diff --git a/CVE-2017-18207.patch b/CVE-2017-18207.patch new file mode 100644 index 0000000..5fb1bcc --- /dev/null +++ b/CVE-2017-18207.patch @@ -0,0 +1,22 @@ +From ae0ed14794ced2c51c822fc6f0d3ca92064619dd Mon Sep 17 00:00:00 2001 +From: BT123 +Date: Fri, 17 Nov 2017 16:45:45 +0800 +Subject: [PATCH] bug in wave.py + +--- + Lib/wave.py | 2 ++ + 1 file changed, 2 insertions(+) + +Index: Python-2.7.13/Lib/wave.py +=================================================================== +--- Python-2.7.13.orig/Lib/wave.py 2018-06-07 17:00:25.370728844 +0000 ++++ Python-2.7.13/Lib/wave.py 2018-06-07 17:02:51.768202800 +0000 +@@ -272,6 +272,8 @@ class Wave_read: + self._sampwidth = (sampwidth + 7) // 8 + else: + raise Error, 'unknown format: %r' % (wFormatTag,) ++ if self._nchannels == 0: ++ raise Error, "The audio file in wav format should have at least one channel!" + self._framesize = self._nchannels * self._sampwidth + self._comptype = 'NONE' + self._compname = 'not compressed' diff --git a/macros.python2 b/macros.python2 index 696f6a4..c22b793 100644 --- a/macros.python2 +++ b/macros.python2 @@ -1,10 +1,8 @@ # legacy macros. commented but kept for the sake of possible recovery of their values -#%py_ver %(python -c "import sys; v=sys.version_info[:2]; print '%%d.%%d'%%v" 2>/dev/null || echo PYTHON-NOT-FOUND) -#%py_prefix %(python -c "import sys; print sys.prefix" 2>/dev/null || echo PYTHON-NOT-FOUND) -#%py_libdir %{py_prefix}/%{_lib}/python%{py_ver} -#%py_incdir %{py_prefix}/include/python%{py_ver} -#%py_sitedir %{py_libdir}/site-packages -#%__python2 /usr/bin/python2 +%py_prefix %(python -c "import sys; print sys.prefix" 2>/dev/null || echo PYTHON-NOT-FOUND) +%py_libdir %{py_prefix}/%{_lib}/python%{py_ver} +%py_incdir %{py_prefix}/include/python%{py_ver} +%py_sitedir %{py_libdir}/site-packages # these might be still in use somewhere %py_compile(O) \ diff --git a/python-base.changes b/python-base.changes index 07310a2..6cf0cf8 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,11 +1,5 @@ ------------------------------------------------------------------- -Tue Nov 5 04:24:05 UTC 2019 - Steve Kowalik - -- Add adapted-from-F00251-change-user-install-location.patch fixing - pip/distutils to install into /usr/local. - -------------------------------------------------------------------- -Thu Oct 24 14:40:39 CEST 2019 - Matej Cepl +Tue Nov 12 14:11:27 CET 2019 - Matej Cepl - Update to 2.7.17: - a bug fix release in the Python 2.7.x series. It is expected @@ -17,6 +11,15 @@ Thu Oct 24 14:40:39 CEST 2019 - Matej Cepl - CVE-2019-9947-no-ctrl-char-http.patch - CVE-2019-9948-avoid_local-file.patch +- Readjusted CVE-2017-18207.patch (for its description, see + below). + +------------------------------------------------------------------- +Tue Nov 5 04:24:05 UTC 2019 - Steve Kowalik + +- Add adapted-from-F00251-change-user-install-location.patch fixing + pip/distutils to install into /usr/local. + ------------------------------------------------------------------- Tue Oct 8 19:46:52 CEST 2019 - Matej Cepl @@ -30,7 +33,14 @@ Wed Sep 25 13:25:33 UTC 2019 - Bernhard Wiedemann - Add bpo36302-sort-module-sources.patch (boo#1041090) ------------------------------------------------------------------- -Fri Jul 19 13:28:16 CEST 2019 - Matej Cepl +Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl + +- Add CVE-2019-16056-email-parse-addr.patch fixing the email + module wrongly parses email addresses [bsc#1149955, + CVE-2019-16056] + +------------------------------------------------------------------- +Thu Jul 25 19:31:47 CEST 2019 - Matej Cepl - boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing @@ -39,68 +49,49 @@ Fri Jul 19 13:28:16 CEST 2019 - Matej Cepl cookies to the wrong server. ------------------------------------------------------------------- -Fri Jul 19 11:19:42 UTC 2019 - Tomáš Chvátal +Wed Jul 3 21:02:00 CEST 2019 - Matej Cepl -- Skip test_urllib2_localnet that randomly fails in OBS +- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch + which fixes regression introduced by the previous patch. + (CVE-2019-10160) + Upstream gh#python/cpython#13812 ------------------------------------------------------------------- -Wed May 29 08:58:16 UTC 2019 - Martin Liška - -- Set _lto_cflags to nil as it will prevent to propage LTO - for Python modules that are built in a separate package. - -------------------------------------------------------------------- -Thu May 2 08:40:33 CEST 2019 - Matej Cepl - -- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch - Address the issue by disallowing URL paths with embedded - whitespace or control characters through into the underlying - http client request. Such potentially malicious header - injection URLs now cause a ValueError to be raised. - -------------------------------------------------------------------- -Mon Apr 8 22:40:01 CEST 2019 - Matej Cepl +Tue Apr 9 00:47:11 CEST 2019 - Matej Cepl - bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch removing unnecessary (and potentially harmful) URL scheme local-file://. ------------------------------------------------------------------- -Mon Apr 8 21:13:48 CEST 2019 - Matej Cepl +Tue Apr 9 00:46:36 CEST 2019 - Matej Cepl - bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, - no error will be raised. + no error will be raised (CVE-2019-9636). Upstream commits e37ef41 and 507bd8c. ------------------------------------------------------------------- -Thu Apr 4 22:28:24 CEST 2019 - Matej Cepl +Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com -- Update to 2.7.16: - * bugfix-only release: complete list of changes on - https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst - * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch - which are fully included in the tarball. - * Updated patches to apply cleanly: - CVE-2019-5010-null-defer-x509-cert-DOS.patch - bpo36160-init-sysconfig_vars.patch - do-not-use-non-ascii-in-test_ssl.patch - openssl-111-middlebox-compat.patch - openssl-111-ssl_options.patch - python-2.5.1-sqlite.patch - python-2.6-gettext-plurals.patch - python-2.7-dirs.patch - python-2.7.2-fix_date_time_compiler.patch - python-2.7.4-canonicalize2.patch - python-2.7.5-multilib.patch - python-2.7.9-ssl_ca_path.patch - python-bsddb6.diff - remove-static-libpython.diff - * Update python-2.7.5-multilib.patch to pass with new platlib - regime. +- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch + fixing bpo-34623. + +------------------------------------------------------------------- +Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com + +- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch + PyWeakref_NewProxy@Objects/weakrefobject.c creates new isntance + of PyWeakReference struct and does not intialize wr_prev and + wr_next of new isntance. These pointers can have garbage and + point to random memory locations. + Python should not crash while destroying the isntance created + in the same interpreter function. As per my understanding, both + wr_prev and wr_next of PyWeakReference instance should be + initialized to NULL to avoid segfault. ------------------------------------------------------------------- Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com @@ -114,17 +105,6 @@ Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com initiate or accept TLS connections using crafted certificates to trigger this vulnerability. -------------------------------------------------------------------- -Wed Dec 19 19:29:44 UTC 2018 - Todd R - -- Use upstream-recommended %{_rpmconfigdir}/macros.d directory - for the rpm macros. - -------------------------------------------------------------------- -Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal - -- Add patch openssl-111.patch to work with openssl-1.1.1 - ------------------------------------------------------------------- Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl @@ -133,88 +113,65 @@ Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl distutils.spawn. [bsc#1109663, CVE-2018-1000802] ------------------------------------------------------------------- -Mon May 21 18:41:43 UTC 2018 - michael@stroeder.com +Fri Jun 29 10:24:27 UTC 2018 - mcepl@suse.com -- update to 2.7.15 - * dozens of bugfixes, see NEWS for details -- removed obsolete patches: - * python-ncurses-6.0-accessors.patch - * python-fix-shebang.patch - * gcc8-miscompilation-fix.patch -- add patch from upstream: - * do-not-use-non-ascii-in-test_ssl.patch +- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent + low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS + (CVE-2018-1061). Prior to this patch mail server's timestamp was + susceptible to catastrophic backtracking on long evil response from + the server. Also, it was susceptible to catastrophic backtracking, + which was a potential DOS vector. + [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060] ------------------------------------------------------------------- -Fri Apr 6 10:11:22 UTC 2018 - mliska@suse.cz +Thu Jun 7 17:04:40 UTC 2018 - psimons@suse.com -- Add gcc8-miscompilation-fix.patch (boo#1084650). +- Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that + verifies that at least one channel is provided. Prior to this + check, attackers could cause a denial of service (divide-by-zero + error and application crash) via a crafted wav format audio file. + [bsc#1083507, CVE-2017-18207] ------------------------------------------------------------------- -Tue Feb 20 13:14:27 UTC 2018 - bwiedemann@suse.com +Tue May 29 12:42:22 UTC 2018 - mcepl@suse.com -- Add python-sorted_tar.patch (boo#1081750) +- Apply "python-sorted_tar.patch" (bsc#1086001) + sort tarfile output directory listing ------------------------------------------------------------------- -Mon Feb 5 16:01:59 UTC 2018 - normand@linux.vnet.ibm.com +Tue Mar 13 15:22:47 UTC 2018 - psimons@suse.com -- exclude test_socket & test_subprocess for PowerPC boo#1078485 - (same ref as previous change) +- Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer + overflows in PyString_DecodeEscape that could have resulted in + heap-based buffer overflow attacks and possible arbitrary code + execution. [bsc#1068664, CVE-2017-1000158] + +- Apply "python-2.7.14-CVE-2018-1000030-1.patch" and + "python-2.7.14-CVE-2018-1000030-2.patch" to remedy a bug that + would crash the Python interpreter when multiple threads used the + same I/O stream concurrently. This issue is not classified as a + security vulnerability due to the fact that an attacker must be + able to run code, however in some situations -- such as function + as a service -- this vulnerability can potentially be used by an + attacker to violate a trust boundary. [bsc#1079300, + CVE-2018-1000030] ------------------------------------------------------------------- -Fri Feb 2 09:21:24 UTC 2018 - normand@linux.vnet.ibm.com +Tue Feb 28 16:16:40 UTC 2017 - jmatejek@suse.com -- Add python-skip_random_failing_tests.patch bypass boo#1078485 - and exclude many tests for PowerPC - -------------------------------------------------------------------- -Tue Jan 30 16:08:33 UTC 2018 - tchvatal@suse.com - -- Add patch python-fix-shebang.patch to fix bsc#1078326 - -------------------------------------------------------------------- -Fri Dec 22 16:49:38 UTC 2017 - jmatejek@suse.com - -- exclude test_regrtest for s390, where it does not segfault as it should - (fixes bsc#1073269) -- fix segfault while creating weakref - bsc#1073748, bpo#29347 - (this is actually fixed by the 2.7.14 update; mentioning this for purposes - of bugfix tracking) - -------------------------------------------------------------------- -Mon Nov 20 16:11:48 UTC 2017 - jmatejek@suse.com - -- update to 2.7.14 - * dozens of bugfixes, see NEWS for details - * fixed possible integer overflow in PyString_DecodeEscape (CVE-2017-1000158, bsc#1068664) - * fixed segfaults with dict mutated during search - * fixed possible free-after-use problems with buffer objects with custom indexing - * fixed urllib.splithost to correctly parse fragments (bpo-30500) -- drop upstreamed python-2.7.13-overflow_check.patch -- drop unneeded python-2.7.12-makeopcode.patch -- drop upstreamed 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch - -------------------------------------------------------------------- -Thu Nov 2 16:53:42 UTC 2017 - mpluskal@suse.com - -- Call python2 instead of python in macros - -------------------------------------------------------------------- -Thu Aug 17 08:58:02 CEST 2017 - kukuk@suse.de - -- Add libnsl-devel build requires for glibc obsoleting libnsl - -------------------------------------------------------------------- -Mon May 15 14:03:01 UTC 2017 - jmatejek@suse.com - -- obsolete/provide python-argparse and provide python2-argparse, - because the argparse module is available from python 2.7 up - -------------------------------------------------------------------- -Fri Feb 24 17:08:25 UTC 2017 - bwiedemann@suse.com - -- Add reproducible.patch to allow reproducible builds of various - python packages like python-amqp - Upstream: https://github.com/python/cpython/pull/296 +- SLE package update (bsc#1027282) +- refresh python-2.7.5-multilib.patch +- dropped upstreamed patches: + python-fix-short-dh.patch + python-2.7.7-mhlib-linkcount.patch + python-2.7-urllib2-localnet-ssl.patch + CVE-2016-0772-smtplib-starttls.patch + CVE-2016-5699-http-header-injection.patch + CVE-2016-5636-zipimporter-overflow.patch + python-2.7-httpoxy.patch +- Add python-ncurses-6.0-accessors.patch: Fix build with + NCurses 6.0 and OPAQUE_WINDOW set to 1. + (dimstar@opensuse.org) ------------------------------------------------------------------- Tue Jan 3 16:59:24 UTC 2017 - jmatejek@suse.com @@ -224,8 +181,8 @@ Tue Jan 3 16:59:24 UTC 2017 - jmatejek@suse.com * updated cipher lists for openssl wrapper, support openssl >= 1.1.0 * properly fix HTTPoxy (CVE-2016-1000110) * profile-opt build now applies PGO to modules as well -- update python-2.7.10-overflow_check.patch - with python-2.7.13-overflow_check.patch, incorporating upstream changes +- add python-2.7.13-overflow_check.patch, incorporating upstream changes + (bnc#964182) - add "-fwrapv" to optflags explicitly because upstream code still relies on it in many places @@ -257,34 +214,40 @@ Thu Jun 30 09:23:05 UTC 2016 - jmatejek@suse.com - modify shebang-fixing scriptlet to ignore makeopcodetargets.py ------------------------------------------------------------------- -Fri Jan 29 13:03:40 UTC 2016 - rguenther@suse.com +Fri Jun 17 12:33:23 UTC 2016 - jmatejek@suse.com -- Add python-2.7.10-overflow_check.patch to fix broken overflow checks. - [bnc#964182] +- CVE-2016-0772-smtplib-starttls.patch: + smtplib vulnerability opens startTLS stripping attack + (CVE-2016-0772, bsc#984751) +- CVE-2016-5636-zipimporter-overflow.patch: + heap overflow when importing malformed zip files + (CVE-2016-5636, bsc#985177) +- CVE-2016-5699-http-header-injection.patch: + incorrect validation of HTTP headers allow header injection + (CVE-2016-5699, bsc#985348) +- python-2.7-httpoxy.patch: + HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY + when REQUEST_METHOD is also set + (CVE-2016-1000110, bsc#989523) ------------------------------------------------------------------- -Mon Sep 14 15:04:43 UTC 2015 - jmatejek@suse.com +Mon Sep 14 13:45:03 UTC 2015 - jmatejek@suse.com -- copy strict-tls-checks subpackage from SLE to retain future compatibility - (not built in openSUSE) -- do this properly to fix bnc#945401 +- exclude tsl_check files from python-base to prevent file conflict + with python-strict-tls-checks package (bnc#945401) +- update SLE check to exclude Leap which also has version 1315, + just to be sure ------------------------------------------------------------------- -Wed Sep 9 12:19:01 UTC 2015 - dimstar@opensuse.org +Mon Jun 29 08:32:44 UTC 2015 - meissner@suse.com -- Add python-ncurses-6.0-accessors.patch: Fix build with - NCurses 6.0 and OPAQUE_WINDOW set to 1. +- python-fix-short-dh.patch: Bump DH parameters to 2048 bit + to fix logjam security issue. bsc#935856 ------------------------------------------------------------------- Wed Jun 10 11:19:58 UTC 2015 - dmueller@suse.com -- add __python2 compatibility macro (used by Fedora) - -------------------------------------------------------------------- -Sun May 24 14:36:37 UTC 2015 - michael@stroeder.com - -- update to 2.7.10 -- removed obsolete python-2.7-urllib2-localnet-ssl.patch +- add __python2 compatibility macro (used by Fedora) (fate#318838) ------------------------------------------------------------------- Tue May 19 11:18:12 UTC 2015 - schwab@suse.de @@ -324,13 +287,21 @@ Wed Oct 22 13:30:24 UTC 2014 - dmueller@suse.com - skip test_thread in qemu_linux_user mode ------------------------------------------------------------------- -Tue Sep 30 15:06:15 UTC 2014 - jmatejek@suse.com +Wed Oct 1 13:00:59 UTC 2014 - jmatejek@suse.com - update to 2.7.8 * bugfix-only release, dozens of bugs fixed * fixes CVE-2014-4650 directory traversal in CGIHTTPServer * fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer() - dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch +- dropped upstreamed CVE-2014-7185-buffer-wraparound.patch + +------------------------------------------------------------------- +Wed Oct 1 13:00:59 UTC 2014 - jmatejek@suse.com + +- CVE-2014-7185-buffer-wraparound.patch: potential wraparound/overflow + in buffer() + (CVE-2014-7185, bnc#898572) ------------------------------------------------------------------- Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com diff --git a/python-base.spec b/python-base.spec index 36bfdca..459444b 100644 --- a/python-base.spec +++ b/python-base.spec @@ -66,13 +66,16 @@ Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE Patch48: openssl-111-ssl_options.patch # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com -# https://github.com/python/cpython/pull/11569 +# gh#python/cpython#11569 # Fix segfault in ssl's cert parser Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com # Initialize sysconfig variables in test_site. Patch50: bpo36160-init-sysconfig_vars.patch -# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341 +# PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com +# Add check for channels of wav file in Lib/wave.py +Patch51: CVE-2017-18207.patch +# PATCH-FIX-UPSTREAM gh#python/cpython#12341 Patch55: bpo36302-sort-module-sources.patch # Fix installation in /usr/local (boo#1071941), adapted from Fedora # https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch @@ -191,6 +194,7 @@ other applications. %patch48 -p1 %patch49 -p1 %patch50 -p1 +%patch51 -p1 %patch55 -p1 %patch56 -p1 diff --git a/python-doc.spec b/python-doc.spec index 6fa4036..dce62d6 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -66,14 +66,23 @@ Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE Patch48: openssl-111-ssl_options.patch # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com -# https://github.com/python/cpython/pull/11569 +# gh#python/cpython#11569 # Fix segfault in ssl's cert parser Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com # Initialize sysconfig variables in test_site. Patch50: bpo36160-init-sysconfig_vars.patch -# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341 +# PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com +# Add check for channels of wav file in Lib/wave.py +Patch51: CVE-2017-18207.patch +# PATCH-FIX-UPSTREAM gh#python/cpython#12341 Patch55: bpo36302-sort-module-sources.patch +# Fix installation in /usr/local (boo#1071941), adapted from Fedora +# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch +# Set values of prefix and exec_prefix in distutils install command +# to /usr/local if executable is /usr/bin/python* and RPM build +# is not detected to make pip and distutils install into separate location +Patch56: adapted-from-F00251-change-user-install-location.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -131,7 +140,9 @@ Python, and Macintosh Module Reference in PDF format. %patch48 -p1 %patch49 -p1 %patch50 -p1 +%patch51 -p1 %patch55 -p1 +%patch56 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python.spec b/python.spec index f4d3ac7..b6d9918 100644 --- a/python.spec +++ b/python.spec @@ -71,14 +71,23 @@ Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE Patch48: openssl-111-ssl_options.patch # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com -# https://github.com/python/cpython/pull/11569 +# gh#python/cpython#11569 # Fix segfault in ssl's cert parser Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com # Initialize sysconfig variables in test_site. Patch50: bpo36160-init-sysconfig_vars.patch -# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341 +# PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com +# Add check for channels of wav file in Lib/wave.py +Patch51: CVE-2017-18207.patch +# PATCH-FIX-UPSTREAM gh#python/cpython#12341 Patch55: bpo36302-sort-module-sources.patch +# Fix installation in /usr/local (boo#1071941), adapted from Fedora +# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch +# Set values of prefix and exec_prefix in distutils install command +# to /usr/local if executable is /usr/bin/python* and RPM build +# is not detected to make pip and distutils install into separate location +Patch56: adapted-from-F00251-change-user-install-location.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -236,7 +245,9 @@ that rely on earlier non-verification behavior. %patch48 -p1 %patch49 -p1 %patch50 -p1 +%patch51 -p1 %patch55 -p1 +%patch56 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac