- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote

path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=211
2024-10-24 17:06:14 +00:00
parent c05bd945fa
commit 087c362626
3 changed files with 279 additions and 0 deletions
--- a/python39.spec
+++ b/python39.spec
@@ -194,6 +194,9 @@ Patch50:        gh120226-fix-sendfile-test-kernel-610.patch
 # PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com
 # status_iterator method moved between the Sphinx versions
 Patch51:        sphinx-802.patch
+# PATCH-FIX-UPSTREAM CVE-2024-9287-venv_path_unquoted.patch gh#python/cpython#124651 mcepl@suse.com
+# venv should properly quote path names provided when creating a venv
+Patch52:        CVE-2024-9287-venv_path_unquoted.patch

 BuildRequires:  autoconf-archive
 BuildRequires:  automake
@@ -467,6 +470,7 @@ other applications.
 %patch -P 48 -p1
 %patch -P 50 -p1
 %patch -P 51 -p1
+%patch -P 52 -p1

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac