diff --git a/00251-change-user-install-location.patch b/00251-change-user-install-location.patch index c3938ae..2f33b5a 100644 --- a/00251-change-user-install-location.patch +++ b/00251-change-user-install-location.patch @@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/Lib/site.py b/Lib/site.py -index 924b2460d9..51b5baca93 100644 +index 924cfbecec..e2871ecc89 100644 --- a/Lib/site.py +++ b/Lib/site.py -@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None): +@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None): return sitepackages def addsitepackages(known_paths, prefixes=None): diff --git a/00397-tarfile-filter.patch b/00397-tarfile-filter.patch index 0256977..7c87d73 100644 --- a/00397-tarfile-filter.patch +++ b/00397-tarfile-filter.patch @@ -1,19 +1,24 @@ -From 6fa46b71f7010ed17f6a44fe89bbc0cbcc2441f3 Mon Sep 17 00:00:00 2001 +From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001 From: Petr Viktorin -Date: Mon, 6 Mar 2023 17:24:24 +0100 +Date: Tue, 2 Jul 2024 11:40:37 +0200 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction (downstream) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit Add and test RHEL-specific ways of configuring the default behavior: environment variable and config file. + +Co-Authored-By: Tomáš Hrnčiar --- - Lib/tarfile.py | 47 +++++++++++++-- + Lib/tarfile.py | 47 +++++++++++-- Lib/test/test_shutil.py | 2 +- - Lib/test/test_tarfile.py | 122 ++++++++++++++++++++++++++++++++++++++- - 3 files changed, 162 insertions(+), 9 deletions(-) + Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++-- + 3 files changed, 185 insertions(+), 11 deletions(-) diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index 3bbbcaa..91c7754 100755 +index e1487e3..89b6843 100755 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError", @@ -38,7 +43,7 @@ index 3bbbcaa..91c7754 100755 - 'Python 3.14 will, by default, filter extracted tar ' - + 'archives and reject files or modify their metadata. ' - + 'Use the filter argument to control this behavior.', -- DeprecationWarning) +- DeprecationWarning, stacklevel=3) + name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER') + if name is None: + try: @@ -72,16 +77,16 @@ index 3bbbcaa..91c7754 100755 + + 'and some mode bits are cleared. ' + + 'See https://access.redhat.com/articles/7004769 ' + + 'for more details.', -+ RuntimeWarning) ++ RuntimeWarning, stacklevel=3) + return tar_filter return fully_trusted_filter if isinstance(filter, str): raise TypeError( diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py -index bf60f37..242f4af 100644 +index 7bc5d12..88b4bdb 100644 --- a/Lib/test/test_shutil.py +++ b/Lib/test/test_shutil.py -@@ -1964,7 +1964,7 @@ class TestArchives(BaseTest, unittest.TestCase): +@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase): self.check_unpack_archive(format, filter='fully_trusted') self.check_unpack_archive(format, filter='data') with warnings_helper.check_warnings( @@ -91,10 +96,48 @@ index bf60f37..242f4af 100644 def test_unpack_archive_tar(self): diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py -index 71489ea..1c08110 100644 +index 3fbd25e..9aa727e 100644 --- a/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py -@@ -3098,8 +3098,8 @@ class NoneInfoExtractTests(ReadTest): +@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest): + tarfile.open(tarname, encoding="iso8859-1") as tar + ): + directories = [t for t in tar if t.isdir()] +- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm: ++ with self.assertWarnsRegex( ++ RuntimeWarning, ++ re.escape( ++ 'The default behavior of tarfile extraction has been ' ++ 'changed to disallow common exploits ' ++ '(including CVE-2007-4559). ' ++ 'By default, absolute/parent paths are disallowed ' ++ 'and some mode bits are cleared. ' ++ 'See https://access.redhat.com/articles/7004769 ' ++ 'for more details.' ++ )) as cm: + tar.extractall(DIR, directories) + # check that the stacklevel of the deprecation warning is correct: + self.assertEqual(cm.filename, __file__) +@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest): + tarfile.open(tarname, encoding="iso8859-1") as tar + ): + tarinfo = tar.getmember(dirtype) +- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm: ++ with self.assertWarnsRegex( ++ RuntimeWarning, ++ re.escape( ++ 'The default behavior of tarfile extraction has been ' ++ 'changed to disallow common exploits ' ++ '(including CVE-2007-4559). ' ++ 'By default, absolute/parent paths are disallowed ' ++ 'and some mode bits are cleared. ' ++ 'See https://access.redhat.com/articles/7004769 ' ++ 'for more details.' ++ )) as cm: + tar.extract(tarinfo, path=DIR) + # check that the stacklevel of the deprecation warning is correct: + self.assertEqual(cm.filename, __file__) +@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest): tar.errorlevel = 0 with ExitStack() as cm: if cls.extraction_filter is None: @@ -105,7 +148,7 @@ index 71489ea..1c08110 100644 tar.extractall(cls.control_dir, filter=cls.extraction_filter) tar.close() cls.control_paths = set( -@@ -3920,7 +3920,7 @@ class TestExtractionFilters(unittest.TestCase): +@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase): with ArchiveMaker() as arc: arc.add('foo') with warnings_helper.check_warnings( @@ -114,10 +157,10 @@ index 71489ea..1c08110 100644 with self.check_context(arc.open(), None): self.expect_file('foo') -@@ -4089,6 +4089,122 @@ class TestExtractionFilters(unittest.TestCase): - with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter): +@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase): self.expect_exception(TypeError) # errorlevel is not int + + @contextmanager + def rh_config_context(self, config_lines=None): + """Set up for testing various ways of overriding the default filter @@ -234,9 +277,10 @@ index 71489ea..1c08110 100644 + ): + self.check_trusted_default(tar, tempdir) + - ++ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): testdir = os.path.join(TEMPDIR, "testoverwrite") + -- 2.44.0 diff --git a/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch b/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch index 192c8b7..d2b8f88 100644 --- a/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch +++ b/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch @@ -19,7 +19,7 @@ Co-Authored-By: Thomas Dwyer create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst -index 345b64001c..d693a9bc39 100644 +index 092bfa8146..6f0bed130b 100644 --- a/Doc/library/email.utils.rst +++ b/Doc/library/email.utils.rst @@ -58,13 +58,18 @@ of the new API. diff --git a/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch b/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch deleted file mode 100644 index ea2df3a..0000000 --- a/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Karolina Surma -Date: Wed, 10 Apr 2024 15:35:04 +0200 -Subject: [PATCH] 00425: Only check for 'test/wheeldata' when it's actually - used - -We build Python in Fedora 39+ with option `--with-wheel-pkg-dir` -pointing to a custom wheel directory and delete the contents of -upstream's `test/wheeldata`. Don't include the directory in the test set -if the wheels are used from a different location. ---- - Lib/test/test_tools/test_makefile.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/Lib/test/test_tools/test_makefile.py b/Lib/test/test_tools/test_makefile.py -index 17a1a6d0d3..9ce874033d 100644 ---- a/Lib/test/test_tools/test_makefile.py -+++ b/Lib/test/test_tools/test_makefile.py -@@ -66,6 +66,9 @@ def test_makefile_test_folders(self): - ) - used.append(relpath) - -+ if sysconfig.get_config_var('WHEEL_PKG_DIR'): -+ test_dirs.remove('test/wheeldata') -+ - # Check that there are no extra entries: - unique_test_dirs = set(test_dirs) - self.assertSetEqual(unique_test_dirs, set(used)) diff --git a/python3.12.spec b/python3.12.spec index 4ee1a5d..1369ea7 100644 --- a/python3.12.spec +++ b/python3.12.spec @@ -13,7 +13,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.3 +%global general_version %{pybasever}.4 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} @@ -405,15 +405,6 @@ Patch397: 00397-tarfile-filter.patch # Thomas Dwyer. Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch -# 00425 # a563ac3076a00f0f48b3f94ff63d91d37cb4f1e9 -# Only check for 'test/wheeldata' when it's actually used -# -# We build Python in Fedora 39+ with option `--with-wheel-pkg-dir` -# pointing to a custom wheel directory and delete the contents of -# upstream's `test/wheeldata`. Don't include the directory in the test set -# if the wheels are used from a different location. -Patch425: 00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1771,6 +1762,10 @@ CheckPython optimized # ====================================================== %changelog +* Wed Jul 03 2024 Tomáš Hrnčiar - 3.12.4-1 +- Update to 3.12.4 +Resolves: RHEL-44054 + * Wed Jul 03 2024 Tomáš Hrnčiar - 3.12.3-1 - Update to 3.12.3 diff --git a/sources b/sources index a31bb26..114362d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (Python-3.12.3.tar.xz) = 4a2213b108e7f1f1525baa8348e68b2a2336d925e60d0a59f0225fc470768a2c8031edafc0b8243f94dbae18afda335ee5adf2785328c2218fd64cbb439f13a4 -SHA512 (Python-3.12.3.tar.xz.asc) = c291ec5b5e4f8deba867cc517624dd9a174745f04061ef737e58f3d52b9b30318264aec350e339fe88ccb493809ca1a90a378e86d86b8ec4a4f578b1a5843624 +SHA512 (Python-3.12.4.tar.xz) = 750132ee6369196096130a924f4ddb78b9a55804133e5d136a70b9280928822974d1aa559d844486df02e89155fb0d8117871e1ac532abc18174309ca4b08369 +SHA512 (Python-3.12.4.tar.xz.asc) = 1102b17f395e0ec5de5368d04a4dceb8cc98dd408b68b53998071cf129eb9a6c259316a416128f1dfa37a739f86e599507502a98430348da2272442ce1b7059e