diff --git a/.gitignore b/.gitignore index 285bb0f..33fa1d5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.12.1.tar.xz +SOURCES/Python-3.12.5.tar.xz diff --git a/.python3.12.metadata b/.python3.12.metadata index de37775..ffed180 100644 --- a/.python3.12.metadata +++ b/.python3.12.metadata @@ -1 +1 @@ -5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz +d9b83c17a717e1cbd3ab6bd14cfe3e508e6d87b2 SOURCES/Python-3.12.5.tar.xz diff --git a/SOURCES/00251-change-user-install-location.patch b/SOURCES/00251-change-user-install-location.patch index 1622e53..2f33b5a 100644 --- a/SOURCES/00251-change-user-install-location.patch +++ b/SOURCES/00251-change-user-install-location.patch @@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/Lib/site.py b/Lib/site.py -index 672fa7b000..0a9c5be53e 100644 +index 924cfbecec..e2871ecc89 100644 --- a/Lib/site.py +++ b/Lib/site.py -@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None): +@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None): return sitepackages def addsitepackages(known_paths, prefixes=None): @@ -129,7 +129,7 @@ index 122d441bd1..2d354a11da 100644 # On Windows we want to substitute 'lib' for schemes rather # than the native value (without modifying vars, in case it diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py -index b6dbf3d52c..4f06a7673c 100644 +index 1137c2032b..8fc2b84f52 100644 --- a/Lib/test/test_sysconfig.py +++ b/Lib/test/test_sysconfig.py @@ -110,8 +110,19 @@ def test_get_path(self): @@ -153,7 +153,7 @@ index b6dbf3d52c..4f06a7673c 100644 os.path.normpath(expected), ) -@@ -335,7 +346,7 @@ def test_get_config_h_filename(self): +@@ -344,7 +355,7 @@ def test_get_config_h_filename(self): self.assertTrue(os.path.isfile(config_h), config_h) def test_get_scheme_names(self): @@ -162,7 +162,7 @@ index b6dbf3d52c..4f06a7673c 100644 if HAS_USER_BASE: wanted.extend(['nt_user', 'osx_framework_user', 'posix_user']) self.assertEqual(get_scheme_names(), tuple(sorted(wanted))) -@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880 +@@ -356,6 +367,8 @@ def test_symlink(self): # Issue 7880 cmd = "-c", "import sysconfig; print(sysconfig.get_platform())" self.assertEqual(py.call_real(*cmd), py.call_link(*cmd)) diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index b980364..f95b71e 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -750,7 +750,7 @@ index 8b4eb2f..e8e4864 100644 raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__) if not digestmod: - raise TypeError("Missing required parameter 'digestmod'.") + raise TypeError("Missing required argument 'digestmod'.") - if _hashopenssl and isinstance(digestmod, (str, _functype)): + if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))): diff --git a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch index 5603025..1a202f7 100644 --- a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch +++ b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch @@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730 2 files changed, 8 insertions(+), 50 deletions(-) diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py -index 756d5e329f..5d09775efc 100644 +index 2e4b860b97..3066b23ee1 100644 --- a/Lib/test/test_threading.py +++ b/Lib/test/test_threading.py -@@ -1007,39 +1007,6 @@ def noop(): pass +@@ -1100,39 +1100,6 @@ def noop(): pass threading.Thread(target=noop).start() # Thread.join() is not called @@ -56,14 +56,14 @@ index 756d5e329f..5d09775efc 100644 - self.assertEqual(out, b'') - self.assertEqual(err, b'') - - def test_start_new_thread_at_exit(self): + def test_start_new_thread_at_finalization(self): code = """if 1: - import atexit + import _thread diff --git a/Lib/threading.py b/Lib/threading.py -index 8dcaf8ca6a..ed0b0f4632 100644 +index 0bba85d08a..b256e3273f 100644 --- a/Lib/threading.py +++ b/Lib/threading.py -@@ -1586,29 +1586,20 @@ def _shutdown(): +@@ -1587,29 +1587,20 @@ def _shutdown(): global _SHUTTING_DOWN _SHUTTING_DOWN = True diff --git a/SOURCES/00397-tarfile-filter.patch b/SOURCES/00397-tarfile-filter.patch index 3ef4d59..7c87d73 100644 --- a/SOURCES/00397-tarfile-filter.patch +++ b/SOURCES/00397-tarfile-filter.patch @@ -1,19 +1,24 @@ -From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001 +From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001 From: Petr Viktorin -Date: Mon, 6 Mar 2023 17:24:24 +0100 +Date: Tue, 2 Jul 2024 11:40:37 +0200 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction (downstream) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit Add and test RHEL-specific ways of configuring the default behavior: environment variable and config file. + +Co-Authored-By: Tomáš Hrnčiar --- - Lib/tarfile.py | 47 +++++++++++++-- + Lib/tarfile.py | 47 +++++++++++-- Lib/test/test_shutil.py | 2 +- - Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++- - 3 files changed, 163 insertions(+), 9 deletions(-) + Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++-- + 3 files changed, 185 insertions(+), 11 deletions(-) diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index 02f5e3b..f7109f3 100755 +index e1487e3..89b6843 100755 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError", @@ -30,7 +35,7 @@ index 02f5e3b..f7109f3 100755 #--------------------------------------------------------- # tar constants -@@ -2217,11 +2224,41 @@ class TarFile(object): +@@ -2218,11 +2225,41 @@ class TarFile(object): if filter is None: filter = self.extraction_filter if filter is None: @@ -38,7 +43,7 @@ index 02f5e3b..f7109f3 100755 - 'Python 3.14 will, by default, filter extracted tar ' - + 'archives and reject files or modify their metadata. ' - + 'Use the filter argument to control this behavior.', -- DeprecationWarning) +- DeprecationWarning, stacklevel=3) + name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER') + if name is None: + try: @@ -72,16 +77,16 @@ index 02f5e3b..f7109f3 100755 + + 'and some mode bits are cleared. ' + + 'See https://access.redhat.com/articles/7004769 ' + + 'for more details.', -+ RuntimeWarning) ++ RuntimeWarning, stacklevel=3) + return tar_filter return fully_trusted_filter if isinstance(filter, str): raise TypeError( diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py -index 5fd8fb4..501da8f 100644 +index 7bc5d12..88b4bdb 100644 --- a/Lib/test/test_shutil.py +++ b/Lib/test/test_shutil.py -@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase): +@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase): self.check_unpack_archive(format, filter='fully_trusted') self.check_unpack_archive(format, filter='data') with warnings_helper.check_warnings( @@ -91,10 +96,48 @@ index 5fd8fb4..501da8f 100644 def test_unpack_archive_tar(self): diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py -index c5fc76d..397e334 100644 +index 3fbd25e..9aa727e 100644 --- a/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py -@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest): +@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest): + tarfile.open(tarname, encoding="iso8859-1") as tar + ): + directories = [t for t in tar if t.isdir()] +- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm: ++ with self.assertWarnsRegex( ++ RuntimeWarning, ++ re.escape( ++ 'The default behavior of tarfile extraction has been ' ++ 'changed to disallow common exploits ' ++ '(including CVE-2007-4559). ' ++ 'By default, absolute/parent paths are disallowed ' ++ 'and some mode bits are cleared. ' ++ 'See https://access.redhat.com/articles/7004769 ' ++ 'for more details.' ++ )) as cm: + tar.extractall(DIR, directories) + # check that the stacklevel of the deprecation warning is correct: + self.assertEqual(cm.filename, __file__) +@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest): + tarfile.open(tarname, encoding="iso8859-1") as tar + ): + tarinfo = tar.getmember(dirtype) +- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm: ++ with self.assertWarnsRegex( ++ RuntimeWarning, ++ re.escape( ++ 'The default behavior of tarfile extraction has been ' ++ 'changed to disallow common exploits ' ++ '(including CVE-2007-4559). ' ++ 'By default, absolute/parent paths are disallowed ' ++ 'and some mode bits are cleared. ' ++ 'See https://access.redhat.com/articles/7004769 ' ++ 'for more details.' ++ )) as cm: + tar.extract(tarinfo, path=DIR) + # check that the stacklevel of the deprecation warning is correct: + self.assertEqual(cm.filename, __file__) +@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest): tar.errorlevel = 0 with ExitStack() as cm: if cls.extraction_filter is None: @@ -105,7 +148,7 @@ index c5fc76d..397e334 100644 tar.extractall(cls.control_dir, filter=cls.extraction_filter) tar.close() cls.control_paths = set( -@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase): +@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase): with ArchiveMaker() as arc: arc.add('foo') with warnings_helper.check_warnings( @@ -114,7 +157,7 @@ index c5fc76d..397e334 100644 with self.check_context(arc.open(), None): self.expect_file('foo') -@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase): +@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase): self.expect_exception(TypeError) # errorlevel is not int @@ -235,9 +278,9 @@ index c5fc76d..397e334 100644 + self.check_trusted_default(tar, tempdir) + + - def setUpModule(): - os_helper.unlink(TEMPDIR) - os.makedirs(TEMPDIR) + class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + testdir = os.path.join(TEMPDIR, "testoverwrite") + -- -2.43.0 +2.44.0 diff --git a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch index e77ddd8..4274663 100644 --- a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch +++ b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch @@ -19,7 +19,7 @@ Co-Authored-By: Thomas Dwyer create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst -index 345b64001c..d693a9bc39 100644 +index 6ba42491d6..6bd45200d8 100644 --- a/Doc/library/email.utils.rst +++ b/Doc/library/email.utils.rst @@ -58,13 +58,18 @@ of the new API. @@ -72,7 +72,7 @@ index 345b64001c..d693a9bc39 100644 .. function:: parsedate(date) diff --git a/Lib/email/utils.py b/Lib/email/utils.py -index 81da5394ea..43c3627fca 100644 +index 1de547a011..e53abc8b84 100644 --- a/Lib/email/utils.py +++ b/Lib/email/utils.py @@ -48,6 +48,7 @@ @@ -81,7 +81,7 @@ index 81da5394ea..43c3627fca 100644 + def _has_surrogates(s): - """Return True if s contains surrogate-escaped binary data.""" + """Return True if s may contain surrogate-escaped binary data.""" # This check is based on the fact that unless there are surrogates, utf8 @@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'): return address @@ -255,7 +255,7 @@ index 81da5394ea..43c3627fca 100644 diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py -index 2a237095b9..4672b790d8 100644 +index fc8d87974e..ef8aa0d53c 100644 --- a/Lib/test/test_email/test_email.py +++ b/Lib/test/test_email/test_email.py @@ -16,6 +16,7 @@ @@ -266,7 +266,7 @@ index 2a237095b9..4672b790d8 100644 from email.charset import Charset from email.generator import Generator, DecodedGenerator, BytesGenerator -@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self): +@@ -3352,15 +3353,137 @@ def test_getaddresses_comma_in_name(self): ], ) @@ -412,7 +412,7 @@ index 2a237095b9..4672b790d8 100644 def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" -@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self): +@@ -3551,6 +3674,54 @@ def test_mime_classes_policy_argument(self): m = cls(*constructor, policy=email.policy.default) self.assertIs(m.policy, email.policy.default) diff --git a/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch b/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch new file mode 100644 index 0000000..59637d8 --- /dev/null +++ b/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch @@ -0,0 +1,63 @@ +From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 3 May 2024 14:17:48 +0200 +Subject: [PATCH] Expect failures in tests not working properly with expat with + a fixed CVE in RHEL + +--- + Lib/test/test_pyexpat.py | 1 + + Lib/test/test_sax.py | 1 + + Lib/test/test_xml_etree.py | 3 +++ + 3 files changed, 5 insertions(+) + +diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py +index 43cbd27..27b1502 100644 +--- a/Lib/test/test_pyexpat.py ++++ b/Lib/test/test_pyexpat.py +@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase): + + self.assertEqual(started, ['doc']) + ++ @unittest.expectedFailure + def test_reparse_deferral_disabled(self): + started = [] + +diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py +index 9b3014a..646c92d 100644 +--- a/Lib/test/test_sax.py ++++ b/Lib/test/test_sax.py +@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase): + + self.assertEqual(result.getvalue(), start + b"") + ++ @unittest.expectedFailure + def test_flush_reparse_deferral_disabled(self): + result = BytesIO() + xmlgen = XMLGenerator(result) +diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py +index 9c382d1..62f2871 100644 +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase): + self.assert_event_tags(parser, [('end', 'root')]) + self.assertIsNone(parser.close()) + ++ @unittest.expectedFailure + def test_simple_xml_chunk_1(self): + self.test_simple_xml(chunk_size=1, flush=True) + ++ @unittest.expectedFailure + def test_simple_xml_chunk_5(self): + self.test_simple_xml(chunk_size=5, flush=True) + +@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase): + + self.assert_event_tags(parser, [('end', 'doc')]) + ++ @unittest.expectedFailure + def test_flush_reparse_deferral_disabled(self): + parser = ET.XMLPullParser(events=('start', 'end')) + +-- +2.44.0 + diff --git a/SOURCES/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch b/SOURCES/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch deleted file mode 100644 index a395e17..0000000 --- a/SOURCES/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Sun, 11 Feb 2024 12:08:39 +0200 -Subject: [PATCH] 00422: gh-115133: Fix tests for XMLPullParser with Expat - 2.6.0 - -Feeding the parser by too small chunks defers parsing to prevent -CVE-2023-52425. Future versions of Expat may be more reactive. - -(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) ---- - Lib/test/test_xml_etree.py | 58 ++++++++++++------- - ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 + - 2 files changed, 38 insertions(+), 22 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst - -diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py -index b50898f1d1..6fb888cb21 100644 ---- a/Lib/test/test_xml_etree.py -+++ b/Lib/test/test_xml_etree.py -@@ -1400,28 +1400,37 @@ class XMLPullParserTest(unittest.TestCase): - self.assertEqual([(action, elem.tag) for action, elem in events], - expected) - -- def test_simple_xml(self): -- for chunk_size in (None, 1, 5): -- with self.subTest(chunk_size=chunk_size): -- parser = ET.XMLPullParser() -- self.assert_event_tags(parser, []) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, []) -- self._feed(parser, -- "\n text\n", chunk_size) -- self.assert_event_tags(parser, [('end', 'element')]) -- self._feed(parser, "texttail\n", chunk_size) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, [ -- ('end', 'element'), -- ('end', 'empty-element'), -- ]) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, [('end', 'root')]) -- self.assertIsNone(parser.close()) -+ def test_simple_xml(self, chunk_size=None): -+ parser = ET.XMLPullParser() -+ self.assert_event_tags(parser, []) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, []) -+ self._feed(parser, -+ "\n text\n", chunk_size) -+ self.assert_event_tags(parser, [('end', 'element')]) -+ self._feed(parser, "texttail\n", chunk_size) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, [ -+ ('end', 'element'), -+ ('end', 'empty-element'), -+ ]) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, [('end', 'root')]) -+ self.assertIsNone(parser.close()) -+ -+ @unittest.expectedFailure -+ def test_simple_xml_chunk_1(self): -+ self.test_simple_xml(chunk_size=1) -+ -+ @unittest.expectedFailure -+ def test_simple_xml_chunk_5(self): -+ self.test_simple_xml(chunk_size=5) -+ -+ def test_simple_xml_chunk_22(self): -+ self.test_simple_xml(chunk_size=22) - - def test_feed_while_iterating(self): - parser = ET.XMLPullParser() -diff --git a/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst -new file mode 100644 -index 0000000000..6f1015235c ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst -@@ -0,0 +1,2 @@ -+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat -+2.6.0. diff --git a/SOURCES/00435-CVE-2024-6923.patch b/SOURCES/00435-CVE-2024-6923.patch deleted file mode 100644 index 8ed6cf2..0000000 --- a/SOURCES/00435-CVE-2024-6923.patch +++ /dev/null @@ -1,345 +0,0 @@ -From 7a25b2f511054dd2011308275bb24e914e1977af Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Tue, 6 Aug 2024 19:07:19 +0200 -Subject: [PATCH] gh-121650: Encode newlines in headers, and verify headers are - sound (GH-122233) (#122599) - -* gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) - -- Encode header parts that contain newlines - -Per RFC 2047: - -> [...] these encoding schemes allow the -> encoding of arbitrary octet values, mail readers that implement this -> decoding should also ensure that display of the decoded data on the -> recipient's terminal will not cause unwanted side-effects - -It seems that the "quoted-word" scheme is a valid way to include -a newline character in a header value, just like we already allow -undecodable bytes or control characters. -They do need to be properly quoted when serialized to text, though. - -- Verify that email headers are well-formed - -This should fail for custom fold() implementations that aren't careful -about newlines. - -Co-authored-by: Bas Bloemsaat -Co-authored-by: Serhiy Storchaka -(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384) - -* Document changes as made in 3.12.5 ---- - Doc/library/email.errors.rst | 7 +++ - Doc/library/email.policy.rst | 18 ++++++ - Lib/email/_header_value_parser.py | 12 +++- - Lib/email/_policybase.py | 8 +++ - Lib/email/errors.py | 4 ++ - Lib/email/generator.py | 13 +++- - Lib/test/test_email/test_generator.py | 62 +++++++++++++++++++ - Lib/test/test_email/test_policy.py | 26 ++++++++ - ...-07-27-16-10-41.gh-issue-121650.nf6oc9.rst | 5 ++ - 9 files changed, 151 insertions(+), 4 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst - -diff --git a/Doc/library/email.errors.rst b/Doc/library/email.errors.rst -index 56aea65..27b0481 100644 ---- a/Doc/library/email.errors.rst -+++ b/Doc/library/email.errors.rst -@@ -58,6 +58,13 @@ The following exception classes are defined in the :mod:`email.errors` module: - :class:`~email.mime.nonmultipart.MIMENonMultipart` (e.g. - :class:`~email.mime.image.MIMEImage`). - -+ -+.. exception:: HeaderWriteError() -+ -+ Raised when an error occurs when the :mod:`~email.generator` outputs -+ headers. -+ -+ - .. exception:: MessageDefect() - - This is the base class for all defects found when parsing email messages. -diff --git a/Doc/library/email.policy.rst b/Doc/library/email.policy.rst -index fd47dd0..6ec6e4d 100644 ---- a/Doc/library/email.policy.rst -+++ b/Doc/library/email.policy.rst -@@ -230,6 +230,24 @@ added matters. To illustrate:: - - .. versionadded:: 3.6 - -+ -+ .. attribute:: verify_generated_headers -+ -+ If ``True`` (the default), the generator will raise -+ :exc:`~email.errors.HeaderWriteError` instead of writing a header -+ that is improperly folded or delimited, such that it would -+ be parsed as multiple headers or joined with adjacent data. -+ Such headers can be generated by custom header classes or bugs -+ in the ``email`` module. -+ -+ As it's a security feature, this defaults to ``True`` even in the -+ :class:`~email.policy.Compat32` policy. -+ For backwards compatible, but unsafe, behavior, it must be set to -+ ``False`` explicitly. -+ -+ .. versionadded:: 3.12.5 -+ -+ - The following :class:`Policy` method is intended to be called by code using - the email library to create policy instances with custom settings: - -diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py -index 0d6bd81..362edc5 100644 ---- a/Lib/email/_header_value_parser.py -+++ b/Lib/email/_header_value_parser.py -@@ -92,6 +92,8 @@ TOKEN_ENDS = TSPECIALS | WSP - ASPECIALS = TSPECIALS | set("*'%") - ATTRIBUTE_ENDS = ASPECIALS | WSP - EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%') -+NLSET = {'\n', '\r'} -+SPECIALSNL = SPECIALS | NLSET - - def quote_string(value): - return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"' -@@ -2776,9 +2778,13 @@ def _refold_parse_tree(parse_tree, *, policy): - wrap_as_ew_blocked -= 1 - continue - tstr = str(part) -- if part.token_type == 'ptext' and set(tstr) & SPECIALS: -- # Encode if tstr contains special characters. -- want_encoding = True -+ if not want_encoding: -+ if part.token_type == 'ptext': -+ # Encode if tstr contains special characters. -+ want_encoding = not SPECIALSNL.isdisjoint(tstr) -+ else: -+ # Encode if tstr contains newlines. -+ want_encoding = not NLSET.isdisjoint(tstr) - try: - tstr.encode(encoding) - charset = encoding -diff --git a/Lib/email/_policybase.py b/Lib/email/_policybase.py -index c9cbadd..d1f4821 100644 ---- a/Lib/email/_policybase.py -+++ b/Lib/email/_policybase.py -@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta): - message_factory -- the class to use to create new message objects. - If the value is None, the default is Message. - -+ verify_generated_headers -+ -- if true, the generator verifies that each header -+ they are properly folded, so that a parser won't -+ treat it as multiple headers, start-of-body, or -+ part of another header. -+ This is a check against custom Header & fold() -+ implementations. - """ - - raise_on_defect = False -@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta): - max_line_length = 78 - mangle_from_ = False - message_factory = None -+ verify_generated_headers = True - - def handle_defect(self, obj, defect): - """Based on policy, either raise defect or call register_defect. -diff --git a/Lib/email/errors.py b/Lib/email/errors.py -index 3ad0056..02aa5ec 100644 ---- a/Lib/email/errors.py -+++ b/Lib/email/errors.py -@@ -29,6 +29,10 @@ class CharsetError(MessageError): - """An illegal charset was given.""" - - -+class HeaderWriteError(MessageError): -+ """Error while writing headers.""" -+ -+ - # These are parsing defects which the parser was able to work around. - class MessageDefect(ValueError): - """Base class for a message defect.""" -diff --git a/Lib/email/generator.py b/Lib/email/generator.py -index 7ccbe10..ea87ad2 100644 ---- a/Lib/email/generator.py -+++ b/Lib/email/generator.py -@@ -14,12 +14,14 @@ import random - from copy import deepcopy - from io import StringIO, BytesIO - from email.utils import _has_surrogates -+from email.errors import HeaderWriteError - - UNDERSCORE = '_' - NL = '\n' # XXX: no longer used by the code below. - - NLCRE = re.compile(r'\r\n|\r|\n') - fcre = re.compile(r'^From ', re.MULTILINE) -+NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') - - - class Generator: -@@ -222,7 +224,16 @@ class Generator: - - def _write_headers(self, msg): - for h, v in msg.raw_items(): -- self.write(self.policy.fold(h, v)) -+ folded = self.policy.fold(h, v) -+ if self.policy.verify_generated_headers: -+ linesep = self.policy.linesep -+ if not folded.endswith(self.policy.linesep): -+ raise HeaderWriteError( -+ f'folded header does not end with {linesep!r}: {folded!r}') -+ if NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)): -+ raise HeaderWriteError( -+ f'folded header contains newline: {folded!r}') -+ self.write(folded) - # A blank line always separates headers from body - self.write(self._NL) - -diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py -index 89e7ede..d29400f 100644 ---- a/Lib/test/test_email/test_generator.py -+++ b/Lib/test/test_email/test_generator.py -@@ -6,6 +6,7 @@ from email.message import EmailMessage - from email.generator import Generator, BytesGenerator - from email.headerregistry import Address - from email import policy -+import email.errors - from test.test_email import TestEmailBase, parameterize - - -@@ -216,6 +217,44 @@ class TestGeneratorBase: - g.flatten(msg) - self.assertEqual(s.getvalue(), self.typ(expected)) - -+ def test_keep_encoded_newlines(self): -+ msg = self.msgmaker(self.typ(textwrap.dedent("""\ -+ To: nobody -+ Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com -+ -+ None -+ """))) -+ expected = textwrap.dedent("""\ -+ To: nobody -+ Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com -+ -+ None -+ """) -+ s = self.ioclass() -+ g = self.genclass(s, policy=self.policy.clone(max_line_length=80)) -+ g.flatten(msg) -+ self.assertEqual(s.getvalue(), self.typ(expected)) -+ -+ def test_keep_long_encoded_newlines(self): -+ msg = self.msgmaker(self.typ(textwrap.dedent("""\ -+ To: nobody -+ Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com -+ -+ None -+ """))) -+ expected = textwrap.dedent("""\ -+ To: nobody -+ Subject: Bad subject -+ =?utf-8?q?=0A?=Bcc: -+ injection@example.com -+ -+ None -+ """) -+ s = self.ioclass() -+ g = self.genclass(s, policy=self.policy.clone(max_line_length=30)) -+ g.flatten(msg) -+ self.assertEqual(s.getvalue(), self.typ(expected)) -+ - - class TestGenerator(TestGeneratorBase, TestEmailBase): - -@@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, TestEmailBase): - ioclass = io.StringIO - typ = str - -+ def test_verify_generated_headers(self): -+ """gh-121650: by default the generator prevents header injection""" -+ class LiteralHeader(str): -+ name = 'Header' -+ def fold(self, **kwargs): -+ return self -+ -+ for text in ( -+ 'Value\r\nBad Injection\r\n', -+ 'NoNewLine' -+ ): -+ with self.subTest(text=text): -+ message = message_from_string( -+ "Header: Value\r\n\r\nBody", -+ policy=self.policy, -+ ) -+ -+ del message['Header'] -+ message['Header'] = LiteralHeader(text) -+ -+ with self.assertRaises(email.errors.HeaderWriteError): -+ message.as_string() -+ - - class TestBytesGenerator(TestGeneratorBase, TestEmailBase): - -diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py -index e87c275..ff1ddf7 100644 ---- a/Lib/test/test_email/test_policy.py -+++ b/Lib/test/test_email/test_policy.py -@@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase): - 'raise_on_defect': False, - 'mangle_from_': True, - 'message_factory': None, -+ 'verify_generated_headers': True, - } - # These default values are the ones set on email.policy.default. - # If any of these defaults change, the docs must be updated. -@@ -277,6 +278,31 @@ class PolicyAPITests(unittest.TestCase): - with self.assertRaises(email.errors.HeaderParseError): - policy.fold("Subject", subject) - -+ def test_verify_generated_headers(self): -+ """Turning protection off allows header injection""" -+ policy = email.policy.default.clone(verify_generated_headers=False) -+ for text in ( -+ 'Header: Value\r\nBad: Injection\r\n', -+ 'Header: NoNewLine' -+ ): -+ with self.subTest(text=text): -+ message = email.message_from_string( -+ "Header: Value\r\n\r\nBody", -+ policy=policy, -+ ) -+ class LiteralHeader(str): -+ name = 'Header' -+ def fold(self, **kwargs): -+ return self -+ -+ del message['Header'] -+ message['Header'] = LiteralHeader(text) -+ -+ self.assertEqual( -+ message.as_string(), -+ f"{text}\nBody", -+ ) -+ - # XXX: Need subclassing tests. - # For adding subclassed objects, make sure the usual rules apply (subclass - # wins), but that the order still works (right overrides left). -diff --git a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst -new file mode 100644 -index 0000000..83dd28d ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst -@@ -0,0 +1,5 @@ -+:mod:`email` headers with embedded newlines are now quoted on output. The -+:mod:`~email.generator` will now refuse to serialize (write) headers that -+are unsafely folded or delimited; see -+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas -+Bloemsaat and Petr Viktorin in :gh:`121650`.) --- -2.45.2 - diff --git a/SOURCES/Python-3.12.1.tar.xz.asc b/SOURCES/Python-3.12.1.tar.xz.asc deleted file mode 100644 index e695d62..0000000 --- a/SOURCES/Python-3.12.1.tar.xz.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmVyMspfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx -Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6 -YwWv5w/+JlGtfy+x+6mtauH1uOkt7n9PMQou1LcthDs5s41wuwjO7RbwnmJD6aDk -DqwLHheoq6Kjbl6PF1kG2T8ZbHkMudhnc5yH4eQG52IGNQ6evilxoC6AyhVg8ANi -+u6Juh9r2Hjz/LDWFB4hzwcOBKy0jYw98+A0uMvpPd2bmdFMBLQE0GTZCdrRsGYs -q0oysUX7uCJBfINp7XwiVGAK/6ma0nrr0A1ho6LCau+VGkDnJZdKZgIMyyxp6qL1 -7tMjb3LUpV3FWp57L2za59TaayApNf5BlanC+de6oKEhEJ8oEFyWxOx2GmXHZwch -ucj7Z1dxuI7fjNVkEvZ+JuheLGtB9mAmUZslXgUJf5wo49bCo9E4/ZlIFQk7VJR3 -Bm9VlQb5mMydB8QJbMy/BpgNjgKmEvBTnir37prJpUV/TL1YZT0eZ5JxCnlUIL/F -6cOzAE3zHPnvHcyHhKV3q5CoONdBtB3RWgS66m4eMneuWoNKaoEbO5IDxtKvCd1J -AKLmzCB0/KCWVUIYBTfJ8ytBVQA0Z2w8CZ7SC8asX4DocDCvxim1sQg5s8c4mzh+ -1JVbyqqEmf9m74Mqby0vICC6UVvgaPyiOxTphtRXLIYHUscLVn5+586RMYnM9nP4 -nEK+H/fq6Rcp1XEtIPzCG4IPUAYnuDLjbGQegltpKV/SAYn+DGg= -=dCpy ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.12.5.tar.xz.asc b/SOURCES/Python-3.12.5.tar.xz.asc new file mode 100644 index 0000000..b8c4cf1 --- /dev/null +++ b/SOURCES/Python-3.12.5.tar.xz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmayiFtfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx +Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6 +YwUr4g//VyVs9tvbtiSp8pGe8f1gYErEw54r124sL/CBuNii8Irts1j5ymGxcm+l +hshPK5UlqRnhd5dCJWFTvLTXa5Ko2R1L3JyyxfGd1hmDuMhrWsDHijI0R7L/mGM5 +6X2LTaadBVNvk8HaNKvR8SEWvo68rdnOuYElFA9ir7uqwjO26ZWz9FfH80YDGwo8 +Blef2NYw8rNhiaZMFV0HYV7D+YyUAZnFNfW8M7Fd4oskUyj1tD9J89T9FFLYN09d +BcCIf+EdiEfqRpKxH89bW2g52kDrm4jYGONtpyF8eruyS3YwYSbvbuWioBYKmlxC +s51mieXz6G325GTZnmPxLek3ywPv6Gil9y0wH3fIr2BsWsmXust4LBpjDGt56Fy6 +seokGBg8xzsBSk3iEqNoFmNsy/QOiuCcDejX4XqBDNodOlETQPJb07TkTI2iOmg9 +NG4Atiz1HvGVxK68UuK9IIcNHyaWUmH8h4VQFGvc6KV6feP5Nm21Y12PZ5XIqJBO +Y8M/VJIJ5koaNPQfnBbbI5YBkUr4BVpIXIpY5LM/L5sUo2C3R7hMi0VGK88HGfSQ +KV4JmZgf6RMBNmrWY12sryS1QQ6q3P110GTUGQWB3sxxNbhmfcrK+4viqHc83yDz +ifmk33HuqaQGU7OzUMHeNcoCJIPo3H1FpoHOn9wLLCtA1pT+as4= +=t0Rk +-----END PGP SIGNATURE----- diff --git a/SPECS/python3.12.spec b/SPECS/python3.12.spec index 5fdc403..96b716b 100644 --- a/SPECS/python3.12.spec +++ b/SPECS/python3.12.spec @@ -16,12 +16,12 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.1 +%global general_version %{pybasever}.5 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 4%{?dist}.4 -License: Python +Release: 2%{?dist}.1 +License: Python-2.0.1 # ================================== @@ -66,36 +66,31 @@ License: Python # If the rpmwheels condition is disabled, we use the bundled wheel packages # from Python with the versions below. # This needs to be manually updated when we update Python. -%global pip_version 23.2.1 +%global pip_version 24.2 %global setuptools_version 67.6.1 %global wheel_version 0.40.0 # All of those also include a list of indirect bundled libs: # pip # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) %global pip_bundled_provides %{expand: -Provides: bundled(python3dist(cachecontrol)) = 0.12.11 -Provides: bundled(python3dist(certifi)) = 2023.5.7 -Provides: bundled(python3dist(chardet)) = 5.1 -Provides: bundled(python3dist(colorama)) = 0.4.6 -Provides: bundled(python3dist(distlib)) = 0.3.6 -Provides: bundled(python3dist(distro)) = 1.8 -Provides: bundled(python3dist(idna)) = 3.4 -Provides: bundled(python3dist(msgpack)) = 1.0.5 -Provides: bundled(python3dist(packaging)) = 21.3 -Provides: bundled(python3dist(platformdirs)) = 3.8.1 -Provides: bundled(python3dist(pygments)) = 2.15.1 -Provides: bundled(python3dist(pyparsing)) = 3.1 +Provides: bundled(python3dist(cachecontrol)) = 0.14 +Provides: bundled(python3dist(certifi)) = 2024.7.4 +Provides: bundled(python3dist(distlib)) = 0.3.8 +Provides: bundled(python3dist(distro)) = 1.9 +Provides: bundled(python3dist(idna)) = 3.7 +Provides: bundled(python3dist(msgpack)) = 1.0.8 +Provides: bundled(python3dist(packaging)) = 24.1 +Provides: bundled(python3dist(platformdirs)) = 4.2.2 +Provides: bundled(python3dist(pygments)) = 2.18 Provides: bundled(python3dist(pyproject-hooks)) = 1 -Provides: bundled(python3dist(requests)) = 2.31 +Provides: bundled(python3dist(requests)) = 2.32.3 Provides: bundled(python3dist(resolvelib)) = 1.0.1 -Provides: bundled(python3dist(rich)) = 13.4.2 -Provides: bundled(python3dist(setuptools)) = 68 -Provides: bundled(python3dist(six)) = 1.16 -Provides: bundled(python3dist(tenacity)) = 8.2.2 +Provides: bundled(python3dist(rich)) = 13.7.1 +Provides: bundled(python3dist(setuptools)) = 70.3 Provides: bundled(python3dist(tomli)) = 2.0.1 -Provides: bundled(python3dist(typing-extensions)) = 4.7.1 -Provides: bundled(python3dist(urllib3)) = 1.26.16 -Provides: bundled(python3dist(webencodings)) = 0.5.1 +Provides: bundled(python3dist(truststore)) = 0.9.1 +Provides: bundled(python3dist(typing-extensions)) = 4.12.2 +Provides: bundled(python3dist(urllib3)) = 1.26.18 } # setuptools # vendor.txt files not in .whl @@ -116,7 +111,7 @@ Provides: bundled(python3dist(typing-extensions)) = 4.4 Provides: bundled(python3dist(zipp)) = 3.7 } # wheel -# $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt) +# $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt) %global wheel_bundled_provides %{expand: Provides: bundled(python3dist(packaging)) = 23 } @@ -200,6 +195,13 @@ Provides: bundled(python3dist(packaging)) = 23 %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION} %global py_INSTSONAME_debug libpython%{LDVERSION_debug}.so.%{py_SOVERSION} +# The -O flag for the compiler, optimized builds +# https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3 +%global optflags_optimized -O3 +# The -O flag for the compiler, debug builds +# -Wno-cpp avoids some warnings with -O0 +%global optflags_debug -O0 -Wno-cpp + # Disable automatic bytecompilation. The python3 binary is not yet be # available in /usr/bin when Python is built. Also, the bytecompilation fails # on files that test invalid syntax. @@ -386,42 +388,18 @@ Patch397: 00397-tarfile-filter.patch Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch # 00422 # a353cebef737c41420dc7ae2469dd657371b8881 -# gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 +# Fix tests for XMLPullParser with Expat 2.6.0 # # Feeding the parser by too small chunks defers parsing to prevent # CVE-2023-52425. Future versions of Expat may be more reactive. -Patch422: 00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch - -# 00435 # -# Security fix for CVE-2024-6923 -# gh-121650: Encode newlines in headers, and verify headers are sound -# -# Encode header parts that contain newlines -# -# Per RFC 2047: -# -# > [...] these encoding schemes allow the -# > encoding of arbitrary octet values, mail readers that implement this -# > decoding should also ensure that display of the decoded data on the -# > recipient's terminal will not cause unwanted side-effects -# -# It seems that the "quoted-word" scheme is a valid way to include -# a newline character in a header value, just like we already allow -# undecodable bytes or control characters. -# They do need to be properly quoted when serialized to text, though. -# -# Verify that email headers are well-formed -# -# This should fail for custom fold() implementations that aren't careful about newlines. -# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2302255 -# Resolved upstream: https://github.com/python/cpython/issues/121650 -Patch435: 00435-CVE-2024-6923.patch +Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch # 00436 # c76cc2aa3a2c30375ade4859b732ada851cc89ed # [CVE-2024-8088] gh-122905: Sanitize names in zipfile.Path. Patch436: 00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch -# CVE-2024-6232: Remove backtracking when parsing tarfile headers +# 00437 # +# CVE-2024-6232: gh-121285: Remove backtracking when parsing tarfile headers # Resolved upstream: https://github.com/python/cpython/issues/121285 Patch437: 00437-CVE-2024-6232.patch @@ -750,13 +728,13 @@ The debug runtime additionally supports debug builds of C-API extensions # setuptools.whl does not contain the vendored.txt files if [ -f %{_rpmconfigdir}/pythonbundles.py ]; then %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) --compare-with '%pip_bundled_provides' - %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt) --compare-with '%wheel_bundled_provides' + %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt) --compare-with '%wheel_bundled_provides' fi %if %{with rpmwheels} rm Lib/ensurepip/_bundled/pip-%{pip_version}-py3-none-any.whl -rm Lib/test/setuptools-%{setuptools_version}-py3-none-any.whl -rm Lib/test/wheel-%{wheel_version}-py3-none-any.whl +rm Lib/test/wheeldata/setuptools-%{setuptools_version}-py3-none-any.whl +rm Lib/test/wheeldata/wheel-%{wheel_version}-py3-none-any.whl %endif # Remove all exe files to ensure we are not shipping prebuilt binaries @@ -835,6 +813,7 @@ BuildPython() { ConfName=$1 ExtraConfigArgs=$2 MoreCFlags=$3 + MoreCFlagsNodist=$4 # Each build is done in its own directory ConfDir=build/$ConfName @@ -874,7 +853,7 @@ BuildPython() { $ExtraConfigArgs \ %{nil} -%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags" +%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist" %if %{without bootstrap} # Regenerate generated files (needs python3) @@ -897,12 +876,14 @@ BuildPython() { # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857 BuildPython debug \ "--without-ensurepip --with-pydebug" \ - "-O0 -Wno-cpp" + "%{optflags_debug}" \ + "" %endif # with debug_build BuildPython optimized \ "--without-ensurepip %{optimizations_flag}" \ - "" + "" \ + "%{optflags_optimized}" # ====================================================== # Installing the built code: @@ -1007,7 +988,7 @@ EOF %if %{with debug_build} InstallPython debug \ %{py_INSTSONAME_debug} \ - -O0 \ + "%{optflags_debug}" \ %{LDVERSION_debug} %endif # with debug_build @@ -1382,10 +1363,6 @@ CheckPython optimized %{dynload_dir}/termios.%{SOABI_optimized}.so %{dynload_dir}/unicodedata.%{SOABI_optimized}.so %{dynload_dir}/_uuid.%{SOABI_optimized}.so -%{dynload_dir}/xxlimited.%{SOABI_optimized}.so -%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so -%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so -%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so %{dynload_dir}/zlib.%{SOABI_optimized}.so %{dynload_dir}/_zoneinfo.%{SOABI_optimized}.so @@ -1486,12 +1463,6 @@ CheckPython optimized %{pylibdir}/zoneinfo -%dir %{pylibdir}/__phello__/ -%dir %{pylibdir}/__phello__/__pycache__/ -%{pylibdir}/__phello__/__init__.py -%{pylibdir}/__phello__/spam.py -%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes} - %if "%{_lib}" == "lib64" %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever} %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages @@ -1586,7 +1557,17 @@ CheckPython optimized %{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so %{dynload_dir}/_testsinglephase.%{SOABI_optimized}.so %{dynload_dir}/_xxinterpchannels.%{SOABI_optimized}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so +%{dynload_dir}/xxlimited.%{SOABI_optimized}.so +%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so +%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so + +%dir %{pylibdir}/__phello__/ +%dir %{pylibdir}/__phello__/__pycache__/ +%{pylibdir}/__phello__/__init__.py +%{pylibdir}/__phello__/spam.py +%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes} # We don't bother splitting the debug build out into further subpackages: # if you need it, you're probably a developer. @@ -1668,10 +1649,6 @@ CheckPython optimized %{dynload_dir}/termios.%{SOABI_debug}.so %{dynload_dir}/unicodedata.%{SOABI_debug}.so %{dynload_dir}/_uuid.%{SOABI_debug}.so -%{dynload_dir}/xxlimited.%{SOABI_debug}.so -%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so -%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so -%{dynload_dir}/xxsubtype.%{SOABI_debug}.so %{dynload_dir}/zlib.%{SOABI_debug}.so %{dynload_dir}/_zoneinfo.%{SOABI_debug}.so @@ -1708,7 +1685,11 @@ CheckPython optimized %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so %{dynload_dir}/_testsinglephase.%{SOABI_debug}.so %{dynload_dir}/_xxinterpchannels.%{SOABI_debug}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so +%{dynload_dir}/xxlimited.%{SOABI_debug}.so +%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so +%{dynload_dir}/xxsubtype.%{SOABI_debug}.so %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes} @@ -1736,25 +1717,55 @@ CheckPython optimized # ====================================================== %changelog -* Mon Oct 07 2024 Arti Agrawal - 3.12.1-4.4 +* Wed Sep 11 2024 Lumír Balhar - 3.12.5-2.1 - Security fix for CVE-2024-6232 -Resolves: RHEL-57416 +Resolves: RHEL-57415 -* Fri Aug 23 2024 Charalampos Stratakis - 3.12.1-4.3 +* Fri Aug 23 2024 Charalampos Stratakis - 3.12.5-2 - Security fix for CVE-2024-8088 -Resolves: RHEL-55964 +Resolves: RHEL-55963 -* Mon Aug 12 2024 Charalampos Stratakis - 3.12.1-4.2 +* Wed Aug 07 2024 Tomáš Hrnčiar - 3.12.5-1 +- Update to 3.12.5 - Security fix for CVE-2024-6923 -Resolves: RHEL-53087 +Resolves: RHEL-53041 -* Wed Jul 24 2024 MSVSphere Packaging Team - 3.12.1-4.1 +* Thu Jul 25 2024 Charalampos Stratakis - 3.12.4-3 +- Properly propagate the optimization flags to C extensions + +* Wed Jul 24 2024 MSVSphere Packaging Team - 3.12.4-2 - Rebuilt for MSVSphere 9.4 -* Fri May 03 2024 Lumír Balhar - 3.12.1-4.1 -- Fix tests for XMLPullParser with Expat with fixed CVE +* Wed Jul 17 2024 Charalampos Stratakis - 3.12.4-2 +- Build Python with -O3 +- https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3 + +* Fri Jun 28 2024 Tomáš Hrnčiar - 3.12.4-1 +- Update to 3.12.4 +Resolves: RHEL-44103 + +* Tue Jun 11 2024 Charalampos Stratakis - 3.12.3-2 - Enable importing of hash-based .pyc files under FIPS mode -Resolves: RHEL-40773 +Resolves: RHEL-40772 + +* Fri May 03 2024 Lumír Balhar - 3.12.3-1 +- Update to 3.12.3 +Related: RHEL-33690 + +* Fri May 03 2024 Lumír Balhar - 3.12.2-3 +- Move all test modules to the python3-test package, namely: + - __phello__ + - _xxsubinterpreters + - xxlimited + - xxlimited_35 + - xxsubtype + +* Fri May 03 2024 Lumír Balhar - 3.12.2-2 +- Fix tests for XMLPullParser with Expat with fixed CVE + +* Fri May 03 2024 Lumír Balhar - 3.12.2-1 +- Update to 3.12.2 +Resolves: RHEL-33690 * Mon Feb 19 2024 Charalampos Stratakis - 3.12.1-4 - Add Red Hat configuration for CVE-2007-4559