From eacdd5e9b53fb69bab2969d3abedce29368ced48d012eade2b19b10badbcdc03 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Thu, 6 Feb 2025 08:47:49 +0000
Subject: [PATCH] - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) - Update doc-py38-to-py36.patch to include str.removeprefix replacement.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=98
---
 Python-3.12.9.tar.xz.sigstore | 1 +
 doc-py38-to-py36.patch | 101 +++++++++++++++------------------
 python312.changes | 9 +++
 python312.spec | 2 +-
 4 files changed, 54 insertions(+), 59 deletions(-)
 create mode 100644 Python-3.12.9.tar.xz.sigstore
diff --git a/Python-3.12.9.tar.xz.sigstore b/Python-3.12.9.tar.xz.sigstore
new file mode 100644
index 0000000..1403d92
--- /dev/null
+++ b/Python-3.12.9.tar.xz.sigstore
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "168669956", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1738694665", "inclusionPromise": {"signedEntryTimestamp": "MEYCIQDVmal6r4YwWZnRFAhkxtBuhC9DkI8edAE3TDtWeATI8QIhANxiG29sGfPL9neccap5pApPdpGNw7HUrcg2f/plSQaL"}, "inclusionProof": {"logIndex": "46765694", "rootHash": "tHDnjyWM1D0S/LMxPKpbA2ARX0nDJAIaiSJkEfAUt80=", "treeSize": "46765695", "hashes": ["MbM4b1IdzMcxrM0M3G0WRC6T9I04Nb9U2Ndsw9Iu8Kg=", "reCjGqzdYRJnPDpm1ah+58Nk8fWzbdDcnQRY4aLgnac=", "ffOkE+U7rrMFDm2qwCD3MfwiTo2njwK9PY4QIryK4yU=", "vfQF1SCq0+eofmO26+YjbYtOmw9myoV+5CV4JF4ZcL0=", "nhUF67tgV9eCOCZ/5rpk46g6Um0PL25g3oTmMl/VkpA=", "SkkhuNxwaCK56utv2d4O0v1RFIcnU5lTVMq89IZtWaE=", "5S8IyLnwlAhLZBEUNH1SaLO2dckc8NKwnGVgAO+3QQI=", "3onlfMyeVMDSIvH0BhkTTMYIWUuOZa+vitTl74eA7yo=", "TgYmpZ2JTTWko4kWZxTIAYkJpJpeOjVCg6ICKYnUS+8=", "PAMmlBIG22MGowjyiChYp5iB6NiTRa0xKI2vnvpExek=", "NS61TOUCaTiUJotPDnr7bTP/1ogKsWSnbgDlk1uvGzM=", "MvEBWaRrd43Pq04mjOFzGW9RiqBSzMBfuFXKBIVtQnc=", "Zse3BPkR/cJv62LvVuiDH+EpgIE5v3V3qXdG8HQFf1A=", "jU9+tgjTIKUYGeU7T7RjqyL+F+gFV9tCdwX2GZ1UtQs=", "vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n46765695\ntHDnjyWM1D0S/LMxPKpbA2ARX0nDJAIaiSJkEfAUt80=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiEAuCYs8aQChh+nY0StyUwt2eomG176aNsYT003B5N0Z90CIFtuoa7y2G4hHRVQx+lqO60qXMe4RzklsY59A1S70VZP\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "ciCDXZ+Qs3wAbphCqN/0WAqspDGGdPlHMCuNKPP4ERI="}, "signature": 
"MEUCIQCO/j3Ptr+T0AN2TvLvZWiWiHwfZz6d8hisVqzAqgwJTQIgSoTiHjRr9VystanNMKBaHUfr3Ry1tj/rMT1QcUYFNwo="}} diff --git a/doc-py38-to-py36.patch b/doc-py38-to-py36.patch index 5a55e05..34125d4 100644 --- a/doc-py38-to-py36.patch +++ b/doc-py38-to-py36.patch @@ -1,35 +1,25 @@ --- - Doc/conf.py | 17 ++++++++-- + Doc/conf.py | 8 ++-- Doc/tools/check-warnings.py | 3 + Doc/tools/extensions/audit_events.py | 54 ++++++++++++++++---------------- Doc/tools/extensions/availability.py | 15 ++++---- - Doc/tools/extensions/c_annotations.py | 45 ++++++++++++++++---------- + Doc/tools/extensions/c_annotations.py | 37 ++++++++++----------- Doc/tools/extensions/glossary_search.py | 10 +---- Doc/tools/extensions/patchlevel.py | 9 ++--- - 7 files changed, 87 insertions(+), 66 deletions(-) + 7 files changed, 67 insertions(+), 69 deletions(-) --- a/Doc/conf.py +++ b/Doc/conf.py -@@ -17,6 +17,9 @@ sys.path.append(os.path.abspath('include - # Python specific content from Doc/Tools/extensions/pyspecific.py - from pyspecific import SOURCE_URI - -+# Needed for fixing extlinks modification -+from sphinx import version_info as sphinx_version -+ - # General configuration - # --------------------- - -@@ -82,7 +85,7 @@ highlight_language = 'python3' +@@ -85,7 +85,7 @@ today_fmt = '%B %d, %Y' + highlight_language = 'python3' # Minimum version of sphinx required - # Keep this version in sync with ``Doc/requirements.txt``. --needs_sphinx = '8.1.3' +-needs_sphinx = '7.2.6' +needs_sphinx = '4.2.0' # Create table of contents entries for domain objects (e.g. functions, classes, # attributes, etc.). Default is True. -@@ -337,7 +340,7 @@ html_short_title = f'{release} Documenta +@@ -342,7 +342,7 @@ html_short_title = f'{release} Documenta # (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html) is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external" repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "") 
@@ -38,23 +28,22 @@ html_context = { "is_deployment_preview": is_deployment_preview, "repository_url": repository_url or None, -@@ -583,6 +586,16 @@ extlinks = { - } - extlinks_detect_hardcoded_links = True +@@ -598,13 +598,13 @@ extlinks_detect_hardcoded_links = True + + if sphinx.version_info[:2] < (8, 1): + # Sphinx 8.1 has in-built CVE and CWE roles. +- extlinks |= { ++ extlinks.update({ + "cve": ( + "https://www.cve.org/CVERecord?id=CVE-%s", + "CVE-%s", + ), + "cwe": ("https://cwe.mitre.org/data/definitions/%s.html", "CWE-%s"), +- } ++ }) -+if sphinx_version[:2] < (8, 1): -+ # Sphinx 8.1 has in-built CVE and CWE roles. -+ extlinks.update({ -+ "cve": ( -+ "https://www.cve.org/CVERecord?id=CVE-%s", -+ "CVE-%s", -+ ), -+ "cwe": ("https://cwe.mitre.org/data/definitions/%s.html", "CWE-%s"), -+ }) -+ # Options for c_annotations extension # ----------------------------------- - --- a/Doc/tools/check-warnings.py +++ b/Doc/tools/check-warnings.py @@ -228,7 +228,8 @@ def fail_if_regression( @@ -221,16 +210,16 @@ from docutils import nodes from sphinx import addnodes -@@ -53,7 +51,7 @@ class Availability(SphinxDirective): +@@ -52,7 +50,7 @@ class Availability(SphinxDirective): optional_arguments = 0 final_argument_whitespace = True - def run(self) -> list[nodes.container]: + def run(self) -> List[nodes.container]: - title = sphinx_gettext("Availability") + title = "Availability" refnode = addnodes.pending_xref( title, -@@ -77,7 +75,7 @@ class Availability(SphinxDirective): +@@ -76,7 +74,7 @@ class Availability(SphinxDirective): return [cnode] @@ -239,7 +228,7 @@ """Parse platform information from arguments Arguments is a comma-separated string of platforms. A platform may -@@ -96,12 +94,13 @@ class Availability(SphinxDirective): +@@ -95,12 +93,13 @@ class Availability(SphinxDirective): platform, _, version = arg.partition(" >= ") if platform.startswith("not "): version = False 
@@ -255,7 +244,7 @@ logger.warning( "Unknown platform%s or syntax '%s' in '.. availability:: %s', " "see %s:KNOWN_PLATFORMS for a set of known platforms.", -@@ -114,7 +113,7 @@ class Availability(SphinxDirective): +@@ -113,7 +112,7 @@ class Availability(SphinxDirective): return platforms @@ -266,7 +255,7 @@ return { --- a/Doc/tools/extensions/c_annotations.py +++ b/Doc/tools/extensions/c_annotations.py -@@ -9,22 +9,18 @@ Configuration: +@@ -9,12 +9,10 @@ Configuration: * Set ``stable_abi_file`` to the path to stable ABI list. """ @@ -278,10 +267,9 @@ -from typing import TYPE_CHECKING +from typing import Any, Dict, List, TYPE_CHECKING, Union + import sphinx from docutils import nodes - from docutils.statemachine import StringList --from sphinx import addnodes -+from sphinx import addnodes, version_info +@@ -23,9 +21,7 @@ from sphinx import addnodes from sphinx.locale import _ as sphinx_gettext from sphinx.util.docutils import SphinxDirective @@ -292,7 +280,7 @@ ROLE_TO_OBJECT_TYPE = { "func": "function", -@@ -35,20 +31,20 @@ ROLE_TO_OBJECT_TYPE = { +@@ -36,20 +32,20 @@ ROLE_TO_OBJECT_TYPE = { } @@ -317,7 +305,7 @@ class StableABIEntry: # Role of the object. # Source: Each [item_kind] in stable_abi.toml is mapped to a C Domain role. -@@ -67,7 +63,7 @@ class StableABIEntry: +@@ -68,7 +64,7 @@ class StableABIEntry: struct_abi_kind: str @@ -326,7 +314,7 @@ refcount_data = {} refcounts = refcount_filename.read_text(encoding="utf8") for line in refcounts.splitlines(): -@@ -103,7 +99,7 @@ def read_refcount_data(refcount_filename +@@ -104,7 +100,7 @@ def read_refcount_data(refcount_filename return refcount_data @@ -335,7 +323,7 @@ stable_abi_data = {} with open(stable_abi_file, encoding="utf8") as fp: for record in csv.DictReader(fp): -@@ -127,11 +123,14 @@ def add_annotations(app: Sphinx, doctree +@@ -128,11 +124,14 @@ def add_annotations(app: Sphinx, doctree continue if not par[0].get("ids", None): continue 
@@ -352,7 +340,7 @@ if ROLE_TO_OBJECT_TYPE[record.role] != objtype: msg = ( f"Object type mismatch in limited API annotation for {name}: " -@@ -238,7 +237,7 @@ def _unstable_api_annotation() -> nodes. +@@ -239,7 +238,7 @@ def _unstable_api_annotation() -> nodes. ) @@ -361,7 +349,7 @@ classes = ["refcount"] if result_refs is None: rc = sphinx_gettext("Return value: Always NULL.") -@@ -258,7 +257,7 @@ class LimitedAPIList(SphinxDirective): +@@ -259,7 +258,7 @@ class LimitedAPIList(SphinxDirective): optional_arguments = 0 final_argument_whitespace = True @@ -370,7 +358,7 @@ state = self.env.domaindata["c_annotations"] content = [ f"* :c:{record.role}:`{record.name}`" -@@ -281,13 +280,23 @@ def init_annotations(app: Sphinx) -> Non +@@ -282,7 +281,7 @@ def init_annotations(app: Sphinx) -> Non ) @@ -379,22 +367,19 @@ app.add_config_value("refcount_file", "", "env", types={str}) app.add_config_value("stable_abi_file", "", "env", types={str}) app.add_directive("limited-api-list", LimitedAPIList) - app.connect("builder-inited", init_annotations) - app.connect("doctree-read", add_annotations) +@@ -294,10 +293,10 @@ def setup(app: Sphinx) -> ExtensionMetad + from sphinx.domains.c import CObject -+ if version_info[:2] < (7, 2): -+ from docutils.parsers.rst import directives -+ from sphinx.domains.c import CObject -+ -+ # monkey-patch C object... + # monkey-patch C object... +- CObject.option_spec |= { + CObject.option_spec.update({ -+ "no-index-entry": directives.flag, -+ "no-contents-entry": directives.flag, + "no-index-entry": directives.flag, + "no-contents-entry": directives.flag, +- } + }) -+ + return { "version": "1.0", - "parallel_read_safe": True, --- a/Doc/tools/extensions/glossary_search.py +++ b/Doc/tools/extensions/glossary_search.py @@ -1,18 +1,14 @@ diff --git a/python312.changes b/python312.changes index 2c101f9..313a2df 100644 --- a/python312.changes +++ b/python312.changes 
@@ -571,6 +571,15 @@ Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl
 path names provided when creating a virtual environment
 (bsc#1232241, CVE-2024-9287)
+-------------------------------------------------------------------
+Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl
+
+- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
+ path names provided when creating a virtual environment
+ (bsc#1232241, CVE-2024-9287)
+- Update doc-py38-to-py36.patch to include str.removeprefix
+ replacement.
+
 -------------------------------------------------------------------
 Tue Oct 1 15:32:06 UTC 2024 - Matej Cepl
diff --git a/python312.spec b/python312.spec
index 635fde7..bffb996 100644
--- a/python312.spec
+++ b/python312.spec
@@ -124,7 +124,7 @@ Summary: Python 3 Interpreter
 License: Python-2.0
 URL: https://www.python.org/
 Source0: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
-Source1: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
+Source1: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
 Source2: baselibs.conf
 Source3: README.SUSE
 Source4: externally_managed.in
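Review bot: The Source1 line now fetches the `.sigstore` bundle instead of the `.asc` detached signature, but the diffstat shows python312.spec changing only these two lines, so whatever previously consumed the `.asc` file (openSUSE packages usually pair it with a keyring file for source validation) is not adjusted in this commit; unless the build service is known to verify sigstore bundles for this package, the bundle is downloaded and nothing checks it, which silently drops upstream signature verification. Worth confirming the verification path and, if the keyring-based check is still in the spec, either keeping the `.asc` as an additional Source or updating that check in the same commit. Separately, the commit message's first bullet (adding CVE-2024-9287-venv_path_unquoted.patch) is not reflected in the diffstat — no patch file and no `Patch:` line is added — and the python312.changes hunk above re-adds an entry identical to the existing Oct 24 one, so the changelog overstates what this commit does.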