Update to 3.12.4
Resolves: RHEL-44103
This commit is contained in:
parent
a1ecc4406e
commit
2aa39aaa1f
@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
|
||||
3 files changed, 71 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Lib/site.py b/Lib/site.py
|
||||
index 924b2460d9..51b5baca93 100644
|
||||
index 924cfbecec..e2871ecc89 100644
|
||||
--- a/Lib/site.py
|
||||
+++ b/Lib/site.py
|
||||
@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None):
|
||||
@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None):
|
||||
return sitepackages
|
||||
|
||||
def addsitepackages(known_paths, prefixes=None):
|
||||
|
@ -1,19 +1,24 @@
|
||||
From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001
|
||||
From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Mon, 6 Mar 2023 17:24:24 +0100
|
||||
Date: Tue, 2 Jul 2024 11:40:37 +0200
|
||||
Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
|
||||
(downstream)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add and test RHEL-specific ways of configuring the default behavior: environment
|
||||
variable and config file.
|
||||
|
||||
Co-Authored-By: Tomáš Hrnčiar <thrnciar@redhat.com>
|
||||
---
|
||||
Lib/tarfile.py | 47 +++++++++++++--
|
||||
Lib/tarfile.py | 47 +++++++++++--
|
||||
Lib/test/test_shutil.py | 2 +-
|
||||
Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++-
|
||||
3 files changed, 163 insertions(+), 9 deletions(-)
|
||||
Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++--
|
||||
3 files changed, 185 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
|
||||
index 02f5e3b..f7109f3 100755
|
||||
index e1487e3..89b6843 100755
|
||||
--- a/Lib/tarfile.py
|
||||
+++ b/Lib/tarfile.py
|
||||
@@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
|
||||
@ -30,7 +35,7 @@ index 02f5e3b..f7109f3 100755
|
||||
|
||||
#---------------------------------------------------------
|
||||
# tar constants
|
||||
@@ -2217,11 +2224,41 @@ class TarFile(object):
|
||||
@@ -2218,11 +2225,41 @@ class TarFile(object):
|
||||
if filter is None:
|
||||
filter = self.extraction_filter
|
||||
if filter is None:
|
||||
@ -38,7 +43,7 @@ index 02f5e3b..f7109f3 100755
|
||||
- 'Python 3.14 will, by default, filter extracted tar '
|
||||
- + 'archives and reject files or modify their metadata. '
|
||||
- + 'Use the filter argument to control this behavior.',
|
||||
- DeprecationWarning)
|
||||
- DeprecationWarning, stacklevel=3)
|
||||
+ name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
|
||||
+ if name is None:
|
||||
+ try:
|
||||
@ -72,16 +77,16 @@ index 02f5e3b..f7109f3 100755
|
||||
+ + 'and some mode bits are cleared. '
|
||||
+ + 'See https://access.redhat.com/articles/7004769 '
|
||||
+ + 'for more details.',
|
||||
+ RuntimeWarning)
|
||||
+ RuntimeWarning, stacklevel=3)
|
||||
+ return tar_filter
|
||||
return fully_trusted_filter
|
||||
if isinstance(filter, str):
|
||||
raise TypeError(
|
||||
diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
|
||||
index 5fd8fb4..501da8f 100644
|
||||
index 7bc5d12..88b4bdb 100644
|
||||
--- a/Lib/test/test_shutil.py
|
||||
+++ b/Lib/test/test_shutil.py
|
||||
@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase):
|
||||
@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase):
|
||||
self.check_unpack_archive(format, filter='fully_trusted')
|
||||
self.check_unpack_archive(format, filter='data')
|
||||
with warnings_helper.check_warnings(
|
||||
@ -91,10 +96,48 @@ index 5fd8fb4..501da8f 100644
|
||||
|
||||
def test_unpack_archive_tar(self):
|
||||
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
|
||||
index c5fc76d..397e334 100644
|
||||
index 3fbd25e..9aa727e 100644
|
||||
--- a/Lib/test/test_tarfile.py
|
||||
+++ b/Lib/test/test_tarfile.py
|
||||
@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest):
|
||||
@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest):
|
||||
tarfile.open(tarname, encoding="iso8859-1") as tar
|
||||
):
|
||||
directories = [t for t in tar if t.isdir()]
|
||||
- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
|
||||
+ with self.assertWarnsRegex(
|
||||
+ RuntimeWarning,
|
||||
+ re.escape(
|
||||
+ 'The default behavior of tarfile extraction has been '
|
||||
+ 'changed to disallow common exploits '
|
||||
+ '(including CVE-2007-4559). '
|
||||
+ 'By default, absolute/parent paths are disallowed '
|
||||
+ 'and some mode bits are cleared. '
|
||||
+ 'See https://access.redhat.com/articles/7004769 '
|
||||
+ 'for more details.'
|
||||
+ )) as cm:
|
||||
tar.extractall(DIR, directories)
|
||||
# check that the stacklevel of the deprecation warning is correct:
|
||||
self.assertEqual(cm.filename, __file__)
|
||||
@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest):
|
||||
tarfile.open(tarname, encoding="iso8859-1") as tar
|
||||
):
|
||||
tarinfo = tar.getmember(dirtype)
|
||||
- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
|
||||
+ with self.assertWarnsRegex(
|
||||
+ RuntimeWarning,
|
||||
+ re.escape(
|
||||
+ 'The default behavior of tarfile extraction has been '
|
||||
+ 'changed to disallow common exploits '
|
||||
+ '(including CVE-2007-4559). '
|
||||
+ 'By default, absolute/parent paths are disallowed '
|
||||
+ 'and some mode bits are cleared. '
|
||||
+ 'See https://access.redhat.com/articles/7004769 '
|
||||
+ 'for more details.'
|
||||
+ )) as cm:
|
||||
tar.extract(tarinfo, path=DIR)
|
||||
# check that the stacklevel of the deprecation warning is correct:
|
||||
self.assertEqual(cm.filename, __file__)
|
||||
@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest):
|
||||
tar.errorlevel = 0
|
||||
with ExitStack() as cm:
|
||||
if cls.extraction_filter is None:
|
||||
@ -105,7 +148,7 @@ index c5fc76d..397e334 100644
|
||||
tar.extractall(cls.control_dir, filter=cls.extraction_filter)
|
||||
tar.close()
|
||||
cls.control_paths = set(
|
||||
@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase):
|
||||
@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase):
|
||||
with ArchiveMaker() as arc:
|
||||
arc.add('foo')
|
||||
with warnings_helper.check_warnings(
|
||||
@ -114,7 +157,7 @@ index c5fc76d..397e334 100644
|
||||
with self.check_context(arc.open(), None):
|
||||
self.expect_file('foo')
|
||||
|
||||
@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase):
|
||||
@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase):
|
||||
self.expect_exception(TypeError) # errorlevel is not int
|
||||
|
||||
|
||||
@ -239,5 +282,5 @@ index c5fc76d..397e334 100644
|
||||
testdir = os.path.join(TEMPDIR, "testoverwrite")
|
||||
|
||||
--
|
||||
2.43.0
|
||||
2.44.0
|
||||
|
||||
|
@ -19,7 +19,7 @@ Co-Authored-By: Thomas Dwyer <github@tomd.tel>
|
||||
create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
|
||||
|
||||
diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
|
||||
index 345b64001c..d693a9bc39 100644
|
||||
index 092bfa8146..6f0bed130b 100644
|
||||
--- a/Doc/library/email.utils.rst
|
||||
+++ b/Doc/library/email.utils.rst
|
||||
@@ -58,13 +58,18 @@ of the new API.
|
||||
@ -255,7 +255,7 @@ index aa949aa933..af2fb14754 100644
|
||||
|
||||
|
||||
diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
|
||||
index a373c53c7c..c616398eb1 100644
|
||||
index fc8d87974e..ef8aa0d53c 100644
|
||||
--- a/Lib/test/test_email/test_email.py
|
||||
+++ b/Lib/test/test_email/test_email.py
|
||||
@@ -16,6 +16,7 @@
|
||||
|
@ -1,28 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Karolina Surma <ksurma@redhat.com>
|
||||
Date: Wed, 10 Apr 2024 15:35:04 +0200
|
||||
Subject: [PATCH] 00425: Only check for 'test/wheeldata' when it's actually
|
||||
used
|
||||
|
||||
We build Python in Fedora 39+ with option `--with-wheel-pkg-dir`
|
||||
pointing to a custom wheel directory and delete the contents of
|
||||
upstream's `test/wheeldata`. Don't include the directory in the test set
|
||||
if the wheels are used from a different location.
|
||||
---
|
||||
Lib/test/test_tools/test_makefile.py | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/Lib/test/test_tools/test_makefile.py b/Lib/test/test_tools/test_makefile.py
|
||||
index 17a1a6d0d3..9ce874033d 100644
|
||||
--- a/Lib/test/test_tools/test_makefile.py
|
||||
+++ b/Lib/test/test_tools/test_makefile.py
|
||||
@@ -66,6 +66,9 @@ def test_makefile_test_folders(self):
|
||||
)
|
||||
used.append(relpath)
|
||||
|
||||
+ if sysconfig.get_config_var('WHEEL_PKG_DIR'):
|
||||
+ test_dirs.remove('test/wheeldata')
|
||||
+
|
||||
# Check that there are no extra entries:
|
||||
unique_test_dirs = set(test_dirs)
|
||||
self.assertSetEqual(unique_test_dirs, set(used))
|
@ -16,11 +16,11 @@ URL: https://www.python.org/
|
||||
|
||||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
%global general_version %{pybasever}.3
|
||||
%global general_version %{pybasever}.4
|
||||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 2%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: Python-2.0.1
|
||||
|
||||
|
||||
@ -393,15 +393,6 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
|
||||
# CVE-2023-52425. Future versions of Expat may be more reactive.
|
||||
Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
|
||||
|
||||
# 00425 # a563ac3076a00f0f48b3f94ff63d91d37cb4f1e9
|
||||
# Only check for 'test/wheeldata' when it's actually used
|
||||
#
|
||||
# We build Python in Fedora 39+ with option `--with-wheel-pkg-dir`
|
||||
# pointing to a custom wheel directory and delete the contents of
|
||||
# upstream's `test/wheeldata`. Don't include the directory in the test set
|
||||
# if the wheels are used from a different location.
|
||||
Patch425: 00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
@ -1713,6 +1704,10 @@ CheckPython optimized
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Fri Jun 28 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.4-1
|
||||
- Update to 3.12.4
|
||||
Resolves: RHEL-44103
|
||||
|
||||
* Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.3-2
|
||||
- Enable importing of hash-based .pyc files under FIPS mode
|
||||
Resolves: RHEL-40772
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (Python-3.12.3.tar.xz) = 4a2213b108e7f1f1525baa8348e68b2a2336d925e60d0a59f0225fc470768a2c8031edafc0b8243f94dbae18afda335ee5adf2785328c2218fd64cbb439f13a4
|
||||
SHA512 (Python-3.12.3.tar.xz.asc) = c291ec5b5e4f8deba867cc517624dd9a174745f04061ef737e58f3d52b9b30318264aec350e339fe88ccb493809ca1a90a378e86d86b8ec4a4f578b1a5843624
|
||||
SHA512 (Python-3.12.4.tar.xz) = 750132ee6369196096130a924f4ddb78b9a55804133e5d136a70b9280928822974d1aa559d844486df02e89155fb0d8117871e1ac532abc18174309ca4b08369
|
||||
SHA512 (Python-3.12.4.tar.xz.asc) = 1102b17f395e0ec5de5368d04a4dceb8cc98dd408b68b53998071cf129eb9a6c259316a416128f1dfa37a739f86e599507502a98430348da2272442ce1b7059e
|
||||
|
Loading…
Reference in New Issue
Block a user