Rebase to 3.11.5

Security fixes for CVE-2023-40217 and CVE-2023-41105

Resolves: RHEL-3047, RHEL-3267

.gitignore

@@ -4,3 +4,5 @@
 /Python-3.11.2.tar.xz.asc
 /Python-3.11.4.tar.xz
 /Python-3.11.4.tar.xz.asc
+/Python-3.11.5.tar.xz
+/Python-3.11.5.tar.xz.asc

00397-tarfile-filter.patch

@@ -1,113 +1,3 @@
-From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 9 Aug 2023 20:23:03 +0200
-Subject: [PATCH] Fix symlink handling for tarfile.data_filter
-
----
- Doc/library/tarfile.rst  |  5 +++++
- Lib/tarfile.py           |  9 ++++++++-
- Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++--
- 3 files changed, 37 insertions(+), 3 deletions(-)
-
-diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
-index 00f3070324e..e0511bfeb64 100644
---- a/Doc/library/tarfile.rst
-+++ b/Doc/library/tarfile.rst
-@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes:
-    Name of the target file name, which is only present in :class:`TarInfo` objects
-    of type :const:`LNKTYPE` and :const:`SYMTYPE`.
- 
-+   For symbolic links (``SYMTYPE``), the linkname is relative to the directory
-+   that contains the link.
-+   For hard links (``LNKTYPE``), the linkname is relative to the root of
-+   the archive.
-+
- 
- .. attribute:: TarInfo.uid
-    :type: int
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index df4e41f7a0d..d62323715b4 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True):
-         if member.islnk() or member.issym():
-             if os.path.isabs(member.linkname):
-                 raise AbsoluteLinkError(member)
--            target_path = os.path.realpath(os.path.join(dest_path, member.linkname))
-+            if member.issym():
-+                target_path = os.path.join(dest_path,
-+                                           os.path.dirname(name),
-+                                           member.linkname)
-+            else:
-+                target_path = os.path.join(dest_path,
-+                                           member.linkname)
-+            target_path = os.path.realpath(target_path)
-             if os.path.commonpath([target_path, dest_path]) != dest_path:
-                 raise LinkOutsideDestinationError(member, target_path)
-     return new_attrs
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 2eda7fc4cea..79fc35c2895 100644
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -3337,10 +3337,12 @@ def __exit__(self, *exc):
-         self.bio = None
- 
-     def add(self, name, *, type=None, symlink_to=None, hardlink_to=None,
--            mode=None, **kwargs):
-+            mode=None, size=None, **kwargs):
-         """Add a member to the test archive. Call within `with`."""
-         name = str(name)
-         tarinfo = tarfile.TarInfo(name).replace(**kwargs)
-+        if size is not None:
-+            tarinfo.size = size
-         if mode:
-             tarinfo.mode = _filemode_to_int(mode)
-         if symlink_to is not None:
-@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter):
-                 raise self.raised_exception
-             self.assertEqual(self.expected_paths, set())
- 
--    def expect_file(self, name, type=None, symlink_to=None, mode=None):
-+    def expect_file(self, name, type=None, symlink_to=None, mode=None,
-+                    size=None):
-         """Check a single file. See check_context."""
-         if self.raised_exception:
-             raise self.raised_exception
-@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None):
-             self.assertTrue(path.is_fifo())
-         else:
-             raise NotImplementedError(type)
-+        if size is not None:
-+            self.assertEqual(path.stat().st_size, size)
-         for parent in path.parents:
-             self.expected_paths.discard(parent)
- 
-@@ -3649,6 +3654,22 @@ def test_sly_relative2(self):
-                     + """['"].*moo['"], which is outside the """
-                     + "destination")
- 
-+    def test_deep_symlink(self):
-+        with ArchiveMaker() as arc:
-+            arc.add('targetdir/target', size=3)
-+            arc.add('linkdir/hardlink', hardlink_to='targetdir/target')
-+            arc.add('linkdir/symlink', symlink_to='../targetdir/target')
-+
-+        for filter in 'tar', 'data', 'fully_trusted':
-+            with self.check_context(arc.open(), filter):
-+                self.expect_file('targetdir/target', size=3)
-+                self.expect_file('linkdir/hardlink', size=3)
-+                if os_helper.can_symlink():
-+                    self.expect_file('linkdir/symlink', size=3,
-+                                     symlink_to='../targetdir/target')
-+                else:
-+                    self.expect_file('linkdir/symlink', size=3)
-+
-     def test_modes(self):
-         # Test how file modes are extracted
-         # (Note that the modes are ignored on platforms without working chmod)
--- 
-2.41.0
-
 From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Mon, 6 Mar 2023 17:24:24 +0100

python3.11.spec

@@ -16,11 +16,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.4
+%global general_version %{pybasever}.5
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 4%{?dist}
+Release: 1%{?dist}
 License: Python
 
 
@@ -63,7 +63,7 @@ License: Python
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 23.1.2
+%global pip_version 23.2.1
 %global setuptools_version 65.5.0
 
 # Expensive optimizations (mainly, profile-guided optimizations)
@@ -1189,10 +1189,14 @@ CheckPython() {
   # test_freeze_simple_script is skipped, because it fails when bundled wheels
   #  are removed in Fedora.
   #  upstream report: https://bugs.python.org/issue45783
+  # test_check_probes is failing since it was introduced in 3.11.5,
+  # the test is skipped until it is fixed in upstream.
+  # see: https://github.com/python/cpython/issues/104280#issuecomment-1669249980
 
   LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \
     -wW --slowest -j0 --timeout=1800 \
     -i test_freeze_simple_script \
+    -i test_check_probes \
     %if %{with bootstrap}
     -x test_distutils \
     %endif
@@ -1817,6 +1821,11 @@ fi
 # ======================================================
 
 %changelog
+* Thu Sep 07 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.5-1
+- Rebase to 3.11.5
+- Security fixes for CVE-2023-40217 and CVE-2023-41105
+Resolves: RHEL-3047, RHEL-3267
+
 * Thu Aug 10 2023 Tomas Orsava <torsava@redhat.com> - 3.11.4-4
 - Add the import_all_modules_py3_11.py file for the python3.11-rpm-macros subpackage
 Resolves: rhbz#2207631

sources

@@ -1,2 +1,2 @@
-SHA512 (Python-3.11.4.tar.xz) = 7eb14fecbf60824d10c22a9057584c3a142c2866f4af6caa2525c10c8bcb24e6e7afb32a44a0e118df0a2b2543d578c3b422ffd4a5fa317dfe6ea371cc7ee1ee
-SHA512 (Python-3.11.4.tar.xz.asc) = 8ee82bf116b2cc7407e260eccf53e7fee4d7497165d0b9c3e59931c73f3b419bc0299b459eee9544a6e51e323ff0a6aa07827efd89f9c320b54556feeea04a78
+SHA512 (Python-3.11.5.tar.xz) = 93fa640bedcea449060caac8aa691aa315a19f172fd9f0422183d17749c3512d4ecac60e7599f9ef14e3cdb3c8b4b060e484c9061b1e7ee8d958200d6041e408
+SHA512 (Python-3.11.5.tar.xz.asc) = 5a8e1b1cabe89de03c050d581bbd3ec917d93ec943b2e8241db05c245809cf80294022c4cfc1bea3b90aa0570176109aac90455057256c025e2596aa136375fc