Accepting request 1297128 from devel:languages:python:Factory

- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
  validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

OBS-URL: https://build.opensuse.org/request/show/1297128
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=57

CVE-2023-52425-libexpat-2.6.0-backport.patch

@@ -6,9 +6,11 @@
  Lib/test/test_xml_etree.py   |   12 ------------
  5 files changed, 37 insertions(+), 44 deletions(-)
 
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -8,6 +8,7 @@ import dataclasses
+Index: Python-3.11.12/Lib/test/support/__init__.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/support/__init__.py	2025-04-11 10:52:43.191010503 +0200
++++ Python-3.11.12/Lib/test/support/__init__.py	2025-04-11 10:52:44.802161741 +0200
+@@ -8,6 +8,7 @@
  import functools
  import os
  import re
@@ -16,7 +18,7 @@
  import stat
  import sys
  import sysconfig
-@@ -56,7 +57,7 @@ __all__ = [
+@@ -56,7 +57,7 @@
      "run_with_tz", "PGO", "missing_compiler_executable",
      "ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST",
      "LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT",
@@ -25,7 +27,7 @@
      ]
  
  
-@@ -2240,6 +2241,17 @@ def copy_python_src_ignore(path, names):
+@@ -2244,6 +2245,17 @@
          }
      return ignored
  
@@ -44,9 +46,11 @@
 +fails_with_expat_2_6_0 = (unittest.expectedFailure
 +                          if is_expat_2_6_0
 +                          else lambda test: test)
---- a/Lib/test/test_minidom.py
-+++ b/Lib/test/test_minidom.py
-@@ -6,7 +6,6 @@ import io
+Index: Python-3.11.12/Lib/test/test_minidom.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_minidom.py	2025-04-11 10:52:21.907086938 +0200
++++ Python-3.11.12/Lib/test/test_minidom.py	2025-04-11 10:52:44.802522893 +0200
+@@ -6,7 +6,6 @@
  from test import support
  import unittest
  
@@ -54,7 +58,7 @@
  import xml.dom.minidom
  
  from xml.dom.minidom import parse, Attr, Node, Document, parseString
-@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase):
+@@ -1163,13 +1162,11 @@
  
          # Verify that character decoding errors raise exceptions instead
          # of crashing
@@ -73,7 +77,7 @@
                  b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
  
          doc.unlink()
-@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase):
+@@ -1631,12 +1628,10 @@
          self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
  
      def testExceptionOnSpacesInXMLNSValue(self):
@@ -90,9 +94,11 @@
              parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
  
      def testDocRemoveChild(self):
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -14,8 +14,7 @@ from test.support import os_helper
+Index: Python-3.11.12/Lib/test/test_pyexpat.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_pyexpat.py	2025-04-11 10:52:22.076696906 +0200
++++ Python-3.11.12/Lib/test/test_pyexpat.py	2025-04-11 10:52:44.803228085 +0200
+@@ -14,8 +14,7 @@
  from xml.parsers import expat
  from xml.parsers.expat import errors
  
@@ -102,7 +108,7 @@
  
  class SetAttributeTest(unittest.TestCase):
      def setUp(self):
-@@ -770,9 +769,8 @@ class ReparseDeferralTest(unittest.TestC
+@@ -770,9 +769,8 @@
          self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
  
      def test_reparse_deferral_enabled(self):
@@ -114,7 +120,7 @@
  
          started = []
  
-@@ -801,9 +799,9 @@ class ReparseDeferralTest(unittest.TestC
+@@ -801,9 +799,9 @@
  
          parser = expat.ParserCreate()
          parser.StartElementHandler = start_element
@@ -126,9 +132,11 @@
  
          for chunk in (b'<doc', b'/>'):
              parser.Parse(chunk, False)
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -19,13 +19,11 @@ from xml.sax.xmlreader import InputSourc
+Index: Python-3.11.12/Lib/test/test_sax.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_sax.py	2025-04-11 10:52:22.111440337 +0200
++++ Python-3.11.12/Lib/test/test_sax.py	2025-04-11 10:52:44.803567098 +0200
+@@ -19,13 +19,11 @@
  from io import BytesIO, StringIO
  import codecs
  import os.path
@@ -143,7 +151,7 @@
  from test.support.os_helper import FakePath, TESTFN
  
  
-@@ -1215,10 +1213,10 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1215,10 +1213,10 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
  
@@ -157,7 +165,7 @@
          result = BytesIO()
          xmlgen = XMLGenerator(result)
          parser = create_parser()
-@@ -1241,6 +1239,9 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1241,6 +1239,9 @@
          self.assertEqual(result.getvalue(), start + b"<doc></doc>")
  
      def test_flush_reparse_deferral_disabled(self):
@@ -167,7 +175,7 @@
          result = BytesIO()
          xmlgen = XMLGenerator(result)
          parser = create_parser()
-@@ -1249,9 +1250,8 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1249,9 +1250,8 @@
          for chunk in ("<doc", ">"):
              parser.feed(chunk)
  
@@ -179,9 +187,11 @@
  
          self.assertFalse(parser._parser.GetReparseDeferralEnabled())
  
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -13,7 +13,6 @@ import itertools
+Index: Python-3.11.12/Lib/test/test_xml_etree.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_xml_etree.py	2025-04-11 10:52:22.425637912 +0200
++++ Python-3.11.12/Lib/test/test_xml_etree.py	2025-04-11 10:52:44.804234785 +0200
+@@ -13,7 +13,6 @@
  import operator
  import os
  import pickle
@@ -189,7 +199,7 @@
  import sys
  import textwrap
  import types
-@@ -1424,12 +1423,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1424,12 +1423,6 @@
          self.assert_event_tags(parser, [('end', 'root')])
          self.assertIsNone(parser.close())
  
@@ -202,7 +212,7 @@
      def test_simple_xml_chunk_22(self):
          self.test_simple_xml(chunk_size=22)
  
-@@ -1627,9 +1620,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1627,9 +1620,6 @@
          with self.assertRaises(ValueError):
              ET.XMLPullParser(events=('start', 'end', 'bogus'))
  
@@ -212,7 +222,7 @@
      def test_flush_reparse_deferral_enabled(self):
          parser = ET.XMLPullParser(events=('start', 'end'))
  
-@@ -1656,8 +1646,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1656,8 +1646,6 @@
  
          for chunk in ("<doc", ">"):
              parser.feed(chunk)

CVE-2025-6069-quad-complex-HTMLParser.patch

@@ -0,0 +1,190 @@
+From 9043edabc7e2f0dd655146e0a4571e2a0b2906af Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 13 Jun 2025 19:57:48 +0300
+Subject: [PATCH] gh-135462: Fix quadratic complexity in processing special
+ input in HTMLParser (GH-135464)
+
+End-of-file errors are now handled according to the HTML5 specs --
+comments and declarations are automatically closed, tags are ignored.
+(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+---
+ Lib/html/parser.py                                                       |   41 +++++---
+ Lib/test/test_htmlparser.py                                              |   51 +++++++---
+ Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst |    4 
+ 3 files changed, 74 insertions(+), 22 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
+
+Index: Python-3.11.13/Lib/html/parser.py
+===================================================================
+--- Python-3.11.13.orig/Lib/html/parser.py	2025-07-02 18:12:07.084569398 +0200
++++ Python-3.11.13/Lib/html/parser.py	2025-07-02 18:12:12.582519793 +0200
+@@ -25,6 +25,7 @@
+ charref = re.compile('&#(?:[0-9]+|[xX][0-9a-fA-F]+)[^0-9a-fA-F]')
+ 
+ starttagopen = re.compile('<[a-zA-Z]')
++endtagopen = re.compile('</[a-zA-Z]')
+ piclose = re.compile('>')
+ commentclose = re.compile(r'--\s*>')
+ # Note:
+@@ -176,7 +177,7 @@
+                     k = self.parse_pi(i)
+                 elif startswith("<!", i):
+                     k = self.parse_html_declaration(i)
+-                elif (i + 1) < n:
++                elif (i + 1) < n or end:
+                     self.handle_data("<")
+                     k = i + 1
+                 else:
+@@ -184,17 +185,35 @@
+                 if k < 0:
+                     if not end:
+                         break
+-                    k = rawdata.find('>', i + 1)
+-                    if k < 0:
+-                        k = rawdata.find('<', i + 1)
+-                        if k < 0:
+-                            k = i + 1
++                    if starttagopen.match(rawdata, i):  # < + letter
++                        pass
++                    elif startswith("</", i):
++                        if i + 2 == n:
++                            self.handle_data("</")
++                        elif endtagopen.match(rawdata, i):  # </ + letter
++                            pass
++                        else:
++                            # bogus comment
++                            self.handle_comment(rawdata[i+2:])
++                    elif startswith("<!--", i):
++                        j = n
++                        for suffix in ("--!", "--", "-"):
++                            if rawdata.endswith(suffix, i+4):
++                                j -= len(suffix)
++                                break
++                        self.handle_comment(rawdata[i+4:j])
++                    elif startswith("<![CDATA[", i):
++                        self.unknown_decl(rawdata[i+3:])
++                    elif rawdata[i:i+9].lower() == '<!doctype':
++                        self.handle_decl(rawdata[i+2:])
++                    elif startswith("<!", i):
++                        # bogus comment
++                        self.handle_comment(rawdata[i+2:])
++                    elif startswith("<?", i):
++                        self.handle_pi(rawdata[i+2:])
+                     else:
+-                        k += 1
+-                    if self.convert_charrefs and not self.cdata_elem:
+-                        self.handle_data(unescape(rawdata[i:k]))
+-                    else:
+-                        self.handle_data(rawdata[i:k])
++                        raise AssertionError("we should not get here!")
++                    k = n
+                 i = self.updatepos(i, k)
+             elif startswith("&#", i):
+                 match = charref.match(rawdata, i)
+Index: Python-3.11.13/Lib/test/test_htmlparser.py
+===================================================================
+--- Python-3.11.13.orig/Lib/test/test_htmlparser.py	2025-07-02 18:12:08.523658593 +0200
++++ Python-3.11.13/Lib/test/test_htmlparser.py	2025-07-02 18:13:32.674943007 +0200
+@@ -4,6 +4,8 @@
+ import pprint
+ import unittest
+ 
++from test import support
++
+ 
+ class EventCollector(html.parser.HTMLParser):
+ 
+@@ -391,28 +393,34 @@
+                             ('data', '<'),
+                             ('starttag', 'bc<', [('a', None)]),
+                             ('endtag', 'html'),
+-                            ('data', '\n<img src="URL>'),
+-                            ('comment', '/img'),
+-                            ('endtag', 'html<')])
++                            ('data', '\n')])
+ 
+     def test_starttag_junk_chars(self):
++        self._run_check("<", [('data', '<')])
++        self._run_check("<>", [('data', '<>')])
++        self._run_check("< >", [('data', '< >')])
++        self._run_check("< ", [('data', '< ')])
+         self._run_check("</>", [])
++        self._run_check("<$>", [('data', '<$>')])
+         self._run_check("</$>", [('comment', '$')])
+         self._run_check("</", [('data', '</')])
+-        self._run_check("</a", [('data', '</a')])
++        self._run_check("</a", [])
++        self._run_check("</ a>", [('endtag', 'a')])
++        self._run_check("</ a", [('comment', ' a')])
+         self._run_check("<a<a>", [('starttag', 'a<a', [])])
+         self._run_check("</a<a>", [('endtag', 'a<a')])
+-        self._run_check("<!", [('data', '<!')])
+-        self._run_check("<a", [('data', '<a')])
+-        self._run_check("<a foo='bar'", [('data', "<a foo='bar'")])
+-        self._run_check("<a foo='bar", [('data', "<a foo='bar")])
+-        self._run_check("<a foo='>'", [('data', "<a foo='>'")])
+-        self._run_check("<a foo='>", [('data', "<a foo='>")])
++        self._run_check("<!", [('comment', '')])
++        self._run_check("<a", [])
++        self._run_check("<a foo='bar'", [])
++        self._run_check("<a foo='bar", [])
++        self._run_check("<a foo='>'", [])
++        self._run_check("<a foo='>", [])
+         self._run_check("<a$>", [('starttag', 'a$', [])])
+         self._run_check("<a$b>", [('starttag', 'a$b', [])])
+         self._run_check("<a$b/>", [('startendtag', 'a$b', [])])
+         self._run_check("<a$b  >", [('starttag', 'a$b', [])])
+         self._run_check("<a$b  />", [('startendtag', 'a$b', [])])
++        self._run_check("</a$b>", [('endtag', 'a$b')])
+ 
+     def test_slashes_in_starttag(self):
+         self._run_check('<a foo="var"/>', [('startendtag', 'a', [('foo', 'var')])])
+@@ -549,8 +557,9 @@
+             ('comment', ' -- close enough --'),
+             ('comment', ''),
+             ('comment', '<-- this was an empty comment'),
+-            ('comment', '!! another bogus comment !!!'),
++            ('comment', '!! another bogus comment !!!')
+         ]
++
+         self._run_check(html, expected)
+ 
+     def test_broken_condcoms(self):
+@@ -598,6 +607,26 @@
+              ('endtag', 'a'), ('data', ' bar & baz')]
+         )
+ 
++    @support.requires_resource('cpu')
++    def test_eof_no_quadratic_complexity(self):
++        # Each of these examples used to take about an hour.
++        # Now they take a fraction of a second.
++        def check(source):
++            parser = html.parser.HTMLParser()
++            parser.feed(source)
++            parser.close()
++        n = 120_000
++        check("<a " * n)
++        check("<a a=" * n)
++        check("</a " * 14 * n)
++        check("</a a=" * 11 * n)
++        check("<!--" * 4 * n)
++        check("<!" * 60 * n)
++        check("<?" * 19 * n)
++        check("</$" * 15 * n)
++        check("<![CDATA[" * 9 * n)
++        check("<!doctype" * 35 * n)
++
+ 
+ class AttributesTestCase(TestCaseBase):
+ 
+Index: Python-3.11.13/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.13/Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst	2025-07-02 18:12:12.583386736 +0200
+@@ -0,0 +1,4 @@
++Fix quadratic complexity in processing specially crafted input in
++:class:`html.parser.HTMLParser`. End-of-file errors are now handled according
++to the HTML5 specs -- comments and declarations are automatically closed,
++tags are ignored.

CVE-2025-8194-tarfile-no-neg-offsets.patch

@@ -0,0 +1,212 @@
+From cb3519590c62f9b1abf7f31b92ec37d4b725ce15 Mon Sep 17 00:00:00 2001
+From: Alexander Urieles <aeurielesn@users.noreply.github.com>
+Date: Mon, 28 Jul 2025 17:37:26 +0200
+Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member
+ offsets are non-negative (GH-137027) (cherry picked from commit
+ 7040aa54f14676938970e10c5f74ea93cd56aa38)
+
+Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/tarfile.py                                                          |    3 
+ Lib/test/test_tarfile.py                                                |  156 ++++++++++
+ Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst |    3 
+ 3 files changed, 162 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+
+Index: Python-3.11.13/Lib/tarfile.py
+===================================================================
+--- Python-3.11.13.orig/Lib/tarfile.py	2025-08-01 22:21:29.158050900 +0200
++++ Python-3.11.13/Lib/tarfile.py	2025-08-01 22:21:33.121079687 +0200
+@@ -1613,6 +1613,9 @@
+         """Round up a byte count by BLOCKSIZE and return it,
+            e.g. _block(834) => 1024.
+         """
++        # Only non-negative offsets are allowed
++        if count < 0:
++            raise InvalidHeaderError("invalid offset")
+         blocks, remainder = divmod(count, BLOCKSIZE)
+         if remainder:
+             blocks += 1
+Index: Python-3.11.13/Lib/test/test_tarfile.py
+===================================================================
+--- Python-3.11.13.orig/Lib/test/test_tarfile.py	2025-08-01 22:21:30.644301786 +0200
++++ Python-3.11.13/Lib/test/test_tarfile.py	2025-08-01 22:21:33.121718600 +0200
+@@ -50,6 +50,7 @@
+ xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
+ tmpname = os.path.join(TEMPDIR, "tmp.tar")
+ dotlessname = os.path.join(TEMPDIR, "testtar")
++SPACE = b" "
+ 
+ sha256_regtype = (
+     "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
+@@ -4386,6 +4387,161 @@
+         ar.extractall(self.testdir, filter='fully_trusted')
+ 
+ 
++class OffsetValidationTests(unittest.TestCase):
++    tarname = tmpname
++    invalid_posix_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, space, null terminator: 8 bytes
++        + b"000755" + SPACE + tarfile.NUL
++        # uid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0011407" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # magic: 6 bytes, version: 2 bytes
++        + tarfile.POSIX_MAGIC
++        # uname: 32 bytes
++        + tarfile.NUL * 32
++        # gname: 32 bytes
++        + tarfile.NUL * 32
++        # devmajor, space, null terminator: 8 bytes
++        + tarfile.NUL * 6 + SPACE + tarfile.NUL
++        # devminor, space, null terminator: 8 bytes
++        + tarfile.NUL * 6 + SPACE + tarfile.NUL
++        # prefix: 155 bytes
++        + tarfile.NUL * tarfile.LENGTH_PREFIX
++        # padding: 12 bytes
++        + tarfile.NUL * 12
++    )
++    invalid_gnu_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, null terminator: 8 bytes
++        + b"0000755" + tarfile.NUL
++        # uid, null terminator: 8 bytes
++        + b"0000001" + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"0000001" + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0011327" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # magic: 8 bytes
++        + tarfile.GNU_MAGIC
++        # uname: 32 bytes
++        + tarfile.NUL * 32
++        # gname: 32 bytes
++        + tarfile.NUL * 32
++        # devmajor, null terminator: 8 bytes
++        + tarfile.NUL * 8
++        # devminor, null terminator: 8 bytes
++        + tarfile.NUL * 8
++        # padding: 167 bytes
++        + tarfile.NUL * 167
++    )
++    invalid_v7_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, space, null terminator: 8 bytes
++        + b"000755" + SPACE + tarfile.NUL
++        # uid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0010070" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # padding: 255 bytes
++        + tarfile.NUL * 255
++    )
++    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
++    data_block = b"\xff" * tarfile.BLOCKSIZE
++
++    def _write_buffer(self, buffer):
++        with open(self.tarname, "wb") as f:
++            f.write(buffer)
++
++    def _get_members(self, ignore_zeros=None):
++        with open(self.tarname, "rb") as f:
++            with tarfile.open(
++                mode="r", fileobj=f, ignore_zeros=ignore_zeros
++            ) as tar:
++                return tar.getmembers()
++
++    def _assert_raises_read_error_exception(self):
++        with self.assertRaisesRegex(
++            tarfile.ReadError, "file could not be opened successfully"
++        ):
++            self._get_members()
++
++    def test_invalid_offset_header_validations(self):
++        for tar_format, invalid_header in (
++            ("posix", self.invalid_posix_header),
++            ("gnu", self.invalid_gnu_header),
++            ("v7", self.invalid_v7_header),
++        ):
++            with self.subTest(format=tar_format):
++                self._write_buffer(invalid_header)
++                self._assert_raises_read_error_exception()
++
++    def test_early_stop_at_invalid_offset_header(self):
++        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
++        self._write_buffer(buffer)
++        members = self._get_members()
++        self.assertEqual(len(members), 1)
++        self.assertEqual(members[0].name, "filename")
++        self.assertEqual(members[0].offset, 0)
++
++    def test_ignore_invalid_archive(self):
++        # 3 invalid headers with their respective data
++        buffer = (self.invalid_gnu_header + self.data_block) * 3
++        self._write_buffer(buffer)
++        members = self._get_members(ignore_zeros=True)
++        self.assertEqual(len(members), 0)
++
++    def test_ignore_invalid_offset_headers(self):
++        for first_block, second_block, expected_offset in (
++            (
++                (self.valid_gnu_header),
++                (self.invalid_gnu_header + self.data_block),
++                0,
++            ),
++            (
++                (self.invalid_gnu_header + self.data_block),
++                (self.valid_gnu_header),
++                1024,
++            ),
++        ):
++            self._write_buffer(first_block + second_block)
++            members = self._get_members(ignore_zeros=True)
++            self.assertEqual(len(members), 1)
++            self.assertEqual(members[0].name, "filename")
++            self.assertEqual(members[0].offset, expected_offset)
++
++
+ def setUpModule():
+     os_helper.unlink(TEMPDIR)
+     os.makedirs(TEMPDIR)
+Index: Python-3.11.13/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ Python-3.11.13/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst	2025-08-01 22:21:33.122108946 +0200
+@@ -0,0 +1,3 @@
++:mod:`tarfile` now validates archives to ensure member offsets are
++non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
++:gh:`130577`.)

Python-3.11.10.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372
-size 20067656

Python-3.11.10.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmbbrO0ACgkQ/+h0BBaL
-2Ec+YBAAnQJLKYPjj7Yr7xkFU655Sv86JxeRAdWjnIapbiIuWg3Up8Pd8FTRgHGf
-3XdTHw7b03lSjtzJwavzdnDklqAlBIGn9dVieljUIN7NYyNxoYOr/AiatimgSwv7
-dI5mfun5fLKV6ZcdNdQN5PJ3RZtF3I7VfkN2mlfZJHtxl1agdU/TfW2L+qJ7+JPY
-cayjq2xKTLRNXOf2iV29GRRovLiqA+Dx0+cAwsScwreHMp3U4k3GkeHVoR6fldV4
-bVAM8GRl3CYVFePiqAbamKP1BSys44JOINWbWyd94JxzEAwXWz//Es0h73AzeRfK
-ueORqzdoOGrVc74+HGlAHhqO1Gg7jMMmtkzCEuav+cGHYnMRMOngGR3q47aTJTVb
-5UdP0oD4OlADPFVa6q0LCqN/IFlebWMh9pXYw7Wpek63oNuZHTfNPq4S1AUM2HJm
-C3yzaOG9VAdYfLneJC4ldY4CVt1FKckfaXp5OAaMr71DI74e4CcEswlUupZJLZKV
-TJRjQD15bnXGhHDqU4w3RmzpCWMh2mf4m4VMYQyObl3TtlX+gVvzIhDS5+mXqutB
-F1pdXwaHHkTb2PLLxpwOGrnsp8XoW74tsylcYirQg8jSFMbgxfwgIjEIuRGXeDkT
-B4QzmQ4SxsbLiH7etV6Fznl1h569Z4DO9OOs4i0ZzIjdhPDQtAs=
-=TatG
------END PGP SIGNATURE-----

