From f41d0d940bfb139f1bd8ddc630fe85e7edf56b20e013678006f27fc77ce652c6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?=
Date: Thu, 5 Feb 2026 17:15:58 +0100
Subject: [PATCH] Update to 3.14.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Tools/Demos
  - gh-142095: Make gdb ‘py-bt’ command use frame from thread local state when available. Patch by Sam Gross and Victor Stinner.
- Tests
  - gh-144415: The Android testbed now distinguishes between stdout/stderr messages which were triggered by a newline, and those triggered by a manual call to flush. This fixes logging of progress indicators and similar content.
  - gh-143460: Skip tests relying on infinite recursion if stack size is unlimited.
  - gh-65784: Add support for parametrized resource wantobjects in regrtests, which allows running Tkinter tests with the specified value of tkinter.wantobjects, for example -u wantobjects=0.
  - gh-143553: Add support for parametrized resources, such as -u xpickle=2.7.
  - gh-142836: Accommodated Solaris in test_pdb.test_script_target_anonymous_pipe.
  - bpo-31391: Forward-port test_xpickle from Python 2 to Python 3 and add the resource back to test’s command line.
- Security
  - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
  - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029, CVE-2025-11468).
  - gh-143925: Reject control characters in data: URL media types.
  - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672).
  - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
- Library
  - gh-144380: Improve performance of io.BufferedReader line iteration by ~49%.
  - gh-144169: Fix three crashes when non-string keyword arguments are supplied to objects in the ast module.
  - gh-144100: Fixed a crash in ctypes when using a deprecated POINTER(str) type in argtypes. Instead of aborting, ctypes now raises a proper Python exception when the pointer target type is unresolved.
  - gh-144050: Fix stat.filemode() in the pure-Python implementation to avoid misclassifying invalid mode values as block devices.
  - gh-144023: Fixed validation of file descriptor 0 in posix functions when used with follow_symlinks parameter.
  - gh-143999: Fix an issue where inspect.getgeneratorstate() and inspect.getcoroutinestate() could fail for generators wrapped by types.coroutine() in the suspended state.
  - gh-143831: annotationlib.ForwardRef objects are now hashable when created from annotation scopes with closures. Previously, hashing such objects would throw an exception. Patch by Bartosz Sławecki.
  - gh-143874: Fixed a bug in pdb where expression results were not sent back to remote client.
  - gh-143880: Fix data race in functools.partial() in the free threading build.
  - gh-143706: Fix multiprocessing forkserver so that sys.argv is correctly set before __main__ is preloaded. Previously, sys.argv was empty during main module import in forkserver child processes. This fixes a regression introduced in 3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test provided by Thomas Watson, thanks!
  - gh-143638: Forbid reentrant calls of the pickle.Pickler and pickle.Unpickler methods for the C implementation. Previously, this could cause a crash or data corruption; now concurrent calls of methods of the same object raise RuntimeError.
  - gh-78724: Raise RuntimeError when user attempts to call methods on half-initialized Struct objects, for example those created by Struct.__new__(Struct). Patch by Sergey B Kirpichev.
  - gh-143196: Fix crash when the internal encoder object returned by undocumented function json.encoder.c_make_encoder() was called with non-zero second (_current_indent_level) argument.
  - gh-143191: _thread.stack_size() now raises ValueError if the stack size is too small. Patch by Victor Stinner.
  - gh-143602: Fix an inconsistency issue in write() that leads to unexpected buffer overwrite by deduplicating the buffer exports.
  - gh-143547: Fix sys.unraisablehook() when the hook raises an exception and changes sys.unraisablehook(): hold a strong reference to the old hook. Patch by Victor Stinner.
  - gh-143517: annotationlib.get_annotations() no longer raises a SyntaxError when evaluating a stringified starred annotation that starts with one or more whitespace characters followed by a *. Patch by Bartosz Sławecki.
  - gh-143378: Fix use-after-free crashes when a BytesIO object is concurrently mutated during write() or writelines().
  - gh-143346: Fix incorrect wrapping of the Base64 data in plistlib._PlistWriter when the indent contains a mix of tabs and spaces.
  - gh-143310: tkinter: fix a crash when a Python list is mutated during the conversion to a Tcl object (e.g., when setting a Tcl variable). Patch by Bénédikt Tran.
  - gh-143309: Fix a crash in os.execve() on non-Windows platforms when given a custom environment mapping which is then mutated during parsing. Patch by Bénédikt Tran.
  - gh-143308: pickle: fix use-after-free crashes when a PickleBuffer is concurrently mutated by a custom buffer callback during pickling. Patch by Bénédikt Tran and Aaron Wieczorek.
  - gh-143237: Fix support of named pipes in the rotating logging handlers.
  - gh-143249: Fix possible buffer leaks in Windows overlapped I/O on error handling.
  - gh-143241: zoneinfo: fix infinite loop in ZoneInfo.from_file when parsing a malformed TZif file. Patch by Fatih Celik.
  - gh-142830: sqlite3: fix use-after-free crashes when the connection’s callbacks are mutated during a callback execution. Patch by Bénédikt Tran.
  - gh-143200: xml.etree.ElementTree: fix use-after-free crashes in __getitem__() and __setitem__() methods of Element when the element is concurrently mutated. Patch by Bénédikt Tran.
  - gh-142195: Updated timeout evaluation logic in subprocess to be compatible with deterministic environments like Shadow where time moves exactly as requested.
  - gh-142164: Fix the ctypes bitfield overflow error message to report the correct offset and size calculation.
  - gh-143145: Fixed a possible reference leak in ctypes when constructing results with multiple output parameters on error.
  - gh-122431: Corrected the error message in readline.append_history_file() to state that nelements must be non-negative instead of positive.
  - gh-143004: Fix a potential use-after-free in collections.Counter.update() when user code mutates the Counter during an update.
  - gh-143046: The asyncio REPL no longer prints copyright and version messages in the quiet mode (-q). Patch by Bartosz Sławecki.
  - gh-140648: The asyncio REPL now respects the -I flag (isolated mode). Previously, it would load and execute PYTHONSTARTUP even if the flag was set. Contributed by Bartosz Sławecki.
  - gh-142991: Fixed socket operations such as recvfrom() and sendto() for FreeBSD divert(4) socket.
  - gh-143010: Fixed a bug in mailbox where the precise timing of an external event could result in the library opening an existing file instead of a file it expected to create.
  - gh-142881: Fix concurrent and reentrant call of atexit.unregister().
  - gh-112127: Fix possible use-after-free in atexit.unregister() when the callback is unregistered during comparison.
  - gh-142783: Fix zoneinfo use-after-free with descriptor _weak_cache. Using a descriptor as _weak_cache could cause crashes during object creation. The fix ensures proper reference counting for descriptor-provided objects.
  - gh-142754: Add the ownerDocument attribute to xml.dom.minidom elements and attributes created by directly instantiating the Element or Attr class. Note that this way of creating nodes is not supported; creator functions like xml.dom.Document.documentElement() should be used instead.
  - gh-142784: The asyncio REPL now properly closes the loop upon the end of interactive session. Previously, it could cause surprising warnings. Contributed by Bartosz Sławecki.
  - gh-142555: array: fix a crash in a[i] = v when converting i to an index via i.__index__ or i.__float__ mutates the array.
  - gh-142594: Fix crash in TextIOWrapper.close() when the underlying buffer’s closed property calls detach().
  - gh-142451: hmac: Ensure that the HMAC.block_size attribute is correctly copied by HMAC.copy. Patch by Bénédikt Tran.
  - gh-142495: collections.defaultdict now prioritizes __setitem__() when inserting default values from default_factory. This prevents race conditions where a default value would overwrite a value set before default_factory returns.
  - gh-142651: unittest.mock: fix a thread safety issue where Mock.call_count may return inaccurate values when the mock is called concurrently from multiple threads.
  - gh-142595: Added type check during initialization of the decimal module to prevent a crash in case of broken stdlib. Patch by Sergey B Kirpichev.
  - gh-142556: Fix crash when a task gets re-registered during finalization in asyncio. Patch by Kumar Aditya.
  - gh-123241: Avoid reference count operations in garbage collection of ctypes objects.
  - gh-142517: The non-compat32 email policies now correctly handle refolding encoded words that contain bytes that can not be decoded in their specified character set. Previously this resulted in an encoding exception during folding.
  - gh-112527: The help text for required options in argparse is no longer extended with “ (default: None)”.
  - gh-142346: Fix usage formatting for mutually exclusive groups in argparse when they are preceded by positional arguments or followed or intermixed with other optional arguments.
  - gh-142315: Pdb can now run scripts from anonymous pipes used in process substitution. Patch by Bartosz Sławecki.
  - gh-142332: Fix usage formatting for positional arguments in mutually exclusive groups in argparse.
  - gh-142282: Fix winreg.QueryValueEx() to not accidentally read garbage buffer under race condition.
  - gh-75949: Fix argparse to preserve | separators in mutually exclusive groups when the usage line wraps due to length.
  - gh-142267: Improve argparse performance by caching the formatter used for argument validation.
  - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header name defects are now correctly passed to the handle_defect method of policy in FeedParser.
  - gh-142006: Fix a bug in the email.policy.default folding algorithm which incorrectly resulted in a doubled newline when a line ending at exactly max_line_length was followed by an unfoldable token.
  - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving underlying cancelled asyncio task running.
  - gh-139971: pydoc: Ensure that the link to the online documentation of a stdlib module is correct.
  - gh-139262: Some keystrokes can be swallowed in the new PyREPL on Windows, especially when used together with the ALT key. Fix by Chris Eibl.
  - gh-138897: Improved license/copyright/credits display in the REPL: now uses a pager.
  - gh-79986: Add parsing for References and In-Reply-To headers to the email library that parses the header content as lists of message id tokens. This prevents them from being folded incorrectly.
  - gh-136282: Add support for UNNAMED_SECTION when creating a section via the mapping protocol access.
  - gh-109263: Starting a process from spawn context in multiprocessing no longer sets the start method globally.
  - gh-133253: Fix thread-safety issues in linecache.
  - gh-132715: Skip writing objects during marshalling once a failure has occurred.
- IDLE
  - gh-143774: Better explain the operation of Format / Format Paragraph.
- Documentation
  - gh-140806: Add documentation for enum.bin().
- Core and Builtins
  - gh-144307: Prevent a reference leak in module teardown at interpreter finalization.
  - gh-144194: Fix error handling in perf jitdump initialization on memory allocation failure.
  - gh-144012: Check if the result is NULL in BINARY_OP_EXTENT opcode.
  - gh-141805: Fix crash in set when objects with the same hash are concurrently added to the set after removing an element with the same hash while the set still contains elements with the same hash.
  - gh-143670: Fixes a crash in ga_repr_items_list function.
  - gh-143377: Fix a crash in _interpreters.capture_exception() when the exception is incorrectly formatted. Patch by Bénédikt Tran.
  - gh-136924: The interactive help mode in the REPL no longer incorrectly syntax highlights text input as Python code. Contributed by Olga Matoula.
  - gh-143189: Fix crash when inserting a non-str key into a split table dictionary when the key matches an existing key in the split table but has no corresponding value in the dict.
  - gh-143228: Fix use-after-free in perf trampoline when toggling profiling while threads are running or during interpreter finalization with daemon threads active. The fix uses reference counting to ensure trampolines are not freed while any code object could still reference them. Patch by Pablo Galindo.
  - gh-142664: Fix a use-after-free crash in memoryview.__hash__ when the __hash__ method of the referenced object mutates that object or the view. Patch by Bénédikt Tran.
  - gh-142557: Fix a use-after-free crash in bytearray.__mod__ when the bytearray is mutated while formatting the %-style arguments. Patch by Bénédikt Tran.
  - gh-143195: Fix use-after-free crashes in bytearray.hex() and memoryview.hex() when the separator’s __len__() mutates the original object. Patch by Bénédikt Tran.
  - gh-142975: Fix crash after unfreezing all objects tracked by the garbage collector on the free threaded build.
  - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is 0. Previously, it was set to 0 in this case.
  - gh-143003: Fix an overflow of the shared empty buffer in bytearray.extend() when __length_hint__() returns 0 for non-empty iterator.
  - gh-143006: Fix a possible assertion error when comparing negative non-integer float and int with the same number of bits in the integer part.
  - gh-143057: Avoid locking in PyTraceMalloc_Track() and PyTraceMalloc_Untrack() when tracemalloc is not enabled.
  - gh-142776: Fix a file descriptor leak in import.c.
  - gh-142829: Fix a use-after-free crash in contextvars.Context comparison when a custom __eq__ method modifies the context via set().
  - gh-142766: Clear the frame of a generator when generator.close() is called.
  - gh-142737: Tracebacks will be displayed in fallback mode even if io.open() is lost. Previously, this would crash the interpreter. Patch by Bartosz Sławecki.
  - gh-142554: Fix a crash in divmod() when _pylong.int_divmod() does not return a tuple of length two exactly. Patch by Bénédikt Tran.
  - gh-142560: Fix use-after-free in bytearray search-like methods (find(), count(), index(), rindex(), and rfind()) by marking the storage as exported, which causes reallocation attempts to raise BufferError. For contains(), split(), and rsplit() the buffer protocol is used for this.
  - gh-142531: Fix a free-threaded GC performance regression. If there are many untracked tuples, the GC will run too often, resulting in poor performance. The fix is to include untracked tuples in the “long lived” object count. The number of frozen objects is also now included since the free-threaded GC must scan those too.
  - gh-142402: Fix reference counting when adjacent literal parts are merged while constructing string.templatelib.Template, preventing the displaced string object from leaking.
  - gh-133932: Fix crash in the free threading build when clearing frames that hold tagged integers.
  - gh-142343: Fix SIGILL crash on m68k due to incorrect assembly constraint.
  - gh-100964: Fix reference cycle in exhausted generator frames. Patch by Savannah Ostrowski.
  - gh-69605: Fix edge-cases around already imported modules in the REPL auto-completion of imports.
  - gh-138568: Adjusted the built-in help() function so that empty inputs are ignored in interactive mode.
  - gh-137007: Fix a bug during JIT compilation failure which caused garbage collection debug assertions to fail.
- C API
  - gh-142589: Fix PyUnstable_Object_IsUniqueReferencedTemporary() handling of tagged ints on the interpreter stack.
  - gh-142571: PyUnstable_CopyPerfMapFile() now checks that opening the file succeeded before flushing.
- Build
  - gh-142454: When calculating the digest of the JIT stencils input, sort the hashed files by filenames before adding their content to the hasher. This ensures deterministic hash input and hence deterministic hash, independent of filesystem order.
  - gh-141808: When running make clean-retain-profile, keep the generated JIT stencils. That way, the stencils are not generated twice when Profile-guided optimization (PGO) is used. It also allows distributors to supply their own pre-built JIT stencils.
  - gh-138061: Ensure reproducible builds by making JIT stencil header generation deterministic.

Remove upstreamed patches:
- CVE-2024-6923-follow-up-EOL-email-headers.patch
- CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- gh138131-exclude-pycache-from-digest.patch
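The three Security entries that this update retires as separate patches (gh-144125 and gh-143935 on unsafely folded email headers, gh-143919 on control characters in cookie fields) share one failure mode: a line break or control character that the serializer emits without the receiver's folding rules being met turns the tail of one field into a new field. The following is an added illustration written for this page, not code from CPython or from the openSUSE package, of the check a sender can run over an already-folded header and over cookie attribute values, plus the receiver-side parse that shows why it matters. The sample header bytes are constructed for the demonstration; the function names `unsafe_fold`, `has_control_character` and `header_names` are this example's own. It does not reproduce the vulnerable folding itself, which needs the affected interpreter.

```python
"""Header-injection checks for folded email headers and cookie values.

Added illustration; not code from CPython or from the openSUSE package.
The sample header bytes below are constructed for the demonstration.
"""
import re
from email import message_from_bytes, policy

# A line break inside a folded header must be followed by folding whitespace
# (SP or HTAB); otherwise the receiver treats the rest as a new header field.
# Same shape as the regex the gh-144125 generator check uses for bytes.
NEWLINE_WITHOUT_FWSP = re.compile(rb'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')

# C0 control characters plus DEL: the set the gh-143919 cookie fix rejects.
CONTROL_CHARACTER_RE = re.compile(r'[\x00-\x1F\x7F]')


def unsafe_fold(folded: bytes, linesep: bytes = b'\r\n') -> bool:
    """Return True if a folded header is unsafely delimited or folded.

    The header must end with exactly the policy line separator, and no other
    line break inside it may start a new field.
    """
    if not folded.endswith(linesep):
        return True
    return NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)) is not None


def has_control_character(*values) -> bool:
    """Return True if any value (rendered with str) contains a C0 control or DEL."""
    return any(CONTROL_CHARACTER_RE.search(str(v)) for v in values)


def header_names(header_block: bytes) -> list[str]:
    """Parse a raw header block the way a receiver does and return the field
    names it sees; an injected line shows up as an extra name."""
    raw = header_block.rstrip(b'\r\n') + b'\r\n\r\nbody\r\n'
    return list(message_from_bytes(raw, policy=policy.default).keys())


# Constructed samples: a comment folded with the required leading space, and
# the same comment wrapped without it (the failure mode gh-143935 describes).
SAFE_FOLD = b'To: alice@example.com (a long\r\n comment)\r\n'
BAD_FOLD = b'To: alice@example.com (a long\r\nBcc: eve@example.invalid)\r\n'

if __name__ == '__main__':
    for sample in (SAFE_FOLD, BAD_FOLD):
        print(unsafe_fold(sample), header_names(sample))
    # Cookie attribute value carrying CRLF: rejected before it reaches Set-Cookie.
    print(has_control_character('path', '/\r\nSet-Cookie: session=evil'))
```

Run stand-alone it prints `False ['To']` for the safe fold, `True ['To', 'Bcc']` for the bad one, and `True` for the cookie value. The receiver-side parse is the point: `header_names` does not need the sender's policy to tell that the second sample grew a `Bcc` field, which is exactly what `verify_generated_headers` is there to stop on the sending side.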
--- ...024-6923-follow-up-EOL-email-headers.patch | 104 ----- CVE-2025-11468-email-hdr-fold-comment.patch | 109 ------ ...6-0672-http-hdr-inject-cookie-Morsel.patch | 209 ---------- Python-3.14.2.tar.xz | 3 - Python-3.14.2.tar.xz.sigstore | 1 - Python-3.14.3.tar.xz | 3 + Python-3.14.3.tar.xz.sigstore | 1 + gh138131-exclude-pycache-from-digest.patch | 30 -- gh139257-Support-docutils-0.22.patch | 6 +- python314.changes | 362 +++++++++++++++++- python314.spec | 16 +- 11 files changed, 370 insertions(+), 474 deletions(-) delete mode 100644 CVE-2024-6923-follow-up-EOL-email-headers.patch delete mode 100644 CVE-2025-11468-email-hdr-fold-comment.patch delete mode 100644 CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch delete mode 100644 Python-3.14.2.tar.xz delete mode 100644 Python-3.14.2.tar.xz.sigstore create mode 100644 Python-3.14.3.tar.xz create mode 100644 Python-3.14.3.tar.xz.sigstore delete mode 100644 gh138131-exclude-pycache-from-digest.patch diff --git a/CVE-2024-6923-follow-up-EOL-email-headers.patch b/CVE-2024-6923-follow-up-EOL-email-headers.patch deleted file mode 100644 index 0491c18..0000000 --- a/CVE-2024-6923-follow-up-EOL-email-headers.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Fri, 23 Jan 2026 08:59:35 -0600 -Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator - (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Denis Ledoux -Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com> -Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com> -Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com> ---- - Lib/email/generator.py | 12 +++++++++- - Lib/test/test_email/test_generator.py | 4 ++- - Lib/test/test_email/test_policy.py | 6 ++++- - Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++ - 4 files changed, 23 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst - -Index: Python-3.14.2/Lib/email/generator.py -=================================================================== ---- Python-3.14.2.orig/Lib/email/generator.py 2026-01-28 22:15:51.075267925 +0100 -+++ Python-3.14.2/Lib/email/generator.py 2026-01-28 22:15:56.251194626 +0100 -@@ -22,6 +22,7 @@ - NLCRE = re.compile(r'\r\n|\r|\n') - fcre = re.compile(r'^From ', re.MULTILINE) - NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') -+NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') - - - class Generator: -@@ -429,7 +430,16 @@ - # This is almost the same as the string version, except for handling - # strings with 8bit bytes. 
- for h, v in msg.raw_items(): -- self._fp.write(self.policy.fold_binary(h, v)) -+ folded = self.policy.fold_binary(h, v) -+ if self.policy.verify_generated_headers: -+ linesep = self.policy.linesep.encode() -+ if not folded.endswith(linesep): -+ raise HeaderWriteError( -+ f'folded header does not end with {linesep!r}: {folded!r}') -+ if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)): -+ raise HeaderWriteError( -+ f'folded header contains newline: {folded!r}') -+ self._fp.write(folded) - # A blank line always separates headers from body - self.write(self._NL) - -Index: Python-3.14.2/Lib/test/test_email/test_generator.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/test_email/test_generator.py 2026-01-28 22:15:52.693627763 +0100 -+++ Python-3.14.2/Lib/test/test_email/test_generator.py 2026-01-28 22:15:56.251344799 +0100 -@@ -313,7 +313,7 @@ - self.assertEqual(s.getvalue(), self.typ(expected)) - - def test_verify_generated_headers(self): -- """gh-121650: by default the generator prevents header injection""" -+ # gh-121650: by default the generator prevents header injection - class LiteralHeader(str): - name = 'Header' - def fold(self, **kwargs): -@@ -334,6 +334,8 @@ - - with self.assertRaises(email.errors.HeaderWriteError): - message.as_string() -+ with self.assertRaises(email.errors.HeaderWriteError): -+ message.as_bytes() - - - class TestBytesGenerator(TestGeneratorBase, TestEmailBase): -Index: Python-3.14.2/Lib/test/test_email/test_policy.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/test_email/test_policy.py 2026-01-28 22:15:52.703671956 +0100 -+++ Python-3.14.2/Lib/test/test_email/test_policy.py 2026-01-28 22:15:56.251499922 +0100 -@@ -296,7 +296,7 @@ - policy.fold("Subject", subject) - - def test_verify_generated_headers(self): -- """Turning protection off allows header injection""" -+ # Turning protection off allows header 
injection - policy = email.policy.default.clone(verify_generated_headers=False) - for text in ( - 'Header: Value\r\nBad: Injection\r\n', -@@ -319,6 +319,10 @@ - message.as_string(), - f"{text}\nBody", - ) -+ self.assertEqual( -+ message.as_bytes(), -+ f"{text}\nBody".encode(), -+ ) - - # XXX: Need subclassing tests. - # For adding subclassed objects, make sure the usual rules apply (subclass -Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-01-28 22:15:56.251667056 +0100 -@@ -0,0 +1,4 @@ -+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers -+that are unsafely folded or delimited; see -+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas -+Bloemsaat and Petr Viktorin in :gh:`121650`). diff --git a/CVE-2025-11468-email-hdr-fold-comment.patch b/CVE-2025-11468-email-hdr-fold-comment.patch deleted file mode 100644 index e9b79e3..0000000 --- a/CVE-2025-11468-email-hdr-fold-comment.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From df45bd1aafc3b6792d43661207d2b7eb3a14d214 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Mon, 19 Jan 2026 06:38:22 -0600 -Subject: [PATCH] gh-143935: Email preserve parens when folding comments - (GH-143936) - -Fix a bug in the folding of comments when flattening an email message -using a modern email policy. Comments consisting of a very long sequence of -non-foldable characters could trigger a forced line wrap that omitted the -required leading space on the continuation line, causing the remainder of -the comment to be interpreted as a new header field. This enabled header -injection with carefully crafted inputs. -(cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Denis Ledoux ---- - Lib/email/_header_value_parser.py | 15 +++++++++++- - .../test_email/test__header_value_parser.py | 23 +++++++++++++++++++ - ...-01-16-14-40-31.gh-issue-143935.U2YtKl.rst | 6 +++++ - 3 files changed, 43 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst - -diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py -index 68c2cf9585c5b4..51727688c059ed 100644 ---- a/Lib/email/_header_value_parser.py -+++ b/Lib/email/_header_value_parser.py -@@ -101,6 +101,12 @@ def make_quoted_pairs(value): - return str(value).replace('\\', '\\\\').replace('"', '\\"') - - -+def make_parenthesis_pairs(value): -+ """Escape parenthesis and backslash for use within a comment.""" -+ return str(value).replace('\\', '\\\\') \ -+ .replace('(', '\\(').replace(')', '\\)') -+ -+ - def quote_string(value): - escaped = make_quoted_pairs(value) - return f'"{escaped}"' -@@ -939,7 +945,7 @@ def value(self): - return ' ' - - def startswith_fws(self): -- return True -+ return self and self[0] in WSP - - - class ValueTerminal(Terminal): -@@ -2959,6 +2965,13 @@ def _refold_parse_tree(parse_tree, *, policy): - 
[ValueTerminal(make_quoted_pairs(p), 'ptext') - for p in newparts] + - [ValueTerminal('"', 'ptext')]) -+ if part.token_type == 'comment': -+ newparts = ( -+ [ValueTerminal('(', 'ptext')] + -+ [ValueTerminal(make_parenthesis_pairs(p), 'ptext') -+ if p.token_type == 'ptext' else p -+ for p in newparts] + -+ [ValueTerminal(')', 'ptext')]) - if not part.as_ew_allowed: - wrap_as_ew_blocked += 1 - newparts.append(end_ew_not_allowed) -diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py -index 426ec4644e3096..e28fe3892015b9 100644 ---- a/Lib/test/test_email/test__header_value_parser.py -+++ b/Lib/test/test_email/test__header_value_parser.py -@@ -3294,6 +3294,29 @@ def test_address_list_with_specials_in_long_quoted_string(self): - with self.subTest(to=to): - self._test(parser.get_address_list(to)[0], folded, policy=policy) - -+ def test_address_list_with_long_unwrapable_comment(self): -+ policy = self.policy.clone(max_line_length=40) -+ cases = [ -+ # (to, folded) -+ ('(loremipsumdolorsitametconsecteturadipi)', -+ '(loremipsumdolorsitametconsecteturadipi)\n'), -+ ('(loremipsumdolorsitametconsecteturadipi)', -+ '(loremipsumdolorsitametconsecteturadipi)\n'), -+ ('(loremipsum dolorsitametconsecteturadipi)', -+ '(loremipsum dolorsitametconsecteturadipi)\n'), -+ ('(loremipsum dolorsitametconsecteturadipi)', -+ '(loremipsum\n dolorsitametconsecteturadipi)\n'), -+ ('(Escaped \\( \\) chars \\\\ in comments stay escaped)', -+ '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)\n'), -+ ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))', -+ '((loremipsum)(loremipsum)(loremipsum)(loremipsum))\n'), -+ ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))', -+ '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))\n'), -+ ] -+ for (to, folded) in cases: -+ with self.subTest(to=to): -+ self._test(parser.get_address_list(to)[0], folded, policy=policy) -+ - # XXX Need tests with comments on various sides of a unicode 
token, - # and with unicode tokens in the comments. Spaces inside the quotes - # currently don't do the right thing. -diff --git a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst -new file mode 100644 -index 00000000000000..c3d864936884ac ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst -@@ -0,0 +1,6 @@ -+Fixed a bug in the folding of comments when flattening an email message -+using a modern email policy. Comments consisting of a very long sequence of -+non-foldable characters could trigger a forced line wrap that omitted the -+required leading space on the continuation line, causing the remainder of -+the comment to be interpreted as a new header field. This enabled header -+injection with carefully crafted inputs. diff --git a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch b/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch deleted file mode 100644 index 76351cc..0000000 --- a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From 2bb0ca857e7d2593da6f6936187465a49a63c2d5 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Tue, 20 Jan 2026 15:23:42 -0600 -Subject: [PATCH] gh-143919: Reject control characters in http cookies (cherry - picked from commit 95746b3a13a985787ef53b977129041971ed7f70) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-authored-by: Seth Michael Larson -Co-authored-by: Bartosz Sławecki -Co-authored-by: sobolevn ---- - Doc/library/http.cookies.rst | 4 - Lib/http/cookies.py | 25 ++++ - Lib/test/support/__init__.py | 10 + - Lib/test/test_http_cookies.py | 52 +++++++++- - Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1 - 5 files changed, 82 insertions(+), 10 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst - -Index: Python-3.14.2/Doc/library/http.cookies.rst -=================================================================== ---- Python-3.14.2.orig/Doc/library/http.cookies.rst 2025-12-05 17:49:16.000000000 +0100 -+++ Python-3.14.2/Doc/library/http.cookies.rst 2026-01-30 14:25:26.265077841 +0100 -@@ -292,9 +292,9 @@ - Set-Cookie: chips=ahoy - Set-Cookie: vienna=finger - >>> C = cookies.SimpleCookie() -- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";') -+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";') - >>> print(C) -- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;" -+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;" - >>> C = cookies.SimpleCookie() - >>> C["oreo"] = "doublestuff" - >>> C["oreo"]["path"] = "/" -Index: Python-3.14.2/Lib/http/cookies.py -=================================================================== ---- Python-3.14.2.orig/Lib/http/cookies.py 2026-01-30 14:25:21.316524119 +0100 -+++ Python-3.14.2/Lib/http/cookies.py 2026-01-30 14:25:26.265560727 +0100 -@@ -87,9 +87,9 @@ - such trickeries do not confuse it. 
- - >>> C = cookies.SimpleCookie() -- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";') -+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";') - >>> print(C) -- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;" -+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;" - - Each element of the Cookie also supports all of the RFC 2109 - Cookie attributes. Here's an example which sets the Path -@@ -170,6 +170,15 @@ - }) - - _is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch -+_control_character_re = re.compile(r'[\x00-\x1F\x7F]') -+ -+ -+def _has_control_character(*val): -+ """Detects control characters within a value. -+ Supports any type, as header values can be any type. -+ """ -+ return any(_control_character_re.search(str(v)) for v in val) -+ - - def _quote(str): - r"""Quote a string for use in a cookie header. -@@ -294,12 +303,16 @@ - K = K.lower() - if not K in self._reserved: - raise CookieError("Invalid attribute %r" % (K,)) -+ if _has_control_character(K, V): -+ raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}") - dict.__setitem__(self, K, V) - - def setdefault(self, key, val=None): - key = key.lower() - if key not in self._reserved: - raise CookieError("Invalid attribute %r" % (key,)) -+ if _has_control_character(key, val): -+ raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,)) - return dict.setdefault(self, key, val) - - def __eq__(self, morsel): -@@ -335,6 +348,9 @@ - raise CookieError('Attempt to set a reserved key %r' % (key,)) - if not _is_legal_key(key): - raise CookieError('Illegal key %r' % (key,)) -+ if _has_control_character(key, val, coded_val): -+ raise CookieError( -+ "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,)) - - # It's a good key, so save it. 
- self._key = key -@@ -488,7 +504,10 @@ - result = [] - items = sorted(self.items()) - for key, value in items: -- result.append(value.output(attrs, header)) -+ value_output = value.output(attrs, header) -+ if _has_control_character(value_output): -+ raise CookieError("Control characters are not allowed in cookies") -+ result.append(value_output) - return sep.join(result) - - __str__ = output -Index: Python-3.14.2/Lib/test/support/__init__.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/support/__init__.py 2026-01-30 14:25:22.035209804 +0100 -+++ Python-3.14.2/Lib/test/support/__init__.py 2026-01-30 14:26:31.354376277 +0100 -@@ -68,7 +68,8 @@ - "BrokenIter", - "in_systemd_nspawn_sync_suppressed", - "run_no_yield_async_fn", "run_yielding_async_fn", "async_yield", -- "reset_code", "on_github_actions" -+ "reset_code", "on_github_actions", -+ "control_characters_c0", - ] - - -@@ -3185,3 +3186,10 @@ - return _linked_to_musl - _linked_to_musl = tuple(map(int, version.split('.'))) - return _linked_to_musl -+ -+ -+def control_characters_c0() -> list[str]: -+ """Returns a list of C0 control characters as strings. -+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F. 
-+ """ -+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"] -Index: Python-3.14.2/Lib/test/test_http_cookies.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/test_http_cookies.py 2026-01-30 14:25:22.919203244 +0100 -+++ Python-3.14.2/Lib/test/test_http_cookies.py 2026-01-30 14:25:26.265943668 +0100 -@@ -17,10 +17,10 @@ - 'repr': "", - 'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'}, - -- {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"', -- 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'}, -- 'repr': '''''', -- 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'}, -+ {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"', -+ 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'}, -+ 'repr': '''''', -+ 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'}, - - # Check illegal cookies that have an '=' char in an unquoted value - {'data': 'keebler=E=mc2', -@@ -571,6 +571,50 @@ - r'Set-Cookie: key=coded_val; ' - r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+') - -+ def test_control_characters(self): -+ for c0 in support.control_characters_c0(): -+ morsel = cookies.Morsel() -+ -+ # .__setitem__() -+ with self.assertRaises(cookies.CookieError): -+ morsel[c0] = "val" -+ with self.assertRaises(cookies.CookieError): -+ morsel["path"] = c0 -+ -+ # .setdefault() -+ with self.assertRaises(cookies.CookieError): -+ morsel.setdefault("path", c0) -+ with self.assertRaises(cookies.CookieError): -+ morsel.setdefault(c0, "val") -+ -+ # .set() -+ with self.assertRaises(cookies.CookieError): -+ morsel.set(c0, "val", "coded-value") -+ with self.assertRaises(cookies.CookieError): -+ morsel.set("path", c0, "coded-value") -+ with self.assertRaises(cookies.CookieError): -+ morsel.set("path", "val", c0) -+ -+ def test_control_characters_output(self): -+ # Tests that even if the internals of Morsel are modified -+ # that a call to .output() has control character safeguards. 
-+ for c0 in support.control_characters_c0(): -+ morsel = cookies.Morsel() -+ morsel.set("key", "value", "coded-value") -+ morsel._key = c0 # Override private variable. -+ cookie = cookies.SimpleCookie() -+ cookie["cookie"] = morsel -+ with self.assertRaises(cookies.CookieError): -+ cookie.output() -+ -+ morsel = cookies.Morsel() -+ morsel.set("key", "value", "coded-value") -+ morsel._coded_value = c0 # Override private variable. -+ cookie = cookies.SimpleCookie() -+ cookie["cookie"] = morsel -+ with self.assertRaises(cookies.CookieError): -+ cookie.output() -+ - - def load_tests(loader, tests, pattern): - tests.addTest(doctest.DocTestSuite(cookies)) -Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-30 14:25:26.266224501 +0100 -@@ -0,0 +1 @@ -+Reject control characters in :class:`http.cookies.Morsel` fields and values. diff --git a/Python-3.14.2.tar.xz b/Python-3.14.2.tar.xz deleted file mode 100644 index 3b03ed3..0000000 --- a/Python-3.14.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ce543ab854bc256b61b71e9b27f831ffd1bfd60a479d639f8be7f9757cf573e9 -size 23566248 diff --git a/Python-3.14.2.tar.xz.sigstore b/Python-3.14.2.tar.xz.sigstore deleted file mode 100644 index 5c9cd40..0000000 --- a/Python-3.14.2.tar.xz.sigstore +++ /dev/null 
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUDsC7oWnW0l9pHr41nnkmS1oOYd4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMjA1MjAwMTUzWhcNMjUxMjA1MjAxMTUzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZEAAJg3xeYECyl7becytac2kIE1oFgQuGjrjBzXQG27d8TeQqTZtRdL5oZOCZt1y/DDoBfdbWul1CPovG+7z2aOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUl4K9C9akjTSm/al0xnJmeooQq/kwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmvAbUOYAAAQDAEcwRQIgRbXsQrWV8kdhD5tMMwX5Iy2LWWHxil6V5J/mXp+/9/gCIQCwBHKBpWN3SR6/TLPr7oZCZYQB+z5q8lVqybvZSaLS4TAKBggqhkjOPQQDAwNoADBlAjBL6XGjsOPP/N74Rcw3v7CCoe23bfyE18w/XdxmJAsj9Xr6pRdpcRuEytFeLdZWIqICMQDJL2czjBTiWUkqrLq31Cvp+fQhuGSp9IZsVbTo+j6tSzfa1dwu0sy2kjBtlcRbYVs="}, "tlogEntries": [{"logIndex": "743606302", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1764964913", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFnGvsHdMeYy8nrwtVTdv/PaR1aTDwf9Yrv2GjdsNsw+AiAR2o0BrjcFe8TjxbWreTwZ/Kt3zeGSi15x+znz2Ocr9g=="}, "inclusionProof": {"logIndex": "621702040", "rootHash": "dVHtSx74n1EVKTr8ZkEoUDJHV2piMrM5Jyo3x2f8GEU=", "treeSize": "621702042", "hashes": ["Kn+73i6MNIgHE1cdeyArBBdDm+sBwxxKKBO/Y8hPFik=", "21huZMFAhYUSB3tH7/d0+H+OjdndnWoE53mHoRBShZo=", "t3/3NnomBwpQQ/dit38qL8n8ICrN1dqZtiqcYM17fxU=", "e5OOoHIJrUS+lsIZNNLgCqLnU7fsgOINTlSFPPMOK+4=", "ETAkx6N//tEwnhFB+hjwavO9F2M4JBBCbK+W/kZLg0Q=", "mamQezujujSnmKn/0+ueS2xlFZCYg0G6tTjNZ1ezFH0=", "KY+mZ6XMnzG1xo3I/kVu9Uw9DK3UKfa4PXt7i4ElYpQ=", "IaVIX1Ns+gb7uyNW1PFOI2Eko8sf6VyOvY+1txNb27I=", 
"NTzWPyfxc1IPzv49Nng3yy1Ri5Y94teOI4RQNzzPwik=", "NxaZXwQFBXq44JqVMKZx4KkC0y7CIoG4GsV3H+ntf6w=", "YYvp7Leoq6lF3zEs+Bux7BQt/UrxFbOOJAwVroBevek=", "pQtmpjszxrel2u+2I5HrLBwlwvhc19nfAUsa5EHZAe4=", "0jEq6eagxqoSOor9OR//fY6uOsPzLaE1q1n9tZRzfSc=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n621702042\ndVHtSx74n1EVKTr8ZkEoUDJHV2piMrM5Jyo3x2f8GEU=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiBERVmx1IGpoQwrsH/RebrgT8NR5mfKLcAa+Mr2DM8VuwIgYHEm0SHrV47gTZwUWt6Ck5Tk3SR6JNQgUCbIntbUQyc=\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "zlQ6uFS8JWthtx6bJ/gx/9G/1gpHnWOfi+f5dXz1c+k="}, "signature": "MEUCIQCgdSq4et+By94LKj5g+z0ySrypmm7+9bBPlU//6UebbAIgYIaSPnMHjvkl/0S2LaISIEffnyUR+2ladYOmYvxM4UI="}} diff --git a/Python-3.14.3.tar.xz b/Python-3.14.3.tar.xz new file mode 100644 index 0000000..4a73558 --- /dev/null +++ b/Python-3.14.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a97d5549e9ad81fe17159ed02c68774ad5d266c72f8d9a0b5a9c371fe85d902b +size 23778568 diff --git a/Python-3.14.3.tar.xz.sigstore b/Python-3.14.3.tar.xz.sigstore new file mode 100644 index 0000000..615fe1b --- /dev/null +++ b/Python-3.14.3.tar.xz.sigstore 
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "908836744", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1770143360", "inclusionPromise": {"signedEntryTimestamp": "MEYCIQDvK2No1zzRFayBeyzvA42BK6xuXOlV6KMe66YHqPGpyQIhAIgzTnzAjblnl+WzNN7oH2DK/qj4pl9JaBLNHPQrOQrI"}, "inclusionProof": {"logIndex": "786932482", "rootHash": "dGVFvc1oLbLyJiHnFEycV208nQJKUBJwroHzkkEqIIo=", "treeSize": "786932485", "hashes": ["h2AO7cQ01eF2B8CkF2PIO4su+qg6eQB2J/Ig0br85HA=", "O3EIEcvyyn5ZYNiBc8YSrN/mREv4Poj9WCpv8jE/oyI=", "IpLe03oVtHPl1LgYBblTCahhLhs6wFvzdlGZgJzQ1uk=", "go/Nm4TUqqeO6DxsYqK/L32zREpElrXy7C2euZySNzg=", "L2xrC73coSdSyPb0X33W6SDKVMxsk74ZnFRJINpON8I=", "fRNx1tBqRqL5Yibyg7EjJbHuiShPUD+wS5BZPO9nBEM=", "QdVJN4pI2za6IrM4/I4o9aeZMiXnx7faJSZQMhMmtU8=", "sCWg+jViEKkz6QEEx56tYG4vykLu2WiALyfOcM96toQ=", "AAtQsmfrXzumS5rosvNxszWd2XG1lRck4WtRuwVAiU8=", "bGXXJ36FovKuLHu/UAyDMaXYRCr5fKcrc9rlbjQ7HDs=", "iEKYdHrZdRVr6DbpjA8Lcwmot+QZOoeZ1BAEuu/Bvro=", "RBHg3kfW74vkatMSjoUEMZxs4pXkX6y3f906Fc2Yc0Y=", "YEPMagC4YFWQMmrwdZHLOWJudK6RRRuGHVQ8/uADabI=", "yeCWAa93hha1YBKuFn93zBzKbqQW3tYHrgkSp5U7ndU=", "4O6YxKguFZGEr7Xsa3hqNAN2Qq7uVVat/IV4masT570=", "F9MSQ5SmoFr+hoADclpdFY52/TLfHDnNPYb9ZNYO5gI=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n786932485\ndGVFvc1oLbLyJiHnFEycV208nQJKUBJwroHzkkEqIIo=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiAif/bJOkEHuQeaIivryOmrr7YAKYb3T2xrD88l009VuQIhANUlyrkF5XOL10+83p09JViRO8CzJmGsjKL6OMXbObWE\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "qX1VSemtgf4XFZ7QLGh3StXSZscvjZoLWpw3H+hdkCs="}, 
"signature": "MEQCIFCcqoThgaRxVHjjwxlhuq5bNI1bprqFXpJC9tel4cG8AiBHsBe3xXGSHomQksnE9eUU+9lyPGyaEIjpieiLUK5DGg=="}} diff --git a/gh138131-exclude-pycache-from-digest.patch b/gh138131-exclude-pycache-from-digest.patch deleted file mode 100644 index c5e371d..0000000 --- a/gh138131-exclude-pycache-from-digest.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 4bb41b28d5bac09bccd636d8c5fefe1a462f63a7 Mon Sep 17 00:00:00 2001 -From: Alm -Date: Mon, 25 Aug 2025 08:56:38 +0300 -Subject: [PATCH 1/4] Exclude .pyc files from the computed digest in the jit - stencils - ---- - Tools/jit/_targets.py | 3 +++ - 1 file changed, 3 insertions(+) - -Index: Python-3.14.0rc2/Tools/jit/_targets.py -=================================================================== ---- Python-3.14.0rc2.orig/Tools/jit/_targets.py -+++ Python-3.14.0rc2/Tools/jit/_targets.py -@@ -69,6 +69,9 @@ class _Target(typing.Generic[_S, _R]): - hasher.update(PYTHON_EXECUTOR_CASES_C_H.read_bytes()) - hasher.update((self.pyconfig_dir / "pyconfig.h").read_bytes()) - for dirpath, _, filenames in sorted(os.walk(TOOLS_JIT)): -+ # Exclude cache files from digest computation to ensure reproducible builds. -+ if dirpath.endswith("__pycache__"): -+ continue - for filename in filenames: - hasher.update(pathlib.Path(dirpath, filename).read_bytes()) - return hasher.hexdigest() -Index: Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst -=================================================================== ---- /dev/null -+++ Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst -@@ -0,0 +1 @@ -+Ensure reproducible builds by making JIT stencil header generation deterministic. diff --git a/gh139257-Support-docutils-0.22.patch b/gh139257-Support-docutils-0.22.patch index fa52df3..031a094 100644 --- a/gh139257-Support-docutils-0.22.patch +++ b/gh139257-Support-docutils-0.22.patch 
@@ -7,10 +7,10 @@ Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22 Doc/tools/extensions/pyspecific.py | 68 +++++++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 22 deletions(-) -Index: Python-3.14.2/Doc/tools/extensions/pyspecific.py +Index: Python-3.14.3/Doc/tools/extensions/pyspecific.py =================================================================== ---- Python-3.14.2.orig/Doc/tools/extensions/pyspecific.py 2025-12-05 17:49:16.000000000 +0100 -+++ Python-3.14.2/Doc/tools/extensions/pyspecific.py 2025-12-11 18:15:44.936875242 +0100 +--- Python-3.14.3.orig/Doc/tools/extensions/pyspecific.py 2026-02-03 16:32:20.000000000 +0100 ++++ Python-3.14.3/Doc/tools/extensions/pyspecific.py 2026-02-05 16:01:45.363997744 +0100 @@ -1,12 +1,12 @@ # -*- coding: utf-8 -*- """ diff --git a/python314.changes b/python314.changes index f1a954a..212899c 100644 --- a/python314.changes +++ b/python314.changes 
@@ -1,3 +1,363 @@ +------------------------------------------------------------------- +Thu Feb 5 12:57:09 UTC 2026 - Matej Cepl + +- Update to 3.14.3: + - Tools/Demos + - gh-142095: Make gdb ‘py-bt’ command use frame from thread + local state when available. Patch by Sam Gross and Victor + Stinner. + - Tests + - gh-144415: The Android testbed now distinguishes between + stdout/stderr messages which were triggered by a newline, + and those triggered by a manual call to flush. This fixes + logging of progress indicators and similar content. + - gh-143460: Skip tests relying on infinite recusion if stack + size is unlimited. + - gh-65784: Add support for parametrized resource wantobjects + in regrtests, which allows to run Tkinter tests with the + specified value of tkinter.wantobjects, for example -u + wantobjects=0. + - gh-143553: Add support for parametrized resources, such as + -u xpickle=2.7. + - gh-142836: Accommodated Solaris in + test_pdb.test_script_target_anonymous_pipe. + - bpo-31391: Forward-port test_xpickle from Python 2 to + Python 3 and add the resource back to test’s command line. + - Security + - gh-144125: BytesGenerator will now refuse to serialize + (write) headers that are unsafely folded or delimited; see + verify_generated_headers. (Contributed by Bas Bloemsaat and + Petr Viktorin in gh-121650). + - gh-143935: Fixed a bug in the folding of comments when + flattening an email message using a modern email policy. + Comments consisting of a very long sequence of non-foldable + characters could trigger a forced line wrap that omitted + the required leading space on the continuation line, + causing the remainder of the comment to be interpreted as + a new header field. This enabled header injection with + carefully crafted inputs (bsc#1257029, CVE-2025-11468). + - gh-143925: Reject control characters in data: URL media + types. + - gh-143919: Reject control characters in http.cookies.Morsel + fields and values (bsc#1257031, CVE-2026-0672). 
+ - gh-143916: Reject C0 control characters within + wsgiref.headers.Headers fields, values, and parameters. + - Library + - gh-144380: Improve performance of io.BufferedReader line + iteration by ~49%. + - gh-144169: Fix three crashes when non-string keyword + arguments are supplied to objects in the ast module. + - gh-144100: Fixed a crash in ctypes when using a deprecated + POINTER(str) type in argtypes. Instead of aborting, ctypes + now raises a proper Python exception when the pointer + target type is unresolved. + - gh-144050: Fix stat.filemode() in the pure-Python + implementation to avoid misclassifying invalid mode values + as block devices. + - gh-144023: Fixed validation of file descriptor 0 in posix + functions when used with follow_symlinks parameter. + - gh-143999: Fix an issue where inspect.getgeneratorstate() + and inspect.getcoroutinestate() could fail for generators + wrapped by types.coroutine() in the suspended state. + - gh-143831: annotationlib.ForwardRef objects are now + hashable when created from annotation scopes with closures. + Previously, hashing such objects would throw an exception. + Patch by Bartosz Sławecki. + - gh-143874: Fixed a bug in pdb where expression results were + not sent back to remote client. + - gh-143880: Fix data race in functools.partial() in the free + threading build. + - gh-143706: Fix multiprocessing forkserver so that sys.argv + is correctly set before __main__ is preloaded. Previously, + sys.argv was empty during main module import in forkserver + child processes. This fixes a regression introduced in + 3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test + provided by Thomas Watson, thanks! + - gh-143638: Forbid reentrant calls of the pickle.Pickler and + pickle.Unpickler methods for the C implementation. + Previously, this could cause crash or data corruption, now + concurrent calls of methods of the same object raise + RuntimeError. 
+ - gh-78724: Raise RuntimeError’s when user attempts to call + methods on half-initialized Struct objects, For example, + created by Struct.__new__(Struct). Patch by Sergey + B Kirpichev. + - gh-143196: Fix crash when the internal encoder object + returned by undocumented function + json.encoder.c_make_encoder() was called with non-zero + second (_current_indent_level) argument. + - gh-143191: _thread.stack_size() now raises ValueError if + the stack size is too small. Patch by Victor Stinner. + - gh-143602: Fix a inconsistency issue in write() that leads + to unexpected buffer overwrite by deduplicating the buffer + exports. + - gh-143547: Fix sys.unraisablehook() when the hook raises an + exception and changes sys.unraisablehook(): hold a strong + reference to the old hook. Patch by Victor Stinner. + - gh-143517: annotationlib.get_annotations() no longer raises + a SyntaxError when evaluating a stringified starred + annotation that starts with one or more whitespace + characters followed by a *. Patch by Bartosz Sławecki. + - gh-143378: Fix use-after-free crashes when a BytesIO object + is concurrently mutated during write() or writelines(). + - gh-143346: Fix incorrect wrapping of the Base64 data in + plistlib._PlistWriter when the indent contains a mix of + tabs and spaces. + - gh-143310: tkinter: fix a crash when a Python list is + mutated during the conversion to a Tcl object (e.g., when + setting a Tcl variable). Patch by Bénédikt Tran. + - gh-143309: Fix a crash in os.execve() on non-Windows + platforms when given a custom environment mapping which is + then mutated during parsing. Patch by Bénédikt Tran. + - gh-143308: pickle: fix use-after-free crashes when + a PickleBuffer is concurrently mutated by a custom buffer + callback during pickling. Patch by Bénédikt Tran and Aaron + Wieczorek. + - gh-143237: Fix support of named pipes in the rotating + logging handlers. + - gh-143249: Fix possible buffer leaks in Windows overlapped + I/O on error handling. 
+ - gh-143241: zoneinfo: fix infinite loop in + ZoneInfo.from_file when parsing a malformed TZif file. + Patch by Fatih Celik. + - gh-142830: sqlite3: fix use-after-free crashes when the + connection’s callbacks are mutated during a callback + execution. Patch by Bénédikt Tran. + - gh-143200: xml.etree.ElementTree: fix use-after-free + crashes in __getitem__() and __setitem__() methods of + Element when the element is concurrently mutated. Patch by + Bénédikt Tran. + - gh-142195: Updated timeout evaluation logic in subprocess + to be compatible with deterministic environments like + Shadow where time moves exactly as requested. + - gh-142164: Fix the ctypes bitfield overflow error message + to report the correct offset and size calculation. + - gh-143145: Fixed a possible reference leak in ctypes when + constructing results with multiple output parameters on + error. + - gh-122431: Corrected the error message in + readline.append_history_file() to state that nelements must + be non-negative instead of positive. + - gh-143004: Fix a potential use-after-free in + collections.Counter.update() when user code mutates the + Counter during an update. + - gh-143046: The asyncio REPL no longer prints copyright and + version messages in the quiet mode (-q). Patch by Bartosz + Sławecki. + - gh-140648: The asyncio REPL now respects the -I flag + (isolated mode). Previously, it would load and execute + PYTHONSTARTUP even if the flag was set. Contributed by + Bartosz Sławecki. + - gh-142991: Fixed socket operations such as recvfrom() and + sendto() for FreeBSD divert(4) socket. + - gh-143010: Fixed a bug in mailbox where the precise timing + of an external event could result in the library opening an + existing file instead of a file it expected to create. + - gh-142881: Fix concurrent and reentrant call of + atexit.unregister(). + - gh-112127: Fix possible use-after-free in + atexit.unregister() when the callback is unregistered + during comparison. 
+ - gh-142783: Fix zoneinfo use-after-free with descriptor + _weak_cache. a descriptor as _weak_cache could cause + crashes during object creation. The fix ensures proper + reference counting for descriptor-provided objects. + - gh-142754: Add the ownerDocument attribute to + xml.dom.minidom elements and attributes created by directly + instantiating the Element or Attr class. Note that this way + of creating nodes is not supported; creator functions like + xml.dom.Document.documentElement() should be used instead. + - gh-142784: The asyncio REPL now properly closes the loop + upon the end of interactive session. Previously, it could + cause surprising warnings. Contributed by Bartosz Sławecki. + - gh-142555: array: fix a crash in a[i] = v when converting + i to an index via i.__index__ or i.__float__ mutates the + array. + - gh-142594: Fix crash in TextIOWrapper.close() when the + underlying buffer’s closed property calls detach(). + - gh-142451: hmac: Ensure that the HMAC.block_size attribute + is correctly copied by HMAC.copy. Patch by Bénédikt Tran. + - gh-142495: collections.defaultdict now prioritizes + __setitem__() when inserting default values from + default_factory. This prevents race conditions where + a default value would overwrite a value set before + default_factory returns. + - gh-142651: unittest.mock: fix a thread safety issue where + Mock.call_count may return inaccurate values when the mock + is called concurrently from multiple threads. + - gh-142595: Added type check during initialization of the + decimal module to prevent a crash in case of broken stdlib. + Patch by Sergey B Kirpichev. + - gh-142556: Fix crash when a task gets re-registered during + finalization in asyncio. Patch by Kumar Aditya. + - gh-123241: Avoid reference count operations in garbage + collection of ctypes objects. 
+ - gh-142517: The non-compat32 email policies now correctly + handle refolding encoded words that contain bytes that can + not be decoded in their specified character set. Previously + this resulted in an encoding exception during folding. + - gh-112527: The help text for required options in argparse + no longer extended with “ (default: None)”. + - gh-142346: Fix usage formatting for mutually exclusive + groups in argparse when they are preceded by positional + arguments or followed or intermixed with other optional + arguments. + - gh-142315: Pdb can now run scripts from anonymous pipes + used in process substitution. Patch by Bartosz Sławecki. + - gh-142332: Fix usage formatting for positional arguments in + mutually exclusive groups in argparse. in argparse. + - gh-142282: Fix winreg.QueryValueEx() to not accidentally + read garbage buffer under race condition. + - gh-75949: Fix argparse to preserve | separators in mutually + exclusive groups when the usage line wraps due to length. + - gh-142267: Improve argparse performance by caching the + formatter used for argument validation. + - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header + name defects are now correctly passed to the handle_defect + method of policy in FeedParser. + - gh-142006: Fix a bug in the email.policy.default folding + algorithm which incorrectly resulted in a doubled newline + when a line ending at exactly max_line_length was followed + by an unfoldable token. + - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving + underlying cancelled asyncio task running. + - gh-139971: pydoc: Ensure that the link to the online + documentation of a stdlib module is correct. + - gh-139262: Some keystrokes can be swallowed in the new + PyREPL on Windows, especially when used together with the + ALT key. Fix by Chris Eibl. + - gh-138897: Improved license/copyright/credits display in + the REPL: now uses a pager. 
+ - gh-79986: Add parsing for References and In-Reply-To + headers to the email library that parses the header content + as lists of message id tokens. This prevents them from + being folded incorrectly. + - gh-136282: Add support for UNNAMED_SECTION when creating + a section via the mapping protocol access + - gh-109263: Starting a process from spawn context in + multiprocessing no longer sets the start method globally. + - gh-133253: Fix thread-safety issues in linecache. + - gh-132715: Skip writing objects during marshalling once + a failure has occurred. + - IDLE + - gh-143774: Better explain the operation of Format / Format + Paragraph. + - Documentation + - gh-140806: Add documentation for enum.bin(). + - Core and Builtins + - gh-144307: Prevent a reference leak in module teardown at + interpreter finalization. + - gh-144194: Fix error handling in perf jitdump + initialization on memory allocation failure. + - gh-144012: Check if the result is NULL in BINARY_OP_EXTENT + opcode. + - gh-141805: Fix crash in set when objects with the same hash + are concurrently added to the set after removing an element + with the same hash while the set still contains elements + with the same hash. + - gh-143670: Fixes a crash in ga_repr_items_list function. + - gh-143377: Fix a crash in _interpreters.capture_exception() + when the exception is incorrectly formatted. Patch by + Bénédikt Tran. + - gh-136924: The interactive help mode in the REPL no longer + incorrectly syntax highlights text input as Python code. + Contributed by Olga Matoula. + - gh-143189: Fix crash when inserting a non-str key into + a split table dictionary when the key matches an existing + key in the split table but has no corresponding value in + the dict. + - gh-143228: Fix use-after-free in perf trampoline when + toggling profiling while threads are running or during + interpreter finalization with daemon threads active. 
The + fix uses reference counting to ensure trampolines are not + freed while any code object could still reference them. + Pach by Pablo Galindo + - gh-142664: Fix a use-after-free crash in + memoryview.__hash__ when the __hash__ method of the + referenced object mutates that object or the view. Patch by + Bénédikt Tran. + - gh-142557: Fix a use-after-free crash in bytearray.__mod__ + when the bytearray is mutated while formatting the %-style + arguments. Patch by Bénédikt Tran. + - gh-143195: Fix use-after-free crashes in bytearray.hex() + and memoryview.hex() when the separator’s __len__() mutates + the original object. Patch by Bénédikt Tran. + - gh-142975: Fix crash after unfreezing all objects tracked + by the garbage collector on the free threaded build. + - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is + 0. Previously, it was set to 0 in this case. + - gh-143003: Fix an overflow of the shared empty buffer in + bytearray.extend() when __length_hint__() returns 0 for + non-empty iterator. + - gh-143006: Fix a possible assertion error when comparing + negative non-integer float and int with the same number of + bits in the integer part. + - gh-143057: Avoid locking in PyTraceMalloc_Track() and + PyTraceMalloc_Untrack() when tracemalloc is not enabled. + - gh-142776: Fix a file descriptor leak in import.c + - gh-142829: Fix a use-after-free crash in + contextvars.Context comparison when a custom __eq__ method + modifies the context via set(). + - gh-142766: Clear the frame of a generator when + generator.close() is called. + - gh-142737: Tracebacks will be displayed in fallback mode + even if io.open() is lost. Previously, this would crash the + interpreter. Patch by Bartosz Sławecki. + - gh-142554: Fix a crash in divmod() when + _pylong.int_divmod() does not return a tuple of length two + exactly. Patch by Bénédikt Tran. 
+ - gh-142560: Fix use-after-free in bytearray search-like + methods (find(), count(), index(), rindex(), and rfind()) + by marking the storage as exported which causes + reallocation attempts to raise BufferError. For contains(), + split(), and rsplit() the buffer protocol is used for this. + - gh-142531: Fix a free-threaded GC performance regression. + If there are many untracked tuples, the GC will run too + often, resulting in poor performance. The fix is to include + untracked tuples in the “long lived” object count. The + number of frozen objects is also now included since the + free-threaded GC must scan those too. + - gh-142402: Fix reference counting when adjacent literal + parts are merged while constructing + string.templatelib.Template, preventing the displaced + string object from leaking. + - gh-133932: Fix crash in the free threading build when + clearing frames that hold tagged integers. + - gh-142343: Fix SIGILL crash on m68k due to incorrect + assembly constraint. + - gh-100964: Fix reference cycle in exhausted generator + frames. Patch by Savannah Ostrowski. + - gh-69605: Fix edge-cases around already imported modules in + the REPL auto-completion of imports. + - gh-138568: Adjusted the built-in help() function so that + empty inputs are ignored in interactive mode. + - gh-137007: Fix a bug during JIT compilation failure which + caused garbage collection debug assertions to fail. + - C API + - gh-142589: Fix + PyUnstable_Object_IsUniqueReferencedTemporary() handling of + tagged ints on the interpreter stack. + - gh-142571: PyUnstable_CopyPerfMapFile() now checks that + opening the file succeeded before flushing. + - Build + - gh-142454: When calculating the digest of the JIT stencils + input, sort the hashed files by filenames before adding + their content to the hasher. This ensures deterministic + hash input and hence deterministic hash, independent on + filesystem order. 
+ - gh-141808: When running make clean-retain-profile, keep the + generated JIT stencils. That way, the stencils are not + generated twice when Profile-guided optimization (PGO) is + used. It also allows distributors to supply their own + pre-built JIT stencils. + - gh-138061: Ensure reproducible builds by making JIT stencil + header generation deterministic. +- Remove upstreamed patches: + - CVE-2024-6923-follow-up-EOL-email-headers.patch + - CVE-2025-11468-email-hdr-fold-comment.patch + - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch + - gh138131-exclude-pycache-from-digest.patch + ------------------------------------------------------------------- Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl @@ -4030,7 +4390,7 @@ Tue Nov 19 22:08:24 UTC 2024 - Matej Cepl generated URLs beginning with four slashes (rather than two) when given a Windows UNC path. - gh-126156: Improved performances of creating Morsel objects - by a factor of 3.8x. + by a factor of 3.8x (bsc#1257031, CVE-2026-0672). - gh-126105: Fix a crash in ast when the ast.AST._fields attribute is deleted. - gh-126106: Fixes a possible NULL pointer dereference in diff --git a/python314.spec b/python314.spec index bbc6ae6..1932edd 100644 --- a/python314.spec +++ b/python314.spec @@ -124,7 +124,7 @@ # %%define tarversion %%{version} # %%endif # We don't process beta signs well -%define folderversion 3.14.2 +%define folderversion 3.14.3 %define sitedir %{_libdir}/python%{python_version} # three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149 %define abi_kind %{nil} @@ -162,7 +162,7 @@ # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so Name: %{python_pkg_name}%{psuffix} -Version: 3.14.2 +Version: 3.14.3 %define tarversion %{version} %define tarname Python-%{tarversion} Release: 0 
@@ -220,20 +220,8 @@ Patch40: fix-test-recursion-limit-15.6.patch # PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com # Doc: Generate ids for audit_events using docname Patch41: bsc1243155-sphinx-non-determinism.patch -# PATCH-FIX-UPSTREAM gh138131-exclude-pycache-from-digest.patch bsc#1244680 daniel.garcia@suse.com -Patch44: gh138131-exclude-pycache-from-digest.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch45: gh139257-Support-docutils-0.22.patch -# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 mcepl@suse.com -# Encode newlines in headers when using ByteGenerator -# patch from gh#python/cpython#144125 -Patch46: CVE-2024-6923-follow-up-EOL-email-headers.patch -# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com -# Email preserve parens when folding comments -Patch47: CVE-2025-11468-email-hdr-fold-comment.patch -# PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 mcepl@suse.com -# Reject control characters in http cookies -Patch48: CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch #### Python 3.14 END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake
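Review bot: both patch-file deletions in this commit are backed by the release notes added in the same commit, so they are genuine upstreaming rather than silent drops. The removed CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch carries the NEWS file Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst, and the new python314.changes block lists "gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672)"; the removed gh138131-exclude-pycache-from-digest.patch carries the NEWS file gh-issue-138061.fMVS9w.rst, and the changelog lists "gh-138061: Ensure reproducible builds by making JIT stencil header generation deterministic". One observation for the record: the packaging file name says gh138131 while its body references gh-138061, so grepping the changelog for the patch name would not have found the matching entry; nothing to fix now that the file is gone.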
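Review bot: the new Python-3.14.3.tar.xz.sigstore bundle is consistent with the LFS pointer it sits beside, but the diff cannot show who signed it. The bundle's messageSignature.messageDigest ("qX1VSemtgf4XFZ7Q…", algorithm SHA2_256) is the base64 form of the sha256 a97d5549e9ad81fe17159ed02c68774ad5d266c72f8d9a0b5a9c371fe85d902b recorded in Python-3.14.3.tar.xz, just as the deleted bundle's "zlQ6uFS8JWthtx6b…" was of ce543ab854bc256b… for 3.14.2, so the signature is over the tarball actually shipped. The 3.14.3 certificate rawBytes are elided in this view, whereas the deleted 3.14.2 certificate visibly encodes the SAN hugo@python.org and the OIDC issuer https://github.com/login/oauth. Before merging, verify the new bundle against that same identity rather than only checking that it verifies at all, e.g. `sigstore verify identity --bundle Python-3.14.3.tar.xz.sigstore --cert-identity hugo@python.org --cert-oidc-issuer https://github.com/login/oauth Python-3.14.3.tar.xz`; a bundle produced by any other Fulcio identity would also pass a bare signature check.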
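Review bot: only the Index:/---/+++ headers of gh139257-Support-docutils-0.22.patch change in this hunk (Python-3.14.2 to Python-3.14.3 plus fresh mtimes); the "@@ -1,12 +1,12 @@" body is untouched, so this is a pure rebase with no behavioural change. Style point: the absolute Python-3.14.x paths and timestamps embedded in the header are the only reason this PATCH-FIX-OPENSUSE patch has to be rewritten on every version bump. A git-style header (`--- a/Doc/tools/extensions/pyspecific.py` / `+++ b/Doc/tools/extensions/pyspecific.py`, applied with -p1) would carry across releases unchanged and keep the churn out of future diffs.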
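Review bot: the new 3.14.3 block in python314.changes loses two bug references that the spec hunk drops together with the patches. Patch46 was tagged `bsc#1257181` and described as "patch from gh#python/cpython#144125", yet the changelog line "gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited" carries no bsc or CVE-2024-6923 reference; likewise Patch44 was tagged `bsc#1244680` and the matching "gh-138061: Ensure reproducible builds by making JIT stencil header generation deterministic" entry has none. The gh-143935 (bsc#1257029, CVE-2025-11468) and gh-143919 (bsc#1257031, CVE-2026-0672) entries do carry theirs, so add "(bsc#1257181, follow-up to CVE-2024-6923)" and "(bsc#1244680)" to the other two; once the spec comments are gone, the .changes entry is the only place the bug-to-fix link survives. Minor, while touching the block: three typos copied from upstream NEWS could be corrected, "recusion" (gh-143460), "Pach by Pablo Galindo" (gh-143228), and the doubled "in argparse. in argparse." on gh-142332.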
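Review bot: the second python314.changes hunk ("@@ -4030,7 +4390,7 @@") looks like a stray edit and should be dropped. It appends "(bsc#1257031, CVE-2026-0672)" to the entry "gh-126156: Improved performances of creating Morsel objects by a factor of 3.8x" under the Tue Nov 19 2024 heading, which is a performance change, not the control-character fix; the same reference already sits on the correct line, "gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672)", in the new 3.14.3 block. Probably a search for "Morsel" matched the wrong line. Left as is, the changelog attributes the CVE fix to a 2024 release that did not contain it, which is exactly the kind of record a later audit will trust.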