forked from pool/python311
Add CVE-2025-8291-consistency-zip64.patch which checks
consistency of the zip64 end of central directory record, and preventing obfuscation of the payload, i.e., you scanning for malicious content in a ZIP file with one ZIP parser (let's say a Rust one) then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305) Readjust patches while synchronizing between openSUSE and SLE trees: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
This commit is contained in:
@@ -6,10 +6,10 @@
|
||||
Lib/test/test_xml_etree.py | 12 ------------
|
||||
5 files changed, 37 insertions(+), 44 deletions(-)
|
||||
|
||||
Index: Python-3.11.12/Lib/test/support/__init__.py
|
||||
Index: Python-3.11.14/Lib/test/support/__init__.py
|
||||
===================================================================
|
||||
--- Python-3.11.12.orig/Lib/test/support/__init__.py 2025-04-11 10:52:43.191010503 +0200
|
||||
+++ Python-3.11.12/Lib/test/support/__init__.py 2025-04-11 10:52:44.802161741 +0200
|
||||
--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-11 22:19:39.694606976 +0100
|
||||
+++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-11 22:19:43.416608482 +0100
|
||||
@@ -8,6 +8,7 @@
|
||||
import functools
|
||||
import os
|
||||
@@ -27,7 +27,7 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
|
||||
]
|
||||
|
||||
|
||||
@@ -2244,6 +2245,17 @@
|
||||
@@ -2279,6 +2280,17 @@
|
||||
}
|
||||
return ignored
|
||||
|
||||
@@ -46,10 +46,10 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
|
||||
+fails_with_expat_2_6_0 = (unittest.expectedFailure
|
||||
+ if is_expat_2_6_0
|
||||
+ else lambda test: test)
|
||||
Index: Python-3.11.12/Lib/test/test_minidom.py
|
||||
Index: Python-3.11.14/Lib/test/test_minidom.py
|
||||
===================================================================
|
||||
--- Python-3.11.12.orig/Lib/test/test_minidom.py 2025-04-11 10:52:21.907086938 +0200
|
||||
+++ Python-3.11.12/Lib/test/test_minidom.py 2025-04-11 10:52:44.802522893 +0200
|
||||
--- Python-3.11.14.orig/Lib/test/test_minidom.py 2025-11-11 22:19:20.357789592 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_minidom.py 2025-11-11 22:19:43.417174481 +0100
|
||||
@@ -6,7 +6,6 @@
|
||||
from test import support
|
||||
import unittest
|
||||
@@ -94,10 +94,10 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
|
||||
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
|
||||
|
||||
def testDocRemoveChild(self):
|
||||
Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
||||
Index: Python-3.11.14/Lib/test/test_pyexpat.py
|
||||
===================================================================
|
||||
--- Python-3.11.12.orig/Lib/test/test_pyexpat.py 2025-04-11 10:52:22.076696906 +0200
|
||||
+++ Python-3.11.12/Lib/test/test_pyexpat.py 2025-04-11 10:52:44.803228085 +0200
|
||||
--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-11 22:19:20.528295478 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-11 22:19:43.417558052 +0100
|
||||
@@ -14,8 +14,7 @@
|
||||
from xml.parsers import expat
|
||||
from xml.parsers.expat import errors
|
||||
@@ -108,7 +108,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
||||
|
||||
class SetAttributeTest(unittest.TestCase):
|
||||
def setUp(self):
|
||||
@@ -770,9 +769,8 @@
|
||||
@@ -806,9 +805,8 @@
|
||||
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
|
||||
|
||||
def test_reparse_deferral_enabled(self):
|
||||
@@ -120,7 +120,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
||||
|
||||
started = []
|
||||
|
||||
@@ -801,9 +799,9 @@
|
||||
@@ -837,9 +835,9 @@
|
||||
|
||||
parser = expat.ParserCreate()
|
||||
parser.StartElementHandler = start_element
|
||||
@@ -132,10 +132,10 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
||||
|
||||
for chunk in (b'<doc', b'/>'):
|
||||
parser.Parse(chunk, False)
|
||||
Index: Python-3.11.12/Lib/test/test_sax.py
|
||||
Index: Python-3.11.14/Lib/test/test_sax.py
|
||||
===================================================================
|
||||
--- Python-3.11.12.orig/Lib/test/test_sax.py 2025-04-11 10:52:22.111440337 +0200
|
||||
+++ Python-3.11.12/Lib/test/test_sax.py 2025-04-11 10:52:44.803567098 +0200
|
||||
--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-11 22:19:20.561791922 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_sax.py 2025-11-11 22:19:43.417906074 +0100
|
||||
@@ -19,13 +19,11 @@
|
||||
from io import BytesIO, StringIO
|
||||
import codecs
|
||||
@@ -187,10 +187,10 @@ Index: Python-3.11.12/Lib/test/test_sax.py
|
||||
|
||||
self.assertFalse(parser._parser.GetReparseDeferralEnabled())
|
||||
|
||||
Index: Python-3.11.12/Lib/test/test_xml_etree.py
|
||||
Index: Python-3.11.14/Lib/test/test_xml_etree.py
|
||||
===================================================================
|
||||
--- Python-3.11.12.orig/Lib/test/test_xml_etree.py 2025-04-11 10:52:22.425637912 +0200
|
||||
+++ Python-3.11.12/Lib/test/test_xml_etree.py 2025-04-11 10:52:44.804234785 +0200
|
||||
--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-11 22:19:20.877591822 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-11 22:19:43.418467184 +0100
|
||||
@@ -13,7 +13,6 @@
|
||||
import operator
|
||||
import os
|
||||
|
||||
@@ -4,9 +4,11 @@
|
||||
Lib/test/test_xml_etree.py | 2 ++
|
||||
3 files changed, 6 insertions(+)
|
||||
|
||||
--- a/Lib/test/test_pyexpat.py
|
||||
+++ b/Lib/test/test_pyexpat.py
|
||||
@@ -768,6 +768,7 @@ class ReparseDeferralTest(unittest.TestC
|
||||
Index: Python-3.11.14/Lib/test/test_pyexpat.py
|
||||
===================================================================
|
||||
--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-11 22:19:43.417558052 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-11 22:19:46.300106206 +0100
|
||||
@@ -804,6 +804,7 @@
|
||||
parser.SetReparseDeferralEnabled(True)
|
||||
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
|
||||
|
||||
@@ -14,7 +16,7 @@
|
||||
def test_reparse_deferral_enabled(self):
|
||||
if not is_expat_2_6_0:
|
||||
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
||||
@@ -791,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC
|
||||
@@ -827,6 +828,7 @@
|
||||
|
||||
self.assertEqual(started, ['doc'])
|
||||
|
||||
@@ -22,9 +24,11 @@
|
||||
def test_reparse_deferral_disabled(self):
|
||||
started = []
|
||||
|
||||
--- a/Lib/test/test_sax.py
|
||||
+++ b/Lib/test/test_sax.py
|
||||
@@ -1213,6 +1213,7 @@ class ExpatReaderTest(XmlTestBase):
|
||||
Index: Python-3.11.14/Lib/test/test_sax.py
|
||||
===================================================================
|
||||
--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-11 22:19:43.417906074 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_sax.py 2025-11-11 22:19:46.300752803 +0100
|
||||
@@ -1213,6 +1213,7 @@
|
||||
|
||||
self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
|
||||
|
||||
@@ -32,7 +36,7 @@
|
||||
def test_flush_reparse_deferral_enabled(self):
|
||||
if not is_expat_2_6_0:
|
||||
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
||||
@@ -1238,6 +1239,7 @@ class ExpatReaderTest(XmlTestBase):
|
||||
@@ -1238,6 +1239,7 @@
|
||||
|
||||
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
|
||||
|
||||
@@ -40,9 +44,11 @@
|
||||
def test_flush_reparse_deferral_disabled(self):
|
||||
if not is_expat_2_6_0:
|
||||
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
||||
--- a/Lib/test/test_xml_etree.py
|
||||
+++ b/Lib/test/test_xml_etree.py
|
||||
@@ -1620,6 +1620,7 @@ class XMLPullParserTest(unittest.TestCas
|
||||
Index: Python-3.11.14/Lib/test/test_xml_etree.py
|
||||
===================================================================
|
||||
--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-11 22:19:43.418467184 +0100
|
||||
+++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-11 22:19:46.301413227 +0100
|
||||
@@ -1620,6 +1620,7 @@
|
||||
with self.assertRaises(ValueError):
|
||||
ET.XMLPullParser(events=('start', 'end', 'bogus'))
|
||||
|
||||
@@ -50,7 +56,7 @@
|
||||
def test_flush_reparse_deferral_enabled(self):
|
||||
parser = ET.XMLPullParser(events=('start', 'end'))
|
||||
|
||||
@@ -1641,6 +1642,7 @@ class XMLPullParserTest(unittest.TestCas
|
||||
@@ -1641,6 +1642,7 @@
|
||||
|
||||
self.assert_event_tags(parser, [('end', 'doc')])
|
||||
|
||||
|
||||
24
CVE-2025-8291-consistency-zip64.patch
Normal file
24
CVE-2025-8291-consistency-zip64.patch
Normal file
@@ -0,0 +1,24 @@
|
||||
From d8a71bec60ca197650bd93196a804083ba529b53 Mon Sep 17 00:00:00 2001
|
||||
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Date: Tue, 7 Oct 2025 20:55:44 +0300
|
||||
Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
|
||||
central directory record (GH-139702) (GH-139708) (cherry picked from commit
|
||||
333d4a6f4967d3ace91492a39ededbcf3faa76a6)
|
||||
|
||||
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Support records with "zip64 extensible data" if there are no bytes
|
||||
prepended to the ZIP file.
|
||||
(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
|
||||
---
|
||||
Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||
|
||||
Index: Python-3.9.24/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ Python-3.9.24/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-10 01:01:51.449057588 +0100
|
||||
@@ -0,0 +1,3 @@
|
||||
+Check consistency of the zip64 end of central directory record. Support
|
||||
+records with "zip64 extensible data" if there are no bytes prepended to the
|
||||
+ZIP file.
|
||||
@@ -3,9 +3,11 @@
|
||||
Misc/NEWS | 2 +-
|
||||
2 files changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
--- a/Doc/using/configure.rst
|
||||
+++ b/Doc/using/configure.rst
|
||||
@@ -43,7 +43,6 @@ General Options
|
||||
Index: Python-3.11.14/Doc/using/configure.rst
|
||||
===================================================================
|
||||
--- Python-3.11.14.orig/Doc/using/configure.rst 2025-10-09 18:16:55.000000000 +0200
|
||||
+++ Python-3.11.14/Doc/using/configure.rst 2025-11-11 22:19:35.846411673 +0100
|
||||
@@ -43,7 +43,6 @@
|
||||
|
||||
See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
|
||||
|
||||
@@ -13,7 +15,7 @@
|
||||
.. option:: --with-cxx-main=COMPILER
|
||||
|
||||
Compile the Python ``main()`` function and link Python executable with C++
|
||||
@@ -529,13 +528,11 @@ macOS Options
|
||||
@@ -529,13 +528,11 @@
|
||||
|
||||
See ``Mac/README.rst``.
|
||||
|
||||
@@ -27,9 +29,11 @@
|
||||
.. option:: --enable-framework=INSTALLDIR
|
||||
|
||||
Create a Python.framework rather than a traditional Unix install. Optional
|
||||
--- a/Misc/NEWS
|
||||
+++ b/Misc/NEWS
|
||||
@@ -9911,7 +9911,7 @@ C API
|
||||
Index: Python-3.11.14/Misc/NEWS
|
||||
===================================================================
|
||||
--- Python-3.11.14.orig/Misc/NEWS 2025-10-09 18:16:55.000000000 +0200
|
||||
+++ Python-3.11.14/Misc/NEWS 2025-11-11 22:19:35.850828264 +0100
|
||||
@@ -9987,7 +9987,7 @@
|
||||
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
|
||||
|
||||
- bpo-43795: The list in :ref:`limited-api-list` now shows the public name
|
||||
|
||||
@@ -1,3 +1,19 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Add CVE-2025-8291-consistency-zip64.patch which checks
|
||||
consistency of the zip64 end of central directory record, and
|
||||
preventing obfuscation of the payload, i.e., you scanning for
|
||||
malicious content in a ZIP file with one ZIP parser (let's say
|
||||
a Rust one) then unpack it in production with another (e.g.,
|
||||
the Python one) and get malicious content that the other parser
|
||||
did not see (CVE-2025-8291, bsc#1251305)
|
||||
- Readjust patches while synchronizing between openSUSE and SLE trees:
|
||||
- CVE-2023-52425-libexpat-2.6.0-backport.patch
|
||||
- CVE-2023-52425-remove-reparse_deferral-tests.patch
|
||||
- fix_configure_rst.patch
|
||||
- skip_if_buildbot-extend.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
|
||||
@@ -188,6 +188,9 @@ Patch22: gh120226-fix-sendfile-test-kernel-610.patch
|
||||
Patch24: add-loongarch64-support.patch
|
||||
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
|
||||
Patch25: gh139257-Support-docutils-0.22.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
|
||||
# Check consistency of the zip64 end of central directory record
|
||||
Patch26: CVE-2025-8291-consistency-zip64.patch
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: crypto-policies-scripts
|
||||
|
||||
@@ -2,9 +2,11 @@
|
||||
Lib/test/support/__init__.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/Lib/test/support/__init__.py
|
||||
+++ b/Lib/test/support/__init__.py
|
||||
@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None):
|
||||
Index: Python-3.11.14/Lib/test/support/__init__.py
|
||||
===================================================================
|
||||
--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-11 22:19:19.440964849 +0100
|
||||
+++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-11 22:19:39.694606976 +0100
|
||||
@@ -394,7 +394,7 @@
|
||||
if not reason:
|
||||
reason = 'not suitable for buildbots'
|
||||
try:
|
||||
|
||||
Reference in New Issue
Block a user