Update to v2.9.0.post0 and revise patches
Resolves: RHEL-113228 Signed-off-by: Kseniia Nivnia <knivnia@redhat.com>
		
							parent
							
								
									8f4fa349cd
								
							
						
					
					
						commit
						9e50889967
					
				
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							@ -18,3 +18,4 @@
 | 
			
		||||
/python-dateutil-2.7.5.tar.gz
 | 
			
		||||
/python-dateutil-2.8.0.tar.gz
 | 
			
		||||
/python-dateutil-2.8.1.tar.gz
 | 
			
		||||
/python-dateutil-2.9.0.post0.tar.gz
 | 
			
		||||
 | 
			
		||||
							
								
								
									
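--- a/1295.patch
+++ b/1295.patch
@@ -1,57 +0,0 @@
-From a97d0ff4b7559a431f42102b6208fb876f511194 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Tue, 27 Jun 2023 15:28:36 +0200
-Subject: [PATCH 1/2] zoneinfo.rebuild: Extract using tarfile data filter (PEP
- 706) if available
-
----
- src/dateutil/zoneinfo/rebuild.py | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/dateutil/zoneinfo/rebuild.py b/src/dateutil/zoneinfo/rebuild.py
-index 684c6586f..1b6e34b15 100644
---- a/dateutil/zoneinfo/rebuild.py
-+++ b/dateutil/zoneinfo/rebuild.py
-@@ -4,6 +4,7 @@
- import shutil
- import json
- from subprocess import check_call
-+import tarfile
- from tarfile import TarFile
- 
- from dateutil.zoneinfo import METADATA_FN, ZONEFILENAME
-@@ -20,6 +21,13 @@ def rebuild(filename, tag=None, format="gz", zonegroups=[], metadata=None):
-     moduledir = os.path.dirname(__file__)
-     try:
-         with TarFile.open(filename) as tf:
-+
-+            # Limit extraction to safe, plain data files, if this Python
-+            # allows it easily. If not, just trust the input.
-+            # See: https://docs.python.org/3/library/tarfile.html#supporting-older-python-versions
-+            tf.extraction_filter = getattr(tarfile, 'data_filter',
-+                                           (lambda member, path: member))
-+
-             for name in zonegroups:
-                 tf.extract(name, tmpdir)
-             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
-
-From 4790f9d64451002fd3c31c2fbe0d70322019a92a Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Tue, 27 Jun 2023 16:12:14 +0200
-Subject: [PATCH 2/2] Add changelog entry
-
----
- changelog.d/1295.misc.rst | 4 ++++
- 1 file changed, 4 insertions(+)
- create mode 100644 changelog.d/1295.misc.rst
-
-diff --git a/changelog.d/1295.misc.rst b/changelog.d/1295.misc.rst
-new file mode 100644
-index 000000000..c2876dd65
---- /dev/null
-+++ b/changelog.d/1295.misc.rst
-@@ -0,0 +1,4 @@
-+On Python versions that support it, ``zoneinfo.rebuild`` now uses the
-+tarfile ``data`` filter to limit damage in case it's used with a
-+malicious tarball, and to avoid a deprecation warning on Python 3.12.
-+Reported and fixed by @encukou (gh pr #1295)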
@ -1,31 +1,39 @@
 | 
			
		||||
%global modname dateutil
 | 
			
		||||
 | 
			
		||||
Name:           python-%{modname}
 | 
			
		||||
Version:        2.8.1
 | 
			
		||||
Release:        7%{?dist}
 | 
			
		||||
Version:        2.9.0.post0
 | 
			
		||||
Release:        1%{?dist}
 | 
			
		||||
Epoch:          1
 | 
			
		||||
Summary:        Powerful extensions to the standard datetime module
 | 
			
		||||
 | 
			
		||||
License:        BSD
 | 
			
		||||
# According to the LICENSE file:
 | 
			
		||||
# - Apache-2.0 applies to all contributions after 2017-12-01, as well as
 | 
			
		||||
#   all contributions that have been re-licensed.
 | 
			
		||||
# - BSD-3-Clause applies to all code, even that also covered by Apache-2.0
 | 
			
		||||
License:        (Apache-2.0 AND BSD-3-Clause) OR BSD-3-Clause
 | 
			
		||||
 | 
			
		||||
URL:            https://github.com/dateutil/dateutil
 | 
			
		||||
Source:         %{pypi_source}
 | 
			
		||||
Source:         %{pypi_source python-dateutil}
 | 
			
		||||
 | 
			
		||||
# Mitigate CVE-2007-4559 (tarfile directory traversal).
 | 
			
		||||
# `dateutil.zoneinfo.rebuild` handles "pure data" tarballs,
 | 
			
		||||
# here we disable tar features that are potentially unsafe.
 | 
			
		||||
# Submitted upstream, but rejected because they're removing this
 | 
			
		||||
# code entirely.
 | 
			
		||||
# BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2203905
 | 
			
		||||
Patch1:         https://github.com/dateutil/dateutil/pull/1295.patch
 | 
			
		||||
 | 
			
		||||
# Disable tests to avoid pulling in test dependencies on RHEL9
 | 
			
		||||
# Specify --with tests to run the tests e.g. on EPEL
 | 
			
		||||
%bcond_with tests
 | 
			
		||||
# when bootstrapping dateutil-freezegun, we cannot run tests
 | 
			
		||||
# on RHEL, we do not have or want all test dependencies
 | 
			
		||||
%bcond tests %{undefined rhel}
 | 
			
		||||
 | 
			
		||||
BuildArch:      noarch
 | 
			
		||||
BuildRequires: make
 | 
			
		||||
BuildRequires:  python3-sphinx
 | 
			
		||||
BuildRequires:  python3-sphinx_rtd_theme
 | 
			
		||||
BuildRequires:  python3-devel
 | 
			
		||||
 | 
			
		||||
# For docs
 | 
			
		||||
BuildRequires:  make
 | 
			
		||||
BuildRequires:  python3dist(sphinx)
 | 
			
		||||
BuildRequires:  python3dist(sphinx-rtd-theme)
 | 
			
		||||
 | 
			
		||||
# For tests
 | 
			
		||||
%if %{with tests}
 | 
			
		||||
BuildRequires:  python3dist(pytest)
 | 
			
		||||
BuildRequires:  python3dist(freezegun)
 | 
			
		||||
BuildRequires:  python3dist(hypothesis)
 | 
			
		||||
BuildRequires:  python3dist(six)
 | 
			
		||||
%endif
 | 
			
		||||
 | 
			
		||||
%global _description \
 | 
			
		||||
The dateutil module provides powerful extensions to the standard datetime\
 | 
			
		||||
@ -35,17 +43,7 @@ module available in Python.
 | 
			
		||||
 | 
			
		||||
%package -n python3-%{modname}
 | 
			
		||||
Summary:        %summary
 | 
			
		||||
BuildRequires:  python3-devel
 | 
			
		||||
BuildRequires:  python3-setuptools
 | 
			
		||||
BuildRequires:  python3-setuptools_scm
 | 
			
		||||
%if %{with tests}
 | 
			
		||||
BuildRequires:  python3-freezegun
 | 
			
		||||
BuildRequires:  python3-hypothesis
 | 
			
		||||
BuildRequires:  python3-pytest
 | 
			
		||||
BuildRequires:  python3-six
 | 
			
		||||
%endif
 | 
			
		||||
Requires:       tzdata
 | 
			
		||||
%{?python_provide:%python_provide python3-%{modname}}
 | 
			
		||||
 | 
			
		||||
%description -n python3-%{modname}  %_description
 | 
			
		||||
 | 
			
		||||
@ -54,34 +52,53 @@ Summary: API documentation for python-dateutil
 | 
			
		||||
%description doc
 | 
			
		||||
This package contains %{summary}.
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%prep
 | 
			
		||||
%autosetup -p1
 | 
			
		||||
%autosetup -p1 -n %{name}-%{version}
 | 
			
		||||
 | 
			
		||||
# Relax version requirements
 | 
			
		||||
sed -i 's/setuptools_scm<8\.0/setuptools_scm/' pyproject.toml
 | 
			
		||||
# Fix sphinx import
 | 
			
		||||
sed -i "s|os.path.abspath('../')|os.path.abspath('../src/')|" docs/conf.py
 | 
			
		||||
 | 
			
		||||
iconv --from=ISO-8859-1 --to=UTF-8 NEWS > NEWS.new
 | 
			
		||||
mv NEWS.new NEWS
 | 
			
		||||
 | 
			
		||||
%generate_buildrequires
 | 
			
		||||
%pyproject_buildrequires
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%build
 | 
			
		||||
%py3_build
 | 
			
		||||
%pyproject_wheel
 | 
			
		||||
make -C docs html
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%install
 | 
			
		||||
%py3_install
 | 
			
		||||
%pyproject_install
 | 
			
		||||
%pyproject_save_files %{modname} -l
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%check
 | 
			
		||||
%pyproject_check_import -e dateutil.tz.win -e dateutil.tzwin
 | 
			
		||||
 | 
			
		||||
%if %{with tests}
 | 
			
		||||
%check
 | 
			
		||||
%{__python3} -m pytest -W ignore::pytest.PytestUnknownMarkWarning
 | 
			
		||||
%pytest -W ignore::pytest.PytestUnknownMarkWarning
 | 
			
		||||
%endif
 | 
			
		||||
 | 
			
		||||
%files -n python3-%{modname}
 | 
			
		||||
%license LICENSE
 | 
			
		||||
%files -n python3-%{modname} -f %{pyproject_files}
 | 
			
		||||
%doc NEWS README.rst
 | 
			
		||||
%{python3_sitelib}/%{modname}/
 | 
			
		||||
%{python3_sitelib}/*.egg-info
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%files doc
 | 
			
		||||
%license LICENSE
 | 
			
		||||
%doc docs/_build/html
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
%changelog
 | 
			
		||||
* Fri Sep 05 2025 Kseniia Nivnia <knivnia@redhat.com> - 2.9.0.post0-1
 | 
			
		||||
- Update to 2.9.0.post0 and revise patches
 | 
			
		||||
  Resolves: RHEL-113228
 | 
			
		||||
 | 
			
		||||
* Wed Jul 12 2023 Petr Viktorin <pviktori@redhat.com> - 1:2.8.1-7
 | 
			
		||||
- Mitigate CVE-2007-4559 (tarfile directory traversal).
 | 
			
		||||
  Resolves: rhbz#2203905
 | 
			
		||||
 | 
			
		||||
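Review bot: Dropping `Patch1` (PR 1295) removes the CVE-2007-4559 mitigation for `dateutil.zoneinfo.rebuild` without recording why it is no longer needed. The spec comment that accompanied it says upstream rejected the change, so the 2.9.0.post0 tarball may not carry the `tf.extraction_filter` assignment, and the new `%changelog` entry only says "revise patches". If `rebuild.py` in the new source still calls `tf.extract()` without a filter, the patch should be rebased rather than deleted; the file presumably now lives under `src/`, as the added `docs/conf.py` sed suggests. If the drop is deliberate, say so next to the `Source:` line, e.g. `# Patch1 (PR 1295, tarfile data filter) dropped: <reason — to be confirmed>`, and add a matching `%changelog` bullet so the decision can be traced back to rhbz#2203905.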
							
								
								
									
										2
									
								
								sources
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								sources
									
									
									
									
									
								
							@ -1 +1 @@
 | 
			
		||||
SHA512 (python-dateutil-2.8.1.tar.gz) = 337000216e0f8ce32d6363768444144183ab9268f69082f20858f2b3322b1c449e53b2f2b5dcb3645be22294659ce7838f74ace2fd7a7c4f2adc6cf806a9fa2c
 | 
			
		||||
SHA512 (python-dateutil-2.9.0.post0.tar.gz) = f76522de0ff21547327eaf6966e80a15c57f8f92588d520eabd354a732e5c4b51d9c3ac5effd9eaa6dd451d1bce329a54a3f4c6bf4f1bd08ff06b0305c994e5a
 | 
			
		||||
 | 
			
		||||