From 02c7c3ac57dfc53819d484e989b7c74d2faf650d825ad01f11f74047dee1da18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= Date: Tue, 4 Nov 2025 17:47:42 +0100 Subject: [PATCH] Add CVE-2025-8291-consistency-zip64.patch Checks consistency of the zip64 end of central directory record, and preventing obfuscation of the payload, i.e., you scanning for malicious content in a ZIP file with one ZIP parser (let's say a Rust one) then unpack it in production with another (e.g., the Python one) and get malicious content that the other parser did not see (CVE-2025-8291, bsc#1251305) Readjust patches while synchronizing between openSUSE and SLE trees: - F00251-change-user-install-location.patch - doc-py38-to-py36.patch - gh126985-mv-pyvenv.cfg2getpath.patch --- CVE-2025-6069-quad-complex-HTMLParser.patch | 247 ---------------- CVE-2025-8291-consistency-zip64.patch | 307 ++++++++++++++++++++ F00251-change-user-install-location.patch | 16 +- doc-py38-to-py36.patch | 122 ++++---- gh126985-mv-pyvenv.cfg2getpath.patch | 8 +- python313.changes | 15 + python313.spec | 3 + 7 files changed, 398 insertions(+), 320 deletions(-) delete mode 100644 CVE-2025-6069-quad-complex-HTMLParser.patch create mode 100644 CVE-2025-8291-consistency-zip64.patch diff --git a/CVE-2025-6069-quad-complex-HTMLParser.patch b/CVE-2025-6069-quad-complex-HTMLParser.patch deleted file mode 100644 index 3336e74..0000000 --- a/CVE-2025-6069-quad-complex-HTMLParser.patch +++ /dev/null 
@@ -1,247 +0,0 @@ -From 9043edabc7e2f0dd655146e0a4571e2a0b2906af Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Fri, 13 Jun 2025 19:57:48 +0300 -Subject: [PATCH] gh-135462: Fix quadratic complexity in processing special - input in HTMLParser (GH-135464) - -End-of-file errors are now handled according to the HTML5 specs -- -comments and declarations are automatically closed, tags are ignored. -(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41) - -Co-authored-by: Serhiy Storchaka ---- - Lib/html/parser.py | 41 +++- - Lib/test/test_htmlparser.py | 97 +++++++--- - Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst | 4 - 3 files changed, 111 insertions(+), 31 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst - -Index: Python-3.13.5/Lib/html/parser.py -=================================================================== ---- Python-3.13.5.orig/Lib/html/parser.py 2025-06-11 17:36:57.000000000 +0200 -+++ Python-3.13.5/Lib/html/parser.py 2025-07-02 16:49:52.020175099 +0200 -@@ -27,6 +27,7 @@ - attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?') - - starttagopen = re.compile('<[a-zA-Z]') -+endtagopen = re.compile('') - commentclose = re.compile(r'--\s*>') - # Note: -@@ -195,7 +196,7 @@ - k = self.parse_pi(i) - elif startswith("', i + 1) -- if k < 0: -- k = rawdata.find('<', i + 1) -- if k < 0: -- k = i + 1 -+ if starttagopen.match(rawdata, i): # < + letter -+ pass -+ elif startswith("'), -- ('comment', '/img'), -- ('endtag', 'html<')]) -+ ('data', '\n')]) - - def test_starttag_junk_chars(self): -+ self._run_check("<", [('data', '<')]) -+ self._run_check("<>", [('data', '<>')]) -+ self._run_check("< >", [('data', '< >')]) -+ self._run_check("< ", [('data', '< ')]) - self._run_check("", []) -+ self._run_check("<$>", [('data', '<$>')]) - self._run_check("", [('comment', '$')]) - self._run_check("", [('endtag', 'a')]) -+ self._run_check("", 
[('starttag', 'a", [('endtag', 'a'", [('data', "'", []) -+ self._run_check("", [('starttag', 'a$b', [])]) - self._run_check("", [('startendtag', 'a$b', [])]) - self._run_check("", [('starttag', 'a$b', [])]) - self._run_check("", [('startendtag', 'a$b', [])]) -+ self._run_check("", [('endtag', 'a$b')]) - - def test_slashes_in_starttag(self): - self._run_check('', [('startendtag', 'a', [('foo', 'var')])]) -@@ -576,21 +583,50 @@ - for html, expected in data: - self._run_check(html, expected) - -- def test_EOF_in_comments_or_decls(self): -+ def test_eof_in_comments(self): - data = [ -- ('', [('comment', '-!>')]), -+ ('' - '' - '' -@@ -604,6 +640,7 @@ - '' # required '[' after CDATA - ) - expected = [ -+ ('comment', 'ELEMENT br EMPTY'), - ('comment', ' not really a comment '), - ('comment', ' not a comment either --'), - ('comment', ' -- close enough --'), -@@ -684,6 +721,26 @@ - ('endtag', 'a'), ('data', ' bar & baz')] - ) - -+ @support.requires_resource('cpu') -+ def test_eof_no_quadratic_complexity(self): -+ # Each of these examples used to take about an hour. -+ # Now they take a fraction of a second. -+ def check(source): -+ parser = html.parser.HTMLParser() -+ parser.feed(source) -+ parser.close() -+ n = 120_000 -+ check(" +Date: Tue, 7 Oct 2025 20:15:26 +0300 +Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of + central directory record (GH-139702) + +Support records with "zip64 extensible data" if there are no bytes +prepended to the ZIP file. 
+(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
+
+Co-authored-by: Serhiy Storchaka
+---
+ Lib/test/test_zipfile/test_core.py | 82 ++++++++++++++++++-
+ Lib/zipfile/__init__.py | 51 +++++++-----
+ ...-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +
+ 3 files changed, 113 insertions(+), 23 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+
+diff --git a/Lib/test/test_zipfile/test_core.py b/Lib/test/test_zipfile/test_core.py
+index 41ec6a437ba917..2212d9c91dc899 100644
+--- a/Lib/test/test_zipfile/test_core.py
++++ b/Lib/test/test_zipfile/test_core.py
+@@ -884,6 +884,8 @@ def make_zip64_file(
+ self, file_size_64_set=False, file_size_extra=False,
+ compress_size_64_set=False, compress_size_extra=False,
+ header_offset_64_set=False, header_offset_extra=False,
++ extensible_data=b'',
++ end_of_central_dir_size=None, offset_to_end_of_central_dir=None,
+ ):
+ """Generate bytes sequence for a zip with (incomplete) zip64 data.
+
+@@ -937,6 +939,12 @@ def make_zip64_file(
+
+ central_dir_size = struct.pack(' 1:
+ raise BadZipFile("zipfiles that span multiple disks are not supported")
+
+- # Assume no 'zip64 extensible data'
+- fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2)
++ offset -= sizeEndCentDir64
++ if reloff > offset:
++ raise BadZipFile("Corrupt zip64 end of central directory locator")
++ # First, check the assumption that there is no prepended data.
++ fpin.seek(reloff)
++ extrasz = offset - reloff
+ data = fpin.read(sizeEndCentDir64)
+ if len(data) != sizeEndCentDir64:
+- return endrec
++ raise OSError("Unknown I/O error")
++ if not data.startswith(stringEndArchive64) and reloff != offset:
++ # Since we already have seen the Zip64 EOCD Locator, it's
++ # possible we got here because there is prepended data.
++ # Assume no 'zip64 extensible data'
++ fpin.seek(offset)
++ extrasz = 0
++ data = fpin.read(sizeEndCentDir64)
++ if len(data) != sizeEndCentDir64:
++ raise OSError("Unknown I/O error")
++ if not data.startswith(stringEndArchive64):
++ raise BadZipFile("Zip64 end of central directory record not found")
++
+ sig, sz, create_version, read_version, disk_num, disk_dir, \
+ dircount, dircount2, dirsize, diroffset = \
+ struct.unpack(structEndArchive64, data)
+- if sig != stringEndArchive64:
+- return endrec
++ if (diroffset + dirsize != reloff or
++ sz + 12 != sizeEndCentDir64 + extrasz):
++ raise BadZipFile("Corrupt zip64 end of central directory record")
+
+ # Update the original endrec using data from the ZIP64 record
+ endrec[_ECD_SIGNATURE] = sig
+@@ -289,6 +305,7 @@ def _EndRecData64(fpin, offset, endrec):
+ endrec[_ECD_ENTRIES_TOTAL] = dircount2
+ endrec[_ECD_SIZE] = dirsize
+ endrec[_ECD_OFFSET] = diroffset
++ endrec[_ECD_LOCATION] = offset - extrasz
+ return endrec
+
+
+@@ -322,7 +339,7 @@ def _EndRecData(fpin):
+ endrec.append(filesize - sizeEndCentDir)
+
+ # Try to read the "Zip64 end of central directory" structure
+- return _EndRecData64(fpin, -sizeEndCentDir, endrec)
++ return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec)
+
+ # Either this is not a ZIP file, or it is a ZIP file with an archive
+ # comment.
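Review bot: The fallback in this hunk prefers whichever candidate slot carries the zip64 EOCD signature first: it reads at the locator's archive-relative `reloff` and only moves to `offset` (the slot directly in front of the locator) when that first read lacks `stringEndArchive64`, so when `reloff != offset` and the bytes at file position `reloff` happen to start with the signature (for example inside prepended data), the record at `reloff` wins and the new `diroffset + dirsize == reloff` / `sz + 12 == sizeEndCentDir64 + extrasz` checks are evaluated against that same record, which cannot detect the substitution. If I read it correctly, a reader that takes the record directly before the locator would then see a different central directory, which is the parser-divergence class this patch targets, so the safer rule is to refuse to guess: when `reloff != offset`, read both slots and raise `BadZipFile` if both start with the signature. The function's signature and the locator parsing lie above the visible part of the hunk, and whether any legitimate archive would hit the ambiguous case I cannot tell from here, so at minimum a comment above `fpin.seek(reloff)` should state that the `reloff`-first preference is a heuristic that assumes the two slots cannot both look valid.
```python
    fpin.seek(reloff)
    extrasz = offset - reloff
    data = fpin.read(sizeEndCentDir64)
    if len(data) != sizeEndCentDir64:
        raise OSError("Unknown I/O error")
    if reloff != offset:
        # The locator offset is archive-relative, so the record is either at
        # reloff (zip64 extensible data follows it, nothing prepended) or at
        # offset (bytes were prepended to the archive).  Refuse to guess when
        # both slots carry the signature instead of silently picking one.
        fpin.seek(offset)
        alt = fpin.read(sizeEndCentDir64)
        if len(alt) != sizeEndCentDir64:
            raise OSError("Unknown I/O error")
        if alt.startswith(stringEndArchive64):
            if data.startswith(stringEndArchive64):
                raise BadZipFile(
                    "Ambiguous zip64 end of central directory record")
            data = alt
            extrasz = 0
    if not data.startswith(stringEndArchive64):
        raise BadZipFile("Zip64 end of central directory record not found")
    # … unchanged: struct.unpack and the consistency checks …
```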
Search the end of the file for the "end of central directory"
+@@ -346,8 +363,7 @@ def _EndRecData(fpin):
+ endrec.append(maxCommentStart + start)
+
+ # Try to read the "Zip64 end of central directory" structure
+- return _EndRecData64(fpin, maxCommentStart + start - filesize,
+- endrec)
++ return _EndRecData64(fpin, maxCommentStart + start, endrec)
+
+ # Unable to find a valid end of central directory structure
+ return None
+@@ -1458,9 +1474,6 @@ def _RealGetContents(self):
+
+ # "concat" is zero, unless zip was concatenated to another file
+ concat = endrec[_ECD_LOCATION] - size_cd - offset_cd
+- if endrec[_ECD_SIGNATURE] == stringEndArchive64:
+- # If Zip64 extension structures are present, account for them
+- concat -= (sizeEndCentDir64 + sizeEndCentDir64Locator)
+
+ if self.debug > 2:
+ inferred = concat + offset_cd
+@@ -2082,7 +2095,7 @@ def _write_end_record(self):
+ " would require ZIP64 extensions")
+ zip64endrec = struct.pack(
+ structEndArchive64, stringEndArchive64,
+- 44, 45, 45, 0, 0, centDirCount, centDirCount,
++ sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount,
+ centDirSize, centDirOffset)
+ self.fp.write(zip64endrec)
+
+diff --git a/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+new file mode 100644
+index 00000000000000..a8e7a1f1878c6b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
+@@ -0,0 +1,3 @@
++Check consistency of the zip64 end of central directory record. Support
++records with "zip64 extensible data" if there are no bytes prepended to the
++ZIP file.
diff --git a/F00251-change-user-install-location.patch b/F00251-change-user-install-location.patch
index 0e67e07..a1aa69d 100644
--- a/F00251-change-user-install-location.patch
+++ b/F00251-change-user-install-location.patch
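Review bot: With the zip64 adjustment dropped, `concat` in the `_RealGetContents` hunk is correct only because `_EndRecData64` now stores the record start in `_ECD_LOCATION`; for the classic EOCD path nothing in this hunk bounds `concat` below zero, so an EOCD whose `offset_cd + size_cd` exceeds its own file position still yields a negative `concat` and a `start_dir` that is not where the record claims. The remainder of `_RealGetContents` is outside the hunk, so if it does not already reject this, add `if concat < 0: raise BadZipFile("Bad offset for central directory")` directly after the assignment, which is the same consistency the zip64 branch now enforces through `diroffset + dirsize == reloff`. A one-line comment such as `# concat is the number of bytes prepended to the archive; it can never be negative for a consistent EOCD` would make that invariant explicit for the next reader.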
@@ -28,10 +28,10 @@ Co-authored-by: Lumír Balhar Lib/test/test_sysconfig.py | 17 +++++++++++-- 2 files changed, 67 insertions(+), 7 deletions(-) -Index: Python-3.13.3/Lib/sysconfig/__init__.py +Index: Python-3.13.9/Lib/sysconfig/__init__.py =================================================================== ---- Python-3.13.3.orig/Lib/sysconfig/__init__.py 2025-04-08 15:54:08.000000000 +0200 -+++ Python-3.13.3/Lib/sysconfig/__init__.py 2025-04-11 21:52:31.769387873 +0200 +--- Python-3.13.9.orig/Lib/sysconfig/__init__.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Lib/sysconfig/__init__.py 2025-11-04 17:41:28.521141323 +0100 @@ -106,6 +106,11 @@ else: _INSTALL_SCHEMES['venv'] = _INSTALL_SCHEMES['posix_venv'] @@ -128,10 +128,10 @@ Index: Python-3.13.3/Lib/sysconfig/__init__.py _CONFIG_VARS['py_version'] = _PY_VERSION _CONFIG_VARS['py_version_short'] = _PY_VERSION_SHORT _CONFIG_VARS['py_version_nodot'] = _PY_VERSION_SHORT_NO_DOT -Index: Python-3.13.3/Lib/test/test_sysconfig.py +Index: Python-3.13.9/Lib/test/test_sysconfig.py =================================================================== ---- Python-3.13.3.orig/Lib/test/test_sysconfig.py 2025-04-08 15:54:08.000000000 +0200 -+++ Python-3.13.3/Lib/test/test_sysconfig.py 2025-04-11 21:52:31.769841915 +0200 +--- Python-3.13.9.orig/Lib/test/test_sysconfig.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Lib/test/test_sysconfig.py 2025-11-04 17:41:28.521386489 +0100 @@ -130,8 +130,19 @@ for scheme in _INSTALL_SCHEMES: for name in _INSTALL_SCHEMES[scheme]: @@ -153,7 +153,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py os.path.normpath(expected), ) -@@ -386,7 +397,7 @@ +@@ -393,7 +404,7 @@ self.assertTrue(os.path.isfile(config_h), config_h) def test_get_scheme_names(self): 
@@ -162,7 +162,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py if HAS_USER_BASE: wanted.extend(['nt_user', 'osx_framework_user', 'posix_user']) self.assertEqual(get_scheme_names(), tuple(sorted(wanted))) -@@ -398,6 +409,8 @@ +@@ -405,6 +416,8 @@ cmd = "-c", "import sysconfig; print(sysconfig.get_platform())" self.assertEqual(py.call_real(*cmd), py.call_link(*cmd)) diff --git a/doc-py38-to-py36.patch b/doc-py38-to-py36.patch index 8b10ad3..5389a41 100644 --- a/doc-py38-to-py36.patch +++ b/doc-py38-to-py36.patch @@ -27,10 +27,10 @@ Doc/tools/extensions/pydoc_topics.py | 22 +++++----- 18 files changed, 159 insertions(+), 130 deletions(-) -Index: Python-3.13.5/Doc/Makefile +Index: Python-3.13.9/Doc/Makefile =================================================================== ---- Python-3.13.5.orig/Doc/Makefile 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/Makefile 2025-06-12 21:38:04.908380762 +0200 +--- Python-3.13.9.orig/Doc/Makefile 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/Makefile 2025-11-20 01:09:35.814292408 +0100 @@ -14,15 +14,15 @@ SOURCES = DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py) @@ -51,10 +51,10 @@ Index: Python-3.13.5/Doc/Makefile $(PAPEROPT_$(PAPER)) \ $(SPHINXOPTS) $(SPHINXERRORHANDLING) \ . build/$(BUILDER) $(SOURCES) -Index: Python-3.13.5/Doc/c-api/arg.rst +Index: Python-3.13.9/Doc/c-api/arg.rst =================================================================== ---- Python-3.13.5.orig/Doc/c-api/arg.rst 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/c-api/arg.rst 2025-06-12 21:38:04.908705133 +0200 +--- Python-3.13.9.orig/Doc/c-api/arg.rst 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/c-api/arg.rst 2025-11-20 01:07:59.902914275 +0100 @@ -334,7 +334,6 @@ should raise an exception and leave the content of *address* unmodified. 
@@ -63,10 +63,10 @@ Index: Python-3.13.5/Doc/c-api/arg.rst If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a second time if the argument parsing eventually fails, giving the converter a -Index: Python-3.13.5/Doc/c-api/typeobj.rst +Index: Python-3.13.9/Doc/c-api/typeobj.rst =================================================================== ---- Python-3.13.5.orig/Doc/c-api/typeobj.rst 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/c-api/typeobj.rst 2025-06-12 21:38:04.908874058 +0200 +--- Python-3.13.9.orig/Doc/c-api/typeobj.rst 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/c-api/typeobj.rst 2025-11-20 01:07:59.903382829 +0100 @@ -610,7 +610,7 @@ Functions like :c:func:`PyObject_NewVar` will take the value of N as an argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field. @@ -97,10 +97,10 @@ Index: Python-3.13.5/Doc/c-api/typeobj.rst include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on whether :c:member:`~PyVarObject.ob_size` should be included). These are usually defined by the macro :c:macro:`PyObject_HEAD` or -Index: Python-3.13.5/Doc/conf.py +Index: Python-3.13.9/Doc/conf.py =================================================================== ---- Python-3.13.5.orig/Doc/conf.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/conf.py 2025-06-12 21:38:04.909609597 +0200 +--- Python-3.13.9.orig/Doc/conf.py 2025-11-20 01:07:14.944126757 +0100 ++++ Python-3.13.9/Doc/conf.py 2025-11-20 01:07:59.903974303 +0100 @@ -11,6 +11,8 @@ from importlib import import_module from importlib.util import find_spec @@ -136,7 +136,7 @@ Index: Python-3.13.5/Doc/conf.py # Create table of contents entries for domain objects (e.g. functions, classes, # attributes, etc.). Default is True. -@@ -323,6 +325,9 @@ +@@ -257,6 +259,9 @@ # Avoid a warning with Sphinx >= 4.0 root_doc = 'contents' 
@@ -146,7 +146,7 @@ Index: Python-3.13.5/Doc/conf.py # Allow translation of index directives gettext_additional_targets = [ 'index', -@@ -362,7 +367,7 @@ +@@ -296,7 +301,7 @@ # (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html) is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external" repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "") @@ -172,22 +172,22 @@ Index: Python-3.13.5/Doc/conf.py # Options for c_annotations extension # ----------------------------------- -Index: Python-3.13.5/Doc/library/doctest.rst +Index: Python-3.13.9/Doc/library/doctest.rst =================================================================== ---- Python-3.13.5.orig/Doc/library/doctest.rst 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/library/doctest.rst 2025-06-12 21:38:04.909944989 +0200 -@@ -308,7 +308,6 @@ - searched. Objects imported into the module are not searched. +--- Python-3.13.9.orig/Doc/library/doctest.rst 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/library/doctest.rst 2025-11-20 01:07:59.904511686 +0100 +@@ -310,7 +310,6 @@ + .. currentmodule:: None .. attribute:: module.__test__ - :no-typesetting: - In addition, there are cases when you want tests to be part of a module but not part - of the help text, which requires that the tests not be included in the docstring. -Index: Python-3.13.5/Doc/library/email.compat32-message.rst + .. currentmodule:: doctest + +Index: Python-3.13.9/Doc/library/email.compat32-message.rst =================================================================== ---- Python-3.13.5.orig/Doc/library/email.compat32-message.rst 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/library/email.compat32-message.rst 2025-06-12 21:38:04.910320877 +0200 +--- Python-3.13.9.orig/Doc/library/email.compat32-message.rst 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/library/email.compat32-message.rst 2025-11-20 01:07:59.905009154 +0100 
@@ -7,7 +7,6 @@ :synopsis: The base class representing email messages in a fashion backward compatible with Python 3.2 @@ -196,11 +196,11 @@ Index: Python-3.13.5/Doc/library/email.compat32-message.rst The :class:`Message` class is very similar to the -Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst +Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst =================================================================== ---- Python-3.13.5.orig/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:38:04.910594893 +0200 -@@ -874,7 +874,6 @@ +--- Python-3.13.9.orig/Doc/library/xml.etree.elementtree.rst 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/library/xml.etree.elementtree.rst 2025-11-20 01:07:59.905273001 +0100 +@@ -873,7 +873,6 @@ .. module:: xml.etree.ElementTree :noindex: @@ -208,10 +208,10 @@ Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst .. class:: Element(tag, attrib={}, **extra) -Index: Python-3.13.5/Doc/tools/check-warnings.py +Index: Python-3.13.9/Doc/tools/check-warnings.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/check-warnings.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/check-warnings.py 2025-06-12 21:38:04.910896050 +0200 +--- Python-3.13.9.orig/Doc/tools/check-warnings.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/check-warnings.py 2025-11-20 01:07:59.905613002 +0100 @@ -228,7 +228,8 @@ print(filename) for warning in warnings: 
@@ -231,10 +231,10 @@ Index: Python-3.13.5/Doc/tools/check-warnings.py for warning in warnings if "Doc/" in warning } -Index: Python-3.13.5/Doc/tools/extensions/audit_events.py +Index: Python-3.13.9/Doc/tools/extensions/audit_events.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/audit_events.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/audit_events.py 2025-06-12 21:38:04.911151491 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/audit_events.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/audit_events.py 2025-11-20 01:08:35.819222654 +0100 @@ -1,9 +1,6 @@ """Support for documenting audit events.""" @@ -370,10 +370,10 @@ Index: Python-3.13.5/Doc/tools/extensions/audit_events.py ) -> nodes.row: row = nodes.row() name_node = nodes.paragraph("", nodes.Text(name)) -Index: Python-3.13.5/Doc/tools/extensions/availability.py +Index: Python-3.13.9/Doc/tools/extensions/availability.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/availability.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/availability.py 2025-06-12 21:38:04.911376735 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/availability.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/availability.py 2025-11-20 01:07:59.906156697 +0100 @@ -1,8 +1,6 @@ """Support for documenting platform availability""" 
@@ -427,10 +427,10 @@ Index: Python-3.13.5/Doc/tools/extensions/availability.py app.add_directive("availability", Availability) return { -Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py +Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/c_annotations.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/c_annotations.py 2025-06-12 21:38:04.911575881 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/c_annotations.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/c_annotations.py 2025-11-20 01:07:59.906354780 +0100 @@ -9,22 +9,26 @@ * Set ``stable_abi_file`` to the path to stable ABI list. """ @@ -568,10 +568,10 @@ Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py return { "version": "1.0", "parallel_read_safe": True, -Index: Python-3.13.5/Doc/tools/extensions/changes.py +Index: Python-3.13.9/Doc/tools/extensions/changes.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/changes.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/changes.py 2025-06-12 21:38:04.911758715 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/changes.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/changes.py 2025-11-20 01:07:59.906539198 +0100 @@ -1,7 +1,5 @@ """Support for documenting version of changes, additions, deprecations.""" 
@@ -607,10 +607,10 @@ Index: Python-3.13.5/Doc/tools/extensions/changes.py # Override Sphinx's directives with support for 'next' app.add_directive("versionadded", PyVersionChange, override=True) app.add_directive("versionchanged", PyVersionChange, override=True) -Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py +Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/glossary_search.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/glossary_search.py 2025-06-12 21:38:04.911907976 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/glossary_search.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/glossary_search.py 2025-11-20 01:07:59.906696224 +0100 @@ -1,21 +1,27 @@ """Feature search results for glossary items prominently.""" @@ -654,10 +654,10 @@ Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py app.connect('doctree-resolved', process_glossary_nodes) app.connect('build-finished', write_glossary_json) -Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py +Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:38:04.912061736 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/implementation_detail.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/implementation_detail.py 2025-11-20 01:07:59.906853200 +0100 @@ -1,17 +1,10 @@ """Support for marking up implementation details.""" 
@@ -708,10 +708,10 @@ Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py app.add_directive("impl-detail", ImplementationDetail) return { -Index: Python-3.13.5/Doc/tools/extensions/issue_role.py +Index: Python-3.13.9/Doc/tools/extensions/issue_role.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/issue_role.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/issue_role.py 2025-06-12 21:38:04.912236134 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/issue_role.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/issue_role.py 2025-11-20 01:07:59.907010386 +0100 @@ -1,22 +1,18 @@ """Support for referencing issues in the tracker.""" @@ -757,10 +757,10 @@ Index: Python-3.13.5/Doc/tools/extensions/issue_role.py app.add_role("issue", BPOIssue()) app.add_role("gh", GitHubIssue()) -Index: Python-3.13.5/Doc/tools/extensions/misc_news.py +Index: Python-3.13.9/Doc/tools/extensions/misc_news.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/misc_news.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/misc_news.py 2025-06-12 21:38:04.912390144 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/misc_news.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/misc_news.py 2025-11-20 01:07:59.907170899 +0100 @@ -1,7 +1,5 @@ """Support for including Misc/NEWS.""" 
@@ -813,10 +813,10 @@ Index: Python-3.13.5/Doc/tools/extensions/misc_news.py app.add_directive("miscnews", MiscNews) return { -Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py +Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/patchlevel.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/patchlevel.py 2025-06-12 21:38:04.912563631 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/patchlevel.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/patchlevel.py 2025-11-20 01:07:59.907494228 +0100 @@ -3,7 +3,7 @@ import re import sys @@ -854,10 +854,10 @@ Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py version = f"{info.major}.{info.minor}" release = f"{info.major}.{info.minor}.{info.micro}" if info.releaselevel != "final": -Index: Python-3.13.5/Doc/tools/extensions/pydoc_topics.py +Index: Python-3.13.9/Doc/tools/extensions/pydoc_topics.py =================================================================== ---- Python-3.13.5.orig/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:37:37.257659788 +0200 -+++ Python-3.13.5/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:38:04.912726688 +0200 +--- Python-3.13.9.orig/Doc/tools/extensions/pydoc_topics.py 2025-10-14 15:52:31.000000000 +0200 ++++ Python-3.13.9/Doc/tools/extensions/pydoc_topics.py 2025-11-20 01:07:59.907684617 +0100 @@ -1,21 +1,23 @@ """Support for building "topic help" for pydoc.""" diff --git a/gh126985-mv-pyvenv.cfg2getpath.patch b/gh126985-mv-pyvenv.cfg2getpath.patch index d4dace5..810464f 100644 --- a/gh126985-mv-pyvenv.cfg2getpath.patch +++ b/gh126985-mv-pyvenv.cfg2getpath.patch 
@@ -8,10 +8,10 @@ Date: Tue Nov 26 13:46:33 2024 +0000 Lib/test/test_sysconfig.py | 67 --------------------------------------------- 1 file changed, 1 insertion(+), 66 deletions(-) -Index: Python-3.13.5/Lib/test/test_sysconfig.py +Index: Python-3.13.9/Lib/test/test_sysconfig.py =================================================================== ---- Python-3.13.5.orig/Lib/test/test_sysconfig.py 2025-06-12 19:55:42.184491497 +0200 -+++ Python-3.13.5/Lib/test/test_sysconfig.py 2025-06-12 19:56:05.737665419 +0200 +--- Python-3.13.9.orig/Lib/test/test_sysconfig.py 2025-11-04 17:41:28.521386489 +0100 ++++ Python-3.13.9/Lib/test/test_sysconfig.py 2025-11-04 17:42:36.888243505 +0100 @@ -110,6 +110,7 @@ **venv_create_args, ) @@ -20,7 +20,7 @@ Index: Python-3.13.5/Lib/test/test_sysconfig.py def test_get_path_names(self): self.assertEqual(get_path_names(), sysconfig._SCHEME_KEYS) -@@ -604,72 +605,6 @@ +@@ -611,72 +612,6 @@ suffix = sysconfig.get_config_var('EXT_SUFFIX') self.assertTrue(suffix.endswith('-darwin.so'), suffix) diff --git a/python313.changes b/python313.changes index 0793f2d..ed8b40c 100644 --- a/python313.changes +++ b/python313.changes 
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl + +- Add CVE-2025-8291-consistency-zip64.patch which checks + consistency of the zip64 end of central directory record, and + preventing obfuscation of the payload, i.e., you scanning for + malicious content in a ZIP file with one ZIP parser (let's say + a Rust one) then unpack it in production with another (e.g., + the Python one) and get malicious content that the other parser + did not see (CVE-2025-8291, bsc#1251305) +- Readjust patches while synchronizing between openSUSE and SLE trees: + - F00251-change-user-install-location.patch + - doc-py38-to-py36.patch + - gh126985-mv-pyvenv.cfg2getpath.patch + ------------------------------------------------------------------- Wed Oct 15 09:15:38 UTC 2025 - Daniel Garcia diff --git a/python313.spec b/python313.spec index 81167a9..f6a745e 100644 --- a/python313.spec +++ b/python313.spec @@ -235,6 +235,9 @@ Patch43: bsc1243155-sphinx-non-determinism.patch Patch44: gh138131-exclude-pycache-from-digest.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch45: gh139257-Support-docutils-0.22.patch +# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com +# Check consistency of the zip64 end of central directory record +Patch46: CVE-2025-8291-consistency-zip64.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes