From 1716dfe0886ef6dd3cf1720e9d3e3b412e3eefff887a24eb70ed4f378d8134c3 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 7 Aug 2024 20:30:36 +0000 Subject: [PATCH] - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=140 --- CVE-2024-6923-email-hdr-inject.patch | 65 ++++++++++------------------ bso1227999-reproducible-builds.patch | 37 ++++++++++++++++ python310.changes | 3 ++ python310.spec | 6 ++- 4 files changed, 67 insertions(+), 44 deletions(-) create mode 100644 bso1227999-reproducible-builds.patch diff --git a/CVE-2024-6923-email-hdr-inject.patch b/CVE-2024-6923-email-hdr-inject.patch index 16abd6a..fe6cde5 100644 --- a/CVE-2024-6923-email-hdr-inject.patch +++ b/CVE-2024-6923-email-hdr-inject.patch 
@@ -25,24 +25,22 @@ Co-authored-by: Petr Viktorin Co-authored-by: Bas Bloemsaat Co-authored-by: Serhiy Storchaka --- - Doc/library/email.errors.rst | 6 ++ - Doc/library/email.policy.rst | 18 ++++++ - Doc/whatsnew/3.10.rst | 12 ++++ - Lib/email/_header_value_parser.py | 12 +++- - Lib/email/_policybase.py | 8 +++ - Lib/email/errors.py | 4 ++ - Lib/email/generator.py | 13 +++- - Lib/test/test_email/test_generator.py | 62 +++++++++++++++++++ - Lib/test/test_email/test_policy.py | 26 ++++++++ - ...-07-27-16-10-41.gh-issue-121650.nf6oc9.rst | 5 ++ + Doc/library/email.errors.rst | 6 + Doc/library/email.policy.rst | 18 ++ + Doc/whatsnew/3.10.rst | 12 + + Lib/email/_header_value_parser.py | 12 + + Lib/email/_policybase.py | 8 + + Lib/email/errors.py | 4 + Lib/email/generator.py | 13 +- + Lib/test/test_email/test_generator.py | 62 ++++++++++ + Lib/test/test_email/test_policy.py | 26 ++++ + Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst | 5 10 files changed, 162 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst -diff --git a/Doc/library/email.errors.rst b/Doc/library/email.errors.rst -index 194a98696f437d..f737f0282c5489 100644 --- a/Doc/library/email.errors.rst +++ b/Doc/library/email.errors.rst -@@ -59,6 +59,12 @@ The following exception classes are defined in the :mod:`email.errors` module: +@@ -59,6 +59,12 @@ The following exception classes are defi :class:`~email.mime.image.MIMEImage`). @@ -55,8 +53,6 @@ index 194a98696f437d..f737f0282c5489 100644 Here is the list of the defects that the :class:`~email.parser.FeedParser` can find while parsing messages. Note that the defects are added to the message where the problem was found, so for example, if a message nested inside a -diff --git a/Doc/library/email.policy.rst b/Doc/library/email.policy.rst -index bf53b9520fc723..eba43b5169ddcf 100644 --- a/Doc/library/email.policy.rst +++ b/Doc/library/email.policy.rst 
@@ -229,6 +229,24 @@ added matters. To illustrate:: @@ -84,11 +80,9 @@ index bf53b9520fc723..eba43b5169ddcf 100644 The following :class:`Policy` method is intended to be called by code using the email library to create policy instances with custom settings: -diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst -index f71a50163f49ea..2d9f7608162863 100644 --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst -@@ -2372,3 +2372,15 @@ ipaddress +@@ -2357,3 +2357,15 @@ ipaddress * Fixed ``is_global`` and ``is_private`` behavior in ``IPv4Address``, ``IPv6Address``, ``IPv4Network`` and ``IPv6Network``. @@ -104,11 +98,9 @@ index f71a50163f49ea..2d9f7608162863 100644 + If you need to turn this safety feature off, + set :attr:`~email.policy.Policy.verify_generated_headers`. + (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`.) -diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py -index e637e6df06612d..e1b99d5b417253 100644 --- a/Lib/email/_header_value_parser.py +++ b/Lib/email/_header_value_parser.py -@@ -92,6 +92,8 @@ +@@ -92,6 +92,8 @@ TOKEN_ENDS = TSPECIALS | WSP ASPECIALS = TSPECIALS | set("*'%") ATTRIBUTE_ENDS = ASPECIALS | WSP EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%') @@ -117,7 +109,7 @@ index e637e6df06612d..e1b99d5b417253 100644 def quote_string(value): return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"' -@@ -2778,9 +2780,13 @@ def _refold_parse_tree(parse_tree, *, policy): +@@ -2778,9 +2780,13 @@ def _refold_parse_tree(parse_tree, *, po wrap_as_ew_blocked -= 1 continue tstr = str(part) @@ -134,11 +126,9 @@ index e637e6df06612d..e1b99d5b417253 100644 try: tstr.encode(encoding) charset = encoding -diff --git a/Lib/email/_policybase.py b/Lib/email/_policybase.py -index c9cbadd2a80c48..d1f48211f90970 100644 --- a/Lib/email/_policybase.py 
+++ b/Lib/email/_policybase.py -@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta): +@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc. message_factory -- the class to use to create new message objects. If the value is None, the default is Message. @@ -152,7 +142,7 @@ index c9cbadd2a80c48..d1f48211f90970 100644 """ raise_on_defect = False -@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta): +@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc. max_line_length = 78 mangle_from_ = False message_factory = None @@ -160,8 +150,6 @@ index c9cbadd2a80c48..d1f48211f90970 100644 def handle_defect(self, obj, defect): """Based on policy, either raise defect or call register_defect. -diff --git a/Lib/email/errors.py b/Lib/email/errors.py -index 3ad00565549968..02aa5eced6ae46 100644 --- a/Lib/email/errors.py +++ b/Lib/email/errors.py @@ -29,6 +29,10 @@ class CharsetError(MessageError): @@ -175,11 +163,9 @@ index 3ad00565549968..02aa5eced6ae46 100644 # These are parsing defects which the parser was able to work around. class MessageDefect(ValueError): """Base class for a message defect.""" -diff --git a/Lib/email/generator.py b/Lib/email/generator.py -index c9b121624e08d5..89224ae41cbc67 100644 --- a/Lib/email/generator.py +++ b/Lib/email/generator.py -@@ -14,12 +14,14 @@ +@@ -14,12 +14,14 @@ import random from copy import deepcopy from io import StringIO, BytesIO from email.utils import _has_surrogates @@ -194,7 +180,7 @@ index c9b121624e08d5..89224ae41cbc67 100644 -@@ -223,7 +225,16 @@ def _dispatch(self, msg): +@@ -223,7 +225,16 @@ class Generator: def _write_headers(self, msg): for h, v in msg.raw_items(): @@ -212,11 +198,9 @@ index c9b121624e08d5..89224ae41cbc67 100644 # A blank line always separates headers from body self.write(self._NL) -diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py -index 89e7edeb63a892..d29400f0ed1dbb 100644 --- a/Lib/test/test_email/test_generator.py 
+++ b/Lib/test/test_email/test_generator.py -@@ -6,6 +6,7 @@ +@@ -6,6 +6,7 @@ from email.message import EmailMessage from email.generator import Generator, BytesGenerator from email.headerregistry import Address from email import policy @@ -224,7 +208,7 @@ index 89e7edeb63a892..d29400f0ed1dbb 100644 from test.test_email import TestEmailBase, parameterize -@@ -216,6 +217,44 @@ def test_rfc2231_wrapping_switches_to_default_len_if_too_narrow(self): +@@ -216,6 +217,44 @@ class TestGeneratorBase: g.flatten(msg) self.assertEqual(s.getvalue(), self.typ(expected)) @@ -269,7 +253,7 @@ index 89e7edeb63a892..d29400f0ed1dbb 100644 class TestGenerator(TestGeneratorBase, TestEmailBase): -@@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, TestEmailBase): +@@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, T ioclass = io.StringIO typ = str @@ -299,8 +283,6 @@ index 89e7edeb63a892..d29400f0ed1dbb 100644 class TestBytesGenerator(TestGeneratorBase, TestEmailBase): -diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py -index e87c275549406d..ff1ddf7d7a8fca 100644 --- a/Lib/test/test_email/test_policy.py +++ b/Lib/test/test_email/test_policy.py @@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase): @@ -311,7 +293,7 @@ index e87c275549406d..ff1ddf7d7a8fca 100644 } # These default values are the ones set on email.policy.default. # If any of these defaults change, the docs must be updated. -@@ -277,6 +278,31 @@ def test_short_maxlen_error(self): +@@ -277,6 +278,31 @@ class PolicyAPITests(unittest.TestCase): with self.assertRaises(email.errors.HeaderParseError): policy.fold("Subject", subject) 
@@ -343,9 +325,6 @@ index e87c275549406d..ff1ddf7d7a8fca 100644 # XXX: Need subclassing tests. # For adding subclassed objects, make sure the usual rules apply (subclass # wins), but that the order still works (right overrides left). -diff --git a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst -new file mode 100644 -index 00000000000000..83dd28d4ac575b --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst @@ -0,0 +1,5 @@ diff --git a/bso1227999-reproducible-builds.patch b/bso1227999-reproducible-builds.patch new file mode 100644 index 0000000..1b674a7 --- /dev/null +++ b/bso1227999-reproducible-builds.patch 
@@ -0,0 +1,37 @@
+From ac2b8869724d7a57d9b5efbdce2f20423214e8bb Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann"
+Date: Tue, 16 Jul 2024 21:39:33 +0200
+Subject: [PATCH] Allow to override build date with SOURCE_DATE_EPOCH
+
+to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+---
+ Doc/conf.py | 3 ++-
+ Doc/library/functions.rst | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/Doc/conf.py
++++ b/Doc/conf.py
+@@ -89,7 +89,8 @@ html_short_title = '%s Documentation' %
+ 
+ # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+ # using the given strftime format.
+-html_last_updated_fmt = '%b %d, %Y'
++html_time = int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))
++html_last_updated_fmt = time.strftime('%b %d, %Y (%H:%M UTC)', time.gmtime(html_time))
+ 
+ # Path to find HTML templates.
+ templates_path = ['tools/templates']
+--- a/Doc/library/functions.rst
++++ b/Doc/library/functions.rst
+@@ -1320,7 +1320,7 @@ are always available. They are listed h
+ (where :func:`open` is declared), :mod:`os`, :mod:`os.path`, :mod:`tempfile`,
+ and :mod:`shutil`.
+ 
+- .. audit-event:: open file,mode,flags open
++ .. audit-event:: open path,mode,flags open
+ 
+ The ``mode`` and ``flags`` arguments may have been modified or inferred from
+ the original call.
diff --git a/python310.changes b/python310.changes
index 2ceb11b..815fac7 100644
--- a/python310.changes
+++ b/python310.changes
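Review bot: In the embedded Doc/conf.py hunk, `int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))` aborts the documentation build with an uncaught ValueError when the variable is present but empty or not an integer; since the value comes from the build environment, a guard such as `html_time = int(os.environ.get('SOURCE_DATE_EPOCH') or time.time())` covers the empty-string case, and a malformed value deserves a clearer error than a traceback from conf.py. The hunk also relies on `os` and `time` already being imported in Doc/conf.py, which the patch does not show — presumably true for the 3.10 file, but worth confirming when the patch is refreshed. The second embedded hunk (Doc/library/functions.rst, `open file,mode,flags` → `open path,mode,flags`) is an unrelated documentation correction that neither the embedded patch's own subject nor its description mentions; adding one sentence to the patch description naming that second upstream change would help whoever maintains this file later.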
@@ -4,6 +4,9 @@ Wed Aug 7 13:40:44 UTC 2024 - Matej Cepl - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). +- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 + adding reproducibility patches from gh#python/cpython!121872 + and gh#python/cpython!121883. - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999) - Update bluez-devel-vendor.tar.xz diff --git a/python310.spec b/python310.spec index 6db8323..45f3fda 100644 --- a/python310.spec +++ b/python310.spec @@ -203,9 +203,12 @@ Patch22: CVE-2023-52425-libexpat-2.6.0-backport.patch # PATCH-FIX-UPSTREAM CVE-2024-4032-private-IP-addrs.patch bsc#1226448 mcepl@suse.com # rearrange definition of private v global IP addresses Patch23: CVE-2024-4032-private-IP-addrs.patch +# PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com +# reproducibility patches +Patch24: bso1227999-reproducible-builds.patch # PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com # prevent email header injection, patch from gh#python/cpython!122608 -Patch24: CVE-2024-6923-email-hdr-inject.patch +Patch25: CVE-2024-6923-email-hdr-inject.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -485,6 +488,7 @@ other applications. %patch -p1 -P 22 %patch -p1 -P 23 %patch -p1 -P 24 +%patch -p1 -P 25 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
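Review bot: The new `# reproducibility patches` comment above `Patch24:` is thinner than the neighbouring PATCH-FIX-UPSTREAM entries, which name the upstream change they were taken from (compare `# prevent email header injection, patch from gh#python/cpython!122608` two lines below); since the .changes entry in this same commit already cites gh#python/cpython!121872 and gh#python/cpython!121883, the spec comment could read `# reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883`. Renumbering the existing CVE-2024-6923 entry from `Patch24:` to `Patch25:` in order to slot the new patch in ahead of it is avoidable churn on a security-fix line; appending the new file as Patch25 with a matching `%patch -p1 -P 25` would leave the CVE entry byte-identical. The final `%patch` hunk appears to continue past the visible end of this chunk.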