python-interpreters/python311
SHA256
6
0
Fork 0
forked from pool/python311
Code Pull Requests Activity

Accepting request 1281358 from devel:languages:python:Factory

Browse Source 
- Add CVE-2025-4516-DecodeError-handler.patch fixing
  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.

- Use extended %autopatch.

  attributes on /usr/bin/ scripts (bsc#1227378).
  %%files.
- restrict PEP668 to ALP/Tumbleweed
- add externally_managed.in to label this build as PEP-668 managed
  * Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
  * remove importlib_resources and importlib-metadata
  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
  - bpo-29778: Ensure python3.dll is loaded from correct locations
  - bpo-39603: Prevent http header injection by rejecting control
    “__setattr__” in a multi-inheritance setup and
  - bpo-41247: Always cache the running loop holder when running
  - bpo-41252: Fix incorrect refcounting in
  - bpo-41215: Use non-NULL default values in the PEG parser
  - bpo-41218: Python 3.8.3 had a regression where compiling with
    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
  - bpo-41175: Guard against a NULL pointer dereference within
  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
    __setattr__() by calling the superclass method was
  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
  - bpo-39017: Avoid infinite loop when reading specially crafted
  - bpo-41207: In distutils.spawn, restore expectation that
  - bpo-41194: Fix a crash in the _ast module: it can no longer be
  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a

OBS-URL: https://build.opensuse.org/request/show/1281358
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=53
This commit is contained in:
Ana Guerrero
2025-06-02 19:58:44 +00:00
committed by Git OBS Bridge
parent a5f5fb5fd9 d399a5a815
commit c93ae83637
4 changed files with 570 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

504
CVE-2025-4516-DecodeError-handler.patch Normal file
View File

@@ -0,0 +1,504 @@
From 0c33e5baedf18ebcb04bc41dff7cfc614d5ea5fe Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Tue, 20 May 2025 15:46:57 +0300
Subject: [PATCH] [3.11] gh-133767: Fix use-after-free in the unicode-escape
decoder with an error handler (GH-129648) (GH-133944)
If the error handler is used, a new bytes object is created to set as
the object attribute of UnicodeDecodeError, and that bytes object then
replaces the original data. A pointer to the decoded data will became invalid
after destroying that temporary bytes object. So we need other way to return
the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().
_PyBytes_DecodeEscape() does not have such issue, because it does not
use the error handlers registry, but it should be changed for compatibility
with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e)
(cherry picked from commit 6279eb8c076d89d3739a6edb393e43c7929b429d)
(cherry picked from commit a75953b347716fff694aa59a7c7c2489fa50d1f5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Include/cpython/bytesobject.h | 4
Include/cpython/unicodeobject.h | 13 ++
Lib/test/test_codeccallbacks.py | 39 ++++++
Lib/test/test_codecs.py | 52 ++++++--
Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst | 2
Objects/bytesobject.c | 56 ++++++--
Objects/unicodeobject.c | 63 +++++++---
Parser/string_parser.c | 24 ++-
8 files changed, 197 insertions(+), 56 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst
--- a/Include/cpython/bytesobject.h
+++ b/Include/cpython/bytesobject.h
@@ -25,6 +25,10 @@ PyAPI_FUNC(PyObject*) _PyBytes_FromHex(
int use_bytearray);
/* Helper for PyBytes_DecodeEscape that detects invalid escape chars. */
+PyAPI_FUNC(PyObject*) _PyBytes_DecodeEscape2(const char *, Py_ssize_t,
+ const char *,
+ int *, const char **);
+// Export for binary compatibility.
PyAPI_FUNC(PyObject *) _PyBytes_DecodeEscape(const char *, Py_ssize_t,
const char *, const char **);
--- a/Include/cpython/unicodeobject.h
+++ b/Include/cpython/unicodeobject.h
@@ -914,6 +914,19 @@ PyAPI_FUNC(PyObject*) _PyUnicode_DecodeU
);
/* Helper for PyUnicode_DecodeUnicodeEscape that detects invalid escape
chars. */
+PyAPI_FUNC(PyObject*) _PyUnicode_DecodeUnicodeEscapeInternal2(
+ const char *string, /* Unicode-Escape encoded string */
+ Py_ssize_t length, /* size of string */
+ const char *errors, /* error handling */
+ Py_ssize_t *consumed, /* bytes consumed */
+ int *first_invalid_escape_char, /* on return, if not -1, contain the first
+ invalid escaped char (<= 0xff) or invalid
+ octal escape (> 0xff) in string. */
+ const char **first_invalid_escape_ptr); /* on return, if not NULL, may
+ point to the first invalid escaped
+ char in string.
+ May be NULL if errors is not NULL. */
+// Export for binary compatibility.
PyAPI_FUNC(PyObject*) _PyUnicode_DecodeUnicodeEscapeInternal(
const char *string, /* Unicode-Escape encoded string */
Py_ssize_t length, /* size of string */
--- a/Lib/test/test_codeccallbacks.py
+++ b/Lib/test/test_codeccallbacks.py
@@ -1,6 +1,7 @@
import codecs
import html.entities
import itertools
+import re
import sys
import unicodedata
import unittest
@@ -1124,7 +1125,7 @@ class CodecCallbackTest(unittest.TestCas
text = 'abc<def>ghi'*n
text.translate(charmap)
- def test_mutatingdecodehandler(self):
+ def test_mutating_decode_handler(self):
baddata = [
("ascii", b"\xff"),
("utf-7", b"++"),
@@ -1159,6 +1160,42 @@ class CodecCallbackTest(unittest.TestCas
for (encoding, data) in baddata:
self.assertEqual(data.decode(encoding, "test.mutating"), "\u4242")
+ def test_mutating_decode_handler_unicode_escape(self):
+ decode = codecs.unicode_escape_decode
+ def mutating(exc):
+ if isinstance(exc, UnicodeDecodeError):
+ r = data.get(exc.object[:exc.end])
+ if r is not None:
+ exc.object = r[0] + exc.object[exc.end:]
+ return ('\u0404', r[1])
+ raise AssertionError("don't know how to handle %r" % exc)
+
+ codecs.register_error('test.mutating2', mutating)
+ data = {
+ br'\x0': (b'\\', 0),
+ br'\x3': (b'xxx\\', 3),
+ br'\x5': (b'x\\', 1),
+ }
+ def check(input, expected, msg):
+ with self.assertWarns(DeprecationWarning) as cm:
+ self.assertEqual(decode(input, 'test.mutating2'), (expected, len(input)))
+ self.assertIn(msg, str(cm.warning))
+
+ check(br'\x0n\z', '\u0404\n\\z', r"invalid escape sequence '\z'")
+ check(br'\x0n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\501'")
+ check(br'\x0z', '\u0404\\z', r"invalid escape sequence '\z'")
+
+ check(br'\x3n\zr', '\u0404\n\\zr', r"invalid escape sequence '\z'")
+ check(br'\x3zr', '\u0404\\zr', r"invalid escape sequence '\z'")
+ check(br'\x3z5', '\u0404\\z5', r"invalid escape sequence '\z'")
+ check(memoryview(br'\x3z5x')[:-1], '\u0404\\z5', r"invalid escape sequence '\z'")
+ check(memoryview(br'\x3z5xy')[:-2], '\u0404\\z5', r"invalid escape sequence '\z'")
+
+ check(br'\x5n\z', '\u0404\n\\z', r"invalid escape sequence '\z'")
+ check(br'\x5n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\501'")
+ check(br'\x5z', '\u0404\\z', r"invalid escape sequence '\z'")
+ check(memoryview(br'\x5zy')[:-1], '\u0404\\z', r"invalid escape sequence '\z'")
+
# issue32583
def test_crashing_decode_handler(self):
# better generating one more character to fill the extra space slot
--- a/Lib/test/test_codecs.py
+++ b/Lib/test/test_codecs.py
@@ -1198,23 +1198,39 @@ class EscapeDecodeTest(unittest.TestCase
check(br"[\1010]", b"[A0]")
check(br"[\x41]", b"[A]")
check(br"[\x410]", b"[A0]")
+
+ def test_warnings(self):
+ decode = codecs.escape_decode
+ check = coding_checker(self, decode)
for i in range(97, 123):
b = bytes([i])
if b not in b'abfnrtvx':
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\%c'" % i):
check(b"\\" + b, b"\\" + b)
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\%c'" % (i-32)):
check(b"\\" + b.upper(), b"\\" + b.upper())
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\8'"):
check(br"\8", b"\\8")
with self.assertWarns(DeprecationWarning):
check(br"\9", b"\\9")
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\\xfa'") as cm:
check(b"\\\xfa", b"\\\xfa")
for i in range(0o400, 0o1000):
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid octal escape sequence '\\%o'" % i):
check(rb'\%o' % i, bytes([i & 0o377]))
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\z'"):
+ self.assertEqual(decode(br'\x\z', 'ignore'), (b'\\z', 4))
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid octal escape sequence '\\501'"):
+ self.assertEqual(decode(br'\x\501', 'ignore'), (b'A', 6))
+
def test_errors(self):
decode = codecs.escape_decode
self.assertRaises(ValueError, decode, br"\x")
@@ -2487,24 +2503,40 @@ class UnicodeEscapeTest(ReadTest, unitte
check(br"[\x410]", "[A0]")
check(br"\u20ac", "\u20ac")
check(br"\U0001d120", "\U0001d120")
+
+ def test_decode_warnings(self):
+ decode = codecs.unicode_escape_decode
+ check = coding_checker(self, decode)
for i in range(97, 123):
b = bytes([i])
if b not in b'abfnrtuvx':
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\%c'" % i):
check(b"\\" + b, "\\" + chr(i))
if b.upper() not in b'UN':
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\%c'" % (i-32)):
check(b"\\" + b.upper(), "\\" + chr(i-32))
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\8'"):
check(br"\8", "\\8")
with self.assertWarns(DeprecationWarning):
check(br"\9", "\\9")
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\\xfa'") as cm:
check(b"\\\xfa", "\\\xfa")
for i in range(0o400, 0o1000):
- with self.assertWarns(DeprecationWarning):
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid octal escape sequence '\\%o'" % i):
check(rb'\%o' % i, chr(i))
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid escape sequence '\\z'"):
+ self.assertEqual(decode(br'\x\z', 'ignore'), ('\\z', 4))
+ with self.assertWarnsRegex(DeprecationWarning,
+ r"invalid octal escape sequence '\\501'"):
+ self.assertEqual(decode(br'\x\501', 'ignore'), ('\u0141', 6))
+
def test_decode_errors(self):
decode = codecs.unicode_escape_decode
for c, d in (b'x', 2), (b'u', 4), (b'U', 4):
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst
@@ -0,0 +1,2 @@
+Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error
+handler.
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1057,10 +1057,11 @@ _PyBytes_FormatEx(const char *format, Py
}
/* Unescape a backslash-escaped string. */
-PyObject *_PyBytes_DecodeEscape(const char *s,
+PyObject *_PyBytes_DecodeEscape2(const char *s,
Py_ssize_t len,
const char *errors,
- const char **first_invalid_escape)
+ int *first_invalid_escape_char,
+ const char **first_invalid_escape_ptr)
{
int c;
char *p;
@@ -1074,7 +1075,8 @@ PyObject *_PyBytes_DecodeEscape(const ch
return NULL;
writer.overallocate = 1;
- *first_invalid_escape = NULL;
+ *first_invalid_escape_char = -1;
+ *first_invalid_escape_ptr = NULL;
end = s + len;
while (s < end) {
@@ -1112,9 +1114,10 @@ PyObject *_PyBytes_DecodeEscape(const ch
c = (c<<3) + *s++ - '0';
}
if (c > 0377) {
- if (*first_invalid_escape == NULL) {
- *first_invalid_escape = s-3; /* Back up 3 chars, since we've
- already incremented s. */
+ if (*first_invalid_escape_char == -1) {
+ *first_invalid_escape_char = c;
+ /* Back up 3 chars, since we've already incremented s. */
+ *first_invalid_escape_ptr = s - 3;
}
}
*p++ = c;
@@ -1155,9 +1158,10 @@ PyObject *_PyBytes_DecodeEscape(const ch
break;
default:
- if (*first_invalid_escape == NULL) {
- *first_invalid_escape = s-1; /* Back up one char, since we've
- already incremented s. */
+ if (*first_invalid_escape_char == -1) {
+ *first_invalid_escape_char = (unsigned char)s[-1];
+ /* Back up one char, since we've already incremented s. */
+ *first_invalid_escape_ptr = s - 1;
}
*p++ = '\\';
s--;
@@ -1171,23 +1175,39 @@ PyObject *_PyBytes_DecodeEscape(const ch
return NULL;
}
+// Export for binary compatibility.
+PyObject *_PyBytes_DecodeEscape(const char *s,
+ Py_ssize_t len,
+ const char *errors,
+ const char **first_invalid_escape)
+{
+ int first_invalid_escape_char;
+ return _PyBytes_DecodeEscape2(
+ s, len, errors,
+ &first_invalid_escape_char,
+ first_invalid_escape);
+}
+
PyObject *PyBytes_DecodeEscape(const char *s,
Py_ssize_t len,
const char *errors,
Py_ssize_t Py_UNUSED(unicode),
const char *Py_UNUSED(recode_encoding))
{
- const char* first_invalid_escape;
- PyObject *result = _PyBytes_DecodeEscape(s, len, errors,
- &first_invalid_escape);
+ int first_invalid_escape_char;
+ const char *first_invalid_escape_ptr;
+ PyObject *result = _PyBytes_DecodeEscape2(s, len, errors,
+ &first_invalid_escape_char,
+ &first_invalid_escape_ptr);
if (result == NULL)
return NULL;
- if (first_invalid_escape != NULL) {
- unsigned char c = *first_invalid_escape;
- if ('4' <= c && c <= '7') {
+ if (first_invalid_escape_char != -1) {
+ if (first_invalid_escape_char > 0xff) {
+ char buf[12] = "";
+ snprintf(buf, sizeof buf, "%o", first_invalid_escape_char);
if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1,
- "invalid octal escape sequence '\\%.3s'",
- first_invalid_escape) < 0)
+ "invalid octal escape sequence '\\%s'",
+ buf) < 0)
{
Py_DECREF(result);
return NULL;
@@ -1196,7 +1216,7 @@ PyObject *PyBytes_DecodeEscape(const cha
else {
if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1,
"invalid escape sequence '\\%c'",
- c) < 0)
+ first_invalid_escape_char) < 0)
{
Py_DECREF(result);
return NULL;
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6301,20 +6301,23 @@ PyUnicode_AsUTF16String(PyObject *unicod
static _PyUnicode_Name_CAPI *ucnhash_capi = NULL;
PyObject *
-_PyUnicode_DecodeUnicodeEscapeInternal(const char *s,
+_PyUnicode_DecodeUnicodeEscapeInternal2(const char *s,
Py_ssize_t size,
const char *errors,
Py_ssize_t *consumed,
- const char **first_invalid_escape)
+ int *first_invalid_escape_char,
+ const char **first_invalid_escape_ptr)
{
const char *starts = s;
+ const char *initial_starts = starts;
_PyUnicodeWriter writer;
const char *end;
PyObject *errorHandler = NULL;
PyObject *exc = NULL;
// so we can remember if we've seen an invalid escape char or not
- *first_invalid_escape = NULL;
+ *first_invalid_escape_char = -1;
+ *first_invalid_escape_ptr = NULL;
if (size == 0) {
if (consumed) {
@@ -6402,9 +6405,12 @@ _PyUnicode_DecodeUnicodeEscapeInternal(c
}
}
if (ch > 0377) {
- if (*first_invalid_escape == NULL) {
- *first_invalid_escape = s-3; /* Back up 3 chars, since we've
- already incremented s. */
+ if (*first_invalid_escape_char == -1) {
+ *first_invalid_escape_char = ch;
+ if (starts == initial_starts) {
+ /* Back up 3 chars, since we've already incremented s. */
+ *first_invalid_escape_ptr = s - 3;
+ }
}
}
WRITE_CHAR(ch);
@@ -6503,9 +6509,12 @@ _PyUnicode_DecodeUnicodeEscapeInternal(c
goto error;
default:
- if (*first_invalid_escape == NULL) {
- *first_invalid_escape = s-1; /* Back up one char, since we've
- already incremented s. */
+ if (*first_invalid_escape_char == -1) {
+ *first_invalid_escape_char = c;
+ if (starts == initial_starts) {
+ /* Back up one char, since we've already incremented s. */
+ *first_invalid_escape_ptr = s - 1;
+ }
}
WRITE_ASCII_CHAR('\\');
WRITE_CHAR(c);
@@ -6544,24 +6553,42 @@ _PyUnicode_DecodeUnicodeEscapeInternal(c
return NULL;
}
+// Export for binary compatibility.
+PyObject *
+_PyUnicode_DecodeUnicodeEscapeInternal(const char *s,
+ Py_ssize_t size,
+ const char *errors,
+ Py_ssize_t *consumed,
+ const char **first_invalid_escape)
+{
+ int first_invalid_escape_char;
+ return _PyUnicode_DecodeUnicodeEscapeInternal2(
+ s, size, errors, consumed,
+ &first_invalid_escape_char,
+ first_invalid_escape);
+}
+
PyObject *
_PyUnicode_DecodeUnicodeEscapeStateful(const char *s,
Py_ssize_t size,
const char *errors,
Py_ssize_t *consumed)
{
- const char *first_invalid_escape;
- PyObject *result = _PyUnicode_DecodeUnicodeEscapeInternal(s, size, errors,
+ int first_invalid_escape_char;
+ const char *first_invalid_escape_ptr;
+ PyObject *result = _PyUnicode_DecodeUnicodeEscapeInternal2(s, size, errors,
consumed,
- &first_invalid_escape);
+ &first_invalid_escape_char,
+ &first_invalid_escape_ptr);
if (result == NULL)
return NULL;
- if (first_invalid_escape != NULL) {
- unsigned char c = *first_invalid_escape;
- if ('4' <= c && c <= '7') {
+ if (first_invalid_escape_char != -1) {
+ if (first_invalid_escape_char > 0xff) {
+ char buf[12] = "";
+ snprintf(buf, sizeof buf, "%o", first_invalid_escape_char);
if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1,
- "invalid octal escape sequence '\\%.3s'",
- first_invalid_escape) < 0)
+ "invalid octal escape sequence '\\%s'",
+ buf) < 0)
{
Py_DECREF(result);
return NULL;
@@ -6570,7 +6597,7 @@ _PyUnicode_DecodeUnicodeEscapeStateful(c
else {
if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1,
"invalid escape sequence '\\%c'",
- c) < 0)
+ first_invalid_escape_char) < 0)
{
Py_DECREF(result);
return NULL;
--- a/Parser/string_parser.c
+++ b/Parser/string_parser.c
@@ -130,12 +130,15 @@ decode_unicode_with_escapes(Parser *pars
len = p - buf;
s = buf;
- const char *first_invalid_escape;
- v = _PyUnicode_DecodeUnicodeEscapeInternal(s, len, NULL, NULL, &first_invalid_escape);
+ int first_invalid_escape_char;
+ const char *first_invalid_escape_ptr;
+ v = _PyUnicode_DecodeUnicodeEscapeInternal2(s, (Py_ssize_t)len, NULL, NULL,
+ &first_invalid_escape_char,
+ &first_invalid_escape_ptr);
- if (v != NULL && first_invalid_escape != NULL) {
- if (warn_invalid_escape_sequence(parser, first_invalid_escape, t) < 0) {
- /* We have not decref u before because first_invalid_escape points
+ if (v != NULL && first_invalid_escape_ptr != NULL) {
+ if (warn_invalid_escape_sequence(parser, first_invalid_escape_ptr, t) < 0) {
+ /* We have not decref u before because first_invalid_escape_ptr points
inside u. */
Py_XDECREF(u);
Py_DECREF(v);
@@ -149,14 +152,17 @@ decode_unicode_with_escapes(Parser *pars
static PyObject *
decode_bytes_with_escapes(Parser *p, const char *s, Py_ssize_t len, Token *t)
{
- const char *first_invalid_escape;
- PyObject *result = _PyBytes_DecodeEscape(s, len, NULL, &first_invalid_escape);
+ int first_invalid_escape_char;
+ const char *first_invalid_escape_ptr;
+ PyObject *result = _PyBytes_DecodeEscape2(s, len, NULL,
+ &first_invalid_escape_char,
+ &first_invalid_escape_ptr);
if (result == NULL) {
return NULL;
}
- if (first_invalid_escape != NULL) {
- if (warn_invalid_escape_sequence(p, first_invalid_escape, t) < 0) {
+ if (first_invalid_escape_ptr != NULL) {
+ if (warn_invalid_escape_sequence(p, first_invalid_escape_ptr, t) < 0) {
Py_DECREF(result);
return NULL;
}

10
gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
View File

@@ -38,7 +38,7 @@ Index: Python-3.11.12/Lib/test/test_ssl.py
@@ -2651,10 +2650,6 @@
self.close()
self.running = False
- # normally, we'd just stop here, but for the test
- # harness, we want to stop the server
- self.server.stop()
@@ -51,7 +51,7 @@ Index: Python-3.11.12/Lib/test/test_ssl.py
threading.Thread.__init__(self)
self.daemon = True
+ self._in_context = False
def __enter__(self):
+ if self._in_context:
+ raise ValueError('Re-entering ThreadedEchoServer context')
@@ -59,20 +59,20 @@ Index: Python-3.11.12/Lib/test/test_ssl.py
self.start(threading.Event())
self.flag.wait()
return self
def __exit__(self, *args):
+ assert self._in_context
+ self._in_context = False
self.stop()
self.join()
def start(self, flag=None):
+ if not self._in_context:
+ raise ValueError(
+ 'ThreadedEchoServer must be used as a context manager')
self.flag = flag
threading.Thread.start(self)
def run(self):
+ if not self._in_context:
+ raise ValueError(

100
python311.changes
View File

@@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
-------------------------------------------------------------------
Sat May 17 10:02:27 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Use extended %autopatch.
-------------------------------------------------------------------
Sat May 10 11:38:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
@@ -261,7 +273,7 @@ Thu Jul 18 22:37:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
Mon Jul 15 12:14:05 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Stop using %%defattr, it seems to be breaking proper executable
attributes on /usr/bin/ scripts (bsc#1227378).
attributes on /usr/bin/ scripts (bsc#1227378).
-------------------------------------------------------------------
Tue Jul 2 10:32:58 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -602,7 +614,7 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Remove double definition of /usr/bin/idle%%{version} in
%%files.
%%files.
-------------------------------------------------------------------
Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -1522,12 +1534,12 @@ Wed Sep 6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
-------------------------------------------------------------------
Thu Aug 10 09:33:26 UTC 2023 - Dirk Müller <dmueller@suse.com>
- restrict PEP668 to ALP/Tumbleweed
- restrict PEP668 to ALP/Tumbleweed
-------------------------------------------------------------------
Fri Aug 4 06:37:41 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add externally_managed.in to label this build as PEP-668 managed
- add externally_managed.in to label this build as PEP-668 managed
-------------------------------------------------------------------
Thu Aug 3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -2882,7 +2894,7 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-expat-245.patch:
* Support Expat >= 2.4.5
* Support Expat >= 2.4.5
-------------------------------------------------------------------
Tue Feb 15 23:05:55 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -3072,7 +3084,7 @@ Sat Jun 5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
-------------------------------------------------------------------
Fri Jun 4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>
- allow build with Sphinx >= 3.x
- allow build with Sphinx >= 3.x
-------------------------------------------------------------------
Wed Jun 2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -3624,7 +3636,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>
- Last try before this results in an editwar:
* remove importlib_resources and importlib-metadata
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
@@ -3741,54 +3753,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
- Removed recursion.tar: contained in upstream
- Update to 3.9.0b5:
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
by the fix for bpo-29778 (CVE-2020-15801).
- bpo-41162: Audit hooks are now cleared later during
finalization to avoid missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations
- bpo-29778: Ensure python3.dll is loaded from correct locations
when Python is embedded (CVE-2020-15523).
- bpo-39603: Prevent http header injection by rejecting control
- bpo-39603: Prevent http header injection by rejecting control
characters in http.client.putrequest(…).
- bpo-41295: Resolve a regression in CPython 3.8.4 where defining
“__setattr__” in a multi-inheritance setup and
“__setattr__” in a multi-inheritance setup and
calling up the hierarchy chain could fail if builtins/extension
types were involved in the base types.
- bpo-41247: Always cache the running loop holder when running
- bpo-41247: Always cache the running loop holder when running
asyncio.set_running_loop.
- bpo-41252: Fix incorrect refcounting in
- bpo-41252: Fix incorrect refcounting in
_ssl.cs _servername_callback().
- bpo-41215: Use non-NULL default values in the PEG parser
- bpo-41215: Use non-NULL default values in the PEG parser
keyword list to overcome a bug that was '
preventing Python from being properly compiled when using the
XLC compiler. Patch by Pablo Galindo.
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
aggressively mark list comprehension with CO_COROUTINE. Now only
list comprehension making use of async/await will tagged as so.
- bpo-41175: Guard against a NULL pointer dereference within
- bpo-41175: Guard against a NULL pointer dereference within
bytearrayobject triggered by the bytearray() + bytearray() operation.
- bpo-39960: The “hackcheck” that prevents sneaking around a types
__setattr__() by calling the superclass method was
- bpo-39960: The “hackcheck” that prevents sneaking around a types
__setattr__() by calling the superclass method was
rewritten to allow C implemented heap types.
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
C implementation raises now UnpicklingError instead of crashing.
- bpo-39017: Avoid infinite loop when reading specially crafted
- bpo-39017: Avoid infinite loop when reading specially crafted
TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
- bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
- bpo-41207: In distutils.spawn, restore expectation that
- bpo-41207: In distutils.spawn, restore expectation that
DistutilsExecError is raised when the command is not found.
- bpo-39168: Remove the __new__ method of typing.Generic.
- bpo-41194: Fix a crash in the _ast module: it can no longer be
- bpo-41194: Fix a crash in the _ast module: it can no longer be
loaded more than once. It now uses a global state rather than a module state.
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
null string.
- bpo-41300: Save files with non-ascii chars.
- bpo-41300: Save files with non-ascii chars.
Fix regression released in 3.9.0b4 and 3.8.4.
- bpo-37765: Add keywords to module name completion list.
- bpo-37765: Add keywords to module name completion list.
Rewrite Completions section of IDLE doc.
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
PyType_GetFlags() which hides implementation details.
-------------------------------------------------------------------
@@ -4309,7 +4321,7 @@ Wed Jun 5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
pickling costs between processes
- typed_ast is merged back to CPython
- LOAD_GLOBAL is now 40% faster
- pickle now uses Protocol 4 by default, improving performance
- pickle now uses Protocol 4 by default, improving performance
- Remove patches which were included in the upstream:
- 00251-change-user-install-location.patch
- 00316-mark-bdist_wininst-unsupported.patch
@@ -4454,7 +4466,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com
- Upgrade to 3.7.2rc1:
* bugfix release, for the full list of all changes see
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
- Make run of the test suite more verbose
-------------------------------------------------------------------
@@ -4881,7 +4893,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com
- Add 0001-allow-for-reproducible-builds-of-python-packages.patch
upstream https://github.com/python/cpython/pull/296
upstream https://github.com/python/cpython/pull/296
-------------------------------------------------------------------
Wed Feb 8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -4947,7 +4959,7 @@ Mon Mar 7 20:38:11 UTC 2016 - toddrme2178@gmail.com
- Add Python-3.5.1-fix_lru_cache_copying.patch
Fix copying the lru_cache() wrapper object.
Fixes deep-copying lru_cache regression, which worked on
Fixes deep-copying lru_cache regression, which worked on
previous versions of python but fails on python 3.5.
This fixes a bunch of packages in devel:languages:python3.
See: https://bugs.python.org/issue25447
@@ -5085,7 +5097,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
-------------------------------------------------------------------
Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org
- Only pkgconfig(x11) is required for build, not the whole
- Only pkgconfig(x11) is required for build, not the whole
set of packages provided by xorg-x11-devel metapackage.
-------------------------------------------------------------------
@@ -5145,7 +5157,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
-------------------------------------------------------------------
Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com
- remove blacklisting of test_posix on aarch64: qemu bug is fixed
- remove blacklisting of test_posix on aarch64: qemu bug is fixed
-------------------------------------------------------------------
Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -5248,7 +5260,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
-------------------------------------------------------------------
Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org
- build with -DOPENSSL_LOAD_CONF for the same reasons
- build with -DOPENSSL_LOAD_CONF for the same reasons
described in the python2 package.
-------------------------------------------------------------------
@@ -5260,7 +5272,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
-------------------------------------------------------------------
Thu Aug 8 14:54:49 UTC 2013 - dvaleev@suse.com
- Exclue test_faulthandler from tests on powerpc due to bnc#831629
- Exclue test_faulthandler from tests on powerpc due to bnc#831629
-------------------------------------------------------------------
Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -5319,7 +5331,7 @@ Fri Mar 1 07:42:21 UTC 2013 - dmueller@suse.com
- add ctypes-libffi-aarch64.patch:
* import aarch64 support for libffi in _ctypes module
- add aarch64 to the list of lib64 based archs
- add aarch64 to the list of lib64 based archs
- add movetogetdents64.diff:
* port to getdents64, as SYS_getdents is not implemented everywhere
@@ -5373,9 +5385,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
-------------------------------------------------------------------
Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com
- exclude test_math for SLE 11; math library fails on negative
- exclude test_math for SLE 11; math library fails on negative
gamma function values close to integers and 0, probably
due to imprecision in -lm on SLE_11_SP2.
due to imprecision in -lm on SLE_11_SP2.
-------------------------------------------------------------------
Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -5399,7 +5411,7 @@ Mon Oct 1 08:53:03 UTC 2012 - idonmez@suse.com
-------------------------------------------------------------------
Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com
- Correct dependency for python3-testsuite,
- Correct dependency for python3-testsuite,
python3-tkinter -> python3-tk
-------------------------------------------------------------------
@@ -5432,7 +5444,7 @@ Fri Aug 3 12:09:34 UTC 2012 - jmatejek@suse.com
-------------------------------------------------------------------
Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com
- skip test_io on ppc
- skip test_io on ppc
- drop test_io ppc patch
-------------------------------------------------------------------
@@ -5481,8 +5493,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
-------------------------------------------------------------------
Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com
- Use system ffi, included one is broken see
http://bugs.python.org/issue11729 and
- Use system ffi, included one is broken see
http://bugs.python.org/issue11729 and
http://bugs.python.org/issue12081
-------------------------------------------------------------------

23
python311.spec
View File

@@ -189,6 +189,9 @@ Patch24: add-loongarch64-support.patch
# PATCH-FIX-UPSTREAM gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch bsc#1241067 mcepl@suse.com
# don't stop ThreadedEchoServer on OSError, makes test_ssl fail with OpenSSL 3.5
Patch25: gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
# PATCH-FIX-UPSTREAM CVE-2025-4516-DecodeError-handler.patch bsc#1243273 mcepl@suse.com
# this patch makes things totally awesome
Patch26: CVE-2025-4516-DecodeError-handler.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: crypto-policies-scripts
@@ -432,27 +435,11 @@ other applications.
%prep
%setup -q -n %{tarname}
%patch -p1 -P 02
%patch -p1 -P 03
%patch -p1 -P 04
%patch -p1 -P 05
%patch -p1 -P 07
%patch -p1 -P 08
%autopatch -p1 -M 08
%if 0%{?suse_version} <= 1500
%patch -P 09 -p1
%endif
%patch -p1 -P 10
%patch -p1 -P 11
%patch -p1 -P 13
%patch -p1 -P 15
%patch -p1 -P 16
%patch -p1 -P 17
%patch -p1 -P 19
%patch -p1 -P 22
%patch -p1 -P 24
%patch -p1 -P 25
%autopatch -p1 -m 10
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac