Accepting request 1095863 from devel:languages:python:Factory

- Update to 3.10.12: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471). - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750). - Remove upstreamed patches: - CVE-2023-24329-blank-URL-bypass.patch - CVE-2007-4559-filter-tarfile_extractall.patch OBS-URL: https://build.opensuse.org/request/show/1095863 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=33
2023-06-30 17:58:24 +00:00 · 2023-06-30 17:58:24 +00:00 · 7870b5cb09
commit 7870b5cb09
parent d26ce719ad 4c4727d238
8 changed files with 51 additions and 2671 deletions
--- a/CVE-2007-4559-filter-tarfile_extractall.patch
+++ b/CVE-2007-4559-filter-tarfile_extractall.patch
--- a/CVE-2023-24329-blank-URL-bypass.patch
+++ b/CVE-2023-24329-blank-URL-bypass.patch
@ -1,55 +0,0 @@
-From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
-From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
-Date: Sat, 12 Nov 2022 15:43:33 -0500
-Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
- schemes that don't begin with an alphabetical ASCII character.
-
---
- Lib/test/test_urlparse.py                                              |   18 ++++++++++
- Lib/urllib/parse.py                                                    |    2 -
- Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
- 3 files changed, 21 insertions(+), 1 deletion(-)
-
--- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
-                         with self.assertRaises(ValueError):
-                             p.port
- 
-+    def test_attributes_bad_scheme(self):
-+        """Check handling of invalid schemes."""
-+        for bytes in (False, True):
-+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
-+                for scheme in (".", "+", "-", "0", "http&", "६http"):
-+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
-+                        url = scheme + "://www.example.net"
-+                        if bytes:
-+                            if url.isascii():
-+                                url = url.encode("ascii")
-+                            else:
-+                                continue
-+                        p = parse(url)
-+                        if bytes:
-+                            self.assertEqual(p.scheme, b"")
-+                        else:
-+                            self.assertEqual(p.scheme, "")
-+
-     def test_attributes_without_netloc(self):
-         # This example is straight from RFC 3261.  It looks like it
-         # should allow the username, hostname, and port to be filled
--- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
-         clear_cache()
-     netloc = query = fragment = ''
-     i = url.find(':')
-    if i > 0:
-+    if i > 0 and url[0].isascii() and url[0].isalpha():
-         for c in url[:i]:
-             if c not in scheme_chars:
-                 break
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
-@@ -0,0 +1,2 @@
-+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
-+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--- a/Python-3.10.11.tar.xz
+++ b/Python-3.10.11.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3c3bc3048303721c904a03eb8326b631e921f11cc3be2988456a42f115daf04c
-size 19640792
--- a/Python-3.10.11.tar.xz.asc
+++ b/Python-3.10.11.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmQsoHwACgkQ/+h0BBaL
-2Efs9BAAheWCnenhHhXi0m0DgyB6eEVH8xmZrBqA1WMgGQOqWVZmEnJdc0IXyFWQ
-1A4C59d6rEvu8jvXTLvsqGEmehofKqq0bXB1tMUBn9CwSiELOm19WvCHc/Htwo2U
-DsvAsXXO7vBkKBT9+CQ4BmkGzPUTrBLZRHsQX/M/tpx81jnQVunoMojyPK19sf1I
-C+YnxE0cQVL9+INd0WtbVByJIwzBBDCLqTQWL//73CqFs8IO6PsjFXqmlVqVfpmz
-aEXuGeRkRgy7kZaDdLcnhBq7a6vgaecfgfRUGyBgwgakfrHA5SOdsWdAonjA676J
-6DHmFIf82R4wo7Vu0WAfFAq9jJfVxXN7n5Y/N/cxzqjhrfO341vCflN1c16VAFnu
-ok7n50poENO/tMRerOEj5baL+mToi8Wh+cYHY6tNpaM2iP+bSyjoS+Ff225xhdNV
-fqGuyaH7cPgGgoXECrSb7iTWYZxJxQV9S8OlR2gX8IlA+XrbGWQl0PvmErhO3FqN
-W88gBmYrzrSl6+dzF62yn2gKFc2K5k6NmCcySFfjY87G7RhEf1ixPeDyMSvbKlVw
-sJWeoXuCNPL+PQV+V76UAbn3bEvH87fyImxoYHNAIbHh8JaTvO5vIKDrrsw92siQ
-6Pud3Oy6DcD5gWX2KcaAjQjruh18dljsbYN+2KVFfQHM8SYeXns=
-=enP4
-----END PGP SIGNATURE-----
--- a/Python-3.10.12.tar.xz
+++ b/Python-3.10.12.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:afb74bf19130e7a47d10312c8f5e784f24e0527981eab68e20546cfb865830b8
+size 19654836
--- a/Python-3.10.12.tar.xz.asc
+++ b/Python-3.10.12.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/tqIACgkQ/+h0BBaL
+2EfUfg/9FW0m6nngtGIKTJ+Gk4G13pQvnELgc3eq70t7Sn1g2kGxDpO+rs0WptYG
+gGcHs6v4rE/3uQ0mf4QCvnnXffQEQ+bRDaj1ZBY/rJjCdgQeUNMElV0KbvADiTqS
+akmsXaK3KqLHJesZo65lZ4HSADWKosBU3zxE2/CRMMsz1aLMDLIoaQo+pqDcFl7
+ZfGMlmiJNyD2jZVYGdwCbhG0BymOTU02BxkH2Dkd9OGzj9A3zDPCO6RcDFtw4dkK
+lngHQGijYaFV11FqIaApnUkz7aAPk//2KRLwpf5D5z8p8T8QsHAJyTmIm1gMQiQA
+tMThI1tFGN6lF1QSrfwGooXs3AdeEY0VoL4CpQi8TVRLyi6HE4AU4hEQdPqVmpm1
+U2K0MpYhkwtPp0E9E7y9v82fMSzUKvGgpTstnblKTfDmgGUGb47Ncj3XvxH8SZz
+p93YK2xpfl4V2ltLio8ONmwP9lQhxk5L34dQR20cjbOoj622VofqGUV7Zr6UHVLD
+pqYgnj3zgiTPmbCzgVxZOyaLD3ezsY8oAtfLgX6cjCfsTtV27TvQUD8Br0oKQYS/
+h5KJBdytokqPa+JWr59hvQpcLSbmCB2y7USminoS2yL1hpXidTvVDUALF3vorvZi
+BS8prxUIFT2dgerUpWmMrKYih7pJNKdySGgI3zXtxIt5TE0TRag=
+=9Zqh
+-----END PGP SIGNATURE-----
--- a/python310.changes
+++ b/python310.changes
@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Update to 3.10.12:
+  - gh-103142: The version of OpenSSL used in Windows and
+    Mac installers has been upgraded to 1.1.1u to address
+    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
+    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
+    fixed previously in 1.1.1t (gh-101727).
+  - gh-102153: urllib.parse.urlsplit() now strips leading C0
+    control and space characters following the specification for
+    URLs defined by WHATWG in response to CVE-2023-24329
+    (bsc#1208471).
+  - gh-99889: Fixed a security in flaw in uu.decode() that could
+    allow for directory traversal based on the input if no
+    out_file was specified.
+  - gh-104049: Do not expose the local on-disk
+    location in directory indexes produced by
+    http.client.SimpleHTTPRequestHandler.
+  - gh-103935: trace.__main__ now uses io.open_code() for files
+    to be executed instead of raw open().
+  - gh-102953: The extraction methods in tarfile, and
+    shutil.unpack_archive(), have a new filter argument that
+    allows limiting tar features than may be surprising or
+    dangerous, such as creating files outside the destination
+    directory. See Extraction filters for details (fixing
+    CVE-2007-4559, bsc#1203750).
+- Remove upstreamed patches:
+  - CVE-2023-24329-blank-URL-bypass.patch
+  - CVE-2007-4559-filter-tarfile_extractall.patch
+
 -------------------------------------------------------------------
 Tue Jun 20 21:39:58 UTC 2023 - Matej Cepl <mcepl@suse.com>

--- a/python310.spec
+++ b/python310.spec
@ -103,7 +103,7 @@ Obsoletes:      python39%{?1:-%{1}}
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.10.11
+Version:        3.10.12
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@ -166,13 +166,6 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
-# blocklist bypass via the urllib.parse component when supplying
-# a URL that starts with blank characters
-Patch37:        CVE-2023-24329-blank-URL-bypass.patch
-# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
-# PEP 706 – Filter for tarfile.extractall
-Patch38:        CVE-2007-4559-filter-tarfile_extractall.patch
 # PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
 # Make `set` and `frozenset` marshalling deterministic
 Patch39:        bpo-37596-make-set-marshalling.patch
@ -447,8 +440,6 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
-%patch37 -p1
-%patch38 -p1
 %patch39 -p1

 # drop Autoconf version requirement