diff --git a/CVE-2025-6075-expandvars-perf-degrad.patch b/CVE-2025-6075-expandvars-perf-degrad.patch new file mode 100644 index 0000000..83f7dfc --- /dev/null +++ b/CVE-2025-6075-expandvars-perf-degrad.patch @@ -0,0 +1,367 @@ +From e3b2c85d567b51dd84d1faf83398e97c0bf1eb60 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Fri, 30 May 2025 22:33:31 +0300 +Subject: [PATCH 1/2] gh-134873: Fix quadratic complexity in + os.path.expandvars() + +--- + Lib/ntpath.py | 126 +++------- + Lib/posixpath.py | 43 +-- + Lib/test/test_genericpath.py | 21 + + Lib/test/test_ntpath.py | 22 + + Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 + 5 files changed, 97 insertions(+), 116 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-134873.bu337o.rst + +Index: Python-3.15.0a1/Lib/ntpath.py +=================================================================== +--- Python-3.15.0a1.orig/Lib/ntpath.py 2025-10-14 12:46:08.000000000 +0200 ++++ Python-3.15.0a1/Lib/ntpath.py 2025-11-13 18:28:37.445868967 +0100 +@@ -400,17 +400,23 @@ + # XXX With COMMAND.COM you can use any characters in a variable name, + # XXX except '^|<>='. + ++_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)" ++_varsub = None ++_varsubb = None ++ + def expandvars(path): + """Expand shell variables of the forms $var, ${var} and %var%. + + Unknown variables are left unchanged.""" + path = os.fspath(path) ++ global _varsub, _varsubb + if isinstance(path, bytes): + if b'$' not in path and b'%' not in path: + return path +- import string +- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii') +- quote = b'\'' ++ if not _varsubb: ++ import re ++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub ++ sub = _varsubb + percent = b'%' + brace = b'{' + rbrace = b'}' +@@ -419,94 +425,44 @@ + else: + if '$' not in path and '%' not in path: + return path +- import string +- varchars = string.ascii_letters + string.digits + '_-' +- quote = '\'' ++ if not _varsub: ++ import re ++ _varsub = re.compile(_varpattern, re.ASCII).sub ++ sub = _varsub + percent = '%' + brace = '{' + rbrace = '}' + dollar = '$' + environ = os.environ +- res = path[:0] +- index = 0 +- pathlen = len(path) +- while index < pathlen: +- c = path[index:index+1] +- if c == quote: # no expansion within single quotes +- path = path[index + 1:] +- pathlen = len(path) +- try: +- index = path.index(c) +- res += c + path[:index + 1] +- except ValueError: +- res += c + path +- index = pathlen - 1 +- elif c == percent: # variable or '%' +- if path[index + 1:index + 2] == percent: +- res += c +- index += 1 +- else: +- path = path[index+1:] +- pathlen = len(path) +- try: +- index = path.index(percent) +- except ValueError: +- res += percent + path +- index = pathlen - 1 +- else: +- var = path[:index] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = percent + var + percent +- res += value +- elif c == dollar: # variable or '$$' +- if path[index + 1:index + 2] == dollar: +- res += c +- index += 1 +- elif path[index + 1:index + 2] == brace: +- path = path[index+2:] +- pathlen = len(path) +- try: +- index = path.index(rbrace) +- except ValueError: +- res += dollar + brace + path +- index = pathlen - 1 +- else: +- var = path[:index] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = dollar + brace + var + rbrace +- res += value +- else: +- var = path[:0] +- index += 1 +- c = path[index:index + 1] +- while c and c in varchars: +- var += c +- index += 1 +- c = path[index:index + 1] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = dollar + var +- res += value +- if c: +- index -= 1 ++ ++ def repl(m): ++ lastindex = m.lastindex ++ if lastindex is None: ++ return m[0] ++ name = m[lastindex] ++ if lastindex == 1: ++ if name == percent: ++ return name ++ if not name.endswith(percent): ++ return m[0] ++ name = name[:-1] + else: +- res += c +- index += 1 +- return res ++ if name == dollar: ++ return name ++ if name.startswith(brace): ++ if not name.endswith(rbrace): ++ return m[0] ++ name = name[1:-1] ++ ++ try: ++ if environ is None: ++ return os.fsencode(os.environ[os.fsdecode(name)]) ++ else: ++ return environ[name] ++ except KeyError: ++ return m[0] ++ ++ return sub(repl, path) + + + # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B. +Index: Python-3.15.0a1/Lib/posixpath.py +=================================================================== +--- Python-3.15.0a1.orig/Lib/posixpath.py 2025-10-14 12:46:08.000000000 +0200 ++++ Python-3.15.0a1/Lib/posixpath.py 2025-11-13 18:28:37.446168939 +0100 +@@ -285,42 +285,41 @@ + # This expands the forms $variable and ${variable} only. + # Non-existent variables are left unchanged. + +-_varprog = None +-_varprogb = None ++_varpattern = r'\$(\w+|\{[^}]*\}?)' ++_varsub = None ++_varsubb = None + + def expandvars(path): + """Expand shell variables of form $var and ${var}. Unknown variables + are left unchanged.""" + path = os.fspath(path) +- global _varprog, _varprogb ++ global _varsub, _varsubb + if isinstance(path, bytes): + if b'$' not in path: + return path +- if not _varprogb: ++ if not _varsubb: + import re +- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII) +- search = _varprogb.search ++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub ++ sub = _varsubb + start = b'{' + end = b'}' + environ = getattr(os, 'environb', None) + else: + if '$' not in path: + return path +- if not _varprog: ++ if not _varsub: + import re +- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII) +- search = _varprog.search ++ _varsub = re.compile(_varpattern, re.ASCII).sub ++ sub = _varsub + start = '{' + end = '}' + environ = os.environ +- i = 0 +- while True: +- m = search(path, i) +- if not m: +- break +- i, j = m.span(0) +- name = m.group(1) +- if name.startswith(start) and name.endswith(end): ++ ++ def repl(m): ++ name = m[1] ++ if name.startswith(start): ++ if not name.endswith(end): ++ return m[0] + name = name[1:-1] + try: + if environ is None: +@@ -328,13 +327,11 @@ + else: + value = environ[name] + except KeyError: +- i = j ++ return m[0] + else: +- tail = path[j:] +- path = path[:i] + value +- i = len(path) +- path += tail +- return path ++ return value ++ ++ return sub(repl, path) + + + # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B. +Index: Python-3.15.0a1/Lib/test/test_genericpath.py +=================================================================== +--- Python-3.15.0a1.orig/Lib/test/test_genericpath.py 2025-10-14 12:46:08.000000000 +0200 ++++ Python-3.15.0a1/Lib/test/test_genericpath.py 2025-11-13 18:28:37.446403609 +0100 +@@ -9,9 +9,9 @@ + import sys + import unittest + import warnings +-from test.support import ( +- is_apple, os_helper, warnings_helper +-) ++from test import support ++from test.support import os_helper ++from test.support import warnings_helper + from test.support.script_helper import assert_python_ok + from test.support.os_helper import FakePath + +@@ -462,6 +462,19 @@ + os.fsencode('$bar%s bar' % nonascii)) + check(b'$spam}bar', os.fsencode('%s}bar' % nonascii)) + ++ @support.requires_resource('cpu') ++ def test_expandvars_large(self): ++ expandvars = self.pathmodule.expandvars ++ with os_helper.EnvironmentVarGuard() as env: ++ env.clear() ++ env["A"] = "B" ++ n = 100_000 ++ self.assertEqual(expandvars('$A'*n), 'B'*n) ++ self.assertEqual(expandvars('${A}'*n), 'B'*n) ++ self.assertEqual(expandvars('$A!'*n), 'B!'*n) ++ self.assertEqual(expandvars('${A}A'*n), 'BA'*n) ++ self.assertEqual(expandvars('${'*10*n), '${'*10*n) ++ + def test_abspath(self): + self.assertIn("foo", self.pathmodule.abspath("foo")) + with warnings.catch_warnings(): +@@ -519,7 +532,7 @@ + # directory (when the bytes name is used). + and sys.platform not in { + "win32", "emscripten", "wasi" +- } and not is_apple ++ } and not support.is_apple + ): + name = os_helper.TESTFN_UNDECODABLE + elif os_helper.TESTFN_NONASCII: +Index: Python-3.15.0a1/Lib/test/test_ntpath.py +=================================================================== +--- Python-3.15.0a1.orig/Lib/test/test_ntpath.py 2025-10-14 12:46:08.000000000 +0200 ++++ Python-3.15.0a1/Lib/test/test_ntpath.py 2025-11-13 18:28:55.652664525 +0100 +@@ -9,7 +9,8 @@ + import warnings + from ntpath import ALL_BUT_LAST, ALLOW_MISSING + from test import support +-from test.support import TestFailed, cpython_only, os_helper ++from test import support ++from test.support import os_helper + from test.support.os_helper import FakePath + from test import test_genericpath + from tempfile import TemporaryFile +@@ -59,7 +60,7 @@ + fn = fn.replace("\\", "\\\\") + gotResult = eval(fn) + if wantResult != gotResult and _norm(wantResult) != _norm(gotResult): +- raise TestFailed("%s should return: %s but returned: %s" \ ++ raise support.TestFailed("%s should return: %s but returned: %s" \ + %(str(fn), str(wantResult), str(gotResult))) + + # then with bytes +@@ -75,7 +76,7 @@ + warnings.simplefilter("ignore", DeprecationWarning) + gotResult = eval(fn) + if _norm(wantResult) != _norm(gotResult): +- raise TestFailed("%s should return: %s but returned: %s" \ ++ raise support.TestFailed("%s should return: %s but returned: %s" \ + %(str(fn), str(wantResult), repr(gotResult))) + + +@@ -1133,6 +1134,19 @@ + check('%spam%bar', '%sbar' % nonascii) + check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii) + ++ @support.requires_resource('cpu') ++ def test_expandvars_large(self): ++ expandvars = ntpath.expandvars ++ with os_helper.EnvironmentVarGuard() as env: ++ env.clear() ++ env["A"] = "B" ++ n = 100_000 ++ self.assertEqual(expandvars('%A%'*n), 'B'*n) ++ self.assertEqual(expandvars('%A%A'*n), 'BA'*n) ++ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%') ++ self.assertEqual(expandvars("%%"*n), "%"*n) ++ self.assertEqual(expandvars("$$"*n), "$"*n) ++ + def test_expanduser(self): + tester('ntpath.expanduser("test")', 'test') + +@@ -1550,7 +1564,7 @@ + self.assertTrue(os.path.exists(r"\\.\CON")) + + @unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32") +- @cpython_only ++ @support.cpython_only + def test_fast_paths_in_use(self): + # There are fast paths of these functions implemented in posixmodule.c. + # Confirm that they are being used, and not the Python fallbacks in +Index: Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2025-11-13 18:28:37.447873576 +0100 +@@ -0,0 +1 @@ ++Fix quadratic complexity in :func:`os.path.expandvars`. diff --git a/python315-rpmlintrc b/python315-rpmlintrc index 5b35f34..20f386a 100644 --- a/python315-rpmlintrc +++ b/python315-rpmlintrc @@ -1,3 +1,4 @@ addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem") -addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c") -addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp") +addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/.*.c") +addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/.*.cpp") +addFilter("python-bytecode-inconsistent-mtime.*/usr/lib64/python.*/.*.pyc") diff --git a/python315.changes b/python315.changes index 6f5a165..e2d488a 100644 --- a/python315.changes +++ b/python315.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl + +- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple + quadratic complexity vulnerabilities of os.path.expandvars() + (CVE-2025-6075, bsc#1252974). +- Skip test_curses on ppc64le (gh#python/cpython#141534) + ------------------------------------------------------------------- Mon Nov 10 10:01:37 UTC 2025 - Andreas Schwab @@ -44,7 +52,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl modules when explicitly specified. - Tests - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore - the --verbose option anymore. Patch by Victor Stinner. + avoid simple quadratic complexity vulnerabilities of + (CVE-2025-6075, bsc#1252974). os.path.expandvars() the + --verbose option anymore. Patch by Victor Stinner. - gh-138313: Restore skipped test and add janky workaround to prevent select buildbots from failing with a ResourceWarning. @@ -193,9 +203,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl arguments now accept any real numbers (such as Decimal and Fraction), not only integers or floats, although this does not improve precision. - - gh-95953: A CSS class, diff_changed, was added to the + - gh-95953: A CSS class, diff_changed, was added to th e changed lines in the make_table output of difflib.HtmlDiff. - Patch by Katie Gardner. + Patch by Katie Gardner . - gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin. - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock @@ -248,9 +258,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - gh-138899: Executing quit command in pdb will raise bdb.BdbQuit when pdb is started from an asyncio console using breakpoint() or pdb.set_trace(). - - gh-138804: Raise TypeError instead of AttributeError when - an argument of incorrect type is passed to shlex.quote(). - This restores the behavior of the function prior to 3.14. + - gh-138804: Raise TypeError instead of AttributeError whe n + an argument of incorrect type is passed to shlex.quote() . + This restores the behavior of the function prior to 3.14 . - gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure. - gh-138682: Added symmetric difference support to @@ -281,9 +291,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl calling createtimerhandler() on a Tk application) and _tkinter.tkapp (the runtime type of Tk applications) are now immutable. Patch by Bénédikt Tran. - - gh-138514: Raise ValueError when a multi-character string - is passed to the echo_char parameter of getpass.getpass(). - Patch by Benjamin Johnson. + - gh-138514: Raise ValueError when a multi-character strin g + is passed to the echo_char parameter of getpass.getpass() . + Patch by Benjamin Johnson . - gh-137706: Fix the partial evaluation of annotations that use typing.Annotated[T, x] where T is a forward reference. - gh-88375: Fix normalization of the robots.txt rules and @@ -307,8 +317,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl copy.deepcopy() in the free-threading build. - gh-116946: The types of select.poll() and select.epoll() objects are now immutable. Patch by Bénédikt Tran. - - gh-116946: The _random.Random C type is now immutable. - Patch by Bénédikt Tran. + - gh-116946: The _random.Random C type is now immutable . + Patch by Bénédikt Tran . - gh-57911: When extracting tar files on Windows, slashes in symlink targets will be replaced by backslashes to prevent corrupted links. @@ -597,9 +607,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. - - gh-136028: Fix parsing month names containing “İ” (U+0130, - LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). - This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. + - gh-136028: Fix parsing month names containing “İ” (U+0130 , + LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime() . + This affects locales az_AZ, ber_DZ, ber_MA and crh_UA . - gh-87135: Acquiring a threading.Lock or threading.RLock at interpreter shutdown will raise PythonFinalizationError if Python can determine that it would otherwise deadlock. @@ -621,8 +631,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl non-OSError exception is raised during connection and socket’s close() raises OSError. - gh-135853: math: expose C99 signbit() function to determine - whether the sign bit of a floating-point value is set. - Patch by Bénédikt Tran. + whether the sign bit of a floating-point value is set . + Patch by Bénédikt Tran . - gh-134531: hmac: use the EVP_MAC(3ssl) interface for HMAC when Python is built with OpenSSL 3.0 and later instead of the deprecated HMAC_CTX(3ssl) interface. Patch by Bénédikt @@ -917,8 +927,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl and TD = TypedDict("TD", None) calls for constructing typing.TypedDict objects with zero field. Patch by Bénédikt Tran. - - gh-125996: Fix thread safety of collections.OrderedDict. - Patch by Kumar Aditya. + - gh-125996: Fix thread safety of collections.OrderedDict . + Patch by Kumar Aditya . - gh-133817: Remove support for creating NamedTuple classes via the undocumented keyword argument syntax. Patch by Bénédikt Tran. @@ -973,8 +983,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl logging.basicConfig(). - gh-92897: Removed the check_home parameter from sysconfig.is_python_build(), deprecated since Python 3.12. - - gh-133551: Support t-strings (PEP 750) in annotationlib. - Patch by Jelle Zijlstra. + - gh-133551: Support t-strings (PEP 750) in annotationlib . + Patch by Jelle Zijlstra . - gh-133517: Remove os.listdrives(), os.listvolumes() and os.listmounts() in non Windows desktop builds since the underlying functionality is missing. @@ -1035,9 +1045,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - gh-87790: Support underscore and comma as thousands separators in the fractional part for Fraction’s formatting. Patch by Sergey B Kirpichev. - - gh-87790: Support underscore and comma as thousands + - gh-87790: Support underscore and comma as thousand s separators in the fractional part for Decimal’s formatting. - Patch by Sergey B Kirpichev. + Patch by Sergey B Kirpichev . - gh-131884: Fix formatting issues in json.dump() when both indent and skipkeys are used. - gh-131788: Make ResourceTracker.send from multiprocessing @@ -1072,8 +1082,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - gh-125028: functools.Placeholder cannot be passed to functools.partial() as a keyword argument. - gh-125843: If possible, indicate which curses C function or - macro is responsible for raising a curses.error exception. - Patch by Bénédikt Tran. + macro is responsible for raising a curses.error exceptio n. + Patch by Bénédikt Tra n. - gh-119109: functools.partial() calls are now faster when keyword arguments are used. - gh-124033: SimplePath is now presented in @@ -1198,13 +1208,13 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl __typing_subst__ returns an object that isn’t a tuple. - gh-138431: Fix a bug in the JIT optimizer when round-tripping strings and tuples. - - gh-138378: Move the globals-to-const JIT optimizer pass - into to the main JIT optimizer pass + - gh-138378: Move the globals-to-const JIT optimizer pass + into to the main JIT optimizer pass - gh-138401: Add missing validation of argument count in os.sendfile() to be non-negative. - - gh-138372: Fix SyntaxWarning emitted for erroneous - subscript expressions involving template string literals. - Patch by Brian Schubert. + - gh-138372: Fix SyntaxWarning emitted for erroneou s + subscript expressions involving template string literals . + Patch by Brian Schubert . - gh-138302: BINARY_OP now specializes to BINARY_OP_ADD_INT, BINARY_OP_SUBTRACT_INT or BINARY_OP_MULTIPLY_INT if operands are compact ints. @@ -1229,9 +1239,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl and does not contain double quotes. - gh-137384: Fix a crash when using the warnings module in a finalizer at shutdown. Patch by Kumar Aditya. - - gh-138004: On Solaris/Illumos platforms, thread names are - now encoded as ASCII to avoid errors on systems (e.g. - OpenIndiana) that don’t support non-ASCII names. + - gh-138004: On Solaris/Illumos platforms, thread names e + ar now encoded as ASCII to avoid errors on systems (e.g . + OpenIndiana) that don’t support non-ASCII names . - gh-137976: Removed localtime from the list of reported system timezones. - gh-137992: Ensure that PyRefTracer_SetTracer() sync with @@ -1244,18 +1254,18 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - gh-137883: Fix runaway recursion when calling a function with keyword arguments. - gh-137079: Fix keyword typo recognition when parsing files. - Patch by Pablo Galindo. - - gh-137728: Fix the JIT’s handling of many local variables. - This previously caused a segfault. + Patch by Pablo Galindo . + - gh-137728: Fix the JIT’s handling of many local variables . + This previously caused a segfault . - gh-137716: Fix double period in AttributeError message for invalid mock assertions - gh-137433: Fix a potential deadlock in the free threading build when daemon threads enable or disable profiling or tracing while the main thread is shutting down the interpreter. - - gh-137576: Fix for incorrect source code being shown in + - gh-137576: Fix for incorrect source code being shown i n tracebacks from the Basic REPL when PYTHONSTARTUP is given. - Patch by Adam Hartz. + Patch by Adam Hartz . - gh-37817: Allow assignment to __bases__ of direct subclasses of builtin classes. - gh-132732: Optimize _COMPARE_OP, _CONTAINS_OP, @@ -1598,18 +1608,13 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl function. - gh-129813: Implement PEP 782, the PyBytesWriter API. Add functions: - PyBytesWriter_Create() - PyBytesWriter_Discard() - PyBytesWriter_FinishWithPointer() - PyBytesWriter_FinishWithSize() - PyBytesWriter_Finish() - PyBytesWriter_Format() - PyBytesWriter_GetData() - PyBytesWriter_GetSize() - PyBytesWriter_GrowAndUpdatePointer() - PyBytesWriter_Grow() - PyBytesWriter_Resize() - PyBytesWriter_WriteBytes() + PyBytesWriter_Create PyBytesWriter_Discard () + PyBytesWriter_FinishWithPointer () + PyBytesWriter_FinishWithSize () + PyBytesWriter_Finish PyBytesWriter_Format () + PyBytesWriter_GetData PyBytesWriter_GetSize () + PyBytesWriter_GrowAndUpdatePointer PyBytesWriter_Grow () + PyBytesWriter_Resize PyBytesWriter_WriteBytes () - Patch by Victor Stinner. - gh-137956: Display and raise an exception if an extension compiled for non-free-threaded Python is loaded in a @@ -1669,9 +1674,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - gh-133644: Remove deprecated function PyWeakref_GetObject() and macro PyWeakref_GET_OBJECT. Use PyWeakref_GetRef() instead. Patch by Bénédikt Tran. - - gh-133644: Remove deprecated alias - PyImport_ImportModuleNoBlock() of PyImport_ImportModule(). - Patch by Bénédikt Tran. + - gh-133644: Remove deprecated alia s + PyImport_ImportModuleNoBlock() of PyImport_ImportModule() . + Patch by Bénédikt Tran . - gh-133610: Remove deprecated functions PyUnicode_AsDecodedObject(), PyUnicode_AsDecodedUnicode(), PyUnicode_AsEncodedObject(), and diff --git a/python315.spec b/python315.spec index 0f1e88b..c0ebd1b 100644 --- a/python315.spec +++ b/python315.spec @@ -224,6 +224,9 @@ Patch40: fix-test-recursion-limit-15.6.patch Patch41: bsc1243155-sphinx-non-determinism.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch42: gh139257-Support-docutils-0.22.patch +# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com +# Avoid potential quadratic complexity vulnerabilities in path modules +Patch43: CVE-2025-6075-expandvars-perf-degrad.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake @@ -661,8 +664,10 @@ EXCLUDE="$EXCLUDE test_pydoc" EXCLUDE="$EXCLUDE test_multiprocessing_forkserver" %endif %ifarch ppc ppc64 ppc64le -# exclue test_faulthandler due to bnc#831629 +# exclude test_faulthandler due to bnc#831629 EXCLUDE="$EXCLUDE test_faulthandler" +# exclude test_curse for gh#python/cpython#141534 +EXCLUDE="$EXCLUDE test_curses" %endif # some tests break in QEMU %if 0%{?qemu_user_space_build}