python-interpreters/python315
SHA256
7
0
Fork 0
forked from pool/python315
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple

Browse Source 
quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
Skip test_curses on ppc64le (gh#python/cpython#141534)
      avoid simple quadratic complexity vulnerabilities of
      (CVE-2025-6075, bsc#1252974). os.path.expandvars() the
      --verbose option anymore. Patch by Victor Stinner.
    - gh-95953: A CSS class, diff_changed, was added to th      e
      Patch by Katie Gardner                                    .
    - gh-138804: Raise TypeError instead of AttributeError whe  n
      an argument of incorrect type is passed to shlex.quote()  .
      This restores the behavior of the function prior to 3.14  .
    - gh-138514: Raise ValueError when a multi-character strin  g
      is passed to the echo_char parameter of getpass.getpass() .
      Patch by Benjamin Johnson                                 .
    - gh-116946: The _random.Random C type is now immutable     .
      Patch by Bénédikt Tran                                    .
    - gh-136028: Fix parsing month names containing “İ” (U+0130 ,
      LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime() .
      This affects locales az_AZ, ber_DZ, ber_MA and crh_UA     .
      whether the sign bit of a floating-point value is set     .
      Patch by Bénédikt Tran                                    .
    - gh-125996: Fix thread safety of collections.OrderedDict   .
      Patch by Kumar Aditya                                     .
    - gh-133551: Support t-strings (PEP 750) in annotationlib   .
      Patch by Jelle Zijlstra                                   .
    - gh-87790: Support underscore and comma as thousand        s
      Patch by Sergey B Kirpichev                               .
      macro is responsible for raising a curses.error exceptio n.
      Patch by Bénédikt Tra                                    n.
    - gh-138378: Move the globals-to-const     JIT optimizer pass
      into to the main                         JIT optimizer pass
    - gh-138372: Fix SyntaxWarning emitted for erroneou         s
      subscript expressions involving template string literals  .
      Patch by Brian Schubert                                   .
    - gh-138004: On Solaris/Illumos platforms, thread names     e
      ar now encoded as ASCII to avoid errors on systems (e.g   .
      OpenIndiana) that don’t support non-ASCII names           .
      Patch by Pablo Galindo                                    .
    - gh-137728: Fix the JIT’s handling of many local variables .
      This previously caused a segfault                         .
    - gh-137576: Fix for incorrect source code being shown i    n
      Patch by Adam Hartz                                       .
         PyBytesWriter_Create PyBytesWriter_Discard            ()
         PyBytesWriter_FinishWithPointer                       ()
         PyBytesWriter_FinishWithSize                          ()
         PyBytesWriter_Finish PyBytesWriter_Format             ()
         PyBytesWriter_GetData PyBytesWriter_GetSize           ()
         PyBytesWriter_GrowAndUpdatePointer PyBytesWriter_Grow ()
         PyBytesWriter_Resize PyBytesWriter_WriteBytes         ()
    - gh-133644: Remove deprecated alia                         s
      PyImport_ImportModuleNoBlock() of PyImport_ImportModule() .
      Patch by Bénédikt Tran                                    .
This commit is contained in:
Matej Cepl
2025-11-13 22:40:01 +01:00
parent b563206f1a
commit 2c3a121115
4 changed files with 433 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

367
CVE-2025-6075-expandvars-perf-degrad.patch Normal file
View File

@@ -0,0 +1,367 @@
From e3b2c85d567b51dd84d1faf83398e97c0bf1eb60 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Fri, 30 May 2025 22:33:31 +0300
Subject: [PATCH 1/2] gh-134873: Fix quadratic complexity in
os.path.expandvars()
---
Lib/ntpath.py | 126 +++-------
Lib/posixpath.py | 43 +--
Lib/test/test_genericpath.py | 21 +
Lib/test/test_ntpath.py | 22 +
Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1
5 files changed, 97 insertions(+), 116 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-134873.bu337o.rst
Index: Python-3.15.0a1/Lib/ntpath.py
===================================================================
--- Python-3.15.0a1.orig/Lib/ntpath.py 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Lib/ntpath.py 2025-11-13 18:28:37.445868967 +0100
@@ -400,17 +400,23 @@
# XXX With COMMAND.COM you can use any characters in a variable name,
# XXX except '^|<>='.
+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
+_varsub = None
+_varsubb = None
+
def expandvars(path):
"""Expand shell variables of the forms $var, ${var} and %var%.
Unknown variables are left unchanged."""
path = os.fspath(path)
+ global _varsub, _varsubb
if isinstance(path, bytes):
if b'$' not in path and b'%' not in path:
return path
- import string
- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
- quote = b'\''
+ if not _varsubb:
+ import re
+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
+ sub = _varsubb
percent = b'%'
brace = b'{'
rbrace = b'}'
@@ -419,94 +425,44 @@
else:
if '$' not in path and '%' not in path:
return path
- import string
- varchars = string.ascii_letters + string.digits + '_-'
- quote = '\''
+ if not _varsub:
+ import re
+ _varsub = re.compile(_varpattern, re.ASCII).sub
+ sub = _varsub
percent = '%'
brace = '{'
rbrace = '}'
dollar = '$'
environ = os.environ
- res = path[:0]
- index = 0
- pathlen = len(path)
- while index < pathlen:
- c = path[index:index+1]
- if c == quote: # no expansion within single quotes
- path = path[index + 1:]
- pathlen = len(path)
- try:
- index = path.index(c)
- res += c + path[:index + 1]
- except ValueError:
- res += c + path
- index = pathlen - 1
- elif c == percent: # variable or '%'
- if path[index + 1:index + 2] == percent:
- res += c
- index += 1
- else:
- path = path[index+1:]
- pathlen = len(path)
- try:
- index = path.index(percent)
- except ValueError:
- res += percent + path
- index = pathlen - 1
- else:
- var = path[:index]
- try:
- if environ is None:
- value = os.fsencode(os.environ[os.fsdecode(var)])
- else:
- value = environ[var]
- except KeyError:
- value = percent + var + percent
- res += value
- elif c == dollar: # variable or '$$'
- if path[index + 1:index + 2] == dollar:
- res += c
- index += 1
- elif path[index + 1:index + 2] == brace:
- path = path[index+2:]
- pathlen = len(path)
- try:
- index = path.index(rbrace)
- except ValueError:
- res += dollar + brace + path
- index = pathlen - 1
- else:
- var = path[:index]
- try:
- if environ is None:
- value = os.fsencode(os.environ[os.fsdecode(var)])
- else:
- value = environ[var]
- except KeyError:
- value = dollar + brace + var + rbrace
- res += value
- else:
- var = path[:0]
- index += 1
- c = path[index:index + 1]
- while c and c in varchars:
- var += c
- index += 1
- c = path[index:index + 1]
- try:
- if environ is None:
- value = os.fsencode(os.environ[os.fsdecode(var)])
- else:
- value = environ[var]
- except KeyError:
- value = dollar + var
- res += value
- if c:
- index -= 1
+
+ def repl(m):
+ lastindex = m.lastindex
+ if lastindex is None:
+ return m[0]
+ name = m[lastindex]
+ if lastindex == 1:
+ if name == percent:
+ return name
+ if not name.endswith(percent):
+ return m[0]
+ name = name[:-1]
else:
- res += c
- index += 1
- return res
+ if name == dollar:
+ return name
+ if name.startswith(brace):
+ if not name.endswith(rbrace):
+ return m[0]
+ name = name[1:-1]
+
+ try:
+ if environ is None:
+ return os.fsencode(os.environ[os.fsdecode(name)])
+ else:
+ return environ[name]
+ except KeyError:
+ return m[0]
+
+ return sub(repl, path)
# Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
Index: Python-3.15.0a1/Lib/posixpath.py
===================================================================
--- Python-3.15.0a1.orig/Lib/posixpath.py 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Lib/posixpath.py 2025-11-13 18:28:37.446168939 +0100
@@ -285,42 +285,41 @@
# This expands the forms $variable and ${variable} only.
# Non-existent variables are left unchanged.
-_varprog = None
-_varprogb = None
+_varpattern = r'\$(\w+|\{[^}]*\}?)'
+_varsub = None
+_varsubb = None
def expandvars(path):
"""Expand shell variables of form $var and ${var}. Unknown variables
are left unchanged."""
path = os.fspath(path)
- global _varprog, _varprogb
+ global _varsub, _varsubb
if isinstance(path, bytes):
if b'$' not in path:
return path
- if not _varprogb:
+ if not _varsubb:
import re
- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
- search = _varprogb.search
+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
+ sub = _varsubb
start = b'{'
end = b'}'
environ = getattr(os, 'environb', None)
else:
if '$' not in path:
return path
- if not _varprog:
+ if not _varsub:
import re
- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
- search = _varprog.search
+ _varsub = re.compile(_varpattern, re.ASCII).sub
+ sub = _varsub
start = '{'
end = '}'
environ = os.environ
- i = 0
- while True:
- m = search(path, i)
- if not m:
- break
- i, j = m.span(0)
- name = m.group(1)
- if name.startswith(start) and name.endswith(end):
+
+ def repl(m):
+ name = m[1]
+ if name.startswith(start):
+ if not name.endswith(end):
+ return m[0]
name = name[1:-1]
try:
if environ is None:
@@ -328,13 +327,11 @@
else:
value = environ[name]
except KeyError:
- i = j
+ return m[0]
else:
- tail = path[j:]
- path = path[:i] + value
- i = len(path)
- path += tail
- return path
+ return value
+
+ return sub(repl, path)
# Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
Index: Python-3.15.0a1/Lib/test/test_genericpath.py
===================================================================
--- Python-3.15.0a1.orig/Lib/test/test_genericpath.py 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Lib/test/test_genericpath.py 2025-11-13 18:28:37.446403609 +0100
@@ -9,9 +9,9 @@
import sys
import unittest
import warnings
-from test.support import (
- is_apple, os_helper, warnings_helper
-)
+from test import support
+from test.support import os_helper
+from test.support import warnings_helper
from test.support.script_helper import assert_python_ok
from test.support.os_helper import FakePath
@@ -462,6 +462,19 @@
os.fsencode('$bar%s bar' % nonascii))
check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
+ @support.requires_resource('cpu')
+ def test_expandvars_large(self):
+ expandvars = self.pathmodule.expandvars
+ with os_helper.EnvironmentVarGuard() as env:
+ env.clear()
+ env["A"] = "B"
+ n = 100_000
+ self.assertEqual(expandvars('$A'*n), 'B'*n)
+ self.assertEqual(expandvars('${A}'*n), 'B'*n)
+ self.assertEqual(expandvars('$A!'*n), 'B!'*n)
+ self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
+ self.assertEqual(expandvars('${'*10*n), '${'*10*n)
+
def test_abspath(self):
self.assertIn("foo", self.pathmodule.abspath("foo"))
with warnings.catch_warnings():
@@ -519,7 +532,7 @@
# directory (when the bytes name is used).
and sys.platform not in {
"win32", "emscripten", "wasi"
- } and not is_apple
+ } and not support.is_apple
):
name = os_helper.TESTFN_UNDECODABLE
elif os_helper.TESTFN_NONASCII:
Index: Python-3.15.0a1/Lib/test/test_ntpath.py
===================================================================
--- Python-3.15.0a1.orig/Lib/test/test_ntpath.py 2025-10-14 12:46:08.000000000 +0200
+++ Python-3.15.0a1/Lib/test/test_ntpath.py 2025-11-13 18:28:55.652664525 +0100
@@ -9,7 +9,8 @@
import warnings
from ntpath import ALL_BUT_LAST, ALLOW_MISSING
from test import support
-from test.support import TestFailed, cpython_only, os_helper
+from test import support
+from test.support import os_helper
from test.support.os_helper import FakePath
from test import test_genericpath
from tempfile import TemporaryFile
@@ -59,7 +60,7 @@
fn = fn.replace("\\", "\\\\")
gotResult = eval(fn)
if wantResult != gotResult and _norm(wantResult) != _norm(gotResult):
- raise TestFailed("%s should return: %s but returned: %s" \
+ raise support.TestFailed("%s should return: %s but returned: %s" \
%(str(fn), str(wantResult), str(gotResult)))
# then with bytes
@@ -75,7 +76,7 @@
warnings.simplefilter("ignore", DeprecationWarning)
gotResult = eval(fn)
if _norm(wantResult) != _norm(gotResult):
- raise TestFailed("%s should return: %s but returned: %s" \
+ raise support.TestFailed("%s should return: %s but returned: %s" \
%(str(fn), str(wantResult), repr(gotResult)))
@@ -1133,6 +1134,19 @@
check('%spam%bar', '%sbar' % nonascii)
check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
+ @support.requires_resource('cpu')
+ def test_expandvars_large(self):
+ expandvars = ntpath.expandvars
+ with os_helper.EnvironmentVarGuard() as env:
+ env.clear()
+ env["A"] = "B"
+ n = 100_000
+ self.assertEqual(expandvars('%A%'*n), 'B'*n)
+ self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
+ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
+ self.assertEqual(expandvars("%%"*n), "%"*n)
+ self.assertEqual(expandvars("$$"*n), "$"*n)
+
def test_expanduser(self):
tester('ntpath.expanduser("test")', 'test')
@@ -1550,7 +1564,7 @@
self.assertTrue(os.path.exists(r"\\.\CON"))
@unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32")
- @cpython_only
+ @support.cpython_only
def test_fast_paths_in_use(self):
# There are fast paths of these functions implemented in posixmodule.c.
# Confirm that they are being used, and not the Python fallbacks in
Index: Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2025-11-13 18:28:37.447873576 +0100
@@ -0,0 +1 @@
+Fix quadratic complexity in :func:`os.path.expandvars`.

5
python315-rpmlintrc
View File

@@ -1,3 +1,4 @@
addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem") addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c") addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/.*.c")
addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp") addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/.*.cpp")
addFilter("python-bytecode-inconsistent-mtime.*/usr/lib64/python.*/.*.pyc")

31
python315.changes
View File

@@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
- Skip test_curses on ppc64le (gh#python/cpython#141534)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Nov 10 10:01:37 UTC 2025 - Andreas Schwab <schwab@suse.de> Mon Nov 10 10:01:37 UTC 2025 - Andreas Schwab <schwab@suse.de>
@@ -44,7 +52,9 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
modules when explicitly specified. modules when explicitly specified.
- Tests - Tests
- gh-139208: Fix regrtest --fast-ci --verbose: dont ignore - gh-139208: Fix regrtest --fast-ci --verbose: dont ignore
the --verbose option anymore. Patch by Victor Stinner. avoid simple quadratic complexity vulnerabilities of
(CVE-2025-6075, bsc#1252974). os.path.expandvars() the
--verbose option anymore. Patch by Victor Stinner.
- gh-138313: Restore skipped test and add janky workaround - gh-138313: Restore skipped test and add janky workaround
to prevent select buildbots from failing with a to prevent select buildbots from failing with a
ResourceWarning. ResourceWarning.
@@ -1229,8 +1239,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
and does not contain double quotes. and does not contain double quotes.
- gh-137384: Fix a crash when using the warnings module in a - gh-137384: Fix a crash when using the warnings module in a
finalizer at shutdown. Patch by Kumar Aditya. finalizer at shutdown. Patch by Kumar Aditya.
- gh-138004: On Solaris/Illumos platforms, thread names are - gh-138004: On Solaris/Illumos platforms, thread names e
now encoded as ASCII to avoid errors on systems (e.g. ar now encoded as ASCII to avoid errors on systems (e.g .
OpenIndiana) that dont support non-ASCII names . OpenIndiana) that dont support non-ASCII names .
- gh-137976: Removed localtime from the list of reported - gh-137976: Removed localtime from the list of reported
system timezones. system timezones.
@@ -1598,18 +1608,13 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
function. function.
- gh-129813: Implement PEP 782, the PyBytesWriter API. Add - gh-129813: Implement PEP 782, the PyBytesWriter API. Add
functions: functions:
PyBytesWriter_Create() PyBytesWriter_Create PyBytesWriter_Discard ()
PyBytesWriter_Discard()
PyBytesWriter_FinishWithPointer () PyBytesWriter_FinishWithPointer ()
PyBytesWriter_FinishWithSize () PyBytesWriter_FinishWithSize ()
PyBytesWriter_Finish() PyBytesWriter_Finish PyBytesWriter_Format ()
PyBytesWriter_Format() PyBytesWriter_GetData PyBytesWriter_GetSize ()
PyBytesWriter_GetData() PyBytesWriter_GrowAndUpdatePointer PyBytesWriter_Grow ()
PyBytesWriter_GetSize() PyBytesWriter_Resize PyBytesWriter_WriteBytes ()
PyBytesWriter_GrowAndUpdatePointer()
PyBytesWriter_Grow()
PyBytesWriter_Resize()
PyBytesWriter_WriteBytes()
- Patch by Victor Stinner. - Patch by Victor Stinner.
- gh-137956: Display and raise an exception if an extension - gh-137956: Display and raise an exception if an extension
compiled for non-free-threaded Python is loaded in a compiled for non-free-threaded Python is loaded in a

7
python315.spec
View File

@@ -224,6 +224,9 @@ Patch40: fix-test-recursion-limit-15.6.patch
Patch41: bsc1243155-sphinx-non-determinism.patch Patch41: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch42: gh139257-Support-docutils-0.22.patch Patch42: gh139257-Support-docutils-0.22.patch
# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
# Avoid potential quadratic complexity vulnerabilities in path modules
Patch43: CVE-2025-6075-expandvars-perf-degrad.patch
#### Python 3.15 DEVELOPMENT PATCHES #### Python 3.15 DEVELOPMENT PATCHES
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: automake BuildRequires: automake
@@ -661,8 +664,10 @@ EXCLUDE="$EXCLUDE test_pydoc"
EXCLUDE="$EXCLUDE test_multiprocessing_forkserver" EXCLUDE="$EXCLUDE test_multiprocessing_forkserver"
%endif %endif
%ifarch ppc ppc64 ppc64le %ifarch ppc ppc64 ppc64le
# exclue test_faulthandler due to bnc#831629 # exclude test_faulthandler due to bnc#831629
EXCLUDE="$EXCLUDE test_faulthandler" EXCLUDE="$EXCLUDE test_faulthandler"
# exclude test_curse for gh#python/cpython#141534
EXCLUDE="$EXCLUDE test_curses"
%endif %endif
# some tests break in QEMU # some tests break in QEMU
%if 0%{?qemu_user_space_build} %if 0%{?qemu_user_space_build}