import UBI python3.12-3.12.9-2.el10_0.2

00464-enable-pac-and-bti-protections-for-aarch64.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Tue, 3 Jun 2025 03:02:15 +0200
+Subject: 00464: Enable PAC and BTI protections for aarch64
+
+Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S
+
+The BTI flag must be applied in the assembler sources for this class
+of attacks to be mitigated on newer aarch64 processors.
+
+Upstream PR: https://github.com/python/cpython/pull/130864/files
+
+The upstream patch is incomplete but only for the case where
+frame pointers are not used on 3.13+.
+
+Since on Fedora we always compile with frame pointers the BTI/PAC
+hardware protections can be enabled without losing Perf unwinding.
+---
+ Python/asm_trampoline.S         |  4 +++
+ Python/asm_trampoline_aarch64.h | 50 +++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 Python/asm_trampoline_aarch64.h
+
+diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
+index 341d0bbe51..ae882660b5 100644
+--- a/Python/asm_trampoline.S
++++ b/Python/asm_trampoline.S
+@@ -1,3 +1,5 @@
++#include "asm_trampoline_aarch64.h"
++
+     .text
+     .globl	_Py_trampoline_func_start
+ # The following assembly is equivalent to:
+@@ -20,10 +22,12 @@ _Py_trampoline_func_start:
+ #if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
+     // ARM64 little endian, 64bit ABI
+     // generate with aarch64-linux-gnu-gcc 12.1
++    SIGN_LR
+     stp     x29, x30, [sp, -16]!
+     mov     x29, sp
+     blr     x3
+     ldp     x29, x30, [sp], 16
++    VERIFY_LR
+     ret
+ #endif
+     .globl	_Py_trampoline_func_end
+diff --git a/Python/asm_trampoline_aarch64.h b/Python/asm_trampoline_aarch64.h
+new file mode 100644
+index 0000000000..4b0ec4a7dc
+--- /dev/null
++++ b/Python/asm_trampoline_aarch64.h
+@@ -0,0 +1,50 @@
++#ifndef ASM_TRAMPOLINE_AARCH_64_H_
++#define ASM_TRAMPOLINE_AARCH_64_H_
++
++/*
++ * References:
++ *  - https://developer.arm.com/documentation/101028/0012/5--Feature-test-macros
++ *  - https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst
++ */
++
++#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
++  #define BTI_J hint 36 /* bti j: for jumps, IE br instructions */
++  #define BTI_C hint 34  /* bti c: for calls, IE bl instructions */
++  #define GNU_PROPERTY_AARCH64_BTI 1 /* bit 0 GNU Notes is for BTI support */
++#else
++  #define BTI_J
++  #define BTI_C
++  #define GNU_PROPERTY_AARCH64_BTI 0
++#endif
++
++#if defined(__ARM_FEATURE_PAC_DEFAULT)
++  #if __ARM_FEATURE_PAC_DEFAULT & 1
++    #define SIGN_LR hint 25 /* paciasp: sign with the A key */
++    #define VERIFY_LR hint 29 /* autiasp: verify with the A key */
++  #elif __ARM_FEATURE_PAC_DEFAULT & 2
++    #define SIGN_LR hint 27 /* pacibsp: sign with the b key */
++    #define VERIFY_LR hint 31 /* autibsp: verify with the b key */
++  #endif
++  #define GNU_PROPERTY_AARCH64_POINTER_AUTH 2 /* bit 1 GNU Notes is for PAC support */
++#else
++  #define SIGN_LR BTI_C
++  #define VERIFY_LR
++  #define GNU_PROPERTY_AARCH64_POINTER_AUTH 0
++#endif
++
++/* Add the BTI and PAC support to GNU Notes section */
++#if GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_POINTER_AUTH != 0
++    .pushsection .note.gnu.property, "a"; /* Start a new allocatable section */
++    .balign 8; /* align it on a byte boundry */
++    .long 4; /* size of "GNU\0" */
++    .long 0x10; /* size of descriptor */
++    .long 0x5; /* NT_GNU_PROPERTY_TYPE_0 */
++    .asciz "GNU";
++    .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
++    .long 4; /* Four bytes of data */
++    .long (GNU_PROPERTY_AARCH64_BTI|GNU_PROPERTY_AARCH64_POINTER_AUTH); /* BTI or PAC is enabled */
++    .long 0; /* padding for 8 byte alignment */
++    .popsection; /* end the section */
++#endif
++
++#endif

python3.12.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}.1
+Release: 2%{?dist}.2
 License: Python-2.0.1
 
 
@@ -423,6 +423,30 @@ Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
 # See also: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
 Patch459: 00459-apply-intel-control-flow-technology-for-x86-64.patch
 
+# 00464 # 1c713e02a26bf8865bb6421749d19d0766cac178
+# Enable PAC and BTI protections for aarch64
+#
+# Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S
+#
+# The BTI flag must be applied in the assembler sources for this class
+# of attacks to be mitigated on newer aarch64 processors.
+#
+# Upstream PR: https://github.com/python/cpython/pull/130864/
+#
+# The upstream patch is incomplete but only for the case where
+# frame pointers are not used on 3.13+.
+#
+# Since we don't utilize frame pointers on RHEL and CS, Perf profiling
+# will not show the Python functions, irrespective of this patch.
+Patch464: 00464-enable-pac-and-bti-protections-for-aarch64.patch
+
+# 00465 #
+# Security fixes for:
+# CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718 and CVE-2025-4435 in the tarfile module.
+#
+# Resolved upstream: https://github.com/python/cpython/pull/135066
+Patch465: 00465-tarfile-cves.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1787,6 +1811,11 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Fri Jun 20 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.12.9-2.2
+- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
+- Enable PAC and BTI hardware protections for aarch64
+- Resolves: RHEL-98059, RHEL-98046, RHEL-97812, RHEL-98061, RHEL-98179, RHEL-98865
+
 * Tue Apr 22 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.12.9-2.1
 - Apply Intel's CET for mitigation against control-flow hijacking attacks
 Resolves: RHEL-88325