- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091

(CVE-2019-20907, bpo#39017), avoiding a possible infinite loop
  in a specially crafted tarball.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=12
2020-07-20 12:08:37 +00:00
committed by Git OBS Bridge
parent 012ae3418d
commit fe6eb0ea67
3 changed files with 147 additions and 2 deletions


@@ -38,7 +38,6 @@
%define _version %(c=%{version}; echo ${c/[a-z]*/})
%define tar_suffix %(c=%{_version}; echo ${c#%{_version}})
%define python_version %(c=%{_version}; echo ${c:0:3})
# the versions are autogenerated from pre_checkin.sh
# based on the current source tarball
%define python_version_abitag %(c=%{python_version}; echo ${c//./})
# FIXME %define python_version_soname %(c=%{python_version}; echo ${c//./_})
@@ -53,7 +52,7 @@
# Will provide the pyton3-* provides
# Will do the /usr/bin/python3 and all the core links
%define primary_interpreter 0
%define folderversion %{_version}
%define folderversion 3.9.0
%define tarname Python-%{tarversion}
%define sitedir %{_libdir}/python%{python_version}
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
@@ -139,6 +138,9 @@ Patch29: bpo-31046_ensurepip_honours_prefix.patch
# PATCH-FIX-UPSTREAM bsc1167501-invalid-alignment.patch gh#python/cpython#19133 mcepl@suse.com
# Fix wrong misalignment of pointer to vectorcallfunc
Patch31: bsc1167501-invalid-alignment.patch
# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
Patch32: CVE-2019-20907_tarfile-inf-loop.patch
BuildRequires: automake
BuildRequires: fdupes
BuildRequires: gmp-devel
@@ -392,6 +394,7 @@ other applications.
%patch27 -p1
%patch29 -p1
%patch31 -p1
%patch32 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
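Review bot: The second hunk changes `%define folderversion`, which the commit message does not mention and which is unrelated to CVE-2019-20907. Both the `%{_version}` form and the literal `3.9.0` form are printed, and the +/- markers are lost on this page. If the literal `3.9.0` is the new side, it will silently go stale at the next version bump. Either way, a security fix is easier to audit and backport when it touches only the `Patch32:` declaration and `%patch32 -p1`, so I would move the `folderversion` edit and the line dropped in the first hunk (`-38,7 +38,6`) into their own commit. Separately, no hunk shown here adds a `Source` entry, so if the patch's regression test relies on a crafted tarball fixture that a text patch cannot create, confirm the fixture exists in the build tree and that the test runs in `%check` rather than being skipped. The spec file continues outside these hunks, so this is based on the visible lines only.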