From b563206f1a5c3a9fbe2c10c8d7aad009f603d3a6c79aeb61e989ca225913a0c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?=
Date: Thu, 13 Nov 2025 14:32:39 +0100
Subject: [PATCH] Remove unnecessary patch and note that the bug has been already fixed.
---
 CVE-2025-8291-consistency-zip64.patch | 21 ---------------------
 python315.changes | 14 ++------------
 python315.spec | 3 ---
 3 files changed, 2 insertions(+), 36 deletions(-)
 delete mode 100644 CVE-2025-8291-consistency-zip64.patch
diff --git a/CVE-2025-8291-consistency-zip64.patch b/CVE-2025-8291-consistency-zip64.patch
deleted file mode 100644
index dfb0b51..0000000
--- a/CVE-2025-8291-consistency-zip64.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 8e208c6c06a38a008ac0c09781f9dc3cfdc26769 Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka
-Date: Wed, 24 Sep 2025 20:56:01 +0300
-Subject: [PATCH] gh-139700: Check consistency of the zip64 end of central
- directory record
-
-Support records with "zip64 extensible data" if there are no bytes
-prepended to the ZIP file.
----
- Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +++
- 1 file changed, 3 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
-
-Index: Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-07 00:32:39.141440720 +0100
-@@ -0,0 +1,3 @@
-+Check consistency of the zip64 end of central directory record. Support
-+records with "zip64 extensible data" if there are no bytes prepended to the
-+ZIP file.
diff --git a/python315.changes b/python315.changes
index f988958..6f5a165 100644
--- a/python315.changes
+++ b/python315.changes
@@ -3,17 +3,6 @@ Mon Nov 10 10:01:37 UTC 2025 - Andreas Schwab - Update list of skipped tests in qemu linux-user emulation -------------------------------------------------------------------- -Thu Nov 6 23:45:56 UTC 2025 - Matej Cepl - -- Add CVE-2025-8291-consistency-zip64.patch which checks - consistency of the zip64 end of central directory record, and - preventing obfuscation of the payload, i.e., you scanning for - malicious content in a ZIP file with one ZIP parser (let's say - a Rust one) then unpack it in production with another (e.g., - the Python one) and get malicious content that the other parser - did not see (CVE-2025-8291, bsc#1251305) - ------------------------------------------------------------------- Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl @@ -89,7 +78,8 @@ Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible - data” if there are no bytes prepended to the ZIP file. + data” if there are no bytes prepended to the ZIP file + (bsc#1251305, CVE-2025-8291). - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by diff --git a/python315.spec b/python315.spec index c4a473b..0f1e88b 100644 --- a/python315.spec +++ b/python315.spec @@ -224,9 +224,6 @@ Patch40: fix-test-recursion-limit-15.6.patch Patch41: bsc1243155-sphinx-non-determinism.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch42: gh139257-Support-docutils-0.22.patch -# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com -# Check consistency of the zip64 end of central directory record -Patch43: CVE-2025-8291-consistency-zip64.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake