Accepting request 1041645 from devel:languages:python:Factory

- Update to 3.8.16: - python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. - Avoid publishing list of active per-interpreter audit hooks via the gc module - The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name (CVE-2022-45061). - Update bundled libexpat to 2.5.0 - Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). - The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). - Removed upstream patches: - CVE-2022-37454-sha3-buffer-overflow.patch - CVE-2022-45061-DoS-by-IDNA-decode.patch OBS-URL: https://build.opensuse.org/request/show/1041645 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=31
2022-12-09 12:16:47 +00:00 · 2022-12-09 12:16:47 +00:00 · a9fe505070
commit a9fe505070
parent 20c2782eea c462da06b7
9 changed files with 97 additions and 257 deletions
--- a/CVE-2022-37454-sha3-buffer-overflow.patch
+++ b/CVE-2022-37454-sha3-buffer-overflow.patch
@ -1,93 +0,0 @@
 From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001
 From: Theo Buehler <botovq@users.noreply.github.com>
 Date: Fri, 21 Oct 2022 21:26:01 +0200
 Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module
 (GH-98519)
 This is a port of the applicable part of XKCP's fix [1] for
 CVE-2022-37454 and avoids the segmentation fault and the infinite
 loop in the test cases published in [2].
 [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
 [2]: https://mouha.be/sha-3-buffer-overflow/
 Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
 (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
 Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
 ---
 Lib/test/test_hashlib.py                                                |    9 ++++++
 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst |    1 
 Modules/_sha3/kcp/KeccakSponge.inc                                      |   15 +++++-----
 3 files changed, 18 insertions(+), 7 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
 --- a/Lib/test/test_hashlib.py
 +++ b/Lib/test/test_hashlib.py
@@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase)
     def test_case_md5_uintmax(self, size):
         self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
 +    @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
 +    @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
 +    def test_sha3_update_overflow(self, size):
 +        """Regression test for gh-98517 CVE-2022-37454."""
 +        h = hashlib.sha3_224()
 +        h.update(b'\x01')
 +        h.update(b'\x01'*0xffff_ffff)
 +        self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
 +
     # use the three examples from Federal Information Processing Standards
     # Publication 180-1, Secure Hash Standard,  1995 April 17
     # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
@@ -0,0 +1 @@
 +Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
 --- a/Modules/_sha3/kcp/KeccakSponge.inc
 +++ b/Modules/_sha3/kcp/KeccakSponge.inc
@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc
     i = 0;
     curData = data;
     while(i < dataByteLen) {
 -        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
 +        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
 #ifdef SnP_FastLoop_Absorb
             /* processing full blocks first */
@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc
         }
         else {
             /* normal lane: using the message queue */
 -
 -            partialBlock = (unsigned int)(dataByteLen - i);
 -            if (partialBlock+instance->byteIOIndex > rateInBytes)
 +            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
                 partialBlock = rateInBytes-instance->byteIOIndex;
 +            else
 +                partialBlock = (unsigned int)(dataByteLen - i);
             #ifdef KeccakReference
             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
             #endif
@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan
     i = 0;
     curData = data;
     while(i < dataByteLen) {
 -        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
 +        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
                 SnP_Permute(instance->state);
                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan
                 SnP_Permute(instance->state);
                 instance->byteIOIndex = 0;
             }
 -            partialBlock = (unsigned int)(dataByteLen - i);
 -            if (partialBlock+instance->byteIOIndex > rateInBytes)
 +            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
                 partialBlock = rateInBytes-instance->byteIOIndex;
 +            else
 +                partialBlock = (unsigned int)(dataByteLen - i);
             i += partialBlock;
             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
--- a/CVE-2022-45061-DoS-by-IDNA-decode.patch
+++ b/CVE-2022-45061-DoS-by-IDNA-decode.patch
@ -1,88 +0,0 @@
 From 064ec20bf7a181ba5fa961aaa12973812aa6ca5d Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Mon, 7 Nov 2022 18:57:10 -0800
 Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
 (GH-99222)
 There was an unnecessary quadratic loop in idna decoding. This restores
 the behavior to linear.
 (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
 (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
 Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Lib/encodings/idna.py                                                   |   32 ++++------
 Lib/test/test_codecs.py                                                 |    6 +
 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst |    6 +
 3 files changed, 27 insertions(+), 17 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
 --- a/Lib/encodings/idna.py
 +++ b/Lib/encodings/idna.py
@@ -39,23 +39,21 @@ def nameprep(label):
     # Check bidi
     RandAL = [stringprep.in_table_d1(x) for x in label]
 -    for c in RandAL:
 -        if c:
 -            # There is a RandAL char in the string. Must perform further
 -            # tests:
 -            # 1) The characters in section 5.8 MUST be prohibited.
 -            # This is table C.8, which was already checked
 -            # 2) If a string contains any RandALCat character, the string
 -            # MUST NOT contain any LCat character.
 -            if any(stringprep.in_table_d2(x) for x in label):
 -                raise UnicodeError("Violation of BIDI requirement 2")
 -
 -            # 3) If a string contains any RandALCat character, a
 -            # RandALCat character MUST be the first character of the
 -            # string, and a RandALCat character MUST be the last
 -            # character of the string.
 -            if not RandAL[0] or not RandAL[-1]:
 -                raise UnicodeError("Violation of BIDI requirement 3")
 +    if any(RandAL):
 +        # There is a RandAL char in the string. Must perform further
 +        # tests:
 +        # 1) The characters in section 5.8 MUST be prohibited.
 +        # This is table C.8, which was already checked
 +        # 2) If a string contains any RandALCat character, the string
 +        # MUST NOT contain any LCat character.
 +        if any(stringprep.in_table_d2(x) for x in label):
 +            raise UnicodeError("Violation of BIDI requirement 2")
 +        # 3) If a string contains any RandALCat character, a
 +        # RandALCat character MUST be the first character of the
 +        # string, and a RandALCat character MUST be the last
 +        # character of the string.
 +        if not RandAL[0] or not RandAL[-1]:
 +            raise UnicodeError("Violation of BIDI requirement 3")
     return label
 --- a/Lib/test/test_codecs.py
 +++ b/Lib/test/test_codecs.py
@@ -1532,6 +1532,12 @@ class IDNACodecTest(unittest.TestCase):
         self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
         self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
 +    def test_builtin_decode_length_limit(self):
 +        with self.assertRaisesRegex(UnicodeError, "too long"):
 +            (b"xn--016c"+b"a"*1100).decode("idna")
 +        with self.assertRaisesRegex(UnicodeError, "too long"):
 +            (b"xn--016c"+b"a"*70).decode("idna")
 +
     def test_stream(self):
         r = codecs.getreader("idna")(io.BytesIO(b"abc"))
         r.read(3)
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
@@ -0,0 +1,6 @@
 +The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
 +related name resolution functions no longer involves a quadratic algorithm.
 +This prevents a potential CPU denial of service if an out-of-spec excessive
 +length hostname involving bidirectional characters were decoded. Some protocols
 +such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
 +to supply such a name.
--- a/Python-3.8.15.tar.xz
+++ b/Python-3.8.15.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:5114fc7918a2a5e20eb5aac696b30c36f412c6ef24b13f5c9eb9e056982d9550
 size 19038408
--- a/Python-3.8.15.tar.xz.asc
+++ b/Python-3.8.15.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFk9MACgkQsmmV4xAl
 BWjPyA//dMfeT6hw09rFQtv1w7LrAuLFrQ/03uqYz/MZPZZgMyGvN+bGbR9U9EPA
 DSntLM75GjzaXiZ8dMyvi+A/HJCX7CWeJATxVRBo+3GoFTZfmsex7B78oTakHGnZ
 3pHRDiXJovD8DPQo3/eNpbQsEri74MOqIIbBZfdrRc4Gqqv/rVRI1qxqYzt3hmHc
 NcsZudbvBlUe+5HWaYgXbgnuzixSK4iSftlfwx289bsx12b8jzY5OEP9z5NKGqLu
 Sfb0sUWaJptSn1iEKSfLj4AamN0PeeQObOXHz+N1hdqWmWjEBKX37CEnOyHjJyVc
 Xb1PH6vJPJbPBXBR3H8YP+jwG8jDIFItJph+NduQnfZ3yLPpjEiCHs/FyUzzIKWB
 iptNyVMBvgPiMDgge+kLICywbujtI2UB7tS3YO5rb09LtQiXxkGyDbE6R6Yu7ZMb
 qJJMAJUY9zHAN1rTLL7GJHHypwd3UHoXImMvrm15+vy3ctNTA6VDxn7Zw/uym7F/
 gZJY6JaUxsnPiOhtvPYHs6EOGwLFszWvgh7AhXjZ2uncPuZ/qzgWpWsRYsKIWSRz
 yVplWRGfXaZ96pWVKmHACZY6BdgZS18Y9FdRLiqYrNG85dfqd3XFrVJqQIFHjaUX
 bImNJRcwMpuU9p23CaSeUDRFdELVQ9dXfBq//x0JL2F6/vG1ADw=
 =jc+c
 -----END PGP SIGNATURE-----
--- a/Python-3.8.16.tar.xz
+++ b/Python-3.8.16.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:d85dbb3774132473d8081dcb158f34a10ccad7a90b96c7e50ea4bb61f5ce4562
 size 19046724
--- a/Python-3.8.16.tar.xz.asc
+++ b/Python-3.8.16.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPlyYACgkQsmmV4xAl
 BWhZ3RAAhtzObFVyAJIjaNHSnYClAq39NFOvAA2oFmTbNorF/sHAbV///9Zmm2we
 prT8gWUJJtPeX1+J3lj0GokthB/YggLIF6MjTL9klamXUWZrdsv8jM00T+nXMHU3
 Y4pgi0zXX4fhb5iOWeLli99T40+a/8AgbqVC0cv5d6Yk+CncYY2XsNoBuNC4dOoL
 FaSQMZUsTYf4CoZyHbAN3hs5kshaZRufAJ/LGDlZU3+luuy1PU4uNzqSSY6XMw4L
 Ar+tukCXwqIOu4baq2BYUF5VjfZrgviC7NxHZBeKuGQ3v7X0HmOWOxG59s1cmJkA
 CbyK3z/LRVmA33YyhU60QaqfUYHXhNZaMgEku2m3XTRaRkjF+Wg/LAtu01usOrYG
 BYivpD7yhVqXXvwWV3Y+lpcu8DhZTtXM3hTrN6XErLiYnN1G7sduSNabnOke6Td/
 p0Ki1UE4Ts+P8yN85/uHiGbjDejU2SRlAuWeSmeIKIyTUNPJoM5OSK9K6FgqxZef
 OYFDWVZg0Dll5bLU+f/Lw8mXVwF7dX2OUPeXauPm3LhKRHIYpfeuQ+PkP9KeIJn5
 DwfdvcKw3jVttopWgTS/pT6vu8zgOAZ6kuzhf/s+q8mB3cQRjfn7BMq/PFcNNZJG
 iLzJ2C5Q7tNn/5elUaV8TOPa2JwmiPViitE4OHqB+sH591JIh+g=
 =DwHA
 -----END PGP SIGNATURE-----
--- a/platlibdir-in-sys.patch
+++ b/platlibdir-in-sys.patch
@ -1,19 +1,13 @@
-Index: Python-3.8.15/Python/sysmodule.c
+---
-===================================================================
+ Include/cpython/initconfig.h |    1 +
--- Python-3.8.15.orig/Python/sysmodule.c
+ Lib/test/test_embed.py       |    1 +
-+++ Python-3.8.15/Python/sysmodule.c
+ Makefile.pre.in              |    5 +++++
-@@ -2979,6 +2979,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
+ Python/initconfig.c          |   21 +++++++++++++++++++++
-     SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
+ Python/sysmodule.c           |    1 +
-     SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
+ 5 files changed, 29 insertions(+)
     SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
 +    SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
-     if (config->pycache_prefix != NULL) {
+--- a/Include/cpython/initconfig.h
-         SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
+++ b/Include/cpython/initconfig.h
 Index: Python-3.8.15/Include/cpython/initconfig.h
 ===================================================================
 --- Python-3.8.15.orig/Include/cpython/initconfig.h
 +++ Python-3.8.15/Include/cpython/initconfig.h
@@ -381,6 +381,7 @@ typedef struct {
     wchar_t *base_prefix;       /* sys.base_prefix */
     wchar_t *exec_prefix;       /* sys.exec_prefix */
@ -22,10 +16,32 @@ Index: Python-3.8.15/Include/cpython/initconfig.h
     /* --- Parameter only used by Py_Main() ---------- */
-Index: Python-3.8.15/Python/initconfig.c
+--- a/Lib/test/test_embed.py
-===================================================================
+++ b/Lib/test/test_embed.py
--- Python-3.8.15.orig/Python/initconfig.c
+@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
-+++ Python-3.8.15/Python/initconfig.c
+         'exec_prefix': GET_DEFAULT_CONFIG,
         'base_exec_prefix': GET_DEFAULT_CONFIG,
         'module_search_paths': GET_DEFAULT_CONFIG,
 +        'platlibdir': sys.platlibdir,
         'site_import': 1,
         'bytes_warning': 0,
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
 		$(MULTIARCH_CPPFLAGS) \
 		-o $@ $(srcdir)/Python/sysmodule.c
 +Python/initconfig.o: $(srcdir)/Python/initconfig.c
 +	$(CC) -c $(PY_CORE_CFLAGS) \
 +		-DPLATLIBDIR='"$(platsubdir)"' \
 +		-o $@ $(srcdir)/Python/initconfig.c
 +
 $(IO_OBJS): $(IO_H)
 .PHONY: regen-grammar
 --- a/Python/initconfig.c
 +++ b/Python/initconfig.c
@@ -596,6 +596,7 @@ PyConfig_Clear(PyConfig *config)
     CLEAR(config->base_prefix);
     CLEAR(config->exec_prefix);
@ -96,31 +112,13 @@ Index: Python-3.8.15/Python/initconfig.c
     DUMP_SYS(executable);
     DUMP_SYS(prefix);
     DUMP_SYS(exec_prefix);
-Index: Python-3.8.15/Makefile.pre.in
+--- a/Python/sysmodule.c
-===================================================================
+++ b/Python/sysmodule.c
--- Python-3.8.15.orig/Makefile.pre.in
+@@ -2981,6 +2981,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
-+++ Python-3.8.15/Makefile.pre.in
+     SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
-@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
+     SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
- 		$(MULTIARCH_CPPFLAGS) \
+     SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
- 		-o $@ $(srcdir)/Python/sysmodule.c
+    SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
-+Python/initconfig.o: $(srcdir)/Python/initconfig.c
+     if (config->pycache_prefix != NULL) {
-+	$(CC) -c $(PY_CORE_CFLAGS) \
+         SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
 +		-DPLATLIBDIR='"$(platsubdir)"' \
 +		-o $@ $(srcdir)/Python/initconfig.c
 +
 $(IO_OBJS): $(IO_H)
 .PHONY: regen-grammar
 Index: Python-3.8.15/Lib/test/test_embed.py
 ===================================================================
 --- Python-3.8.15.orig/Lib/test/test_embed.py
 +++ Python-3.8.15/Lib/test/test_embed.py
@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
         'exec_prefix': GET_DEFAULT_CONFIG,
         'base_exec_prefix': GET_DEFAULT_CONFIG,
         'module_search_paths': GET_DEFAULT_CONFIG,
 +        'platlibdir': sys.platlibdir,
         'site_import': 1,
         'bytes_warning': 0,
--- a/python38.changes
+++ b/python38.changes
@ -1,3 +1,35 @@
 -------------------------------------------------------------------
 Thu Dec  8 10:32:15 UTC 2022 - Matej Cepl <mcepl@suse.com>
 - Update to 3.8.16:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a
    name (CVE-2022-45061).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - The deprecated mailcap module now refuses to inject
    unsafe text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
 - Removed upstream patches:
  - CVE-2022-37454-sha3-buffer-overflow.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch
 -------------------------------------------------------------------
 Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
--- a/python38.spec
+++ b/python38.spec
@ -92,7 +92,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.8.15
+Version:        3.8.16
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@ -176,13 +176,6 @@ Patch37:        platlibdir-in-sys.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
 # this patch makes things totally awesome
 Patch38:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
 # PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 mcepl@suse.com
 # Fix original buffer overflow
 # Originally from gh#python/cpython#98528
 Patch39:        CVE-2022-37454-sha3-buffer-overflow.patch
 # PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
 # Avoid DoS by decoding IDNA for too long domain names
 Patch40:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -451,8 +444,6 @@ other applications.
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac