From a3bab2af211f1f277b5ab693e27d8bf0479e3ca6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?=
Date: Wed, 7 Aug 2024 17:00:50 +0200
Subject: [PATCH] Update to 3.12.5

Security fix for CVE-2024-6923

Removed patch 323 due to being upstreamed

Resolves: RHEL-53036
---
 00323-static-analysis-fixes.patch | 216 ------------------
 ...or-the-main-thread-gh-28549-gh-28589.patch | 4 +-
 ...-addresses-in-email-parseaddr-111116.patch | 4 +-
 python3.12.spec | 51 ++---
 sources | 4 +-
 5 files changed, 28 insertions(+), 251 deletions(-)
 delete mode 100644 00323-static-analysis-fixes.patch

diff --git a/00323-static-analysis-fixes.patch b/00323-static-analysis-fixes.patch
deleted file mode 100644
index 00610f5..0000000
--- a/00323-static-analysis-fixes.patch
+++ /dev/null
@@ -1,216 +0,0 @@ -From 833c91e1cb9219937c15b6c913e540e7aae07168 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Wed, 12 Jun 2024 15:57:45 +0200 -Subject: [PATCH 1/5] gh-120155: Add assertion to sre.c match_getindex() - (GH-120402) (#120410) - -gh-120155: Add assertion to sre.c match_getindex() (GH-120402) - -Add an assertion to help static analyzers to detect that i*2 cannot -overflow. -(cherry picked from commit 42b25dd61ff3593795c4cc2ffe876ab766098b24) - -Co-authored-by: Victor Stinner ---- - Modules/_sre/sre.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/Modules/_sre/sre.c b/Modules/_sre/sre.c -index 0547390..59a5b11 100644 ---- a/Modules/_sre/sre.c -+++ b/Modules/_sre/sre.c -@@ -2166,6 +2166,8 @@ match_getindex(MatchObject* self, PyObject* index) - return -1; - } - -+ // Check that i*2 cannot overflow to make static analyzers happy -+ assert(i <= SRE_MAXGROUPS); - return i; - } - --- -2.45.2 - - -From eedc88971887bea9f37eab8bb8a1af6f650f88d8 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Fri, 7 Jun 2024 18:26:03 +0200 -Subject: [PATCH 2/5] gh-120155: Fix copy/paste error in - HAVE_SUBOFFSETS_IN_LAST_DIM() (GH-120228) (#120240) - -gh-120155: Fix copy/paste error in HAVE_SUBOFFSETS_IN_LAST_DIM() (GH-120228) - -Don't hardcode 'dest' in HAVE_SUBOFFSETS_IN_LAST_DIM() macro of -memoryobject.c, but use its 'view' parameter instead. - -Fix the Coverity issue: - -Error: COPY_PASTE_ERROR (CWE-398): -Python-3.12.2/Objects/memoryobject.c:273:14: original: ""dest->suboffsets + (dest->ndim - 1)"" looks like the original copy. -Python-3.12.2/Objects/memoryobject.c:274:14: copy_paste_error: ""dest"" in ""src->suboffsets + (dest->ndim - 1)"" looks like a copy-paste error. -Python-3.12.2/Objects/memoryobject.c:274:14: remediation: Should it say ""src"" instead? 
-GH- 272| assert(dest->ndim > 0 && src->ndim > 0); -GH- 273| return (!HAVE_SUBOFFSETS_IN_LAST_DIM(dest) && -GH- 274|-> !HAVE_SUBOFFSETS_IN_LAST_DIM(src) && -GH- 275| dest->strides[dest->ndim-1] == dest->itemsize && -GH- 276| src->strides[src->ndim-1] == src->itemsize); -(cherry picked from commit 90b75405260467814c93738a3325645918d4ea51) - -Co-authored-by: Victor Stinner ---- - Objects/memoryobject.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Objects/memoryobject.c b/Objects/memoryobject.c -index b016804..3c88859 100644 ---- a/Objects/memoryobject.c -+++ b/Objects/memoryobject.c -@@ -264,7 +264,7 @@ PyTypeObject _PyManagedBuffer_Type = { - /* Assumptions: ndim >= 1. The macro tests for a corner case that should - perhaps be explicitly forbidden in the PEP. */ - #define HAVE_SUBOFFSETS_IN_LAST_DIM(view) \ -- (view->suboffsets && view->suboffsets[dest->ndim-1] >= 0) -+ (view->suboffsets && view->suboffsets[view->ndim-1] >= 0) - - static inline int - last_dim_is_contiguous(const Py_buffer *dest, const Py_buffer *src) --- -2.45.2 - - -From d8eaaecbc2823a5d093248467a13111c1f821889 Mon Sep 17 00:00:00 2001 -From: Victor Stinner -Date: Fri, 7 Jun 2024 17:17:06 +0200 -Subject: [PATCH 3/5] gh-120155: Fix optimize_and_assemble_code_unit() error - handling (#120231) - -gh-120155: Fix optimize_and_assemble_code_unit() error handling - -Don't use 'g' before it's being initialized: don't use the 'error' -label if consts_dict_keys_inorder() failed. - -Fix the Coverity issue: - -Error: UNINIT (CWE-457): -Python-3.12.2/Python/compile.c:7670:5: skipped_decl: Jumping over declaration of ""g"". -Python-3.12.2/Python/compile.c:7714:5: uninit_use_in_call: Using uninitialized value ""g.g_block_list"" when calling ""_PyCfgBuilder_Fini"". -Python-3.12.2/Python/compile.c:7714:5: uninit_use_in_call: Using uninitialized value ""g.g_entryblock"" when calling ""_PyCfgBuilder_Fini"". 
- 7712| Py_XDECREF(consts); - 7713| instr_sequence_fini(&optimized_instrs); - 7714|-> _PyCfgBuilder_Fini(&g); - 7715| return co; - 7716| } ---- - Python/compile.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Python/compile.c b/Python/compile.c -index 40335f6..0cd8d60 100644 ---- a/Python/compile.c -+++ b/Python/compile.c -@@ -7682,7 +7682,7 @@ optimize_and_assemble_code_unit(struct compiler_unit *u, PyObject *const_cache, - PyCodeObject *co = NULL; - PyObject *consts = consts_dict_keys_inorder(u->u_metadata.u_consts); - if (consts == NULL) { -- goto error; -+ return NULL; - } - cfg_builder g; - if (instr_sequence_to_cfg(&u->u_instr_sequence, &g) < 0) { --- -2.45.2 - - -From 85f555bd5d59cf5a29c8f7ef410b0f78a0b839cc Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 10 Jun 2024 12:12:25 +0200 -Subject: [PATCH 4/5] gh-120155: Fix Coverity issue in zoneinfo load_data() - (GH-120232) (#120311) - -gh-120155: Fix Coverity issue in zoneinfo load_data() (GH-120232) - -Declare the 'rv' varaible at the top of the load_data() function to -make sure that it's initialized before the first 'goto error' which -uses 'rv' (return rv). - -Fix the Coverity issue: - -Error: UNINIT (CWE-457): -Python-3.12.2/Modules/_zoneinfo.c:1233:5: skipped_decl: Jumping over declaration of ""rv"". -Python-3.12.2/Modules/_zoneinfo.c:1284:5: uninit_use: Using uninitialized value ""rv"". 
- 1282| } - 1283| - 1284|-> return rv; - 1285| } - 1286| -(cherry picked from commit b90bd3e5bbc136f53b24ee791824acd6b17e0d42) - -Co-authored-by: Victor Stinner ---- - Modules/_zoneinfo.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Modules/_zoneinfo.c b/Modules/_zoneinfo.c -index 8fc8616..47e4012 100644 ---- a/Modules/_zoneinfo.c -+++ b/Modules/_zoneinfo.c -@@ -954,6 +954,7 @@ end: - static int - load_data(zoneinfo_state *state, PyZoneInfo_ZoneInfo *self, PyObject *file_obj) - { -+ int rv = 0; - PyObject *data_tuple = NULL; - - long *utcoff = NULL; -@@ -1230,7 +1231,6 @@ load_data(zoneinfo_state *state, PyZoneInfo_ZoneInfo *self, PyObject *file_obj) - } - } - -- int rv = 0; - goto cleanup; - error: - // These resources only need to be freed if we have failed, if we succeed --- -2.45.2 - - -From 94346cac4ee78d624b0dbe9d67f5dc2a03fa2a4f Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Tue, 25 Jun 2024 19:40:08 +0200 -Subject: [PATCH 5/5] gh-120155: Fix Coverity issue in parse_string() - (GH-120997) (#121006) - -gh-120155: Fix Coverity issue in parse_string() (GH-120997) -(cherry picked from commit 769aea332940f03c3e5b1ad9badd6635c1ac992a) - -Co-authored-by: Victor Stinner ---- - Parser/string_parser.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/Parser/string_parser.c b/Parser/string_parser.c -index 65c320c..164f715 100644 ---- a/Parser/string_parser.c -+++ b/Parser/string_parser.c -@@ -226,9 +226,14 @@ _PyPegen_parse_string(Parser *p, Token *t) - PyErr_BadInternalCall(); - return NULL; - } -+ - /* Skip the leading quote char. */ - s++; - len = strlen(s); -+ // gh-120155: 's' contains at least the trailing quote, -+ // so the code '--len' below is safe. -+ assert(len >= 1); -+ - if (len > INT_MAX) { - PyErr_SetString(PyExc_OverflowError, "string to parse is too long"); - return NULL; --- -2.45.2 - 
diff --git a/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch b/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
index 2392a78..1a202f7 100644
--- a/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
+++ b/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
@@ -60,10 +60,10 @@ index 2e4b860b97..3066b23ee1 100644
      code = """if 1:
          import _thread
  diff --git a/Lib/threading.py b/Lib/threading.py
 -index 98cb43c697..ee647f8549 100644
 +index 0bba85d08a..b256e3273f 100644
  --- a/Lib/threading.py
  +++ b/Lib/threading.py
 -@@ -1585,29 +1585,20 @@ def _shutdown():
 +@@ -1587,29 +1587,20 @@ def _shutdown():
      global _SHUTTING_DOWN
      _SHUTTING_DOWN = True
diff --git a/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch b/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
index d2b8f88..f579896 100644
--- a/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+++ b/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
@@ -19,7 +19,7 @@ Co-Authored-By: Thomas Dwyer
  create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
  diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
 -index 092bfa8146..6f0bed130b 100644
 +index 6ba42491d6..6bd45200d8 100644
  --- a/Doc/library/email.utils.rst
  +++ b/Doc/library/email.utils.rst
  @@ -58,13 +58,18 @@ of the new API.
@@ -72,7 +72,7 @@ index 092bfa8146..6f0bed130b 100644
  .. function:: parsedate(date)
  diff --git a/Lib/email/utils.py b/Lib/email/utils.py
 -index aa949aa933..af2fb14754 100644
 +index 1de547a011..e53abc8b84 100644
  --- a/Lib/email/utils.py
  +++ b/Lib/email/utils.py
  @@ -48,6 +48,7 @@
diff --git a/python3.12.spec b/python3.12.spec
index d828f2f..a48654f 100644
--- a/python3.12.spec
+++ b/python3.12.spec
@@ -13,11 +13,11 @@ URL: https://www.python.org/
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
-%global general_version %{pybasever}.4
+%global general_version %{pybasever}.5
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 4%{?dist}
+Release: 1%{?dist}
 License: Python-2.0.1
@@ -71,37 +71,31 @@ License: Python-2.0.1
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 24.0
+%global pip_version 24.2
 %global setuptools_version 67.6.1
 %global wheel_version 0.40.0
 # All of those also include a list of indirect bundled libs:
 # pip
 # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
 %global pip_bundled_provides %{expand:
-Provides: bundled(python3dist(cachecontrol)) = 0.13.1
-Provides: bundled(python3dist(certifi)) = 2023.7.22
-Provides: bundled(python3dist(chardet)) = 5.1
-Provides: bundled(python3dist(colorama)) = 0.4.6
+Provides: bundled(python3dist(cachecontrol)) = 0.14
+Provides: bundled(python3dist(certifi)) = 2024.7.4
 Provides: bundled(python3dist(distlib)) = 0.3.8
-Provides: bundled(python3dist(distro)) = 1.8
-Provides: bundled(python3dist(idna)) = 3.4
-Provides: bundled(python3dist(msgpack)) = 1.0.5
-Provides: bundled(python3dist(packaging)) = 21.3
-Provides: bundled(python3dist(platformdirs)) = 3.8.1
-Provides: bundled(python3dist(pygments)) = 2.15.1
-Provides: bundled(python3dist(pyparsing)) = 3.1
+Provides: bundled(python3dist(distro)) = 1.9
+Provides: bundled(python3dist(idna)) = 3.7
+Provides: bundled(python3dist(msgpack)) = 1.0.8
+Provides: bundled(python3dist(packaging)) = 24.1
+Provides: bundled(python3dist(platformdirs)) = 4.2.2
+Provides: bundled(python3dist(pygments)) = 2.18
 Provides: bundled(python3dist(pyproject-hooks)) = 1
-Provides: bundled(python3dist(requests)) = 2.31
+Provides: bundled(python3dist(requests)) = 2.32.3
 Provides: bundled(python3dist(resolvelib)) = 1.0.1
-Provides: bundled(python3dist(rich)) = 13.4.2
-Provides: bundled(python3dist(setuptools)) = 68
-Provides: bundled(python3dist(six)) = 1.16
-Provides: bundled(python3dist(tenacity)) = 8.2.2
+Provides: bundled(python3dist(rich)) = 13.7.1
+Provides: bundled(python3dist(setuptools)) = 70.3
 Provides: bundled(python3dist(tomli)) = 2.0.1
-Provides: bundled(python3dist(truststore)) = 0.8
-Provides: bundled(python3dist(typing-extensions)) = 4.7.1
-Provides: bundled(python3dist(urllib3)) = 1.26.17
-Provides: bundled(python3dist(webencodings)) = 0.5.1
+Provides: bundled(python3dist(truststore)) = 0.9.1
+Provides: bundled(python3dist(typing-extensions)) = 4.12.2
+Provides: bundled(python3dist(urllib3)) = 1.26.18
 }
 # setuptools
 # vendor.txt files not in .whl
@@ -374,12 +368,6 @@ Source11: idle3.appdata.xml
 # pypa/distutils integration: https://github.com/pypa/distutils/pull/70
 Patch251: 00251-change-user-install-location.patch
 
-# 00323 #
-# Fix issues uncovered by static analysis scanners
-# Resolved upstream:
-# https://github.com/python/cpython/issues/120155
-Patch323: 00323-static-analysis-fixes.patch
-
 # 00329 #
 # Support OpenSSL FIPS mode
 # - In FIPS mode, OpenSSL wrappers are always used in hashlib
@@ -1786,6 +1774,11 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Aug 07 2024 Tomáš Hrnčiar - 3.12.5-1
+- Update to 3.12.5
+- Security fix for CVE-2024-6923
+Resolves: RHEL-53036
+
 * Wed Jul 17 2024 Charalampos Stratakis - 3.12.4-4
 - Build Python with -O3
 - https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
diff --git a/sources b/sources
index 114362d..69c99d0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (Python-3.12.4.tar.xz) = 750132ee6369196096130a924f4ddb78b9a55804133e5d136a70b9280928822974d1aa559d844486df02e89155fb0d8117871e1ac532abc18174309ca4b08369
-SHA512 (Python-3.12.4.tar.xz.asc) = 1102b17f395e0ec5de5368d04a4dceb8cc98dd408b68b53998071cf129eb9a6c259316a416128f1dfa37a739f86e599507502a98430348da2272442ce1b7059e
+SHA512 (Python-3.12.5.tar.xz) = 7a1c30d798434fe24697bc253f6010d75145e7650f66803328425c8525331b9fa6b63d12a652687582db205f8d4c8279c8f73c338168592481517b063351c921
+SHA512 (Python-3.12.5.tar.xz.asc) = 65ce92272a38cc6bf8bf56fa2a99a830cf5b33b811b1788508e7b6f8b5d3e93e0b143412f829271be40cbb4e7c154f84499239b3e8ab63b2ccf0a5a22d2f84ee