From 5fc7c9de92e9624514383220fec8c69d6568e576570c6ca52f2db5bb3fd412d9 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Mon, 5 Jun 2023 15:08:18 +0000 Subject: [PATCH] Do not use :type: option of :attribute: rST element. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=146 --- CVE-2007-4559-filter-tarfile_extractall.patch | 91 ++++++++----------- python39.changes | 5 - 2 files changed, 37 insertions(+), 59 deletions(-) diff --git a/CVE-2007-4559-filter-tarfile_extractall.patch b/CVE-2007-4559-filter-tarfile_extractall.patch index 3c439d2..f91a87c 100644 --- a/CVE-2007-4559-filter-tarfile_extractall.patch +++ b/CVE-2007-4559-filter-tarfile_extractall.patch @@ -1,15 +1,17 @@ --- Doc/library/shutil.rst | 25 - Doc/library/tarfile.rst | 458 ++++ + Doc/library/tarfile.rst | 447 ++++ Lib/shutil.py | 17 Lib/tarfile.py | 351 +++ Lib/test/test_shutil.py | 40 Lib/test/test_tarfile.py | 968 +++++++++- Misc/NEWS.d/next/Library/2023-03-23-15-24-38.gh-issue-102953.YR4KaK.rst | 4 - 7 files changed, 1766 insertions(+), 97 deletions(-) + 7 files changed, 1755 insertions(+), 97 deletions(-) ---- a/Doc/library/shutil.rst -+++ b/Doc/library/shutil.rst +Index: Python-3.9.16/Doc/library/shutil.rst +=================================================================== +--- Python-3.9.16.orig/Doc/library/shutil.rst ++++ Python-3.9.16/Doc/library/shutil.rst @@ -614,7 +614,7 @@ provided. They rely on the :mod:`zipfil Remove the archive format *name* from the list of supported formats. @@ -64,8 +66,10 @@ *description* can be provided to describe the format, and will be returned by the :func:`get_unpack_formats` function. ---- a/Doc/library/tarfile.rst -+++ b/Doc/library/tarfile.rst +Index: Python-3.9.16/Doc/library/tarfile.rst +=================================================================== +--- Python-3.9.16.orig/Doc/library/tarfile.rst ++++ Python-3.9.16/Doc/library/tarfile.rst 
@@ -206,6 +206,38 @@ The :mod:`tarfile` module defines the fo Is raised by :meth:`TarInfo.frombuf` if the buffer it gets is invalid. @@ -195,12 +199,11 @@ .. method:: TarFile.extractfile(member) -@@ -457,6 +503,57 @@ be finalized; only the internally used f +@@ -457,6 +503,56 @@ be finalized; only the internally used f .. versionchanged:: 3.3 Return an :class:`io.BufferedReader` object. +.. attribute:: TarFile.errorlevel -+ :type: int + + If *errorlevel* is ``0``, errors are ignored when using :meth:`TarFile.extract` + and :meth:`TarFile.extractall`. @@ -253,7 +256,7 @@ .. method:: TarFile.add(name, arcname=None, recursive=True, *, filter=None) -@@ -532,7 +629,27 @@ permissions, owner etc.), it provides so +@@ -532,7 +628,27 @@ permissions, owner etc.), it provides so It does *not* contain the file's data itself. :class:`TarInfo` objects are returned by :class:`TarFile`'s methods @@ -282,23 +285,9 @@ .. class:: TarInfo(name="") -@@ -566,24 +683,39 @@ A ``TarInfo`` object has the following p - - - .. attribute:: TarInfo.name -+ :type: str - - Name of the archive member. - - - .. attribute:: TarInfo.size -+ :type: int - - Size in bytes. - +@@ -577,13 +693,24 @@ A ``TarInfo`` object has the following p .. attribute:: TarInfo.mtime -+ :type: int | float - Time of last modification. + Time of last modification in seconds since the :ref:`epoch `, @@ -311,11 +300,10 @@ + attribute. .. attribute:: TarInfo.mode -+ :type: int -+ -+ Permission bits, as for :func:`os.chmod`. - Permission bits. ++ Permission bits, as for :func:`os.chmod`. ++ + .. versionchanged:: 3.11.4 + Can be set to ``None`` for :meth:`~TarFile.extract` and 
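Review bot: The `.. versionchanged:: 3.11.4` directive kept under `TarInfo.mode` at the end of this hunk is misleading in a patch whose target is `Python-3.9.16/Doc/library/tarfile.rst`. The built 3.9 documentation will say that setting `mode` to None arrived in 3.11.4, so someone checking whether this package carries the CVE-2007-4559 extraction-filter work could conclude that it does not. Since the documentation part of the patch is being edited anyway, the directive could gain a trailing sentence such as `Backported to this package by CVE-2007-4559-filter-tarfile_extractall.patch.` The following hunks show only the tail (`attribute.`) of what are presumably the same directives under `uid`, `gid`, `uname` and `gname`; if so, the same wording applies there.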
@@ -324,18 +312,7 @@ .. attribute:: TarInfo.type -@@ -595,35 +727,76 @@ A ``TarInfo`` object has the following p - - - .. attribute:: TarInfo.linkname -+ :type: str - - Name of the target file name, which is only present in :class:`TarInfo` objects - of type :const:`LNKTYPE` and :const:`SYMTYPE`. - - - .. attribute:: TarInfo.uid -+ :type: int +@@ -604,26 +731,61 @@ A ``TarInfo`` object has the following p User ID of the user who originally stored this member. @@ -346,7 +323,6 @@ + attribute. .. attribute:: TarInfo.gid -+ :type: int Group ID of the user who originally stored this member. @@ -357,7 +333,6 @@ + attribute. .. attribute:: TarInfo.uname -+ :type: str User name. @@ -368,7 +343,6 @@ + attribute. .. attribute:: TarInfo.gname -+ :type: str Group name. @@ -379,7 +353,6 @@ + attribute. .. attribute:: TarInfo.pax_headers -+ :type: dict A dictionary containing key-value pairs of an associated pax extended header. @@ -401,7 +374,7 @@ A :class:`TarInfo` object also provides some convenient query methods: -@@ -673,9 +846,259 @@ A :class:`TarInfo` object also provides +@@ -673,9 +835,259 @@ A :class:`TarInfo` object also provides Return :const:`True` if it is one of character device, block device or FIFO. @@ -661,7 +634,7 @@ Command-Line Interface ---------------------- -@@ -745,6 +1168,15 @@ Command-line options +@@ -745,6 +1157,15 @@ Command-line options Verbose output. @@ -677,8 +650,10 @@ .. _tar-examples: Examples ---- a/Lib/shutil.py -+++ b/Lib/shutil.py +Index: Python-3.9.16/Lib/shutil.py +=================================================================== +--- Python-3.9.16.orig/Lib/shutil.py ++++ Python-3.9.16/Lib/shutil.py @@ -1191,7 +1191,7 @@ def _unpack_zipfile(filename, extract_di finally: zip.close() 
@@ -745,8 +720,10 @@ func(filename, extract_dir, **kwargs) ---- a/Lib/tarfile.py -+++ b/Lib/tarfile.py +Index: Python-3.9.16/Lib/tarfile.py +=================================================================== +--- Python-3.9.16.orig/Lib/tarfile.py ++++ Python-3.9.16/Lib/tarfile.py @@ -45,6 +45,7 @@ import time import struct import copy @@ -1341,8 +1318,10 @@ if args.verbose: if curdir == '.': msg = '{!r} file is extracted.'.format(src) ---- a/Lib/test/test_shutil.py -+++ b/Lib/test/test_shutil.py +Index: Python-3.9.16/Lib/test/test_shutil.py +=================================================================== +--- Python-3.9.16.orig/Lib/test/test_shutil.py ++++ Python-3.9.16/Lib/test/test_shutil.py @@ -31,6 +31,7 @@ except ImportError: from test import support @@ -1427,8 +1406,10 @@ def test_unpack_registry(self): ---- a/Lib/test/test_tarfile.py -+++ b/Lib/test/test_tarfile.py +Index: Python-3.9.16/Lib/test/test_tarfile.py +=================================================================== +--- Python-3.9.16.orig/Lib/test/test_tarfile.py ++++ Python-3.9.16/Lib/test/test_tarfile.py @@ -5,6 +5,10 @@ from hashlib import sha256 from contextlib import contextmanager from random import Random @@ -2556,8 +2537,10 @@ def setUpModule(): support.unlink(TEMPDIR) os.makedirs(TEMPDIR) +Index: Python-3.9.16/Misc/NEWS.d/next/Library/2023-03-23-15-24-38.gh-issue-102953.YR4KaK.rst +=================================================================== --- /dev/null -+++ b/Misc/NEWS.d/next/Library/2023-03-23-15-24-38.gh-issue-102953.YR4KaK.rst ++++ Python-3.9.16/Misc/NEWS.d/next/Library/2023-03-23-15-24-38.gh-issue-102953.YR4KaK.rst @@ -0,0 +1,4 @@ +The extraction methods in :mod:`tarfile`, and :func:`shutil.unpack_archive`, +have a new a *filter* argument that allows limiting tar features than may be diff --git a/python39.changes b/python39.changes index 31d1ec2..f7ec1a3 100644 --- a/python39.changes +++ b/python39.changes 
@@ -12,11 +12,6 @@ Wed May 3 14:09:37 UTC 2023 - Matej Cepl CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706). -------------------------------------------------------------------- -Sun Apr 30 18:16:37 UTC 2023 - Matej Cepl - -- Why in the world we download from HTTP? - ------------------------------------------------------------------- Tue Apr 18 05:00:11 UTC 2023 - Steve Kowalik