From 9cf0841df6da3fcdd9b01c118cf18d2d69a6b229d05e34225b015665fcd3b60a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?=
Date: Fri, 21 Nov 2025 12:51:18 +0100
Subject: [PATCH] Add missing %patch call.
---
 .gitignore | 1 +
 CVE-2025-6075-expandvars-perf-degrad.patch | 225 ++++++++-------------
 python39.spec | 3 +-
 3 files changed, 85 insertions(+), 144 deletions(-)
diff --git a/.gitignore b/.gitignore
index 57affb6..d386254 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .osc
+python39-*-build/
diff --git a/CVE-2025-6075-expandvars-perf-degrad.patch b/CVE-2025-6075-expandvars-perf-degrad.patch
index deaa4bc..b77d74b 100644
--- a/CVE-2025-6075-expandvars-perf-degrad.patch
+++ b/CVE-2025-6075-expandvars-perf-degrad.patch
@@ -11,19 +11,19 @@ Content-Transfer-Encoding: 8bit Co-authored-by: Serhiy Storchaka Co-authored-by: Ɓukasz Langa --- - Lib/ntpath.py | 126 ++++++------------ - Lib/posixpath.py | 43 +++--- - Lib/test/test_genericpath.py | 14 ++ - Lib/test/test_ntpath.py | 17 ++- - ...-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 + - 5 files changed, 91 insertions(+), 110 deletions(-) + Lib/ntpath.py | 126 +++------- + Lib/posixpath.py | 43 +-- + Lib/test/test_genericpath.py | 19 + + Lib/test/test_ntpath.py | 23 + + Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 + 5 files changed, 96 insertions(+), 116 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst -diff --git a/Lib/ntpath.py b/Lib/ntpath.py -index 56c3614ba76b2e..604a1bd8d7a4e5 100644 ---- a/Lib/ntpath.py -+++ b/Lib/ntpath.py -@@ -335,17 +335,23 @@ def expanduser(path): +Index: Python-3.9.24/Lib/ntpath.py +=================================================================== +--- Python-3.9.24.orig/Lib/ntpath.py 2025-11-21 12:52:18.350673347 +0100 ++++ Python-3.9.24/Lib/ntpath.py 2025-11-21 12:52:34.076133325 +0100 +@@ -335,17 +335,23 @@ # XXX With COMMAND.COM you can use any characters in a variable name, # XXX except '^|<>='. @@ -50,7 +50,7 @@ index 56c3614ba76b2e..604a1bd8d7a4e5 100644 percent = b'%' brace = b'{' rbrace = b'}' -@@ -354,94 +360,44 @@ def expandvars(path): +@@ -354,94 +360,44 @@ else: if '$' not in path and '%' not in path: return path 
@@ -177,11 +177,11 @@ index 56c3614ba76b2e..604a1bd8d7a4e5 100644 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B. -diff --git a/Lib/posixpath.py b/Lib/posixpath.py -index de2b90c10cc3f2..5daa6ef5f12605 100644 ---- a/Lib/posixpath.py -+++ b/Lib/posixpath.py -@@ -275,42 +275,41 @@ def expanduser(path): +Index: Python-3.9.24/Lib/posixpath.py +=================================================================== +--- Python-3.9.24.orig/Lib/posixpath.py 2025-11-21 12:52:18.388628236 +0100 ++++ Python-3.9.24/Lib/posixpath.py 2025-11-21 12:52:34.076301225 +0100 +@@ -275,42 +275,41 @@ # This expands the forms $variable and ${variable} only. # Non-existent variables are left unchanged. @@ -240,7 +240,7 @@ index de2b90c10cc3f2..5daa6ef5f12605 100644 name = name[1:-1] try: if environ is None: -@@ -318,13 +317,11 @@ def expandvars(path): +@@ -318,13 +317,11 @@ else: value = environ[name] except KeyError: 
@@ -258,26 +258,45 @@ index de2b90c10cc3f2..5daa6ef5f12605 100644 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B. -diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py -index e7acbcd29088b3..cd6180cc290c80 100644 ---- a/Lib/test/test_genericpath.py -+++ b/Lib/test/test_genericpath.py -@@ -8,6 +8,7 @@ - import unittest +Index: Python-3.9.24/Lib/test/test_genericpath.py +=================================================================== +--- Python-3.9.24.orig/Lib/test/test_genericpath.py 2025-11-21 12:52:19.232406542 +0100 ++++ Python-3.9.24/Lib/test/test_genericpath.py 2025-11-21 12:52:34.077309462 +0100 +@@ -9,7 +9,7 @@ import warnings from test import support -+from test.support import os_helper from test.support.script_helper import assert_python_ok - from test.support import FakePath +-from test.support import FakePath ++from test.support import FakePath, EnvironmentVarGuard -@@ -429,6 +430,19 @@ def check(value, expected): + + def create_file(filename, data=b'foo'): +@@ -374,7 +374,7 @@ + + def test_expandvars(self): + expandvars = self.pathmodule.expandvars +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + env["foo"] = "bar" + env["{foo"] = "baz1" +@@ -408,7 +408,7 @@ + expandvars = self.pathmodule.expandvars + def check(value, expected): + self.assertEqual(expandvars(value), expected) +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + nonascii = support.FS_NONASCII + env['spam'] = nonascii +@@ -429,6 +429,19 @@ os.fsencode('$bar%s bar' % nonascii)) check(b'$spam}bar', os.fsencode('%s}bar' % nonascii)) + @support.requires_resource('cpu') + def test_expandvars_large(self): + expandvars = self.pathmodule.expandvars -+ with os_helper.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + env["A"] = "B" + n = 100_000 
@@ -290,10 +309,10 @@ index e7acbcd29088b3..cd6180cc290c80 100644 def test_abspath(self): self.assertIn("foo", self.pathmodule.abspath("foo")) with warnings.catch_warnings(): -diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py -index 8f07d18e134fb7..6534c791d8d269 100644 ---- a/Lib/test/test_ntpath.py -+++ b/Lib/test/test_ntpath.py +Index: Python-3.9.24/Lib/test/test_ntpath.py +=================================================================== +--- Python-3.9.24.orig/Lib/test/test_ntpath.py 2025-11-21 12:52:19.665352116 +0100 ++++ Python-3.9.24/Lib/test/test_ntpath.py 2025-11-21 12:52:34.077441463 +0100 @@ -1,11 +1,10 @@ import ntpath import os @@ -303,18 +322,36 @@ index 8f07d18e134fb7..6534c791d8d269 100644 import warnings from ntpath import ALLOW_MISSING -from test.support import TestFailed, FakePath -+from test.support import TestFailed, FakePath, os_helper ++from test.support import TestFailed, FakePath, EnvironmentVarGuard from test import support, test_genericpath from tempfile import TemporaryFile -@@ -687,6 +686,19 @@ def check(value, expected): +@@ -642,7 +641,7 @@ + ntpath.realpath("file.txt", **kwargs)) + + def test_expandvars(self): +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + env["foo"] = "bar" + env["{foo"] = "baz1" +@@ -671,7 +670,7 @@ + def test_expandvars_nonascii(self): + def check(value, expected): + tester('ntpath.expandvars(%r)' % value, expected) +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + nonascii = support.FS_NONASCII + env['spam'] = nonascii +@@ -687,10 +686,23 @@ check('%spam%bar', '%sbar' % nonascii) check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii) + @support.requires_resource('cpu') + def test_expandvars_large(self): + expandvars = ntpath.expandvars -+ with os_helper.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + env["A"] = "B" + n = 100_000 
@@ -327,7 +364,12 @@ index 8f07d18e134fb7..6534c791d8d269 100644 def test_expanduser(self): tester('ntpath.expanduser("test")', 'test') -@@ -908,6 +920,7 @@ def test_nt_helpers(self): +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + tester('ntpath.expanduser("~test")', '~test') + +@@ -908,6 +920,7 @@ self.assertIsInstance(b_final_path, bytes) self.assertGreater(len(b_final_path), 0) @@ -335,112 +377,9 @@ index 8f07d18e134fb7..6534c791d8d269 100644 class NtCommonTest(test_genericpath.CommonTest, unittest.TestCase): pathmodule = ntpath attributes = ['relpath'] -diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst -new file mode 100644 -index 00000000000000..1d152bb5318380 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +Index: Python-3.9.24/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.9.24/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2025-11-21 12:52:34.076771610 +0100 
@@ -0,0 +1 @@ +Fix quadratic complexity in :func:`os.path.expandvars`. - -From b4fb84faf470183801c3e3d361bec03101d928ed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=C5=81ukasz=20Langa?= -Date: Fri, 31 Oct 2025 16:45:42 +0100 -Subject: [PATCH 2/2] Oops, there's no test.support.os_helper on 3.9 - ---- - Lib/test/test_genericpath.py | 9 ++++----- - Lib/test/test_ntpath.py | 10 +++++----- - 2 files changed, 9 insertions(+), 10 deletions(-) - -diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py -index cd6180cc290c80..e53bb203a0c4fd 100644 ---- a/Lib/test/test_genericpath.py -+++ b/Lib/test/test_genericpath.py -@@ -8,9 +8,8 @@ - import unittest - import warnings - from test import support --from test.support import os_helper - from test.support.script_helper import assert_python_ok --from test.support import FakePath -+from test.support import FakePath, EnvironmentVarGuard - - - def create_file(filename, data=b'foo'): -@@ -375,7 +374,7 @@ def test_splitdrive(self): - - def test_expandvars(self): - expandvars = self.pathmodule.expandvars -- with support.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - env["foo"] = "bar" - env["{foo"] = "baz1" -@@ -409,7 +408,7 @@ def test_expandvars_nonascii(self): - expandvars = self.pathmodule.expandvars - def check(value, expected): - self.assertEqual(expandvars(value), expected) -- with support.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - nonascii = support.FS_NONASCII - env['spam'] = nonascii -@@ -433,7 +432,7 @@ def check(value, expected): - @support.requires_resource('cpu') - def test_expandvars_large(self): - expandvars = self.pathmodule.expandvars -- with os_helper.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - env["A"] = "B" - n = 100_000 -diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py -index 6534c791d8d269..9a8a44b235b2ce 100644 ---- a/Lib/test/test_ntpath.py -+++ 
b/Lib/test/test_ntpath.py -@@ -4,7 +4,7 @@ - import unittest - import warnings - from ntpath import ALLOW_MISSING --from test.support import TestFailed, FakePath, os_helper -+from test.support import TestFailed, FakePath, EnvironmentVarGuard - from test import support, test_genericpath - from tempfile import TemporaryFile - -@@ -641,7 +641,7 @@ def test_realpath_cwd(self): - ntpath.realpath("file.txt", **kwargs)) - - def test_expandvars(self): -- with support.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - env["foo"] = "bar" - env["{foo"] = "baz1" -@@ -670,7 +670,7 @@ def test_expandvars(self): - def test_expandvars_nonascii(self): - def check(value, expected): - tester('ntpath.expandvars(%r)' % value, expected) -- with support.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - nonascii = support.FS_NONASCII - env['spam'] = nonascii -@@ -689,7 +689,7 @@ def check(value, expected): - @support.requires_resource('cpu') - def test_expandvars_large(self): - expandvars = ntpath.expandvars -- with os_helper.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - env["A"] = "B" - n = 100_000 -@@ -702,7 +702,7 @@ def test_expandvars_large(self): - def test_expanduser(self): - tester('ntpath.expanduser("test")', 'test') - -- with support.EnvironmentVarGuard() as env: -+ with EnvironmentVarGuard() as env: - env.clear() - tester('ntpath.expanduser("~test")', '~test') - diff --git a/python39.spec b/python39.spec index 501c286..31f5e8e 100644 --- a/python39.spec +++ b/python39.spec 
@@ -196,7 +196,7 @@ Patch51: sphinx-802.patch
 Patch52: gh139257-Support-docutils-0.22.patch
 # PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com
 # Avoid potential quadratic complexity vulnerabilities in path modules
-Patch54: CVE-2025-6075-expandvars-perf-degrad.patch
+Patch53: CVE-2025-6075-expandvars-perf-degrad.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -469,6 +469,7 @@ other applications.
 %patch -p1 -P 50
 %patch -p1 -P 51
 %patch -p1 -P 52
+%patch -p1 -P 53
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
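Review bot: The hand-maintained `%patch` list in the second python39.spec hunk has no guard against a patch that is declared but never applied, which is the state this commit repairs: before it, the CVE-2025-6075 patch was declared as `Patch54:` and the visible context shows no matching `%patch` call, so the build would have succeeded without the fix. If every patch in this spec is applied unconditionally with `-p1` (only three neighbouring calls are visible here, so check the full %prep section), replacing the per-patch lines with `%autopatch -p1` would remove that failure mode. Otherwise a comment above the list would help, for example `# every PatchNN: declared above needs a matching %patch line here; a missing one silently drops the fix`. The diffstat lists no .changes file, so it is worth confirming that the changelog records that builds made before this commit did not contain the expandvars fix.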