From 452f54cf1b81a513d98f49f73d6a29767ce479c4c56d4d7c208db87e72daef88 Mon Sep 17 00:00:00 2001
From: Matej Cepl <mcepl@suse.com>
Date: Sat, 3 Sep 2022 02:23:54 +0000
Subject: [PATCH] - (bsc#1196784, CVE-2022-25236) Add patch  
 support-expat-CVE-2022-25236-patched.patch to allow working   with different
 versions of libexpat.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=97
---
 python38.changes                           |  7 +++
 python38.spec                              |  4 ++
 support-expat-CVE-2022-25236-patched.patch | 71 ++++++++++++++++++++++
 3 files changed, 82 insertions(+)
 create mode 100644 support-expat-CVE-2022-25236-patched.patch

diff --git a/python38.changes b/python38.changes
index 74bfb48..e6f73f6 100644
--- a/python38.changes
+++ b/python38.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep  3 02:20:54 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1196784, CVE-2022-25236) Add patch
+  support-expat-CVE-2022-25236-patched.patch to allow working
+  with different versions of libexpat.
+
 -------------------------------------------------------------------
 Thu Sep  1 04:20:04 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
 
diff --git a/python38.spec b/python38.spec
index 23c9d8b..87e978d 100644
--- a/python38.spec
+++ b/python38.spec
@@ -170,6 +170,9 @@ Patch34:        bpo34990-2038-problem-compileall.patch
 # PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94094
 # Coerce // to / in Lib/http/server.py
 Patch35:        CVE-2021-28861-double-slash-path.patch
+# PATCH-FIX-UPSTREAM gh#python/cpython#90967 gh#python/cpython#93900  mcepl@suse.com
+# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
+Patch36:        support-expat-CVE-2022-25236-patched.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -436,6 +439,7 @@ other applications.
 %patch33 -p1
 %patch34 -p1
 %patch35 -p1
+%patch36 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
diff --git a/support-expat-CVE-2022-25236-patched.patch b/support-expat-CVE-2022-25236-patched.patch
new file mode 100644
index 0000000..c225a8f
--- /dev/null
+++ b/support-expat-CVE-2022-25236-patched.patch
@@ -0,0 +1,71 @@
+From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 21 Feb 2022 08:16:09 -0800
+Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
+ (GH-31472)
+
+Curly brackets were never allowed in namespace URIs
+according to RFC 3986, and so-called namespace-validating
+XML parsers have the right to reject them a invalid URIs.
+
+libexpat >=2.4.5 has become strcter in that regard due to
+related security issues; with ET.XML instantiating a
+namespace-aware parser under the hood, this test has no
+future in CPython.
+
+References:
+- https://datatracker.ietf.org/doc/html/rfc3968
+- https://www.w3.org/TR/xml-names/
+
+Also, test_minidom.py: Support Expat >=2.4.5
+(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ Lib/test/test_minidom.py |   25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
+
+--- a/Lib/test/test_minidom.py
++++ b/Lib/test/test_minidom.py
+@@ -1149,14 +1149,12 @@ class MinidomTest(unittest.TestCase):
+ 
+         # Verify that character decoding errors raise exceptions instead
+         # of crashing
+-        if pyexpat.version_info >= (2, 4, 5):
+-            self.assertRaises(ExpatError, parseString,
+-                    b'<fran\xe7ais></fran\xe7ais>')
+-            self.assertRaises(ExpatError, parseString,
+-                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
+-        else:
+-            self.assertRaises(UnicodeDecodeError, parseString,
+-                b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
++        # It doesn’t make any sense to insist on the exact text of the
++        # error message, or even the exact Exception … it is enough that
++        # the error has been discovered.
++        with self.assertRaises((UnicodeDecodeError, ExpatError)):
++            parseString(
++                 b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
+ 
+         doc.unlink()
+ 
+@@ -1601,13 +1599,12 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
+ 
+     def testExceptionOnSpacesInXMLNSValue(self):
+-        if pyexpat.version_info >= (2, 4, 5):
+-            context = self.assertRaisesRegex(ExpatError, 'syntax error')
+-        else:
+-            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
++        # It doesn’t make any sense to insist on the exact text of the
++        # error message, or even the exact Exception … it is enough that
++        # the error has been discovered.
++        with self.assertRaises((ExpatError, ValueError)):
++             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
+ 
+-        with context:
+-            parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
+ 
+     def testDocRemoveChild(self):
+         doc = parse(tstfile)