From 99211863738f20427dfb1df54c499e67fe113c839fb84c8248040097bffc943b Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Thu, 21 Mar 2024 20:34:23 +0000 Subject: [PATCH 1/2] =?UTF-8?q?-=20Update=20to=203.8.19:=20=20=20-=20Secur?= =?UTF-8?q?ity=20=20=20=20=20-=20gh-115398:=20Allow=20controlling=20Expat?= =?UTF-8?q?=20>=3D2.6.0=20reparse=20deferral=20=20=20=20=20=20=20(CVE-2023?= =?UTF-8?q?-52425)=20by=20adding=20five=20new=20methods:=20=20=20=20=20=20?= =?UTF-8?q?=20=20=20xml.etree.ElementTree.XMLParser.flush()=20=20=20=20=20?= =?UTF-8?q?=20=20=20=20xml.etree.ElementTree.XMLPullParser.flush()=20=20?= =?UTF-8?q?=20=20=20=20=20=20=20xml.parsers.expat.xmlparser.GetReparseDefe?= =?UTF-8?q?rralEnabled()=20=20=20=20=20=20=20=20=20xml.parsers.expat.xmlpa?= =?UTF-8?q?rser.SetReparseDeferralEnabled()=20=20=20=20=20=20=20=20=20xml.?= =?UTF-8?q?sax.expatreader.ExpatParser.flush()=20=20=20=20=20-=20gh-115399?= =?UTF-8?q?:=20Update=20bundled=20libexpat=20to=202.6.0=20=20=20=20=20-=20?= =?UTF-8?q?gh-113659:=20Skip=20.pth=20files=20with=20names=20starting=20wi?= =?UTF-8?q?th=20a=20dot=20=20=20=20=20=20=20or=20hidden=20file=20attribute?= =?UTF-8?q?.=20=20=20-=20Core=20and=20Builtins=20=20=20=20=20-=20gh-102388?= =?UTF-8?q?:=20Fix=20a=20bug=20where=20iso2022=5Fjp=5F3=20and=20iso2022=5F?= =?UTF-8?q?jp=5F2004=20=20=20=20=20=20=20codecs=20read=20out=20of=20bounds?= =?UTF-8?q?=20=20=20-=20Library=20=20=20=20=20-=20gh-115197:=20urllib.requ?= =?UTF-8?q?est=20no=20longer=20resolves=20the=20hostname=20=20=20=20=20=20?= =?UTF-8?q?=20before=20checking=20it=20against=20the=20system=E2=80=99s=20?= =?UTF-8?q?proxy=20bypass=20list=20=20=20=20=20=20=20on=20macOS=20and=20Wi?= =?UTF-8?q?ndows.=20=20=20=20=20-=20gh-115133:=20Fix=20tests=20for=20XMLPu?= =?UTF-8?q?llParser=20with=20Expat=202.6.0.=20=20=20=20=20-=20gh-81194:=20?= =?UTF-8?q?Fix=20a=20crash=20in=20socket.if=5Findextoname()=20with=20=20?= =?UTF-8?q?=20=20=20=20=20specific=20value=20(UINT=5FMAX).=20Fix=20an=20in?= =?UTF-8?q?teger=20overflow=20in=20=20=20=20=20=20=20socket.if=5Findextona?= 
=?UTF-8?q?me()=20on=2064-bit=20non-Windows=20platforms.=20=20=20=20=20-?= =?UTF-8?q?=20gh-109858:=20Protect=20zipfile=20from=20=E2=80=9Cquoted-over?= =?UTF-8?q?lap=E2=80=9D=20=20=20=20=20=20=20zipbomb.=20It=20now=20raises?= =?UTF-8?q?=20BadZipFile=20when=20try=20to=20read=20an=20entry=20=20=20=20?= =?UTF-8?q?=20=20=20that=20overlaps=20with=20other=20entry=20or=20central?= =?UTF-8?q?=20directory.=20=20=20=20=20-=20gh-107077:=20Seems=20that=20in?= =?UTF-8?q?=20some=20conditions,=20OpenSSL=20will=20=20=20=20=20=20=20retu?= =?UTF-8?q?rn=20SSL=5FERROR=5FSYSCALL=20instead=20of=20SSL=5FERROR=5FSSL?= =?UTF-8?q?=20=20=20=20=20=20=20when=20a=20certification=20verification=20?= =?UTF-8?q?has=20failed,=20but=20=20=20=20=20=20=20the=20error=20parameter?= =?UTF-8?q?s=20will=20still=20contain=20ERR=5FLIB=5FSSL?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=149
---
 CVE-2019-5010-null-defer-x509-cert-DOS.patch | 2 +-
 CVE-2023-6597-TempDir-cleaning-symlink.patch | 191 -------------------
 F00102-lib64.patch | 6 +-
 F00251-change-user-install-location.patch | 13 +-
 Python-3.8.18.tar.xz | 3 -
 Python-3.8.18.tar.xz.asc | 16 --
 Python-3.8.19.tar.xz | 3 +
 Python-3.8.19.tar.xz.asc | 16 ++
 SUSE-FEDORA-multilib.patch | 8 +-
 libexpat260.patch | 107 -----------
 python-3.3.0b1-localpath.patch | 8 +-
 python38.changes | 57 ++++++
 python38.spec | 10 +-
 skip_random_failing_tests.patch | 5 +-
 14 files changed, 97 insertions(+), 348 deletions(-)
 delete mode 100644 CVE-2023-6597-TempDir-cleaning-symlink.patch
 delete mode 100644 Python-3.8.18.tar.xz
 delete mode 100644 Python-3.8.18.tar.xz.asc
 create mode 100644 Python-3.8.19.tar.xz
 create mode 100644 Python-3.8.19.tar.xz.asc
 delete mode 100644 libexpat260.patch
diff --git a/CVE-2019-5010-null-defer-x509-cert-DOS.patch b/CVE-2019-5010-null-defer-x509-cert-DOS.patch
index 5efb16a..3ff39d9 100644
--- a/CVE-2019-5010-null-defer-x509-cert-DOS.patch
+++ b/CVE-2019-5010-null-defer-x509-cert-DOS.patch
@@ -21,7 +21,7 @@ https://bugs.python.org/issue35746
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
-@@ -501,6 +501,27 @@ class BasicSocketTests(unittest.TestCase
+@@ -507,6 +507,27 @@ class BasicSocketTests(unittest.TestCase
 }
 )
diff --git a/CVE-2023-6597-TempDir-cleaning-symlink.patch b/CVE-2023-6597-TempDir-cleaning-symlink.patch
deleted file mode 100644
index 087c2e7..0000000
--- a/CVE-2023-6597-TempDir-cleaning-symlink.patch
+++ /dev/null
@@ -1,191 +0,0 @@ ---- - Lib/tempfile.py | 26 +- - Lib/test/test_tempfile.py | 117 +++++++++- - Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst | 2 - 3 files changed, 136 insertions(+), 9 deletions(-) - ---- a/Lib/tempfile.py -+++ b/Lib/tempfile.py -@@ -263,6 +263,22 @@ def _mkstemp_inner(dir, pre, suf, flags, - raise FileExistsError(_errno.EEXIST, - "No usable temporary file name found") - -+def _dont_follow_symlinks(func, path, *args): -+ # Pass follow_symlinks=False, unless not supported on this platform. -+ if func in _os.supports_follow_symlinks: -+ func(path, *args, follow_symlinks=False) -+ elif _os.name == 'nt' or not _os.path.islink(path): -+ func(path, *args) -+ -+def _resetperms(path): -+ try: -+ chflags = _os.chflags -+ except AttributeError: -+ pass -+ else: -+ _dont_follow_symlinks(chflags, path, 0) -+ _dont_follow_symlinks(_os.chmod, path, 0o700) -+ - - # User visible interfaces. - -@@ -786,17 +802,11 @@ class TemporaryDirectory(object): - def _rmtree(cls, name): - def onerror(func, path, exc_info): - if issubclass(exc_info[0], PermissionError): -- def resetperms(path): -- try: -- _os.chflags(path, 0) -- except AttributeError: -- pass -- _os.chmod(path, 0o700) - - try: - if path != name: -- resetperms(_os.path.dirname(path)) -- resetperms(path) -+ _resetperms(_os.path.dirname(path)) -+ _resetperms(path) - - try: - _os.unlink(path) ---- a/Lib/test/test_tempfile.py -+++ b/Lib/test/test_tempfile.py -@@ -1377,6 +1377,103 @@ class TestTemporaryDirectory(BaseTestCas - "were deleted") - d2.cleanup() - -+ @support.skip_unless_symlink -+ def test_cleanup_with_symlink_modes(self): -+ # cleanup() should not follow symlinks when fixing mode bits (#91133) -+ with self.do_create(recurse=0) as d2: -+ file1 = os.path.join(d2, 'file1') -+ open(file1, 'wb').close() -+ dir1 = os.path.join(d2, 'dir1') -+ os.mkdir(dir1) -+ for mode in range(8): -+ mode <<= 6 -+ with self.subTest(mode=format(mode, '03o')): -+ def test(target, target_is_directory): 
-+ d1 = self.do_create(recurse=0) -+ symlink = os.path.join(d1.name, 'symlink') -+ os.symlink(target, symlink, -+ target_is_directory=target_is_directory) -+ try: -+ os.chmod(symlink, mode, follow_symlinks=False) -+ except NotImplementedError: -+ pass -+ try: -+ os.chmod(symlink, mode) -+ except FileNotFoundError: -+ pass -+ os.chmod(d1.name, mode) -+ d1.cleanup() -+ self.assertFalse(os.path.exists(d1.name)) -+ -+ with self.subTest('nonexisting file'): -+ test('nonexisting', target_is_directory=False) -+ with self.subTest('nonexisting dir'): -+ test('nonexisting', target_is_directory=True) -+ -+ with self.subTest('existing file'): -+ os.chmod(file1, mode) -+ old_mode = os.stat(file1).st_mode -+ test(file1, target_is_directory=False) -+ new_mode = os.stat(file1).st_mode -+ self.assertEqual(new_mode, old_mode, -+ '%03o != %03o' % (new_mode, old_mode)) -+ -+ with self.subTest('existing dir'): -+ os.chmod(dir1, mode) -+ old_mode = os.stat(dir1).st_mode -+ test(dir1, target_is_directory=True) -+ new_mode = os.stat(dir1).st_mode -+ self.assertEqual(new_mode, old_mode, -+ '%03o != %03o' % (new_mode, old_mode)) -+ -+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags') -+ @support.skip_unless_symlink -+ def test_cleanup_with_symlink_flags(self): -+ # cleanup() should not follow symlinks when fixing flags (#91133) -+ flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK -+ self.check_flags(flags) -+ -+ with self.do_create(recurse=0) as d2: -+ file1 = os.path.join(d2, 'file1') -+ open(file1, 'wb').close() -+ dir1 = os.path.join(d2, 'dir1') -+ os.mkdir(dir1) -+ def test(target, target_is_directory): -+ d1 = self.do_create(recurse=0) -+ symlink = os.path.join(d1.name, 'symlink') -+ os.symlink(target, symlink, -+ target_is_directory=target_is_directory) -+ try: -+ os.chflags(symlink, flags, follow_symlinks=False) -+ except NotImplementedError: -+ pass -+ try: -+ os.chflags(symlink, flags) -+ except FileNotFoundError: -+ pass -+ os.chflags(d1.name, flags) -+ d1.cleanup() 
-+ self.assertFalse(os.path.exists(d1.name)) -+ -+ with self.subTest('nonexisting file'): -+ test('nonexisting', target_is_directory=False) -+ with self.subTest('nonexisting dir'): -+ test('nonexisting', target_is_directory=True) -+ -+ with self.subTest('existing file'): -+ os.chflags(file1, flags) -+ old_flags = os.stat(file1).st_flags -+ test(file1, target_is_directory=False) -+ new_flags = os.stat(file1).st_flags -+ self.assertEqual(new_flags, old_flags) -+ -+ with self.subTest('existing dir'): -+ os.chflags(dir1, flags) -+ old_flags = os.stat(dir1).st_flags -+ test(dir1, target_is_directory=True) -+ new_flags = os.stat(dir1).st_flags -+ self.assertEqual(new_flags, old_flags) -+ - @support.cpython_only - def test_del_on_collection(self): - # A TemporaryDirectory is deleted when garbage collected -@@ -1489,9 +1586,27 @@ class TestTemporaryDirectory(BaseTestCas - d.cleanup() - self.assertFalse(os.path.exists(d.name)) - -- @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.lchflags') -+ def check_flags(self, flags): -+ # skip the test if these flags are not supported (ex: FreeBSD 13) -+ filename = support.TESTFN -+ try: -+ open(filename, "w").close() -+ try: -+ os.chflags(filename, flags) -+ except OSError as exc: -+ # "OSError: [Errno 45] Operation not supported" -+ self.skipTest(f"chflags() doesn't support flags " -+ f"{flags:#b}: {exc}") -+ else: -+ os.chflags(filename, 0) -+ finally: -+ support.unlink(filename) -+ -+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags') - def test_flags(self): - flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK -+ self.check_flags(flags) -+ - d = self.do_create(recurse=3, dirs=2, files=2) - with d: - # Change files and directories flags recursively. ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst -@@ -0,0 +1,2 @@ -+Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no longer -+dereferences symlinks when working around file system permission errors. 
diff --git a/F00102-lib64.patch b/F00102-lib64.patch
index 7475bb1..b91424a 100644
--- a/F00102-lib64.patch
+++ b/F00102-lib64.patch
@@ -82,7 +82,7 @@ Co-authored-by: Iryna Shcherbina
 os.path.join(destination, "include", "python", "foopkg"))
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -335,11 +335,15 @@ def getsitepackages(prefixes=None):
+@@ -344,11 +344,15 @@ def getsitepackages(prefixes=None):
 seen.add(prefix)
 if os.sep == '/':
@@ -130,7 +130,7 @@ Co-authored-by: Iryna Shcherbina
 'data': '{userbase}',
 --- a/Lib/test/test_site.py
 +++ b/Lib/test/test_site.py
-@@ -268,8 +268,8 @@ class HelperFunctionsTests(unittest.Test
+@@ -307,8 +307,8 @@ class HelperFunctionsTests(unittest.Test
 dirs = site.getsitepackages()
 if os.sep == '/':
 # OS X, Linux, FreeBSD, etc
@@ -183,7 +183,7 @@ Co-authored-by: Iryna Shcherbina
 }
 --- a/configure
 +++ b/configure
-@@ -15264,9 +15264,9 @@ fi
+@@ -15276,9 +15276,9 @@ fi
 if test x$PLATFORM_TRIPLET = x; then
diff --git a/F00251-change-user-install-location.patch b/F00251-change-user-install-location.patch
index 99d06be..6dada6c 100644
--- a/F00251-change-user-install-location.patch
+++ b/F00251-change-user-install-location.patch
@@ -9,12 +9,10 @@ is not detected to make pip and distutils install into separate location.
 Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
 ---
- Lib/distutils/command/install.py | 15 +++++++++++++--
- Lib/site.py | 9 ++++++++-
+ Lib/distutils/command/install.py | 15 +++++++++++++--
+ Lib/site.py | 9 ++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)
-diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py
-index ae4f915669..0e4fd5b74a 100644
 --- a/Lib/distutils/command/install.py
 +++ b/Lib/distutils/command/install.py
 @@ -418,8 +418,19 @@ class install(Command):
@@ -39,11 +37,9 @@ index ae4f915669..0e4fd5b74a 100644
 else:
 if self.exec_prefix is None:
-diff --git a/Lib/site.py b/Lib/site.py
-index 22d53fa562..9513526109 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -348,7 +348,14 @@ def getsitepackages(prefixes=None):
+@@ -357,7 +357,14 @@ def getsitepackages(prefixes=None):
 return sitepackages
 def addsitepackages(known_paths, prefixes=None):
@@ -59,6 +55,3 @@ index 22d53fa562..9513526109 100644
 for sitedir in getsitepackages(prefixes):
 if os.path.isdir(sitedir):
 addsitedir(sitedir, known_paths)
---
-2.21.0
-
diff --git a/Python-3.8.18.tar.xz b/Python-3.8.18.tar.xz
deleted file mode 100644
index 9701bff..0000000
--- a/Python-3.8.18.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ffb71cd349a326ba7b2fadc7e7df86ba577dd9c4917e52a8401adbda7405e3f
-size 20696952
diff --git a/Python-3.8.18.tar.xz.asc b/Python-3.8.18.tar.xz.asc
deleted file mode 100644
index 256e456..0000000
--- a/Python-3.8.18.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmTnuvoACgkQsmmV4xAl
-BWj4nA//brAaCYj+V6woO1gcYScI2xk2Ncmq3Mj1T/s0tkLxpFcaevsu4snnY4tV
-VhGVTMZPBSi7F1stLXwwb2WLisuNsr2oYCdze2BKyMWyRrF1SlLX+Uj7R5PQbZRn
-b7PuFTQcfUxXISkof6fL8dhfF+uWkLUO83xxb/Yxl37IXZVIXaJbOFQtIVRxhbFC
-U4yAwKdzMLpvwOdzHgc5l6GewUdIkBWGVObalSXs8jCOeu+GY/Q17oUQv9pxsSp6
-UY1nnvfYSPzOeIB5QzdNVoISP4DZRacZu5k26niK2QhUUdey66KWPBUgxQ5jFoJl
-bhpA1Idp9p54sNgZOSYkWsMvoLSBkXuzfcmfgGCANZ2FYkGCs0En6YbUHwBTjWdk
-ll+ZrxZuYTy1JfP0fFEp1vLBBSdjla5MIDFp5DRT0GL82GvwGvPyH5JEhhinFReZ
-kkdk2leRUWKhNhGfv9Ln3A/glNX2txIDKuXT1/N2CQXxfOpQA6QqFGjkUVAQa8iY
-LqpHyTs66pmrTqqEzbRUv6o+fEvJPzMzhs526EBvpzj/xhCY2we84FEAzKtF6Vmm
-vT4bHKhw6eKfpGZFbSQrH2mnl4b7B/6zPfzsotec44tNijeuc/fAlJfaINg2Xvcg
-9rhOV6KGsNI6K5PNdemQxJ1hoeDS7WnKJPAutQQor1uqrvekby0=
-=F51n
------END PGP SIGNATURE-----
diff --git a/Python-3.8.19.tar.xz b/Python-3.8.19.tar.xz
new file mode 100644
index 0000000..e6424c0
--- /dev/null
+++ b/Python-3.8.19.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2807ac69f69b84fd46a0b93bbd02a4fa48d3e70f4b2835ff0f72a2885040076
+size 18975156
diff --git a/Python-3.8.19.tar.xz.asc b/Python-3.8.19.tar.xz.asc
new file mode 100644
index 0000000..5378cc6
--- /dev/null
+++ b/Python-3.8.19.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmX5t/gACgkQsmmV4xAl
+BWgW0RAAkQYR6L3LNvuAg3OS/wD6Kouv3CnXeAwYY/BHglsHawtz+gM4jZRK8fIo
+vEKBk6uoZBvXX1yJR+cxLZOxb9K/X7zYJXyBxRav8veBzXePTVhJBNSS/ckE0ARN
+bD8M2P/7byMlm616aNNE1hrIIaxNoX8/yTEK3DmISQonc8vCW6ygIXm3Vw/6rqG8
+n16MGG2r4dNEI+pEs8LPj8/VBaHHkbyvK9y2DQ8ywBqsaE459bN4HdzTkMxh28s0
+scDl33PwTabFgVUTXILs+vBNnHc6ylo6gEd6fAe7Epec5wnvexKykel9ZtidxHwB
+KQl2YKErJGF97T1Aj/Cru82jBYS/YS2QVy2cX0sYhiTgOXsvB7vOViFESR3IlSEL
+aQv+f+lBXZp8T4MbDuzz2H7dqNY0sYqmTcqJU9r4H+RGLw43PHLSRVfIDPiaheA+
+n1ZYzzgfm2uucO+iIpDwAOvTWznj4YcFwX116fn2kJYLtJeI58wVIbtMTDCl/l9U
+hNY+b5L5JsHlyoRSjDwAtQVBm3fS0YqV4OhWglhvvuEdobRK+F3+hmHvo18YxZyl
+WXLBUwZy9LQoEyuc1YFemWYw7g3u1ru8WTCFtPm91OeErkKq3QuqwiCjROgUmN9D
+xUypHTocPhkdF1yEVqG+HMDin9Rw+l2KMgFt5XLNYFvAycGlsk4=
+=Uo2Y
+-----END PGP SIGNATURE-----
diff --git a/SUSE-FEDORA-multilib.patch b/SUSE-FEDORA-multilib.patch
index 20ef979..7c40741 100644
--- a/SUSE-FEDORA-multilib.patch
+++ b/SUSE-FEDORA-multilib.patch
@@ -86,7 +86,7 @@
 else:
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -335,12 +335,18 @@ def getsitepackages(prefixes=None):
+@@ -344,12 +344,18 @@ def getsitepackages(prefixes=None):
 seen.add(prefix)
 if os.sep == '/':
@@ -107,7 +107,7 @@
 else:
 sitepackages.append(prefix)
 sitepackages.append(os.path.join(prefix, "lib64", "site-packages"))
-@@ -348,14 +354,7 @@ def getsitepackages(prefixes=None):
+@@ -357,14 +363,7 @@ def getsitepackages(prefixes=None):
 return sitepackages
 def addsitepackages(known_paths, prefixes=None):
@@ -198,7 +198,7 @@
 os.makedirs(lib_dynload)
 --- a/Lib/test/test_site.py
 +++ b/Lib/test/test_site.py
-@@ -268,8 +268,11 @@ class HelperFunctionsTests(unittest.Test
+@@ -307,8 +307,11 @@ class HelperFunctionsTests(unittest.Test
 dirs = site.getsitepackages()
 if os.sep == '/':
 # OS X, Linux, FreeBSD, etc
@@ -341,7 +341,7 @@
 }
 --- a/configure
 +++ b/configure
-@@ -15264,9 +15264,9 @@ fi
+@@ -15276,9 +15276,9 @@ fi
 if test x$PLATFORM_TRIPLET = x; then
diff --git a/libexpat260.patch b/libexpat260.patch
deleted file mode 100644
index 0153868..0000000
--- a/libexpat260.patch
+++ /dev/null
@@ -1,107 +0,0 @@ -From f2eebf3c38eae77765247791576b437ec25ccfe2 Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Sun, 11 Feb 2024 12:08:39 +0200 -Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 - (GH-115164) - -Feeding the parser by too small chunks defers parsing to prevent -CVE-2023-52425. Future versions of Expat may be more reactive. -(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) - -Co-authored-by: Serhiy Storchaka ---- - Lib/test/test_xml_etree.py | 58 ++++++++++++------- - ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 + - 2 files changed, 38 insertions(+), 22 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst - -Index: Python-3.8.18/Lib/test/test_xml_etree.py -=================================================================== ---- Python-3.8.18.orig/Lib/test/test_xml_etree.py -+++ Python-3.8.18/Lib/test/test_xml_etree.py -@@ -14,6 +14,7 @@ import locale - import operator - import os - import pickle -+import pyexpat - import sys - import textwrap - import types -@@ -103,6 +104,10 @@ EXTERNAL_ENTITY_XML = """\ - &entity; - """ - -+fails_with_expat_2_6_0 = (unittest.expectedFailure -+ if pyexpat.version_info >= (2, 6, 0) else -+ lambda test: test) -+ - def checkwarnings(*filters, quiet=False): - def decorator(test): - def newtest(*args, **kwargs): -@@ -1266,28 +1271,37 @@ class XMLPullParserTest(unittest.TestCas - self.assertEqual([(action, elem.tag) for action, elem in events], - expected) - -- def test_simple_xml(self): -- for chunk_size in (None, 1, 5): -- with self.subTest(chunk_size=chunk_size): -- parser = ET.XMLPullParser() -- self.assert_event_tags(parser, []) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, []) -- self._feed(parser, -- "\n text\n", chunk_size) -- self.assert_event_tags(parser, [('end', 'element')]) -- self._feed(parser, "texttail\n", chunk_size) -- self._feed(parser, "\n", chunk_size) -- 
self.assert_event_tags(parser, [ -- ('end', 'element'), -- ('end', 'empty-element'), -- ]) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, [('end', 'root')]) -- self.assertIsNone(parser.close()) -+ def test_simple_xml(self, chunk_size=None): -+ parser = ET.XMLPullParser() -+ self.assert_event_tags(parser, []) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, []) -+ self._feed(parser, -+ "\n text\n", chunk_size) -+ self.assert_event_tags(parser, [('end', 'element')]) -+ self._feed(parser, "texttail\n", chunk_size) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, [ -+ ('end', 'element'), -+ ('end', 'empty-element'), -+ ]) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, [('end', 'root')]) -+ self.assertIsNone(parser.close()) -+ -+ @fails_with_expat_2_6_0 -+ def test_simple_xml_chunk_1(self): -+ self.test_simple_xml(chunk_size=1) -+ -+ @fails_with_expat_2_6_0 -+ def test_simple_xml_chunk_5(self): -+ self.test_simple_xml(chunk_size=5) -+ -+ def test_simple_xml_chunk_22(self): -+ self.test_simple_xml(chunk_size=22) - - def test_feed_while_iterating(self): - parser = ET.XMLPullParser() -Index: Python-3.8.18/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst -=================================================================== ---- /dev/null -+++ Python-3.8.18/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst -@@ -0,0 +1,2 @@ -+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat -+2.6.0. diff --git a/python-3.3.0b1-localpath.patch b/python-3.3.0b1-localpath.patch index ff9a376..f527f1f 100644 --- a/python-3.3.0b1-localpath.patch +++ b/python-3.3.0b1-localpath.patch @@ -1,7 +1,11 @@ +--- + Lib/site.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + --- a/Lib/site.py 
+++ b/Lib/site.py
-@@ -76,7 +76,7 @@ import _sitebuiltins
- import io
+@@ -77,7 +77,7 @@ import io
+ import stat
 # Prefixes for site-packages; add additional prefixes like /usr/local here
 -PREFIXES = [sys.prefix, sys.exec_prefix]
diff --git a/python38.changes b/python38.changes
index beda1e2..8d993bc 100644
--- a/python38.changes
+++ b/python38.changes
@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Thu Mar 21 20:29:12 UTC 2024 - Matej Cepl
+
+- Update to 3.8.19:
+ - Security
+ - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
+ (CVE-2023-52425) by adding five new methods:
+ xml.etree.ElementTree.XMLParser.flush()
+ xml.etree.ElementTree.XMLPullParser.flush()
+ xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
+ xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
+ xml.sax.expatreader.ExpatParser.flush()
+ - gh-115399: Update bundled libexpat to 2.6.0
+ - gh-113659: Skip .pth files with names starting with a dot
+ or hidden file attribute.
+ - Core and Builtins
+ - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
+ codecs read out of bounds
+ - Library
+ - gh-115197: urllib.request no longer resolves the hostname
+ before checking it against the system’s proxy bypass list
+ on macOS and Windows.
+ - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
+ - gh-81194: Fix a crash in socket.if_indextoname() with
+ specific value (UINT_MAX). Fix an integer overflow in
+ socket.if_indextoname() on 64-bit non-Windows platforms.
+ - gh-109858: Protect zipfile from “quoted-overlap”
+ zipbomb. It now raises BadZipFile when try to read an entry
+ that overlaps with other entry or central directory.
+ - gh-107077: Seems that in some conditions, OpenSSL will
+ return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
+ when a certification verification has failed, but
+ the error parameters will still contain ERR_LIB_SSL
+ and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now
+ detecting this situation and raising the appropiate
+ ssl.SSLCertVerificationError. Patch by Pablo Galindo
+ - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
+ which now no longer dereferences symlinks when working
+ around file system permission errors.
+ - Documentation
+ - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
+ “XML vulnerabilities”.
+ - Tests
+ - gh-108310: SSL tests for pre-handshake close were
+ previously not enabled on Python 3.8 due to an incorrect
+ backport. This is now fixed. Patch by Lumír Balhar.
+- Remove upstreamed patches:
+ - CVE-2023-6597-TempDir-cleaning-symlink.patch
+ - libexpat260.patch
+- Refreshed patches:
+ - CVE-2019-5010-null-defer-x509-cert-DOS.patch
+ - F00102-lib64.patch
+ - F00251-change-user-install-location.patch
+ - python-3.3.0b1-localpath.patch
+ - skip_random_failing_tests.patch
+ - SUSE-FEDORA-multilib.patch
+
 -------------------------------------------------------------------
 Wed Mar 6 14:13:58 UTC 2024 - Pedro Monreal
diff --git a/python38.spec b/python38.spec
index 56b5ec6..061a1d0 100644
--- a/python38.spec
+++ b/python38.spec
@@ -92,7 +92,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.8.18
+Version: 3.8.19
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
@@ -183,12 +183,6 @@ Patch41: 99366-patch.dict-can-decorate-async.patch
 # Detect email address parsing errors and return empty tuple to
 # indicate the parsing error (old API), from gh#python/cpython!105127
 Patch42: CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289
-# Fix tests for XMLPullParser with Expat 2.6.0
-Patch43: libexpat260.patch
-# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com
-# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930)
-Patch44: CVE-2023-6597-TempDir-cleaning-symlink.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -461,8 +455,6 @@ other applications.
 %patch -P 38 -p1
 %patch -P 41 -p1
 %patch -P 42 -p1
-%patch -P 43 -p1
-%patch -P 44 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
diff --git a/skip_random_failing_tests.patch b/skip_random_failing_tests.patch
index 209ce06..9ec0f25 100644
--- a/skip_random_failing_tests.patch
+++ b/skip_random_failing_tests.patch
@@ -78,7 +78,8 @@ Signed-off-by: Michel Normand
 ---
 Lib/test/_test_multiprocessing.py | 3 +++
 Lib/test/test_asyncio/test_events.py | 4 +++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
+ Lib/test/test_buffer.py | 1 +
+ 3 files changed, 7 insertions(+), 1 deletion(-)
 --- a/Lib/test/_test_multiprocessing.py
 +++ b/Lib/test/_test_multiprocessing.py
@@ -98,7 +99,7 @@ Signed-off-by: Michel Normand
 def test_async_timeout(self):
 res = self.pool.apply_async(sqr, (6, TIMEOUT2 + 1.0))
 get = TimingWrapper(res.get)
-@@ -4643,6 +4645,7 @@ class TestWait(unittest.TestCase):
+@@ -4651,6 +4653,7 @@ class TestWait(unittest.TestCase):
 sem.release()
 time.sleep(period)
From 1084a46358ebc4fadc988f22666ed4513e123a507489e89c221bd5132661530e Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Fri, 22 Mar 2024 09:14:13 +0000
Subject: [PATCH 2/2] Fix *.changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=150
---
 python38.changes | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/python38.changes b/python38.changes
index 8d993bc..44e238b 100644
--- a/python38.changes
+++ b/python38.changes
@@ -4,7 +4,7 @@ Thu Mar 21 20:29:12 UTC 2024 - Matej Cepl
 - Update to 3.8.19:
 - Security
 - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
- (CVE-2023-52425) by adding five new methods:
+ (CVE-2023-52425, bsc#1219559) by adding five new methods:
 xml.etree.ElementTree.XMLParser.flush()
 xml.etree.ElementTree.XMLPullParser.flush()
 xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
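Review bot: The refreshed diffstat in the first skip_random_failing_tests.patch hunk now claims `Lib/test/test_buffer.py | 1 +` and `3 files changed, 7 insertions(+), 1 deletion(-)`, yet this commit adds no hunk touching test_buffer.py, so either the patch body already carried that hunk under a stale header or the header now overstates the patch. It is worth confirming that the patch body really contains a test_buffer.py hunk before accepting the refresh, since a header/body mismatch is the usual sign of an incomplete one. Regenerating the header from the applied patch (for example with `quilt refresh`) instead of hand-editing it would keep the two in step.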
@@ -26,7 +26,8 @@ Thu Mar 21 20:29:12 UTC 2024 - Matej Cepl
 socket.if_indextoname() on 64-bit non-Windows platforms.
 - gh-109858: Protect zipfile from “quoted-overlap”
 zipbomb. It now raises BadZipFile when try to read an entry
- that overlaps with other entry or central directory.
+ that overlaps with other entry or central directory
+ (CVE-2024-0450, bsc#1221854).
 - gh-107077: Seems that in some conditions, OpenSSL will
 return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
 when a certification verification has failed, but
@@ -36,7 +37,8 @@ Thu Mar 21 20:29:12 UTC 2024 - Matej Cepl
 ssl.SSLCertVerificationError. Patch by Pablo Galindo
 - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
 which now no longer dereferences symlinks when working
- around file system permission errors.
+ around file system permission errors (CVE-2023-6597,
+ bsc#1219666).
 - Documentation
 - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
 “XML vulnerabilities”.