diff --git a/CVE-2025-13837-plistlib-mailicious-length.patch b/CVE-2025-13837-plistlib-mailicious-length.patch index e380248..bd55556 100644 --- a/CVE-2025-13837-plistlib-mailicious-length.patch +++ b/CVE-2025-13837-plistlib-mailicious-length.patch @@ -20,8 +20,8 @@ Co-authored-by: Serhiy Storchaka Index: Python-3.9.25/Lib/plistlib.py =================================================================== ---- Python-3.9.25.orig/Lib/plistlib.py 2025-10-31 19:40:52.000000000 +0100 -+++ Python-3.9.25/Lib/plistlib.py 2025-12-19 23:27:31.617856557 +0100 +--- Python-3.9.25.orig/Lib/plistlib.py 2025-12-23 23:47:30.450823742 +0100 ++++ Python-3.9.25/Lib/plistlib.py 2025-12-23 23:49:03.726727983 +0100 @@ -64,6 +64,9 @@ PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__) globals().update(PlistFormat.__members__) @@ -87,8 +87,8 @@ Index: Python-3.9.25/Lib/plistlib.py elif tokenH == 0x80: # UID Index: Python-3.9.25/Lib/test/test_plistlib.py =================================================================== ---- Python-3.9.25.orig/Lib/test/test_plistlib.py 2025-10-31 19:40:52.000000000 +0100 -+++ Python-3.9.25/Lib/test/test_plistlib.py 2025-12-19 23:27:31.618131664 +0100 +--- Python-3.9.25.orig/Lib/test/test_plistlib.py 2025-12-23 23:47:31.633839488 +0100 ++++ Python-3.9.25/Lib/test/test_plistlib.py 2025-12-23 23:50:05.844028198 +0100 @@ -837,8 +837,7 @@ class TestBinaryPlistlib(unittest.TestCase): 
@@ -117,16 +117,16 @@ Index: Python-3.9.25/Lib/test/test_plistlib.py plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY) + def test_truncated_large_data(self): -+ self.addCleanup(os_helper.unlink, os_helper.TESTFN) ++ self.addCleanup(support.unlink, support.TESTFN) + def check(data): -+ with open(os_helper.TESTFN, 'wb') as f: ++ with open(support.TESTFN, 'wb') as f: + f.write(data) + # buffered file -+ with open(os_helper.TESTFN, 'rb') as f: ++ with open(support.TESTFN, 'rb') as f: + with self.assertRaises(plistlib.InvalidFileException): + plistlib.load(f, fmt=plistlib.FMT_BINARY) + # unbuffered file -+ with open(os_helper.TESTFN, 'rb', buffering=0) as f: ++ with open(support.TESTFN, 'rb', buffering=0) as f: + with self.assertRaises(plistlib.InvalidFileException): + plistlib.load(f, fmt=plistlib.FMT_BINARY) + for w in range(20, 64): @@ -150,7 +150,7 @@ Index: Python-3.9.25/Lib/test/test_plistlib.py Index: Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst 2025-12-19 23:27:31.618365285 +0100 ++++ Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst 2025-12-23 23:49:03.727528792 +0100 @@ -0,0 +1,5 @@ +Fix a potential memory denial of service in the :mod:`plistlib` module. +When reading a Plist file received from untrusted source, it could cause diff --git a/python39.spec b/python39.spec index d19295d..12af7c0 100644 --- a/python39.spec +++ b/python39.spec @@ -475,6 +475,9 @@ other applications. %patch -p1 -P 50 %patch -p1 -P 51 %patch -p1 -P 52 +%patch -p1 -P 53 +%patch -p1 -P 54 +%patch -p1 -P 55 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
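Review bot: The five `os_helper.*` to `support.*` replacements in `test_truncated_large_data` are not explained anywhere in the patch header, so the next rebase against upstream is likely to bring `os_helper` back. This looks like a 3.9 adaptation, presumably because `test.support.os_helper` is not available on this branch; confirm that `support` is imported at the top of `test_plistlib.py`, which is outside this hunk. I would add a line to the patch description such as `Backport note: uses test.support.unlink/TESTFN instead of os_helper (3.9 branch)`. The body of the `for w in range(20, 64):` loop continues past the hunk, so the assertions it drives cannot be checked from here.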
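Review bot: Nothing visible here ties the new `%patch -p1 -P 53` to `-P 55` lines to their `Patch53:`–`Patch55:` tags, which are outside the hunk, so each number should be checked against its declaration. Adding the lines separately suggests the patches were declared in the source package but not applied during `%prep`. If one of them is the plistlib CVE fix touched in this same commit (presumably, not shown), that gap would have shipped a build without the fix and with no build error. Consider a guard comment above the block such as `# every PatchNN declared above needs a matching %patch line here`. If the patches are all unconditional, `%autopatch -p1` would stop the two lists drifting apart.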