Accepting request 1068979 from devel:languages:python:Factory

- Update to 3.10.10:
  Bug fixes and regressions handling, no change of behaviour and
  no security bugs fixed.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/request/show/1068979
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=29

CVE-2023-24329-blank-URL-bypass.patch

@@ -0,0 +1,55 @@
+From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
+From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
+Date: Sat, 12 Nov 2022 15:43:33 -0500
+Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
+ schemes that don't begin with an alphabetical ASCII character.
+
+---
+ Lib/test/test_urlparse.py                                              |   18 ++++++++++
+ Lib/urllib/parse.py                                                    |    2 -
+ Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
+                         with self.assertRaises(ValueError):
+                             p.port
+ 
++    def test_attributes_bad_scheme(self):
++        """Check handling of invalid schemes."""
++        for bytes in (False, True):
++            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++                for scheme in (".", "+", "-", "0", "http&", "६http"):
++                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++                        url = scheme + "://www.example.net"
++                        if bytes:
++                            if url.isascii():
++                                url = url.encode("ascii")
++                            else:
++                                continue
++                        p = parse(url)
++                        if bytes:
++                            self.assertEqual(p.scheme, b"")
++                        else:
++                            self.assertEqual(p.scheme, "")
++
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
++    if i > 0 and url[0].isascii() and url[0].isalpha():
+         for c in url[:i]:
+             if c not in scheme_chars:
+                 break
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.

Python-3.10.10.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0419e9085bf51b7a672009b3f50dbf1859acdf18ba725d0ec19aa5c8503f0ea3
+size 19627028

Python-3.10.10.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiQfoACgkQ/+h0BBaL
+2EcB8hAAmFEIHZopWn+A4tDxd001eViLrOmjygqPn1doAQ3dAgyESt4Z/HDtN6rB
++6z5rsx+qdcP9kfb/+3V0gKBh/3V4bEpnD+EQtpONWhKbCcqOfq1ok1V+uNH8uOF
+ixxWkY+MWJzPPhlQiW/sm9FP6CdnaeriKf1JMCUt9aiganpo2CQv5gPE/0PlSGO5
+BEKjCcyHHPIEAxC6jLm/+33PSzbhGq+YstK/1tcqUrJfkifipovmSZeFyzULPonK
+MATPyliOupo3ixPs3LoJUjNpGD4fH+p2Lg1ZOgYv7vGmeLcadNVanRlqRg76m+ke
+zvp/MAqQg4Fr75m2+mfDG/Md+PrSMvz71i55a1Q1NcYdW6QR62m08FCZg7/+t5pD
+H91ywhMqTv1nySsEZGfuETPTs7gMCtyBeDjIhXBMcfbhGivd7r5zZJ8MUD/FSASC
+fQ/vEVeHWQeWpfFgxLfLmRnkjIS7JCGlM9z6zsZqbppWqeA94sBIf4ka2JG2DnGP
+1Pvn+ragiHt1++i2yVhmoAB0t44/SgXacCce5AT3yB71brT21cOXQs0Gq80MwVPI
+nVbzdOtuGNGcvEi2fbO2IEcgegSHaOHo9PvYTRropSz3V7A95x8mA1xjZf2y77H5
+/mfJ4687YIItCIcNE5Zzj6GspWlWP31OvRFIIefnKYf2JuU+qt8=
+=B3xo
+-----END PGP SIGNATURE-----

Python-3.10.9.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83
-size 19612112

Python-3.10.9.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmOPjc0ACgkQ/+h0BBaL
-2EeV0hAAqnRoPq/yKFBquimXkwLGWPOwmPC1W4ehfS8OzXtfqw53xyG8q5ggemyd
-pc6k6lXlgFS1AzE3wGPfVNzr+iFf2xP+3c21e3nbKUISxFQ6xF+X2xY7sTLIZUuQ
-h8ZEyq7W9a1ta/78ap03+C3i98EWK5WaO5PIt57yq4ZLWdNVaJpqXessFQiZ5+ys
-pN0D0iC9TCUv3QTDhyB2xB7fThVXcIsvfgvAsSzLMC3t/POsp3Qiooa1Tc9lB4TK
-GEgfGUrvd/YZaI9LKT309aXfBuorjX9oDN05+efg+8/2DsRCus7KX+buNRC5xRX6
-gIFp/Bjgc+eBDW/8f8zEl/aB8DWm/rkfX83Xc0m9W0iZYtSQT0AGoQE5fcJg1jnR
-lV5RpD9uZa/RrHtc/Sl7e0PfOdfZsWUKsNiiJhDVdfRPJYanezAHZCZpc8q2JoOV
-IoxKlWp5eBhk10hWwtAjLGPK2iGNfUksV72oqDGU8IyA4+wL/iC9quq5nWED0U0w
-gjrmXYIspCT2oCF/U3kCjqf26vYp6hxFrvloseD65ExwNiqQCGQlsxZJelCJUDnO
-lezBraV5QSElsRReO2t8+XQgxoCeBbsvRpCNPWnzGdvNHljTRWVQtdx8s3A+LYEX
-dNnL5pI91C+5pn+vvKYO4x2S7hdgG4aRNSwH19D05VdThEsmt0U=
-=L+IQ
------END PGP SIGNATURE-----

fix_configure_rst.patch

@@ -29,7 +29,7 @@
     Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -3254,7 +3254,7 @@ C API
+@@ -3422,7 +3422,7 @@ C API
  -----
  
  - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name

python310.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Mar  1 20:59:04 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Update to 3.10.10:
+  Bug fixes and regressions handling, no change of behaviour and
+  no security bugs fixed.
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python310.spec

@@ -103,7 +103,7 @@ Obsoletes:      python39%{?1:-%{1}}
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.10.9
+Version:        3.10.10
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -166,6 +166,10 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36:        support-expat-CVE-2022-25236-patched.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch37:        CVE-2023-24329-blank-URL-bypass.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -438,6 +442,7 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -633,7 +638,7 @@ for library in \
     _posixsubprocess _queue _random resource select _ssl _socket spwd \
     _statistics _struct syslog termios _testbuffer _testimportmultiple \
     _testmultiphase unicodedata zlib _ctypes_test _testinternalcapi _testcapi \
-    xxlimited xxlimited_35 \
+    _testclinic xxlimited xxlimited_35 \
     _xxtestfuzz _xxsubinterpreters _elementtree pyexpat _md5 _sha1 \
     _sha256 _sha512 _blake2 _sha3 _uuid _zoneinfo
 do
@@ -882,6 +887,7 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
 %{dynlib _ctypes_test}
 %{dynlib _testbuffer}
 %{dynlib _testcapi}
+%{dynlib _testclinic}
 %{dynlib _testinternalcapi}
 %{dynlib _testimportmultiple}
 %{dynlib _testmultiphase}