rpm/python313
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Update to 3.13.0~rc2:

Browse Source 
- Tools/Demos
    - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
      and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
  - Tests
    - gh-119727: Add --single-process command line option to
      Python test runner (regrtest). Patch by Victor Stinner.
    - gh-101525: Skip test_gdb if the binary is relocated by
      BOLT. Patch by Donghee Na.
  - Security
    - gh-123678: Upgrade libexpat to 2.6.3
    - gh-121285: Remove backtracking from tarfile header parsing
      for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
      CVE-2024-6232).
  - Library
    - gh-123448: Fixed memory leak of typing.NoDefault by moving
      it to the static types array.
    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
    - gh-123270: Applied a more surgical fix for malformed
      payloads in zipfile.Path causing infinite loops (gh-122905)
      without breaking contents using legitimate characters
      (bsc#1229704, CVE-2024-8088).
    - gh-123228: Fix return type for
      _pyrepl.readline._ReadlineWrapper.get_line_buffer() to be
      str(). Patch by Sergey B Kirpichev.
    - gh-123240: Raise audit events for the input() in the new
      REPL.
    - gh-123243: Fix memory leak in _decimal.
    - gh-122546: Consistently use same file name for different

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=46
This commit is contained in:
Matej Cepl 2024-09-07 16:06:08 +00:00 committed by Git OBS Bridge
parent 4352698329
commit 48b8355786
12 changed files with 209 additions and 674 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

361
CVE-2024-6923-email-hdr-inject.patch
View File

@ -1,361 +0,0 @@
From a590277e980eaa8a08204b79ed6c62a763701c8b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 31 Jul 2024 00:19:48 +0200
Subject: [PATCH] gh-121650: Encode newlines in headers, and verify headers are
sound (GH-122233)
GH-GH- Encode header parts that contain newlines
Per RFC 2047:
> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects
It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.
GH-GH- Verify that email headers are well-formed
This should fail for custom fold() implementations that aren't careful
about newlines.
(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Doc/library/email.errors.rst | 7 +++
Doc/library/email.policy.rst | 18 ++++++
Doc/whatsnew/3.13.rst | 9 +++
Lib/email/_header_value_parser.py | 12 +++-
Lib/email/_policybase.py | 8 +++
Lib/email/errors.py | 4 ++
Lib/email/generator.py | 13 +++-
Lib/test/test_email/test_generator.py | 62 +++++++++++++++++++
Lib/test/test_email/test_policy.py | 26 ++++++++
...-07-27-16-10-41.gh-issue-121650.nf6oc9.rst | 5 ++
10 files changed, 160 insertions(+), 4 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
diff --git a/Doc/library/email.errors.rst b/Doc/library/email.errors.rst
index 33ab4265116178..f8f43d82a3df2e 100644
--- a/Doc/library/email.errors.rst
+++ b/Doc/library/email.errors.rst
@@ -58,6 +58,13 @@ The following exception classes are defined in the :mod:`email.errors` module:
:class:`~email.mime.nonmultipart.MIMENonMultipart` (e.g.
:class:`~email.mime.image.MIMEImage`).
+
+.. exception:: HeaderWriteError()
+
+ Raised when an error occurs when the :mod:`~email.generator` outputs
+ headers.
+
+
.. exception:: MessageDefect()
This is the base class for all defects found when parsing email messages.
diff --git a/Doc/library/email.policy.rst b/Doc/library/email.policy.rst
index 83feedf728351e..314767d0802a08 100644
--- a/Doc/library/email.policy.rst
+++ b/Doc/library/email.policy.rst
@@ -229,6 +229,24 @@ added matters. To illustrate::
.. versionadded:: 3.6
+
+ .. attribute:: verify_generated_headers
+
+ If ``True`` (the default), the generator will raise
+ :exc:`~email.errors.HeaderWriteError` instead of writing a header
+ that is improperly folded or delimited, such that it would
+ be parsed as multiple headers or joined with adjacent data.
+ Such headers can be generated by custom header classes or bugs
+ in the ``email`` module.
+
+ As it's a security feature, this defaults to ``True`` even in the
+ :class:`~email.policy.Compat32` policy.
+ For backwards compatible, but unsafe, behavior, it must be set to
+ ``False`` explicitly.
+
+ .. versionadded:: 3.13
+
+
The following :class:`Policy` method is intended to be called by code using
the email library to create policy instances with custom settings:
diff --git a/Doc/whatsnew/3.13.rst b/Doc/whatsnew/3.13.rst
index b53f419a59f062..35b808a4dd00a4 100644
--- a/Doc/whatsnew/3.13.rst
+++ b/Doc/whatsnew/3.13.rst
@@ -724,6 +724,15 @@ doctest
email
-----
+* Headers with embedded newlines are now quoted on output.
+
+ The :mod:`~email.generator` will now refuse to serialize (write) headers
+ that are improperly folded or delimited, such that they would be parsed as
+ multiple headers or joined with adjacent data.
+ If you need to turn this safety feature off,
+ set :attr:`~email.policy.Policy.verify_generated_headers`.
+ (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`.)
+
* :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return
``('', '')`` 2-tuples in more situations where invalid email addresses are
encountered instead of potentially inaccurate values. Add optional *strict*
diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
index 7da1bbaf8a80d7..ec2215a5e5f33c 100644
--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
@@ -92,6 +92,8 @@
ASPECIALS = TSPECIALS | set("*'%")
ATTRIBUTE_ENDS = ASPECIALS | WSP
EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%')
+NLSET = {'\n', '\r'}
+SPECIALSNL = SPECIALS | NLSET
def quote_string(value):
return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"'
@@ -2802,9 +2804,13 @@ def _refold_parse_tree(parse_tree, *, policy):
wrap_as_ew_blocked -= 1
continue
tstr = str(part)
- if part.token_type == 'ptext' and set(tstr) & SPECIALS:
- # Encode if tstr contains special characters.
- want_encoding = True
+ if not want_encoding:
+ if part.token_type == 'ptext':
+ # Encode if tstr contains special characters.
+ want_encoding = not SPECIALSNL.isdisjoint(tstr)
+ else:
+ # Encode if tstr contains newlines.
+ want_encoding = not NLSET.isdisjoint(tstr)
try:
tstr.encode(encoding)
charset = encoding
diff --git a/Lib/email/_policybase.py b/Lib/email/_policybase.py
index 2ec54fbabae83c..5f9aa9fb091fa2 100644
--- a/Lib/email/_policybase.py
+++ b/Lib/email/_policybase.py
@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta):
message_factory -- the class to use to create new message objects.
If the value is None, the default is Message.
+ verify_generated_headers
+ -- if true, the generator verifies that each header
+ they are properly folded, so that a parser won't
+ treat it as multiple headers, start-of-body, or
+ part of another header.
+ This is a check against custom Header & fold()
+ implementations.
"""
raise_on_defect = False
@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta):
max_line_length = 78
mangle_from_ = False
message_factory = None
+ verify_generated_headers = True
def handle_defect(self, obj, defect):
"""Based on policy, either raise defect or call register_defect.
diff --git a/Lib/email/errors.py b/Lib/email/errors.py
index 3ad00565549968..02aa5eced6ae46 100644
--- a/Lib/email/errors.py
+++ b/Lib/email/errors.py
@@ -29,6 +29,10 @@ class CharsetError(MessageError):
"""An illegal charset was given."""
+class HeaderWriteError(MessageError):
+ """Error while writing headers."""
+
+
# These are parsing defects which the parser was able to work around.
class MessageDefect(ValueError):
"""Base class for a message defect."""
diff --git a/Lib/email/generator.py b/Lib/email/generator.py
index c8056ad47baa0f..47b9df8f4e6090 100644
--- a/Lib/email/generator.py
+++ b/Lib/email/generator.py
@@ -14,12 +14,14 @@
from copy import deepcopy
from io import StringIO, BytesIO
from email.utils import _has_surrogates
+from email.errors import HeaderWriteError
UNDERSCORE = '_'
NL = '\n' # XXX: no longer used by the code below.
NLCRE = re.compile(r'\r\n|\r|\n')
fcre = re.compile(r'^From ', re.MULTILINE)
+NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
class Generator:
@@ -222,7 +224,16 @@ def _dispatch(self, msg):
def _write_headers(self, msg):
for h, v in msg.raw_items():
- self.write(self.policy.fold(h, v))
+ folded = self.policy.fold(h, v)
+ if self.policy.verify_generated_headers:
+ linesep = self.policy.linesep
+ if not folded.endswith(self.policy.linesep):
+ raise HeaderWriteError(
+ f'folded header does not end with {linesep!r}: {folded!r}')
+ if NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)):
+ raise HeaderWriteError(
+ f'folded header contains newline: {folded!r}')
+ self.write(folded)
# A blank line always separates headers from body
self.write(self._NL)
diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py
index bc6f734d4fd0a9..c75a842c33578e 100644
--- a/Lib/test/test_email/test_generator.py
+++ b/Lib/test/test_email/test_generator.py
@@ -6,6 +6,7 @@
from email.generator import Generator, BytesGenerator
from email.headerregistry import Address
from email import policy
+import email.errors
from test.test_email import TestEmailBase, parameterize
@@ -249,6 +250,44 @@ def test_rfc2231_wrapping_switches_to_default_len_if_too_narrow(self):
g.flatten(msg)
self.assertEqual(s.getvalue(), self.typ(expected))
+ def test_keep_encoded_newlines(self):
+ msg = self.msgmaker(self.typ(textwrap.dedent("""\
+ To: nobody
+ Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
+
+ None
+ """)))
+ expected = textwrap.dedent("""\
+ To: nobody
+ Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
+
+ None
+ """)
+ s = self.ioclass()
+ g = self.genclass(s, policy=self.policy.clone(max_line_length=80))
+ g.flatten(msg)
+ self.assertEqual(s.getvalue(), self.typ(expected))
+
+ def test_keep_long_encoded_newlines(self):
+ msg = self.msgmaker(self.typ(textwrap.dedent("""\
+ To: nobody
+ Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
+
+ None
+ """)))
+ expected = textwrap.dedent("""\
+ To: nobody
+ Subject: Bad subject
+ =?utf-8?q?=0A?=Bcc:
+ injection@example.com
+
+ None
+ """)
+ s = self.ioclass()
+ g = self.genclass(s, policy=self.policy.clone(max_line_length=30))
+ g.flatten(msg)
+ self.assertEqual(s.getvalue(), self.typ(expected))
+
class TestGenerator(TestGeneratorBase, TestEmailBase):
@@ -273,6 +312,29 @@ def test_flatten_unicode_linesep(self):
g.flatten(msg)
self.assertEqual(s.getvalue(), self.typ(expected))
+ def test_verify_generated_headers(self):
+ """gh-121650: by default the generator prevents header injection"""
+ class LiteralHeader(str):
+ name = 'Header'
+ def fold(self, **kwargs):
+ return self
+
+ for text in (
+ 'Value\r\nBad Injection\r\n',
+ 'NoNewLine'
+ ):
+ with self.subTest(text=text):
+ message = message_from_string(
+ "Header: Value\r\n\r\nBody",
+ policy=self.policy,
+ )
+
+ del message['Header']
+ message['Header'] = LiteralHeader(text)
+
+ with self.assertRaises(email.errors.HeaderWriteError):
+ message.as_string()
+
class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py
index c6b9c80efe1b54..baa35fd68e49c5 100644
--- a/Lib/test/test_email/test_policy.py
+++ b/Lib/test/test_email/test_policy.py
@@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase):
'raise_on_defect': False,
'mangle_from_': True,
'message_factory': None,
+ 'verify_generated_headers': True,
}
# These default values are the ones set on email.policy.default.
# If any of these defaults change, the docs must be updated.
@@ -294,6 +295,31 @@ def test_short_maxlen_error(self):
with self.assertRaises(email.errors.HeaderParseError):
policy.fold("Subject", subject)
+ def test_verify_generated_headers(self):
+ """Turning protection off allows header injection"""
+ policy = email.policy.default.clone(verify_generated_headers=False)
+ for text in (
+ 'Header: Value\r\nBad: Injection\r\n',
+ 'Header: NoNewLine'
+ ):
+ with self.subTest(text=text):
+ message = email.message_from_string(
+ "Header: Value\r\n\r\nBody",
+ policy=policy,
+ )
+ class LiteralHeader(str):
+ name = 'Header'
+ def fold(self, **kwargs):
+ return self
+
+ del message['Header']
+ message['Header'] = LiteralHeader(text)
+
+ self.assertEqual(
+ message.as_string(),
+ f"{text}\nBody",
+ )
+
# XXX: Need subclassing tests.
# For adding subclassed objects, make sure the usual rules apply (subclass
# wins), but that the order still works (right overrides left).
diff --git a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
new file mode 100644
index 00000000000000..83dd28d4ac575b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
@@ -0,0 +1,5 @@
+:mod:`email` headers with embedded newlines are now quoted on output. The
+:mod:`~email.generator` will now refuse to serialize (write) headers that
+are unsafely folded or delimited; see
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
+Bloemsaat and Petr Viktorin in :gh:`121650`.)

148
CVE-2024-8088-inf-loop-zipfile_Path.patch
View File

@ -1,148 +0,0 @@
---
Lib/test/test_zipfile/_path/test_path.py | 78 ++++++++++
Lib/zipfile/_path/__init__.py | 18 ++
Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1
Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst | 3
4 files changed, 98 insertions(+), 2 deletions(-)
--- a/Lib/test/test_zipfile/_path/test_path.py
+++ b/Lib/test/test_zipfile/_path/test_path.py
@@ -5,6 +5,7 @@ import pathlib
import pickle
import stat
import sys
+import time
import unittest
import zipfile
import zipfile._path
@@ -577,3 +578,80 @@ class TestPath(unittest.TestCase):
zipfile.Path(alpharep)
with self.assertRaises(KeyError):
alpharep.getinfo('does-not-exist')
+
+ def test_malformed_paths(self):
+ """
+ Path should handle malformed paths gracefully.
+
+ Paths with leading slashes are not visible.
+
+ Paths with dots are treated like regular files.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("/one-slash.txt", b"content")
+ zf.writestr("//two-slash.txt", b"content")
+ zf.writestr("../parent.txt", b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ assert list(map(str, root.iterdir())) == ['../']
+ assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content'
+
+ def test_unsupported_names(self):
+ """
+ Path segments with special characters are readable.
+
+ On some platforms or file systems, characters like
+ ``:`` and ``?`` are not allowed, but they are valid
+ in the zip file.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("path?", b"content")
+ zf.writestr("V: NMS.flac", b"fLaC...")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ contents = root.iterdir()
+ assert next(contents).name == 'path?'
+ assert next(contents).name == 'V: NMS.flac'
+ assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..."
+
+ def test_backslash_not_separator(self):
+ """
+ In a zip file, backslashes are not separators.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ (first,) = root.iterdir()
+ assert not first.is_dir()
+ assert first.name == 'foo\\bar'
+
+
+class DirtyZipInfo(zipfile.ZipInfo):
+ """
+ Bypass name sanitization.
+ """
+
+ def __init__(self, filename, *args, **kwargs):
+ super().__init__(filename, *args, **kwargs)
+ self.filename = filename
+
+ @classmethod
+ def for_name(cls, name, archive):
+ """
+ Construct the same way that ZipFile.writestr does.
+
+ TODO: extract this functionality and re-use
+ """
+ self = cls(filename=name, date_time=time.localtime(time.time())[:6])
+ self.compress_type = archive.compression
+ self.compress_level = archive.compresslevel
+ if self.filename.endswith('/'): # pragma: no cover
+ self.external_attr = 0o40775 << 16 # drwxrwxr-x
+ self.external_attr |= 0x10 # MS-DOS directory flag
+ else:
+ self.external_attr = 0o600 << 16 # ?rw-------
+ return self
--- a/Lib/zipfile/_path/__init__.py
+++ b/Lib/zipfile/_path/__init__.py
@@ -1,3 +1,12 @@
+"""
+A Path-like interface for zipfiles.
+
+This codebase is shared between zipfile.Path in the stdlib
+and zipp in PyPI. See
+https://github.com/python/importlib_metadata/wiki/Development-Methodology
+for more detail.
+"""
+
import io
import posixpath
import zipfile
@@ -36,7 +45,7 @@ def _parents(path):
def _ancestry(path):
"""
Given a path with elements separated by
- posixpath.sep, generate all elements of that path
+ posixpath.sep, generate all elements of that path.
>>> list(_ancestry('b/d'))
['b/d', 'b']
@@ -48,9 +57,14 @@ def _ancestry(path):
['b']
>>> list(_ancestry(''))
[]
+
+ Multiple separators are treated like a single.
+
+ >>> list(_ancestry('//b//d///f//'))
+ ['//b//d///f', '//b//d', '//b']
"""
path = path.rstrip(posixpath.sep)
- while path and path != posixpath.sep:
+ while path.rstrip(posixpath.sep):
yield path
path, tail = posixpath.split(path)
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
@@ -0,0 +1 @@
+:class:`zipfile.Path` objects now sanitize names from the zipfile.
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
@@ -0,0 +1,3 @@
+Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
+causing infinite loops (gh-122905) without breaking contents using
+legitimate characters.

3
Python-3.13.0rc1.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:678b884775eec0224d5159fa900879020baca2a36ce942fd95febfa1adb4a6bd
size 20881016

18
Python-3.13.0rc1.tar.xz.asc
View File

@ -1,18 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmaquNZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
YwUclA//Tg0ybBUO7yjNvM85wbZLxIvYujAbReBRARLUkZXFGVMBG9zi3Arf4EE6
PKvGvy0vg/jeQPraLBe4KQnaQUTU8qmLsjd7lWWEjZc0E+3zZzAvZ9hXNtcrqY4x
YdLaGT8762c4sFoNsp173MYrqdun/usraKK50V1m/BPAqHX1Pdy0yxykkfG4p7lC
LEUrc+2KtLWI9+Z0imH2FhI0OdhlSZKgJfi82dbmRDeJwMmEoG9+F9qmanrtIEVu
6Tpwv8RphXI1JV7mzr6EjZqW4oHRayHlA4qcS9mTYKBNAfveEODXgbvsGRenh1X1
kJclnX/GBpcjP/+PZ9aheAxxrTEvg7kmjrcfZKfzxepJEvCaxlg9hTKAvmMcgKp0
V8rhWxBBfy47q8pvezjI4ip2rcedtJ21e0M98PPQLpuUxeo1xldjPLeGh8hyC9Z4
F8HAs+uv11FXV5zaJvUIMCPx125ceYhl/1Jh36bJFX9MvjFlKOtR9mnsu84D5piW
8+yUy353864bv9rrww/dMWzrrp7nO+/3gZi/goNGfMvm5KVpuhTro6xoW5KQ5LS+
ZQGbWXl08lJ9+k8pUuwxCFHQCKjgjmerjb8xL9claBlF8FtfrQjy33BpxqF5BLpW
CUbabJ9bA9O7fPsPhbW0XQGdXIJJLjHTP39pxCPGoBqAyUVJOc8=
=CSLe
-----END PGP SIGNATURE-----

3
Python-3.13.0rc2.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d60e8b7c10de4f71d2dffaf7c7be8efa54dc1e532fe931dbb84e5f625709e237
size 21055084

18
Python-3.13.0rc2.tar.xz.asc Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmbbgTdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
YwUUpBAAnxUxwaFw3/XLw+5v3k2cbtzPtRmLtg81LlJ2bD5VG+RlCjbwHK03FghH
kr4YILbFXN51mT0p2XtrXnd1WRYOIWTxXQ7jji02KY6OBlIordpa0KL415R+Y0O6
fvS4sn9r5Ww8TMGHthGeN1boMjtFUHHRZKNUmIzVWihjxQX6UiPVcb9ezM2WDbhI
hmGtyEq7KLYwl9GTW/YlsAQXyVvveePgr6PrMjRRquOSVL2vD+ZA8qrQvzWYCza6
jDa2+6jrFlE6PpbCUDoRMDagjU2gEG9DllSziayh3aqMHG2fVbEqzLtBHl9EJ7IL
yOkhgVVmqus52O5P0YhDDp2fkSxs2JgrXiF2Dd2UTIKKrFQkxmknoj/ScyyeajAj
ymqf1CZf3ydhpEng+HGpnU+vWBnQA+v7BZBQXaoPGvMzTeNy1cn5JPTFFkcKXKDE
jX8AzV82+OHnZ/80tLNTNCyFQNStKF2CNrHR1gnMAcgQTaJOlp4NMD3nC88WQlpx
M4HC/yXq4556AaAzv0CctfzMLejvwmszMxbADHI4FcS7BJO85WsSXH3pnAx3Gfgg
5NSEMB1ZAsoS9WbkxTkgaJOT9fHmf86S/sdx4W1zBetmag11bTVWHJwbE9z5V0YQ
+fwQYVsi+ecgs3mL7vJzg8vEpJ33O2/y4vqySQYZRA4aIKn9Ks0=
=dHr3
-----END PGP SIGNATURE-----

24
bso1227999-reproducible-builds.patch
View File

@ -1,24 +0,0 @@
From ac2b8869724d7a57d9b5efbdce2f20423214e8bb Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Tue, 16 Jul 2024 21:39:33 +0200
Subject: [PATCH] Allow to override build date with SOURCE_DATE_EPOCH
to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.
---
Doc/library/functions.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Doc/library/functions.rst
+++ b/Doc/library/functions.rst
@@ -1502,7 +1502,7 @@ are always available. They are listed h
(where :func:`open` is declared), :mod:`os`, :mod:`os.path`, :mod:`tempfile`,
and :mod:`shutil`.
- .. audit-event:: open file,mode,flags open
+ .. audit-event:: open path,mode,flags open
The ``mode`` and ``flags`` arguments may have been modified or inferred from
the original call.

15
fix_configure_rst.patch
View File

@ -1,15 +0,0 @@
---
Misc/NEWS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -17647,7 +17647,7 @@ C API
- bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
- bpo-43795: The list in :ref:`limited-api-list` now shows the public name
- :c:struct:`PyFrameObject` rather than ``_frame``. The non-existing entry
+ :c:type:`PyFrameObject` rather than ``_frame``. The non-existing entry
``_node`` no longer appears in the list.
- bpo-44378: :c:func:`Py_IS_TYPE` no longer uses :c:func:`Py_TYPE` to avoid

35
gh120226-fix-sendfile-test-kernel-610.patch
View File

@ -1,35 +0,0 @@
From 1b3f6523a5c83323cdc44031b33a1c062e5dc698 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Fri, 7 Jun 2024 23:51:32 +0800
Subject: [PATCH] gh-120226: Fix
test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10
(GH-120227)
The worst case is that the kernel buffers 17 pages with a page size of 64k.
(cherry picked from commit a7584245661102a5768c643fbd7db8395fd3c90e)
Co-authored-by: Xi Ruoyao <xry111@xry111.site>
---
Lib/test/test_asyncio/test_sendfile.py | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
--- a/Lib/test/test_asyncio/test_sendfile.py
+++ b/Lib/test/test_asyncio/test_sendfile.py
@@ -93,13 +93,10 @@ class MyProto(asyncio.Protocol):
class SendfileBase:
- # 256 KiB plus small unaligned to buffer chunk
- # Newer versions of Windows seems to have increased its internal
- # buffer and tries to send as much of the data as it can as it
- # has some form of buffering for this which is less than 256KiB
- # on newer server versions and Windows 11.
- # So DATA should be larger than 256 KiB to make this test reliable.
- DATA = b"x" * (1024 * 256 + 1)
+ # Linux >= 6.10 seems buffering up to 17 pages of data.
+ # So DATA should be large enough to make this test reliable even with a
+ # 64 KiB page configuration.
+ DATA = b"x" * (1024 * 17 * 64 + 1)
# Reduce socket buffer size to test on relative small data sets.
BUF_SIZE = 4 * 1024 # 4 KiB

48
gh122136-test_asyncio-kernel-buffer-data.patch
View File

@ -1,48 +0,0 @@
From 235fbc05dcbca5cb5f7f0cd836317b8426e33243 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 28 Aug 2024 22:36:42 +0200
Subject: [PATCH] gh-122136: test_asyncio: Don't fail if the kernel buffers
more data than advertised (GH-123423) (cherry picked from commit
b379f1b26c1e89c8e9160b4dede61b980cc77be6)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
---
Lib/test/test_asyncio/test_server.py | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/Lib/test/test_asyncio/test_server.py b/Lib/test/test_asyncio/test_server.py
index 4ca8a166a0f1a1..60a40cc8349fed 100644
--- a/Lib/test/test_asyncio/test_server.py
+++ b/Lib/test/test_asyncio/test_server.py
@@ -227,7 +227,7 @@ async def serve(rd, wr):
(s_rd, s_wr) = await fut
- # Limit the socket buffers so we can reliably overfill them
+ # Limit the socket buffers so we can more reliably overfill them
s_sock = s_wr.get_extra_info('socket')
s_sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 65536)
c_sock = c_wr.get_extra_info('socket')
@@ -242,10 +242,18 @@ async def serve(rd, wr):
await asyncio.sleep(0)
# Get the writer in a waiting state by sending data until the
- # socket buffers are full on both server and client sockets and
- # the kernel stops accepting more data
- s_wr.write(b'a' * c_sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF))
- s_wr.write(b'a' * s_sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF))
+ # kernel stops accepting more data in the send buffer.
+ # gh-122136: getsockopt() does not reliably report the buffer size
+ # available for message content.
+ # We loop until we start filling up the asyncio buffer.
+ # To avoid an infinite loop we cap at 10 times the expected value
+ c_bufsize = c_sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
+ s_bufsize = s_sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF)
+ for i in range(10):
+ s_wr.write(b'a' * c_bufsize)
+ s_wr.write(b'a' * s_bufsize)
+ if s_wr.transport.get_write_buffer_size() > 0:
+ break
self.assertNotEqual(s_wr.transport.get_write_buffer_size(), 0)
task = asyncio.create_task(srv.wait_closed())

186
python313.changes
View File

@ -1,3 +1,186 @@
-------------------------------------------------------------------
Sat Sep 7 15:36:03 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.13.0~rc2:
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-119727: Add --single-process command line option to
Python test runner (regrtest). Patch by Victor Stinner.
- gh-101525: Skip test_gdb if the binary is relocated by
BOLT. Patch by Donghee Na.
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121285: Remove backtracking from tarfile header parsing
for hdrcharset, PAX, and GNU sparse headers (bsc#1230227,
CVE-2024-6232).
- Library
- gh-123448: Fixed memory leak of typing.NoDefault by moving
it to the static types array.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- gh-123270: Applied a more surgical fix for malformed
payloads in zipfile.Path causing infinite loops (gh-122905)
without breaking contents using legitimate characters
(bsc#1229704, CVE-2024-8088).
- gh-123228: Fix return type for
_pyrepl.readline._ReadlineWrapper.get_line_buffer() to be
str(). Patch by Sergey B Kirpichev.
- gh-123240: Raise audit events for the input() in the new
REPL.
- gh-123243: Fix memory leak in _decimal.
- gh-122546: Consistently use same file name for different
exceptions in the new repl. Patch by Sergey B Kirpichev.
- gh-123213: xml.etree.ElementTree.Element.extend() and
Element assignment no longer hide the internal exception if
an erronous generator is passed. Patch by Bar Harel.
- gh-85110: Preserve relative path in URL without netloc in
urllib.parse.urlunsplit() and urllib.parse.urlunparse().
- gh-123067: Fix quadratic complexity in parsing "-quoted
cookie values with backslashes by http.cookies
(bsc#1229596, CVE-2024-7592)
- gh-122981: Fix inspect.getsource() for generated classes
with Python base classes (e.g. enums).
- gh-122903: zipfile.Path.glob now correctly matches
directories instead of silently omitting them.
- gh-122905: zipfile.Path objects now sanitize names from the
zipfile.
- gh-122695: Fixed double-free when using gc.get_referents()
with a freed asyncio.Future iterator.
- gh-116263: logging.handlers.RotatingFileHandler no longer
rolls over empty log files.
- gh-105376: Restore the deprecated logging warn() method. It
was removed in Python 3.13 alpha 1. Keep the deprecated
warn() method in Python 3.13. Patch by Victor Stinner.
- gh-122744: Bump the version of pip bundled in ensurepip to
version 24.2.
- gh-118814: Fix the typing.TypeVar constructor when name is
passed by keyword.
- gh-122478: Remove internal frames from tracebacks
shown in code.InteractiveInterpreter with non-default
sys.excepthook(). Save correct tracebacks in
sys.last_traceback and update __traceback__ attribute of
sys.last_value and sys.last_exc.
- gh-116622: On Android, the FICLONE and FICLONERANGE
constants are no longer exposed by fcntl, as these ioctls
are blocked by SELinux.
- gh-82378: Make sure that the new REPL interprets
sys.tracebacklimit in the same way that the classic REPL
did.
- gh-122334: Fix crash when importing ssl after the main
interpreter restarts.
- gh-87320: In code.InteractiveInterpreter, handle exceptions
caused by calling a non-default sys.excepthook(). Before,
the exception bubbled up to the caller, ending the REPL.
- gh-121650: email headers with embedded newlines
are now quoted on output. The generator will
now refuse to serialize (write) headers
that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780)
- gh-121723: Make logging.config.dictConfig() accept any
object implementing the Queue public API. See the queue
configuration section for details. Patch by Bénédikt Tran.
- gh-122081: Fix a crash in the decimal.IEEEContext()
optional function available via the EXTRA_FUNCTIONALITY
configuration flag.
- gh-121804: Correctly show error locations, when SyntaxError
raised in new repl. Patch by Sergey B Kirpichev.
- gh-121151: Fix wrapping of long usage text of arguments
inside a mutually exclusive group in argparse.
- gh-108172: webbrowser honors OS preferred browser on Linux
when its desktop entry name contains the text of a known
browser name.
- gh-109109: You can now get the raw TLS .
Cocertificate chains from TLS connections .
Covia ssl.SSLSocket.get_verified_chain() and .
Cossl.SSLSocket.get_unverified_chain() methods ntributed by .
CoMateusz Nowak .
- IDLE
- gh-120083: Add explicit black IDLE Hovertip foreground
color needed for recent macOS. Fixes Sonoma showing
unreadable white on pale yellow. Patch by John Riggles.
- Core and Builtins
- gh-123572: Fix key mappings for various F-keys in Windows
for the new REPL. Patch by devdanzin
- gh-123484: Fix _Py_DebugOffsets for long objects to be
relative to the start of the object rather than the start
of a subobject.
- gh-123344: Add AST optimizations for type parameter
defaults.
- gh-123321: Prevent Parser/myreadline race condition from
segfaulting on multi-threaded use. Patch by Bar Harel and
Amit Wienner.
- gh-123177: Fix a bug causing stray prompts to appear in the
middle of wrapped lines in the new REPL.
- gh-122982: Extend the deprecation period for bool inversion
(~) by two years.
- gh-123177: Deactivate line wrap in the Apple Terminal via a
ANSI escape code. Patch by Pablo Galindo
- gh-123229: Fix valgrind warning by initializing the
f-string buffers to 0 in the tokenizer. Patch by Pablo
Galindo
- gh-122298: Restore printout of GC stats when
gc.set_debug(gc.DEBUG_STATS) is called. This featue was
accidentally removed when implementing incremental GC.
- gh-121804: Correctly show error locations when a
SyntaxError is raised in the basic REPL. Patch by Sergey B
Kirpichev.
- gh-123142: Fix too-wide source location in exception
tracebacks coming from broken iterables in comprehensions.
- gh-123048: Fix a bug where pattern matching code could emit
a JUMP_FORWARD with no source location.
- gh-123123: Fix displaying SyntaxError exceptions covering
multiple lines. Patch by Pablo Galindo
- gh-123083: Fix a potential use-after-free in
STORE_ATTR_WITH_HINT.
- gh-123022: Fix crash in free-threaded build when calling
Py_Initialize() from a non-main thread.
- gh-122888: Fix crash on certain calls to str() with
positional arguments of the wrong type. Patch by Jelle
Zijlstra.
- gh-116622: Fix Android stdout and stderr messages being
truncated or lost.
- gh-122527: Fix a crash that occurred when a
PyStructSequence was deallocated after its types
dictionary was cleared by the GC. The types tp_basicsize
now accounts for non-sequence fields that arent included
in the Py_SIZE of the sequence.
- gh-122445: Add only fields which are modified via self.* to
__static_attributes__.
- gh-98442: Fix too wide source locations of the cleanup
instructions of a with statement.
- gh-93691: Fix source locations of instructions generated
for with statements.
- gh-120097: FrameLocalsProxy now subclasses
collections.abc.Mapping and can be matched as a mapping in
match statements
- C API
- gh-122728: Fix PyEval_GetLocals() to avoid SystemError
(“bad argument to internal function”). Patch by Victor
Stinner.
- Build
- gh-123297: Propagate the value of LDFLAGS to LDCXXSHARED in
sysconfig. Patch by Pablo Galindo
- gh-116622: Rename build variable MODULE_LDFLAGS back
to LIBPYTHON, as its used by package build systems
(e.g. Meson).
- gh-118943: Fix an issue where the experimental JIT could be
built several times by the make regen-all target, leading
to possible race conditions on heavily parallelized builds.
- gh-118943: Fix a possible race condition affecting parallel
builds configured with --enable-experimental-jit, in which
FileNotFoundError could be caused by another process
already moving jit_stencils.h.new to jit_stencils.h.
- Remove upstreamed patches:
- bso1227999-reproducible-builds.patch
- CVE-2024-8088-inf-loop-zipfile_Path.patch
- gh120226-fix-sendfile-test-kernel-610.patch
- gh122136-test_asyncio-kernel-buffer-data.patch
- fix_configure_rst.patch
- CVE-2024-6923-email-hdr-inject.patch
-------------------------------------------------------------------
Mon Sep 2 09:44:26 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@ -6109,7 +6292,8 @@ Thu Jul 16 21:45:50 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Spec file fixes
- Re-added subprocess-raise-timeout.patch: now compatible
- Removed bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch: contained in upstream
- Removed bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch:
contained in upstream
-------------------------------------------------------------------
Wed Jul 15 09:10:42 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

24
python313.spec
View File

@ -144,8 +144,8 @@
# _md5.cpython-38m-x86_64-linux-gnu.so
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
Name: %{python_pkg_name}%{psuffix}
Version: 3.13.0~rc1
%define tarversion 3.13.0rc1
Version: 3.13.0~rc2
%define tarversion 3.13.0rc2
%define tarname Python-%{tarversion}
Release: 0
Summary: Python 3 Interpreter
@ -201,24 +201,6 @@ Patch08: no-skipif-doctests.patch
# PATCH-FIX-SLE skip-test_pyobject_freed_is_freed.patch mcepl@suse.com
# skip a test failing on SLE-15
Patch09: skip-test_pyobject_freed_is_freed.patch
# PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com
# remove duplicate link targets and make documentation with old Sphinx in SLE
Patch10: fix_configure_rst.patch
# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com
# prevent email header injection, patch from gh#python/cpython!122608
Patch12: CVE-2024-6923-email-hdr-inject.patch
# PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com
# reproducibility patches
Patch13: bso1227999-reproducible-builds.patch
# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704 mcepl@suse.com
# avoid denial of service in zipfile
Patch14: CVE-2024-8088-inf-loop-zipfile_Path.patch
# PATCH-FIX-UPSTREAM gh122136-test_asyncio-kernel-buffer-data.patch gh#python/cpython#122136 mcepl@suse.com
# test.test_asyncio.test_server.TestServer2.test_abort_clients fails because of changes in the kernel
Patch15: gh122136-test_asyncio-kernel-buffer-data.patch
# PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
# Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
Patch16: gh120226-fix-sendfile-test-kernel-610.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -478,7 +460,7 @@ This package contains libpython3.2 shared library for embedding in
other applications.
%prep
%autosetup -p1 -N -n %{tarname}
%setup -q -n %{tarname}
%autopatch -p1 -M 07
%if 0%{?suse_version} <= 1500