import CS python-dateutil-2.8.1-7.el9

2023-09-21 19:57:46 +00:00 · 2023-09-21 19:57:46 +00:00 · 884df32e28
commit 884df32e28
parent 25e7c9a2d4
2 changed files with 71 additions and 2 deletions
--- a/SOURCES/1295.patch
+++ b/SOURCES/1295.patch
@ -0,0 +1,57 @@
 From a97d0ff4b7559a431f42102b6208fb876f511194 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Tue, 27 Jun 2023 15:28:36 +0200
 Subject: [PATCH 1/2] zoneinfo.rebuild: Extract using tarfile data filter (PEP
 706) if available
 ---
 src/dateutil/zoneinfo/rebuild.py | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/src/dateutil/zoneinfo/rebuild.py b/src/dateutil/zoneinfo/rebuild.py
 index 684c6586f..1b6e34b15 100644
 --- a/dateutil/zoneinfo/rebuild.py
 +++ b/dateutil/zoneinfo/rebuild.py
@@ -4,6 +4,7 @@
 import shutil
 import json
 from subprocess import check_call
 +import tarfile
 from tarfile import TarFile
 from dateutil.zoneinfo import METADATA_FN, ZONEFILENAME
@@ -20,6 +21,13 @@ def rebuild(filename, tag=None, format="gz", zonegroups=[], metadata=None):
     moduledir = os.path.dirname(__file__)
     try:
         with TarFile.open(filename) as tf:
 +
 +            # Limit extraction to safe, plain data files, if this Python
 +            # allows it easily. If not, just trust the input.
 +            # See: https://docs.python.org/3/library/tarfile.html#supporting-older-python-versions
 +            tf.extraction_filter = getattr(tarfile, 'data_filter',
 +                                           (lambda member, path: member))
 +
             for name in zonegroups:
                 tf.extract(name, tmpdir)
             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
 From 4790f9d64451002fd3c31c2fbe0d70322019a92a Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Tue, 27 Jun 2023 16:12:14 +0200
 Subject: [PATCH 2/2] Add changelog entry
 ---
 changelog.d/1295.misc.rst | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changelog.d/1295.misc.rst
 diff --git a/changelog.d/1295.misc.rst b/changelog.d/1295.misc.rst
 new file mode 100644
 index 000000000..c2876dd65
 --- /dev/null
 +++ b/changelog.d/1295.misc.rst
@@ -0,0 +1,4 @@
 +On Python versions that support it, ``zoneinfo.rebuild`` now uses the
 +tarfile ``data`` filter to limit damage in case it's used with a
 +malicious tarball, and to avoid a deprecation warning on Python 3.12.
 +Reported and fixed by @encukou (gh pr #1295)
--- a/SPECS/python-dateutil.spec
+++ b/SPECS/python-dateutil.spec
@ -2,7 +2,7 @@
 Name:           python-%{modname}
 Version:        2.8.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 Epoch:          1
 Summary:        Powerful extensions to the standard datetime module
@ -10,6 +10,14 @@ License:        BSD
 URL:            https://github.com/dateutil/dateutil
 Source:         %{pypi_source}
 # Mitigate CVE-2007-4559 (tarfile directory traversal).
 # `dateutil.zoneinfo.rebuild` handles "pure data" tarballs,
 # here we disable tar features that are potentially unsafe.
 # Submitted upstream, but rejected because they're removing this
 # code entirely.
 # BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2203905
 Patch1:         https://github.com/dateutil/dateutil/pull/1295.patch
 # Disable tests to avoid pulling in test dependencies on RHEL9
 # Specify --with tests to run the tests e.g. on EPEL
 %bcond_with tests
@ -47,7 +55,7 @@ Summary: API documentation for python-dateutil
 This package contains %{summary}.
 %prep
-%autosetup
+%autosetup -p1
 iconv --from=ISO-8859-1 --to=UTF-8 NEWS > NEWS.new
 mv NEWS.new NEWS
@ -74,6 +82,10 @@ make -C docs html
 %doc docs/_build/html
 %changelog
 * Wed Jul 12 2023 Petr Viktorin <pviktori@redhat.com> - 1:2.8.1-7
 - Mitigate CVE-2007-4559 (tarfile directory traversal).
  Resolves: rhbz#2203905
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.8.1-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688