CVE-2023-52425-libexpat-2.6.0-backport.patch

---
 Lib/test/test_pyexpat.py   |    4 ++++
 Lib/test/test_sax.py       |    3 +++
 Lib/test/test_xml_etree.py |    7 +++++++
 3 files changed, 14 insertions(+)

Index: Python-3.9.25/Lib/test/test_pyexpat.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_pyexpat.py	2025-12-11 22:43:38.646411669 +0100
+++ Python-3.9.25/Lib/test/test_pyexpat.py	2025-12-11 22:43:57.288891858 +0100
@@ -802,6 +802,10 @@
         self.assertEqual(started, ['doc'])
 
     def test_reparse_deferral_disabled(self):
+        if expat.version_info < (2, 6, 0):
+            self.skipTest(f'Expat {expat.version_info} does not '
+                          'support reparse deferral')
+
         started = []
 
         def start_element(name, _):
Index: Python-3.9.25/Lib/test/test_sax.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_sax.py	2025-12-11 22:43:38.675498657 +0100
+++ Python-3.9.25/Lib/test/test_sax.py	2025-12-11 22:43:57.289349463 +0100
@@ -1236,6 +1236,9 @@
 
         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
 
+    @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
+                     f'Expat {pyexpat.version_info} does not '
+                     'support reparse deferral')
     def test_flush_reparse_deferral_disabled(self):
         result = BytesIO()
         xmlgen = XMLGenerator(result)
Index: Python-3.9.25/Lib/test/test_xml_etree.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_xml_etree.py	2025-12-11 22:43:38.988627336 +0100
+++ Python-3.9.25/Lib/test/test_xml_etree.py	2025-12-11 22:43:57.289604596 +0100
@@ -1416,9 +1416,13 @@
         self.assert_event_tags(parser, [('end', 'root')])
         self.assertIsNone(parser.close())
 
+    @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
+                     f'Fail with patched version of Expat {pyexpat.version_info}')
     def test_simple_xml_chunk_1(self):
         self.test_simple_xml(chunk_size=1, flush=True)
 
+    @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
+                     f'Fail with patched version of Expat {pyexpat.version_info}')
     def test_simple_xml_chunk_5(self):
         self.test_simple_xml(chunk_size=5, flush=True)
 
@@ -1643,6 +1647,9 @@
 
         self.assert_event_tags(parser, [('end', 'doc')])
 
+    @unittest.skipIf(pyexpat.version_info < (2, 6, 0),
+                     f'Expat {pyexpat.version_info} does not '
+                     'support reparse deferral')
     def test_flush_reparse_deferral_disabled(self):
         parser = ET.XMLPullParser(events=('start', 'end'))
- Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts mode of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201 2024-09-09 20:10:25 +00:00			`---`
			`Lib/test/test_pyexpat.py \| 4 ++++`
			`Lib/test/test_sax.py \| 3 +++`
			`Lib/test/test_xml_etree.py \| 7 +++++++`
			`3 files changed, 14 insertions(+)`

Update to 3.9.25 Security - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (CVE-2025-6075, bsc#1252974). Library - gh-98793: Fix argument typechecks in _overlapped.WSAConnect() and _overlapped.Overlapped.WSASendTo() functions. bpo-44817: Ignore WinError 53 (ERROR_BAD_NETPATH), 65 (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME) when using ntpath.realpath(). Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. 2025-12-11 22:48:48 +01:00			`Index: Python-3.9.25/Lib/test/test_pyexpat.py`
			`===================================================================`
			`--- Python-3.9.25.orig/Lib/test/test_pyexpat.py 2025-12-11 22:43:38.646411669 +0100`
			`+++ Python-3.9.25/Lib/test/test_pyexpat.py 2025-12-11 22:43:57.288891858 +0100`
			`@@ -802,6 +802,10 @@`
- Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts mode of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201 2024-09-09 20:10:25 +00:00			`self.assertEqual(started, ['doc'])`

			`def test_reparse_deferral_disabled(self):`
			`+ if expat.version_info < (2, 6, 0):`
			`+ self.skipTest(f'Expat {expat.version_info} does not '`
			`+ 'support reparse deferral')`
			`+`
			`started = []`

			`def start_element(name, _):`
Update to 3.9.25 Security - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (CVE-2025-6075, bsc#1252974). Library - gh-98793: Fix argument typechecks in _overlapped.WSAConnect() and _overlapped.Overlapped.WSASendTo() functions. bpo-44817: Ignore WinError 53 (ERROR_BAD_NETPATH), 65 (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME) when using ntpath.realpath(). Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. 2025-12-11 22:48:48 +01:00			`Index: Python-3.9.25/Lib/test/test_sax.py`
			`===================================================================`
			`--- Python-3.9.25.orig/Lib/test/test_sax.py 2025-12-11 22:43:38.675498657 +0100`
			`+++ Python-3.9.25/Lib/test/test_sax.py 2025-12-11 22:43:57.289349463 +0100`
			`@@ -1236,6 +1236,9 @@`
- Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts mode of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201 2024-09-09 20:10:25 +00:00
			`self.assertEqual(result.getvalue(), start + b"<doc></doc>")`

			`+ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),`
			`+ f'Expat {pyexpat.version_info} does not '`
			`+ 'support reparse deferral')`
			`def test_flush_reparse_deferral_disabled(self):`
			`result = BytesIO()`
			`xmlgen = XMLGenerator(result)`
Update to 3.9.25 Security - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (CVE-2025-6075, bsc#1252974). Library - gh-98793: Fix argument typechecks in _overlapped.WSAConnect() and _overlapped.Overlapped.WSASendTo() functions. bpo-44817: Ignore WinError 53 (ERROR_BAD_NETPATH), 65 (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME) when using ntpath.realpath(). Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. 2025-12-11 22:48:48 +01:00			`Index: Python-3.9.25/Lib/test/test_xml_etree.py`
			`===================================================================`
			`--- Python-3.9.25.orig/Lib/test/test_xml_etree.py 2025-12-11 22:43:38.988627336 +0100`
			`+++ Python-3.9.25/Lib/test/test_xml_etree.py 2025-12-11 22:43:57.289604596 +0100`
			`@@ -1416,9 +1416,13 @@`
- Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts mode of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201 2024-09-09 20:10:25 +00:00			`self.assert_event_tags(parser, [('end', 'root')])`
			`self.assertIsNone(parser.close())`

			`+ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),`
			`+ f'Fail with patched version of Expat {pyexpat.version_info}')`
			`def test_simple_xml_chunk_1(self):`
			`self.test_simple_xml(chunk_size=1, flush=True)`

			`+ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),`
			`+ f'Fail with patched version of Expat {pyexpat.version_info}')`
			`def test_simple_xml_chunk_5(self):`
			`self.test_simple_xml(chunk_size=5, flush=True)`

Update to 3.9.25 Security - gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser. - gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran. - gh-136065: Fix quadratic complexity in os.path.expandvars() (CVE-2025-6075, bsc#1252974). Library - gh-98793: Fix argument typechecks in _overlapped.WSAConnect() and _overlapped.Overlapped.WSASendTo() functions. bpo-44817: Ignore WinError 53 (ERROR_BAD_NETPATH), 65 (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME) when using ntpath.realpath(). Core and Builtins - gh-120384: Fix an array out of bounds crash in list_ass_subscript, which could be invoked via some specificly tailored input: including concurrent modification of a list object, where one thread assigns a slice and another clears it. - gh-120298: Fix use-after free in list_richcompare_impl which can be invoked via some specificly tailored evil input. 2025-12-11 22:48:48 +01:00			`@@ -1643,6 +1647,9 @@`
- Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts mode of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201 2024-09-09 20:10:25 +00:00
			`self.assert_event_tags(parser, [('end', 'doc')])`

			`+ @unittest.skipIf(pyexpat.version_info < (2, 6, 0),`
			`+ f'Expat {pyexpat.version_info} does not '`
			`+ 'support reparse deferral')`
			`def test_flush_reparse_deferral_disabled(self):`
			`parser = ET.XMLPullParser(events=('start', 'end'))`