pool/python39
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886).

Browse Source 
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).
 
  - (bsc#1215454, gh-108310) Fixed an issue where instances
- Refresh all patches:
  - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
  - 99366-patch.dict-can-decorate-async.patch
  - Revert-gh105127-left-tests.patch
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - distutils-reproducible-compile.patch
  - gh-78214-marshal_stabilize_FLAG_REF.patch
  - python-3.3.0b1-localpath.patch
  - python-3.3.0b1-test-posix_fadvise.patch
  - python3-imp-returntype.patch
  - subprocess-raise-timeout.patch
  - support-expat-CVE-2022-25236-patched.patch
  - downport-Sphinx-features.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=172
This commit is contained in:
Matej Cepl 2024-02-28 22:56:56 +00:00 committed by Git OBS Bridge
parent 7c8ca681d6
commit 7ff141432c
3 changed files with 227 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
CVE-2023-6597-TempDir-cleaning-symlink.patch Normal file
View File

@ -0,0 +1,191 @@
---
Lib/tempfile.py | 26 +-
Lib/test/test_tempfile.py | 117 +++++++++-
Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst | 2
3 files changed, 136 insertions(+), 9 deletions(-)
--- a/Lib/tempfile.py
+++ b/Lib/tempfile.py
@@ -268,6 +268,22 @@ def _mkstemp_inner(dir, pre, suf, flags,
raise FileExistsError(_errno.EEXIST,
"No usable temporary file name found")
+def _dont_follow_symlinks(func, path, *args):
+ # Pass follow_symlinks=False, unless not supported on this platform.
+ if func in _os.supports_follow_symlinks:
+ func(path, *args, follow_symlinks=False)
+ elif _os.name == 'nt' or not _os.path.islink(path):
+ func(path, *args)
+
+def _resetperms(path):
+ try:
+ chflags = _os.chflags
+ except AttributeError:
+ pass
+ else:
+ _dont_follow_symlinks(chflags, path, 0)
+ _dont_follow_symlinks(_os.chmod, path, 0o700)
+
# User visible interfaces.
@@ -789,17 +805,11 @@ class TemporaryDirectory(object):
def _rmtree(cls, name):
def onerror(func, path, exc_info):
if issubclass(exc_info[0], PermissionError):
- def resetperms(path):
- try:
- _os.chflags(path, 0)
- except AttributeError:
- pass
- _os.chmod(path, 0o700)
try:
if path != name:
- resetperms(_os.path.dirname(path))
- resetperms(path)
+ _resetperms(_os.path.dirname(path))
+ _resetperms(path)
try:
_os.unlink(path)
--- a/Lib/test/test_tempfile.py
+++ b/Lib/test/test_tempfile.py
@@ -1394,6 +1394,103 @@ class TestTemporaryDirectory(BaseTestCas
"were deleted")
d2.cleanup()
+ @support.skip_unless_symlink
+ def test_cleanup_with_symlink_modes(self):
+ # cleanup() should not follow symlinks when fixing mode bits (#91133)
+ with self.do_create(recurse=0) as d2:
+ file1 = os.path.join(d2, 'file1')
+ open(file1, 'wb').close()
+ dir1 = os.path.join(d2, 'dir1')
+ os.mkdir(dir1)
+ for mode in range(8):
+ mode <<= 6
+ with self.subTest(mode=format(mode, '03o')):
+ def test(target, target_is_directory):
+ d1 = self.do_create(recurse=0)
+ symlink = os.path.join(d1.name, 'symlink')
+ os.symlink(target, symlink,
+ target_is_directory=target_is_directory)
+ try:
+ os.chmod(symlink, mode, follow_symlinks=False)
+ except NotImplementedError:
+ pass
+ try:
+ os.chmod(symlink, mode)
+ except FileNotFoundError:
+ pass
+ os.chmod(d1.name, mode)
+ d1.cleanup()
+ self.assertFalse(os.path.exists(d1.name))
+
+ with self.subTest('nonexisting file'):
+ test('nonexisting', target_is_directory=False)
+ with self.subTest('nonexisting dir'):
+ test('nonexisting', target_is_directory=True)
+
+ with self.subTest('existing file'):
+ os.chmod(file1, mode)
+ old_mode = os.stat(file1).st_mode
+ test(file1, target_is_directory=False)
+ new_mode = os.stat(file1).st_mode
+ self.assertEqual(new_mode, old_mode,
+ '%03o != %03o' % (new_mode, old_mode))
+
+ with self.subTest('existing dir'):
+ os.chmod(dir1, mode)
+ old_mode = os.stat(dir1).st_mode
+ test(dir1, target_is_directory=True)
+ new_mode = os.stat(dir1).st_mode
+ self.assertEqual(new_mode, old_mode,
+ '%03o != %03o' % (new_mode, old_mode))
+
+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags')
+ @support.skip_unless_symlink
+ def test_cleanup_with_symlink_flags(self):
+ # cleanup() should not follow symlinks when fixing flags (#91133)
+ flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK
+ self.check_flags(flags)
+
+ with self.do_create(recurse=0) as d2:
+ file1 = os.path.join(d2, 'file1')
+ open(file1, 'wb').close()
+ dir1 = os.path.join(d2, 'dir1')
+ os.mkdir(dir1)
+ def test(target, target_is_directory):
+ d1 = self.do_create(recurse=0)
+ symlink = os.path.join(d1.name, 'symlink')
+ os.symlink(target, symlink,
+ target_is_directory=target_is_directory)
+ try:
+ os.chflags(symlink, flags, follow_symlinks=False)
+ except NotImplementedError:
+ pass
+ try:
+ os.chflags(symlink, flags)
+ except FileNotFoundError:
+ pass
+ os.chflags(d1.name, flags)
+ d1.cleanup()
+ self.assertFalse(os.path.exists(d1.name))
+
+ with self.subTest('nonexisting file'):
+ test('nonexisting', target_is_directory=False)
+ with self.subTest('nonexisting dir'):
+ test('nonexisting', target_is_directory=True)
+
+ with self.subTest('existing file'):
+ os.chflags(file1, flags)
+ old_flags = os.stat(file1).st_flags
+ test(file1, target_is_directory=False)
+ new_flags = os.stat(file1).st_flags
+ self.assertEqual(new_flags, old_flags)
+
+ with self.subTest('existing dir'):
+ os.chflags(dir1, flags)
+ old_flags = os.stat(dir1).st_flags
+ test(dir1, target_is_directory=True)
+ new_flags = os.stat(dir1).st_flags
+ self.assertEqual(new_flags, old_flags)
+
@support.cpython_only
def test_del_on_collection(self):
# A TemporaryDirectory is deleted when garbage collected
@@ -1506,9 +1603,27 @@ class TestTemporaryDirectory(BaseTestCas
d.cleanup()
self.assertFalse(os.path.exists(d.name))
- @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.lchflags')
+ def check_flags(self, flags):
+ # skip the test if these flags are not supported (ex: FreeBSD 13)
+ filename = support.TESTFN
+ try:
+ open(filename, "w").close()
+ try:
+ os.chflags(filename, flags)
+ except OSError as exc:
+ # "OSError: [Errno 45] Operation not supported"
+ self.skipTest(f"chflags() doesn't support flags "
+ f"{flags:#b}: {exc}")
+ else:
+ os.chflags(filename, 0)
+ finally:
+ support.unlink(filename)
+
+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags')
def test_flags(self):
flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK
+ self.check_flags(flags)
+
d = self.do_create(recurse=3, dirs=2, files=2)
with d:
# Change files and directories flags recursively.
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst
@@ -0,0 +1,2 @@
+Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no longer
+dereferences symlinks when working around file system permission errors.

32
python39.changes
View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Wed Feb 28 19:49:12 UTC 2024 - Matej Cepl <mcepl@suse.com>
- Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886).
-------------------------------------------------------------------
Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu> Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@ -22,7 +38,7 @@ Mon Dec 18 16:20:58 UTC 2023 - Matej Cepl <mcepl@cepl.eu>
Wed Sep 6 06:38:27 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com> Wed Sep 6 06:38:27 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Update to 3.9.18 (bsc#1214692): - Update to 3.9.18 (bsc#1214692):
- (bsc#1215454, gh-108310)Fixed an issue where instances - (bsc#1215454, gh-108310) Fixed an issue where instances
of ssl.SSLSocket were vulnerable to a bypass of the TLS of ssl.SSLSocket were vulnerable to a bypass of the TLS
handshake and included protections (like certificate handshake and included protections (like certificate
verification) and treating sent unencrypted data as if it verification) and treating sent unencrypted data as if it
@ -35,6 +51,20 @@ Wed Sep 6 06:38:27 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
LinkOutsideDestinationError. LinkOutsideDestinationError.
- gh-107565: Update multissltests and GitHub CI workflows to use - gh-107565: Update multissltests and GitHub CI workflows to use
OpenSSL 1.1.1v, 3.0.10, and 3.1.2. OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
- Refresh all patches:
- 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
- 99366-patch.dict-can-decorate-async.patch
- Revert-gh105127-left-tests.patch
- bpo-31046_ensurepip_honours_prefix.patch
- decimal.patch
- distutils-reproducible-compile.patch
- gh-78214-marshal_stabilize_FLAG_REF.patch
- python-3.3.0b1-localpath.patch
- python-3.3.0b1-test-posix_fadvise.patch
- python3-imp-returntype.patch
- subprocess-raise-timeout.patch
- support-expat-CVE-2022-25236-patched.patch
- downport-Sphinx-features.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com> Thu Aug 3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>

6
python39.spec
View File

@ -181,6 +181,9 @@ Patch42: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289 # PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289
# Fix tests for XMLPullParser with Expat 2.6.0 # Fix tests for XMLPullParser with Expat 2.6.0
Patch43: libexpat260.patch Patch43: libexpat260.patch
# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com
# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930)
Patch44: CVE-2023-6597-TempDir-cleaning-symlink.patch
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes
@ -429,7 +432,7 @@ other applications.
%patch -P 25 -p1 %patch -P 25 -p1
%patch -P 29 -p1 %patch -P 29 -p1
%patch -P 32 -p1 %patch -P 32 -p1
%if 0%{?sle_version} && 0%{?sle_version} <= 150300 %if 0%{?sle_version}
%patch -P 33 -p1 %patch -P 33 -p1
%patch -P 34 -p1 %patch -P 34 -p1
%endif %endif
@ -446,6 +449,7 @@ other applications.
%endif %endif
%patch -P 42 -p1 %patch -P 42 -p1
%patch -P 43 -p1 %patch -P 43 -p1
%patch -P 44 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac