From b21d8c938d62703a3e422dbfb205eb49f92dbb3f7141ad0c859664b3562fd4c2 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 19 Oct 2022 07:18:07 +0000 Subject: [PATCH 1/2] - Update to 3.8.15: - Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. - Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. (originally filed as CVE-2022-37460, later withdrawn) - Fix command line parsing: reject -X int_max_str_digits option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. - When ValueError is raised if an integer is larger than the limit, mention the sys.set_int_max_str_digits() function in the error message. - Update bundled libexpat to 2.4.9 - Fixes a potential buffer overrun in msilib. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=106 --- Python-3.8.14.tar.xz | 3 --- Python-3.8.14.tar.xz.asc | 16 ---------------- Python-3.8.15.tar.xz | 3 +++ Python-3.8.15.tar.xz.asc | 16 ++++++++++++++++ python38.changes | 20 ++++++++++++++++++++ python38.spec | 2 +- 6 files changed, 40 insertions(+), 20 deletions(-) delete mode 100644 Python-3.8.14.tar.xz delete mode 100644 Python-3.8.14.tar.xz.asc create mode 100644 Python-3.8.15.tar.xz create mode 100644 Python-3.8.15.tar.xz.asc
diff --git a/Python-3.8.14.tar.xz b/Python-3.8.14.tar.xz
deleted file mode 100644
index 33073c5..0000000
--- a/Python-3.8.14.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5d77e278271ba803e9909a41a4f3baca006181c93ada682a5e5fe8dc4a24c5f3
-size 19031932
diff --git a/Python-3.8.14.tar.xz.asc b/Python-3.8.14.tar.xz.asc
deleted file mode 100644
index 4409695..0000000
--- a/Python-3.8.14.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmMXt3cACgkQsmmV4xAl
-BWhwsg/7BJyqcgE7Zdk5Pjm/uFSbWXeAUYuYn11m0cHvUu47rxalj3nR3sct5759
-MJO+GyvsoqIwoFHOY0Kre17lVdRAB06Au3q+bcWcxRPOYv8jdHBCHj7Um/p1yVxW
-z0EUl75rzSK5Fugj8DXirW94YpYaQSN0YOJoH371DHsBs5zy5nP3Rt329FwR6gqz
-LaiIgE2IgxtXjs+2e6xcI1idm/K39wbEbIv2NqW8zDcd/9cFsECEb2VRzWZibHxB
-WGK8sCTLAojFT7Me3Q/Zk6QnP8x6sA+QgtyfXJu5hIBDmJVIeWpmUUfx+c9IQxSU
-TdO8oh4T1rX2V5h6DpLMkzJ3DNn5u1evDvU8esZuSNQ9KKdoH97aGv+0vJszs3BF
-49QrF5ojxCEmeE3jqaetaVqSJRXiVL/VbBXlufQvP9CGyVlaEYXZzxeN4V3Obd6T
-8cx3cBJhEdnNI/gTGCRFliFS0/OdiBEw6xApzTsNw3pqvTZcPa6hGPhXAXgodTEG
-At7Ge5ZC9IpRvTGN2IKzWVaT96GOSfXACScprO978Y2TX6TzQrLbkh53SNC/COU+
-EAt2P5XZ+nhW8mYGJxClvdKgrBQyuQSj5J3QLubxQWOeFT3l6QUL6D1S5diTjhxn
-aoiUEcTCcm005lX3vvgLWBzoYo4hOpGNFcUx8ROMYCMPqFgaBFQ=
-=pVji
------END PGP SIGNATURE-----
diff --git a/Python-3.8.15.tar.xz b/Python-3.8.15.tar.xz
new file mode 100644
index 0000000..ac6f6b1
--- /dev/null
+++ b/Python-3.8.15.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5114fc7918a2a5e20eb5aac696b30c36f412c6ef24b13f5c9eb9e056982d9550
+size 19038408
diff --git a/Python-3.8.15.tar.xz.asc b/Python-3.8.15.tar.xz.asc
new file mode 100644
index 0000000..95c97e6
--- /dev/null
+++ b/Python-3.8.15.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFk9MACgkQsmmV4xAl
+BWjPyA//dMfeT6hw09rFQtv1w7LrAuLFrQ/03uqYz/MZPZZgMyGvN+bGbR9U9EPA
+DSntLM75GjzaXiZ8dMyvi+A/HJCX7CWeJATxVRBo+3GoFTZfmsex7B78oTakHGnZ
+3pHRDiXJovD8DPQo3/eNpbQsEri74MOqIIbBZfdrRc4Gqqv/rVRI1qxqYzt3hmHc
+NcsZudbvBlUe+5HWaYgXbgnuzixSK4iSftlfwx289bsx12b8jzY5OEP9z5NKGqLu
+Sfb0sUWaJptSn1iEKSfLj4AamN0PeeQObOXHz+N1hdqWmWjEBKX37CEnOyHjJyVc
+Xb1PH6vJPJbPBXBR3H8YP+jwG8jDIFItJph+NduQnfZ3yLPpjEiCHs/FyUzzIKWB
+iptNyVMBvgPiMDgge+kLICywbujtI2UB7tS3YO5rb09LtQiXxkGyDbE6R6Yu7ZMb
+qJJMAJUY9zHAN1rTLL7GJHHypwd3UHoXImMvrm15+vy3ctNTA6VDxn7Zw/uym7F/
+gZJY6JaUxsnPiOhtvPYHs6EOGwLFszWvgh7AhXjZ2uncPuZ/qzgWpWsRYsKIWSRz
+yVplWRGfXaZ96pWVKmHACZY6BdgZS18Y9FdRLiqYrNG85dfqd3XFrVJqQIFHjaUX
+bImNJRcwMpuU9p23CaSeUDRFdELVQ9dXfBq//x0JL2F6/vG1ADw=
+=jc+c
+-----END PGP SIGNATURE-----
diff --git a/python38.changes b/python38.changes
index 3e9fa1e..94e02e7 100644
--- a/python38.changes
+++ b/python38.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Oct 19 07:12:23 UTC 2022 - Matej Cepl
+
+- Update to 3.8.15:
+ - Fix multiplying a list by an integer (list *= int): detect
+ the integer overflow when the new allocated length is close
+ to the maximum size.
+ - Fix a shell code injection vulnerability in the
+ get-remote-certificate.py example script. The script no
+ longer uses a shell to run openssl commands. (originally
+ filed as CVE-2022-37460, later withdrawn)
+ - Fix command line parsing: reject -X int_max_str_digits option
+ with no value (invalid) when the PYTHONINTMAXSTRDIGITS
+ environment variable is set to a valid limit.
+ - When ValueError is raised if an integer is larger than the
+ limit, mention the sys.set_int_max_str_digits() function in
+ the error message.
+ - Update bundled libexpat to 2.4.9
+ - Fixes a potential buffer overrun in msilib.
+
 -------------------------------------------------------------------
 Sun Sep 11 09:07:38 UTC 2022 - Matej Cepl
diff --git a/python38.spec b/python38.spec
index 3377b97..4708b23 100644
--- a/python38.spec
+++ b/python38.spec
@@ -92,7 +92,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.8.14
+Version: 3.8.15
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
From 75d8efff801214c0ab8028df6791b1791a6a6923c4b1ae9943663beba7f599be Mon Sep 17 00:00:00 2001
From: Matej Cepl Date: Thu, 20 Oct 2022 18:12:06 +0000 Subject: [PATCH 2/2] Accepting request 1030164 from home:dgarcia:branches:devel:languages:python:Factory - Add platlibdir-in-sys.patch to provide sys.platlibdir attribute. This is used by python-setuptools in distutils.sysconfig.get_python_lib bsc#1204395 OBS-URL: https://build.opensuse.org/request/show/1030164 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=107 --- platlibdir-in-sys.patch | 126 ++++++++++++++++++++++++++++++++++++++++ python38.changes | 6 ++ python38.spec | 3 + 3 files changed, 135 insertions(+) create mode 100644 platlibdir-in-sys.patch
diff --git a/platlibdir-in-sys.patch b/platlibdir-in-sys.patch
new file mode 100644
index 0000000..e7e00f9
--- /dev/null
+++ b/platlibdir-in-sys.patch
@@ -0,0 +1,126 @@
+Index: Python-3.8.15/Python/sysmodule.c
+===================================================================
+--- Python-3.8.15.orig/Python/sysmodule.c
++++ Python-3.8.15/Python/sysmodule.c
+@@ -2979,6 +2979,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
+ SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
+ SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
+ SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
++ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
+
+ if (config->pycache_prefix != NULL) {
+ SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
+Index: Python-3.8.15/Include/cpython/initconfig.h
+===================================================================
+--- Python-3.8.15.orig/Include/cpython/initconfig.h
++++ Python-3.8.15/Include/cpython/initconfig.h
+@@ -381,6 +381,7 @@ typedef struct {
+ wchar_t *base_prefix; /* sys.base_prefix */
+ wchar_t *exec_prefix; /* sys.exec_prefix */
+ wchar_t *base_exec_prefix; /* sys.base_exec_prefix */
++ wchar_t *platlibdir; /* sys.platlibdir */
+
+ /* --- Parameter only used by Py_Main() ---------- */
+
+Index: Python-3.8.15/Python/initconfig.c
+===================================================================
+--- Python-3.8.15.orig/Python/initconfig.c
++++ Python-3.8.15/Python/initconfig.c
+@@ -596,6 +596,7 @@ PyConfig_Clear(PyConfig *config)
+ CLEAR(config->base_prefix);
+ CLEAR(config->exec_prefix);
+ CLEAR(config->base_exec_prefix);
++ CLEAR(config->platlibdir);
+
+ CLEAR(config->filesystem_encoding);
+ CLEAR(config->filesystem_errors);
+@@ -834,6 +835,7 @@ _PyConfig_Copy(PyConfig *config, const P
+ COPY_WSTR_ATTR(base_prefix);
+ COPY_WSTR_ATTR(exec_prefix);
+ COPY_WSTR_ATTR(base_exec_prefix);
++ COPY_WSTR_ATTR(platlibdir);
+
+ COPY_ATTR(site_import);
+ COPY_ATTR(bytes_warning);
+@@ -935,6 +937,7 @@ config_as_dict(const PyConfig *config)
+ SET_ITEM_WSTR(base_prefix);
+ SET_ITEM_WSTR(exec_prefix);
+ SET_ITEM_WSTR(base_exec_prefix);
++ SET_ITEM_WSTR(platlibdir);
+ SET_ITEM_INT(site_import);
+ SET_ITEM_INT(bytes_warning);
+ SET_ITEM_INT(inspect);
+@@ -1336,6 +1339,14 @@ config_read_env_vars(PyConfig *config)
+ config->malloc_stats = 1;
+ }
+
++ if(config->platlibdir == NULL) {
++ status = CONFIG_GET_ENV_DUP(config, &config->platlibdir,
++ L"PYTHONPLATLIBDIR", "PYTHONPLATLIBDIR");
++ if (_PyStatus_EXCEPTION(status)) {
++ return status;
++ }
++ }
++
+ if (config->pythonpath_env == NULL) {
+ status = CONFIG_GET_ENV_DUP(config, &config->pythonpath_env,
+ L"PYTHONPATH", "PYTHONPATH");
+@@ -1786,6 +1797,14 @@ config_read(PyConfig *config)
+ }
+ }
+
++ if(config->platlibdir == NULL) {
++ status = CONFIG_SET_BYTES_STR(config, &config->platlibdir, PLATLIBDIR,
++ "PLATLIBDIR macro");
++ if (_PyStatus_EXCEPTION(status)) {
++ return status;
++ }
++ }
++
+ if (config->_install_importlib) {
+ status = _PyConfig_InitPathConfig(config);
+ if (_PyStatus_EXCEPTION(status)) {
+@@ -2565,6 +2584,7 @@ PyConfig_Read(PyConfig *config)
+ assert(config->exec_prefix != NULL);
+ assert(config->base_exec_prefix != NULL);
+ }
++ assert(config->platlibdir != NULL);
+ assert(config->filesystem_encoding != NULL);
+ assert(config->filesystem_errors != NULL);
+ assert(config->stdio_encoding != NULL);
+@@ -2715,6 +2735,7 @@ _Py_DumpPathConfig(PyThreadState *tstate
+ DUMP_SYS(_base_executable);
+ DUMP_SYS(base_prefix);
+ DUMP_SYS(base_exec_prefix);
++ DUMP_SYS(platlibdir);
+ DUMP_SYS(executable);
+ DUMP_SYS(prefix);
+ DUMP_SYS(exec_prefix);
+Index: Python-3.8.15/Makefile.pre.in
+===================================================================
+--- Python-3.8.15.orig/Makefile.pre.in
++++ Python-3.8.15/Makefile.pre.in
+@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
+ $(MULTIARCH_CPPFLAGS) \
+ -o $@ $(srcdir)/Python/sysmodule.c
+
++Python/initconfig.o: $(srcdir)/Python/initconfig.c
++ $(CC) -c $(PY_CORE_CFLAGS) \
++ -DPLATLIBDIR='"$(platsubdir)"' \
++ -o $@ $(srcdir)/Python/initconfig.c
++
+ $(IO_OBJS): $(IO_H)
+
+ .PHONY: regen-grammar
+Index: Python-3.8.15/Lib/test/test_embed.py
+===================================================================
+--- Python-3.8.15.orig/Lib/test/test_embed.py
++++ Python-3.8.15/Lib/test/test_embed.py
+@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
+ 'exec_prefix': GET_DEFAULT_CONFIG,
+ 'base_exec_prefix': GET_DEFAULT_CONFIG,
+ 'module_search_paths': GET_DEFAULT_CONFIG,
++ 'platlibdir': sys.platlibdir,
+
+ 'site_import': 1,
+ 'bytes_warning': 0,
diff --git a/python38.changes b/python38.changes
index 94e02e7..b87d9e3 100644
--- a/python38.changes
+++ b/python38.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Oct 20 11:49:44 UTC 2022 - Daniel Garcia
+
+- Add platlibdir-in-sys.patch to provide sys.platlibdir attribute. This is used
+ by python-setuptools in distutils.sysconfig.get_python_lib bsc#1204395
+
 -------------------------------------------------------------------
 Wed Oct 19 07:12:23 UTC 2022 - Matej Cepl
diff --git a/python38.spec b/python38.spec
index 4708b23..48ba6a7 100644
--- a/python38.spec
+++ b/python38.spec
@@ -171,6 +171,8 @@ Patch34: bpo34990-2038-problem-compileall.patch
 # PATCH-FIX-UPSTREAM gh#python/cpython#90967 gh#python/cpython#93900 mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36: support-expat-CVE-2022-25236-patched.patch
+# PATCH-FIX-OPENSUSE platlibdir-in-sys.patch bsc#1204395
+Patch37: platlibdir-in-sys.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -437,6 +439,7 @@ other applications.
 %patch33 -p1
 %patch34 -p1
 %patch36 -p1
+%patch37 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
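Review bot: In platlibdir-in-sys.patch, the `config_read_env_vars` hunk lets the `PYTHONPLATLIBDIR` environment variable set `config->platlibdir`, but no hunk in this patch touches the path computation, so as far as the patch shows `sys.platlibdir` can end up disagreeing with the directories the interpreter actually uses. The changelog says setuptools reads this attribute in `distutils.sysconfig.get_python_lib`, so an inherited environment variable would then influence where packages are installed or looked up; unless that override is wanted on 3.8, I would drop that block and keep only the build-time fallback added in `config_read` (`CONFIG_SET_BYTES_STR(config, &config->platlibdir, PLATLIBDIR, "PLATLIBDIR macro")`). The new Makefile rule fills the macro from `$(platsubdir)`, which this patch does not define, so it presumably relies on an earlier patch in the spec; a comment beside `Patch37` such as `# NOTE: requires the patch that defines platsubdir in Makefile.pre.in` would record that ordering. The test_embed.py expectation `'platlibdir': sys.platlibdir` compares the value with itself in effect, so it would not catch an empty or wrong directory name. Both C functions continue outside the hunks shown.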