From 8e56b3482c24762e30ab500c607f5b41aada0ceb59ef95ab1f09a1e398241b30 Mon Sep 17 00:00:00 2001 
From: Matej Cepl
Date: Sun, 11 Sep 2022 08:41:57 +0000
Subject: [PATCH] =?UTF-8?q?-=20Update=20to=203.10.7:=20=20=20-=20Fix=20for?= =?UTF-8?q?=20CVE-2020-10735=20(bsc#1203125)=20Converting=20between=20int?= =?UTF-8?q?=20=20=20=20=20and=20str=20in=20bases=20other=20than=202=20(bin?= =?UTF-8?q?ary),=204,=208=20(octal),=2016=20=20=20=20=20(hexadecimal),=20o?= =?UTF-8?q?r=2032=20such=20as=20base=2010=20(decimal)=20now=20raises=20=20?= =?UTF-8?q?=20=20=20a=20ValueError=20if=20the=20number=20of=20digits=20in?= =?UTF-8?q?=20string=20form=20is=20above=20=20=20=20=20a=20limit=20to=20av?= =?UTF-8?q?oid=20potential=20denial=20of=20service=20attacks=20due=20to=20?= =?UTF-8?q?=20=20=20=20the=20algorithmic=20complexity.=20=20=20-=20Other?= =?UTF-8?q?=20bug=20fixes:=20=20=20=20=20-=20Fixed=20a=20bug=20that=20caus?= =?UTF-8?q?ed=20=5FPyCode=5FGetExtra=20to=20return=20garbage=20=20=20=20?= =?UTF-8?q?=20=20=20for=20negative=20indexes.=20=20=20=20=20-=20Fix=20form?= =?UTF-8?q?at=20string=20in=20=5FPyPegen=5Fraise=5Ferror=5Fknown=5Flocatio?= =?UTF-8?q?n=20=20=20=20=20=20=20that=20can=20lead=20to=20memory=20corrupt?= =?UTF-8?q?ion=20on=20some=2064bit=20systems.=20=20=20=20=20=20=20The=20fu?= =?UTF-8?q?nction=20was=20building=20a=20tuple=20with=20i=20(int)=20instea?= =?UTF-8?q?d=20of=20=20=20=20=20=20=20n=20(Py=5Fssize=5Ft)=20for=20Py=5Fss?= =?UTF-8?q?ize=5Ft=20arguments.=20=20=20=20=20-=20Fix=20misleading=20conte?= =?UTF-8?q?nts=20of=20error=20message=20when=20converting=20an=20=20=20=20?= =?UTF-8?q?=20=20=20all-whitespace=20string=20to=20float.=20=20=20=20=20-?= =?UTF-8?q?=20coroutine.throw()=20now=20properly=20initializes=20the=20fra?= =?UTF-8?q?me.f=5Fback=20=20=20=20=20=20=20when=20resuming=20a=20stack=20o?= =?UTF-8?q?f=20coroutines.=20This=20allows=20e.g.=20=20=20=20=20=20=20trac?= =?UTF-8?q?eback.print=5Fstack()=20to=20work=20correctly=20when=20an=20exc?= =?UTF-8?q?eption=20=20=20=20=20=20=20(such=20as=20CancelledError)=20is=20?=
=?UTF-8?q?thrown=20into=20a=20coroutine.=20=20=20=20=20-=20ast.parse()=20?= =?UTF-8?q?will=20no=20longer=20parse=20function=20definitions=20with=20?= =?UTF-8?q?=20=20=20=20=20=20positional-only=20params=20when=20passed=20fe?= =?UTF-8?q?ature=5Fversion=20less=20=20=20=20=20=20=20than=20(3,=208).=20?= =?UTF-8?q?=20=20=20=20-=20Correct=20conversion=20of=20numbers.Rational?= =?UTF-8?q?=E2=80=99s=20to=20float.=20=20=20=20=20-=20Fix=20a=20performanc?= =?UTF-8?q?e=20regression=20in=20logging=20=20=20=20=20=20=20TimedRotating?= =?UTF-8?q?FileHandler.=20Only=20check=20for=20special=20files=20when=20?= =?UTF-8?q?=20=20=20=20=20=20the=20rollover=20time=20has=20passed.=20=20?= =?UTF-8?q?=20=20=20-=20Fix=20unused=20localName=20parameter=20in=20the=20?= =?UTF-8?q?Attr=20class=20in=20=20=20=20=20=20=20xml.dom.minidom.=20=20=20?= =?UTF-8?q?=20=20-=20Update=20bundled=20pip=20to=2022.2.2.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=56
---
 Python-3.10.6.tar.xz | 3 --
 Python-3.10.6.tar.xz.asc | 16 -------
 Python-3.10.7.tar.xz | 3 ++
 Python-3.10.7.tar.xz.asc | 16 +++++++
 fix_configure_rst.patch | 2 +-
 python310.changes | 52 ++++++++++++++++++++++
 python310.spec | 4 +-
 support-expat-CVE-2022-25236-patched.patch | 10 ++---
 8 files changed, 79 insertions(+), 27 deletions(-)
 delete mode 100644 Python-3.10.6.tar.xz
 delete mode 100644 Python-3.10.6.tar.xz.asc
 create mode 100644 Python-3.10.7.tar.xz
 create mode 100644 Python-3.10.7.tar.xz.asc
diff --git a/Python-3.10.6.tar.xz b/Python-3.10.6.tar.xz
deleted file mode 100644
index d3ccbef..0000000
--- a/Python-3.10.6.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f795ff87d11d4b0c7c33bc8851b0c28648d8a4583aa2100a98c22b4326b6d3f3
-size 19600672
diff --git a/Python-3.10.6.tar.xz.asc b/Python-3.10.6.tar.xz.asc
deleted file mode 100644
index 888d94f..0000000
--- a/Python-3.10.6.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmLoOeYACgkQ/+h0BBaL
-2EeOCw/8DZ+RhttyrfzanYVN8lkWASoyG3BO9dcUpuKgq70kcfnMVySDMoKcluJM
-ACJGbJf7XvyiUaylbpiJsvgIbbdhprcJR0O/xCQqouBbjZEW/oOMJWTVOALlOAEG
-PutOdZpxFUltFu49g9fumvZxfouN+/GGYJy3RA13MDl/kL+UWMzaHh4U54+fuD/K
-iAxezTitzj/sRhgmpqoOPXN8wzalifAc5bJWRe2xcQQHFJQjOAbg3lA4tmiKGOuJ
-inbacNNkkkWj6cMirIcwZ+25wXiBmTFlEl/Q/yOeHxJkiVDxD6/MKKarV0LNRLZL
-eug4D+jp+XpCC48IvMQhZ7tUe3BlgUIyyUeq2hmiVkNzFHLNEG4Drihj/Zic3lt8
-LbcAOWEvR58qBoz6foPNahudBqlAL/jaKMDAOAd5X5oOUDXwWag4MjH5lJwb1S0D
-cctY9azwCCGss6iFyi/zD2RB7QXrF+NRbUcEoMIjJJ/w5mB3sAKMTEV3wbOyrDkG
-x4NQDfozZtvrVACJ9A6j4Vnh4CO4Gl/8dpV2ABcoIjE5IZgSyak/GhUaNIdBHkno
-LgEKGYY8Wp/rw7PgHlhxYYcn0I/Y2Ej6ki03weRrD6Lpt6AUKh2eQCgjFC1xBSUh
-2eM7eOOD8FD4h+urrTTmNAiTl7OFLtQfwhWzonrsCOJJF3Yqcho=
-=0eZA
------END PGP SIGNATURE-----
diff --git a/Python-3.10.7.tar.xz b/Python-3.10.7.tar.xz
new file mode 100644
index 0000000..8f494d2
--- /dev/null
+++ b/Python-3.10.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48
+size 19618696
diff --git a/Python-3.10.7.tar.xz.asc b/Python-3.10.7.tar.xz.asc
new file mode 100644
index 0000000..1fc8949
--- /dev/null
+++ b/Python-3.10.7.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmMV9eMACgkQ/+h0BBaL
+2Ec6FQ//eXrKOb5NoocNPIs9o5Jcbk5jtWxnOp3mqjO8D/LBYc8gwovZMPd+903w
+In2QWtPSK22ZWdaR4DqizK9GjBRi+Y/ZEFfh3uiPM0I2/jGkr5BXizRZNdTo3GyB
+/OuPiBKBVqMgTSGrpO4M24yUekqGdPfzg614GroWSr/16UVVUQADE8DP+BJCTIbk
+v+t+AIYsALR0cUO+uqp2QbWf7N2aF+r08g59Vyb09+Nr2ZfjjINIbHQgRtHv7ZoI
+7BsWiGW3qIeY8XxYt1/kWv4yMqaTyABdmdEHeM0vCzeEUpurj5072isGvOpI92N4
+LZ6nK8GR4pBS+OfOB7bgzUTC+tQ48wPQwb9lZTuWfSXGYotVdTXs1zW6o1T+vply
+MrMZcsc6Y9o8fX3Mkkv4zT9S6JkXtq/MUTIZ27cZr492DzJNaKBG+NqF22FKR35M
+ojLK24YpGyw2PCIlUSiFfAqkGNu53U5rP3N71mh7Ao00nx8WhKj4YAci0tBkfHyw
+NYoX4tz7ybiR3zV5kyrmJv4G2x89cgosfHuEL2Lr+Irf3PV5vgjXHteAwu8Egdej
+myokqzWEwoqNtrK9JsSYE3bcWmrVU9R/siQnNJXKWj+AkHKG0jMsrIh6iRvQGDhp
+Q3Avu3ZQ/K9rreZ4Jk1DHX3BoDvRIFdEjBDAB+b6UUQEGE32nj8=
+=O8kG
+-----END PGP SIGNATURE-----
diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch
index bbca1cd..9d62100 100644
--- a/fix_configure_rst.patch
+++ b/fix_configure_rst.patch
@@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -2683,7 +2683,7 @@ C API
+@@ -2783,7 +2783,7 @@ C API
 -----
 - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
diff --git a/python310.changes b/python310.changes
index cf8b6dc..17901eb 100644
--- a/python310.changes
+++ b/python310.changes
@@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Sun Sep 11 08:32:53 UTC 2022 - Matej Cepl
+
+- Update to 3.10.7:
+ - Fix for CVE-2020-10735 (bsc#1203125) Converting between int
+ and str in bases other than 2 (binary), 4, 8 (octal), 16
+ (hexadecimal), or 32 such as base 10 (decimal) now raises
+ a ValueError if the number of digits in string form is above
+ a limit to avoid potential denial of service attacks due to
+ the algorithmic complexity.
+ - Other bug fixes:
+ - Fixed a bug that caused _PyCode_GetExtra to return garbage
+ for negative indexes.
+ - Fix format string in _PyPegen_raise_error_known_location
+ that can lead to memory corruption on some 64bit systems.
+ The function was building a tuple with i (int) instead of
+ n (Py_ssize_t) for Py_ssize_t arguments.
+ - Fix misleading contents of error message when converting an
+ all-whitespace string to float.
+ - coroutine.throw() now properly initializes the frame.f_back
+ when resuming a stack of coroutines. This allows e.g.
+ traceback.print_stack() to work correctly when an exception
+ (such as CancelledError) is thrown into a coroutine.
+ - ast.parse() will no longer parse function definitions with
+ positional-only params when passed feature_version less
+ than (3, 8).
+ - Correct conversion of numbers.Rational’s to float.
+ - Fix a performance regression in logging
+ TimedRotatingFileHandler. Only check for special files when
+ the rollover time has passed.
+ - Fix unused localName parameter in the Attr class in
+ xml.dom.minidom.
+ - Update bundled pip to 22.2.2.
+ - Fail gracefully if EPERM or ENOSYS is raised when loading
+ crypt methods. This may happen when trying to load MD5 on
+ a Linux kernel with FIPS enabled.
+ - Improve discoverability of the higher level
+ concurrent.futures module by providing clearer links from
+ the lower level threading and multiprocessing modules.
+ - Update the default RFC base URL from deprecated
+ tools.ietf.org to datatracker.ietf.org
+ - Fix stylesheet not working in Windows CHM htmlhelp docs.
+ - The documentation now lists which members of C structs are
+ part of the Limited API/Stable ABI.
+ - Mitigate the inherent race condition from using
+ find_unused_port() in testSockName() by trying to find an
+ unused port a few times before failing.
+ - Build and test with OpenSSL 1.1.1q
+ - Document handling of extensions in Save As dialogs.
+ - Include prompts when saving Shell (interactive input and
+ output).
+
 -------------------------------------------------------------------
 Wed Aug 17 11:08:56 UTC 2022 - Dirk Müller
diff --git a/python310.spec b/python310.spec
index 3bbb087..7f8e1af 100644
--- a/python310.spec
+++ b/python310.spec
@@ -67,7 +67,7 @@ Obsoletes: python39%{?1:-%{1}}
 %define tarversion %{version}
 %endif
 # We don't process beta signs well
-%define folderversion 3.10.6
+%define folderversion 3.10.7
 %define tarname Python-%{tarversion}
 %define sitedir %{_libdir}/python%{python_version}
 # three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
@@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.10.6
+Version: 3.10.7
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
diff --git a/support-expat-CVE-2022-25236-patched.patch b/support-expat-CVE-2022-25236-patched.patch
index e7b3acb..5b26c99 100644
--- a/support-expat-CVE-2022-25236-patched.patch
+++ b/support-expat-CVE-2022-25236-patched.patch
@@ -23,8 +23,8 @@ Also, test_minidom.py: Support Expat >=2.4.5
 Co-authored-by: Sebastian Pipping
 ---
- Lib/test/test_minidom.py | 25 ++++++++++---------------
- 1 file changed, 10 insertions(+), 15 deletions(-)
+ Lib/test/test_minidom.py | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
 --- a/Lib/test/test_minidom.py
@@ -36,8 +36,8 @@ Co-authored-by: Sebastian Pipping
 -import pyexpat
 import xml.dom.minidom
- from xml.dom.minidom import parse, Node, Document, parseString
-@@ -1149,13 +1148,11 @@ class MinidomTest(unittest.TestCase):
+ from xml.dom.minidom import parse, Attr, Node, Document, parseString
+@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase):
 # Verify that character decoding errors raise exceptions instead
 # of crashing
@@ -56,7 +56,7 @@ Co-authored-by: Sebastian Pipping
 b'Comment \xe7a va ? Tr\xe8s bien ?')
 doc.unlink()
-@@ -1617,12 +1614,10 @@ class MinidomTest(unittest.TestCase):
+@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase):
 self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
 def testExceptionOnSpacesInXMLNSValue(self):