diff --git a/CVE-2025-8194-tarfile-no-neg-offsets.patch b/CVE-2025-8194-tarfile-no-neg-offsets.patch
deleted file mode 100644
index d6ff6cd..0000000
--- a/CVE-2025-8194-tarfile-no-neg-offsets.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-From 28d130238bfb5604eef4b594d597f7b5ec951eba Mon Sep 17 00:00:00 2001
-From: Alexander Urieles
-Date: Mon, 28 Jul 2025 17:37:26 +0200
-Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member
- offsets are non-negative (GH-137027) (cherry picked from commit
- 7040aa54f14676938970e10c5f74ea93cd56aa38)
-
-Co-authored-by: Alexander Urieles
-Co-authored-by: Gregory P. Smith
----
- Lib/tarfile.py | 3
- Lib/test/test_tarfile.py | 156 ++++++++++
- Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3
- 3 files changed, 162 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-
-Index: Python-3.14.0rc1/Lib/tarfile.py
-===================================================================
---- Python-3.14.0rc1.orig/Lib/tarfile.py 2025-08-01 22:10:15.833118580 +0200
-+++ Python-3.14.0rc1/Lib/tarfile.py 2025-08-01 22:10:21.970557323 +0200
-@@ -1647,6 +1647,9 @@
- """Round up a byte count by BLOCKSIZE and return it,
- e.g. _block(834) => 1024.
- """
-+ # Only non-negative offsets are allowed
-+ if count < 0:
-+ raise InvalidHeaderError("invalid offset")
- blocks, remainder = divmod(count, BLOCKSIZE)
- if remainder:
- blocks += 1
-Index: Python-3.14.0rc1/Lib/test/test_tarfile.py
-===================================================================
---- Python-3.14.0rc1.orig/Lib/test/test_tarfile.py 2025-08-01 22:10:17.621793551 +0200
-+++ Python-3.14.0rc1/Lib/test/test_tarfile.py 2025-08-01 22:10:21.971238980 +0200
-@@ -55,6 +55,7 @@
- zstname = os.path.join(TEMPDIR, "testtar.tar.zst")
- tmpname = os.path.join(TEMPDIR, "tmp.tar")
- dotlessname = os.path.join(TEMPDIR, "testtar")
-+SPACE = b" "
-
- sha256_regtype = (
- "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
-@@ -4602,6 +4603,161 @@
- ar.extractall(self.testdir, filter='fully_trusted')
-
-
-+class OffsetValidationTests(unittest.TestCase):
-+ tarname = tmpname
-+ invalid_posix_header = (
-+ # name: 100 bytes
-+ tarfile.NUL * tarfile.LENGTH_NAME
-+ # mode, space, null terminator: 8 bytes
-+ + b"000755" + SPACE + tarfile.NUL
-+ # uid, space, null terminator: 8 bytes
-+ + b"000001" + SPACE + tarfile.NUL
-+ # gid, space, null terminator: 8 bytes
-+ + b"000001" + SPACE + tarfile.NUL
-+ # size, space: 12 bytes
-+ + b"\xff" * 11 + SPACE
-+ # mtime, space: 12 bytes
-+ + tarfile.NUL * 11 + SPACE
-+ # chksum: 8 bytes
-+ + b"0011407" + tarfile.NUL
-+ # type: 1 byte
-+ + tarfile.REGTYPE
-+ # linkname: 100 bytes
-+ + tarfile.NUL * tarfile.LENGTH_LINK
-+ # magic: 6 bytes, version: 2 bytes
-+ + tarfile.POSIX_MAGIC
-+ # uname: 32 bytes
-+ + tarfile.NUL * 32
-+ # gname: 32 bytes
-+ + tarfile.NUL * 32
-+ # devmajor, space, null terminator: 8 bytes
-+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
-+ # devminor, space, null terminator: 8 bytes
-+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
-+ # prefix: 155 bytes
-+ + tarfile.NUL * tarfile.LENGTH_PREFIX
-+ # padding: 12 bytes
-+ + tarfile.NUL * 12
-+ )
-+ invalid_gnu_header = (
-+ # name: 100 bytes
-+ tarfile.NUL * tarfile.LENGTH_NAME
-+ # mode, null terminator: 8 bytes
-+ + b"0000755" + tarfile.NUL
-+ # uid, null terminator: 8 bytes
-+ + b"0000001" + tarfile.NUL
-+ # gid, space, null terminator: 8 bytes
-+ + b"0000001" + tarfile.NUL
-+ # size, space: 12 bytes
-+ + b"\xff" * 11 + SPACE
-+ # mtime, space: 12 bytes
-+ + tarfile.NUL * 11 + SPACE
-+ # chksum: 8 bytes
-+ + b"0011327" + tarfile.NUL
-+ # type: 1 byte
-+ + tarfile.REGTYPE
-+ # linkname: 100 bytes
-+ + tarfile.NUL * tarfile.LENGTH_LINK
-+ # magic: 8 bytes
-+ + tarfile.GNU_MAGIC
-+ # uname: 32 bytes
-+ + tarfile.NUL * 32
-+ # gname: 32 bytes
-+ + tarfile.NUL * 32
-+ # devmajor, null terminator: 8 bytes
-+ + tarfile.NUL * 8
-+ # devminor, null terminator: 8 bytes
-+ + tarfile.NUL * 8
-+ # padding: 167 bytes
-+ + tarfile.NUL * 167
-+ )
-+ invalid_v7_header = (
-+ # name: 100 bytes
-+ tarfile.NUL * tarfile.LENGTH_NAME
-+ # mode, space, null terminator: 8 bytes
-+ + b"000755" + SPACE + tarfile.NUL
-+ # uid, space, null terminator: 8 bytes
-+ + b"000001" + SPACE + tarfile.NUL
-+ # gid, space, null terminator: 8 bytes
-+ + b"000001" + SPACE + tarfile.NUL
-+ # size, space: 12 bytes
-+ + b"\xff" * 11 + SPACE
-+ # mtime, space: 12 bytes
-+ + tarfile.NUL * 11 + SPACE
-+ # chksum: 8 bytes
-+ + b"0010070" + tarfile.NUL
-+ # type: 1 byte
-+ + tarfile.REGTYPE
-+ # linkname: 100 bytes
-+ + tarfile.NUL * tarfile.LENGTH_LINK
-+ # padding: 255 bytes
-+ + tarfile.NUL * 255
-+ )
-+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
-+ data_block = b"\xff" * tarfile.BLOCKSIZE
-+
-+ def _write_buffer(self, buffer):
-+ with open(self.tarname, "wb") as f:
-+ f.write(buffer)
-+
-+ def _get_members(self, ignore_zeros=None):
-+ with open(self.tarname, "rb") as f:
-+ with tarfile.open(
-+ mode="r", fileobj=f, ignore_zeros=ignore_zeros
-+ ) as tar:
-+ return tar.getmembers()
-+
-+ def _assert_raises_read_error_exception(self):
-+ with self.assertRaisesRegex(
-+ tarfile.ReadError, "file could not be opened successfully"
-+ ):
-+ self._get_members()
-+
-+ def test_invalid_offset_header_validations(self):
-+ for tar_format, invalid_header in (
-+ ("posix", self.invalid_posix_header),
-+ ("gnu", self.invalid_gnu_header),
-+ ("v7", self.invalid_v7_header),
-+ ):
-+ with self.subTest(format=tar_format):
-+ self._write_buffer(invalid_header)
-+ self._assert_raises_read_error_exception()
-+
-+ def test_early_stop_at_invalid_offset_header(self):
-+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
-+ self._write_buffer(buffer)
-+ members = self._get_members()
-+ self.assertEqual(len(members), 1)
-+ self.assertEqual(members[0].name, "filename")
-+ self.assertEqual(members[0].offset, 0)
-+
-+ def test_ignore_invalid_archive(self):
-+ # 3 invalid headers with their respective data
-+ buffer = (self.invalid_gnu_header + self.data_block) * 3
-+ self._write_buffer(buffer)
-+ members = self._get_members(ignore_zeros=True)
-+ self.assertEqual(len(members), 0)
-+
-+ def test_ignore_invalid_offset_headers(self):
-+ for first_block, second_block, expected_offset in (
-+ (
-+ (self.valid_gnu_header),
-+ (self.invalid_gnu_header + self.data_block),
-+ 0,
-+ ),
-+ (
-+ (self.invalid_gnu_header + self.data_block),
-+ (self.valid_gnu_header),
-+ 1024,
-+ ),
-+ ):
-+ self._write_buffer(first_block + second_block)
-+ members = self._get_members(ignore_zeros=True)
-+ self.assertEqual(len(members), 1)
-+ self.assertEqual(members[0].name, "filename")
-+ self.assertEqual(members[0].offset, expected_offset)
-+
-+
- def setUpModule():
- os_helper.unlink(TEMPDIR)
- os.makedirs(TEMPDIR)
-Index: Python-3.14.0rc1/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.14.0rc1/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-01 22:10:21.971763003 +0200
-@@ -0,0 +1,3 @@
-+:mod:`tarfile` now validates archives to ensure member offsets are
-+non-negative. (Contributed by Alexander Enrique Urieles Nieto in
-+:gh:`130577`.)
diff --git a/Python-3.14.0rc1.tar.xz b/Python-3.14.0rc1.tar.xz
deleted file mode 100644
index 79d6716..0000000
--- a/Python-3.14.0rc1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8707780ae9f19c5bf5b9f27827181ba11cdad7bb292ea49cad5424331e40ee8b
-size 23661916
diff --git a/Python-3.14.0rc1.tar.xz.sigstore b/Python-3.14.0rc1.tar.xz.sigstore
deleted file mode 100644
index a018dee..0000000
--- a/Python-3.14.0rc1.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "302609759", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1753210682", "inclusionPromise": {"signedEntryTimestamp": "MEQCIDm0AZXn9C5yMWTEaBUVvO8Y6Xk/YBTtB+OPrl2fzdZrAiBYCmISH8sx8G5+HkYoGzgqZQRHSsbJBowWzZgvr//yVQ=="}, "inclusionProof": {"logIndex": "180705497", "rootHash": "EvMBuCgM4SESVaa95s8M/1bCdGKsWUzG4TsyMWZBtZc=", "treeSize": "180705504", "hashes": ["usmhE+uQ6Xgu9KJntJljw1FnnK3kRsexzQ+P7NIj2o0=", "c/qDV+bvaEgbBXtU1oUBbhLLdWedEud3CxhgsAt0cpc=", "PIkWaNlCl7teBondUwN7+xzWSmlX7EKC1viOefX0WQg=", "k46hbMh2nnDRaBUo81gBlFOScHPrTEXM0eYO4wd4We0=", "JltBeOV/z1XKpcvkfKsKEzifRaavT9DioO8vhkBHaNo=", "tkZqbm7tJo5HXychVpFLhR6H8FUaGhs4n7y2oKw2AnE=", "6/DlAJpt7oJU7PDKiNosXtLiJcLT2bIxagp/GbXbIX0=", "mPlI7tl4EiMHvUqKga7G9mEAMnAtCSKpD4hSbKSkBmw=", "TYFYy4quP+zFCLjdVj6xMsYgFjihtGK9XPdJ+YEX/m0=", "3m7vEGcH91GfZrtO8pTLAsvbxCChxcYUpM3zcC4aTBY=", "eXthxH/NJrHSD0Ii37odpnwTNQPBumMo1q0nK6TxImk=", "iogV552ADppSjZcABXSLxhclXNJzQsAWcMc9y/Vs9vk=", "aiJG7xq94AFTfW/qXktvWGzxHfWHz+XR/VuefwZbciE=", "iR2mIeu/7jQ4TXDRGbULJSgzFAWIyMmQiPrz7EjqFcg=", "HouMZeE2XjlPmxVnP7fw6rUjyw+RRQ8qbLEEKlq2uOA=", "wLANT0NMxIRh/p5rRcam4MppSIbUXIfT1Ht9FQA2XnI="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n180705504\nEvMBuCgM4SESVaa95s8M/1bCdGKsWUzG4TsyMWZBtZc=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiAWXPgGSmMzZbxdHMffj0TSXmYgLMNM1ZtScQ0gtUg/9AIhALFQzvFSpPF4P+n6FCCaeXeUqpJMUuDJ6egOmMLnEKKV\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "hwd4CunxnFv1ufJ4JxgboRza17spLqScrVQkMx5A7os="}, "signature": 
"MEYCIQDHwqjXFrPiiHC9vJ2qyO4HrFaXYAvYH+KpZf7aFo19UAIhAIw5g2QcZ2kXVwk37q3tG4WSjFLuO1uk/St8cb/h2u2U"}}
diff --git a/Python-3.14.0rc2.tar.xz b/Python-3.14.0rc2.tar.xz
new file mode 100644
index 0000000..bdef8ce
--- /dev/null
+++ b/Python-3.14.0rc2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc62854cf232345bd22c9091a68464e01e056c6473a3fffa84572c8a342da656
+size 23566140
diff --git a/Python-3.14.0rc2.tar.xz.sigstore b/Python-3.14.0rc2.tar.xz.sigstore
new file mode 100644
index 0000000..f82b630
--- /dev/null
+++ b/Python-3.14.0rc2.tar.xz.sigstore
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "394682202", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1755188030", "inclusionPromise": {"signedEntryTimestamp": "MEUCIAavOG9MuKTYRE4q0Fns77HsUjPrRZ1bISheGxlDgbNZAiEA89315EfGt+C+C5GkBDLYMSr6bXkxXzT9PWgE56yVYYk="}, "inclusionProof": {"logIndex": "272777940", "rootHash": "94fZD9GTMc7ctVFYACd2ZmRetfuK9mpq5+VMWJJwmak=", "treeSize": "272777950", "hashes": ["izf5arJPLLyctcMaEwaxxYH8VGWnw9xsgWX3S2WpEV0=", "jARpwTi7gTCzrOOaEjEoCS/kS2bSHKmaNlWm6yut4Yo=", "6sOUCbaiDMXdWNdb4hzsJHyMl1sT3ib1ZC9ztLiug34=", "PNNoFA8l82Dr10vRBqmpGmJ4NBff8yyEzZceO2roeMA=", "xDogK8v4jzKZw6K+weJL+I415z4YGKlaNYbpu4pIHJw=", "RhKVrhK6HuUb1JRqZW25xWciggk7FUc5UKgfyA1w2cI=", "diHzb0EkmL9xXR57YrJSHiTf0lPiHRm1YiCBvr6u+Yk=", "VFCarORkpugC03FeEE1qleQGuDOGuNw1cHLdsQRQNOc=", "SQrQA1o0sqMm1AvDow2P8FTn8h2ANcuz3QfFE1PJuk0=", "TlYW0zjr+tiOJcOsfXER0SPRMMqX0hniotB3gsI+t5o=", "W+k28CiT95aBszrjZFbfyGpEsCOH+n3gc9sBqBw5vqs=", "vS7O4ozHIQZJWBiov+mkpI27GE8zAmVCEkRcP3NDyNE="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n272777950\n94fZD9GTMc7ctVFYACd2ZmRetfuK9mpq5+VMWJJwmak=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiAPQipm3l7c4F/4rKjw7KOGX//0IM93z657ckzFBHd5TgIgJQscKWLcVlFhrZO7/8E8ywgLhOeDZeu0ltQlEaFFv8g=\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "vGKFTPIyNFvSLJCRpoRk4B4FbGRzo//6hFcsijQtplY="}, "signature": "MEQCIBX/Ghp8n9MHMLwBsyNGdReL061FTR3op6fhWMl6at7/AiADmXKZYpE46jRMT12cbOvq5GpFA/45O8z1EvT4b+xFFQ=="}} diff --git a/python314.changes b/python314.changes index cd51b04..8177f2e 100644 --- a/python314.changes +++ b/python314.changes 
@@ -1,3 +1,72 @@
+-------------------------------------------------------------------
+Fri Aug 15 14:12:35 UTC 2025 - Matej Cepl
+
+- Update to 3.14.0~rc2:
+ - Library
+ - gh-137426: Remove the code deprecation of
+ importlib.abc.ResourceLoader. It is documented as
+ deprecated, but left for backwards compatibility with other
+ classes in importlib.abc.
+ - gh-137282: Fix tab completion and dir() on
+ concurrent.futures.
+ - gh-137257: Bump the version of pip bundled in ensurepip to
+ version 25.2
+ - gh-137226: Fix behavior of
+ annotationlib.ForwardRef.evaluate() when the type_params
+ parameter is passed and the name of a type param is also
+ present in an enclosing scope.
+ - gh-130522: Fix unraisable TypeError raised during
+ interpreter shutdown in the threading module.
+ - gh-137059: Fix handling of file URLs with a
+ Windows drive letter in the URL authority by
+ urllib.request.url2pathname(). This fixes a regression in
+ earlier pre-releases of Python 3.14.
+ - gh-130577: tarfile now validates archives to ensure member
+ offsets are non-negative. (Contributed by Alexander Enrique
+ Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
+ - gh-135228: When dataclasses replaces a class with a slotted
+ dataclass, the original class can now be garbage collected
+ again. Earlier changes in Python 3.14 caused this class to
+ always remain in existence together with the replacement
+ class synthesized by dataclasses.
+ - Documentation
+ - gh-136155: We are now checking for fatal errors in EPUB
+ builds in CI.
+ - Core and Builtins
+ - gh-137400: Fix a crash in the free threading
+ build when disabling profiling or tracing across
+ all threads with PyEval_SetProfileAllThreads()
+ or PyEval_SetTraceAllThreads() or their Python
+ equivalents threading.settrace_all_threads() and
+ threading.setprofile_all_threads().
+ - gh-137314: Fixed a regression where raw f-strings
+ incorrectly interpreted escape sequences in format
+ specifications. Raw f-strings now properly preserve literal
+ backslashes in format specs, matching the behavior from
+ Python 3.11. For example, rf"{obj:\xFF}" now correctly
+ produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
+ - gh-137308: A standalone docstring in a node body is
+ optimized as a pass statement to ensure that the node’s
+ body is never empty. There was a ValueError in compile()
+ otherwise.
+ - gh-137288: Fix bug where some bytecode instructions of a
+ boolean expression are not associated with the correct
+ exception handler.
+ - gh-134291: Remove some newer macOS API usage from the JIT
+ compiler in order to restore compatibility with older OSX
+ 10.15 deployment targets.
+ - gh-131338: Disable computed stack limit checks on non-glibc
+ linux platforms to fix crashes on deep recursion.
+ - gh-136870: Fix data races while de-instrumenting bytecode
+ of code objects running concurrently in threads.
+ - C API
+ - gh-137573: Mark _PyOptimizer_Optimize as Py_NO_INLINE to
+ prevent stack overflow crashes on macOS.
+ - Build
+ - gh-132339: Add support for OpenSSL 3.5.
+- Replaces upstreamed patches:
+ - CVE-2025-8194-tarfile-no-neg-offsets.patch
+
 -------------------------------------------------------------------
 Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl
diff --git a/python314.spec b/python314.spec
index 6d4c28e..a48871f 100644
--- a/python314.spec
+++ b/python314.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python314
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -162,8 +162,8 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.14.0~rc1
-%define tarversion 3.14.0rc1
+Version: 3.14.0~rc2
+%define tarversion 3.14.0rc2
 %define tarname Python-%{tarversion}
 Release: 0
 Summary: Python 3 Interpreter
@@ -222,9 +222,6 @@ Patch40: fix-test-recursion-limit-15.6.patch
 # PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com
 # Doc: Generate ids for audit_events using docname
 Patch41: bsc1243155-sphinx-non-determinism.patch
-# PATCH-FIX-UPSTREAM CVE-2025-8194-tarfile-no-neg-offsets.patch bsc#1247249 mcepl@suse.com
-# tarfile now validates archives to ensure member offsets are non-negative
-Patch42: CVE-2025-8194-tarfile-no-neg-offsets.patch
 #### Python 3.14 DEVELOPMENT PATCHES
 BuildRequires: autoconf-archive
 BuildRequires: automake