python-interpreters/python313
SHA256
6
0
Fork 0
forked from pool/python313
Code Pull Requests Activity

declarations are automatically closed, tags are ignored

Browse Source 
(CVE-2025-6069, bsc#1244705).
- Remove upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch
  - CVE-2025-6069-quad-complex-HTMLParser.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=116
This commit is contained in:
Matej Cepl
2025-08-07 10:56:04 +00:00
committed by Git OBS Bridge
parent 4a974dadae
commit 588cd5ec7f
5 changed files with 71 additions and 318 deletions
Download Patch File Download Diff File Expand all files Collapse all files

247
CVE-2025-6069-quad-complex-HTMLParser.patch
View File

@@ -1,247 +0,0 @@
From 9043edabc7e2f0dd655146e0a4571e2a0b2906af Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Fri, 13 Jun 2025 19:57:48 +0300
Subject: [PATCH] gh-135462: Fix quadratic complexity in processing special
input in HTMLParser (GH-135464)
End-of-file errors are now handled according to the HTML5 specs --
comments and declarations are automatically closed, tags are ignored.
(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Lib/html/parser.py | 41 +++-
Lib/test/test_htmlparser.py | 97 +++++++---
Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst | 4
3 files changed, 111 insertions(+), 31 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
Index: Python-3.13.5/Lib/html/parser.py
===================================================================
--- Python-3.13.5.orig/Lib/html/parser.py 2025-06-11 17:36:57.000000000 +0200
+++ Python-3.13.5/Lib/html/parser.py 2025-07-02 16:49:52.020175099 +0200
@@ -27,6 +27,7 @@
attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?')
starttagopen = re.compile('<[a-zA-Z]')
+endtagopen = re.compile('</[a-zA-Z]')
piclose = re.compile('>')
commentclose = re.compile(r'--\s*>')
# Note:
@@ -195,7 +196,7 @@
k = self.parse_pi(i)
elif startswith("<!", i):
k = self.parse_html_declaration(i)
- elif (i + 1) < n:
+ elif (i + 1) < n or end:
self.handle_data("<")
k = i + 1
else:
@@ -203,17 +204,35 @@
if k < 0:
if not end:
break
- k = rawdata.find('>', i + 1)
- if k < 0:
- k = rawdata.find('<', i + 1)
- if k < 0:
- k = i + 1
+ if starttagopen.match(rawdata, i): # < + letter
+ pass
+ elif startswith("</", i):
+ if i + 2 == n:
+ self.handle_data("</")
+ elif endtagopen.match(rawdata, i): # </ + letter
+ pass
+ else:
+ # bogus comment
+ self.handle_comment(rawdata[i+2:])
+ elif startswith("<!--", i):
+ j = n
+ for suffix in ("--!", "--", "-"):
+ if rawdata.endswith(suffix, i+4):
+ j -= len(suffix)
+ break
+ self.handle_comment(rawdata[i+4:j])
+ elif startswith("<![CDATA[", i):
+ self.unknown_decl(rawdata[i+3:])
+ elif rawdata[i:i+9].lower() == '<!doctype':
+ self.handle_decl(rawdata[i+2:])
+ elif startswith("<!", i):
+ # bogus comment
+ self.handle_comment(rawdata[i+2:])
+ elif startswith("<?", i):
+ self.handle_pi(rawdata[i+2:])
else:
- k += 1
- if self.convert_charrefs and not self.cdata_elem:
- self.handle_data(unescape(rawdata[i:k]))
- else:
- self.handle_data(rawdata[i:k])
+ raise AssertionError("we should not get here!")
