diff --git a/CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch b/CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
new file mode 100644
index 0000000..967eda5
--- /dev/null
+++ b/CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
@@ -0,0 +1,176 @@
+From 34df10a9a16b38d54421eeeaf73ec89828563be7 Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson
+Date: Mon, 18 Jan 2021 15:11:46 -0600
+Subject: [PATCH] [3.6] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24250)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson
+---
+ Lib/ctypes/test/test_parameters.py | 43 +++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
+ Modules/_ctypes/callproc.c | 55 +++++++------------
+ 3 files changed, 66 insertions(+), 34 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ class SimpleTypesTestCase(unittest.TestC
+ with self.assertRaises(ZeroDivisionError):
+ WorseStruct().__setstate__({}, b'foo')
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegex(repr(c_bool.from_param(True)), r"^$")
++ self.assertEqual(repr(c_char.from_param(97)), "")
++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$")
++ self.assertEqual(repr(c_byte.from_param(98)), "")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "")
++ self.assertEqual(repr(c_short.from_param(511)), "")
++ self.assertEqual(repr(c_ushort.from_param(511)), "")
++ self.assertRegex(repr(c_int.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_long.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "")
++ self.assertEqual(repr(c_double.from_param(1.5)), "")
++ self.assertEqual(repr(c_double.from_param(1e300)), "")
++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$")
++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$")
++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$")
++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$")
++
+ ################################################################
+
+ if __name__ == '__main__':
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+@@ -0,0 +1,2 @@
++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
++:class:`ctypes.c_longdouble` values.
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+- char buffer[256];
+ switch(self->tag) {
+ case 'b':
+ case 'B':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.b);
+- break;
+ case 'h':
+ case 'H':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.h);
+- break;
+ case 'i':
+ case 'I':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.i);
+- break;
+ case 'l':
+ case 'L':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.l);
+- break;
+
+ case 'q':
+ case 'Q':
+- sprintf(buffer,
+-#ifdef MS_WIN32
+- "",
+-#else
+- "",
+-#endif
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.q);
+- break;
+ case 'd':
+- sprintf(buffer, "",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "",
+- self->tag, self->value.f);
+- break;
+-
++ case 'f': {
++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ?
self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -544,22 +533,19 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); +- break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/F00102-lib64.patch b/F00102-lib64.patch index 8b07d52..e1a179e 100644 --- a/F00102-lib64.patch +++ b/F00102-lib64.patch @@ -183,7 +183,7 @@ Co-authored-by: Iryna Shcherbina } --- a/configure +++ b/configure -@@ -15214,9 +15214,9 @@ fi +@@ -15233,9 +15233,9 @@ fi if test x$PLATFORM_TRIPLET = x; then @@ -197,7 +197,7 @@ Co-authored-by: Iryna Shcherbina --- a/configure.ac +++ b/configure.ac -@@ -4689,9 +4689,9 @@ fi +@@ -4691,9 +4691,9 @@ fi dnl define LIBPL after ABIFLAGS and LDVERSION is defined. AC_SUBST(PY_ENABLE_SHARED) if test x$PLATFORM_TRIPLET = x; then diff --git a/Python-3.8.6.tar.xz b/Python-3.8.6.tar.xz deleted file mode 100644 index d1fdeef..0000000 --- a/Python-3.8.6.tar.xz +++ /dev/null 
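Review bot: The embedded commit's Subject line marks this as the `[3.6]` backport of GH-24250 while the spec applies it to 3.8.7, so the `@@ -484,58 +484,47 @@` and `@@ -544,22 +533,19 @@` offsets for callproc.c and the `@@ -201,6 +201,49 @@` offset for test_parameters.py were computed against the 3.6 tree; confirm the patch applies without fuzz on 3.8.7, or carry the 3.8-branch backport and record its upstream commit id in the header in place of the 3.6 cherry-pick note. The format strings of every new `PyUnicode_FromFormat("", ...)` call and the test's `r"^$"` patterns appear empty here, presumably because the angle-bracketed `cparam` literals were stripped as markup during rendering; verify the on-disk patch still carries them, since an empty format would make every repr `''` and the `assertEqual(..., "")` cases would pass on it. On the substance the change is the right shape: the fixed 256-byte `buffer` and all `sprintf` calls into it are gone, each case returns the formatted object directly, and the merged `'d'`/`'f'` case checks `f == NULL` before formatting and releases the temporary with `Py_DECREF(f)` afterwards.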
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a
-size 18233864
diff --git a/Python-3.8.6.tar.xz.asc b/Python-3.8.6.tar.xz.asc
deleted file mode 100644
index 8d228f0..0000000
--- a/Python-3.8.6.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl9rVG4ACgkQsmmV4xAl
-BWjO7Q//c53m2UmRypzJxgxF1EizNzmPGmc1w87X9oaDJNsMhNBwgHCbMkwDdyO3
-mh+MjfkvLhIS1tXj4X+FYl+XURB1FGO1qhtXlpPTHVw+z5l5RmZwyAJIm3TgjPL5
-p/3jG9p/LqB3sADhds2lhbc4cEtXOhrm789FqjEz6r1hAYieo/frx4RbrmIF+OER
-rmRp6Z7MdMwYDxaIvR5yZicbUFoMl8wvN0WAjLpXb7BAHb+l0zjc00803rmi9xaR
-u0tIjz3jn25Mw81gpgjfnnqOSncap1F6OHhw2AzUN5GzgoG3/cPA96VjqJuAXpSC
-RjhHdV7DMvVh806Ck6BX98Ed3wLGbAVAIXKsdZSSZ67s1CTXfyp+wf5NeIKU70wA
-1NCxPosQsrzGr6TpUts9MXed45dg9EPPuf7MjTeyKx8m7JaOsQOo8rkI8B5Sw+bf
-QIilcSHJnWOKjMQUsCqFI96ZF/zwfyFMKZ6zd+9bIH7iIqXgQ2wiWgR17AGH9uBW
-CVPIw5ucnt+1VR5+eZqYU+mLjqgJILkOkNlvpJBywtNOivUcBZVt8LHpt6tD60bI
-EbOBVrQveY8mmiQsXEDCza7PnRDk83iqHS2BPOCLFAeNdN6JAGfVdr0WA5ZM9EmT
-kbLICbAABfJSFXoPeEqnCLIFP4omsT7R7rTv29K8/lPGbc2VTaA=
-=/x9a
------END PGP SIGNATURE-----
diff --git a/Python-3.8.7.tar.xz b/Python-3.8.7.tar.xz
new file mode 100644
index 0000000..42c2395
--- /dev/null
+++ b/Python-3.8.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a
+size 18261096
diff --git a/Python-3.8.7.tar.xz.asc b/Python-3.8.7.tar.xz.asc
new file mode 100644
index 0000000..072b6bc
--- /dev/null
+++ b/Python-3.8.7.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl/g2ZIACgkQsmmV4xAl +BWigoA//XACPIIS3b3qikD2t1CAmaNhkZQLUznmuvpiQolx+yHl0XEENjb9i2ZJ5 +lPWwJUgea3C6qnXzBrGhrDrO/mg4ICXiQWNOF2BHDfe8OSPdMyE4DFJ/yWoElGBU +x1KylvgnJGP5DCTjCaR75kODprEWzePz2Pks3Wc4dFFchDoGHNgvdh0abj5NTdU8 +RQzBBYfIrgBEWvacXzGdgtdg/PuSMWKHYq1054P+Bpa3an0yQongzeuhqtsEKurM +3ZTbo1/hJZsucgNfTFBf3SamLik16yZ4wgNulnIqENnOJ0BU20GT9FVSOp+W+0XG +Okt0S2sSuBxI+jf5kjNfnuh7Ew34/7VA/VlB6ASqCmtRt0MckEjzP8aGW3Ssb+yQ +Vdjh8sCQD+eDS6QbCs3h2G2AuStYo28UX52OrLqZRUAHQ0M/pKJs+/H0WAeb8MhV +MqWeuXyv60OYBnoTEE1i7g+FRsedpLvHdgtUy8EPa3715hIXIK+0oG73cUd1w+ba +RmxcxQMlnSqrnpdI9EAfQ0xobdcvewNP9RZsIKdLFlvk5qBb28bI2bCIFT3tq9i5 +dDCN2XAHFvQb/JTYIJddBuGe2tf4z0e9VgOo3QZfpA0A07l94dmx7e89xORg2S21 +HVWobZGyfCpOJ5GGzjhuQF+07AAv+cZMd8zHnhHsHzpTrCk0SyY= +=GtoI +-----END PGP SIGNATURE----- diff --git a/SUSE-FEDORA-multilib.patch b/SUSE-FEDORA-multilib.patch index a386007..0c41941 100644 --- a/SUSE-FEDORA-multilib.patch +++ b/SUSE-FEDORA-multilib.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -4686,12 +4686,26 @@ else +@@ -4688,12 +4688,26 @@ else LIBPYTHON='' fi @@ -314,7 +314,7 @@ # just making sure _main() runs and returns things in the stdout --- a/configure +++ b/configure -@@ -15214,9 +15214,9 @@ fi +@@ -15233,9 +15233,9 @@ fi if test x$PLATFORM_TRIPLET = x; then diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch index d29b5ef..f975b73 100644 --- a/bpo-31046_ensurepip_honours_prefix.patch +++ b/bpo-31046_ensurepip_honours_prefix.patch @@ -55,7 +55,7 @@ Co-Authored-By: Xavier de Gaye .. note:: --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py -@@ -56,27 +56,27 @@ def _disable_pip_configuration_settings( +@@ -53,27 +53,27 @@ def _disable_pip_configuration_settings( os.environ['PIP_CONFIG_FILE'] = os.devnull 
@@ -88,7 +88,7 @@ Co-Authored-By: Xavier de Gaye Note that calling this function will alter both sys.path and os.environ. """ -@@ -119,6 +119,8 @@ def _bootstrap(*, root=None, upgrade=Fal +@@ -116,6 +116,8 @@ def _bootstrap(*, root=None, upgrade=Fal args = ["install", "--no-cache-dir", "--no-index", "--find-links", tmpdir] if root: args += ["--root", root] @@ -97,7 +97,7 @@ Co-Authored-By: Xavier de Gaye if upgrade: args += ["--upgrade"] if user: -@@ -191,6 +193,11 @@ def _main(argv=None): +@@ -188,6 +190,11 @@ def _main(argv=None): help="Install everything relative to this alternate root directory.", ) parser.add_argument( @@ -109,7 +109,7 @@ Co-Authored-By: Xavier de Gaye "--altinstall", action="store_true", default=False, -@@ -209,6 +216,7 @@ def _main(argv=None): +@@ -206,6 +213,7 @@ def _main(argv=None): return _bootstrap( root=args.root, diff --git a/python38.changes b/python38.changes index b000185..f52daa2 100644 --- a/python38.changes +++ b/python38.changes 
@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Fri Jan 29 17:22:48 UTC 2021 - Matej Cepl
+
+- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
+ bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
+ _ctypes/callproc.c, which may lead to remote code execution.
+
+-------------------------------------------------------------------
+Tue Jan 5 09:15:36 UTC 2021 - Matej Cepl
+
+- (bsc#1180125) We really don't Require python-rpm-macros package.
+ Unnecessary dependency.
+
+-------------------------------------------------------------------
+Tue Dec 22 08:27:08 UTC 2020 - Matej Cepl
+
+- Update to 3.8.7:
+ - bugfix release
+ - multiple patches realigned:
+ - F00102-lib64.patch
+ - SUSE-FEDORA-multilib.patch
+ - bpo-31046_ensurepip_honours_prefix.patch
+ - skip_random_failing_tests.patch
+
+-------------------------------------------------------------------
+Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner
+
+- Last try before this results in an editwar:
+ * remove importlib_resources and importlib-metadata
+ provides/obsoletes
+ * import importlib_resources is not the same as
+ import importlib.resources, same for metadata
+ * The backport packages from PyPI needed for older flavors are
+ specified as such for setuptools or in pyproject.toml. If a
+ package requires them they typically add them with a python
+ version qualifier and the packages have their own version
+ numbers.
+
+-------------------------------------------------------------------
+Sat Dec 5 16:55:12 UTC 2020 - Matej Cepl
+
+- Add patch sphinx-update-removed-function.patch to no longer call
+ a now removed function and to make documentation build independent of
+ the Sphinx version (bsc#1179630, gh#python/cpython#13236).
+ +------------------------------------------------------------------- +Wed Dec 2 10:57:45 UTC 2020 - Matej Cepl + +- Add importlib_resources provide/obsolete as it is integral + part of the lang since 3.7 release + ------------------------------------------------------------------- Fri Nov 20 14:40:09 UTC 2020 - Benjamin Greiner diff --git a/python38.spec b/python38.spec index 2d50928..8d95307 100644 --- a/python38.spec +++ b/python38.spec @@ -1,7 +1,7 @@ # -# spec file for package python38 +# spec file for package python38-core # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -87,7 +87,7 @@ %bcond_without profileopt %endif Name: %{python_pkg_name}%{psuffix} -Version: 3.8.6 +Version: 3.8.7 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -152,6 +152,11 @@ Patch29: bpo-31046_ensurepip_honours_prefix.patch # PATCH-FIX-UPSTREAM bsc1167501-invalid-alignment.patch gh#python/cpython#19133 mcepl@suse.com # Fix wrong misalignment of pointer to vectorcallfunc Patch31: bsc1167501-invalid-alignment.patch +# PATCH-FIX-UPSTREAM stop calling removed Sphinx function gh#python/cpython#13236 +Patch32: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com +# buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution +Patch33: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch BuildRequires: automake BuildRequires: fdupes BuildRequires: gmp-devel 
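Review bot: The comment introduced for `Patch32` does not follow the `# PATCH-FIX-UPSTREAM <patch file> <bug refs> <email>` form that the adjacent `Patch31` and `Patch33` comments use, and it drops the bsc reference the changelog entry gives for this patch; suggest `# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bsc#1179630 gh#python/cpython#13236 mcepl@suse.com`. Naming the patch file in the comment is what lets the Patch list be checked against the `%patchNN -p1` lines in `%prep` and against the changelog without opening the file.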
@@ -174,9 +179,11 @@ BuildRequires: pkgconfig(libtirpc) # Here we just run sphinx and we can use generic one, we don't need # the flavor variant BuildRequires: python3-Sphinx < 3.0 +%if 0%{?suse_version} > 1500 BuildRequires: python3-python-docs-theme BuildRequires: python3-sphinxcontrib-qthelp >= 1.0.2 %endif +%endif %if %{with general} # required for idle3 (.desktop and .appdata.xml files) BuildRequires: appstream-glib @@ -286,7 +293,6 @@ Python, and Macintosh Module Reference in format for devhelp. %package -n %{python_pkg_name}-base Summary: Python 3 Interpreter and Stdlib Core Requires: libpython%{so_version} = %{version} -Requires: python-rpm-macros Recommends: %{python_pkg_name} = %{version} #Recommends: python3-ensurepip # python 3.1 didn't have a separate python-base, so it is wrongly @@ -406,6 +412,8 @@ other applications. %patch28 -p1 %patch29 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac diff --git a/skip_random_failing_tests.patch b/skip_random_failing_tests.patch index aa92541..209ce06 100644 --- a/skip_random_failing_tests.patch +++ b/skip_random_failing_tests.patch @@ -82,7 +82,7 @@ Signed-off-by: Michel Normand --- a/Lib/test/_test_multiprocessing.py +++ b/Lib/test/_test_multiprocessing.py -@@ -1521,6 +1521,7 @@ class _TestCondition(BaseTestCase): +@@ -1542,6 +1542,7 @@ class _TestCondition(BaseTestCase): success.value = True @unittest.skipUnless(HAS_SHAREDCTYPES, 'needs sharedctypes') @@ -90,7 +90,7 @@ Signed-off-by: Michel Normand def test_waitfor_timeout(self): # based on test in test/lock_tests.py cond = self.Condition() -@@ -2411,6 +2412,7 @@ class _TestPool(BaseTestCase): +@@ -2432,6 +2433,7 @@ class _TestPool(BaseTestCase): self.assertEqual(get(), 49) self.assertTimingAlmostEqual(get.elapsed, TIMEOUT1) @@ -98,7 +98,7 @@ 
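Review bot: The new `%if 0%{?suse_version} > 1500` around the `python3-python-docs-theme` and `python3-sphinxcontrib-qthelp` BuildRequires carries no comment on why those two are restricted to newer products, and the comment just above only explains the generic Sphinx choice; a line such as `# docs theme and qthelp extension: only on suse_version > 1500 (TODO: state the reason)` would save the next packager guessing. The outer `%if` that the added `%endif` now closes begins outside the hunk, so the pairing of the two `%endif` lines is worth confirming after the insertion.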
Signed-off-by: Michel Normand def test_async_timeout(self): res = self.pool.apply_async(sqr, (6, TIMEOUT2 + 1.0)) get = TimingWrapper(res.get) -@@ -4564,6 +4566,7 @@ class TestWait(unittest.TestCase): +@@ -4643,6 +4645,7 @@ class TestWait(unittest.TestCase): sem.release() time.sleep(period) @@ -108,7 +108,7 @@ Signed-off-by: Michel Normand --- a/Lib/test/test_asyncio/test_events.py +++ b/Lib/test/test_asyncio/test_events.py -@@ -266,6 +266,7 @@ class EventLoopTestsMixin: +@@ -268,11 +268,12 @@ class EventLoopTestsMixin: # Note: because of the default Windows timing granularity of # 15.6 msec, we use fairly long sleep times here (~100 msec). @@ -116,16 +116,13 @@ Signed-off-by: Michel Normand def test_run_until_complete(self): t0 = self.loop.time() self.loop.run_until_complete(asyncio.sleep(0.1)) -@@ -293,7 +294,7 @@ class EventLoopTestsMixin: - self.loop.run_forever() - t1 = time.monotonic() - self.assertEqual(results, ['hello world']) + t1 = self.loop.time() - self.assertTrue(0.08 <= t1-t0 <= 0.8, t1-t0) + self.assertTrue(0.08 <= t1-t0 <= 5.0, t1-t0) - def test_call_soon(self): - results = [] -@@ -478,6 +479,7 @@ class EventLoopTestsMixin: + def test_run_until_complete_stopped(self): + +@@ -477,6 +478,7 @@ class EventLoopTestsMixin: self.assertEqual(caught, 1) @unittest.skipUnless(hasattr(signal, 'SIGALRM'), 'No SIGALRM') @@ -135,7 +132,7 @@ Signed-off-by: Michel Normand caught = 0 --- a/Lib/test/test_buffer.py +++ b/Lib/test/test_buffer.py -@@ -2504,6 +2504,7 @@ class TestBufferProtocol(unittest.TestCa +@@ -2506,6 +2506,7 @@ class TestBufferProtocol(unittest.TestCa a = ndarray(items, shape=[2, 2, 2], format="b") check(memoryview(a), vsize(base_struct + 3 * per_dim)) diff --git a/sphinx-update-removed-function.patch b/sphinx-update-removed-function.patch new file mode 100644 index 0000000..c9278c5 --- /dev/null +++ b/sphinx-update-removed-function.patch 
@@ -0,0 +1,26 @@
+From 960bb883769e5c64a63b014590d75654db87ffb0 Mon Sep 17 00:00:00 2001
+From: Pablo Galindo
+Date: Fri, 10 May 2019 22:58:17 +0100
+Subject: [PATCH] Fix sphinx deprecation warning about env.note_versionchange()
+ (GH-13236)
+
+---
+ Doc/tools/extensions/pyspecific.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Doc/tools/extensions/pyspecific.py
++++ b/Doc/tools/extensions/pyspecific.py
+@@ -361,7 +361,12 @@ class DeprecatedRemoved(Directive):
+ translatable=False)
+ node.append(para)
+ env = self.state.document.settings.env
+- env.get_domain('changeset').note_changeset(node)
++ # new method
++ if hasattr(env, 'get_domain'):
++ env.get_domain('changeset').note_changeset(node)
++ # deprecated pre-Sphinx-2 method
++ else:
++ env.note_versionchange('deprecated', version[0], node, self.lineno)
+ return [node] + messages
+
+