Accepting request 1299840 from devel:languages:python:Factory

- Update to 3.14.0~rc2:
  - Library
    - gh-137426: Remove the code deprecation of
      importlib.abc.ResourceLoader. It is documented as
      deprecated, but left for backwards compatibility with other
      classes in importlib.abc.
    - gh-137282: Fix tab completion and dir() on
      concurrent.futures.
    - gh-137257: Bump the version of pip bundled in ensurepip to
      version 25.2
    - gh-137226: Fix behavior of
      annotationlib.ForwardRef.evaluate() when the type_params
      parameter is passed and the name of a type param is also
      present in an enclosing scope.
    - gh-130522: Fix unraisable TypeError raised during
      interpreter shutdown in the threading module.
    - gh-137059: Fix handling of file URLs with a
      Windows drive letter in the URL authority by
      urllib.request.url2pathname(). This fixes a regression in
      earlier pre-releases of Python 3.14.
    - gh-130577: tarfile now validates archives to ensure member
      offsets are non-negative. (Contributed by Alexander Enrique
      Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
    - gh-135228: When dataclasses replaces a class with a slotted
      dataclass, the original class can now be garbage collected
      again. Earlier changes in Python 3.14 caused this class to
      always remain in existence together with the replacement
      class synthesized by dataclasses.
  - Documentation
    - gh-136155: We are now checking for fatal errors in EPUB
      builds in CI.
  - Core and Builtins
    - gh-137400: Fix a crash in the free threading
      build when disabling profiling or tracing across
      all threads with PyEval_SetProfileAllThreads()
      or PyEval_SetTraceAllThreads() or their Python
      equivalents threading.settrace_all_threads() and
      threading.setprofile_all_threads().
    - gh-137314: Fixed a regression where raw f-strings
      incorrectly interpreted escape sequences in format
      specifications. Raw f-strings now properly preserve literal
      backslashes in format specs, matching the behavior from
      Python 3.11. For example, rf"{obj:\xFF}" now correctly
      produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    - gh-137308: A standalone docstring in a node body is
      optimized as a pass statement to ensure that the node’s
      body is never empty. There was a ValueError in compile()
      otherwise.
    - gh-137288: Fix bug where some bytecode instructions of a
      boolean expression are not associated with the correct
      exception handler.
    - gh-134291: Remove some newer macOS API usage from the JIT
      compiler in order to restore compatibility with older OSX
      10.15 deployment targets.
    - gh-131338: Disable computed stack limit checks on non-glibc
      linux platforms to fix crashes on deep recursion.
    - gh-136870: Fix data races while de-instrumenting bytecode
      of code objects running concurrently in threads.
  - C API
    - gh-137573: Mark _PyOptimizer_Optimize as Py_NO_INLINE to
      prevent stack overflow crashes on macOS.
  - Build
    - gh-132339: Add support for OpenSSL 3.5.
- Replaces upstreamed patches:
  - CVE-2025-8194-tarfile-no-neg-offsets.patch

OBS-URL: https://build.opensuse.org/request/show/1299840
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python314?expand=0&rev=21
2025-08-15 19:52:50 +00:00
committed by Git OBS Bridge
7 changed files with 76 additions and 222 deletions
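
For consumers that unpack untrusted archives on interpreters without the gh-130577 fix listed in the commit message, a pre-check along these lines flags the condition before `tarfile` sees the data. This is an added example, not code from CPython or from this package; `decode_size`, `first_negative_size`, `GOOD` and `BAD` are hypothetical names, and it assumes an uncompressed tar image held in memory.

```python
import tarfile

BLOCK = 512
SIZE_OFF, SIZE_LEN = 124, 12  # size field position in a v7/ustar/GNU header


def decode_size(field):
    """Decode a tar numeric field: octal text, or GNU base-256 when the
    first byte is 0x80 (positive) or 0xff (negative, two's complement)."""
    if field[0] in (0x80, 0xFF):
        value = int.from_bytes(field[1:], "big")
        if field[0] == 0xFF:
            value -= 256 ** (len(field) - 1)
        return value
    text = field.split(b"\0", 1)[0].decode("ascii").strip()
    return int(text or "0", 8)


def first_negative_size(data):
    """Walk the headers of an uncompressed tar image and return
    (header_offset, size) for the first negative size, else None."""
    pos = 0
    while pos + BLOCK <= len(data):
        header = data[pos:pos + BLOCK]
        if not any(header):  # all-zero block: end-of-archive marker
            break
        size = decode_size(header[SIZE_OFF:SIZE_OFF + SIZE_LEN])
        if size < 0:
            # Stop here: the next header position can no longer be trusted.
            return pos, size
        pos += BLOCK + -(-size // BLOCK) * BLOCK  # header + padded payload
    return None


# Constructed sample data (not a real archive): a valid GNU header, and a copy
# whose size field holds the bytes used by the removed patch's test headers.
# The copy's checksum is stale; this scanner does not verify checksums.
GOOD = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
BAD = GOOD[:SIZE_OFF] + b"\xff" * 11 + b" " + GOOD[SIZE_OFF + SIZE_LEN:]

if __name__ == "__main__":
    print(first_negative_size(GOOD + GOOD))        # None
    print(first_negative_size(GOOD + BAD + GOOD))  # (512, -224)
```

`decode_size` raises `ValueError` for a field that is neither octal text nor base-256; a caller should treat that as a rejection as well.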

@@ -1,212 +0,0 @@
From 28d130238bfb5604eef4b594d597f7b5ec951eba Mon Sep 17 00:00:00 2001
From: Alexander Urieles <aeurielesn@users.noreply.github.com>
Date: Mon, 28 Jul 2025 17:37:26 +0200
Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member
offsets are non-negative (GH-137027) (cherry picked from commit
7040aa54f14676938970e10c5f74ea93cd56aa38)
Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/tarfile.py | 3
Lib/test/test_tarfile.py | 156 ++++++++++
Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3
3 files changed, 162 insertions(+)
create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
Index: Python-3.14.0rc1/Lib/tarfile.py
===================================================================
--- Python-3.14.0rc1.orig/Lib/tarfile.py 2025-08-01 22:10:15.833118580 +0200
+++ Python-3.14.0rc1/Lib/tarfile.py 2025-08-01 22:10:21.970557323 +0200
@@ -1647,6 +1647,9 @@
"""Round up a byte count by BLOCKSIZE and return it,
e.g. _block(834) => 1024.
"""
+ # Only non-negative offsets are allowed
+ if count < 0:
+ raise InvalidHeaderError("invalid offset")
blocks, remainder = divmod(count, BLOCKSIZE)
if remainder:
blocks += 1
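Review bot: The `count < 0` check sits in `_block()`, a rounding helper whose docstring still only describes rounding, so rejecting a negative size depends on every consumer of a header's size passing through this helper. Consider also rejecting the value where the size field is decoded, and extend the docstring to state that `InvalidHeaderError("invalid offset")` is raised; the message says "offset" while the parameter is named `count`, which will puzzle whoever reads the traceback.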
Index: Python-3.14.0rc1/Lib/test/test_tarfile.py
===================================================================
--- Python-3.14.0rc1.orig/Lib/test/test_tarfile.py 2025-08-01 22:10:17.621793551 +0200
+++ Python-3.14.0rc1/Lib/test/test_tarfile.py 2025-08-01 22:10:21.971238980 +0200
@@ -55,6 +55,7 @@
zstname = os.path.join(TEMPDIR, "testtar.tar.zst")
tmpname = os.path.join(TEMPDIR, "tmp.tar")
dotlessname = os.path.join(TEMPDIR, "testtar")
+SPACE = b" "
sha256_regtype = (
"e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
@@ -4602,6 +4603,161 @@
ar.extractall(self.testdir, filter='fully_trusted')
+class OffsetValidationTests(unittest.TestCase):
+ tarname = tmpname
+ invalid_posix_header = (
+ # name: 100 bytes
+ tarfile.NUL * tarfile.LENGTH_NAME
+ # mode, space, null terminator: 8 bytes
+ + b"000755" + SPACE + tarfile.NUL
+ # uid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # gid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # size, space: 12 bytes
+ + b"\xff" * 11 + SPACE
+ # mtime, space: 12 bytes
+ + tarfile.NUL * 11 + SPACE
+ # chksum: 8 bytes
+ + b"0011407" + tarfile.NUL
+ # type: 1 byte
+ + tarfile.REGTYPE
+ # linkname: 100 bytes
+ + tarfile.NUL * tarfile.LENGTH_LINK
+ # magic: 6 bytes, version: 2 bytes
+ + tarfile.POSIX_MAGIC
+ # uname: 32 bytes
+ + tarfile.NUL * 32
+ # gname: 32 bytes
+ + tarfile.NUL * 32
+ # devmajor, space, null terminator: 8 bytes
+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
+ # devminor, space, null terminator: 8 bytes
+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
+ # prefix: 155 bytes
+ + tarfile.NUL * tarfile.LENGTH_PREFIX
+ # padding: 12 bytes
+ + tarfile.NUL * 12
+ )
+ invalid_gnu_header = (
+ # name: 100 bytes
+ tarfile.NUL * tarfile.LENGTH_NAME
+ # mode, null terminator: 8 bytes
+ + b"0000755" + tarfile.NUL
+ # uid, null terminator: 8 bytes
+ + b"0000001" + tarfile.NUL
+ # gid, space, null terminator: 8 bytes
+ + b"0000001" + tarfile.NUL
+ # size, space: 12 bytes
+ + b"\xff" * 11 + SPACE
+ # mtime, space: 12 bytes
+ + tarfile.NUL * 11 + SPACE
+ # chksum: 8 bytes
+ + b"0011327" + tarfile.NUL
+ # type: 1 byte
+ + tarfile.REGTYPE
+ # linkname: 100 bytes
+ + tarfile.NUL * tarfile.LENGTH_LINK
+ # magic: 8 bytes
+ + tarfile.GNU_MAGIC
+ # uname: 32 bytes
+ + tarfile.NUL * 32
+ # gname: 32 bytes
+ + tarfile.NUL * 32
+ # devmajor, null terminator: 8 bytes
+ + tarfile.NUL * 8
+ # devminor, null terminator: 8 bytes
+ + tarfile.NUL * 8
+ # padding: 167 bytes
+ + tarfile.NUL * 167
+ )
+ invalid_v7_header = (
+ # name: 100 bytes
+ tarfile.NUL * tarfile.LENGTH_NAME
+ # mode, space, null terminator: 8 bytes
+ + b"000755" + SPACE + tarfile.NUL
+ # uid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # gid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # size, space: 12 bytes
+ + b"\xff" * 11 + SPACE
+ # mtime, space: 12 bytes
+ + tarfile.NUL * 11 + SPACE
+ # chksum: 8 bytes
+ + b"0010070" + tarfile.NUL
+ # type: 1 byte
+ + tarfile.REGTYPE
+ # linkname: 100 bytes
+ + tarfile.NUL * tarfile.LENGTH_LINK
+ # padding: 255 bytes
+ + tarfile.NUL * 255
+ )
+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
+ data_block = b"\xff" * tarfile.BLOCKSIZE
+
+ def _write_buffer(self, buffer):
+ with open(self.tarname, "wb") as f:
+ f.write(buffer)
+
+ def _get_members(self, ignore_zeros=None):
+ with open(self.tarname, "rb") as f:
+ with tarfile.open(
+ mode="r", fileobj=f, ignore_zeros=ignore_zeros
+ ) as tar:
+ return tar.getmembers()
+
+ def _assert_raises_read_error_exception(self):
+ with self.assertRaisesRegex(
+ tarfile.ReadError, "file could not be opened successfully"
+ ):
+ self._get_members()
+
+ def test_invalid_offset_header_validations(self):
+ for tar_format, invalid_header in (
+ ("posix", self.invalid_posix_header),
+ ("gnu", self.invalid_gnu_header),
+ ("v7", self.invalid_v7_header),
+ ):
+ with self.subTest(format=tar_format):
+ self._write_buffer(invalid_header)
+ self._assert_raises_read_error_exception()
+
+ def test_early_stop_at_invalid_offset_header(self):
+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
+ self._write_buffer(buffer)
+ members = self._get_members()
+ self.assertEqual(len(members), 1)
+ self.assertEqual(members[0].name, "filename")
+ self.assertEqual(members[0].offset, 0)
+
+ def test_ignore_invalid_archive(self):
+ # 3 invalid headers with their respective data
+ buffer = (self.invalid_gnu_header + self.data_block) * 3
+ self._write_buffer(buffer)
+ members = self._get_members(ignore_zeros=True)
+ self.assertEqual(len(members), 0)
+
+ def test_ignore_invalid_offset_headers(self):
+ for first_block, second_block, expected_offset in (
+ (
+ (self.valid_gnu_header),
+ (self.invalid_gnu_header + self.data_block),
+ 0,
+ ),
+ (
+ (self.invalid_gnu_header + self.data_block),
+ (self.valid_gnu_header),
+ 1024,
+ ),
+ ):
+ self._write_buffer(first_block + second_block)
+ members = self._get_members(ignore_zeros=True)
+ self.assertEqual(len(members), 1)
+ self.assertEqual(members[0].name, "filename")
+ self.assertEqual(members[0].offset, expected_offset)
+
+
def setUpModule():
os_helper.unlink(TEMPDIR)
os.makedirs(TEMPDIR)
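Review bot: `_assert_raises_read_error_exception` matches only the generic text "file could not be opened successfully", so `test_invalid_offset_header_validations` would also pass if the three hand-built headers were rejected for an unrelated reason, for example a wrong value among the hard-coded `chksum` literals (`0011407`, `0011327`, `0010070`). Assert on the "invalid offset" cause as well, or compute the checksums inside the test, so that it fails when the new check is removed. The field comments in `invalid_gnu_header` also disagree with the bytes: the gid line says "space, null terminator" while the value is `b"0000001" + tarfile.NUL`.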
Index: Python-3.14.0rc1/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.14.0rc1/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst 2025-08-01 22:10:21.971763003 +0200
@@ -0,0 +1,3 @@
+:mod:`tarfile` now validates archives to ensure member offsets are
+non-negative. (Contributed by Alexander Enrique Urieles Nieto in
+:gh:`130577`.)

Python-3.14.0rc1.tar.xz (Stored with Git LFS)

Python-3.14.0rc2.tar.xz (Stored with Git LFS) Normal file

@@ -1,3 +1,72 @@
-------------------------------------------------------------------
Fri Aug 15 14:12:35 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.14.0~rc2:
- Library
- gh-137426: Remove the code deprecation of
importlib.abc.ResourceLoader. It is documented as
deprecated, but left for backwards compatibility with other
classes in importlib.abc.
- gh-137282: Fix tab completion and dir() on
concurrent.futures.
- gh-137257: Bump the version of pip bundled in ensurepip to
version 25.2
- gh-137226: Fix behavior of
annotationlib.ForwardRef.evaluate() when the type_params
parameter is passed and the name of a type param is also
present in an enclosing scope.
- gh-130522: Fix unraisable TypeError raised during
interpreter shutdown in the threading module.
- gh-137059: Fix handling of file URLs with a
Windows drive letter in the URL authority by
urllib.request.url2pathname(). This fixes a regression in
earlier pre-releases of Python 3.14.
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-135228: When dataclasses replaces a class with a slotted
dataclass, the original class can now be garbage collected
again. Earlier changes in Python 3.14 caused this class to
always remain in existence together with the replacement
class synthesized by dataclasses.
- Documentation
- gh-136155: We are now checking for fatal errors in EPUB
builds in CI.
- Core and Builtins
- gh-137400: Fix a crash in the free threading
build when disabling profiling or tracing across
all threads with PyEval_SetProfileAllThreads()
or PyEval_SetTraceAllThreads() or their Python
equivalents threading.settrace_all_threads() and
threading.setprofile_all_threads().
- gh-137314: Fixed a regression where raw f-strings
incorrectly interpreted escape sequences in format
specifications. Raw f-strings now properly preserve literal
backslashes in format specs, matching the behavior from
Python 3.11. For example, rf"{obj:\xFF}" now correctly
produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
- gh-137308: A standalone docstring in a node body is
optimized as a pass statement to ensure that the nodes
body is never empty. There was a ValueError in compile()
otherwise.
- gh-137288: Fix bug where some bytecode instructions of a
boolean expression are not associated with the correct
exception handler.
- gh-134291: Remove some newer macOS API usage from the JIT
compiler in order to restore compatibility with older OSX
10.15 deployment targets.
- gh-131338: Disable computed stack limit checks on non-glibc
linux platforms to fix crashes on deep recursion.
- gh-136870: Fix data races while de-instrumenting bytecode
of code objects running concurrently in threads.
- C API
- gh-137573: Mark _PyOptimizer_Optimize as Py_NO_INLINE to
prevent stack overflow crashes on macOS.
- Build
- gh-132339: Add support for OpenSSL 3.5.
- Replaces upstreamed patches:
- CVE-2025-8194-tarfile-no-neg-offsets.patch
-------------------------------------------------------------------
Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
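Review bot: The gh-137308 entry reads "the nodes body", losing the apostrophe that the commit message has ("node’s"), and the neighbouring gh-137314 entry carries a literal 'ÿ', so check the .changes file for an encoding round-trip problem before it lands. Keeping "CVE-2025-8194, bsc#1247249" on the gh-130577 line is right, since with the patch file gone that line is the only place in the package where the fix can be traced.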

@@ -1,7 +1,7 @@
#
# spec file for package python314
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -162,8 +162,8 @@
# _md5.cpython-38m-x86_64-linux-gnu.so
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
Name: %{python_pkg_name}%{psuffix}
Version: 3.14.0~rc1
%define tarversion 3.14.0rc1
Version: 3.14.0~rc2
%define tarversion 3.14.0rc2
%define tarname Python-%{tarversion}
Release: 0
Summary: Python 3 Interpreter
@@ -222,9 +222,6 @@ Patch40: fix-test-recursion-limit-15.6.patch
# PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com
# Doc: Generate ids for audit_events using docname
Patch41: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-UPSTREAM CVE-2025-8194-tarfile-no-neg-offsets.patch bsc#1247249 mcepl@suse.com
# tarfile now validates archives to ensure member offsets are non-negative
Patch42: CVE-2025-8194-tarfile-no-neg-offsets.patch
#### Python 3.14 DEVELOPMENT PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake
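Review bot: Only the `Patch42:` declaration and its `PATCH-FIX-UPSTREAM` comment are removed here; if `%prep` applies patches by number rather than with `%autopatch`, the matching application line has to go in the same commit or the build stops on a missing patch. Dropping the patch is otherwise consistent with the `Version: 3.14.0~rc2` bump and the changelog's listing of gh-130577 among the rc2 changes.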