From 63a48566373ad0cb59c67083fac21e5274930c365be6ee4318fd0c26bbe70cf0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Tue, 21 Jul 2020 11:16:21 +0000 Subject: [PATCH] Accepting request 822056 from home:gmbr3:Active MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream - Removed recursion.tar: contained in upstream - Update to 3.9.0b5: - bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801). - bpo-41162: Audit hooks are now cleared later during finalization to avoid missing events. - bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523). - bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…). - bpo-41295: Resolve a regression in CPython 3.8.4 where defining “__setattr__” in a multi-inheritance setup and calling up the hierarchy chain could fail if builtins/extension types were involved in the base types. - bpo-41247: Always cache the running loop holder when running asyncio.set_running_loop. - bpo-41252: Fix incorrect refcounting in _ssl.c’s _servername_callback(). - bpo-41215: Use non-NULL default values in the PEG parser keyword list to overcome a bug that was ' preventing Python from being properly compiled when using the XLC compiler. Patch by Pablo Galindo. - bpo-41218: Python 3.8.3 had a regression where compiling with ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would aggressively mark list comprehension with CO_COROUTINE. Now only list comprehension making use of async/await will tagged as so. - bpo-41175: Guard against a NULL pointer dereference within bytearrayobject triggered by the bytearray() + bytearray() operation. - bpo-39960: The “hackcheck” that prevents sneaking around a type’s __setattr__() by calling the superclass method was rewritten to allow C implemented heap types. 
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. - bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907, bsc#1174091). - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params(). - bpo-41207: In distutils.spawn, restore expectation that DistutilsExecError is raised when the command is not found. - bpo-39168: Remove the __new__ method of typing.Generic. - bpo-41194: Fix a crash in the _ast module: it can no longer be loaded more than once. It now uses a global state rather than a module state. - bpo-39384: Fixed email.contentmanager to allow set_content() to set a null string. - bpo-41300: Save files with non-ascii chars. Fix regression released in 3.9.0b4 and 3.8.4. - bpo-37765: Add keywords to module name completion list. Rewrite Completions section of IDLE doc. - bpo-40170: Revert PyType_HasFeature() change: it reads again directly the PyTypeObject.tp_flags member when the limited C API is not used, rather than always calling PyType_GetFlags() which hides implementation details. OBS-URL: https://build.opensuse.org/request/show/822056 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=18 --- CVE-2019-20907_tarfile-inf-loop.patch | 43 -------------------- Python-3.9.0b4.tar.xz | 3 -- Python-3.9.0b4.tar.xz.asc | 16 -------- Python-3.9.0b5.tar.xz | 3 ++ Python-3.9.0b5.tar.xz.asc | 16 ++++++++ python39.changes | 56 ++++++++++++++++++++++++++ python39.spec | 11 +---- recursion.tar | Bin 516 -> 0 bytes 8 files changed, 76 insertions(+), 72 deletions(-) delete mode 100644 CVE-2019-20907_tarfile-inf-loop.patch delete mode 100644 Python-3.9.0b4.tar.xz delete mode 100644 Python-3.9.0b4.tar.xz.asc create mode 100644 Python-3.9.0b5.tar.xz create mode 100644 Python-3.9.0b5.tar.xz.asc delete mode 100644 recursion.tar 
diff --git a/CVE-2019-20907_tarfile-inf-loop.patch b/CVE-2019-20907_tarfile-inf-loop.patch
deleted file mode 100644
index eb9790f..0000000
--- a/CVE-2019-20907_tarfile-inf-loop.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
-From: Rajarishi Devarajan
-Date: Sun, 12 Jul 2020 23:47:42 +0200
-Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module
-
-Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
----
- Lib/tarfile.py | 2 ++
- Lib/test/test_tarfile.py | 5 +++++
- 3 files changed, 7 insertions(+)
- create mode 100644 Lib/test/recursion.tar
-
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1249,6 +1249,8 @@ class TarInfo(object):
-
- length, keyword = match.groups()
- length = int(length)
-+ if length == 0:
-+ raise InvalidHeaderError("invalid header")
- value = buf[match.end(2) + 1:match.start(1) + length - 1]
-
- # Normally, we could just use "utf-8" as the encoding and "strict"
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -429,6 +429,13 @@ class CommonReadTest(ReadTest):
- with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
- tar.extractfile(t).read()
-
-+ def test_length_zero_header(self):
-+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
-+ # with an exception
-+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
-+ with tarfile.open(support.findfile('recursion.tar')) as tar:
-+ pass
-+
- class MiscReadTestBase(CommonReadTest):
- def requires_name_attribute(self):
- pass
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-@@ -0,0 +1 @@
-+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
diff --git a/Python-3.9.0b4.tar.xz b/Python-3.9.0b4.tar.xz
deleted file mode 100644
index 56178d9..0000000
--- a/Python-3.9.0b4.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:344634bc7f3327284ad1349699d289aafd85a426524651dffdd5eb6cec216304 -size 18602256 diff --git a/Python-3.9.0b4.tar.xz.asc b/Python-3.9.0b4.tar.xz.asc deleted file mode 100644 index a54d194..0000000 --- a/Python-3.9.0b4.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl7+IiYACgkQsmmV4xAl -BWhWXg//QfKt/XvTTwS4OYi9u2/BYewVRCwhF9xle1r+Q8yaZKqD5ptjIvlMDFD5 -SbUR4yoZTwFnWRh1xO+LO8ysuqQgweF/swtIaygqcgIJhOieaOOZFhOROdMOjlqK -h9yjvWIz4RYJiB3ASg3DTTYvWDQhu/7mCMhybaeUqh630+cOjb3oxmVCalZCimun -DTXLcb4XY5X4p0JrndJZGWwIIKAAoUNf04PYPY/Y2xfsSyIFEf9dVbtDwT5eYU4J -bmm+8yPHhCotWZSLZzRMw+4pn+bKoTEYLpEellzmhv6Nd8tZ+Ig2atjUD9vmblEH -PqnrLu9s4qHCMSK+38qCIYA6VN7ykZgPMScHSjtcUOz8Nx5SnyFqV6RZwlMV71Hd -llifxqvgehY6+EnFPhVsgVbW+N1ueD26UalU0YmpXKScfVJe8mzbSFHN/EDfjEto -tYxAaX8KcUgyLMurCRItLTbZ6Ycqod1IUsJY9AQtrYYl2uS93jh5Nb+u+lC11jnH -KUHUSVchCcQi298noYRlYcrGyJo+8X5kEWKxM9nO0KNogArBoGg+TcZKHgm1Ar8R -gTX5dcWWqUmGxDoMdPW8WJ4YOq0MCY2+DgnOQ6HpgPoIpgM72c+RVvh8E/WW5C+B -w7Fx3jri9EB6VY/0gpkrADHsW5js54EBM4GyzL+UnRXwNgwFAgQ= -=nWKR ------END PGP SIGNATURE----- diff --git a/Python-3.9.0b5.tar.xz b/Python-3.9.0b5.tar.xz new file mode 100644 index 0000000..ef15739 --- /dev/null +++ b/Python-3.9.0b5.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6ce1d77cba57cccb3e43cdb76217beacd7c7cd66a17d065523e4139cb5401564 +size 18588472 diff --git a/Python-3.9.0b5.tar.xz.asc b/Python-3.9.0b5.tar.xz.asc new file mode 100644 index 0000000..41097cb --- /dev/null +++ b/Python-3.9.0b5.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl8V2nYACgkQsmmV4xAl +BWhkNg//agICRI2yfh2xqQnHouaZAL202BnL8ZSXWYq6qRRIqUaf1oUB2ib/icCt +t95n3JP3AkY4+T8r3xHvEdSCMrmW4LrNUKGj4dJFzblmig8ikmYwOJPDVbIs7Vi7 +uvY2fUBXecJPHvmjL0MghjzLGSl5+yaxdVky/8IcxAFyPMZ4MvV8Z83YLAa7aCx9 +tmcwCtVHQLeeo3EHqmgsaBlzFukPnkGbgn5/33T6aRxsX5ZNTnNMpZ+HeF9VsZ3h +mDRwa+/JLcGdSj4ZkN+nisxLXFBm78mbf7a4hi+nyADCVMwb1R0pRS597nhNm4nP +tPp34STZbAQCG+wCwgz12aR/bcZx86cxUAi+24ds6d3nRZQ8FG0KiuucY/Y7FTOS +fSRPW9PLURYIoMacj9TJHdLecHl3fUBCNMOPUmM6Qmb6BwAuyau30QFrMkdY759W +CYHlJxDaNLBjovMva9oitq+k5U710B+hdSPZa9S/7miIX0QRHAdgCE7FJ5AZNjg8 +9BYpjoJgyeVg/FP43348K11A8Qke4sLbBQJnCRBNxQK32S2nmI5QkEGswCoIICwj +j7chIHx4YHzLjD0qxlqyz+xara+JcjvJXM3/NZ5uHo3lGEJW+933muc9isJMZ/S9 +FoNwZsRX7EWUAOYVb3u24Um6F9LdPPJEUMpwl7M/XUOnSZZPir4= +=S8sB +-----END PGP SIGNATURE----- diff --git a/python39.changes b/python39.changes index 7dccb31..e40dceb 100644 --- a/python39.changes +++ b/python39.changes 
@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer
+
+- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
+- Removed recursion.tar: contained in upstream
+- Update to 3.9.0b5:
+ - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
+ by the fix for bpo-29778 (CVE-2020-15801).
+ - bpo-41162: Audit hooks are now cleared later during
+ finalization to avoid missing events.
+ - bpo-29778: Ensure python3.dll is loaded from correct locations
+ when Python is embedded (CVE-2020-15523).
+ - bpo-39603: Prevent http header injection by rejecting control
+ characters in http.client.putrequest(…).
+ - bpo-41295: Resolve a regression in CPython 3.8.4 where defining
+ “__setattr__” in a multi-inheritance setup and
+ calling up the hierarchy chain could fail if builtins/extension
+ types were involved in the base types.
+ - bpo-41247: Always cache the running loop holder when running
+ asyncio.set_running_loop.
+ - bpo-41252: Fix incorrect refcounting in
+ _ssl.c’s _servername_callback().
+ - bpo-41215: Use non-NULL default values in the PEG parser
+ keyword list to overcome a bug that was '
+ preventing Python from being properly compiled when using the
+ XLC compiler. Patch by Pablo Galindo.
+ - bpo-41218: Python 3.8.3 had a regression where compiling with
+ ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
+ aggressively mark list comprehension with CO_COROUTINE. Now only
+ list comprehension making use of async/await will tagged as so.
+ - bpo-41175: Guard against a NULL pointer dereference within
+ bytearrayobject triggered by the bytearray() + bytearray() operation.
+ - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
+ __setattr__() by calling the superclass method was
+ rewritten to allow C implemented heap types.
+ - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
+ C implementation raises now UnpicklingError instead of crashing.
+ - bpo-39017: Avoid infinite loop when reading specially crafted
+ TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
+ - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
+ - bpo-41207: In distutils.spawn, restore expectation that
+ DistutilsExecError is raised when the command is not found.
+ - bpo-39168: Remove the __new__ method of typing.Generic.
+ - bpo-41194: Fix a crash in the _ast module: it can no longer be
+ loaded more than once. It now uses a global state rather than a module state.
+ - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
+ null string.
+ - bpo-41300: Save files with non-ascii chars.
+ Fix regression released in 3.9.0b4 and 3.8.4.
+ - bpo-37765: Add keywords to module name completion list.
+ Rewrite Completions section of IDLE doc.
+ - bpo-40170: Revert PyType_HasFeature() change: it reads
+ again directly the PyTypeObject.tp_flags
+ member when the limited C API is not used, rather than always calling
+ PyType_GetFlags() which hides implementation details.
+
 -------------------------------------------------------------------
 Mon Jul 20 12:06:41 UTC 2020 - Matej Cepl
diff --git a/python39.spec b/python39.spec
index a69c741..fa73e41 100644
--- a/python39.spec
+++ b/python39.spec
@@ -86,7 +86,7 @@
 %bcond_without profileopt
 %endif
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.9.0b4
+Version: 3.9.0b5
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
@@ -102,8 +102,6 @@ Source10: pre_checkin.sh
 Source11: skipped_tests.py
 Source19: idle3.desktop
 Source20: idle3.appdata.xml
-# For Patch 32
-Source32: recursion.tar
 Source99: python.keyring
 # The following files are not used in the build.
 # They are listed here to work around missing functionality in rpmbuild,
@@ -140,10 +138,6 @@ Patch29: bpo-31046_ensurepip_honours_prefix.patch # PATCH-FIX-UPSTREAM bsc1167501-invalid-alignment.patch gh#python/cpython#19133 mcepl@suse.com # Fix wrong misalignment of pointer to vectorcallfunc Patch31: bsc1167501-invalid-alignment.patch -# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com -# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) -# REQUIRES SOURCE 32 -Patch32: CVE-2019-20907_tarfile-inf-loop.patch BuildRequires: automake BuildRequires: fdupes BuildRequires: gmp-devel @@ -397,10 +391,7 @@ other applications. %patch27 -p1 %patch29 -p1 %patch31 -p1 -%patch32 -p1 -# For patch 32 -cp -v %{SOURCE32} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac diff --git a/recursion.tar b/recursion.tar deleted file mode 100644 index e1d2b905523c3ae157706f237042c8e26e90d41494b2b930a3afa5fb21f8aaaf..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 516 zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e I1_}|j06>QaCIA2c