diff --git a/python310.changes b/python310.changes index c616613..57e429c 100644 --- a/python310.changes +++ b/python310.changes @@ -4,6 +4,8 @@ Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl - Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command injection in the mailcap module. +- Fix building of documentation and the universal configuration of the + %primary_interpreter. ------------------------------------------------------------------- Mon Jun 6 22:29:23 UTC 2022 - Matej Cepl @@ -247,7 +249,8 @@ Tue May 10 14:35:52 UTC 2022 - Matej Cepl ------------------------------------------------------------------- Thu May 5 14:35:56 UTC 2022 - Matej Cepl -- Switch primary_interpreter from python38 to python310 +- Switch primary_interpreter from python38 to python310 for + Factory (only) ------------------------------------------------------------------- Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl @@ -530,8 +533,13 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl - bpo-14916: Fixed bug in the tokenizer that prevented PyRun_InteractiveOne from parsing from the provided FD. -- Remove upstreamed patches: - - support-expat-245.patch +------------------------------------------------------------------- +Thu Mar 24 18:55:46 UTC 2022 - David Anes + +- (bsc#1196784, CVE-2022-25236) Rename patch: + support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch + and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5 + as it was fully patched against CVE-2022-25236. ------------------------------------------------------------------- Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik diff --git a/python310.spec b/python310.spec index 38383fd..c3fcde6 100644 --- a/python310.spec +++ b/python310.spec @@ -62,7 +62,11 @@ Obsoletes: python39%{?1:-%{1}} %define python_pkg_name python310 # Will provide the python3-* provides # Will do the /usr/bin/python3 and all the core links -%define primary_interpreter 1 +%if 0%{?sle_version} || 0%{?suse_version} >= 1550 +%define primary_interpreter 0 +%else +%define primary_interpreter 1 +%endif # We don't process beta signs well %define folderversion 3.10.5 %define tarname Python-%{tarversion} @@ -160,9 +164,12 @@ Patch34: skip-test_pyobject_freed_is_freed.patch # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com # remove duplicate link targets and make documentation with old Sphinx in SLE Patch35: fix_configure_rst.patch +# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com +# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236 +Patch36: support-expat-CVE-2022-25236-patched.patch # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com # avoid the command injection in the mailcap module. -Patch36: CVE-2015-20107-mailcap-unsafe-filenames.patch +Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -190,7 +197,11 @@ BuildRequires: pkgconfig(libtirpc) BuildRequires: mpdecimal-devel %endif %if %{with doc} +%if 0%{?sle_version} && 0%{?sle_version} <= 150300 BuildRequires: python3-Sphinx +%else +BuildRequires: python3-Sphinx >= 3.2.0 +%endif %if 0%{?suse_version} >= 1500 BuildRequires: python3-python-docs-theme >= 2022.1 %endif @@ -421,14 +432,13 @@ other applications. %patch09 -p1 %patch15 -p1 %patch29 -p1 -%if 0%{?suse_version} <= 1500 -%patch33 -p1 -%endif %if 0%{?sle_version} && 0%{?sle_version} <= 150300 +%patch33 -p1 %patch34 -p1 %endif %patch35 -p1 %patch36 -p1 +%patch37 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac diff --git a/support-expat-CVE-2022-25236-patched.patch b/support-expat-CVE-2022-25236-patched.patch new file mode 100644 index 0000000..34cc199 --- /dev/null +++ b/support-expat-CVE-2022-25236-patched.patch @@ -0,0 +1,49 @@ +From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 21 Feb 2022 08:16:09 -0800 +Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) + (GH-31472) + +Curly brackets were never allowed in namespace URIs +according to RFC 3986, and so-called namespace-validating +XML parsers have the right to reject them a invalid URIs. + +libexpat >=2.4.5 has become strcter in that regard due to +related security issues; with ET.XML instantiating a +namespace-aware parser under the hood, this test has no +future in CPython. + +References: +- https://datatracker.ietf.org/doc/html/rfc3968 +- https://www.w3.org/TR/xml-names/ + +Also, test_minidom.py: Support Expat >=2.4.5 +(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) + +Co-authored-by: Sebastian Pipping +--- + Lib/test/test_minidom.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst + +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -1149,7 +1149,7 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- if pyexpat.version_info >= (2, 4, 5): ++ if pyexpat.version_info >= (2, 4, 4): + self.assertRaises(ExpatError, parseString, + b'') + self.assertRaises(ExpatError, parseString, +@@ -1617,7 +1617,7 @@ class MinidomTest(unittest.TestCase): + self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) + + def testExceptionOnSpacesInXMLNSValue(self): +- if pyexpat.version_info >= (2, 4, 5): ++ if pyexpat.version_info >= (2, 4, 4): + context = self.assertRaisesRegex(ExpatError, 'syntax error') + else: + context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')