+ k = n
i = self.updatepos(i, k)
elif startswith("&#", i):
match = charref.match(rawdata, i)
Index: Python-3.13.5/Lib/test/test_htmlparser.py
===================================================================
--- Python-3.13.5.orig/Lib/test/test_htmlparser.py 2025-06-11 17:36:57.000000000 +0200
+++ Python-3.13.5/Lib/test/test_htmlparser.py 2025-07-02 16:49:52.020821697 +0200
@@ -5,6 +5,7 @@
import unittest
from unittest.mock import patch
+from test import support
class EventCollector(html.parser.HTMLParser):
@@ -430,28 +431,34 @@
('data', '<'),
('starttag', 'bc<', [('a', None)]),
('endtag', 'html'),
- ('data', '\n<img src="URL>'),
- ('comment', '/img'),
- ('endtag', 'html<')])
+ ('data', '\n')])
def test_starttag_junk_chars(self):
+ self._run_check("<", [('data', '<')])
+ self._run_check("<>", [('data', '<>')])
+ self._run_check("< >", [('data', '< >')])
+ self._run_check("< ", [('data', '< ')])
self._run_check("</>", [])
+ self._run_check("<$>", [('data', '<$>')])
self._run_check("</$>", [('comment', '$')])
self._run_check("</", [('data', '</')])
- self._run_check("</a", [('data', '</a')])
+ self._run_check("</a", [])
+ self._run_check("</ a>", [('endtag', 'a')])
+ self._run_check("</ a", [('comment', ' a')])
self._run_check("<a<a>", [('starttag', 'a<a', [])])
self._run_check("</a<a>", [('endtag', 'a<a')])
- self._run_check("<!", [('data', '<!')])
- self._run_check("<a", [('data', '<a')])
- self._run_check("<a foo='bar'", [('data', "<a foo='bar'")])
- self._run_check("<a foo='bar", [('data', "<a foo='bar")])
- self._run_check("<a foo='>'", [('data', "<a foo='>'")])
- self._run_check("<a foo='>", [('data', "<a foo='>")])
+ self._run_check("<!", [('comment', '')])
+ self._run_check("<a", [])
+ self._run_check("<a foo='bar'", [])
+ self._run_check("<a foo='bar", [])
+ self._run_check("<a foo='>'", [])
+ self._run_check("<a foo='>", [])
self._run_check("<a$>", [('starttag', 'a$', [])])
self._run_check("<a$b>", [('starttag', 'a$b', [])])
self._run_check("<a$b/>", [('startendtag', 'a$b', [])])
self._run_check("<a$b >", [('starttag', 'a$b', [])])
self._run_check("<a$b />", [('startendtag', 'a$b', [])])
+ self._run_check("</a$b>", [('endtag', 'a$b')])
def test_slashes_in_starttag(self):
self._run_check('<a foo="var"/>', [('startendtag', 'a', [('foo', 'var')])])
@@ -576,21 +583,50 @@
for html, expected in data:
self._run_check(html, expected)
- def test_EOF_in_comments_or_decls(self):
+ def test_eof_in_comments(self):
data = [
- ('<!', [('data', '<!')]),
- ('<!-', [('data', '<!-')]),
- ('<!--', [('data', '<!--')]),
- ('<![', [('data', '<![')]),
- ('<![CDATA[', [('data', '<![CDATA[')]),
- ('<![CDATA[x', [('data', '<![CDATA[x')]),
- ('<!DOCTYPE', [('data', '<!DOCTYPE')]),
- ('<!DOCTYPE HTML', [('data', '<!DOCTYPE HTML')]),
+ ('<!--', [('comment', '')]),
+ ('<!---', [('comment', '')]),
+ ('<!----', [('comment', '')]),
+ ('<!-----', [('comment', '-')]),
+ ('<!------', [('comment', '--')]),
+ ('<!----!', [('comment', '')]),
+ ('<!---!', [('comment', '-!')]),
+ ('<!---!>', [('comment', '-!>')]),
+ ('<!--foo', [('comment', 'foo')]),
+ ('<!--foo-', [('comment', 'foo')]),
+ ('<!--foo--', [('comment', 'foo')]),
+ ('<!--foo--!', [('comment', 'foo')]),
+ ('<!--<!--', [('comment', '<!')]),
+ ('<!--<!--!', [('comment', '<!')]),
]
for html, expected in data:
self._run_check(html, expected)
+
+ def test_eof_in_declarations(self):
+ data = [
+ ('<!', [('comment', '')]),
+ ('<!-', [('comment', '-')]),
+ ('<![', [('comment', '[')]),
+ ('<![CDATA[', [('unknown decl', 'CDATA[')]),
+ ('<![CDATA[x', [('unknown decl', 'CDATA[x')]),
+ ('<![CDATA[x]', [('unknown decl', 'CDATA[x]')]),
+ ('<![CDATA[x]]', [('unknown decl', 'CDATA[x]]')]),
+ ('<!DOCTYPE', [('decl', 'DOCTYPE')]),
+ ('<!DOCTYPE ', [('decl', 'DOCTYPE ')]),
+ ('<!DOCTYPE html', [('decl', 'DOCTYPE html')]),
+ ('<!DOCTYPE html ', [('decl', 'DOCTYPE html ')]),
+ ('<!DOCTYPE html PUBLIC', [('decl', 'DOCTYPE html PUBLIC')]),
+ ('<!DOCTYPE html PUBLIC "foo', [('decl', 'DOCTYPE html PUBLIC "foo')]),
+ ('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "foo',
+ [('decl', 'DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "foo')]),
+ ]
+ for html, expected in data:
+ self._run_check(html, expected)
+
def test_bogus_comments(self):
- html = ('<! not really a comment >'
+ html = ('<!ELEMENT br EMPTY>'
+ '<! not really a comment >'
'<! not a comment either -->'
'<! -- close enough -->'
'<!><!<-- this was an empty comment>'
@@ -604,6 +640,7 @@
'<![CDATA]]>' # required '[' after CDATA
)
expected = [
+ ('comment', 'ELEMENT br EMPTY'),
('comment', ' not really a comment '),
('comment', ' not a comment either --'),
('comment', ' -- close enough --'),
@@ -684,6 +721,26 @@
('endtag', 'a'), ('data', ' bar & baz')]
)
+ @support.requires_resource('cpu')
+ def test_eof_no_quadratic_complexity(self):
+ # Each of these examples used to take about an hour.
+ # Now they take a fraction of a second.
+ def check(source):
+ parser = html.parser.HTMLParser()
+ parser.feed(source)
+ parser.close()
+ n = 120_000
+ check("<a " * n)
+ check("<a a=" * n)
+ check("</a " * 14 * n)
+ check("</a a=" * 11 * n)
+ check("<!--" * 4 * n)
+ check("<!" * 60 * n)
+ check("<?" * 19 * n)
+ check("</$" * 15 * n)
+ check("<![CDATA[" * 9 * n)
+ check("<!doctype" * 35 * n)
+
class AttributesTestCase(TestCaseBase):
Index: Python-3.13.5/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.13.5/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst 2025-07-02 16:49:52.021124951 +0200
@@ -0,0 +1,4 @@
+Fix quadratic complexity in processing specially crafted input in
+:class:`html.parser.HTMLParser`. End-of-file errors are now handled according
+to the HTML5 specs -- comments and declarations are automatically closed,
+tags are ignored.

6
bsc1243155-sphinx-non-determinism.patch
View File

@@ -14,10 +14,10 @@ https://github.com/python/cpython/issues/130979
Doc/tools/extensions/audit_events.py | 11 ++++++++--- Doc/tools/extensions/audit_events.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-) 1 file changed, 8 insertions(+), 3 deletions(-)
Index: Python-3.13.5/Doc/tools/extensions/audit_events.py Index: Python-3.13.6/Doc/tools/extensions/audit_events.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/audit_events.py 2025-07-02 15:51:58.388560540 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/audit_events.py 2025-08-07 12:16:58.257103336 +0200
+++ Python-3.13.5/Doc/tools/extensions/audit_events.py 2025-07-02 15:51:58.411254070 +0200 +++ Python-3.13.6/Doc/tools/extensions/audit_events.py 2025-08-07 12:17:02.709401389 +0200
@@ -72,8 +72,13 @@ @@ -72,8 +72,13 @@
logger.warning(msg) logger.warning(msg)
return return

126
doc-py38-to-py36.patch
View File

@@ -27,10 +27,10 @@
Doc/tools/extensions/pydoc_topics.py | 22 +++++----- Doc/tools/extensions/pydoc_topics.py | 22 +++++-----
18 files changed, 159 insertions(+), 130 deletions(-) 18 files changed, 159 insertions(+), 130 deletions(-)
Index: Python-3.13.5/Doc/Makefile Index: Python-3.13.6/Doc/Makefile
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/Makefile 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/Makefile 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/Makefile 2025-06-12 21:38:04.908380762 +0200 +++ Python-3.13.6/Doc/Makefile 2025-08-07 12:16:58.253706854 +0200
@@ -14,15 +14,15 @@ @@ -14,15 +14,15 @@
SOURCES = SOURCES =
DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py) DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py)
@@ -51,10 +51,10 @@ Index: Python-3.13.5/Doc/Makefile
$(PAPEROPT_$(PAPER)) \ $(PAPEROPT_$(PAPER)) \
$(SPHINXOPTS) $(SPHINXERRORHANDLING) \ $(SPHINXOPTS) $(SPHINXERRORHANDLING) \
. build/$(BUILDER) $(SOURCES) . build/$(BUILDER) $(SOURCES)
Index: Python-3.13.5/Doc/c-api/arg.rst Index: Python-3.13.6/Doc/c-api/arg.rst
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/c-api/arg.rst 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/c-api/arg.rst 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/c-api/arg.rst 2025-06-12 21:38:04.908705133 +0200 +++ Python-3.13.6/Doc/c-api/arg.rst 2025-08-07 12:16:58.254160756 +0200
@@ -334,7 +334,6 @@ @@ -334,7 +334,6 @@
should raise an exception and leave the content of *address* unmodified. should raise an exception and leave the content of *address* unmodified.
@@ -63,10 +63,10 @@ Index: Python-3.13.5/Doc/c-api/arg.rst
If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a
second time if the argument parsing eventually fails, giving the converter a second time if the argument parsing eventually fails, giving the converter a
Index: Python-3.13.5/Doc/c-api/typeobj.rst Index: Python-3.13.6/Doc/c-api/typeobj.rst
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/c-api/typeobj.rst 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/c-api/typeobj.rst 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/c-api/typeobj.rst 2025-06-12 21:38:04.908874058 +0200 +++ Python-3.13.6/Doc/c-api/typeobj.rst 2025-08-07 12:16:58.254692184 +0200
@@ -610,7 +610,7 @@ @@ -610,7 +610,7 @@
Functions like :c:func:`PyObject_NewVar` will take the value of N as an Functions like :c:func:`PyObject_NewVar` will take the value of N as an
argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field. argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field.
@@ -97,10 +97,10 @@ Index: Python-3.13.5/Doc/c-api/typeobj.rst
include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on
whether :c:member:`~PyVarObject.ob_size` should be included). These are whether :c:member:`~PyVarObject.ob_size` should be included). These are
usually defined by the macro :c:macro:`PyObject_HEAD` or usually defined by the macro :c:macro:`PyObject_HEAD` or
Index: Python-3.13.5/Doc/conf.py Index: Python-3.13.6/Doc/conf.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/conf.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/conf.py 2025-08-07 12:16:45.115568663 +0200
+++ Python-3.13.5/Doc/conf.py 2025-06-12 21:38:04.909609597 +0200 +++ Python-3.13.6/Doc/conf.py 2025-08-07 12:16:58.255236531 +0200
@@ -11,6 +11,8 @@ @@ -11,6 +11,8 @@
from importlib import import_module from importlib import import_module
from importlib.util import find_spec from importlib.util import find_spec
@@ -127,7 +127,7 @@ Index: Python-3.13.5/Doc/conf.py
''' '''
manpages_url = 'https://manpages.debian.org/{path}' manpages_url = 'https://manpages.debian.org/{path}'
@@ -92,7 +94,7 @@ @@ -96,7 +98,7 @@
# Minimum version of sphinx required # Minimum version of sphinx required
# Keep this version in sync with ``Doc/requirements.txt``. # Keep this version in sync with ``Doc/requirements.txt``.
@@ -136,7 +136,7 @@ Index: Python-3.13.5/Doc/conf.py
# Create table of contents entries for domain objects (e.g. functions, classes, # Create table of contents entries for domain objects (e.g. functions, classes,
# attributes, etc.). Default is True. # attributes, etc.). Default is True.
@@ -323,6 +325,9 @@ @@ -258,6 +260,9 @@
# Avoid a warning with Sphinx >= 4.0 # Avoid a warning with Sphinx >= 4.0
root_doc = 'contents' root_doc = 'contents'
@@ -146,7 +146,7 @@ Index: Python-3.13.5/Doc/conf.py
# Allow translation of index directives # Allow translation of index directives
gettext_additional_targets = [ gettext_additional_targets = [
'index', 'index',
@@ -362,7 +367,7 @@ @@ -297,7 +302,7 @@
# (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html) # (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html)
is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external" is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external"
repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "") repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "")
@@ -155,7 +155,7 @@ Index: Python-3.13.5/Doc/conf.py
html_context = { html_context = {
"is_deployment_preview": is_deployment_preview, "is_deployment_preview": is_deployment_preview,
"repository_url": repository_url or None, "repository_url": repository_url or None,
@@ -607,6 +612,16 @@ @@ -542,6 +547,16 @@
} }
extlinks_detect_hardcoded_links = True extlinks_detect_hardcoded_links = True
@@ -172,22 +172,22 @@ Index: Python-3.13.5/Doc/conf.py
# Options for c_annotations extension # Options for c_annotations extension
# ----------------------------------- # -----------------------------------
Index: Python-3.13.5/Doc/library/doctest.rst Index: Python-3.13.6/Doc/library/doctest.rst
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/library/doctest.rst 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/library/doctest.rst 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/library/doctest.rst 2025-06-12 21:38:04.909944989 +0200 +++ Python-3.13.6/Doc/library/doctest.rst 2025-08-07 12:16:58.255583157 +0200
@@ -308,7 +308,6 @@ @@ -310,7 +310,6 @@
searched. Objects imported into the module are not searched. .. currentmodule:: None
.. attribute:: module.__test__ .. attribute:: module.__test__
- :no-typesetting: - :no-typesetting:
In addition, there are cases when you want tests to be part of a module but not part .. currentmodule:: doctest
of the help text, which requires that the tests not be included in the docstring.
Index: Python-3.13.5/Doc/library/email.compat32-message.rst Index: Python-3.13.6/Doc/library/email.compat32-message.rst
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/library/email.compat32-message.rst 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/library/email.compat32-message.rst 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/library/email.compat32-message.rst 2025-06-12 21:38:04.910320877 +0200 +++ Python-3.13.6/Doc/library/email.compat32-message.rst 2025-08-07 12:16:58.256095517 +0200
@@ -7,7 +7,6 @@ @@ -7,7 +7,6 @@
:synopsis: The base class representing email messages in a fashion :synopsis: The base class representing email messages in a fashion
backward compatible with Python 3.2 backward compatible with Python 3.2
@@ -196,11 +196,11 @@ Index: Python-3.13.5/Doc/library/email.compat32-message.rst
The :class:`Message` class is very similar to the The :class:`Message` class is very similar to the
Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst Index: Python-3.13.6/Doc/library/xml.etree.elementtree.rst
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/library/xml.etree.elementtree.rst 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:38:04.910594893 +0200 +++ Python-3.13.6/Doc/library/xml.etree.elementtree.rst 2025-08-07 12:16:58.256380542 +0200
@@ -874,7 +874,6 @@ @@ -873,7 +873,6 @@
.. module:: xml.etree.ElementTree .. module:: xml.etree.ElementTree
:noindex: :noindex:
@@ -208,10 +208,10 @@ Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst
.. class:: Element(tag, attrib={}, **extra) .. class:: Element(tag, attrib={}, **extra)
Index: Python-3.13.5/Doc/tools/check-warnings.py Index: Python-3.13.6/Doc/tools/check-warnings.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/check-warnings.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/check-warnings.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/check-warnings.py 2025-06-12 21:38:04.910896050 +0200 +++ Python-3.13.6/Doc/tools/check-warnings.py 2025-08-07 12:16:58.256796101 +0200
@@ -228,7 +228,8 @@ @@ -228,7 +228,8 @@
print(filename) print(filename)
for warning in warnings: for warning in warnings:
@@ -231,10 +231,10 @@ Index: Python-3.13.5/Doc/tools/check-warnings.py
for warning in warnings for warning in warnings
if "Doc/" in warning if "Doc/" in warning
} }
Index: Python-3.13.5/Doc/tools/extensions/audit_events.py Index: Python-3.13.6/Doc/tools/extensions/audit_events.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/audit_events.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/audit_events.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/audit_events.py 2025-06-12 21:38:04.911151491 +0200 +++ Python-3.13.6/Doc/tools/extensions/audit_events.py 2025-08-07 12:16:58.257103336 +0200
@@ -1,9 +1,6 @@ @@ -1,9 +1,6 @@
"""Support for documenting audit events.""" """Support for documenting audit events."""
@@ -370,10 +370,10 @@ Index: Python-3.13.5/Doc/tools/extensions/audit_events.py
) -> nodes.row: ) -> nodes.row:
row = nodes.row() row = nodes.row()
name_node = nodes.paragraph("", nodes.Text(name)) name_node = nodes.paragraph("", nodes.Text(name))
Index: Python-3.13.5/Doc/tools/extensions/availability.py Index: Python-3.13.6/Doc/tools/extensions/availability.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/availability.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/availability.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/availability.py 2025-06-12 21:38:04.911376735 +0200 +++ Python-3.13.6/Doc/tools/extensions/availability.py 2025-08-07 12:16:58.257352322 +0200
@@ -1,8 +1,6 @@ @@ -1,8 +1,6 @@
"""Support for documenting platform availability""" """Support for documenting platform availability"""
@@ -427,10 +427,10 @@ Index: Python-3.13.5/Doc/tools/extensions/availability.py
app.add_directive("availability", Availability) app.add_directive("availability", Availability)
return { return {
Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py Index: Python-3.13.6/Doc/tools/extensions/c_annotations.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/c_annotations.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/c_annotations.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/c_annotations.py 2025-06-12 21:38:04.911575881 +0200 +++ Python-3.13.6/Doc/tools/extensions/c_annotations.py 2025-08-07 12:16:58.257571556 +0200
@@ -9,22 +9,26 @@ @@ -9,22 +9,26 @@
* Set ``stable_abi_file`` to the path to stable ABI list. * Set ``stable_abi_file`` to the path to stable ABI list.
""" """
@@ -568,10 +568,10 @@ Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py
return { return {
"version": "1.0", "version": "1.0",
"parallel_read_safe": True, "parallel_read_safe": True,
Index: Python-3.13.5/Doc/tools/extensions/changes.py Index: Python-3.13.6/Doc/tools/extensions/changes.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/changes.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/changes.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/changes.py 2025-06-12 21:38:04.911758715 +0200 +++ Python-3.13.6/Doc/tools/extensions/changes.py 2025-08-07 12:16:58.257773818 +0200
@@ -1,7 +1,5 @@ @@ -1,7 +1,5 @@
"""Support for documenting version of changes, additions, deprecations.""" """Support for documenting version of changes, additions, deprecations."""
@@ -607,10 +607,10 @@ Index: Python-3.13.5/Doc/tools/extensions/changes.py
# Override Sphinx's directives with support for 'next' # Override Sphinx's directives with support for 'next'
app.add_directive("versionadded", PyVersionChange, override=True) app.add_directive("versionadded", PyVersionChange, override=True)
app.add_directive("versionchanged", PyVersionChange, override=True) app.add_directive("versionchanged", PyVersionChange, override=True)
Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py Index: Python-3.13.6/Doc/tools/extensions/glossary_search.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/glossary_search.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/glossary_search.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/glossary_search.py 2025-06-12 21:38:04.911907976 +0200 +++ Python-3.13.6/Doc/tools/extensions/glossary_search.py 2025-08-07 12:16:58.257959947 +0200
@@ -1,21 +1,27 @@ @@ -1,21 +1,27 @@
"""Feature search results for glossary items prominently.""" """Feature search results for glossary items prominently."""
@@ -654,10 +654,10 @@ Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py
app.connect('doctree-resolved', process_glossary_nodes) app.connect('doctree-resolved', process_glossary_nodes)
app.connect('build-finished', write_glossary_json) app.connect('build-finished', write_glossary_json)
Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py Index: Python-3.13.6/Doc/tools/extensions/implementation_detail.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/implementation_detail.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:38:04.912061736 +0200 +++ Python-3.13.6/Doc/tools/extensions/implementation_detail.py 2025-08-07 12:16:58.258140488 +0200
@@ -1,17 +1,10 @@ @@ -1,17 +1,10 @@
"""Support for marking up implementation details.""" """Support for marking up implementation details."""
@@ -708,10 +708,10 @@ Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py
app.add_directive("impl-detail", ImplementationDetail) app.add_directive("impl-detail", ImplementationDetail)
return { return {
Index: Python-3.13.5/Doc/tools/extensions/issue_role.py Index: Python-3.13.6/Doc/tools/extensions/issue_role.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/issue_role.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/issue_role.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/issue_role.py 2025-06-12 21:38:04.912236134 +0200 +++ Python-3.13.6/Doc/tools/extensions/issue_role.py 2025-08-07 12:16:58.258306293 +0200
@@ -1,22 +1,18 @@ @@ -1,22 +1,18 @@
"""Support for referencing issues in the tracker.""" """Support for referencing issues in the tracker."""
@@ -757,10 +757,10 @@ Index: Python-3.13.5/Doc/tools/extensions/issue_role.py
app.add_role("issue", BPOIssue()) app.add_role("issue", BPOIssue())
app.add_role("gh", GitHubIssue()) app.add_role("gh", GitHubIssue())
Index: Python-3.13.5/Doc/tools/extensions/misc_news.py Index: Python-3.13.6/Doc/tools/extensions/misc_news.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/misc_news.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/misc_news.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/misc_news.py 2025-06-12 21:38:04.912390144 +0200 +++ Python-3.13.6/Doc/tools/extensions/misc_news.py 2025-08-07 12:16:58.258481107 +0200
@@ -1,7 +1,5 @@ @@ -1,7 +1,5 @@
"""Support for including Misc/NEWS.""" """Support for including Misc/NEWS."""
@@ -813,10 +813,10 @@ Index: Python-3.13.5/Doc/tools/extensions/misc_news.py
app.add_directive("miscnews", MiscNews) app.add_directive("miscnews", MiscNews)
return { return {
Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py Index: Python-3.13.6/Doc/tools/extensions/patchlevel.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/patchlevel.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/patchlevel.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/patchlevel.py 2025-06-12 21:38:04.912563631 +0200 +++ Python-3.13.6/Doc/tools/extensions/patchlevel.py 2025-08-07 12:16:58.258716335 +0200
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
import re import re
import sys import sys
@@ -854,10 +854,10 @@ Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py
version = f"{info.major}.{info.minor}" version = f"{info.major}.{info.minor}"
release = f"{info.major}.{info.minor}.{info.micro}" release = f"{info.major}.{info.minor}.{info.micro}"
if info.releaselevel != "final": if info.releaselevel != "final":
Index: Python-3.13.5/Doc/tools/extensions/pydoc_topics.py Index: Python-3.13.6/Doc/tools/extensions/pydoc_topics.py
=================================================================== ===================================================================
--- Python-3.13.5.orig/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:37:37.257659788 +0200 --- Python-3.13.6.orig/Doc/tools/extensions/pydoc_topics.py 2025-08-06 15:05:20.000000000 +0200
+++ Python-3.13.5/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:38:04.912726688 +0200 +++ Python-3.13.6/Doc/tools/extensions/pydoc_topics.py 2025-08-07 12:16:58.258911962 +0200
@@ -1,21 +1,23 @@ @@ -1,21 +1,23 @@
"""Support for building "topic help" for pydoc.""" """Support for building "topic help" for pydoc."""

7
python313.changes
View File

@@ -27,7 +27,8 @@ Thu Aug 7 10:08:11 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- gh-135462: Fix quadratic complexity in processing specially - gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs comments and are now handled according to the HTML5 specs comments and
declarations are automatically closed, tags are ignored. declarations are automatically closed, tags are ignored
(CVE-2025-6069, bsc#1244705).
- gh-118350: Fix support of escapable raw text mode (elements - gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser. “textarea” and “title”) in html.parser.HTMLParser.
- Core and Builtins - Core and Builtins
@@ -202,7 +203,9 @@ Thu Aug 7 10:08:11 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Build - Build
- gh-135497: Fix the detection of MAXLOGNAME in the - gh-135497: Fix the detection of MAXLOGNAME in the
configure.ac script. configure.ac script.
- Remove CVE-2025-8194-tarfile-no-neg-offsets.patch - Remove upstreamed patches:
- CVE-2025-8194-tarfile-no-neg-offsets.patch
- CVE-2025-6069-quad-complex-HTMLParser.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu> Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>

3
python313.spec
View File

@@ -231,9 +231,6 @@ Patch42: gh126985-mv-pyvenv.cfg2getpath.patch
# PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com # PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com
# Doc: Generate ids for audit_events using docname # Doc: Generate ids for audit_events using docname
Patch43: bsc1243155-sphinx-non-determinism.patch Patch43: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-UPSTREAM CVE-2025-6069-quad-complex-HTMLParser.patch bsc#1244705 mcepl@suse.com
# avoid quadratic complexity when processing malformed inputs with HTMLParser
Patch44: CVE-2025-6069-quad-complex-HTMLParser.patch
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes