- Update to 3.9.16:

- python -m http.server no longer allows terminal control
    characters sent within a garbage request to be printed to the
    stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter audit hooks
    via the gc module
  - The IDNA codec decoder used on DNS hostnames by socket or
    asyncio related name resolution functions no longer involves
    a quadratic algorithm. This prevents a potential CPU denial
    of service if an out-of-spec excessive length hostname
    involving bidirectional characters were decoded. Some
    protocols such as urllib http 3xx redirects potentially allow
    for an attacker to supply such a name (CVE-2015-20107).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns to using
    filesystem backed unix domain sockets for communication with
    the forkserver process instead of the Linux abstract socket
    namespace. Only code that chooses to use the “forkserver”
    start method is affected.
    Abstract sockets have no permissions and could allow any
    user on the system in the same network namespace (often
    the whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict this
    to the forkserver process user as was the default in Python

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=126

98437-sphinx.locale._-as-gettext-in-pyspecific.patch

@@ -30,7 +30,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
          content = self.content
          add_text = nodes.strong(label, label)
          if self.arguments:
-@@ -266,7 +266,7 @@ class AuditEvent(Directive):
+@@ -179,7 +179,7 @@ class AuditEvent(Directive):
          else:
              args = []
  
@@ -39,7 +39,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
          text = label.format(name="``{}``".format(name),
                              args=", ".join("``{}``".format(a) for a in args if a))
  
-@@ -445,7 +445,7 @@ class DeprecatedRemoved(Directive):
+@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive):
          else:
              label = self._removed_label
  

CVE-2015-20107-mailcap-unsafe-filenames.patch

@@ -1,136 +0,0 @@
-From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 27 Apr 2022 18:17:33 +0200
-Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
- filenames/types/params
-
----
- Doc/library/mailcap.rst                                                 |   12 ++++
- Lib/mailcap.py                                                          |   26 +++++++++-
- Lib/test/test_mailcap.py                                                |    8 ++-
- Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |    4 +
- 4 files changed, 46 insertions(+), 4 deletions(-)
-
---- a/Doc/library/mailcap.rst
-+++ b/Doc/library/mailcap.rst
-@@ -60,6 +60,18 @@ standard.  However, mailcap files are su
-    use) to determine whether or not the mailcap line applies.  :func:`findmatch`
-    will automatically check such conditions and skip the entry if the check fails.
- 
-+   .. versionchanged:: 3.11
-+
-+      To prevent security issues with shell metacharacters (symbols that have
-+      special effects in a shell command line), ``findmatch`` will refuse
-+      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
-+      into the returned command line.
-+
-+      If a disallowed character appears in *filename*, ``findmatch`` will always
-+      return ``(None, None)`` as if no entry was found.
-+      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
-+      ``findmatch`` will ignore all mailcap entries which use that value.
-+      A :mod:`warning <warnings>` will be raised in either case.
- 
- .. function:: getcaps()
- 
---- a/Lib/mailcap.py
-+++ b/Lib/mailcap.py
-@@ -2,6 +2,7 @@
- 
- import os
- import warnings
-+import re
- 
- __all__ = ["getcaps","findmatch"]
- 
-@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
-     else:
-         return 1, 0
- 
-+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
-+
-+class UnsafeMailcapInput(Warning):
-+    """Warning raised when refusing unsafe input"""
-+
- 
- # Part 1: top-level interface.
- 
-@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view'
-     entry to use.
- 
-     """
-+    if _find_unsafe(filename):
-+        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
-+        warnings.warn(msg, UnsafeMailcapInput)
-+        return None, None
-     entries = lookup(caps, MIMEtype, key)
-     # XXX This code should somehow check for the needsterminal flag.
-     for e in entries:
-         if 'test' in e:
-             test = subst(e['test'], filename, plist)
-+            if test is None:
-+                continue
-             if test and os.system(test) != 0:
-                 continue
-         command = subst(e[key], MIMEtype, filename, plist)
--        return command, e
-+        if command is not None:
-+            return command, e
-     return None, None
- 
- def lookup(caps, MIMEtype, key=None):
-@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli
-             elif c == 's':
-                 res = res + filename
-             elif c == 't':
-+                if _find_unsafe(MIMEtype):
-+                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
-+                    warnings.warn(msg, UnsafeMailcapInput)
-+                    return None
-                 res = res + MIMEtype
-             elif c == '{':
-                 start = i
-@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli
-                     i = i+1
-                 name = field[start:i]
-                 i = i+1
--                res = res + findparam(name, plist)
-+                param = findparam(name, plist)
-+                if _find_unsafe(param):
-+                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
-+                    warnings.warn(msg, UnsafeMailcapInput)
-+                    return None
-+                res = res + param
-             # XXX To do:
-             # %n == number of parts if type is multipart/*
-             # %F == list of alternating type and filename for parts
---- a/Lib/test/test_mailcap.py
-+++ b/Lib/test/test_mailcap.py
-@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCa
-             (["", "audio/*", "foo.txt"], ""),
-             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
-             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
--            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
-+            (["echo %t", "audio/*", "foo.txt"], None),
-+            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
-             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
-             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
-             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
-@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
-              ('"An audio fragment"', audio_basic_entry)),
-             ([c, "audio/*"],
-              {"filename": fname},
--             ("/usr/local/bin/showaudio audio/*", audio_entry)),
-+             (None, None)),
-+            ([c, "audio/wav"],
-+             {"filename": fname},
-+             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
-             ([c, "message/external-body"],
-              {"plist": plist},
-              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
-@@ -0,0 +1,4 @@
-+The deprecated mailcap module now refuses to inject unsafe text (filenames,
-+MIME types, parameters) into shell commands. Instead of using such text, it
-+will warn and act as if a match was not found (or for test commands, as if
-+the test failed).

CVE-2022-42919-loc-priv-mulitproc-forksrv.patch

@@ -1,59 +0,0 @@
-From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
-From: "Gregory P. Smith" <greg@krypto.org>
-Date: Thu, 20 Oct 2022 15:30:09 -0700
-Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
- multiprocessing (GH-98501)
-
-Linux abstract sockets are insecure as they lack any form of filesystem
-permissions so their use allows anyone on the system to inject code into
-the process.
-
-This removes the default preference for abstract sockets in
-multiprocessing introduced in Python 3.9+ via
-https://github.com/python/cpython/pull/18866 while fixing
-https://github.com/python/cpython/issues/84031.
-
-Explicit use of an abstract socket by a user now generates a
-RuntimeWarning.  If we choose to keep this warning, it should be
-backported to the 3.7 and 3.8 branches.
-(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
-
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
----
- Lib/multiprocessing/connection.py                                       |    5 ---
- Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst |   15 ++++++++++
- 2 files changed, 15 insertions(+), 5 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
-
---- a/Lib/multiprocessing/connection.py
-+++ b/Lib/multiprocessing/connection.py
-@@ -73,11 +73,6 @@ def arbitrary_address(family):
-     if family == 'AF_INET':
-         return ('localhost', 0)
-     elif family == 'AF_UNIX':
--        # Prefer abstract sockets if possible to avoid problems with the address
--        # size.  When coding portable applications, some implementations have
--        # sun_path as short as 92 bytes in the sockaddr_un struct.
--        if util.abstract_sockets_supported:
--            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
-         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
-     elif family == 'AF_PIPE':
-         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
-@@ -0,0 +1,15 @@
-+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
-+unix domain sockets for communication with the *forkserver* process instead of
-+the Linux abstract socket namespace.  Only code that chooses to use the
-+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
-+
-+Abstract sockets have no permissions and could allow any user on the system in
-+the same `network namespace
-+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
-+whole system) to inject code into the multiprocessing *forkserver* process.
-+This was a potential privilege escalation. Filesystem based socket permissions
-+restrict this to the *forkserver* process user as was the default in Python 3.8
-+and earlier.
-+
-+This prevents Linux `CVE-2022-42919
-+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.

Python-3.9.15.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:12daff6809528d9f6154216950423c9e30f0e47336cb57c6aa0b4387dd5eb4b2
-size 19712208

Python-3.9.15.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFhjEACgkQsmmV4xAl
-BWhJRA/9H5hksRFz3av1uOB/HDVlglMwxIPJOzk57z6aknzc/ItxVz54UXK46XL7
-t9kSmb2zFo+TVfusE/By17ozf+j1WK8uTr8LrO2uvUC+Sck22U4WIwTkqj95/6sP
-Fmzrqsx1OyyCc6zJAMO6yo2hpxGmDcpxqVrn+lJ+INpuvf54bKerbFwV3+z6MxSe
-s48b2YGuLK1ttjFEOrrsGxf8sS7SNByckBMQDHf++5g95zUczlZ4j5UH15GZ+wHn
-NDW3/kccFGHjBHGGsNjZCIwmFN0+yA6BtbTEsX/nAyfcD45u7w5TQEmVp+knTtU8
-G3Z3C6aCATxBG4UKpO5DxL+UqcC5IvFT1mcKN+TgFluX5X7ENo3QPMGiww906NGr
-/6KztH7kURjUfI0cNQIxkJcnjNXGAbIumgokKOjcyIlWzxnb0I6cQsaj0yg0zUQG
-zIwugTjwoA00JZiV+WZxsFfkrOpxOWCLXFLdA2ph5BM1W0nqBFH21ZIBns77uoHe
-1wM0A1meu6AFFgQZREGV6twyqAnsGGgf+x2Y4a/s9MTLYphoMSEIUOvnbwAzsBbL
-+FThjD2o1bsm8E1V9d18hvw/jhsOCievKt4a3Fqnl2wPMjvoRaEYevyv3QNBjg1i
-bLAhT0QpnE68h6doi7FgKd5sdp6OGQT5wUOUseQSAINO9k8R7RQ=
-=Qc71
------END PGP SIGNATURE-----

Python-3.9.16.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22dddc099246dd2760665561e8adb7394ea0cc43a72684c6480f9380f7786439
+size 19738796

Python-3.9.16.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl
+BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD
+rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL
+257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV
+si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr
+fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO
+HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3
+4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi
+TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC
+GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5
+JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2
+U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E=
+=dXB5
+-----END PGP SIGNATURE-----

python39.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Thu Dec  8 10:43:43 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Update to 3.9.16:
+  - python -m http.server no longer allows terminal control
+    characters sent within a garbage request to be printed to the
+    stderr server log.
+    This is done by changing the http.server
+    BaseHTTPRequestHandler .log_message method to replace control
+    characters with a \xHH hex escape before printing.
+  - Avoid publishing list of active per-interpreter audit hooks
+    via the gc module
+  - The IDNA codec decoder used on DNS hostnames by socket or
+    asyncio related name resolution functions no longer involves
+    a quadratic algorithm. This prevents a potential CPU denial
+    of service if an out-of-spec excessive length hostname
+    involving bidirectional characters were decoded. Some
+    protocols such as urllib http 3xx redirects potentially allow
+    for an attacker to supply such a name (CVE-2015-20107).
+  - Update bundled libexpat to 2.5.0
+  - Port XKCP’s fix for the buffer overflows in SHA-3
+    (CVE-2022-37454).
+  - On Linux the multiprocessing module returns to using
+    filesystem backed unix domain sockets for communication with
+    the forkserver process instead of the Linux abstract socket
+    namespace. Only code that chooses to use the “forkserver”
+    start method is affected.
+    Abstract sockets have no permissions and could allow any
+    user on the system in the same network namespace (often
+    the whole system) to inject code into the multiprocessing
+    forkserver process. This was a potential privilege
+    escalation. Filesystem based socket permissions restrict this
+    to the forkserver process user as was the default in Python
+    3.8 and earlier.
+    This prevents Linux CVE-2022-42919.
+  - The deprecated mailcap module now refuses to inject unsafe
+    text (filenames, MIME types, parameters) into shell
+    commands. Instead of using such text, it will warn and act
+    as if a match was not found (or for test commands, as if the
+    test failed).
+- Removed upstreamed patches:
+  - CVE-2015-20107-mailcap-unsafe-filenames.patch
+  - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
+
 -------------------------------------------------------------------
 Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
 

python39.spec

@@ -93,7 +93,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.15
+Version:        3.9.16
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -158,18 +158,9 @@ Patch34:        skip-test_pyobject_freed_is_freed.patch
 # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
 # Makes Python resilient to changes of API of libexpat
 Patch35:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
-# avoid the command injection in the mailcap module.
-Patch36:        CVE-2015-20107-mailcap-unsafe-filenames.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
 # this patch makes things totally awesome
 Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mcepl@suse.com
-# Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method
-Patch38:        CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
-# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
-# Avoid DoS by decoding IDNA for too long domain names
-Patch39:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -428,10 +419,7 @@ other applications.
 %patch05 -p1
 %endif
 %patch35 -p1
-%patch36 -p1
 %patch37 -p1
-%patch38 -p1
-%patch39 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac