diff --git a/python310.changes b/python310.changes
index 5976509..529a368 100644
--- a/python310.changes
+++ b/python310.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sun Sep 18 08:48:51 UTC 2022 - Andreas Schwab
+
+- test-int-timing.patch: gh-96710: Make the test timing more lenient for
+  the int/str DoS regression test. (#96717)
+
 -------------------------------------------------------------------
 Sun Sep 11 08:32:53 UTC 2022 - Matej Cepl
 
diff --git a/python310.spec b/python310.spec
index 7f8e1af..72d1ce2 100644
--- a/python310.spec
+++ b/python310.spec
@@ -169,6 +169,8 @@ Patch36: support-expat-CVE-2022-25236-patched.patch
 # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
 # avoid the command injection in the mailcap module.
 Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
+# PATCH-FIX-UPSTREAM gh-96710: Make the test timing more lenient for the int/str DoS regression test. (#96717)
+Patch38: test-int-timing.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -438,6 +440,7 @@ other applications.
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
diff --git a/test-int-timing.patch b/test-int-timing.patch
new file mode 100644
index 0000000..4f7ef27
--- /dev/null
+++ b/test-int-timing.patch
@@ -0,0 +1,78 @@
+From 11e3548fd1d3445ccde971d613633b58d73c3016 Mon Sep 17 00:00:00 2001
+From: "Gregory P. Smith"
+Date: Fri, 9 Sep 2022 12:51:34 -0700
+Subject: [PATCH] gh-96710: Make the test timing more lenient for the int/str
+ DoS regression test. (#96717)
+
+A regression would still absolutely fail and even a flaky pass isn't
+harmful as it'd fail most of the time across our N system test runs.
+
+Windows has a low resolution timer and CI systems are prone to odd
+timing so this just gives more leeway to avoid flakiness.
+---
+ Lib/test/test_int.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/Lib/test/test_int.py b/Lib/test/test_int.py
+index 800c0b006c..c972b8afb4 100644
+--- a/Lib/test/test_int.py
++++ b/Lib/test/test_int.py
+@@ -650,7 +650,8 @@ def test_denial_of_service_prevented_int_to_str(self):
+         self.assertEqual(len(huge_decimal), digits)
+         # Ensuring that we chose a slow enough conversion to measure.
+         # It takes 0.1 seconds on a Zen based cloud VM in an opt build.
+-        if seconds_to_convert < 0.005:
++        # Some OSes have a low res 1/64s timer, skip if hard to measure.
++        if seconds_to_convert < 1/64:
+             raise unittest.SkipTest('"slow" conversion took only '
+                                     f'{seconds_to_convert} seconds.')
+
+@@ -662,7 +663,7 @@ def test_denial_of_service_prevented_int_to_str(self):
+             str(huge_int)
+         seconds_to_fail_huge = get_time() - start
+         self.assertIn('conversion', str(err.exception))
+-        self.assertLess(seconds_to_fail_huge, seconds_to_convert/8)
++        self.assertLessEqual(seconds_to_fail_huge, seconds_to_convert/2)
+
+         # Now we test that a conversion that would take 30x as long also fails
+         # in a similarly fast fashion.
+@@ -673,7 +674,7 @@ def test_denial_of_service_prevented_int_to_str(self):
+             str(extra_huge_int)
+         seconds_to_fail_extra_huge = get_time() - start
+         self.assertIn('conversion', str(err.exception))
+-        self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/8)
++        self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/2)
+
+     def test_denial_of_service_prevented_str_to_int(self):
+         """Regression test: ensure we fail before performing O(N**2) work."""
+@@ -691,7 +692,8 @@ def test_denial_of_service_prevented_str_to_int(self):
+         seconds_to_convert = get_time() - start
+         # Ensuring that we chose a slow enough conversion to measure.
+         # It takes 0.1 seconds on a Zen based cloud VM in an opt build.
+-        if seconds_to_convert < 0.005:
++        # Some OSes have a low res 1/64s timer, skip if hard to measure.
++        if seconds_to_convert < 1/64:
+             raise unittest.SkipTest('"slow" conversion took only '
+                                     f'{seconds_to_convert} seconds.')
+
+@@ -701,7 +703,7 @@ def test_denial_of_service_prevented_str_to_int(self):
+             int(huge)
+         seconds_to_fail_huge = get_time() - start
+         self.assertIn('conversion', str(err.exception))
+-        self.assertLess(seconds_to_fail_huge, seconds_to_convert/8)
++        self.assertLessEqual(seconds_to_fail_huge, seconds_to_convert/2)
+
+         # Now we test that a conversion that would take 30x as long also fails
+         # in a similarly fast fashion.
+@@ -712,7 +714,7 @@ def test_denial_of_service_prevented_str_to_int(self):
+             int(extra_huge)
+         seconds_to_fail_extra_huge = get_time() - start
+         self.assertIn('conversion', str(err.exception))
+-        self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/8)
++        self.assertLessEqual(seconds_to_fail_extra_huge, seconds_to_convert/2)
+
+     def test_power_of_two_bases_unlimited(self):
+         """The limit does not apply to power of 2 bases."""
+-- 
+2.37.3
+
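Review bot: The relaxed bound is applied inconsistently inside the bundled patch: the int_to_str extra-huge check at inner hunk `@@ -673,7 +674,7 @@` keeps `self.assertLess(seconds_to_fail_extra_huge, seconds_to_convert/2)` while the other three sibling assertions switch to `assertLessEqual`, which reads like an oversight and should be aligned with `self.assertLessEqual(seconds_to_fail_extra_huge, seconds_to_convert/2)`. The new skip guard `if seconds_to_convert < 1/64:` still admits a baseline of exactly one tick on the 1/64 s timer the comment describes, so its failure budget becomes half a tick and any non-zero reading of the fast-fail path on such a timer would still trip the assertion; requiring the baseline to span several ticks before trusting the ratio would cover the flakiness case the commit message targets. Widening the ratio from 1/8 to 1/2 leaves a 2x margin, which an O(N**2) regression would exceed by orders of magnitude, so the test keeps its value as a detection for the int/str DoS fix. Both enclosing test methods start and end outside the inner hunks.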