Accepting request 1269058 from devel:languages:python:Factory

- Update to 3.9.22:
  - gh-131809: Update bundled libexpat to 2.7.1
  - gh-131261: Upgrade to libexpat 2.7.0
  - gh-105704: When using urllib.parse.urlsplit() and
    urllib.parse.urlparse() host parsing would not reject domain
    names containing square brackets ([ and ]). Square brackets
    are only valid for IPv6 and IPvFuture hosts according to RFC
    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
    gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
    when flattening an email message using a modern email
    policy. Previously when an encoded-word was too long for
    a line, it would be decoded, split across lines, and
    re-encoded. But commas and other special characters in the
    original text could be left unencoded and unquoted. This
    could theoretically be used to spoof header lines using a
    carefully constructed encoded-word if the resulting rendered
    email was transmitted or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib
    module. When connecting to a malicious server, it could
    cause an arbitrary amount of memory to be allocated. On many
    systems this is harmless as unused virtual memory is only
    a mapping, but if this hit a virtual address size limit
    it could lead to a MemoryError or other process crash. On
    unusual systems or builds where all allocated memory is
    touched and backed by actual ram or storage it could’ve
    consumed resources doing so until similarly crashing.
  - gh-121277: Writers of CPython’s documentation can now use
    next as the version for the versionchanged, versionadded,
    deprecated directives.

OBS-URL: https://build.opensuse.org/request/show/1269058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=73

98437-sphinx.locale._-as-gettext-in-pyspecific.patch

@@ -10,9 +10,11 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
  Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst |    1 +
  2 files changed, 5 insertions(+), 4 deletions(-)
 
---- a/Doc/tools/extensions/pyspecific.py
-+++ b/Doc/tools/extensions/pyspecific.py
-@@ -26,7 +26,7 @@ try:
+Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py	2025-04-11 09:49:58.417019238 +0200
++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py	2025-04-11 09:50:56.818993764 +0200
+@@ -27,7 +27,7 @@
      from sphinx.errors import NoUri
  except ImportError:
      from sphinx.environment import NoUri
@@ -21,7 +23,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
  from sphinx.util import status_iterator, logging
  from sphinx.util.nodes import split_explicit_title
  from sphinx.writers.text import TextWriter, TextTranslator
-@@ -110,7 +110,7 @@ class ImplementationDetail(Directive):
+@@ -111,7 +111,7 @@
  
      def run(self):
          pnode = nodes.compound(classes=['impl-detail'])
@@ -30,7 +32,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
          content = self.content
          add_text = nodes.strong(label, label)
          if self.arguments:
-@@ -179,7 +179,7 @@ class AuditEvent(Directive):
+@@ -180,7 +180,7 @@
          else:
              args = []
  
@@ -39,16 +41,18 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
          text = label.format(name="``{}``".format(name),
                              args=", ".join("``{}``".format(a) for a in args if a))
  
-@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive):
+@@ -380,7 +380,7 @@
          else:
              label = self._removed_label
  
 -        label = translators['sphinx'].gettext(label)
 +        label = sphinx_gettext(label)
-         text = label.format(deprecated=self.arguments[0], removed=self.arguments[1])
+         text = label.format(deprecated=version[0], removed=version[1])
          if len(self.arguments) == 3:
              inodes, messages = self.state.inline_text(self.arguments[2],
---- /dev/null
-+++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
+Index: Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst	2025-04-11 09:50:08.952333342 +0200
 @@ -0,0 +1 @@
 +Use sphinx.locale._ as the gettext function in pyspecific.py.

CVE-2025-0938-sq-brackets-domain-names.patch

@@ -1,127 +0,0 @@
-From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Fri, 31 Jan 2025 11:41:34 -0600
-Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain
- names for parsed URLs (GH-129418)
-
-* gh-105704: Disallow square brackets ( and ) in domain names for parsed URLs
-
-* Use Sphinx references
-
-Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
-
-* Add mismatched bracket test cases, fix news format
-
-* Add more test coverage for ports
-
----------
-
-(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a)
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
-Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
----
- Lib/test/test_urlparse.py                                                |   37 +++++++++-
- Lib/urllib/parse.py                                                      |   20 ++++-
- Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |    4 +
- 3 files changed, 58 insertions(+), 3 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
- 
-     def test_splitting_bracketed_hosts(self):
--        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
-+        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
-         self.assertEqual(p1.hostname, 'v6a.ip')
-         self.assertEqual(p1.username, 'user')
-         self.assertEqual(p1.path, '/path')
-+        self.assertEqual(p1.port, 1234)
-         p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
-         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
-         self.assertEqual(p2.username, 'user')
-         self.assertEqual(p2.path, '/path')
-+        self.assertIs(p2.port, None)
-         p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
-         self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
-         self.assertEqual(p3.username, 'user')
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -443,6 +443,23 @@ def _checknetloc(netloc):
-             raise ValueError("netloc '" + netloc + "' contains invalid " +
-                              "characters under NFKC normalization")
- 
-+def _check_bracketed_netloc(netloc):
-+    # Note that this function must mirror the splitting
-+    # done in NetlocResultMixins._hostinfo().
-+    hostname_and_port = netloc.rpartition('@')[2]
-+    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
-+    if have_open_br:
-+        # No data is allowed before a bracket.
-+        if before_bracket:
-+            raise ValueError("Invalid IPv6 URL")
-+        hostname, _, port = bracketed.partition(']')
-+        # No data is allowed after the bracket but before the port delimiter.
-+        if port and not port.startswith(":"):
-+            raise ValueError("Invalid IPv6 URL")
-+    else:
-+        hostname, _, port = hostname_and_port.partition(':')
-+    _check_bracketed_host(hostname)
-+
- # Valid bracketed hosts are defined in
- # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
- def _check_bracketed_host(hostname):
-@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragm
-                 (']' in netloc and '[' not in netloc)):
-             raise ValueError("Invalid IPv6 URL")
-         if '[' in netloc and ']' in netloc:
--            bracketed_host = netloc.partition('[')[2].partition(']')[0]
--            _check_bracketed_host(bracketed_host)
-+            _check_bracketed_netloc(netloc)
-     if allow_fragments and '#' in url:
-         url, fragment = url.split('#', 1)
-     if '?' in url:
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-@@ -0,0 +1,4 @@
-+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
-+parsing would not reject domain names containing square brackets (``[`` and
-+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
-+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

Python-3.9.21.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3126f59592c9b0d798584755f2bf7b081fa1ca35ce7a6fea980108d752a05bb1
-size 19647056

Python-3.9.22.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c136d199d3637a1fce98a16adc809c1d83c922d02d41f3614b34f8b6e7d38ec
+size 19652572

python39.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Apr  9 20:04:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.9.22:
+  - gh-131809: Update bundled libexpat to 2.7.1
+  - gh-131261: Upgrade to libexpat 2.7.0
+  - gh-105704: When using urllib.parse.urlsplit() and
+    urllib.parse.urlparse() host parsing would not reject domain
+    names containing square brackets ([ and ]). Square brackets
+    are only valid for IPv6 and IPvFuture hosts according to RFC
+    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
+    gh#python/cpython#105704).
+  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
+    when flattening an email message using a modern email
+    policy. Previously when an encoded-word was too long for
+    a line, it would be decoded, split across lines, and
+    re-encoded. But commas and other special characters in the
+    original text could be left unencoded and unquoted. This
+    could theoretically be used to spoof header lines using a
+    carefully constructed encoded-word if the resulting rendered
+    email was transmitted or re-parsed.
+  - gh-119511: Fix a potential denial of service in the imaplib
+    module. When connecting to a malicious server, it could
+    cause an arbitrary amount of memory to be allocated. On many
+    systems this is harmless as unused virtual memory is only
+    a mapping, but if this hit a virtual address size limit
+    it could lead to a MemoryError or other process crash. On
+    unusual systems or builds where all allocated memory is
+    touched and backed by actual ram or storage it could’ve
+    consumed resources doing so until similarly crashing.
+  - gh-121277: Writers of CPython’s documentation can now use
+    next as the version for the versionchanged, versionadded,
+    deprecated directives.
+- Remote upstreamed patch:
+  - CVE-2025-0938-sq-brackets-domain-names.patch
+
 -------------------------------------------------------------------
 Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
 

python39.spec

@@ -99,7 +99,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.21
+Version:        3.9.22
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -194,9 +194,6 @@ Patch50:        gh120226-fix-sendfile-test-kernel-610.patch
 # PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com
 # status_iterator method moved between the Sphinx versions
 Patch51:        sphinx-802.patch
-# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com
-# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets
-Patch52:        CVE-2025-0938-sq-brackets-domain-names.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -469,7 +466,6 @@ other applications.
 %patch -p1 -P 48
 %patch -p1 -P 50
 %patch -p1 -P 51
-%patch -p1 -P 52
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

sphinx-802.patch

@@ -2,9 +2,11 @@
  Doc/tools/extensions/pyspecific.py |    8 +++++++-
  1 file changed, 7 insertions(+), 1 deletion(-)
 
---- a/Doc/tools/extensions/pyspecific.py
-+++ b/Doc/tools/extensions/pyspecific.py
-@@ -27,7 +27,13 @@ try:
+Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py	2025-04-11 09:50:56.818993764 +0200
++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py	2025-04-11 09:51:18.844485631 +0200
+@@ -28,7 +28,13 @@
  except ImportError:
      from sphinx.environment import NoUri
  from sphinx.locale import _ as sphinx_gettext

sphinx-update-removed-function.patch

@@ -2,9 +2,11 @@
  Doc/tools/extensions/pyspecific.py |    7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)
 
---- a/Doc/tools/extensions/pyspecific.py
-+++ b/Doc/tools/extensions/pyspecific.py
-@@ -385,7 +385,12 @@ class DeprecatedRemoved(Directive):
+Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py	2025-04-08 17:21:55.000000000 +0200
++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py	2025-04-11 09:49:58.417019238 +0200
+@@ -407,7 +407,12 @@
                                     translatable=False)
              node.append(para)
          env = self.state.document.settings.env