6 changed files with 85 additions and 158 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/python-dateutil-2.8.2.tar.gz
+SOURCES/python-dateutil-2.8.1.tar.gz
--- a/.python-dateutil.metadata
+++ b/.python-dateutil.metadata
@ -1 +1 @@
-c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
+bd26127e57f83a10f656b62c46524c15aeb844dd SOURCES/python-dateutil-2.8.1.tar.gz
--- a/SOURCES/1295.patch
+++ b/SOURCES/1295.patch
@ -0,0 +1,57 @@
+From a97d0ff4b7559a431f42102b6208fb876f511194 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 27 Jun 2023 15:28:36 +0200
+Subject: [PATCH 1/2] zoneinfo.rebuild: Extract using tarfile data filter (PEP
+ 706) if available
+
+---
+ src/dateutil/zoneinfo/rebuild.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/dateutil/zoneinfo/rebuild.py b/src/dateutil/zoneinfo/rebuild.py
+index 684c6586f..1b6e34b15 100644
+--- a/dateutil/zoneinfo/rebuild.py
+++ b/dateutil/zoneinfo/rebuild.py
+@@ -4,6 +4,7 @@
+ import shutil
+ import json
+ from subprocess import check_call
+import tarfile
+ from tarfile import TarFile
+ 
+ from dateutil.zoneinfo import METADATA_FN, ZONEFILENAME
+@@ -20,6 +21,13 @@ def rebuild(filename, tag=None, format="gz", zonegroups=[], metadata=None):
+     moduledir = os.path.dirname(__file__)
+     try:
+         with TarFile.open(filename) as tf:
+
+            # Limit extraction to safe, plain data files, if this Python
+            # allows it easily. If not, just trust the input.
+            # See: https://docs.python.org/3/library/tarfile.html#supporting-older-python-versions
+            tf.extraction_filter = getattr(tarfile, 'data_filter',
+                                           (lambda member, path: member))
+
+             for name in zonegroups:
+                 tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+
+From 4790f9d64451002fd3c31c2fbe0d70322019a92a Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 27 Jun 2023 16:12:14 +0200
+Subject: [PATCH 2/2] Add changelog entry
+
+---
+ changelog.d/1295.misc.rst | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 changelog.d/1295.misc.rst
+
+diff --git a/changelog.d/1295.misc.rst b/changelog.d/1295.misc.rst
+new file mode 100644
+index 000000000..c2876dd65
+--- /dev/null
+++ b/changelog.d/1295.misc.rst
+@@ -0,0 +1,4 @@
+On Python versions that support it, ``zoneinfo.rebuild`` now uses the
+tarfile ``data`` filter to limit damage in case it's used with a
+malicious tarball, and to avoid a deprecation warning on Python 3.12.
+Reported and fixed by @encukou (gh pr #1295)
--- a/SOURCES/2bdd63158b7f981fc6d70a869680451bdfd8d848.patch
+++ b/SOURCES/2bdd63158b7f981fc6d70a869680451bdfd8d848.patch
@ -1,46 +0,0 @@
-From 2bdd63158b7f981fc6d70a869680451bdfd8d848 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jakub=20Kul=C3=ADk?= <kulikjak@gmail.com>
-Date: Thu, 10 Feb 2022 10:28:42 +0100
-Subject: [PATCH] Remove deprecated pytest.warns(None) from test_internals.py
-
---
- tests/test_internals.py | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/tests/test_internals.py b/tests/test_internals.py
-index 530813147..b32e6723f 100644
--- a/tests/test_internals.py
-+++ b/tests/test_internals.py
-@@ -9,6 +9,7 @@
- 
- import sys
- import pytest
-+import warnings
- 
- from dateutil.parser._parser import _ymd
- from dateutil import tz
-@@ -65,18 +66,17 @@ def test_parser_parser_private_not_warns():
-     from dateutil.parser._parser import _timelex, _tzparser
-     from dateutil.parser._parser import _parsetz
- 
-    with pytest.warns(None) as recorder:
-+    with warnings.catch_warnings():
-+        warnings.simplefilter("error")
-         _tzparser()
-        assert len(recorder) == 0
- 
-    with pytest.warns(None) as recorder:
-+    with warnings.catch_warnings():
-+        warnings.simplefilter("error")
-         _timelex('2014-03-03')
- 
-        assert len(recorder) == 0
-
-    with pytest.warns(None) as recorder:
-+    with warnings.catch_warnings():
-+        warnings.simplefilter("error")
-         _parsetz('+05:00')
-        assert len(recorder) == 0
- 
- 
- @pytest.mark.tzstr
--- a/SOURCES/f2293200747fb03d56c6c5997bfebeabe703576f.patch
+++ b/SOURCES/f2293200747fb03d56c6c5997bfebeabe703576f.patch
@ -1,23 +0,0 @@
-From f2293200747fb03d56c6c5997bfebeabe703576f Mon Sep 17 00:00:00 2001
-From: Thomas Grainger <tagrain@gmail.com>
-Date: Fri, 2 Jun 2023 14:06:41 +0100
-Subject: [PATCH] avoid deprecated utcfromtimestamp
-
-Fixes #1284
---
- src/dateutil/tz/tz.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/dateutil/tz/tz.py b/src/dateutil/tz/tz.py
-index c67f56d46..617591446 100644
--- a/src/dateutil/tz/tz.py
-+++ b/src/dateutil/tz/tz.py
-@@ -34,7 +34,7 @@
- from warnings import warn
- 
- ZERO = datetime.timedelta(0)
-EPOCH = datetime.datetime.utcfromtimestamp(0)
-+EPOCH = datetime.datetime(1970, 1, 1, 0, 0)
- EPOCHORDINAL = EPOCH.toordinal()
- 
- 
--- a/SPECS/python-dateutil.spec
+++ b/SPECS/python-dateutil.spec
@ -1,34 +1,26 @@
 %global modname dateutil

 Name:           python-%{modname}
-Version:        2.8.2
-Release:        14%{?dist}
+Version:        2.8.1
+Release:        7%{?dist}
 Epoch:          1
 Summary:        Powerful extensions to the standard datetime module

-# According to the LICENSE file:
-# - Apache-2.0 applies to all contributions after 2017-12-01, as well as
-#   all contributions that have been re-licensed.
-# - BSD-3-Clause applies to all code, even that also covered by Apache-2.0
-License:        (Apache-2.0 AND BSD-3-Clause) OR BSD-3-Clause
-
+License:        BSD
 URL:            https://github.com/dateutil/dateutil
 Source:         %{pypi_source}

-# Remove deprecated pytest.warns(None) from test_internals.py
-#
-# Fixes:
-# python-dateutil fails to build with pytest 7
-# https://bugzilla.redhat.com/show_bug.cgi?id=2059950
-Patch1:         %{url}/commit/2bdd63158b7f981fc6d70a869680451bdfd8d848.patch
-
-# Backport the replacement for the deprecated in Python 3.12
-# datetime.datetime.utcfromtimestamp()
-Patch2:         %{url}/commit/f2293200747fb03d56c6c5997bfebeabe703576f.patch
+# Mitigate CVE-2007-4559 (tarfile directory traversal).
+# `dateutil.zoneinfo.rebuild` handles "pure data" tarballs,
+# here we disable tar features that are potentially unsafe.
+# Submitted upstream, but rejected because they're removing this
+# code entirely.
+# BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2203905
+Patch1:         https://github.com/dateutil/dateutil/pull/1295.patch

-# when bootstrapping dateutil-freezegun, we cannot run tests
-# on RHEL, we do not have or want all test dependencies
-%bcond tests %{undefined rhel}
+# Disable tests to avoid pulling in test dependencies on RHEL9
+# Specify --with tests to run the tests e.g. on EPEL
+%bcond_with tests

 BuildArch:      noarch
 BuildRequires: make
@ -46,12 +38,11 @@ Summary:        %summary
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
 BuildRequires:  python3-setuptools_scm
-# Runtime deps
-BuildRequires:  python3-six
 %if %{with tests}
 BuildRequires:  python3-freezegun
 BuildRequires:  python3-hypothesis
 BuildRequires:  python3-pytest
+BuildRequires:  python3-six
 %endif
 Requires:       tzdata
 %{?python_provide:%python_provide python3-%{modname}}
@ -64,13 +55,7 @@ Summary: API documentation for python-dateutil
 This package contains %{summary}.

 %prep
-%autosetup -N
-# the tests were moved outside of %%{modname} directory upstream after 2.8.2
-# so we apply the patch with new paths from within it
-pushd %{modname}/test
-%patch -P1 -p2
-popd
-%patch -P2 -p2
+%autosetup -p1
 iconv --from=ISO-8859-1 --to=UTF-8 NEWS > NEWS.new
 mv NEWS.new NEWS

@ -81,11 +66,9 @@ make -C docs html
 %install
 %py3_install

-%check
 %if %{with tests}
+%check
 %{__python3} -m pytest -W ignore::pytest.PytestUnknownMarkWarning
-%else
-%py3_check_import dateutil dateutil.easter dateutil.parser dateutil.relativedelta dateutil.rrule dateutil.tz dateutil.utils dateutil.zoneinfo
 %endif

 %files -n python3-%{modname}
@ -99,63 +82,19 @@ make -C docs html
 %doc docs/_build/html

 %changelog
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:2.8.2-14
- Bump release for June 2024 mass rebuild
-
-* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.2-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.2-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sun Nov 05 2023 Miro Hrončok <mhroncok@redhat.com> - 1:2.8.2-11
- Clarify the SPDX License tag
-
-* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.2-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jul 04 2023 Karolina Surma <ksurma@redhat.com> - 1:2.8.2-9
- Backport replacement for deprecated datetime.datetime.utcfromtimestamp()
-
-* Fri Jun 16 2023 Python Maint <python-maint@redhat.com> - 1:2.8.2-8
- Rebuilt for Python 3.12
-
-* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 1:2.8.2-7
- Bootstrap for Python 3.12
-
-* Wed Mar 01 2023 Gwyn Ciesla <gwync@protonmail.com> - 1:2.8.2-6
- migrated to SPDX license
-
-* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1:2.8.2-3
- Rebuilt for Python 3.11
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1:2.8.2-2
- Bootstrap for Python 3.11
-
-* Thu Mar 10 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 1:2.8.2-1
- Update to 3.8.2 (fix RHBZ#1982169)
- Backport 2bdd631: remove deprecated pytest.warns(None) (fix RHBZ#2059950)
-
-* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+* Wed Jul 12 2023 Petr Viktorin <pviktori@redhat.com> - 1:2.8.1-7
+- Mitigate CVE-2007-4559 (tarfile directory traversal).
+  Resolves: rhbz#2203905

-* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 1:2.8.1-6
- Rebuilt for Python 3.10
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.8.1-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 1:2.8.1-5
- Bootstrap for Python 3.10
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.8.1-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

-* Wed Jun 02 2021 Petr Viktorin <pviktori@redhat.com> - 1:2.8.1-4
- Add the ASL 2.0 license
+* Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 1:2.8.1-4
+- Disable tests on RHEL9 to remove the test dependencies

 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild