From 7c01f56f5b62fc389222720f5e60e6c6cc62d42f Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 22 Sep 2023 19:41:10 +0300 Subject: [PATCH] import python3.11-3.11.4-3.el9 --- .gitignore | 3 +- .python3.11.metadata | 3 +- SOURCES/00397-tarfile-filter.patch | 361 +++++++++++++++++++++++++++++ SOURCES/Python-3.11.2.tar.xz.asc | 16 -- SOURCES/Python-3.11.4.tar.xz.asc | 16 ++ SOURCES/pgp_keys.asc | 109 +++++++++ SPECS/python3.11.spec | 29 ++- 7 files changed, 514 insertions(+), 23 deletions(-) create mode 100644 SOURCES/00397-tarfile-filter.patch delete mode 100644 SOURCES/Python-3.11.2.tar.xz.asc create mode 100644 SOURCES/Python-3.11.4.tar.xz.asc create mode 100644 SOURCES/pgp_keys.asc diff --git a/.gitignore b/.gitignore index 724e5cb..245fd29 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -SOURCES/Python-3.11.2.tar.xz -SOURCES/pgp_keys.asc +SOURCES/Python-3.11.4.tar.xz diff --git a/.python3.11.metadata b/.python3.11.metadata index 0e4f954..6c4d744 100644 --- a/.python3.11.metadata +++ b/.python3.11.metadata @@ -1,2 +1 @@ -ae1c199ecb7a969588b15354e19e7b60cb65d1b9 SOURCES/Python-3.11.2.tar.xz -befe131eceffa73877ba3adceca3b7b1da1d2319 SOURCES/pgp_keys.asc +413b3715d919a7b473281529ab91eeea5c82e632 SOURCES/Python-3.11.4.tar.xz diff --git a/SOURCES/00397-tarfile-filter.patch b/SOURCES/00397-tarfile-filter.patch new file mode 100644 index 0000000..bd8f98f --- /dev/null +++ b/SOURCES/00397-tarfile-filter.patch @@ -0,0 +1,361 @@ +From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Wed, 9 Aug 2023 20:23:03 +0200 +Subject: [PATCH] Fix symlink handling for tarfile.data_filter + +--- + Doc/library/tarfile.rst | 5 +++++ + Lib/tarfile.py | 9 ++++++++- + Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++-- + 3 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst +index 00f3070324e..e0511bfeb64 100644 +--- a/Doc/library/tarfile.rst ++++ b/Doc/library/tarfile.rst +@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes: + Name of the target file name, which is only present in :class:`TarInfo` objects + of type :const:`LNKTYPE` and :const:`SYMTYPE`. + ++ For symbolic links (``SYMTYPE``), the linkname is relative to the directory ++ that contains the link. ++ For hard links (``LNKTYPE``), the linkname is relative to the root of ++ the archive. ++ + + .. attribute:: TarInfo.uid + :type: int +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index df4e41f7a0d..d62323715b4 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True): + if member.islnk() or member.issym(): + if os.path.isabs(member.linkname): + raise AbsoluteLinkError(member) +- target_path = os.path.realpath(os.path.join(dest_path, member.linkname)) ++ if member.issym(): ++ target_path = os.path.join(dest_path, ++ os.path.dirname(name), ++ member.linkname) ++ else: ++ target_path = os.path.join(dest_path, ++ member.linkname) ++ target_path = os.path.realpath(target_path) + if os.path.commonpath([target_path, dest_path]) != dest_path: + raise LinkOutsideDestinationError(member, target_path) + return new_attrs +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 2eda7fc4cea..79fc35c2895 