diff --git a/CVE-2025-8194-tarfile-no-neg-offsets.patch b/CVE-2025-8194-tarfile-no-neg-offsets.patch
deleted file mode 100644
index 96d08b0..0000000
--- a/CVE-2025-8194-tarfile-no-neg-offsets.patch
+++ /dev/null
@@ -1,212 +0,0 @@ -From fd29bcd380150035ef825b762d8cd085bdab6e53 Mon Sep 17 00:00:00 2001 -From: Alexander Urieles -Date: Mon, 28 Jul 2025 17:37:26 +0200 -Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member - offsets are non-negative (GH-137027) (cherry picked from commit - 7040aa54f14676938970e10c5f74ea93cd56aa38) - -Co-authored-by: Alexander Urieles -Co-authored-by: Gregory P. Smith ---- - Lib/tarfile.py | 3 - Lib/test/test_tarfile.py | 156 ++++++++++ - Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 - 3 files changed, 162 insertions(+) - create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst - -Index: Python-3.13.5/Lib/tarfile.py -=================================================================== ---- Python-3.13.5.orig/Lib/tarfile.py 2025-08-01 22:13:44.185826095 +0200 -+++ Python-3.13.5/Lib/tarfile.py 2025-08-01 22:13:45.524140183 +0200 -@@ -1636,6 +1636,9 @@ - """Round up a byte count by BLOCKSIZE and return it, - e.g. _block(834) => 1024. 
- """ -+ # Only non-negative offsets are allowed -+ if count < 0: -+ raise InvalidHeaderError("invalid offset") - blocks, remainder = divmod(count, BLOCKSIZE) - if remainder: - blocks += 1 -Index: Python-3.13.5/Lib/test/test_tarfile.py -=================================================================== ---- Python-3.13.5.orig/Lib/test/test_tarfile.py 2025-06-11 17:36:57.000000000 +0200 -+++ Python-3.13.5/Lib/test/test_tarfile.py 2025-08-01 22:13:45.524778259 +0200 -@@ -50,6 +50,7 @@ - xzname = os.path.join(TEMPDIR, "testtar.tar.xz") - tmpname = os.path.join(TEMPDIR, "tmp.tar") - dotlessname = os.path.join(TEMPDIR, "testtar") -+SPACE = b" " - - sha256_regtype = ( - "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce" -@@ -4578,6 +4579,161 @@ - ar.extractall(self.testdir, filter='fully_trusted') - - -+class OffsetValidationTests(unittest.TestCase): -+ tarname = tmpname -+ invalid_posix_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, space, null terminator: 8 bytes -+ + b"000755" + SPACE + tarfile.NUL -+ # uid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0011407" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # magic: 6 bytes, version: 2 bytes -+ + tarfile.POSIX_MAGIC -+ # uname: 32 bytes -+ + tarfile.NUL * 32 -+ # gname: 32 bytes -+ + tarfile.NUL * 32 -+ # devmajor, space, null terminator: 8 bytes -+ + tarfile.NUL * 6 + SPACE + tarfile.NUL -+ # devminor, space, null terminator: 8 bytes -+ + tarfile.NUL * 6 + SPACE + tarfile.NUL -+ # prefix: 155 bytes -+ + tarfile.NUL * tarfile.LENGTH_PREFIX -+ # padding: 12 bytes -+ + tarfile.NUL * 12 -+ ) -+ invalid_gnu_header = ( -+ # name: 100 bytes -+ tarfile.NUL * 
tarfile.LENGTH_NAME -+ # mode, null terminator: 8 bytes -+ + b"0000755" + tarfile.NUL -+ # uid, null terminator: 8 bytes -+ + b"0000001" + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"0000001" + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0011327" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # magic: 8 bytes -+ + tarfile.GNU_MAGIC -+ # uname: 32 bytes -+ + tarfile.NUL * 32 -+ # gname: 32 bytes -+ + tarfile.NUL * 32 -+ # devmajor, null terminator: 8 bytes -+ + tarfile.NUL * 8 -+ # devminor, null terminator: 8 bytes -+ + tarfile.NUL * 8 -+ # padding: 167 bytes -+ + tarfile.NUL * 167 -+ ) -+ invalid_v7_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, space, null terminator: 8 bytes -+ + b"000755" + SPACE + tarfile.NUL -+ # uid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0010070" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # padding: 255 bytes -+ + tarfile.NUL * 255 -+ ) -+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT) -+ data_block = b"\xff" * tarfile.BLOCKSIZE -+ -+ def _write_buffer(self, buffer): -+ with open(self.tarname, "wb") as f: -+ f.write(buffer) -+ -+ def _get_members(self, ignore_zeros=None): -+ with open(self.tarname, "rb") as f: -+ with tarfile.open( -+ mode="r", fileobj=f, ignore_zeros=ignore_zeros -+ ) as tar: -+ return tar.getmembers() -+ -+ def _assert_raises_read_error_exception(self): -+ with self.assertRaisesRegex( -+ tarfile.ReadError, "file could not be opened successfully" -+ ): 
-+ self._get_members() -+ -+ def test_invalid_offset_header_validations(self): -+ for tar_format, invalid_header in ( -+ ("posix", self.invalid_posix_header), -+ ("gnu", self.invalid_gnu_header), -+ ("v7", self.invalid_v7_header), -+ ): -+ with self.subTest(format=tar_format): -+ self._write_buffer(invalid_header) -+ self._assert_raises_read_error_exception() -+ -+ def test_early_stop_at_invalid_offset_header(self): -+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header -+ self._write_buffer(buffer) -+ members = self._get_members() -+ self.assertEqual(len(members), 1) -+ self.assertEqual(members[0].name, "filename") -+ self.assertEqual(members[0].offset, 0) -+ -+ def test_ignore_invalid_archive(self): -+ # 3 invalid headers with their respective data -+ buffer = (self.invalid_gnu_header + self.data_block) * 3 -+ self._write_buffer(buffer) -+ members = self._get_members(ignore_zeros=True) -+ self.assertEqual(len(members), 0) -+ -+ def test_ignore_invalid_offset_headers(self): -+ for first_block, second_block, expected_offset in ( -+ ( -+ (self.valid_gnu_header), -+ (self.invalid_gnu_header + self.data_block), -+ 0, -+ ), -+ ( -+ (self.invalid_gnu_header + self.data_block), -+ (self.valid_gnu_header), -+ 1024, -+ ), -+ ): -+ self._write_buffer(first_block + second_block) -+ members = self._get_members(ignore_zeros=True) -+ self.assertEqual(len(members), 1) -+ self.assertEqual(members[0].name, "filename") -+ self.assertEqual(members[0].offset, expected_offset) -+ -+ - def setUpModule(): - os_helper.unlink(TEMPDIR) - os.makedirs(TEMPDIR) -Index: Python-3.13.5/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.13.5/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-01 22:13:45.525174751 +0200 -@@ -0,0 +1,3 @@ -+:mod:`tarfile` now validates archives to ensure 
member offsets are
-+non-negative. (Contributed by Alexander Enrique Urieles Nieto in
-+:gh:`130577`.)
diff --git a/Python-3.13.5.tar.xz b/Python-3.13.5.tar.xz
deleted file mode 100644
index 16b1f7d..0000000
--- a/Python-3.13.5.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:93e583f243454e6e9e4588ca2c2662206ad961659863277afcdb96801647d640
-size 22856016
diff --git a/Python-3.13.5.tar.xz.sigstore b/Python-3.13.5.tar.xz.sigstore
deleted file mode 100644
index 225651c..0000000
--- a/Python-3.13.5.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "235130253", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1749663983", "inclusionPromise": {"signedEntryTimestamp": "MEUCIEXmlLAwKmFPqJl0qZIn6l9LeN1eFpo/O29cweVvcLM6AiEAkPbiV9MFAugYnKigfY2M6d4/IlgLMlamVTNMjYG1Ujc="}, "inclusionProof": {"logIndex": "113225991", "rootHash": "+L93VCZOPa9BkLmARBWDo1xEWF+fT68+yQcazjpxAAU=", "treeSize": "113225992", "hashes": ["Rdu+myw6n6JxBUvJ8Q+8oqhqACFhkt/3w7I+DEesttk=", "RxFdYWKOAXBMCLz1xkC2n0/oY0PPGjB9g/1mK9X9Lpk=", "nRMGDo+FIXFJXJGmLI3xYofkA1BacK+jsaHI6Dah6SQ=", "P4PZCTzvD59p99NgLr2g5UaCSGBHniridbmhL+bTkOA=", "Ho1rvGrV8vApgV6ObQmLHUFtPdLht0dxaKIMr2L227A=", "bUrfsqt1y90MYAQSa4N7IMFLQ58Gr3kyGuZsXADQmyk=", "zQYNyoYKqtevNhM4z5didetaiTZZe4Ydpenxywyp2HM=", "yB2hiozejE1yTbQwbDQpScNo2G9QaqtVTvrtSzcAWLk=", "ni+UOcPDIr1WWONf2Z1uda+A31LRXKpMYBvhb3MyUvI=", "jak2gEavHKki8uP+13+VibRhrrjlEQ57Cu6sFEmzL98=", "x/DbUcJZd7Krichz/nbTRqNRynFXkcgDj6/SVp3Xpa8=", "KL733V6m2mKaszPoebRYld3g+XcUSNldm6GnXG4M7kM=", "f42cOIPnrB9x+HYKZ+7UAkXKjk7k9ttvx1Mm5/glCwo=", "G4CdPz/xjoqWI4G874tZWPeP98DJpseyihrtz0ivBtU=", "mta5fH/gFwxJ/0fT8yGpn3sFCY0G1RY555Iflm0LInM=", "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n113225992\n+L93VCZOPa9BkLmARBWDo1xEWF+fT68+yQcazjpxAAU=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiBKR6/aQGwMRmyBmdgiaLd8393XQqJh41H6LIYA8Y6SYgIgDMucmAXZHwIDjA6YXg9k2vhoOuscGewoHiSomHsf+kg=\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "k+WD8kNFTm6eRYjKLCZiIGrZYWWYYyd6/NuWgBZH1kA="}, "signature": 
"MEUCIEegSLg1Ps6cD2JMm2s+Z8w0sliLk64H+Gxt6TZQoSHiAiEA5oafM2a6RjA+3PZUvccQcaCD3EQlCXRvb7wlwIOICR0="}} diff --git a/Python-3.13.6.tar.xz b/Python-3.13.6.tar.xz new file mode 100644 index 0000000..45693a9 --- /dev/null +++ b/Python-3.13.6.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:17ba5508819d8736a14fbfc47d36e184946a877851b2e9c4b6c43acb44a3b104 +size 22761268 diff --git a/Python-3.13.6.tar.xz.sigstore b/Python-3.13.6.tar.xz.sigstore new file mode 100644 index 0000000..849237d --- /dev/null +++ b/Python-3.13.6.tar.xz.sigstore 
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "357334837", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1754493543", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFB4cDBZVdygUBVVVwa50eFqQfnXia5VLvYT5La7DiPcAiBfeHQv6VwoCV8eWWkubfw7XiFTyZbFUztjsaEajCqStg=="}, "inclusionProof": {"logIndex": "235430575", "rootHash": "Glr+4g4bat4RwhMw/RhFX50HnBM1W7QEKz9sIHUzoo8=", "treeSize": "235430587", "hashes": ["EZsghZu+T1pEYnc5dQ4ku383SGmdF4Vi5z8QLvrUBiE=", "QdL10lLuyibm9U7VPxXiKCS5j3etGVR/zsL9Wb4YEic=", "hOdtwXckZXPPVGDipnQurns8YlGf7FvsPA0Bg0HjfoM=", "oMbtJ33vNBXJ3GRmCIyxtZ0DXj+U2hFPTn7LlduEhfo=", "FpgVGNakFzY7wY7H6BmgDJWiAJdJmnVEV+LVKLNGMA8=", "eYnyLnUnBAXk9NYcyFkkVWeeyY+IzzRJuFX5oNu7hjs=", "5/w4GgbnOf1ey9f5PsAJ/L+fUruO/pL4AkhrYlf1z6g=", "KOdSczh0sMksRbJ5MtuAQTd+ol7RSEMHTbScms6+yiY=", "pGvHucRuMO5oMlmhAUPoYfC7aUD0lGZQYzdyBWRotpM=", "Rdwnt8l+kitCx3q9MjvY521Vs1UGB65Yr5SL3DBIBZw=", "VlTxRYMi0uf0Jsl/dln/6MRW+6h4IwIRRM1h1l8YMnY=", "4UEb5oiYfLnEfmBDb+rZMlzYP20NXNd6288+yuM/qus=", "Q8AUdGrLOK/+q7Zpb5T3hpo2AMEg3qW2VHw5OtFthRI=", "wLANT0NMxIRh/p5rRcam4MppSIbUXIfT1Ht9FQA2XnI="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n235430587\nGlr+4g4bat4RwhMw/RhFX50HnBM1W7QEKz9sIHUzoo8=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiBXv2s18aClhm2gewXKAZaMl3AGewwjjak9sXp+A5beSAIgU3pnjQgePf6ndF2Oru+Ma7JS81eAJlWxP/uB2RjP61o=\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "F7pVCIGdhzahT7/EfTbhhJRqh3hRsunEtsQ6y0SjsQQ="}, "signature": "MEYCIQDjaon8dcl3FcjV8rhmIgtC+5F/uZCVO/R2TfsnrugTxQIhAPoiMGYs9+FoNtXMoPAZJ7cm7sa/frhvrtAOIYG2IdU/"}} 
diff --git a/python313.changes b/python313.changes
index a7bcaf0..d106598 100644
--- a/python313.changes
+++ b/python313.changes
@@ -1,3 +1,209 @@ +------------------------------------------------------------------- +Thu Aug 7 10:08:11 UTC 2025 - Matej Cepl + +- Update to 3.13.6: + - Security + - gh-135661: Fix parsing start and end tags in + html.parser.HTMLParser according to the HTML5 standard. + - Whitespaces no longer accepted between does not end the script section. + - Vertical tabulation (\v) and non-ASCII whitespaces no + longer recognized as whitespaces. The only whitespaces + are \t\n\r\f and space. + - Null character (U+0000) no longer ends the tag name. + - Attributes and slashes after the tag name in end tags + are now ignored, instead of terminating after the first + > in quoted attribute value. E.g. . + - Multiple slashes and whitespaces between the last + attribute and closing > are now ignored in both start + and end tags. E.g. . + - Multiple = between attribute name and value are no + longer collapsed. E.g. produces attribute + “foo” with value “=bar”. + - gh-102555: Fix comment parsing in html.parser.HTMLParser + according to the HTML5 standard. --!> now ends the comment. + -- > no longer ends the comment. Support abnormally ended + empty comments <--> and <--->. + - gh-135462: Fix quadratic complexity in processing specially + crafted input in html.parser.HTMLParser. End-of-file errors + are now handled according to the HTML5 specs – comments and + declarations are automatically closed, tags are ignored. + - gh-118350: Fix support of escapable raw text mode (elements + “textarea” and “title”) in html.parser.HTMLParser. + - Core and Builtins + - gh-58124: Fix name of the Python encoding in Unicode errors + of the code page codec: use “cp65000” and “cp65001” instead + of “CP_UTF7” and “CP_UTF8” which are not valid Python code + names. Patch by Victor Stinner. + - gh-137314: Fixed a regression where raw f-strings + incorrectly interpreted escape sequences in format + specifications. 
Raw f-strings now properly preserve literal + backslashes in format specs, matching the behavior from + Python 3.11. For example, rf"{obj:\xFF}" now correctly + produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo. + - gh-136541: Fix some issues with the perf trampolines + on x86-64 and aarch64. The trampolines were not being + generated correctly for some cases, which could lead to + the perf integration not working correctly. Patch by Pablo + Galindo. + - gh-109700: Fix memory error handling in + PyDict_SetDefault(). + - gh-78465: Fix error message for cls.__new__(cls, ...) where + cls is not instantiable builtin or extension type (with + tp_new set to NULL). + - gh-135871: Non-blocking mutex lock attempts now return + immediately when the lock is busy instead of briefly + spinning in the free threading build. + - gh-135607: Fix potential weakref races in an object’s + destructor on the free threaded build. + - gh-135496: Fix typo in the f-string conversion type error + (“exclamanation” -> “exclamation”). + - gh-130077: Properly raise custom syntax errors when + incorrect syntax containing names that are prefixes of soft + keywords is encountered. Patch by Pablo Galindo. + - gh-135148: Fixed a bug where f-string debug expressions + (using =) would incorrectly strip out parts of strings + containing escaped quotes and # characters. Patch by Pablo + Galindo. + - gh-133136: Limit excess memory usage in the free threading + build when a large dictionary or list is resized and + accessed by multiple threads. + - gh-132617: Fix dict.update() modification check that could + incorrectly raise a “dict mutated during update” error when + a different dictionary was modified that happens to share + the same underlying keys object. + - gh-91153: Fix a crash when a bytearray is concurrently + mutated during item assignment. + - gh-127971: Fix off-by-one read beyond the end of a string + in string search. 
+ - gh-125723: Fix crash with gi_frame.f_locals when generator + frames outlive their generator. Patch by Mikhail Efimov. + - Library + - gh-132710: If possible, ensure that uuid.getnode() + returns the same result even across different processes. + Previously, the result was constant only within the same + process. Patch by Bénédikt Tran. + - gh-137273: Fix debug assertion failure in + locale.setlocale() on Windows. + - gh-137257: Bump the version of pip bundled in ensurepip to + version 25.2 + - gh-81325: tarfile.TarFile now accepts a path-like when + working on a tar archive. (Contributed by Alexander Enrique + Urieles Nieto in gh-81325.) + - gh-130522: Fix unraisable TypeError raised during + interpreter shutdown in the threading module. + - gh-130577: tarfile now validates archives to ensure member + offsets are non-negative. (Contributed by Alexander Enrique + Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249). + - gh-136549: Fix signature of threading.excepthook(). + - gh-136523: Fix wave.Wave_write emitting an unraisable when + open raises. + - gh-52876: Add missing keepends (default True) + parameter to codecs.StreamReaderWriter.readline() and + codecs.StreamReaderWriter.readlines(). + - gh-85702: If zoneinfo._common.load_tzdata is given a + package without a resource a zoneinfo.ZoneInfoNotFoundError + is raised rather than a PermissionError. Patch by Victor + Stinner. + - gh-134759: Fix UnboundLocalError in + email.message.Message.get_payload() when the payload to + decode is a bytes object. Patch by Kliment Lamonov. + - gh-136028: Fix parsing month names containing “İ” (U+0130, + LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). + This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. + - gh-135995: In the palmos encoding, make byte 0x9b decode to + › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). 
+ - gh-53203: Fix time.strptime() for %c and %x formats on + locales byn_ER, wal_ET and lzh_TW, and for %X format on + locales ar_SA, bg_BG and lzh_TW. + - gh-91555: An earlier change, which was introduced in + 3.13.4, has been reverted. It disabled logging for a logger + during handling of log messages for that logger. Since the + reversion, the behaviour should be as it was before 3.13.4. + - gh-135878: Fixes a crash of types.SimpleNamespace on free + threading builds, when several threads were calling its + __repr__() method at the same time. + - gh-135836: Fix IndexError in + asyncio.loop.create_connection() that could occur when + non-OSError exception is raised during connection and + socket’s close() raises OSError. + - gh-135836: Fix IndexError in + asyncio.loop.create_connection() that could occur when the + Happy Eyeballs algorithm resulted in an empty exceptions + list during connection attempts. + - gh-135855: Raise TypeError instead of SystemError when + _interpreters.set___main___attrs() is passed a non-dict + object. Patch by Brian Schubert. + - gh-135815: netrc: skip security checks if os.getuid() is + missing. Patch by Bénédikt Tran. + - gh-135640: Address bug where it was possible to call + xml.etree.ElementTree.ElementTree.write() on an ElementTree + object with an invalid root element. This behavior blanked + the file passed to write if it already existed. + - gh-135444: Fix asyncio.DatagramTransport.sendto() to + account for datagram header size when data cannot be sent. + - gh-135497: Fix os.getlogin() failing for longer usernames + on BSD-based platforms. + - gh-135487: Fix reprlib.Repr.repr_int() when given integers + with more than sys.get_int_max_str_digits() digits. Patch + by Bénédikt Tran. + - gh-135335: multiprocessing: Flush stdout and stderr after + preloading modules in the forkserver. 
+ - gh-135244: uuid: when the MAC address cannot be + determined, the 48-bit node ID is now generated with a + cryptographically-secure pseudo-random number generator + (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1(). + - gh-135069: Fix the “Invalid error handling” exception in + encodings.idna.IncrementalDecoder to correctly replace the + ‘errors’ parameter. + - gh-134698: Fix a crash when calling methods of + ssl.SSLContext or ssl.SSLSocket across multiple threads. + - gh-132124: On POSIX-compliant systems, + multiprocessing.util.get_temp_dir() now ignores TMPDIR + (and similar environment variables) if the path length of + AF_UNIX socket files exceeds the platform-specific maximum + length when using the forkserver start method. Patch by + Bénédikt Tran. + - gh-133439: Fix dot commands with trailing spaces are + mistaken for multi-line SQL statements in the sqlite3 + command-line interface. + - gh-132969: Prevent the ProcessPoolExecutor executor thread, + which remains running when shutdown(wait=False), from + attempting to adjust the pool’s worker processes after + the object state has already been reset during shutdown. + A combination of conditions, including a worker process + having terminated abormally, resulted in an exception and + a potential hang when the still-running executor thread + attempted to replace dead workers within the pool. + - gh-130664: Support the '_' digit separator in formatting + of the integral part of Decimal’s. Patch by Sergey B + Kirpichev. + - gh-85702: If zoneinfo._common.load_tzdata is given a + package without a resource a ZoneInfoNotFoundError is + raised rather than a IsADirectoryError. + - gh-130664: Handle corner-case for Fraction’s formatting: + treat zero-padding (preceding the width field by a zero + ('0') character) as an equivalent to a fill character of + '0' with an alignment type of '=', just as in case of + float’s. 
+ - Tools/Demos
+ - gh-135968: Stubs for strip are now provided as part of an
+ iOS install.
+ - Tests
+ - gh-135966: The iOS testbed now handles the app_packages
+ folder as a site directory.
+ - gh-135494: Fix regrtest to support excluding tests from
+ --pgo tests. Patch by Victor Stinner.
+ - gh-135489: Show verbose output for failing tests during PGO
+ profiling step with –enable-optimizations.
+ - Documentation
+ - gh-135171: Document that the iterator for the leftmost for
+ clause in the generator expression is created immediately.
+ - Build
+ - gh-135497: Fix the detection of MAXLOGNAME in the
+ configure.ac script.
+- Remove CVE-2025-8194-tarfile-no-neg-offsets.patch
+
 -------------------------------------------------------------------
 Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl
diff --git a/python313.spec b/python313.spec
index dce9b8e..8d27fc7 100644
--- a/python313.spec
+++ b/python313.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python313
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -167,7 +167,7 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.13.5
+Version: 3.13.6
 %define tarversion %{version}
 %define tarname Python-%{tarversion}
 Release: 0
@@ -234,9 +234,6 @@ Patch43: bsc1243155-sphinx-non-determinism.patch
 # PATCH-FIX-UPSTREAM CVE-2025-6069-quad-complex-HTMLParser.patch bsc#1244705 mcepl@suse.com
 # avoid quadratic complexity when processing malformed inputs with HTMLParser
 Patch44: CVE-2025-6069-quad-complex-HTMLParser.patch
-# PATCH-FIX-UPSTREAM CVE-2025-8194-tarfile-no-neg-offsets.patch bsc#1247249 mcepl@suse.com
-# tarfile now validates archives to ensure member offsets are non-negative
-Patch45: CVE-2025-8194-tarfile-no-neg-offsets.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes