import python3.12-3.12.5-2.el9

c9-beta imports/c9-beta/python3.12-3.12.5-2.el9
MSVSphere Packaging Team 3 months ago
parent c80812f9e8
commit c23fa10ea2
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

2
.gitignore vendored

@ -1 +1 @@
SOURCES/Python-3.12.1.tar.xz SOURCES/Python-3.12.5.tar.xz

@ -1 +1 @@
5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz d9b83c17a717e1cbd3ab6bd14cfe3e508e6d87b2 SOURCES/Python-3.12.5.tar.xz

@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
3 files changed, 71 insertions(+), 4 deletions(-) 3 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/Lib/site.py b/Lib/site.py diff --git a/Lib/site.py b/Lib/site.py
index 672fa7b000..0a9c5be53e 100644 index 924cfbecec..e2871ecc89 100644
--- a/Lib/site.py --- a/Lib/site.py
+++ b/Lib/site.py +++ b/Lib/site.py
@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None): @@ -398,8 +398,15 @@ def getsitepackages(prefixes=None):
return sitepackages return sitepackages
def addsitepackages(known_paths, prefixes=None): def addsitepackages(known_paths, prefixes=None):
@ -129,7 +129,7 @@ index 122d441bd1..2d354a11da 100644
# On Windows we want to substitute 'lib' for schemes rather # On Windows we want to substitute 'lib' for schemes rather
# than the native value (without modifying vars, in case it # than the native value (without modifying vars, in case it
diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
index b6dbf3d52c..4f06a7673c 100644 index 1137c2032b..8fc2b84f52 100644
--- a/Lib/test/test_sysconfig.py --- a/Lib/test/test_sysconfig.py
+++ b/Lib/test/test_sysconfig.py +++ b/Lib/test/test_sysconfig.py
@@ -110,8 +110,19 @@ def test_get_path(self): @@ -110,8 +110,19 @@ def test_get_path(self):
@ -153,7 +153,7 @@ index b6dbf3d52c..4f06a7673c 100644
os.path.normpath(expected), os.path.normpath(expected),
) )
@@ -335,7 +346,7 @@ def test_get_config_h_filename(self): @@ -344,7 +355,7 @@ def test_get_config_h_filename(self):
self.assertTrue(os.path.isfile(config_h), config_h) self.assertTrue(os.path.isfile(config_h), config_h)
def test_get_scheme_names(self): def test_get_scheme_names(self):
@ -162,7 +162,7 @@ index b6dbf3d52c..4f06a7673c 100644
if HAS_USER_BASE: if HAS_USER_BASE:
wanted.extend(['nt_user', 'osx_framework_user', 'posix_user']) wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
self.assertEqual(get_scheme_names(), tuple(sorted(wanted))) self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880 @@ -356,6 +367,8 @@ def test_symlink(self): # Issue 7880
cmd = "-c", "import sysconfig; print(sysconfig.get_platform())" cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
self.assertEqual(py.call_real(*cmd), py.call_link(*cmd)) self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))

@ -1,7 +1,7 @@
From 5cedde59cde3f05af798a7cb5bc722cb0deb4835 Mon Sep 17 00:00:00 2001 From 43ce74d971fad62db6ccd723fe6b01da9c7ff407 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com> From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 12 Dec 2019 16:58:31 +0100 Date: Thu, 12 Dec 2019 16:58:31 +0100
Subject: [PATCH 1/6] Expose blake2b and blake2s hashes from OpenSSL Subject: [PATCH 1/5] Expose blake2b and blake2s hashes from OpenSSL
These aren't as powerful as Python's own implementation, but they can be These aren't as powerful as Python's own implementation, but they can be
used under FIPS. used under FIPS.
@ -251,13 +251,13 @@ index fb61a44..1e42b87 100644
-/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/ -/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/ +/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/
-- --
2.43.0 2.45.0
From 2a12baa9e201f54560ec99ad5ee1fa5b0006aa39 Mon Sep 17 00:00:00 2001 From 6872b634078a2c69644235781ebffb07f8edcb83 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com> From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 17:19:06 +0200 Date: Thu, 25 Jul 2019 17:19:06 +0200
Subject: [PATCH 2/6] Disable Python's hash implementations in FIPS mode, Subject: [PATCH 2/5] Disable Python's hash implementations in FIPS mode,
forcing OpenSSL forcing OpenSSL
--- ---
@ -445,10 +445,10 @@ index a8bad9d..1b1d937 100644
+ if (_Py_hashlib_fips_error(exc, name)) return NULL; \ + if (_Py_hashlib_fips_error(exc, name)) return NULL; \
+} while (0) +} while (0)
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 1876f77..1875d1e 100644 index 65ad1c2..b5f9ab5 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -7439,7 +7439,8 @@ PY_STDLIB_MOD([_sha2], @@ -7463,7 +7463,8 @@ PY_STDLIB_MOD([_sha2],
PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes]) PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes])
PY_STDLIB_MOD([_blake2], PY_STDLIB_MOD([_blake2],
[test "$with_builtin_blake2" = yes], [], [test "$with_builtin_blake2" = yes], [],
@ -459,13 +459,13 @@ index 1876f77..1875d1e 100644
PY_STDLIB_MOD([_crypt], PY_STDLIB_MOD([_crypt],
[], [test "$ac_cv_crypt_crypt" = yes], [], [test "$ac_cv_crypt_crypt" = yes],
-- --
2.43.0 2.45.0
From bca05b7fdb8dcab21ef80db1d59dd5daa835d84b Mon Sep 17 00:00:00 2001 From f904abdd7a607282c2cdfd18288045cedfa28414 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com> From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 29 Jan 2021 14:16:21 +0100 Date: Fri, 29 Jan 2021 14:16:21 +0100
Subject: [PATCH 3/6] Use python's fall back crypto implementations only if we Subject: [PATCH 3/5] Use python's fall back crypto implementations only if we
are not in FIPS mode are not in FIPS mode
--- ---
@ -552,13 +552,13 @@ index dd61a9a..6031b02 100644
get_builtin_constructor = getattr(hashlib, get_builtin_constructor = getattr(hashlib,
'__get_builtin_constructor') '__get_builtin_constructor')
-- --
2.43.0 2.45.0
From c9a79f0aafd28677e3e0b8a1f6410105a71ff071 Mon Sep 17 00:00:00 2001 From 9bf0a53b7831409613c44fd7feecb56476f5e5e7 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com> From: Charalampos Stratakis <cstratak@redhat.com>
Date: Wed, 31 Jul 2019 15:43:43 +0200 Date: Wed, 31 Jul 2019 15:43:43 +0200
Subject: [PATCH 4/6] Test equivalence of hashes for the various digests with Subject: [PATCH 4/5] Test equivalence of hashes for the various digests with
usedforsecurity=True/False usedforsecurity=True/False
--- ---
@ -712,13 +712,13 @@ index 6031b02..5bd5297 100644
class KDFTests(unittest.TestCase): class KDFTests(unittest.TestCase):
-- --
2.43.0 2.45.0
From e972a838729ea84a0f2e0ca8e88ae1bfc129e7d8 Mon Sep 17 00:00:00 2001 From 8a76571515a64a57b4ea0586ae8376cf2ef0ac60 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com> From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:39:48 +0200 Date: Mon, 26 Aug 2019 19:39:48 +0200
Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode Subject: [PATCH 5/5] Guard against Python HMAC in FIPS mode
--- ---
Lib/hmac.py | 13 +++++++++---- Lib/hmac.py | 13 +++++++++----
@ -726,7 +726,7 @@ Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode
2 files changed, 19 insertions(+), 4 deletions(-) 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/Lib/hmac.py b/Lib/hmac.py diff --git a/Lib/hmac.py b/Lib/hmac.py
index 8b4f920..20ef96c 100644 index 8b4eb2f..e8e4864 100644
--- a/Lib/hmac.py --- a/Lib/hmac.py
+++ b/Lib/hmac.py +++ b/Lib/hmac.py
@@ -16,8 +16,9 @@ else: @@ -16,8 +16,9 @@ else:
@ -750,7 +750,7 @@ index 8b4f920..20ef96c 100644
raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__) raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
if not digestmod: if not digestmod:
raise TypeError("Missing required parameter 'digestmod'.") raise TypeError("Missing required argument 'digestmod'.")
- if _hashopenssl and isinstance(digestmod, (str, _functype)): - if _hashopenssl and isinstance(digestmod, (str, _functype)):
+ if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))): + if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))):
@ -773,7 +773,7 @@ index 8b4f920..20ef96c 100644
digest_cons = digestmod digest_cons = digestmod
elif isinstance(digestmod, str): elif isinstance(digestmod, str):
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index a39a2c4..b7b24ab 100644 index 1502fba..7997073 100644
--- a/Lib/test/test_hmac.py --- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py
@@ -5,6 +5,7 @@ import hashlib @@ -5,6 +5,7 @@ import hashlib
@ -812,7 +812,7 @@ index a39a2c4..b7b24ab 100644
@unittest.skipUnless(sha256_module is not None, 'need _sha256') @unittest.skipUnless(sha256_module is not None, 'need _sha256')
def test_with_sha256_module(self): def test_with_sha256_module(self):
h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256) h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256)
@@ -481,6 +489,7 @@ class SanityTestCase(unittest.TestCase): @@ -489,6 +497,7 @@ class UpdateTestCase(unittest.TestCase):
class CopyTestCase(unittest.TestCase): class CopyTestCase(unittest.TestCase):
@ -820,7 +820,7 @@ index a39a2c4..b7b24ab 100644
@hashlib_helper.requires_hashdigest('sha256') @hashlib_helper.requires_hashdigest('sha256')
def test_attributes_old(self): def test_attributes_old(self):
# Testing if attributes are of same type. # Testing if attributes are of same type.
@@ -492,6 +501,7 @@ class CopyTestCase(unittest.TestCase): @@ -500,6 +509,7 @@ class CopyTestCase(unittest.TestCase):
self.assertEqual(type(h1._outer), type(h2._outer), self.assertEqual(type(h1._outer), type(h2._outer),
"Types of outer don't match.") "Types of outer don't match.")
@ -829,270 +829,5 @@ index a39a2c4..b7b24ab 100644
def test_realcopy_old(self): def test_realcopy_old(self):
# Testing if the copy method created a real copy. # Testing if the copy method created a real copy.
-- --
2.43.0 2.45.0
From b12202196a78b877dcd32cfea273051b60038a41 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 25 Aug 2021 16:44:43 +0200
Subject: [PATCH 6/6] Disable hash-based PYCs in FIPS mode
If FIPS mode is on, we can't use siphash-based HMAC
(_Py_KeyedHash), so:
- Unchecked hash PYCs can be imported, but not created
- Checked hash PYCs can not be imported nor created
- The default mode is timestamp-based PYCs, even if
SOURCE_DATE_EPOCH is set.
If FIPS mode is off, there are no changes in behavior.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
---
Lib/py_compile.py | 4 +++-
Lib/test/support/__init__.py | 14 +++++++++++++
Lib/test/test_cmd_line_script.py | 2 ++
Lib/test/test_compileall.py | 11 +++++++++-
.../test_importlib/source/test_file_loader.py | 6 ++++++
Lib/test/test_py_compile.py | 11 ++++++++--
Lib/test/test_zipimport.py | 2 ++
Python/import.c | 20 +++++++++++++++++++
8 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/Lib/py_compile.py b/Lib/py_compile.py
index 388614e..fd9a139 100644
--- a/Lib/py_compile.py
+++ b/Lib/py_compile.py
@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
def _get_default_invalidation_mode():
- if os.environ.get('SOURCE_DATE_EPOCH'):
+ import _hashlib
+ if (os.environ.get('SOURCE_DATE_EPOCH') and not
+ _hashlib.get_fips_mode()):
return PycInvalidationMode.CHECKED_HASH
else:
return PycInvalidationMode.TIMESTAMP
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
index fd9265c..fcd1ea7 100644
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -2346,6 +2346,20 @@ def sleeping_retry(timeout, err_msg=None, /,
delay = min(delay * 2, max_delay)
+def fails_in_fips_mode(expected_error):
+ import _hashlib
+ if _hashlib.get_fips_mode():
+ def _decorator(func):
+ def _wrapper(self, *args, **kwargs):
+ with self.assertRaises(expected_error):
+ func(self, *args, **kwargs)
+ return _wrapper
+ else:
+ def _decorator(func):
+ return func
+ return _decorator
+
+
@contextlib.contextmanager
def adjust_int_max_str_digits(max_digits):
"""Temporarily change the integer string conversion length limit."""
diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
index 1b58882..d6caff1 100644
--- a/Lib/test/test_cmd_line_script.py
+++ b/Lib/test/test_cmd_line_script.py
@@ -286,6 +286,7 @@ class CmdLineTest(unittest.TestCase):
self._check_script(zip_name, run_name, zip_name, zip_name, '',
zipimport.zipimporter)
+ @support.fails_in_fips_mode(ImportError)
def test_zipfile_compiled_checked_hash(self):
with os_helper.temp_dir() as script_dir:
script_name = _make_test_script(script_dir, '__main__')
@@ -296,6 +297,7 @@ class CmdLineTest(unittest.TestCase):
self._check_script(zip_name, run_name, zip_name, zip_name, '',
zipimport.zipimporter)
+ @support.fails_in_fips_mode(ImportError)
def test_zipfile_compiled_unchecked_hash(self):
with os_helper.temp_dir() as script_dir:
script_name = _make_test_script(script_dir, '__main__')
diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
index 9cd92ad..4ec29a1 100644
--- a/Lib/test/test_compileall.py
+++ b/Lib/test/test_compileall.py
@@ -806,14 +806,23 @@ class CommandLineTestsBase:
out = self.assertRunOK('badfilename')
self.assertRegex(out, b"Can't list 'badfilename'")
- def test_pyc_invalidation_mode(self):
+ @support.fails_in_fips_mode(AssertionError)
+ def test_pyc_invalidation_mode_checked(self):
script_helper.make_script(self.pkgdir, 'f1', '')
pyc = importlib.util.cache_from_source(
os.path.join(self.pkgdir, 'f1.py'))
+
self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
with open(pyc, 'rb') as fp:
data = fp.read()
self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
+
+ @support.fails_in_fips_mode(AssertionError)
+ def test_pyc_invalidation_mode_unchecked(self):
+ script_helper.make_script(self.pkgdir, 'f1', '')
+ pyc = importlib.util.cache_from_source(
+ os.path.join(self.pkgdir, 'f1.py'))
+
self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
with open(pyc, 'rb') as fp:
data = fp.read()
diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
index f35adec..62087c6 100644
--- a/Lib/test/test_importlib/source/test_file_loader.py
+++ b/Lib/test/test_importlib/source/test_file_loader.py
@@ -16,6 +16,7 @@ import types
import unittest
import warnings
+from test import support
from test.support.import_helper import make_legacy_pyc, unload
from test.test_py_compile import without_source_date_epoch
@@ -237,6 +238,7 @@ class SimpleTest(abc.LoaderTests):
loader.load_module('bad name')
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_checked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping:
source = mapping['_temp']
@@ -268,6 +270,7 @@ class SimpleTest(abc.LoaderTests):
)
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_overridden_checked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping, \
unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
@@ -293,6 +296,7 @@ class SimpleTest(abc.LoaderTests):
self.assertEqual(mod.state, 'old')
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_unchecked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping:
source = mapping['_temp']
@@ -323,6 +327,7 @@ class SimpleTest(abc.LoaderTests):
)
@util.writes_bytecode_files
+ @support.fails_in_fips_mode(ImportError)
def test_overridden_unchecked_hash_based_pyc(self):
with util.create_modules('_temp') as mapping, \
unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
@@ -432,6 +437,7 @@ class BadBytecodeTest:
del_source=del_source)
test('_temp', mapping, bc_path)
+ @support.fails_in_fips_mode(ImportError)
def _test_partial_hash(self, test, *, del_source=False):
with util.create_modules('_temp') as mapping:
bc_path = self.manipulate_bytecode(
diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
index c4e6551..81fd962 100644
--- a/Lib/test/test_py_compile.py
+++ b/Lib/test/test_py_compile.py
@@ -141,13 +141,16 @@ class PyCompileTestsBase:
importlib.util.cache_from_source(bad_coding)))
def test_source_date_epoch(self):
+ import _hashlib
py_compile.compile(self.source_path, self.pyc_path)
self.assertTrue(os.path.exists(self.pyc_path))
self.assertFalse(os.path.exists(self.cache_path))
with open(self.pyc_path, 'rb') as fp:
flags = importlib._bootstrap_external._classify_pyc(
fp.read(), 'test', {})
- if os.environ.get('SOURCE_DATE_EPOCH'):
+ if _hashlib.get_fips_mode():
+ expected_flags = 0b00
+ elif os.environ.get('SOURCE_DATE_EPOCH'):
expected_flags = 0b11
else:
expected_flags = 0b00
@@ -178,7 +181,8 @@ class PyCompileTestsBase:
# Specifying optimized bytecode should lead to a path reflecting that.
self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
- def test_invalidation_mode(self):
+ @support.fails_in_fips_mode(ImportError)
+ def test_invalidation_mode_checked(self):
py_compile.compile(
self.source_path,
invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
@@ -187,6 +191,9 @@ class PyCompileTestsBase:
flags = importlib._bootstrap_external._classify_pyc(
fp.read(), 'test', {})
self.assertEqual(flags, 0b11)
+
+ @support.fails_in_fips_mode(ImportError)
+ def test_invalidation_mode_unchecked(self):
py_compile.compile(
self.source_path,
invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
index 14c1971..bcd1466 100644
--- a/Lib/test/test_zipimport.py
+++ b/Lib/test/test_zipimport.py
@@ -190,6 +190,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
TESTMOD + pyc_ext: (NOW, test_pyc)}
self.doTest(pyc_ext, files, TESTMOD)
+ @support.fails_in_fips_mode(ImportError)
def testUncheckedHashBasedPyc(self):
source = b"state = 'old'"
source_hash = importlib.util.source_hash(source)
@@ -204,6 +205,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
self.assertEqual(mod.state, 'old')
self.doTest(None, files, TESTMOD, call=check)
+ @support.fails_in_fips_mode(ImportError)
@unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
def test_checked_hash_based_change_pyc(self):
source = b"state = 'old'"
diff --git a/Python/import.c b/Python/import.c
index 54232a1..236786b 100644
--- a/Python/import.c
+++ b/Python/import.c
@@ -3829,6 +3829,26 @@ static PyObject *
_imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
/*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
{
+ PyObject *_hashlib = PyImport_ImportModule("_hashlib");
+ if (_hashlib == NULL) {
+ return NULL;
+ }
+ PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
+ Py_DECREF(_hashlib);
+ if (fips_mode_obj == NULL) {
+ return NULL;
+ }
+ int fips_mode = PyObject_IsTrue(fips_mode_obj);
+ Py_DECREF(fips_mode_obj);
+ if (fips_mode < 0) {
+ return NULL;
+ }
+ if (fips_mode) {
+ PyErr_SetString(
+ PyExc_ImportError,
+ "hash-based PYC validation (siphash24) not available in FIPS mode");
+ return NULL;
+ };
union {
uint64_t x;
char data[sizeof(uint64_t)];
--
2.43.0

@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730
2 files changed, 8 insertions(+), 50 deletions(-) 2 files changed, 8 insertions(+), 50 deletions(-)
diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
index 756d5e329f..5d09775efc 100644 index 2e4b860b97..3066b23ee1 100644
--- a/Lib/test/test_threading.py --- a/Lib/test/test_threading.py
+++ b/Lib/test/test_threading.py +++ b/Lib/test/test_threading.py
@@ -1007,39 +1007,6 @@ def noop(): pass @@ -1100,39 +1100,6 @@ def noop(): pass
threading.Thread(target=noop).start() threading.Thread(target=noop).start()
# Thread.join() is not called # Thread.join() is not called
@ -56,14 +56,14 @@ index 756d5e329f..5d09775efc 100644
- self.assertEqual(out, b'') - self.assertEqual(out, b'')
- self.assertEqual(err, b'') - self.assertEqual(err, b'')
- -
def test_start_new_thread_at_exit(self): def test_start_new_thread_at_finalization(self):
code = """if 1: code = """if 1:
import atexit import _thread
diff --git a/Lib/threading.py b/Lib/threading.py diff --git a/Lib/threading.py b/Lib/threading.py
index 8dcaf8ca6a..ed0b0f4632 100644 index 0bba85d08a..b256e3273f 100644
--- a/Lib/threading.py --- a/Lib/threading.py
+++ b/Lib/threading.py +++ b/Lib/threading.py
@@ -1586,29 +1586,20 @@ def _shutdown(): @@ -1587,29 +1587,20 @@ def _shutdown():
global _SHUTTING_DOWN global _SHUTTING_DOWN
_SHUTTING_DOWN = True _SHUTTING_DOWN = True

@ -1,19 +1,24 @@
From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001 From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com> From: Petr Viktorin <encukou@gmail.com>
Date: Mon, 6 Mar 2023 17:24:24 +0100 Date: Tue, 2 Jul 2024 11:40:37 +0200
Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
(downstream) (downstream)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add and test RHEL-specific ways of configuring the default behavior: environment Add and test RHEL-specific ways of configuring the default behavior: environment
variable and config file. variable and config file.
Co-Authored-By: Tomáš Hrnčiar <thrnciar@redhat.com>
--- ---
Lib/tarfile.py | 47 +++++++++++++-- Lib/tarfile.py | 47 +++++++++++--
Lib/test/test_shutil.py | 2 +- Lib/test/test_shutil.py | 2 +-
Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++- Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++--
3 files changed, 163 insertions(+), 9 deletions(-) 3 files changed, 185 insertions(+), 11 deletions(-)
diff --git a/Lib/tarfile.py b/Lib/tarfile.py diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index 02f5e3b..f7109f3 100755 index e1487e3..89b6843 100755
--- a/Lib/tarfile.py --- a/Lib/tarfile.py
+++ b/Lib/tarfile.py +++ b/Lib/tarfile.py
@@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError", @@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@ -30,7 +35,7 @@ index 02f5e3b..f7109f3 100755
#--------------------------------------------------------- #---------------------------------------------------------
# tar constants # tar constants
@@ -2217,11 +2224,41 @@ class TarFile(object): @@ -2218,11 +2225,41 @@ class TarFile(object):
if filter is None: if filter is None:
filter = self.extraction_filter filter = self.extraction_filter
if filter is None: if filter is None:
@ -38,7 +43,7 @@ index 02f5e3b..f7109f3 100755
- 'Python 3.14 will, by default, filter extracted tar ' - 'Python 3.14 will, by default, filter extracted tar '
- + 'archives and reject files or modify their metadata. ' - + 'archives and reject files or modify their metadata. '
- + 'Use the filter argument to control this behavior.', - + 'Use the filter argument to control this behavior.',
- DeprecationWarning) - DeprecationWarning, stacklevel=3)
+ name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER') + name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
+ if name is None: + if name is None:
+ try: + try:
@ -72,16 +77,16 @@ index 02f5e3b..f7109f3 100755
+ + 'and some mode bits are cleared. ' + + 'and some mode bits are cleared. '
+ + 'See https://access.redhat.com/articles/7004769 ' + + 'See https://access.redhat.com/articles/7004769 '
+ + 'for more details.', + + 'for more details.',
+ RuntimeWarning) + RuntimeWarning, stacklevel=3)
+ return tar_filter + return tar_filter
return fully_trusted_filter return fully_trusted_filter
if isinstance(filter, str): if isinstance(filter, str):
raise TypeError( raise TypeError(
diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
index 5fd8fb4..501da8f 100644 index 7bc5d12..88b4bdb 100644
--- a/Lib/test/test_shutil.py --- a/Lib/test/test_shutil.py
+++ b/Lib/test/test_shutil.py +++ b/Lib/test/test_shutil.py
@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase): @@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase):
self.check_unpack_archive(format, filter='fully_trusted') self.check_unpack_archive(format, filter='fully_trusted')
self.check_unpack_archive(format, filter='data') self.check_unpack_archive(format, filter='data')
with warnings_helper.check_warnings( with warnings_helper.check_warnings(
@ -91,10 +96,48 @@ index 5fd8fb4..501da8f 100644
def test_unpack_archive_tar(self): def test_unpack_archive_tar(self):
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index c5fc76d..397e334 100644 index 3fbd25e..9aa727e 100644
--- a/Lib/test/test_tarfile.py --- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py
@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest): @@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest):
tarfile.open(tarname, encoding="iso8859-1") as tar
):
directories = [t for t in tar if t.isdir()]
- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
+ with self.assertWarnsRegex(
+ RuntimeWarning,
+ re.escape(
+ 'The default behavior of tarfile extraction has been '
+ 'changed to disallow common exploits '
+ '(including CVE-2007-4559). '
+ 'By default, absolute/parent paths are disallowed '
+ 'and some mode bits are cleared. '
+ 'See https://access.redhat.com/articles/7004769 '
+ 'for more details.'
+ )) as cm:
tar.extractall(DIR, directories)
# check that the stacklevel of the deprecation warning is correct:
self.assertEqual(cm.filename, __file__)
@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest):
tarfile.open(tarname, encoding="iso8859-1") as tar
):
tarinfo = tar.getmember(dirtype)
- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
+ with self.assertWarnsRegex(
+ RuntimeWarning,
+ re.escape(
+ 'The default behavior of tarfile extraction has been '
+ 'changed to disallow common exploits '
+ '(including CVE-2007-4559). '
+ 'By default, absolute/parent paths are disallowed '
+ 'and some mode bits are cleared. '
+ 'See https://access.redhat.com/articles/7004769 '
+ 'for more details.'
+ )) as cm:
tar.extract(tarinfo, path=DIR)
# check that the stacklevel of the deprecation warning is correct:
self.assertEqual(cm.filename, __file__)
@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest):
tar.errorlevel = 0 tar.errorlevel = 0
with ExitStack() as cm: with ExitStack() as cm:
if cls.extraction_filter is None: if cls.extraction_filter is None:
@ -105,7 +148,7 @@ index c5fc76d..397e334 100644
tar.extractall(cls.control_dir, filter=cls.extraction_filter) tar.extractall(cls.control_dir, filter=cls.extraction_filter)
tar.close() tar.close()
cls.control_paths = set( cls.control_paths = set(
@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase): @@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase):
with ArchiveMaker() as arc: with ArchiveMaker() as arc:
arc.add('foo') arc.add('foo')
with warnings_helper.check_warnings( with warnings_helper.check_warnings(
@ -114,7 +157,7 @@ index c5fc76d..397e334 100644
with self.check_context(arc.open(), None): with self.check_context(arc.open(), None):
self.expect_file('foo') self.expect_file('foo')
@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase): @@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase):
self.expect_exception(TypeError) # errorlevel is not int self.expect_exception(TypeError) # errorlevel is not int
@ -235,9 +278,9 @@ index c5fc76d..397e334 100644
+ self.check_trusted_default(tar, tempdir) + self.check_trusted_default(tar, tempdir)
+ +
+ +
def setUpModule(): class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
os_helper.unlink(TEMPDIR) testdir = os.path.join(TEMPDIR, "testoverwrite")
os.makedirs(TEMPDIR)
-- --
2.43.0 2.44.0

@ -19,7 +19,7 @@ Co-Authored-By: Thomas Dwyer <github@tomd.tel>
create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
index 345b64001c..d693a9bc39 100644 index 6ba42491d6..6bd45200d8 100644
--- a/Doc/library/email.utils.rst --- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst +++ b/Doc/library/email.utils.rst
@@ -58,13 +58,18 @@ of the new API. @@ -58,13 +58,18 @@ of the new API.
@ -72,7 +72,7 @@ index 345b64001c..d693a9bc39 100644
.. function:: parsedate(date) .. function:: parsedate(date)
diff --git a/Lib/email/utils.py b/Lib/email/utils.py diff --git a/Lib/email/utils.py b/Lib/email/utils.py
index 81da5394ea..43c3627fca 100644 index 1de547a011..e53abc8b84 100644
--- a/Lib/email/utils.py --- a/Lib/email/utils.py
+++ b/Lib/email/utils.py +++ b/Lib/email/utils.py
@@ -48,6 +48,7 @@ @@ -48,6 +48,7 @@
@ -81,7 +81,7 @@ index 81da5394ea..43c3627fca 100644
+ +
def _has_surrogates(s): def _has_surrogates(s):
"""Return True if s contains surrogate-escaped binary data.""" """Return True if s may contain surrogate-escaped binary data."""
# This check is based on the fact that unless there are surrogates, utf8 # This check is based on the fact that unless there are surrogates, utf8
@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'): @@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
return address return address
@ -255,7 +255,7 @@ index 81da5394ea..43c3627fca 100644
diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
index 2a237095b9..4672b790d8 100644 index fc8d87974e..ef8aa0d53c 100644
--- a/Lib/test/test_email/test_email.py --- a/Lib/test/test_email/test_email.py
+++ b/Lib/test/test_email/test_email.py +++ b/Lib/test/test_email/test_email.py
@@ -16,6 +16,7 @@ @@ -16,6 +16,7 @@
@ -266,7 +266,7 @@ index 2a237095b9..4672b790d8 100644
from email.charset import Charset from email.charset import Charset
from email.generator import Generator, DecodedGenerator, BytesGenerator from email.generator import Generator, DecodedGenerator, BytesGenerator
@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self): @@ -3352,15 +3353,137 @@ def test_getaddresses_comma_in_name(self):
], ],
) )
@ -412,7 +412,7 @@ index 2a237095b9..4672b790d8 100644
def test_getaddresses_embedded_comment(self): def test_getaddresses_embedded_comment(self):
"""Test proper handling of a nested comment""" """Test proper handling of a nested comment"""
@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self): @@ -3551,6 +3674,54 @@ def test_mime_classes_policy_argument(self):
m = cls(*constructor, policy=email.policy.default) m = cls(*constructor, policy=email.policy.default)
self.assertIs(m.policy, email.policy.default) self.assertIs(m.policy, email.policy.default)

@ -0,0 +1,63 @@
From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 3 May 2024 14:17:48 +0200
Subject: [PATCH] Expect failures in tests not working properly with expat with
a fixed CVE in RHEL
---
Lib/test/test_pyexpat.py | 1 +
Lib/test/test_sax.py | 1 +
Lib/test/test_xml_etree.py | 3 +++
3 files changed, 5 insertions(+)
diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
index 43cbd27..27b1502 100644
--- a/Lib/test/test_pyexpat.py
+++ b/Lib/test/test_pyexpat.py
@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase):
self.assertEqual(started, ['doc'])
+ @unittest.expectedFailure
def test_reparse_deferral_disabled(self):
started = []
diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py
index 9b3014a..646c92d 100644
--- a/Lib/test/test_sax.py
+++ b/Lib/test/test_sax.py
@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase):
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
+ @unittest.expectedFailure
def test_flush_reparse_deferral_disabled(self):
result = BytesIO()
xmlgen = XMLGenerator(result)
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
index 9c382d1..62f2871 100644
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase):
self.assert_event_tags(parser, [('end', 'root')])
self.assertIsNone(parser.close())
+ @unittest.expectedFailure
def test_simple_xml_chunk_1(self):
self.test_simple_xml(chunk_size=1, flush=True)
+ @unittest.expectedFailure
def test_simple_xml_chunk_5(self):
self.test_simple_xml(chunk_size=5, flush=True)
@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase):
self.assert_event_tags(parser, [('end', 'doc')])
+ @unittest.expectedFailure
def test_flush_reparse_deferral_disabled(self):
parser = ET.XMLPullParser(events=('start', 'end'))
--
2.44.0

@ -0,0 +1,121 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 12 Aug 2024 02:35:17 +0200
Subject: [PATCH] 00436: [CVE-2024-8088] gh-122905: Sanitize names in
zipfile.Path.
---
Lib/test/test_zipfile/_path/test_path.py | 17 +++++
Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++-
...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 +
3 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
index 06d5aab69b..90885dbbe3 100644
--- a/Lib/test/test_zipfile/_path/test_path.py
+++ b/Lib/test/test_zipfile/_path/test_path.py
@@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep):
zipfile.Path(alpharep)
with self.assertRaises(KeyError):
alpharep.getinfo('does-not-exist')
+
+ def test_malformed_paths(self):
+ """
+ Path should handle malformed paths.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("/one-slash.txt", b"content")
+ zf.writestr("//two-slash.txt", b"content")
+ zf.writestr("../parent.txt", b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ assert list(map(str, root.iterdir())) == [
+ 'one-slash.txt',
+ 'two-slash.txt',
+ 'parent.txt',
+ ]
diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
index 78c413563b..42f9fded21 100644
--- a/Lib/zipfile/_path/__init__.py
+++ b/Lib/zipfile/_path/__init__.py
@@ -83,7 +83,69 @@ def __setstate__(self, state):
super().__init__(*args, **kwargs)
-class CompleteDirs(InitializedState, zipfile.ZipFile):
+class SanitizedNames:
+ """
+ ZipFile mix-in to ensure names are sanitized.
+ """
+
+ def namelist(self):
+ return list(map(self._sanitize, super().namelist()))
+
+ @staticmethod
+ def _sanitize(name):
+ r"""
+ Ensure a relative path with posix separators and no dot names.
+
+ Modeled after
+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
+ but provides consistent cross-platform behavior.
+
+ >>> san = SanitizedNames._sanitize
+ >>> san('/foo/bar')
+ 'foo/bar'
+ >>> san('//foo.txt')
+ 'foo.txt'
+ >>> san('foo/.././bar.txt')
+ 'foo/bar.txt'
+ >>> san('foo../.bar.txt')
+ 'foo../.bar.txt'
+ >>> san('\\foo\\bar.txt')
+ 'foo/bar.txt'
+ >>> san('D:\\foo.txt')
+ 'D/foo.txt'
+ >>> san('\\\\server\\share\\file.txt')
+ 'server/share/file.txt'
+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
+ '?/GLOBALROOT/Volume3'
+ >>> san('\\\\.\\PhysicalDrive1\\root')
+ 'PhysicalDrive1/root'
+
+ Retain any trailing slash.
+ >>> san('abc/')
+ 'abc/'
+
+ Raises a ValueError if the result is empty.
+ >>> san('../..')
+ Traceback (most recent call last):
+ ...
+ ValueError: Empty filename
+ """
+
+ def allowed(part):
+ return part and part not in {'..', '.'}
+
+ # Remove the drive letter.
+ # Don't use ntpath.splitdrive, because that also strips UNC paths
+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
+ clean = bare.replace('\\', '/')
+ parts = clean.split('/')
+ joined = '/'.join(filter(allowed, parts))
+ if not joined:
+ raise ValueError("Empty filename")
+ return joined + '/' * name.endswith('/')
+
+
+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
"""
A ZipFile subclass that ensures that implied directories
are always included in the namelist.
diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
new file mode 100644
index 0000000000..1be44c906c
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
@@ -0,0 +1 @@
+:class:`zipfile.Path` objects now sanitize names from the zipfile.

@ -1,18 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmVyMspfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
YwWv5w/+JlGtfy+x+6mtauH1uOkt7n9PMQou1LcthDs5s41wuwjO7RbwnmJD6aDk
DqwLHheoq6Kjbl6PF1kG2T8ZbHkMudhnc5yH4eQG52IGNQ6evilxoC6AyhVg8ANi
+u6Juh9r2Hjz/LDWFB4hzwcOBKy0jYw98+A0uMvpPd2bmdFMBLQE0GTZCdrRsGYs
q0oysUX7uCJBfINp7XwiVGAK/6ma0nrr0A1ho6LCau+VGkDnJZdKZgIMyyxp6qL1
7tMjb3LUpV3FWp57L2za59TaayApNf5BlanC+de6oKEhEJ8oEFyWxOx2GmXHZwch
ucj7Z1dxuI7fjNVkEvZ+JuheLGtB9mAmUZslXgUJf5wo49bCo9E4/ZlIFQk7VJR3
Bm9VlQb5mMydB8QJbMy/BpgNjgKmEvBTnir37prJpUV/TL1YZT0eZ5JxCnlUIL/F
6cOzAE3zHPnvHcyHhKV3q5CoONdBtB3RWgS66m4eMneuWoNKaoEbO5IDxtKvCd1J
AKLmzCB0/KCWVUIYBTfJ8ytBVQA0Z2w8CZ7SC8asX4DocDCvxim1sQg5s8c4mzh+
1JVbyqqEmf9m74Mqby0vICC6UVvgaPyiOxTphtRXLIYHUscLVn5+586RMYnM9nP4
nEK+H/fq6Rcp1XEtIPzCG4IPUAYnuDLjbGQegltpKV/SAYn+DGg=
=dCpy
-----END PGP SIGNATURE-----

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmayiFtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
YwUr4g//VyVs9tvbtiSp8pGe8f1gYErEw54r124sL/CBuNii8Irts1j5ymGxcm+l
hshPK5UlqRnhd5dCJWFTvLTXa5Ko2R1L3JyyxfGd1hmDuMhrWsDHijI0R7L/mGM5
6X2LTaadBVNvk8HaNKvR8SEWvo68rdnOuYElFA9ir7uqwjO26ZWz9FfH80YDGwo8
Blef2NYw8rNhiaZMFV0HYV7D+YyUAZnFNfW8M7Fd4oskUyj1tD9J89T9FFLYN09d
BcCIf+EdiEfqRpKxH89bW2g52kDrm4jYGONtpyF8eruyS3YwYSbvbuWioBYKmlxC
s51mieXz6G325GTZnmPxLek3ywPv6Gil9y0wH3fIr2BsWsmXust4LBpjDGt56Fy6
seokGBg8xzsBSk3iEqNoFmNsy/QOiuCcDejX4XqBDNodOlETQPJb07TkTI2iOmg9
NG4Atiz1HvGVxK68UuK9IIcNHyaWUmH8h4VQFGvc6KV6feP5Nm21Y12PZ5XIqJBO
Y8M/VJIJ5koaNPQfnBbbI5YBkUr4BVpIXIpY5LM/L5sUo2C3R7hMi0VGK88HGfSQ
KV4JmZgf6RMBNmrWY12sryS1QQ6q3P110GTUGQWB3sxxNbhmfcrK+4viqHc83yDz
ifmk33HuqaQGU7OzUMHeNcoCJIPo3H1FpoHOn9wLLCtA1pT+as4=
=t0Rk
-----END PGP SIGNATURE-----

@ -16,12 +16,12 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version, # WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well # remember to update the python3-docs package as well
%global general_version %{pybasever}.1 %global general_version %{pybasever}.5
#global prerel ... #global prerel ...
%global upstream_version %{general_version}%{?prerel} %global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}} Version: %{general_version}%{?prerel:~%{prerel}}
Release: 4%{?dist} Release: 2%{?dist}
License: Python License: Python-2.0.1
# ================================== # ==================================
@ -66,36 +66,31 @@ License: Python
# If the rpmwheels condition is disabled, we use the bundled wheel packages # If the rpmwheels condition is disabled, we use the bundled wheel packages
# from Python with the versions below. # from Python with the versions below.
# This needs to be manually updated when we update Python. # This needs to be manually updated when we update Python.
%global pip_version 23.2.1 %global pip_version 24.2
%global setuptools_version 67.6.1 %global setuptools_version 67.6.1
%global wheel_version 0.40.0 %global wheel_version 0.40.0
# All of those also include a list of indirect bundled libs: # All of those also include a list of indirect bundled libs:
# pip # pip
# $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
%global pip_bundled_provides %{expand: %global pip_bundled_provides %{expand:
Provides: bundled(python3dist(cachecontrol)) = 0.12.11 Provides: bundled(python3dist(cachecontrol)) = 0.14
Provides: bundled(python3dist(certifi)) = 2023.5.7 Provides: bundled(python3dist(certifi)) = 2024.7.4
Provides: bundled(python3dist(chardet)) = 5.1 Provides: bundled(python3dist(distlib)) = 0.3.8
Provides: bundled(python3dist(colorama)) = 0.4.6 Provides: bundled(python3dist(distro)) = 1.9
Provides: bundled(python3dist(distlib)) = 0.3.6 Provides: bundled(python3dist(idna)) = 3.7
Provides: bundled(python3dist(distro)) = 1.8 Provides: bundled(python3dist(msgpack)) = 1.0.8
Provides: bundled(python3dist(idna)) = 3.4 Provides: bundled(python3dist(packaging)) = 24.1
Provides: bundled(python3dist(msgpack)) = 1.0.5 Provides: bundled(python3dist(platformdirs)) = 4.2.2
Provides: bundled(python3dist(packaging)) = 21.3 Provides: bundled(python3dist(pygments)) = 2.18
Provides: bundled(python3dist(platformdirs)) = 3.8.1
Provides: bundled(python3dist(pygments)) = 2.15.1
Provides: bundled(python3dist(pyparsing)) = 3.1
Provides: bundled(python3dist(pyproject-hooks)) = 1 Provides: bundled(python3dist(pyproject-hooks)) = 1
Provides: bundled(python3dist(requests)) = 2.31 Provides: bundled(python3dist(requests)) = 2.32.3
Provides: bundled(python3dist(resolvelib)) = 1.0.1 Provides: bundled(python3dist(resolvelib)) = 1.0.1
Provides: bundled(python3dist(rich)) = 13.4.2 Provides: bundled(python3dist(rich)) = 13.7.1
Provides: bundled(python3dist(setuptools)) = 68 Provides: bundled(python3dist(setuptools)) = 70.3
Provides: bundled(python3dist(six)) = 1.16
Provides: bundled(python3dist(tenacity)) = 8.2.2
Provides: bundled(python3dist(tomli)) = 2.0.1 Provides: bundled(python3dist(tomli)) = 2.0.1
Provides: bundled(python3dist(typing-extensions)) = 4.7.1 Provides: bundled(python3dist(truststore)) = 0.9.1
Provides: bundled(python3dist(urllib3)) = 1.26.16 Provides: bundled(python3dist(typing-extensions)) = 4.12.2
Provides: bundled(python3dist(webencodings)) = 0.5.1 Provides: bundled(python3dist(urllib3)) = 1.26.18
} }
# setuptools # setuptools
# vendor.txt files not in .whl # vendor.txt files not in .whl
@ -116,7 +111,7 @@ Provides: bundled(python3dist(typing-extensions)) = 4.4
Provides: bundled(python3dist(zipp)) = 3.7 Provides: bundled(python3dist(zipp)) = 3.7
} }
# wheel # wheel
# $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt) # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt)
%global wheel_bundled_provides %{expand: %global wheel_bundled_provides %{expand:
Provides: bundled(python3dist(packaging)) = 23 Provides: bundled(python3dist(packaging)) = 23
} }
@ -200,6 +195,13 @@ Provides: bundled(python3dist(packaging)) = 23
%global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION} %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION}
%global py_INSTSONAME_debug libpython%{LDVERSION_debug}.so.%{py_SOVERSION} %global py_INSTSONAME_debug libpython%{LDVERSION_debug}.so.%{py_SOVERSION}
# The -O flag for the compiler, optimized builds
# https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
%global optflags_optimized -O3
# The -O flag for the compiler, debug builds
# -Wno-cpp avoids some warnings with -O0
%global optflags_debug -O0 -Wno-cpp
# Disable automatic bytecompilation. The python3 binary is not yet be # Disable automatic bytecompilation. The python3 binary is not yet be
# available in /usr/bin when Python is built. Also, the bytecompilation fails # available in /usr/bin when Python is built. Also, the bytecompilation fails
# on files that test invalid syntax. # on files that test invalid syntax.
@ -385,6 +387,17 @@ Patch397: 00397-tarfile-filter.patch
# Thomas Dwyer. # Thomas Dwyer.
Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
# 00422 # a353cebef737c41420dc7ae2469dd657371b8881
# Fix tests for XMLPullParser with Expat 2.6.0
#
# Feeding the parser by too small chunks defers parsing to prevent
# CVE-2023-52425. Future versions of Expat may be more reactive.
Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
# 00436 # c76cc2aa3a2c30375ade4859b732ada851cc89ed
# [CVE-2024-8088] gh-122905: Sanitize names in zipfile.Path.
Patch436: 00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
# When adding new patches to "python" and "python3" in Fedora, EL, etc., # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -710,13 +723,13 @@ The debug runtime additionally supports debug builds of C-API extensions
# setuptools.whl does not contain the vendored.txt files # setuptools.whl does not contain the vendored.txt files
if [ -f %{_rpmconfigdir}/pythonbundles.py ]; then if [ -f %{_rpmconfigdir}/pythonbundles.py ]; then
%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) --compare-with '%pip_bundled_provides' %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) --compare-with '%pip_bundled_provides'
%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt) --compare-with '%wheel_bundled_provides' %{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt) --compare-with '%wheel_bundled_provides'
fi fi
%if %{with rpmwheels} %if %{with rpmwheels}
rm Lib/ensurepip/_bundled/pip-%{pip_version}-py3-none-any.whl rm Lib/ensurepip/_bundled/pip-%{pip_version}-py3-none-any.whl
rm Lib/test/setuptools-%{setuptools_version}-py3-none-any.whl rm Lib/test/wheeldata/setuptools-%{setuptools_version}-py3-none-any.whl
rm Lib/test/wheel-%{wheel_version}-py3-none-any.whl rm Lib/test/wheeldata/wheel-%{wheel_version}-py3-none-any.whl
%endif %endif
# Remove all exe files to ensure we are not shipping prebuilt binaries # Remove all exe files to ensure we are not shipping prebuilt binaries
@ -795,6 +808,7 @@ BuildPython() {
ConfName=$1 ConfName=$1
ExtraConfigArgs=$2 ExtraConfigArgs=$2
MoreCFlags=$3 MoreCFlags=$3
MoreCFlagsNodist=$4
# Each build is done in its own directory # Each build is done in its own directory
ConfDir=build/$ConfName ConfDir=build/$ConfName
@ -834,7 +848,7 @@ BuildPython() {
$ExtraConfigArgs \ $ExtraConfigArgs \
%{nil} %{nil}
%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags" %global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist"
%if %{without bootstrap} %if %{without bootstrap}
# Regenerate generated files (needs python3) # Regenerate generated files (needs python3)
@ -857,12 +871,14 @@ BuildPython() {
# See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857
BuildPython debug \ BuildPython debug \
"--without-ensurepip --with-pydebug" \ "--without-ensurepip --with-pydebug" \
"-O0 -Wno-cpp" "%{optflags_debug}" \
""
%endif # with debug_build %endif # with debug_build
BuildPython optimized \ BuildPython optimized \
"--without-ensurepip %{optimizations_flag}" \ "--without-ensurepip %{optimizations_flag}" \
"" "" \
"%{optflags_optimized}"
# ====================================================== # ======================================================
# Installing the built code: # Installing the built code:
@ -967,7 +983,7 @@ EOF
%if %{with debug_build} %if %{with debug_build}
InstallPython debug \ InstallPython debug \
%{py_INSTSONAME_debug} \ %{py_INSTSONAME_debug} \
-O0 \ "%{optflags_debug}" \
%{LDVERSION_debug} %{LDVERSION_debug}
%endif # with debug_build %endif # with debug_build
@ -1342,10 +1358,6 @@ CheckPython optimized
%{dynload_dir}/termios.%{SOABI_optimized}.so %{dynload_dir}/termios.%{SOABI_optimized}.so
%{dynload_dir}/unicodedata.%{SOABI_optimized}.so %{dynload_dir}/unicodedata.%{SOABI_optimized}.so
%{dynload_dir}/_uuid.%{SOABI_optimized}.so %{dynload_dir}/_uuid.%{SOABI_optimized}.so
%{dynload_dir}/xxlimited.%{SOABI_optimized}.so
%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so
%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so
%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so
%{dynload_dir}/zlib.%{SOABI_optimized}.so %{dynload_dir}/zlib.%{SOABI_optimized}.so
%{dynload_dir}/_zoneinfo.%{SOABI_optimized}.so %{dynload_dir}/_zoneinfo.%{SOABI_optimized}.so
@ -1446,12 +1458,6 @@ CheckPython optimized
%{pylibdir}/zoneinfo %{pylibdir}/zoneinfo
%dir %{pylibdir}/__phello__/
%dir %{pylibdir}/__phello__/__pycache__/
%{pylibdir}/__phello__/__init__.py
%{pylibdir}/__phello__/spam.py
%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes}
%if "%{_lib}" == "lib64" %if "%{_lib}" == "lib64"
%attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever} %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}
%attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages
@ -1546,7 +1552,17 @@ CheckPython optimized
%{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so %{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so
%{dynload_dir}/_testsinglephase.%{SOABI_optimized}.so %{dynload_dir}/_testsinglephase.%{SOABI_optimized}.so
%{dynload_dir}/_xxinterpchannels.%{SOABI_optimized}.so %{dynload_dir}/_xxinterpchannels.%{SOABI_optimized}.so
%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so
%{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so
%{dynload_dir}/xxlimited.%{SOABI_optimized}.so
%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so
%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so
%dir %{pylibdir}/__phello__/
%dir %{pylibdir}/__phello__/__pycache__/
%{pylibdir}/__phello__/__init__.py
%{pylibdir}/__phello__/spam.py
%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes}
# We don't bother splitting the debug build out into further subpackages: # We don't bother splitting the debug build out into further subpackages:
# if you need it, you're probably a developer. # if you need it, you're probably a developer.
@ -1628,10 +1644,6 @@ CheckPython optimized
%{dynload_dir}/termios.%{SOABI_debug}.so %{dynload_dir}/termios.%{SOABI_debug}.so
%{dynload_dir}/unicodedata.%{SOABI_debug}.so %{dynload_dir}/unicodedata.%{SOABI_debug}.so
%{dynload_dir}/_uuid.%{SOABI_debug}.so %{dynload_dir}/_uuid.%{SOABI_debug}.so
%{dynload_dir}/xxlimited.%{SOABI_debug}.so
%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so
%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so
%{dynload_dir}/xxsubtype.%{SOABI_debug}.so
%{dynload_dir}/zlib.%{SOABI_debug}.so %{dynload_dir}/zlib.%{SOABI_debug}.so
%{dynload_dir}/_zoneinfo.%{SOABI_debug}.so %{dynload_dir}/_zoneinfo.%{SOABI_debug}.so
@ -1668,7 +1680,11 @@ CheckPython optimized
%{dynload_dir}/_testmultiphase.%{SOABI_debug}.so %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
%{dynload_dir}/_testsinglephase.%{SOABI_debug}.so %{dynload_dir}/_testsinglephase.%{SOABI_debug}.so
%{dynload_dir}/_xxinterpchannels.%{SOABI_debug}.so %{dynload_dir}/_xxinterpchannels.%{SOABI_debug}.so
%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so
%{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so
%{dynload_dir}/xxlimited.%{SOABI_debug}.so
%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so
%{dynload_dir}/xxsubtype.%{SOABI_debug}.so
%{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
%{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes} %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
@ -1696,6 +1712,49 @@ CheckPython optimized
# ====================================================== # ======================================================
%changelog %changelog
* Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.5-2
- Security fix for CVE-2024-8088
Resolves: RHEL-55963
* Wed Aug 07 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.5-1
- Update to 3.12.5
- Security fix for CVE-2024-6923
Resolves: RHEL-53041
* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.4-3
- Properly propagate the optimization flags to C extensions
* Wed Jul 17 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.4-2
- Build Python with -O3
- https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
* Fri Jun 28 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.4-1
- Update to 3.12.4
Resolves: RHEL-44103
* Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.3-2
- Enable importing of hash-based .pyc files under FIPS mode
Resolves: RHEL-40772
* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.3-1
- Update to 3.12.3
Related: RHEL-33690
* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-3
- Move all test modules to the python3-test package, namely:
- __phello__
- _xxsubinterpreters
- xxlimited
- xxlimited_35
- xxsubtype
* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-2
- Fix tests for XMLPullParser with Expat with fixed CVE
* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-1
- Update to 3.12.2
Resolves: RHEL-33690
* Mon Feb 19 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-4 * Mon Feb 19 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-4
- Add Red Hat configuration for CVE-2007-4559 - Add Red Hat configuration for CVE-2007-4559

Loading…
Cancel
Save