Accepting request 822056 from home:gmbr3:Active

- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream - Removed recursion.tar: contained in upstream - Update to 3.9.0b5: - bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801). - bpo-41162: Audit hooks are now cleared later during finalization to avoid missing events. - bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523). - bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…). - bpo-41295: Resolve a regression in CPython 3.8.4 where defining “__setattr__” in a multi-inheritance setup and calling up the hierarchy chain could fail if builtins/extension types were involved in the base types. - bpo-41247: Always cache the running loop holder when running asyncio.set_running_loop. - bpo-41252: Fix incorrect refcounting in _ssl.c’s _servername_callback(). - bpo-41215: Use non-NULL default values in the PEG parser keyword list to overcome a bug that was ' preventing Python from being properly compiled when using the XLC compiler. Patch by Pablo Galindo. - bpo-41218: Python 3.8.3 had a regression where compiling with ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would aggressively mark list comprehension with CO_COROUTINE. Now only list comprehension making use of async/await will tagged as so. - bpo-41175: Guard against a NULL pointer dereference within bytearrayobject triggered by the bytearray() + bytearray() operation. - bpo-39960: The “hackcheck” that prevents sneaking around a type’s __setattr__() by calling the superclass method was rewritten to allow C implemented heap types. - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. - bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907, bsc#1174091). - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params(). - bpo-41207: In distutils.spawn, restore expectation that DistutilsExecError is raised when the command is not found. - bpo-39168: Remove the __new__ method of typing.Generic. - bpo-41194: Fix a crash in the _ast module: it can no longer be loaded more than once. It now uses a global state rather than a module state. - bpo-39384: Fixed email.contentmanager to allow set_content() to set a null string. - bpo-41300: Save files with non-ascii chars. Fix regression released in 3.9.0b4 and 3.8.4. - bpo-37765: Add keywords to module name completion list. Rewrite Completions section of IDLE doc. - bpo-40170: Revert PyType_HasFeature() change: it reads again directly the PyTypeObject.tp_flags member when the limited C API is not used, rather than always calling PyType_GetFlags() which hides implementation details. OBS-URL: https://build.opensuse.org/request/show/822056 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=18
2020-07-21 11:16:21 +00:00 · 2020-07-21 11:16:21 +00:00 · 63a4856637
commit 63a4856637
parent 71ac2aa56c
8 changed files with 76 additions and 72 deletions
--- a/CVE-2019-20907_tarfile-inf-loop.patch
+++ b/CVE-2019-20907_tarfile-inf-loop.patch
@ -1,43 +0,0 @@
-From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
-From: Rajarishi Devarajan <rishi93dev@gmail.com>
-Date: Sun, 12 Jul 2020 23:47:42 +0200
-Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module
-
-Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
---
- Lib/tarfile.py           |   2 ++
- Lib/test/test_tarfile.py |   5 +++++
- 3 files changed, 7 insertions(+)
- create mode 100644 Lib/test/recursion.tar
-
--- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1249,6 +1249,8 @@ class TarInfo(object):
- 
-             length, keyword = match.groups()
-             length = int(length)
-+            if length == 0:
-+                raise InvalidHeaderError("invalid header")
-             value = buf[match.end(2) + 1:match.start(1) + length - 1]
- 
-             # Normally, we could just use "utf-8" as the encoding and "strict"
--- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -429,6 +429,13 @@ class CommonReadTest(ReadTest):
-                 with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
-                     tar.extractfile(t).read()
- 
-+    def test_length_zero_header(self):
-+        # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
-+        # with an exception
-+        with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
-+            with tarfile.open(support.findfile('recursion.tar')) as tar:
-+                pass
-+
- class MiscReadTestBase(CommonReadTest):
-     def requires_name_attribute(self):
-         pass
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-@@ -0,0 +1 @@
-+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
--- a/Python-3.9.0b4.tar.xz
+++ b/Python-3.9.0b4.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:344634bc7f3327284ad1349699d289aafd85a426524651dffdd5eb6cec216304
-size 18602256
--- a/Python-3.9.0b4.tar.xz.asc
+++ b/Python-3.9.0b4.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl7+IiYACgkQsmmV4xAl
-BWhWXg//QfKt/XvTTwS4OYi9u2/BYewVRCwhF9xle1r+Q8yaZKqD5ptjIvlMDFD5
-SbUR4yoZTwFnWRh1xO+LO8ysuqQgweF/swtIaygqcgIJhOieaOOZFhOROdMOjlqK
-h9yjvWIz4RYJiB3ASg3DTTYvWDQhu/7mCMhybaeUqh630+cOjb3oxmVCalZCimun
-DTXLcb4XY5X4p0JrndJZGWwIIKAAoUNf04PYPY/Y2xfsSyIFEf9dVbtDwT5eYU4J
-bmm+8yPHhCotWZSLZzRMw+4pn+bKoTEYLpEellzmhv6Nd8tZ+Ig2atjUD9vmblEH
-PqnrLu9s4qHCMSK+38qCIYA6VN7ykZgPMScHSjtcUOz8Nx5SnyFqV6RZwlMV71Hd
-llifxqvgehY6+EnFPhVsgVbW+N1ueD26UalU0YmpXKScfVJe8mzbSFHN/EDfjEto
-tYxAaX8KcUgyLMurCRItLTbZ6Ycqod1IUsJY9AQtrYYl2uS93jh5Nb+u+lC11jnH
-KUHUSVchCcQi298noYRlYcrGyJo+8X5kEWKxM9nO0KNogArBoGg+TcZKHgm1Ar8R
-gTX5dcWWqUmGxDoMdPW8WJ4YOq0MCY2+DgnOQ6HpgPoIpgM72c+RVvh8E/WW5C+B
-w7Fx3jri9EB6VY/0gpkrADHsW5js54EBM4GyzL+UnRXwNgwFAgQ=
-=nWKR
-----END PGP SIGNATURE-----
--- a/Python-3.9.0b5.tar.xz
+++ b/Python-3.9.0b5.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6ce1d77cba57cccb3e43cdb76217beacd7c7cd66a17d065523e4139cb5401564
+size 18588472
--- a/Python-3.9.0b5.tar.xz.asc
+++ b/Python-3.9.0b5.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl8V2nYACgkQsmmV4xAl
+BWhkNg//agICRI2yfh2xqQnHouaZAL202BnL8ZSXWYq6qRRIqUaf1oUB2ib/icCt
+t95n3JP3AkY4+T8r3xHvEdSCMrmW4LrNUKGj4dJFzblmig8ikmYwOJPDVbIs7Vi7
+uvY2fUBXecJPHvmjL0MghjzLGSl5+yaxdVky/8IcxAFyPMZ4MvV8Z83YLAa7aCx9
+tmcwCtVHQLeeo3EHqmgsaBlzFukPnkGbgn5/33T6aRxsX5ZNTnNMpZ+HeF9VsZ3h
+mDRwa+/JLcGdSj4ZkN+nisxLXFBm78mbf7a4hi+nyADCVMwb1R0pRS597nhNm4nP
+tPp34STZbAQCG+wCwgz12aR/bcZx86cxUAi+24ds6d3nRZQ8FG0KiuucY/Y7FTOS
+fSRPW9PLURYIoMacj9TJHdLecHl3fUBCNMOPUmM6Qmb6BwAuyau30QFrMkdY759W
+CYHlJxDaNLBjovMva9oitq+k5U710B+hdSPZa9S/7miIX0QRHAdgCE7FJ5AZNjg8
+9BYpjoJgyeVg/FP43348K11A8Qke4sLbBQJnCRBNxQK32S2nmI5QkEGswCoIICwj
+j7chIHx4YHzLjD0qxlqyz+xara+JcjvJXM3/NZ5uHo3lGEJW+933muc9isJMZ/S9
+FoNwZsRX7EWUAOYVb3u24Um6F9LdPPJEUMpwl7M/XUOnSZZPir4=
+=S8sB
+-----END PGP SIGNATURE-----
--- a/python39.changes
+++ b/python39.changes
@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
+
+- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
+- Removed recursion.tar: contained in upstream
+- Update to 3.9.0b5:
+  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused 
+    by the fix for bpo-29778 (CVE-2020-15801).
+  - bpo-41162: Audit hooks are now cleared later during
+    finalization to avoid missing events.
+  - bpo-29778: Ensure python3.dll is loaded from correct locations 
+    when Python is embedded (CVE-2020-15523).
+  - bpo-39603: Prevent http header injection by rejecting control 
+    characters in http.client.putrequest(…).
+  - bpo-41295: Resolve a regression in CPython 3.8.4 where defining
+    “__setattr__” in a multi-inheritance setup and 
+    calling up the hierarchy chain could fail if builtins/extension
+    types were involved in the base types.
+  - bpo-41247: Always cache the running loop holder when running 
+    asyncio.set_running_loop.
+  - bpo-41252: Fix incorrect refcounting in 
+    _ssl.c’s _servername_callback().
+  - bpo-41215: Use non-NULL default values in the PEG parser 
+    keyword list to overcome a bug that was '
+    preventing Python from being properly compiled when using the
+    XLC compiler. Patch by Pablo Galindo.
+  - bpo-41218: Python 3.8.3 had a regression where compiling with 
+    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would 
+    aggressively mark list comprehension with CO_COROUTINE. Now only
+    list comprehension making use of async/await will tagged as so.
+  - bpo-41175: Guard against a NULL pointer dereference within 
+    bytearrayobject triggered by the bytearray() + bytearray() operation.
+  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s 
+    __setattr__() by calling the superclass method was 
+    rewritten to allow C implemented heap types.
+  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the 
+    C implementation raises now UnpicklingError instead of crashing.
+  - bpo-39017: Avoid infinite loop when reading specially crafted 
+    TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
+  - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
+  - bpo-41207: In distutils.spawn, restore expectation that 
+    DistutilsExecError is raised when the command is not found.
+  - bpo-39168: Remove the __new__ method of typing.Generic.
+  - bpo-41194: Fix a crash in the _ast module: it can no longer be 
+    loaded more than once. It now uses a global state rather than a module state.
+  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a 
+    null string.
+  - bpo-41300: Save files with non-ascii chars. 
+    Fix regression released in 3.9.0b4 and 3.8.4.
+  - bpo-37765: Add keywords to module name completion list. 
+    Rewrite Completions section of IDLE doc.
+  - bpo-40170: Revert PyType_HasFeature() change: it reads 
+    again directly the PyTypeObject.tp_flags 
+    member when the limited C API is not used, rather than always calling 
+    PyType_GetFlags() which hides implementation details.
+
 -------------------------------------------------------------------
 Mon Jul 20 12:06:41 UTC 2020 - Matej Cepl <mcepl@suse.com>

--- a/python39.spec
+++ b/python39.spec
@ -86,7 +86,7 @@
 %bcond_without profileopt
 %endif
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.0b4
+Version:        3.9.0b5
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@ -102,8 +102,6 @@ Source10:       pre_checkin.sh
 Source11:       skipped_tests.py
 Source19:       idle3.desktop
 Source20:       idle3.appdata.xml
-# For Patch 32
-Source32:       recursion.tar
 Source99:       python.keyring
 # The following files are not used in the build.
 # They are listed here to work around missing functionality in rpmbuild,
@ -140,10 +138,6 @@ Patch29:        bpo-31046_ensurepip_honours_prefix.patch
 # PATCH-FIX-UPSTREAM bsc1167501-invalid-alignment.patch gh#python/cpython#19133 mcepl@suse.com
 # Fix wrong misalignment of pointer to vectorcallfunc
 Patch31:        bsc1167501-invalid-alignment.patch
-# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
-# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
-# REQUIRES SOURCE 32
-Patch32:        CVE-2019-20907_tarfile-inf-loop.patch
 BuildRequires:  automake
 BuildRequires:  fdupes
 BuildRequires:  gmp-devel
@ -397,10 +391,7 @@ other applications.
 %patch27 -p1
 %patch29 -p1
 %patch31 -p1
-%patch32 -p1

-# For patch 32
-cp -v %{SOURCE32} Lib/test/recursion.tar

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
--- a/recursion.tar
+++ b/recursion.tar