From a37f8c40f8fd2e63656c891109c826088d09004c Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis
Date: Thu, 7 Sep 2023 02:28:27 +0200
Subject: [PATCH] Rebase to 3.11.5

Security fixes for CVE-2023-40217 and CVE-2023-41105
Resolves: RHEL-3045, RHEL-3269
---
 .gitignore | 2 +
 00397-tarfile-filter.patch | 110 -------------------------------------
 python3.11.spec | 15 ++++-
 sources | 4 +-
 tests/tests.yml | 4 +-
 5 files changed, 18 insertions(+), 117 deletions(-)

diff --git a/.gitignore b/.gitignore
index 40fb861..5b599b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@
 /Python-3.11.2.tar.xz.asc
 /Python-3.11.4.tar.xz
 /Python-3.11.4.tar.xz.asc
+/Python-3.11.5.tar.xz
+/Python-3.11.5.tar.xz.asc
diff --git a/00397-tarfile-filter.patch b/00397-tarfile-filter.patch
index bd8f98f..3c4ebf4 100644
--- a/00397-tarfile-filter.patch
+++ b/00397-tarfile-filter.patch
@@ -1,113 +1,3 @@ -From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Wed, 9 Aug 2023 20:23:03 +0200 -Subject: [PATCH] Fix symlink handling for tarfile.data_filter - ---- - Doc/library/tarfile.rst | 5 +++++ - Lib/tarfile.py | 9 ++++++++- - Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++-- - 3 files changed, 37 insertions(+), 3 deletions(-) - -diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst -index 00f3070324e..e0511bfeb64 100644 ---- a/Doc/library/tarfile.rst -+++ b/Doc/library/tarfile.rst -@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes: - Name of the target file name, which is only present in :class:`TarInfo` objects - of type :const:`LNKTYPE` and :const:`SYMTYPE`. - -+ For symbolic links (``SYMTYPE``), the linkname is relative to the directory -+ that contains the link. -+ For hard links (``LNKTYPE``), the linkname is relative to the root of -+ the archive. -+ - - .. attribute:: TarInfo.uid - :type: int -diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index df4e41f7a0d..d62323715b4 100755 ---- a/Lib/tarfile.py -+++ b/Lib/tarfile.py -@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True): - if member.islnk() or member.issym(): - if os.path.isabs(member.linkname): - raise AbsoluteLinkError(member) -- target_path = os.path.realpath(os.path.join(dest_path, member.linkname)) -+ if member.issym(): -+ target_path = os.path.join(dest_path, -+ os.path.dirname(name), -+ member.linkname) -+ else: -+ target_path = os.path.join(dest_path, -+ member.linkname) -+ target_path = os.path.realpath(target_path) - if os.path.commonpath([target_path, dest_path]) != dest_path: - raise LinkOutsideDestinationError(member, target_path) - return new_attrs -diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py -index 2eda7fc4cea..79fc35c2895 100644 ---- a/Lib/test/test_tarfile.py -+++ b/Lib/test/test_tarfile.py -@@ -3337,10 +3337,12 @@ def __exit__(self, 
*exc): - self.bio = None - - def add(self, name, *, type=None, symlink_to=None, hardlink_to=None, -- mode=None, **kwargs): -+ mode=None, size=None, **kwargs): - """Add a member to the test archive. Call within `with`.""" - name = str(name) - tarinfo = tarfile.TarInfo(name).replace(**kwargs) -+ if size is not None: -+ tarinfo.size = size - if mode: - tarinfo.mode = _filemode_to_int(mode) - if symlink_to is not None: -@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter): - raise self.raised_exception - self.assertEqual(self.expected_paths, set()) - -- def expect_file(self, name, type=None, symlink_to=None, mode=None): -+ def expect_file(self, name, type=None, symlink_to=None, mode=None, -+ size=None): - """Check a single file. See check_context.""" - if self.raised_exception: - raise self.raised_exception -@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None): - self.assertTrue(path.is_fifo()) - else: - raise NotImplementedError(type) -+ if size is not None: -+ self.assertEqual(path.stat().st_size, size) - for parent in path.parents: - self.expected_paths.discard(parent) - -@@ -3649,6 +3654,22 @@ def test_sly_relative2(self): - + """['"].*moo['"], which is outside the """ - + "destination") - -+ def test_deep_symlink(self): -+ with ArchiveMaker() as arc: -+ arc.add('targetdir/target', size=3) -+ arc.add('linkdir/hardlink', hardlink_to='targetdir/target') -+ arc.add('linkdir/symlink', symlink_to='../targetdir/target') -+ -+ for filter in 'tar', 'data', 'fully_trusted': -+ with self.check_context(arc.open(), filter): -+ self.expect_file('targetdir/target', size=3) -+ self.expect_file('linkdir/hardlink', size=3) -+ if os_helper.can_symlink(): -+ self.expect_file('linkdir/symlink', size=3, -+ symlink_to='../targetdir/target') -+ else: -+ self.expect_file('linkdir/symlink', size=3) -+ - def test_modes(self): - # Test how file modes are extracted - # (Note that the modes are ignored on platforms without working chmod) --- -2.41.0 - 
From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 6 Mar 2023 17:24:24 +0100
diff --git a/python3.11.spec b/python3.11.spec
index e838321..4afa3bb 100644
--- a/python3.11.spec
+++ b/python3.11.spec
@@ -16,11 +16,11 @@ URL: https://www.python.org/
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
-%global general_version %{pybasever}.4
+%global general_version %{pybasever}.5
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: Python
@@ -63,7 +63,7 @@ License: Python
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 23.1.2
+%global pip_version 23.2.1
 %global setuptools_version 65.5.0
 # Expensive optimizations (mainly, profile-guided optimizations)
@@ -1095,10 +1095,14 @@ CheckPython() {
 # test_freeze_simple_script is skipped, because it fails when bundled wheels
 # are removed in Fedora.
 # upstream report: https://bugs.python.org/issue45783
+ # test_check_probes is failing since it was introduced in 3.11.5,
+ # the test is skipped until it is fixed in upstream.
+ # see: https://github.com/python/cpython/issues/104280#issuecomment-1669249980
 LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \
 -wW --slowest -j0 --timeout=1800 \
 -i test_freeze_simple_script \
+ -i test_check_probes \
 %if %{with bootstrap}
 -x test_distutils \
 %endif
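Review bot: The new `-i test_check_probes` skip in the CheckPython hunk is unconditional and is duplicated by hand in tests/tests.yml (the `X='-i test_check_probes'` change in the same commit), but only this site carries the explanation, so the two will drift and the skip is likely to outlive the upstream fix. Extend the comment so both sites are found when it is reverted, e.g. `# The same skip is passed via X= in tests/tests.yml; remove both once gh-104280 is fixed upstream.` If a version macro is convenient at this point in the spec, guarding the `-i` line with an `%if` on the affected version would make the skip self-expiring, though I cannot tell from the hunk which macro fits. The CheckPython function continues outside the hunk.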
@@ -1609,6 +1613,11 @@ CheckPython optimized
 # ======================================================
 %changelog
+* Thu Sep 07 2023 Charalampos Stratakis - 3.11.5-1
+- Rebase to 3.11.5
+- Security fixes for CVE-2023-40217 and CVE-2023-41105
+Resolves: RHEL-3045, RHEL-3269
+
 * Wed Aug 09 2023 Petr Viktorin - 3.11.4-3
 - Fix symlink handling in the fix for CVE-2023-24329
 Resolves: rhbz#263261
diff --git a/sources b/sources
index 6b8930e..be0708a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (Python-3.11.4.tar.xz) = 7eb14fecbf60824d10c22a9057584c3a142c2866f4af6caa2525c10c8bcb24e6e7afb32a44a0e118df0a2b2543d578c3b422ffd4a5fa317dfe6ea371cc7ee1ee
-SHA512 (Python-3.11.4.tar.xz.asc) = 8ee82bf116b2cc7407e260eccf53e7fee4d7497165d0b9c3e59931c73f3b419bc0299b459eee9544a6e51e323ff0a6aa07827efd89f9c320b54556feeea04a78
+SHA512 (Python-3.11.5.tar.xz) = 93fa640bedcea449060caac8aa691aa315a19f172fd9f0422183d17749c3512d4ecac60e7599f9ef14e3cdb3c8b4b060e484c9061b1e7ee8d958200d6041e408
+SHA512 (Python-3.11.5.tar.xz.asc) = 5a8e1b1cabe89de03c050d581bbd3ec917d93ec943b2e8241db05c245809cf80294022c4cfc1bea3b90aa0570176109aac90455057256c025e2596aa136375fc
diff --git a/tests/tests.yml b/tests/tests.yml
index 52d7b2b..2f9a73b 100644
--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -30,10 +30,10 @@
 run: "PYTHON=python{{ pybasever }}d TOX=false VERSION={{ pybasever }} ./venv.sh"
 - selftest:
 dir: python/selftest
- run: "VERSION={{ pybasever }} X='' ./parallel.sh"
+ run: "VERSION={{ pybasever }} X='-i test_check_probes' ./parallel.sh"
 - debugtest:
 dir: python/selftest
- run: "VERSION={{ pybasever }} PYTHON=python{{ pybasever }}d X='' ./parallel.sh"
+ run: "VERSION={{ pybasever }} PYTHON=python{{ pybasever }}d X='-i test_check_probes' ./parallel.sh"
 - debugflags:
 dir: python/flags
 run: "python{{ pybasever }}d ./assertflags.py -O0"