Add CVE-2025-8291-consistency-zip64.patch which checks
the consistency of the zip64 end of central directory record and prevents obfuscation of the payload, i.e., scanning a ZIP file for malicious content with one ZIP parser (say, a Rust one), then unpacking it in production with another (e.g., the Python one) and getting malicious content that the first parser did not see (CVE-2025-8291, bsc#1251305). Readjust patches while synchronizing between openSUSE and SLE trees: - CVE-2023-52425-libexpat-2.6.0-backport.patch - CVE-2023-52425-remove-reparse_deferral-tests.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch
@@ -6,10 +6,10 @@
|
|||||||
Lib/test/test_xml_etree.py | 12 ------------
|
Lib/test/test_xml_etree.py | 12 ------------
|
||||||
5 files changed, 37 insertions(+), 44 deletions(-)
|
5 files changed, 37 insertions(+), 44 deletions(-)
|
||||||
|
|
||||||
Index: Python-3.11.12/Lib/test/support/__init__.py
|
Index: Python-3.11.14/Lib/test/support/__init__.py
|
||||||
===================================================================
|
===================================================================
|
||||||
--- Python-3.11.12.orig/Lib/test/support/__init__.py 2025-04-11 10:52:43.191010503 +0200
|
--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-11 22:19:39.694606976 +0100
|
||||||
+++ Python-3.11.12/Lib/test/support/__init__.py 2025-04-11 10:52:44.802161741 +0200
|
+++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-11 22:19:43.416608482 +0100
|
||||||
@@ -8,6 +8,7 @@
|
@@ -8,6 +8,7 @@
|
||||||
import functools
|
import functools
|
||||||
import os
|
import os
|
||||||
@@ -27,7 +27,7 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
|
|||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
@@ -2244,6 +2245,17 @@
|
@@ -2279,6 +2280,17 @@
|
||||||
}
|
}
|
||||||
return ignored
|
return ignored
|
||||||
|
|
||||||
@@ -46,10 +46,10 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
|
|||||||
+fails_with_expat_2_6_0 = (unittest.expectedFailure
|
+fails_with_expat_2_6_0 = (unittest.expectedFailure
|
||||||
+ if is_expat_2_6_0
|
+ if is_expat_2_6_0
|
||||||
+ else lambda test: test)
|
+ else lambda test: test)
|
||||||
Index: Python-3.11.12/Lib/test/test_minidom.py
|
Index: Python-3.11.14/Lib/test/test_minidom.py
|
||||||
===================================================================
|
===================================================================
|
||||||
--- Python-3.11.12.orig/Lib/test/test_minidom.py 2025-04-11 10:52:21.907086938 +0200
|
--- Python-3.11.14.orig/Lib/test/test_minidom.py 2025-11-11 22:19:20.357789592 +0100
|
||||||
+++ Python-3.11.12/Lib/test/test_minidom.py 2025-04-11 10:52:44.802522893 +0200
|
+++ Python-3.11.14/Lib/test/test_minidom.py 2025-11-11 22:19:43.417174481 +0100
|
||||||
@@ -6,7 +6,6 @@
|
@@ -6,7 +6,6 @@
|
||||||
from test import support
|
from test import support
|
||||||
import unittest
|
import unittest
|
||||||
@@ -94,10 +94,10 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
|
|||||||
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
|
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
|
||||||
|
|
||||||
def testDocRemoveChild(self):
|
def testDocRemoveChild(self):
|
||||||
Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
Index: Python-3.11.14/Lib/test/test_pyexpat.py
|
||||||
===================================================================
|
===================================================================
|
||||||
--- Python-3.11.12.orig/Lib/test/test_pyexpat.py 2025-04-11 10:52:22.076696906 +0200
|
--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-11 22:19:20.528295478 +0100
|
||||||
+++ Python-3.11.12/Lib/test/test_pyexpat.py 2025-04-11 10:52:44.803228085 +0200
|
+++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-11 22:19:43.417558052 +0100
|
||||||
@@ -14,8 +14,7 @@
|
@@ -14,8 +14,7 @@
|
||||||
from xml.parsers import expat
|
from xml.parsers import expat
|
||||||
from xml.parsers.expat import errors
|
from xml.parsers.expat import errors
|
||||||
@@ -108,7 +108,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
|||||||
|
|
||||||
class SetAttributeTest(unittest.TestCase):
|
class SetAttributeTest(unittest.TestCase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
@@ -770,9 +769,8 @@
|
@@ -806,9 +805,8 @@
|
||||||
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
|
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
|
||||||
|
|
||||||
def test_reparse_deferral_enabled(self):
|
def test_reparse_deferral_enabled(self):
|
||||||
@@ -120,7 +120,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
|||||||
|
|
||||||
started = []
|
started = []
|
||||||
|
|
||||||
@@ -801,9 +799,9 @@
|
@@ -837,9 +835,9 @@
|
||||||
|
|
||||||
parser = expat.ParserCreate()
|
parser = expat.ParserCreate()
|
||||||
parser.StartElementHandler = start_element
|
parser.StartElementHandler = start_element
|
||||||
@@ -132,10 +132,10 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
|
|||||||
|
|
||||||
for chunk in (b'<doc', b'/>'):
|
for chunk in (b'<doc', b'/>'):
|
||||||
parser.Parse(chunk, False)
|
parser.Parse(chunk, False)
|
||||||
Index: Python-3.11.12/Lib/test/test_sax.py
|
Index: Python-3.11.14/Lib/test/test_sax.py
|
||||||
===================================================================
|
===================================================================
|
||||||
--- Python-3.11.12.orig/Lib/test/test_sax.py 2025-04-11 10:52:22.111440337 +0200
|
--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-11 22:19:20.561791922 +0100
|
||||||
+++ Python-3.11.12/Lib/test/test_sax.py 2025-04-11 10:52:44.803567098 +0200
|
+++ Python-3.11.14/Lib/test/test_sax.py 2025-11-11 22:19:43.417906074 +0100
|
||||||
@@ -19,13 +19,11 @@
|
@@ -19,13 +19,11 @@
|
||||||
from io import BytesIO, StringIO
|
from io import BytesIO, StringIO
|
||||||
import codecs
|
import codecs
|
||||||
@@ -187,10 +187,10 @@ Index: Python-3.11.12/Lib/test/test_sax.py
|
|||||||
|
|
||||||
self.assertFalse(parser._parser.GetReparseDeferralEnabled())
|
self.assertFalse(parser._parser.GetReparseDeferralEnabled())
|
||||||
|
|
||||||
Index: Python-3.11.12/Lib/test/test_xml_etree.py
|
Index: Python-3.11.14/Lib/test/test_xml_etree.py
|
||||||
===================================================================
|
===================================================================
|
||||||
--- Python-3.11.12.orig/Lib/test/test_xml_etree.py 2025-04-11 10:52:22.425637912 +0200
|
--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-11 22:19:20.877591822 +0100
|
||||||
+++ Python-3.11.12/Lib/test/test_xml_etree.py 2025-04-11 10:52:44.804234785 +0200
|
+++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-11 22:19:43.418467184 +0100
|
||||||
@@ -13,7 +13,6 @@
|
@@ -13,7 +13,6 @@
|
||||||
import operator
|
import operator
|
||||||
import os
|
import os
|
||||||
|
|||||||
@@ -4,9 +4,11 @@
|
|||||||
Lib/test/test_xml_etree.py | 2 ++
|
Lib/test/test_xml_etree.py | 2 ++
|
||||||
3 files changed, 6 insertions(+)
|
3 files changed, 6 insertions(+)
|
||||||
|
|
||||||
--- a/Lib/test/test_pyexpat.py
|
Index: Python-3.11.14/Lib/test/test_pyexpat.py
|
||||||
+++ b/Lib/test/test_pyexpat.py
|
===================================================================
|
||||||
@@ -768,6 +768,7 @@ class ReparseDeferralTest(unittest.TestC
|
--- Python-3.11.14.orig/Lib/test/test_pyexpat.py 2025-11-11 22:19:43.417558052 +0100
|
||||||
|
+++ Python-3.11.14/Lib/test/test_pyexpat.py 2025-11-11 22:19:46.300106206 +0100
|
||||||
|
@@ -804,6 +804,7 @@
|
||||||
parser.SetReparseDeferralEnabled(True)
|
parser.SetReparseDeferralEnabled(True)
|
||||||
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
|
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
|
||||||
|
|
||||||
@@ -14,7 +16,7 @@
|
|||||||
def test_reparse_deferral_enabled(self):
|
def test_reparse_deferral_enabled(self):
|
||||||
if not is_expat_2_6_0:
|
if not is_expat_2_6_0:
|
||||||
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
||||||
@@ -791,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC
|
@@ -827,6 +828,7 @@
|
||||||
|
|
||||||
self.assertEqual(started, ['doc'])
|
self.assertEqual(started, ['doc'])
|
||||||
|
|
||||||
@@ -22,9 +24,11 @@
|
|||||||
def test_reparse_deferral_disabled(self):
|
def test_reparse_deferral_disabled(self):
|
||||||
started = []
|
started = []
|
||||||
|
|
||||||
--- a/Lib/test/test_sax.py
|
Index: Python-3.11.14/Lib/test/test_sax.py
|
||||||
+++ b/Lib/test/test_sax.py
|
===================================================================
|
||||||
@@ -1213,6 +1213,7 @@ class ExpatReaderTest(XmlTestBase):
|
--- Python-3.11.14.orig/Lib/test/test_sax.py 2025-11-11 22:19:43.417906074 +0100
|
||||||
|
+++ Python-3.11.14/Lib/test/test_sax.py 2025-11-11 22:19:46.300752803 +0100
|
||||||
|
@@ -1213,6 +1213,7 @@
|
||||||
|
|
||||||
self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
|
self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
|
||||||
|
|
||||||
@@ -32,7 +36,7 @@
|
|||||||
def test_flush_reparse_deferral_enabled(self):
|
def test_flush_reparse_deferral_enabled(self):
|
||||||
if not is_expat_2_6_0:
|
if not is_expat_2_6_0:
|
||||||
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
||||||
@@ -1238,6 +1239,7 @@ class ExpatReaderTest(XmlTestBase):
|
@@ -1238,6 +1239,7 @@
|
||||||
|
|
||||||
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
|
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
|
||||||
|
|
||||||
@@ -40,9 +44,11 @@
|
|||||||
def test_flush_reparse_deferral_disabled(self):
|
def test_flush_reparse_deferral_disabled(self):
|
||||||
if not is_expat_2_6_0:
|
if not is_expat_2_6_0:
|
||||||
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
self.skipTest("Linked libexpat doesn't support reparse deferral")
|
||||||
--- a/Lib/test/test_xml_etree.py
|
Index: Python-3.11.14/Lib/test/test_xml_etree.py
|
||||||
+++ b/Lib/test/test_xml_etree.py
|
===================================================================
|
||||||
@@ -1620,6 +1620,7 @@ class XMLPullParserTest(unittest.TestCas
|
--- Python-3.11.14.orig/Lib/test/test_xml_etree.py 2025-11-11 22:19:43.418467184 +0100
|
||||||
|
+++ Python-3.11.14/Lib/test/test_xml_etree.py 2025-11-11 22:19:46.301413227 +0100
|
||||||
|
@@ -1620,6 +1620,7 @@
|
||||||
with self.assertRaises(ValueError):
|
with self.assertRaises(ValueError):
|
||||||
ET.XMLPullParser(events=('start', 'end', 'bogus'))
|
ET.XMLPullParser(events=('start', 'end', 'bogus'))
|
||||||
|
|
||||||
@@ -50,7 +56,7 @@
|
|||||||
def test_flush_reparse_deferral_enabled(self):
|
def test_flush_reparse_deferral_enabled(self):
|
||||||
parser = ET.XMLPullParser(events=('start', 'end'))
|
parser = ET.XMLPullParser(events=('start', 'end'))
|
||||||
|
|
||||||
@@ -1641,6 +1642,7 @@ class XMLPullParserTest(unittest.TestCas
|
@@ -1641,6 +1642,7 @@
|
||||||
|
|
||||||
self.assert_event_tags(parser, [('end', 'doc')])
|
self.assert_event_tags(parser, [('end', 'doc')])
|
||||||
|
|
||||||
|
|||||||
24
CVE-2025-8291-consistency-zip64.patch
Normal file
24
CVE-2025-8291-consistency-zip64.patch
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
From d8a71bec60ca197650bd93196a804083ba529b53 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||||
|
Date: Tue, 7 Oct 2025 20:55:44 +0300
|
||||||
|
Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
|
||||||
|
central directory record (GH-139702) (GH-139708) (cherry picked from commit
|
||||||
|
333d4a6f4967d3ace91492a39ededbcf3faa76a6)
|
||||||
|
|
||||||
|
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||||
|
Support records with "zip64 extensible data" if there are no bytes
|
||||||
|
prepended to the ZIP file.
|
||||||
|
(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
|
||||||
|
---
|
||||||
|
Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||||
|
|
||||||
|
Index: Python-3.9.24/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||||
|
+++ Python-3.9.24/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-10 01:01:51.449057588 +0100
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+Check consistency of the zip64 end of central directory record. Support
|
||||||
|
+records with "zip64 extensible data" if there are no bytes prepended to the
|
||||||
|
+ZIP file.
|
||||||
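Review bot: The new patch file, shown here in full (24 lines), carries only the Misc/NEWS.d entry — its own diffstat reads `1 file changed, 3 insertions(+)` and the sole `Index:` is the .rst file — so as committed it adds a NEWS entry for the zip64 end-of-central-directory consistency check without changing the zipfile module that would perform it, and the package would ship a changelog claim for a fix it does not contain. The upstream commit it cites (d8a71bec…, cherry-picked from 333d4a6f…) presumably also touches the zipfile implementation and its tests, and those hunks need to be carried in this file for Patch26 to do what its name and the spec comment say. Separately, the `Index:`/`+++` paths use the `Python-3.9.24/` prefix while every other patch in this package targets `Python-3.11.14/`; harmless if the prefix is stripped on apply, but worth aligning with the rest of the tree.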
@@ -3,9 +3,11 @@
|
|||||||
Misc/NEWS | 2 +-
|
Misc/NEWS | 2 +-
|
||||||
2 files changed, 1 insertion(+), 4 deletions(-)
|
2 files changed, 1 insertion(+), 4 deletions(-)
|
||||||
|
|
||||||
--- a/Doc/using/configure.rst
|
Index: Python-3.11.14/Doc/using/configure.rst
|
||||||
+++ b/Doc/using/configure.rst
|
===================================================================
|
||||||
@@ -43,7 +43,6 @@ General Options
|
--- Python-3.11.14.orig/Doc/using/configure.rst 2025-10-09 18:16:55.000000000 +0200
|
||||||
|
+++ Python-3.11.14/Doc/using/configure.rst 2025-11-11 22:19:35.846411673 +0100
|
||||||
|
@@ -43,7 +43,6 @@
|
||||||
|
|
||||||
See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
|
See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
|
||||||
|
|
||||||
@@ -13,7 +15,7 @@
|
|||||||
.. option:: --with-cxx-main=COMPILER
|
.. option:: --with-cxx-main=COMPILER
|
||||||
|
|
||||||
Compile the Python ``main()`` function and link Python executable with C++
|
Compile the Python ``main()`` function and link Python executable with C++
|
||||||
@@ -529,13 +528,11 @@ macOS Options
|
@@ -529,13 +528,11 @@
|
||||||
|
|
||||||
See ``Mac/README.rst``.
|
See ``Mac/README.rst``.
|
||||||
|
|
||||||
@@ -27,9 +29,11 @@
|
|||||||
.. option:: --enable-framework=INSTALLDIR
|
.. option:: --enable-framework=INSTALLDIR
|
||||||
|
|
||||||
Create a Python.framework rather than a traditional Unix install. Optional
|
Create a Python.framework rather than a traditional Unix install. Optional
|
||||||
--- a/Misc/NEWS
|
Index: Python-3.11.14/Misc/NEWS
|
||||||
+++ b/Misc/NEWS
|
===================================================================
|
||||||
@@ -9911,7 +9911,7 @@ C API
|
--- Python-3.11.14.orig/Misc/NEWS 2025-10-09 18:16:55.000000000 +0200
|
||||||
|
+++ Python-3.11.14/Misc/NEWS 2025-11-11 22:19:35.850828264 +0100
|
||||||
|
@@ -9987,7 +9987,7 @@
|
||||||
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
|
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
|
||||||
|
|
||||||
- bpo-43795: The list in :ref:`limited-api-list` now shows the public name
|
- bpo-43795: The list in :ref:`limited-api-list` now shows the public name
|
||||||
|
|||||||
@@ -1,3 +1,19 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||||
|
|
||||||
|
- Add CVE-2025-8291-consistency-zip64.patch which checks
|
||||||
|
consistency of the zip64 end of central directory record, and
|
||||||
|
preventing obfuscation of the payload, i.e., you scanning for
|
||||||
|
malicious content in a ZIP file with one ZIP parser (let's say
|
||||||
|
a Rust one) then unpack it in production with another (e.g.,
|
||||||
|
the Python one) and get malicious content that the other parser
|
||||||
|
did not see (CVE-2025-8291, bsc#1251305)
|
||||||
|
- Readjust patches while synchronizing between openSUSE and SLE trees:
|
||||||
|
- CVE-2023-52425-libexpat-2.6.0-backport.patch
|
||||||
|
- CVE-2023-52425-remove-reparse_deferral-tests.patch
|
||||||
|
- fix_configure_rst.patch
|
||||||
|
- skip_if_buildbot-extend.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||||
|
|
||||||
|
|||||||
@@ -188,6 +188,9 @@ Patch22: gh120226-fix-sendfile-test-kernel-610.patch
|
|||||||
Patch24: add-loongarch64-support.patch
|
Patch24: add-loongarch64-support.patch
|
||||||
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
|
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
|
||||||
Patch25: gh139257-Support-docutils-0.22.patch
|
Patch25: gh139257-Support-docutils-0.22.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
|
||||||
|
# Check consistency of the zip64 end of central directory record
|
||||||
|
Patch26: CVE-2025-8291-consistency-zip64.patch
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: crypto-policies-scripts
|
BuildRequires: crypto-policies-scripts
|
||||||
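Review bot: The new PATCH-FIX-UPSTREAM comment for Patch26 omits the upstream issue reference that the neighbouring Patch25 line carries (`gh#python/cpython#139257`), which makes it harder to trace the backport to its origin when the patch is next readjusted. The upstream issue is named in the patch's own Subject line, so the comment can follow the same convention: `# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch gh#python/cpython#139700 bsc#1251305 mcepl@suse.com`. The hunk does not show how patches are applied in %prep, so whether Patch26 is picked up automatically cannot be confirmed from here.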
|
|||||||
@@ -2,9 +2,11 @@
|
|||||||
Lib/test/support/__init__.py | 2 +-
|
Lib/test/support/__init__.py | 2 +-
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
--- a/Lib/test/support/__init__.py
|
Index: Python-3.11.14/Lib/test/support/__init__.py
|
||||||
+++ b/Lib/test/support/__init__.py
|
===================================================================
|
||||||
@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None):
|
--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-11 22:19:19.440964849 +0100
|
||||||
|
+++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-11 22:19:39.694606976 +0100
|
||||||
|
@@ -394,7 +394,7 @@
|
||||||
if not reason:
|
if not reason:
|
||||||
reason = 'not suitable for buildbots'
|
reason = 'not suitable for buildbots'
|
||||||
try:
|
try:
|
||||||
|
|||||||