Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837.

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic behavior in node ID cache clearing (CVE-2025-12084, bsc#1254997). - Add CVE-2025-13837-plistlib-mailicious-length.patch protect against OOM when loading malicious content (CVE-2025-13837, bsc#1254401).
2025-12-18 16:07:31 +01:00
parent d6395a2d78
commit 022658b5d0
9 changed files with 935 additions and 505 deletions
--- a/CVE-2023-52425-libexpat-2.6.0-backport.patch
+++ b/CVE-2023-52425-libexpat-2.6.0-backport.patch
@@ -4,9 +4,11 @@
 Lib/test/test_xml_etree.py |    7 +++++++
 3 files changed, 14 insertions(+)
--- a/Lib/test/test_pyexpat.py
+Index: Python-3.10.19/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
+===================================================================
-@@ -766,6 +766,10 @@ class ReparseDeferralTest(unittest.TestC
+--- Python-3.10.19.orig/Lib/test/test_pyexpat.py	2025-10-09 17:25:03.000000000 +0200
 +++ Python-3.10.19/Lib/test/test_pyexpat.py	2025-12-19 23:10:22.001497953 +0100
@@ -802,6 +802,10 @@
         self.assertEqual(started, ['doc'])
     def test_reparse_deferral_disabled(self):
@@ -17,9 +19,11 @@
         started = []
         def start_element(name, _):
--- a/Lib/test/test_sax.py
+Index: Python-3.10.19/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
+===================================================================
-@@ -1240,6 +1240,9 @@ class ExpatReaderTest(XmlTestBase):
+--- Python-3.10.19.orig/Lib/test/test_sax.py	2025-10-09 17:25:03.000000000 +0200
 +++ Python-3.10.19/Lib/test/test_sax.py	2025-12-19 23:10:22.002078897 +0100
@@ -1240,6 +1240,9 @@
         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
@@ -29,9 +33,11 @@
     def test_flush_reparse_deferral_disabled(self):
         result = BytesIO()
         xmlgen = XMLGenerator(result)
--- a/Lib/test/test_xml_etree.py
+Index: Python-3.10.19/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
+===================================================================
-@@ -1420,9 +1420,13 @@ class XMLPullParserTest(unittest.TestCas
+--- Python-3.10.19.orig/Lib/test/test_xml_etree.py	2025-10-09 17:25:03.000000000 +0200
 +++ Python-3.10.19/Lib/test/test_xml_etree.py	2025-12-19 23:10:22.002413090 +0100
@@ -1420,9 +1420,13 @@
         self.assert_event_tags(parser, [('end', 'root')])
         self.assertIsNone(parser.close())
@@ -45,7 +51,7 @@
     def test_simple_xml_chunk_5(self):
         self.test_simple_xml(chunk_size=5, flush=True)
-@@ -1647,6 +1651,9 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1647,6 +1651,9 @@
         self.assert_event_tags(parser, [('end', 'doc')])
--- a/CVE-2025-12084-minidom-quad-search.patch
+++ b/CVE-2025-12084-minidom-quad-search.patch
@@ -0,0 +1,93 @@
 From f4eb9ab014545b521fb261b80adfa6d138e7e092 Mon Sep 17 00:00:00 2001
 From: Seth Michael Larson <seth@python.org>
 Date: Wed, 3 Dec 2025 01:16:37 -0600
 Subject: [PATCH] gh-142145: Remove quadratic behavior in node ID cache
 clearing (GH-142146)
 * Remove quadratic behavior in node ID cache clearing
 Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
 * Add news fragment
 ---------
 (cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
 Co-authored-by: Seth Michael Larson <seth@python.org>
 Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
 ---
 Lib/test/test_minidom.py                                                 |   18 ++++++++++
 Lib/xml/dom/minidom.py                                                   |    9 -----
 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |    1 
 3 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
 Index: Python-3.10.19/Lib/test/test_minidom.py
 ===================================================================
 --- Python-3.10.19.orig/Lib/test/test_minidom.py	2025-12-19 23:10:45.263295780 +0100
 +++ Python-3.10.19/Lib/test/test_minidom.py	2025-12-19 23:10:50.342493590 +0100
@@ -2,6 +2,7 @@
 import copy
 import pickle
 +import time
 import io
 from test import support
 import unittest
@@ -176,6 +177,23 @@
         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
         dom.unlink()
 +    def testAppendChildNoQuadraticComplexity(self):
 +        impl = getDOMImplementation()
 +
 +        newdoc = impl.createDocument(None, "some_tag", None)
 +        top_element = newdoc.documentElement
 +        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
 +        element = top_element
 +
 +        start = time.time()
 +        for child in children:
 +            element.appendChild(child)
 +            element = child
 +        end = time.time()
 +
 +        # This example used to take at least 30 seconds.
 +        self.assertLess(end - start, 1)
 +
     def testAppendChildFragment(self):
         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
         dom.documentElement.appendChild(frag)
 Index: Python-3.10.19/Lib/xml/dom/minidom.py
 ===================================================================
 --- Python-3.10.19.orig/Lib/xml/dom/minidom.py	2025-12-19 23:10:45.263295780 +0100
 +++ Python-3.10.19/Lib/xml/dom/minidom.py	2025-12-19 23:10:50.342898393 +0100
@@ -292,13 +292,6 @@
     childNodes.append(node)
     node.parentNode = self
 -def _in_document(node):
 -    # return True iff node is part of a document tree
 -    while node is not None:
 -        if node.nodeType == Node.DOCUMENT_NODE:
 -            return True
 -        node = node.parentNode
 -    return False
 def _write_data(writer, data):
     "Writes datachars to writer."
@@ -1539,7 +1532,7 @@
     if node.nodeType == Node.DOCUMENT_NODE:
         node._id_cache.clear()
         node._id_search_stack = None
 -    elif _in_document(node):
 +    elif node.ownerDocument:
         node.ownerDocument._id_cache.clear()
         node.ownerDocument._id_search_stack= None
 Index: Python-3.10.19/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
 +++ Python-3.10.19/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst	2025-12-19 23:10:50.343161277 +0100
@@ -0,0 +1 @@
 +Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.
--- a/CVE-2025-13836-http-resp-cont-len.patch
+++ b/CVE-2025-13836-http-resp-cont-len.patch
@@ -13,16 +13,16 @@ of sent data.
 Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 ---
- Lib/http/client.py                                                       |   28 +++-
+ Lib/http/client.py                            | 28 ++++++--
- Lib/test/test_httplib.py                                                 |   66 ++++++++++
+ Lib/test/test_httplib.py                      | 66 +++++++++++++++++++
- Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst |    5 
+ ...-05-23-11-47-48.gh-issue-119451.qkJe9-.rst |  5 ++
 3 files changed, 95 insertions(+), 4 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-Index: Python-3.10.19/Lib/http/client.py
+diff --git a/Lib/http/client.py b/Lib/http/client.py
-===================================================================
+index d1b7b1048c9171..c8ab5b7662c334 100644
--- Python-3.10.19.orig/Lib/http/client.py	2025-12-18 16:06:48.095762644 +0100
+--- a/Lib/http/client.py
-+++ Python-3.10.19/Lib/http/client.py	2025-12-18 16:07:05.770054507 +0100
+++ b/Lib/http/client.py
@@ -111,6 +111,11 @@
 _MAXLINE = 65536
 _MAXHEADERS = 100
@@ -35,7 +35,7 @@ Index: Python-3.10.19/Lib/http/client.py
 # Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
 #
 # VCHAR          = %x21-7E
-@@ -628,10 +633,25 @@
+@@ -628,10 +633,25 @@ def _safe_read(self, amt):
         reading. If the bytes are truly not available (due to EOF), then the
         IncompleteRead exception can be used to detect the problem.
         """
@@ -65,11 +65,11 @@ Index: Python-3.10.19/Lib/http/client.py
     def _safe_readinto(self, b):
         """Same as _safe_read, but for reading into a buffer."""
-Index: Python-3.10.19/Lib/test/test_httplib.py
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-===================================================================
+index 77152cf64565e0..89ec5f6f1c5383 100644
--- Python-3.10.19.orig/Lib/test/test_httplib.py	2025-12-18 16:06:49.569188742 +0100
+--- a/Lib/test/test_httplib.py
-+++ Python-3.10.19/Lib/test/test_httplib.py	2025-12-18 16:07:05.770432072 +0100
+++ b/Lib/test/test_httplib.py
-@@ -1226,6 +1226,72 @@
+@@ -1226,6 +1226,72 @@ def run_server():
         thread.join()
         self.assertEqual(result, b"proxied data\n")
@@ -142,10 +142,11 @@ Index: Python-3.10.19/Lib/test/test_httplib.py
     def test_putrequest_override_domain_validation(self):
         """
         It should be possible to override the default validation
-Index: Python-3.10.19/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
+diff --git a/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
-===================================================================
+new file mode 100644
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+index 00000000000000..6d6f25cd2f8bf7
-+++ Python-3.10.19/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst	2025-12-18 16:07:05.770739655 +0100
+--- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
@@ -0,0 +1,5 @@
 +Fix a potential memory denial of service in the :mod:`http.client` module.
 +When connecting to a malicious server, it could cause
--- a/CVE-2025-13837-plistlib-mailicious-length.patch
+++ b/CVE-2025-13837-plistlib-mailicious-length.patch
@@ -0,0 +1,160 @@
 From e99059d800b741504ef18693803927a0dc062be4 Mon Sep 17 00:00:00 2001
 From: Serhiy Storchaka <storchaka@gmail.com>
 Date: Mon, 1 Dec 2025 17:28:15 +0200
 Subject: [PATCH] [3.10] gh-119342: Fix a potential denial of service in
 plistlib (GH-119343)
 Reading a specially prepared small Plist file could cause OOM because file's
 read(n) preallocates a bytes object for reading the specified amount of
 data. Now plistlib reads large data by chunks, therefore the upper limit of
 consumed memory is proportional to the size of the input file.
 (cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
 Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 ---
 Lib/plistlib.py                               | 31 ++++++++++------
 Lib/test/test_plistlib.py                     | 37 +++++++++++++++++--
 ...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst |  5 +++
 3 files changed, 59 insertions(+), 14 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
 diff --git a/Lib/plistlib.py b/Lib/plistlib.py
 index d6c997efe9c5f5..c80dfee02a3335 100644
 --- a/Lib/plistlib.py
 +++ b/Lib/plistlib.py
@@ -73,6 +73,9 @@
 PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
 globals().update(PlistFormat.__members__)
 +# Data larger than this will be read in chunks, to prevent extreme
 +# overallocation.
 +_MIN_READ_BUF_SIZE = 1 << 20
 class UID:
     def __init__(self, data):
@@ -499,12 +502,24 @@ def _get_size(self, tokenL):
         return tokenL
 +    def _read(self, size):
 +        cursize = min(size, _MIN_READ_BUF_SIZE)
 +        data = self._fp.read(cursize)
 +        while True:
 +            if len(data) != cursize:
 +                raise InvalidFileException
 +            if cursize == size:
 +                return data
 +            delta = min(cursize, size - cursize)
 +            data += self._fp.read(delta)
 +            cursize += delta
 +
     def _read_ints(self, n, size):
 -        data = self._fp.read(size * n)
 +        data = self._read(size * n)
         if size in _BINARY_FORMAT:
             return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
         else:
 -            if not size or len(data) != size * n:
 +            if not size:
                 raise InvalidFileException()
             return tuple(int.from_bytes(data[i: i + size], 'big')
                          for i in range(0, size * n, size))
@@ -561,22 +576,16 @@ def _read_object(self, ref):
         elif tokenH == 0x40:  # data
             s = self._get_size(tokenL)
 -            result = self._fp.read(s)
 -            if len(result) != s:
 -                raise InvalidFileException()
 +            result = self._read(s)
         elif tokenH == 0x50:  # ascii string
             s = self._get_size(tokenL)
 -            data = self._fp.read(s)
 -            if len(data) != s:
 -                raise InvalidFileException()
 +            data = self._read(s)
             result = data.decode('ascii')
         elif tokenH == 0x60:  # unicode string
             s = self._get_size(tokenL) * 2
 -            data = self._fp.read(s)
 -            if len(data) != s:
 -                raise InvalidFileException()
 +            data = self._read(s)
             result = data.decode('utf-16be')
         elif tokenH == 0x80:  # UID
 diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
 index ef96c6ceda21a2..d3836991d212cd 100644
 --- a/Lib/test/test_plistlib.py
 +++ b/Lib/test/test_plistlib.py
@@ -838,8 +838,7 @@ def test_xml_plist_with_entity_decl(self):
 class TestBinaryPlistlib(unittest.TestCase):
 -    @staticmethod
 -    def decode(*objects, offset_size=1, ref_size=1):
 +    def build(self, *objects, offset_size=1, ref_size=1):
         data = [b'bplist00']
         offset = 8
         offsets = []
@@ -851,7 +850,11 @@ def decode(*objects, offset_size=1, ref_size=1):
                            len(objects), 0, offset)
         data.extend(offsets)
         data.append(tail)
 -        return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
 +        return b''.join(data)
 +
 +    def decode(self, *objects, offset_size=1, ref_size=1):
 +        data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
 +        return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
     def test_nonstandard_refs_size(self):
         # Issue #21538: Refs and offsets are 24-bit integers
@@ -959,6 +962,34 @@ def test_invalid_binary(self):
                 with self.assertRaises(plistlib.InvalidFileException):
                     plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
 +    def test_truncated_large_data(self):
 +        self.addCleanup(os_helper.unlink, os_helper.TESTFN)
 +        def check(data):
 +            with open(os_helper.TESTFN, 'wb') as f:
 +                f.write(data)
 +            # buffered file
 +            with open(os_helper.TESTFN, 'rb') as f:
 +                with self.assertRaises(plistlib.InvalidFileException):
 +                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
 +            # unbuffered file
 +            with open(os_helper.TESTFN, 'rb', buffering=0) as f:
 +                with self.assertRaises(plistlib.InvalidFileException):
 +                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
 +        for w in range(20, 64):
 +            s = 1 << w
 +            # data
 +            check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
 +            # ascii string
 +            check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
 +            # unicode string
 +            check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
 +            # array
 +            check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
 +            # dict
 +            check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
 +            # number of objects
 +            check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
 +
 class TestKeyedArchive(unittest.TestCase):
     def test_keyed_archive_data(self):
 diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
 new file mode 100644
 index 00000000000000..04fd8faca4cf7e
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
@@ -0,0 +1,5 @@
 +Fix a potential memory denial of service in the :mod:`plistlib` module.
 +When reading a Plist file received from untrusted source, it could cause
 +an arbitrary amount of memory to be allocated.
 +This could have led to symptoms including a :exc:`MemoryError`, swapping, out
 +of memory (OOM) killed processes or containers, or even system crashes.
--- a/fix_configure_rst.patch
+++ b/fix_configure_rst.patch
@@ -3,9 +3,11 @@
 Misc/NEWS               |    2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)
--- a/Doc/using/configure.rst
+Index: Python-3.10.19/Doc/using/configure.rst
-+++ b/Doc/using/configure.rst
+===================================================================
-@@ -42,7 +42,6 @@ General Options
+--- Python-3.10.19.orig/Doc/using/configure.rst	2025-10-09 17:25:03.000000000 +0200
 +++ Python-3.10.19/Doc/using/configure.rst	2025-12-19 23:10:08.779794344 +0100
@@ -42,7 +42,6 @@
    See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
@@ -13,7 +15,7 @@
 .. cmdoption:: --with-cxx-main=COMPILER
    Compile the Python ``main()`` function and link Python executable with C++
-@@ -473,13 +472,11 @@ macOS Options
+@@ -473,13 +472,11 @@
 See ``Mac/README.rst``.
@@ -27,9 +29,11 @@
 .. cmdoption:: --enable-framework=INSTALLDIR
    Create a Python.framework rather than a traditional Unix install. Optional
--- a/Misc/NEWS
+Index: Python-3.10.19/Misc/NEWS
-+++ b/Misc/NEWS
+===================================================================
-@@ -3942,7 +3942,7 @@ C API
+--- Python-3.10.19.orig/Misc/NEWS	2025-10-09 17:25:03.000000000 +0200
 +++ Python-3.10.19/Misc/NEWS	2025-12-19 23:10:08.784479751 +0100
@@ -4018,7 +4018,7 @@
 -----
 - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
--- a/no-skipif-doctests.patch
+++ b/no-skipif-doctests.patch
@@ -4,9 +4,11 @@ unchanged:
 Doc/library/turtle.rst |   82 -------------------------------------------------
 1 file changed, 82 deletions(-)
--- a/Doc/library/turtle.rst
+Index: Python-3.10.19/Doc/library/turtle.rst
-+++ b/Doc/library/turtle.rst
+===================================================================
-@@ -250,7 +250,6 @@ Turtle motion
+--- Python-3.10.19.orig/Doc/library/turtle.rst	2025-10-09 17:25:03.000000000 +0200
 +++ Python-3.10.19/Doc/library/turtle.rst	2025-12-19 23:10:03.998503888 +0100
@@ -250,7 +250,6 @@
    turtle is headed.
    .. doctest::
@@ -14,7 +16,7 @@ unchanged:
       >>> turtle.position()
       (0.00,0.00)
-@@ -277,7 +276,6 @@ Turtle motion
+@@ -277,7 +276,6 @@
       >>> turtle.goto(0, 0)
    .. doctest::
@@ -22,7 +24,7 @@ unchanged:
       >>> turtle.position()
       (0.00,0.00)
-@@ -296,13 +294,11 @@ Turtle motion
+@@ -296,13 +294,11 @@
    orientation depends on the turtle mode, see :func:`mode`.
    .. doctest::
@@ -36,7 +38,7 @@ unchanged:
       >>> turtle.heading()
       22.0
-@@ -321,13 +317,11 @@ Turtle motion
+@@ -321,13 +317,11 @@
    orientation depends on the turtle mode, see :func:`mode`.
    .. doctest::
@@ -50,7 +52,7 @@ unchanged:
       >>> turtle.heading()
       22.0
-@@ -350,13 +344,11 @@ Turtle motion
+@@ -350,13 +344,11 @@
    not change the turtle's orientation.
    .. doctest::
@@ -64,7 +66,7 @@ unchanged:
        >>> tp = turtle.pos()
        >>> tp
-@@ -380,13 +372,11 @@ Turtle motion
+@@ -380,13 +372,11 @@
    unchanged.
    .. doctest::
@@ -78,7 +80,7 @@ unchanged:
       >>> turtle.position()
       (0.00,240.00)
-@@ -402,13 +392,11 @@ Turtle motion
+@@ -402,13 +392,11 @@
    Set the turtle's second coordinate to *y*, leave first coordinate unchanged.
    .. doctest::
@@ -92,7 +94,7 @@ unchanged:
       >>> turtle.position()
       (0.00,40.00)
-@@ -435,7 +423,6 @@ Turtle motion
+@@ -435,7 +423,6 @@
    =================== ====================
    .. doctest::
@@ -100,7 +102,7 @@ unchanged:
       >>> turtle.setheading(90)
       >>> turtle.heading()
-@@ -448,14 +435,12 @@ Turtle motion
+@@ -448,14 +435,12 @@
    its start-orientation (which depends on the mode, see :func:`mode`).
    .. doctest::
@@ -115,7 +117,7 @@ unchanged:
       >>> turtle.heading()
       90.0
-@@ -487,7 +472,6 @@ Turtle motion
+@@ -487,7 +472,6 @@
    calculated automatically.  May be used to draw regular polygons.
    .. doctest::
@@ -123,7 +125,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.position()
-@@ -516,7 +500,6 @@ Turtle motion
+@@ -516,7 +500,6 @@
    .. doctest::
@@ -131,7 +133,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.dot()
-@@ -534,7 +517,6 @@ Turtle motion
+@@ -534,7 +517,6 @@
    it by calling ``clearstamp(stamp_id)``.
    .. doctest::
@@ -139,7 +141,7 @@ unchanged:
       >>> turtle.color("blue")
       >>> turtle.stamp()
-@@ -550,7 +532,6 @@ Turtle motion
+@@ -550,7 +532,6 @@
    Delete stamp with given *stampid*.
    .. doctest::
@@ -147,7 +149,7 @@ unchanged:
       >>> turtle.position()
       (150.00,-0.00)
-@@ -595,7 +576,6 @@ Turtle motion
+@@ -595,7 +576,6 @@
    undo actions is determined by the size of the undobuffer.
    .. doctest::
@@ -155,7 +157,7 @@ unchanged:
       >>> for i in range(4):
       ...     turtle.fd(50); turtle.lt(80)
-@@ -628,7 +608,6 @@ Turtle motion
+@@ -628,7 +608,6 @@
    turtle turn instantly.
    .. doctest::
@@ -163,7 +165,7 @@ unchanged:
       >>> turtle.speed()
       3
-@@ -649,7 +628,6 @@ Tell Turtle's state
+@@ -649,7 +628,6 @@
    Return the turtle's current location (x,y) (as a :class:`Vec2D` vector).
    .. doctest::
@@ -171,7 +173,7 @@ unchanged:
       >>> turtle.pos()
       (440.00,-0.00)
-@@ -665,7 +643,6 @@ Tell Turtle's state
+@@ -665,7 +643,6 @@
    orientation which depends on the mode - "standard"/"world" or "logo".
    .. doctest::
@@ -179,7 +181,7 @@ unchanged:
       >>> turtle.goto(10, 10)
       >>> turtle.towards(0,0)
-@@ -677,7 +654,6 @@ Tell Turtle's state
+@@ -677,7 +654,6 @@
    Return the turtle's x coordinate.
    .. doctest::
@@ -187,7 +189,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.left(50)
-@@ -693,7 +669,6 @@ Tell Turtle's state
+@@ -693,7 +669,6 @@
    Return the turtle's y coordinate.
    .. doctest::
@@ -195,7 +197,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.left(60)
-@@ -710,7 +685,6 @@ Tell Turtle's state
+@@ -710,7 +685,6 @@
    :func:`mode`).
    .. doctest::
@@ -203,7 +205,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.left(67)
-@@ -727,7 +701,6 @@ Tell Turtle's state
+@@ -727,7 +701,6 @@
    other turtle, in turtle step units.
    .. doctest::
@@ -211,7 +213,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.distance(30,40)
-@@ -751,7 +724,6 @@ Settings for measurement
+@@ -751,7 +724,6 @@
    Default value is 360 degrees.
    .. doctest::
@@ -219,7 +221,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.left(90)
-@@ -774,7 +746,6 @@ Settings for measurement
+@@ -774,7 +746,6 @@
    ``degrees(2*math.pi)``.
    .. doctest::
@@ -227,7 +229,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.left(90)
-@@ -785,7 +756,6 @@ Settings for measurement
+@@ -785,7 +756,6 @@
       1.5707963267948966
    .. doctest::
@@ -235,7 +237,7 @@ unchanged:
       :hide:
       >>> turtle.degrees(360)
-@@ -821,7 +791,6 @@ Drawing state
+@@ -821,7 +791,6 @@
    thickness.  If no argument is given, the current pensize is returned.
    .. doctest::
@@ -243,7 +245,7 @@ unchanged:
       >>> turtle.pensize()
       1
-@@ -853,7 +822,6 @@ Drawing state
+@@ -853,7 +822,6 @@
    attributes in one statement.
    .. doctest::
@@ -251,7 +253,7 @@ unchanged:
       :options: +NORMALIZE_WHITESPACE
       >>> turtle.pen(fillcolor="black", pencolor="red", pensize=10)
-@@ -876,7 +844,6 @@ Drawing state
+@@ -876,7 +844,6 @@
    Return ``True`` if pen is down, ``False`` if it's up.
    .. doctest::
@@ -259,7 +261,7 @@ unchanged:
       >>> turtle.penup()
       >>> turtle.isdown()
-@@ -917,7 +884,6 @@ Color control
+@@ -917,7 +884,6 @@
    newly set pencolor.
    .. doctest::
@@ -267,7 +269,7 @@ unchanged:
        >>> colormode()
        1.0
-@@ -966,7 +932,6 @@ Color control
+@@ -966,7 +932,6 @@
    with the newly set fillcolor.
    .. doctest::
@@ -275,7 +277,7 @@ unchanged:
        >>> turtle.fillcolor("violet")
        >>> turtle.fillcolor()
-@@ -1005,7 +970,6 @@ Color control
+@@ -1005,7 +970,6 @@
    with the newly set colors.
    .. doctest::
@@ -283,7 +285,7 @@ unchanged:
        >>> turtle.color("red", "green")
        >>> turtle.color()
-@@ -1022,7 +986,6 @@ Filling
+@@ -1022,7 +986,6 @@
 ~~~~~~~
 .. doctest::
@@ -291,7 +293,7 @@ unchanged:
    :hide:
    >>> turtle.home()
-@@ -1032,7 +995,6 @@ Filling
+@@ -1032,7 +995,6 @@
    Return fillstate (``True`` if filling, ``False`` else).
    .. doctest::
@@ -299,7 +301,7 @@ unchanged:
        >>> turtle.begin_fill()
        >>> if turtle.filling():
-@@ -1057,7 +1019,6 @@ Filling
+@@ -1057,7 +1019,6 @@
    above may be either all yellow or have some white regions.
    .. doctest::
@@ -307,7 +309,7 @@ unchanged:
       >>> turtle.color("black", "red")
       >>> turtle.begin_fill()
-@@ -1074,7 +1035,6 @@ More drawing control
+@@ -1074,7 +1035,6 @@
    variables to the default values.
    .. doctest::
@@ -315,7 +317,7 @@ unchanged:
       >>> turtle.goto(0,-22)
       >>> turtle.left(100)
-@@ -1125,7 +1085,6 @@ Visibility
+@@ -1125,7 +1085,6 @@
    drawing observably.
    .. doctest::
@@ -323,7 +325,7 @@ unchanged:
       >>> turtle.hideturtle()
-@@ -1136,7 +1095,6 @@ Visibility
+@@ -1136,7 +1095,6 @@
    Make the turtle visible.
    .. doctest::
@@ -331,7 +333,7 @@ unchanged:
       >>> turtle.showturtle()
-@@ -1167,7 +1125,6 @@ Appearance
+@@ -1167,7 +1125,6 @@
    deal with shapes see Screen method :func:`register_shape`.
    .. doctest::
@@ -339,7 +341,7 @@ unchanged:
       >>> turtle.shape()
       'classic'
-@@ -1193,7 +1150,6 @@ Appearance
+@@ -1193,7 +1150,6 @@
    ``resizemode("user")`` is called by :func:`shapesize` when used with arguments.
    .. doctest::
@@ -347,15 +349,15 @@ unchanged:
       >>> turtle.resizemode()
       'noresize'
-@@ -1217,7 +1173,6 @@ Appearance
+@@ -1217,7 +1173,6 @@
-    of the shapes's outline.
+    of the shape's outline.
    .. doctest::
 -      :skipif: _tkinter is None
       >>> turtle.shapesize()
       (1.0, 1.0, 1)
-@@ -1242,7 +1197,6 @@ Appearance
+@@ -1242,7 +1197,6 @@
    heading of the turtle are sheared.
    .. doctest::
@@ -363,7 +365,7 @@ unchanged:
        >>> turtle.shape("circle")
        >>> turtle.shapesize(5,2)
-@@ -1259,7 +1213,6 @@ Appearance
+@@ -1259,7 +1213,6 @@
    change the turtle's heading (direction of movement).
    .. doctest::
@@ -371,7 +373,7 @@ unchanged:
       >>> turtle.reset()
       >>> turtle.shape("circle")
-@@ -1279,7 +1232,6 @@ Appearance
+@@ -1279,7 +1232,6 @@
    (direction of movement).
    .. doctest::
@@ -379,7 +381,7 @@ unchanged:
       >>> turtle.reset()
       >>> turtle.shape("circle")
-@@ -1305,7 +1257,6 @@ Appearance
+@@ -1305,7 +1257,6 @@
    turtle (its direction of movement).
    .. doctest::
@@ -387,7 +389,7 @@ unchanged:
       >>> turtle.reset()
       >>> turtle.shape("circle")
-@@ -1334,7 +1285,6 @@ Appearance
+@@ -1334,7 +1285,6 @@
    given matrix.
    .. doctest::
@@ -395,7 +397,7 @@ unchanged:
       >>> turtle = Turtle()
       >>> turtle.shape("square")
-@@ -1350,7 +1300,6 @@ Appearance
+@@ -1350,7 +1300,6 @@
    can be used to define a new shape or components of a compound shape.
    .. doctest::
@@ -403,7 +405,7 @@ unchanged:
       >>> turtle.shape("square")
       >>> turtle.shapetransform(4, -1, 0, 2)
-@@ -1375,7 +1324,6 @@ Using events
+@@ -1375,7 +1324,6 @@
    procedural way:
    .. doctest::
@@ -411,7 +413,7 @@ unchanged:
       >>> def turn(x, y):
       ...     left(180)
-@@ -1396,7 +1344,6 @@ Using events
+@@ -1396,7 +1344,6 @@
    ``None``, existing bindings are removed.
    .. doctest::
@@ -419,7 +421,7 @@ unchanged:
       >>> class MyTurtle(Turtle):
       ...     def glow(self,x,y):
-@@ -1424,7 +1371,6 @@ Using events
+@@ -1424,7 +1371,6 @@
    mouse-click event on that turtle.
    .. doctest::
@@ -427,7 +429,7 @@ unchanged:
       >>> turtle.ondrag(turtle.goto)
-@@ -1452,7 +1398,6 @@ Special Turtle methods
+@@ -1452,7 +1398,6 @@
    Return the last recorded polygon.
    .. doctest::
@@ -435,7 +437,7 @@ unchanged:
       >>> turtle.home()
       >>> turtle.begin_poly()
-@@ -1472,7 +1417,6 @@ Special Turtle methods
+@@ -1472,7 +1417,6 @@
    turtle properties.
    .. doctest::
@@ -443,7 +445,7 @@ unchanged:
       >>> mick = Turtle()
       >>> joe = mick.clone()
-@@ -1485,7 +1429,6 @@ Special Turtle methods
+@@ -1485,7 +1429,6 @@
    return the "anonymous turtle":
    .. doctest::
@@ -451,7 +453,7 @@ unchanged:
       >>> pet = getturtle()
       >>> pet.fd(50)
-@@ -1499,7 +1442,6 @@ Special Turtle methods
+@@ -1499,7 +1442,6 @@
    TurtleScreen methods can then be called for that object.
    .. doctest::
@@ -459,7 +461,7 @@ unchanged:
       >>> ts = turtle.getscreen()
       >>> ts
-@@ -1517,7 +1459,6 @@ Special Turtle methods
+@@ -1517,7 +1459,6 @@
    ``None``, the undobuffer is disabled.
    .. doctest::
@@ -467,7 +469,7 @@ unchanged:
       >>> turtle.setundobuffer(42)
-@@ -1527,7 +1468,6 @@ Special Turtle methods
+@@ -1527,7 +1468,6 @@
    Return number of entries in the undobuffer.
    .. doctest::
@@ -475,7 +477,7 @@ unchanged:
       >>> while undobufferentries():
       ...     undo()
-@@ -1550,7 +1490,6 @@ below:
+@@ -1550,7 +1490,6 @@
    For example:
    .. doctest::
@@ -483,7 +485,7 @@ unchanged:
       >>> s = Shape("compound")
       >>> poly1 = ((0,0),(10,-5),(0,10),(-10,-5))
-@@ -1561,7 +1500,6 @@ below:
+@@ -1561,7 +1500,6 @@
 3. Now add the Shape to the Screen's shapelist and use it:
    .. doctest::
@@ -491,7 +493,7 @@ unchanged:
       >>> register_shape("myshape", s)
       >>> shape("myshape")
-@@ -1581,7 +1519,6 @@ Most of the examples in this section ref
+@@ -1581,7 +1519,6 @@
 ``screen``.
 .. doctest::
@@ -499,7 +501,7 @@ unchanged:
    :hide:
    >>> screen = Screen()
-@@ -1598,7 +1535,6 @@ Window control
+@@ -1598,7 +1535,6 @@
    Set or return background color of the TurtleScreen.
    .. doctest::
@@ -507,7 +509,7 @@ unchanged:
       >>> screen.bgcolor("orange")
       >>> screen.bgcolor()
-@@ -1690,7 +1626,6 @@ Window control
+@@ -1690,7 +1626,6 @@
    distorted.
    .. doctest::
@@ -515,7 +517,7 @@ unchanged:
       >>> screen.reset()
       >>> screen.setworldcoordinates(-50,-7.5,50,7.5)
-@@ -1701,7 +1636,6 @@ Window control
+@@ -1701,7 +1636,6 @@
       ...     left(45); fd(2)   # a regular octagon
    .. doctest::
@@ -523,7 +525,7 @@ unchanged:
       :hide:
       >>> screen.reset()
-@@ -1723,7 +1657,6 @@ Animation control
+@@ -1723,7 +1657,6 @@
    Optional argument:
    .. doctest::
@@ -531,7 +533,7 @@ unchanged:
       >>> screen.delay()
       10
-@@ -1745,7 +1678,6 @@ Animation control
+@@ -1745,7 +1678,6 @@
    :func:`delay`).
    .. doctest::
@@ -539,7 +541,7 @@ unchanged:
       >>> screen.tracer(8, 25)
       >>> dist = 2
-@@ -1782,7 +1714,6 @@ Using screen events
+@@ -1782,7 +1714,6 @@
    must have the focus. (See method :func:`listen`.)
    .. doctest::
@@ -547,7 +549,7 @@ unchanged:
       >>> def f():
       ...     fd(50)
-@@ -1803,7 +1734,6 @@ Using screen events
+@@ -1803,7 +1734,6 @@
    must have focus. (See method :func:`listen`.)
    .. doctest::
@@ -555,7 +557,7 @@ unchanged:
       >>> def f():
       ...     fd(50)
-@@ -1828,7 +1758,6 @@ Using screen events
+@@ -1828,7 +1758,6 @@
    named ``turtle``:
    .. doctest::
@@ -563,7 +565,7 @@ unchanged:
       >>> screen.onclick(turtle.goto) # Subsequently clicking into the TurtleScreen will
       >>>                             # make the turtle move to the clicked point.
-@@ -1848,7 +1777,6 @@ Using screen events
+@@ -1848,7 +1777,6 @@
    Install a timer that calls *fun* after *t* milliseconds.
    .. doctest::
@@ -571,7 +573,7 @@ unchanged:
       >>> running = True
       >>> def f():
-@@ -1930,7 +1858,6 @@ Settings and special methods
+@@ -1930,7 +1858,6 @@
    ============ ========================= ===================
    .. doctest::
@@ -579,7 +581,7 @@ unchanged:
       >>> mode("logo")   # resets turtle heading to north
       >>> mode()
-@@ -1945,7 +1872,6 @@ Settings and special methods
+@@ -1945,7 +1872,6 @@
    values of color triples have to be in the range 0..\ *cmode*.
    .. doctest::
@@ -587,7 +589,7 @@ unchanged:
       >>> screen.colormode(1)
       >>> turtle.pencolor(240, 160, 80)
-@@ -1966,7 +1892,6 @@ Settings and special methods
+@@ -1966,7 +1892,6 @@
    do with a Tkinter Canvas.
    .. doctest::
@@ -595,7 +597,7 @@ unchanged:
       >>> cv = screen.getcanvas()
       >>> cv
-@@ -1978,7 +1903,6 @@ Settings and special methods
+@@ -1978,7 +1903,6 @@
    Return a list of names of all currently available turtle shapes.
    .. doctest::
@@ -603,7 +605,7 @@ unchanged:
       >>> screen.getshapes()
       ['arrow', 'blank', 'circle', ..., 'turtle']
-@@ -2002,7 +1926,6 @@ Settings and special methods
+@@ -2002,7 +1926,6 @@
        coordinates: Install the corresponding polygon shape.
        .. doctest::
@@ -611,7 +613,7 @@ unchanged:
           >>> screen.register_shape("triangle", ((5,-3), (0,5), (-5,-3)))
-@@ -2018,7 +1941,6 @@ Settings and special methods
+@@ -2018,7 +1941,6 @@
    Return the list of turtles on the screen.
    .. doctest::
@@ -619,7 +621,7 @@ unchanged:
       >>> for turtle in screen.turtles():
       ...     turtle.color("red")
-@@ -2080,7 +2002,6 @@ Methods specific to Screen, not inherite
+@@ -2080,7 +2002,6 @@
                   center window vertically
    .. doctest::
@@ -627,7 +629,7 @@ unchanged:
       >>> screen.setup (width=200, height=200, startx=0, starty=0)
       >>>              # sets window to 200x200 pixels, in upper left of screen
-@@ -2096,7 +2017,6 @@ Methods specific to Screen, not inherite
+@@ -2096,7 +2017,6 @@
    Set title of turtle window to *titlestring*.
    .. doctest::
@@ -635,7 +637,7 @@ unchanged:
       >>> screen.title("Welcome to the turtle zoo!")
-@@ -2167,7 +2087,6 @@ Public classes
+@@ -2167,7 +2087,6 @@
       Example:
       .. doctest::
@@ -643,7 +645,7 @@ unchanged:
          >>> poly = ((0,0),(10,-5),(0,10),(-10,-5))
          >>> s = Shape("compound")
-@@ -2514,7 +2433,6 @@ Changes since Python 3.0
+@@ -2518,7 +2437,6 @@
 .. doctest::
--- a/python310.changes
+++ b/python310.changes
@@ -1,3 +1,17 @@
 -------------------------------------------------------------------
 Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 - Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
 - Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
 - Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).
 -------------------------------------------------------------------
 Thu Dec 18 15:53:59 CET 2025 - Matej Cepl <mcepl@suse.com>
 - 
--- a/python310.spec
+++ b/python310.spec
@@ -210,6 +210,12 @@ Patch30:        CVE-2025-6075-expandvars-perf-degrad.patch
 # PATCH-FIX-UPSTREAM CVE-2025-13836-http-resp-cont-len.patch bsc#1254400 mcepl@suse.com
 # Avoid loading possibly compromised length of HTTP response
 Patch31:         CVE-2025-13836-http-resp-cont-len.patch
 # PATCH-FIX-UPSTREAM CVE-2025-12084-minidom-quad-search.patch bsc#1254997 mcepl@suse.com
 # prevent quadratic behavior in node ID cache clearing 
 Patch32:        CVE-2025-12084-minidom-quad-search.patch
 # PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com
 # protect against OOM when loading malicious content
 Patch33:        CVE-2025-13837-plistlib-mailicious-length.patch 
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
--- a/sphinx-72.patch
+++ b/sphinx-72.patch