diff --git a/CVE-2025-6075-expandvars-perf-degrad.patch b/CVE-2025-6075-expandvars-perf-degrad.patch new file mode 100644 index 0000000..f867760 --- /dev/null +++ b/CVE-2025-6075-expandvars-perf-degrad.patch @@ -0,0 +1,382 @@ +From 122a417f8000eb904a3cac9aacf4de8d288d7148 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Fri, 31 Oct 2025 15:49:51 +0200 +Subject: [PATCH 1/2] [3.12] gh-136065: Fix quadratic complexity in + os.path.expandvars() (GH-134952) (cherry picked from commit + f029e8db626ddc6e3a3beea4eff511a71aaceb5c) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Serhiy Storchaka +Co-authored-by: Ɓukasz Langa +--- + Lib/ntpath.py | 126 ++++++------------ + Lib/posixpath.py | 43 +++--- + Lib/test/test_genericpath.py | 14 ++ + Lib/test/test_ntpath.py | 22 ++- + ...-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 + + 5 files changed, 93 insertions(+), 113 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst + +diff --git a/Lib/ntpath.py b/Lib/ntpath.py +index 1bef630bd9c0ff..393d358b0afb8c 100644 +--- a/Lib/ntpath.py ++++ b/Lib/ntpath.py +@@ -409,17 +409,23 @@ def expanduser(path): + # XXX With COMMAND.COM you can use any characters in a variable name, + # XXX except '^|<>='. + ++_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)" ++_varsub = None ++_varsubb = None ++ + def expandvars(path): + """Expand shell variables of the forms $var, ${var} and %var%. + + Unknown variables are left unchanged.""" + path = os.fspath(path) ++ global _varsub, _varsubb + if isinstance(path, bytes): + if b'$' not in path and b'%' not in path: + return path +- import string +- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii') +- quote = b'\'' ++ if not _varsubb: ++ import re ++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub ++ sub = _varsubb + percent = b'%' + brace = b'{' + rbrace = b'}' +@@ -428,94 +434,44 @@ def expandvars(path): + else: + if '$' not in path and '%' not in path: + return path +- import string +- varchars = string.ascii_letters + string.digits + '_-' +- quote = '\'' ++ if not _varsub: ++ import re ++ _varsub = re.compile(_varpattern, re.ASCII).sub ++ sub = _varsub + percent = '%' + brace = '{' + rbrace = '}' + dollar = '$' + environ = os.environ +- res = path[:0] +- index = 0 +- pathlen = len(path) +- while index < pathlen: +- c = path[index:index+1] +- if c == quote: # no expansion within single quotes +- path = path[index + 1:] +- pathlen = len(path) +- try: +- index = path.index(c) +- res += c + path[:index + 1] +- except ValueError: +- res += c + path +- index = pathlen - 1 +- elif c == percent: # variable or '%' +- if path[index + 1:index + 2] == percent: +- res += c +- index += 1 +- else: +- path = path[index+1:] +- pathlen = len(path) +- try: +- index = path.index(percent) +- except ValueError: +- res += percent + path +- index = pathlen - 1 +- else: +- var = path[:index] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = percent + var + percent +- res += value +- elif c == dollar: # variable or '$$' +- if path[index + 1:index + 2] == dollar: +- res += c +- index += 1 +- elif path[index + 1:index + 2] == brace: +- path = path[index+2:] +- pathlen = len(path) +- try: +- index = path.index(rbrace) +- except ValueError: +- res += dollar + brace + path +- index = pathlen - 1 +- else: +- var = path[:index] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = dollar + brace + var + rbrace +- res += value +- else: +- var = path[:0] +- index += 1 +- c = path[index:index + 1] +- while c and c in varchars: +- var += c +- index += 1 +- c = path[index:index + 1] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = dollar + var +- res += value +- if c: +- index -= 1 ++ ++ def repl(m): ++ lastindex = m.lastindex ++ if lastindex is None: ++ return m[0] ++ name = m[lastindex] ++ if lastindex == 1: ++ if name == percent: ++ return name ++ if not name.endswith(percent): ++ return m[0] ++ name = name[:-1] + else: +- res += c +- index += 1 +- return res ++ if name == dollar: ++ return name ++ if name.startswith(brace): ++ if not name.endswith(rbrace): ++ return m[0] ++ name = name[1:-1] ++ ++ try: ++ if environ is None: ++ return os.fsencode(os.environ[os.fsdecode(name)]) ++ else: ++ return environ[name] ++ except KeyError: ++ return m[0] ++ ++ return sub(repl, path) + + + # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B. +diff --git a/Lib/posixpath.py b/Lib/posixpath.py +index 90a6f545f90529..6306f14f53491b 100644 +--- a/Lib/posixpath.py ++++ b/Lib/posixpath.py +@@ -314,42 +314,41 @@ def expanduser(path): + # This expands the forms $variable and ${variable} only. + # Non-existent variables are left unchanged. + +-_varprog = None +-_varprogb = None ++_varpattern = r'\$(\w+|\{[^}]*\}?)' ++_varsub = None ++_varsubb = None + + def expandvars(path): + """Expand shell variables of form $var and ${var}. Unknown variables + are left unchanged.""" + path = os.fspath(path) +- global _varprog, _varprogb ++ global _varsub, _varsubb + if isinstance(path, bytes): + if b'$' not in path: + return path +- if not _varprogb: ++ if not _varsubb: + import re +- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII) +- search = _varprogb.search ++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub ++ sub = _varsubb + start = b'{' + end = b'}' + environ = getattr(os, 'environb', None) + else: + if '$' not in path: + return path +- if not _varprog: ++ if not _varsub: + import re +- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII) +- search = _varprog.search ++ _varsub = re.compile(_varpattern, re.ASCII).sub ++ sub = _varsub + start = '{' + end = '}' + environ = os.environ +- i = 0 +- while True: +- m = search(path, i) +- if not m: +- break +- i, j = m.span(0) +- name = m.group(1) +- if name.startswith(start) and name.endswith(end): ++ ++ def repl(m): ++ name = m[1] ++ if name.startswith(start): ++ if not name.endswith(end): ++ return m[0] + name = name[1:-1] + try: + if environ is None: +@@ -357,13 +356,11 @@ def expandvars(path): + else: + value = environ[name] + except KeyError: +- i = j ++ return m[0] + else: +- tail = path[j:] +- path = path[:i] + value +- i = len(path) +- path += tail +- return path ++ return value ++ ++ return sub(repl, path) + + + # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B. +diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py +index 3eefb722b81e55..1cec587e875888 100644 +--- a/Lib/test/test_genericpath.py ++++ b/Lib/test/test_genericpath.py +@@ -7,6 +7,7 @@ + import sys + import unittest + import warnings ++from test import support + from test.support import is_emscripten + from test.support import os_helper + from test.support import warnings_helper +@@ -443,6 +444,19 @@ def check(value, expected): + os.fsencode('$bar%s bar' % nonascii)) + check(b'$spam}bar', os.fsencode('%s}bar' % nonascii)) + ++ @support.requires_resource('cpu') ++ def test_expandvars_large(self): ++ expandvars = self.pathmodule.expandvars ++ with os_helper.EnvironmentVarGuard() as env: ++ env.clear() ++ env["A"] = "B" ++ n = 100_000 ++ self.assertEqual(expandvars('$A'*n), 'B'*n) ++ self.assertEqual(expandvars('${A}'*n), 'B'*n) ++ self.assertEqual(expandvars('$A!'*n), 'B!'*n) ++ self.assertEqual(expandvars('${A}A'*n), 'BA'*n) ++ self.assertEqual(expandvars('${'*10*n), '${'*10*n) ++ + def test_abspath(self): + self.assertIn("foo", self.pathmodule.abspath("foo")) + with warnings.catch_warnings(): +diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py +index ced9dc4fffb41e..72f89ebb21c478 100644 +--- a/Lib/test/test_ntpath.py ++++ b/Lib/test/test_ntpath.py +@@ -7,8 +7,7 @@ + import unittest + import warnings + from ntpath import ALLOW_MISSING +-from test.support import cpython_only, os_helper +-from test.support import TestFailed, is_emscripten ++from test.support import os_helper, is_emscripten + from test.support.os_helper import FakePath + from test import test_genericpath + from tempfile import TemporaryFile +@@ -58,7 +57,7 @@ def tester(fn, wantResult): + fn = fn.replace("\\", "\\\\") + gotResult = eval(fn) + if wantResult != gotResult and _norm(wantResult) != _norm(gotResult): +- raise TestFailed("%s should return: %s but returned: %s" \ ++ raise support.TestFailed("%s should return: %s but returned: %s" \ + %(str(fn), str(wantResult), str(gotResult))) + + # then with bytes +@@ -74,7 +73,7 @@ def tester(fn, wantResult): + warnings.simplefilter("ignore", DeprecationWarning) + gotResult = eval(fn) + if _norm(wantResult) != _norm(gotResult): +- raise TestFailed("%s should return: %s but returned: %s" \ ++ raise support.TestFailed("%s should return: %s but returned: %s" \ + %(str(fn), str(wantResult), repr(gotResult))) + + +@@ -882,6 +881,19 @@ def check(value, expected): + check('%spam%bar', '%sbar' % nonascii) + check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii) + ++ @support.requires_resource('cpu') ++ def test_expandvars_large(self): ++ expandvars = ntpath.expandvars ++ with os_helper.EnvironmentVarGuard() as env: ++ env.clear() ++ env["A"] = "B" ++ n = 100_000 ++ self.assertEqual(expandvars('%A%'*n), 'B'*n) ++ self.assertEqual(expandvars('%A%A'*n), 'BA'*n) ++ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%') ++ self.assertEqual(expandvars("%%"*n), "%"*n) ++ self.assertEqual(expandvars("$$"*n), "$"*n) ++ + def test_expanduser(self): + tester('ntpath.expanduser("test")', 'test') + +@@ -1207,7 +1219,7 @@ def test_con_device(self): + self.assertTrue(os.path.exists(r"\\.\CON")) + + @unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32") +- @cpython_only ++ @support.cpython_only + def test_fast_paths_in_use(self): + # There are fast paths of these functions implemented in posixmodule.c. + # Confirm that they are being used, and not the Python fallbacks in +diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +new file mode 100644 +index 00000000000000..1d152bb5318380 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +@@ -0,0 +1 @@ ++Fix quadratic complexity in :func:`os.path.expandvars`. + +From 27eb90f676ced2a2a6f2a3ea9d0555d045a0d976 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Langa?= +Date: Fri, 31 Oct 2025 17:32:52 +0100 +Subject: [PATCH 2/2] Oops + +--- + Lib/test/test_ntpath.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py +index 72f89ebb21c478..7c42d4f5894788 100644 +--- a/Lib/test/test_ntpath.py ++++ b/Lib/test/test_ntpath.py +@@ -7,6 +7,7 @@ + import unittest + import warnings + from ntpath import ALLOW_MISSING ++from test import support + from test.support import os_helper, is_emscripten + from test.support.os_helper import FakePath + from test import test_genericpath diff --git a/bsc1243155-sphinx-non-determinism.patch b/bsc1243155-sphinx-non-determinism.patch index d5e2f11..3762e7c 100644 --- a/bsc1243155-sphinx-non-determinism.patch +++ b/bsc1243155-sphinx-non-determinism.patch @@ -14,10 +14,10 @@ https://github.com/python/cpython/issues/130979 Doc/tools/extensions/audit_events.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) -Index: Python-3.12.11/Doc/tools/extensions/audit_events.py +Index: Python-3.12.12/Doc/tools/extensions/audit_events.py =================================================================== ---- Python-3.12.11.orig/Doc/tools/extensions/audit_events.py 2025-07-02 16:10:55.447792590 +0200 -+++ Python-3.12.11/Doc/tools/extensions/audit_events.py 2025-07-02 16:12:00.124596479 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/audit_events.py 2025-11-15 16:09:06.279580426 +0100 ++++ Python-3.12.12/Doc/tools/extensions/audit_events.py 2025-11-15 18:14:28.878403685 +0100 @@ -64,8 +64,13 @@ logger.warning(msg) return diff --git a/doc-py38-to-py36.patch b/doc-py38-to-py36.patch index 1df4894..0554ec7 100644 --- a/doc-py38-to-py36.patch +++ b/doc-py38-to-py36.patch @@ -14,16 +14,16 @@ Doc/tools/extensions/pydoc_topics.py | 22 +++++----- 13 files changed, 126 insertions(+), 118 deletions(-) -Index: Python-3.12.10/Doc/Makefile +Index: Python-3.12.12/Doc/Makefile =================================================================== ---- Python-3.12.10.orig/Doc/Makefile 2025-04-29 22:11:50.013198738 +0200 -+++ Python-3.12.10/Doc/Makefile 2025-04-29 22:11:52.047098026 +0200 +--- Python-3.12.12.orig/Doc/Makefile 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/Makefile 2025-11-16 00:10:17.204996992 +0100 @@ -14,15 +14,15 @@ SOURCES = DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py) REQUIREMENTS = requirements.txt -SPHINXERRORHANDLING = --fail-on-warning -+SPHINXERRORHANDLING = -W ++SPHINXERRORHANDLING = # Internal variables. PAPEROPT_a4 = --define latex_elements.papersize=a4paper @@ -38,10 +38,10 @@ Index: Python-3.12.10/Doc/Makefile $(PAPEROPT_$(PAPER)) \ $(SPHINXOPTS) $(SPHINXERRORHANDLING) \ . build/$(BUILDER) $(SOURCES) -Index: Python-3.12.10/Doc/conf.py +Index: Python-3.12.12/Doc/conf.py =================================================================== ---- Python-3.12.10.orig/Doc/conf.py 2025-04-29 22:11:46.161835452 +0200 -+++ Python-3.12.10/Doc/conf.py 2025-04-29 22:11:52.047459667 +0200 +--- Python-3.12.12.orig/Doc/conf.py 2025-11-16 00:09:22.481046078 +0100 ++++ Python-3.12.12/Doc/conf.py 2025-11-16 00:09:33.435219937 +0100 @@ -11,6 +11,8 @@ from importlib import import_module from importlib.util import find_spec @@ -86,10 +86,10 @@ Index: Python-3.12.10/Doc/conf.py # Options for c_annotations extension # ----------------------------------- -Index: Python-3.12.10/Doc/tools/check-warnings.py +Index: Python-3.12.12/Doc/tools/check-warnings.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/check-warnings.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/check-warnings.py 2025-04-29 22:11:52.047704324 +0200 +--- Python-3.12.12.orig/Doc/tools/check-warnings.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/check-warnings.py 2025-11-16 00:09:33.435482474 +0100 @@ -228,7 +228,8 @@ print(filename) for warning in warnings: @@ -109,10 +109,10 @@ Index: Python-3.12.10/Doc/tools/check-warnings.py for warning in warnings if "Doc/" in warning } -Index: Python-3.12.10/Doc/tools/extensions/audit_events.py +Index: Python-3.12.12/Doc/tools/extensions/audit_events.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/audit_events.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/audit_events.py 2025-04-29 22:11:52.047967558 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/audit_events.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/audit_events.py 2025-11-16 00:09:38.867031380 +0100 @@ -1,9 +1,6 @@ """Support for documenting audit events.""" @@ -253,10 +253,10 @@ Index: Python-3.12.10/Doc/tools/extensions/audit_events.py ) -> nodes.row: row = nodes.row() name_node = nodes.paragraph("", nodes.Text(name)) -Index: Python-3.12.10/Doc/tools/extensions/availability.py +Index: Python-3.12.12/Doc/tools/extensions/availability.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/availability.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/availability.py 2025-04-29 22:11:52.048206976 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/availability.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/availability.py 2025-11-16 00:09:33.436104069 +0100 @@ -1,8 +1,6 @@ """Support for documenting platform availability""" @@ -310,10 +310,10 @@ Index: Python-3.12.10/Doc/tools/extensions/availability.py app.add_directive("availability", Availability) return { -Index: Python-3.12.10/Doc/tools/extensions/c_annotations.py +Index: Python-3.12.12/Doc/tools/extensions/c_annotations.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/c_annotations.py 2025-04-29 22:11:52.033400629 +0200 -+++ Python-3.12.10/Doc/tools/extensions/c_annotations.py 2025-04-29 22:11:52.048411194 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/c_annotations.py 2025-11-16 00:09:33.421429756 +0100 ++++ Python-3.12.12/Doc/tools/extensions/c_annotations.py 2025-11-16 00:09:33.436337970 +0100 @@ -9,22 +9,18 @@ * Set ``stable_abi_file`` to the path to stable ABI list. """ @@ -443,10 +443,10 @@ Index: Python-3.12.10/Doc/tools/extensions/c_annotations.py return { "version": "1.0", "parallel_read_safe": True, -Index: Python-3.12.10/Doc/tools/extensions/changes.py +Index: Python-3.12.12/Doc/tools/extensions/changes.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/changes.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/changes.py 2025-04-29 22:11:52.048619113 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/changes.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/changes.py 2025-11-16 00:09:33.436590030 +0100 @@ -1,7 +1,5 @@ """Support for documenting version of changes, additions, deprecations.""" @@ -482,10 +482,10 @@ Index: Python-3.12.10/Doc/tools/extensions/changes.py # Override Sphinx's directives with support for 'next' app.add_directive("versionadded", PyVersionChange, override=True) app.add_directive("versionchanged", PyVersionChange, override=True) -Index: Python-3.12.10/Doc/tools/extensions/glossary_search.py +Index: Python-3.12.12/Doc/tools/extensions/glossary_search.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/glossary_search.py 2025-04-29 22:11:52.033722879 +0200 -+++ Python-3.12.10/Doc/tools/extensions/glossary_search.py 2025-04-29 22:11:52.048797629 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/glossary_search.py 2025-11-16 00:09:33.421856281 +0100 ++++ Python-3.12.12/Doc/tools/extensions/glossary_search.py 2025-11-16 00:09:33.436945736 +0100 @@ -1,18 +1,14 @@ """Feature search results for glossary items prominently.""" @@ -516,10 +516,10 @@ Index: Python-3.12.10/Doc/tools/extensions/glossary_search.py app.connect('doctree-resolved', process_glossary_nodes) app.connect('build-finished', write_glossary_json) -Index: Python-3.12.10/Doc/tools/extensions/implementation_detail.py +Index: Python-3.12.12/Doc/tools/extensions/implementation_detail.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/implementation_detail.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/implementation_detail.py 2025-04-29 22:48:23.397548211 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/implementation_detail.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/implementation_detail.py 2025-11-16 00:09:33.437321346 +0100 @@ -1,17 +1,10 @@ """Support for marking up implementation details.""" @@ -570,10 +570,10 @@ Index: Python-3.12.10/Doc/tools/extensions/implementation_detail.py app.add_directive("impl-detail", ImplementationDetail) return { -Index: Python-3.12.10/Doc/tools/extensions/issue_role.py +Index: Python-3.12.12/Doc/tools/extensions/issue_role.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/issue_role.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/issue_role.py 2025-04-29 22:21:55.278961032 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/issue_role.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/issue_role.py 2025-11-16 00:09:33.437543863 +0100 @@ -1,22 +1,18 @@ """Support for referencing issues in the tracker.""" @@ -619,10 +619,10 @@ Index: Python-3.12.10/Doc/tools/extensions/issue_role.py app.add_role("issue", BPOIssue()) app.add_role("gh", GitHubIssue()) -Index: Python-3.12.10/Doc/tools/extensions/misc_news.py +Index: Python-3.12.12/Doc/tools/extensions/misc_news.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/misc_news.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/misc_news.py 2025-04-29 22:11:52.049046825 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/misc_news.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/misc_news.py 2025-11-16 00:09:33.437781606 +0100 @@ -1,7 +1,5 @@ """Support for including Misc/NEWS.""" @@ -675,10 +675,10 @@ Index: Python-3.12.10/Doc/tools/extensions/misc_news.py app.add_directive("miscnews", MiscNews) return { -Index: Python-3.12.10/Doc/tools/extensions/patchlevel.py +Index: Python-3.12.12/Doc/tools/extensions/patchlevel.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/patchlevel.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/patchlevel.py 2025-04-29 22:11:52.049253068 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/patchlevel.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/patchlevel.py 2025-11-16 00:09:33.437983170 +0100 @@ -3,7 +3,7 @@ import re import sys @@ -716,10 +716,10 @@ Index: Python-3.12.10/Doc/tools/extensions/patchlevel.py version = f"{info.major}.{info.minor}" release = f"{info.major}.{info.minor}.{info.micro}" if info.releaselevel != "final": -Index: Python-3.12.10/Doc/tools/extensions/pydoc_topics.py +Index: Python-3.12.12/Doc/tools/extensions/pydoc_topics.py =================================================================== ---- Python-3.12.10.orig/Doc/tools/extensions/pydoc_topics.py 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Doc/tools/extensions/pydoc_topics.py 2025-04-29 22:33:59.916893510 +0200 +--- Python-3.12.12.orig/Doc/tools/extensions/pydoc_topics.py 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/tools/extensions/pydoc_topics.py 2025-11-16 00:09:33.438175026 +0100 @@ -1,21 +1,23 @@ """Support for building "topic help" for pydoc.""" diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index cacfcc3..2528ab1 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -3,9 +3,11 @@ Misc/NEWS | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) ---- a/Doc/using/configure.rst -+++ b/Doc/using/configure.rst -@@ -640,13 +640,11 @@ macOS Options +Index: Python-3.12.12/Doc/using/configure.rst +=================================================================== +--- Python-3.12.12.orig/Doc/using/configure.rst 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Doc/using/configure.rst 2025-11-15 16:08:56.030736737 +0100 +@@ -640,13 +640,11 @@ See ``Mac/README.rst``. @@ -19,9 +21,11 @@ .. option:: --enable-framework=INSTALLDIR Create a Python.framework rather than a traditional Unix install. Optional ---- a/Misc/NEWS -+++ b/Misc/NEWS -@@ -15146,7 +15146,7 @@ C API +Index: Python-3.12.12/Misc/NEWS +=================================================================== +--- Python-3.12.12.orig/Misc/NEWS 2025-10-09 13:07:00.000000000 +0200 ++++ Python-3.12.12/Misc/NEWS 2025-11-15 16:08:56.040736728 +0100 +@@ -15234,7 +15234,7 @@ - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - bpo-43795: The list in :ref:`limited-api-list` now shows the public name diff --git a/python312.changes b/python312.changes index f5a287f..4158f2b 100644 --- a/python312.changes +++ b/python312.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl + +- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple + quadratic complexity vulnerabilities of os.path.expandvars() + (CVE-2025-6075, bsc#1252974). +- Reapply patches: + - bsc1243155-sphinx-non-determinism.patch + - doc-py38-to-py36.patch + - fix_configure_rst.patch + ------------------------------------------------------------------- Wed Oct 15 09:10:21 UTC 2025 - Daniel Garcia diff --git a/python312.spec b/python312.spec index 3d588e9..5637dac 100644 --- a/python312.spec +++ b/python312.spec @@ -189,6 +189,9 @@ Patch44: doc-py38-to-py36.patch Patch45: bsc1243155-sphinx-non-determinism.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch46: gh139257-Support-docutils-0.22.patch +# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com +# Avoid potential quadratic complexity vulnerabilities in path modules +Patch47: CVE-2025-6075-expandvars-perf-degrad.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -479,10 +482,6 @@ rm Lib/site-packages/README.txt # Add vendored bluez-devel files tar xvf %{SOURCE21} -# Don't fail on warnings when building documentation -sed -i -e '/^SPHINXERRORHANDLING/s/--fail-on-warning//' Doc/Makefile -sed -i -e '/^SPHINXERRORHANDLING/s/-W//' Doc/Makefile - %build %if %{with doc} TODAY_DATE=`date -r %{SOURCE0} "+%%B %%d, %%Y"`