update the patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=189

CVE-2025-8194-tarfile-no-neg-offsets.patch

@@ -1,23 +1,23 @@
-From 28d130238bfb5604eef4b594d597f7b5ec951eba Mon Sep 17 00:00:00 2001
+From 898ac93eeeabfaffbc008dc3201e17cb39c1a957 Mon Sep 17 00:00:00 2001
 From: Alexander Urieles <aeurielesn@users.noreply.github.com>
 Date: Mon, 28 Jul 2025 17:37:26 +0200
-Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member
+Subject: [PATCH] [3.10] gh-130577: tarfile now validates archives to ensure
- offsets are non-negative (GH-137027) (cherry picked from commit
+ member offsets are non-negative (GH-137027) (cherry picked from commit
  7040aa54f14676938970e10c5f74ea93cd56aa38)
 
 Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
  Lib/tarfile.py                                                          |    3 
- Lib/test/test_tarfile.py                                                |  156 ++++++++++
+ Lib/test/test_tarfile.py                                                |  188 ++++++++++
  Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst |    3 
- 3 files changed, 162 insertions(+)
+ 3 files changed, 194 insertions(+)
  create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
 
 Index: Python-3.10.18/Lib/tarfile.py
 ===================================================================
---- Python-3.10.18.orig/Lib/tarfile.py	2025-08-01 22:19:32.977960762 +0200
+--- Python-3.10.18.orig/Lib/tarfile.py	2025-08-01 22:22:33.661509420 +0200
-+++ Python-3.10.18/Lib/tarfile.py	2025-08-01 22:19:36.731047446 +0200
++++ Python-3.10.18/Lib/tarfile.py	2025-08-01 22:22:37.753515863 +0200
 @@ -1612,6 +1612,9 @@
          """Round up a byte count by BLOCKSIZE and return it,
             e.g. _block(834) => 1024.
@@ -30,8 +30,8 @@ Index: Python-3.10.18/Lib/tarfile.py
              blocks += 1
 Index: Python-3.10.18/Lib/test/test_tarfile.py
 ===================================================================
---- Python-3.10.18.orig/Lib/test/test_tarfile.py	2025-08-01 22:19:34.277975756 +0200
+--- Python-3.10.18.orig/Lib/test/test_tarfile.py	2025-08-01 22:22:34.991018210 +0200
-+++ Python-3.10.18/Lib/test/test_tarfile.py	2025-08-01 22:19:36.731272825 +0200
++++ Python-3.10.18/Lib/test/test_tarfile.py	2025-08-01 22:22:37.754065449 +0200
 @@ -49,6 +49,7 @@
  xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
  tmpname = os.path.join(TEMPDIR, "tmp.tar")
@@ -40,10 +40,42 @@ Index: Python-3.10.18/Lib/test/test_tarfile.py
  
  sha256_regtype = (
      "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
-@@ -4273,6 +4274,161 @@
+@@ -4273,6 +4274,193 @@
              self.expect_exception(TypeError)  # errorlevel is not int
  
  
++class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
++    testdir = os.path.join(TEMPDIR, "testoverwrite")
++
++    @classmethod
++    def setUpClass(cls):
++        p = cls.ar_with_file = os.path.join(TEMPDIR, 'tar-with-file.tar')
++        cls.addClassCleanup(os_helper.unlink, p)
++        with tarfile.open(p, 'w') as tar:
++            t = tarfile.TarInfo('test')
++            t.size = 10
++            tar.addfile(t, io.BytesIO(b'newcontent'))
++
++        p = cls.ar_with_dir = os.path.join(TEMPDIR, 'tar-with-dir.tar')
++        cls.addClassCleanup(os_helper.unlink, p)
++        with tarfile.open(p, 'w') as tar:
++            tar.addfile(tar.gettarinfo(os.curdir, 'test'))
++
++        p = os.path.join(TEMPDIR, 'tar-with-implicit-dir.tar')
++        cls.ar_with_implicit_dir = p
++        cls.addClassCleanup(os_helper.unlink, p)
++        with tarfile.open(p, 'w') as tar:
++            t = tarfile.TarInfo('test/file')
++            t.size = 10
++            tar.addfile(t, io.BytesIO(b'newcontent'))
++
++    def open(self, path):
++        return tarfile.open(path, 'r')
++
++    def extractall(self, ar):
++        ar.extractall(self.testdir, filter='fully_trusted')
++
++
 +class OffsetValidationTests(unittest.TestCase):
 +    tarname = tmpname
 +    invalid_posix_header = (
@@ -205,7 +237,7 @@ Index: Python-3.10.18/Lib/test/test_tarfile.py
 Index: Python-3.10.18/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.10.18/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst	2025-08-01 22:19:36.732214922 +0200
++++ Python-3.10.18/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst	2025-08-01 22:22:37.754445878 +0200
 @@ -0,0 +1,3 @@
 +:mod:`tarfile` now validates archives to ensure member offsets are
 +non-negative.  (Contributed by Alexander Enrique Urieles Nieto in