Python-3.11.13.tar.xz.sigstore

@@ -0,0 +1 @@
+{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUfnOGm4U1QCsCXWiDvPy5Tgni2HUwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNjAzMTkyNzM1WhcNMjUwNjAzMTkzNzM1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpTsf/wrCdu4Domf4WOtO4CLkj51wmj4iesYv5N6DYhghPjqQFwGYI9gFc/WX6QMIWh5YHU2NGxrmM7KfbAYzz6OCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUkQ2/O4Fivj1bTq7NTQczm1RdtYAwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wIgYDVR0RAQH/BBgwFoEUcGFibG9nc2FsQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGLBgorBgEEAdZ5AgQCBH0EewB5AHcA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGXN0NwGwAABAMASDBGAiEA6pD8PjS+5z2SQre/NS/wOdFSjVMsxvtfF6A1jg+1T3YCIQDC44S/Z3c0dNddM7EkE+A3j7Vft3hqRUoFkNe4U6g5qTAKBggqhkjOPQQDAwNoADBlAjA6lBI2r3KCZFc+2affpH3S3Xj3gMOKh8Lr5Z7TgkGp3Q6QsnExGmJJ0leXhqH6rQkCMQDfxk/6DyhbO7KTrIUfmrbZoa7dV75cresJS69Xk67XN57qsqY52DZj9o4fbUIw4ro="}, "tlogEntries": [{"logIndex": "228953871", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1748978856", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQC9nXmfcRqyOL2Zmw1zI7+kulTbmDE3Yfzew81mXJGU4QIgF8Uhdg2uzttSA6erOuEchX68PCyJ0cVFHE0XJX2+ZfE="}, "inclusionProof": {"logIndex": "107049609", "rootHash": "Ilofw5POqC/C3zqfrdMQP1DyhNW+UfB9fHdjrbK6qaM=", "treeSize": "107049610", "hashes": ["AcD1iyjU7nuIPqAq29ynz7PEdq6zPXglj6e2tkH+/do=", "1BNDCN01B3dbUo/TfLaQgKIYTvPyrkcrHKd69GxuF2E=", "t59A0CV2pHM2S9AgZgcEA6FbXhgNZGo0jMRIXHiqsJ0=", "bCrkgWpJ8MBic+mIfCRsKi+5XAMqgM8Lc6G0LLfzZ7M=", "4iwdOrGkcqdN0qqZUx/gv8a8qpLMqVj8aXRVmhQ558c=", "mAX/zvx1jR0ujLtDApsQpHyxmoDGidClHMOn0BX1aQA=", "u5LKLBPTYgXZg0fBi6/8LuEeNy3EBAxJF0AkkB4Co6E=", "SPUVncwJRVX/n/RICCYqLpAzraqx7S0eMdXRr1RLRgg=", "uEJFtwcGQJMd9kjQhkXb7gl2WD3WMElCc15uDFvFGxs=", "VdOKzpQhJlpXgijzXANf/hNlje1G/N1kUuVnKNskkso=", "mta5fH/gFwxJ/0fT8yGpn3sFCY0G1RY555Iflm0LInM=", "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n107049610\nIlofw5POqC/C3zqfrdMQP1DyhNW+UfB9fHdjrbK6qaM=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEAjtzTnsnrGx0G3Dg99s89cPUh6EA+cxkicQ9j4qYU60wCIQCKcAL4kdakbq2JrBVgk7bRNf3FoJRrEI6SCjv16f7Crg==\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4ZmI1ZjlmYmM3NjA5ZmE4MjJjYjMxNTQ5ODg0NTc1ZGI3ZmQ5NjU3Y2JmZmI4OTUxMGI1ZDc5NzU5NjNhODNhIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM5Q1JZRjNSWGUzdDNxQlBJd2UrR3pMMTJCOXVLTjIrRFpWa2JjZW1FTS93SWdPMDFKaVhnbUJxZEN5RVhoM05JUEt5QlRBb2hpcjZHTkhZdXhiSUxKNDlRPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4VFowRjNTVUpCWjBsVlptNVBSMjAwVlRGUlEzTkRXRmRwUkhaUWVUVlVaMjVwTWtoVmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDVxUVhwTlZHdDVUbnBOTVZkb1kwNU5hbFYzVG1wQmVrMVVhM3BPZWsweFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZ3VkhObUwzZHlRMlIxTkVSdmJXWTBWMDkwVHpSRFRHdHFOVEYzYldvMGFXVnpXWFlLTlU0MlJGbG9aMmhRYW5GUlJuZEhXVWs1WjBaakwxZFlObEZOU1Zkb05WbElWVEpPUjNoeWJVMDNTMlppUVZsNmVqWlBRMEZZVFhkblowWjJUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZyVVRJdkNrODBSbWwyYWpGaVZIRTNUbFJSWTNwdE1WSmtkRmxCZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBsbldVUldVakJTUVZGSUwwSkNaM2RHYjBWVlkwZEdhV0pIT1c1ak1rWnpVVWhDTldSSGFIWmlhVFYyWTIxamQwdFJXVXRMZDFsQ1FrRkhSQXAyZWtGQ1FWRlJZbUZJVWpCalNFMDJUSGs1YUZreVRuWmtWelV3WTNrMWJtSXlPVzVpUjFWMVdUSTVkRTFEYzBkRGFYTkhRVkZSUW1jM09IZEJVV2RGQ2toUmQySmhTRkl3WTBoTk5reDVPV2haTWs1MlpGYzFNR041Tlc1aU1qbHVZa2RWZFZreU9YUk5TVWRNUW1kdmNrSm5SVVZCWkZvMVFXZFJRMEpJTUVVS1pYZENOVUZJWTBFelZEQjNZWE5pU0VWVVNtcEhValJqYlZkak0wRnhTa3RZY21wbFVFc3pMMmcwY0hsblF6aHdOMjgwUVVGQlIxaE9NRTUzUjNkQlFRcENRVTFCVTBSQ1IwRnBSVUUyY0VRNFVHcFRLelY2TWxOUmNtVXZUbE12ZDA5a1JsTnFWazF6ZUhaMFprWTJRVEZxWnlzeFZETlpRMGxSUkVNME5GTXZDbG96WXpCa1RtUmtUVGRGYTBVclFUTnFOMVptZEROb2NWSlZiMFpyVG1VMFZUWm5OWEZVUVV0Q1oyZHhhR3RxVDFCUlVVUkJkMDV2UVVSQ2JFRnFRVFlLYkVKSk1uSXpTME5hUm1Nck1tRm1abkJJTTFNeldHb3paMDFQUzJnNFRISTFXamRVWjJ0SGNETlJObEZ6YmtWNFIyMUtTakJzWlZob2NVZzJjbEZyUXdwTlVVUm1lR3N2TmtSNWFHSlBOMHRVY2tsVlptMXlZbHB2WVRka1ZqYzFZM0psYzBwVE5qbFlhelkzV0U0MU4zRnpjVmsxTWtSYWFqbHZOR1ppVlVsM0NqUnliejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "j7X5+8dgn6giyzFUmIRXXbf9llfL/7iVELXXl1ljqDo="}, "signature": "MEUCIQC9CRYF3RXe3t3qBPIwe+GzL12B9uKN2+DZVkbcemEM/wIgO01JiXgmBqdCyEXh3NIPKyBTAohir6GNHYuxbILJ49Q="}}

add-loongarch64-support.patch

@@ -0,0 +1,29 @@
+Description: Add platform triplets for LoongArch.
+
+---
+ configure.ac |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -976,6 +976,20 @@ cat > conftest.c <<EOF
+         hppa-linux-gnu
+ # elif defined(__ia64__)
+         ia64-linux-gnu
++# elif defined(__loongarch__)
++#  if defined(__loongarch_lp64)
++#   if defined(__loongarch_soft_float)
++        loongarch64-linux-gnusf
++#   elif defined(__loongarch_single_float)
++        loongarch64-linux-gnuf32
++#   elif defined(__loongarch_double_float)
++        loongarch64-linux-gnu
++#   else
++#    error unknown platform triplet
++#   endif
++#  else
++#   error unknown platform triplet
++#  endif
+ # elif defined(__m68k__) && !defined(__mcoldfire__)
+         m68k-linux-gnu
+ # elif defined(__mips_hard_float) && defined(__mips_isa_rev) && (__mips_isa_rev >=6) && defined(_MIPSEL)

fix_configure_rst.patch

@@ -29,7 +29,7 @@
     Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -9774,7 +9774,7 @@ C API
+@@ -9911,7 +9911,7 @@ C API
  - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
  
  - bpo-43795: The list in :ref:`limited-api-list` now shows the public name

python-3.3.0b1-test-posix_fadvise.patch

@@ -1,17 +0,0 @@
----
- Lib/test/test_posix.py |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: Python-3.11.8/Lib/test/test_posix.py
-===================================================================
---- Python-3.11.8.orig/Lib/test/test_posix.py
-+++ Python-3.11.8/Lib/test/test_posix.py
-@@ -430,7 +430,7 @@ class PosixTester(unittest.TestCase):
-     def test_posix_fadvise(self):
-         fd = os.open(os_helper.TESTFN, os.O_RDONLY)
-         try:
--            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_WILLNEED)
-+            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_RANDOM)
-         finally:
-             os.close(fd)
- 

python311-rpmlintrc

@@ -1,3 +1,4 @@
 addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
+addFilter("python-bytecode-inconsistent-mtime.*\.pyc")

python311.changes

@@ -1,3 +1,204 @@
+-------------------------------------------------------------------
+Fri Aug  1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
+  validates archives to ensure member offsets are non-negative
+  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
+
+-------------------------------------------------------------------
+Wed Jul  2 14:47:20 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
+  case quadratic complexity when processing certain crafted
+  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
+
+-------------------------------------------------------------------
+Tue Jul  1 08:19:52 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Use one core to build doc. This will make sphinx doc build
+  reproducible.
+  bsc#1243155
+
+-------------------------------------------------------------------
+Mon Jun  9 17:19:32 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.13:
+  - Security
+    - gh-135034: Fixes multiple issues that allowed tarfile
+      extraction filters (filter="data" and filter="tar")
+      to be bypassed using crafted symlinks and hard links.
+      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
+      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
+      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
+      (gh#135034, bsc#1244061).
+    - gh-133767: Fix use-after-free in the “unicode-escape”
+      decoder with a non-“strict” error handler (CVE-2025-4516,
+      bsc#1243273).
+    - gh-128840: Short-circuit the processing of long IPv6
+      addresses early in ipaddress to prevent excessive memory
+      consumption and a minor denial-of-service.
+  - Library
+    - gh-128840: Fix parsing long IPv6 addresses with embedded
+      IPv4 address.
+    - gh-134062: ipaddress: fix collisions in __hash__() for
+      IPv4Network and IPv6Network objects.
+    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
+      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
+    - bpo-43633: Improve the textual representation of
+      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
+      in ipaddress. Patch by Oleksandr Pavliuk.
+- Remove upstreamed patches:
+  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  - CVE-2025-4516-DecodeError-handler.patch
+
+-------------------------------------------------------------------
+Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-4516-DecodeError-handler.patch fixing
+  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
+  vulnerability, which could lead to DoS.
+
+-------------------------------------------------------------------
+Sat May 17 10:02:27 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Use extended %autopatch.
+
+-------------------------------------------------------------------
+Sat May 10 11:38:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
+  since kernel 3.6-rc1)
+
+-------------------------------------------------------------------
+Fri Apr 18 14:05:38 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.12:
+  - gh-131809: Update bundled libexpat to 2.7.1
+  - gh-131261: Upgrade to libexpat 2.7.0
+  - gh-105704: When using urllib.parse.urlsplit() and
+    urllib.parse.urlparse() host parsing would not reject domain
+    names containing square brackets ([ and ]). Square brackets
+    are only valid for IPv6 and IPvFuture hosts according to RFC
+    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
+    gh#python/cpython#105704).
+  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
+    when flattening an email message using a modern email
+    policy. Previously when an encoded-word was too long for
+    a line, it would be decoded, split across lines, and
+    re-encoded. But commas and other special characters in the
+    original text could be left unencoded and unquoted. This
+    could theoretically be used to spoof header lines using a
+    carefully constructed encoded-word if the resulting rendered
+    email was transmitted or re-parsed.
+  - gh-80222: Fix bug in the folding of quoted strings
+    when flattening an email message using a modern email
+    policy. Previously when a quoted string was folded so that
+    it spanned more than one line, the surrounding quotes and
+    internal escapes would be omitted. This could theoretically
+    be used to spoof header lines using a carefully constructed
+    quoted string if the resulting rendered email was transmitted
+    or re-parsed.
+  - gh-119511: Fix a potential denial of service in the imaplib
+    module. When connecting to a malicious server, it could
+    cause an arbitrary amount of memory to be allocated. On many
+    systems this is harmless as unused virtual memory is only
+    a mapping, but if this hit a virtual address size limit
+    it could lead to a MemoryError or other process crash. On
+    unusual systems or builds where all allocated memory is
+    touched and backed by actual ram or storage it could’ve
+    consumed resources doing so until similarly crashing.
+  - gh-127257: In ssl, system call failures that OpenSSL reports
+    using ERR_LIB_SYS are now raised as OSError.
+  - gh-121277: Writers of CPython’s documentation can now use
+    next as the version for the versionchanged, versionadded,
+    deprecated directives.
+  - gh-106883: Disable GC during the _PyThread_CurrentFrames()
+    and _PyThread_CurrentExceptions() calls to avoid the
+    interpreter to deadlock.
+- Remove upstreamed patch:
+  - CVE-2025-0938-sq-brackets-domain-names.patch
+- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  which makes test_ssl not to stop ThreadedEchoServer on OSError,
+  which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
+  gh#python/cpython!126572)
+
+-------------------------------------------------------------------
+Wed Mar 12 15:05:46 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Allow to disable PGO
+
+-------------------------------------------------------------------
+Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Skip PGO with %want_reproducible_builds (bsc#1239210)
+
+-------------------------------------------------------------------
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+
+-------------------------------------------------------------------
+Mon Jan 27 09:00:48 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Configure externally_managed with a bcond
+  https://en.opensuse.org/openSUSE:Python:Externally_managed
+  bsc#1228165
+
+-------------------------------------------------------------------
+Wed Dec  4 21:40:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.11:
+  - Tools/Demos
+    - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
+      and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
+  - Tests
+    - gh-125041: Re-enable skipped tests for zlib on the
+      s390x architecture: only skip checks of the compressed
+      bytes, which can be different between zlib’s software
+      implementation and the hardware-accelerated implementation.
+  - Security
+    - gh-126623: Upgrade libexpat to 2.6.4
+    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
+      consistently use the mapped IPv4 address value for deciding
+      properties. Properties which have their behavior fixed are
+      is_multicast, is_reserved, is_link_local, is_global, and
+      is_unspecified.
+  - Library
+    - gh-124651: Properly quote template strings in venv
+      activation scripts (bsc#1232241, CVE-2024-9287).
+- Removed upstreamed patches:
+  - CVE-2024-9287-venv_path_unquoted.patch
+
+-------------------------------------------------------------------
+Tue Dec  3 08:21:35 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add add-loongarch64-support.patch to support loongarch64
+
+-------------------------------------------------------------------
+Mon Dec  2 22:50:07 UTC 2024 - Matej Cepl <mcepl@suse.com>
+
+- Fix changelog
+
+-------------------------------------------------------------------
+Mon Nov 11 12:43:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Remove -IVendor/ from python-config boo#1231795
+
+-------------------------------------------------------------------
+Fri Nov  1 16:32:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
+  path names provided when creating a virtual environment
+  (bsc#1232241, CVE-2024-9287)
+
+-------------------------------------------------------------------
+Wed Oct  2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Drop .pyc files from docdir for reproducible builds
+  (bsc#1230906).
+
 -------------------------------------------------------------------
 Mon Sep  9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
@@ -81,6 +282,9 @@ Mon Sep  9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
   - CVE-2024-4032-private-IP-addrs.patch
   - CVE-2024-6923-email-hdr-inject.patch
   - CVE-2024-8088-inf-loop-zipfile_Path.patch
+    (renamed from CVE-2024-8088-zipfile-Path-sanitization.patch)
+  - CVE-2024-6232-ReDOS-backtrack-tarfile.patch
+  - CVE-2024-7592-quad-complex-cookies.patch
 
 -------------------------------------------------------------------
 Mon Sep  2 09:44:26 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@@ -167,6 +371,7 @@ Mon Apr  8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 - Remove not needed upstream patches:
   * libexpat260.patch
   * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
+  * CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
 
 - Update to 3.11.9:
   * Security
@@ -336,8 +541,9 @@ Mon Apr  8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
     - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
     - gh-100985: Update HTTPSConnection to consistently wrap IPv6
       Addresses when using a proxy.
-    - gh-100884: email: fix misfolding of comma in address-lists over
-      multiple lines in combination with unicode encoding.
+    - gh-100884: email: fix misfolding of comma in address-lists
+      over multiple lines in combination with unicode encoding
+      (bsc#1238450 CVE-2025-1795)
     - gh-95782: Fix io.BufferedReader.tell(),
       io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
       io.BufferedRandom.tell(), io.BufferedRandom.seek() and
@@ -719,7 +925,8 @@ Thu Feb  8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
       METH_FASTCALL | METH_KEYWORDS calling convention. Only the
       positional parameter count was checked; any keyword argument
       passed would be silently accepted.
-
+- Remove upstreamed patches:
+  - CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
 - Refresh all patches:
   - CVE-2023-27043-email-parsing-errors.patch
   - F00251-change-user-install-location.patch

python311.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python311
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,12 +36,20 @@
 %bcond_without general
 %endif
 
-%if 0%{?do_profiling}
+%if 0%{?do_profiling} && !0%{?want_reproducible_builds}
 %bcond_without profileopt
 %else
 %bcond_with profileopt
 %endif
 
+# Only for Tumbleweed
+# https://en.opensuse.org/openSUSE:Python:Externally_managed
+%if 0%{?suse_version} > 1600
+%bcond_without externally_managed
+%else
+%bcond_with externally_managed
+%endif
+
 %define         python_pkg_name python311
 %if "%{python_pkg_name}" == "%{primary_python}"
 %define primary_interpreter 1
@@ -98,15 +106,14 @@
 # pyexpat.cpython-35m-armv7-linux-gnueabihf
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
-%bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.10
+Version:        3.11.13
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
 URL:            https://www.python.org/
 Source0:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
-Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
+Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source4:        externally_managed.in
@@ -145,8 +152,6 @@ Patch03:        distutils-reproducible-compile.patch
 Patch04:        python-3.3.0b1-localpath.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
 Patch05:        python-3.3.0b1-fix_date_time_compiler.patch
-# POSIX_FADV_WILLNEED throws EINVAL. Use a different constant in test
-Patch06:        python-3.3.0b1-test-posix_fadvise.patch
 # Raise timeout value for test_subprocess
 Patch07:        subprocess-raise-timeout.patch
 # PATCH-FEATURE-UPSTREAM bpo-31046_ensurepip_honours_prefix.patch bpo#31046 mcepl@suse.com
@@ -179,8 +184,17 @@ Patch19:        bso1227999-reproducible-builds.patch
 # PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
 # Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
 Patch22:        gh120226-fix-sendfile-test-kernel-610.patch
+# PATCH-FIX-UPSTREAM Add platform triplets for 64-bit LoongArch gh#python/cpython#30939 glaubitz@suse.com
+Patch24:        add-loongarch64-support.patch
+# PATCH-FIX-UPSTREAM CVE-2025-6069-quad-complex-HTMLParser.patch bsc#1244705 mcepl@suse.com
+# avoid quadratic complexity when processing malformed inputs with HTMLParser
+Patch25:        CVE-2025-6069-quad-complex-HTMLParser.patch
+# PATCH-FIX-UPSTREAM CVE-2025-8194-tarfile-no-neg-offsets.patch bsc#1247249 mcepl@suse.com
+# tarfile now validates archives to ensure member offsets are non-negative
+Patch26:        CVE-2025-8194-tarfile-no-neg-offsets.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
+BuildRequires:  crypto-policies-scripts
 BuildRequires:  fdupes
 BuildRequires:  gmp-devel
 BuildRequires:  lzma-devel
@@ -421,26 +435,11 @@ other applications.
 %prep
 %setup -q -n %{tarname}
 
-%patch -p1 -P 02
-%patch -p1 -P 03
-%patch -p1 -P 04
-%patch -p1 -P 05
-%patch -p1 -P 06
-%patch -p1 -P 07
-%patch -p1 -P 08
-
+%autopatch -p1 -M 08
 %if 0%{?suse_version} <= 1500
 %patch -P 09 -p1
 %endif
-
-%patch -p1 -P 10
-%patch -p1 -P 11
-%patch -p1 -P 13
-%patch -p1 -P 15
-%patch -p1 -P 16
-%patch -p1 -P 17
-%patch -p1 -P 19
-%patch -p1 -P 22
+%autopatch -p1 -m 10
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -485,7 +484,7 @@ TODAY_DATE=`date -r %{SOURCE0} "+%%B %%d, %%Y"`
 
 cd Doc
 sed -i "s/^today = .*/today = '$TODAY_DATE'/" conf.py
-%make_build -j1 html
+%make_build -j1 JOBS=1 html
 
 # Build also devhelp files
 sphinx-build -a -b devhelp . build/devhelp
@@ -723,7 +722,7 @@ rm %{buildroot}%{_libdir}/libpython3.so
 rm %{buildroot}%{_libdir}/pkgconfig/{python3,python3-embed}.pc
 %endif
 
-%if %{suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668 mark this as a distro maintained python
 sed -e 's,__PYTHONPREFIX__,%{python_pkg_name},' -e 's,__PYTHON__,python%{python_version},' < %{SOURCE4} > %{buildroot}%{sitedir}/EXTERNALLY-MANAGED
 %endif
@@ -764,6 +763,9 @@ install -m 755 -D Tools/gdb/libpython.py %{buildroot}%{_datadir}/gdb/auto-load/%
 # install devel files to /config
 #cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%%{sitedir}/config-%%{python_abi}/
 
+# Remove -IVendor/ from python-config boo#1231795
+sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config
+
 # RPM macros
 %if %{primary_interpreter}
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d/
@@ -792,6 +794,11 @@ LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAIL
 echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth
 %endif
 
+# For the purposes of reproducibility, it is necessary to eliminate any *.pyc files inside documentation dirs
+if [ -d %{buildroot}%{_defaultdocdir} ] ; then
+find %{buildroot}%{_defaultdocdir} -type f -name \*.pyc -ls -exec rm -vf '{}' \;
+fi
+
 %if %{with general}
 %files -n %{python_pkg_name}-tk
 %{sitedir}/tkinter
@@ -911,7 +918,7 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
 %{_mandir}/man1/python3.1%{?ext_man}
 %endif
 %{_mandir}/man1/python%{python_version}.1%{?ext_man}
-%if 0%{?suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668
 %{sitedir}/EXTERNALLY-MANAGED
 %endif