From 3d0b1fd2f36c0e443772c08304a4ca9791a7bca397aa063d8db09f03e1daef37 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Tue, 27 May 2025 19:09:08 +0000 Subject: [PATCH] fix the patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=144 --- CVE-2025-4516-DecodeError-handler.patch | 39 +++++++++++++------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/CVE-2025-4516-DecodeError-handler.patch b/CVE-2025-4516-DecodeError-handler.patch index 90b9ac8..81e1ec6 100644 --- a/CVE-2025-4516-DecodeError-handler.patch +++ b/CVE-2025-4516-DecodeError-handler.patch @@ -20,13 +20,13 @@ Co-authored-by: Serhiy Storchaka --- Include/cpython/bytesobject.h | 4 Include/cpython/unicodeobject.h | 13 ++ - Lib/test/test_codeccallbacks.py | 36 +++++ + Lib/test/test_codeccallbacks.py | 39 ++++++ Lib/test/test_codecs.py | 52 ++++++-- Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst | 2 Objects/bytesobject.c | 54 +++++--- Objects/unicodeobject.c | 61 +++++++--- Parser/string_parser.c | 26 ++-- - 8 files changed, 191 insertions(+), 57 deletions(-) + 8 files changed, 194 insertions(+), 57 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst Index: Python-3.12.10/Include/cpython/bytesobject.h @@ -71,7 +71,7 @@ Index: Python-3.12.10/Include/cpython/unicodeobject.h Index: Python-3.12.10/Lib/test/test_codeccallbacks.py =================================================================== --- Python-3.12.10.orig/Lib/test/test_codeccallbacks.py 2025-05-27 17:27:04.334768069 +0200 -+++ Python-3.12.10/Lib/test/test_codeccallbacks.py 2025-05-27 20:45:06.747118127 +0200 ++++ Python-3.12.10/Lib/test/test_codeccallbacks.py 2025-05-27 21:05:08.061522938 +0200 @@ -1,6 +1,7 @@ import codecs import html.entities 
@@ -89,7 +89,7 @@ Index: Python-3.12.10/Lib/test/test_codeccallbacks.py baddata = [ ("ascii", b"\xff"), ("utf-7", b"++"), -@@ -1159,6 +1160,39 @@ +@@ -1159,6 +1160,42 @@ for (encoding, data) in baddata: self.assertEqual(data.decode(encoding, "test.mutating"), "\u4242") 
@@ -114,17 +114,20 @@ Index: Python-3.12.10/Lib/test/test_codeccallbacks.py
 + self.assertEqual(decode(input, 'test.mutating2'), (expected, len(input)))
 + self.assertIn(msg, str(cm.warning))
 +
-+ # The warning message for invalid escape sequences dynamically escapes the backslash.
-+ # Using re.escape to handle the backslash and then formatting the character directly.
-+ check(br'\x0n\z', '\u0404\n\\z', r"invalid escape sequence '%s'" % r'\z')
-+ check(br'\x0n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\\501'")
++ check(br'\x0n\z', '\u0404\n\\z', r"invalid escape sequence '\z'")
++ check(br'\x0n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\501'")
++ check(br'\x0z', '\u0404\\z', r"invalid escape sequence '\z'")
 +
-+ check(br'\x0z', '\u0404\\z', r"invalid escape sequence '%s'" % r'\z')
-+ check(br'\x3n\zr', '\u0404\n\\zr', r"invalid escape sequence '%s'" % r'\z')
-+ check(br'\x3zr', '\u0404\\zr', r"invalid escape sequence '%s'" % r'\z')
-+ check(br'\x3z5', '\u0404\\z5', r"invalid escape sequence '%s'" % r'\z')
-+ check(memoryview(br'\x3z5x')[:-1], '\u0404\\z5', r"invalid escape sequence '%s'" % r'\z')
-+ check(memoryview(br'\x3z5xy')[:-2], '\u0404\\z5', r"invalid escape sequence '%s'" % r'\z')
++ check(br'\x3n\zr', '\u0404\n\\zr', r"invalid escape sequence '\z'")
++ check(br'\x3zr', '\u0404\\zr', r"invalid escape sequence '\z'")
++ check(br'\x3z5', '\u0404\\z5', r"invalid escape sequence '\z'")
++ check(memoryview(br'\x3z5x')[:-1], '\u0404\\z5', r"invalid escape sequence '\z'")
++ check(memoryview(br'\x3z5xy')[:-2], '\u0404\\z5', r"invalid escape sequence '\z'")
++
++ check(br'\x5n\z', '\u0404\n\\z', r"invalid escape sequence '\z'")
++ check(br'\x5n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\501'")
++ check(br'\x5z', '\u0404\\z', r"invalid escape sequence '\z'")
++ check(memoryview(br'\x5zy')[:-1], '\u0404\\z', r"invalid escape sequence '\z'")
 +
 # issue32583
 def test_crashing_decode_handler(self):
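Review bot: The three groups of `check(...)` calls on the new side differ only in the digit after `\x` (`\x0`, `\x3`, `\x5`), and with the two comment lines removed nothing in the hunk says what each digit makes the `test.mutating2` handler do. A short comment above the first group would help, for example `# the digit after \x selects what the test.mutating2 handler does with the input (see its definition above)`, with the per-digit behaviour spelled out by whoever has the handler in view. The handler and the `check` helper are defined outside this hunk, so that wording is a presumption to confirm against them.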
@@ -234,7 +237,7 @@ Index: Python-3.12.10/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133 Index: Python-3.12.10/Objects/bytesobject.c =================================================================== --- Python-3.12.10.orig/Objects/bytesobject.c 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Objects/bytesobject.c 2025-05-27 17:27:08.581189399 +0200 ++++ Python-3.12.10/Objects/bytesobject.c 2025-05-27 21:08:20.056554751 +0200 @@ -1048,10 +1048,11 @@ } @@ -328,7 +331,7 @@ Index: Python-3.12.10/Objects/bytesobject.c if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, - "invalid octal escape sequence '\\%.3s'", - first_invalid_escape) < 0) -+ "invalid octal escape sequence '\\%o'", ++ "invalid octal escape sequence '\\\\%o'", + first_invalid_escape_char) < 0) { Py_DECREF(result); @@ -345,7 +348,7 @@ Index: Python-3.12.10/Objects/bytesobject.c Index: Python-3.12.10/Objects/unicodeobject.c =================================================================== --- Python-3.12.10.orig/Objects/unicodeobject.c 2025-04-08 13:35:47.000000000 +0200 -+++ Python-3.12.10/Objects/unicodeobject.c 2025-05-27 17:27:08.583127021 +0200 ++++ Python-3.12.10/Objects/unicodeobject.c 2025-05-27 21:08:02.745636052 +0200 @@ -6046,13 +6046,15 @@ /* --- Unicode Escape Codec ----------------------------------------------- */ @@ -450,7 +453,7 @@ Index: Python-3.12.10/Objects/unicodeobject.c if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, - "invalid octal escape sequence '\\%.3s'", - first_invalid_escape) < 0) -+ "invalid octal escape sequence '\\%o'", ++ "invalid octal escape sequence '\\\\%o'", + first_invalid_escape_char) < 0) { Py_DECREF(result);
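Review bot: The new format string `"invalid octal escape sequence '\\\\%o'"` in the Objects/bytesobject.c hunk emits two backslashes before the octal digits, while the test expectation changed in the same commit is `r"invalid octal escape sequence '\501'"` with a single backslash, compared through `assertIn(msg, str(cm.warning))`. As far as the visible lines show, that substring cannot match the emitted warning, so the octal cases of the new test would fail; the C literal should stay `"invalid octal escape sequence '\\%o'"`, which produces one backslash. The identical change is made in the Objects/unicodeobject.c hunk, and both enclosing functions start and end outside the hunks. Because this test is the regression coverage carried by the CVE-2025-4516 patch, it is worth confirming that it runs and passes in the package build rather than being skipped.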