rpms/python3.11
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS python3.11-3.11.13-3.el9

Browse Source
This commit is contained in:
eabdullin 2025-09-15 12:35:59 +00:00
parent c85974220f
commit 5804a97c2e
8 changed files with 467 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.11.11.tar.xz SOURCES/Python-3.11.13.tar.xz

2
.python3.11.metadata
View File

@ -1 +1 @@
acf539109b024d3c5f1fc63d6e7f08cd294ba56d SOURCES/Python-3.11.11.tar.xz fec9a494efd3520f7efe6f822111f22249549d0a SOURCES/Python-3.11.13.tar.xz

119
SOURCES/00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
View File

@ -1,119 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 31 Jan 2025 11:41:34 -0600
Subject: [PATCH] 00450: CVE-2025-0938: Disallow square brackets ([ and ]) in
domain names for parsed URLs
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
---
Lib/test/test_urlparse.py | 37 ++++++++++++++++++-
Lib/urllib/parse.py | 20 +++++++++-
...-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 ++
3 files changed, 58 insertions(+), 3 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 2376dad81b..a283063f24 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1224,16 +1224,51 @@ def test_invalid_bracketed_hosts(self):
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
def test_splitting_bracketed_hosts(self):
- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
+ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
self.assertEqual(p1.hostname, 'v6a.ip')
self.assertEqual(p1.username, 'user')
self.assertEqual(p1.path, '/path')
+ self.assertEqual(p1.port, 1234)
p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
self.assertEqual(p2.username, 'user')
self.assertEqual(p2.path, '/path')
+ self.assertIs(p2.port, None)
p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
self.assertEqual(p3.username, 'user')
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index abf1d1b546..724cce8d39 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -436,6 +436,23 @@ def _checknetloc(netloc):
raise ValueError("netloc '" + netloc + "' contains invalid " +
"characters under NFKC normalization")
+def _check_bracketed_netloc(netloc):
+ # Note that this function must mirror the splitting
+ # done in NetlocResultMixins._hostinfo().
+ hostname_and_port = netloc.rpartition('@')[2]
+ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
+ if have_open_br:
+ # No data is allowed before a bracket.
+ if before_bracket:
+ raise ValueError("Invalid IPv6 URL")
+ hostname, _, port = bracketed.partition(']')
+ # No data is allowed after the bracket but before the port delimiter.
+ if port and not port.startswith(":"):
+ raise ValueError("Invalid IPv6 URL")
+ else:
+ hostname, _, port = hostname_and_port.partition(':')
+ _check_bracketed_host(hostname)
+
# Valid bracketed hosts are defined in
# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
def _check_bracketed_host(hostname):
@@ -496,8 +513,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
(']' in netloc and '[' not in netloc)):
raise ValueError("Invalid IPv6 URL")
if '[' in netloc and ']' in netloc:
- bracketed_host = netloc.partition('[')[2].partition(']')[0]
- _check_bracketed_host(bracketed_host)
+ _check_bracketed_netloc(netloc)
if allow_fragments and '#' in url:
url, fragment = url.split('#', 1)
if '?' in url:
diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
new file mode 100644
index 0000000000..bff1bc6b0d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
@@ -0,0 +1,4 @@
+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
+parsing would not reject domain names containing square brackets (``[`` and
+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

196
SOURCES/00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch Normal file
View File

@ -0,0 +1,196 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: yevgeny hong <hongyevgeny@gmail.com>
Date: Tue, 26 Mar 2024 16:45:43 +0900
Subject: 00462: Fix PySSL_SetError handling SSL_ERROR_SYSCALL
Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and
SSL_read_ex(), but did not update handling of the return value.
Change error handling so that the return value is not examined.
OSError (not EOF) is now returned when retval is 0.
This resolves the issue of failing tests when a system is
stressed on OpenSSL 3.5.
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
---
Lib/test/test_ssl.py | 28 ++++++-----
...-02-18-09-50-31.gh-issue-115627.HGchj0.rst | 2 +
Modules/_ssl.c | 48 +++++++------------
3 files changed, 35 insertions(+), 43 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0b169c37d5..921c41bd0d 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2633,16 +2633,18 @@ def run(self):
self.write(msg.lower())
except OSError as e:
# handles SSLError and socket errors
+ if isinstance(e, ConnectionError):
+ # OpenSSL 1.1.1 sometimes raises
+ # ConnectionResetError when connection is not
+ # shut down gracefully.
+ if self.server.chatty and support.verbose:
+ print(f" Connection reset by peer: {self.addr}")
+
+ self.close()
+ self.running = False
+ return
if self.server.chatty and support.verbose:
- if isinstance(e, ConnectionError):
- # OpenSSL 1.1.1 sometimes raises
- # ConnectionResetError when connection is not
- # shut down gracefully.
- print(
- f" Connection reset by peer: {self.addr}"
- )
- else:
- handle_error("Test server failure:\n")
+ handle_error("Test server failure:\n")
try:
self.write(b"ERROR\n")
except OSError:
@@ -3337,8 +3339,8 @@ def test_wrong_cert_tls13(self):
suppress_ragged_eofs=False) as s:
s.connect((HOST, server.port))
with self.assertRaisesRegex(
- ssl.SSLError,
- 'alert unknown ca|EOF occurred'
+ OSError,
+ 'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA|closed by the remote host|Connection reset by peer'
):
# TLS 1.3 perform client cert exchange after handshake
s.write(b'data')
@@ -4610,8 +4612,8 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
# test sometimes fails with EOF error. Test passes as long as
# server aborts connection with an error.
with self.assertRaisesRegex(
- ssl.SSLError,
- '(certificate required|EOF occurred)'
+ OSError,
+ 'certificate required|EOF occurred|closed by the remote host|Connection reset by peer'
):
# receive CertificateRequest
data = s.recv(1024)
diff --git a/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
new file mode 100644
index 0000000000..75d926ab59
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
@@ -0,0 +1,2 @@
+Fix the :mod:`ssl` module error handling of connection terminate by peer.
+It now throws an OSError with the appropriate error code instead of an EOFError.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 09207abde1..787c241133 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -576,7 +576,7 @@ PySSL_ChainExceptions(PySSLSocket *sslsock) {
}
static PyObject *
-PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+PySSL_SetError(PySSLSocket *sslsock, const char *filename, int lineno)
{
PyObject *type;
char *errstr = NULL;
@@ -589,7 +589,6 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
_sslmodulestate *state = get_state_sock(sslsock);
type = state->PySSLErrorObject;
- assert(ret <= 0);
e = ERR_peek_last_error();
if (sslsock->ssl != NULL) {
@@ -622,32 +621,21 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
case SSL_ERROR_SYSCALL:
{
if (e == 0) {
- PySocketSockObject *s = GET_SOCKET(sslsock);
- if (ret == 0 || (((PyObject *)s) == Py_None)) {
+ /* underlying BIO reported an I/O error */
+ ERR_clear_error();
+#ifdef MS_WINDOWS
+ if (err.ws) {
+ return PyErr_SetFromWindowsErr(err.ws);
+ }
+#endif
+ if (err.c) {
+ errno = err.c;
+ return PyErr_SetFromErrno(PyExc_OSError);
+ }
+ else {
p = PY_SSL_ERROR_EOF;
type = state->PySSLEOFErrorObject;
errstr = "EOF occurred in violation of protocol";
- } else if (s && ret == -1) {
- /* underlying BIO reported an I/O error */
- ERR_clear_error();
-#ifdef MS_WINDOWS
- if (err.ws) {
- return PyErr_SetFromWindowsErr(err.ws);
- }
-#endif
- if (err.c) {
- errno = err.c;
- return PyErr_SetFromErrno(PyExc_OSError);
- }
- else {
- p = PY_SSL_ERROR_EOF;
- type = state->PySSLEOFErrorObject;
- errstr = "EOF occurred in violation of protocol";
- }
- } else { /* possible? */
- p = PY_SSL_ERROR_SYSCALL;
- type = state->PySSLSyscallErrorObject;
- errstr = "Some I/O error occurred";
}
} else {
if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
@@ -1013,7 +1001,7 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self)
err.ssl == SSL_ERROR_WANT_WRITE);
Py_XDECREF(sock);
if (ret < 1)
- return PySSL_SetError(self, ret, __FILE__, __LINE__);
+ return PySSL_SetError(self, __FILE__, __LINE__);
if (PySSL_ChainExceptions(self) < 0)
return NULL;
Py_RETURN_NONE;
@@ -2434,7 +2422,7 @@ _ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
Py_XDECREF(sock);
if (retval == 0)
- return PySSL_SetError(self, retval, __FILE__, __LINE__);
+ return PySSL_SetError(self, __FILE__, __LINE__);
if (PySSL_ChainExceptions(self) < 0)
return NULL;
return PyLong_FromSize_t(count);
@@ -2464,7 +2452,7 @@ _ssl__SSLSocket_pending_impl(PySSLSocket *self)
self->err = err;
if (count < 0)
- return PySSL_SetError(self, count, __FILE__, __LINE__);
+ return PySSL_SetError(self, __FILE__, __LINE__);
else
return PyLong_FromLong(count);
}
@@ -2587,7 +2575,7 @@ _ssl__SSLSocket_read_impl(PySSLSocket *self, Py_ssize_t len,
err.ssl == SSL_ERROR_WANT_WRITE);
if (retval == 0) {
- PySSL_SetError(self, retval, __FILE__, __LINE__);
+ PySSL_SetError(self, __FILE__, __LINE__);
goto error;
}
if (self->exc_type != NULL)
@@ -2713,7 +2701,7 @@ _ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
}
if (ret < 0) {
Py_XDECREF(sock);
- PySSL_SetError(self, ret, __FILE__, __LINE__);
+ PySSL_SetError(self, __FILE__, __LINE__);
return NULL;
}
if (self->exc_type != NULL)

216
SOURCES/00467-CVE-2025-8194.patch Normal file
View File

@ -0,0 +1,216 @@
From b4ec17488eedec36d3c05fec127df71c0071f6cb Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Tue, 19 Aug 2025 20:00:46 +0200
Subject: [PATCH] [3.11] gh-130577: tarfile now validates archives to ensure
member offsets are non-negative (GH-137027) (#137172)
gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38)
Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/tarfile.py | 3 +
Lib/test/test_tarfile.py | 156 ++++++++++++++++++
...-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 +
3 files changed, 162 insertions(+)
create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index 2423e14bc540d8..c04c576ea22d2d 100755
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1614,6 +1614,9 @@ def _block(self, count):
"""Round up a byte count by BLOCKSIZE and return it,
e.g. _block(834) => 1024.
"""
+ # Only non-negative offsets are allowed
+ if count < 0:
+ raise InvalidHeaderError("invalid offset")
blocks, remainder = divmod(count, BLOCKSIZE)
if remainder:
blocks += 1
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 7377acdf398622..366aac781df1e7 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -50,6 +50,7 @@ def sha256sum(data):
xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
tmpname = os.path.join(TEMPDIR, "tmp.tar")
dotlessname = os.path.join(TEMPDIR, "testtar")
+SPACE = b" "
sha256_regtype = (
"e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
@@ -4386,6 +4387,161 @@ def extractall(self, ar):
ar.extractall(self.testdir, filter='fully_trusted')
+class OffsetValidationTests(unittest.TestCase):
+ tarname = tmpname
+ invalid_posix_header = (
+ # name: 100 bytes
+ tarfile.NUL * tarfile.LENGTH_NAME
+ # mode, space, null terminator: 8 bytes
+ + b"000755" + SPACE + tarfile.NUL
+ # uid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # gid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # size, space: 12 bytes
+ + b"\xff" * 11 + SPACE
+ # mtime, space: 12 bytes
+ + tarfile.NUL * 11 + SPACE
+ # chksum: 8 bytes
+ + b"0011407" + tarfile.NUL
+ # type: 1 byte
+ + tarfile.REGTYPE
+ # linkname: 100 bytes
+ + tarfile.NUL * tarfile.LENGTH_LINK
+ # magic: 6 bytes, version: 2 bytes
+ + tarfile.POSIX_MAGIC
+ # uname: 32 bytes
+ + tarfile.NUL * 32
+ # gname: 32 bytes
+ + tarfile.NUL * 32
+ # devmajor, space, null terminator: 8 bytes
+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
+ # devminor, space, null terminator: 8 bytes
+ + tarfile.NUL * 6 + SPACE + tarfile.NUL
+ # prefix: 155 bytes
+ + tarfile.NUL * tarfile.LENGTH_PREFIX
+ # padding: 12 bytes
+ + tarfile.NUL * 12
+ )
+ invalid_gnu_header = (
+ # name: 100 bytes
+ tarfile.NUL * tarfile.LENGTH_NAME
+ # mode, null terminator: 8 bytes
+ + b"0000755" + tarfile.NUL
+ # uid, null terminator: 8 bytes
+ + b"0000001" + tarfile.NUL
+ # gid, space, null terminator: 8 bytes
+ + b"0000001" + tarfile.NUL
+ # size, space: 12 bytes
+ + b"\xff" * 11 + SPACE
+ # mtime, space: 12 bytes
+ + tarfile.NUL * 11 + SPACE
+ # chksum: 8 bytes
+ + b"0011327" + tarfile.NUL
+ # type: 1 byte
+ + tarfile.REGTYPE
+ # linkname: 100 bytes
+ + tarfile.NUL * tarfile.LENGTH_LINK
+ # magic: 8 bytes
+ + tarfile.GNU_MAGIC
+ # uname: 32 bytes
+ + tarfile.NUL * 32
+ # gname: 32 bytes
+ + tarfile.NUL * 32
+ # devmajor, null terminator: 8 bytes
+ + tarfile.NUL * 8
+ # devminor, null terminator: 8 bytes
+ + tarfile.NUL * 8
+ # padding: 167 bytes
+ + tarfile.NUL * 167
+ )
+ invalid_v7_header = (
+ # name: 100 bytes
+ tarfile.NUL * tarfile.LENGTH_NAME
+ # mode, space, null terminator: 8 bytes
+ + b"000755" + SPACE + tarfile.NUL
+ # uid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # gid, space, null terminator: 8 bytes
+ + b"000001" + SPACE + tarfile.NUL
+ # size, space: 12 bytes
+ + b"\xff" * 11 + SPACE
+ # mtime, space: 12 bytes
+ + tarfile.NUL * 11 + SPACE
+ # chksum: 8 bytes
+ + b"0010070" + tarfile.NUL
+ # type: 1 byte
+ + tarfile.REGTYPE
+ # linkname: 100 bytes
+ + tarfile.NUL * tarfile.LENGTH_LINK
+ # padding: 255 bytes
+ + tarfile.NUL * 255
+ )
+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
+ data_block = b"\xff" * tarfile.BLOCKSIZE
+
+ def _write_buffer(self, buffer):
+ with open(self.tarname, "wb") as f:
+ f.write(buffer)
+
+ def _get_members(self, ignore_zeros=None):
+ with open(self.tarname, "rb") as f:
+ with tarfile.open(
+ mode="r", fileobj=f, ignore_zeros=ignore_zeros
+ ) as tar:
+ return tar.getmembers()
+
+ def _assert_raises_read_error_exception(self):
+ with self.assertRaisesRegex(
+ tarfile.ReadError, "file could not be opened successfully"
+ ):
+ self._get_members()
+
+ def test_invalid_offset_header_validations(self):
+ for tar_format, invalid_header in (
+ ("posix", self.invalid_posix_header),
+ ("gnu", self.invalid_gnu_header),
+ ("v7", self.invalid_v7_header),
+ ):
+ with self.subTest(format=tar_format):
+ self._write_buffer(invalid_header)
+ self._assert_raises_read_error_exception()
+
+ def test_early_stop_at_invalid_offset_header(self):
+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
+ self._write_buffer(buffer)
+ members = self._get_members()
+ self.assertEqual(len(members), 1)
+ self.assertEqual(members[0].name, "filename")
+ self.assertEqual(members[0].offset, 0)
+
+ def test_ignore_invalid_archive(self):
+ # 3 invalid headers with their respective data
+ buffer = (self.invalid_gnu_header + self.data_block) * 3
+ self._write_buffer(buffer)
+ members = self._get_members(ignore_zeros=True)
+ self.assertEqual(len(members), 0)
+
+ def test_ignore_invalid_offset_headers(self):
+ for first_block, second_block, expected_offset in (
+ (
+ (self.valid_gnu_header),
+ (self.invalid_gnu_header + self.data_block),
+ 0,
+ ),
+ (
+ (self.invalid_gnu_header + self.data_block),
+ (self.valid_gnu_header),
+ 1024,
+ ),
+ ):
+ self._write_buffer(first_block + second_block)
+ members = self._get_members(ignore_zeros=True)
+ self.assertEqual(len(members), 1)
+ self.assertEqual(members[0].name, "filename")
+ self.assertEqual(members[0].offset, expected_offset)
+
+
def setUpModule():
os_helper.unlink(TEMPDIR)
os.makedirs(TEMPDIR)
diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
new file mode 100644
index 00000000000000..342cabbc865dc4
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
@@ -0,0 +1,3 @@
+:mod:`tarfile` now validates archives to ensure member offsets are
+non-negative. (Contributed by Alexander Enrique Urieles Nieto in
+:gh:`130577`.)

16
SOURCES/Python-3.11.11.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmdPRgIACgkQ/+h0BBaL
2EeZ0g//W0Dw34k4l9Itf++MtfvRzfHIaELmo3w44y1bOl4WumgzTocVAoFf/vF2
BYupcHzPKV/3n2qrAEkEryutV21MykSZzcryDNXqXCAra/5WIFhpKfdGE+q6Ld/a
6bJEQwbXuuE703GWGwIVT8Dxeo7gPdpyZegnKpGS9ij/01m5s30DXSu9+HFkQmUL
dmqjPyE80hUbcrb5qoTedh0Kn+TsfhQ3QfSLTHailsCFpb6Y17KI2GSRAhKTvaEw
+to46LMximYc+Nz+frjTIzoUNsCh5wcBAnN5yLh3wIJTWdo7CGg8ffaZmBDJhRPR
drUl/8GFjC0WPfPSnwJFEfn+Dy9jmrhcoIzb/RdSZhe1NybxJ9o6cEybSM7/A/X3
RPMsywEiMElK4TAyjgMobxtDaZAC1V/qzfKP8bLdyhNWKC8pLwaL1S0xPZvToIT2
kZ4AyqEScZb23vI3P8orymawsdJBMhtZ7yJlUtsx1IdzgPEN3YLgjiqBTzRpOjZV
VcyUZZKn7aLZYFQlcY1ghtCj5Z5RIFwnOg4Ay+M3UNzXrd81rWc7IcIVLuQPGVgu
INlDLpQs2EuikXWT2ADvQ/Gm3Z42M3AZtSDIUyRb1gFWDWjqThjO0ypFA1rdZb6+
2MjmRsQ9nK6Nm5uJ+Ww+s0o8O/D52pMg/J9zshQGON/8LRBBoXk=
=UKo7
-----END PGP SIGNATURE-----

16
SOURCES/Python-3.11.13.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmg/TJcACgkQ/+h0BBaL
2EdZXA/+P2dP1QMiwB3RyWkSoYmRIGqzCW9avVXt+PPsuogJ0QgKwU74uPViks4r
jOGvNJq9xiGgObJV66LxZx/agtwQPCfNKH6PIYi5EQvDGrFNADvarJPS58bLqSeS
W6LGBeFV/9T62NtjMvO2ZhwQzDnGbt+SvIVhO9gQfO6Zq45OP3TOOGHZzQv0Uffr
Q1BNOUbhO8ARlVG9dJVd2WEO2MWPsirJcsY9rbDeXeKoj/sGlsb8wbAOP5ow16nR
QR304+MwqPaQCKom7miZzyT78pkWahzES3Wn1fMaiBqesRv8V+9NZShxOb7WEkEH
tySPm9DeFEuKIeBRVeealsURyBOEoRaplFKqXUQI+/tc6OlJYzhNuHGUZuG5oIIq
yVCI+nxkxk5QWbQj0z0A3F0Ko4oD3OX/m/YC9gnLdnQ5odf2Lu/nbuVy/nxc1Ecv
fQYUp6ebw8UquLIlj2KsSYjHO+qNi0E0JR+h+M0L8AyVroAEvyUYk5ikOwULv1Mp
FIOHTmOX1wFJ5p3HP5yIcUDVbLWOvxcX1qPv9v62k2vWXXJwTy5f7zpx0v4tXJ2T
4JtR5wghJzBcpyb7C98pX2dHSr6SD/UQk+gVeztjwZf5JXLMcifyhsJvR3TRuy2p
dD6kQ+gelg1OwSQH4QvZ4xbs9mSS14vJVEhGRO8dEjFTWYxJpIo=
=DdRc
-----END PGP SIGNATURE-----

42
SPECS/python3.11.spec
View File

@ -16,11 +16,11 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version, # WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well # remember to update the python3-docs package as well
%global general_version %{pybasever}.11 %global general_version %{pybasever}.13
#global prerel ... #global prerel ...
%global upstream_version %{general_version}%{?prerel} %global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}} Version: %{general_version}%{?prerel:~%{prerel}}
Release: 2%{?dist} Release: 3%{?dist}
License: Python License: Python
@ -228,6 +228,7 @@ BuildRequires: valgrind-devel
BuildRequires: xz-devel BuildRequires: xz-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: /usr/bin/dtrace BuildRequires: /usr/bin/dtrace
# workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig) # workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig)
@ -369,9 +370,26 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
# Downstream only. # Downstream only.
Patch422: 00422-fix-expat-tests.patch Patch422: 00422-fix-expat-tests.patch
# 00450 # 4ab8663661748eb994c09e4ae89f59eb84c5d3ea # 00462 # c9db492d8924b2d1a0991e36f3c2b4f9c2ec8942
# CVE-2025-0938: Disallow square brackets ([ and ]) in domain names for parsed URLs # Fix PySSL_SetError handling SSL_ERROR_SYSCALL
Patch450: 00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch #
# Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and
# SSL_read_ex(), but did not update handling of the return value.
#
# Change error handling so that the return value is not examined.
# OSError (not EOF) is now returned when retval is 0.
#
# This resolves the issue of failing tests when a system is
# stressed on OpenSSL 3.5.
Patch462: 00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch
# 00467 #
# CVE-2025-8194
#
# tarfile now validates archives to ensure member offsets are non-negative.
#
# Upstream issue: https://github.com/python/cpython/issues/130577
Patch467: 00467-CVE-2025-8194.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
@ -1651,6 +1669,20 @@ CheckPython optimized
# ====================================================== # ======================================================
%changelog %changelog
* Thu Aug 21 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.13-3
- Security fix for CVE-2025-8194
Resolves: RHEL-106365
* Wed Jul 23 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.13-2
- Fix PySSL_SetError handling SSL_ERROR_SYSCALL
- This fixes random flakiness of test_ssl on stressed machines
Resolves: RHEL-101551
* Wed Jun 04 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.11.13-1
- Update to 3.11.13
- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
Resolves: RHEL-98044, RHEL-98014, RHEL-98237, RHEL-98176, RHEL-98205
* Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.11-2 * Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.11-2
- Security fix for CVE-2025-0938 - Security fix for CVE-2025-0938
Resolves: RHEL-77262 Resolves: RHEL-77262