From 28fa5f87fc5f01b630e451a084cf6f5823994d30 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 2 Jul 2024 18:50:13 +0000 Subject: [PATCH] import UBI python3.12-3.12.3-2.el8_10 --- .gitignore | 2 +- .python3.12.metadata | 2 +- .../00251-change-user-install-location.patch | 10 +- SOURCES/00329-fips.patch | 309 ++---------------- ...or-the-main-thread-gh-28549-gh-28589.patch | 12 +- SOURCES/00397-tarfile-filter.patch | 6 +- ...-addresses-in-email-parseaddr-111116.patch | 10 +- ...s-for-xmlpullparser-with-expat-2-6-0.patch | 63 ++++ ...st-wheeldata-when-it-s-actually-used.patch | 28 ++ SOURCES/Python-3.12.1.tar.xz.asc | 18 - SOURCES/Python-3.12.3.tar.xz.asc | 18 + SPECS/python3.12.spec | 90 +++-- 12 files changed, 217 insertions(+), 351 deletions(-) create mode 100644 SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch create mode 100644 SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch delete mode 100644 SOURCES/Python-3.12.1.tar.xz.asc create mode 100644 SOURCES/Python-3.12.3.tar.xz.asc diff --git a/.gitignore b/.gitignore index 285bb0f..6fdfde7 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.12.1.tar.xz +SOURCES/Python-3.12.3.tar.xz diff --git a/.python3.12.metadata b/.python3.12.metadata index de37775..f12e9fa 100644 --- a/.python3.12.metadata +++ b/.python3.12.metadata @@ -1 +1 @@ -5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz +3df73004a9b224d021fd397724e8bd4f9b6cc824 SOURCES/Python-3.12.3.tar.xz diff --git a/SOURCES/00251-change-user-install-location.patch b/SOURCES/00251-change-user-install-location.patch index 1622e53..c3938ae 100644 --- a/SOURCES/00251-change-user-install-location.patch +++ b/SOURCES/00251-change-user-install-location.patch @@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/Lib/site.py b/Lib/site.py -index 672fa7b000..0a9c5be53e 100644 +index 924b2460d9..51b5baca93 100644 --- a/Lib/site.py +++ b/Lib/site.py -@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None): +@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None): return sitepackages def addsitepackages(known_paths, prefixes=None): @@ -129,7 +129,7 @@ index 122d441bd1..2d354a11da 100644 # On Windows we want to substitute 'lib' for schemes rather # than the native value (without modifying vars, in case it diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py -index b6dbf3d52c..4f06a7673c 100644 +index 1137c2032b..8fc2b84f52 100644 --- a/Lib/test/test_sysconfig.py +++ b/Lib/test/test_sysconfig.py @@ -110,8 +110,19 @@ def test_get_path(self): @@ -153,7 +153,7 @@ index b6dbf3d52c..4f06a7673c 100644 os.path.normpath(expected), ) -@@ -335,7 +346,7 @@ def test_get_config_h_filename(self): +@@ -344,7 +355,7 @@ def test_get_config_h_filename(self): self.assertTrue(os.path.isfile(config_h), config_h) def test_get_scheme_names(self): @@ -162,7 +162,7 @@ index b6dbf3d52c..4f06a7673c 100644 if HAS_USER_BASE: wanted.extend(['nt_user', 'osx_framework_user', 'posix_user']) self.assertEqual(get_scheme_names(), tuple(sorted(wanted))) -@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880 +@@ -356,6 +367,8 @@ def test_symlink(self): # Issue 7880 cmd = "-c", "import sysconfig; print(sysconfig.get_platform())" self.assertEqual(py.call_real(*cmd), py.call_link(*cmd)) diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index 5cda8e7..f95b71e 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -1,7 +1,7 @@ -From 5cedde59cde3f05af798a7cb5bc722cb0deb4835 Mon Sep 17 00:00:00 2001 +From 43ce74d971fad62db6ccd723fe6b01da9c7ff407 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 -Subject: [PATCH 1/6] Expose blake2b and blake2s hashes from OpenSSL +Subject: [PATCH 1/5] Expose blake2b and blake2s hashes from OpenSSL These aren't as powerful as Python's own implementation, but they can be used under FIPS. @@ -251,13 +251,13 @@ index fb61a44..1e42b87 100644 -/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/ -- -2.43.0 +2.45.0 -From 2a12baa9e201f54560ec99ad5ee1fa5b0006aa39 Mon Sep 17 00:00:00 2001 +From 6872b634078a2c69644235781ebffb07f8edcb83 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 -Subject: [PATCH 2/6] Disable Python's hash implementations in FIPS mode, +Subject: [PATCH 2/5] Disable Python's hash implementations in FIPS mode, forcing OpenSSL --- @@ -445,10 +445,10 @@ index a8bad9d..1b1d937 100644 + if (_Py_hashlib_fips_error(exc, name)) return NULL; \ +} while (0) diff --git a/configure.ac b/configure.ac -index 1876f77..1875d1e 100644 +index 65ad1c2..b5f9ab5 100644 --- a/configure.ac +++ b/configure.ac -@@ -7439,7 +7439,8 @@ PY_STDLIB_MOD([_sha2], +@@ -7463,7 +7463,8 @@ PY_STDLIB_MOD([_sha2], PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes]) PY_STDLIB_MOD([_blake2], [test "$with_builtin_blake2" = yes], [], @@ -459,13 +459,13 @@ index 1876f77..1875d1e 100644 PY_STDLIB_MOD([_crypt], [], [test "$ac_cv_crypt_crypt" = yes], -- -2.43.0 +2.45.0 -From bca05b7fdb8dcab21ef80db1d59dd5daa835d84b Mon Sep 17 00:00:00 2001 +From f904abdd7a607282c2cdfd18288045cedfa28414 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 29 Jan 2021 14:16:21 +0100 -Subject: [PATCH 3/6] Use python's fall back crypto implementations only if we +Subject: [PATCH 3/5] Use python's fall back crypto implementations only if we are not in FIPS mode --- @@ -552,13 +552,13 @@ index dd61a9a..6031b02 100644 get_builtin_constructor = getattr(hashlib, '__get_builtin_constructor') -- -2.43.0 +2.45.0 -From c9a79f0aafd28677e3e0b8a1f6410105a71ff071 Mon Sep 17 00:00:00 2001 +From 9bf0a53b7831409613c44fd7feecb56476f5e5e7 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 -Subject: [PATCH 4/6] Test equivalence of hashes for the various digests with +Subject: [PATCH 4/5] Test equivalence of hashes for the various digests with usedforsecurity=True/False --- @@ -712,13 +712,13 @@ index 6031b02..5bd5297 100644 class KDFTests(unittest.TestCase): -- -2.43.0 +2.45.0 -From e972a838729ea84a0f2e0ca8e88ae1bfc129e7d8 Mon Sep 17 00:00:00 2001 +From 8a76571515a64a57b4ea0586ae8376cf2ef0ac60 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 -Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode +Subject: [PATCH 5/5] Guard against Python HMAC in FIPS mode --- Lib/hmac.py | 13 +++++++++---- @@ -726,7 +726,7 @@ Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/Lib/hmac.py b/Lib/hmac.py -index 8b4f920..20ef96c 100644 +index 8b4eb2f..e8e4864 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -16,8 +16,9 @@ else: @@ -750,7 +750,7 @@ index 8b4f920..20ef96c 100644 raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__) if not digestmod: - raise TypeError("Missing required parameter 'digestmod'.") + raise TypeError("Missing required argument 'digestmod'.") - if _hashopenssl and isinstance(digestmod, (str, _functype)): + if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))): @@ -773,7 +773,7 @@ index 8b4f920..20ef96c 100644 digest_cons = digestmod elif isinstance(digestmod, str): diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index a39a2c4..b7b24ab 100644 +index 1502fba..7997073 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -5,6 +5,7 @@ import hashlib @@ -812,7 +812,7 @@ index a39a2c4..b7b24ab 100644 @unittest.skipUnless(sha256_module is not None, 'need _sha256') def test_with_sha256_module(self): h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256) -@@ -481,6 +489,7 @@ class SanityTestCase(unittest.TestCase): +@@ -489,6 +497,7 @@ class UpdateTestCase(unittest.TestCase): class CopyTestCase(unittest.TestCase): @@ -820,7 +820,7 @@ index a39a2c4..b7b24ab 100644 @hashlib_helper.requires_hashdigest('sha256') def test_attributes_old(self): # Testing if attributes are of same type. -@@ -492,6 +501,7 @@ class CopyTestCase(unittest.TestCase): +@@ -500,6 +509,7 @@ class CopyTestCase(unittest.TestCase): self.assertEqual(type(h1._outer), type(h2._outer), "Types of outer don't match.") @@ -829,270 +829,5 @@ index a39a2c4..b7b24ab 100644 def test_realcopy_old(self): # Testing if the copy method created a real copy. -- -2.43.0 - - -From b12202196a78b877dcd32cfea273051b60038a41 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Wed, 25 Aug 2021 16:44:43 +0200 -Subject: [PATCH 6/6] Disable hash-based PYCs in FIPS mode - -If FIPS mode is on, we can't use siphash-based HMAC -(_Py_KeyedHash), so: - -- Unchecked hash PYCs can be imported, but not created -- Checked hash PYCs can not be imported nor created -- The default mode is timestamp-based PYCs, even if - SOURCE_DATE_EPOCH is set. - -If FIPS mode is off, there are no changes in behavior. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169 ---- - Lib/py_compile.py | 4 +++- - Lib/test/support/__init__.py | 14 +++++++++++++ - Lib/test/test_cmd_line_script.py | 2 ++ - Lib/test/test_compileall.py | 11 +++++++++- - .../test_importlib/source/test_file_loader.py | 6 ++++++ - Lib/test/test_py_compile.py | 11 ++++++++-- - Lib/test/test_zipimport.py | 2 ++ - Python/import.c | 20 +++++++++++++++++++ - 8 files changed, 66 insertions(+), 4 deletions(-) - -diff --git a/Lib/py_compile.py b/Lib/py_compile.py -index 388614e..fd9a139 100644 ---- a/Lib/py_compile.py -+++ b/Lib/py_compile.py -@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum): - - - def _get_default_invalidation_mode(): -- if os.environ.get('SOURCE_DATE_EPOCH'): -+ import _hashlib -+ if (os.environ.get('SOURCE_DATE_EPOCH') and not -+ _hashlib.get_fips_mode()): - return PycInvalidationMode.CHECKED_HASH - else: - return PycInvalidationMode.TIMESTAMP -diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py -index fd9265c..fcd1ea7 100644 ---- a/Lib/test/support/__init__.py -+++ b/Lib/test/support/__init__.py -@@ -2346,6 +2346,20 @@ def sleeping_retry(timeout, err_msg=None, /, - delay = min(delay * 2, max_delay) - - -+def fails_in_fips_mode(expected_error): -+ import _hashlib -+ if _hashlib.get_fips_mode(): -+ def _decorator(func): -+ def _wrapper(self, *args, **kwargs): -+ with self.assertRaises(expected_error): -+ func(self, *args, **kwargs) -+ return _wrapper -+ else: -+ def _decorator(func): -+ return func -+ return _decorator -+ -+ - @contextlib.contextmanager - def adjust_int_max_str_digits(max_digits): - """Temporarily change the integer string conversion length limit.""" -diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py -index 1b58882..d6caff1 100644 ---- a/Lib/test/test_cmd_line_script.py -+++ b/Lib/test/test_cmd_line_script.py -@@ -286,6 +286,7 @@ class CmdLineTest(unittest.TestCase): - self._check_script(zip_name, run_name, zip_name, zip_name, '', - zipimport.zipimporter) - -+ @support.fails_in_fips_mode(ImportError) - def test_zipfile_compiled_checked_hash(self): - with os_helper.temp_dir() as script_dir: - script_name = _make_test_script(script_dir, '__main__') -@@ -296,6 +297,7 @@ class CmdLineTest(unittest.TestCase): - self._check_script(zip_name, run_name, zip_name, zip_name, '', - zipimport.zipimporter) - -+ @support.fails_in_fips_mode(ImportError) - def test_zipfile_compiled_unchecked_hash(self): - with os_helper.temp_dir() as script_dir: - script_name = _make_test_script(script_dir, '__main__') -diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py -index 9cd92ad..4ec29a1 100644 ---- a/Lib/test/test_compileall.py -+++ b/Lib/test/test_compileall.py -@@ -806,14 +806,23 @@ class CommandLineTestsBase: - out = self.assertRunOK('badfilename') - self.assertRegex(out, b"Can't list 'badfilename'") - -- def test_pyc_invalidation_mode(self): -+ @support.fails_in_fips_mode(AssertionError) -+ def test_pyc_invalidation_mode_checked(self): - script_helper.make_script(self.pkgdir, 'f1', '') - pyc = importlib.util.cache_from_source( - os.path.join(self.pkgdir, 'f1.py')) -+ - self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir) - with open(pyc, 'rb') as fp: - data = fp.read() - self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11) -+ -+ @support.fails_in_fips_mode(AssertionError) -+ def test_pyc_invalidation_mode_unchecked(self): -+ script_helper.make_script(self.pkgdir, 'f1', '') -+ pyc = importlib.util.cache_from_source( -+ os.path.join(self.pkgdir, 'f1.py')) -+ - self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir) - with open(pyc, 'rb') as fp: - data = fp.read() -diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py -index f35adec..62087c6 100644 ---- a/Lib/test/test_importlib/source/test_file_loader.py -+++ b/Lib/test/test_importlib/source/test_file_loader.py -@@ -16,6 +16,7 @@ import types - import unittest - import warnings - -+from test import support - from test.support.import_helper import make_legacy_pyc, unload - - from test.test_py_compile import without_source_date_epoch -@@ -237,6 +238,7 @@ class SimpleTest(abc.LoaderTests): - loader.load_module('bad name') - - @util.writes_bytecode_files -+ @support.fails_in_fips_mode(ImportError) - def test_checked_hash_based_pyc(self): - with util.create_modules('_temp') as mapping: - source = mapping['_temp'] -@@ -268,6 +270,7 @@ class SimpleTest(abc.LoaderTests): - ) - - @util.writes_bytecode_files -+ @support.fails_in_fips_mode(ImportError) - def test_overridden_checked_hash_based_pyc(self): - with util.create_modules('_temp') as mapping, \ - unittest.mock.patch('_imp.check_hash_based_pycs', 'never'): -@@ -293,6 +296,7 @@ class SimpleTest(abc.LoaderTests): - self.assertEqual(mod.state, 'old') - - @util.writes_bytecode_files -+ @support.fails_in_fips_mode(ImportError) - def test_unchecked_hash_based_pyc(self): - with util.create_modules('_temp') as mapping: - source = mapping['_temp'] -@@ -323,6 +327,7 @@ class SimpleTest(abc.LoaderTests): - ) - - @util.writes_bytecode_files -+ @support.fails_in_fips_mode(ImportError) - def test_overridden_unchecked_hash_based_pyc(self): - with util.create_modules('_temp') as mapping, \ - unittest.mock.patch('_imp.check_hash_based_pycs', 'always'): -@@ -432,6 +437,7 @@ class BadBytecodeTest: - del_source=del_source) - test('_temp', mapping, bc_path) - -+ @support.fails_in_fips_mode(ImportError) - def _test_partial_hash(self, test, *, del_source=False): - with util.create_modules('_temp') as mapping: - bc_path = self.manipulate_bytecode( -diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py -index c4e6551..81fd962 100644 ---- a/Lib/test/test_py_compile.py -+++ b/Lib/test/test_py_compile.py -@@ -141,13 +141,16 @@ class PyCompileTestsBase: - importlib.util.cache_from_source(bad_coding))) - - def test_source_date_epoch(self): -+ import _hashlib - py_compile.compile(self.source_path, self.pyc_path) - self.assertTrue(os.path.exists(self.pyc_path)) - self.assertFalse(os.path.exists(self.cache_path)) - with open(self.pyc_path, 'rb') as fp: - flags = importlib._bootstrap_external._classify_pyc( - fp.read(), 'test', {}) -- if os.environ.get('SOURCE_DATE_EPOCH'): -+ if _hashlib.get_fips_mode(): -+ expected_flags = 0b00 -+ elif os.environ.get('SOURCE_DATE_EPOCH'): - expected_flags = 0b11 - else: - expected_flags = 0b00 -@@ -178,7 +181,8 @@ class PyCompileTestsBase: - # Specifying optimized bytecode should lead to a path reflecting that. - self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2)) - -- def test_invalidation_mode(self): -+ @support.fails_in_fips_mode(ImportError) -+ def test_invalidation_mode_checked(self): - py_compile.compile( - self.source_path, - invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH, -@@ -187,6 +191,9 @@ class PyCompileTestsBase: - flags = importlib._bootstrap_external._classify_pyc( - fp.read(), 'test', {}) - self.assertEqual(flags, 0b11) -+ -+ @support.fails_in_fips_mode(ImportError) -+ def test_invalidation_mode_unchecked(self): - py_compile.compile( - self.source_path, - invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH, -diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py -index 14c1971..bcd1466 100644 ---- a/Lib/test/test_zipimport.py -+++ b/Lib/test/test_zipimport.py -@@ -190,6 +190,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase): - TESTMOD + pyc_ext: (NOW, test_pyc)} - self.doTest(pyc_ext, files, TESTMOD) - -+ @support.fails_in_fips_mode(ImportError) - def testUncheckedHashBasedPyc(self): - source = b"state = 'old'" - source_hash = importlib.util.source_hash(source) -@@ -204,6 +205,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase): - self.assertEqual(mod.state, 'old') - self.doTest(None, files, TESTMOD, call=check) - -+ @support.fails_in_fips_mode(ImportError) - @unittest.mock.patch('_imp.check_hash_based_pycs', 'always') - def test_checked_hash_based_change_pyc(self): - source = b"state = 'old'" -diff --git a/Python/import.c b/Python/import.c -index 54232a1..236786b 100644 ---- a/Python/import.c -+++ b/Python/import.c -@@ -3829,6 +3829,26 @@ static PyObject * - _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source) - /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/ - { -+ PyObject *_hashlib = PyImport_ImportModule("_hashlib"); -+ if (_hashlib == NULL) { -+ return NULL; -+ } -+ PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL); -+ Py_DECREF(_hashlib); -+ if (fips_mode_obj == NULL) { -+ return NULL; -+ } -+ int fips_mode = PyObject_IsTrue(fips_mode_obj); -+ Py_DECREF(fips_mode_obj); -+ if (fips_mode < 0) { -+ return NULL; -+ } -+ if (fips_mode) { -+ PyErr_SetString( -+ PyExc_ImportError, -+ "hash-based PYC validation (siphash24) not available in FIPS mode"); -+ return NULL; -+ }; - union { - uint64_t x; - char data[sizeof(uint64_t)]; --- -2.43.0 +2.45.0 diff --git a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch index 5603025..2392a78 100644 --- a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch +++ b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch @@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730 2 files changed, 8 insertions(+), 50 deletions(-) diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py -index 756d5e329f..5d09775efc 100644 +index 2e4b860b97..3066b23ee1 100644 --- a/Lib/test/test_threading.py +++ b/Lib/test/test_threading.py -@@ -1007,39 +1007,6 @@ def noop(): pass +@@ -1100,39 +1100,6 @@ def noop(): pass threading.Thread(target=noop).start() # Thread.join() is not called @@ -56,14 +56,14 @@ index 756d5e329f..5d09775efc 100644 - self.assertEqual(out, b'') - self.assertEqual(err, b'') - - def test_start_new_thread_at_exit(self): + def test_start_new_thread_at_finalization(self): code = """if 1: - import atexit + import _thread diff --git a/Lib/threading.py b/Lib/threading.py -index 8dcaf8ca6a..ed0b0f4632 100644 +index 98cb43c697..ee647f8549 100644 --- a/Lib/threading.py +++ b/Lib/threading.py -@@ -1586,29 +1586,20 @@ def _shutdown(): +@@ -1585,29 +1585,20 @@ def _shutdown(): global _SHUTTING_DOWN _SHUTTING_DOWN = True diff --git a/SOURCES/00397-tarfile-filter.patch b/SOURCES/00397-tarfile-filter.patch index 3ef4d59..3ead891 100644 --- a/SOURCES/00397-tarfile-filter.patch +++ b/SOURCES/00397-tarfile-filter.patch @@ -235,9 +235,9 @@ index c5fc76d..397e334 100644 + self.check_trusted_default(tar, tempdir) + + - def setUpModule(): - os_helper.unlink(TEMPDIR) - os.makedirs(TEMPDIR) + class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + testdir = os.path.join(TEMPDIR, "testoverwrite") + -- 2.43.0 diff --git a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch index e77ddd8..192c8b7 100644 --- a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch +++ b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch @@ -72,7 +72,7 @@ index 345b64001c..d693a9bc39 100644 .. function:: parsedate(date) diff --git a/Lib/email/utils.py b/Lib/email/utils.py -index 81da5394ea..43c3627fca 100644 +index aa949aa933..af2fb14754 100644 --- a/Lib/email/utils.py +++ b/Lib/email/utils.py @@ -48,6 +48,7 @@ @@ -81,7 +81,7 @@ index 81da5394ea..43c3627fca 100644 + def _has_surrogates(s): - """Return True if s contains surrogate-escaped binary data.""" + """Return True if s may contain surrogate-escaped binary data.""" # This check is based on the fact that unless there are surrogates, utf8 @@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'): return address @@ -255,7 +255,7 @@ index 81da5394ea..43c3627fca 100644 diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py -index 2a237095b9..4672b790d8 100644 +index a373c53c7c..c616398eb1 100644 --- a/Lib/test/test_email/test_email.py +++ b/Lib/test/test_email/test_email.py @@ -16,6 +16,7 @@ @@ -266,7 +266,7 @@ index 2a237095b9..4672b790d8 100644 from email.charset import Charset from email.generator import Generator, DecodedGenerator, BytesGenerator -@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self): +@@ -3352,15 +3353,137 @@ def test_getaddresses_comma_in_name(self): ], ) @@ -412,7 +412,7 @@ index 2a237095b9..4672b790d8 100644 def test_getaddresses_embedded_comment(self): """Test proper handling of a nested comment""" -@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self): +@@ -3551,6 +3674,54 @@ def test_mime_classes_policy_argument(self): m = cls(*constructor, policy=email.policy.default) self.assertIs(m.policy, email.policy.default) diff --git a/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch b/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch new file mode 100644 index 0000000..59637d8 --- /dev/null +++ b/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch @@ -0,0 +1,63 @@ +From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 3 May 2024 14:17:48 +0200 +Subject: [PATCH] Expect failures in tests not working properly with expat with + a fixed CVE in RHEL + +--- + Lib/test/test_pyexpat.py | 1 + + Lib/test/test_sax.py | 1 + + Lib/test/test_xml_etree.py | 3 +++ + 3 files changed, 5 insertions(+) + +diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py +index 43cbd27..27b1502 100644 +--- a/Lib/test/test_pyexpat.py ++++ b/Lib/test/test_pyexpat.py +@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase): + + self.assertEqual(started, ['doc']) + ++ @unittest.expectedFailure + def test_reparse_deferral_disabled(self): + started = [] + +diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py +index 9b3014a..646c92d 100644 +--- a/Lib/test/test_sax.py ++++ b/Lib/test/test_sax.py +@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase): + + self.assertEqual(result.getvalue(), start + b"") + ++ @unittest.expectedFailure + def test_flush_reparse_deferral_disabled(self): + result = BytesIO() + xmlgen = XMLGenerator(result) +diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py +index 9c382d1..62f2871 100644 +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase): + self.assert_event_tags(parser, [('end', 'root')]) + self.assertIsNone(parser.close()) + ++ @unittest.expectedFailure + def test_simple_xml_chunk_1(self): + self.test_simple_xml(chunk_size=1, flush=True) + ++ @unittest.expectedFailure + def test_simple_xml_chunk_5(self): + self.test_simple_xml(chunk_size=5, flush=True) + +@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase): + + self.assert_event_tags(parser, [('end', 'doc')]) + ++ @unittest.expectedFailure + def test_flush_reparse_deferral_disabled(self): + parser = ET.XMLPullParser(events=('start', 'end')) + +-- +2.44.0 + diff --git a/SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch b/SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch new file mode 100644 index 0000000..ea2df3a --- /dev/null +++ b/SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch @@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Karolina Surma +Date: Wed, 10 Apr 2024 15:35:04 +0200 +Subject: [PATCH] 00425: Only check for 'test/wheeldata' when it's actually + used + +We build Python in Fedora 39+ with option `--with-wheel-pkg-dir` +pointing to a custom wheel directory and delete the contents of +upstream's `test/wheeldata`. Don't include the directory in the test set +if the wheels are used from a different location. +--- + Lib/test/test_tools/test_makefile.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Lib/test/test_tools/test_makefile.py b/Lib/test/test_tools/test_makefile.py +index 17a1a6d0d3..9ce874033d 100644 +--- a/Lib/test/test_tools/test_makefile.py ++++ b/Lib/test/test_tools/test_makefile.py +@@ -66,6 +66,9 @@ def test_makefile_test_folders(self): + ) + used.append(relpath) + ++ if sysconfig.get_config_var('WHEEL_PKG_DIR'): ++ test_dirs.remove('test/wheeldata') ++ + # Check that there are no extra entries: + unique_test_dirs = set(test_dirs) + self.assertSetEqual(unique_test_dirs, set(used)) diff --git a/SOURCES/Python-3.12.1.tar.xz.asc b/SOURCES/Python-3.12.1.tar.xz.asc deleted file mode 100644 index e695d62..0000000 --- a/SOURCES/Python-3.12.1.tar.xz.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmVyMspfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx -Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6 -YwWv5w/+JlGtfy+x+6mtauH1uOkt7n9PMQou1LcthDs5s41wuwjO7RbwnmJD6aDk -DqwLHheoq6Kjbl6PF1kG2T8ZbHkMudhnc5yH4eQG52IGNQ6evilxoC6AyhVg8ANi -+u6Juh9r2Hjz/LDWFB4hzwcOBKy0jYw98+A0uMvpPd2bmdFMBLQE0GTZCdrRsGYs -q0oysUX7uCJBfINp7XwiVGAK/6ma0nrr0A1ho6LCau+VGkDnJZdKZgIMyyxp6qL1 -7tMjb3LUpV3FWp57L2za59TaayApNf5BlanC+de6oKEhEJ8oEFyWxOx2GmXHZwch -ucj7Z1dxuI7fjNVkEvZ+JuheLGtB9mAmUZslXgUJf5wo49bCo9E4/ZlIFQk7VJR3 -Bm9VlQb5mMydB8QJbMy/BpgNjgKmEvBTnir37prJpUV/TL1YZT0eZ5JxCnlUIL/F -6cOzAE3zHPnvHcyHhKV3q5CoONdBtB3RWgS66m4eMneuWoNKaoEbO5IDxtKvCd1J -AKLmzCB0/KCWVUIYBTfJ8ytBVQA0Z2w8CZ7SC8asX4DocDCvxim1sQg5s8c4mzh+ -1JVbyqqEmf9m74Mqby0vICC6UVvgaPyiOxTphtRXLIYHUscLVn5+586RMYnM9nP4 -nEK+H/fq6Rcp1XEtIPzCG4IPUAYnuDLjbGQegltpKV/SAYn+DGg= -=dCpy ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.12.3.tar.xz.asc b/SOURCES/Python-3.12.3.tar.xz.asc new file mode 100644 index 0000000..a8f084e --- /dev/null +++ b/SOURCES/Python-3.12.3.tar.xz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmYVDdNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx +Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6 +YwU8Vg//aP8bxzPTDIM9Af1LLJj5LNLIuZOl5QysWQVbakoCpS8Z8ZiK3LyzGi7H +pQ5uJEnRjhULnOi+va2TPBDqiYvY1CkVizYzmUe1dMtzHdJUBE1TzybfON02JzPD +62oDHxUC1hvITyLE8tjnsgBuP9bbYYHnS+qqmDgBWS1M60i4bqcBiSdlWZp7ZTI4 +KIxIy9eyNujHnNQrQQ1oqIoj7ty1Hrtkfqia/3cVq7rkQT8HecBIW0K82WuIXizm +/Ua/TQslTJsypslFYpoJBoIkWG2nk7RhJvfU5iLxQHen6cr7JOUo/u3jv0DIJyJs +LdBWG6noTIiqKJb65UswLUxexM5f3Y7gLEZ4FCqlbAOAPG16xwwC8Xd7LIF33cHK +133BvYCkwdl0MCpmsQuxi8i6Kql0MaEqJ9MEj6UN66ZJVpRx8hOm2FtZGhn5ZNxx +r5C2zXGw/IjXeS01wgD8cSRVA0XJdN4bu88vmvhqMuezg3CDF5bX85isoFUaLUjS +c5Lv1HNrqPiaWHOctnvzasy0djpwze+WCzsXFMI6VfejPpYwNlhmnxS7i3R9A4RK +gBwViMd5q5rwx365tCfRfGcBW6OOvrHZalhSGYmUw13sBarFliW9CvN4ghN9kWbN +YQwSggf5KD6v5mAAyReMrOJTyBG6B5hMlxKai5CzbRLlG25T2wI= +=ZQxz +-----END PGP SIGNATURE----- diff --git a/SPECS/python3.12.spec b/SPECS/python3.12.spec index 5ce84bd..1b6886d 100644 --- a/SPECS/python3.12.spec +++ b/SPECS/python3.12.spec @@ -16,12 +16,12 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.1 +%global general_version %{pybasever}.3 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 4%{?dist} -License: Python +Release: 2%{?dist} +License: Python-2.0.1 # ================================== @@ -65,18 +65,18 @@ License: Python # If the rpmwheels condition is disabled, we use the bundled wheel packages # from Python with the versions below. # This needs to be manually updated when we update Python. -%global pip_version 23.2.1 +%global pip_version 24.0 %global setuptools_version 67.6.1 %global wheel_version 0.40.0 # All of those also include a list of indirect bundled libs: # pip # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) %global pip_bundled_provides %{expand: -Provides: bundled(python3dist(cachecontrol)) = 0.12.11 -Provides: bundled(python3dist(certifi)) = 2023.5.7 +Provides: bundled(python3dist(cachecontrol)) = 0.13.1 +Provides: bundled(python3dist(certifi)) = 2023.7.22 Provides: bundled(python3dist(chardet)) = 5.1 Provides: bundled(python3dist(colorama)) = 0.4.6 -Provides: bundled(python3dist(distlib)) = 0.3.6 +Provides: bundled(python3dist(distlib)) = 0.3.8 Provides: bundled(python3dist(distro)) = 1.8 Provides: bundled(python3dist(idna)) = 3.4 Provides: bundled(python3dist(msgpack)) = 1.0.5 @@ -92,8 +92,9 @@ Provides: bundled(python3dist(setuptools)) = 68 Provides: bundled(python3dist(six)) = 1.16 Provides: bundled(python3dist(tenacity)) = 8.2.2 Provides: bundled(python3dist(tomli)) = 2.0.1 +Provides: bundled(python3dist(truststore)) = 0.8 Provides: bundled(python3dist(typing-extensions)) = 4.7.1 -Provides: bundled(python3dist(urllib3)) = 1.26.16 +Provides: bundled(python3dist(urllib3)) = 1.26.17 Provides: bundled(python3dist(webencodings)) = 0.5.1 } # setuptools @@ -115,7 +116,7 @@ Provides: bundled(python3dist(typing-extensions)) = 4.4 Provides: bundled(python3dist(zipp)) = 3.7 } # wheel -# $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt) +# $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt) %global wheel_bundled_provides %{expand: Provides: bundled(python3dist(packaging)) = 23 } @@ -389,6 +390,22 @@ Patch397: 00397-tarfile-filter.patch # Thomas Dwyer. Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch +# 00422 # a353cebef737c41420dc7ae2469dd657371b8881 +# Fix tests for XMLPullParser with Expat 2.6.0 +# +# Feeding the parser by too small chunks defers parsing to prevent +# CVE-2023-52425. Future versions of Expat may be more reactive. +Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch + +# 00425 # a563ac3076a00f0f48b3f94ff63d91d37cb4f1e9 +# Only check for 'test/wheeldata' when it's actually used +# +# We build Python in Fedora 39+ with option `--with-wheel-pkg-dir` +# pointing to a custom wheel directory and delete the contents of +# upstream's `test/wheeldata`. Don't include the directory in the test set +# if the wheels are used from a different location. +Patch425: 00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -755,8 +772,8 @@ If you want to build an RPM against the python%{pyshortver} module, you need to %if %{with rpmwheels} rm Lib/ensurepip/_bundled/pip-%{pip_version}-py3-none-any.whl -rm Lib/test/setuptools-%{setuptools_version}-py3-none-any.whl -rm Lib/test/wheel-%{wheel_version}-py3-none-any.whl +rm Lib/test/wheeldata/setuptools-%{setuptools_version}-py3-none-any.whl +rm Lib/test/wheeldata/wheel-%{wheel_version}-py3-none-any.whl %endif # Remove all exe files to ensure we are not shipping prebuilt binaries @@ -1517,10 +1534,6 @@ fi %{dynload_dir}/termios.%{SOABI_optimized}.so %{dynload_dir}/unicodedata.%{SOABI_optimized}.so %{dynload_dir}/_uuid.%{SOABI_optimized}.so -%{dynload_dir}/xxlimited.%{SOABI_optimized}.so -%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so -%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so -%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so %{dynload_dir}/zlib.%{SOABI_optimized}.so %{dynload_dir}/_zoneinfo.%{SOABI_optimized}.so @@ -1621,12 +1634,6 @@ fi %{pylibdir}/zoneinfo -%dir %{pylibdir}/__phello__/ -%dir %{pylibdir}/__phello__/__pycache__/ -%{pylibdir}/__phello__/__init__.py -%{pylibdir}/__phello__/spam.py -%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes} - %if "%{_lib}" == "lib64" %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever} %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages @@ -1726,7 +1733,17 @@ fi %{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so %{dynload_dir}/_testsinglephase.%{SOABI_optimized}.so %{dynload_dir}/_xxinterpchannels.%{SOABI_optimized}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so +%{dynload_dir}/xxlimited.%{SOABI_optimized}.so +%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so +%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so + +%dir %{pylibdir}/__phello__/ +%dir %{pylibdir}/__phello__/__pycache__/ +%{pylibdir}/__phello__/__init__.py +%{pylibdir}/__phello__/spam.py +%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes} # We don't bother splitting the debug build out into further subpackages: # if you need it, you're probably a developer. @@ -1808,10 +1825,6 @@ fi %{dynload_dir}/termios.%{SOABI_debug}.so %{dynload_dir}/unicodedata.%{SOABI_debug}.so %{dynload_dir}/_uuid.%{SOABI_debug}.so -%{dynload_dir}/xxlimited.%{SOABI_debug}.so -%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so -%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so -%{dynload_dir}/xxsubtype.%{SOABI_debug}.so %{dynload_dir}/zlib.%{SOABI_debug}.so %{dynload_dir}/_zoneinfo.%{SOABI_debug}.so @@ -1848,7 +1861,11 @@ fi %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so %{dynload_dir}/_testsinglephase.%{SOABI_debug}.so %{dynload_dir}/_xxinterpchannels.%{SOABI_debug}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so +%{dynload_dir}/xxlimited.%{SOABI_debug}.so +%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so +%{dynload_dir}/xxsubtype.%{SOABI_debug}.so %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes} @@ -1876,6 +1893,29 @@ fi # ====================================================== %changelog +* Tue Jun 11 2024 Charalampos Stratakis - 3.12.3-2 +- Enable importing of hash-based .pyc files under FIPS mode +Resolves: RHEL-40776 + +* Fri May 03 2024 Lumír Balhar - 3.12.3-1 +- Update to 3.12.3 +Related: RHEL-33685 + +* Fri May 03 2024 Lumír Balhar - 3.12.2-3 +- Move all test modules to the python3-test package, namely: + - __phello__ + - _xxsubinterpreters + - xxlimited + - xxlimited_35 + - xxsubtype + +* Fri May 03 2024 Lumír Balhar - 3.12.2-2 +- Fix tests for XMLPullParser with Expat with fixed CVE + +* Fri May 03 2024 Lumír Balhar - 3.12.2-1 +- Update to 3.12.2 +Resolves: RHEL-33685 + * Mon Feb 19 2024 Charalampos Stratakis - 3.12.1-4 - Add Red Hat configuration for CVE-2007-4559