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -3337,10 +3337,12 @@ def __exit__(self, *exc): + self.bio = None + + def add(self, name, *, type=None, symlink_to=None, hardlink_to=None, +- mode=None, **kwargs): ++ mode=None, size=None, **kwargs): + """Add a member to the test archive. Call within `with`.""" + name = str(name) + tarinfo = tarfile.TarInfo(name).replace(**kwargs) ++ if size is not None: ++ tarinfo.size = size + if mode: + tarinfo.mode = _filemode_to_int(mode) + if symlink_to is not None: +@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter): + raise self.raised_exception + self.assertEqual(self.expected_paths, set()) + +- def expect_file(self, name, type=None, symlink_to=None, mode=None): ++ def expect_file(self, name, type=None, symlink_to=None, mode=None, ++ size=None): + """Check a single file. See check_context.""" + if self.raised_exception: + raise self.raised_exception +@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None): + self.assertTrue(path.is_fifo()) + else: + raise NotImplementedError(type) ++ if size is not None: ++ self.assertEqual(path.stat().st_size, size) + for parent in path.parents: + self.expected_paths.discard(parent) + +@@ -3649,6 +3654,22 @@ def test_sly_relative2(self): + + """['"].*moo['"], which is outside the """ + + "destination") + ++ def test_deep_symlink(self): ++ with ArchiveMaker() as arc: ++ arc.add('targetdir/target', size=3) ++ arc.add('linkdir/hardlink', hardlink_to='targetdir/target') ++ arc.add('linkdir/symlink', symlink_to='../targetdir/target') ++ ++ for filter in 'tar', 'data', 'fully_trusted': ++ with self.check_context(arc.open(), filter): ++ self.expect_file('targetdir/target', size=3) ++ self.expect_file('linkdir/hardlink', size=3) ++ if os_helper.can_symlink(): ++ self.expect_file('linkdir/symlink', size=3, ++ symlink_to='../targetdir/target') ++ else: ++ self.expect_file('linkdir/symlink', size=3) ++ + def test_modes(self): + # Test how file modes are extracted + # (Note that the modes are ignored on platforms without working chmod) +-- +2.41.0 + +From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Mon, 6 Mar 2023 17:24:24 +0100 +Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction + (downstream) + +Add and test RHEL-specific ways of configuring the default behavior: environment +variable and config file. +--- + Lib/tarfile.py | 42 +++++++++++++ + Lib/test/test_shutil.py | 3 +- + Lib/test/test_tarfile.py | 128 ++++++++++++++++++++++++++++++++++++++- + 3 files changed, 169 insertions(+), 4 deletions(-) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 130b5e0..3b7d8d5 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError", + "ENCODING", "USTAR_FORMAT", "GNU_FORMAT", "PAX_FORMAT", + "DEFAULT_FORMAT", "open"] + ++# If true, use the safer (but backwards-incompatible) 'tar' extraction filter, ++# rather than 'fully_trusted', by default. ++# The emitted warning is changed to match. ++_RH_SAFER_DEFAULT = True ++ ++# System-wide configuration file ++_CONFIG_FILENAME = '/etc/python/tarfile.cfg' + + #--------------------------------------------------------- + # tar constants +@@ -2211,6 +2218,41 @@ class TarFile(object): + if filter is None: + filter = self.extraction_filter + if filter is None: ++ name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER') ++ if name is None: ++ try: ++ file = bltn_open(_CONFIG_FILENAME) ++ except FileNotFoundError: ++ pass ++ else: ++ import configparser ++ conf = configparser.ConfigParser( ++ interpolation=None, ++ comment_prefixes=('#', ), ++ ) ++ with file: ++ conf.read_file(file) ++ name = conf.get('tarfile', ++ 'PYTHON_TARFILE_EXTRACTION_FILTER', ++ fallback='') ++ if name: ++ try: ++ filter = _NAMED_FILTERS[name] ++ except KeyError: ++ raise ValueError(f"filter {filter!r} not found") from None ++ self.extraction_filter = filter ++ return filter ++ if _RH_SAFER_DEFAULT: ++ warnings.warn( ++ 'The default behavior of tarfile extraction has been ' ++ + 'changed to disallow common exploits ' ++ + '(including CVE-2007-4559). ' ++ + 'By default, absolute/parent paths are disallowed ' ++ + 'and some mode bits are cleared. ' ++ + 'See https://access.redhat.com/articles/7004769 ' ++ + 'for more details.', ++ RuntimeWarning) ++ return tar_filter + return fully_trusted_filter + if isinstance(filter, str): + raise TypeError( +diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py +index 9bf4145..f247b82 100644 +--- a/Lib/test/test_shutil.py ++++ b/Lib/test/test_shutil.py +@@ -1665,7 +1665,8 @@ class TestArchives(BaseTest, unittest.TestCase): + def check_unpack_tarball(self, format): + self.check_unpack_archive(format, filter='fully_trusted') + self.check_unpack_archive(format, filter='data') +- with warnings_helper.check_no_warnings(self): ++ with warnings_helper.check_warnings( ++ ('.*CVE-2007-4559', RuntimeWarning)): + self.check_unpack_archive(format) + + def test_unpack_archive_tar(self): +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index cdea033..4724285 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -2,7 +2,7 @@ import sys + import os + import io + from hashlib import sha256 +-from contextlib import contextmanager ++from contextlib import contextmanager, ExitStack + from random import Random + import pathlib + import shutil +@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest): + tar = tarfile.open(tarname, mode='r', encoding="iso8859-1") + cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl" + tar.errorlevel = 0 +- tar.extractall(cls.control_dir, filter=cls.extraction_filter) ++ with ExitStack() as cm: ++ if cls.extraction_filter is None: ++ cm.enter_context(warnings.catch_warnings()) ++ warnings.simplefilter(action="ignore", category=RuntimeWarning) ++ tar.extractall(cls.control_dir, filter=cls.extraction_filter) + tar.close() + cls.control_paths = set( + p.relative_to(cls.control_dir) +@@ -3674,7 +3678,8 @@ class TestExtractionFilters(unittest.TestCase): + """Ensure the default filter does not warn (like in 3.12)""" + with ArchiveMaker() as arc: + arc.add('foo') +- with warnings_helper.check_no_warnings(self): ++ with warnings_helper.check_warnings( ++ ('.*CVE-2007-4559', RuntimeWarning)): + with self.check_context(arc.open(), None): + self.expect_file('foo') + +@@ -3844,6 +3849,123 @@ class TestExtractionFilters(unittest.TestCase): + self.expect_exception(TypeError) # errorlevel is not int + + ++ @contextmanager ++ def rh_config_context(self, config_lines=None): ++ """Set up for testing various ways of overriding the default filter ++ ++ return a triple with: ++ - temporary directory ++ - EnvironmentVarGuard() ++ - a test archive for use with check_* methods below ++ ++ If config_lines is given, write them to the config file. Otherwise ++ the config file is missing. ++ """ ++ tempdir = pathlib.Path(TEMPDIR) / 'tmp' ++ configfile = tempdir / 'tarfile.cfg' ++ with ArchiveMaker() as arc: ++ arc.add('good') ++ arc.add('ugly', symlink_to='/etc/passwd') ++ arc.add('../bad') ++ with ( ++ os_helper.temp_dir(tempdir), ++ support.swap_attr(tarfile, '_CONFIG_FILENAME', str(configfile)), ++ os_helper.EnvironmentVarGuard() as env, ++ arc.open() as tar, ++ ): ++ if config_lines is not None: ++ with configfile.open('w') as f: ++ for line in config_lines: ++ print(line, file=f) ++ yield tempdir, env, tar ++ ++ def check_rh_default_behavior(self, tar, tempdir): ++ """Check RH default: warn and refuse to extract dangerous files.""" ++ with ( ++ warnings_helper.check_warnings( ++ ('.*CVE-2007-4559', RuntimeWarning)), ++ self.assertRaises(tarfile.OutsideDestinationError), ++ ): ++ tar.extractall(tempdir / 'outdir') ++ ++ def check_trusted_default(self, tar, tempdir): ++ """Check 'fully_trusted' is configured as the default filter.""" ++ with ( ++ warnings_helper.check_no_warnings(self), ++ ): ++ tar.extractall(tempdir / 'outdir') ++ self.assertTrue((tempdir / 'outdir/good').exists()) ++ self.assertEqual((tempdir / 'outdir/ugly').readlink(), ++ pathlib.Path('/etc/passwd')) ++ self.assertTrue((tempdir / 'bad').exists()) ++ ++ def test_rh_default_no_conf(self): ++ with self.rh_config_context() as (tempdir, env, tar): ++ self.check_rh_default_behavior(tar, tempdir) ++ ++ def test_rh_default_from_file(self): ++ lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=fully_trusted'] ++ with self.rh_config_context(lines) as (tempdir, env, tar): ++ self.check_trusted_default(tar, tempdir) ++ ++ def test_rh_empty_config_file(self): ++ """Empty config file -> default behavior""" ++ lines = [] ++ with self.rh_config_context(lines) as (tempdir, env, tar): ++ self.check_rh_default_behavior(tar, tempdir) ++ ++ def test_empty_config_section(self): ++ """Empty section in config file -> default behavior""" ++ lines = ['[tarfile]'] ++ with self.rh_config_context(lines) as (tempdir, env, tar): ++ self.check_rh_default_behavior(tar, tempdir) ++ ++ def test_rh_default_empty_config_option(self): ++ """Empty option value in config file -> default behavior""" ++ lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER='] ++ with self.rh_config_context(lines) as (tempdir, env, tar): ++ self.check_rh_default_behavior(tar, tempdir) ++ ++ def test_bad_config_option(self): ++ """Bad option value in config file -> ValueError""" ++ lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=unknown!'] ++ with self.rh_config_context(lines) as (tempdir, env, tar): ++ with self.assertRaises(ValueError): ++ tar.extractall(tempdir / 'outdir') ++ ++ def test_default_from_envvar(self): ++ with self.rh_config_context() as (tempdir, env, tar): ++ env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted' ++ self.check_trusted_default(tar, tempdir) ++ ++ def test_empty_envvar(self): ++ """Empty env variable -> default behavior""" ++ with self.rh_config_context() as (tempdir, env, tar): ++ env['PYTHON_TARFILE_EXTRACTION_FILTER'] = '' ++ self.check_rh_default_behavior(tar, tempdir) ++ ++ def test_bad_envvar(self): ++ with self.rh_config_context() as (tempdir, env, tar): ++ env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'unknown!' ++ with self.assertRaises(ValueError): ++ tar.extractall(tempdir / 'outdir') ++ ++ def test_envvar_overrides_file(self): ++ lines = ['[tarfile]', 'PYTHON_TARFILE_EXTRACTION_FILTER=data'] ++ with self.rh_config_context(lines) as (tempdir, env, tar): ++ env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'fully_trusted' ++ self.check_trusted_default(tar, tempdir) ++ ++ def test_monkeypatch_overrides_envvar(self): ++ with self.rh_config_context(None) as (tempdir, env, tar): ++ env['PYTHON_TARFILE_EXTRACTION_FILTER'] = 'data' ++ with support.swap_attr( ++ tarfile.TarFile, 'extraction_filter', ++ staticmethod(tarfile.fully_trusted_filter) ++ ): ++ self.check_trusted_default(tar, tempdir) ++ ++ + def setUpModule(): + os_helper.unlink(TEMPDIR) + os.makedirs(TEMPDIR) +-- +2.41.0 + diff --git a/SOURCES/Python-3.11.2.tar.xz.asc b/SOURCES/Python-3.11.2.tar.xz.asc deleted file mode 100644 index 1cd2b66..0000000 --- a/SOURCES/Python-3.11.2.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiV84ACgkQ/+h0BBaL -2EeZ1xAAwBi0AEjUlZ9oeC54VuqC/XLuVwc3xWf+Irw/5mJA2/weJHoQqG9aEDkB -ph1pDJ6G/vDyKdjh8NZKkKftIL9pggRpAcA4mQ3XcDMKI/J+EQe5P/BwsTGClLhK -cZg6IcQKZvo9djfyRz48w9wfKs34NasBgoFQP+hOzmU10UMrcR7gUSB2ZgMVMDID -0rK1w2aPmZmDLUltBhf6Xb2voUYo+3jINLHWmQC6tdDOBxtxv222dhxS1mvpV7Zu -Xw8do9OsQxonc+owkpciMKDLcFoVmkdQPz9bmvHJKovMXT2RY7FEam9H7ukr35fC -xA6BKnyMgvWIWQVTwjBhcz3C85adzAz/ypHNTbJOuPxp1ZP8qO3D6vPlhZIFyTeJ -7LhagUBUkIKKtbz7u3ERJgvA6tn3UVyLOXM1DnaKkXQ1FgSymgWPRU7BsxanQ8FD -QkfTjC8fatZLCewNfGInkeAdLue+rMwZc8Q6vw2CAmcVdOKsQ98Db/FLF5sC+Kjz -D3brUESEX1ELcVk7vumUI0/z+MECF11dpv5hPOZ4cZDoInsNu846TfU0rzOeVe7H -gGO6Ae/Lu5gG09TNqepbFGA/dWR8V3zdLs5ZShTT4FsNFrHh7GDAEAMZSwT3AsVZ -TjOdU3+xEGsEfrYWRXOkhVIQdJtuovwv9+me5YWeyC4Puzp0Zwk= -=8/cW ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.11.4.tar.xz.asc b/SOURCES/Python-3.11.4.tar.xz.asc new file mode 100644 index 0000000..bf39d4a --- /dev/null +++ b/SOURCES/Python-3.11.4.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/sHIACgkQ/+h0BBaL +2EfQDQ//eFWvcQ5ijhVd3r5lp7NTNUPK6xKR2iqzpNWlN2Z4QkGJ2+IworBaZoGA +tzmbT0j0LB9ZQ+ba3xnqXGXD8Ky+fHLg8GV5yshPlH/bD7tPuHtfDRxNcWplEVSS +MbMuLjAYavTIHhYEz/Rpx4jvZTI5lwplVqj9WxNI/8tNrL5M2bsCtv+IB6brohiw +rUOUlT/KDkZbrGfB1Fe033Ep8hay5MkKjhgr7O1dU7zMuDRG+HRsCYGs7a5x6KhH +3QNTEp+GEIAKEsip5nR7vl5KqL02lHa5sf36SV2wjRTwO+IhgV7lvtJEwOD12oE5 +c+TCQMFbmBXg2vVmNBN/Lwftw1SwT/+orFX6V4U93jq6QNUo4GvPqum6YzuayGYc +/JM4MNziqmfdNW2YjEHPPfzti3f40eTapys97YufOrmYjM2NY0Fs+kAErvyxiWqi +guVQtaZIYeLl/9KWqQ0F/Apy1N+fVDuWBkZlizwHrUsGips4Rp7Bh/iCrDdOj+1D +gRCio7+KvdtzHavZPZnU5dcpUiXZgsDzOTI138IyYaEtVUS59ELkA2qxI1yCb5mk +eLVG1L7r/J2tIaTcguQppp5Z+62UDTArlUbnRxda0buzA2r1aFiQCTMwp+kTRegw +T9Ht/CT/D4vpMdmSQTun9MkKifcK+2uGfSsS7Lz4fSWjQLqg36k= +=zSfJ +-----END PGP SIGNATURE----- diff --git a/SOURCES/pgp_keys.asc b/SOURCES/pgp_keys.asc new file mode 100644 index 0000000..11dccb8 --- /dev/null +++ b/SOURCES/pgp_keys.asc @@ -0,0 +1,109 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFq+ToQBEADRYvIVtbK6owynD3j3nxwpW2KEk/p+aDvtXmc2SR2dBcZ8sFW2 +R5vEsG8d3/D3wgv5pcL3KfNNXQYUnXVbobrFUUWQYc79qIsE3MgiPf5NVOtwKPUR +i5g9YJgKvpBxkQfqp3LYGm9ZBtwo3DVLA3yn7KsazCmAgTNFJYw7ku1XxgmIzY6K +5J30DfbJiqDqj4f9GslCCCCH3qiPnuLG/HUyVLHMpbWlaiy9NI0GcaLxjJewHj9w +W2D2lydkxe5JGo7egUkV3ILcuLVSVKA35SKY27dYqfuyqp9tAzaRbjDYjsYdHA6G +BqrNrKBn/GwlFDPrVdcvN3ZSY2wMLTxWE3Axc/FweuHxFnou/80FwX7F3JD+oEQ6 +rofmcxOBCC7J98I7HZAhP9jBn88XIS2hztbLq8d6rZJZRtcz0k61VR0ddO+TrFmf +9rMYCPgCckRtVxeFIVIabrN1IzKynLFeo040h8hSGswd6YKDOVwjJY6Oa6EmVefZ +a8QSt4+M65RSzH6SEPY008F3nJUAK6MEkzTak+tFltZNrVWu8p2xd1j9nmxAwEhZ +/lgbxLqzYgaUWmfyHeZ8yVA0MhHzdiAL8nVUEdG3KecIq0RWCJLGLWWIjd6KAJl1 +yAmhRYKK/sjPDsL3elHsFACfZbyx3o5GGQNlas1FYoPLWbaNGaJtgFTF2QARAQAB +tCtQYWJsbyBHYWxpbmRvIFNhbGdhZG8gPHBhYmxvZ3NhbEBnbWFpbC5jb20+iQJO +BBMBCgA4FiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+ToQCGwMFCwkIBwMFFQoJ +CAsFFgIDAQACHgECF4AACgkQZOYo+NaEaW2bmA/+PXIap2udLoUVOHxnsIBdqYwp +sv1Aj5lfIJmNhmxPbHShwp1Jg+w4urxe+2Dj5ofKVlIo1i83bQkvnKJMDXDVuc/K +P6zqhBJ3rT4Q3qx2mzX8bIfQoJ2JHuH4lkP+I7doDcHHRyeNASyk72VdQmU4twNw +Ibn8nSNV6ThKHdoPYzVnO2rZUFcGIqH5HNsvR+B7cc1MBCHsgURYwSVhSePIFGlZ +iasdBD6QQkDSe4QWi7AcJFWFElw4kbOKJWxAWsrEk+tMXJVGRjnmL289EmPCx/vx +BqKy7Mse0yWCSRR3vB+O6TB1S5SgEyEgqlYsfGNv1qf/rfRD4KkyCbNU3LhY1Aim +vJP4pDW+KFxTk2Ks8vrx8gOSd2aFqPeO/pFDrpsF7PD62XwsfoXu4xc5V0Giw7r1 +Nai0nax7kOrldNF8TbbtRjW0jmoC7wLIDujAkwDIOroZ0CXA3N4HVHdSbrHm/urX +nyxJXupXAQNwGx64JCBcbF2fp3Kvu1VAXBEFnd01KaopthHcbG5pA50Kl2Vhe+98 +OdezUX42fHkQpQkB7HgtXfm6W1bw6YRBamrNvs1OoHBYmUjlECpe566IIu25Hc8s +x3qA+6eca7iqizyLG+WyMT8ZIYTWGAS59jxwR4esqGczbbZPSAPHFwLbGv7Wr0Rd +TPu5B0FcKpDkTd4IxQW5Ag0EWr5O2gEQAMjLe4CtbSfofmJrz5wfNkMVsZ81Gbqe +MoYd3dtkJnQYERUj8flzBj3ucaxGJ+Cuf7ybh3naPopKvEI1q0vkcgCDqrEgXK// +jKJbP28uPSMGhOG28q4PbamG55gy5FtM3ezzAxPWWKe9qBpV65GMmFy7eBQx2iJs +yiDIOOQQ4kraS+cTqNFimEXAGLCOQRNLcwIZzwAAHoW7HEpNUfVwaBD9kMlbo1ND +I60IKcNrNcmcmRxhJqfxjj8YBMwcKHO6GBE3AVpaE/+UO9zyr4TH+0YuQUgxKlPW +Dkg5XlkDo0S1GyLY5e9ckIDIlkTdDa2pOkoE2yB5MQCEga3YiHrKUVTTWaxn9XVJ +6x5ZjUF6bgSWGkrG5dUqSYoO1iDMuNVjtiujNyf/rvfj5cNxS7/lgxchhQKZHZXL +WVqxlneeVJ6s0P4+ROVG9ga2Sve7aUJ6wXIewZwulBcV2sE/W/DgxHgLBi53CUQt +vEzFzKvo48GnDqL5VYjA7l0HMYHd4GksCLi8E8U6Cgj+imXiM8voL7pHRZfs8mY8 +udR+UT4e1Scl2MYP2qBJ9/17B/X52B3s1EZdqI/r+hfOyqrhPs+dbAN0mtMPn68+ +nrvY1+nscvrSYEP6ZBlc9Hp2mgJdb6IcTvINXBEeLRjgc3pjViva443pkiFp9Axm +ecOckMKP3uSlABEBAAGJBGwEGAEKACAWIQSgNcjBkhm6gh7OqGtk5ij41oRpbQUC +Wr5O2gIbAgJACRBk5ij41oRpbcF0IAQZAQoAHRYhBM/cokWxBDzypfl4Zf/odAQW +i9hHBQJavk7aAAoJEP/odAQWi9hHr7YP/RCLre1CmOoWYpAtoa1yVCeYMDV6eQgL +B488/BEZHQE1zbrYy16XkhORob3JF/kUMjmJW7XaFF8FrWvRcdj/xaUGbOOEulKg +v+8zWfswYQRiZ4/JlwER4vRLi6fTE89MVER6Fkj2ASD4D2cifY+EztD4flV3sq3s +vIogGFaN9IvdrdeptOVGXs1RmAyoTsiS2mKQ6xsGh8B9ZAm55W8fBOGiSzLX21Xk +Ofdw53BrFQxn3cu/JgIKpdeZxgukcvEAI62B6X+YL6Na4j0eqEGLzsNtU1+xeJlo +WtVvmRwnRHGSxF6fzIZ3mk/p/aFiXAEq/xITCTY6tDv7x7pFE/RpdlJZyNJ+R5Y4 +SQiuDsylxNCa/4G5EB6q+7iVYtbEQ9MnZg2phowEE42tlj0rz8/rvDK3LH3xibot +KHIodCWKlWByxH99u2PuHUQ0c1oCVBUE1KkruMpvI236DpU/dvdq4JLSg/fWrys/ +VIjqLZgsIE5g/KO9XqngWHkLcBLh4CNAmHJ8Iia+s+/rfgsejQWB5uJb6eYg2JjB +4WP1EI0rULM6fdrCNB+MJ36wE2Lnb4bfT0phOMgjjH5/Ki7ZCbkxkOsBs4SRjiS+ +weCsmpAtMqodWY/Cnw9pWSA/qLSRD5/mKeb9SO6OZ/OPfAatwnGHsvZ2sAueC6rR +04W5BfXZWrnJUXQP/id/EKE1Ksp5fKoxSCbkKTCig+Sf5Afwe36yFN+niZBqzn5b +BgL/HIKaZM97oDHersPPANeEgS+JVlBf95iKIYnQbZP43FLVbvOuaINhBIVtFO54 +2Y7EYwl41kP7ILDElVy36KAmdQyBAfrjnZiRA70xShOxApLug1L0lxhR3YfmLwNi +RJ0V6KnYDKf0pfdhO9VFyFFWUojX1usn2SmSsXNizsNtvRqHXzPnX0rbJzZ9+N4O +9k1nxygYFG/2R/jGonVmTjRzcAHrAkNJETMWXMA7/8wRMDwluz8j+cCldey9x8Vk +JwgLGnZSbQtVpcFAnm5r/36Gt+9wc1VWMyrUrVr6Z679aqAbG7PMaeR5h5ygMj1k +VqRTYAUPSk1f8bZKRssQkQwEbp9dVIjm9SsR8VT7/tB+UuB85dABxgHfv3psJRT+ +tL8g9V7kSZqQfcLNGmvEVvr2Zl9NtxwXtsFM2OBprxCenwb+e9Ppm1LjfJG/NE72 +mAnOERfDaiLt4bqNo36Ei5sGCJ4Fx61phzNBXzkdRNM47i8J5UZRKFkE91c99BVM +HKUaY61NRK24fR0zP98ftDU82YFw0VRFJpTeBrO5ivN1MlQxUPzUWxKxMxO+20wa +UOXroEw11Tb4SRLGOla1pCl6lCUPJRy9IzadPDgTr/OTMkob/snt/XLdnV5/uQIN +BFq+TvoBEAC8Oy1g6pPWBbrCMhIq7VWY2fjylJ1fwg5BPXkOKVK1dsGYO4QD7oW9 +L0aSqcFSNFGF9Cl0Ri4TFXZC3hnG4HeSXUWApuKdBLn21H3jba36Ay1oGcGfdm0v +Zght4c6BlMVBpGCw2wIkJbUNEy6InMM+O8CCbbaH3iJkJ4141P7pODHignx5AmZI +conMui4YOhC+IXQXynVEv1Juk7erB1Nh1RcRvsA4lb44HWx49lIwe85ejOmoZ0O3 +6f9NJRer6bV0+rHWmg4IV5Q9h/Gn4IhEDZxA0DZl1RQI7dMgaMbIFbXGq7Kgzstz +EUnOoy29hXodxVmwIsMrAiQUYtwJ9hW+ESsw47+W2iPHVgviGWl7r/SgcgMYmf6m +5kiTBtwU7BQPS9G3zwwP2Rm3AA/6g39Q+tQKjOwi1I8+GZsY2On44Zly7BreBNg5 +4gJgdAGcMOYU9etr050clH3UpTYcAEtX++ahtOKhJgLIPNcIAQNlnifqvU0VYpgw +R4YpZ7hgg+AVDzC73PIM0lFI0XiDuqChbxE+K1jmLXWe5iJF0dzgVTwP+PmsifNZ +Wg3+YxSsS+hDMPQ2xPiQN49gT4JJDHcDuyhHyCGYgyMiVJCsku9KrkubbfVRivyN +ZF2Zfo3f+nbrRxsftz0yjAq8byCvb0V0XOpt4pJ/ddlug9ytRxALNwARAQABiQI2 +BBgBCgAgFiEEoDXIwZIZuoIezqhrZOYo+NaEaW0FAlq+TvoCGwwACgkQZOYo+NaE +aW3urA//UQ/cKQ7HvWjcLphzQOZc+6m5YL0wxvZkSjemU7mqjZdpacteIvRAoers +EqXHc208liIBtNfRzoreXdcXNzie65xXkrRnWoHVH/fTWy4lOnHr2CMXLeHjUgg/ +M6PYi8+sARm05YFB8nsYhlhx3IdLhcfeVVbJedQKO0yL3CK1okT30DUVq5Lq6X/K +DC6AxuJR3D6UMSoT0WLaoX8qbhAp88qLynInfBVL18d97h916WPLTPeP0eHwhwND +bYtKDCMDuKQ9XX5+QsNH0RmbxlX274LHrUMMvkLKxcfCBvP+iuqrBeIuoeVzXYJZ +j7ZJtEH79bW44eecl/CY/STFYgSQ2XGTp2BI2q60wAmtKlNhwxY5ena0FgyFl6Tm +5OBHW/Pwo+ndQJGfbrCyWkTgRay9c8er3gl3GQYIBH6X0kCiG7h/Epj0b5CHOPU5 +hCw0kEB8MB4poTIjeiY+Q01472/lQ68CL3DX158hR5d3XaPSIxAN+qFsfB1o316p +yjxhfK1MD/IfrOgjlggPPnc/KmLkCzpgdwKcZwLCdZq9hYBvF1Zs34HbaVMYbWTK +uxLowtXGU43vatCXXqmPOvl4/g4tZD6rysJDgOrHQnEHzT+Napn07s0BRC0IbbNn +FynUrkr5KMSuRz7Hg7xMApENOrb0nqdHSUJ914ZpuMIS6RhJgGu5Ag0EWr5PIAEQ +ALfh9vPD2B+miHDTMADI8aRZ7g9tnzynZYkk3+2sCiiusetsQQ+HIPJ/ASEJB7On +ane9dyT/LTRhrK9qaxgVMimk2COXB/xyh7Mnw7nJgFU0aRSbtX0vbvQz2suSzrQ6 +9mPKzan28JGoClqB0bw1vwf3VjjxHV2dgD57CmqFPv7kAC/2a56dE+etzXattZAL ++2JWTpmfQ0ePRRadtBm0VahQhnU8x0+jvAVrEawqpVW83ozYFyW/0WInM2J7jHgQ +16OosY4lj5L/DxpVxaArhRFoRfWPXfC37iE8Mou/I95isvPQIhp1wTo4jG0KM02B +oIVbp/QRNBQ6WtpOzvJs1gqQiJJTfqbKJXQ3NDEY9crpVS83HJ+Zv99PNsyNkFjG +QpU84U3ZhsI4ygjdY45mpZueqI1RVcRQdu8Hgvoo/78Q/Sir6gMGop3mVdVo2guI +kFcJrXh0Xk3ech4aVqrmKx/mPXGwOAQU0DAul4RW3fKg1QxQE7Tlw3+95Ee/+q5j +HARL0uDbCJpRO8Sl8NDEuL32n/2Ot6kQeCSHrU7KJRYAkTxkKvr8zNow7hFhHFPE +SnHvTnskI6noh0VY6NwMhmLvhm0wKkRxZPzUNc3sgLvbK1NymIZ9aKCZamzhZrmG +vnblEz/OSLwGUua465H3hM1vvBQiartj7+6ZqWIkSmBPABEBAAGJAjYEGAEKACAW +IQSgNcjBkhm6gh7OqGtk5ij41oRpbQUCWr5PIAIbIAAKCRBk5ij41oRpbWmeEACG ++axtDC8UoNp9ORiYwEWLzZWDuugE+ah7DYYGD4Vs633FXVZW3SgM/bFtJ/0Lg8CF +74jI4LMHyIjDzEjcoItwnhBLix+kUoJTvrY58GPydwekLuw1p4KXLqtRs4fsZbNQ +YTknl4jYtRWoxO98x7tun7Gq2gqmJkIB2uj630fKz5cBk6p6oDFKjzyrHe+V7BiK +3okQPaD4x7hq8OnTy7lOy92ZZAqztS4tNEb4DkYW1MpuwsJ7hbBZitc1siI+FVVb +GjVVGZz6ssXoW67Tz8+VxdWJxNLXlv27eMcj4sme5S0th/YYNA5fRRv6zuzqZAru +YNGLpYYU7JLvZJ+3lCwa5j5ycOGBF0GvsGs6gj6h+CHkjR/BgzAgWC+GgUgslt6q +aH04rWtV6rVz+Y91LcrX5P6OM4anmXD3Gp3kl35AypXb4KyASF19+11RUziD4Z7q +wQEWfbwOltNyZv2lD8s2jPr7P02axWRQUbZAEhxRmvOQev/FZPyCF6gqUo/HxRbQ +y3bzmnipyHSv1DlXNfCFCHvN8kGyZnRWARqIKRg+j9ediJgOUqlLhg6KmrTVxd5v +3Dfv52PW2UODDTM20s3cQGuX/UswzMRwPI/+P44iCMwEKdm7duM/5oisZT9Vhy7g +P15MreFZLcZvUVgjqgy0u57cstyGK1Bo9e2sFcK2fA== +=6Zb4 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/SPECS/python3.11.spec b/SPECS/python3.11.spec index 0cbd1ba..e838321 100644 --- a/SPECS/python3.11.spec +++ b/SPECS/python3.11.spec @@ -16,11 +16,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.2 +%global general_version %{pybasever}.4 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 3%{?dist} License: Python @@ -63,7 +63,7 @@ License: Python # If the rpmwheels condition is disabled, we use the bundled wheel packages # from Python with the versions below. # This needs to be manually updated when we update Python. -%global pip_version 22.3.1 +%global pip_version 23.1.2 %global setuptools_version 65.5.0 # Expensive optimizations (mainly, profile-guided optimizations) @@ -332,6 +332,16 @@ Patch329: 00329-fips.patch # https://github.com/GrahamDumpleton/mod_wsgi/issues/730 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch +# 00397 # +# Filters for tarfile extraction (CVE-2007-4559, PEP-706) +# First patch fixes determination of symlink targets, which were treated +# as relative to the root of the archive, +# rather than the directory containing the symlink. +# Not yet upstream as of this writing. +# The second patch is Red Hat configuration, see KB for documentation: +# - https://access.redhat.com/articles/7004769 +Patch397: 00397-tarfile-filter.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1599,6 +1609,19 @@ CheckPython optimized # ====================================================== %changelog +* Wed Aug 09 2023 Petr Viktorin - 3.11.4-3 +- Fix symlink handling in the fix for CVE-2023-24329 +Resolves: rhbz#263261 + +* Fri Jun 30 2023 Charalampos Stratakis - 3.11.4-2 +- Security fix for CVE-2007-4559 +Resolves: rhbz#263261 + +* Mon Jun 26 2023 Charalampos Stratakis - 3.11.4-1 +- Update to 3.11.4 +- Security fix for CVE-2023-24329 +Resolves: rhbz#2173917 + * Thu Feb 16 2023 Charalampos Stratakis - 3.11.2-2 - Support OpenSSL FIPS mode