- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix

CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=141
2023-05-03 14:35:47 +00:00 · 2023-05-03 14:35:47 +00:00 · 7ce77a1280
commit 7ce77a1280
parent cbc1e5d930
3 changed files with 2590 additions and 0 deletions
--- a/CVE-2007-4559-filter-tarfile_extractall.patch
+++ b/CVE-2007-4559-filter-tarfile_extractall.patch
--- a/python39.changes
+++ b/python39.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May  3 14:09:37 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
+  CVE-2007-4559 (bsc#1203750) by adding the filter for
+  tarfile.extractall (PEP 706).
+
 -------------------------------------------------------------------
 Sun Apr 30 18:16:37 UTC 2023 - Matej Cepl <mcepl@suse.com>

--- a/python39.spec
+++ b/python39.spec
@ -165,6 +165,9 @@ Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
 # blocklist bypass via the urllib.parse component when supplying
 # a URL that starts with blank characters
 Patch38:        CVE-2023-24329-blank-URL-bypass.patch
+# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
+# Implement PEP-706 to filter outcome of the tarball extracing
+Patch39:        CVE-2007-4559-filter-tarfile_extractall.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -424,6 +427,7 @@ other applications.
 %patch35 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac