Accepting request 1068978 from devel:languages:python:Factory

- Disable NIS for new products, it's deprecated and gets removed

- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/request/show/1068978
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=178

CVE-2023-24329-blank-URL-bypass.patch

@@ -0,0 +1,84 @@
+---
+ Lib/test/test_urlparse.py                                             |   21 ++++++++++
+ Lib/urlparse.py                                                       |    9 +++-
+ Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs |    2 
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+Index: Python-2.7.18/Lib/test/test_urlparse.py
+===================================================================
+--- Python-2.7.18.orig/Lib/test/test_urlparse.py
++++ Python-2.7.18/Lib/test/test_urlparse.py
+@@ -1,4 +1,5 @@
+ from test import test_support
++from urlparse import isascii
+ import sys
+ import unicodedata
+ import unittest
+@@ -592,6 +593,26 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertEqual(p.netloc, "www.example.net:foo")
+         self.assertRaises(ValueError, lambda: p.port)
+ 
++    def do_attributes_bad_scheme(self, bytes, parse, scheme):
++        url = scheme + "://www.example.net"
++        if bytes:
++            if isascii(url):
++                url = url.encode("ascii")
++            else:
++                return
++        p = parse(url)
++        if bytes:
++            self.assertEqual(p.scheme, b"")
++        else:
++            self.assertEqual(p.scheme, "")
++
++    def test_attributes_bad_scheme(self):
++        """Check handling of invalid schemes."""
++        for bytes in (False, True):
++            for parse in (urlparse.urlsplit, urlparse.urlparse):
++                for scheme in (".", "+", "-", "0", "http&"):
++                    self.do_attributes_bad_scheme(bytes, parse, scheme)
++
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+Index: Python-2.7.18/Lib/urlparse.py
+===================================================================
+--- Python-2.7.18.orig/Lib/urlparse.py
++++ Python-2.7.18/Lib/urlparse.py
+@@ -31,7 +31,8 @@ test_urlparse.py provides a good indicat
+ import re
+ 
+ __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
+-           "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
++           "urlsplit", "urlunsplit", "parse_qs", "parse_qsl",
++           "isascii"]
+ 
+ # A classification of schemes ('' means apply by default)
+ uses_relative = ['ftp', 'http', 'gopher', 'nntp', 'imap',
+@@ -68,6 +69,10 @@ _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+ 
++# Py3k shim
++def isascii(word):
++    return all([ord(c) < 128 for c in word])
++
+ def clear_cache():
+     """Clear the parse cache."""
+     _parse_cache.clear()
+@@ -211,7 +216,7 @@ def urlsplit(url, scheme='', allow_fragm
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
++    if i > 0 and isascii(url[0]) and url[0].isalpha():
+         if url[:i] == 'http': # optimize the common case
+             scheme = url[:i].lower()
+             url = url[i+1:]
+Index: Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
+===================================================================
+--- /dev/null
++++ Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.

python-base.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 

python-base.spec

@@ -142,6 +142,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -287,6 +291,7 @@ other applications.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python-doc.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
+Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
+
+- Disable NIS for new products, it's deprecated and gets removed
+
 -------------------------------------------------------------------
 Thu Jan 19 07:14:09 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python-doc.spec

@@ -141,6 +141,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@@ -224,6 +228,7 @@ Python, and Macintosh Module Reference in PDF format.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 

python.spec

@@ -141,6 +141,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -342,6 +346,7 @@ that rely on earlier non-verification behavior.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar