Accepting request 1096213 from devel:languages:python:Factory

- Add downport-Sphinx-features.patch to make documentation buildable even on SLE-15. - Update to 3.9.17: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471). - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750). - gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock. OBS-URL: https://build.opensuse.org/request/show/1096213 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=46
2023-07-01 21:18:01 +00:00 · 2023-07-01 21:18:01 +00:00 · 22c0faa015
commit 22c0faa015
parent ac33b94579 27cb2961b5
9 changed files with 157 additions and 2654 deletions
--- a/CVE-2007-4559-filter-tarfile_extractall.patch
+++ b/CVE-2007-4559-filter-tarfile_extractall.patch
--- a/CVE-2023-24329-blank-URL-bypass.patch
+++ b/CVE-2023-24329-blank-URL-bypass.patch
@ -1,55 +0,0 @@
-From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
-From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
-Date: Sat, 12 Nov 2022 15:43:33 -0500
-Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
- schemes that don't begin with an alphabetical ASCII character.
-
---
- Lib/test/test_urlparse.py                                              |   18 ++++++++++
- Lib/urllib/parse.py                                                    |    2 -
- Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
- 3 files changed, 21 insertions(+), 1 deletion(-)
-
--- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase
-                         with self.assertRaises(ValueError):
-                             p.port
- 
-+    def test_attributes_bad_scheme(self):
-+        """Check handling of invalid schemes."""
-+        for bytes in (False, True):
-+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
-+                for scheme in (".", "+", "-", "0", "http&", "६http"):
-+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
-+                        url = scheme + "://www.example.net"
-+                        if bytes:
-+                            if url.isascii():
-+                                url = url.encode("ascii")
-+                            else:
-+                                continue
-+                        p = parse(url)
-+                        if bytes:
-+                            self.assertEqual(p.scheme, b"")
-+                        else:
-+                            self.assertEqual(p.scheme, "")
-+
-     def test_attributes_without_netloc(self):
-         # This example is straight from RFC 3261.  It looks like it
-         # should allow the username, hostname, and port to be filled
--- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragm
-         clear_cache()
-     netloc = query = fragment = ''
-     i = url.find(':')
-    if i > 0:
-+    if i > 0 and url[0].isascii() and url[0].isalpha():
-         for c in url[:i]:
-             if c not in scheme_chars:
-                 break
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
-@@ -0,0 +1,2 @@
-+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
-+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--- a/Python-3.9.16.tar.xz
+++ b/Python-3.9.16.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:22dddc099246dd2760665561e8adb7394ea0cc43a72684c6480f9380f7786439
-size 19738796
--- a/Python-3.9.16.tar.xz.asc
+++ b/Python-3.9.16.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl
-BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD
-rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL
-257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV
-si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr
-fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO
-HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3
-4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi
-TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC
-GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5
-JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2
-U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E=
-=dXB5
-----END PGP SIGNATURE-----
--- a/Python-3.9.17.tar.xz
+++ b/Python-3.9.17.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30ce057c44f283f8ed93606ccbdb8d51dd526bdc4c62cce5e0dc217bfa3e8cee
+size 19647312
--- a/Python-3.9.17.tar.xz.asc
+++ b/Python-3.9.17.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmR/AFcACgkQsmmV4xAl
+BWg7Fg/7Bq3qKbUD+4LYCOEESdu1MQm4bxfySqFLrzfe0YML/Xvei3ot/MsoTxY+
+9dwLivBab6YVDw3x65Zm2Y1sKAwcKn80qcwfxkxKPFVzeFAIYaO48zACJ5gvNEwk
+tXxEcDV0Nirs5ksqjs439eWXFFSZJJjHUxrBKwVVXoVTl9P3wbvKzeAUGuWMdvBt
+8RYtaHMt24w+mtFBdBM5ODl9qHD30HvEdHItF1HFtnnIR2mvE5W3dNkytrEWckq7
+urrQZlIFqSffnK89oNrQBGQC1dipzfgb3Vdk52usIVq+3J9VeWEmw8my/HUtf6LM
+uSETKCDM6POcC1Hjn3Zar8pVg/5IrGfag2aOWPQwRf5+py+nHO9a8P0nAz1TvygJ
+Q4FPcGCRyxa6gw9TEoO3zutQrHG2q+bvr61hSx3bcnlTk5EwTgblxOw9A5L++uzQ
+JK6vkPIaid4KboIOgpgw2xYWu8uVl2KtEyOeNrvZubuYqKh3xy25lNZT0tT6Axtv
+jOKC84FSvp5fLRAAHAr9B6uycKRlNY2Ca6t8FkkD0v2NgsRVM2Mc11/i/NS+EFKc
+hCZgAvbIEX17DQQNcmki1FWeJ0LfoE7PZgte7f6o1J9lcBYhmfC6nIWJ6Q3zZX/y
+96EESfeEshigdMEwlkCtYSJTc5/WpdiZ0LQyI0x/RQFb8Q4XHS0=
+=xjRt
+-----END PGP SIGNATURE-----
--- a/downport-Sphinx-features.patch
+++ b/downport-Sphinx-features.patch
@ -0,0 +1,89 @@
+---
+ Doc/library/tarfile.rst |   11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/Doc/library/tarfile.rst
+++ b/Doc/library/tarfile.rst
+@@ -504,7 +504,6 @@ be finalized; only the internally used f
+       Return an :class:`io.BufferedReader` object.
+ 
+ .. attribute:: TarFile.errorlevel
+-   :type: int
+ 
+    If *errorlevel* is ``0``, errors are ignored when using :meth:`TarFile.extract`
+    and :meth:`TarFile.extractall`.
+@@ -683,19 +682,16 @@ A ``TarInfo`` object has the following p
+ 
+ 
+ .. attribute:: TarInfo.name
+-   :type: str
+ 
+    Name of the archive member.
+ 
+ 
+ .. attribute:: TarInfo.size
+-   :type: int
+ 
+    Size in bytes.
+ 
+ 
+ .. attribute:: TarInfo.mtime
+-   :type: int | float
+ 
+    Time of last modification in seconds since the :ref:`epoch <epoch>`,
+    as in :attr:`os.stat_result.st_mtime`.
+@@ -707,7 +703,6 @@ A ``TarInfo`` object has the following p
+       attribute.
+ 
+ .. attribute:: TarInfo.mode
+-   :type: int
+ 
+    Permission bits, as for :func:`os.chmod`.
+ 
+@@ -727,14 +722,12 @@ A ``TarInfo`` object has the following p
+ 
+ 
+ .. attribute:: TarInfo.linkname
+-   :type: str
+ 
+    Name of the target file name, which is only present in :class:`TarInfo` objects
+    of type :const:`LNKTYPE` and :const:`SYMTYPE`.
+ 
+ 
+ .. attribute:: TarInfo.uid
+-   :type: int
+ 
+    User ID of the user who originally stored this member.
+ 
+@@ -745,7 +738,6 @@ A ``TarInfo`` object has the following p
+       attribute.
+ 
+ .. attribute:: TarInfo.gid
+-   :type: int
+ 
+    Group ID of the user who originally stored this member.
+ 
+@@ -756,7 +748,6 @@ A ``TarInfo`` object has the following p
+       attribute.
+ 
+ .. attribute:: TarInfo.uname
+-   :type: str
+ 
+    User name.
+ 
+@@ -767,7 +758,6 @@ A ``TarInfo`` object has the following p
+       attribute.
+ 
+ .. attribute:: TarInfo.gname
+-   :type: str
+ 
+    Group name.
+ 
+@@ -778,7 +768,6 @@ A ``TarInfo`` object has the following p
+       attribute.
+ 
+ .. attribute:: TarInfo.pax_headers
+-   :type: dict
+ 
+    A dictionary containing key-value pairs of an associated pax extended header.
+ 
--- a/python39.changes
+++ b/python39.changes
@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Fri Jun 30 20:23:43 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add downport-Sphinx-features.patch to make documentation
+  buildable even on SLE-15.
+
+-------------------------------------------------------------------
+Wed Jun 28 19:12:12 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Update to 3.9.17:
+  - gh-103142: The version of OpenSSL used in Windows and
+    Mac installers has been upgraded to 1.1.1u to address
+    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
+    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
+    fixed previously in 1.1.1t (gh-101727).
+  - gh-102153: urllib.parse.urlsplit() now strips leading C0
+    control and space characters following the specification for
+    URLs defined by WHATWG in response to CVE-2023-24329
+    (bsc#1208471).
+  - gh-99889: Fixed a security in flaw in uu.decode() that could
+    allow for directory traversal based on the input if no
+    out_file was specified.
+  - gh-104049: Do not expose the local on-disk
+    location in directory indexes produced by
+    http.client.SimpleHTTPRequestHandler.
+  - gh-103935: trace.__main__ now uses io.open_code() for files
+    to be executed instead of raw open().
+  - gh-102953: The extraction methods in tarfile, and
+    shutil.unpack_archive(), have a new filter argument that
+    allows limiting tar features than may be surprising or
+    dangerous, such as creating files outside the destination
+    directory. See Extraction filters for details (fixing
+    CVE-2007-4559, bsc#1203750).
+  - gh-102126: Fixed a deadlock at shutdown when clearing thread
+    states if any finalizer tries to acquire the runtime head
+    lock.
+  - gh-100892: Fixed a crash due to a race while iterating over
+    thread states in clearing threading.local.
+- Remove upstreamed patches:
+  - CVE-2023-24329-blank-URL-bypass.patch
+  - CVE-2007-4559-filter-tarfile_extractall.patch
+
 -------------------------------------------------------------------
 Sat May  6 17:31:35 UTC 2023 - Matej Cepl <mcepl@suse.com>

@ -12,11 +54,6 @@ Wed May  3 14:09:37 UTC 2023 - Matej Cepl <mcepl@suse.com>
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

-------------------------------------------------------------------
-Sun Apr 30 18:16:37 UTC 2023 - Matej Cepl <mcepl@suse.com>
-
- Why in the world we download from HTTP?
-
 -------------------------------------------------------------------
 Tue Apr 18 05:00:11 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>

--- a/python39.spec
+++ b/python39.spec
@ -93,7 +93,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.16
+Version:        3.9.17
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@ -161,16 +161,12 @@ Patch35:        support-expat-CVE-2022-25236-patched.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
 # this patch makes things totally awesome
 Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
-# blocklist bypass via the urllib.parse component when supplying
-# a URL that starts with blank characters
-Patch38:        CVE-2023-24329-blank-URL-bypass.patch
-# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
-# Implement PEP-706 to filter outcome of the tarball extracing
-Patch39:        CVE-2007-4559-filter-tarfile_extractall.patch
 # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
 # Patch for gh#python/cpython#98086
 Patch40:        99366-patch.dict-can-decorate-async.patch
+# PATCH-FIX-OPENSUSE downport-Sphinx-features.patch mcepl@suse.com
+# Make documentation build with older Sphinx
+Patch41:        downport-Sphinx-features.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -429,9 +425,10 @@ other applications.
 %endif
 %patch35 -p1
 %patch37 -p1
-%patch38 -p1
-%patch39 -p1
 %patch40 -p1
+%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+%patch41 -p1
+%endif

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac