python-interpreters/python311
SHA256
6
0
Fork 0
forked from pool/python311
Code Pull Requests Activity

Compare commits

merge into: python-interpreters:sle-15-sp4
Branches Tags
python-interpreters:factory python-interpreters:sle-15-sp4 python-interpreters:sle-15-sp6 python-interpreters:slfo-1.0 python-interpreters:slfo-1.1 pool:factory
...
pull from: python-interpreters:factory
Branches Tags
python-interpreters:factory python-interpreters:sle-15-sp4 python-interpreters:sle-15-sp6 python-interpreters:slfo-1.0 python-interpreters:slfo-1.1 pool:factory

6 Commits
sle-15-sp4 ... factory

Author SHA256 Message Date
Matěj Cepl
d7ebe63704 Update to 3.11.15: 
- Security
    - gh-144125: BytesGenerator will now refuse to serialize
      (write) headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when
      flattening an email message using a modern email policy.
      Comments consisting of a very long sequence of non-foldable
      characters could trigger a forced line wrap that omitted
      the required leading space on the continuation line,
      causing the remainder of the comment to be interpreted as
      a new header field. This enabled header injection with
      carefully crafted inputs (bsc#1257029 CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media
      types (bsc#1257046, CVE-2025-15282).
    - gh-143919: Reject control characters in http.cookies.Morsel
      fields and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters
      (bsc#1257042, CVE-2026-0865).
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing. In order to do this without breaking
      existing users, we also add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead
      (bsc#1254997, CVE-2025-12084).
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (bsc#1252974, CVE-2025-6075).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (CVE-2025-13836, bsc#1254400).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to
      the CGI server on Windows, it could cause an arbitrary
      amount of memory to be allocated. This could have led to
      symptoms including a MemoryError, swapping, out of memory
      (OOM) killed processes or containers, or even system
      crashes.
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (bsc#1254401, CVE-2025-13837).
  - Library
    - gh-144833: Fixed a use-after-free in ssl when SSL_new()
      returns NULL in newPySSLSocket(). The error was reported
      via a dangling pointer after the object had already been
      freed.
    - gh-144363: Update bundled libexpat to 2.7.4
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
  - Core and Builtins
    - gh-120384: Fix an array out of bounds crash in
      list_ass_subscript, which could be invoked via some
      specificly tailored input: including concurrent
      modification of a list object, where one thread assigns
      a slice and another clears it.
    - gh-120298: Fix use-after free in list_richcompare_impl
      which can be invoked via some specificly tailored evil
      input.
Remove upstreamed patches:
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2025-12084-minidom-quad-search.patch
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-13837-plistlib-mailicious-length.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - CVE-2026-0865-wsgiref-ctrl-chars.patch
  - CVE-2025-15282-urllib-ctrl-chars.patch
 2026-03-09 00:26:16 +01:00
Matěj Cepl
26a31005ec Merge branch 'factory' into sle-15-sp4 2026-02-24 09:14:57 +01:00
Matěj Cepl
02f09793e7 Fix seven CVEs 
CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch
 2026-02-13 00:45:50 +01:00
Matěj Cepl
cd09787966 Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837. 
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).
 2026-01-08 13:42:27 +01:00
Matěj Cepl
162a9695a4 Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837. 
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).
 2025-12-19 23:09:22 +01:00
Matěj Cepl
48953809e4 Add CVE-2025-6075-expandvars-perf-degrad.patch 
Avoid simple quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch
 2025-11-20 23:16:35 +01:00
14 changed files with 531 additions and 64 deletions
Expand all files Collapse all files

71
CVE-2023-52425-libexpat-2.6.0-backport.patch
View File

@@ -1,15 +1,15 @@
---
Lib/test/support/__init__.py | 16 ++++++++++++++--
Lib/test/support/__init__.py | 22 ++++++++++++++++------
Lib/test/test_minidom.py | 23 +++++++++--------------
Lib/test/test_pyexpat.py | 12 +++++-------
Lib/test/test_sax.py | 18 +++++++++---------
Lib/test/test_xml_etree.py | 12 ------------
5 files changed, 37 insertions(+), 44 deletions(-)
5 files changed, 39 insertions(+), 48 deletions(-)
Index: Python-3.11.12/Lib/test/support/__init__.py
Index: Python-3.11.15/Lib/test/support/__init__.py
===================================================================
--- Python-3.11.12.orig/Lib/test/support/__init__.py 2025-04-11 10:52:43.191010503 +0200
+++ Python-3.11.12/Lib/test/support/__init__.py 2025-04-11 10:52:44.802161741 +0200
--- Python-3.11.15.orig/Lib/test/support/__init__.py 2026-03-09 00:22:05.833623479 +0100
+++ Python-3.11.15/Lib/test/support/__init__.py 2026-03-09 00:25:45.751482485 +0100
@@ -8,6 +8,7 @@
import functools
import os
@@ -18,7 +18,7 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
import stat
import sys
import sysconfig
@@ -56,7 +57,7 @@
@@ -56,10 +57,9 @@
"run_with_tz", "PGO", "missing_compiler_executable",
"ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST",
"LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT",
@@ -26,39 +26,48 @@ Index: Python-3.11.12/Lib/test/support/__init__.py
+ "skip_on_s390x", "fails_with_expat_2_6_0", "is_expat_2_6_0"
]
@@ -2244,6 +2245,17 @@
-
# Timeout in seconds for tests using a network server listening on the network
# local loopback interface like 127.0.0.1.
#
@@ -2279,10 +2279,20 @@
}
return ignored
-#Windows doesn't have os.uname() but it doesn't support s390x.
+
-skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
- 'skipped on s390x')
-
+# Windows doesn't have os.uname() but it doesn't support s390x.
skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
'skipped on s390x')
+
+skip_on_s390x = unittest.skipIf(
+ hasattr(os, 'uname') and os.uname().machine == 's390x',
+ 'skipped on s390x')
+
+@functools.lru_cache
+def _is_expat_2_6_0():
+ return hasattr(pyexpat.ParserCreate(), 'SetReparseDeferralEnabled')
+
+is_expat_2_6_0 = _is_expat_2_6_0()
+
+fails_with_expat_2_6_0 = (unittest.expectedFailure
+ if is_expat_2_6_0
+ else lambda test: test)
Index: Python-3.11.12/Lib/test/test_minidom.py
def control_characters_c0() -> list[str]:
"""Returns a list of C0 control characters as strings.
Index: Python-3.11.15/Lib/test/test_minidom.py
===================================================================
--- Python-3.11.12.orig/Lib/test/test_minidom.py 2025-04-11 10:52:21.907086938 +0200
+++ Python-3.11.12/Lib/test/test_minidom.py 2025-04-11 10:52:44.802522893 +0200
@@ -6,7 +6,6 @@
--- Python-3.11.15.orig/Lib/test/test_minidom.py 2026-03-09 00:22:01.870138109 +0100
+++ Python-3.11.15/Lib/test/test_minidom.py 2026-03-09 00:22:05.864561664 +0100
@@ -7,7 +7,6 @@
from test import support
import unittest
-import pyexpat
import xml.dom.minidom
from xml.dom.minidom import parse, Attr, Node, Document, parseString
@@ -1163,13 +1162,11 @@
from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
@@ -1194,13 +1193,11 @@
# Verify that character decoding errors raise exceptions instead
# of crashing
@@ -77,7 +86,7 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
doc.unlink()
@@ -1631,12 +1628,10 @@
@@ -1662,12 +1659,10 @@
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
def testExceptionOnSpacesInXMLNSValue(self):
@@ -94,11 +103,11 @@ Index: Python-3.11.12/Lib/test/test_minidom.py
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
def testDocRemoveChild(self):
Index: Python-3.11.12/Lib/test/test_pyexpat.py
Index: Python-3.11.15/Lib/test/test_pyexpat.py
===================================================================
--- Python-3.11.12.orig/Lib/test/test_pyexpat.py 2025-04-11 10:52:22.076696906 +0200
+++ Python-3.11.12/Lib/test/test_pyexpat.py 2025-04-11 10:52:44.803228085 +0200
@@ -14,8 +14,7 @@
--- Python-3.11.15.orig/Lib/test/test_pyexpat.py 2026-03-09 00:22:02.085337730 +0100
+++ Python-3.11.15/Lib/test/test_pyexpat.py 2026-03-09 00:22:21.434819111 +0100
@@ -18,8 +18,7 @@
from xml.parsers import expat
from xml.parsers.expat import errors
@@ -108,7 +117,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
class SetAttributeTest(unittest.TestCase):
def setUp(self):
@@ -770,9 +769,8 @@
@@ -810,9 +809,8 @@
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
def test_reparse_deferral_enabled(self):
@@ -120,7 +129,7 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
started = []
@@ -801,9 +799,9 @@
@@ -841,9 +839,9 @@
parser = expat.ParserCreate()
parser.StartElementHandler = start_element
@@ -132,10 +141,10 @@ Index: Python-3.11.12/Lib/test/test_pyexpat.py
for chunk in (b'<doc', b'/>'):
parser.Parse(chunk, False)
Index: Python-3.11.12/Lib/test/test_sax.py
Index: Python-3.11.15/Lib/test/test_sax.py
===================================================================
--- Python-3.11.12.orig/Lib/test/test_sax.py 2025-04-11 10:52:22.111440337 +0200
+++ Python-3.11.12/Lib/test/test_sax.py 2025-04-11 10:52:44.803567098 +0200
--- Python-3.11.15.orig/Lib/test/test_sax.py 2026-03-09 00:22:02.128712585 +0100
+++ Python-3.11.15/Lib/test/test_sax.py 2026-03-09 00:22:21.434819111 +0100
@@ -19,13 +19,11 @@
from io import BytesIO, StringIO
import codecs
@@ -187,10 +196,10 @@ Index: Python-3.11.12/Lib/test/test_sax.py
self.assertFalse(parser._parser.GetReparseDeferralEnabled())
Index: Python-3.11.12/Lib/test/test_xml_etree.py
Index: Python-3.11.15/Lib/test/test_xml_etree.py
===================================================================
--- Python-3.11.12.orig/Lib/test/test_xml_etree.py 2025-04-11 10:52:22.425637912 +0200
+++ Python-3.11.12/Lib/test/test_xml_etree.py 2025-04-11 10:52:44.804234785 +0200
--- Python-3.11.15.orig/Lib/test/test_xml_etree.py 2026-03-09 00:22:02.529714798 +0100
+++ Python-3.11.15/Lib/test/test_xml_etree.py 2026-03-09 00:22:21.434819111 +0100
@@ -13,7 +13,6 @@
import operator
import os

30
CVE-2023-52425-remove-reparse_deferral-tests.patch
View File

@@ -4,9 +4,11 @@
Lib/test/test_xml_etree.py | 2 ++
3 files changed, 6 insertions(+)
--- a/Lib/test/test_pyexpat.py
+++ b/Lib/test/test_pyexpat.py
@@ -768,6 +768,7 @@ class ReparseDeferralTest(unittest.TestC
Index: Python-3.11.15/Lib/test/test_pyexpat.py
===================================================================
--- Python-3.11.15.orig/Lib/test/test_pyexpat.py 2026-03-06 16:07:07.713428031 +0100
+++ Python-3.11.15/Lib/test/test_pyexpat.py 2026-03-06 18:23:34.307976750 +0100
@@ -808,6 +808,7 @@
parser.SetReparseDeferralEnabled(True)
self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
@@ -14,7 +16,7 @@
def test_reparse_deferral_enabled(self):
if not is_expat_2_6_0:
self.skipTest("Linked libexpat doesn't support reparse deferral")
@@ -791,6 +792,7 @@ class ReparseDeferralTest(unittest.TestC
@@ -831,6 +832,7 @@
self.assertEqual(started, ['doc'])
@@ -22,9 +24,11 @@
def test_reparse_deferral_disabled(self):
started = []
--- a/Lib/test/test_sax.py
+++ b/Lib/test/test_sax.py
@@ -1213,6 +1213,7 @@ class ExpatReaderTest(XmlTestBase):
Index: Python-3.11.15/Lib/test/test_sax.py
===================================================================
--- Python-3.11.15.orig/Lib/test/test_sax.py 2026-03-06 16:07:07.713855947 +0100
+++ Python-3.11.15/Lib/test/test_sax.py 2026-03-06 18:23:34.309155833 +0100
@@ -1213,6 +1213,7 @@
self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
@@ -32,7 +36,7 @@
def test_flush_reparse_deferral_enabled(self):
if not is_expat_2_6_0:
self.skipTest("Linked libexpat doesn't support reparse deferral")
@@ -1238,6 +1239,7 @@ class ExpatReaderTest(XmlTestBase):
@@ -1238,6 +1239,7 @@
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
@@ -40,9 +44,11 @@
def test_flush_reparse_deferral_disabled(self):
if not is_expat_2_6_0:
self.skipTest("Linked libexpat doesn't support reparse deferral")
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1620,6 +1620,7 @@ class XMLPullParserTest(unittest.TestCas
Index: Python-3.11.15/Lib/test/test_xml_etree.py
===================================================================
--- Python-3.11.15.orig/Lib/test/test_xml_etree.py 2026-03-06 16:07:07.714503769 +0100
+++ Python-3.11.15/Lib/test/test_xml_etree.py 2026-03-06 18:23:34.309977052 +0100
@@ -1620,6 +1620,7 @@
with self.assertRaises(ValueError):
ET.XMLPullParser(events=('start', 'end', 'bogus'))
@@ -50,7 +56,7 @@
def test_flush_reparse_deferral_enabled(self):
parser = ET.XMLPullParser(events=('start', 'end'))
@@ -1641,6 +1642,7 @@ class XMLPullParserTest(unittest.TestCas
@@ -1641,6 +1642,7 @@
self.assert_event_tags(parser, [('end', 'doc')])

193
CVE-2025-12781-b64decode-alt-chars.patch Normal file
View File

@@ -0,0 +1,193 @@
From f922c02c529d25d61aa9c28a8192639c1fce8d4d Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Wed, 5 Nov 2025 20:12:31 +0200
Subject: [PATCH] gh-125346: Add more base64 tests
Add more tests for the altchars argument of b64decode() and for the map01
argument of b32decode().
---
Doc/library/base64.rst | 18 +++-
Lib/base64.py | 40 ++++++++-
Lib/test/test_base64.py | 42 +++++++++-
Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst | 5 +
4 files changed, 91 insertions(+), 14 deletions(-)
Index: Python-3.11.15/Doc/library/base64.rst
===================================================================
--- Python-3.11.15.orig/Doc/library/base64.rst 2026-03-03 01:52:57.000000000 +0100
+++ Python-3.11.15/Doc/library/base64.rst 2026-03-06 19:52:36.492967768 +0100
@@ -74,15 +74,20 @@
A :exc:`binascii.Error` exception is raised
if *s* is incorrectly padded.
- If *validate* is ``False`` (the default), characters that are neither
+ If *validate* is false (the default), characters that are neither
in the normal base-64 alphabet nor the alternative alphabet are
- discarded prior to the padding check. If *validate* is ``True``,
- these non-alphabet characters in the input result in a
- :exc:`binascii.Error`.
+ discarded prior to the padding check, but the ``+`` and ``/`` characters
+ keep their meaning if they are not in *altchars* (they will be discarded
+ in future Python versions).
+ If *validate* is true, these non-alphabet characters in the input
+ result in a :exc:`binascii.Error`.
For more information about the strict base64 check, see :func:`binascii.a2b_base64`
- May assert or raise a :exc:`ValueError` if the length of *altchars* is not 2.
+ .. deprecated:: next
+ Accepting the ``+`` and ``/`` characters with an alternative alphabet
+ is now deprecated.
+
.. function:: standard_b64encode(s)
@@ -113,6 +118,9 @@
``/`` in the standard Base64 alphabet, and return the decoded
:class:`bytes`.
+ .. deprecated:: next
+ Accepting the ``+`` and ``/`` characters is now deprecated.
+
.. function:: b32encode(s)
Index: Python-3.11.15/Lib/base64.py
===================================================================
--- Python-3.11.15.orig/Lib/base64.py 2026-03-06 16:06:30.195774827 +0100
+++ Python-3.11.15/Lib/base64.py 2026-03-06 19:52:36.493488040 +0100
@@ -71,20 +71,39 @@
The result is returned as a bytes object. A binascii.Error is raised if
s is incorrectly padded.
- If validate is False (the default), characters that are neither in the
+ If validate is false (the default), characters that are neither in the
normal base-64 alphabet nor the alternative alphabet are discarded prior
- to the padding check. If validate is True, these non-alphabet characters
+ to the padding check. If validate is true, these non-alphabet characters
in the input result in a binascii.Error.
For more information about the strict base64 check, see:
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
"""
s = _bytes_from_decode_data(s)
+ badchar = None
if altchars is not None:
altchars = _bytes_from_decode_data(altchars)
- assert len(altchars) == 2, repr(altchars)
+ if len(altchars) != 2:
+ raise ValueError(f'invalid altchars: {altchars!r}')
+ for b in b'+/':
+ if b not in altchars and b in s:
+ badchar = b
+ break
s = s.translate(bytes.maketrans(altchars, b'+/'))
- return binascii.a2b_base64(s, strict_mode=validate)
+ result = binascii.a2b_base64(s, strict_mode=validate)
+ if badchar is not None:
+ import warnings
+ if validate:
+ warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
+ f'with altchars={altchars!r} and validate=True '
+ f'will be an error in future Python versions',
+ DeprecationWarning, stacklevel=2)
+ else:
+ warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
+ f'with altchars={altchars!r} and validate=False '
+ f'will be discarded in future Python versions',
+ FutureWarning, stacklevel=2)
+ return result
def standard_b64encode(s):
@@ -129,8 +148,19 @@
The alphabet uses '-' instead of '+' and '_' instead of '/'.
"""
s = _bytes_from_decode_data(s)
+ badchar = None
+ for b in b'+/':
+ if b in s:
+ badchar = b
+ break
s = s.translate(_urlsafe_decode_translation)
- return b64decode(s)
+ result = binascii.a2b_base64(s, strict_mode=False)
+ if badchar is not None:
+ import warnings
+ warnings.warn(f'invalid character {chr(badchar)!a} in URL-safe Base64 data '
+ f'will be discarded in future Python versions',
+ FutureWarning, stacklevel=2)
+ return result
Index: Python-3.11.15/Lib/test/test_base64.py
===================================================================
--- Python-3.11.15.orig/Lib/test/test_base64.py 2026-03-06 16:06:32.552854037 +0100
+++ Python-3.11.15/Lib/test/test_base64.py 2026-03-06 19:52:36.494050069 +0100
@@ -228,6 +228,25 @@
b'\xd3V\xbeo\xf7\x1d')
self.check_decode_type_errors(base64.urlsafe_b64decode)
+ def test_b64decode_altchars(self):
+ # Test with arbitrary alternative characters
+ eq = self.assertEqual
+ res = b'\xd3V\xbeo\xf7\x1d'
+ for altchars in b'*$', b'+/', b'/+', b'+_', b'-+', b'-/', b'/_':
+ data = b'01a%cb%ccd' % tuple(altchars)
+ data_str = data.decode('ascii')
+ altchars_str = altchars.decode('ascii')
+
+ eq(base64.b64decode(data, altchars=altchars), res)
+ eq(base64.b64decode(data_str, altchars=altchars), res)
+ eq(base64.b64decode(data, altchars=altchars_str), res)
+ eq(base64.b64decode(data_str, altchars=altchars_str), res)
+
+ self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+')
+ self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+/-')
+ self.assertRaises(ValueError, base64.b64decode, '', altchars='+')
+ self.assertRaises(ValueError, base64.b64decode, '', altchars='+/-')
+
def test_b64decode_padding_error(self):
self.assertRaises(binascii.Error, base64.b64decode, b'abc')
self.assertRaises(binascii.Error, base64.b64decode, 'abc')
@@ -259,10 +278,25 @@
with self.assertRaises(binascii.Error):
base64.b64decode(bstr.decode('ascii'), validate=True)
- # Normal alphabet characters not discarded when alternative given
- res = b'\xFB\xEF\xBE\xFF\xFF\xFF'
- self.assertEqual(base64.b64decode(b'++[[//]]', b'[]'), res)
- self.assertEqual(base64.urlsafe_b64decode(b'++--//__'), res)
+ # Normal alphabet characters will be discarded when alternative given
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.b64decode(b'++++', altchars=b'-_'),
+ b'\xfb\xef\xbe')
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.b64decode(b'////', altchars=b'-_'),
+ b'\xff\xff\xff')
+ with self.assertWarns(DeprecationWarning):
+ self.assertEqual(base64.b64decode(b'++++', altchars=b'-_', validate=True),
+ b'\xfb\xef\xbe')
+ with self.assertWarns(DeprecationWarning):
+ self.assertEqual(base64.b64decode(b'////', altchars=b'-_', validate=True),
+ b'\xff\xff\xff')
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.urlsafe_b64decode(b'++++'), b'\xfb\xef\xbe')
+ with self.assertWarns(FutureWarning):
+ self.assertEqual(base64.urlsafe_b64decode(b'////'), b'\xff\xff\xff')
+ with self.assertRaises(binascii.Error):
+ base64.b64decode(b'+/!', altchars=b'-_')
def test_b32encode(self):
eq = self.assertEqual
Index: Python-3.11.15/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.11.15/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst 2026-03-06 19:52:36.494404708 +0100
@@ -0,0 +1,5 @@
+Accepting ``+`` and ``/`` characters with an alternative alphabet in
+:func:`base64.b64decode` and :func:`base64.urlsafe_b64decode` is now
+deprecated.
+In future Python versions they will be errors in the strict mode and
+discarded in the non-strict mode.

38
CVE-2025-15366-imap-ctrl-chars.patch Normal file
View File

@@ -0,0 +1,38 @@
From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
---
Lib/imaplib.py | 4 +++-
Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
Index: Python-3.11.15/Lib/imaplib.py
===================================================================
--- Python-3.11.15.orig/Lib/imaplib.py 2026-03-06 16:06:31.545110864 +0100
+++ Python-3.11.15/Lib/imaplib.py 2026-03-06 19:51:51.838695961 +0100
@@ -132,7 +132,7 @@
# We compile these in _mode_xxx.
_Literal = br'.*{(?P<size>\d+)}$'
_Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
-
+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
class IMAP4:
@@ -994,6 +994,8 @@
if arg is None: continue
if isinstance(arg, str):
arg = bytes(arg, self._encoding)
+ if _control_chars.search(arg):
+ raise ValueError("Control characters not allowed in commands")
data = data + b' ' + arg
literal = self.literal
Index: Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst 2026-03-06 19:51:51.839096617 +0100
@@ -0,0 +1 @@
+Reject control characters in IMAP commands.

56
CVE-2025-15367-poplib-ctrl-chars.patch Normal file
View File

@@ -0,0 +1,56 @@
From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 16 Jan 2026 10:54:09 -0600
Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
---
Lib/poplib.py | 2 ++
Lib/test/test_poplib.py | 8 ++++++++
Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst | 1 +
3 files changed, 11 insertions(+)
Index: Python-3.11.15/Lib/poplib.py
===================================================================
--- Python-3.11.15.orig/Lib/poplib.py 2026-03-06 16:06:32.025693538 +0100
+++ Python-3.11.15/Lib/poplib.py 2026-03-06 19:52:31.051258464 +0100
@@ -122,6 +122,8 @@
def _putcmd(self, line):
if self._debugging: print('*cmd*', repr(line))
line = bytes(line, self.encoding)
+ if re.search(b'[\x00-\x1F\x7F]', line):
+ raise ValueError('Control characters not allowed in commands')
self._putline(line)
Index: Python-3.11.15/Lib/test/test_poplib.py
===================================================================
--- Python-3.11.15.orig/Lib/test/test_poplib.py 2026-03-06 16:06:33.708669394 +0100
+++ Python-3.11.15/Lib/test/test_poplib.py 2026-03-06 19:52:31.052258474 +0100
@@ -16,6 +16,7 @@
from test.support import socket_helper
from test.support import threading_helper
from test.support import warnings_helper
+from test.support import control_characters_c0
asynchat = warnings_helper.import_deprecated('asynchat')
@@ -367,6 +368,13 @@
self.assertIsNone(self.client.sock)
self.assertIsNone(self.client.file)
+ def test_control_characters(self):
+ for c0 in control_characters_c0():
+ with self.assertRaises(ValueError):
+ self.client.user(f'user{c0}')
+ with self.assertRaises(ValueError):
+ self.client.pass_(f'{c0}pass')
+
@requires_ssl
def test_stls_capa(self):
capa = self.client.capa()
Index: Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.11.15/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst 2026-03-06 19:52:31.053950556 +0100
@@ -0,0 +1 @@
+Reject control characters in POP3 commands.

BIN
Python-3.11.14.tar.xz LFS
View File

Binary file not shown.

1
Python-3.11.14.tar.xz.sigstore
View File

File diff suppressed because one or more lines are too long

BIN
Python-3.11.15.tar.xz LFS Normal file
View File

Binary file not shown.

1
Python-3.11.15.tar.xz.sigstore Normal file
View File

File diff suppressed because one or more lines are too long

16
bso1227999-reproducible-builds.patch
View File

@@ -12,9 +12,11 @@ for the definition of this variable.
Doc/library/functions.rst | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/Doc/conf.py
+++ b/Doc/conf.py
@@ -316,7 +316,8 @@ html_context = {
Index: Python-3.11.15/Doc/conf.py
===================================================================
--- Python-3.11.15.orig/Doc/conf.py 2026-03-03 01:52:57.000000000 +0100
+++ Python-3.11.15/Doc/conf.py 2026-03-06 18:23:39.828089970 +0100
@@ -316,7 +316,8 @@
}
# This 'Last updated on:' timestamp is inserted at the bottom of every page.
@@ -24,9 +26,11 @@ for the definition of this variable.
# Path to find HTML templates.
templates_path = ['tools/templates']
--- a/Doc/library/functions.rst
+++ b/Doc/library/functions.rst
@@ -1356,7 +1356,7 @@ are always available. They are listed h
Index: Python-3.11.15/Doc/library/functions.rst
===================================================================
--- Python-3.11.15.orig/Doc/library/functions.rst 2026-03-03 01:52:57.000000000 +0100
+++ Python-3.11.15/Doc/library/functions.rst 2026-03-06 18:23:39.829089979 +0100
@@ -1356,7 +1356,7 @@
(where :func:`open` is declared), :mod:`os`, :mod:`os.path`, :mod:`tempfile`,
and :mod:`shutil`.

18
fix_configure_rst.patch
View File

@@ -3,9 +3,11 @@
Misc/NEWS | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
@@ -43,7 +43,6 @@ General Options
Index: Python-3.11.15/Doc/using/configure.rst
===================================================================
--- Python-3.11.15.orig/Doc/using/configure.rst 2026-03-06 16:06:43.304945441 +0100
+++ Python-3.11.15/Doc/using/configure.rst 2026-03-06 16:06:55.576758292 +0100
@@ -43,7 +43,6 @@
See :data:`sys.int_info.bits_per_digit <sys.int_info>`.
@@ -13,7 +15,7 @@
.. option:: --with-cxx-main=COMPILER
Compile the Python ``main()`` function and link Python executable with C++
@@ -529,13 +528,11 @@ macOS Options
@@ -529,13 +528,11 @@
See ``Mac/README.rst``.
@@ -27,9 +29,11 @@
.. option:: --enable-framework=INSTALLDIR
Create a Python.framework rather than a traditional Unix install. Optional
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -9911,7 +9911,7 @@ C API
Index: Python-3.11.15/Misc/NEWS
===================================================================
--- Python-3.11.15.orig/Misc/NEWS 2026-03-06 16:06:43.304945441 +0100
+++ Python-3.11.15/Misc/NEWS 2026-03-06 16:06:55.580059032 +0100
@@ -10081,7 +10081,7 @@
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
- bpo-43795: The list in :ref:`limited-api-list` now shows the public name

142
python311.changes
View File

@@ -1,3 +1,145 @@
-------------------------------------------------------------------
Fri Mar 6 18:54:51 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.11.15:
- Security
- gh-144125: BytesGenerator will now refuse to serialize
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs (bsc#1257029 CVE-2025-11468).
- gh-143925: Reject control characters in data: URL media
types (bsc#1257046, CVE-2025-15282).
- gh-143919: Reject control characters in http.cookies.Morsel
fields and values (bsc#1257031, CVE-2026-0672).
- gh-143916: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters
(bsc#1257042, CVE-2026-0865).
- gh-142145: Remove quadratic behavior in xml.minidom node ID
cache clearing. In order to do this without breaking
existing users, we also add the ownerDocument attribute to
xml.dom.minidom elements and attributes created by directly
instantiating the Element or Attr class. Note that this way
of creating nodes is not supported; creator functions like
xml.dom.Document.documentElement() should be used instead
(bsc#1254997, CVE-2025-12084).
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in
os.path.expandvars() (bsc#1252974, CVE-2025-6075).
- gh-119451: Fix a potential memory denial of service in the
http.client module. When connecting to a malicious server,
it could cause an arbitrary amount of memory to be
allocated. This could have led to symptoms including
a MemoryError, swapping, out of memory (OOM) killed
processes or containers, or even system crashes
(CVE-2025-13836, bsc#1254400).
- gh-119452: Fix a potential memory denial of service in the
http.server module. When a malicious user is connected to
the CGI server on Windows, it could cause an arbitrary
amount of memory to be allocated. This could have led to
symptoms including a MemoryError, swapping, out of memory
(OOM) killed processes or containers, or even system
crashes.
- gh-119342: Fix a potential memory denial of service in the
plistlib module. When reading a Plist file received from
untrusted source, it could cause an arbitrary amount of
memory to be allocated. This could have led to symptoms
including a MemoryError, swapping, out of memory (OOM)
killed processes or containers, or even system crashes
(bsc#1254401, CVE-2025-13837).
- Library
- gh-144833: Fixed a use-after-free in ssl when SSL_new()
returns NULL in newPySSLSocket(). The error was reported
via a dangling pointer after the object had already been
freed.
- gh-144363: Update bundled libexpat to 2.7.4
- gh-90949: Add SetAllocTrackerActivationThreshold() and
SetAllocTrackerMaximumAmplification() to xmlparser objects
to prevent use of disproportional amounts of dynamic memory
from within an Expat parser. Patch by Bénédikt Tran.
- Core and Builtins
- gh-120384: Fix an array out of bounds crash in
list_ass_subscript, which could be invoked via some
specificly tailored input: including concurrent
modification of a list object, where one thread assigns
a slice and another clears it.
- gh-120298: Fix use-after free in list_richcompare_impl
which can be invoked via some specificly tailored evil
input.
Remove upstreamed patches:
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2025-12084-minidom-quad-search.patch
- CVE-2025-13836-http-resp-cont-len.patch
- CVE-2025-13837-plistlib-mailicious-length.patch
- CVE-2025-6075-expandvars-perf-degrad.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15282-urllib-ctrl-chars.patch
-------------------------------------------------------------------
Wed Feb 11 19:09:06 CET 2026 - Matej Cepl <mcepl@suse.com>
- CVE-2025-11468: preserving parens when folding comments in
email headers (bsc#1257029, gh#python/cpython#143935).
CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
(bsc#1257031, gh#python/cpython#143919)
CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
wsgiref.headers.Headers, which could be abused for injecting
false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for
urllib library. (bsc#1257046, gh#python/cpython#143925)
CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
poplib library. (bsc#1257041, gh#python/cpython#143923)
CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
(bsc#1257108, gh#python/cpython#125346)
CVE-2025-12781-b64decode-alt-chars.patch
-------------------------------------------------------------------
Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
against OOM when loading malicious content (CVE-2025-13837,
bsc#1254401).
-------------------------------------------------------------------
Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
- Readjusted patches:
- CVE-2023-52425-libexpat-2.6.0-backport.patch
- CVE-2023-52425-remove-reparse_deferral-tests.patch
- fix_configure_rst.patch
- skip_if_buildbot-extend.patch
-------------------------------------------------------------------
Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>

15
python311.spec
View File

@@ -107,7 +107,7 @@
# _md5.cpython-38m-x86_64-linux-gnu.so
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
Name: %{python_pkg_name}%{psuffix}
Version: 3.11.14
Version: 3.11.15
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@@ -188,6 +188,16 @@ Patch22: gh120226-fix-sendfile-test-kernel-610.patch
Patch24: add-loongarch64-support.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch25: gh139257-Support-docutils-0.22.patch
# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
# Reject control characters in wsgiref.headers.Headers
Patch33: CVE-2025-15366-imap-ctrl-chars.patch
# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com
# Reject control characters in poplib
Patch35: CVE-2025-15367-poplib-ctrl-chars.patch
# PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 mcepl@suse.com
# Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346
Patch36: CVE-2025-12781-b64decode-alt-chars.patch
### END OF PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: crypto-policies-scripts
@@ -543,6 +553,9 @@ LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH \
%check
export SUSE_VERSION="0%{?suse_version}"
export SLE_VERSION="0%{?sle_version}"
echo "Show the openssl version"
openssl version -a
echo ""
%if %{with general}
# exclude test_gdb -- it doesn't run in buildservice anyway, and fails on missing debuginfos
# when you install gdb into your test env

8
skip_if_buildbot-extend.patch
View File

@@ -2,9 +2,11 @@
Lib/test/support/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -384,7 +384,7 @@ def skip_if_buildbot(reason=None):
Index: Python-3.11.14/Lib/test/support/__init__.py
===================================================================
--- Python-3.11.14.orig/Lib/test/support/__init__.py 2025-11-15 19:14:54.049952478 +0100
+++ Python-3.11.14/Lib/test/support/__init__.py 2025-11-15 19:15:08.449938538 +0100
@@ -394,7 +394,7 @@
if not reason:
reason = 'not suitable for buildbots'
try: