- Update to 3.10.8:
- Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. - Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. (originally filed as CVE-2022-37460, later withdrawn) - Fix command line parsing: reject -X int_max_str_digits option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. - When ValueError is raised if an integer is larger than the limit, mention the sys.set_int_max_str_digits() function in the error message. - The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). - os.sched_yield() now releases the GIL while calling sched_yield(2). - Bugfix: PyFunction_GetAnnotations() should return a borrowed reference. It was returning a new reference. - Fixed a missing incref/decref pair in Exception.__setstate__(). - Fix overly-broad source position information for chained comparisons used as branching conditions. - Fix undefined behaviour in _testcapimodule.c. - At Python exit, sometimes a thread holding the GIL can wait forever for a thread (usually a daemon thread) which OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=61
This commit is contained in:
parent
01ff931ee1
commit
9ffbba32c9
@ -5,17 +5,16 @@ Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
|
|||||||
filenames/types/params
|
filenames/types/params
|
||||||
|
|
||||||
---
|
---
|
||||||
Doc/library/mailcap.rst | 12 ++++
|
Doc/library/mailcap.rst | 12 ++++++++++
|
||||||
Lib/mailcap.py | 26 +++++++++-
|
Lib/mailcap.py | 5 ++++
|
||||||
Lib/test/test_mailcap.py | 8 ++-
|
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
|
||||||
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +
|
3 files changed, 21 insertions(+)
|
||||||
4 files changed, 46 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/Doc/library/mailcap.rst
|
--- a/Doc/library/mailcap.rst
|
||||||
+++ b/Doc/library/mailcap.rst
|
+++ b/Doc/library/mailcap.rst
|
||||||
@@ -60,6 +60,18 @@ standard. However, mailcap files are su
|
@@ -27,6 +27,18 @@ The mailcap format is documented in :rfc
|
||||||
use) to determine whether or not the mailcap line applies. :func:`findmatch`
|
Mechanism For Multimedia Mail Format Information", but is not an internet
|
||||||
will automatically check such conditions and skip the entry if the check fails.
|
standard. However, mailcap files are supported on most Unix systems.
|
||||||
|
|
||||||
+ .. versionchanged:: 3.11
|
+ .. versionchanged:: 3.11
|
||||||
+
|
+
|
||||||
@ -30,21 +29,13 @@ Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
|
|||||||
+ ``findmatch`` will ignore all mailcap entries which use that value.
|
+ ``findmatch`` will ignore all mailcap entries which use that value.
|
||||||
+ A :mod:`warning <warnings>` will be raised in either case.
|
+ A :mod:`warning <warnings>` will be raised in either case.
|
||||||
|
|
||||||
.. function:: getcaps()
|
.. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[])
|
||||||
|
|
||||||
--- a/Lib/mailcap.py
|
--- a/Lib/mailcap.py
|
||||||
+++ b/Lib/mailcap.py
|
+++ b/Lib/mailcap.py
|
||||||
@@ -2,6 +2,7 @@
|
@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001
|
||||||
|
class UnsafeMailcapInput(Warning):
|
||||||
import os
|
"""Warning raised when refusing unsafe input"""
|
||||||
import warnings
|
|
||||||
+import re
|
|
||||||
|
|
||||||
__all__ = ["getcaps","findmatch"]
|
|
||||||
|
|
||||||
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
|
|
||||||
else:
|
|
||||||
return 1, 0
|
|
||||||
|
|
||||||
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
|
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
|
||||||
+
|
+
|
||||||
@ -54,79 +45,6 @@ Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
|
|||||||
|
|
||||||
# Part 1: top-level interface.
|
# Part 1: top-level interface.
|
||||||
|
|
||||||
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view'
|
|
||||||
entry to use.
|
|
||||||
|
|
||||||
"""
|
|
||||||
+ if _find_unsafe(filename):
|
|
||||||
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
|
|
||||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
|
||||||
+ return None, None
|
|
||||||
entries = lookup(caps, MIMEtype, key)
|
|
||||||
# XXX This code should somehow check for the needsterminal flag.
|
|
||||||
for e in entries:
|
|
||||||
if 'test' in e:
|
|
||||||
test = subst(e['test'], filename, plist)
|
|
||||||
+ if test is None:
|
|
||||||
+ continue
|
|
||||||
if test and os.system(test) != 0:
|
|
||||||
continue
|
|
||||||
command = subst(e[key], MIMEtype, filename, plist)
|
|
||||||
- return command, e
|
|
||||||
+ if command is not None:
|
|
||||||
+ return command, e
|
|
||||||
return None, None
|
|
||||||
|
|
||||||
def lookup(caps, MIMEtype, key=None):
|
|
||||||
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli
|
|
||||||
elif c == 's':
|
|
||||||
res = res + filename
|
|
||||||
elif c == 't':
|
|
||||||
+ if _find_unsafe(MIMEtype):
|
|
||||||
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
|
|
||||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
|
||||||
+ return None
|
|
||||||
res = res + MIMEtype
|
|
||||||
elif c == '{':
|
|
||||||
start = i
|
|
||||||
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli
|
|
||||||
i = i+1
|
|
||||||
name = field[start:i]
|
|
||||||
i = i+1
|
|
||||||
- res = res + findparam(name, plist)
|
|
||||||
+ param = findparam(name, plist)
|
|
||||||
+ if _find_unsafe(param):
|
|
||||||
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
|
|
||||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
|
||||||
+ return None
|
|
||||||
+ res = res + param
|
|
||||||
# XXX To do:
|
|
||||||
# %n == number of parts if type is multipart/*
|
|
||||||
# %F == list of alternating type and filename for parts
|
|
||||||
--- a/Lib/test/test_mailcap.py
|
|
||||||
+++ b/Lib/test/test_mailcap.py
|
|
||||||
@@ -123,7 +123,8 @@ class HelperFunctionTest(unittest.TestCa
|
|
||||||
(["", "audio/*", "foo.txt"], ""),
|
|
||||||
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
|
|
||||||
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
|
|
||||||
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
|
|
||||||
+ (["echo %t", "audio/*", "foo.txt"], None),
|
|
||||||
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
|
|
||||||
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
|
|
||||||
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
|
|
||||||
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
|
|
||||||
@@ -207,7 +208,10 @@ class FindmatchTest(unittest.TestCase):
|
|
||||||
('"An audio fragment"', audio_basic_entry)),
|
|
||||||
([c, "audio/*"],
|
|
||||||
{"filename": fname},
|
|
||||||
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
|
|
||||||
+ (None, None)),
|
|
||||||
+ ([c, "audio/wav"],
|
|
||||||
+ {"filename": fname},
|
|
||||||
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
|
|
||||||
([c, "message/external-body"],
|
|
||||||
{"plist": plist},
|
|
||||||
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
|
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||||
@@ -0,0 +1,4 @@
|
@@ -0,0 +1,4 @@
|
||||||
|
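Review bot: The rebased Lib/mailcap.py hunk (`@@ -19,6 +19,11 @@ _find_unsafe = re.compile(...)`) still adds `+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search`, yet the hunk header's own context shows that the 3.10.8 base already defines `_find_unsafe` a few lines above the insertion point; unless the remaining added lines deliberately rebind it, this looks like a leftover from the pre-3.10.8 version of the patch and the duplicate assignment should be dropped so the patch carries only what goes beyond the upstream gh-68966 fix. The patch subject `gh-68966: Make mailcap refuse to match unsafe filenames/types/params` also still describes the whole upstream change, which 3.10.8 ships according to this commit's changelog, so the patch header should state what the residual insertions add on top of upstream, along the lines of `Supplements the upstream gh-68966 fix shipped in 3.10.8; this patch only adds <residual change>`. The other added lines of the rebased Lib/mailcap.py hunk are not visible in this section, so I cannot tell whether they depend on the re-added name.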
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48
|
|
||||||
size 19618696
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmMV9eMACgkQ/+h0BBaL
|
|
||||||
2Ec6FQ//eXrKOb5NoocNPIs9o5Jcbk5jtWxnOp3mqjO8D/LBYc8gwovZMPd+903w
|
|
||||||
In2QWtPSK22ZWdaR4DqizK9GjBRi+Y/ZEFfh3uiPM0I2/jGkr5BXizRZNdTo3GyB
|
|
||||||
/OuPiBKBVqMgTSGrpO4M24yUekqGdPfzg614GroWSr/16UVVUQADE8DP+BJCTIbk
|
|
||||||
v+t+AIYsALR0cUO+uqp2QbWf7N2aF+r08g59Vyb09+Nr2ZfjjINIbHQgRtHv7ZoI
|
|
||||||
7BsWiGW3qIeY8XxYt1/kWv4yMqaTyABdmdEHeM0vCzeEUpurj5072isGvOpI92N4
|
|
||||||
LZ6nK8GR4pBS+OfOB7bgzUTC+tQ48wPQwb9lZTuWfSXGYotVdTXs1zW6o1T+vply
|
|
||||||
MrMZcsc6Y9o8fX3Mkkv4zT9S6JkXtq/MUTIZ27cZr492DzJNaKBG+NqF22FKR35M
|
|
||||||
ojLK24YpGyw2PCIlUSiFfAqkGNu53U5rP3N71mh7Ao00nx8WhKj4YAci0tBkfHyw
|
|
||||||
NYoX4tz7ybiR3zV5kyrmJv4G2x89cgosfHuEL2Lr+Irf3PV5vgjXHteAwu8Egdej
|
|
||||||
myokqzWEwoqNtrK9JsSYE3bcWmrVU9R/siQnNJXKWj+AkHKG0jMsrIh6iRvQGDhp
|
|
||||||
Q3Avu3ZQ/K9rreZ4Jk1DHX3BoDvRIFdEjBDAB+b6UUQEGE32nj8=
|
|
||||||
=O8kG
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
Python-3.10.8.tar.xz
Normal file
3
Python-3.10.8.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3
|
||||||
|
size 19619508
|
16
Python-3.10.8.tar.xz.asc
Normal file
16
Python-3.10.8.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmNFVREACgkQ/+h0BBaL
|
||||||
|
2EfmBhAAlIlx22S5RL7ehPDOWlEj06uK87EKEfMXch2DMapEXsrBR2Z+Q3Kb0Le+
|
||||||
|
T3vru6k9MUbDGI0pei+o5k621jvg8Gj+0rUKTydAd46Pt9ZoCPWuIdyWKaJBknLu
|
||||||
|
XsYs6Xiv6Ug7Q3JGy67j8ei6bFoqATyYEe45ljReVfug7VmisjMXHdiyZoAkAFMO
|
||||||
|
fDZvtfXRY/ZwLcCfK5SkaJqSRVfYowAh1lQqiXDnbfaX40BVCw78YKFsYN//PCpU
|
||||||
|
DrsE7JFapXQGvCJmcZ+WC8A/WMjyLoKI36w2WDcy8AFKsf49xQWPEWnUzXcJyF2n
|
||||||
|
zKGxn6kUEMdzelSWWWqMYlckL6Xf87E+CRTRS0MRX6OIrf+zJkeEoWRW8cGT/U8I
|
||||||
|
1o0hawm9O50nSIjMGzaXGKjWsHLSIeOA9ToLz19TzzO7VikNkXAx5gQcHQu3bJyT
|
||||||
|
SrMCw/VXJy+0BinBpSX/qZoptX2+6lFfArb/xOZGX2ZhU44+ecPrUHxB8xiw0qr8
|
||||||
|
pw16k6nCkW3f0aZ0jrlsfNLsXr9G/ZRu+ugrcTTQ53rfXO0pQ5nxm0CJ5O9twDjw
|
||||||
|
DIKvuqnOHlSGEcFM4bNDvpqskDnXrK6oyqBvtVhsjdFAp8YHYoM0yALTBlS4v2Xt
|
||||||
|
Em1BPUXHps0M1AY59KrXe0OpwibJjKhvWoogAS5bqe/mYInBE/Y=
|
||||||
|
=2vcv
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -29,7 +29,7 @@
|
|||||||
Create a Python.framework rather than a traditional Unix install. Optional
|
Create a Python.framework rather than a traditional Unix install. Optional
|
||||||
--- a/Misc/NEWS
|
--- a/Misc/NEWS
|
||||||
+++ b/Misc/NEWS
|
+++ b/Misc/NEWS
|
||||||
@@ -2783,7 +2783,7 @@ C API
|
@@ -2979,7 +2979,7 @@ C API
|
||||||
-----
|
-----
|
||||||
|
|
||||||
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
|
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
|
||||||
|
@ -1,3 +1,114 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 19 07:12:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.10.8:
|
||||||
|
- Fix multiplying a list by an integer (list *= int): detect
|
||||||
|
the integer overflow when the new allocated length is close
|
||||||
|
to the maximum size.
|
||||||
|
- Fix a shell code injection vulnerability in the
|
||||||
|
get-remote-certificate.py example script. The script no
|
||||||
|
longer uses a shell to run openssl commands. (originally
|
||||||
|
filed as CVE-2022-37460, later withdrawn)
|
||||||
|
- Fix command line parsing: reject -X int_max_str_digits option
|
||||||
|
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
|
||||||
|
environment variable is set to a valid limit.
|
||||||
|
- When ValueError is raised if an integer is larger than the
|
||||||
|
limit, mention the sys.set_int_max_str_digits() function in
|
||||||
|
the error message.
|
||||||
|
- The deprecated mailcap module now refuses to inject unsafe
|
||||||
|
text (filenames, MIME types, parameters) into shell
|
||||||
|
commands. Instead of using such text, it will warn and act
|
||||||
|
as if a match was not found (or for test commands, as if the
|
||||||
|
test failed).
|
||||||
|
- os.sched_yield() now release the GIL while calling
|
||||||
|
sched_yield(2).
|
||||||
|
- Bugfix: PyFunction_GetAnnotations() should return a borrowed
|
||||||
|
reference. It was returning a new reference.
|
||||||
|
- Fixed a missing incref/decref pair in
|
||||||
|
Exception.__setstate__().
|
||||||
|
- Fix overly-broad source position information for chained
|
||||||
|
comparisons used as branching conditions.
|
||||||
|
- Fix undefined behaviour in _testcapimodule.c.
|
||||||
|
- At Python exit, sometimes a thread holding the GIL can
|
||||||
|
wait forever for a thread (usually a daemon thread) which
|
||||||
|
requested to drop the GIL, whereas the thread already
|
||||||
|
exited. To fix the race condition, the thread which requested
|
||||||
|
the GIL drop now resets its request before exiting.
|
||||||
|
- Fix a possible assertion failure, fatal error, or SystemError
|
||||||
|
if a line tracing event raises an exception while opcode
|
||||||
|
tracing is enabled.
|
||||||
|
- Fix undefined behaviour in C code of null pointer arithmetic.
|
||||||
|
- Do not expose KeyWrapper in _functools.
|
||||||
|
- When loading a file with invalid UTF-8 inside a multi-line
|
||||||
|
string, a correct SyntaxError is emitted.
|
||||||
|
- Disable incorrect pickling of the C implemented classmethod
|
||||||
|
descriptors.
|
||||||
|
- Fix AttributeError missing name and obj attributes in .
|
||||||
|
object.__getattribute__() bpo-42316: Document some places .
|
||||||
|
where an assignment expression needs parentheses .
|
||||||
|
- Wrap network errors consistently in urllib FTP support, so
|
||||||
|
the test suite doesn’t fail when a network is available but
|
||||||
|
the public internet is not reachable.
|
||||||
|
- Fixes AttributeError when subprocess.check_output() is used
|
||||||
|
with argument input=None and either of the arguments encoding
|
||||||
|
or errors are used.
|
||||||
|
- Avoid spurious tracebacks from asyncio when default executor
|
||||||
|
cleanup is delayed until after the event loop is closed (e.g.
|
||||||
|
as the result of a keyboard interrupt).
|
||||||
|
- Avoid a crash in the C version of
|
||||||
|
asyncio.Future.remove_done_callback() when an evil argument
|
||||||
|
is passed.
|
||||||
|
- Remove tokenize.NL check from tabnanny.
|
||||||
|
- Make Semaphore run faster.
|
||||||
|
- Fix generation of the default name of
|
||||||
|
tkinter.Checkbutton. Previously, checkbuttons in different
|
||||||
|
parent widgets could have the same short name and share
|
||||||
|
the same state if arguments “name” and “variable” are not
|
||||||
|
specified. Now they are globally unique.
|
||||||
|
- Update bundled libexpat to 2.4.9
|
||||||
|
- Fix race condition in asyncio where process_exited() called
|
||||||
|
before the pipe_data_received() leading to inconsistent
|
||||||
|
output.
|
||||||
|
- Fixed check in multiprocessing.resource_tracker that
|
||||||
|
guarantees that the length of a write to a pipe is not
|
||||||
|
greater than PIPE_BUF.
|
||||||
|
- Corrected type annotation for dataclass attribute
|
||||||
|
pstats.FunctionProfile.ncalls to be str.
|
||||||
|
- Fix the faulthandler implementation of
|
||||||
|
faulthandler.register(signal, chain=True) if the sigaction()
|
||||||
|
function is not available: don’t call the previous signal
|
||||||
|
handler if it’s NULL.
|
||||||
|
- In inspect, fix overeager replacement of “typing.” in
|
||||||
|
formatting annotations.
|
||||||
|
- Fix asyncio.streams.StreamReaderProtocol to keep a strong
|
||||||
|
reference to the created task, so that it’s not garbage
|
||||||
|
collected
|
||||||
|
- Fix handling compiler warnings (SyntaxWarning and
|
||||||
|
DeprecationWarning) in codeop.compile_command() when checking
|
||||||
|
for incomplete input. Previously it emitted warnings and
|
||||||
|
raised a SyntaxError. Now it always returns None for
|
||||||
|
incomplete input without emitting any warnings.
|
||||||
|
- Fixed flickering of the turtle window when the tracer is
|
||||||
|
turned off.
|
||||||
|
- Allow asyncio.StreamWriter.drain() to be awaited concurrently
|
||||||
|
by multiple tasks.
|
||||||
|
- Fix broken asyncio.Semaphore when acquire is cancelled.
|
||||||
|
- Fix ast.unparse() when ImportFrom.level is None
|
||||||
|
- Improve performance of urllib.request.getproxies_environment
|
||||||
|
when there are many environment variables
|
||||||
|
- Fix ! in c domain ref target syntax via a conf.py patch, so
|
||||||
|
it works as intended to disable ref target resolution.
|
||||||
|
- Clarified the conflicting advice given in the ast
|
||||||
|
documentation about ast.literal_eval() being “safe” for use
|
||||||
|
on untrusted input while at the same time warning that it
|
||||||
|
can crash the process. The latter statement is true and is
|
||||||
|
deemed unfixable without a large amount of work unsuitable
|
||||||
|
for a bugfix. So we keep the warning and no longer claim that
|
||||||
|
literal_eval is safe.
|
||||||
|
- Update tutorial introduction output to use 3.10+ SyntaxError
|
||||||
|
invalid range.
|
||||||
|
- Remove upstreamed test-int-timing.patch.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Sep 18 08:48:51 UTC 2022 - Andreas Schwab <schwab@suse.de>
|
Sun Sep 18 08:48:51 UTC 2022 - Andreas Schwab <schwab@suse.de>
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@ Obsoletes: python39%{?1:-%{1}}
|
|||||||
%define tarversion %{version}
|
%define tarversion %{version}
|
||||||
%endif
|
%endif
|
||||||
# We don't process beta signs well
|
# We don't process beta signs well
|
||||||
%define folderversion 3.10.7
|
%define folderversion %{tarversion}
|
||||||
%define tarname Python-%{tarversion}
|
%define tarname Python-%{tarversion}
|
||||||
%define sitedir %{_libdir}/python%{python_version}
|
%define sitedir %{_libdir}/python%{python_version}
|
||||||
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
|
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
|
||||||
@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
|
|||||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||||
%bcond_without profileopt
|
%bcond_without profileopt
|
||||||
Name: %{python_pkg_name}%{psuffix}
|
Name: %{python_pkg_name}%{psuffix}
|
||||||
Version: 3.10.7
|
Version: 3.10.8
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Python 3 Interpreter
|
Summary: Python 3 Interpreter
|
||||||
License: Python-2.0
|
License: Python-2.0
|
||||||
@ -169,8 +169,6 @@ Patch36: support-expat-CVE-2022-25236-patched.patch
|
|||||||
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
|
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
|
||||||
# avoid the command injection in the mailcap module.
|
# avoid the command injection in the mailcap module.
|
||||||
Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
|
Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
|
||||||
# PATCH-FIX-UPSTREAM gh-96710: Make the test timing more lenient for the int/str DoS regression test. (#96717)
|
|
||||||
Patch38: test-int-timing.patch
|
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
@ -440,7 +438,6 @@ other applications.
|
|||||||
%patch35 -p1
|
%patch35 -p1
|
||||||
%patch36 -p1
|
%patch36 -p1
|
||||||
%patch37 -p1
|
%patch37 -p1
|
||||||
%patch38 -p1
|
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
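Review bot: The comment `# avoid the command injection in the mailcap module.` above `Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch` is now misleading, because this commit's changelog records that 3.10.8 itself makes mailcap refuse unsafe filenames, MIME types and parameters, and the rebased patch in the same commit shrinks to a handful of insertions. Document what the residual patch still adds on top of the upstream fix and why it is kept, e.g. `# supplements the gh-68966 fix that landed in 3.10.8; see the patch header for the remaining delta`, so the next version bump can judge whether it is droppable the way test-int-timing.patch was dropped here. The Patch38 removal itself is consistent with the `Remove upstreamed test-int-timing.patch` changelog entry.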
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
--- a/Lib/test/test_subprocess.py
|
--- a/Lib/test/test_subprocess.py
|
||||||
+++ b/Lib/test/test_subprocess.py
|
+++ b/Lib/test/test_subprocess.py
|
||||||
@@ -261,7 +261,8 @@ class ProcessTestCase(BaseTestCase):
|
@@ -267,7 +267,8 @@ class ProcessTestCase(BaseTestCase):
|
||||||
"time.sleep(3600)"],
|
"time.sleep(3600)"],
|
||||||
# Some heavily loaded buildbots (sparc Debian 3.x) require
|
# Some heavily loaded buildbots (sparc Debian 3.x) require
|
||||||
# this much time to start and print.
|
# this much time to start and print.
|
||||||
|
@ -1,78 +0,0 @@
|
|||||||
From 11e3548fd1d3445ccde971d613633b58d73c3016 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Gregory P. Smith" <greg@krypto.org>
|
|
||||||
Date: Fri, 9 Sep 2022 12:51:34 -0700
|
|
||||||
Subject: [PATCH] gh-96710: Make the test timing more lenient for the int/str
|
|
||||||
DoS regression test. (#96717)
|
|
||||||
|
|
||||||
A regression would still absolutely fail and even a flaky pass isn't
|
|
||||||
harmful as it'd fail most of the time across our N system test runs.
|
|
||||||
|
|
||||||
Windows has a low resolution timer and CI systems are prone to odd
|
|
||||||
timing so this just gives more leeway to avoid flakiness.
|
|
||||||
---
|
|
||||||
Lib/test/test_int.py | 14 ++++++++------
|
|
||||||
1 file changed, 8 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Lib/test/test_int.py b/Lib/test/test_int.py
|
|
||||||
index 800c0b006c..c972b8afb4 100644
|
|
||||||
--- a/Lib/test/test_int.py
|
|
||||||
+++ b/Lib/test/test_int.py
|
|
||||||
@@ -650,7 +650,8 @@ def test_denial_of_service_prevented_int_to_str(self):
|
|
||||||
self.assertEqual(len(huge_decimal), digits)
|
|
||||||
# Ensuring that we chose a slow enough conversion to measure.
|
|
||||||
# It takes 0.1 seconds on a Zen based cloud VM in an opt build.
|
|
||||||
- if seconds_to_convert < 0.005:
|
|
||||||
+ # Some OSes have a low res 1/64s timer, skip if hard to measure.
|
|
||||||
+ if seconds_to_convert < 1/64:
|
|
||||||
raise unittest.SkipTest('"slow" conversion took only '
|
|
||||||
f'{seconds_to_convert} seconds.')
|
|
||||||
|
|
||||||
@@ -662,7 +663,7 @@ def test_denial_of_service_prevented_int_to_str(self):
|
|
||||||
str(huge_int)
|
|
||||||
seconds_to_fail_huge = get_time() - start
|
|
||||||
self.assertIn('conversion', str(err.exception))
|
|
||||||
- self.assertLess(seconds_to_fail_huge, seconds_to_convert/8)
|
|
||||||
+ self.assertLessEqual(seconds_to_fail_huge, seconds_to_convert/2)
|
|
||||||
|
|
||||||
# Now we test that a conversion that would take 30x as long also fails
|
|
||||||
# in a similarly fast fashion.
|
|
||||||
@@ -673,7 +674,7 @@ def test_denial_of_service_prevented_int_to_str(self):
|
|
||||||
str(extra_huge_int)
|
|
||||||
seconds_to_fail_extra_huge = get_time() - start
|
|
||||||
self.assertIn('conversion', str(err.exception))
|
|
||||||
- self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/8)
|
|
||||||
+ self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/2)
|
|
||||||
|
|
||||||
def test_denial_of_service_prevented_str_to_int(self):
|
|
||||||
"""Regression test: ensure we fail before performing O(N**2) work."""
|
|
||||||
@@ -691,7 +692,8 @@ def test_denial_of_service_prevented_str_to_int(self):
|
|
||||||
seconds_to_convert = get_time() - start
|
|
||||||
# Ensuring that we chose a slow enough conversion to measure.
|
|
||||||
# It takes 0.1 seconds on a Zen based cloud VM in an opt build.
|
|
||||||
- if seconds_to_convert < 0.005:
|
|
||||||
+ # Some OSes have a low res 1/64s timer, skip if hard to measure.
|
|
||||||
+ if seconds_to_convert < 1/64:
|
|
||||||
raise unittest.SkipTest('"slow" conversion took only '
|
|
||||||
f'{seconds_to_convert} seconds.')
|
|
||||||
|
|
||||||
@@ -701,7 +703,7 @@ def test_denial_of_service_prevented_str_to_int(self):
|
|
||||||
int(huge)
|
|
||||||
seconds_to_fail_huge = get_time() - start
|
|
||||||
self.assertIn('conversion', str(err.exception))
|
|
||||||
- self.assertLess(seconds_to_fail_huge, seconds_to_convert/8)
|
|
||||||
+ self.assertLessEqual(seconds_to_fail_huge, seconds_to_convert/2)
|
|
||||||
|
|
||||||
# Now we test that a conversion that would take 30x as long also fails
|
|
||||||
# in a similarly fast fashion.
|
|
||||||
@@ -712,7 +714,7 @@ def test_denial_of_service_prevented_str_to_int(self):
|
|
||||||
int(extra_huge)
|
|
||||||
seconds_to_fail_extra_huge = get_time() - start
|
|
||||||
self.assertIn('conversion', str(err.exception))
|
|
||||||
- self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/8)
|
|
||||||
+ self.assertLessEqual(seconds_to_fail_extra_huge, seconds_to_convert/2)
|
|
||||||
|
|
||||||
def test_power_of_two_bases_unlimited(self):
|
|
||||||
"""The limit does not apply to power of 2 bases."""
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|