forked from pool/python313
Compare commits
157 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
b020ec1b9b
|
|||
|
6807e0fac4
|
|||
|
a8f3f2707f
|
|||
|
02c7c3ac57
|
|||
|
1b4b152007
|
|||
|
6823a127f7
|
|||
| 8490c35b5e | |||
| 216aee44d2 | |||
| 5c7e077e05 | |||
| 6ccfd57cb6 | |||
| f26b5dd668 | |||
| 97f2e50954 | |||
| d782ad00ca | |||
| b40f1d6405 | |||
| 45ae9e0091 | |||
| 0f5697e310 | |||
| f819c56b57 | |||
| 6ca12749fe | |||
| af83d0ea02 | |||
| 588cd5ec7f | |||
| 4a974dadae | |||
| 9a64481749 | |||
| c0f5d18c1e | |||
| 0c1f23a3d6 | |||
| 00d0af4ebb | |||
| f1f4736355 | |||
| 8fc89fce82 | |||
| e51fa4e692 | |||
| 5584dde572 | |||
| da11e6e10a | |||
| b30cd19ff8 | |||
| a7efa91dcd | |||
| cb554c7d4c | |||
| 92106b1aea | |||
| b58f975be7 | |||
| cf3b0e517c | |||
| f3df88065e | |||
| c7e438c2e0 | |||
| 7d8817d9bb | |||
| eb2298e3f2 | |||
| 308dfaef9b | |||
| f9c64528f8 | |||
| c2d30804e6 | |||
| 3386fc12ed | |||
| 70558652fc | |||
| e8c68d65d4 | |||
| 6072bbdbcd | |||
| f5a88d357f | |||
| 96acb778b3 | |||
| 6d5d3f96b0 | |||
| 820434f8e4 | |||
| 8d20edb449 | |||
| 487ae82f04 | |||
| 55fb9cd905 | |||
| 64bae1f84b | |||
| d8af743464 | |||
| c1d8c54913 | |||
| 201e349852 | |||
| bb17c93a2a | |||
| a90f4e560b | |||
| 55167f91bd | |||
| 0f47302d79 | |||
| b91bbdde1b | |||
| 24d06dc05c | |||
| 384d0f4194 | |||
| 3837884001 | |||
| 9e2287fa69 | |||
| a23dbf9cdf | |||
| 9624a1ae7e | |||
| 208ac0bda6 | |||
| 415df5f3cd | |||
| 88b70a09e9 | |||
| 3467717953 | |||
| 1ea8708b8d | |||
| 3bce06d06a | |||
| 1e079c98aa | |||
| 347e286045 | |||
| 279fe75cee | |||
| d6f4df3c91 | |||
| 7d140c532a | |||
| 875a6f6235 | |||
| c596c85ff5 | |||
| 5c3c7cecd2 | |||
| dfcfb5ce90 | |||
| 528339bd34 | |||
| d4f884437e | |||
| ecf4d377f8 | |||
| d6003ec835 | |||
| adc199414a | |||
| 64423e0ba5 | |||
| 183fa1a4f9 | |||
| 99d319aa5b | |||
| c9f290cdec | |||
| 6daf155ac4 | |||
| be126e03ea | |||
| d67c636211 | |||
| 9fd773a946 | |||
| 73ac4a887b | |||
| 994d248383 | |||
| b8a809b1cc | |||
| eb20745074 | |||
| d5a98f8796 | |||
| d24d58c01e | |||
| 9875af21c3 | |||
| 26d0509456 | |||
| e84b2a9ea2 | |||
| b7221c02d8 | |||
| 3029e09e6c | |||
| ed950ec431 | |||
| 5ddcd862f2 | |||
| 1474d9e3e7 | |||
| 6a96a3b53f | |||
| a96d28f6cd | |||
| 9d3910e32a | |||
| d566f66214 | |||
| 30eeed452e | |||
| d30e6ca376 | |||
| fa823e120f | |||
| 3827c5d408 | |||
| 6afb8e217a | |||
| 2325ab9130 | |||
| 8eb4d86563 | |||
| 34a67fa7c5 | |||
| 648323dfb5 | |||
| 18edb4412d | |||
| bb1b0a85b2 | |||
| 31416b1907 | |||
| da884a6e9b | |||
| 6912c8cc4e | |||
| b81fd3c63c | |||
| 727c999e70 | |||
| d6957de319 | |||
| 45a1da448a | |||
| ed93a74c21 | |||
| 8be8178387 | |||
| 8f89a6f1a9 | |||
| 58dda96c93 | |||
| 5a06fe7d3f | |||
| 2a85f6bbe8 | |||
| ed786f6cde | |||
| 4e91415a72 | |||
| f99fa3b4a5 | |||
| 2120051248 | |||
| 7eaae69a60 | |||
| a4dc42ba84 | |||
| ee738c9b79 | |||
| 447b043d69 | |||
| d51b4f3c7a | |||
| 46a04323e0 | |||
| 4dc8935b4f | |||
| 4a63e4ee14 | |||
| 8e49b262ea | |||
| edaef6893c | |||
| 5eff57c396 | |||
| cf67592415 | |||
| 9bce840ac0 | |||
| c9d84fa1ca |
1
.gitattributes
vendored
1
.gitattributes
vendored
@@ -21,3 +21,4 @@
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
||||
*.changes merge=merge-changes
|
||||
|
||||
6
.gitignore
vendored
Normal file
6
.gitignore
vendored
Normal file
@@ -0,0 +1,6 @@
|
||||
.osc
|
||||
*.obscpio
|
||||
*.osc
|
||||
_build.*
|
||||
.pbuild
|
||||
python313-*-build/
|
||||
@@ -1,247 +0,0 @@
|
||||
From 9043edabc7e2f0dd655146e0a4571e2a0b2906af Mon Sep 17 00:00:00 2001
|
||||
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Date: Fri, 13 Jun 2025 19:57:48 +0300
|
||||
Subject: [PATCH] gh-135462: Fix quadratic complexity in processing special
|
||||
input in HTMLParser (GH-135464)
|
||||
|
||||
End-of-file errors are now handled according to the HTML5 specs --
|
||||
comments and declarations are automatically closed, tags are ignored.
|
||||
(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
|
||||
|
||||
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||
---
|
||||
Lib/html/parser.py | 41 +++-
|
||||
Lib/test/test_htmlparser.py | 97 +++++++---
|
||||
Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst | 4
|
||||
3 files changed, 111 insertions(+), 31 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
|
||||
|
||||
Index: Python-3.13.5/Lib/html/parser.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Lib/html/parser.py 2025-06-11 17:36:57.000000000 +0200
|
||||
+++ Python-3.13.5/Lib/html/parser.py 2025-07-02 16:49:52.020175099 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
attr_charref = re.compile(r'&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*)[;=]?')
|
||||
|
||||
starttagopen = re.compile('<[a-zA-Z]')
|
||||
+endtagopen = re.compile('</[a-zA-Z]')
|
||||
piclose = re.compile('>')
|
||||
commentclose = re.compile(r'--\s*>')
|
||||
# Note:
|
||||
@@ -195,7 +196,7 @@
|
||||
k = self.parse_pi(i)
|
||||
elif startswith("<!", i):
|
||||
k = self.parse_html_declaration(i)
|
||||
- elif (i + 1) < n:
|
||||
+ elif (i + 1) < n or end:
|
||||
self.handle_data("<")
|
||||
k = i + 1
|
||||
else:
|
||||
@@ -203,17 +204,35 @@
|
||||
if k < 0:
|
||||
if not end:
|
||||
break
|
||||
- k = rawdata.find('>', i + 1)
|
||||
- if k < 0:
|
||||
- k = rawdata.find('<', i + 1)
|
||||
- if k < 0:
|
||||
- k = i + 1
|
||||
+ if starttagopen.match(rawdata, i): # < + letter
|
||||
+ pass
|
||||
+ elif startswith("</", i):
|
||||
+ if i + 2 == n:
|
||||
+ self.handle_data("</")
|
||||
+ elif endtagopen.match(rawdata, i): # </ + letter
|
||||
+ pass
|
||||
+ else:
|
||||
+ # bogus comment
|
||||
+ self.handle_comment(rawdata[i+2:])
|
||||
+ elif startswith("<!--", i):
|
||||
+ j = n
|
||||
+ for suffix in ("--!", "--", "-"):
|
||||
+ if rawdata.endswith(suffix, i+4):
|
||||
+ j -= len(suffix)
|
||||
+ break
|
||||
+ self.handle_comment(rawdata[i+4:j])
|
||||
+ elif startswith("<![CDATA[", i):
|
||||
+ self.unknown_decl(rawdata[i+3:])
|
||||
+ elif rawdata[i:i+9].lower() == '<!doctype':
|
||||
+ self.handle_decl(rawdata[i+2:])
|
||||
+ elif startswith("<!", i):
|
||||
+ # bogus comment
|
||||
+ self.handle_comment(rawdata[i+2:])
|
||||
+ elif startswith("<?", i):
|
||||
+ self.handle_pi(rawdata[i+2:])
|
||||
else:
|
||||
- k += 1
|
||||
- if self.convert_charrefs and not self.cdata_elem:
|
||||
- self.handle_data(unescape(rawdata[i:k]))
|
||||
- else:
|
||||
- self.handle_data(rawdata[i:k])
|
||||
+ raise AssertionError("we should not get here!")
|
||||
+ k = n
|
||||
i = self.updatepos(i, k)
|
||||
elif startswith("&#", i):
|
||||
match = charref.match(rawdata, i)
|
||||
Index: Python-3.13.5/Lib/test/test_htmlparser.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Lib/test/test_htmlparser.py 2025-06-11 17:36:57.000000000 +0200
|
||||
+++ Python-3.13.5/Lib/test/test_htmlparser.py 2025-07-02 16:49:52.020821697 +0200
|
||||
@@ -5,6 +5,7 @@
|
||||
import unittest
|
||||
|
||||
from unittest.mock import patch
|
||||
+from test import support
|
||||
|
||||
|
||||
class EventCollector(html.parser.HTMLParser):
|
||||
@@ -430,28 +431,34 @@
|
||||
('data', '<'),
|
||||
('starttag', 'bc<', [('a', None)]),
|
||||
('endtag', 'html'),
|
||||
- ('data', '\n<img src="URL>'),
|
||||
- ('comment', '/img'),
|
||||
- ('endtag', 'html<')])
|
||||
+ ('data', '\n')])
|
||||
|
||||
def test_starttag_junk_chars(self):
|
||||
+ self._run_check("<", [('data', '<')])
|
||||
+ self._run_check("<>", [('data', '<>')])
|
||||
+ self._run_check("< >", [('data', '< >')])
|
||||
+ self._run_check("< ", [('data', '< ')])
|
||||
self._run_check("</>", [])
|
||||
+ self._run_check("<$>", [('data', '<$>')])
|
||||
self._run_check("</$>", [('comment', '$')])
|
||||
self._run_check("</", [('data', '</')])
|
||||
- self._run_check("</a", [('data', '</a')])
|
||||
+ self._run_check("</a", [])
|
||||
+ self._run_check("</ a>", [('endtag', 'a')])
|
||||
+ self._run_check("</ a", [('comment', ' a')])
|
||||
self._run_check("<a<a>", [('starttag', 'a<a', [])])
|
||||
self._run_check("</a<a>", [('endtag', 'a<a')])
|
||||
- self._run_check("<!", [('data', '<!')])
|
||||
- self._run_check("<a", [('data', '<a')])
|
||||
- self._run_check("<a foo='bar'", [('data', "<a foo='bar'")])
|
||||
- self._run_check("<a foo='bar", [('data', "<a foo='bar")])
|
||||
- self._run_check("<a foo='>'", [('data', "<a foo='>'")])
|
||||
- self._run_check("<a foo='>", [('data', "<a foo='>")])
|
||||
+ self._run_check("<!", [('comment', '')])
|
||||
+ self._run_check("<a", [])
|
||||
+ self._run_check("<a foo='bar'", [])
|
||||
+ self._run_check("<a foo='bar", [])
|
||||
+ self._run_check("<a foo='>'", [])
|
||||
+ self._run_check("<a foo='>", [])
|
||||
self._run_check("<a$>", [('starttag', 'a$', [])])
|
||||
self._run_check("<a$b>", [('starttag', 'a$b', [])])
|
||||
self._run_check("<a$b/>", [('startendtag', 'a$b', [])])
|
||||
self._run_check("<a$b >", [('starttag', 'a$b', [])])
|
||||
self._run_check("<a$b />", [('startendtag', 'a$b', [])])
|
||||
+ self._run_check("</a$b>", [('endtag', 'a$b')])
|
||||
|
||||
def test_slashes_in_starttag(self):
|
||||
self._run_check('<a foo="var"/>', [('startendtag', 'a', [('foo', 'var')])])
|
||||
@@ -576,21 +583,50 @@
|
||||
for html, expected in data:
|
||||
self._run_check(html, expected)
|
||||
|
||||
- def test_EOF_in_comments_or_decls(self):
|
||||
+ def test_eof_in_comments(self):
|
||||
data = [
|
||||
- ('<!', [('data', '<!')]),
|
||||
- ('<!-', [('data', '<!-')]),
|
||||
- ('<!--', [('data', '<!--')]),
|
||||
- ('<![', [('data', '<![')]),
|
||||
- ('<![CDATA[', [('data', '<![CDATA[')]),
|
||||
- ('<![CDATA[x', [('data', '<![CDATA[x')]),
|
||||
- ('<!DOCTYPE', [('data', '<!DOCTYPE')]),
|
||||
- ('<!DOCTYPE HTML', [('data', '<!DOCTYPE HTML')]),
|
||||
+ ('<!--', [('comment', '')]),
|
||||
+ ('<!---', [('comment', '')]),
|
||||
+ ('<!----', [('comment', '')]),
|
||||
+ ('<!-----', [('comment', '-')]),
|
||||
+ ('<!------', [('comment', '--')]),
|
||||
+ ('<!----!', [('comment', '')]),
|
||||
+ ('<!---!', [('comment', '-!')]),
|
||||
+ ('<!---!>', [('comment', '-!>')]),
|
||||
+ ('<!--foo', [('comment', 'foo')]),
|
||||
+ ('<!--foo-', [('comment', 'foo')]),
|
||||
+ ('<!--foo--', [('comment', 'foo')]),
|
||||
+ ('<!--foo--!', [('comment', 'foo')]),
|
||||
+ ('<!--<!--', [('comment', '<!')]),
|
||||
+ ('<!--<!--!', [('comment', '<!')]),
|
||||
]
|
||||
for html, expected in data:
|
||||
self._run_check(html, expected)
|
||||
+
|
||||
+ def test_eof_in_declarations(self):
|
||||
+ data = [
|
||||
+ ('<!', [('comment', '')]),
|
||||
+ ('<!-', [('comment', '-')]),
|
||||
+ ('<![', [('comment', '[')]),
|
||||
+ ('<![CDATA[', [('unknown decl', 'CDATA[')]),
|
||||
+ ('<![CDATA[x', [('unknown decl', 'CDATA[x')]),
|
||||
+ ('<![CDATA[x]', [('unknown decl', 'CDATA[x]')]),
|
||||
+ ('<![CDATA[x]]', [('unknown decl', 'CDATA[x]]')]),
|
||||
+ ('<!DOCTYPE', [('decl', 'DOCTYPE')]),
|
||||
+ ('<!DOCTYPE ', [('decl', 'DOCTYPE ')]),
|
||||
+ ('<!DOCTYPE html', [('decl', 'DOCTYPE html')]),
|
||||
+ ('<!DOCTYPE html ', [('decl', 'DOCTYPE html ')]),
|
||||
+ ('<!DOCTYPE html PUBLIC', [('decl', 'DOCTYPE html PUBLIC')]),
|
||||
+ ('<!DOCTYPE html PUBLIC "foo', [('decl', 'DOCTYPE html PUBLIC "foo')]),
|
||||
+ ('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "foo',
|
||||
+ [('decl', 'DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "foo')]),
|
||||
+ ]
|
||||
+ for html, expected in data:
|
||||
+ self._run_check(html, expected)
|
||||
+
|
||||
def test_bogus_comments(self):
|
||||
- html = ('<! not really a comment >'
|
||||
+ html = ('<!ELEMENT br EMPTY>'
|
||||
+ '<! not really a comment >'
|
||||
'<! not a comment either -->'
|
||||
'<! -- close enough -->'
|
||||
'<!><!<-- this was an empty comment>'
|
||||
@@ -604,6 +640,7 @@
|
||||
'<![CDATA]]>' # required '[' after CDATA
|
||||
)
|
||||
expected = [
|
||||
+ ('comment', 'ELEMENT br EMPTY'),
|
||||
('comment', ' not really a comment '),
|
||||
('comment', ' not a comment either --'),
|
||||
('comment', ' -- close enough --'),
|
||||
@@ -684,6 +721,26 @@
|
||||
('endtag', 'a'), ('data', ' bar & baz')]
|
||||
)
|
||||
|
||||
+ @support.requires_resource('cpu')
|
||||
+ def test_eof_no_quadratic_complexity(self):
|
||||
+ # Each of these examples used to take about an hour.
|
||||
+ # Now they take a fraction of a second.
|
||||
+ def check(source):
|
||||
+ parser = html.parser.HTMLParser()
|
||||
+ parser.feed(source)
|
||||
+ parser.close()
|
||||
+ n = 120_000
|
||||
+ check("<a " * n)
|
||||
+ check("<a a=" * n)
|
||||
+ check("</a " * 14 * n)
|
||||
+ check("</a a=" * 11 * n)
|
||||
+ check("<!--" * 4 * n)
|
||||
+ check("<!" * 60 * n)
|
||||
+ check("<?" * 19 * n)
|
||||
+ check("</$" * 15 * n)
|
||||
+ check("<![CDATA[" * 9 * n)
|
||||
+ check("<!doctype" * 35 * n)
|
||||
+
|
||||
|
||||
class AttributesTestCase(TestCaseBase):
|
||||
|
||||
Index: Python-3.13.5/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ Python-3.13.5/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst 2025-07-02 16:49:52.021124951 +0200
|
||||
@@ -0,0 +1,4 @@
|
||||
+Fix quadratic complexity in processing specially crafted input in
|
||||
+:class:`html.parser.HTMLParser`. End-of-file errors are now handled according
|
||||
+to the HTML5 specs -- comments and declarations are automatically closed,
|
||||
+tags are ignored.
|
||||
373
CVE-2025-6075-expandvars-perf-degrad.patch
Normal file
373
CVE-2025-6075-expandvars-perf-degrad.patch
Normal file
@@ -0,0 +1,373 @@
|
||||
From 4fc21099da844f85b799d3c4c8b1b5936faa4cdc Mon Sep 17 00:00:00 2001
|
||||
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Date: Fri, 31 Oct 2025 15:49:51 +0200
|
||||
Subject: [PATCH 1/2] [3.13] gh-136065: Fix quadratic complexity in
|
||||
os.path.expandvars() (GH-134952) (cherry picked from commit
|
||||
f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
||||
---
|
||||
Lib/ntpath.py | 126 +++-------
|
||||
Lib/posixpath.py | 43 +--
|
||||
Lib/test/test_genericpath.py | 21 +
|
||||
Lib/test/test_ntpath.py | 22 +
|
||||
Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1
|
||||
5 files changed, 96 insertions(+), 117 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
|
||||
|
||||
Index: Python-3.13.9/Lib/ntpath.py
|
||||
===================================================================
|
||||
--- Python-3.13.9.orig/Lib/ntpath.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Lib/ntpath.py 2025-11-14 01:47:08.155405483 +0100
|
||||
@@ -400,17 +400,23 @@
|
||||
# XXX With COMMAND.COM you can use any characters in a variable name,
|
||||
# XXX except '^|<>='.
|
||||
|
||||
+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
|
||||
+_varsub = None
|
||||
+_varsubb = None
|
||||
+
|
||||
def expandvars(path):
|
||||
"""Expand shell variables of the forms $var, ${var} and %var%.
|
||||
|
||||
Unknown variables are left unchanged."""
|
||||
path = os.fspath(path)
|
||||
+ global _varsub, _varsubb
|
||||
if isinstance(path, bytes):
|
||||
if b'$' not in path and b'%' not in path:
|
||||
return path
|
||||
- import string
|
||||
- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
|
||||
- quote = b'\''
|
||||
+ if not _varsubb:
|
||||
+ import re
|
||||
+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
|
||||
+ sub = _varsubb
|
||||
percent = b'%'
|
||||
brace = b'{'
|
||||
rbrace = b'}'
|
||||
@@ -419,94 +425,44 @@
|
||||
else:
|
||||
if '$' not in path and '%' not in path:
|
||||
return path
|
||||
- import string
|
||||
- varchars = string.ascii_letters + string.digits + '_-'
|
||||
- quote = '\''
|
||||
+ if not _varsub:
|
||||
+ import re
|
||||
+ _varsub = re.compile(_varpattern, re.ASCII).sub
|
||||
+ sub = _varsub
|
||||
percent = '%'
|
||||
brace = '{'
|
||||
rbrace = '}'
|
||||
dollar = '$'
|
||||
environ = os.environ
|
||||
- res = path[:0]
|
||||
- index = 0
|
||||
- pathlen = len(path)
|
||||
- while index < pathlen:
|
||||
- c = path[index:index+1]
|
||||
- if c == quote: # no expansion within single quotes
|
||||
- path = path[index + 1:]
|
||||
- pathlen = len(path)
|
||||
- try:
|
||||
- index = path.index(c)
|
||||
- res += c + path[:index + 1]
|
||||
- except ValueError:
|
||||
- res += c + path
|
||||
- index = pathlen - 1
|
||||
- elif c == percent: # variable or '%'
|
||||
- if path[index + 1:index + 2] == percent:
|
||||
- res += c
|
||||
- index += 1
|
||||
- else:
|
||||
- path = path[index+1:]
|
||||
- pathlen = len(path)
|
||||
- try:
|
||||
- index = path.index(percent)
|
||||
- except ValueError:
|
||||
- res += percent + path
|
||||
- index = pathlen - 1
|
||||
- else:
|
||||
- var = path[:index]
|
||||
- try:
|
||||
- if environ is None:
|
||||
- value = os.fsencode(os.environ[os.fsdecode(var)])
|
||||
- else:
|
||||
- value = environ[var]
|
||||
- except KeyError:
|
||||
- value = percent + var + percent
|
||||
- res += value
|
||||
- elif c == dollar: # variable or '$$'
|
||||
- if path[index + 1:index + 2] == dollar:
|
||||
- res += c
|
||||
- index += 1
|
||||
- elif path[index + 1:index + 2] == brace:
|
||||
- path = path[index+2:]
|
||||
- pathlen = len(path)
|
||||
- try:
|
||||
- index = path.index(rbrace)
|
||||
- except ValueError:
|
||||
- res += dollar + brace + path
|
||||
- index = pathlen - 1
|
||||
- else:
|
||||
- var = path[:index]
|
||||
- try:
|
||||
- if environ is None:
|
||||
- value = os.fsencode(os.environ[os.fsdecode(var)])
|
||||
- else:
|
||||
- value = environ[var]
|
||||
- except KeyError:
|
||||
- value = dollar + brace + var + rbrace
|
||||
- res += value
|
||||
- else:
|
||||
- var = path[:0]
|
||||
- index += 1
|
||||
- c = path[index:index + 1]
|
||||
- while c and c in varchars:
|
||||
- var += c
|
||||
- index += 1
|
||||
- c = path[index:index + 1]
|
||||
- try:
|
||||
- if environ is None:
|
||||
- value = os.fsencode(os.environ[os.fsdecode(var)])
|
||||
- else:
|
||||
- value = environ[var]
|
||||
- except KeyError:
|
||||
- value = dollar + var
|
||||
- res += value
|
||||
- if c:
|
||||
- index -= 1
|
||||
+
|
||||
+ def repl(m):
|
||||
+ lastindex = m.lastindex
|
||||
+ if lastindex is None:
|
||||
+ return m[0]
|
||||
+ name = m[lastindex]
|
||||
+ if lastindex == 1:
|
||||
+ if name == percent:
|
||||
+ return name
|
||||
+ if not name.endswith(percent):
|
||||
+ return m[0]
|
||||
+ name = name[:-1]
|
||||
else:
|
||||
- res += c
|
||||
- index += 1
|
||||
- return res
|
||||
+ if name == dollar:
|
||||
+ return name
|
||||
+ if name.startswith(brace):
|
||||
+ if not name.endswith(rbrace):
|
||||
+ return m[0]
|
||||
+ name = name[1:-1]
|
||||
+
|
||||
+ try:
|
||||
+ if environ is None:
|
||||
+ return os.fsencode(os.environ[os.fsdecode(name)])
|
||||
+ else:
|
||||
+ return environ[name]
|
||||
+ except KeyError:
|
||||
+ return m[0]
|
||||
+
|
||||
+ return sub(repl, path)
|
||||
|
||||
|
||||
# Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
|
||||
Index: Python-3.13.9/Lib/posixpath.py
|
||||
===================================================================
|
||||
--- Python-3.13.9.orig/Lib/posixpath.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Lib/posixpath.py 2025-11-14 01:47:08.155728503 +0100
|
||||
@@ -284,42 +284,41 @@
|
||||
# This expands the forms $variable and ${variable} only.
|
||||
# Non-existent variables are left unchanged.
|
||||
|
||||
-_varprog = None
|
||||
-_varprogb = None
|
||||
+_varpattern = r'\$(\w+|\{[^}]*\}?)'
|
||||
+_varsub = None
|
||||
+_varsubb = None
|
||||
|
||||
def expandvars(path):
|
||||
"""Expand shell variables of form $var and ${var}. Unknown variables
|
||||
are left unchanged."""
|
||||
path = os.fspath(path)
|
||||
- global _varprog, _varprogb
|
||||
+ global _varsub, _varsubb
|
||||
if isinstance(path, bytes):
|
||||
if b'$' not in path:
|
||||
return path
|
||||
- if not _varprogb:
|
||||
+ if not _varsubb:
|
||||
import re
|
||||
- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
|
||||
- search = _varprogb.search
|
||||
+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
|
||||
+ sub = _varsubb
|
||||
start = b'{'
|
||||
end = b'}'
|
||||
environ = getattr(os, 'environb', None)
|
||||
else:
|
||||
if '$' not in path:
|
||||
return path
|
||||
- if not _varprog:
|
||||
+ if not _varsub:
|
||||
import re
|
||||
- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
|
||||
- search = _varprog.search
|
||||
+ _varsub = re.compile(_varpattern, re.ASCII).sub
|
||||
+ sub = _varsub
|
||||
start = '{'
|
||||
end = '}'
|
||||
environ = os.environ
|
||||
- i = 0
|
||||
- while True:
|
||||
- m = search(path, i)
|
||||
- if not m:
|
||||
- break
|
||||
- i, j = m.span(0)
|
||||
- name = m.group(1)
|
||||
- if name.startswith(start) and name.endswith(end):
|
||||
+
|
||||
+ def repl(m):
|
||||
+ name = m[1]
|
||||
+ if name.startswith(start):
|
||||
+ if not name.endswith(end):
|
||||
+ return m[0]
|
||||
name = name[1:-1]
|
||||
try:
|
||||
if environ is None:
|
||||
@@ -327,13 +326,11 @@
|
||||
else:
|
||||
value = environ[name]
|
||||
except KeyError:
|
||||
- i = j
|
||||
+ return m[0]
|
||||
else:
|
||||
- tail = path[j:]
|
||||
- path = path[:i] + value
|
||||
- i = len(path)
|
||||
- path += tail
|
||||
- return path
|
||||
+ return value
|
||||
+
|
||||
+ return sub(repl, path)
|
||||
|
||||
|
||||
# Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
|
||||
Index: Python-3.13.9/Lib/test/test_genericpath.py
|
||||
===================================================================
|
||||
--- Python-3.13.9.orig/Lib/test/test_genericpath.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Lib/test/test_genericpath.py 2025-11-14 01:47:08.157575687 +0100
|
||||
@@ -7,9 +7,9 @@
|
||||
import sys
|
||||
import unittest
|
||||
import warnings
|
||||
-from test.support import (
|
||||
- is_apple, is_emscripten, os_helper, warnings_helper
|
||||
-)
|
||||
+from test import support
|
||||
+from test.support import os_helper, is_emscripten
|
||||
+from test.support import warnings_helper
|
||||
from test.support.script_helper import assert_python_ok
|
||||
from test.support.os_helper import FakePath
|
||||
|
||||
@@ -446,6 +446,19 @@
|
||||
os.fsencode('$bar%s bar' % nonascii))
|
||||
check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
|
||||
|
||||
+ @support.requires_resource('cpu')
|
||||
+ def test_expandvars_large(self):
|
||||
+ expandvars = self.pathmodule.expandvars
|
||||
+ with os_helper.EnvironmentVarGuard() as env:
|
||||
+ env.clear()
|
||||
+ env["A"] = "B"
|
||||
+ n = 100_000
|
||||
+ self.assertEqual(expandvars('$A'*n), 'B'*n)
|
||||
+ self.assertEqual(expandvars('${A}'*n), 'B'*n)
|
||||
+ self.assertEqual(expandvars('$A!'*n), 'B!'*n)
|
||||
+ self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
|
||||
+ self.assertEqual(expandvars('${'*10*n), '${'*10*n)
|
||||
+
|
||||
def test_abspath(self):
|
||||
self.assertIn("foo", self.pathmodule.abspath("foo"))
|
||||
with warnings.catch_warnings():
|
||||
@@ -503,7 +516,7 @@
|
||||
# directory (when the bytes name is used).
|
||||
and sys.platform not in {
|
||||
"win32", "emscripten", "wasi"
|
||||
- } and not is_apple
|
||||
+ } and not support.is_apple
|
||||
):
|
||||
name = os_helper.TESTFN_UNDECODABLE
|
||||
elif os_helper.TESTFN_NONASCII:
|
||||
Index: Python-3.13.9/Lib/test/test_ntpath.py
|
||||
===================================================================
|
||||
--- Python-3.13.9.orig/Lib/test/test_ntpath.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Lib/test/test_ntpath.py 2025-11-14 01:47:08.156225429 +0100
|
||||
@@ -8,8 +8,7 @@
|
||||
import warnings
|
||||
from ntpath import ALLOW_MISSING
|
||||
from test import support
|
||||
-from test.support import cpython_only, os_helper
|
||||
-from test.support import TestFailed, is_emscripten
|
||||
+from test.support import os_helper, is_emscripten
|
||||
from test.support.os_helper import FakePath
|
||||
from test import test_genericpath
|
||||
from tempfile import TemporaryFile
|
||||
@@ -59,7 +58,7 @@
|
||||
fn = fn.replace("\\", "\\\\")
|
||||
gotResult = eval(fn)
|
||||
if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
|
||||
- raise TestFailed("%s should return: %s but returned: %s" \
|
||||
+ raise support.TestFailed("%s should return: %s but returned: %s" \
|
||||
%(str(fn), str(wantResult), str(gotResult)))
|
||||
|
||||
# then with bytes
|
||||
@@ -75,7 +74,7 @@
|
||||
warnings.simplefilter("ignore", DeprecationWarning)
|
||||
gotResult = eval(fn)
|
||||
if _norm(wantResult) != _norm(gotResult):
|
||||
- raise TestFailed("%s should return: %s but returned: %s" \
|
||||
+ raise support.TestFailed("%s should return: %s but returned: %s" \
|
||||
%(str(fn), str(wantResult), repr(gotResult)))
|
||||
|
||||
|
||||
@@ -1022,6 +1021,19 @@
|
||||
check('%spam%bar', '%sbar' % nonascii)
|
||||
check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
|
||||
|
||||
+ @support.requires_resource('cpu')
|
||||
+ def test_expandvars_large(self):
|
||||
+ expandvars = ntpath.expandvars
|
||||
+ with os_helper.EnvironmentVarGuard() as env:
|
||||
+ env.clear()
|
||||
+ env["A"] = "B"
|
||||
+ n = 100_000
|
||||
+ self.assertEqual(expandvars('%A%'*n), 'B'*n)
|
||||
+ self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
|
||||
+ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
|
||||
+ self.assertEqual(expandvars("%%"*n), "%"*n)
|
||||
+ self.assertEqual(expandvars("$$"*n), "$"*n)
|
||||
+
|
||||
def test_expanduser(self):
|
||||
tester('ntpath.expanduser("test")', 'test')
|
||||
|
||||
@@ -1440,7 +1452,7 @@
|
||||
self.assertTrue(os.path.exists(r"\\.\CON"))
|
||||
|
||||
@unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32")
|
||||
- @cpython_only
|
||||
+ @support.cpython_only
|
||||
def test_fast_paths_in_use(self):
|
||||
# There are fast paths of these functions implemented in posixmodule.c.
|
||||
# Confirm that they are being used, and not the Python fallbacks in
|
||||
Index: Python-3.13.9/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ Python-3.13.9/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2025-11-14 01:47:08.156533642 +0100
|
||||
@@ -0,0 +1 @@
|
||||
+Fix quadratic complexity in :func:`os.path.expandvars`.
|
||||
@@ -1,212 +0,0 @@
|
||||
From fd29bcd380150035ef825b762d8cd085bdab6e53 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Urieles <aeurielesn@users.noreply.github.com>
|
||||
Date: Mon, 28 Jul 2025 17:37:26 +0200
|
||||
Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member
|
||||
offsets are non-negative (GH-137027) (cherry picked from commit
|
||||
7040aa54f14676938970e10c5f74ea93cd56aa38)
|
||||
|
||||
Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
|
||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
||||
---
|
||||
Lib/tarfile.py | 3
|
||||
Lib/test/test_tarfile.py | 156 ++++++++++
|
||||
Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3
|
||||
3 files changed, 162 insertions(+)
|
||||
create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
|
||||
|
||||
Index: Python-3.13.5/Lib/tarfile.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Lib/tarfile.py 2025-08-01 22:13:44.185826095 +0200
|
||||
+++ Python-3.13.5/Lib/tarfile.py 2025-08-01 22:13:45.524140183 +0200
|
||||
@@ -1636,6 +1636,9 @@
|
||||
"""Round up a byte count by BLOCKSIZE and return it,
|
||||
e.g. _block(834) => 1024.
|
||||
"""
|
||||
+ # Only non-negative offsets are allowed
|
||||
+ if count < 0:
|
||||
+ raise InvalidHeaderError("invalid offset")
|
||||
blocks, remainder = divmod(count, BLOCKSIZE)
|
||||
if remainder:
|
||||
blocks += 1
|
||||
Index: Python-3.13.5/Lib/test/test_tarfile.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Lib/test/test_tarfile.py 2025-06-11 17:36:57.000000000 +0200
|
||||
+++ Python-3.13.5/Lib/test/test_tarfile.py 2025-08-01 22:13:45.524778259 +0200
|
||||
@@ -50,6 +50,7 @@
|
||||
xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
|
||||
tmpname = os.path.join(TEMPDIR, "tmp.tar")
|
||||
dotlessname = os.path.join(TEMPDIR, "testtar")
|
||||
+SPACE = b" "
|
||||
|
||||
sha256_regtype = (
|
||||
"e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
|
||||
@@ -4578,6 +4579,161 @@
|
||||
ar.extractall(self.testdir, filter='fully_trusted')
|
||||
|
||||
|
||||
+class OffsetValidationTests(unittest.TestCase):
|
||||
+ tarname = tmpname
|
||||
+ invalid_posix_header = (
|
||||
+ # name: 100 bytes
|
||||
+ tarfile.NUL * tarfile.LENGTH_NAME
|
||||
+ # mode, space, null terminator: 8 bytes
|
||||
+ + b"000755" + SPACE + tarfile.NUL
|
||||
+ # uid, space, null terminator: 8 bytes
|
||||
+ + b"000001" + SPACE + tarfile.NUL
|
||||
+ # gid, space, null terminator: 8 bytes
|
||||
+ + b"000001" + SPACE + tarfile.NUL
|
||||
+ # size, space: 12 bytes
|
||||
+ + b"\xff" * 11 + SPACE
|
||||
+ # mtime, space: 12 bytes
|
||||
+ + tarfile.NUL * 11 + SPACE
|
||||
+ # chksum: 8 bytes
|
||||
+ + b"0011407" + tarfile.NUL
|
||||
+ # type: 1 byte
|
||||
+ + tarfile.REGTYPE
|
||||
+ # linkname: 100 bytes
|
||||
+ + tarfile.NUL * tarfile.LENGTH_LINK
|
||||
+ # magic: 6 bytes, version: 2 bytes
|
||||
+ + tarfile.POSIX_MAGIC
|
||||
+ # uname: 32 bytes
|
||||
+ + tarfile.NUL * 32
|
||||
+ # gname: 32 bytes
|
||||
+ + tarfile.NUL * 32
|
||||
+ # devmajor, space, null terminator: 8 bytes
|
||||
+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
|
||||
+ # devminor, space, null terminator: 8 bytes
|
||||
+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
|
||||
+ # prefix: 155 bytes
|
||||
+ + tarfile.NUL * tarfile.LENGTH_PREFIX
|
||||
+ # padding: 12 bytes
|
||||
+ + tarfile.NUL * 12
|
||||
+ )
|
||||
+ invalid_gnu_header = (
|
||||
+ # name: 100 bytes
|
||||
+ tarfile.NUL * tarfile.LENGTH_NAME
|
||||
+ # mode, null terminator: 8 bytes
|
||||
+ + b"0000755" + tarfile.NUL
|
||||
+ # uid, null terminator: 8 bytes
|
||||
+ + b"0000001" + tarfile.NUL
|
||||
+ # gid, space, null terminator: 8 bytes
|
||||
+ + b"0000001" + tarfile.NUL
|
||||
+ # size, space: 12 bytes
|
||||
+ + b"\xff" * 11 + SPACE
|
||||
+ # mtime, space: 12 bytes
|
||||
+ + tarfile.NUL * 11 + SPACE
|
||||
+ # chksum: 8 bytes
|
||||
+ + b"0011327" + tarfile.NUL
|
||||
+ # type: 1 byte
|
||||
+ + tarfile.REGTYPE
|
||||
+ # linkname: 100 bytes
|
||||
+ + tarfile.NUL * tarfile.LENGTH_LINK
|
||||
+ # magic: 8 bytes
|
||||
+ + tarfile.GNU_MAGIC
|
||||
+ # uname: 32 bytes
|
||||
+ + tarfile.NUL * 32
|
||||
+ # gname: 32 bytes
|
||||
+ + tarfile.NUL * 32
|
||||
+ # devmajor, null terminator: 8 bytes
|
||||
+ + tarfile.NUL * 8
|
||||
+ # devminor, null terminator: 8 bytes
|
||||
+ + tarfile.NUL * 8
|
||||
+ # padding: 167 bytes
|
||||
+ + tarfile.NUL * 167
|
||||
+ )
|
||||
+ invalid_v7_header = (
|
||||
+ # name: 100 bytes
|
||||
+ tarfile.NUL * tarfile.LENGTH_NAME
|
||||
+ # mode, space, null terminator: 8 bytes
|
||||
+ + b"000755" + SPACE + tarfile.NUL
|
||||
+ # uid, space, null terminator: 8 bytes
|
||||
+ + b"000001" + SPACE + tarfile.NUL
|
||||
+ # gid, space, null terminator: 8 bytes
|
||||
+ + b"000001" + SPACE + tarfile.NUL
|
||||
+ # size, space: 12 bytes
|
||||
+ + b"\xff" * 11 + SPACE
|
||||
+ # mtime, space: 12 bytes
|
||||
+ + tarfile.NUL * 11 + SPACE
|
||||
+ # chksum: 8 bytes
|
||||
+ + b"0010070" + tarfile.NUL
|
||||
+ # type: 1 byte
|
||||
+ + tarfile.REGTYPE
|
||||
+ # linkname: 100 bytes
|
||||
+ + tarfile.NUL * tarfile.LENGTH_LINK
|
||||
+ # padding: 255 bytes
|
||||
+ + tarfile.NUL * 255
|
||||
+ )
|
||||
+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
|
||||
+ data_block = b"\xff" * tarfile.BLOCKSIZE
|
||||
+
|
||||
+ def _write_buffer(self, buffer):
|
||||
+ with open(self.tarname, "wb") as f:
|
||||
+ f.write(buffer)
|
||||
+
|
||||
+ def _get_members(self, ignore_zeros=None):
|
||||
+ with open(self.tarname, "rb") as f:
|
||||
+ with tarfile.open(
|
||||
+ mode="r", fileobj=f, ignore_zeros=ignore_zeros
|
||||
+ ) as tar:
|
||||
+ return tar.getmembers()
|
||||
+
|
||||
+ def _assert_raises_read_error_exception(self):
|
||||
+ with self.assertRaisesRegex(
|
||||
+ tarfile.ReadError, "file could not be opened successfully"
|
||||
+ ):
|
||||
+ self._get_members()
|
||||
+
|
||||
+ def test_invalid_offset_header_validations(self):
|
||||
+ for tar_format, invalid_header in (
|
||||
+ ("posix", self.invalid_posix_header),
|
||||
+ ("gnu", self.invalid_gnu_header),
|
||||
+ ("v7", self.invalid_v7_header),
|
||||
+ ):
|
||||
+ with self.subTest(format=tar_format):
|
||||
+ self._write_buffer(invalid_header)
|
||||
+ self._assert_raises_read_error_exception()
|
||||
+
|
||||
+ def test_early_stop_at_invalid_offset_header(self):
|
||||
+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
|
||||
+ self._write_buffer(buffer)
|
||||
+ members = self._get_members()
|
||||
+ self.assertEqual(len(members), 1)
|
||||
+ self.assertEqual(members[0].name, "filename")
|
||||
+ self.assertEqual(members[0].offset, 0)
|
||||
+
|
||||
+ def test_ignore_invalid_archive(self):
|
||||
+ # 3 invalid headers with their respective data
|
||||
+ buffer = (self.invalid_gnu_header + self.data_block) * 3
|
||||
+ self._write_buffer(buffer)
|
||||
+ members = self._get_members(ignore_zeros=True)
|
||||
+ self.assertEqual(len(members), 0)
|
||||
+
|
||||
+ def test_ignore_invalid_offset_headers(self):
|
||||
+ for first_block, second_block, expected_offset in (
|
||||
+ (
|
||||
+ (self.valid_gnu_header),
|
||||
+ (self.invalid_gnu_header + self.data_block),
|
||||
+ 0,
|
||||
+ ),
|
||||
+ (
|
||||
+ (self.invalid_gnu_header + self.data_block),
|
||||
+ (self.valid_gnu_header),
|
||||
+ 1024,
|
||||
+ ),
|
||||
+ ):
|
||||
+ self._write_buffer(first_block + second_block)
|
||||
+ members = self._get_members(ignore_zeros=True)
|
||||
+ self.assertEqual(len(members), 1)
|
||||
+ self.assertEqual(members[0].name, "filename")
|
||||
+ self.assertEqual(members[0].offset, expected_offset)
|
||||
+
|
||||
+
|
||||
def setUpModule():
|
||||
os_helper.unlink(TEMPDIR)
|
||||
os.makedirs(TEMPDIR)
|
||||
Index: Python-3.13.5/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ Python-3.13.5/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-01 22:13:45.525174751 +0200
|
||||
@@ -0,0 +1,3 @@
|
||||
+:mod:`tarfile` now validates archives to ensure member offsets are
|
||||
+non-negative. (Contributed by Alexander Enrique Urieles Nieto in
|
||||
+:gh:`130577`.)
|
||||
307
CVE-2025-8291-consistency-zip64.patch
Normal file
307
CVE-2025-8291-consistency-zip64.patch
Normal file
@@ -0,0 +1,307 @@
|
||||
From 1f2e4ec73cf7ece0a8c0a7a85cb73ec9ec0ef85a Mon Sep 17 00:00:00 2001
|
||||
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Date: Tue, 7 Oct 2025 20:15:26 +0300
|
||||
Subject: [PATCH] [3.13] gh-139700: Check consistency of the zip64 end of
|
||||
central directory record (GH-139702)
|
||||
|
||||
Support records with "zip64 extensible data" if there are no bytes
|
||||
prepended to the ZIP file.
|
||||
(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
|
||||
|
||||
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||
---
|
||||
Lib/test/test_zipfile/test_core.py | 82 ++++++++++++++++++-
|
||||
Lib/zipfile/__init__.py | 51 +++++++-----
|
||||
...-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +
|
||||
3 files changed, 113 insertions(+), 23 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||
|
||||
diff --git a/Lib/test/test_zipfile/test_core.py b/Lib/test/test_zipfile/test_core.py
|
||||
index 41ec6a437ba917..2212d9c91dc899 100644
|
||||
--- a/Lib/test/test_zipfile/test_core.py
|
||||
+++ b/Lib/test/test_zipfile/test_core.py
|
||||
@@ -884,6 +884,8 @@ def make_zip64_file(
|
||||
self, file_size_64_set=False, file_size_extra=False,
|
||||
compress_size_64_set=False, compress_size_extra=False,
|
||||
header_offset_64_set=False, header_offset_extra=False,
|
||||
+ extensible_data=b'',
|
||||
+ end_of_central_dir_size=None, offset_to_end_of_central_dir=None,
|
||||
):
|
||||
"""Generate bytes sequence for a zip with (incomplete) zip64 data.
|
||||
|
||||
@@ -937,6 +939,12 @@ def make_zip64_file(
|
||||
|
||||
central_dir_size = struct.pack('<Q', 58 + 8 * len(central_zip64_fields))
|
||||
offset_to_central_dir = struct.pack('<Q', 50 + 8 * len(local_zip64_fields))
|
||||
+ if end_of_central_dir_size is None:
|
||||
+ end_of_central_dir_size = 44 + len(extensible_data)
|
||||
+ if offset_to_end_of_central_dir is None:
|
||||
+ offset_to_end_of_central_dir = (108
|
||||
+ + 8 * len(local_zip64_fields)
|
||||
+ + 8 * len(central_zip64_fields))
|
||||
|
||||
local_extra_length = struct.pack("<H", 4 + 8 * len(local_zip64_fields))
|
||||
central_extra_length = struct.pack("<H", 4 + 8 * len(central_zip64_fields))
|
||||
@@ -965,14 +973,17 @@ def make_zip64_file(
|
||||
+ filename
|
||||
+ central_extra
|
||||
# Zip64 end of central directory
|
||||
- + b"PK\x06\x06,\x00\x00\x00\x00\x00\x00\x00-\x00-"
|
||||
- + b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
|
||||
+ + b"PK\x06\x06"
|
||||
+ + struct.pack('<Q', end_of_central_dir_size)
|
||||
+ + b"-\x00-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
|
||||
+ b"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
|
||||
+ central_dir_size
|
||||
+ offset_to_central_dir
|
||||
+ + extensible_data
|
||||
# Zip64 end of central directory locator
|
||||
- + b"PK\x06\x07\x00\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x01"
|
||||
- + b"\x00\x00\x00"
|
||||
+ + b"PK\x06\x07\x00\x00\x00\x00"
|
||||
+ + struct.pack('<Q', offset_to_end_of_central_dir)
|
||||
+ + b"\x01\x00\x00\x00"
|
||||
# end of central directory
|
||||
+ b"PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00:\x00\x00\x002\x00"
|
||||
+ b"\x00\x00\x00\x00"
|
||||
@@ -1003,6 +1014,7 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_file_size_extra))
|
||||
self.assertIn('file size', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_file_size_extra)))
|
||||
|
||||
# zip64 file size present, zip64 compress size present, one field in
|
||||
# extra, expecting two, equals missing compress size.
|
||||
@@ -1014,6 +1026,7 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
|
||||
self.assertIn('compress size', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
|
||||
|
||||
# zip64 compress size present, no fields in extra, expecting one,
|
||||
# equals missing compress size.
|
||||
@@ -1023,6 +1036,7 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_compress_size_extra))
|
||||
self.assertIn('compress size', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_compress_size_extra)))
|
||||
|
||||
# zip64 file size present, zip64 compress size present, zip64 header
|
||||
# offset present, two fields in extra, expecting three, equals missing
|
||||
@@ -1037,6 +1051,7 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
|
||||
self.assertIn('header offset', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
|
||||
|
||||
# zip64 compress size present, zip64 header offset present, one field
|
||||
# in extra, expecting two, equals missing header offset
|
||||
@@ -1049,6 +1064,7 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
|
||||
self.assertIn('header offset', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
|
||||
|
||||
# zip64 file size present, zip64 header offset present, one field in
|
||||
# extra, expecting two, equals missing header offset
|
||||
@@ -1061,6 +1077,7 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
|
||||
self.assertIn('header offset', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
|
||||
|
||||
# zip64 header offset present, no fields in extra, expecting one,
|
||||
# equals missing header offset
|
||||
@@ -1072,6 +1089,63 @@ def test_bad_zip64_extra(self):
|
||||
with self.assertRaises(zipfile.BadZipFile) as e:
|
||||
zipfile.ZipFile(io.BytesIO(missing_header_offset_extra))
|
||||
self.assertIn('header offset', str(e.exception).lower())
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(missing_header_offset_extra)))
|
||||
+
|
||||
+ def test_bad_zip64_end_of_central_dir(self):
|
||||
+ zipdata = self.make_zip64_file(end_of_central_dir_size=0)
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
|
||||
+ zipfile.ZipFile(io.BytesIO(zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ zipdata = self.make_zip64_file(end_of_central_dir_size=100)
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
|
||||
+ zipfile.ZipFile(io.BytesIO(zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ zipdata = self.make_zip64_file(offset_to_end_of_central_dir=0)
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*record'):
|
||||
+ zipfile.ZipFile(io.BytesIO(zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ zipdata = self.make_zip64_file(offset_to_end_of_central_dir=1000)
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Corrupt.*locator'):
|
||||
+ zipfile.ZipFile(io.BytesIO(zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ def test_zip64_end_of_central_dir_record_not_found(self):
|
||||
+ zipdata = self.make_zip64_file()
|
||||
+ zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
|
||||
+ zipfile.ZipFile(io.BytesIO(zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ zipdata = self.make_zip64_file(
|
||||
+ extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
|
||||
+ zipdata = zipdata.replace(b"PK\x06\x06", b'\x00'*4)
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
|
||||
+ zipfile.ZipFile(io.BytesIO(zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ def test_zip64_extensible_data(self):
|
||||
+ # These values are what is set in the make_zip64_file method.
|
||||
+ expected_file_size = 8
|
||||
+ expected_compress_size = 8
|
||||
+ expected_header_offset = 0
|
||||
+ expected_content = b"test1234"
|
||||
+
|
||||
+ zipdata = self.make_zip64_file(
|
||||
+ extensible_data=b'\xca\xfe\x04\x00\x00\x00data')
|
||||
+ with zipfile.ZipFile(io.BytesIO(zipdata)) as zf:
|
||||
+ zinfo = zf.infolist()[0]
|
||||
+ self.assertEqual(zinfo.file_size, expected_file_size)
|
||||
+ self.assertEqual(zinfo.compress_size, expected_compress_size)
|
||||
+ self.assertEqual(zinfo.header_offset, expected_header_offset)
|
||||
+ self.assertEqual(zf.read(zinfo), expected_content)
|
||||
+ self.assertTrue(zipfile.is_zipfile(io.BytesIO(zipdata)))
|
||||
+
|
||||
+ with self.assertRaisesRegex(zipfile.BadZipFile, 'record not found'):
|
||||
+ zipfile.ZipFile(io.BytesIO(b'prepended' + zipdata))
|
||||
+ self.assertFalse(zipfile.is_zipfile(io.BytesIO(b'prepended' + zipdata)))
|
||||
|
||||
def test_generated_valid_zip64_extra(self):
|
||||
# These values are what is set in the make_zip64_file method.
|
||||
diff --git a/Lib/zipfile/__init__.py b/Lib/zipfile/__init__.py
|
||||
index 05f387a950ba0a..c01f13729e1c99 100644
|
||||
--- a/Lib/zipfile/__init__.py
|
||||
+++ b/Lib/zipfile/__init__.py
|
||||
@@ -245,7 +245,7 @@ def is_zipfile(filename):
|
||||
else:
|
||||
with open(filename, "rb") as fp:
|
||||
result = _check_zipfile(fp)
|
||||
- except OSError:
|
||||
+ except (OSError, BadZipFile):
|
||||
pass
|
||||
return result
|
||||
|
||||
@@ -253,16 +253,15 @@ def _EndRecData64(fpin, offset, endrec):
|
||||
"""
|
||||
Read the ZIP64 end-of-archive records and use that to update endrec
|
||||
"""
|
||||
- try:
|
||||
- fpin.seek(offset - sizeEndCentDir64Locator, 2)
|
||||
- except OSError:
|
||||
- # If the seek fails, the file is not large enough to contain a ZIP64
|
||||
+ offset -= sizeEndCentDir64Locator
|
||||
+ if offset < 0:
|
||||
+ # The file is not large enough to contain a ZIP64
|
||||
# end-of-archive record, so just return the end record we were given.
|
||||
return endrec
|
||||
-
|
||||
+ fpin.seek(offset)
|
||||
data = fpin.read(sizeEndCentDir64Locator)
|
||||
if len(data) != sizeEndCentDir64Locator:
|
||||
- return endrec
|
||||
+ raise OSError("Unknown I/O error")
|
||||
sig, diskno, reloff, disks = struct.unpack(structEndArchive64Locator, data)
|
||||
if sig != stringEndArchive64Locator:
|
||||
return endrec
|
||||
@@ -270,16 +269,33 @@ def _EndRecData64(fpin, offset, endrec):
|
||||
if diskno != 0 or disks > 1:
|
||||
raise BadZipFile("zipfiles that span multiple disks are not supported")
|
||||
|
||||
- # Assume no 'zip64 extensible data'
|
||||
- fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2)
|
||||
+ offset -= sizeEndCentDir64
|
||||
+ if reloff > offset:
|
||||
+ raise BadZipFile("Corrupt zip64 end of central directory locator")
|
||||
+ # First, check the assumption that there is no prepended data.
|
||||
+ fpin.seek(reloff)
|
||||
+ extrasz = offset - reloff
|
||||
data = fpin.read(sizeEndCentDir64)
|
||||
if len(data) != sizeEndCentDir64:
|
||||
- return endrec
|
||||
+ raise OSError("Unknown I/O error")
|
||||
+ if not data.startswith(stringEndArchive64) and reloff != offset:
|
||||
+ # Since we already have seen the Zip64 EOCD Locator, it's
|
||||
+ # possible we got here because there is prepended data.
|
||||
+ # Assume no 'zip64 extensible data'
|
||||
+ fpin.seek(offset)
|
||||
+ extrasz = 0
|
||||
+ data = fpin.read(sizeEndCentDir64)
|
||||
+ if len(data) != sizeEndCentDir64:
|
||||
+ raise OSError("Unknown I/O error")
|
||||
+ if not data.startswith(stringEndArchive64):
|
||||
+ raise BadZipFile("Zip64 end of central directory record not found")
|
||||
+
|
||||
sig, sz, create_version, read_version, disk_num, disk_dir, \
|
||||
dircount, dircount2, dirsize, diroffset = \
|
||||
struct.unpack(structEndArchive64, data)
|
||||
- if sig != stringEndArchive64:
|
||||
- return endrec
|
||||
+ if (diroffset + dirsize != reloff or
|
||||
+ sz + 12 != sizeEndCentDir64 + extrasz):
|
||||
+ raise BadZipFile("Corrupt zip64 end of central directory record")
|
||||
|
||||
# Update the original endrec using data from the ZIP64 record
|
||||
endrec[_ECD_SIGNATURE] = sig
|
||||
@@ -289,6 +305,7 @@ def _EndRecData64(fpin, offset, endrec):
|
||||
endrec[_ECD_ENTRIES_TOTAL] = dircount2
|
||||
endrec[_ECD_SIZE] = dirsize
|
||||
endrec[_ECD_OFFSET] = diroffset
|
||||
+ endrec[_ECD_LOCATION] = offset - extrasz
|
||||
return endrec
|
||||
|
||||
|
||||
@@ -322,7 +339,7 @@ def _EndRecData(fpin):
|
||||
endrec.append(filesize - sizeEndCentDir)
|
||||
|
||||
# Try to read the "Zip64 end of central directory" structure
|
||||
- return _EndRecData64(fpin, -sizeEndCentDir, endrec)
|
||||
+ return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec)
|
||||
|
||||
# Either this is not a ZIP file, or it is a ZIP file with an archive
|
||||
# comment. Search the end of the file for the "end of central directory"
|
||||
@@ -346,8 +363,7 @@ def _EndRecData(fpin):
|
||||
endrec.append(maxCommentStart + start)
|
||||
|
||||
# Try to read the "Zip64 end of central directory" structure
|
||||
- return _EndRecData64(fpin, maxCommentStart + start - filesize,
|
||||
- endrec)
|
||||
+ return _EndRecData64(fpin, maxCommentStart + start, endrec)
|
||||
|
||||
# Unable to find a valid end of central directory structure
|
||||
return None
|
||||
@@ -1458,9 +1474,6 @@ def _RealGetContents(self):
|
||||
|
||||
# "concat" is zero, unless zip was concatenated to another file
|
||||
concat = endrec[_ECD_LOCATION] - size_cd - offset_cd
|
||||
- if endrec[_ECD_SIGNATURE] == stringEndArchive64:
|
||||
- # If Zip64 extension structures are present, account for them
|
||||
- concat -= (sizeEndCentDir64 + sizeEndCentDir64Locator)
|
||||
|
||||
if self.debug > 2:
|
||||
inferred = concat + offset_cd
|
||||
@@ -2082,7 +2095,7 @@ def _write_end_record(self):
|
||||
" would require ZIP64 extensions")
|
||||
zip64endrec = struct.pack(
|
||||
structEndArchive64, stringEndArchive64,
|
||||
- 44, 45, 45, 0, 0, centDirCount, centDirCount,
|
||||
+ sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount,
|
||||
centDirSize, centDirOffset)
|
||||
self.fp.write(zip64endrec)
|
||||
|
||||
diff --git a/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||
new file mode 100644
|
||||
index 00000000000000..a8e7a1f1878c6b
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
|
||||
@@ -0,0 +1,3 @@
|
||||
+Check consistency of the zip64 end of central directory record. Support
|
||||
+records with "zip64 extensible data" if there are no bytes prepended to the
|
||||
+ZIP file.
|
||||
@@ -28,10 +28,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
|
||||
Lib/test/test_sysconfig.py | 17 +++++++++++--
|
||||
2 files changed, 67 insertions(+), 7 deletions(-)
|
||||
|
||||
Index: Python-3.13.3/Lib/sysconfig/__init__.py
|
||||
Index: Python-3.13.9/Lib/sysconfig/__init__.py
|
||||
===================================================================
|
||||
--- Python-3.13.3.orig/Lib/sysconfig/__init__.py 2025-04-08 15:54:08.000000000 +0200
|
||||
+++ Python-3.13.3/Lib/sysconfig/__init__.py 2025-04-11 21:52:31.769387873 +0200
|
||||
--- Python-3.13.9.orig/Lib/sysconfig/__init__.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Lib/sysconfig/__init__.py 2025-11-04 17:41:28.521141323 +0100
|
||||
@@ -106,6 +106,11 @@
|
||||
else:
|
||||
_INSTALL_SCHEMES['venv'] = _INSTALL_SCHEMES['posix_venv']
|
||||
@@ -128,10 +128,10 @@ Index: Python-3.13.3/Lib/sysconfig/__init__.py
|
||||
_CONFIG_VARS['py_version'] = _PY_VERSION
|
||||
_CONFIG_VARS['py_version_short'] = _PY_VERSION_SHORT
|
||||
_CONFIG_VARS['py_version_nodot'] = _PY_VERSION_SHORT_NO_DOT
|
||||
Index: Python-3.13.3/Lib/test/test_sysconfig.py
|
||||
Index: Python-3.13.9/Lib/test/test_sysconfig.py
|
||||
===================================================================
|
||||
--- Python-3.13.3.orig/Lib/test/test_sysconfig.py 2025-04-08 15:54:08.000000000 +0200
|
||||
+++ Python-3.13.3/Lib/test/test_sysconfig.py 2025-04-11 21:52:31.769841915 +0200
|
||||
--- Python-3.13.9.orig/Lib/test/test_sysconfig.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Lib/test/test_sysconfig.py 2025-11-04 17:41:28.521386489 +0100
|
||||
@@ -130,8 +130,19 @@
|
||||
for scheme in _INSTALL_SCHEMES:
|
||||
for name in _INSTALL_SCHEMES[scheme]:
|
||||
@@ -153,7 +153,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py
|
||||
os.path.normpath(expected),
|
||||
)
|
||||
|
||||
@@ -386,7 +397,7 @@
|
||||
@@ -393,7 +404,7 @@
|
||||
self.assertTrue(os.path.isfile(config_h), config_h)
|
||||
|
||||
def test_get_scheme_names(self):
|
||||
@@ -162,7 +162,7 @@ Index: Python-3.13.3/Lib/test/test_sysconfig.py
|
||||
if HAS_USER_BASE:
|
||||
wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
|
||||
self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
|
||||
@@ -398,6 +409,8 @@
|
||||
@@ -405,6 +416,8 @@
|
||||
cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
|
||||
self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
|
||||
|
||||
|
||||
BIN
Python-3.13.5.tar.xz
(Stored with Git LFS)
BIN
Python-3.13.5.tar.xz
(Stored with Git LFS)
Binary file not shown.
File diff suppressed because one or more lines are too long
BIN
Python-3.13.9.tar.xz
(Stored with Git LFS)
Normal file
BIN
Python-3.13.9.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
1
Python-3.13.9.tar.xz.sigstore
Normal file
1
Python-3.13.9.tar.xz.sigstore
Normal file
File diff suppressed because one or more lines are too long
@@ -27,10 +27,10 @@
|
||||
Doc/tools/extensions/pydoc_topics.py | 22 +++++-----
|
||||
18 files changed, 159 insertions(+), 130 deletions(-)
|
||||
|
||||
Index: Python-3.13.5/Doc/Makefile
|
||||
Index: Python-3.13.9/Doc/Makefile
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/Makefile 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/Makefile 2025-06-12 21:38:04.908380762 +0200
|
||||
--- Python-3.13.9.orig/Doc/Makefile 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/Makefile 2025-11-20 01:09:35.814292408 +0100
|
||||
@@ -14,15 +14,15 @@
|
||||
SOURCES =
|
||||
DISTVERSION = $(shell $(PYTHON) tools/extensions/patchlevel.py)
|
||||
@@ -51,10 +51,10 @@ Index: Python-3.13.5/Doc/Makefile
|
||||
$(PAPEROPT_$(PAPER)) \
|
||||
$(SPHINXOPTS) $(SPHINXERRORHANDLING) \
|
||||
. build/$(BUILDER) $(SOURCES)
|
||||
Index: Python-3.13.5/Doc/c-api/arg.rst
|
||||
Index: Python-3.13.9/Doc/c-api/arg.rst
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/c-api/arg.rst 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/c-api/arg.rst 2025-06-12 21:38:04.908705133 +0200
|
||||
--- Python-3.13.9.orig/Doc/c-api/arg.rst 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/c-api/arg.rst 2025-11-20 01:07:59.902914275 +0100
|
||||
@@ -334,7 +334,6 @@
|
||||
should raise an exception and leave the content of *address* unmodified.
|
||||
|
||||
@@ -63,10 +63,10 @@ Index: Python-3.13.5/Doc/c-api/arg.rst
|
||||
|
||||
If the *converter* returns :c:macro:`!Py_CLEANUP_SUPPORTED`, it may get called a
|
||||
second time if the argument parsing eventually fails, giving the converter a
|
||||
Index: Python-3.13.5/Doc/c-api/typeobj.rst
|
||||
Index: Python-3.13.9/Doc/c-api/typeobj.rst
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/c-api/typeobj.rst 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/c-api/typeobj.rst 2025-06-12 21:38:04.908874058 +0200
|
||||
--- Python-3.13.9.orig/Doc/c-api/typeobj.rst 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/c-api/typeobj.rst 2025-11-20 01:07:59.903382829 +0100
|
||||
@@ -610,7 +610,7 @@
|
||||
Functions like :c:func:`PyObject_NewVar` will take the value of N as an
|
||||
argument, and store in the instance's :c:member:`~PyVarObject.ob_size` field.
|
||||
@@ -97,10 +97,10 @@ Index: Python-3.13.5/Doc/c-api/typeobj.rst
|
||||
include :c:type:`PyObject` or :c:type:`PyVarObject` (depending on
|
||||
whether :c:member:`~PyVarObject.ob_size` should be included). These are
|
||||
usually defined by the macro :c:macro:`PyObject_HEAD` or
|
||||
Index: Python-3.13.5/Doc/conf.py
|
||||
Index: Python-3.13.9/Doc/conf.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/conf.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/conf.py 2025-06-12 21:38:04.909609597 +0200
|
||||
--- Python-3.13.9.orig/Doc/conf.py 2025-11-20 01:07:14.944126757 +0100
|
||||
+++ Python-3.13.9/Doc/conf.py 2025-11-20 01:07:59.903974303 +0100
|
||||
@@ -11,6 +11,8 @@
|
||||
from importlib import import_module
|
||||
from importlib.util import find_spec
|
||||
@@ -136,7 +136,7 @@ Index: Python-3.13.5/Doc/conf.py
|
||||
|
||||
# Create table of contents entries for domain objects (e.g. functions, classes,
|
||||
# attributes, etc.). Default is True.
|
||||
@@ -323,6 +325,9 @@
|
||||
@@ -257,6 +259,9 @@
|
||||
# Avoid a warning with Sphinx >= 4.0
|
||||
root_doc = 'contents'
|
||||
|
||||
@@ -146,7 +146,7 @@ Index: Python-3.13.5/Doc/conf.py
|
||||
# Allow translation of index directives
|
||||
gettext_additional_targets = [
|
||||
'index',
|
||||
@@ -362,7 +367,7 @@
|
||||
@@ -296,7 +301,7 @@
|
||||
# (See .readthedocs.yml and https://docs.readthedocs.io/en/stable/reference/environment-variables.html)
|
||||
is_deployment_preview = os.getenv("READTHEDOCS_VERSION_TYPE") == "external"
|
||||
repository_url = os.getenv("READTHEDOCS_GIT_CLONE_URL", "")
|
||||
@@ -172,22 +172,22 @@ Index: Python-3.13.5/Doc/conf.py
|
||||
# Options for c_annotations extension
|
||||
# -----------------------------------
|
||||
|
||||
Index: Python-3.13.5/Doc/library/doctest.rst
|
||||
Index: Python-3.13.9/Doc/library/doctest.rst
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/library/doctest.rst 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/library/doctest.rst 2025-06-12 21:38:04.909944989 +0200
|
||||
@@ -308,7 +308,6 @@
|
||||
searched. Objects imported into the module are not searched.
|
||||
--- Python-3.13.9.orig/Doc/library/doctest.rst 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/library/doctest.rst 2025-11-20 01:07:59.904511686 +0100
|
||||
@@ -310,7 +310,6 @@
|
||||
.. currentmodule:: None
|
||||
|
||||
.. attribute:: module.__test__
|
||||
- :no-typesetting:
|
||||
|
||||
In addition, there are cases when you want tests to be part of a module but not part
|
||||
of the help text, which requires that the tests not be included in the docstring.
|
||||
Index: Python-3.13.5/Doc/library/email.compat32-message.rst
|
||||
.. currentmodule:: doctest
|
||||
|
||||
Index: Python-3.13.9/Doc/library/email.compat32-message.rst
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/library/email.compat32-message.rst 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/library/email.compat32-message.rst 2025-06-12 21:38:04.910320877 +0200
|
||||
--- Python-3.13.9.orig/Doc/library/email.compat32-message.rst 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/library/email.compat32-message.rst 2025-11-20 01:07:59.905009154 +0100
|
||||
@@ -7,7 +7,6 @@
|
||||
:synopsis: The base class representing email messages in a fashion
|
||||
backward compatible with Python 3.2
|
||||
@@ -196,11 +196,11 @@ Index: Python-3.13.5/Doc/library/email.compat32-message.rst
|
||||
|
||||
|
||||
The :class:`Message` class is very similar to the
|
||||
Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst
|
||||
Index: Python-3.13.9/Doc/library/xml.etree.elementtree.rst
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/library/xml.etree.elementtree.rst 2025-06-12 21:38:04.910594893 +0200
|
||||
@@ -874,7 +874,6 @@
|
||||
--- Python-3.13.9.orig/Doc/library/xml.etree.elementtree.rst 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/library/xml.etree.elementtree.rst 2025-11-20 01:07:59.905273001 +0100
|
||||
@@ -873,7 +873,6 @@
|
||||
|
||||
.. module:: xml.etree.ElementTree
|
||||
:noindex:
|
||||
@@ -208,10 +208,10 @@ Index: Python-3.13.5/Doc/library/xml.etree.elementtree.rst
|
||||
|
||||
.. class:: Element(tag, attrib={}, **extra)
|
||||
|
||||
Index: Python-3.13.5/Doc/tools/check-warnings.py
|
||||
Index: Python-3.13.9/Doc/tools/check-warnings.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/check-warnings.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/check-warnings.py 2025-06-12 21:38:04.910896050 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/check-warnings.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/check-warnings.py 2025-11-20 01:07:59.905613002 +0100
|
||||
@@ -228,7 +228,8 @@
|
||||
print(filename)
|
||||
for warning in warnings:
|
||||
@@ -231,10 +231,10 @@ Index: Python-3.13.5/Doc/tools/check-warnings.py
|
||||
for warning in warnings
|
||||
if "Doc/" in warning
|
||||
}
|
||||
Index: Python-3.13.5/Doc/tools/extensions/audit_events.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/audit_events.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/audit_events.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/audit_events.py 2025-06-12 21:38:04.911151491 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/audit_events.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/audit_events.py 2025-11-20 01:08:35.819222654 +0100
|
||||
@@ -1,9 +1,6 @@
|
||||
"""Support for documenting audit events."""
|
||||
|
||||
@@ -370,10 +370,10 @@ Index: Python-3.13.5/Doc/tools/extensions/audit_events.py
|
||||
) -> nodes.row:
|
||||
row = nodes.row()
|
||||
name_node = nodes.paragraph("", nodes.Text(name))
|
||||
Index: Python-3.13.5/Doc/tools/extensions/availability.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/availability.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/availability.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/availability.py 2025-06-12 21:38:04.911376735 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/availability.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/availability.py 2025-11-20 01:07:59.906156697 +0100
|
||||
@@ -1,8 +1,6 @@
|
||||
"""Support for documenting platform availability"""
|
||||
|
||||
@@ -427,10 +427,10 @@ Index: Python-3.13.5/Doc/tools/extensions/availability.py
|
||||
app.add_directive("availability", Availability)
|
||||
|
||||
return {
|
||||
Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/c_annotations.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/c_annotations.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/c_annotations.py 2025-06-12 21:38:04.911575881 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/c_annotations.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/c_annotations.py 2025-11-20 01:07:59.906354780 +0100
|
||||
@@ -9,22 +9,26 @@
|
||||
* Set ``stable_abi_file`` to the path to stable ABI list.
|
||||
"""
|
||||
@@ -568,10 +568,10 @@ Index: Python-3.13.5/Doc/tools/extensions/c_annotations.py
|
||||
return {
|
||||
"version": "1.0",
|
||||
"parallel_read_safe": True,
|
||||
Index: Python-3.13.5/Doc/tools/extensions/changes.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/changes.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/changes.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/changes.py 2025-06-12 21:38:04.911758715 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/changes.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/changes.py 2025-11-20 01:07:59.906539198 +0100
|
||||
@@ -1,7 +1,5 @@
|
||||
"""Support for documenting version of changes, additions, deprecations."""
|
||||
|
||||
@@ -607,10 +607,10 @@ Index: Python-3.13.5/Doc/tools/extensions/changes.py
|
||||
# Override Sphinx's directives with support for 'next'
|
||||
app.add_directive("versionadded", PyVersionChange, override=True)
|
||||
app.add_directive("versionchanged", PyVersionChange, override=True)
|
||||
Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/glossary_search.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/glossary_search.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/glossary_search.py 2025-06-12 21:38:04.911907976 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/glossary_search.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/glossary_search.py 2025-11-20 01:07:59.906696224 +0100
|
||||
@@ -1,21 +1,27 @@
|
||||
"""Feature search results for glossary items prominently."""
|
||||
|
||||
@@ -654,10 +654,10 @@ Index: Python-3.13.5/Doc/tools/extensions/glossary_search.py
|
||||
app.connect('doctree-resolved', process_glossary_nodes)
|
||||
app.connect('build-finished', write_glossary_json)
|
||||
|
||||
Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/implementation_detail.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/implementation_detail.py 2025-06-12 21:38:04.912061736 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/implementation_detail.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/implementation_detail.py 2025-11-20 01:07:59.906853200 +0100
|
||||
@@ -1,17 +1,10 @@
|
||||
"""Support for marking up implementation details."""
|
||||
|
||||
@@ -708,10 +708,10 @@ Index: Python-3.13.5/Doc/tools/extensions/implementation_detail.py
|
||||
app.add_directive("impl-detail", ImplementationDetail)
|
||||
|
||||
return {
|
||||
Index: Python-3.13.5/Doc/tools/extensions/issue_role.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/issue_role.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/issue_role.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/issue_role.py 2025-06-12 21:38:04.912236134 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/issue_role.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/issue_role.py 2025-11-20 01:07:59.907010386 +0100
|
||||
@@ -1,22 +1,18 @@
|
||||
"""Support for referencing issues in the tracker."""
|
||||
|
||||
@@ -757,10 +757,10 @@ Index: Python-3.13.5/Doc/tools/extensions/issue_role.py
|
||||
app.add_role("issue", BPOIssue())
|
||||
app.add_role("gh", GitHubIssue())
|
||||
|
||||
Index: Python-3.13.5/Doc/tools/extensions/misc_news.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/misc_news.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/misc_news.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/misc_news.py 2025-06-12 21:38:04.912390144 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/misc_news.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/misc_news.py 2025-11-20 01:07:59.907170899 +0100
|
||||
@@ -1,7 +1,5 @@
|
||||
"""Support for including Misc/NEWS."""
|
||||
|
||||
@@ -813,10 +813,10 @@ Index: Python-3.13.5/Doc/tools/extensions/misc_news.py
|
||||
app.add_directive("miscnews", MiscNews)
|
||||
|
||||
return {
|
||||
Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/patchlevel.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/patchlevel.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/patchlevel.py 2025-06-12 21:38:04.912563631 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/patchlevel.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/patchlevel.py 2025-11-20 01:07:59.907494228 +0100
|
||||
@@ -3,7 +3,7 @@
|
||||
import re
|
||||
import sys
|
||||
@@ -854,10 +854,10 @@ Index: Python-3.13.5/Doc/tools/extensions/patchlevel.py
|
||||
version = f"{info.major}.{info.minor}"
|
||||
release = f"{info.major}.{info.minor}.{info.micro}"
|
||||
if info.releaselevel != "final":
|
||||
Index: Python-3.13.5/Doc/tools/extensions/pydoc_topics.py
|
||||
Index: Python-3.13.9/Doc/tools/extensions/pydoc_topics.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:37:37.257659788 +0200
|
||||
+++ Python-3.13.5/Doc/tools/extensions/pydoc_topics.py 2025-06-12 21:38:04.912726688 +0200
|
||||
--- Python-3.13.9.orig/Doc/tools/extensions/pydoc_topics.py 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Doc/tools/extensions/pydoc_topics.py 2025-11-20 01:07:59.907684617 +0100
|
||||
@@ -1,21 +1,23 @@
|
||||
"""Support for building "topic help" for pydoc."""
|
||||
|
||||
|
||||
@@ -8,10 +8,10 @@ Date: Tue Nov 26 13:46:33 2024 +0000
|
||||
Lib/test/test_sysconfig.py | 67 ---------------------------------------------
|
||||
1 file changed, 1 insertion(+), 66 deletions(-)
|
||||
|
||||
Index: Python-3.13.5/Lib/test/test_sysconfig.py
|
||||
Index: Python-3.13.9/Lib/test/test_sysconfig.py
|
||||
===================================================================
|
||||
--- Python-3.13.5.orig/Lib/test/test_sysconfig.py 2025-06-12 19:55:42.184491497 +0200
|
||||
+++ Python-3.13.5/Lib/test/test_sysconfig.py 2025-06-12 19:56:05.737665419 +0200
|
||||
--- Python-3.13.9.orig/Lib/test/test_sysconfig.py 2025-11-04 17:41:28.521386489 +0100
|
||||
+++ Python-3.13.9/Lib/test/test_sysconfig.py 2025-11-04 17:42:36.888243505 +0100
|
||||
@@ -110,6 +110,7 @@
|
||||
**venv_create_args,
|
||||
)
|
||||
@@ -20,7 +20,7 @@ Index: Python-3.13.5/Lib/test/test_sysconfig.py
|
||||
def test_get_path_names(self):
|
||||
self.assertEqual(get_path_names(), sysconfig._SCHEME_KEYS)
|
||||
|
||||
@@ -604,72 +605,6 @@
|
||||
@@ -611,72 +612,6 @@
|
||||
suffix = sysconfig.get_config_var('EXT_SUFFIX')
|
||||
self.assertTrue(suffix.endswith('-darwin.so'), suffix)
|
||||
|
||||
|
||||
30
gh138131-exclude-pycache-from-digest.patch
Normal file
30
gh138131-exclude-pycache-from-digest.patch
Normal file
@@ -0,0 +1,30 @@
|
||||
From 4bb41b28d5bac09bccd636d8c5fefe1a462f63a7 Mon Sep 17 00:00:00 2001
|
||||
From: Alm <alon.menczer@gmail.com>
|
||||
Date: Mon, 25 Aug 2025 08:56:38 +0300
|
||||
Subject: [PATCH 1/4] Exclude .pyc files from the computed digest in the jit
|
||||
stencils
|
||||
|
||||
---
|
||||
Tools/jit/_targets.py | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
Index: Python-3.13.7/Tools/jit/_targets.py
|
||||
===================================================================
|
||||
--- Python-3.13.7.orig/Tools/jit/_targets.py
|
||||
+++ Python-3.13.7/Tools/jit/_targets.py
|
||||
@@ -53,6 +53,9 @@ class _Target(typing.Generic[_S, _R]):
|
||||
hasher.update(PYTHON_EXECUTOR_CASES_C_H.read_bytes())
|
||||
hasher.update((out / "pyconfig.h").read_bytes())
|
||||
for dirpath, _, filenames in sorted(os.walk(TOOLS_JIT)):
|
||||
+ # Exclude cache files from digest computation to ensure reproducible builds.
|
||||
+ if dirpath.endswith("__pycache__"):
|
||||
+ continue
|
||||
for filename in filenames:
|
||||
hasher.update(pathlib.Path(dirpath, filename).read_bytes())
|
||||
return hasher.hexdigest()
|
||||
Index: Python-3.13.7/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ Python-3.13.7/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Ensure reproducible builds by making JIT stencil header generation deterministic.
|
||||
36
gh139257-Support-docutils-0.22.patch
Normal file
36
gh139257-Support-docutils-0.22.patch
Normal file
@@ -0,0 +1,36 @@
|
||||
From 19b61747df3d62c822285c488753d6fbdf91e3ac Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Garcia Moreno <daniel.garcia@suse.com>
|
||||
Date: Tue, 23 Sep 2025 10:20:16 +0200
|
||||
Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
|
||||
|
||||
---
|
||||
Doc/tools/extensions/pyspecific.py | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: Python-3.13.7/Doc/tools/extensions/pyspecific.py
|
||||
===================================================================
|
||||
--- Python-3.13.7.orig/Doc/tools/extensions/pyspecific.py
|
||||
+++ Python-3.13.7/Doc/tools/extensions/pyspecific.py
|
||||
@@ -25,11 +25,21 @@ from sphinx.util.docutils import SphinxD
|
||||
SOURCE_URI = 'https://github.com/python/cpython/tree/3.13/%s'
|
||||
|
||||
# monkey-patch reST parser to disable alphabetic and roman enumerated lists
|
||||
+def _disable_alphabetic_and_roman(text):
|
||||
+ try:
|
||||
+ # docutils >= 0.22
|
||||
+ from docutils.parsers.rst.states import InvalidRomanNumeralError
|
||||
+ raise InvalidRomanNumeralError(text)
|
||||
+ except ImportError:
|
||||
+ # docutils < 0.22
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
from docutils.parsers.rst.states import Body
|
||||
Body.enum.converters['loweralpha'] = \
|
||||
Body.enum.converters['upperalpha'] = \
|
||||
Body.enum.converters['lowerroman'] = \
|
||||
- Body.enum.converters['upperroman'] = lambda x: None
|
||||
+ Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
|
||||
|
||||
|
||||
class PyAwaitableMixin(object):
|
||||
@@ -1,16 +1,16 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<!-- Copyright 2017 Zbigniew Jędrzejewski-Szmek -->
|
||||
<application>
|
||||
<id type="desktop">idle3.desktop</id>
|
||||
<component type="desktop-application">
|
||||
<id>org.python.IDLE3</id>
|
||||
<launchable type="desktop-id">idle3.desktop</launchable>
|
||||
|
||||
<name>IDLE3</name>
|
||||
<metadata_licence>CC0</metadata_licence>
|
||||
<project_license>Python-2.0</project_license>
|
||||
<summary>Python 3 Integrated Development and Learning Environment</summary>
|
||||
|
||||
<description>
|
||||
<p>
|
||||
IDLE is Python’s Integrated Development and Learning Environment.
|
||||
The GUI is uniform between Windows, Unix, and Mac OS X.
|
||||
The GUI is uniform between Windows, Unix, and macOS.
|
||||
IDLE provides an easy way to start writing, running, and debugging
|
||||
Python code.
|
||||
</p>
|
||||
@@ -19,17 +19,33 @@
|
||||
It provides:
|
||||
</p>
|
||||
<ul>
|
||||
<li>a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,</li>
|
||||
<li>a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,</li>
|
||||
<li>search within any window, replace within editor windows, and search through multiple files (grep),</li>
|
||||
<li>a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.</li>
|
||||
<li>a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,</li>
|
||||
<li>a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,</li>
|
||||
<li>search within any window, replace within editor windows, and search through multiple files (grep),</li>
|
||||
<li>a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.</li>
|
||||
</ul>
|
||||
</description>
|
||||
|
||||
<developer id="org.python">
|
||||
<name>Python Software Foundation</name>
|
||||
</developer>
|
||||
|
||||
<url type="homepage">https://docs.python.org/3/library/idle.html</url>
|
||||
|
||||
<screenshots>
|
||||
<screenshot type="default">http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</screenshot>
|
||||
<screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</screenshot>
|
||||
<screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</screenshot>
|
||||
<screenshot type="default">
|
||||
<image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</image>
|
||||
</screenshot>
|
||||
<screenshot>
|
||||
<image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</image>
|
||||
</screenshot>
|
||||
<screenshot>
|
||||
<image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</image>
|
||||
</screenshot>
|
||||
</screenshots>
|
||||
|
||||
<project_license>Python-2.0</project_license>
|
||||
<metadata_license>CC0-1.0</metadata_license>
|
||||
<update_contact>zbyszek@in.waw.pl</update_contact>
|
||||
</application>
|
||||
</component>
|
||||
|
||||
|
||||
45
pass-test_write_read_limited_history.patch
Normal file
45
pass-test_write_read_limited_history.patch
Normal file
@@ -0,0 +1,45 @@
|
||||
---
|
||||
Modules/readline.c | 23 +++++++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
Index: Python-3.13.9/Modules/readline.c
|
||||
===================================================================
|
||||
--- Python-3.13.9.orig/Modules/readline.c 2025-10-14 15:52:31.000000000 +0200
|
||||
+++ Python-3.13.9/Modules/readline.c 2025-11-20 00:46:45.594286346 +0100
|
||||
@@ -175,6 +175,8 @@
|
||||
return PyUnicode_DecodeLocale(s, "surrogateescape");
|
||||
}
|
||||
|
||||
+static int _py_get_history_length(void);
|
||||
+static void _py_free_history_entry(HIST_ENTRY *entry);
|
||||
|
||||
/*
|
||||
Explicitly disable bracketed paste in the interactive interpreter, even if it's
|
||||
@@ -399,6 +401,27 @@
|
||||
/*[clinic end generated code: output=e161a53e45987dc7 input=b8901bf16488b760]*/
|
||||
{
|
||||
_history_length = length;
|
||||
+
|
||||
+ if (length < 0) {
|
||||
+ stifle_history(-1);
|
||||
+ }
|
||||
+ else {
|
||||
+ int current_length = _py_get_history_length();
|
||||
+ if (length < current_length) {
|
||||
+#if defined(RL_READLINE_VERSION) && RL_READLINE_VERSION >= 0x0500
|
||||
+ HISTORY_STATE *state = history_get_history_state();
|
||||
+ if (state) {
|
||||
+ int i;
|
||||
+ for (i = 0; i < current_length - length; i++) {
|
||||
+ _py_free_history_entry(remove_history(0));
|
||||
+ }
|
||||
+ state->length = length;
|
||||
+ free(state);
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+ stifle_history(length);
|
||||
+ }
|
||||
Py_RETURN_NONE;
|
||||
}
|
||||
|
||||
@@ -1,3 +1,487 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 19 19:21:41 UTC 2025 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
- Add pass-test_write_read_limited_history.patch:
|
||||
|
||||
Fix readline history truncation when length is reduced
|
||||
|
||||
The `readline.set_history_length()` function did not previously
|
||||
truncate the in-memory history when the new length was set to
|
||||
a value smaller than the current number of history items. This
|
||||
could lead to unexpected behavior where `get_history_length()`
|
||||
would still report the old length and writing the history to a
|
||||
file would write more entries than the new limit.
|
||||
|
||||
This patch modifies `set_history_length()` to explicitly
|
||||
remove the oldest history entries using `remove_history()`
|
||||
when the length is decreased, ensuring the in-memory history
|
||||
is correctly truncated to the new limit. This brings the
|
||||
function's behavior in line with expectations and fixes
|
||||
failures in `test_write_read_limited_history`.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
|
||||
quadratic complexity vulnerabilities of os.path.expandvars()
|
||||
(CVE-2025-6075, bsc#1252974).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 4 16:44:05 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Add CVE-2025-8291-consistency-zip64.patch which checks
|
||||
consistency of the zip64 end of central directory record, and
|
||||
preventing obfuscation of the payload, i.e., you scanning for
|
||||
malicious content in a ZIP file with one ZIP parser (let's say
|
||||
a Rust one) then unpack it in production with another (e.g.,
|
||||
the Python one) and get malicious content that the other parser
|
||||
did not see (CVE-2025-8291, bsc#1251305)
|
||||
- Readjust patches while synchronizing between openSUSE and SLE trees:
|
||||
- F00251-change-user-install-location.patch
|
||||
- doc-py38-to-py36.patch
|
||||
- gh126985-mv-pyvenv.cfg2getpath.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 15 09:15:38 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Update to 3.13.9:
|
||||
- Library
|
||||
- gh-139783: Fix inspect.getsourcelines() for the case when a
|
||||
decorator is followed by a comment or an empty line.
|
||||
- Update to 3.13.8:
|
||||
- macOS
|
||||
- gh-124111: Update macOS installer to use Tcl/Tk 8.6.17.
|
||||
- gh-139573: Updated bundled version of OpenSSL to 3.0.18.
|
||||
- Windows
|
||||
- gh-139573: Updated bundled version of OpenSSL to 3.0.18.
|
||||
- gh-138896: Fix error installing C runtime on non-updated Windows
|
||||
machines
|
||||
- Tools/Demos
|
||||
- gh-139330: SBOM generation tool didn’t cross-check the version
|
||||
and checksum values against the Modules/expat/refresh.sh script,
|
||||
leading to the values becoming out-of-date during routine
|
||||
updates.
|
||||
- gh-137873: The iOS test runner has been simplified, resolving
|
||||
some issues that have been observed using the runner in GitHub
|
||||
Actions and Azure Pipelines test environments.
|
||||
- Tests
|
||||
- gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
|
||||
--verbose option anymore. Patch by Victor Stinner.
|
||||
- Security
|
||||
- gh-139400: xml.parsers.expat: Make sure that parent Expat
|
||||
parsers are only garbage-collected once they are no longer
|
||||
referenced by subparsers created by
|
||||
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
|
||||
- gh-139283: sqlite3: correctly handle maximum number of rows to
|
||||
fetch in Cursor.fetchmany and reject negative values for
|
||||
Cursor.arraysize. Patch by Bénédikt Tran.
|
||||
- gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
|
||||
according to the HTML5 standard: ] ]> and ]] > no longer end the
|
||||
CDATA section. Add private method _set_support_cdata() which can
|
||||
be used to specify how to parse <[CDATA[ — as a CDATA section in
|
||||
foreign content (SVG or MathML) or as a bogus comment in the
|
||||
HTML namespace.
|
||||
- Library
|
||||
- gh-139312: Upgrade bundled libexpat to 2.7.3
|
||||
- gh-139289: Do a real lazy-import on rlcompleter in pdb and
|
||||
restore the existing completer after importing rlcompleter.
|
||||
- gh-139210: Fix use-after-free when reporting unknown event in
|
||||
xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
|
||||
- gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in
|
||||
subprocess.
|
||||
- gh-112729: Fix crash when calling _interpreters.create when the
|
||||
process is out of memory.
|
||||
- gh-139076: Fix a bug in the pydoc module that was hiding
|
||||
functions in a Python module if they were implemented in an
|
||||
extension module and the module did not have __all__.
|
||||
- gh-138998: Update bundled libexpat to 2.7.2
|
||||
- gh-130567: Fix possible crash in locale.strxfrm() due to a
|
||||
platform bug on macOS.
|
||||
- gh-138779: Support device numbers larger than 2**63-1 for the
|
||||
st_rdev field of the os.stat_result structure.
|
||||
- gh-128636: Fix crash in PyREPL when os.environ is overwritten
|
||||
with an invalid value for mac
|
||||
- gh-88375: Fix normalization of the robots.txt rules and URLs in
|
||||
the urllib.robotparser module. No longer ignore trailing ?.
|
||||
Distinguish raw special characters ?, = and & from the
|
||||
percent-encoded ones.
|
||||
- gh-138515: email is added to Emscripten build.
|
||||
- gh-111788: Fix parsing errors in the urllib.robotparser module.
|
||||
Don’t fail trying to parse weird paths. Don’t fail trying to
|
||||
decode non-UTF-8 robots.txt files.
|
||||
- gh-138432: zoneinfo.reset_tzpath() will now convert any
|
||||
os.PathLike objects it receives into strings before adding them
|
||||
to TZPATH. It will raise TypeError if anything other than a
|
||||
string is found after this conversion. If given an os.PathLike
|
||||
object that represents a relative path, it will now raise
|
||||
ValueError instead of TypeError, and present a more informative
|
||||
error message.
|
||||
- gh-138008: Fix segmentation faults in the ctypes module due to
|
||||
invalid argtypes. Patch by Dung Nguyen.
|
||||
- gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
|
||||
platforms).
|
||||
- gh-138204: Forbid expansion of shared anonymous memory maps on
|
||||
Linux, which caused a bus error.
|
||||
- gh-138010: Fix an issue where defining a class with a
|
||||
@warnings.deprecated-decorated base class may not invoke the
|
||||
correct __init_subclass__() method in cases involving multiple
|
||||
inheritance. Patch by Brian Schubert.
|
||||
- gh-138133: Prevent infinite traceback loop when sending CTRL^C
|
||||
to Python through strace.
|
||||
- gh-134869: Fix an issue where pressing Ctrl+C during tab
|
||||
completion in the REPL would leave the autocompletion menu in a
|
||||
corrupted state.
|
||||
- gh-137317: inspect.signature() now correctly handles classes
|
||||
that use a descriptor on a wrapped __init__() or __new__()
|
||||
method. Contributed by Yongyu Yan.
|
||||
- gh-137754: Fix import of the zoneinfo module if the C
|
||||
implementation of the datetime module is not available.
|
||||
- gh-137490: Handle ECANCELED in the same way as EINTR in
|
||||
signal.sigwaitinfo() on NetBSD.
|
||||
- gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and
|
||||
inspect.getsource() for generator expressions.
|
||||
- gh-137017: Fix threading.Thread.is_alive to remain True until
|
||||
the underlying OS thread is fully cleaned up. This avoids false
|
||||
negatives in edge cases involving thread monitoring or premature
|
||||
threading.Thread.is_alive calls.
|
||||
- gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
|
||||
instead of a ValueError if Python has been built without MD5
|
||||
support. In particular, SMTP clients will not attempt to use
|
||||
this method even if the remote server is assumed to support it.
|
||||
Patch by Bénédikt Tran.
|
||||
- gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if
|
||||
CRAM-MD5 authentication is not supported. Patch by Bénédikt
|
||||
Tran.
|
||||
- gh-135386: Fix opening a dbm.sqlite3 database for reading from
|
||||
read-only file or directory.
|
||||
- gh-126631: Fix multiprocessing forkserver bug which prevented
|
||||
__main__ from being preloaded.
|
||||
- gh-123085: In a bare call to importlib.resources.files(), ensure
|
||||
the caller’s frame is properly detected when importlib.resources
|
||||
is itself available as a compiled module only (no source).
|
||||
- gh-118981: Fix potential hang in
|
||||
multiprocessing.popen_spawn_posix that can happen when the child
|
||||
proc dies early by closing the child fds right away.
|
||||
- gh-78319: UTF8 support for the IMAP APPEND command has been made
|
||||
RFC compliant.
|
||||
- bpo-38735: Fix failure when importing a module from the root
|
||||
directory on unix-like platforms with sys.pycache_prefix set.
|
||||
- bpo-41839: Allow negative priority values from
|
||||
os.sched_get_priority_min() and os.sched_get_priority_max()
|
||||
functions.
|
||||
- Core and Builtins
|
||||
- gh-134466: Don’t run PyREPL in a degraded environment where
|
||||
setting termios attributes is not allowed.
|
||||
- gh-71810: Raise OverflowError for (-1).to_bytes() for signed
|
||||
conversions when bytes count is zero. Patch by Sergey B
|
||||
Kirpichev.
|
||||
- gh-105487: Remove non-existent __copy__(), __deepcopy__(), and
|
||||
__bases__ from the __dir__() entries of types.GenericAlias.
|
||||
- gh-134163: Fix a hang when the process is out of memory inside
|
||||
an exception handler.
|
||||
- gh-138479: Fix a crash when a generic object’s __typing_subst__
|
||||
returns an object that isn’t a tuple.
|
||||
- gh-137576: Fix for incorrect source code being shown in
|
||||
tracebacks from the Basic REPL when PYTHONSTARTUP is given.
|
||||
Patch by Adam Hartz.
|
||||
- gh-132744: Certain calls now check for runaway recursion and
|
||||
respect the system recursion limit.
|
||||
- C API
|
||||
- gh-87135: Attempting to acquire the GIL after runtime
|
||||
finalization has begun in a different thread now causes the
|
||||
thread to hang rather than terminate, which avoids potential
|
||||
crashes or memory corruption caused by attempting to terminate a
|
||||
thread that is running code not specifically designed to support
|
||||
termination. In most cases this hanging is harmless since the
|
||||
process will soon exit anyway.
|
||||
While not officially marked deprecated until 3.14,
|
||||
PyThread_exit_thread is no longer called internally and remains
|
||||
solely for interface compatibility. Its behavior is inconsistent
|
||||
across platforms, and it can only be used safely in the unlikely
|
||||
case that every function in the entire call stack has been
|
||||
designed to support the platform-dependent termination
|
||||
mechanism. It is recommended that users of this function change
|
||||
their design to not require thread termination. In the unlikely
|
||||
case that thread termination is needed and can be done safely,
|
||||
users may migrate to calling platform-specific APIs such as
|
||||
pthread_exit (POSIX) or _endthreadex (Windows) directly.
|
||||
- Build
|
||||
- gh-135734: Python can correctly be configured and built with
|
||||
./configure --enable-optimizations --disable-test-modules.
|
||||
Previously, the profile data generation step failed due to PGO
|
||||
tests where immortalization couldn’t be properly suppressed.
|
||||
Patch by Bénédikt Tran.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 29 06:52:07 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
|
||||
docutils (>=0.22) gh#python/cpython#139257
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 22 06:41:53 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Drop AppStream: this results in a different cycle than
|
||||
appstream-glib. As the appdata.xml is controlled by ourselves, we
|
||||
can get away with just manually validating it when changing it.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 18 08:15:31 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Require AppStream to validate appdata file instead of deprecated
|
||||
appstream-glib.
|
||||
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 9 10:11:58 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Add gh138131-exclude-pycache-from-digest.patch fixing reproducible
|
||||
build for python-nogil.
|
||||
(bsc#1244680, gh#python/cpython#138131)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 15 12:31:08 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Update to 3.13.7:
|
||||
- gh-137583: Fix a deadlock introduced in 3.13.6 when a call
|
||||
to ssl.SSLSocket.recv was blocked in one thread, and then
|
||||
another method on the object (such as ssl.SSLSocket.send) was
|
||||
subsequently called in another thread.
|
||||
- gh-137044: Return large limit values as positive integers
|
||||
instead of negative integers in resource.getrlimit().
|
||||
Accept large values and reject negative values (except
|
||||
RLIM_INFINITY) for limits in resource.setrlimit().
|
||||
- gh-136914: Fix retrieval of doctest.DocTest.lineno
|
||||
for objects decorated with functools.cache() or
|
||||
functools.cached_property.
|
||||
- gh-131788: Make ResourceTracker.send from multiprocessing
|
||||
re-entrant safe
|
||||
- gh-136155: We are now checking for fatal errors in EPUB
|
||||
builds in CI.
|
||||
- gh-137400: Fix a crash in the free threading build when
|
||||
disabling profiling or tracing across all threads with
|
||||
PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
|
||||
or their Python equivalents threading.settrace_all_threads()
|
||||
and threading.setprofile_all_threads().
|
||||
- Remove upstreamed patch:
|
||||
- gh137583-only-lock-SSL-context.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 12 09:16:40 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Add gh137583-only-lock-SSL-context.patch fixing the
|
||||
regression in 3.13.6 by breaking non-blocking TLS connections
|
||||
(gh#python/cpython#137583).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 7 10:08:11 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Update to 3.13.6:
|
||||
- Security
|
||||
- gh-135661: Fix parsing start and end tags in
|
||||
html.parser.HTMLParser according to the HTML5 standard.
|
||||
- Whitespaces no longer accepted between </ and the tag
|
||||
name. E.g. </ script> does not end the script section.
|
||||
- Vertical tabulation (\v) and non-ASCII whitespaces no
|
||||
longer recognized as whitespaces. The only whitespaces
|
||||
are \t\n\r\f and space.
|
||||
- Null character (U+0000) no longer ends the tag name.
|
||||
- Attributes and slashes after the tag name in end tags
|
||||
are now ignored, instead of terminating after the first
|
||||
> in quoted attribute value. E.g. </script/foo=">"/>.
|
||||
- Multiple slashes and whitespaces between the last
|
||||
attribute and closing > are now ignored in both start
|
||||
and end tags. E.g. <a foo=bar/ //>.
|
||||
- Multiple = between attribute name and value are no
|
||||
longer collapsed. E.g. <a foo==bar> produces attribute
|
||||
“foo” with value “=bar”.
|
||||
- gh-102555: Fix comment parsing in html.parser.HTMLParser
|
||||
according to the HTML5 standard. --!> now ends the comment.
|
||||
-- > no longer ends the comment. Support abnormally ended
|
||||
empty comments <--> and <--->.
|
||||
- gh-135462: Fix quadratic complexity in processing specially
|
||||
crafted input in html.parser.HTMLParser. End-of-file errors
|
||||
are now handled according to the HTML5 specs – comments and
|
||||
declarations are automatically closed, tags are ignored
|
||||
(CVE-2025-6069, bsc#1244705).
|
||||
- gh-118350: Fix support of escapable raw text mode (elements
|
||||
“textarea” and “title”) in html.parser.HTMLParser.
|
||||
- Core and Builtins
|
||||
- gh-58124: Fix name of the Python encoding in Unicode errors
|
||||
of the code page codec: use “cp65000” and “cp65001” instead
|
||||
of “CP_UTF7” and “CP_UTF8” which are not valid Python code
|
||||
names. Patch by Victor Stinner.
|
||||
- gh-137314: Fixed a regression where raw f-strings
|
||||
incorrectly interpreted escape sequences in format
|
||||
specifications. Raw f-strings now properly preserve literal
|
||||
backslashes in format specs, matching the behavior from
|
||||
Python 3.11. For example, rf"{obj:\xFF}" now correctly
|
||||
produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
|
||||
- gh-136541: Fix some issues with the perf trampolines
|
||||
on x86-64 and aarch64. The trampolines were not being
|
||||
generated correctly for some cases, which could lead to
|
||||
the perf integration not working correctly. Patch by Pablo
|
||||
Galindo.
|
||||
- gh-109700: Fix memory error handling in
|
||||
PyDict_SetDefault().
|
||||
- gh-78465: Fix error message for cls.__new__(cls, ...) where
|
||||
cls is not instantiable builtin or extension type (with
|
||||
tp_new set to NULL).
|
||||
- gh-135871: Non-blocking mutex lock attempts now return
|
||||
immediately when the lock is busy instead of briefly
|
||||
spinning in the free threading build.
|
||||
- gh-135607: Fix potential weakref races in an object’s
|
||||
destructor on the free threaded build.
|
||||
- gh-135496: Fix typo in the f-string conversion type error
|
||||
(“exclamanation” -> “exclamation”).
|
||||
- gh-130077: Properly raise custom syntax errors when
|
||||
incorrect syntax containing names that are prefixes of soft
|
||||
keywords is encountered. Patch by Pablo Galindo.
|
||||
- gh-135148: Fixed a bug where f-string debug expressions
|
||||
(using =) would incorrectly strip out parts of strings
|
||||
containing escaped quotes and # characters. Patch by Pablo
|
||||
Galindo.
|
||||
- gh-133136: Limit excess memory usage in the free threading
|
||||
build when a large dictionary or list is resized and
|
||||
accessed by multiple threads.
|
||||
- gh-132617: Fix dict.update() modification check that could
|
||||
incorrectly raise a “dict mutated during update” error when
|
||||
a different dictionary was modified that happens to share
|
||||
the same underlying keys object.
|
||||
- gh-91153: Fix a crash when a bytearray is concurrently
|
||||
mutated during item assignment.
|
||||
- gh-127971: Fix off-by-one read beyond the end of a string
|
||||
in string search.
|
||||
- gh-125723: Fix crash with gi_frame.f_locals when generator
|
||||
frames outlive their generator. Patch by Mikhail Efimov.
|
||||
- Library
|
||||
- gh-132710: If possible, ensure that uuid.getnode()
|
||||
returns the same result even across different processes.
|
||||
Previously, the result was constant only within the same
|
||||
process. Patch by Bénédikt Tran.
|
||||
- gh-137273: Fix debug assertion failure in
|
||||
locale.setlocale() on Windows.
|
||||
- gh-137257: Bump the version of pip bundled in ensurepip to
|
||||
version 25.2
|
||||
- gh-81325: tarfile.TarFile now accepts a path-like when
|
||||
working on a tar archive. (Contributed by Alexander Enrique
|
||||
Urieles Nieto in gh-81325.)
|
||||
- gh-130522: Fix unraisable TypeError raised during
|
||||
interpreter shutdown in the threading module.
|
||||
- gh-130577: tarfile now validates archives to ensure member
|
||||
offsets are non-negative. (Contributed by Alexander Enrique
|
||||
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
|
||||
- gh-136549: Fix signature of threading.excepthook().
|
||||
- gh-136523: Fix wave.Wave_write emitting an unraisable when
|
||||
open raises.
|
||||
- gh-52876: Add missing keepends (default True)
|
||||
parameter to codecs.StreamReaderWriter.readline() and
|
||||
codecs.StreamReaderWriter.readlines().
|
||||
- gh-85702: If zoneinfo._common.load_tzdata is given a
|
||||
package without a resource a zoneinfo.ZoneInfoNotFoundError
|
||||
is raised rather than a PermissionError. Patch by Victor
|
||||
Stinner.
|
||||
- gh-134759: Fix UnboundLocalError in
|
||||
email.message.Message.get_payload() when the payload to
|
||||
decode is a bytes object. Patch by Kliment Lamonov.
|
||||
- gh-136028: Fix parsing month names containing “İ” (U+0130,
|
||||
LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().
|
||||
This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
|
||||
- gh-135995: In the palmos encoding, make byte 0x9b decode to
|
||||
› (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
|
||||
- gh-53203: Fix time.strptime() for %c and %x formats on
|
||||
locales byn_ER, wal_ET and lzh_TW, and for %X format on
|
||||
locales ar_SA, bg_BG and lzh_TW.
|
||||
- gh-91555: An earlier change, which was introduced in
|
||||
3.13.4, has been reverted. It disabled logging for a logger
|
||||
during handling of log messages for that logger. Since the
|
||||
reversion, the behaviour should be as it was before 3.13.4.
|
||||
- gh-135878: Fixes a crash of types.SimpleNamespace on free
|
||||
threading builds, when several threads were calling its
|
||||
__repr__() method at the same time.
|
||||
- gh-135836: Fix IndexError in
|
||||
asyncio.loop.create_connection() that could occur when
|
||||
non-OSError exception is raised during connection and
|
||||
socket’s close() raises OSError.
|
||||
- gh-135836: Fix IndexError in
|
||||
asyncio.loop.create_connection() that could occur when the
|
||||
Happy Eyeballs algorithm resulted in an empty exceptions
|
||||
list during connection attempts.
|
||||
- gh-135855: Raise TypeError instead of SystemError when
|
||||
_interpreters.set___main___attrs() is passed a non-dict
|
||||
object. Patch by Brian Schubert.
|
||||
- gh-135815: netrc: skip security checks if os.getuid() is
|
||||
missing. Patch by Bénédikt Tran.
|
||||
- gh-135640: Address bug where it was possible to call
|
||||
xml.etree.ElementTree.ElementTree.write() on an ElementTree
|
||||
object with an invalid root element. This behavior blanked
|
||||
the file passed to write if it already existed.
|
||||
- gh-135444: Fix asyncio.DatagramTransport.sendto() to
|
||||
account for datagram header size when data cannot be sent.
|
||||
- gh-135497: Fix os.getlogin() failing for longer usernames
|
||||
on BSD-based platforms.
|
||||
- gh-135487: Fix reprlib.Repr.repr_int() when given integers
|
||||
with more than sys.get_int_max_str_digits() digits. Patch
|
||||
by Bénédikt Tran.
|
||||
- gh-135335: multiprocessing: Flush stdout and stderr after
|
||||
preloading modules in the forkserver.
|
||||
- gh-135244: uuid: when the MAC address cannot be
|
||||
determined, the 48-bit node ID is now generated with a
|
||||
cryptographically-secure pseudo-random number generator
|
||||
(CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
|
||||
- gh-135069: Fix the “Invalid error handling” exception in
|
||||
encodings.idna.IncrementalDecoder to correctly replace the
|
||||
‘errors’ parameter.
|
||||
- gh-134698: Fix a crash when calling methods of
|
||||
ssl.SSLContext or ssl.SSLSocket across multiple threads.
|
||||
- gh-132124: On POSIX-compliant systems,
|
||||
multiprocessing.util.get_temp_dir() now ignores TMPDIR
|
||||
(and similar environment variables) if the path length of
|
||||
AF_UNIX socket files exceeds the platform-specific maximum
|
||||
length when using the forkserver start method. Patch by
|
||||
Bénédikt Tran.
|
||||
- gh-133439: Fix dot commands with trailing spaces are
|
||||
mistaken for multi-line SQL statements in the sqlite3
|
||||
command-line interface.
|
||||
- gh-132969: Prevent the ProcessPoolExecutor executor thread,
|
||||
which remains running when shutdown(wait=False), from
|
||||
attempting to adjust the pool’s worker processes after
|
||||
the object state has already been reset during shutdown.
|
||||
A combination of conditions, including a worker process
|
||||
having terminated abormally, resulted in an exception and
|
||||
a potential hang when the still-running executor thread
|
||||
attempted to replace dead workers within the pool.
|
||||
- gh-130664: Support the '_' digit separator in formatting
|
||||
of the integral part of Decimal’s. Patch by Sergey B
|
||||
Kirpichev.
|
||||
- gh-85702: If zoneinfo._common.load_tzdata is given a
|
||||
package without a resource a ZoneInfoNotFoundError is
|
||||
raised rather than a IsADirectoryError.
|
||||
- gh-130664: Handle corner-case for Fraction’s formatting:
|
||||
treat zero-padding (preceding the width field by a zero
|
||||
('0') character) as an equivalent to a fill character of
|
||||
'0' with an alignment type of '=', just as in case of
|
||||
float’s.
|
||||
- Tools/Demos
|
||||
- gh-135968: Stubs for strip are now provided as part of an
|
||||
iOS install.
|
||||
- Tests
|
||||
- gh-135966: The iOS testbed now handles the app_packages
|
||||
folder as a site directory.
|
||||
- gh-135494: Fix regrtest to support excluding tests from
|
||||
--pgo tests. Patch by Victor Stinner.
|
||||
- gh-135489: Show verbose output for failing tests during PGO
|
||||
profiling step with –enable-optimizations.
|
||||
- Documentation
|
||||
- gh-135171: Document that the iterator for the leftmost for
|
||||
clause in the generator expression is created immediately.
|
||||
- Build
|
||||
- gh-135497: Fix the detection of MAXLOGNAME in the
|
||||
configure.ac script.
|
||||
- Remove upstreamed patches:
|
||||
- CVE-2025-8194-tarfile-no-neg-offsets.patch
|
||||
- CVE-2025-6069-quad-complex-HTMLParser.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package python313
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC and contributors
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -167,7 +167,7 @@
|
||||
# _md5.cpython-38m-x86_64-linux-gnu.so
|
||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||
Name: %{python_pkg_name}%{psuffix}
|
||||
Version: 3.13.5
|
||||
Version: 3.13.9
|
||||
%define tarversion %{version}
|
||||
%define tarname Python-%{tarversion}
|
||||
Release: 0
|
||||
@@ -231,12 +231,19 @@ Patch42: gh126985-mv-pyvenv.cfg2getpath.patch
|
||||
# PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com
|
||||
# Doc: Generate ids for audit_events using docname
|
||||
Patch43: bsc1243155-sphinx-non-determinism.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-6069-quad-complex-HTMLParser.patch bsc#1244705 mcepl@suse.com
|
||||
# avoid quadratic complexity when processing malformed inputs with HTMLParser
|
||||
Patch44: CVE-2025-6069-quad-complex-HTMLParser.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-8194-tarfile-no-neg-offsets.patch bsc#1247249 mcepl@suse.com
|
||||
# tarfile now validates archives to ensure member offsets are non-negative
|
||||
Patch45: CVE-2025-8194-tarfile-no-neg-offsets.patch
|
||||
# PATCH-FIX-UPSTREAM gh138131-exclude-pycache-from-digest.patch bsc#1244680 daniel.garcia@suse.com
|
||||
Patch44: gh138131-exclude-pycache-from-digest.patch
|
||||
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
|
||||
Patch45: gh139257-Support-docutils-0.22.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
|
||||
# Check consistency of the zip64 end of central directory record
|
||||
Patch46: CVE-2025-8291-consistency-zip64.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
|
||||
# Avoid potential quadratic complexity vulnerabilities in path modules
|
||||
Patch47: CVE-2025-6075-expandvars-perf-degrad.patch
|
||||
# PATCH-FIX-UPSTREAM pass-test_write_read_limited_history.patch bsc#[0-9]+ mcepl@suse.com
|
||||
# Fix readline history truncation when length is reduced
|
||||
Patch48: pass-test_write_read_limited_history.patch
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: fdupes
|
||||
@@ -291,8 +298,6 @@ ExcludeArch: aarch64
|
||||
%endif
|
||||
|
||||
%if %{with general}
|
||||
# required for idle3 (.desktop and .appdata.xml files)
|
||||
BuildRequires: appstream-glib
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gdbm-devel
|
||||
BuildRequires: gettext
|
||||
@@ -558,9 +563,6 @@ rm Lib/site-packages/README.txt
|
||||
# Add vendored bluez-devel files
|
||||
tar xvf %{SOURCE21}
|
||||
|
||||
# Don't fail on warnings when building documentation
|
||||
# sed -i -e '/^SPHINXERRORHANDLING/s/-W//' Doc/Makefile
|
||||
|
||||
%build
|
||||
export SUSE_VERSION="0%{?suse_version}"
|
||||
export SLE_VERSION="0%{?sle_version}"
|
||||
@@ -784,7 +786,6 @@ install -m 644 -D -t %{buildroot}%{_datadir}/applications idle%{python_abi}.desk
|
||||
cp %{SOURCE20} idle%{python_abi}.appdata.xml
|
||||
sed -i -e 's:idle3.desktop:idle%{python_abi}.desktop:g' idle%{python_abi}.appdata.xml
|
||||
install -m 644 -D -t %{buildroot}%{_datadir}/metainfo idle%{python_abi}.appdata.xml
|
||||
appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/idle%{python_abi}.appdata.xml
|
||||
|
||||
%fdupes %{buildroot}/%{_libdir}/python%{python_abi}
|
||||
%endif
|
||||
|
||||
Reference in New Issue
Block a user