Add CVE-2025-8291-consistency-zip64.patch

Checks consistency of the zip64 end of central directory record, and preventing obfuscation of the payload, i.e., you scanning for malicious content in a ZIP file with one ZIP parser (let's say a Rust one) then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305) Readjust patches while synchronizing between openSUSE and SLE trees: - F00251-change-user-install-location.patch - doc-py38-to-py36.patch - gh126985-mv-pyvenv.cfg2getpath.patch
Merge branch 'main' into main_3139
2025-11-04 17:47:42 +01:00 · 2025-11-04 17:40:24 +01:00 · 2025-08-01 20:14:12 +00:00 · 2025-07-10 10:18:09 +00:00 · 2025-07-02 14:51:36 +00:00 · 2025-07-02 13:52:43 +00:00
8 changed files with 396 additions and 91 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,3 +21,4 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+*.changes merge=merge-changes
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,6 @@
 .osc
+*.obscpio
+*.osc
+_build.*
+.pbuild
+python313-*-build/
--- a/CVE-2025-8291-consistency-zip64.patch
+++ b/CVE-2025-8291-consistency-zip64.patch
@@ -0,0 +1,306 @@
+From 1f2e4ec73cf7ece0a8c0a7a85cb73ec9ec0ef85a Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Tue, 7 Oct 2025 20:15:26 +0300
+Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
+ central directory record (GH-139702)
+
+Support records with "zip64 extensible data" if there are no bytes
+prepended to the ZIP file.
+(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+---
+ Lib/test/test_zipfile/test_core.py                                       |   82 +++++++++-
+ Lib/zipfile/__init__.py                                                  |   51 +++---
+ Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst |    3
+ 3 files changed, 113 insertions(+), 23 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+
+Index: Python-3.13.9/Lib/test/test_zipfile/test_core.py
+===================================================================
+--- Python-3.13.9.orig/Lib/test/test_zipfile/test_core.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Lib/test/test_zipfile/test_core.py	2025-11-04 17:42:44.951505949 +0100
+@@ -884,6 +884,8 @@
+         self, file_size_64_set=False, file_size_extra=False,
+         compress_size_64_set=False, compress_size_extra=False,
+         header_offset_64_set=False, header_offset_extra=False,
+        extensible_data=b'',
+        end_of_central_dir_size=None, offset_to_end_of_central_dir=None,
+     ):
+         """Generate bytes sequence for a zip with (incomplete) zip64 data.
+
+@@ -937,6 +939,12 @@
+
+         central_dir_size = struct.pack('<Q', 58 + 8 * len(central_zip64_fields))
+         offset_to_central_dir = struct.pack('<Q', 50 + 8 * len(local_zip64_fields))
+        if end_of_central_dir_size is None:
+            end_of_central_dir_size = 44 + len(extensible_data)
+        if offset_to_end_of_central_dir is None:
+            offset_to_end_of_central_dir = (108
+                                            + 8 * len(local_zip64_fields)
+                                            + 8 * len(central_zip64_fields))
+
+         local_extra_length = struct.pack("<H", 4 + 8 * len(local_zip64_fields))
+         central_extra_length = struct.pack("<H", 4 + 8 * len(central_zip64_fields))
+@@ -965,14 +973,17 @@
+             + filename
+             + central_extra
+             # Zip64 end of central directory
+-            + b"PK\x06\x06,\x00\x00\x00\x00\x00\x00\x00-\x00-"
+-            + b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
+            + b"PK\x06\x06"
+            + struct.pack('<Q', end_of_central_dir_size)
+            + b"-\x00-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
+             + b"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
+             + central_dir_size
+             + offset_to_central_dir
+            + extensible_data
+             # Zip64 end of central directory locator
+-            + b"PK\x06\x07\x00\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x01"
+-            + b"\x00\x00\x00"
+            + b"PK\x06\x07\x00\x00\x00\x00"
+            + struct.pack('<Q', offset_to_end_of_central_dir)
+            + b"\x01\x00\x00\x00"
+             # end of central directory
+             + b"PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00:\x00\x00\x002\x00"
+             + b"\x00\x00\x00\x00"
+@@ -1003,6 +1014,7 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_file_size_extra))
+         self.assertIn('file size', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_file_size_extra)))
+
+         # zip64 file size present, zip64 compress size present, one field in
+         # extra, expecting two, equals missing compress size.
+@@ -1014,6 +1026,7 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
+         self.assertIn('compress size', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
+
+         # zip64 compress size present, no fields in extra, expecting one,
+         # equals missing compress size.
+@@ -1023,6 +1036,7 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
+         self.assertIn('compress size', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
+
+         # zip64 file size present, zip64 compress size present, zip64 header
+         # offset present, two fields in extra, expecting three, equals missing
+@@ -1037,6 +1051,7 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
+         self.assertIn('header offset', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
+
+         # zip64 compress size present, zip64 header offset present, one field
+         # in extra, expecting two, equals missing header offset
+@@ -1049,6 +1064,7 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
+         self.assertIn('header offset', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
+
+         # zip64 file size present, zip64 header offset present, one field in
+         # extra, expecting two, equals missing header offset
+@@ -1061,6 +1077,7 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
+         self.assertIn('header offset', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
+
+         # zip64 header offset present, no fields in extra, expecting one,
+         # equals missing header offset
+@@ -1072,6 +1089,63 @@
+         with self.assertRaises(zipfile.BadZipFile) as e:
+             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
+         self.assertIn('header offset', str(e.exception).lower())
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
+
+    def test_bad_zip64_end_of_central_dir(self):
+        zipdata = self.make_zip64_file(end_of_central_dir_size=0)
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
+            zipfile.ZipFile(io.BytesIO(zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+        zipdata = self.make_zip64_file(end_of_central_dir_size=100)
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
+            zipfile.ZipFile(io.BytesIO(zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+        zipdata = self.make_zip64_file(offset_to_end_of_central_dir=0)
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
+            zipfile.ZipFile(io.BytesIO(zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+        zipdata = self.make_zip64_file(offset_to_end_of_central_dir=1000)
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*locator'):
+            zipfile.ZipFile(io.BytesIO(zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+    def test_zip64_end_of_central_dir_record_not_found(self):
+        zipdata = self.make_zip64_file()
+        zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
+            zipfile.ZipFile(io.BytesIO(zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+        zipdata = self.make_zip64_file(
+            extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
+        zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
+            zipfile.ZipFile(io.BytesIO(zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+    def test_zip64_extensible_data(self):
+        # These values are what is set in the make_zip64_file method.
+        expected_file_size = 8
+        expected_compress_size = 8
+        expected_header_offset = 0
+        expected_content = b"test1234"
+
+        zipdata = self.make_zip64_file(
+            extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
+        with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
+            zinfo = zf.infolist()[0]
+            self.assertEqual(zinfo.file_size, expected_file_size)
+            self.assertEqual(zinfo.compress_size, expected_compress_size)
+            self.assertEqual(zinfo.header_offset, expected_header_offset)
+            self.assertEqual(zf.read(zinfo), expected_content)
+        self.assertTrue(zipfile.is_zipfile(io.BytesIO(zipdata)))
+
+        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
+            zipfile.ZipFile(io.BytesIO(b'prepended' + zipdata))
+        self.assertFalse(zipfile.is_zipfile(io.BytesIO(b'prepended' + zipdata)))
+
+     def test_generated_valid_zip64_extra(self):
+         # These values are what is set in the make_zip64_file method.
+Index: Python-3.13.9/Lib/zipfile/__init__.py
+===================================================================
+--- Python-3.13.9.orig/Lib/zipfile/__init__.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Lib/zipfile/__init__.py	2025-11-04 17:42:44.951898115 +0100
+@@ -245,7 +245,7 @@
+         else:
+             with open(filename, "rb") as fp:
+                 result = _check_zipfile(fp)
+-    except OSError:
+    except (OSError, BadZipFile):
+         pass
+     return result
+
+@@ -253,16 +253,15 @@
+     """
+     Read the ZIP64 end-of-archive records and use that to update endrec
+     """
+-    try:
+-        fpin.seek(offset - sizeEndCentDir64Locator, 2)
+-    except OSError:
+-        # If the seek fails, the file is not large enough to contain a ZIP64
+    offset -= sizeEndCentDir64Locator
+    if offset < 0:
+        # The file is not large enough to contain a ZIP64
+         # end-of-archive record, so just return the end record we were given.
+         return endrec
+-
+    fpin.seek(offset)
+     data = fpin.read(sizeEndCentDir64Locator)
+     if len(data) != sizeEndCentDir64Locator:
+-        return endrec
+        raise OSError("Unknown I/O error")
+     sig, diskno, reloff, disks = struct.unpack(structEndArchive64Locator, data)
+     if sig != stringEndArchive64Locator:
+         return endrec
+@@ -270,16 +269,33 @@
+     if diskno != 0 or disks > 1:
+         raise BadZipFile("zipfiles that span multiple disks are not supported")
+
+-    # Assume no 'zip64 extensible data'
+-    fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2)
+    offset -= sizeEndCentDir64
+    if reloff > offset:
+        raise BadZipFile("Corrupt zip64 end of central directory locator")
+    # First, check the assumption that there is no prepended data.
+    fpin.seek(reloff)
+    extrasz = offset - reloff
+     data = fpin.read(sizeEndCentDir64)
+     if len(data) != sizeEndCentDir64:
+-        return endrec
+        raise OSError("Unknown I/O error")
+    if not data.startswith(stringEndArchive64) and reloff != offset:
+        # Since we already have seen the Zip64 EOCD Locator, it's
+        # possible we got here because there is prepended data.
+        # Assume no 'zip64 extensible data'
+        fpin.seek(offset)
+        extrasz = 0
+        data = fpin.read(sizeEndCentDir64)
+        if len(data) != sizeEndCentDir64:
+            raise OSError("Unknown I/O error")
+    if not data.startswith(stringEndArchive64):
+        raise BadZipFile("Zip64 end of central directory record not found")
+
+     sig, sz, create_version, read_version, disk_num, disk_dir, \
+         dircount, dircount2, dirsize, diroffset = \
+         struct.unpack(structEndArchive64, data)
+-    if sig != stringEndArchive64:
+-        return endrec
+    if (diroffset + dirsize != reloff or
+        sz + 12 != sizeEndCentDir64 + extrasz):
+        raise BadZipFile("Corrupt zip64 end of central directory record")
+
+     # Update the original endrec using data from the ZIP64 record
+     endrec[_ECD_SIGNATURE] = sig
+@@ -289,6 +305,7 @@
+     endrec[_ECD_ENTRIES_TOTAL] = dircount2
+     endrec[_ECD_SIZE] = dirsize
+     endrec[_ECD_OFFSET] = diroffset
+    endrec[_ECD_LOCATION] = offset - extrasz
+     return endrec
+
+
+@@ -322,7 +339,7 @@
+         endrec.append(filesize - sizeEndCentDir)
+
+         # Try to read the "Zip64 end of central directory" structure
+-        return _EndRecData64(fpin, -sizeEndCentDir, endrec)
+        return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec)
+
+     # Either this is not a ZIP file, or it is a ZIP file with an archive
+     # comment.  Search the end of the file for the "end of central directory"
+@@ -346,8 +363,7 @@
+         endrec.append(maxCommentStart + start)
+
+         # Try to read the "Zip64 end of central directory" structure
+-        return _EndRecData64(fpin, maxCommentStart + start - filesize,
+-                             endrec)
+        return _EndRecData64(fpin, maxCommentStart + start, endrec)
+
+     # Unable to find a valid end of central directory structure
+     return None
+@@ -1458,9 +1474,6 @@
+
+         # "concat" is zero, unless zip was concatenated to another file
+         concat = endrec[_ECD_LOCATION] - size_cd - offset_cd
+-        if endrec[_ECD_SIGNATURE] == stringEndArchive64:
+-            # If Zip64 extension structures are present, account for them
+-            concat -= (sizeEndCentDir64 + sizeEndCentDir64Locator)
+
+         if self.debug > 2:
+             inferred = concat + offset_cd
+@@ -2082,7 +2095,7 @@
+                                    " would require ZIP64 extensions")
+             zip64endrec = struct.pack(
+                 structEndArchive64, stringEndArchive64,
+-                44, 45, 45, 0, 0, centDirCount, centDirCount,
+                sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount,
+                 centDirSize, centDirOffset)
+             self.fp.write(zip64endrec)
+
+Index: Python-3.13.9/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.13.9/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst	2025-11-04 17:42:44.952237544 +0100
+@@ -0,0 +1,3 @@
+Check consistency of the zip64 end of central directory record. Support
+records with "zip64 extensible data" if there are no bytes prepended to the
+ZIP file.
--- a/F00251-change-user-install-location.patch
+++ b/F00251-change-user-install-location.patch
@@ -28,10 +28,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
 Lib/test/test_sysconfig.py |   17 +++++++++++--
 2 files changed, 67 insertions(+), 7 deletions(-)

-Index: Python-3.13.3/Lib/sysconfig/__init__.py
+Index: Python-3.13.9/Lib/sysconfig/__init__.py
 ===================================================================
--- Python-3.13.3.orig/Lib/sysconfig/__init__.py	2025-04-08 15:54:08.000000000 +0200
-+++ Python-3.13.3/Lib/sysconfig/__init__.py	2025-04-11 21:52:31.769387873 +0200
+--- Python-3.13.9.orig/Lib/sysconfig/__init__.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Lib/sysconfig/__init__.py	2025-11-04 17:41:28.521141323 +0100
@@ -106,6 +106,11 @@
 else:
     _INSTALL_SCHEMES['venv'] = _INSTALL_SCHEMES['posix_venv']
@@ -128,10 +128,10 @@ Index: Python-3.13.3/Lib/sysconfig/__init__.py
     _CONFIG_VARS['py_version'] = _PY_VERSION
     _CONFIG_VARS['py_version_short'] = _PY_VERSION_SHORT
     _CONFIG_VARS['py_version_nodot'] = _PY_VERSION_SHORT_NO_DOT
-Index: Python-3.13.3/Lib/test/test_sysconfig.py
+Index: Python-3.13.9/Lib/test/test_sysconfig.py
 ===================================================================
--- Python-3.13.3.orig/Lib/test/test_sysconfig.py	2025-04-08 15:54:08.000000000 +0200
-+++ Python-3.13.3/Lib/test/test_sysconfig.py	2025-04-11 21:52:31.769841915 +0200
+--- Python-3.13.9.orig/Lib/test/test_sysconfig.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Lib/test/test_sysconfig.py	2025-11-04 17:41:28.521386489 +0100
@@ -130,8 +130,19 @@
         for scheme in _INSTALL_SCHEMES:
             for name in _INSTALL_SCHEMES[scheme]:
@@ -153,7 +153,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py
                     os.path.normpath(expected),
                 )
 
-@@ -386,7 +397,7 @@
+@@ -393,7 +404,7 @@
         self.assertTrue(os.path.isfile(config_h), config_h)
 
     def test_get_scheme_names(self):
@@ -162,7 +162,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py
         if HAS_USER_BASE:
             wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
         self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -398,6 +409,8 @@
+@@ -405,6 +416,8 @@
             cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
             self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
 
--- a/doc-py38-to-py36.patch
+++ b/doc-py38-to-py36.patch
@@ -7,7 +7,6 @@
 Doc/library/doctest.rst                       |    1
 Doc/library/email.compat32-message.rst        |    1
 Doc/library/xml.etree.elementtree.rst         |    1
- Doc/Makefile                                  |    8 +--
 Doc/c-api/arg.rst                             |    1 
 Doc/c-api/typeobj.rst                         |    8 +--
 Doc/conf.py                                   |   29 ++++++++++---
@@ -25,36 +24,12 @@
 Doc/tools/extensions/misc_news.py             |   14 ++----
 Doc/tools/extensions/patchlevel.py            |    9 ++--
 Doc/tools/extensions/pydoc_topics.py          |   22 +++++-----
- 18 files changed, 159 insertions(+), 130 deletions(-)
+ 17 files changed, 155 insertions(+), 126 deletions(-)

-Index: Python-3.13.6/Doc/Makefile
+Index: Python-3.13.9/Doc/c-api/arg.rst
 ===================================================================
--- Python-3.13.6.orig/Doc/Makefile	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/Makefile	2025-08-07 12:16:58.253706854 +0200
-@@ -14,15 +14,15 @@
- SOURCES      =
- DISTVERSION  = $(shell $(PYTHON) tools/extensions/patchlevel.py)
- REQUIREMENTS = requirements.txt
-SPHINXERRORHANDLING = --fail-on-warning
-+SPHINXERRORHANDLING =
- 
- # Internal variables.
- PAPEROPT_a4     = --define latex_elements.papersize=a4paper
- PAPEROPT_letter = --define latex_elements.papersize=letterpaper
- 
-ALLSPHINXOPTS = --builder $(BUILDER) \
-                --doctree-dir build/doctrees \
-                --jobs $(JOBS) \
-+ALLSPHINXOPTS = -b $(BUILDER) \
-+                -d build/doctrees \
-+                -j $(JOBS) \
-                 $(PAPEROPT_$(PAPER)) \
-                 $(SPHINXOPTS) $(SPHINXERRORHANDLING) \
-                 . build/$(BUILDER) $(SOURCES)
-Index: Python-3.13.6/Doc/c-api/arg.rst
-===================================================================
--- Python-3.13.6.orig/Doc/c-api/arg.rst	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/c-api/arg.rst	2025-08-07 12:16:58.254160756 +0200
+--- Python-3.13.9.orig/Doc/c-api/arg.rst	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/c-api/arg.rst	2025-11-04 17:41:42.876411055 +0100
@@ -334,7 +334,6 @@
    should raise an exception and leave the content of *address* unmodified.
 
@@ -63,10 +38,10 @@ Index: Python-3.13.6/Doc/c-api/arg.rst
 
    If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a
    second time if the argument parsing eventually fails, giving the converter a
-Index: Python-3.13.6/Doc/c-api/typeobj.rst
+Index: Python-3.13.9/Doc/c-api/typeobj.rst
 ===================================================================
--- Python-3.13.6.orig/Doc/c-api/typeobj.rst	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/c-api/typeobj.rst	2025-08-07 12:16:58.254692184 +0200
+--- Python-3.13.9.orig/Doc/c-api/typeobj.rst	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/c-api/typeobj.rst	2025-11-04 17:41:42.877033887 +0100
@@ -610,7 +610,7 @@
    Functions like :c:func:`PyObject_NewVar` will take the value of N as an
    argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field.
@@ -97,10 +72,10 @@ Index: Python-3.13.6/Doc/c-api/typeobj.rst
    include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on
    whether :c:member:`~PyVarObject.ob_size` should be included). These are
    usually defined by the macro :c:macro:`PyObject_HEAD` or
-Index: Python-3.13.6/Doc/conf.py
+Index: Python-3.13.9/Doc/conf.py
 ===================================================================
--- Python-3.13.6.orig/Doc/conf.py	2025-08-07 12:16:45.115568663 +0200
-+++ Python-3.13.6/Doc/conf.py	2025-08-07 12:16:58.255236531 +0200
+--- Python-3.13.9.orig/Doc/conf.py	2025-11-04 17:39:03.414159687 +0100
+++ Python-3.13.9/Doc/conf.py	2025-11-04 17:41:42.877735198 +0100
@@ -11,6 +11,8 @@
 from importlib import import_module
 from importlib.util import find_spec
@@ -136,7 +111,7 @@ Index: Python-3.13.6/Doc/conf.py
 
 # Create table of contents entries for domain objects (e.g. functions, classes,
 # attributes, etc.). Default is True.
-@@ -258,6 +260,9 @@
+@@ -257,6 +259,9 @@
 # Avoid a warning with Sphinx >= 4.0
 root_doc = 'contents'
 
@@ -146,7 +121,7 @@ Index: Python-3.13.6/Doc/conf.py
 # Allow translation of index directives
 gettext_additional_targets = [
     'index',
-@@ -297,7 +302,7 @@
+@@ -296,7 +301,7 @@
 # (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html)
 is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external"
 repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "")
@@ -172,10 +147,10 @@ Index: Python-3.13.6/Doc/conf.py
 # Options for c_annotations extension
 # -----------------------------------
 
-Index: Python-3.13.6/Doc/library/doctest.rst
+Index: Python-3.13.9/Doc/library/doctest.rst
 ===================================================================
--- Python-3.13.6.orig/Doc/library/doctest.rst	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/library/doctest.rst	2025-08-07 12:16:58.255583157 +0200
+--- Python-3.13.9.orig/Doc/library/doctest.rst	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/library/doctest.rst	2025-11-04 17:41:42.878188221 +0100
@@ -310,7 +310,6 @@
 .. currentmodule:: None
 
@@ -184,10 +159,10 @@ Index: Python-3.13.6/Doc/library/doctest.rst
 
 .. currentmodule:: doctest
 
-Index: Python-3.13.6/Doc/library/email.compat32-message.rst
+Index: Python-3.13.9/Doc/library/email.compat32-message.rst
 ===================================================================
--- Python-3.13.6.orig/Doc/library/email.compat32-message.rst	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/library/email.compat32-message.rst	2025-08-07 12:16:58.256095517 +0200
+--- Python-3.13.9.orig/Doc/library/email.compat32-message.rst	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/library/email.compat32-message.rst	2025-11-04 17:41:42.878726754 +0100
@@ -7,7 +7,6 @@
    :synopsis: The base class representing email messages in a fashion
               backward compatible with Python 3.2
@@ -196,10 +171,10 @@ Index: Python-3.13.6/Doc/library/email.compat32-message.rst
 
 
 The :class:`Message` class is very similar to the
-Index: Python-3.13.6/Doc/library/xml.etree.elementtree.rst
+Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
 ===================================================================
--- Python-3.13.6.orig/Doc/library/xml.etree.elementtree.rst	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/library/xml.etree.elementtree.rst	2025-08-07 12:16:58.256380542 +0200
+--- Python-3.13.9.orig/Doc/library/xml.etree.elementtree.rst	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/library/xml.etree.elementtree.rst	2025-11-04 17:41:42.879107050 +0100
@@ -873,7 +873,6 @@
 
 .. module:: xml.etree.ElementTree
@@ -208,10 +183,10 @@ Index: Python-3.13.6/Doc/library/xml.etree.elementtree.rst
 
 .. class:: Element(tag, attrib={}, **extra)
 
-Index: Python-3.13.6/Doc/tools/check-warnings.py
+Index: Python-3.13.9/Doc/tools/check-warnings.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/check-warnings.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/check-warnings.py	2025-08-07 12:16:58.256796101 +0200
+--- Python-3.13.9.orig/Doc/tools/check-warnings.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/check-warnings.py	2025-11-04 17:41:42.879425179 +0100
@@ -228,7 +228,8 @@
             print(filename)
             for warning in warnings:
@@ -231,10 +206,10 @@ Index: Python-3.13.6/Doc/tools/check-warnings.py
         for warning in warnings
         if "Doc/" in warning
     }
-Index: Python-3.13.6/Doc/tools/extensions/audit_events.py
+Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/audit_events.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/audit_events.py	2025-08-07 12:16:58.257103336 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/audit_events.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/audit_events.py	2025-11-04 17:41:42.879679368 +0100
@@ -1,9 +1,6 @@
 """Support for documenting audit events."""
 
@@ -370,10 +345,10 @@ Index: Python-3.13.6/Doc/tools/extensions/audit_events.py
     ) -> nodes.row:
         row = nodes.row()
         name_node = nodes.paragraph("", nodes.Text(name))
-Index: Python-3.13.6/Doc/tools/extensions/availability.py
+Index: Python-3.13.9/Doc/tools/extensions/availability.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/availability.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/availability.py	2025-08-07 12:16:58.257352322 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/availability.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/availability.py	2025-11-04 17:41:42.879900324 +0100
@@ -1,8 +1,6 @@
 """Support for documenting platform availability"""
 
@@ -427,10 +402,10 @@ Index: Python-3.13.6/Doc/tools/extensions/availability.py
     app.add_directive("availability", Availability)
 
     return {
-Index: Python-3.13.6/Doc/tools/extensions/c_annotations.py
+Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/c_annotations.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/c_annotations.py	2025-08-07 12:16:58.257571556 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/c_annotations.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/c_annotations.py	2025-11-04 17:41:42.880074051 +0100
@@ -9,22 +9,26 @@
 * Set ``stable_abi_file`` to the path to stable ABI list.
 """
@@ -568,10 +543,10 @@ Index: Python-3.13.6/Doc/tools/extensions/c_annotations.py
     return {
         "version": "1.0",
         "parallel_read_safe": True,
-Index: Python-3.13.6/Doc/tools/extensions/changes.py
+Index: Python-3.13.9/Doc/tools/extensions/changes.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/changes.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/changes.py	2025-08-07 12:16:58.257773818 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/changes.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/changes.py	2025-11-04 17:41:42.880259370 +0100
@@ -1,7 +1,5 @@
 """Support for documenting version of changes, additions, deprecations."""
 
@@ -607,10 +582,10 @@ Index: Python-3.13.6/Doc/tools/extensions/changes.py
     # Override Sphinx's directives with support for 'next'
     app.add_directive("versionadded", PyVersionChange, override=True)
     app.add_directive("versionchanged", PyVersionChange, override=True)
-Index: Python-3.13.6/Doc/tools/extensions/glossary_search.py
+Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/glossary_search.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/glossary_search.py	2025-08-07 12:16:58.257959947 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/glossary_search.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/glossary_search.py	2025-11-04 17:41:42.880446332 +0100
@@ -1,21 +1,27 @@
 """Feature search results for glossary items prominently."""
 
@@ -654,10 +629,10 @@ Index: Python-3.13.6/Doc/tools/extensions/glossary_search.py
     app.connect('doctree-resolved', process_glossary_nodes)
     app.connect('build-finished', write_glossary_json)
 
-Index: Python-3.13.6/Doc/tools/extensions/implementation_detail.py
+Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/implementation_detail.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/implementation_detail.py	2025-08-07 12:16:58.258140488 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/implementation_detail.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/implementation_detail.py	2025-11-04 17:41:42.880613957 +0100
@@ -1,17 +1,10 @@
 """Support for marking up implementation details."""
 
@@ -708,10 +683,10 @@ Index: Python-3.13.6/Doc/tools/extensions/implementation_detail.py
     app.add_directive("impl-detail", ImplementationDetail)
 
     return {
-Index: Python-3.13.6/Doc/tools/extensions/issue_role.py
+Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/issue_role.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/issue_role.py	2025-08-07 12:16:58.258306293 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/issue_role.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/issue_role.py	2025-11-04 17:41:42.880769320 +0100
@@ -1,22 +1,18 @@
 """Support for referencing issues in the tracker."""
 
@@ -757,10 +732,10 @@ Index: Python-3.13.6/Doc/tools/extensions/issue_role.py
     app.add_role("issue", BPOIssue())
     app.add_role("gh", GitHubIssue())
 
-Index: Python-3.13.6/Doc/tools/extensions/misc_news.py
+Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/misc_news.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/misc_news.py	2025-08-07 12:16:58.258481107 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/misc_news.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/misc_news.py	2025-11-04 17:41:42.880942406 +0100
@@ -1,7 +1,5 @@
 """Support for including Misc/NEWS."""
 
@@ -813,10 +788,10 @@ Index: Python-3.13.6/Doc/tools/extensions/misc_news.py
     app.add_directive("miscnews", MiscNews)
 
     return {
-Index: Python-3.13.6/Doc/tools/extensions/patchlevel.py
+Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/patchlevel.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/patchlevel.py	2025-08-07 12:16:58.258716335 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/patchlevel.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/patchlevel.py	2025-11-04 17:41:42.881098319 +0100
@@ -3,7 +3,7 @@
 import re
 import sys
@@ -854,10 +829,10 @@ Index: Python-3.13.6/Doc/tools/extensions/patchlevel.py
     version = f"{info.major}.{info.minor}"
     release = f"{info.major}.{info.minor}.{info.micro}"
     if info.releaselevel != "final":
-Index: Python-3.13.6/Doc/tools/extensions/pydoc_topics.py
+Index: Python-3.13.9/Doc/tools/extensions/pydoc_topics.py
 ===================================================================
--- Python-3.13.6.orig/Doc/tools/extensions/pydoc_topics.py	2025-08-06 15:05:20.000000000 +0200
-+++ Python-3.13.6/Doc/tools/extensions/pydoc_topics.py	2025-08-07 12:16:58.258911962 +0200
+--- Python-3.13.9.orig/Doc/tools/extensions/pydoc_topics.py	2025-10-14 15:52:31.000000000 +0200
+++ Python-3.13.9/Doc/tools/extensions/pydoc_topics.py	2025-11-04 17:41:42.881251888 +0100
@@ -1,21 +1,23 @@
 """Support for building "topic help" for pydoc."""
 
--- a/gh126985-mv-pyvenv.cfg2getpath.patch
+++ b/gh126985-mv-pyvenv.cfg2getpath.patch
@@ -8,10 +8,10 @@ Date:   Tue Nov 26 13:46:33 2024 +0000
 Lib/test/test_sysconfig.py |   67 ---------------------------------------------
 1 file changed, 1 insertion(+), 66 deletions(-)

-Index: Python-3.13.5/Lib/test/test_sysconfig.py
+Index: Python-3.13.9/Lib/test/test_sysconfig.py
 ===================================================================
--- Python-3.13.5.orig/Lib/test/test_sysconfig.py	2025-06-12 19:55:42.184491497 +0200
-+++ Python-3.13.5/Lib/test/test_sysconfig.py	2025-06-12 19:56:05.737665419 +0200
+--- Python-3.13.9.orig/Lib/test/test_sysconfig.py	2025-11-04 17:41:28.521386489 +0100
+++ Python-3.13.9/Lib/test/test_sysconfig.py	2025-11-04 17:42:36.888243505 +0100
@@ -110,6 +110,7 @@
             **venv_create_args,
         )
@@ -20,7 +20,7 @@ Index: Python-3.13.5/Lib/test/test_sysconfig.py
     def test_get_path_names(self):
         self.assertEqual(get_path_names(), sysconfig._SCHEME_KEYS)
 
-@@ -604,72 +605,6 @@
+@@ -611,72 +612,6 @@
         suffix = sysconfig.get_config_var('EXT_SUFFIX')
         self.assertTrue(suffix.endswith('-darwin.so'), suffix)
 
--- a/python313.changes
+++ b/python313.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Nov  4 16:44:05 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-8291-consistency-zip64.patch which checks
+  consistency of the zip64 end of central directory record, and
+  preventing obfuscation of the payload, i.e., you scanning for
+  malicious content in a ZIP file with one ZIP parser (let's say
+  a Rust one) then unpack it in production with another (e.g.,
+  the Python one) and get malicious content that the other parser
+  did not see (CVE-2025-8291, bsc#1251305)
+- Readjust patches while synchronizing between openSUSE and SLE trees:
+  - F00251-change-user-install-location.patch
+  - doc-py38-to-py36.patch
+  - gh126985-mv-pyvenv.cfg2getpath.patch
+
 -------------------------------------------------------------------
 Wed Oct 15 09:15:38 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>

--- a/python313.spec
+++ b/python313.spec
@@ -235,6 +235,9 @@ Patch43:        bsc1243155-sphinx-non-determinism.patch
 Patch44:        gh138131-exclude-pycache-from-digest.patch
 # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
 Patch45:        gh139257-Support-docutils-0.22.patch
+# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
+# Check consistency of the zip64 end of central directory record
+Patch46:        CVE-2025-8291-consistency-zip64.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
Author	SHA256	Message	Date
Matěj Cepl	ff726ffdd5	Add CVE-2025-8291-consistency-zip64.patch Checks consistency of the zip64 end of central directory record, and preventing obfuscation of the payload, i.e., you scanning for malicious content in a ZIP file with one ZIP parser (let's say a Rust one) then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305) Readjust patches while synchronizing between openSUSE and SLE trees: - F00251-change-user-install-location.patch - doc-py38-to-py36.patch - gh126985-mv-pyvenv.cfg2getpath.patch	2025-11-04 17:47:42 +01:00
Matěj Cepl	6823a127f7	Merge branch 'main' into main_3139	2025-11-04 17:40:24 +01:00
Matej Cepl	c0f5d18c1e	- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=113	2025-08-01 20:14:12 +00:00
Daniel Garcia	f1f4736355	- Fix gil/nogil package description, bsc#1246229 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=111	2025-07-10 10:18:09 +00:00
Matej Cepl	e51fa4e692	- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=110	2025-07-02 14:51:36 +00:00
Matej Cepl	da11e6e10a	- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to generate ids for audit_events using docname (reproducible builds). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=109	2025-07-02 13:52:43 +00:00
Matej Cepl	a7efa91dcd	- Use one core to build doc. This will make sphinx doc build reproducible. bsc#1243155 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=108	2025-07-02 11:27:27 +00:00
Matej Cepl	b58f975be7	Add link to bsc#1244061 to changelog. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=106	2025-06-25 19:43:42 +00:00
Matej Cepl	c7e438c2e0	- Substantially rewritten doc-py38-to-py36.patch patch to be more flexible and covering even unexpected changes. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=104	2025-06-22 19:29:14 +00:00
Matej Cepl	eb2298e3f2	- adjusted sofilename for "nogil" build correctly. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=103	2025-06-22 16:37:53 +00:00
Matej Cepl	f9c64528f8	- Update to 3.13.5: - Tests - gh-135120: Add test.support.subTests(). - Library - gh-133967: Do not normalize locale name ‘C.UTF-8’ to ‘en_US.UTF-8’. - gh-135326: Restore support of integer-like objects with __index__() in random.getrandbits(). - gh-135321: Raise a correct exception for values greater than 0x7fffffff for the BINSTRING opcode in the C implementation of pickle. - gh-135276: Backported bugfixes in zipfile.Path from zipp 3.23. Fixed .name, .stem and other basename-based properties on Windows when working with a zipfile on disk. - gh-134151: email: Fix TypeError in email.utils.decode_params() when sorting RFC 2231 continuations that contain an unnumbered section. - gh-134152: email: Fix parsing of email message ID with invalid domain. - gh-127081: Fix libc thread safety issues with os by replacing getlogin with getlogin_r re-entrant version. - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - Core and Builtins - gh-135171: Roll back changes to generator and list comprehensions that went into 3.13.4 to fix gh-127682, but which involved semantic and bytecode changes not appropriate for a bugfix release. - C API - gh-134989: Fix Py_RETURN_NONE, Py_RETURN_TRUE and OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=102	2025-06-11 22:06:33 +00:00
Matej Cepl	3386fc12ed	Add missing import OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=101	2025-06-10 01:23:49 +00:00
Matej Cepl	e8c68d65d4	- Update to 3.13.4: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-134718: ast.dump() now only omits None and [] values if they are default values. - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134696: Built-in HACL* and OpenSSL implementations of hash function constructors now correctly accept the same documented named arguments. For instance, md5() could be previously invoked as md5(data=data) or md5(string=string) depending on the underlying implementation but these calls were not compatible. Patch by Bénédikt Tran. - gh-134210: curses.window.getch() now correctly handles signals. Patch by Bénédikt Tran. - gh-80334: multiprocessing.freeze_support() now checks for work on any “spawn” start method platform rather than only on Windows. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=100	2025-06-09 21:38:15 +00:00
Matej Cepl	96acb778b3	- Don't use %elif, it is supported only from rpm 4.15.0, which is not in SLE-15. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=98	2025-05-28 09:47:26 +00:00
Matej Cepl	8d20edb449	- Add CVE-2025-4516-DecodeError-handler.patch fixing CVE-2025-4516 (bsc#1243273) blocking DecodeError handling vulnerability, which could lead to DoS. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=96	2025-05-17 07:34:05 +00:00
Matej Cepl	64bae1f84b	- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed since kernel 3.6-rc1) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=94	2025-05-10 11:43:36 +00:00
Matej Cepl	201e349852	This OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=92	2025-04-16 07:52:47 +00:00
Matej Cepl	a90f4e560b	Fix patches OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=91	2025-04-16 07:17:38 +00:00
Matej Cepl	0f47302d79	- Add gh-126500-test_ssl-no-stop-ThreadedEchoServer-OSError.patch and gh-127257-ssl-OSError-ERR_LIB_SYS.patch to make the interpreter compatible with OpenSSL 3.5 (bsc#1241067). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=90	2025-04-16 07:15:35 +00:00
Matej Cepl	24d06dc05c	- Add gh-132535-rsrc-warn-test_timeout.patch to fix failing tests in the build system without network access (gh#python/cpython#132535). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=89	2025-04-15 22:19:57 +00:00
Matej Cepl	3837884001	- Add gh126985-mv-pyvenv.cfg2getpath.patch to remove failing tests in test_sysconfig. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=88	2025-04-15 14:09:42 +00:00
Matej Cepl	a23dbf9cdf	- Update to 3.13.3: - Tools/Demos - gh-131852: msgfmt no longer adds the POT-Creation-Date to generated .mo files for consistency with GNU msgfmt. - gh-85012: Correctly reset msgctxt when compiling messages in msgfmt. - gh-130025: The iOS testbed now correctly handles symlinks used as Python framework references. - Tests - gh-131050: test_ssl.test_dh_params is skipped if the underlying TLS library does not support finite-field ephemeral Diffie-Hellman. - gh-129200: Multiple iOS testbed runners can now be started at the same time without introducing an ambiguity over simulator ownership. - gh-130292: The iOS testbed will now run successfully on a machine that has not previously run Xcode tests (such as CI configurations). - gh-130293: The tests of terminal colorization are no longer sensitive to the value of the TERM variable in the testing environment. - gh-126332: Add unit tests for pyrepl. - Security - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-127371: Avoid unbounded buffering for tempfile.SpooledTemporaryFile.writelines(). Previously, disk spillover was only checked after the lines iterator had been exhausted. This is now done after each line is written. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=87	2025-04-11 19:56:43 +00:00
Matej Cepl	208ac0bda6	revert OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=86	2025-04-11 06:10:15 +00:00
Matej Cepl	88b70a09e9	- don't require rpm-build-python for base to fix bootstrap issue after primary_python change - replace rpm-build-python alias with python-rpm-packaging package name OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=85	2025-03-14 22:57:44 +00:00