains any RandALCat character, a -- # RandALCat character MUST be the first character of the -- # string, and a RandALCat character MUST be the last -- # character of the string. -- if not RandAL[0] or not RandAL[-1]: -- raise UnicodeError("Violation of BIDI requirement 3") -+ if any(RandAL): -+ # There is a RandAL char in the string. 
Must perform further -+ # tests: -+ # 1) The characters in section 5.8 MUST be prohibited. -+ # This is table C.8, which was already checked -+ # 2) If a string contains any RandALCat character, the string -+ # MUST NOT contain any LCat character. -+ if any(stringprep.in_table_d2(x) for x in label): -+ raise UnicodeError("Violation of BIDI requirement 2") -+ # 3) If a string contains any RandALCat character, a -+ # RandALCat character MUST be the first character of the -+ # string, and a RandALCat character MUST be the last -+ # character of the string. -+ if not RandAL[0] or not RandAL[-1]: -+ raise UnicodeError("Violation of BIDI requirement 3") - - return label - ---- a/Lib/test/test_codecs.py -+++ b/Lib/test/test_codecs.py -@@ -1534,6 +1534,12 @@ class IDNACodecTest(unittest.TestCase): - self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org") - self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.") - -+ def test_builtin_decode_length_limit(self): -+ with self.assertRaisesRegex(UnicodeError, "too long"): -+ (b"xn--016c"+b"a"*1100).decode("idna") -+ with self.assertRaisesRegex(UnicodeError, "too long"): -+ (b"xn--016c"+b"a"*70).decode("idna") -+ - def test_stream(self): - r = codecs.getreader("idna")(io.BytesIO(b"abc")) - r.read(3) ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst -@@ -0,0 +1,6 @@ -+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` -+related name resolution functions no longer involves a quadratic algorithm. -+This prevents a potential CPU denial of service if an out-of-spec excessive -+length hostname involving bidirectional characters were decoded. Some protocols -+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker -+to supply such a name. diff --git a/Python-3.10.8.tar.xz b/Python-3.10.8.tar.xz deleted file mode 100644 index 2f80eb5..0000000 --- a/Python-3.10.8.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3
-size 19619508
diff --git a/Python-3.10.8.tar.xz.asc b/Python-3.10.8.tar.xz.asc
deleted file mode 100644
index f4690b4..0000000
--- a/Python-3.10.8.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmNFVREACgkQ/+h0BBaL
-2EfmBhAAlIlx22S5RL7ehPDOWlEj06uK87EKEfMXch2DMapEXsrBR2Z+Q3Kb0Le+
-T3vru6k9MUbDGI0pei+o5k621jvg8Gj+0rUKTydAd46Pt9ZoCPWuIdyWKaJBknLu
-XsYs6Xiv6Ug7Q3JGy67j8ei6bFoqATyYEe45ljReVfug7VmisjMXHdiyZoAkAFMO
-fDZvtfXRY/ZwLcCfK5SkaJqSRVfYowAh1lQqiXDnbfaX40BVCw78YKFsYN//PCpU
-DrsE7JFapXQGvCJmcZ+WC8A/WMjyLoKI36w2WDcy8AFKsf49xQWPEWnUzXcJyF2n
-zKGxn6kUEMdzelSWWWqMYlckL6Xf87E+CRTRS0MRX6OIrf+zJkeEoWRW8cGT/U8I
-1o0hawm9O50nSIjMGzaXGKjWsHLSIeOA9ToLz19TzzO7VikNkXAx5gQcHQu3bJyT
-SrMCw/VXJy+0BinBpSX/qZoptX2+6lFfArb/xOZGX2ZhU44+ecPrUHxB8xiw0qr8
-pw16k6nCkW3f0aZ0jrlsfNLsXr9G/ZRu+ugrcTTQ53rfXO0pQ5nxm0CJ5O9twDjw
-DIKvuqnOHlSGEcFM4bNDvpqskDnXrK6oyqBvtVhsjdFAp8YHYoM0yALTBlS4v2Xt
-Em1BPUXHps0M1AY59KrXe0OpwibJjKhvWoogAS5bqe/mYInBE/Y=
-=2vcv
------END PGP SIGNATURE-----
diff --git a/Python-3.10.9.tar.xz b/Python-3.10.9.tar.xz
new file mode 100644
index 0000000..d340fc2
--- /dev/null
+++ b/Python-3.10.9.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83
+size 19612112
diff --git a/Python-3.10.9.tar.xz.asc b/Python-3.10.9.tar.xz.asc
new file mode 100644
index 0000000..ab8f048
--- /dev/null
+++ b/Python-3.10.9.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmOPjc0ACgkQ/+h0BBaL +2EeV0hAAqnRoPq/yKFBquimXkwLGWPOwmPC1W4ehfS8OzXtfqw53xyG8q5ggemyd +pc6k6lXlgFS1AzE3wGPfVNzr+iFf2xP+3c21e3nbKUISxFQ6xF+X2xY7sTLIZUuQ +h8ZEyq7W9a1ta/78ap03+C3i98EWK5WaO5PIt57yq4ZLWdNVaJpqXessFQiZ5+ys +pN0D0iC9TCUv3QTDhyB2xB7fThVXcIsvfgvAsSzLMC3t/POsp3Qiooa1Tc9lB4TK +GEgfGUrvd/YZaI9LKT309aXfBuorjX9oDN05+efg+8/2DsRCus7KX+buNRC5xRX6 +gIFp/Bjgc+eBDW/8f8zEl/aB8DWm/rkfX83Xc0m9W0iZYtSQT0AGoQE5fcJg1jnR +lV5RpD9uZa/RrHtc/Sl7e0PfOdfZsWUKsNiiJhDVdfRPJYanezAHZCZpc8q2JoOV +IoxKlWp5eBhk10hWwtAjLGPK2iGNfUksV72oqDGU8IyA4+wL/iC9quq5nWED0U0w +gjrmXYIspCT2oCF/U3kCjqf26vYp6hxFrvloseD65ExwNiqQCGQlsxZJelCJUDnO +lezBraV5QSElsRReO2t8+XQgxoCeBbsvRpCNPWnzGdvNHljTRWVQtdx8s3A+LYEX +dNnL5pI91C+5pn+vvKYO4x2S7hdgG4aRNSwH19D05VdThEsmt0U= +=L+IQ +-----END PGP SIGNATURE----- diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch index 1c1f3a7..6afc257 100644 --- a/bpo-31046_ensurepip_honours_prefix.patch +++ b/bpo-31046_ensurepip_honours_prefix.patch @@ -15,7 +15,7 @@ Co-Authored-By: Xavier de Gaye --- a/Doc/library/ensurepip.rst +++ b/Doc/library/ensurepip.rst -@@ -56,8 +56,9 @@ is at least as recent as the one availab +@@ -58,8 +58,9 @@ is at least as recent as the one availab By default, ``pip`` is installed into the current virtual environment (if one is active) or into the system site packages (if there is no active virtual environment). The installation location can be controlled @@ -26,7 +26,7 @@ Co-Authored-By: Xavier de Gaye * ``--root ``: Installs ``pip`` relative to the given root directory rather than the root of the currently active virtual environment (if any) or the default root for the current Python installation. -@@ -89,7 +90,7 @@ Module API +@@ -91,7 +92,7 @@ Module API Returns a string specifying the available version of pip that will be installed when bootstrapping an environment. 
@@ -35,7 +35,7 @@ Co-Authored-By: Xavier de Gaye altinstall=False, default_pip=False, \ verbosity=0) -@@ -99,6 +100,8 @@ Module API +@@ -101,6 +102,8 @@ Module API If *root* is ``None``, then installation uses the default install location for the current environment. @@ -44,7 +44,7 @@ Co-Authored-By: Xavier de Gaye *upgrade* indicates whether or not to upgrade an existing installation of an earlier version of ``pip`` to the available version. -@@ -119,6 +122,8 @@ Module API +@@ -121,6 +124,8 @@ Module API *verbosity* controls the level of output to :data:`sys.stdout` from the bootstrapping operation. diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index c91498d..51c85bb 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional --- a/Misc/NEWS +++ b/Misc/NEWS -@@ -2979,7 +2979,7 @@ C API +@@ -3254,7 +3254,7 @@ C API ----- - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name diff --git a/python310.changes b/python310.changes index 4380d4b..7d51e41 100644 --- a/python310.changes +++ b/python310.changes 
@@ -1,3 +1,178 @@ +------------------------------------------------------------------- +Thu Dec 8 14:42:15 UTC 2022 - Matej Cepl + +- Update to 3.10.9: + - python -m http.server no longer allows terminal + control characters sent within a garbage request to be + printed to the stderr server lo This is done by changing + the http.server BaseHTTPRequestHandler .log_message method + to replace control characters with a \xHH hex escape before + printin + - Avoid publishing list of active per-interpreter + audit hooks via the gc module + - The IDNA codec decoder used on DNS hostnames by + socket or asyncio related name resolution functions no + longer involves a quadratic algorithm. This prevents a + potential CPU denial of service if an out-of-spec excessive + length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects + potentially allow for an attacker to supply such a name. + - Update bundled libexpat to 2.5.0 + - Port XKCP’s fix for the buffer overflows in SHA-3 + (CVE-2022-37454). + - On Linux the multiprocessing module returns + to using filesystem backed unix domain sockets for + communication with the forkserver process instead of the + Linux abstract socket namespace. Only code that chooses + to use the “forkserver” start method is affected Abstract + sockets have no permissions and could allow any user + on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing + forkserver process. This was a potential privilege + escalation. Filesystem based socket permissions restrict + this to the forkserver process user as was the default in + Python 3.8 and earlier This prevents Linux CVE-2022-42919 + - Fix a reference bug in _imp.create_builtin() + after the creation of the first sub-interpreter for modules + builtins and sys. Patch by Victor Stinner. 
+ - Fixed a bug that was causing a buffer overflow if + the tokenizer copies a line missing the newline caracter + from a file that is as long as the available tokenizer + buffer. Patch by Pablo galindo + - Update faulthandler to emit an error message with + the proper unexpected signal number. Patch by Dong-hee Na. + - Fix subscription of types.GenericAlias instances + containing bare generic types: for example tuple[A, T][int], + where A is a generic type, and T is a type variable. + - Fix detection of MAC addresses for uuid on certain + OSs. Patch by Chaim Sanders + - Print exception class name instead of its string + representation when raising errors from ctypes calls. + - Allow pdb to locate source for frozen modules in + the standard library. + - Raise ValueError instead of SystemError when + methods of uninitialized io.IncrementalNewlineDecoder objects + are called. Patch by Oren Milman. + - Fix a possible assertion failure in io.FileIO when + the opener returns an invalid file descriptor. + - Also escape s in the http.server + BaseHTTPRequestHandler.log_message so that it is technically + possible to parse the line and reconstruct what the original + data was. Without this a xHH is ambiguious as to if it is a + hex replacement we put in or the characters r”x” came through + in the original request line. + - asyncio.get_event_loop() now only emits a + deprecation warning when a new event loop was created + implicitly. It no longer emits a deprecation warning if the + current event loop was set. + - Fix bug when calling trace.CoverageResults with + valid infile. + - Fix a bug in handling class cleanups in + unittest.TestCase. Now addClassCleanup() uses separate lists + for different TestCase subclasses, and doClassCleanups() only + cleans up the particular class. + - Release the GIL when calling termios APIs to avoid + blocking threads. + - Fix ast.increment_lineno() to also cover + ast.TypeIgnore when changing line numbers. 
+ - Fixed bug where inspect.signature() reported + incorrect arguments for decorated methods. + - Fix SystemError in ctypes when exception was not + set during __initsubclass__. + - Fix statistics.NormalDist pickle with 0 and 1 + protocols. + - Update the bundled copy of pip to version 22.3.1. + - Apply bugfixes from importlib_metadata 4.11.4, + namely: In PathDistribution._name_from_stem, avoid + including parts of the extension in the result. In + PathDistribution._normalized_name, ensure names loaded from + the stem of the filename are also normalized, ensuring + duplicate entry points by packages varying only by + non-normalized name are hidden. + - Clean up refleak on failed module initialisation in + _zoneinfo + - Clean up refleaks on failed module initialisation + in in _pickle + - Clean up refleak on failed module initialisation in + _io. + - Fix memory leak in math.dist() when both points + don’t have the same dimension. Patch by Kumar Aditya. + - Fix argument typechecks in _overlapped.WSAConnect() + and _overlapped.Overlapped.WSASendTo() functions. + - Fix internal error in the re module which in + very rare circumstances prevented compilation of a regular + expression containing a conditional expression without the + “else” branch. + - Fix asyncio.StreamWriter.drain() to call + protocol.connection_lost callback only once on Windows. + - Add a mutex to unittest.mock.NonCallableMock to + protect concurrent access to mock attributes. + - Fix hang on Windows in subprocess.wait_closed() in + asyncio with ProactorEventLoop. Patch by Kumar Aditya. + - Fix infinite loop in unittest when a + self-referencing chained exception is raised + - tkinter.Text.count() raises now an exception for + options starting with “-” instead of silently ignoring them. + - On uname_result, restored expectation that _fields + and _asdict would include all six properties including + processor. 
+ - Update the bundled copies of pip and setuptools to + versions 22.3 and 65.5.0 respectively. + - Fix bug in urllib.parse.urlparse() that causes + certain port numbers containing whitespace, underscores, + plus and minus signs, or non-ASCII digits to be incorrectly + accepted. + - Allow venv to pass along PYTHON* variables to + ensurepip and pip when they do not impact path resolution + - On macOS, fix a crash in syslog.syslog() in + multi-threaded applications. On macOS, the libc syslog() + function is not thread-safe, so syslog.syslog() no longer + releases the GIL to call it. Patch by Victor Stinner. + - Allow BUILTINS to be a valid field name for frozen + dataclasses. + - Make sure patch.dict() can be applied on async + functions. + - To avoid apparent memory leaks when + asyncio.open_connection() raises, break reference cycles + generated by local exception and future instances (which has + exception instance as its member var). Patch by Dong Uk, + Kang. + - Prevent error when activating venv in nested fish + instances. + - Restrict use of sockets instead of pipes for stdin + of subprocesses created by asyncio to AIX platform only. + - shutil.copytree() now applies the + ignore_dangling_symlinks argument recursively. + - Fix IndexError in argparse.ArgumentParser when a + store_true action is given an explicit argument. + - Document that calling variadic functions with + ctypes requires special care on macOS/arm64 (and possibly + other platforms). + - Skip test_normalization() of test_unicodedata + if it fails to download NormalizationTest.txt file from + pythontest.net. Patch by Victor Stinner. + - Some C API tests were moved into the new + Lib/test/test_capi/ directory. + - Fix -Wimplicit-int, -Wstrict-prototypes, and + -Wimplicit-function-declaration compiler warnings in + configure checks. + - Fix -Wimplicit-int compiler warning in configure + check for PTHREAD_SCOPE_SYSTEM. 
+ - Specify the full path to the source location for + make docclean (needed for cross-builds). + - Fix NO_MISALIGNED_ACCESSES being not defined + for the SHA3 extension when HAVE_ALIGNED_REQUIRED is + set. Allowing builds on hardware that unaligned memory + accesses are not allowed. + - Fix handling of module docstrings in + Tools/i18n/pygettext.py. + +- Remove upstreamed patches: + - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch + - CVE-2015-20107-mailcap-unsafe-filenames.patch + - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch + - CVE-2022-45061-DoS-by-IDNA-decode.patch + ------------------------------------------------------------------- Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl @@ -955,7 +1130,7 @@ Thu Mar 24 18:55:46 UTC 2022 - David Anes Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik - Add patch support-expat-245.patch: - * Support Expat >= 2.4.5 + * Support Expat >= 2.4.5 ------------------------------------------------------------------- Tue Feb 15 23:05:55 UTC 2022 - Matej Cepl @@ -1145,7 +1320,7 @@ Sat Jun 5 21:21:38 UTC 2021 - Matej Cepl ------------------------------------------------------------------- Fri Jun 4 21:36:30 UTC 2021 - Dirk Müller -- allow build with Sphinx >= 3.x +- allow build with Sphinx >= 3.x ------------------------------------------------------------------- Wed Jun 2 13:12:04 UTC 2021 - Dan Čermák @@ -1697,7 +1872,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner - Last try before this results in an editwar: - * remove importlib_resources and importlib-metadata + * remove importlib_resources and importlib-metadata provides/obsoletes * import importlib_resources is not the same as import importlib.resources, same for metadata 
@@ -1814,54 +1989,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer - Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream - Removed recursion.tar: contained in upstream - Update to 3.9.0b5: - - bpo-41304: Fixes python3x._pth being ignored on Windows, caused + - bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801). - bpo-41162: Audit hooks are now cleared later during finalization to avoid missing events. - - bpo-29778: Ensure python3.dll is loaded from correct locations + - bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523). - - bpo-39603: Prevent http header injection by rejecting control + - bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…). - bpo-41295: Resolve a regression in CPython 3.8.4 where defining - “__setattr__” in a multi-inheritance setup and + “__setattr__” in a multi-inheritance setup and calling up the hierarchy chain could fail if builtins/extension types were involved in the base types. - - bpo-41247: Always cache the running loop holder when running + - bpo-41247: Always cache the running loop holder when running asyncio.set_running_loop. - - bpo-41252: Fix incorrect refcounting in + - bpo-41252: Fix incorrect refcounting in _ssl.c’s _servername_callback(). - - bpo-41215: Use non-NULL default values in the PEG parser + - bpo-41215: Use non-NULL default values in the PEG parser keyword list to overcome a bug that was ' preventing Python from being properly compiled when using the XLC compiler. Patch by Pablo Galindo. - - bpo-41218: Python 3.8.3 had a regression where compiling with - ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would + - bpo-41218: Python 3.8.3 had a regression where compiling with + ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would aggressively mark list comprehension with CO_COROUTINE. Now only list comprehension making use of async/await will tagged as so. 
- - bpo-41175: Guard against a NULL pointer dereference within + - bpo-41175: Guard against a NULL pointer dereference within bytearrayobject triggered by the bytearray() + bytearray() operation. - - bpo-39960: The “hackcheck” that prevents sneaking around a type’s - __setattr__() by calling the superclass method was + - bpo-39960: The “hackcheck” that prevents sneaking around a type’s + __setattr__() by calling the superclass method was rewritten to allow C implemented heap types. - - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the + - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. - - bpo-39017: Avoid infinite loop when reading specially crafted + - bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907, bsc#1174091). - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params(). - - bpo-41207: In distutils.spawn, restore expectation that + - bpo-41207: In distutils.spawn, restore expectation that DistutilsExecError is raised when the command is not found. - bpo-39168: Remove the __new__ method of typing.Generic. - - bpo-41194: Fix a crash in the _ast module: it can no longer be + - bpo-41194: Fix a crash in the _ast module: it can no longer be loaded more than once. It now uses a global state rather than a module state. - - bpo-39384: Fixed email.contentmanager to allow set_content() to set a + - bpo-39384: Fixed email.contentmanager to allow set_content() to set a null string. - - bpo-41300: Save files with non-ascii chars. + - bpo-41300: Save files with non-ascii chars. Fix regression released in 3.9.0b4 and 3.8.4. - - bpo-37765: Add keywords to module name completion list. + - bpo-37765: Add keywords to module name completion list. Rewrite Completions section of IDLE doc. 
- - bpo-40170: Revert PyType_HasFeature() change: it reads - again directly the PyTypeObject.tp_flags - member when the limited C API is not used, rather than always calling + - bpo-40170: Revert PyType_HasFeature() change: it reads + again directly the PyTypeObject.tp_flags + member when the limited C API is not used, rather than always calling PyType_GetFlags() which hides implementation details. ------------------------------------------------------------------- @@ -2382,7 +2557,7 @@ Wed Jun 5 12:19:09 CEST 2019 - Matej Cepl pickling costs between processes - typed_ast is merged back to CPython - LOAD_GLOBAL is now 40% faster - - pickle now uses Protocol 4 by default, improving performance + - pickle now uses Protocol 4 by default, improving performance - Remove patches which were included in the upstream: - 00251-change-user-install-location.patch - 00316-mark-bdist_wininst-unsupported.patch @@ -2527,7 +2702,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com - Upgrade to 3.7.2rc1: * bugfix release, for the full list of all changes see - https://docs.python.org/3.7/whatsnew/changelog.html#changelog + https://docs.python.org/3.7/whatsnew/changelog.html#changelog - Make run of the test suite more verbose ------------------------------------------------------------------- @@ -2954,7 +3129,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com - Add 0001-allow-for-reproducible-builds-of-python-packages.patch - upstream https://github.com/python/cpython/pull/296 + upstream https://github.com/python/cpython/pull/296 ------------------------------------------------------------------- Wed Feb 8 12:30:20 UTC 2017 - jmatejek@suse.com 
@@ -3020,7 +3195,7 @@ Mon Mar 7 20:38:11 UTC 2016 - toddrme2178@gmail.com - Add Python-3.5.1-fix_lru_cache_copying.patch Fix copying the lru_cache() wrapper object. - Fixes deep-copying lru_cache regression, which worked on + Fixes deep-copying lru_cache regression, which worked on previous versions of python but fails on python 3.5. This fixes a bunch of packages in devel:languages:python3. See: https://bugs.python.org/issue25447 @@ -3158,7 +3333,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com ------------------------------------------------------------------- Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org -- Only pkgconfig(x11) is required for build, not the whole +- Only pkgconfig(x11) is required for build, not the whole set of packages provided by xorg-x11-devel metapackage. ------------------------------------------------------------------- @@ -3218,7 +3393,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com ------------------------------------------------------------------- Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com -- remove blacklisting of test_posix on aarch64: qemu bug is fixed +- remove blacklisting of test_posix on aarch64: qemu bug is fixed ------------------------------------------------------------------- Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com @@ -3321,7 +3496,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com ------------------------------------------------------------------- Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org -- build with -DOPENSSL_LOAD_CONF for the same reasons +- build with -DOPENSSL_LOAD_CONF for the same reasons described in the python2 package. ------------------------------------------------------------------- 
@@ -3333,7 +3508,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com ------------------------------------------------------------------- Thu Aug 8 14:54:49 UTC 2013 - dvaleev@suse.com -- Exclue test_faulthandler from tests on powerpc due to bnc#831629 +- Exclue test_faulthandler from tests on powerpc due to bnc#831629 ------------------------------------------------------------------- Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com @@ -3392,7 +3567,7 @@ Fri Mar 1 07:42:21 UTC 2013 - dmueller@suse.com - add ctypes-libffi-aarch64.patch: * import aarch64 support for libffi in _ctypes module -- add aarch64 to the list of lib64 based archs +- add aarch64 to the list of lib64 based archs - add movetogetdents64.diff: * port to getdents64, as SYS_getdents is not implemented everywhere @@ -3446,9 +3621,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com ------------------------------------------------------------------- Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com -- exclude test_math for SLE 11; math library fails on negative +- exclude test_math for SLE 11; math library fails on negative gamma function values close to integers and 0, probably - due to imprecision in -lm on SLE_11_SP2. + due to imprecision in -lm on SLE_11_SP2. ------------------------------------------------------------------- Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com @@ -3472,7 +3647,7 @@ Mon Oct 1 08:53:03 UTC 2012 - idonmez@suse.com ------------------------------------------------------------------- Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com -- Correct dependency for python3-testsuite, +- Correct dependency for python3-testsuite, python3-tkinter -> python3-tk ------------------------------------------------------------------- 
@@ -3505,7 +3680,7 @@ Fri Aug 3 12:09:34 UTC 2012 - jmatejek@suse.com ------------------------------------------------------------------- Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com -- skip test_io on ppc +- skip test_io on ppc - drop test_io ppc patch -------------------------------------------------------------------
@@ -3554,8 +3729,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com ------------------------------------------------------------------- Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com -- Use system ffi, included one is broken see - http://bugs.python.org/issue11729 and +- Use system ffi, included one is broken see + http://bugs.python.org/issue11729 and http://bugs.python.org/issue12081 -------------------------------------------------------------------
diff --git a/python310.spec b/python310.spec
index d7fee4e..f3bfd07 100644
--- a/python310.spec
+++ b/python310.spec
@@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.10.8
+Version: 3.10.9
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
@@ -166,18 +166,6 @@ Patch35: fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36: support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
-# avoid the command injection in the mailcap module.
-Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
-# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
-# this patch makes things totally awesome
-Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mcepl@suse.com
-# Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method
-Patch39: CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
-# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
-# Avoid DoS by decoding IDNA for too long domain names
-Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -446,10 +434,6 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac