python-interpreters/python311
SHA256
6
0
Fork 0
forked from pool/python311
Code Pull Requests Activity
Files
factory
python311/CVE-2023-52425-libexpat-2.6.0-backport.patch

234 lines
8.6 KiB
Diff
Raw Permalink Normal View History

- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
---
Lib/test/support/__init__.py | 16 ++++++++++++++--
Lib/test/test_minidom.py | 23 +++++++++--------------
Lib/test/test_pyexpat.py | 12 +++++-------
Lib/test/test_sax.py | 18 +++++++++---------
Lib/test/test_xml_etree.py | 12 ------------
5 files changed, 37 insertions(+), 44 deletions(-)
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
Index: Python-3.11.14/Lib/test/support/__init__.py
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
===================================================================
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-15 19:15:08.449938538 +0100
+++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-15 19:15:12.859120260 +0100
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
@@ -8,6 +8,7 @@
import functools
import os
import re
+import pyexpat
import stat
import sys
import sysconfig
@@ -56,7 +57,7 @@
"run_with_tz", "PGO", "missing_compiler_executable",
"ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST",
"LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT",
- "skip_on_s390x",
+ "skip_on_s390x", "fails_with_expat_2_6_0", "is_expat_2_6_0"
]
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
@@ -2279,6 +2280,17 @@
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
}
return ignored
-#Windows doesn't have os.uname() but it doesn't support s390x.
+
+# Windows doesn't have os.uname() but it doesn't support s390x.
skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
'skipped on s390x')
+
+
+@functools.lru_cache
+def _is_expat_2_6_0():
+ return hasattr(pyexpat.ParserCreate(), 'SetReparseDeferralEnabled')
+is_expat_2_6_0 = _is_expat_2_6_0()
+
+fails_with_expat_2_6_0 = (unittest.expectedFailure
+ if is_expat_2_6_0
+ else lambda test: test)
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
Index: Python-3.11.14/Lib/test/test_minidom.py
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
===================================================================
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
--- Python-3.11.14.orig/Lib/test/test_minidom.py 2025-11-15 19:14:53.915952608 +0100
+++ Python-3.11.14/Lib/test/test_minidom.py 2025-11-15 19:15:12.859877278 +0100
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
@@ -6,7 +6,6 @@
from test import support
import unittest
-import pyexpat
import xml.dom.minidom
from xml.dom.minidom import parse, Attr, Node, Document, parseString
@@ -1163,13 +1162,11 @@
# Verify that character decoding errors raise exceptions instead
# of crashing
- if pyexpat.version_info >= (2, 4, 5):
- self.assertRaises(ExpatError, parseString,
- b'<fran\xe7ais></fran\xe7ais>')
- self.assertRaises(ExpatError, parseString,
- b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
- else:
- self.assertRaises(UnicodeDecodeError, parseString,
+ # It doesnt make any sense to insist on the exact text of the
+ # error message, or even the exact Exception … it is enough that
+ # the error has been discovered.
+ with self.assertRaises((UnicodeDecodeError, ExpatError)):
+ parseString(
b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
doc.unlink()
@@ -1631,12 +1628,10 @@
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
def testExceptionOnSpacesInXMLNSValue(self):
- if pyexpat.version_info >= (2, 4, 5):
- context = self.assertRaisesRegex(ExpatError, 'syntax error')
- else:
- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-
- with context:
+ # It doesnt make any sense to insist on the exact text of the
+ # error message, or even the exact Exception … it is enough that
+ # the error has been discovered.
+ with self.assertRaises((ExpatError, ValueError)):
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
def testDocRemoveChild(self):
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
Index: Python-3.11.14/Lib/test/test_pyexpat.py
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
===================================================================
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-15 19:14:53.915952608 +0100
+++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-15 19:15:12.860334045 +0100
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
@@ -14,8 +14,7 @@
from xml.parsers import expat
from xml.parsers.expat import errors
-from test.support import sortdict, is_emscripten, is_wasi
-
+from test.support import sortdict, is_emscripten, is_wasi, is_expat_2_6_0
class SetAttributeTest(unittest.TestCase):
def setUp(self):
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
@@ -806,9 +805,8 @@
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
def test_reparse_deferral_enabled(self):
- if expat.version_info < (2, 6, 0):
- self.skipTest(f'Expat {expat.version_info} does not '
- 'support reparse deferral')
+ if not is_expat_2_6_0:
+ self.skipTest("Linked libexpat doesn't support reparse deferral")
started = []
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
@@ -837,9 +835,9 @@
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
parser = expat.ParserCreate()
parser.StartElementHandler = start_element
- if expat.version_info >= (2, 6, 0):
+ if is_expat_2_6_0:
parser.SetReparseDeferralEnabled(False)
- self.assertFalse(parser.GetReparseDeferralEnabled())
+ self.assertFalse(parser.GetReparseDeferralEnabled())
for chunk in (b'<doc', b'/>'):
parser.Parse(chunk, False)
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
Index: Python-3.11.14/Lib/test/test_sax.py
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
===================================================================
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-15 19:14:53.915952608 +0100
+++ Python-3.11.14/Lib/test/test_sax.py 2025-11-15 19:15:12.860746114 +0100
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
@@ -19,13 +19,11 @@
from io import BytesIO, StringIO
import codecs
import os.path
-import pyexpat
import shutil
import sys
from urllib.error import URLError
import urllib.request
-from test.support import os_helper
-from test.support import findfile
+from test.support import os_helper, findfile, is_expat_2_6_0
from test.support.os_helper import FakePath, TESTFN
@@ -1215,10 +1213,10 @@
self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
- @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
- f'Expat {pyexpat.version_info} does not '
- 'support reparse deferral')
def test_flush_reparse_deferral_enabled(self):
+ if not is_expat_2_6_0:
+ self.skipTest("Linked libexpat doesn't support reparse deferral")
+
result = BytesIO()
xmlgen = XMLGenerator(result)
parser = create_parser()
@@ -1241,6 +1239,9 @@
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
def test_flush_reparse_deferral_disabled(self):
+ if not is_expat_2_6_0:
+ self.skipTest("Linked libexpat doesn't support reparse deferral")
+
result = BytesIO()
xmlgen = XMLGenerator(result)
parser = create_parser()
@@ -1249,9 +1250,8 @@
for chunk in ("<doc", ">"):
parser.feed(chunk)
- if pyexpat.version_info >= (2, 6, 0):
- parser._parser.SetReparseDeferralEnabled(False)
- self.assertEqual(result.getvalue(), start) # i.e. no elements started
+ parser._parser.SetReparseDeferralEnabled(False)
+ self.assertEqual(result.getvalue(), start) # i.e. no elements started
self.assertFalse(parser._parser.GetReparseDeferralEnabled())
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
Index: Python-3.11.14/Lib/test/test_xml_etree.py
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
===================================================================
Add CVE-2025-6075-expandvars-perf-degrad.patch Avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974). Readjusted patches: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
2025-11-15 19:16:35 +01:00
--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-15 19:14:53.915952608 +0100
+++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-15 19:15:12.861491049 +0100
- Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
2025-04-11 08:56:48 +00:00
@@ -13,7 +13,6 @@
import operator
import os
import pickle
-import pyexpat
import sys
import textwrap
import types
@@ -1424,12 +1423,6 @@
self.assert_event_tags(parser, [('end', 'root')])
self.assertIsNone(parser.close())
- def test_simple_xml_chunk_1(self):
- self.test_simple_xml(chunk_size=1, flush=True)
-
- def test_simple_xml_chunk_5(self):
- self.test_simple_xml(chunk_size=5, flush=True)
-
def test_simple_xml_chunk_22(self):
self.test_simple_xml(chunk_size=22)
@@ -1627,9 +1620,6 @@
with self.assertRaises(ValueError):
ET.XMLPullParser(events=('start', 'end', 'bogus'))
- @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
- f'Expat {pyexpat.version_info} does not '
- 'support reparse deferral')
def test_flush_reparse_deferral_enabled(self):
parser = ET.XMLPullParser(events=('start', 'end'))
@@ -1656,8 +1646,6 @@
for chunk in ("<doc", ">"):
parser.feed(chunk)
-
- if pyexpat.version_info >= (2, 6, 0):
if not ET is pyET:
self.skipTest(f'XMLParser.(Get|Set)ReparseDeferralEnabled '
'methods not available in C')
Copy Permalink