diff --git a/Python-3.11.0rc1.tar.xz b/Python-3.11.0rc1.tar.xz deleted file mode 100644 index 6f78839..0000000 --- a/Python-3.11.0rc1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:53a5377c37a8a2c6da075b14eb9d63374579f7f3c718fa20f0a1fbb0e94a922b -size 19815524 diff --git a/Python-3.11.0rc1.tar.xz.asc b/Python-3.11.0rc1.tar.xz.asc deleted file mode 100644 index 50ca3e1..0000000 --- a/Python-3.11.0rc1.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmLtMGcACgkQ/+h0BBaL -2Eeirw//ZSjlvrUAouGGLbWal2CnJ8qmR7eAuSQQpwftmj++JhiQfKfIoWH8WYn9 -FTYVcVD/seXKGUK+ydj8ZDRoSA59sS+zVNnca/BaxPeqScZVbFTOB/o1tlE5g4h+ -WxSCRXfYmkIqXag3ZOZ/A+EXjgfAl/DrYtYKAafjH2nF9R9j4+w8YZ/ENELQ8Fd5 -thHyxNPDFeTK56ClR2QIZHdqCZHHNk1sO+FaB1Na/uZ5dD7snc+T7CjN1/Dlcs75 -oye5HAU35FHxV5nzk8uieatwW0q6/BtFWE3g8LbxECPRbLCo6bBySj2TA2LuwroR -fhn+r093y6NIJBLPIYjpFl5HlDnxDyOvFvKrJ1hZI9DC9VHPyeYP9hzHYQ2yBMwx -SD3djAPVJnwESM25MdZ5oaYrQu8e13+zA2l6Hnk5tsIjPI6CelO/xyPdWeSzBQEg -SaJke+QakoLXKoBSJhkIskwhCX6m+vmoiZFFSpemr3k13e3jTObyDRilh8eGkQtN -EFNp2KPBn8NM7udBNI4zxGr6kviEt4R+8nfQ2VmdnlU2XIMW7pwMfoPmWI1yXpl2 -JNo9o9EbeuawY7I/j+ryHV40b2wx9UA8DXHJg0iTiQT2IMvwPy18eiQJoVg4nJqH -tH6/zUw2yqFd9G7/uoYcGhk5PlalrZO7Ufeb/vUEUqvrISYu2QE= -=jjd6 ------END PGP SIGNATURE----- diff --git a/Python-3.11.0rc2.tar.xz b/Python-3.11.0rc2.tar.xz new file mode 100644 index 0000000..52f72f9 --- /dev/null +++ b/Python-3.11.0rc2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25b35cc7d82c5ad34d867b179a1c1695d129be5ed14a21e46b6b7f2350a8b490 +size 19828340 diff --git a/Python-3.11.0rc2.tar.xz.asc b/Python-3.11.0rc2.tar.xz.asc new file mode 100644 index 0000000..3060388 --- /dev/null +++ b/Python-3.11.0rc2.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmMeOSQACgkQ/+h0BBaL +2EcrTA//USzDkebYcAJ1jcb1diiV9JJd7Znm4l7rwb/TKimY82gN1ev9R1/fkmOk +KaRhn5Ss23lm5IdwbJNL1dhrx9DdtsW3oBzaT+pchSVXu0qVokQ0XFVvWzEqwiit +2K6JOlcVyMV8QnBBJPAC+/HN1pjZGQESk/HoP7ESqQUytRkieddjO/cnJ/m36oMJ +YUVoHS1sQVrRHQU3C1RSZ+DF1sdCjzy1ZxfKMVz73gBjLRQ5MiWYIp7ryDtNMZ7F +Ws8m+5WXVhWE2hniMvCVDN25vHIan+9l4hjT01kLh7Ei/QJ6t2GrOtHagMDhFcS1 +Lhq/7flMGpLjhpNNtzAXSPhMZDDxIpyIZu4XwxmQAXFkhCm6H2RBo6OrGWDaOT+V +6kfVCUky+v7oKHs19xm+UilNBIzd4DMNKP2Q9MYcqnR+aI/ggMG7k7KZ3gpPKrQI +x8u6PGFl9vUsRHiUxXYuIM+FO9LAYIFskpWy/CW7fZ29iAkeMjRzhcyS/A8exaae +YA+z4dqgnYLQqMUX3aK3kzAreKAncFkYdNmnv7YMUUSM5J5fvIN2bG/oJ2oti0sk +o1WhVr3ygizeqAOhw0bd2N84xqee+ky18fl+FkauyzEPh7vdI+OQWrBAuJF7YZKR +sHTSxdzPBjaXijLXriZIo1YRXc7N7jd05Cq8R95dzxC9BZjOOfI= +=KvNZ +-----END PGP SIGNATURE----- diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index 6b40cea..ce566cd 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional --- a/Misc/NEWS +++ b/Misc/NEWS -@@ -6464,7 +6464,7 @@ C API +@@ -6636,7 +6636,7 @@ C API - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name diff --git a/python311.changes b/python311.changes index 8894ec9..128d145 100644 --- a/python311.changes +++ b/python311.changes @@ -1,3 +1,106 @@ +------------------------------------------------------------------- +Thu Sep 15 08:43:07 UTC 2022 - Matej Cepl + +- Update to 3.11.0rc2: + - Converting between int and str in bases other than 2 + (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base + 10 (decimal) now raises a ValueError if the number of digits + in string form is above a limit to avoid potential denial of + service attacks due to the algorithmic complexity. This is + a mitigation for CVE-2020-10735. + This new limit can be configured or disabled by environment + variable, command line flag, or sys APIs. See the integer + string conversion length limitation documentation. The + default limit is 4300 digits in string form. + - Fix case of undefined behavior in ceval.c + - Do not expose KeyWrapper in _functools. + - Ensure that tracing, sys.setrace(), is turned on + immediately. In pre-release versions of 3.11, some tracing + events might have been lost when turning on tracing in a + __del__ method or interrupt. + - Fix use after free in trace refs build mode. Patch by Kumar + Aditya. + - When loading a file with invalid UTF-8 inside a multi-line + string, a correct SyntaxError is emitted. + - Make sure that incomplete frames do not show up in + tracemalloc traces. + - Remove two cases of undefined behavior, by adding NULL + checks. + - Fix possible NULL pointer dereference in + _PyThread_CurrentFrames. Patch by Kumar Aditya. + - Fix AttributeError missing name and obj attributes in + object.__getattribute__(). Patch by Philip Georgi. + - Loading a file with invalid UTF-8 will now report the broken + character at the correct location. + - Fixed a bug that caused _PyCode_GetExtra to return garbage + for negative indexes. Patch by Pablo Galindo + - Fix a deadlock in PyGILState_Ensure() when allocating new + thread state. Patch by Kumar Aditya. + - PyType_Ready() now initializes ht_cached_keys and performs + additional checks to ensure that type objects are properly + configured. This avoids crashes in 3rd party packages that + don’t use regular API to create new types. + - Skip over incomplete frames in PyThreadState_GetFrame(). + - Fix format string in _PyPegen_raise_error_known_location that + can lead to memory corruption on some 64bit systems. The + function was building a tuple with i (int) instead of n + (Py_ssize_t) for Py_ssize_t arguments. + - Fix misleading contents of error message when converting an + all-whitespace string to float. + - ast.parse() will no longer parse function definitions with + positional-only params when passed feature_version less than + (3, 8). Patch by Shantanu Jain. + - Fix incorrect error message in the io module. + - Fix the faulthandler implementation of + faulthandler.register(signal, chain=True) if the sigaction() + function is not available: don’t call the previous signal + handler if it’s NULL. Patch by Victor Stinner. + - Correct conversion of numbers.Rational’s to float. + - Fix TypeVarTuple.__typing_prepare_subst__. TypeError was not + raised when using more than one TypeVarTuple, like [*T, *V] + in type alias substitutions. + - Fix asyncio.streams.StreamReaderProtocol to keep a strong + reference to the created task, so that it’s not garbage + collected + - Fix a performance regression in logging + TimedRotatingFileHandler. Only check for special files when + the rollover time has passed. + - Fix unused localName parameter in the Attr class in + xml.dom.minidom. + - Fix incorrect condition that causes sys.thread_info.name to + be wrong on pthread platforms. + - Remove an incompatible change from bpo-28080 that caused a + regression that ignored the utf8 in ZipInfo.flag_bits. Patch + by Pablo Galindo. + - Fix asyncio.Runner to call asyncio.set_event_loop() only + once to avoid calling attach_loop() multiple times on child + watchers. Patch by Kumar Aditya. + - Fix unittest.IsolatedAsyncioTestCase to set event loop before + calling setup functions. Patch by Kumar Aditya. + - When a task catches asyncio.CancelledError and raises some + other error, the other error should generally not silently be + suppressed. + - Fail gracefully if EPERM or ENOSYS is raised when loading + crypt methods. This may happen when trying to load MD5 on a + Linux kernel with FIPS enabled. + - Allow asyncio.StreamWriter.drain() to be awaited concurrently + by multiple tasks. Patch by Kumar Aditya. + - Fix ast.unparse() when ImportFrom.level is None + - Improve discoverability of the higher level + concurrent.futures module by providing clearer links from the + lower level threading and multiprocessing modules. + - What’s New 3.11 now has instructions for how to provide + compiler and linker flags for Tcl/Tk and OpenSSL on RHEL 7 + and CentOS 7. + - Mitigate the inherent race condition from using + find_unused_port() in testSockName() by trying to find an + unused port a few times before failing. Patch by Ross Burton. + - Build and test with OpenSSL 1.1.1q +- Use support-expat-CVE-2022-25236-patched.patch from the current + version of gh#python/cpython#93900 instead of the old + support-expat-245.patch. +- Reapply fix_configure_rst.patch. + ------------------------------------------------------------------- Mon Sep 5 08:43:49 UTC 2022 - Andreas Schwab diff --git a/python311.spec b/python311.spec index c95ad12..84717f0 100644 --- a/python311.spec +++ b/python311.spec @@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}} %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.11.0rc1 +Version: 3.11.0rc2 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -163,9 +163,9 @@ Patch34: skip-test_pyobject_freed_is_freed.patch # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com # remove duplicate link targets and make documentation with old Sphinx in SLE Patch35: fix_configure_rst.patch -# PATCH-FIX-UPSTREAM support-expat-245.patch jsc#SLE-21253 mcepl@suse.com +# PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com # Makes Python resilient to changes of API of libexpat -Patch36: support-expat-245.patch +Patch36: support-expat-CVE-2022-25236-patched.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes diff --git a/support-expat-245.patch b/support-expat-CVE-2022-25236-patched.patch similarity index 50% rename from support-expat-245.patch rename to support-expat-CVE-2022-25236-patched.patch index f4761ee..5b26c99 100644 --- a/support-expat-245.patch +++ b/support-expat-CVE-2022-25236-patched.patch @@ -1,9 +1,9 @@ -From d4f5bb912e67299b59b814b89a5afd9a8821a14e Mon Sep 17 00:00:00 2001 +From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 21 Feb 2022 11:03:08 -0800 +Date: Mon, 21 Feb 2022 08:16:09 -0800 Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) - (GH-31471) + (GH-31472) Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating @@ -23,53 +23,53 @@ Also, test_minidom.py: Support Expat >=2.4.5 Co-authored-by: Sebastian Pipping --- - Lib/test/test_minidom.py | 13 ++++------ - Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 - 2 files changed, 7 insertions(+), 7 deletions(-) + Lib/test/test_minidom.py | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst --- a/Lib/test/test_minidom.py +++ b/Lib/test/test_minidom.py -@@ -6,12 +6,11 @@ import io +@@ -6,7 +6,6 @@ import io from test import support import unittest -import pyexpat -+import xml.parsers.expat import xml.dom.minidom - from xml.dom.minidom import parse, Node, Document, parseString - from xml.dom.minidom import getDOMImplementation --from xml.parsers.expat import ExpatError - - - tstfile = support.findfile("test.xml", subdir="xmltestdata") -@@ -1149,10 +1148,10 @@ class MinidomTest(unittest.TestCase): + from xml.dom.minidom import parse, Attr, Node, Document, parseString +@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase): # Verify that character decoding errors raise exceptions instead # of crashing - if pyexpat.version_info >= (2, 4, 5): - self.assertRaises(ExpatError, parseString, -+ if xml.parsers.expat.version_info >= (2, 4, 4): -+ self.assertRaises(xml.parsers.expat.ExpatError, parseString, - b'') +- b'') - self.assertRaises(ExpatError, parseString, -+ self.assertRaises(xml.parsers.expat.ExpatError, parseString, - b'Comment \xe7a va ? Tr\xe8s bien ?') - else: - self.assertRaises(UnicodeDecodeError, parseString, -@@ -1617,8 +1616,8 @@ class MinidomTest(unittest.TestCase): +- b'Comment \xe7a va ? Tr\xe8s bien ?') +- else: +- self.assertRaises(UnicodeDecodeError, parseString, ++ # It doesn’t make any sense to insist on the exact text of the ++ # error message, or even the exact Exception … it is enough that ++ # the error has been discovered. ++ with self.assertRaises((UnicodeDecodeError, ExpatError)): ++ parseString( + b'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() +@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase): self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) def testExceptionOnSpacesInXMLNSValue(self): - if pyexpat.version_info >= (2, 4, 5): - context = self.assertRaisesRegex(ExpatError, 'syntax error') -+ if xml.parsers.expat.version_info >= (2, 4, 4): -+ context = self.assertRaisesRegex(xml.parsers.expat.ExpatError, 'syntax error') - else: - context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') +- else: +- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') +- +- with context: ++ # It doesn’t make any sense to insist on the exact text of the ++ # error message, or even the exact Exception … it is enough that ++ # the error has been discovered. ++ with self.assertRaises((ExpatError, ValueError)): + parseString('') ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst -@@ -0,0 +1 @@ -+Make test suite support Expat >=2.4.5 + def testDocRemoveChild(self):