Fix tests for XMLPullParser with Expat with fixed CVE

2024-05-03 13:25:28 +02:00 · 2024-05-03 13:25:28 +02:00 · 3d6c7f0451
parent d33666c7bb
commit 3d6c7f0451
2 changed files with 99 additions and 1 deletions
--- a/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+++ b/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
@ -0,0 +1,88 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Sun, 11 Feb 2024 12:08:39 +0200
+Subject: [PATCH] 00422: gh-115133: Fix tests for XMLPullParser with Expat
+ 2.6.0
+
+Feeding the parser by too small chunks defers parsing to prevent
+CVE-2023-52425. Future versions of Expat may be more reactive.
+
+(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
+---
+ Lib/test/test_xml_etree.py                    | 58 ++++++++++++-------
+ ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst |  2 +
+ 2 files changed, 38 insertions(+), 22 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index b50898f1d1..6fb888cb21 100644
+--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
+@@ -1400,28 +1400,37 @@ class XMLPullParserTest(unittest.TestCase):
+         self.assertEqual([(action, elem.tag) for action, elem in events],
+                          expected)
+ 
+-    def test_simple_xml(self):
+-        for chunk_size in (None, 1, 5):
+-            with self.subTest(chunk_size=chunk_size):
+-                parser = ET.XMLPullParser()
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser, "<!-- comment -->\n", chunk_size)
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser,
+-                           "<root>\n  <element key='value'>text</element",
+-                           chunk_size)
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser, ">\n", chunk_size)
+-                self.assert_event_tags(parser, [('end', 'element')])
+-                self._feed(parser, "<element>text</element>tail\n", chunk_size)
+-                self._feed(parser, "<empty-element/>\n", chunk_size)
+-                self.assert_event_tags(parser, [
+-                    ('end', 'element'),
+-                    ('end', 'empty-element'),
+-                    ])
+-                self._feed(parser, "</root>\n", chunk_size)
+-                self.assert_event_tags(parser, [('end', 'root')])
+-                self.assertIsNone(parser.close())
+    def test_simple_xml(self, chunk_size=None):
+        parser = ET.XMLPullParser()
+        self.assert_event_tags(parser, [])
+        self._feed(parser, "<!-- comment -->\n", chunk_size)
+        self.assert_event_tags(parser, [])
+        self._feed(parser,
+                   "<root>\n  <element key='value'>text</element",
+                   chunk_size)
+        self.assert_event_tags(parser, [])
+        self._feed(parser, ">\n", chunk_size)
+        self.assert_event_tags(parser, [('end', 'element')])
+        self._feed(parser, "<element>text</element>tail\n", chunk_size)
+        self._feed(parser, "<empty-element/>\n", chunk_size)
+        self.assert_event_tags(parser, [
+            ('end', 'element'),
+            ('end', 'empty-element'),
+            ])
+        self._feed(parser, "</root>\n", chunk_size)
+        self.assert_event_tags(parser, [('end', 'root')])
+        self.assertIsNone(parser.close())
+
+    @unittest.expectedFailure
+    def test_simple_xml_chunk_1(self):
+        self.test_simple_xml(chunk_size=1)
+
+    @unittest.expectedFailure
+    def test_simple_xml_chunk_5(self):
+        self.test_simple_xml(chunk_size=5)
+
+    def test_simple_xml_chunk_22(self):
+        self.test_simple_xml(chunk_size=22)
+ 
+     def test_feed_while_iterating(self):
+         parser = ET.XMLPullParser()
+diff --git a/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+new file mode 100644
+index 0000000000..6f1015235c
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+@@ -0,0 +1,2 @@
+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat
+2.6.0.
--- a/python3.12.spec
+++ b/python3.12.spec
@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python-2.0.1


@ -396,6 +396,13 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
 # and https://github.com/python/cpython/issues/114244
 Patch418: 00418-don-t-generate-sbom-in-make-regen-all.patch

+# 00422 # a353cebef737c41420dc7ae2469dd657371b8881
+# gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
+#
+# Feeding the parser by too small chunks defers parsing to prevent
+# CVE-2023-52425. Future versions of Expat may be more reactive.
+Patch422: 00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1707,6 +1714,9 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-2
+- Fix tests for XMLPullParser with Expat with fixed CVE
+
 * Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-1
 - Update to 3.12.2
 Resolves: RHEL-33690