- Update to 3.10.8:

- Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - The deprecated mailcap module now refuses to inject unsafe
    text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
  - os.sched_yield() now release the GIL while calling
    sched_yield(2).
  - Bugfix: PyFunction_GetAnnotations() should return a borrowed
    reference. It was returning a new reference.
  - Fixed a missing incref/decref pair in
    Exception.__setstate__().
  - Fix overly-broad source position information for chained
    comparisons used as branching conditions.
  - Fix undefined behaviour in _testcapimodule.c.
  - At Python exit, sometimes a thread holding the GIL can
    wait forever for a thread (usually a daemon thread) which

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=61
This commit is contained in:
Matej Cepl 2022-10-19 07:46:21 +00:00 committed by Git OBS Bridge
parent 01ff931ee1
commit 9ffbba32c9
10 changed files with 145 additions and 197 deletions

View File

@ -5,17 +5,16 @@ Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
filenames/types/params
---
Doc/library/mailcap.rst | 12 ++++
Lib/mailcap.py | 26 +++++++++-
Lib/test/test_mailcap.py | 8 ++-
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +
4 files changed, 46 insertions(+), 4 deletions(-)
Doc/library/mailcap.rst | 12 ++++++++++
Lib/mailcap.py | 5 ++++
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
3 files changed, 21 insertions(+)
--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -60,6 +60,18 @@ standard. However, mailcap files are su
use) to determine whether or not the mailcap line applies. :func:`findmatch`
will automatically check such conditions and skip the entry if the check fails.
@@ -27,6 +27,18 @@ The mailcap format is documented in :rfc
Mechanism For Multimedia Mail Format Information", but is not an internet
standard. However, mailcap files are supported on most Unix systems.
+ .. versionchanged:: 3.11
+
@ -30,21 +29,13 @@ Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
+ ``findmatch`` will ignore all mailcap entries which use that value.
+ A :mod:`warning <warnings>` will be raised in either case.
.. function:: getcaps()
.. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[])
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
import os
import warnings
+import re
__all__ = ["getcaps","findmatch"]
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
else:
return 1, 0
@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001
class UnsafeMailcapInput(Warning):
"""Warning raised when refusing unsafe input"""
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
@ -54,79 +45,6 @@ Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
# Part 1: top-level interface.
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view'
entry to use.
"""
+ if _find_unsafe(filename):
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
entries = lookup(caps, MIMEtype, key)
# XXX This code should somehow check for the needsterminal flag.
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts
--- a/Lib/test/test_mailcap.py
+++ b/Lib/test/test_mailcap.py
@@ -123,7 +123,8 @@ class HelperFunctionTest(unittest.TestCa
(["", "audio/*", "foo.txt"], ""),
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
+ (["echo %t", "audio/*", "foo.txt"], None),
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -207,7 +208,10 @@ class FindmatchTest(unittest.TestCase):
('"An audio fragment"', audio_basic_entry)),
([c, "audio/*"],
{"filename": fname},
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
+ (None, None)),
+ ([c, "audio/wav"],
+ {"filename": fname},
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
([c, "message/external-body"],
{"plist": plist},
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48
size 19618696

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmMV9eMACgkQ/+h0BBaL
2Ec6FQ//eXrKOb5NoocNPIs9o5Jcbk5jtWxnOp3mqjO8D/LBYc8gwovZMPd+903w
In2QWtPSK22ZWdaR4DqizK9GjBRi+Y/ZEFfh3uiPM0I2/jGkr5BXizRZNdTo3GyB
/OuPiBKBVqMgTSGrpO4M24yUekqGdPfzg614GroWSr/16UVVUQADE8DP+BJCTIbk
v+t+AIYsALR0cUO+uqp2QbWf7N2aF+r08g59Vyb09+Nr2ZfjjINIbHQgRtHv7ZoI
7BsWiGW3qIeY8XxYt1/kWv4yMqaTyABdmdEHeM0vCzeEUpurj5072isGvOpI92N4
LZ6nK8GR4pBS+OfOB7bgzUTC+tQ48wPQwb9lZTuWfSXGYotVdTXs1zW6o1T+vply
MrMZcsc6Y9o8fX3Mkkv4zT9S6JkXtq/MUTIZ27cZr492DzJNaKBG+NqF22FKR35M
ojLK24YpGyw2PCIlUSiFfAqkGNu53U5rP3N71mh7Ao00nx8WhKj4YAci0tBkfHyw
NYoX4tz7ybiR3zV5kyrmJv4G2x89cgosfHuEL2Lr+Irf3PV5vgjXHteAwu8Egdej
myokqzWEwoqNtrK9JsSYE3bcWmrVU9R/siQnNJXKWj+AkHKG0jMsrIh6iRvQGDhp
Q3Avu3ZQ/K9rreZ4Jk1DHX3BoDvRIFdEjBDAB+b6UUQEGE32nj8=
=O8kG
-----END PGP SIGNATURE-----

3
Python-3.10.8.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3
size 19619508

16
Python-3.10.8.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmNFVREACgkQ/+h0BBaL
2EfmBhAAlIlx22S5RL7ehPDOWlEj06uK87EKEfMXch2DMapEXsrBR2Z+Q3Kb0Le+
T3vru6k9MUbDGI0pei+o5k621jvg8Gj+0rUKTydAd46Pt9ZoCPWuIdyWKaJBknLu
XsYs6Xiv6Ug7Q3JGy67j8ei6bFoqATyYEe45ljReVfug7VmisjMXHdiyZoAkAFMO
fDZvtfXRY/ZwLcCfK5SkaJqSRVfYowAh1lQqiXDnbfaX40BVCw78YKFsYN//PCpU
DrsE7JFapXQGvCJmcZ+WC8A/WMjyLoKI36w2WDcy8AFKsf49xQWPEWnUzXcJyF2n
zKGxn6kUEMdzelSWWWqMYlckL6Xf87E+CRTRS0MRX6OIrf+zJkeEoWRW8cGT/U8I
1o0hawm9O50nSIjMGzaXGKjWsHLSIeOA9ToLz19TzzO7VikNkXAx5gQcHQu3bJyT
SrMCw/VXJy+0BinBpSX/qZoptX2+6lFfArb/xOZGX2ZhU44+ecPrUHxB8xiw0qr8
pw16k6nCkW3f0aZ0jrlsfNLsXr9G/ZRu+ugrcTTQ53rfXO0pQ5nxm0CJ5O9twDjw
DIKvuqnOHlSGEcFM4bNDvpqskDnXrK6oyqBvtVhsjdFAp8YHYoM0yALTBlS4v2Xt
Em1BPUXHps0M1AY59KrXe0OpwibJjKhvWoogAS5bqe/mYInBE/Y=
=2vcv
-----END PGP SIGNATURE-----

View File

@ -29,7 +29,7 @@
Create a Python.framework rather than a traditional Unix install. Optional
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -2783,7 +2783,7 @@ C API
@@ -2979,7 +2979,7 @@ C API
-----
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name

View File

@ -1,3 +1,114 @@
-------------------------------------------------------------------
Wed Oct 19 07:12:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Update to 3.10.8:
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- The deprecated mailcap module now refuses to inject unsafe
text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- os.sched_yield() now release the GIL while calling
sched_yield(2).
- Bugfix: PyFunction_GetAnnotations() should return a borrowed
reference. It was returning a new reference.
- Fixed a missing incref/decref pair in
Exception.__setstate__().
- Fix overly-broad source position information for chained
comparisons used as branching conditions.
- Fix undefined behaviour in _testcapimodule.c.
- At Python exit, sometimes a thread holding the GIL can
wait forever for a thread (usually a daemon thread) which
requested to drop the GIL, whereas the thread already
exited. To fix the race condition, the thread which requested
the GIL drop now resets its request before exiting.
- Fix a possible assertion failure, fatal error, or SystemError
if a line tracing event raises an exception while opcode
tracing is enabled.
- Fix undefined behaviour in C code of null pointer arithmetic.
- Do not expose KeyWrapper in _functools.
- When loading a file with invalid UTF-8 inside a multi-line
string, a correct SyntaxError is emitted.
- Disable incorrect pickling of the C implemented classmethod
descriptors.
- Fix AttributeError missing name and obj attributes in .
object.__getattribute__() bpo-42316: Document some places .
where an assignment expression needs parentheses .
- Wrap network errors consistently in urllib FTP support, so
the test suite doesnt fail when a network is available but
the public internet is not reachable.
- Fixes AttributeError when subprocess.check_output() is used
with argument input=None and either of the arguments encoding
or errors are used.
- Avoid spurious tracebacks from asyncio when default executor
cleanup is delayed until after the event loop is closed (e.g.
as the result of a keyboard interrupt).
- Avoid a crash in the C version of
asyncio.Future.remove_done_callback() when an evil argument
is passed.
- Remove tokenize.NL check from tabnanny.
- Make Semaphore run faster.
- Fix generation of the default name of
tkinter.Checkbutton. Previously, checkbuttons in different
parent widgets could have the same short name and share
the same state if arguments “name” and “variable” are not
specified. Now they are globally unique.
- Update bundled libexpat to 2.4.9
- Fix race condition in asyncio where process_exited() called
before the pipe_data_received() leading to inconsistent
output.
- Fixed check in multiprocessing.resource_tracker that
guarantees that the length of a write to a pipe is not
greater than PIPE_BUF.
- Corrected type annotation for dataclass attribute
pstats.FunctionProfile.ncalls to be str.
- Fix the faulthandler implementation of
faulthandler.register(signal, chain=True) if the sigaction()
function is not available: dont call the previous signal
handler if its NULL.
- In inspect, fix overeager replacement of “typing.” in
formatting annotations.
- Fix asyncio.streams.StreamReaderProtocol to keep a strong
reference to the created task, so that its not garbage
collected
- Fix handling compiler warnings (SyntaxWarning and
DeprecationWarning) in codeop.compile_command() when checking
for incomplete input. Previously it emitted warnings and
raised a SyntaxError. Now it always returns None for
incomplete input without emitting any warnings.
- Fixed flickering of the turtle window when the tracer is
turned off.
- Allow asyncio.StreamWriter.drain() to be awaited concurrently
by multiple tasks.
- Fix broken asyncio.Semaphore when acquire is cancelled.
- Fix ast.unparse() when ImportFrom.level is None
- Improve performance of urllib.request.getproxies_environment
when there are many environment variables
- Fix ! in c domain ref target syntax via a conf.py patch, so
it works as intended to disable ref target resolution.
- Clarified the conflicting advice given in the ast
documentation about ast.literal_eval() being “safe” for use
on untrusted input while at the same time warning that it
can crash the process. The latter statement is true and is
deemed unfixable without a large amount of work unsuitable
for a bugfix. So we keep the warning and no longer claim that
literal_eval is safe.
- Update tutorial introduction output to use 3.10+ SyntaxError
invalid range.
- Remove upstreamed test-int-timing.patch.
-------------------------------------------------------------------
Sun Sep 18 08:48:51 UTC 2022 - Andreas Schwab <schwab@suse.de>

View File

@ -67,7 +67,7 @@ Obsoletes: python39%{?1:-%{1}}
%define tarversion %{version}
%endif
# We don't process beta signs well
%define folderversion 3.10.7
%define folderversion %{tarversion}
%define tarname Python-%{tarversion}
%define sitedir %{_libdir}/python%{python_version}
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.10.7
Version: 3.10.8
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@ -169,8 +169,6 @@ Patch36: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
# PATCH-FIX-UPSTREAM gh-96710: Make the test timing more lenient for the int/str DoS regression test. (#96717)
Patch38: test-int-timing.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -440,7 +438,6 @@ other applications.
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

View File

@ -4,7 +4,7 @@
--- a/Lib/test/test_subprocess.py
+++ b/Lib/test/test_subprocess.py
@@ -261,7 +261,8 @@ class ProcessTestCase(BaseTestCase):
@@ -267,7 +267,8 @@ class ProcessTestCase(BaseTestCase):
"time.sleep(3600)"],
# Some heavily loaded buildbots (sparc Debian 3.x) require
# this much time to start and print.

View File

@ -1,78 +0,0 @@
From 11e3548fd1d3445ccde971d613633b58d73c3016 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Fri, 9 Sep 2022 12:51:34 -0700
Subject: [PATCH] gh-96710: Make the test timing more lenient for the int/str
DoS regression test. (#96717)
A regression would still absolutely fail and even a flaky pass isn't
harmful as it'd fail most of the time across our N system test runs.
Windows has a low resolution timer and CI systems are prone to odd
timing so this just gives more leeway to avoid flakiness.
---
Lib/test/test_int.py | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Lib/test/test_int.py b/Lib/test/test_int.py
index 800c0b006c..c972b8afb4 100644
--- a/Lib/test/test_int.py
+++ b/Lib/test/test_int.py
@@ -650,7 +650,8 @@ def test_denial_of_service_prevented_int_to_str(self):
self.assertEqual(len(huge_decimal), digits)
# Ensuring that we chose a slow enough conversion to measure.
# It takes 0.1 seconds on a Zen based cloud VM in an opt build.
- if seconds_to_convert < 0.005:
+ # Some OSes have a low res 1/64s timer, skip if hard to measure.
+ if seconds_to_convert < 1/64:
raise unittest.SkipTest('"slow" conversion took only '
f'{seconds_to_convert} seconds.')
@@ -662,7 +663,7 @@ def test_denial_of_service_prevented_int_to_str(self):
str(huge_int)
seconds_to_fail_huge = get_time() - start
self.assertIn('conversion', str(err.exception))
- self.assertLess(seconds_to_fail_huge, seconds_to_convert/8)
+ self.assertLessEqual(seconds_to_fail_huge, seconds_to_convert/2)
# Now we test that a conversion that would take 30x as long also fails
# in a similarly fast fashion.
@@ -673,7 +674,7 @@ def test_denial_of_service_prevented_int_to_str(self):
str(extra_huge_int)
seconds_to_fail_extra_huge = get_time() - start
self.assertIn('conversion', str(err.exception))
- self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/8)
+ self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/2)
def test_denial_of_service_prevented_str_to_int(self):
"""Regression test: ensure we fail before performing O(N**2) work."""
@@ -691,7 +692,8 @@ def test_denial_of_service_prevented_str_to_int(self):
seconds_to_convert = get_time() - start
# Ensuring that we chose a slow enough conversion to measure.
# It takes 0.1 seconds on a Zen based cloud VM in an opt build.
- if seconds_to_convert < 0.005:
+ # Some OSes have a low res 1/64s timer, skip if hard to measure.
+ if seconds_to_convert < 1/64:
raise unittest.SkipTest('"slow" conversion took only '
f'{seconds_to_convert} seconds.')
@@ -701,7 +703,7 @@ def test_denial_of_service_prevented_str_to_int(self):
int(huge)
seconds_to_fail_huge = get_time() - start
self.assertIn('conversion', str(err.exception))
- self.assertLess(seconds_to_fail_huge, seconds_to_convert/8)
+ self.assertLessEqual(seconds_to_fail_huge, seconds_to_convert/2)
# Now we test that a conversion that would take 30x as long also fails
# in a similarly fast fashion.
@@ -712,7 +714,7 @@ def test_denial_of_service_prevented_str_to_int(self):
int(extra_huge)
seconds_to_fail_extra_huge = get_time() - start
self.assertIn('conversion', str(err.exception))
- self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/8)
+ self.assertLessEqual(seconds_to_fail_extra_huge, seconds_to_convert/2)
def test_power_of_two_bases_unlimited(self):
"""The limit does not apply to power of 2 bases."""
--
2.37.3