- Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886).
- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Repurpose skip-failing-tests.patch to increase timeout for test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time, which fails on slow machines in IBS (s390x). - (bsc#1215454, gh-108310) Fixed an issue where instances - Refresh all patches: - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch - 99366-patch.dict-can-decorate-async.patch - Revert-gh105127-left-tests.patch - bpo-31046_ensurepip_honours_prefix.patch - decimal.patch - distutils-reproducible-compile.patch - gh-78214-marshal_stabilize_FLAG_REF.patch - python-3.3.0b1-localpath.patch - python-3.3.0b1-test-posix_fadvise.patch - python3-imp-returntype.patch - subprocess-raise-timeout.patch - support-expat-CVE-2022-25236-patched.patch - downport-Sphinx-features.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=172
This commit is contained in:
parent
7c8ca681d6
commit
7ff141432c
191
CVE-2023-6597-TempDir-cleaning-symlink.patch
Normal file
191
CVE-2023-6597-TempDir-cleaning-symlink.patch
Normal file
@ -0,0 +1,191 @@
|
|||||||
|
---
|
||||||
|
Lib/tempfile.py | 26 +-
|
||||||
|
Lib/test/test_tempfile.py | 117 +++++++++-
|
||||||
|
Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst | 2
|
||||||
|
3 files changed, 136 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
--- a/Lib/tempfile.py
|
||||||
|
+++ b/Lib/tempfile.py
|
||||||
|
@@ -268,6 +268,22 @@ def _mkstemp_inner(dir, pre, suf, flags,
|
||||||
|
raise FileExistsError(_errno.EEXIST,
|
||||||
|
"No usable temporary file name found")
|
||||||
|
|
||||||
|
+def _dont_follow_symlinks(func, path, *args):
|
||||||
|
+ # Pass follow_symlinks=False, unless not supported on this platform.
|
||||||
|
+ if func in _os.supports_follow_symlinks:
|
||||||
|
+ func(path, *args, follow_symlinks=False)
|
||||||
|
+ elif _os.name == 'nt' or not _os.path.islink(path):
|
||||||
|
+ func(path, *args)
|
||||||
|
+
|
||||||
|
+def _resetperms(path):
|
||||||
|
+ try:
|
||||||
|
+ chflags = _os.chflags
|
||||||
|
+ except AttributeError:
|
||||||
|
+ pass
|
||||||
|
+ else:
|
||||||
|
+ _dont_follow_symlinks(chflags, path, 0)
|
||||||
|
+ _dont_follow_symlinks(_os.chmod, path, 0o700)
|
||||||
|
+
|
||||||
|
|
||||||
|
# User visible interfaces.
|
||||||
|
|
||||||
|
@@ -789,17 +805,11 @@ class TemporaryDirectory(object):
|
||||||
|
def _rmtree(cls, name):
|
||||||
|
def onerror(func, path, exc_info):
|
||||||
|
if issubclass(exc_info[0], PermissionError):
|
||||||
|
- def resetperms(path):
|
||||||
|
- try:
|
||||||
|
- _os.chflags(path, 0)
|
||||||
|
- except AttributeError:
|
||||||
|
- pass
|
||||||
|
- _os.chmod(path, 0o700)
|
||||||
|
|
||||||
|
try:
|
||||||
|
if path != name:
|
||||||
|
- resetperms(_os.path.dirname(path))
|
||||||
|
- resetperms(path)
|
||||||
|
+ _resetperms(_os.path.dirname(path))
|
||||||
|
+ _resetperms(path)
|
||||||
|
|
||||||
|
try:
|
||||||
|
_os.unlink(path)
|
||||||
|
--- a/Lib/test/test_tempfile.py
|
||||||
|
+++ b/Lib/test/test_tempfile.py
|
||||||
|
@@ -1394,6 +1394,103 @@ class TestTemporaryDirectory(BaseTestCas
|
||||||
|
"were deleted")
|
||||||
|
d2.cleanup()
|
||||||
|
|
||||||
|
+ @support.skip_unless_symlink
|
||||||
|
+ def test_cleanup_with_symlink_modes(self):
|
||||||
|
+ # cleanup() should not follow symlinks when fixing mode bits (#91133)
|
||||||
|
+ with self.do_create(recurse=0) as d2:
|
||||||
|
+ file1 = os.path.join(d2, 'file1')
|
||||||
|
+ open(file1, 'wb').close()
|
||||||
|
+ dir1 = os.path.join(d2, 'dir1')
|
||||||
|
+ os.mkdir(dir1)
|
||||||
|
+ for mode in range(8):
|
||||||
|
+ mode <<= 6
|
||||||
|
+ with self.subTest(mode=format(mode, '03o')):
|
||||||
|
+ def test(target, target_is_directory):
|
||||||
|
+ d1 = self.do_create(recurse=0)
|
||||||
|
+ symlink = os.path.join(d1.name, 'symlink')
|
||||||
|
+ os.symlink(target, symlink,
|
||||||
|
+ target_is_directory=target_is_directory)
|
||||||
|
+ try:
|
||||||
|
+ os.chmod(symlink, mode, follow_symlinks=False)
|
||||||
|
+ except NotImplementedError:
|
||||||
|
+ pass
|
||||||
|
+ try:
|
||||||
|
+ os.chmod(symlink, mode)
|
||||||
|
+ except FileNotFoundError:
|
||||||
|
+ pass
|
||||||
|
+ os.chmod(d1.name, mode)
|
||||||
|
+ d1.cleanup()
|
||||||
|
+ self.assertFalse(os.path.exists(d1.name))
|
||||||
|
+
|
||||||
|
+ with self.subTest('nonexisting file'):
|
||||||
|
+ test('nonexisting', target_is_directory=False)
|
||||||
|
+ with self.subTest('nonexisting dir'):
|
||||||
|
+ test('nonexisting', target_is_directory=True)
|
||||||
|
+
|
||||||
|
+ with self.subTest('existing file'):
|
||||||
|
+ os.chmod(file1, mode)
|
||||||
|
+ old_mode = os.stat(file1).st_mode
|
||||||
|
+ test(file1, target_is_directory=False)
|
||||||
|
+ new_mode = os.stat(file1).st_mode
|
||||||
|
+ self.assertEqual(new_mode, old_mode,
|
||||||
|
+ '%03o != %03o' % (new_mode, old_mode))
|
||||||
|
+
|
||||||
|
+ with self.subTest('existing dir'):
|
||||||
|
+ os.chmod(dir1, mode)
|
||||||
|
+ old_mode = os.stat(dir1).st_mode
|
||||||
|
+ test(dir1, target_is_directory=True)
|
||||||
|
+ new_mode = os.stat(dir1).st_mode
|
||||||
|
+ self.assertEqual(new_mode, old_mode,
|
||||||
|
+ '%03o != %03o' % (new_mode, old_mode))
|
||||||
|
+
|
||||||
|
+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags')
|
||||||
|
+ @support.skip_unless_symlink
|
||||||
|
+ def test_cleanup_with_symlink_flags(self):
|
||||||
|
+ # cleanup() should not follow symlinks when fixing flags (#91133)
|
||||||
|
+ flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK
|
||||||
|
+ self.check_flags(flags)
|
||||||
|
+
|
||||||
|
+ with self.do_create(recurse=0) as d2:
|
||||||
|
+ file1 = os.path.join(d2, 'file1')
|
||||||
|
+ open(file1, 'wb').close()
|
||||||
|
+ dir1 = os.path.join(d2, 'dir1')
|
||||||
|
+ os.mkdir(dir1)
|
||||||
|
+ def test(target, target_is_directory):
|
||||||
|
+ d1 = self.do_create(recurse=0)
|
||||||
|
+ symlink = os.path.join(d1.name, 'symlink')
|
||||||
|
+ os.symlink(target, symlink,
|
||||||
|
+ target_is_directory=target_is_directory)
|
||||||
|
+ try:
|
||||||
|
+ os.chflags(symlink, flags, follow_symlinks=False)
|
||||||
|
+ except NotImplementedError:
|
||||||
|
+ pass
|
||||||
|
+ try:
|
||||||
|
+ os.chflags(symlink, flags)
|
||||||
|
+ except FileNotFoundError:
|
||||||
|
+ pass
|
||||||
|
+ os.chflags(d1.name, flags)
|
||||||
|
+ d1.cleanup()
|
||||||
|
+ self.assertFalse(os.path.exists(d1.name))
|
||||||
|
+
|
||||||
|
+ with self.subTest('nonexisting file'):
|
||||||
|
+ test('nonexisting', target_is_directory=False)
|
||||||
|
+ with self.subTest('nonexisting dir'):
|
||||||
|
+ test('nonexisting', target_is_directory=True)
|
||||||
|
+
|
||||||
|
+ with self.subTest('existing file'):
|
||||||
|
+ os.chflags(file1, flags)
|
||||||
|
+ old_flags = os.stat(file1).st_flags
|
||||||
|
+ test(file1, target_is_directory=False)
|
||||||
|
+ new_flags = os.stat(file1).st_flags
|
||||||
|
+ self.assertEqual(new_flags, old_flags)
|
||||||
|
+
|
||||||
|
+ with self.subTest('existing dir'):
|
||||||
|
+ os.chflags(dir1, flags)
|
||||||
|
+ old_flags = os.stat(dir1).st_flags
|
||||||
|
+ test(dir1, target_is_directory=True)
|
||||||
|
+ new_flags = os.stat(dir1).st_flags
|
||||||
|
+ self.assertEqual(new_flags, old_flags)
|
||||||
|
+
|
||||||
|
@support.cpython_only
|
||||||
|
def test_del_on_collection(self):
|
||||||
|
# A TemporaryDirectory is deleted when garbage collected
|
||||||
|
@@ -1506,9 +1603,27 @@ class TestTemporaryDirectory(BaseTestCas
|
||||||
|
d.cleanup()
|
||||||
|
self.assertFalse(os.path.exists(d.name))
|
||||||
|
|
||||||
|
- @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.lchflags')
|
||||||
|
+ def check_flags(self, flags):
|
||||||
|
+ # skip the test if these flags are not supported (ex: FreeBSD 13)
|
||||||
|
+ filename = support.TESTFN
|
||||||
|
+ try:
|
||||||
|
+ open(filename, "w").close()
|
||||||
|
+ try:
|
||||||
|
+ os.chflags(filename, flags)
|
||||||
|
+ except OSError as exc:
|
||||||
|
+ # "OSError: [Errno 45] Operation not supported"
|
||||||
|
+ self.skipTest(f"chflags() doesn't support flags "
|
||||||
|
+ f"{flags:#b}: {exc}")
|
||||||
|
+ else:
|
||||||
|
+ os.chflags(filename, 0)
|
||||||
|
+ finally:
|
||||||
|
+ support.unlink(filename)
|
||||||
|
+
|
||||||
|
+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags')
|
||||||
|
def test_flags(self):
|
||||||
|
flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK
|
||||||
|
+ self.check_flags(flags)
|
||||||
|
+
|
||||||
|
d = self.do_create(recurse=3, dirs=2, files=2)
|
||||||
|
with d:
|
||||||
|
# Change files and directories flags recursively.
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no longer
|
||||||
|
+dereferences symlinks when working around file system permission errors.
|
@ -1,3 +1,19 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 28 19:49:12 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- (bsc#1219666, CVE-2023-6597) Add
|
||||||
|
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
|
||||||
|
gh#python/cpython!99930) fixing symlink bug in cleanup of
|
||||||
|
tempfile.TemporaryDirectory.
|
||||||
|
- Repurpose skip-failing-tests.patch to increase timeout for
|
||||||
|
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
|
||||||
|
which fails on slow machines in IBS (s390x).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
||||||
|
|
||||||
@ -22,7 +38,7 @@ Mon Dec 18 16:20:58 UTC 2023 - Matej Cepl <mcepl@cepl.eu>
|
|||||||
Wed Sep 6 06:38:27 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
Wed Sep 6 06:38:27 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
||||||
|
|
||||||
- Update to 3.9.18 (bsc#1214692):
|
- Update to 3.9.18 (bsc#1214692):
|
||||||
- (bsc#1215454, gh-108310)Fixed an issue where instances
|
- (bsc#1215454, gh-108310) Fixed an issue where instances
|
||||||
of ssl.SSLSocket were vulnerable to a bypass of the TLS
|
of ssl.SSLSocket were vulnerable to a bypass of the TLS
|
||||||
handshake and included protections (like certificate
|
handshake and included protections (like certificate
|
||||||
verification) and treating sent unencrypted data as if it
|
verification) and treating sent unencrypted data as if it
|
||||||
@ -35,6 +51,20 @@ Wed Sep 6 06:38:27 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
|||||||
LinkOutsideDestinationError.
|
LinkOutsideDestinationError.
|
||||||
- gh-107565: Update multissltests and GitHub CI workflows to use
|
- gh-107565: Update multissltests and GitHub CI workflows to use
|
||||||
OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
|
OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
|
||||||
|
- Refresh all patches:
|
||||||
|
- 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
|
||||||
|
- 99366-patch.dict-can-decorate-async.patch
|
||||||
|
- Revert-gh105127-left-tests.patch
|
||||||
|
- bpo-31046_ensurepip_honours_prefix.patch
|
||||||
|
- decimal.patch
|
||||||
|
- distutils-reproducible-compile.patch
|
||||||
|
- gh-78214-marshal_stabilize_FLAG_REF.patch
|
||||||
|
- python-3.3.0b1-localpath.patch
|
||||||
|
- python-3.3.0b1-test-posix_fadvise.patch
|
||||||
|
- python3-imp-returntype.patch
|
||||||
|
- subprocess-raise-timeout.patch
|
||||||
|
- support-expat-CVE-2022-25236-patched.patch
|
||||||
|
- downport-Sphinx-features.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Aug 3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
Thu Aug 3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||||
|
@ -181,6 +181,9 @@ Patch42: CVE-2023-27043-email-parsing-errors.patch
|
|||||||
# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289
|
# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289
|
||||||
# Fix tests for XMLPullParser with Expat 2.6.0
|
# Fix tests for XMLPullParser with Expat 2.6.0
|
||||||
Patch43: libexpat260.patch
|
Patch43: libexpat260.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com
|
||||||
|
# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930)
|
||||||
|
Patch44: CVE-2023-6597-TempDir-cleaning-symlink.patch
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
@ -429,7 +432,7 @@ other applications.
|
|||||||
%patch -P 25 -p1
|
%patch -P 25 -p1
|
||||||
%patch -P 29 -p1
|
%patch -P 29 -p1
|
||||||
%patch -P 32 -p1
|
%patch -P 32 -p1
|
||||||
%if 0%{?sle_version} && 0%{?sle_version} <= 150300
|
%if 0%{?sle_version}
|
||||||
%patch -P 33 -p1
|
%patch -P 33 -p1
|
||||||
%patch -P 34 -p1
|
%patch -P 34 -p1
|
||||||
%endif
|
%endif
|
||||||
@ -446,6 +449,7 @@ other applications.
|
|||||||
%endif
|
%endif
|
||||||
%patch -P 42 -p1
|
%patch -P 42 -p1
|
||||||
%patch -P 43 -p1
|
%patch -P 43 -p1
|
||||||
|
%patch -P 44 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
Loading…
Reference in New Issue
Block a user