diff --git a/CVE-2025-6075-expandvars-perf-degrad.patch b/CVE-2025-6075-expandvars-perf-degrad.patch
deleted file mode 100644
index 83f7dfc..0000000
--- a/CVE-2025-6075-expandvars-perf-degrad.patch
+++ /dev/null
@@ -1,367 +0,0 @@ -From e3b2c85d567b51dd84d1faf83398e97c0bf1eb60 Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Fri, 30 May 2025 22:33:31 +0300 -Subject: [PATCH 1/2] gh-134873: Fix quadratic complexity in - os.path.expandvars() - ---- - Lib/ntpath.py | 126 +++------- - Lib/posixpath.py | 43 +-- - Lib/test/test_genericpath.py | 21 + - Lib/test/test_ntpath.py | 22 + - Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 - 5 files changed, 97 insertions(+), 116 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-134873.bu337o.rst - -Index: Python-3.15.0a1/Lib/ntpath.py -=================================================================== ---- Python-3.15.0a1.orig/Lib/ntpath.py 2025-10-14 12:46:08.000000000 +0200 -+++ Python-3.15.0a1/Lib/ntpath.py 2025-11-13 18:28:37.445868967 +0100 -@@ -400,17 +400,23 @@ - # XXX With COMMAND.COM you can use any characters in a variable name, - # XXX except '^|<>='. - -+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)" -+_varsub = None -+_varsubb = None -+ - def expandvars(path): - """Expand shell variables of the forms $var, ${var} and %var%. 
- - Unknown variables are left unchanged.""" - path = os.fspath(path) -+ global _varsub, _varsubb - if isinstance(path, bytes): - if b'$' not in path and b'%' not in path: - return path -- import string -- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii') -- quote = b'\'' -+ if not _varsubb: -+ import re -+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub -+ sub = _varsubb - percent = b'%' - brace = b'{' - rbrace = b'}' -@@ -419,94 +425,44 @@ - else: - if '$' not in path and '%' not in path: - return path -- import string -- varchars = string.ascii_letters + string.digits + '_-' -- quote = '\'' -+ if not _varsub: -+ import re -+ _varsub = re.compile(_varpattern, re.ASCII).sub -+ sub = _varsub - percent = '%' - brace = '{' - rbrace = '}' - dollar = '$' - environ = os.environ -- res = path[:0] -- index = 0 -- pathlen = len(path) -- while index < pathlen: -- c = path[index:index+1] -- if c == quote: # no expansion within single quotes -- path = path[index + 1:] -- pathlen = len(path) -- try: -- index = path.index(c) -- res += c + path[:index + 1] -- except ValueError: -- res += c + path -- index = pathlen - 1 -- elif c == percent: # variable or '%' -- if path[index + 1:index + 2] == percent: -- res += c -- index += 1 -- else: -- path = path[index+1:] -- pathlen = len(path) -- try: -- index = path.index(percent) -- except ValueError: -- res += percent + path -- index = pathlen - 1 -- else: -- var = path[:index] -- try: -- if environ is None: -- value = os.fsencode(os.environ[os.fsdecode(var)]) -- else: -- value = environ[var] -- except KeyError: -- value = percent + var + percent -- res += value -- elif c == dollar: # variable or '$$' -- if path[index + 1:index + 2] == dollar: -- res += c -- index += 1 -- elif path[index + 1:index + 2] == brace: -- path = path[index+2:] -- pathlen = len(path) -- try: -- index = path.index(rbrace) -- except ValueError: -- res += dollar + brace + path -- index = pathlen - 1 -- else: -- var = path[:index] -- 
try: -- if environ is None: -- value = os.fsencode(os.environ[os.fsdecode(var)]) -- else: -- value = environ[var] -- except KeyError: -- value = dollar + brace + var + rbrace -- res += value -- else: -- var = path[:0] -- index += 1 -- c = path[index:index + 1] -- while c and c in varchars: -- var += c -- index += 1 -- c = path[index:index + 1] -- try: -- if environ is None: -- value = os.fsencode(os.environ[os.fsdecode(var)]) -- else: -- value = environ[var] -- except KeyError: -- value = dollar + var -- res += value -- if c: -- index -= 1 -+ -+ def repl(m): -+ lastindex = m.lastindex -+ if lastindex is None: -+ return m[0] -+ name = m[lastindex] -+ if lastindex == 1: -+ if name == percent: -+ return name -+ if not name.endswith(percent): -+ return m[0] -+ name = name[:-1] - else: -- res += c -- index += 1 -- return res -+ if name == dollar: -+ return name -+ if name.startswith(brace): -+ if not name.endswith(rbrace): -+ return m[0] -+ name = name[1:-1] -+ -+ try: -+ if environ is None: -+ return os.fsencode(os.environ[os.fsdecode(name)]) -+ else: -+ return environ[name] -+ except KeyError: -+ return m[0] -+ -+ return sub(repl, path) - - - # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B. -Index: Python-3.15.0a1/Lib/posixpath.py -=================================================================== ---- Python-3.15.0a1.orig/Lib/posixpath.py 2025-10-14 12:46:08.000000000 +0200 -+++ Python-3.15.0a1/Lib/posixpath.py 2025-11-13 18:28:37.446168939 +0100 -@@ -285,42 +285,41 @@ - # This expands the forms $variable and ${variable} only. - # Non-existent variables are left unchanged. - --_varprog = None --_varprogb = None -+_varpattern = r'\$(\w+|\{[^}]*\}?)' -+_varsub = None -+_varsubb = None - - def expandvars(path): - """Expand shell variables of form $var and ${var}. 
Unknown variables - are left unchanged.""" - path = os.fspath(path) -- global _varprog, _varprogb -+ global _varsub, _varsubb - if isinstance(path, bytes): - if b'$' not in path: - return path -- if not _varprogb: -+ if not _varsubb: - import re -- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII) -- search = _varprogb.search -+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub -+ sub = _varsubb - start = b'{' - end = b'}' - environ = getattr(os, 'environb', None) - else: - if '$' not in path: - return path -- if not _varprog: -+ if not _varsub: - import re -- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII) -- search = _varprog.search -+ _varsub = re.compile(_varpattern, re.ASCII).sub -+ sub = _varsub - start = '{' - end = '}' - environ = os.environ -- i = 0 -- while True: -- m = search(path, i) -- if not m: -- break -- i, j = m.span(0) -- name = m.group(1) -- if name.startswith(start) and name.endswith(end): -+ -+ def repl(m): -+ name = m[1] -+ if name.startswith(start): -+ if not name.endswith(end): -+ return m[0] - name = name[1:-1] - try: - if environ is None: -@@ -328,13 +327,11 @@ - else: - value = environ[name] - except KeyError: -- i = j -+ return m[0] - else: -- tail = path[j:] -- path = path[:i] + value -- i = len(path) -- path += tail -- return path -+ return value -+ -+ return sub(repl, path) - - - # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B. 
-Index: Python-3.15.0a1/Lib/test/test_genericpath.py -=================================================================== ---- Python-3.15.0a1.orig/Lib/test/test_genericpath.py 2025-10-14 12:46:08.000000000 +0200 -+++ Python-3.15.0a1/Lib/test/test_genericpath.py 2025-11-13 18:28:37.446403609 +0100 -@@ -9,9 +9,9 @@ - import sys - import unittest - import warnings --from test.support import ( -- is_apple, os_helper, warnings_helper --) -+from test import support -+from test.support import os_helper -+from test.support import warnings_helper - from test.support.script_helper import assert_python_ok - from test.support.os_helper import FakePath - -@@ -462,6 +462,19 @@ - os.fsencode('$bar%s bar' % nonascii)) - check(b'$spam}bar', os.fsencode('%s}bar' % nonascii)) - -+ @support.requires_resource('cpu') -+ def test_expandvars_large(self): -+ expandvars = self.pathmodule.expandvars -+ with os_helper.EnvironmentVarGuard() as env: -+ env.clear() -+ env["A"] = "B" -+ n = 100_000 -+ self.assertEqual(expandvars('$A'*n), 'B'*n) -+ self.assertEqual(expandvars('${A}'*n), 'B'*n) -+ self.assertEqual(expandvars('$A!'*n), 'B!'*n) -+ self.assertEqual(expandvars('${A}A'*n), 'BA'*n) -+ self.assertEqual(expandvars('${'*10*n), '${'*10*n) -+ - def test_abspath(self): - self.assertIn("foo", self.pathmodule.abspath("foo")) - with warnings.catch_warnings(): -@@ -519,7 +532,7 @@ - # directory (when the bytes name is used). 
- and sys.platform not in { - "win32", "emscripten", "wasi" -- } and not is_apple -+ } and not support.is_apple - ): - name = os_helper.TESTFN_UNDECODABLE - elif os_helper.TESTFN_NONASCII: -Index: Python-3.15.0a1/Lib/test/test_ntpath.py -=================================================================== ---- Python-3.15.0a1.orig/Lib/test/test_ntpath.py 2025-10-14 12:46:08.000000000 +0200 -+++ Python-3.15.0a1/Lib/test/test_ntpath.py 2025-11-13 18:28:55.652664525 +0100 -@@ -9,7 +9,8 @@ - import warnings - from ntpath import ALL_BUT_LAST, ALLOW_MISSING - from test import support --from test.support import TestFailed, cpython_only, os_helper -+from test import support -+from test.support import os_helper - from test.support.os_helper import FakePath - from test import test_genericpath - from tempfile import TemporaryFile -@@ -59,7 +60,7 @@ - fn = fn.replace("\\", "\\\\") - gotResult = eval(fn) - if wantResult != gotResult and _norm(wantResult) != _norm(gotResult): -- raise TestFailed("%s should return: %s but returned: %s" \ -+ raise support.TestFailed("%s should return: %s but returned: %s" \ - %(str(fn), str(wantResult), str(gotResult))) - - # then with bytes -@@ -75,7 +76,7 @@ - warnings.simplefilter("ignore", DeprecationWarning) - gotResult = eval(fn) - if _norm(wantResult) != _norm(gotResult): -- raise TestFailed("%s should return: %s but returned: %s" \ -+ raise support.TestFailed("%s should return: %s but returned: %s" \ - %(str(fn), str(wantResult), repr(gotResult))) - - -@@ -1133,6 +1134,19 @@ - check('%spam%bar', '%sbar' % nonascii) - check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii) - -+ @support.requires_resource('cpu') -+ def test_expandvars_large(self): -+ expandvars = ntpath.expandvars -+ with os_helper.EnvironmentVarGuard() as env: -+ env.clear() -+ env["A"] = "B" -+ n = 100_000 -+ self.assertEqual(expandvars('%A%'*n), 'B'*n) -+ self.assertEqual(expandvars('%A%A'*n), 'BA'*n) -+ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%') -+ 
self.assertEqual(expandvars("%%"*n), "%"*n)
-+ self.assertEqual(expandvars("$$"*n), "$"*n)
-+
- def test_expanduser(self):
- tester('ntpath.expanduser("test")', 'test')
-
-@@ -1550,7 +1564,7 @@
- self.assertTrue(os.path.exists(r"\\.\CON"))
-
- @unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32")
-- @cpython_only
-+ @support.cpython_only
- def test_fast_paths_in_use(self):
- # There are fast paths of these functions implemented in posixmodule.c.
- # Confirm that they are being used, and not the Python fallbacks in
-Index: Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2025-11-13 18:28:37.447873576 +0100
-@@ -0,0 +1 @@
-+Fix quadratic complexity in :func:`os.path.expandvars`.
diff --git a/Python-3.15.0a1.tar.xz b/Python-3.15.0a1.tar.xz
deleted file mode 100644
index 26d8153..0000000
--- a/Python-3.15.0a1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3194939d488eeaeefdcf990d35542d9ad1ce788789c4e2305a2060eb7058e5a4
-size 23646768
diff --git a/Python-3.15.0a1.tar.xz.sigstore b/Python-3.15.0a1.tar.xz.sigstore
deleted file mode 100644
index 7b84f4e..0000000
--- a/Python-3.15.0a1.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "605381105", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1760453180", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQD2M+xpYMeDZb0B+2kBuUQDfsBPNuaNbOPB/tLnCY1+CwIgH1bBckucAYWz+3wFvU9MVGWc985g1wJsYy27aYYg+5c="}, "inclusionProof": {"logIndex": "483476843", "rootHash": "VcoiuI3enMGLjUhgMzdjfI+PlOWmz/r/ADehdiW44fo=", "treeSize": "483476848", "hashes": ["r/fQjBRZKxYDs6T00FfDqZfE3gNFN5jUw2hPbI6Klb4=", "Fu7qRL8q8yz4aWKTEU5+PzVtd9R4k7HkP62EtCYWURQ=", "jvpXra7v+FEGbwj68er3f1BUvjOiYUjCL/pwYF0UG6c=", "VxMxwBbsJTw+9QBfKnXMOxyeZ7HJKlExLQMtqStpg0Y=", "fU2ETS/0MxEeuY1O0lS9SJrXcXC78pJVOtXCNv7LymQ=", "TS0t//1G9191vAjMg50KLfXBi3UY8ANFmx1ZNp2k5vk=", "1bdCuQIZjyx9tCJXNrYevW3fyHk6huvJ/h5uIlfIiy0=", "wjy79ir2+9dNofV/yngwyU7P7qEQoJWbN/f/+YIqeSg=", "Tx/mYCxiKxJdXGSB99WD+yAVDPg18BLOj5lDqPQUNe4=", "eSCfK8nXzRpj/m2HYQ9+GtLIccUwLOkk3iYGC4R5zXI=", "inrOYOb+roitD1EYWHmRPy8aJnjhSAhp5cHXbXVlxU4=", "8nCds1SUzxGg2Xoa+M1tOFTwx+1BGtp8TDMSS4P54xQ=", "V5lOdefY1WOOt4iQp7tZoyj1beBDVi24KsEMcgsqZds=", "2Wv4GiithwNukRKV06clevnQQYCzXmSS/+/OJtXgsXQ=", "1mfy94KpcItqshH9+gwqV6jccupcaMpVsF28New8zDY=", "vS7O4ozHIQZJWBiov+mkpI27GE8zAmVCEkRcP3NDyNE="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n483476848\nVcoiuI3enMGLjUhgMzdjfI+PlOWmz/r/ADehdiW44fo=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEAhRdd+DI17Uc7iB9ExZ3kq9O47UtmJyeRF8AcagocSIYCIQCjl6Z9CXp3exjHHmeQCwLAVOGRbCfKwsbuQAZwl4K80A==\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "MZSTnUiO6u79z5kNNVQtmtHOeIeJxOIwWiBg63BY5aQ="}, "signature": 
"MEQCIBFw4Q/zQYrrV4yRjStNi0JGw4o4U7cXiBXVGRK+a5MWAiBaAa0LMCzVFqzUDmY+0F+jvDBo0hRTsnIrETcTLcVOfA=="}}
diff --git a/Python-3.15.0a2.tar.xz b/Python-3.15.0a2.tar.xz
new file mode 100644
index 0000000..b693351
--- /dev/null
+++ b/Python-3.15.0a2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8a0a2f4a7f3d7090cf195e81814efe95f70554955557f40e149d8694a662751
+size 23728836
diff --git a/Python-3.15.0a2.tar.xz.sigstore b/Python-3.15.0a2.tar.xz.sigstore
new file mode 100644
index 0000000..d3439e7
--- /dev/null
+++ b/Python-3.15.0a2.tar.xz.sigstore
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUBmylNbQW8lgH3BD7NaD4dsMNkSYwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMTE5MDk0NDU1WhcNMjUxMTE5MDk1NDU1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEi0wghUz8k/UNn7MEg6TwxPsewzYFutTbDMxXxKevJePP7XqFB1UQnLH1GokPltZPyB+l1m4VF5Sy8ZvaF1ClcKOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFUET7divejslt9ZiyIL0u9SFfBYwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmpuAt6EAAAQDAEcwRQIgE3w20s7OrtGL+zODecqs7H0Smv8KcfaAKYvEdR5XT5oCIQD7Eq3ulu9eBvww92bR9tnW4ghFqkpnDXVU7J7i/yM4vzAKBggqhkjOPQQDAwNoADBlAjBiUgZCSW+Mjhx7RJ+zYdrpTtg8EDMOZHbnXq/RTYvRrh3iKv6E5oH11IgPFn9MmEECMQCZUuUixsdRNihrf8ZrSyuQ9RCMvLg7Y+Gg5eJ8eJjIm+9vtZfkRNtD2SGMOWTKDXY="}, "tlogEntries": [{"logIndex": "708501076", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1763545495", "inclusionPromise": {"signedEntryTimestamp": "MEQCIBBFm5zZqaDhf/2WNPlvBVa+hgbqGFDW9pSVGDwT+aMjAiBJWrthkghtaPFH+TYaCwiOpBYvXNql3HltsZ/DsXcV2A=="}, "inclusionProof": {"logIndex": "586596814", "rootHash": "eYRHPRBPrv7VPt0RJ5/Wfp8sctnBIszg6NIaf3GQrfw=", "treeSize": "586596815", "hashes": ["WQXHunKvibcfvQ9ZT6N2rUAkABNdnLQRwa92wR4gX58=", "287rj+EV908dOcox9MDXVe+gnfm6BAolfDJm46eY1Xw=", "cl+YdAs75DrN9x0oB+vn3kgtMfroClWhykZO839ri1Q=", "TAcghz4eEeOn8NMKSy1KOeg9H09f30R8FC+PGof84Oc=", "Ne2M91/psRGlS51Q1/TlubrsVcsm9OnJ3/5dqeXizZc=", "VA3Ony+IuiKE6GaSIUOVU8jfXsw54CyctvI+If9sXdI=", "k17qYjw0FJ9hhgBebiwJG1JJwGYkXslaEFslKgI2FTs=", "7GMOmqHGPgIUD2AGgoZScCiJ5IbZSh18ZlHgKKxnaRo=", 
"/Lh1BYN2nonyxa0Ny6DeXbNUcSJIp2Of2JLKKCxDbUo=", "1Hte46ZYqMjMJtFdJJyTJoXer0VRtOnSa+JEILdAMI8=", "XPOd8yApSEIRvyCps+FG/vNe/n08jAfXlL68srajUQU=", "3TB24c2iSQ7Z4Xrp+12hwHyAJq+0z5oGCREpV9ajoe0=", "E/c5y8qGcENHbLJDyW+YH8tGXlQ+8+Qcg/TJ3j4d/mg=", "bzTJsC7KPkC5dVD2uXRC5gpiYT1DSYoxvShGPXwjLBI=", "f2j1ljMRjwO8o3f9nSp1S8xu26ILehAfUf3wltrZCKU=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n586596815\neYRHPRBPrv7VPt0RJ5/Wfp8sctnBIszg6NIaf3GQrfw=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEAt/UvfI7Nr/RIGZXc7idhtGQKiA0lrHTQAk5pKZTsVZ4CIQD9hNwwvtAocNIkXCLnGJ9gtMSWWNpacpxX2c8TKyJ9yQ==\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "2KCi9Kfz1wkM8ZXoGBTv6V9wVUlVVX9A4UnYaUpmJ1E="}, "signature": "MEYCIQDsQq012TkqdWudMy6qpKyDluLNTi5G/qKsU8KXiOQ2ZAIhAJuWJX17Ap/I2SxHXqkzc+6Vh+0pRdrIr4XhWtyD5qPp"}}
diff --git a/python315.changes b/python315.changes
index e2d488a..e2d9131 100644
--- a/python315.changes
+++ b/python315.changes
@@ -1,3 +1,357 @@
+-------------------------------------------------------------------
+Fri Nov 21 02:06:55 UTC 2025 - Steve Kowalik
+
+- Update to 3.15.0~a2:
+ * Tools/Demos
+ + gh-139198: Remove Tools/scripts/checkpip.py script.
+ + gh-139188: Remove Tools/tz/zdump.py script.
+ * Tests
+ + gh-140482: Preserve and restore the state of stty echo as part of the
+ test environment.
+ + gh-140082: Update python -m test to set FORCE_COLOR=1 when being run
+ with color enabled so that unittest which is run by it with redirected
+ output will output in color.
+ + gh-136442: Use exitcode 1 instead of 5 if
+ unittest.TestCase.setUpClass() raises an exception
+ * Security
+ + gh-137836: Add support of the “plaintext” element, RAWTEXT elements
+ “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT
+ element “noscript” in html.parser.HTMLParser.
+ + gh-136063: email.message: ensure linear complexity for legacy HTTP
+ parameters parsing. Patch by Bénédikt Tran.
+ + gh-136065: Fix quadratic complexity in os.path.expandvars().
+ * Library
+ + gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and
+ IPv6Network.hosts() always return an iterator.
+ + gh-140938: The statistics.stdev() and statistics.pstdev() functions now
+ raise a ValueError when the input contains an infinity or a NaN.
+ + gh-124111: Updated Tcl threading configuration in _tkinter to assume
+ that threads are always available in Tcl 9 and later.
+ + gh-137109: The os.fork and related forking APIs will no longer warn in
+ the common case where Linux or macOS platform APIs return the number of
+ threads in a process and find the answer to be 1 even when a
+ os.register_at_fork() after_in_parent= callback (re)starts a thread.
+ + gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when
+ reading files with standalone carriage return (\r) line endings.
+ + gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined
+ behavior arising when read position is above capcity in io.BytesIO.
+ + gh-87710: mimetypes: Update mime type for .ai files to application/pdf.
+ + gh-85524: Update io.FileIO.readall, an implementation of
+ io.RawIOBase.readall(), to follow io.IOBase guidelines and raise
+ io.UnsupportedOperation when a file is in "w" mode rather than OSError
+ + gh-141141: Fix a thread safety issue with base64.b85decode().
+ + gh-141018: mimetypes: Update .exe, .dll, .rtf and (when
+ strict=False) .jpg to their correct IANA mime type.
+ + gh-137969: Fix annotationlib.ForwardRef.evaluate() returning ForwardRef
+ objects which don’t update with new globals.
+ + gh-75593: Add support of path-like objects and bytes-like objects in
+ wave.open().
+ + gh-140797: The undocumented re.Scanner class now forbids regular
+ expressions containing capturing groups in its lexicon patterns.
+ Patterns using capturing groups could previously lead to crashes with
+ segmentation fault. Use non-capturing groups (?:…) instead.
+ + gh-125115: Refactor the pdb parsing issue so positional arguments can
+ pass through intuitively.
+ + gh-140815: faulthandler now detects if a frame or a code object is
+ invalid or freed. Patch by Victor Stinner.
+ + gh-100218: Correctly set errno when socket.if_nametoindex() or
+ socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
+ + gh-140734: multiprocessing: fix off-by-one error when checking the
+ length of a temporary socket file path. Patch by Bénédikt Tran.
+ + gh-140873: Add support of non-descriptor callables in
+ functools.singledispatchmethod().
+ + gh-140874: Bump the version of pip bundled in ensurepip to version 25.3
+ + gh-140808: The internal class mailbox._ProxyFile is no longer a
+ parameterized generic.
+ + gh-140691: In urllib.request, when opening a FTP URL fails because a
+ data connection cannot be made, the control connection's socket is now
+ closed to avoid a ResourceWarning.
+ + gh-103847: Fix hang when cancelling process created by
+ asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell().
+ + gh-137821: Convert _json module to use Argument Clinic.
+ + gh-140790: Initialize all Pdb's instance variables in __init__, remove
+ some hasattr/getattr
+ + gh-140766: Add enum.show_flag_values() and enum.bin to enum.__all__.
+ + gh-120057: Add os.reload_environ() to os.__all__.
+ + gh-140741: Fix profiling.sampling.sample() incorrectly handling a
+ FileNotFoundError or PermissionError.
+ + gh-140228: Avoid making unnecessary filesystem calls for frozen modules
+ in linecache when the global module cache is not present.
+ + gh-139946: Error and warning keywords in argparse.ArgumentParser
+ messages are now colorized when color output is enabled, fixing a
+ visual inconsistency in which they remained plain text while other
+ output was colorized.
+ + gh-140590: Fix arguments checking for functools.partial.__setstate__()
+ that may lead to internal state corruption and crash.
+ + gh-140634: Fix a reference counting bug in os.sched_param.__reduce__().
+ + gh-140650: Fix an issue where closing io.BufferedWriter could crash if
+ the closed attribute raised an exception on access or could not be
+ converted to a boolean.
+ + gh-140601: xml.etree.ElementTree.iterparse() now emits a
+ ResourceWarning when the iterator is not explicitly closed and was
+ opened with a filename.
+ + gh-140593: xml.parsers.expat: Fix a memory leak that could affect users
+ with ElementDeclHandler() set to a custom element declaration handler.
+ + gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes
+ returned by io.RawIOBase.readinto() is valid (inside the provided
+ buffer).
+ + gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without
+ the extra argument.
+ + gh-140481: Improve error message when trying to iterate a Tk widget,
+ image or font.
+ + gh-138774: ast.unparse() now generates full source code when handling
+ ast.Interpolation nodes that do not have a specified source.
+ + gh-140474: Fix memory leak in array.array when creating arrays from an
+ empty str and the u type code.
+ + gh-140448: Change the default of suggest_on_error to True in
+ argparse.ArgumentParser.
+ + gh-137530: dataclasses Fix annotations for generated __init__ methods
+ by replacing the annotations that were in-line in the generated source
+ code with __annotate__ functions attached to the methods.
+ + gh-140348: Fix regression in Python 3.14.0 where using the | operator
+ on a typing.Union object combined with an object that is not a type
+ would raise an error.
+ + gh-76007: decimal: Deprecate __version__ and replace with
+ decimal.SPEC_VERSION.
+ + gh-76007: Deprecate __version__ from a imaplib.
+ + gh-140272: Fix memory leak in the clear() method of the dbm.gnu
+ database.
+ + gh-129117: unicodedata: Add isxidstart() and isxidcontinue() functions
+ to check whether a character can start or continue a Unicode Standard
+ Annex #31 identifier.
+ + gh-140251: Colorize the default import statement import asyncio in
+ asyncio REPL.
+ + gh-140212: Calendar's HTML formatting now accepts year and month as
+ options.
+ + gh-135801: Improve filtering by module in warnings.warn_explicit() if
+ no module argument is passed
+ + gh-139707: Improve ModuleNotFoundError error message when a standard
+ library module is missing.
+ + gh-140120: Fixed a memory leak in hmac when it was using the hacl-star
+ backend.
+ + gh-140141: The importlib.metadata.PackageNotFoundError traceback raised
+ when importlib.metadata.Distribution.from_name cannot discover a
+ distribution no longer includes a transient StopIteration exception
+ trace.
+ + gh-140166: mimetypes: Per the IANA assignment, update the MIME type for
+ the .texi and .texinfo file formats to application/texinfo, instead of
+ application/x-texinfo.
+ + gh-140135: Speed up io.RawIOBase.readall() by using PyBytesWriter API
+ + gh-136702: encodings: Deprecate passing a non-ascii encoding name to
+ encodings.normalize_encoding() and schedule removal of support for
+ Python 3.17.
+ + gh-139940: Print clearer error message when using pdb to attach to a
+ non-existing process.
+ + gh-139462: When a child process in a
+ concurrent.futures.ProcessPoolExecutor terminates abruptly, the
+ resulting traceback will now tell you the PID and exit code of the
+ terminated process. Contributed by Jonathan Berg.
+ + gh-63161: Fix tokenize.detect_encoding(). Support non-UTF-8 shebang and
+ comments if non-UTF-8 encoding is specified. Detect decoding error for
+ non-UTF-8 encoding. Detect null bytes in source code.
+ + gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and
+ 'euc_jis_2004' codecs truncating null chars as they were treated as
+ part of multi-character sequences.
+ + gh-139246: fix: paste zero-width in default repl width is wrong.
+ + gh-83714: Implement os.statx() on Linux kernel versions 4.11 and later
+ with glibc versions 2.28 and later.
+ + gh-138891: Fix SyntaxError when inspect.get_annotations(f,
+ eval_str=True) is called on a function annotated with a PEP 646
+ star_expression
+ + gh-138859: Fix generic type parameterization raising a TypeError when
+ omitting a ParamSpec that has a default which is not a list of types.
+ + gh-138764: Prevent annotationlib.call_annotate_function() from calling
+ __annotate__ functions that don't support VALUE_WITH_FAKE_GLOBALS in a
+ fake globals namespace with empty globals.
+ + Make FORWARDREF and STRING annotations fall back to using VALUE
+ annotations in the case that neither their own format, nor
+ VALUE_WITH_FAKE_GLOBALS are supported.
+ + gh-138775: Use of python -m with base64 has been fixed to detect input
+ from a terminal so that it properly notices EOF.
+ + gh-98896: Fix a failure in multiprocessing resource_tracker when
+ SharedMemory names contain colons. Patch by Rani Pinchuk.
+ + gh-138425: Fix partial evaluation of annotationlib.ForwardRef objects
+ which rely on names defined as globals.
+ + gh-138151: In annotationlib, improve evaluation of forward references
+ to nonlocal variables that are not yet defined when the annotations are
+ initially evaluated.
+ + gh-69528: The mode attribute of files opened in the 'wb+' mode is now
+ 'wb+' instead of 'rb+'.
+ + gh-137627: Speed up csv.Sniffer.sniff() delimiter detection by up to
+ 1.6x.
+ + gh-55531: encodings: Improve normalize_encoding() performance by
+ implementing the function in C using the private _Py_normalize_encoding
+ which has been modified to make lowercase conversion optional.
+ + gh-136057: Fixed the bug in pdb and bdb where next and step can't go
+ over the line if a loop exists in the line.
+ + gh-133390: Support table, index, trigger, view, column, function, and
+ schema completion for sqlite3's command-line interface.
+ + gh-135307: email: Fix exception in set_content() when encoding text and
+ max_line_length is set to 0 or None (unlimited).
+ + gh-133789: Fix unpickling of pathlib objects that were pickled in
+ Python 3.13.
+ + gh-133601: Remove deprecated typing.no_type_check_decorator().
+ + gh-132686: Add parameters inherit_class_doc and fallback_to_class_doc
+ for inspect.getdoc().
+ + gh-131116: inspect.getdoc() now correctly returns an inherited
+ docstring on cached_property objects if none is given in a subclass.
+ + gh-130693: Add support for -nolinestop, and -strictlimits options to
+ tkinter.Text.search(). Also add the tkinter.Text.search_all() method
+ for -all and -overlap options.
+ + gh-122255: In the linecache module and in the Python implementation of
+ the warnings module, a DeprecationWarning is issued when mod.__loader__
+ differs from mod.__spec__.loader (like in the C implementation of the
+ warnings module).
+ + gh-121011: math.log() now supports arbitrary large integer-like
+ arguments in the same way as arbitrary large integer arguments.
+ + gh-119668: Publicly expose and document
+ importlib.machinery.NamespacePath.
+ + gh-102431: Clarify constraints for "logical" arguments in methods of
+ decimal.Context.
+ + gh-81313: Add the math.integer module (PEP 791).
+ * Core and Builtins
+ + gh-141579: Fix sys.activate_stack_trampoline() to properly support the
+ perf_jit backend. Patch by Pablo Galindo.
+ + gh-114203: Skip locking if object is already locked by two-mutex
+ critical section.
+ + gh-141528: Suggest using concurrent.interpreters.Interpreter.close()
+ instead of the private _interpreters.destroy function when warning
+ about remaining subinterpreters. Patch by Sergey Miryanov.
+ + gh-141367: Specialize CALL_LIST_APPEND instruction only for lists, not
+ for list subclasses, to avoid unnecessary deopt.
+ + gh-141312: Fix the assertion failure in the __setstate__ method of the
+ range iterator when a non-integer argument is passed.
+ + gh-140643: Add support for and frames to
+ profiling.sampling output to denote active garbage collection and calls
+ to native code.
+ + gh-140942: Add .cjs to mimetypes to give CommonJS modules a MIME type
+ of application/node.
+ + gh-140479: Update JIT compilation to use LLVM 21 at build time.
+ + gh-140939: Fix memory leak when bytearray or bytes is formated with the
+ %*b format with a large width that results in a MemoryError.
+ + gh-140260: Fix struct data race in endian table initialization with
+ subinterpreters. Patch by Shamil Abdulaev.
+ + gh-140530: Fix a reference leak when raise exc from cause fails.
+ + gh-90344: Replace io.IncrementalNewlineDecoder with non incremental
+ newline decoders in codebase where
+ io.IncrementalNewlineDecoder.decode() was being called once.
+ + gh-140373: Correctly emit PY_UNWIND event when generator object is
+ closed. Patch by Mikhail Efimov.
+ + gh-140729: Fix pickling error in the sampling profiler when using
+ concurrent.futures.ProcessPoolExecutor script can not be properly
+ pickled and executed in worker processes.
+ + gh-131527: Dynamic borrow checking for stackrefs is added to
+ Py_STACKREF_DEBUG mode. Patch by Mikhail Efimov.
+ + gh-140576: Fixed crash in tokenize.generate_tokens() in case of
+ specific incorrect input. Patch by Mikhail Efimov.
+ + gh-140544: Speed up accessing interpreter state by caching it in a
+ thread local variable. Patch by Kumar Aditya.
+ + gh-140551: Fixed crash in dict if dict.clear() is called at the lookup
+ stage. Patch by Mikhail Efimov and Inada Naoki.
+ + gh-140517: Fixed a reference leak when iterating over the result of
+ map() with strict=True when the input iterables have different lengths.
+ + gh-133467: Fix race when updating type.__bases__ that could allow a
+ read of type.__base__ to observe an inconsistent value on the free
+ threaded build.
+ + gh-140471: Fix potential buffer overflow in ast.AST node initialization
+ when encountering malformed _fields containing non-str.
+ + gh-140443: The logarithm functions (such as math.log10() and
+ math.log()) may now produce slightly different results for extremely
+ large integers that cannot be converted to floats without overflow.
+ These results are generally more accurate, with reduced worst-case
+ error and a tighter overall error distribution.
+ + gh-140431: Fix a crash in Python's garbage collector due to partially
+ initialized coroutine objects when coroutine origin tracking depth is
+ enabled (sys.set_coroutine_origin_tracking_depth()).
+ + gh-140476: Optimize PySet_Add() for frozenset in free threaded build.
+ + gh-140398: Fix memory leaks in readline functions read_init_file(), + read_history_file(), write_history_file(), and append_history_file() + when PySys_Audit() fails. + + gh-140406: Fix memory leak when an object's __hash__() method returns + an object that isn't an int. + + gh-140358: Restore elapsed time and unreachable object count in GC + debug output. + + gh-139109: A new tracing frontend for the JIT compiler has been + implemented. + + gh-140306: Fix memory leaks in cross-interpreter channel operations and + shared namespace handling. + + gh-116738: Make _suggestions module thread-safe on the free threaded + build. + + gh-140301: Fix memory leak of PyConfig in subinterpreters. + + gh-140257: Fix data race between interpreter_clear() and take_gil() on + eval_breaker during finalization with daemon threads. + + gh-139951: Fixes a regression in GC performance for a growing heap + composed mostly of small tuples. + + gh-140253: Wrong placement of a double-star pattern inside a mapping + pattern now throws a specialized syntax error. + + gh-140104: Fix a bug with exception handling in the JIT. + + gh-140149: Speed up parsing bytes literals concatenation by using + PyBytesWriter API and a single memory allocation (about 3x faster). + + gh-140061: Fixing the checking of whether an object is uniquely + referenced to ensure free-threaded compatibility. + + gh-140080: Fix hang during finalization when attempting to call atexit + handlers under no memory. + + gh-139871: Update bytearray to use a bytes under the hood as its buffer + and add bytearray.take_bytes() to take it out. + + gh-140067: Fix memory leak in sub-interpreter creation. + + gh-139817: Attribute __qualname__ is added to typing.TypeAliasType. + + gh-135801: Many functions related to compiling or parsing Python code, + such as compile(), ast.parse(), symtable.symtable(), and + importlib.abc.InspectLoader.source_to_code() now allow to specify the + module name. 
It is needed to unambiguous filter syntax warnings by + module name. + + gh-139640: ast.parse() no longer emits syntax warnings for + return/break/continue in finally (see PEP 765) - they are only emitted + during compilation. + + gh-139640: Fix swallowing some syntax warnings in different modules if + they accidentally have the same message and are emitted from the same + line. Fix duplicated warnings in the finally block. + + gh-139475: Changes in stackref debugging mode when Py_STACKREF_DEBUG is + set. We use the same pattern of refcounting for stackrefs as in + production build. + + gh-139269: Fix undefined behavior when using unaligned store in JIT's + patch_* functions. + + gh-138944: Fix SyntaxError message when invalid syntax appears on the + same line as a valid import ... as ... or from ... import ... as ... + statement. Patch by Brian Schubert. + + gh-138857: Improve SyntaxError message for case keyword placed outside + match body. + + gh-131253: Support the --enable-pystats build option for the + free-threaded build. + + gh-136327: Errors when calling functions with invalid values after * + and ** now do not include the function name. Patch by Ilia Solin. + + gh-134786: If Py_TPFLAGS_MANAGED_DICT and Py_TPFLAGS_MANAGED_WEAKREF + are used, then Py_TPFLAGS_HAVE_GC must be used as well. + * C API + + gh-116146: Add a new PyImport_CreateModuleFromInitfunc() C-API for + creating a module from a spec and initfunc. Patch by Itamar Oren. + + gh-141042: Make qNaN in PyFloat_Pack2() and PyFloat_Pack4(), if while + conversion to a narrower precision floating-point format - the + remaining after truncation payload will be zero. + + gh-141004: Py_MATH_El and Py_MATH_PIl are deprecated. + + gh-141004: The Py_INFINITY macro is soft deprecated. + + gh-140556: PEP 793: Add a new entry point for C extension modules, + PyModExport_. + + gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and + older: don’t treat Py_NotImplemented as immortal. 
+ + gh-140153: Fix Py_REFCNT() definition on limited C API 3.11-3.13. + + gh-139653: Add PyUnstable_ThreadState_SetStackProtection() and + PyUnstable_ThreadState_ResetStackProtection() functions to set the + stack protection base address and stack protection size of a Python + thread state. Patch by Victor Stinner. + * Build + + gh-140454: When building the JIT, match the jit_stencils filename + expectations in Makefile with the generator script. This avoid needless + JIT recompilation during make install. + + gh-140768: Warn when the WASI SDK version doesn’t match what's + supported. + + gh-140513: Generate a clear compilation error when _Py_TAIL_CALL_INTERP + is enabled but either preserve_none or musttail is not supported. + + gh-140475: Support WASI SDK 25. + + gh-140239: Check statx availability only on Linux (including Android). + + gh-137618: PYTHON_FOR_REGEN now requires Python 3.10 to Python 3.15. +- Drop patch CVE-2025-6075-expandvars-perf-degrad.patch, included upstream. + ------------------------------------------------------------------- Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl diff --git a/python315.spec b/python315.spec index c0ebd1b..ca37ea5 100644 --- a/python315.spec +++ b/python315.spec @@ -162,8 +162,8 @@ # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so Name: %{python_pkg_name}%{psuffix} -Version: 3.15.0~a1 -%define tarversion 3.15.0a1 +Version: 3.15.0~a2 +%define tarversion 3.15.0a2 %define tarname Python-%{tarversion} Release: 0 Summary: Python 3 Interpreter 
@@ -224,9 +224,6 @@ Patch40: fix-test-recursion-limit-15.6.patch Patch41: bsc1243155-sphinx-non-determinism.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch42: gh139257-Support-docutils-0.22.patch -# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com -# Avoid potential quadratic complexity vulnerabilities in path modules -Patch43: CVE-2025-6075-expandvars-perf-degrad.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake @@ -272,7 +269,7 @@ BuildRequires: python3-python-docs-theme >= 2022.1 %if %{with experimental_jit} # needed for experimental_jit -BuildRequires: clang19 llvm19 +BuildRequires: clang21 llvm21 BuildRequires: llvm %endif @@ -755,7 +752,7 @@ done for library in \ array binascii _bisect _bz2 cmath _codecs_* \ _csv _ctypes _decimal fcntl grp \ - _hashlib _heapq _hmac _json _lsprof _lzma math mmap \ + _hashlib _heapq _hmac _json _lsprof _lzma math mmap _math_integer \ _multibytecodec _multiprocessing _pickle _posixshmem \ _posixsubprocess _queue _random resource select _ssl _socket \ _statistics _struct syslog termios _testbuffer _testimportmultiple \ @@ -1088,6 +1085,7 @@ fi %{dynlib _lzma} %{dynlib math} %{dynlib mmap} +%{dynlib _math_integer} %{dynlib _multibytecodec} %{dynlib _multiprocessing} %{dynlib _pickle}
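Review bot: The bump to `BuildRequires: clang21 llvm21` in the `experimental_jit` block is not explained where a maintainer will read it, because the comment above it still says only `# needed for experimental_jit`. The changelog in this same commit gives the reason (gh-140479, JIT compilation uses LLVM 21 at build time), so I would extend the comment to `# needed for experimental_jit; 3.15.0a2 builds the JIT with LLVM 21 (gh-140479)` so that the toolchain pin is not relaxed or bumped by accident. The unversioned `BuildRequires: llvm` on the next line is unchanged; it may resolve to a different LLVM than the pinned one, so it is worth confirming that it is still needed.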
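Review bot: `_math_integer` is added after `mmap` in the `for library in` list, while the neighbouring entries look mostly sorted by name with the leading underscore ignored, which would place it directly after `math`: `_hashlib _heapq _hmac _json _lsprof _lzma math _math_integer mmap \`. The same applies to `%{dynlib _math_integer}` in the hunk at -1088, which would sit between `%{dynlib math}` and `%{dynlib mmap}`. Keeping both lists in the same order makes a missing or stale extension module easier to spot when the upstream module set changes. The loop body lies outside the hunk, so what is done with each listed name is not visible here.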