From 88ffffeead2a4cddd519678872aeeb365699e85db4282afe7d3f6ca7ed4b1bca Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Mon, 8 Apr 2019 22:40:36 +0000 Subject: [PATCH] Accepting request 692400 from home:mcepl:branches:devel:languages:python:Factory - bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch removing unnecessary (and potentially harmful) URL scheme local-file://. - bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. Upstream commits e37ef41 and 507bd8c. - Update to 2.7.16: * bugfix-only release: complete list of changes on https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch which are fully included in the tarball. * Updated patches to apply cleanly: CVE-2019-5010-null-defer-x509-cert-DOS.patch bpo36160-init-sysconfig_vars.patch do-not-use-non-ascii-in-test_ssl.patch openssl-111-middlebox-compat.patch openssl-111-ssl_options.patch python-2.5.1-sqlite.patch python-2.6-gettext-plurals.patch python-2.7-dirs.patch python-2.7.2-fix_date_time_compiler.patch python-2.7.4-canonicalize2.patch python-2.7.5-multilib.patch python-2.7.9-ssl_ca_path.patch OBS-URL: https://build.opensuse.org/request/show/692400 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=241 --- ...00802-shutil_use_subprocess_no_spawn.patch | 50 ------- CVE-2019-5010-null-defer-x509-cert-DOS.patch | 52 +------ ...-9636-netloc-no-decompose-characters.patch | 133 +++++++++++++++++ CVE-2019-9948-avoid_local-file.patch | 73 ++++++++++ Python-2.7.15.tar.xz | 3 - Python-2.7.15.tar.xz.asc | 16 -- Python-2.7.16.tar.xz | 3 + Python-2.7.16.tar.xz.asc | 16 ++ bpo36160-init-sysconfig_vars.patch | 29 ++++ do-not-use-non-ascii-in-test_ssl.patch | 20 +-- 
openssl-111-middlebox-compat.patch | 14 +- openssl-111-ssl_options.patch | 26 ++-- openssl-111.patch | 137 ------------------ python-2.5.1-sqlite.patch | 2 +- python-2.6-gettext-plurals.patch | 6 +- python-2.7-dirs.patch | 2 +- python-2.7.15-docs-pdf-a4.tar.bz2 | 3 - python-2.7.15-docs-pdf-letter.tar.bz2 | 3 - python-2.7.16-docs-pdf-a4.tar.bz2 | 3 + python-2.7.16-docs-pdf-letter.tar.bz2 | 3 + python-2.7.2-fix_date_time_compiler.patch | 8 +- python-2.7.4-canonicalize2.patch | 30 ++-- python-2.7.5-multilib.patch | 113 ++++++--------- python-2.7.9-ssl_ca_path.patch | 8 +- python-base.changes | 44 ++++++ python-base.spec | 21 ++- python-bsddb6.diff | 60 +++----- python-doc.spec | 21 ++- python.spec | 21 ++- remove-static-libpython.diff | 12 +- 30 files changed, 476 insertions(+), 456 deletions(-) delete mode 100644 CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch create mode 100644 CVE-2019-9636-netloc-no-decompose-characters.patch create mode 100644 CVE-2019-9948-avoid_local-file.patch delete mode 100644 Python-2.7.15.tar.xz delete mode 100644 Python-2.7.15.tar.xz.asc create mode 100644 Python-2.7.16.tar.xz create mode 100644 Python-2.7.16.tar.xz.asc create mode 100644 bpo36160-init-sysconfig_vars.patch delete mode 100644 openssl-111.patch delete mode 100644 python-2.7.15-docs-pdf-a4.tar.bz2 delete mode 100644 python-2.7.15-docs-pdf-letter.tar.bz2 create mode 100644 python-2.7.16-docs-pdf-a4.tar.bz2 create mode 100644 python-2.7.16-docs-pdf-letter.tar.bz2 diff --git a/CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch b/CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch deleted file mode 100644 index 9b990cb..0000000 --- a/CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001 -From: Benjamin Peterson -Date: Tue, 28 Aug 2018 22:12:56 -0700 -Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use - subprocess rather than distutils.spawn. - ---- - Lib/shutil.py | 16 ++++++++++------ - .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ - 2 files changed, 13 insertions(+), 6 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst - ---- a/Lib/shutil.py -+++ b/Lib/shutil.py -@@ -396,17 +396,21 @@ def _make_tarball(base_name, base_dir, c - - return archive_name - --def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): -+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): - # XXX see if we want to keep an external call here - if verbose: - zipoptions = "-r" - else: - zipoptions = "-rq" -- from distutils.errors import DistutilsExecError -- from distutils.spawn import spawn -+ cmd = ["zip", zipoptions, zip_filename, base_dir] -+ if logger is not None: -+ logger.info(' '.join(cmd)) -+ if dry_run: -+ return -+ import subprocess - try: -- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) -- except DistutilsExecError: -+ subprocess.check_call(cmd) -+ except subprocess.CalledProcessError: - # XXX really should distinguish between "couldn't find - # external 'zip' command" and "zip failed". - raise ExecError, \ -@@ -440,7 +444,7 @@ def _make_zipfile(base_name, base_dir, v - zipfile = None - - if zipfile is None: -- _call_external_zip(base_dir, zip_filename, verbose, dry_run) -+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) - else: - if logger is not None: - logger.info("creating '%s' and adding '%s' to it", diff --git a/CVE-2019-5010-null-defer-x509-cert-DOS.patch b/CVE-2019-5010-null-defer-x509-cert-DOS.patch index 2de556b..c0a272b 100644 --- a/CVE-2019-5010-null-defer-x509-cert-DOS.patch 
+++ b/CVE-2019-5010-null-defer-x509-cert-DOS.patch @@ -22,44 +22,11 @@ Co-authored-by: Christian Heimes create mode 100644 Lib/test/talos-2019-0758.pem create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst ---- /dev/null -+++ b/Lib/test/talos-2019-0758.pem -@@ -0,0 +1,22 @@ -+-----BEGIN CERTIFICATE----- -+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO -+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 -+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh -+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB -+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES -+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD -+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C -+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP -+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF -+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp -+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io -+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 -+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu -+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG -+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p -+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr -+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit -+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV -+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ -+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== -+-----END CERTIFICATE----- --- a/Lib/test/test_ssl.py 
+++ b/Lib/test/test_ssl.py -@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexist - BADKEY = data_file("badkey.pem") - NOKIACERT = data_file("nokia.pem") - NULLBYTECERT = data_file("nullbytecert.pem") -+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") - - DHFILE = data_file("dh1024.pem") - BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) -@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase - self.assertEqual(p['crlDistributionPoints'], - ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) +@@ -256,6 +256,27 @@ class BasicSocketTests(unittest.TestCase + } + ) + def test_parse_cert_CVE_2019_5010(self): + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) @@ -91,16 +58,3 @@ Co-authored-by: Christian Heimes +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did +not handle CRL distribution points with empty DP or URI correctly. A +malicious or buggy certificate can result into segfault. ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -1222,6 +1222,10 @@ _get_crl_dp(X509 *certificate) { - STACK_OF(GENERAL_NAME) *gns; - - dp = sk_DIST_POINT_value(dps, i); -+ if (dp->distpoint == NULL) { -+ /* Ignore empty DP value, CVE-2019-5010 */ -+ continue; -+ } - gns = dp->distpoint->name.fullname; - - for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { diff --git a/CVE-2019-9636-netloc-no-decompose-characters.patch b/CVE-2019-9636-netloc-no-decompose-characters.patch new file mode 100644 index 0000000..4cb11a4 --- /dev/null +++ b/CVE-2019-9636-netloc-no-decompose-characters.patch 
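Review bot: After this refresh the patch still adds `test_parse_cert_CVE_2019_5010`, which reads `TALOS_INVALID_CRLDP`, but the hunks that defined that constant, shipped `Lib/test/talos-2019-0758.pem` and added the `dp->distpoint == NULL` guard in `Modules/_ssl.c` are no longer part of it. The fix and its fixture now have to come from the 2.7.16 tarball, yet the changelog lists this patch among those "updated to apply cleanly" rather than among those fully included upstream. Please confirm that the tarball carries the guard, the constant and the certificate, and that, if it already carries the test as well, the hunk at `@@ -256,6 +256,27 @@` does not define the same method a second time. If all of it is upstream, dropping the patch is cleaner than keeping a test-only remainder; the test body itself continues outside the lines shown here.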
@@ -0,0 +1,133 @@ +--- a/Doc/library/urlparse.rst ++++ b/Doc/library/urlparse.rst +@@ -119,12 +119,22 @@ The :mod:`urlparse` module defines the f + See section :ref:`urlparse-result-object` for more information on the result + object. + ++ Characters in the :attr:`netloc` attribute that decompose under NFKC ++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is ++ decomposed before parsing, or is not a Unicode string, no error will be ++ raised. ++ + .. versionchanged:: 2.5 + Added attributes to return value. + + .. versionchanged:: 2.7 + Added IPv6 URL parsing capabilities. + ++ .. versionchanged:: 2.7.17 ++ Characters that affect netloc parsing under NFKC normalization will ++ now raise :exc:`ValueError`. ++ + + .. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) + +@@ -232,11 +242,21 @@ The :mod:`urlparse` module defines the f + See section :ref:`urlparse-result-object` for more information on the result + object. + ++ Characters in the :attr:`netloc` attribute that decompose under NFKC ++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is ++ decomposed before parsing, or is not a Unicode string, no error will be ++ raised. ++ + .. versionadded:: 2.2 + + .. versionchanged:: 2.5 + Added attributes to return value. + ++ .. versionchanged:: 2.7.17 ++ Characters that affect netloc parsing under NFKC normalization will ++ now raise :exc:`ValueError`. ++ + + .. 
function:: urlunsplit(parts) + +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -1,4 +1,6 @@ + from test import test_support ++import sys ++import unicodedata + import unittest + import urlparse + +@@ -624,6 +626,29 @@ class UrlParseTestCase(unittest.TestCase + self.assertEqual(urlparse.urlparse("http://www.python.org:80"), + ('http','www.python.org:80','','','','')) + ++ def test_urlsplit_normalization(self): ++ # Certain characters should never occur in the netloc, ++ # including under normalization. ++ # Ensure that ALL of them are detected and cause an error ++ illegal_chars = u'/:#?@' ++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} ++ denorm_chars = [ ++ c for c in map(unichr, range(128, sys.maxunicode)) ++ if (hex_chars & set(unicodedata.decomposition(c).split())) ++ and c not in illegal_chars ++ ] ++ # Sanity check that we found at least one such character ++ self.assertIn(u'\u2100', denorm_chars) ++ self.assertIn(u'\uFF03', denorm_chars) ++ ++ for scheme in [u"http", u"https", u"ftp"]: ++ for c in denorm_chars: ++ url = u"{}://netloc{}false.netloc/path".format(scheme, c) ++ if test_support.verbose: ++ print "Checking %r" % url ++ with self.assertRaises(ValueError): ++ urlparse.urlsplit(url) ++ + def test_main(): + test_support.run_unittest(UrlParseTestCase) + +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0): + delim = min(delim, wdelim) # use earliest delim position + return url[start:delim], url[delim:] # return (domain, rest) + ++def _checknetloc(netloc): ++ if not netloc or not isinstance(netloc, unicode): ++ return ++ # looking for characters like \u2100 that expand to 'a/c' ++ # IDNA uses NFKC equivalence, so normalize for this check ++ import unicodedata ++ netloc2 = unicodedata.normalize('NFKC', netloc) ++ if netloc == netloc2: ++ return ++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay ++ for c in '/?#@:': ++ if c in netloc2: ++ raise 
ValueError("netloc '" + netloc2 + "' contains invalid " + ++ "characters under NFKC normalization") ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# +@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragm + url, fragment = url.split('#', 1) + if '?' in url: + url, query = url.split('?', 1) ++ _checknetloc(netloc) + v = SplitResult(scheme, netloc, url, query, fragment) + _parse_cache[key] = v + return v +@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragm + url, fragment = url.split('#', 1) + if '?' in url: + url, query = url.split('?', 1) ++ _checknetloc(netloc) + v = SplitResult(scheme, netloc, url, query, fragment) + _parse_cache[key] = v + return v +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst +@@ -0,0 +1,3 @@ ++Changes urlsplit() to raise ValueError when the URL contains characters that ++decompose under IDNA encoding (NFKC-normalization) into characters that ++affect how the URL is parsed. +\ No newline at end of file diff --git a/CVE-2019-9948-avoid_local-file.patch b/CVE-2019-9948-avoid_local-file.patch new file mode 100644 index 0000000..0ae57ca --- /dev/null +++ b/CVE-2019-9948-avoid_local-file.patch 
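Review bot: In `_checknetloc` the result of `_, _, netloc = netloc.rpartition('@')` is never used: the loop that follows tests `c in netloc2`, and `netloc2` is the normalized form of the whole netloc, userinfo and port included. A Unicode netloc that changes under NFKC and also carries an ordinary `user@host` or `host:port` is therefore rejected, because `@` and `:` were present before normalization. Checking only what normalization introduces avoids this without splitting the netloc: strip the delimiters first with `n = netloc.replace('@', '').replace(':', '').replace('#', '').replace('?', '')`, then compute `netloc2 = unicodedata.normalize('NFKC', n)` and return early when `n == netloc2`. The added test builds only `netloc{c}false.netloc` URLs, so it covers neither userinfo nor ports, and the `versionchanged:: 2.7.17` markers do not match the 2.7.16 this package ships.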
@@ -0,0 +1,73 @@ +From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 +From: push0ebp +Date: Thu, 14 Feb 2019 02:05:46 +0900 +Subject: [PATCH 1/2] bpo-35907: Avoid file reading as disallowing the + unnecessary URL scheme in urllib + +--- + Lib/test/test_urllib.py | 12 ++++++++++++ + Lib/urllib.py | 5 ++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py +index 1ce9201c0693..e5f210e62a18 100644 +--- a/Lib/test/test_urllib.py ++++ b/Lib/test/test_urllib.py +@@ -1023,6 +1023,18 @@ def open_spam(self, url): + "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), + "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") + ++ def test_local_file_open(self): ++ class DummyURLopener(urllib.URLopener): ++ def open_local_file(self, url): ++ return url ++ self.assertEqual(DummyURLopener().open( ++ 'local-file://example'), '//example') ++ self.assertEqual(DummyURLopener().open( ++ 'local_file://example'), '//example') ++ self.assertRaises(IOError, urllib.urlopen, ++ 'local-file://example') ++ self.assertRaises(IOError, urllib.urlopen, ++ 'local_file://example') + + # Just commented them out. + # Can't really tell why keep failing in windows and sparc. 
+diff --git a/Lib/urllib.py b/Lib/urllib.py +index d85504a5cb7e..a24e9a5c68fb 100644 +--- a/Lib/urllib.py ++++ b/Lib/urllib.py +@@ -203,7 +203,10 @@ def open(self, fullurl, data=None): + name = 'open_' + urltype + self.type = urltype + name = name.replace('-', '_') +- if not hasattr(self, name): ++ ++ # bpo-35907: # disallow the file reading with the type not allowed ++ if not hasattr(self, name) or \ ++ (self == _urlopener and name == 'open_local_file'): + if proxy: + return self.open_unknown_proxy(proxy, fullurl, data) + else: + +From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001 +From: "blurb-it[bot]" +Date: Wed, 13 Feb 2019 17:21:11 +0000 +Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= + =?UTF-8?q?rb=5Fit.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + .../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst + +diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst +new file mode 100644 +index 000000000000..8118a5f40583 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst +@@ -0,0 +1 @@ ++Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen +\ No newline at end of file diff --git a/Python-2.7.15.tar.xz b/Python-2.7.15.tar.xz deleted file mode 100644 index e143983..0000000 --- a/Python-2.7.15.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574 -size 12642436 diff --git a/Python-2.7.15.tar.xz.asc b/Python-2.7.15.tar.xz.asc deleted file mode 100644 index e8cb116..0000000 --- a/Python-2.7.15.tar.xz.asc +++ /dev/null 
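Review bot: The new guard `self == _urlopener and name == 'open_local_file'` in `URLopener.open` blocks the scheme only for the module-level opener, so a `URLopener` or `FancyURLopener` that an application creates itself still dispatches `local-file://` and `local_file://` to `open_local_file`; the patch's own `test_local_file_open` asserts exactly that for `DummyURLopener`. If the goal is to remove the scheme, as the changelog entry says, the check should not depend on which instance is calling: `if not hasattr(self, name) or name == 'open_local_file':`, with the two `DummyURLopener` assertions changed to expect `IOError`. If the per-instance behaviour is intended, the comparison should at least use identity, `self is _urlopener`, and the comment should state that custom openers are deliberately left alone. The comment `# bpo-35907: # disallow the file reading with the type not allowed` has a stray `#` and would read better as `# bpo-35907: do not let a URL scheme select open_local_file`. The body of `open` starts and ends outside this hunk.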
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIcBAABCAAGBQJa5lMMAAoJEATDZ8IYrdT/kZoP/jxQcZQLglI/4Vor+bzGuvad -+uCJFnI37p98ByUdzqcF6ryKzbWoCkswr5+HMT2gVnxIfUV37rBa/cPLaHlTG+ZI -dqFo87XCNeLiPNnAFk32Vq+NHFw1OhmlZfP7UnxYtomAtF2U2qUi1rfU3KHNpQuR -rxsYD1A+5Sy5nWvpCOJ6x8tG6FFgCeHLfbrg6KtB10MqByXKXiOcp9VgdMBr0TwW -Kesq0PuTr88lOQ9qIAS44SsCu2dfls1l+YLf41JtH0zBQryQyxDgfHnNf13PqRzH -CekC3GwcV2Yw5MiSmsqEQtOag3RDggE+8mV5JAs1YmRMQ8wt3fit6EIhmATEwc4Z -LfNxJrwhD8NoTTZ4jOI9hZW0BPBfdf0ezZa38ImWsOymP7m9Z+GrX1LMPxCn+68X -PWxLS+sbLIyPD4XXPCeoMyX8cUz6/Z4XT8vtg1+Tud+nXjs8xA6i3eFt0MzxNGqg -yixVnYp8ZMwImkF31g4tOAbEue0BXWRzm3GDGfOkiCN6YZ7BruC7YylgLMaXMrMV -BoJN4bDcNgoyoqhYY1pV62Yu+n3WrBD4ch3kPtmJG1Gk5jCDXuH+y9tWetWrLqTZ -EJA8GAGVLz9qdm+yfvWGYpRezb3ErH/fOF8qXvoOY/B5jEyh1xPgnqmOYuIsPZLX -mihaoYBkGZpfDfCGutcm -=2GQo ------END PGP SIGNATURE----- diff --git a/Python-2.7.16.tar.xz b/Python-2.7.16.tar.xz new file mode 100644 index 0000000..9fda2b9 --- /dev/null +++ b/Python-2.7.16.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7 +size 12752104 diff --git a/Python-2.7.16.tar.xz.asc b/Python-2.7.16.tar.xz.asc new file mode 100644 index 0000000..bfab747 --- /dev/null +++ b/Python-2.7.16.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEwB4crV6ixPC441cVBMNnwhit1P8FAlx6zU8ACgkQBMNnwhit +1P+xUg//dE6dUc6NlwUzLD+MsvegKz5vXJXjPvhEsShcdaiedWsdfr22PeAXsook +fqEYALONUetv5LTWIlMpR8sNefxw7GCeIsk4ze7aXKNnh0HsZ6LJYny1Eh0aL9Mu +5tpJfvSC8Gxp2IR/vQOGMibNEuU6gpcUA0XPgKi6RvHI1iXbo71NaSuM7Ypi/6t9 +X6ZBGGU0TOP7QDdFHwSs+KzfU0uLpzadWHoksTv6lESTK9BmNlKY2CdUkjbxdD/z +72UZKaLBqCwKC6znpTrZRLzdzdeRGhlnzW1LTNmdsQOj70zRwYvE8/kXVlIF5zJo +7y4SyL54+/B+M5fXsxemY1If8kc5sHFhLouzI1gd5nfiGoebWMDE+gjkBTMr5r9i +/J5DLUYHLd0/B9Yf6sz+O6kTqYwjp0SIhcIDhQRWKre4vNc0Jy6rpogA6ILl2pFo +VRctsjnqLyfhp1wfrBq4h18fjEw48itu9rWKea/DC+4oudHzAuSP9dv8RkLVD+GR +buV1lXSIsPE2sYBrc1KvRud475W3I8zPZ25VVsZ/uRJdj4HehcTwiN7poSZ4T7My +Mz4grC5b3HDveFT4N6TbL1RgbSKL9Xm3mh+LF0u6uFN466ahmdzjAj3+uCJ98TkU +4aZvrLgiPTkWOyBD0Y8WXsdiAblTRucGStm5SbqvnXUgB9N3rNA= +=XmAm +-----END PGP SIGNATURE----- diff --git a/bpo36160-init-sysconfig_vars.patch b/bpo36160-init-sysconfig_vars.patch new file mode 100644 index 0000000..1e20e49 --- /dev/null +++ b/bpo36160-init-sysconfig_vars.patch 
@@ -0,0 +1,29 @@ +From 603a4461e3c889b06a5d78e57594ebbc580f1c03 Mon Sep 17 00:00:00 2001 +From: Ivan Pozdeev +Date: Fri, 1 Mar 2019 21:44:24 +0300 +Subject: [PATCH] Fix AttributeError on sysconfig._CONFIG_VARS.clear() if + test_site is run separately + +--- + Lib/test/test_site.py | 4 +++- + .../next/Tests/2019-03-01-21-45-13.bpo-36160.4JjrqB.rst | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Tests/2019-03-01-21-45-13.bpo-36160.4JjrqB.rst + +--- a/Lib/test/test_site.py ++++ b/Lib/test/test_site.py +@@ -47,6 +47,9 @@ def setUpModule(): + else: + raise + ++ # sysconfig._CONFIG_VARS is None until the first call to this function ++ sysconfig.get_config_vars() ++ + + def tearDownModule(): + sys.path[:] = OLD_SYS_PATH +--- /dev/null ++++ b/Misc/NEWS.d/next/Tests/2019-03-01-21-45-13.bpo-36160.4JjrqB.rst +@@ -0,0 +1,2 @@ ++Fix AttributeError on sysconfig._CONFIG_VARS.clear() if test_site is run ++separately diff --git a/do-not-use-non-ascii-in-test_ssl.patch b/do-not-use-non-ascii-in-test_ssl.patch index aba3f07..ce7dd1f 100644 --- a/do-not-use-non-ascii-in-test_ssl.patch +++ b/do-not-use-non-ascii-in-test_ssl.patch @@ -1,11 +1,11 @@ ---- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-04-30 00:47:33.000000000 +0200 -+++ Python-2.7.15/Lib/test/test_ssl.py 2018-05-21 21:23:23.905940795 +0200 -@@ -1001,7 +1001,7 @@ - with self.assertRaises(ssl.SSLError) as cm: - ctx.load_dh_params(CERTFILE) - with support.temp_dir() as d: -- fname = os.path.join(d, u'dhpäräm.pem') -+ fname = os.path.join(d, u'dhparam.pem') - shutil.copy(DHFILE, fname) - ctx.load_dh_params(fname) +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -1021,7 +1021,7 @@ class ContextTests(unittest.TestCase): + + def test_load_dh_params(self): +- filename = u'dhpäräm.pem' ++ filename = u'dhparam.pem' + fs_encoding = sys.getfilesystemencoding() + try: + filename.encode(fs_encoding) 
diff --git a/openssl-111-middlebox-compat.patch b/openssl-111-middlebox-compat.patch index cd83563..d217ebc 100644 --- a/openssl-111-middlebox-compat.patch +++ b/openssl-111-middlebox-compat.patch @@ -11,16 +11,14 @@ https://bugs.python.org/issue34834 Lib/test/test_ssl.py | 5 +++++ 1 file changed, 5 insertions(+) -Index: Python-2.7.15/Lib/test/test_ssl.py -=================================================================== ---- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:32:59.190865648 +0100 -+++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100 -@@ -777,8 +777,12 @@ class ContextTests(unittest.TestCase): +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -807,8 +807,12 @@ class ContextTests(unittest.TestCase): default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) # SSLContext also enables these by default - default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE | -- ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE | -- ssl.OP_ENABLE_MIDDLEBOX_COMPAT) + default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | +- OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | +- OP_ENABLE_MIDDLEBOX_COMPAT) + ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) + if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): + # define MIDDLEBOX constant, as python2.7 does not know about it diff --git a/openssl-111-ssl_options.patch b/openssl-111-ssl_options.patch index d76ba48..e32276b 100644 --- a/openssl-111-ssl_options.patch +++ b/openssl-111-ssl_options.patch 
@@ -1,13 +1,17 @@ -Index: Python-2.7.15/Lib/test/test_ssl.py -=================================================================== ---- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100 -+++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 14:04:59.674004321 +0100 -@@ -776,7 +776,7 @@ class ContextTests(unittest.TestCase): - # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -807,12 +807,8 @@ class ContextTests(unittest.TestCase): default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) # SSLContext also enables these by default -- default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE | -+ default |= (ssl.OP_NO_COMPRESSION | - ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) - if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): - # define MIDDLEBOX constant, as python2.7 does not know about it + default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | +- ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) +- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): +- # define MIDDLEBOX constant, as python2.7 does not know about it +- # but it is used by default. +- OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L +- default |= OP_ENABLE_MIDDLEBOX_COMPAT ++ OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | ++ OP_ENABLE_MIDDLEBOX_COMPAT) + self.assertEqual(default, ctx.options) + ctx.options |= ssl.OP_NO_TLSv1 + self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) diff --git a/openssl-111.patch b/openssl-111.patch deleted file mode 100644 index 8792dd9..0000000 --- a/openssl-111.patch +++ /dev/null 
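Review bot: The refreshed openssl-111-ssl_options.patch now removes exactly the lines that openssl-111-middlebox-compat.patch adds (the `ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)` line and the `if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):` block with `OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L`) and restores the `OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | OP_ENABLE_MIDDLEBOX_COMPAT)` lines that patch removed. If both are applied in that order, which only the spec files outside this view can confirm, the pair cancels out and the expected `default` in the options test ends up as upstream has it. The previous version of this patch instead dropped `ssl.OP_CIPHER_SERVER_PREFERENCE` from the expected defaults, and that change is no longer present. This looks like a refresh taken against the wrong base; either regenerate it on top of the middlebox patch so it carries its original change, or drop both patches if upstream's expectation is now correct for the packaged OpenSSL.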
@@ -1,137 +0,0 @@ -From 9e32244ea7d2621030f040b0f4e5af89480ecc0f Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Wed, 15 Aug 2018 09:07:28 +0200 -Subject: [PATCH] [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) - (GH-8760) - -Change TLS 1.3 cipher suite settings for compatibility with OpenSSL -1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by -default. - -Also update multissltests to test with latest OpenSSL. - -Signed-off-by: Christian Heimes . -(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71) - -Co-authored-by: Christian Heimes ---- - Doc/library/ssl.rst | 8 ++-- - Lib/test/test_ssl.py | 37 +++++++++++-------- - .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++ - 3 files changed, 27 insertions(+), 21 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst - -Index: Python-2.7.15/Doc/library/ssl.rst -=================================================================== ---- Python-2.7.15.orig/Doc/library/ssl.rst -+++ Python-2.7.15/Doc/library/ssl.rst -@@ -291,11 +291,6 @@ purposes. - - 3DES was dropped from the default cipher string. - -- .. versionchanged:: 2.7.15 -- -- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, -- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string. -- - .. function:: _https_verify_certificates(enable=True) - - Specifies whether or not server certificates are verified when creating -@@ -1176,6 +1171,9 @@ to speed up repeated connections from th - when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will - give the currently selected cipher. - -+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites -+ cannot be disabled with :meth:`~SSLContext.set_ciphers`. -+ - .. 
method:: SSLContext.set_alpn_protocols(protocols) - - Specify which protocols the socket should advertise during the SSL/TLS -Index: Python-2.7.15/Lib/test/test_ssl.py -=================================================================== ---- Python-2.7.15.orig/Lib/test/test_ssl.py -+++ Python-2.7.15/Lib/test/test_ssl.py -@@ -775,8 +775,10 @@ class ContextTests(unittest.TestCase): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value - default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) -- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0): -- default |= ssl.OP_NO_COMPRESSION -+ # SSLContext also enables these by default -+ default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE | -+ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE | -+ ssl.OP_ENABLE_MIDDLEBOX_COMPAT) - self.assertEqual(default, ctx.options) - ctx.options |= ssl.OP_NO_TLSv1 - self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) -@@ -2765,19 +2767,24 @@ else: - sock.do_handshake() - self.assertEqual(cm.exception.errno, errno.ENOTCONN) - -- def test_default_ciphers(self): -- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -- try: -- # Force a set of weak ciphers on our client context -- context.set_ciphers("DES") -- except ssl.SSLError: -- self.skipTest("no DES cipher available") -- with ThreadedEchoServer(CERTFILE, -- ssl_version=ssl.PROTOCOL_SSLv23, -- chatty=False) as server: -- with closing(context.wrap_socket(socket.socket())) as s: -- with self.assertRaises(ssl.SSLError): -- s.connect((HOST, server.port)) -+ def test_no_shared_ciphers(self): -+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -+ server_context.load_cert_chain(SIGNED_CERTFILE) -+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -+ client_context.verify_mode = ssl.CERT_REQUIRED -+ client_context.check_hostname = True -+ -+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test -+ client_context.options |= ssl.OP_NO_TLSv1_3 -+ # Force 
different suites on client and master -+ client_context.set_ciphers("AES128") -+ server_context.set_ciphers("AES256") -+ with ThreadedEchoServer(context=server_context) as server: -+ s = client_context.wrap_socket( -+ socket.socket(), -+ server_hostname="localhost") -+ with self.assertRaises(ssl.SSLError): -+ s.connect((HOST, server.port)) - self.assertIn("no shared cipher", str(server.conn_errors[0])) - - def test_version_basic(self): -@@ -2805,12 +2812,12 @@ else: - ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2 - ) - with ThreadedEchoServer(context=context) as server: -- with context.wrap_socket(socket.socket()) as s: -+ with closing(context.wrap_socket(socket.socket())) as s: - s.connect((HOST, server.port)) - self.assertIn(s.cipher()[0], [ -- 'TLS13-AES-256-GCM-SHA384', -- 'TLS13-CHACHA20-POLY1305-SHA256', -- 'TLS13-AES-128-GCM-SHA256', -+ 'TLS_AES_256_GCM_SHA384', -+ 'TLS_CHACHA20_POLY1305_SHA256', -+ 'TLS_AES_128_GCM_SHA256', - ]) - - @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") -@@ -2819,6 +2826,7 @@ else: - # should be enabled by default on SSL contexts. - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - context.load_cert_chain(CERTFILE) -+ context.options |= ssl.OP_NO_TLSv1_3 - # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled - # explicitly using the 'ECCdraft' cipher alias. Otherwise, - # our default cipher list should prefer ECDH-based ciphers -Index: Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst -=================================================================== ---- /dev/null -+++ Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst -@@ -0,0 +1,3 @@ -+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL -+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by -+default. diff --git a/python-2.5.1-sqlite.patch b/python-2.5.1-sqlite.patch index 11934c5..6cb57b0 100644 --- a/python-2.5.1-sqlite.patch 
+++ b/python-2.5.1-sqlite.patch @@ -1,6 +1,6 @@ --- a/Modules/_sqlite/cursor.c +++ b/Modules/_sqlite/cursor.c -@@ -837,6 +837,9 @@ +@@ -829,6 +829,9 @@ PyObject* pysqlite_cursor_executescript( goto error; } diff --git a/python-2.6-gettext-plurals.patch b/python-2.6-gettext-plurals.patch index 3ba1cf9..ae235fe 100644 --- a/python-2.6-gettext-plurals.patch +++ b/python-2.6-gettext-plurals.patch @@ -1,8 +1,6 @@ -Index: Lib/gettext.py -=================================================================== ---- a/Lib/gettext.py.orig +--- a/Lib/gettext.py +++ b/Lib/gettext.py -@@ -311,8 +311,9 @@ class GNUTranslations(NullTranslations): +@@ -387,8 +387,9 @@ class GNUTranslations(NullTranslations): self._charset = v.split('charset=')[1] elif k == 'plural-forms': v = v.split(';') diff --git a/python-2.7-dirs.patch b/python-2.7-dirs.patch index a35cb41..d366656 100644 --- a/python-2.7-dirs.patch +++ b/python-2.7-dirs.patch @@ -1,6 +1,6 @@ --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -106,7 +106,7 @@ +@@ -110,7 +110,7 @@ LIBDIR= @libdir@ MANDIR= @mandir@ INCLUDEDIR= @includedir@ CONFINCLUDEDIR= $(exec_prefix)/include diff --git a/python-2.7.15-docs-pdf-a4.tar.bz2 b/python-2.7.15-docs-pdf-a4.tar.bz2 deleted file mode 100644 index 1fbdf54..0000000 --- a/python-2.7.15-docs-pdf-a4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bbf77aefc548510b72b18f20be35543754a2f0be4fb3139362166f76ba16d846 -size 11453397 diff --git a/python-2.7.15-docs-pdf-letter.tar.bz2 b/python-2.7.15-docs-pdf-letter.tar.bz2 deleted file mode 100644 index b50d45a..0000000 --- a/python-2.7.15-docs-pdf-letter.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bc0c23f8c232fa60e0f1183269b30a4e995cdb2ff1a5b212c5ef96a0486b8edf -size 11453167 diff --git a/python-2.7.16-docs-pdf-a4.tar.bz2 b/python-2.7.16-docs-pdf-a4.tar.bz2 new file mode 100644 index 0000000..be076ad --- /dev/null +++ b/python-2.7.16-docs-pdf-a4.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b35b997446031dcda1fc7fb9bc4f24e8e3615d09b038ee802e6b88d3b3d27182 +size 11420205 diff --git a/python-2.7.16-docs-pdf-letter.tar.bz2 b/python-2.7.16-docs-pdf-letter.tar.bz2 new file mode 100644 index 0000000..f1efb0f --- /dev/null +++ b/python-2.7.16-docs-pdf-letter.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4157eadddf1d5d892820f16752119910f0e9d3264e55616c6ebf0445854a47fe +size 11420016 diff --git a/python-2.7.2-fix_date_time_compiler.patch b/python-2.7.2-fix_date_time_compiler.patch index b514a83..e09b9d3 100644 --- a/python-2.7.2-fix_date_time_compiler.patch +++ b/python-2.7.2-fix_date_time_compiler.patch @@ -1,8 +1,6 @@ -Index: Python-2.7.14/Makefile.pre.in -=================================================================== ---- Python-2.7.14.orig/Makefile.pre.in -+++ Python-2.7.14/Makefile.pre.in -@@ -638,8 +638,15 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -647,8 +647,15 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ -DGITVERSION="\"`LC_ALL=C $(GITVERSION)`\"" \ -DGITTAG="\"`LC_ALL=C $(GITTAG)`\"" \ -DGITBRANCH="\"`LC_ALL=C $(GITBRANCH)`\"" \ diff --git a/python-2.7.4-canonicalize2.patch b/python-2.7.4-canonicalize2.patch index d8c83f4..8450675 100644 --- a/python-2.7.4-canonicalize2.patch +++ b/python-2.7.4-canonicalize2.patch @@ -1,8 +1,6 @@ -Index: Python-2.7.7/Python/sysmodule.c -=================================================================== ---- Python-2.7.7.orig/Python/sysmodule.c 2014-06-20 14:33:06.696228064 +0200 -+++ Python-2.7.7/Python/sysmodule.c 2014-06-20 14:33:10.960250497 +0200 -@@ -1624,7 +1624,20 @@ +--- a/Python/sysmodule.c ++++ b/Python/sysmodule.c +@@ -1638,7 +1638,20 @@ PySys_SetArgvEx(int argc, char **argv, i char *p = NULL; Py_ssize_t n = 0; PyObject *a; 
@@ -24,7 +22,7 @@ Index: Python-2.7.7/Python/sysmodule.c char link[MAXPATHLEN+1]; char argv0copy[2*MAXPATHLEN+1]; int nr = 0; -@@ -1651,7 +1664,8 @@ +@@ -1665,7 +1678,8 @@ PySys_SetArgvEx(int argc, char **argv, i } } } @@ -34,7 +32,7 @@ Index: Python-2.7.7/Python/sysmodule.c #if SEP == '\\' /* Special case for MS filename syntax */ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { char *q; -@@ -1680,11 +1694,6 @@ +@@ -1694,11 +1708,6 @@ PySys_SetArgvEx(int argc, char **argv, i } #else /* All other filename syntaxes */ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { @@ -46,7 +44,7 @@ Index: Python-2.7.7/Python/sysmodule.c p = strrchr(argv0, SEP); } if (p != NULL) { -@@ -1702,6 +1711,9 @@ +@@ -1716,6 +1725,9 @@ PySys_SetArgvEx(int argc, char **argv, i a = PyString_FromStringAndSize(argv0, n); if (a == NULL) Py_FatalError("no mem for sys.path insertion"); @@ -56,10 +54,8 @@ Index: Python-2.7.7/Python/sysmodule.c if (PyList_Insert(path, 0, a) < 0) Py_FatalError("sys.path.insert(0) failed"); Py_DECREF(a); -Index: Python-2.7.7/pyconfig.h.in -=================================================================== ---- Python-2.7.7.orig/pyconfig.h.in 2014-05-31 20:58:40.000000000 +0200 -+++ Python-2.7.7/pyconfig.h.in 2014-06-20 14:33:10.961250502 +0200 +--- a/pyconfig.h.in ++++ b/pyconfig.h.in @@ -109,6 +109,9 @@ /* Define to 1 if you have the 'chflags' function. */ #undef HAVE_CHFLAGS 
@@ -70,13 +66,11 @@ Index: Python-2.7.7/pyconfig.h.in /* Define to 1 if you have the `chown' function. */ #undef HAVE_CHOWN -Index: Python-2.7.7/configure.ac -=================================================================== ---- Python-2.7.7.orig/configure.ac 2014-06-20 14:33:06.694228054 +0200 -+++ Python-2.7.7/configure.ac 2014-06-20 14:33:10.961250502 +0200 -@@ -2935,7 +2935,7 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -3159,7 +3159,7 @@ AC_CHECK_FUNCS(alarm setitimer getitimer getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \ - initgroups kill killpg lchmod lchown lstat mkfifo mknod mktime mmap \ + initgroups kill killpg lchown lstat mkfifo mknod mktime mmap \ mremap nice pathconf pause plock poll pthread_init \ - putenv readlink realpath \ + putenv readlink realpath canonicalize_file_name \ diff --git a/python-2.7.5-multilib.patch b/python-2.7.5-multilib.patch index 66d514a..5d57cf9 100644 --- a/python-2.7.5-multilib.patch +++ b/python-2.7.5-multilib.patch @@ -1,8 +1,6 @@ -Index: Python-2.7.14/configure.ac -=================================================================== ---- Python-2.7.14.orig/configure.ac -+++ Python-2.7.14/configure.ac -@@ -758,6 +758,41 @@ SunOS*) +--- a/configure.ac ++++ b/configure.ac +@@ -773,6 +773,41 @@ SunOS*) ;; esac @@ -44,10 +42,8 @@ Index: Python-2.7.14/configure.ac AC_SUBST(LIBRARY) AC_MSG_CHECKING(LIBRARY) -Index: Python-2.7.14/Include/pythonrun.h -=================================================================== ---- Python-2.7.14.orig/Include/pythonrun.h -+++ Python-2.7.14/Include/pythonrun.h +--- a/Include/pythonrun.h ++++ b/Include/pythonrun.h @@ -108,6 +108,8 @@ PyAPI_FUNC(char *) Py_GetPath(void); /* In their own files */ PyAPI_FUNC(const char *) Py_GetVersion(void); 
@@ -57,10 +53,8 @@ Index: Python-2.7.14/Include/pythonrun.h PyAPI_FUNC(const char *) Py_GetCopyright(void); PyAPI_FUNC(const char *) Py_GetCompiler(void); PyAPI_FUNC(const char *) Py_GetBuildInfo(void); -Index: Python-2.7.14/Lib/distutils/command/install.py -=================================================================== ---- Python-2.7.14.orig/Lib/distutils/command/install.py -+++ Python-2.7.14/Lib/distutils/command/install.py +--- a/Lib/distutils/command/install.py ++++ b/Lib/distutils/command/install.py @@ -22,6 +22,8 @@ from site import USER_BASE from site import USER_SITE @@ -79,10 +73,8 @@ Index: Python-2.7.14/Lib/distutils/command/install.py 'headers': '$base/include/python$py_version_short/$dist_name', 'scripts': '$base/bin', 'data' : '$base', -Index: Python-2.7.14/Lib/distutils/sysconfig.py -=================================================================== ---- Python-2.7.14.orig/Lib/distutils/sysconfig.py -+++ Python-2.7.14/Lib/distutils/sysconfig.py +--- a/Lib/distutils/sysconfig.py ++++ b/Lib/distutils/sysconfig.py @@ -119,8 +119,11 @@ def get_python_lib(plat_specific=0, stan prefix = plat_specific and EXEC_PREFIX or PREFIX @@ -97,10 +89,8 @@ Index: Python-2.7.14/Lib/distutils/sysconfig.py if standard_lib: return libpython else: -Index: Python-2.7.14/Lib/pydoc.py -=================================================================== ---- Python-2.7.14.orig/Lib/pydoc.py -+++ Python-2.7.14/Lib/pydoc.py +--- a/Lib/pydoc.py ++++ b/Lib/pydoc.py @@ -375,7 +375,7 @@ class Doc: docmodule = docclass = docroutine = docother = docproperty = docdata = fail @@ -110,10 +100,8 @@ Index: Python-2.7.14/Lib/pydoc.py "python"+sys.version[0:3])): """Return the location of module docs or None""" -Index: Python-2.7.14/Lib/site.py -=================================================================== ---- Python-2.7.14.orig/Lib/site.py -+++ Python-2.7.14/Lib/site.py +--- a/Lib/site.py ++++ b/Lib/site.py 
@@ -231,29 +231,38 @@ def getuserbase(): USER_BASE = get_config_var('userbase') return USER_BASE @@ -197,10 +185,8 @@ Index: Python-2.7.14/Lib/site.py return sitepackages def addsitepackages(known_paths): -Index: Python-2.7.14/Lib/sysconfig.py -=================================================================== ---- Python-2.7.14.orig/Lib/sysconfig.py -+++ Python-2.7.14/Lib/sysconfig.py +--- a/Lib/sysconfig.py ++++ b/Lib/sysconfig.py @@ -7,10 +7,10 @@ from os.path import pardir, realpath _INSTALL_SCHEMES = { @@ -229,10 +215,8 @@ Index: Python-2.7.14/Lib/sysconfig.py 'include': '{userbase}/include/python{py_version_short}', 'scripts': '{userbase}/bin', 'data' : '{userbase}', -Index: Python-2.7.14/Lib/test/test_dl.py -=================================================================== ---- Python-2.7.14.orig/Lib/test/test_dl.py -+++ Python-2.7.14/Lib/test/test_dl.py +--- a/Lib/test/test_dl.py ++++ b/Lib/test/test_dl.py @@ -4,10 +4,11 @@ import unittest from test.test_support import verbose, import_module @@ -247,11 +231,9 @@ Index: Python-2.7.14/Lib/test/test_dl.py ('/usr/bin/cygwin1.dll', 'getpid'), ('/usr/lib/libc.dylib', 'getpid'), ] -Index: Python-2.7.14/Lib/test/test_site.py -=================================================================== ---- Python-2.7.14.orig/Lib/test/test_site.py -+++ Python-2.7.14/Lib/test/test_site.py -@@ -252,12 +252,16 @@ class HelperFunctionsTests(unittest.Test +--- a/Lib/test/test_site.py ++++ b/Lib/test/test_site.py +@@ -254,12 +254,16 @@ class HelperFunctionsTests(unittest.Test self.assertEqual(dirs[0], wanted) elif os.sep == '/': # OS X, Linux, FreeBSD, etc 
@@ -271,10 +253,21 @@ Index: Python-2.7.14/Lib/test/test_site.py else: # other platforms self.assertEqual(len(dirs), 2) -Index: Python-2.7.14/Lib/trace.py -=================================================================== ---- Python-2.7.14.orig/Lib/trace.py -+++ Python-2.7.14/Lib/trace.py +@@ -305,7 +309,11 @@ class HelperFunctionsTests(unittest.Test + known_paths = set() + site.addusersitepackages(known_paths) + +- self.assertEqual(fake_isdir.arg, user_site) ++ # value of user_site cannot be used for comparison, because ++ # the following assert mistakenly assumes 'platlib' and ++ # 'purelib' directories are same. ++ self.assertEqual(fake_isdir.arg, ++ site.getusersitepackages('platlib')) + self.assertFalse(known_paths) + + +--- a/Lib/trace.py ++++ b/Lib/trace.py @@ -754,10 +754,10 @@ def main(argv=None): # should I also call expanduser? (after all, could use $HOME) @@ -288,10 +281,8 @@ Index: Python-2.7.14/Lib/trace.py "python" + sys.version[:3])) s = os.path.normpath(s) ignore_dirs.append(s) -Index: Python-2.7.14/Makefile.pre.in -=================================================================== ---- Python-2.7.14.orig/Makefile.pre.in -+++ Python-2.7.14/Makefile.pre.in +--- a/Makefile.pre.in ++++ b/Makefile.pre.in @@ -91,6 +91,8 @@ PY_CFLAGS= $(CFLAGS) $(CPPFLAGS) $(CFLAG # Machine-dependent subdirectories @@ -301,7 +292,7 @@ Index: Python-2.7.14/Makefile.pre.in # Multiarch directory (may be empty) MULTIARCH= @MULTIARCH@ -@@ -644,6 +646,7 @@ Modules/getpath.o: $(srcdir)/Modules/get +@@ -653,6 +655,7 @@ Modules/getpath.o: $(srcdir)/Modules/get -DEXEC_PREFIX='"$(exec_prefix)"' \ -DVERSION='"$(VERSION)"' \ -DVPATH='"$(VPATH)"' \ 
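Review bot: The comment added in the new test_site.py hunk (`@@ -305,7 +309,11 @@`, inside python-2.7.5-multilib.patch) reads as if the assertion below it were the faulty one: "the following assert mistakenly assumes 'platlib' and 'purelib' directories are same" sits directly above the corrected `assertEqual`. It is the removed comparison with `user_site` that made that assumption, so I would reword it to `# user_site cannot be used here: the old assert assumed 'platlib' and 'purelib' are the same directory`. Presumably `fake_isdir.arg` keeps only the last path probed, in which case the purelib path is no longer asserted at all; that is worth confirming and, if so, both paths should be checked. The enclosing test method starts outside the hunk.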
@@ -309,7 +300,7 @@ Index: Python-2.7.14/Makefile.pre.in -o $@ $(srcdir)/Modules/getpath.c Modules/python.o: $(srcdir)/Modules/python.c -@@ -692,7 +695,7 @@ regen-ast: +@@ -701,7 +704,7 @@ regen-ast: Python/compile.o Python/symtable.o Python/ast.o: $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h Python/getplatform.o: $(srcdir)/Python/getplatform.c @@ -318,10 +309,8 @@ Index: Python-2.7.14/Makefile.pre.in Python/importdl.o: $(srcdir)/Python/importdl.c $(CC) -c $(PY_CFLAGS) -I$(DLINCLDIR) -o $@ $(srcdir)/Python/importdl.c -Index: Python-2.7.14/Modules/getpath.c -=================================================================== ---- Python-2.7.14.orig/Modules/getpath.c -+++ Python-2.7.14/Modules/getpath.c +--- a/Modules/getpath.c ++++ b/Modules/getpath.c @@ -100,6 +100,8 @@ #error "PREFIX, EXEC_PREFIX, VERSION, and VPATH must be constant defined" #endif @@ -340,10 +329,8 @@ Index: Python-2.7.14/Modules/getpath.c static void reduce(char *dir) -Index: Python-2.7.14/Python/getplatform.c -=================================================================== ---- Python-2.7.14.orig/Python/getplatform.c -+++ Python-2.7.14/Python/getplatform.c +--- a/Python/getplatform.c ++++ b/Python/getplatform.c @@ -10,3 +10,23 @@ Py_GetPlatform(void) { return PLATFORM; @@ -368,10 +355,8 @@ Index: Python-2.7.14/Python/getplatform.c +{ + return LIB; +} -Index: Python-2.7.14/Python/sysmodule.c -=================================================================== ---- Python-2.7.14.orig/Python/sysmodule.c -+++ Python-2.7.14/Python/sysmodule.c +--- a/Python/sysmodule.c ++++ b/Python/sysmodule.c @@ -1437,6 +1437,10 @@ _PySys_Init(void) PyString_FromString(Py_GetCopyright())); SET_SYS_FROM_STRING("platform", 
@@ -383,10 +368,8 @@ Index: Python-2.7.14/Python/sysmodule.c SET_SYS_FROM_STRING("executable", PyString_FromString(Py_GetProgramFullPath())); SET_SYS_FROM_STRING("prefix", -Index: Python-2.7.14/setup.py -=================================================================== ---- Python-2.7.14.orig/setup.py -+++ Python-2.7.14/setup.py +--- a/setup.py ++++ b/setup.py @@ -456,7 +456,7 @@ class PyBuildExt(build_ext): def detect_modules(self): # Ensure that /usr/local is always used @@ -410,7 +393,7 @@ Index: Python-2.7.14/setup.py extra_link_args=readline_extra_link_args, libraries=readline_libs) ) else: -@@ -1941,18 +1941,17 @@ class PyBuildExt(build_ext): +@@ -1933,18 +1933,17 @@ class PyBuildExt(build_ext): # Check for various platform-specific directories if host_platform == 'sunos5': include_dirs.append('/usr/openwin/include') diff --git a/python-2.7.9-ssl_ca_path.patch b/python-2.7.9-ssl_ca_path.patch index 30bbef0..b22a1ac 100644 --- a/python-2.7.9-ssl_ca_path.patch +++ b/python-2.7.9-ssl_ca_path.patch @@ -1,8 +1,6 @@ -Index: Python-2.7.9/Lib/ssl.py -=================================================================== ---- Python-2.7.9.orig/Lib/ssl.py 2014-12-10 16:59:40.000000000 +0100 -+++ Python-2.7.9/Lib/ssl.py 2015-02-25 17:28:19.538808314 +0100 -@@ -504,7 +504,15 @@ +--- a/Lib/ssl.py ++++ b/Lib/ssl.py +@@ -537,7 +537,15 @@ class SSLSocket(socket): self._context = SSLContext(ssl_version) self._context.verify_mode = cert_reqs if ca_certs: diff --git a/python-base.changes b/python-base.changes index d9bddc2..692fca5 100644 --- a/python-base.changes +++ b/python-base.changes 
@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Mon Apr 8 22:40:01 CEST 2019 - Matej Cepl
+
+- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch
+ removing unnecessary (and potentially harmful) URL scheme
+ local-file://.
+
+-------------------------------------------------------------------
+Mon Apr 8 21:13:48 CEST 2019 - Matej Cepl
+
+- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
+ Characters in the netloc attribute that decompose under NFKC
+ normalization (as used by the IDNA encoding) into any of ``/``,
+ ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
+ URL is decomposed before parsing, or is not a Unicode string,
+ no error will be raised.
+ Upstream commits e37ef41 and 507bd8c.
+
+-------------------------------------------------------------------
+Thu Apr 4 22:28:24 CEST 2019 - Matej Cepl
+
+- Update to 2.7.16:
+ * bugfix-only release: complete list of changes on
+ https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst
+ * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+ which are fully included in the tarball.
+ * Updated patches to apply cleanly:
+ CVE-2019-5010-null-defer-x509-cert-DOS.patch
+ bpo36160-init-sysconfig_vars.patch
+ do-not-use-non-ascii-in-test_ssl.patch
+ openssl-111-middlebox-compat.patch
+ openssl-111-ssl_options.patch
+ python-2.5.1-sqlite.patch
+ python-2.6-gettext-plurals.patch
+ python-2.7-dirs.patch
+ python-2.7.2-fix_date_time_compiler.patch
+ python-2.7.4-canonicalize2.patch
+ python-2.7.5-multilib.patch
+ python-2.7.9-ssl_ca_path.patch
+ python-bsddb6.diff
+ remove-static-libpython.diff
+ * Update python-2.7.5-multilib.patch to pass with new platlib
+ regime.
+
 -------------------------------------------------------------------
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 
diff --git a/python-base.spec b/python-base.spec
index 1db2e86..c7210c5 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -17,7 +17,7 @@
 
 
 Name: python-base
-Version: 2.7.15
+Version: 2.7.16
 Release: 0
 Summary: Python Interpreter base package
 License: Python-2.0
@@ -61,11 +61,6 @@ Patch38: reproducible.patch
 Patch40: python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41: python-sorted_tar.patch
-# https://github.com/python/cpython/pull/8771
-Patch42: openssl-111.patch
-# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
-# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
 # https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
 Patch47: openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
@@ -74,6 +69,15 @@ Patch48: openssl-111-ssl_options.patch
 # https://github.com/python/cpython/pull/11569
 # Fix segfault in ssl's cert parser
 Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
+# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
+# Initialize sysconfig variables in test_site.
+Patch50: bpo36160-init-sysconfig_vars.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
+# https://bugs.python.org/issue36216
+Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
+# removing unnecessary (and potentially harmful) URL scheme local-file://
+Patch52: CVE-2019-9948-avoid_local-file.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
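Review bot: The comment for Patch52 carries the PATCH-FIX-UPSTREAM tag but no upstream reference, while Patch50 cites gh#python/cpython#12131 and Patch51 cites https://bugs.python.org/issue36216; for a CVE backport that link is what lets a reviewer compare the patch with what upstream merged. Add a line such as `# <upstream issue or commit URL for CVE-2019-9948>` above `Patch52:`. The scheme is also written `local-file://` here, whereas, as far as I know, the CVE-2019-9948 advisory names it `local_file:` (underscore); the exact spelling matters to anyone searching code or URL filters for it. The same three comment blocks are added in the python-doc.spec and python.spec hunks (`@@ -74,6 +69,15 @@` and `@@ -79,6 +74,15 @@`), and the wording recurs in python-base.changes.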
@@ -181,11 +185,12 @@ other applications. %patch40 -p1 %endif %patch41 -p1 -%patch42 -p1 -%patch43 -p1 %patch47 -p1 %patch48 -p1 %patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python-bsddb6.diff b/python-bsddb6.diff index 973aa56..a64b919 100644 --- a/python-bsddb6.diff +++ b/python-bsddb6.diff @@ -16,10 +16,8 @@ This patch was partially autogenerated: setup.py | 6 +- 6 files changed, 120 insertions(+), 41 deletions(-) -Index: Python-2.7.14/Lib/bsddb/test/test_all.py -=================================================================== ---- Python-2.7.14.orig/Lib/bsddb/test/test_all.py -+++ Python-2.7.14/Lib/bsddb/test/test_all.py +--- a/Lib/bsddb/test/test_all.py ++++ b/Lib/bsddb/test/test_all.py @@ -74,8 +74,9 @@ if sys.version_info[0] >= 3 : key = key.decode(charset) return (key, value.decode(charset)) @@ -56,10 +54,8 @@ Index: Python-2.7.14/Lib/bsddb/test/test_all.py print 'My pid: %s' % os.getpid() print '-=' * 38 -Index: Python-2.7.14/Lib/bsddb/test/test_misc.py -=================================================================== ---- Python-2.7.14.orig/Lib/bsddb/test/test_misc.py -+++ Python-2.7.14/Lib/bsddb/test/test_misc.py +--- a/Lib/bsddb/test/test_misc.py ++++ b/Lib/bsddb/test/test_misc.py @@ -46,8 +46,9 @@ class MiscTestCase(unittest.TestCase): d[repr(i)] = repr(100*i) db.close() @@ -72,10 +68,8 @@ Index: Python-2.7.14/Lib/bsddb/test/test_misc.py db.close() # http://sourceforge.net/tracker/index.php?func=detail&aid=1708868&group_id=13900&atid=313900 -Index: Python-2.7.14/Lib/bsddb/test/test_replication.py -=================================================================== ---- Python-2.7.14.orig/Lib/bsddb/test/test_replication.py -+++ Python-2.7.14/Lib/bsddb/test/test_replication.py +--- a/Lib/bsddb/test/test_replication.py ++++ b/Lib/bsddb/test/test_replication.py 
@@ -165,21 +165,10 @@ class DBReplicationManager(DBReplication # is not generated if the master has no new transactions. # This is solved in BDB 4.6 (#15542). @@ -124,10 +118,8 @@ Index: Python-2.7.14/Lib/bsddb/test/test_replication.py while (time.time()btCompareCallback == NULL) { MYDB_BEGIN_BLOCK_THREADS; PyErr_SetString(PyExc_TypeError, -@@ -2769,13 +2793,21 @@ DB_set_bt_compare(DBObject* self, PyObje +@@ -2791,13 +2815,21 @@ DB_set_bt_compare(DBObject* self, PyObje static int _db_dupCompareCallback(DB* db, const DBT *leftKey, @@ -208,7 +200,7 @@ Index: Python-2.7.14/Modules/_bsddb.c if (self == NULL || self->dupCompareCallback == NULL) { MYDB_BEGIN_BLOCK_THREADS; PyErr_SetString(PyExc_TypeError, -@@ -3554,13 +3586,14 @@ Py_ssize_t DB_length(PyObject* _self) +@@ -3576,13 +3608,14 @@ Py_ssize_t DB_length(PyObject* _self) err = self->db->stat(self->db, /*txnid*/ NULL, &sp, 0); MYDB_END_ALLOW_THREADS; @@ -226,7 +218,7 @@ Index: Python-2.7.14/Modules/_bsddb.c free(sp); return size; } -@@ -8398,12 +8431,22 @@ static PyObject* +@@ -8420,12 +8453,22 @@ static PyObject* DBSequence_get(DBSequenceObject* self, PyObject* args, PyObject* kwargs) { int err, flags = 0; @@ -250,7 +242,7 @@ Index: Python-2.7.14/Modules/_bsddb.c return NULL; CHECK_SEQUENCE_NOT_CLOSED(self) -@@ -8533,8 +8576,19 @@ DBSequence_remove(DBSequenceObject* self +@@ -8555,8 +8598,19 @@ DBSequence_remove(DBSequenceObject* self static PyObject* DBSequence_set_cachesize(DBSequenceObject* self, PyObject* args) { @@ -272,7 +264,7 @@ Index: Python-2.7.14/Modules/_bsddb.c return NULL; CHECK_SEQUENCE_NOT_CLOSED(self) -@@ -8549,7 +8603,11 @@ DBSequence_set_cachesize(DBSequenceObjec +@@ -8571,7 +8625,11 @@ DBSequence_set_cachesize(DBSequenceObjec static PyObject* DBSequence_get_cachesize(DBSequenceObject* self) { 
@@ -285,7 +277,7 @@ Index: Python-2.7.14/Modules/_bsddb.c CHECK_SEQUENCE_NOT_CLOSED(self) -@@ -8678,6 +8736,9 @@ DBSequence_stat(DBSequenceObject* self, +@@ -8700,6 +8758,9 @@ DBSequence_stat(DBSequenceObject* self, #define MAKE_INT_ENTRY(name) _addIntToDict(dict_stat, #name, sp->st_##name) @@ -295,7 +287,7 @@ Index: Python-2.7.14/Modules/_bsddb.c #define MAKE_LONG_LONG_ENTRY(name) _addDb_seq_tToDict(dict_stat, #name, sp->st_##name) MAKE_INT_ENTRY(wait); -@@ -8687,10 +8748,15 @@ DBSequence_stat(DBSequenceObject* self, +@@ -8709,10 +8770,15 @@ DBSequence_stat(DBSequenceObject* self, MAKE_LONG_LONG_ENTRY(last_value); MAKE_LONG_LONG_ENTRY(min); MAKE_LONG_LONG_ENTRY(max); @@ -311,7 +303,7 @@ Index: Python-2.7.14/Modules/_bsddb.c #undef MAKE_LONG_LONG_ENTRY free(sp); -@@ -8992,7 +9058,7 @@ static PyMethodDef DBEnv_methods[] = { +@@ -9014,7 +9080,7 @@ static PyMethodDef DBEnv_methods[] = { {"txn_recover", (PyCFunction)DBEnv_txn_recover, METH_NOARGS}, #if (DBVER < 48) {"set_rpc_server", (PyCFunction)DBEnv_set_rpc_server, @@ -320,7 +312,7 @@ Index: Python-2.7.14/Modules/_bsddb.c #endif {"set_mp_max_openfd", (PyCFunction)DBEnv_set_mp_max_openfd, METH_VARARGS}, {"get_mp_max_openfd", (PyCFunction)DBEnv_get_mp_max_openfd, METH_NOARGS}, -@@ -9964,6 +10030,10 @@ PyMODINIT_FUNC PyInit__bsddb(void) / +@@ -9986,6 +10052,10 @@ PyMODINIT_FUNC PyInit__bsddb(void) / ADD_INT(d, DB_LOG_ZERO); #endif @@ -331,7 +323,7 @@ Index: Python-2.7.14/Modules/_bsddb.c #if (DBVER >= 44) ADD_INT(d, DB_DSYNC_DB); #endif -@@ -10024,6 +10094,10 @@ PyMODINIT_FUNC PyInit__bsddb(void) / +@@ -10046,6 +10116,10 @@ PyMODINIT_FUNC PyInit__bsddb(void) / ADD_INT(d, DB_EVENT_REG_PANIC); #endif @@ -342,7 +334,7 @@ Index: Python-2.7.14/Modules/_bsddb.c #if (DBVER >=52) ADD_INT(d, DB_EVENT_REP_SITE_ADDED); ADD_INT(d, DB_EVENT_REP_SITE_REMOVED); -@@ -10128,6 +10202,20 @@ PyMODINIT_FUNC PyInit__bsddb(void) / +@@ -10150,6 +10224,20 @@ PyMODINIT_FUNC PyInit__bsddb(void) / ADD_INT(d, DB_REP_CONF_INMEM); #endif 
@@ -363,10 +355,8 @@ Index: Python-2.7.14/Modules/_bsddb.c ADD_INT(d, DB_TIMEOUT); #if (DBVER >= 50) -Index: Python-2.7.14/Modules/bsddb.h -=================================================================== ---- Python-2.7.14.orig/Modules/bsddb.h -+++ Python-2.7.14/Modules/bsddb.h +--- a/Modules/bsddb.h ++++ b/Modules/bsddb.h @@ -110,7 +110,7 @@ #error "eek! DBVER can't handle minor versions > 9" #endif @@ -376,10 +366,8 @@ Index: Python-2.7.14/Modules/bsddb.h /* Python object definitions */ -Index: Python-2.7.14/setup.py -=================================================================== ---- Python-2.7.14.orig/setup.py -+++ Python-2.7.14/setup.py +--- a/setup.py ++++ b/setup.py @@ -905,7 +905,7 @@ class PyBuildExt(build_ext): # a release. Most open source OSes come with one or more # versions of BerkeleyDB already installed. diff --git a/python-doc.spec b/python-doc.spec index b1d6afc..05333b2 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -17,7 +17,7 @@ Name: python-doc -Version: 2.7.15 +Version: 2.7.16 Release: 0 Summary: Additional Package Documentation for Python License: Python-2.0 @@ -61,11 +61,6 @@ Patch38: reproducible.patch Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch -# https://github.com/python/cpython/pull/8771 -Patch42: openssl-111.patch -# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com -# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch -Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch # https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834) Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE 
@@ -74,6 +69,15 @@ Patch48: openssl-111-ssl_options.patch # https://github.com/python/cpython/pull/11569 # Fix segfault in ssl's cert parser Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch +# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com +# Initialize sysconfig variables in test_site. +Patch50: bpo36160-init-sysconfig_vars.patch +# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com +# https://bugs.python.org/issue36216 +Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch +# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com +# removing unnecessary (and potentially harmful) URL scheme local-file:// +Patch52: CVE-2019-9948-avoid_local-file.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -127,11 +131,12 @@ Python, and Macintosh Module Reference in PDF format. %patch40 -p1 %endif %patch41 -p1 -%patch42 -p1 -%patch43 -p1 %patch47 -p1 %patch48 -p1 %patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python.spec b/python.spec index 31241c8..5779f1a 100644 --- a/python.spec +++ b/python.spec @@ -17,7 +17,7 @@ Name: python -Version: 2.7.15 +Version: 2.7.16 Release: 0 Summary: Python Interpreter License: Python-2.0 
@@ -66,11 +66,6 @@ Patch38: reproducible.patch Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch -# https://github.com/python/cpython/pull/8771 -Patch42: openssl-111.patch -# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com -# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch -Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch # https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834) Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE @@ -79,6 +74,15 @@ Patch48: openssl-111-ssl_options.patch # https://github.com/python/cpython/pull/11569 # Fix segfault in ssl's cert parser Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch +# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com +# Initialize sysconfig variables in test_site. +Patch50: bpo36160-init-sysconfig_vars.patch +# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com +# https://bugs.python.org/issue36216 +Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch +# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com +# removing unnecessary (and potentially harmful) URL scheme local-file:// +Patch52: CVE-2019-9948-avoid_local-file.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -233,11 +237,12 @@ that rely on earlier non-verification behavior. %patch40 -p1 %endif %patch41 -p1 -%patch42 -p1 -%patch43 -p1 %patch47 -p1 %patch48 -p1 %patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/remove-static-libpython.diff b/remove-static-libpython.diff index 24b1e94..c4997d3 100644 
--- a/remove-static-libpython.diff +++ b/remove-static-libpython.diff @@ -1,8 +1,6 @@ -Index: Python-2.7.6/Makefile.pre.in -=================================================================== ---- Python-2.7.6.orig/Makefile.pre.in 2013-11-19 17:36:56.968106247 +0100 -+++ Python-2.7.6/Makefile.pre.in 2013-11-19 17:36:56.972106270 +0100 -@@ -438,7 +438,7 @@ +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -488,7 +488,7 @@ coverage-report: regen-grammar # Build the interpreter @@ -11,7 +9,7 @@ Index: Python-2.7.6/Makefile.pre.in $(LINKCC) $(LDFLAGS) $(LINKFORSHARED) -o $@ \ Modules/python.o \ $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) -@@ -465,18 +465,6 @@ +@@ -529,18 +529,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.tx _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \ $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build @@ -30,7 +28,7 @@ Index: Python-2.7.6/Makefile.pre.in libpython$(VERSION).so: $(LIBRARY_OBJS) if test $(INSTSONAME) != $(LDLIBRARY); then \ $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \ -@@ -1094,18 +1082,6 @@ +@@ -1220,18 +1208,6 @@ libainstall: @DEF_MAKE_RULE@ python-conf else true; \ fi; \ done