Update to 3.13.11

2025-12-19 19:38:03 +01:00
10 changed files with 490 additions and 767 deletions
--- a/CVE-2025-6075-expandvars-perf-degrad.patch
+++ b/CVE-2025-6075-expandvars-perf-degrad.patch
@@ -1,373 +0,0 @@
 From 4fc21099da844f85b799d3c4c8b1b5936faa4cdc Mon Sep 17 00:00:00 2001
 From: Serhiy Storchaka <storchaka@gmail.com>
 Date: Fri, 31 Oct 2025 15:49:51 +0200
 Subject: [PATCH 1/2] [3.13] gh-136065: Fix quadratic complexity in
 os.path.expandvars() (GH-134952) (cherry picked from commit
 f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 Co-authored-by: Łukasz Langa <lukasz@langa.pl>
 ---
 Lib/ntpath.py                                                            |  126 +++-------
 Lib/posixpath.py                                                         |   43 +--
 Lib/test/test_genericpath.py                                             |   21 +
 Lib/test/test_ntpath.py                                                  |   22 +
 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst |    1 
 5 files changed, 96 insertions(+), 117 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
 Index: Python-3.13.9/Lib/ntpath.py
 ===================================================================
 --- Python-3.13.9.orig/Lib/ntpath.py	2025-10-14 15:52:31.000000000 +0200
 +++ Python-3.13.9/Lib/ntpath.py	2025-11-14 01:47:08.155405483 +0100
@@ -400,17 +400,23 @@
 # XXX With COMMAND.COM you can use any characters in a variable name,
 # XXX except '^|<>='.
 +_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
 +_varsub = None
 +_varsubb = None
 +
 def expandvars(path):
     """Expand shell variables of the forms $var, ${var} and %var%.
     Unknown variables are left unchanged."""
     path = os.fspath(path)
 +    global _varsub, _varsubb
     if isinstance(path, bytes):
         if b'$' not in path and b'%' not in path:
             return path
 -        import string
 -        varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
 -        quote = b'\''
 +        if not _varsubb:
 +            import re
 +            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
 +        sub = _varsubb
         percent = b'%'
         brace = b'{'
         rbrace = b'}'
@@ -419,94 +425,44 @@
     else:
         if '$' not in path and '%' not in path:
             return path
 -        import string
 -        varchars = string.ascii_letters + string.digits + '_-'
 -        quote = '\''
 +        if not _varsub:
 +            import re
 +            _varsub = re.compile(_varpattern, re.ASCII).sub
 +        sub = _varsub
         percent = '%'
         brace = '{'
         rbrace = '}'
         dollar = '$'
         environ = os.environ
 -    res = path[:0]
 -    index = 0
 -    pathlen = len(path)
 -    while index < pathlen:
 -        c = path[index:index+1]
 -        if c == quote:   # no expansion within single quotes
 -            path = path[index + 1:]
 -            pathlen = len(path)
 -            try:
 -                index = path.index(c)
 -                res += c + path[:index + 1]
 -            except ValueError:
 -                res += c + path
 -                index = pathlen - 1
 -        elif c == percent:  # variable or '%'
 -            if path[index + 1:index + 2] == percent:
 -                res += c
 -                index += 1
 -            else:
 -                path = path[index+1:]
 -                pathlen = len(path)
 -                try:
 -                    index = path.index(percent)
 -                except ValueError:
 -                    res += percent + path
 -                    index = pathlen - 1
 -                else:
 -                    var = path[:index]
 -                    try:
 -                        if environ is None:
 -                            value = os.fsencode(os.environ[os.fsdecode(var)])
 -                        else:
 -                            value = environ[var]
 -                    except KeyError:
 -                        value = percent + var + percent
 -                    res += value
 -        elif c == dollar:  # variable or '$$'
 -            if path[index + 1:index + 2] == dollar:
 -                res += c
 -                index += 1
 -            elif path[index + 1:index + 2] == brace:
 -                path = path[index+2:]
 -                pathlen = len(path)
 -                try:
 -                    index = path.index(rbrace)
 -                except ValueError:
 -                    res += dollar + brace + path
 -                    index = pathlen - 1
 -                else:
 -                    var = path[:index]
 -                    try:
 -                        if environ is None:
 -                            value = os.fsencode(os.environ[os.fsdecode(var)])
 -                        else:
 -                            value = environ[var]
 -                    except KeyError:
 -                        value = dollar + brace + var + rbrace
 -                    res += value
 -            else:
 -                var = path[:0]
 -                index += 1
 -                c = path[index:index + 1]
 -                while c and c in varchars:
 -                    var += c
 -                    index += 1
 -                    c = path[index:index + 1]
 -                try:
 -                    if environ is None:
 -                        value = os.fsencode(os.environ[os.fsdecode(var)])
 -                    else:
 -                        value = environ[var]
 -                except KeyError:
 -                    value = dollar + var
 -                res += value
 -                if c:
 -                    index -= 1
 +
 +    def repl(m):
 +        lastindex = m.lastindex
 +        if lastindex is None:
 +            return m[0]
 +        name = m[lastindex]
 +        if lastindex == 1:
 +            if name == percent:
 +                return name
 +            if not name.endswith(percent):
 +                return m[0]
 +            name = name[:-1]
         else:
 -            res += c
 -        index += 1
 -    return res
 +            if name == dollar:
 +                return name
 +            if name.startswith(brace):
 +                if not name.endswith(rbrace):
 +                    return m[0]
 +                name = name[1:-1]
 +
 +        try:
 +            if environ is None:
 +                return os.fsencode(os.environ[os.fsdecode(name)])
 +            else:
 +                return environ[name]
 +        except KeyError:
 +            return m[0]
 +
 +    return sub(repl, path)
 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
 Index: Python-3.13.9/Lib/posixpath.py
 ===================================================================
 --- Python-3.13.9.orig/Lib/posixpath.py	2025-10-14 15:52:31.000000000 +0200
 +++ Python-3.13.9/Lib/posixpath.py	2025-11-14 01:47:08.155728503 +0100
@@ -284,42 +284,41 @@
 # This expands the forms $variable and ${variable} only.
 # Non-existent variables are left unchanged.
 -_varprog = None
 -_varprogb = None
 +_varpattern = r'\$(\w+|\{[^}]*\}?)'
 +_varsub = None
 +_varsubb = None
 def expandvars(path):
     """Expand shell variables of form $var and ${var}.  Unknown variables
     are left unchanged."""
     path = os.fspath(path)
 -    global _varprog, _varprogb
 +    global _varsub, _varsubb
     if isinstance(path, bytes):
         if b'$' not in path:
             return path
 -        if not _varprogb:
 +        if not _varsubb:
             import re
 -            _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
 -        search = _varprogb.search
 +            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
 +        sub = _varsubb
         start = b'{'
         end = b'}'
         environ = getattr(os, 'environb', None)
     else:
         if '$' not in path:
             return path
 -        if not _varprog:
 +        if not _varsub:
             import re
 -            _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
 -        search = _varprog.search
 +            _varsub = re.compile(_varpattern, re.ASCII).sub
 +        sub = _varsub
         start = '{'
         end = '}'
         environ = os.environ
 -    i = 0
 -    while True:
 -        m = search(path, i)
 -        if not m:
 -            break
 -        i, j = m.span(0)
 -        name = m.group(1)
 -        if name.startswith(start) and name.endswith(end):
 +
 +    def repl(m):
 +        name = m[1]
 +        if name.startswith(start):
 +            if not name.endswith(end):
 +                return m[0]
             name = name[1:-1]
         try:
             if environ is None:
@@ -327,13 +326,11 @@
             else:
                 value = environ[name]
         except KeyError:
 -            i = j
 +            return m[0]
         else:
 -            tail = path[j:]
 -            path = path[:i] + value
 -            i = len(path)
 -            path += tail
 -    return path
 +            return value
 +
 +    return sub(repl, path)
 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
 Index: Python-3.13.9/Lib/test/test_genericpath.py
 ===================================================================
 --- Python-3.13.9.orig/Lib/test/test_genericpath.py	2025-10-14 15:52:31.000000000 +0200
 +++ Python-3.13.9/Lib/test/test_genericpath.py	2025-11-14 01:47:08.157575687 +0100
@@ -7,9 +7,9 @@
 import sys
 import unittest
 import warnings
 -from test.support import (
 -    is_apple, is_emscripten, os_helper, warnings_helper
 -)
 +from test import support
 +from test.support import os_helper, is_emscripten
 +from test.support import warnings_helper
 from test.support.script_helper import assert_python_ok
 from test.support.os_helper import FakePath
@@ -446,6 +446,19 @@
                   os.fsencode('$bar%s bar' % nonascii))
             check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
 +    @support.requires_resource('cpu')
 +    def test_expandvars_large(self):
 +        expandvars = self.pathmodule.expandvars
 +        with os_helper.EnvironmentVarGuard() as env:
 +            env.clear()
 +            env["A"] = "B"
 +            n = 100_000
 +            self.assertEqual(expandvars('$A'*n), 'B'*n)
 +            self.assertEqual(expandvars('${A}'*n), 'B'*n)
 +            self.assertEqual(expandvars('$A!'*n), 'B!'*n)
 +            self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
 +            self.assertEqual(expandvars('${'*10*n), '${'*10*n)
 +
     def test_abspath(self):
         self.assertIn("foo", self.pathmodule.abspath("foo"))
         with warnings.catch_warnings():
@@ -503,7 +516,7 @@
             # directory (when the bytes name is used).
             and sys.platform not in {
                 "win32", "emscripten", "wasi"
 -            } and not is_apple
 +            } and not support.is_apple
         ):
             name = os_helper.TESTFN_UNDECODABLE
         elif os_helper.TESTFN_NONASCII:
 Index: Python-3.13.9/Lib/test/test_ntpath.py
 ===================================================================
 --- Python-3.13.9.orig/Lib/test/test_ntpath.py	2025-10-14 15:52:31.000000000 +0200
 +++ Python-3.13.9/Lib/test/test_ntpath.py	2025-11-14 01:47:08.156225429 +0100
@@ -8,8 +8,7 @@
 import warnings
 from ntpath import ALLOW_MISSING
 from test import support
 -from test.support import cpython_only, os_helper
 -from test.support import TestFailed, is_emscripten
 +from test.support import os_helper, is_emscripten
 from test.support.os_helper import FakePath
 from test import test_genericpath
 from tempfile import TemporaryFile
@@ -59,7 +58,7 @@
     fn = fn.replace("\\", "\\\\")
     gotResult = eval(fn)
     if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
 -        raise TestFailed("%s should return: %s but returned: %s" \
 +        raise support.TestFailed("%s should return: %s but returned: %s" \
               %(str(fn), str(wantResult), str(gotResult)))
     # then with bytes
@@ -75,7 +74,7 @@
         warnings.simplefilter("ignore", DeprecationWarning)
         gotResult = eval(fn)
     if _norm(wantResult) != _norm(gotResult):
 -        raise TestFailed("%s should return: %s but returned: %s" \
 +        raise support.TestFailed("%s should return: %s but returned: %s" \
               %(str(fn), str(wantResult), repr(gotResult)))
@@ -1022,6 +1021,19 @@
             check('%spam%bar', '%sbar' % nonascii)
             check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
 +    @support.requires_resource('cpu')
 +    def test_expandvars_large(self):
 +        expandvars = ntpath.expandvars
 +        with os_helper.EnvironmentVarGuard() as env:
 +            env.clear()
 +            env["A"] = "B"
 +            n = 100_000
 +            self.assertEqual(expandvars('%A%'*n), 'B'*n)
 +            self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
 +            self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
 +            self.assertEqual(expandvars("%%"*n), "%"*n)
 +            self.assertEqual(expandvars("$$"*n), "$"*n)
 +
     def test_expanduser(self):
         tester('ntpath.expanduser("test")', 'test')
@@ -1440,7 +1452,7 @@
         self.assertTrue(os.path.exists(r"\\.\CON"))
     @unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32")
 -    @cpython_only
 +    @support.cpython_only
     def test_fast_paths_in_use(self):
         # There are fast paths of these functions implemented in posixmodule.c.
         # Confirm that they are being used, and not the Python fallbacks in
 Index: Python-3.13.9/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
 +++ Python-3.13.9/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst	2025-11-14 01:47:08.156533642 +0100
@@ -0,0 +1 @@
 +Fix quadratic complexity in :func:`os.path.expandvars`.
--- a/CVE-2025-8291-consistency-zip64.patch
+++ b/CVE-2025-8291-consistency-zip64.patch
@@ -1,307 +0,0 @@
 From 1f2e4ec73cf7ece0a8c0a7a85cb73ec9ec0ef85a Mon Sep 17 00:00:00 2001
 From: Serhiy Storchaka <storchaka@gmail.com>
 Date: Tue, 7 Oct 2025 20:15:26 +0300
 Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
 central directory record (GH-139702)
 Support records with "zip64 extensible data" if there are no bytes
 prepended to the ZIP file.
 (cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
 Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 ---
 Lib/test/test_zipfile/test_core.py            | 82 ++++++++++++++++++-
 Lib/zipfile/__init__.py                       | 51 +++++++-----
 ...-10-07-19-31-34.gh-issue-139700.vNHU1O.rst |  3 +
 3 files changed, 113 insertions(+), 23 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
 diff --git a/Lib/test/test_zipfile/test_core.py b/Lib/test/test_zipfile/test_core.py
 index 41ec6a437ba917..2212d9c91dc899 100644
 --- a/Lib/test/test_zipfile/test_core.py
 +++ b/Lib/test/test_zipfile/test_core.py
@@ -884,6 +884,8 @@ def make_zip64_file(
         self, file_size_64_set=False, file_size_extra=False,
         compress_size_64_set=False, compress_size_extra=False,
         header_offset_64_set=False, header_offset_extra=False,
 +        extensible_data=b'',
 +        end_of_central_dir_size=None, offset_to_end_of_central_dir=None,
     ):
         """Generate bytes sequence for a zip with (incomplete) zip64 data.
@@ -937,6 +939,12 @@ def make_zip64_file(
         central_dir_size = struct.pack('<Q', 58 + 8 * len(central_zip64_fields))
         offset_to_central_dir = struct.pack('<Q', 50 + 8 * len(local_zip64_fields))
 +        if end_of_central_dir_size is None:
 +            end_of_central_dir_size = 44 + len(extensible_data)
 +        if offset_to_end_of_central_dir is None:
 +            offset_to_end_of_central_dir = (108
 +                                            + 8 * len(local_zip64_fields)
 +                                            + 8 * len(central_zip64_fields))
         local_extra_length = struct.pack("<H", 4 + 8 * len(local_zip64_fields))
         central_extra_length = struct.pack("<H", 4 + 8 * len(central_zip64_fields))
@@ -965,14 +973,17 @@ def make_zip64_file(
             + filename
             + central_extra
             # Zip64 end of central directory
 -            + b"PK\x06\x06,\x00\x00\x00\x00\x00\x00\x00-\x00-"
 -            + b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
 +            + b"PK\x06\x06"
 +            + struct.pack('<Q', end_of_central_dir_size)
 +            + b"-\x00-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
             + b"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
             + central_dir_size
             + offset_to_central_dir
 +            + extensible_data
             # Zip64 end of central directory locator
 -            + b"PK\x06\x07\x00\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x01"
 -            + b"\x00\x00\x00"
 +            + b"PK\x06\x07\x00\x00\x00\x00"
 +            + struct.pack('<Q', offset_to_end_of_central_dir)
 +            + b"\x01\x00\x00\x00"
             # end of central directory
             + b"PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00:\x00\x00\x002\x00"
             + b"\x00\x00\x00\x00"
@@ -1003,6 +1014,7 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_file_size_extra))
         self.assertIn('file size', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_file_size_extra)))
         # zip64 file size present, zip64 compress size present, one field in
         # extra, expecting two, equals missing compress size.
@@ -1014,6 +1026,7 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
         self.assertIn('compress size', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
         # zip64 compress size present, no fields in extra, expecting one,
         # equals missing compress size.
@@ -1023,6 +1036,7 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
         self.assertIn('compress size', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
         # zip64 file size present, zip64 compress size present, zip64 header
         # offset present, two fields in extra, expecting three, equals missing
@@ -1037,6 +1051,7 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
         self.assertIn('header offset', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
         # zip64 compress size present, zip64 header offset present, one field
         # in extra, expecting two, equals missing header offset
@@ -1049,6 +1064,7 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
         self.assertIn('header offset', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
         # zip64 file size present, zip64 header offset present, one field in
         # extra, expecting two, equals missing header offset
@@ -1061,6 +1077,7 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
         self.assertIn('header offset', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
         # zip64 header offset present, no fields in extra, expecting one,
         # equals missing header offset
@@ -1072,6 +1089,63 @@ def test_bad_zip64_extra(self):
         with self.assertRaises(zipfile.BadZipFile) as e:
             zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
         self.assertIn('header offset', str(e.exception).lower())
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
 +
 +    def test_bad_zip64_end_of_central_dir(self):
 +        zipdata = self.make_zip64_file(end_of_central_dir_size=0)
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
 +            zipfile.ZipFile(io.BytesIO(zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +        zipdata = self.make_zip64_file(end_of_central_dir_size=100)
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
 +            zipfile.ZipFile(io.BytesIO(zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +        zipdata = self.make_zip64_file(offset_to_end_of_central_dir=0)
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
 +            zipfile.ZipFile(io.BytesIO(zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +        zipdata = self.make_zip64_file(offset_to_end_of_central_dir=1000)
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*locator'):
 +            zipfile.ZipFile(io.BytesIO(zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +    def test_zip64_end_of_central_dir_record_not_found(self):
 +        zipdata = self.make_zip64_file()
 +        zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
 +            zipfile.ZipFile(io.BytesIO(zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +        zipdata = self.make_zip64_file(
 +            extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
 +        zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
 +            zipfile.ZipFile(io.BytesIO(zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +    def test_zip64_extensible_data(self):
 +        # These values are what is set in the make_zip64_file method.
 +        expected_file_size = 8
 +        expected_compress_size = 8
 +        expected_header_offset = 0
 +        expected_content = b"test1234"
 +
 +        zipdata = self.make_zip64_file(
 +            extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
 +        with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
 +            zinfo = zf.infolist()[0]
 +            self.assertEqual(zinfo.file_size, expected_file_size)
 +            self.assertEqual(zinfo.compress_size, expected_compress_size)
 +            self.assertEqual(zinfo.header_offset, expected_header_offset)
 +            self.assertEqual(zf.read(zinfo), expected_content)
 +        self.assertTrue(zipfile.is_zipfile(io.BytesIO(zipdata)))
 +
 +        with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
 +            zipfile.ZipFile(io.BytesIO(b'prepended' + zipdata))
 +        self.assertFalse(zipfile.is_zipfile(io.BytesIO(b'prepended' + zipdata)))
     def test_generated_valid_zip64_extra(self):
         # These values are what is set in the make_zip64_file method.
 diff --git a/Lib/zipfile/__init__.py b/Lib/zipfile/__init__.py
 index 05f387a950ba0a..c01f13729e1c99 100644
 --- a/Lib/zipfile/__init__.py
 +++ b/Lib/zipfile/__init__.py
@@ -245,7 +245,7 @@ def is_zipfile(filename):
         else:
             with open(filename, "rb") as fp:
                 result = _check_zipfile(fp)
 -    except OSError:
 +    except (OSError, BadZipFile):
         pass
     return result
@@ -253,16 +253,15 @@ def _EndRecData64(fpin, offset, endrec):
     """
     Read the ZIP64 end-of-archive records and use that to update endrec
     """
 -    try:
 -        fpin.seek(offset - sizeEndCentDir64Locator, 2)
 -    except OSError:
 -        # If the seek fails, the file is not large enough to contain a ZIP64
 +    offset -= sizeEndCentDir64Locator
 +    if offset < 0:
 +        # The file is not large enough to contain a ZIP64
         # end-of-archive record, so just return the end record we were given.
         return endrec
 -
 +    fpin.seek(offset)
     data = fpin.read(sizeEndCentDir64Locator)
     if len(data) != sizeEndCentDir64Locator:
 -        return endrec
 +        raise OSError("Unknown I/O error")
     sig, diskno, reloff, disks = struct.unpack(structEndArchive64Locator, data)
     if sig != stringEndArchive64Locator:
         return endrec
@@ -270,16 +269,33 @@ def _EndRecData64(fpin, offset, endrec):
     if diskno != 0 or disks > 1:
         raise BadZipFile("zipfiles that span multiple disks are not supported")
 -    # Assume no 'zip64 extensible data'
 -    fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2)
 +    offset -= sizeEndCentDir64
 +    if reloff > offset:
 +        raise BadZipFile("Corrupt zip64 end of central directory locator")
 +    # First, check the assumption that there is no prepended data.
 +    fpin.seek(reloff)
 +    extrasz = offset - reloff
     data = fpin.read(sizeEndCentDir64)
     if len(data) != sizeEndCentDir64:
 -        return endrec
 +        raise OSError("Unknown I/O error")
 +    if not data.startswith(stringEndArchive64) and reloff != offset:
 +        # Since we already have seen the Zip64 EOCD Locator, it's
 +        # possible we got here because there is prepended data.
 +        # Assume no 'zip64 extensible data'
 +        fpin.seek(offset)
 +        extrasz = 0
 +        data = fpin.read(sizeEndCentDir64)
 +        if len(data) != sizeEndCentDir64:
 +            raise OSError("Unknown I/O error")
 +    if not data.startswith(stringEndArchive64):
 +        raise BadZipFile("Zip64 end of central directory record not found")
 +
     sig, sz, create_version, read_version, disk_num, disk_dir, \
         dircount, dircount2, dirsize, diroffset = \
         struct.unpack(structEndArchive64, data)
 -    if sig != stringEndArchive64:
 -        return endrec
 +    if (diroffset + dirsize != reloff or
 +        sz + 12 != sizeEndCentDir64 + extrasz):
 +        raise BadZipFile("Corrupt zip64 end of central directory record")
     # Update the original endrec using data from the ZIP64 record
     endrec[_ECD_SIGNATURE] = sig
@@ -289,6 +305,7 @@ def _EndRecData64(fpin, offset, endrec):
     endrec[_ECD_ENTRIES_TOTAL] = dircount2
     endrec[_ECD_SIZE] = dirsize
     endrec[_ECD_OFFSET] = diroffset
 +    endrec[_ECD_LOCATION] = offset - extrasz
     return endrec
@@ -322,7 +339,7 @@ def _EndRecData(fpin):
         endrec.append(filesize - sizeEndCentDir)
         # Try to read the "Zip64 end of central directory" structure
 -        return _EndRecData64(fpin, -sizeEndCentDir, endrec)
 +        return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec)
     # Either this is not a ZIP file, or it is a ZIP file with an archive
     # comment.  Search the end of the file for the "end of central directory"
@@ -346,8 +363,7 @@ def _EndRecData(fpin):
         endrec.append(maxCommentStart + start)
         # Try to read the "Zip64 end of central directory" structure
 -        return _EndRecData64(fpin, maxCommentStart + start - filesize,
 -                             endrec)
 +        return _EndRecData64(fpin, maxCommentStart + start, endrec)
     # Unable to find a valid end of central directory structure
     return None
@@ -1458,9 +1474,6 @@ def _RealGetContents(self):
         # "concat" is zero, unless zip was concatenated to another file
         concat = endrec[_ECD_LOCATION] - size_cd - offset_cd
 -        if endrec[_ECD_SIGNATURE] == stringEndArchive64:
 -            # If Zip64 extension structures are present, account for them
 -            concat -= (sizeEndCentDir64 + sizeEndCentDir64Locator)
         if self.debug > 2:
             inferred = concat + offset_cd
@@ -2082,7 +2095,7 @@ def _write_end_record(self):
                                    " would require ZIP64 extensions")
             zip64endrec = struct.pack(
                 structEndArchive64, stringEndArchive64,
 -                44, 45, 45, 0, 0, centDirCount, centDirCount,
 +                sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount,
                 centDirSize, centDirOffset)
             self.fp.write(zip64endrec)
 diff --git a/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
 new file mode 100644
 index 00000000000000..a8e7a1f1878c6b
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
@@ -0,0 +1,3 @@
 +Check consistency of the zip64 end of central directory record. Support
 +records with "zip64 extensible data" if there are no bytes prepended to the
 +ZIP file.
--- a/Python-3.13.11.tar.xz
+++ b/Python-3.13.11.tar.xz
--- a/Python-3.13.11.tar.xz.sigstore
+++ b/Python-3.13.11.tar.xz.sigstore
@@ -0,0 +1 @@
 {"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICyTCCAk+gAwIBAgIUMZ9OrU89PmgWXWiYxq/s1e8xVkkwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMjA1MTY1NjU1WhcNMjUxMjA1MTcwNjU1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ3Wq/mhAIwL1ZNOiCgOmVYXqwl8rWBi+hwTYY+NJLvmuRW7wblbWyTJ1RSZrS9dVGhVdWZP7tT2hvkt56ibycaOCAW4wggFqMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUCukYhSJA3LGmELdmyGSLM/sNqPowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERdGhvbWFzQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGa73H4UAAABAMARjBEAiAoqadI7BCu3G3jmK140KSkRC+uTKIS7K/yAUtT8zfdiwIgV51hPZZYKSjHglktFhqcxzHLdRyb96/caoR4m+DHvT8wCgYIKoZIzj0EAwMDaAAwZQIwSuCW4+VibjHM96ArSncpYew+tvp7bMlc21AHsgr12ZO6p//IiSdjJlqOTpYwCWtFAjEA0BxY6Y7zl4+baG4+BZ+EEiwDwoCOVTR7ORMuDYeZ/Dy6g47hohxRqtssCYdRKRZq"}, "tlogEntries": [{"logIndex": "743450012", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1764953815", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFAmMfakwQScJ3jGB7ufmmWcvXbT/sQYyb/iIbRyJXYmAiB25k62mSSsvteAacdB4SjQJ100UGRI02mHOZykKqirrQ=="}, "inclusionProof": {"logIndex": "621545750", "rootHash": "lTjgILAqSIIoraXAj/bseL/7BMbChIzmHVo5P84pPO8=", "treeSize": "621545755", "hashes": ["FqRC4Ydg7KClKWZIe5BLdSoxPOl3L+wXnnctnBbxa5E=", "hyHMJXZjRrPr7N8JDpms6tqWbIuqgBLKkoDomNSzO8g=", "XV5KmKAmcumiCPrjB89usazCvsWagxoKoI5P3Rn5mDQ=", "FKJNSf/yPWGSGCwEZ4ybeMVy+zECYaK/u2yKEboKDQs=", "4wbyhSYvHHiszMmrsBtjXwOt9um81zByZQLFAXJAu0g=", "q0tC4xtUswgodVV8T7OYpkNlp/XC4qAM541kvTHkq4o=", "se5pDnKcF+idDdO0PdbWjF+rFNUWlCzxj+pSmkASRQU=", "YYvp7Leoq6lF3zEs+Bux7BQt/UrxFbOOJAwVroBevek=", "pQtmpjszxrel2u+2I5HrLBwlwvhc19nfAUsa5EHZAe4=", "0jEq6eagxqoSOor9OR//fY6uOsPzLaE1q1n9tZRzfSc=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n621545755\nlTjgILAqSIIoraXAj/bseL/7BMbChIzmHVo5P84pPO8=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAS9t8HEV2fPKq2rB20KvscWBUzqlzyZr6asuXxp8whiAIgUxc+PuVjTYduOZ2zKNeaSos22BXxAn7hKgxBroQmIkE=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNmVkZTdiYjdjZGJmYTg5NWQxMWIwNjQyZmEwZTUyM2YyOTFlNjQ4NzE5NGQ1M2NmNmQzYjMzOGMzYTE3ZWEyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUURENENYVTNMNGlMSkVCb0xFSVlnVU5kTXhjN3VENWdMcUgyeXRFNFQxTnd3SWdKbHBhMHJFbDV0MGdtbTlTYzRoQnpFOG9QK2JLSlVZeExUTmd4dEdnSmo0PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjVWRU5EUVdzclowRjNTVUpCWjBsVlRWbzVUM0pWT0RsUWJXZFhXRmRwV1hoeEwzTXhaVGg0Vm10cmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFxUVRGTlZGa3hUbXBWTVZkb1kwNU5hbFY0VFdwQk1VMVVZM2RPYWxVeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZSTTFkeEwyMW9RVWwzVERGYVRrOXBRMmRQYlZaWldIRjNiRGh5VjBKcEsyaDNWRmtLV1N0T1NreDJiWFZTVnpkM1lteGlWM2xVU2pGU1UxcHlVemxrVmtkb1ZtUlhXbEEzZEZReWFIWnJkRFUyYVdKNVkyRlBRMEZYTkhkblowWnhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZEZFd0WkNtaFRTa0V6VEVkdFJVeGtiWGxIVTB4TkwzTk9jVkJ2ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoM1dVUldVakJTUVZGSUwwSkNWWGRGTkVWU1pFZG9kbUpYUm5wUlNFSTFaRWRvZG1KcE5YWmpiV04zUzFGWlMwdDNXVUpDUVVkRWRucEJRZ3BCVVZGaVlVaFNNR05JVFRaTWVUbG9XVEpPZG1SWE5UQmplVFZ1WWpJNWJtSkhWWFZaTWpsMFRVTnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVklVWGRpQ21GSVVqQmpTRTAyVEhrNWFGa3lUblprVnpVd1kzazFibUl5T1c1aVIxVjFXVEk1ZEUxSlIwcENaMjl5UW1kRlJVRmtXalZCWjFGRFFraHpSV1ZSUWpNS1FVaFZRVE5VTUhkaGMySklSVlJLYWtkU05HTnRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIWVRjelNEUlZRVUZCUWtGTlFRcFNha0pGUVdsQmIzRmhaRWszUWtOMU0wY3phbTFMTVRRd1MxTnJVa01yZFZSTFNWTTNTeTk1UVZWMFZEaDZabVJwZDBsblZqVXhhRkJhV2xsTFUycElDbWRzYTNSR2FIRmplSHBJVEdSU2VXSTVOaTlqWVc5U05HMHJSRWgyVkRoM1EyZFpTVXR2V2tsNmFqQkZRWGROUkdGQlFYZGFVVWwzVTNWRFZ6UXJWbWtLWW1wSVRUazJRWEpUYm1Od1dXVjNLM1IyY0RkaVRXeGpNakZCU0hObmNqRXlXazgyY0M4dlNXbFRaR3BLYkhGUFZIQlpkME5YZEVaQmFrVkJNRUo0V1FvMldUZDZiRFFyWW1GSE5DdENXaXRGUldsM1JIZHZRMDlXVkZJM1QxSk5kVVJaWlZvdlJIazJaelEzYUc5b2VGSnhkSE56UTFsa1VrdFNXbkVLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "Fu3nu3zb+oldEbBkL6DlI/KR5khxlNU89tOzOMOhfqI="}, "signature": "MEUCIQDD4CXU3L4iLJEBoLEIYgUNdMxc7uD5gLqH2ytE4T1NwwIgJlpa0rEl5t0gmm9Sc4hBzE8oP+bKJUYxLTNgxtGgJj4="}}
--- a/Python-3.13.9.tar.xz
+++ b/Python-3.13.9.tar.xz
--- a/Python-3.13.9.tar.xz.sigstore
+++ b/Python-3.13.9.tar.xz.sigstore
--- a/doc-py38-to-py36.patch
+++ b/doc-py38-to-py36.patch
@@ -27,10 +27,10 @@
 Doc/tools/extensions/pydoc_topics.py          |   22 +++++-----
 18 files changed, 159 insertions(+), 130 deletions(-)
-Index: Python-3.13.9/Doc/Makefile
+Index: Python-3.13.11/Doc/Makefile
 ===================================================================
--- Python-3.13.9.orig/Doc/Makefile	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/Makefile	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/Makefile	2025-11-20 01:09:35.814292408 +0100
+++ Python-3.13.11/Doc/Makefile	2025-12-18 23:36:11.845184450 +0100
@@ -14,15 +14,15 @@
 SOURCES      =
 DISTVERSION  = $(shell $(PYTHON) tools/extensions/patchlevel.py)
@@ -51,10 +51,10 @@ Index: Python-3.13.9/Doc/Makefile
                 $(PAPEROPT_$(PAPER)) \
                 $(SPHINXOPTS) $(SPHINXERRORHANDLING) \
                 . build/$(BUILDER) $(SOURCES)
-Index: Python-3.13.9/Doc/c-api/arg.rst
+Index: Python-3.13.11/Doc/c-api/arg.rst
 ===================================================================
--- Python-3.13.9.orig/Doc/c-api/arg.rst	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/c-api/arg.rst	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/c-api/arg.rst	2025-11-20 01:07:59.902914275 +0100
+++ Python-3.13.11/Doc/c-api/arg.rst	2025-12-18 23:36:11.845570257 +0100
@@ -334,7 +334,6 @@
    should raise an exception and leave the content of *address* unmodified.
@@ -63,10 +63,10 @@ Index: Python-3.13.9/Doc/c-api/arg.rst
    If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a
    second time if the argument parsing eventually fails, giving the converter a
-Index: Python-3.13.9/Doc/c-api/typeobj.rst
+Index: Python-3.13.11/Doc/c-api/typeobj.rst
 ===================================================================
--- Python-3.13.9.orig/Doc/c-api/typeobj.rst	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/c-api/typeobj.rst	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/c-api/typeobj.rst	2025-11-20 01:07:59.903382829 +0100
+++ Python-3.13.11/Doc/c-api/typeobj.rst	2025-12-18 23:36:11.846211337 +0100
@@ -610,7 +610,7 @@
    Functions like :c:func:`PyObject_NewVar` will take the value of N as an
    argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field.
@@ -97,10 +97,10 @@ Index: Python-3.13.9/Doc/c-api/typeobj.rst
    include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on
    whether :c:member:`~PyVarObject.ob_size` should be included). These are
    usually defined by the macro :c:macro:`PyObject_HEAD` or
-Index: Python-3.13.9/Doc/conf.py
+Index: Python-3.13.11/Doc/conf.py
 ===================================================================
--- Python-3.13.9.orig/Doc/conf.py	2025-11-20 01:07:14.944126757 +0100
+--- Python-3.13.11.orig/Doc/conf.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/conf.py	2025-11-20 01:07:59.903974303 +0100
+++ Python-3.13.11/Doc/conf.py	2025-12-18 23:36:11.846742416 +0100
@@ -11,6 +11,8 @@
 from importlib import import_module
 from importlib.util import find_spec
@@ -127,7 +127,7 @@ Index: Python-3.13.9/Doc/conf.py
 '''
 manpages_url = 'https://manpages.debian.org/{path}'
-@@ -92,7 +94,7 @@
+@@ -96,7 +98,7 @@
 # Minimum version of sphinx required
 # Keep this version in sync with ``Doc/requirements.txt``.
@@ -136,7 +136,7 @@ Index: Python-3.13.9/Doc/conf.py
 # Create table of contents entries for domain objects (e.g. functions, classes,
 # attributes, etc.). Default is True.
-@@ -257,6 +259,9 @@
+@@ -246,6 +248,9 @@
 # Avoid a warning with Sphinx >= 4.0
 root_doc = 'contents'
@@ -146,7 +146,7 @@ Index: Python-3.13.9/Doc/conf.py
 # Allow translation of index directives
 gettext_additional_targets = [
     'index',
-@@ -296,7 +301,7 @@
+@@ -285,7 +290,7 @@
 # (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html)
 is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external"
 repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "")
@@ -155,7 +155,7 @@ Index: Python-3.13.9/Doc/conf.py
 html_context = {
     "is_deployment_preview": is_deployment_preview,
     "repository_url": repository_url or None,
-@@ -607,6 +612,16 @@
+@@ -551,6 +556,16 @@
 }
 extlinks_detect_hardcoded_links = True
@@ -172,10 +172,10 @@ Index: Python-3.13.9/Doc/conf.py
 # Options for c_annotations extension
 # -----------------------------------
-Index: Python-3.13.9/Doc/library/doctest.rst
+Index: Python-3.13.11/Doc/library/doctest.rst
 ===================================================================
--- Python-3.13.9.orig/Doc/library/doctest.rst	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/library/doctest.rst	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/library/doctest.rst	2025-11-20 01:07:59.904511686 +0100
+++ Python-3.13.11/Doc/library/doctest.rst	2025-12-18 23:36:11.847131855 +0100
@@ -310,7 +310,6 @@
 .. currentmodule:: None
@@ -184,10 +184,10 @@ Index: Python-3.13.9/Doc/library/doctest.rst
 .. currentmodule:: doctest
-Index: Python-3.13.9/Doc/library/email.compat32-message.rst
+Index: Python-3.13.11/Doc/library/email.compat32-message.rst
 ===================================================================
--- Python-3.13.9.orig/Doc/library/email.compat32-message.rst	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/library/email.compat32-message.rst	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/library/email.compat32-message.rst	2025-11-20 01:07:59.905009154 +0100
+++ Python-3.13.11/Doc/library/email.compat32-message.rst	2025-12-18 23:36:11.847579332 +0100
@@ -7,7 +7,6 @@
    :synopsis: The base class representing email messages in a fashion
               backward compatible with Python 3.2
@@ -196,10 +196,10 @@ Index: Python-3.13.9/Doc/library/email.compat32-message.rst
 The :class:`Message` class is very similar to the
-Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
+Index: Python-3.13.11/Doc/library/xml.etree.elementtree.rst
 ===================================================================
--- Python-3.13.9.orig/Doc/library/xml.etree.elementtree.rst	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/library/xml.etree.elementtree.rst	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/library/xml.etree.elementtree.rst	2025-11-20 01:07:59.905273001 +0100
+++ Python-3.13.11/Doc/library/xml.etree.elementtree.rst	2025-12-18 23:36:11.847865126 +0100
@@ -873,7 +873,6 @@
 .. module:: xml.etree.ElementTree
@@ -208,10 +208,10 @@ Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
 .. class:: Element(tag, attrib={}, **extra)
-Index: Python-3.13.9/Doc/tools/check-warnings.py
+Index: Python-3.13.11/Doc/tools/check-warnings.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/check-warnings.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/check-warnings.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/check-warnings.py	2025-11-20 01:07:59.905613002 +0100
+++ Python-3.13.11/Doc/tools/check-warnings.py	2025-12-18 23:36:11.848175434 +0100
@@ -228,7 +228,8 @@
             print(filename)
             for warning in warnings:
@@ -231,10 +231,10 @@ Index: Python-3.13.9/Doc/tools/check-warnings.py
         for warning in warnings
         if "Doc/" in warning
     }
-Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
+Index: Python-3.13.11/Doc/tools/extensions/audit_events.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/audit_events.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/audit_events.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/audit_events.py	2025-11-20 01:08:35.819222654 +0100
+++ Python-3.13.11/Doc/tools/extensions/audit_events.py	2025-12-18 23:36:11.848442160 +0100
@@ -1,9 +1,6 @@
 """Support for documenting audit events."""
@@ -370,10 +370,10 @@ Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
     ) -> nodes.row:
         row = nodes.row()
         name_node = nodes.paragraph("", nodes.Text(name))
-Index: Python-3.13.9/Doc/tools/extensions/availability.py
+Index: Python-3.13.11/Doc/tools/extensions/availability.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/availability.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/availability.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/availability.py	2025-11-20 01:07:59.906156697 +0100
+++ Python-3.13.11/Doc/tools/extensions/availability.py	2025-12-18 23:36:11.848697922 +0100
@@ -1,8 +1,6 @@
 """Support for documenting platform availability"""
@@ -427,10 +427,10 @@ Index: Python-3.13.9/Doc/tools/extensions/availability.py
     app.add_directive("availability", Availability)
     return {
-Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
+Index: Python-3.13.11/Doc/tools/extensions/c_annotations.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/c_annotations.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/c_annotations.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/c_annotations.py	2025-11-20 01:07:59.906354780 +0100
+++ Python-3.13.11/Doc/tools/extensions/c_annotations.py	2025-12-18 23:37:01.590377119 +0100
@@ -9,22 +9,26 @@
 * Set ``stable_abi_file`` to the path to stable ABI list.
 """
@@ -525,7 +525,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
             if ROLE_TO_OBJECT_TYPE[record.role] != objtype:
                 msg = (
                     f"Object type mismatch in limited API annotation for {name}: "
-@@ -234,7 +241,7 @@
+@@ -256,7 +263,7 @@
     )
@@ -534,7 +534,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
     classes = ["refcount"]
     if result_refs is None:
         rc = sphinx_gettext("Return value: Always NULL.")
-@@ -254,7 +261,7 @@
+@@ -276,7 +283,7 @@
     optional_arguments = 0
     final_argument_whitespace = True
@@ -543,7 +543,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
         state = self.env.domaindata["c_annotations"]
         content = [
             f"* :c:{record.role}:`{record.name}`"
-@@ -277,13 +284,23 @@
+@@ -344,7 +351,7 @@
     )
@@ -552,6 +552,7 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
     app.add_config_value("refcount_file", "", "env", types={str})
     app.add_config_value("stable_abi_file", "", "env", types={str})
     app.add_directive("limited-api-list", LimitedAPIList)
@@ -352,6 +359,16 @@
     app.connect("builder-inited", init_annotations)
     app.connect("doctree-read", add_annotations)
@@ -568,10 +569,10 @@ Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
     return {
         "version": "1.0",
         "parallel_read_safe": True,
-Index: Python-3.13.9/Doc/tools/extensions/changes.py
+Index: Python-3.13.11/Doc/tools/extensions/changes.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/changes.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/changes.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/changes.py	2025-11-20 01:07:59.906539198 +0100
+++ Python-3.13.11/Doc/tools/extensions/changes.py	2025-12-18 23:36:11.849240594 +0100
@@ -1,7 +1,5 @@
 """Support for documenting version of changes, additions, deprecations."""
@@ -607,10 +608,10 @@ Index: Python-3.13.9/Doc/tools/extensions/changes.py
     # Override Sphinx's directives with support for 'next'
     app.add_directive("versionadded", PyVersionChange, override=True)
     app.add_directive("versionchanged", PyVersionChange, override=True)
-Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
+Index: Python-3.13.11/Doc/tools/extensions/glossary_search.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/glossary_search.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/glossary_search.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/glossary_search.py	2025-11-20 01:07:59.906696224 +0100
+++ Python-3.13.11/Doc/tools/extensions/glossary_search.py	2025-12-18 23:36:11.849448932 +0100
@@ -1,21 +1,27 @@
 """Feature search results for glossary items prominently."""
@@ -654,10 +655,10 @@ Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
     app.connect('doctree-resolved', process_glossary_nodes)
     app.connect('build-finished', write_glossary_json)
-Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
+Index: Python-3.13.11/Doc/tools/extensions/implementation_detail.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/implementation_detail.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/implementation_detail.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/implementation_detail.py	2025-11-20 01:07:59.906853200 +0100
+++ Python-3.13.11/Doc/tools/extensions/implementation_detail.py	2025-12-18 23:36:11.849650427 +0100
@@ -1,17 +1,10 @@
 """Support for marking up implementation details."""
@@ -708,10 +709,10 @@ Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
     app.add_directive("impl-detail", ImplementationDetail)
     return {
-Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
+Index: Python-3.13.11/Doc/tools/extensions/issue_role.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/issue_role.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/issue_role.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/issue_role.py	2025-11-20 01:07:59.907010386 +0100
+++ Python-3.13.11/Doc/tools/extensions/issue_role.py	2025-12-18 23:36:11.849838302 +0100
@@ -1,22 +1,18 @@
 """Support for referencing issues in the tracker."""
@@ -757,10 +758,10 @@ Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
     app.add_role("issue", BPOIssue())
     app.add_role("gh", GitHubIssue())
-Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
+Index: Python-3.13.11/Doc/tools/extensions/misc_news.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/misc_news.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/misc_news.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/misc_news.py	2025-11-20 01:07:59.907170899 +0100
+++ Python-3.13.11/Doc/tools/extensions/misc_news.py	2025-12-18 23:36:11.850033510 +0100
@@ -1,7 +1,5 @@
 """Support for including Misc/NEWS."""
@@ -813,10 +814,10 @@ Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
     app.add_directive("miscnews", MiscNews)
     return {
-Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
+Index: Python-3.13.11/Doc/tools/extensions/patchlevel.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/patchlevel.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/patchlevel.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/patchlevel.py	2025-11-20 01:07:59.907494228 +0100
+++ Python-3.13.11/Doc/tools/extensions/patchlevel.py	2025-12-18 23:36:11.850217264 +0100
@@ -3,7 +3,7 @@
 import re
 import sys
@@ -854,10 +855,10 @@ Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
     version = f"{info.major}.{info.minor}"
     release = f"{info.major}.{info.minor}.{info.micro}"
     if info.releaselevel != "final":
-Index: Python-3.13.9/Doc/tools/extensions/pydoc_topics.py
+Index: Python-3.13.11/Doc/tools/extensions/pydoc_topics.py
 ===================================================================
--- Python-3.13.9.orig/Doc/tools/extensions/pydoc_topics.py	2025-10-14 15:52:31.000000000 +0200
+--- Python-3.13.11.orig/Doc/tools/extensions/pydoc_topics.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.9/Doc/tools/extensions/pydoc_topics.py	2025-11-20 01:07:59.907684617 +0100
+++ Python-3.13.11/Doc/tools/extensions/pydoc_topics.py	2025-12-18 23:36:11.850437755 +0100
@@ -1,21 +1,23 @@
 """Support for building "topic help" for pydoc."""
--- a/gh139257-Support-docutils-0.22.patch
+++ b/gh139257-Support-docutils-0.22.patch
@@ -4,33 +4,145 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200
 Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
 ---
- Doc/tools/extensions/pyspecific.py | 12 +++++++++++-
+ Doc/tools/extensions/pyspecific.py |   69 +++++++++++++++++++++++++------------
- 1 file changed, 11 insertions(+), 1 deletion(-)
+ 1 file changed, 47 insertions(+), 22 deletions(-)
-Index: Python-3.13.7/Doc/tools/extensions/pyspecific.py
+Index: Python-3.13.11/Doc/tools/extensions/pyspecific.py
 ===================================================================
--- Python-3.13.7.orig/Doc/tools/extensions/pyspecific.py
+--- Python-3.13.11.orig/Doc/tools/extensions/pyspecific.py	2025-12-05 17:06:33.000000000 +0100
-+++ Python-3.13.7/Doc/tools/extensions/pyspecific.py
+++ Python-3.13.11/Doc/tools/extensions/pyspecific.py	2025-12-18 23:38:44.804668556 +0100
-@@ -25,11 +25,21 @@ from sphinx.util.docutils import SphinxD
+@@ -1,12 +1,12 @@
- SOURCE_URI = 'https://github.com/python/cpython/tree/3.13/%s'
+ # -*- coding: utf-8 -*-
 """
 -    pyspecific.py
 -    ~~~~~~~~~~~~~
 +pyspecific.py
 +~~~~~~~~~~~~~
- # monkey-patch reST parser to disable alphabetic and roman enumerated lists
+-    Sphinx extension with Python doc-specific markup.
 +Sphinx extension with Python doc-specific markup.
 -    :copyright: 2008-2014 by Georg Brandl.
 -    :license: Python license.
 +:copyright: 2008-2014 by Georg Brandl.
 +:license: Python license.
 """
 import re
@@ -22,30 +22,50 @@
 from sphinx.util.docutils import SphinxDirective
 # Used in conf.py and updated here by python/release-tools/run_release.py
 -SOURCE_URI = 'https://github.com/python/cpython/tree/3.13/%s'
 +SOURCE_URI = "https://github.com/python/cpython/tree/3.13/%s"
 +
 +
 +# monkey-patch reST parser to disable alphabetic and roman enumerated lists
 +def _disable_alphabetic_and_roman(text):
 +    try:
 +        # docutils >= 0.22
 +        from docutils.parsers.rst.states import InvalidRomanNumeralError
 +
 +        raise InvalidRomanNumeralError(text)
 +    except ImportError:
 +        # docutils < 0.22
 +        return None
 +
 +
- from docutils.parsers.rst.states import Body
+from docutils.parsers.rst.states import Body
- Body.enum.converters['loweralpha'] = \
+
-     Body.enum.converters['upperalpha'] = \
+Body.enum.converters["loweralpha"] = Body.enum.converters["upperalpha"] = (
-     Body.enum.converters['lowerroman'] = \
+    Body.enum.converters["lowerroman"]
-    Body.enum.converters['upperroman'] = lambda x: None
+) = Body.enum.converters["upperroman"] = _disable_alphabetic_and_roman
-+    Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
+
 class PyAwaitableMixin(object):
     def handle_signature(self, sig, signode):
         ret = super(PyAwaitableMixin, self).handle_signature(sig, signode)
 -        signode.insert(0, addnodes.desc_annotation('awaitable ', 'awaitable '))
 +        signode.insert(0, addnodes.desc_annotation("awaitable ", "awaitable "))
         return ret
 class PyAwaitableFunction(PyAwaitableMixin, PyFunction):
     def run(self):
 -        self.name = 'py:function'
 +        self.name = "py:function"
         return PyFunction.run(self)
 class PyAwaitableMethod(PyAwaitableMixin, PyMethod):
     def run(self):
 -        self.name = 'py:method'
 +        self.name = "py:method"
         return PyMethod.run(self)
 # Support for documenting Opcodes
 -opcode_sig_re = re.compile(r'(\w+(?:\+\d)?)(?:\s*\((.*)\))?')
 +opcode_sig_re = re.compile(r"(\w+(?:\+\d)?)(?:\s*\((.*)\))?")
 def parse_opcode_signature(env, sig, signode):
@@ -64,7 +84,7 @@
 # Support for documenting pdb commands
 -pdbcmd_sig_re = re.compile(r'([a-z()!]+)\s*(.*)')
 +pdbcmd_sig_re = re.compile(r"([a-z()!]+)\s*(.*)")
 # later...
 # pdbargs_tokens_re = re.compile(r'''[a-zA-Z]+  |  # identifiers
@@ -80,16 +100,16 @@
     if m is None:
         raise ValueError
     name, args = m.groups()
 -    fullname = name.replace('(', '').replace(')', '')
 +    fullname = name.replace("(", "").replace(")", "")
     signode += addnodes.desc_name(name, name)
     if args:
 -        signode += addnodes.desc_addname(' '+args, ' '+args)
 +        signode += addnodes.desc_addname(" " + args, " " + args)
     return fullname
 def parse_monitoring_event(env, sig, signode):
     """Transform a monitoring event signature into RST nodes."""
 -    signode += addnodes.desc_addname('sys.monitoring.events.', 'sys.monitoring.events.')
 +    signode += addnodes.desc_addname("sys.monitoring.events.", "sys.monitoring.events.")
     signode += addnodes.desc_name(sig, sig)
     return sig
@@ -102,7 +122,7 @@
     As such, we link this to ``env-check-consistency``, even though it has
     nothing to do with the environment consistency check.
     """
 -    if app.builder.name != 'gettext':
 +    if app.builder.name != "gettext":
         return
     # allow translating deprecated index entries
@@ -119,10 +139,15 @@
 def setup(app):
 -    app.add_object_type('opcode', 'opcode', '%s (opcode)', parse_opcode_signature)
 -    app.add_object_type('pdbcommand', 'pdbcmd', '%s (pdb command)', parse_pdb_command)
 -    app.add_object_type('monitoring-event', 'monitoring-event', '%s (monitoring event)', parse_monitoring_event)
 -    app.add_directive_to_domain('py', 'awaitablefunction', PyAwaitableFunction)
 -    app.add_directive_to_domain('py', 'awaitablemethod', PyAwaitableMethod)
 -    app.connect('env-check-consistency', patch_pairindextypes)
 -    return {'version': '1.0', 'parallel_read_safe': True}
 +    app.add_object_type("opcode", "opcode", "%s (opcode)", parse_opcode_signature)
 +    app.add_object_type("pdbcommand", "pdbcmd", "%s (pdb command)", parse_pdb_command)
 +    app.add_object_type(
 +        "monitoring-event",
 +        "monitoring-event",
 +        "%s (monitoring event)",
 +        parse_monitoring_event,
 +    )
 +    app.add_directive_to_domain("py", "awaitablefunction", PyAwaitableFunction)
 +    app.add_directive_to_domain("py", "awaitablemethod", PyAwaitableMethod)
 +    app.connect("env-check-consistency", patch_pairindextypes)
 +    return {"version": "1.0", "parallel_read_safe": True}
--- a/python313.changes
+++ b/python313.changes
@@ -1,3 +1,299 @@
 -------------------------------------------------------------------
 Thu Dec 11 21:36:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 - Update to 3.13.11:
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing (CVE-2025-12084, bsc#1254997).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (bsc#1254400, CVE-2025-13836).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to
      the CGI server on Windows, it could cause an arbitrary
      amount of memory to be allocated. This could have led to
      symptoms including a MemoryError, swapping, out of memory
      (OOM) killed processes or containers, or even system
      crashes.
 - Library
    - gh-140797: Revert changes to the undocumented re.Scanner
      class. Capturing groups are still allowed for backward
      compatibility, although using them can lead to incorrect
      result. They will be forbidden in future Python versions.
    - gh-142206: The resource tracker in the multiprocessing
      module now uses the original communication protocol, as in
      Python 3.14.0 and below, by default. This avoids issues
      with upgrading Python while it is running. (Note that such
      ‘in-place’ upgrades are not tested.) The tracker remains
      compatible with subprocesses that use new protocol (that
      is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
 - Core and Builtins
    - gh-142218: Fix crash when inserting into a split table
      dictionary with a non str key that matches an existing key.
 - Update to 3.13.10:
 - Tools/Demos
    - gh-141442: The iOS testbed now correctly handles test
      arguments that contain spaces.
 - Tests
    - gh-140482: Preserve and restore the state of stty echo as
      part of the test environment.
    - gh-140082: Update python -m test to set FORCE_COLOR=1 when
      being run with color enabled so that unittest which is run
      by it with redirected output will output in color.
    - gh-136442: Use exitcode 1 instead of 5 if
      unittest.TestCase.setUpClass() raises an exception
 - Security
    - gh-139700: Check consistency of the zip64 end of central
      directory record. Support records with “zip64 extensible
      data” if there are no bytes prepended to the ZIP file.
      (CVE-2025-8291, bsc#1251305)
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (CVE-2025-6075, bsc#1252974).
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (CVE-2025-13837, bsc#1254401).
 - Library
    - gh-74389: When the stdin being used by a subprocess.Popen
      instance is closed, this is now ignored in
      subprocess.Popen.communicate() instead of leaving the class
      in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout
      handling on Windows when writing large input. Previously,
      the timeout was ignored during stdin writing, causing the
      method to block indefinitely if the child process did not
      consume input quickly. The stdin write is now performed in
      a background thread, allowing the timeout to be properly
      enforced.
    - gh-141473: When subprocess.Popen.communicate() was called
      with input and a timeout and is called for a second time
      after a TimeoutExpired exception before the process has
      died, it should no longer hang.
    - gh-59000: Fix pdb breakpoint resolution for class methods
      when the module defining the class is not imported.
    - gh-141570: Support file-like object raising OSError from
      fileno() in color detection (_colorize.can_colorize()).
      This can occur when sys.stdout is redirected.
    - gh-141659: Fix bad file descriptor errors from
      _posixsubprocess on AIX.
    - gh-141497: ipaddress: ensure that the methods
      IPv4Network.hosts() and IPv6Network.hosts() always return
      an iterator.
    - gh-140938: The statistics.stdev() and statistics.pstdev()
      functions now raise a ValueError when the input contains an
      infinity or a NaN.
    - gh-124111: Updated Tcl threading configuration in _tkinter
      to assume that threads are always available in Tcl 9 and
      later.
    - gh-137109: The os.fork and related forking APIs will no
      longer warn in the common case where Linux or macOS
      platform APIs return the number of threads in a process and
      find the answer to be 1 even when a os.register_at_fork()
      after_in_parent= callback (re)starts a thread.
    - gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
      when reading files with standalone carriage return (\r)
      line endings.
    - gh-141311: Fix assertion failure in io.BytesIO.readinto()
      and undefined behavior arising when read position is above
      capcity in io.BytesIO.
    - gh-141141: Fix a thread safety issue with
      base64.b85decode(). Contributed by Benel Tayar.
    - gh-140911: collections: Ensure that the methods
      UserString.rindex() and UserString.index() accept
      collections.UserString instances as the sub argument.
    - gh-140797: The undocumented re.Scanner class now forbids
      regular expressions containing capturing groups in its
      lexicon patterns. Patterns using capturing groups could
      previously lead to crashes with segmentation fault. Use
      non-capturing groups (?:…) instead.
    - gh-140815: faulthandler now detects if a frame or a code
      object is invalid or freed. Patch by Victor Stinner.
    - gh-100218: Correctly set errno when socket.if_nametoindex()
      or socket.if_indextoname() raise an OSError. Patch by
      Bénédikt Tran.
    - gh-140875: Fix handling of unclosed character references
      (named and numerical) followed by the end of file in
      html.parser.HTMLParser with convert_charrefs=False.
    - gh-140734: multiprocessing: fix off-by-one error when
      checking the length of a temporary socket file path. Patch
      by Bénédikt Tran.
    - gh-140874: Bump the version of pip bundled in ensurepip to
      version 25.3
    - gh-140691: In urllib.request, when opening a FTP URL fails
      because a data connection cannot be made, the control
      connection’s socket is now closed to avoid
      a ResourceWarning.
    - gh-103847: Fix hang when cancelling process created by
      asyncio.create_subprocess_exec() or
      asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
    - gh-140590: Fix arguments checking for the
      functools.partial.__setstate__() that may lead to internal
      state corruption and crash. Patch by Sergey Miryanov.
    - gh-140634: Fix a reference counting bug in
      os.sched_param.__reduce__().
    - gh-140633: Ignore AttributeError when setting a module’s
      __file__ attribute when loading an extension module
      packaged as Apple Framework.
    - gh-140593: xml.parsers.expat: Fix a memory leak that could
      affect users with ElementDeclHandler() set to a custom
      element declaration handler. Patch by Sebastian Pipping.
    - gh-140607: Inside io.RawIOBase.read(), validate that the
      count of bytes returned by io.RawIOBase.readinto() is valid
      (inside the provided buffer).
    - gh-138162: Fix logging.LoggerAdapter with merge_extra=True
      and without the extra argument.
    - gh-140474: Fix memory leak in array.array when creating
      arrays from an empty str and the u type code.
    - gh-140272: Fix memory leak in the clear() method of the
      dbm.gnu database.
    - gh-140041: Fix import of ctypes on Android and Cygwin when
      ABI flags are present.
    - gh-139905: Add suggestion to error message for
      typing.Generic subclasses when cls.__parameters__ is
      missing due to a parent class failing to call
      super().__init_subclass__() in its __init_subclass__.
    - gh-139845: Fix to not print KeyboardInterrupt twice in
      default asyncio REPL.
    - gh-139783: Fix inspect.getsourcelines() for the case when
      a decorator is followed by a comment or an empty line.
    - gh-70765: http.server: fix default handling of HTTP/0.9
      requests in BaseHTTPRequestHandler. Previously,
      BaseHTTPRequestHandler.parse_request() incorrectly waited
      for headers in the request although those are not supported
      in HTTP/0.9. Patch by Bénédikt Tran.
    - gh-139391: Fix an issue when, on non-Windows platforms, it
      was not possible to gracefully exit a python -m asyncio
      process suspended by Ctrl+Z and later resumed by fg other
      than with kill.
    - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
      'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
      chars as they were treated as part of multi-character
      sequences.
    - gh-139246: fix: paste zero-width in default repl width is
      wrong.
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
    - gh-139065: Fix trailing space before a wrapped long word if
      the line length is exactly width in textwrap.
    - gh-138993: Dedent credits text.
    - gh-138859: Fix generic type parameterization raising
      a TypeError when omitting a ParamSpec that has a default
      which is not a list of types.
    - gh-138775: Use of python -m with base64 has been fixed to
      detect input from a terminal so that it properly notices
      EOF.
    - gh-98896: Fix a failure in multiprocessing resource_tracker
      when SharedMemory names contain colons. Patch by Rani
      Pinchuk.
    - gh-75989: tarfile.TarFile.extractall() and
      tarfile.TarFile.extract() now overwrite symlinks when
      extracting hardlinks. (Contributed by Alexander Enrique
      Urieles Nieto in gh-75989.)
    - gh-83424: Allows creating a ctypes.CDLL without name when
      passing a handle as an argument.
    - gh-136234: Fix asyncio.WriteTransport.writelines() to be
      robust to connection failure, by using the same behavior as
      write().
    - gh-136057: Fixed the bug in pdb and bdb where next and step
      can’t go over the line if a loop exists in the line.
    - gh-135307: email: Fix exception in set_content() when
      encoding text and max_line_length is set to 0 or None
      (unlimited).
    - gh-134453: Fixed subprocess.Popen.communicate() input=
      handling of memoryview instances that were non-byte shaped
      on POSIX platforms. Those are now properly cast to a byte
      shaped view instead of truncating the input. Windows
      platforms did not have this bug.
    - gh-102431: Clarify constraints for “logical” arguments in
      methods of decimal.Context.
 - IDLE
    - gh-96491: Deduplicate version number in IDLE shell title
      bar after saving to a file.
 - Documentation
    - gh-141994: xml.sax.handler: Make Documentation of
      xml.sax.handler.feature_external_ges warn of opening up to
      external entity attacks. Patch by Sebastian Pipping.
    - gh-140578: Remove outdated sencence in the documentation
      for multiprocessing, that implied that
      concurrent.futures.ThreadPoolExecutor did not exist.
 - Core and Builtins
    - gh-142048: Fix quadratically increasing garbage collection
      delays in free-threaded build.
    - gh-141930: When importing a module, use Python’s regular
      file object to ensure that writes to .pyc files are
      complete or an appropriate error is raised.
    - gh-120158: Fix inconsistent state when enabling or
      disabling monitoring events too many times.
    - gh-141579: Fix sys.activate_stack_trampoline() to properly
      support the perf_jit backend. Patch by Pablo Galindo.
    - gh-141312: Fix the assertion failure in the __setstate__
      method of the range iterator when a non-integer argument is
      passed. Patch by Sergey Miryanov.
    - gh-140939: Fix memory leak when bytearray or bytes is
      formated with the
      %*b format with a large width that results in
      %a MemoryError.
    - gh-140530: Fix a reference leak when raise exc from cause
      fails. Patch by Bénédikt Tran.
    - gh-140576: Fixed crash in tokenize.generate_tokens() in
      case of specific incorrect input. Patch by Mikhail Efimov.
    - gh-140551: Fixed crash in dict if dict.clear() is called at
      the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
    - gh-140471: Fix potential buffer overflow in ast.AST node
      initialization when encountering malformed _fields
      containing non-str.
    - gh-140406: Fix memory leak when an object’s __hash__()
      method returns an object that isn’t an int.
    - gh-140306: Fix memory leaks in cross-interpreter channel
      operations and shared namespace handling.
    - gh-140301: Fix memory leak of PyConfig in subinterpreters.
    - gh-140000: Fix potential memory leak when a reference cycle
      exists between an instance of typing.TypeAliasType,
      typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
      and its __name__ attribute. Patch by Mikhail Efimov.
    - gh-139748: Fix reference leaks in error branches of
      functions accepting path strings or bytes such as compile()
      and os.system(). Patch by Bénédikt Tran.
    - gh-139516: Fix lambda colon erroneously start format spec
      in f-string in tokenizer.
    - gh-139640: Fix swallowing some syntax warnings in different
      modules if they accidentally have the same message and are
      emitted from the same line. Fix duplicated warnings in the
      finally block.
    - gh-137400: Fix a crash in the free threading build when
      disabling profiling or tracing across all threads with
      PyEval_SetProfileAllThreads() or
      PyEval_SetTraceAllThreads() or their Python equivalents
      threading.settrace_all_threads() and
      threading.setprofile_all_threads().
    - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
      match old pre-3.13 REPL behavior.
 - C API
    - gh-140042: Removed the sqlite3_shutdown call that could
      cause closing connections for sqlite when used with
      multiple sub interpreters.
    - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
      3.11 and older: don’t treat Py_NotImplemented as immortal.
      Patch by Victor Stinner.
 - Remove upstreamed patches:
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-8291-consistency-zip64.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
 -------------------------------------------------------------------
 Wed Nov 19 19:21:41 UTC 2025 - Matej Cepl <mcepl@suse.com>
--- a/python313.spec
+++ b/python313.spec
@@ -167,7 +167,7 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.13.9
+Version:        3.13.11
 %define         tarversion %{version}
 %define         tarname    Python-%{tarversion}
 Release:        0
@@ -235,12 +235,6 @@ Patch43:        bsc1243155-sphinx-non-determinism.patch
 Patch44:        gh138131-exclude-pycache-from-digest.patch
 # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
 Patch45:        gh139257-Support-docutils-0.22.patch
 # PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
 # Check consistency of the zip64 end of central directory record
 Patch46:        CVE-2025-8291-consistency-zip64.patch
 # PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
 # Avoid potential quadratic complexity vulnerabilities in path modules
 Patch47:        CVE-2025-6075-expandvars-perf-degrad.patch
 # PATCH-FIX-UPSTREAM pass-test_write_read_limited_history.patch bsc#[0-9]+ mcepl@suse.com
 # Fix readline history truncation when length is reduced
 Patch48:        pass-test_write_read_limited_history.patch
		`@@ -0,0 +1 @@`
							{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICyTCCAk+gAwIBAgIUMZ9OrU89PmgWXWiYxq/s1e8xVkkwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMjA1MTY1NjU1WhcNMjUxMjA1MTcwNjU1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ3Wq/mhAIwL1ZNOiCgOmVYXqwl8rWBi+hwTYY+NJLvmuRW7wblbWyTJ1RSZrS9dVGhVdWZP7tT2hvkt56ibycaOCAW4wggFqMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUCukYhSJA3LGmELdmyGSLM/sNqPowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERdGhvbWFzQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGa73H4UAAABAMARjBEAiAoqadI7BCu3G3jmK140KSkRC+uTKIS7K/yAUtT8zfdiwIgV51hPZZYKSjHglktFhqcxzHLdRyb96/caoR4m+DHvT8wCgYIKoZIzj0EAwMDaAAwZQIwSuCW4+VibjHM96ArSncpYew+tvp7bMlc21AHsgr12ZO6p//IiSdjJlqOTpYwCWtFAjEA0BxY6Y7zl4+baG4+BZ+EEiwDwoCOVTR7ORMuDYeZ/Dy6g47hohxRqtssCYdRKRZq"}, "tlogEntries": [{"logIndex": "743450012", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1764953815", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFAmMfakwQScJ3jGB7ufmmWcvXbT/sQYyb/iIbRyJXYmAiB25k62mSSsvteAacdB4SjQJ100UGRI02mHOZykKqirrQ=="}, "inclusionProof": {"logIndex": "621545750", "rootHash": "lTjgILAqSIIoraXAj/bseL/7BMbChIzmHVo5P84pPO8=", "treeSize": "621545755", "hashes": ["FqRC4Ydg7KClKWZIe5BLdSoxPOl3L+wXnnctnBbxa5E=", "hyHMJXZjRrPr7N8JDpms6tqWbIuqgBLKkoDomNSzO8g=", "XV5KmKAmcumiCPrjB89usazCvsWagxoKoI5P3Rn5mDQ=", "FKJNSf/yPWGSGCwEZ4ybeMVy+zECYaK/u2yKEboKDQs=", "4wbyhSYvHHiszMmrsBtjXwOt9um81zByZQLFAXJAu0g=", "q0tC4xtUswgodVV8T7OYpkNlp/XC4qAM541kvTHkq4o=", "se5pDnKcF+idDdO0PdbWjF+rFNUWlCzxj+pSmkASRQU=", "YYvp7Leoq6lF3zEs+Bux7BQt/UrxFbOOJAwVroBevek=", "pQtmpjszxrel2u+2I5HrLBwlwvhc19nfAUsa5EHZAe4=", "0jEq6eagxqoSOor9OR//fY6uOsPzLaE1q1n9tZRzfSc=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n621545755\nlTjgILAqSIIoraXAj/bseL/7BMbChIzmHVo5P84pPO8=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAS9t8HEV2fPKq2rB20KvscWBUzqlzyZr6asuXxp8whiAIgUxc+PuVjTYduOZ2zKNeaSos22BXxAn7hKgxBroQmIkE=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIxNmVkZTdiYjdjZGJmYTg5NWQxMWIwNjQyZmEwZTUyM2YyOTFlNjQ4NzE5NGQ1M2NmNmQzYjMzOGMzYTE3ZWEyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUURENENYVTNMNGlMSkVCb0xFSVlnVU5kTXhjN3VENWdMcUgyeXRFNFQxTnd3SWdKbHBhMHJFbDV0MGdtbTlTYzRoQnpFOG9QK2JLSlVZeExUTmd4dEdnSmo0PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjVWRU5EUVdzclowRjNTVUpCWjBsVlRWbzVUM0pWT0RsUWJXZFhXRmRwV1hoeEwzTXhaVGg0Vm10cmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFxUVRGTlZGa3hUbXBWTVZkb1kwNU5hbFY0VFdwQk1VMVVZM2RPYWxVeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZSTTFkeEwyMW9RVWwzVERGYVRrOXBRMmRQYlZaWldIRjNiRGh5VjBKcEsyaDNWRmtLV1N0T1NreDJiWFZTVnpkM1lteGlWM2xVU2pGU1UxcHlVemxrVmtkb1ZtUlhXbEEzZEZReWFIWnJkRFUyYVdKNVkyRlBRMEZYTkhkblowWnhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZEZFd0WkNtaFRTa0V6VEVkdFJVeGtiWGxIVTB4TkwzTk9jVkJ2ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoM1dVUldVakJTUVZGSUwwSkNWWGRGTkVWU1pFZG9kbUpYUm5wUlNFSTFaRWRvZG1KcE5YWmpiV04zUzFGWlMwdDNXVUpDUVVkRWRucEJRZ3BCVVZGaVlVaFNNR05JVFRaTWVUbG9XVEpPZG1SWE5UQmplVFZ1WWpJNWJtSkhWWFZaTWpsMFRVTnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVklVWGRpQ21GSVVqQmpTRTAyVEhrNWFGa3lUblprVnpVd1kzazFibUl5T1c1aVIxVjFXVEk1ZEUxSlIwcENaMjl5UW1kRlJVRmtXalZCWjFGRFFraHpSV1ZSUWpNS1FVaFZRVE5VTUhkaGMySklSVlJLYWtkU05HTnRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIWVRjelNEUlZRVUZCUWtGTlFRcFNha0pGUVdsQmIzRmhaRWszUWtOMU0wY3phbTFMTVRRd1MxTnJVa01yZFZSTFNWTTNTeTk1UVZWMFZEaDZabVJwZDBsblZqVXhhRkJhV2xsTFUycElDbWRzYTNSR2FIRmplSHBJVEdSU2VXSTVOaTlqWVc5U05HMHJSRWgyVkRoM1EyZFpTVXR2V2tsNmFqQkZRWGROUkdGQlFYZGFVVWwzVTNWRFZ6UXJWbWtLWW1wSVRUazJRWEpUYm1Od1dXVjNLM1IyY0RkaVRXeGpNakZCU0hObmNqRXlXazgyY0M4dlNXbFRaR3BLYkhGUFZIQlpkME5YZEVaQmFrVkJNRUo0V1FvMldUZDZiRFFyWW1GSE5DdENXaXRGUldsM1JIZHZRMDlXVkZJM1QxSk5kVVJaWlZvdlJIazJaelEzYUc5b2VGSnhkSE56UTFsa1VrdFNXbkVLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "Fu3nu3zb+oldEbBkL6DlI/KR5khxlNU89tOzOMOhfqI="}, "signature": "MEUCIQDD4CXU3L4iLJEBoLEIYgUNdMxc7uD5gLqH2ytE4T1NwwIgJlpa0rEl5t0gmm9Sc4hBzE8oP+bKJUYxLTNgxtGgJj4="}}