python39/support-expat-CVE-2022-25236-patched.patch

From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Mon, 21 Feb 2022 08:16:09 -0800
Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
 (GH-31472)

Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them a invalid URIs.

libexpat >=2.4.5 has become strcter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.

References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/

Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
---
 Lib/test/test_minidom.py |   23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst

--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -6,7 +6,6 @@ import io
 from test import support
 import unittest
 
-import pyexpat
 import xml.dom.minidom
 
 from xml.dom.minidom import parse, Node, Document, parseString
@@ -1149,13 +1148,11 @@ class MinidomTest(unittest.TestCase):
 
         # Verify that character decoding errors raise exceptions instead
         # of crashing
-        if pyexpat.version_info >= (2, 4, 5):
-            self.assertRaises(ExpatError, parseString,
-                    b'<fran\xe7ais></fran\xe7ais>')
-            self.assertRaises(ExpatError, parseString,
-                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
-        else:
-            self.assertRaises(UnicodeDecodeError, parseString,
+        # It doesn’t make any sense to insist on the exact text of the
+        # error message, or even the exact Exception … it is enough that
+        # the error has been discovered.
+        with self.assertRaises((UnicodeDecodeError, ExpatError)):
+            parseString(
                 b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
 
         doc.unlink()
@@ -1617,12 +1614,10 @@ class MinidomTest(unittest.TestCase):
         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
 
     def testExceptionOnSpacesInXMLNSValue(self):
-        if pyexpat.version_info >= (2, 4, 5):
-            context = self.assertRaisesRegex(ExpatError, 'syntax error')
-        else:
-            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-
-        with context:
+        # It doesn’t make any sense to insist on the exact text of the
+        # error message, or even the exact Exception … it is enough that
+        # the error has been discovered.
+        with self.assertRaises((ExpatError, ValueError)):
             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
 
     def testDocRemoveChild(self):
-												- Update to 3.9.20:
  - Tests
    - gh-112769: The tests now correctly compare zlib version when
      :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For
      example zlib-ng defines the version as ``1.3.0.zlib-ng``.
    - gh-117187: Fix XML tests for vanilla Expat <2.6.0.
  - Security
    - gh-123678: Upgrade libexpat to 2.6.3
    - gh-121957: Fixed missing audit events around interactive use of Python,
      now also properly firing for ``python -i``, as well as for ``python -m
      asyncio``. The event in question is ``cpython.run_stdin``.
    - gh-122133: Authenticate the socket connection for the
      ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not
      available like Windows.
      Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson
      <seth@python.org>. Reported by Ellie <el@horse64.org>
    - gh-121285: Remove backtracking from tarfile header parsing for
      ``hdrcharset``, PAX, and GNU sparse headers
      (bsc#1230227, CVE-2024-6232).
    - gh-118486: :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to
      restrict the new directory to the current user. This fixes CVE-2024-4030
      affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary
      directory is more permissive than the default.
    - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and
      :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
      certificate store, when the :class:`ssl.SSLContext` is shared across
      multiple threads (bsc#1226447, CVE-2024-0397).
    - gh-116741: Update bundled libexpat to 2.6.2
  - Library
    - gh-123270: Applied a more surgical fix for malformed payloads in

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201
											
										
										
											2024-09-09 22:10:25 +02:00
+								From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
 								From: "Miss Islington (bot)"
 								 <31488909+miss-islington@users.noreply.github.com>
 								Date: Mon, 21 Feb 2022 08:16:09 -0800
 								Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
 								 (GH-31472)
 								Curly brackets were never allowed in namespace URIs
 								according to RFC 3986, and so-called namespace-validating
 								XML parsers have the right to reject them a invalid URIs.
 								libexpat >=2.4.5 has become strcter in that regard due to
 								related security issues; with ET.XML instantiating a
 								namespace-aware parser under the hood, this test has no
 								future in CPython.
 								References:
 								- https://datatracker.ietf.org/doc/html/rfc3968
 								- https://www.w3.org/TR/xml-names/
 								Also, test_minidom.py: Support Expat >=2.4.5
 								(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
 								Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
 								---
 								 Lib/test/test_minidom.py |   23 +++++++++--------------
 file changed, 9 insertions(+), 14 deletions(-)
 								 create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
 								--- a/Lib/test/test_minidom.py
 								+++ b/Lib/test/test_minidom.py
@@ -6,7 +6,6 @@ import io
 								 from test import support
 								 import unittest
 								-import pyexpat
 								 import xml.dom.minidom
 								 from xml.dom.minidom import parse, Node, Document, parseString
@@ -1149,13 +1148,11 @@ class MinidomTest(unittest.TestCase):
 								         # Verify that character decoding errors raise exceptions instead
 								         # of crashing
 								-        if pyexpat.version_info >= (2, 4, 5):
 								-            self.assertRaises(ExpatError, parseString,
 								-                    b'<fran\xe7ais></fran\xe7ais>')
 								-            self.assertRaises(ExpatError, parseString,
 								-                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
 								-        else:
 								-            self.assertRaises(UnicodeDecodeError, parseString,
 								+        # It doesn’t make any sense to insist on the exact text of the
 								+        # error message, or even the exact Exception … it is enough that
 								+        # the error has been discovered.
 								+        with self.assertRaises((UnicodeDecodeError, ExpatError)):
 								+            parseString(
 								                 b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
 								         doc.unlink()
@@ -1617,12 +1614,10 @@ class MinidomTest(unittest.TestCase):
 								         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
 								     def testExceptionOnSpacesInXMLNSValue(self):
 								-        if pyexpat.version_info >= (2, 4, 5):
 								-            context = self.assertRaisesRegex(ExpatError, 'syntax error')
 								-        else:
 								-            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
 								-
 								-        with context:
 								+        # It doesn’t make any sense to insist on the exact text of the
 								+        # error message, or even the exact Exception … it is enough that
 								+        # the error has been discovered.
 								+        with self.assertRaises((ExpatError, ValueError)):
 								             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
 								     def testDocRemoveChild(self):