diff --git a/.gitignore b/.gitignore index 6fdfde7..33fa1d5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.12.3.tar.xz +SOURCES/Python-3.12.5.tar.xz diff --git a/.python3.12.metadata b/.python3.12.metadata index f12e9fa..ffed180 100644 --- a/.python3.12.metadata +++ b/.python3.12.metadata @@ -1 +1 @@ -3df73004a9b224d021fd397724e8bd4f9b6cc824 SOURCES/Python-3.12.3.tar.xz +d9b83c17a717e1cbd3ab6bd14cfe3e508e6d87b2 SOURCES/Python-3.12.5.tar.xz diff --git a/SOURCES/00251-change-user-install-location.patch b/SOURCES/00251-change-user-install-location.patch index c3938ae..2f33b5a 100644 --- a/SOURCES/00251-change-user-install-location.patch +++ b/SOURCES/00251-change-user-install-location.patch @@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/Lib/site.py b/Lib/site.py -index 924b2460d9..51b5baca93 100644 +index 924cfbecec..e2871ecc89 100644 --- a/Lib/site.py +++ b/Lib/site.py -@@ -387,8 +387,15 @@ def getsitepackages(prefixes=None): +@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None): return sitepackages def addsitepackages(known_paths, prefixes=None): diff --git a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch index 2392a78..1a202f7 100644 --- a/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch +++ b/SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch @@ -60,10 +60,10 @@ index 2e4b860b97..3066b23ee1 100644 code = """if 1: import _thread diff --git a/Lib/threading.py b/Lib/threading.py -index 98cb43c697..ee647f8549 100644 +index 0bba85d08a..b256e3273f 100644 --- a/Lib/threading.py +++ b/Lib/threading.py -@@ -1585,29 +1585,20 @@ def _shutdown(): +@@ -1587,29 +1587,20 @@ def _shutdown(): global _SHUTTING_DOWN _SHUTTING_DOWN = True diff --git a/SOURCES/00397-tarfile-filter.patch b/SOURCES/00397-tarfile-filter.patch index 3ead891..7c87d73 100644 --- a/SOURCES/00397-tarfile-filter.patch +++ b/SOURCES/00397-tarfile-filter.patch @@ -1,19 +1,24 @@ -From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001 +From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001 From: Petr Viktorin -Date: Mon, 6 Mar 2023 17:24:24 +0100 +Date: Tue, 2 Jul 2024 11:40:37 +0200 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction (downstream) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit Add and test RHEL-specific ways of configuring the default behavior: environment variable and config file. + +Co-Authored-By: Tomáš Hrnčiar --- - Lib/tarfile.py | 47 +++++++++++++-- + Lib/tarfile.py | 47 +++++++++++-- Lib/test/test_shutil.py | 2 +- - Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++- - 3 files changed, 163 insertions(+), 9 deletions(-) + Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++-- + 3 files changed, 185 insertions(+), 11 deletions(-) diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index 02f5e3b..f7109f3 100755 +index e1487e3..89b6843 100755 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError", @@ -30,7 +35,7 @@ index 02f5e3b..f7109f3 100755 #--------------------------------------------------------- # tar constants -@@ -2217,11 +2224,41 @@ class TarFile(object): +@@ -2218,11 +2225,41 @@ class TarFile(object): if filter is None: filter = self.extraction_filter if filter is None: @@ -38,7 +43,7 @@ index 02f5e3b..f7109f3 100755 - 'Python 3.14 will, by default, filter extracted tar ' - + 'archives and reject files or modify their metadata. ' - + 'Use the filter argument to control this behavior.', -- DeprecationWarning) +- DeprecationWarning, stacklevel=3) + name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER') + if name is None: + try: @@ -72,16 +77,16 @@ index 02f5e3b..f7109f3 100755 + + 'and some mode bits are cleared. ' + + 'See https://access.redhat.com/articles/7004769 ' + + 'for more details.', -+ RuntimeWarning) ++ RuntimeWarning, stacklevel=3) + return tar_filter return fully_trusted_filter if isinstance(filter, str): raise TypeError( diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py -index 5fd8fb4..501da8f 100644 +index 7bc5d12..88b4bdb 100644 --- a/Lib/test/test_shutil.py +++ b/Lib/test/test_shutil.py -@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase): +@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase): self.check_unpack_archive(format, filter='fully_trusted') self.check_unpack_archive(format, filter='data') with warnings_helper.check_warnings( @@ -91,10 +96,48 @@ index 5fd8fb4..501da8f 100644 def test_unpack_archive_tar(self): diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py -index c5fc76d..397e334 100644 +index 3fbd25e..9aa727e 100644 --- a/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py -@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest): +@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest): + tarfile.open(tarname, encoding="iso8859-1") as tar + ): + directories = [t for t in tar if t.isdir()] +- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm: ++ with self.assertWarnsRegex( ++ RuntimeWarning, ++ re.escape( ++ 'The default behavior of tarfile extraction has been ' ++ 'changed to disallow common exploits ' ++ '(including CVE-2007-4559). ' ++ 'By default, absolute/parent paths are disallowed ' ++ 'and some mode bits are cleared. ' ++ 'See https://access.redhat.com/articles/7004769 ' ++ 'for more details.' ++ )) as cm: + tar.extractall(DIR, directories) + # check that the stacklevel of the deprecation warning is correct: + self.assertEqual(cm.filename, __file__) +@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest): + tarfile.open(tarname, encoding="iso8859-1") as tar + ): + tarinfo = tar.getmember(dirtype) +- with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm: ++ with self.assertWarnsRegex( ++ RuntimeWarning, ++ re.escape( ++ 'The default behavior of tarfile extraction has been ' ++ 'changed to disallow common exploits ' ++ '(including CVE-2007-4559). ' ++ 'By default, absolute/parent paths are disallowed ' ++ 'and some mode bits are cleared. ' ++ 'See https://access.redhat.com/articles/7004769 ' ++ 'for more details.' ++ )) as cm: + tar.extract(tarinfo, path=DIR) + # check that the stacklevel of the deprecation warning is correct: + self.assertEqual(cm.filename, __file__) +@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest): tar.errorlevel = 0 with ExitStack() as cm: if cls.extraction_filter is None: @@ -105,7 +148,7 @@ index c5fc76d..397e334 100644 tar.extractall(cls.control_dir, filter=cls.extraction_filter) tar.close() cls.control_paths = set( -@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase): +@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase): with ArchiveMaker() as arc: arc.add('foo') with warnings_helper.check_warnings( @@ -114,7 +157,7 @@ index c5fc76d..397e334 100644 with self.check_context(arc.open(), None): self.expect_file('foo') -@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase): +@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase): self.expect_exception(TypeError) # errorlevel is not int @@ -239,5 +282,5 @@ index c5fc76d..397e334 100644 testdir = os.path.join(TEMPDIR, "testoverwrite") -- -2.43.0 +2.44.0 diff --git a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch index 192c8b7..4274663 100644 --- a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch +++ b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch @@ -19,7 +19,7 @@ Co-Authored-By: Thomas Dwyer create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst -index 345b64001c..d693a9bc39 100644 +index 6ba42491d6..6bd45200d8 100644 --- a/Doc/library/email.utils.rst +++ b/Doc/library/email.utils.rst @@ -58,13 +58,18 @@ of the new API. @@ -72,7 +72,7 @@ index 345b64001c..d693a9bc39 100644 .. function:: parsedate(date) diff --git a/Lib/email/utils.py b/Lib/email/utils.py -index aa949aa933..af2fb14754 100644 +index 1de547a011..e53abc8b84 100644 --- a/Lib/email/utils.py +++ b/Lib/email/utils.py @@ -48,6 +48,7 @@ @@ -255,7 +255,7 @@ index aa949aa933..af2fb14754 100644 diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py -index a373c53c7c..c616398eb1 100644 +index fc8d87974e..ef8aa0d53c 100644 --- a/Lib/test/test_email/test_email.py +++ b/Lib/test/test_email/test_email.py @@ -16,6 +16,7 @@ diff --git a/SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch b/SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch deleted file mode 100644 index ea2df3a..0000000 --- a/SOURCES/00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Karolina Surma -Date: Wed, 10 Apr 2024 15:35:04 +0200 -Subject: [PATCH] 00425: Only check for 'test/wheeldata' when it's actually - used - -We build Python in Fedora 39+ with option `--with-wheel-pkg-dir` -pointing to a custom wheel directory and delete the contents of -upstream's `test/wheeldata`. Don't include the directory in the test set -if the wheels are used from a different location. ---- - Lib/test/test_tools/test_makefile.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/Lib/test/test_tools/test_makefile.py b/Lib/test/test_tools/test_makefile.py -index 17a1a6d0d3..9ce874033d 100644 ---- a/Lib/test/test_tools/test_makefile.py -+++ b/Lib/test/test_tools/test_makefile.py -@@ -66,6 +66,9 @@ def test_makefile_test_folders(self): - ) - used.append(relpath) - -+ if sysconfig.get_config_var('WHEEL_PKG_DIR'): -+ test_dirs.remove('test/wheeldata') -+ - # Check that there are no extra entries: - unique_test_dirs = set(test_dirs) - self.assertSetEqual(unique_test_dirs, set(used)) diff --git a/SOURCES/00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch b/SOURCES/00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch new file mode 100644 index 0000000..c0552ce --- /dev/null +++ b/SOURCES/00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch @@ -0,0 +1,121 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 12 Aug 2024 02:35:17 +0200 +Subject: [PATCH] 00436: [CVE-2024-8088] gh-122905: Sanitize names in + zipfile.Path. + +--- + Lib/test/test_zipfile/_path/test_path.py | 17 +++++ + Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++- + ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 + + 3 files changed, 81 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst + +diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py +index 06d5aab69b..90885dbbe3 100644 +--- a/Lib/test/test_zipfile/_path/test_path.py ++++ b/Lib/test/test_zipfile/_path/test_path.py +@@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep): + zipfile.Path(alpharep) + with self.assertRaises(KeyError): + alpharep.getinfo('does-not-exist') ++ ++ def test_malformed_paths(self): ++ """ ++ Path should handle malformed paths. ++ """ ++ data = io.BytesIO() ++ zf = zipfile.ZipFile(data, "w") ++ zf.writestr("/one-slash.txt", b"content") ++ zf.writestr("//two-slash.txt", b"content") ++ zf.writestr("../parent.txt", b"content") ++ zf.filename = '' ++ root = zipfile.Path(zf) ++ assert list(map(str, root.iterdir())) == [ ++ 'one-slash.txt', ++ 'two-slash.txt', ++ 'parent.txt', ++ ] +diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py +index 78c413563b..42f9fded21 100644 +--- a/Lib/zipfile/_path/__init__.py ++++ b/Lib/zipfile/_path/__init__.py +@@ -83,7 +83,69 @@ def __setstate__(self, state): + super().__init__(*args, **kwargs) + + +-class CompleteDirs(InitializedState, zipfile.ZipFile): ++class SanitizedNames: ++ """ ++ ZipFile mix-in to ensure names are sanitized. ++ """ ++ ++ def namelist(self): ++ return list(map(self._sanitize, super().namelist())) ++ ++ @staticmethod ++ def _sanitize(name): ++ r""" ++ Ensure a relative path with posix separators and no dot names. ++ ++ Modeled after ++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 ++ but provides consistent cross-platform behavior. ++ ++ >>> san = SanitizedNames._sanitize ++ >>> san('/foo/bar') ++ 'foo/bar' ++ >>> san('//foo.txt') ++ 'foo.txt' ++ >>> san('foo/.././bar.txt') ++ 'foo/bar.txt' ++ >>> san('foo../.bar.txt') ++ 'foo../.bar.txt' ++ >>> san('\\foo\\bar.txt') ++ 'foo/bar.txt' ++ >>> san('D:\\foo.txt') ++ 'D/foo.txt' ++ >>> san('\\\\server\\share\\file.txt') ++ 'server/share/file.txt' ++ >>> san('\\\\?\\GLOBALROOT\\Volume3') ++ '?/GLOBALROOT/Volume3' ++ >>> san('\\\\.\\PhysicalDrive1\\root') ++ 'PhysicalDrive1/root' ++ ++ Retain any trailing slash. ++ >>> san('abc/') ++ 'abc/' ++ ++ Raises a ValueError if the result is empty. ++ >>> san('../..') ++ Traceback (most recent call last): ++ ... ++ ValueError: Empty filename ++ """ ++ ++ def allowed(part): ++ return part and part not in {'..', '.'} ++ ++ # Remove the drive letter. ++ # Don't use ntpath.splitdrive, because that also strips UNC paths ++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) ++ clean = bare.replace('\\', '/') ++ parts = clean.split('/') ++ joined = '/'.join(filter(allowed, parts)) ++ if not joined: ++ raise ValueError("Empty filename") ++ return joined + '/' * name.endswith('/') ++ ++ ++class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile): + """ + A ZipFile subclass that ensures that implied directories + are always included in the namelist. +diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst +new file mode 100644 +index 0000000000..1be44c906c +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst +@@ -0,0 +1 @@ ++:class:`zipfile.Path` objects now sanitize names from the zipfile. diff --git a/SOURCES/Python-3.12.3.tar.xz.asc b/SOURCES/Python-3.12.3.tar.xz.asc deleted file mode 100644 index a8f084e..0000000 --- a/SOURCES/Python-3.12.3.tar.xz.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmYVDdNfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx -Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6 -YwU8Vg//aP8bxzPTDIM9Af1LLJj5LNLIuZOl5QysWQVbakoCpS8Z8ZiK3LyzGi7H -pQ5uJEnRjhULnOi+va2TPBDqiYvY1CkVizYzmUe1dMtzHdJUBE1TzybfON02JzPD -62oDHxUC1hvITyLE8tjnsgBuP9bbYYHnS+qqmDgBWS1M60i4bqcBiSdlWZp7ZTI4 -KIxIy9eyNujHnNQrQQ1oqIoj7ty1Hrtkfqia/3cVq7rkQT8HecBIW0K82WuIXizm -/Ua/TQslTJsypslFYpoJBoIkWG2nk7RhJvfU5iLxQHen6cr7JOUo/u3jv0DIJyJs -LdBWG6noTIiqKJb65UswLUxexM5f3Y7gLEZ4FCqlbAOAPG16xwwC8Xd7LIF33cHK -133BvYCkwdl0MCpmsQuxi8i6Kql0MaEqJ9MEj6UN66ZJVpRx8hOm2FtZGhn5ZNxx -r5C2zXGw/IjXeS01wgD8cSRVA0XJdN4bu88vmvhqMuezg3CDF5bX85isoFUaLUjS -c5Lv1HNrqPiaWHOctnvzasy0djpwze+WCzsXFMI6VfejPpYwNlhmnxS7i3R9A4RK -gBwViMd5q5rwx365tCfRfGcBW6OOvrHZalhSGYmUw13sBarFliW9CvN4ghN9kWbN -YQwSggf5KD6v5mAAyReMrOJTyBG6B5hMlxKai5CzbRLlG25T2wI= -=ZQxz ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.12.5.tar.xz.asc b/SOURCES/Python-3.12.5.tar.xz.asc new file mode 100644 index 0000000..b8c4cf1 --- /dev/null +++ b/SOURCES/Python-3.12.5.tar.xz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmayiFtfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx +Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6 +YwUr4g//VyVs9tvbtiSp8pGe8f1gYErEw54r124sL/CBuNii8Irts1j5ymGxcm+l +hshPK5UlqRnhd5dCJWFTvLTXa5Ko2R1L3JyyxfGd1hmDuMhrWsDHijI0R7L/mGM5 +6X2LTaadBVNvk8HaNKvR8SEWvo68rdnOuYElFA9ir7uqwjO26ZWz9FfH80YDGwo8 +Blef2NYw8rNhiaZMFV0HYV7D+YyUAZnFNfW8M7Fd4oskUyj1tD9J89T9FFLYN09d +BcCIf+EdiEfqRpKxH89bW2g52kDrm4jYGONtpyF8eruyS3YwYSbvbuWioBYKmlxC +s51mieXz6G325GTZnmPxLek3ywPv6Gil9y0wH3fIr2BsWsmXust4LBpjDGt56Fy6 +seokGBg8xzsBSk3iEqNoFmNsy/QOiuCcDejX4XqBDNodOlETQPJb07TkTI2iOmg9 +NG4Atiz1HvGVxK68UuK9IIcNHyaWUmH8h4VQFGvc6KV6feP5Nm21Y12PZ5XIqJBO +Y8M/VJIJ5koaNPQfnBbbI5YBkUr4BVpIXIpY5LM/L5sUo2C3R7hMi0VGK88HGfSQ +KV4JmZgf6RMBNmrWY12sryS1QQ6q3P110GTUGQWB3sxxNbhmfcrK+4viqHc83yDz +ifmk33HuqaQGU7OzUMHeNcoCJIPo3H1FpoHOn9wLLCtA1pT+as4= +=t0Rk +-----END PGP SIGNATURE----- diff --git a/SPECS/python3.12.spec b/SPECS/python3.12.spec index 1b6886d..da9bae8 100644 --- a/SPECS/python3.12.spec +++ b/SPECS/python3.12.spec @@ -16,7 +16,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.3 +%global general_version %{pybasever}.5 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} @@ -65,37 +65,31 @@ License: Python-2.0.1 # If the rpmwheels condition is disabled, we use the bundled wheel packages # from Python with the versions below. # This needs to be manually updated when we update Python. -%global pip_version 24.0 +%global pip_version 24.2 %global setuptools_version 67.6.1 %global wheel_version 0.40.0 # All of those also include a list of indirect bundled libs: # pip # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) %global pip_bundled_provides %{expand: -Provides: bundled(python3dist(cachecontrol)) = 0.13.1 -Provides: bundled(python3dist(certifi)) = 2023.7.22 -Provides: bundled(python3dist(chardet)) = 5.1 -Provides: bundled(python3dist(colorama)) = 0.4.6 +Provides: bundled(python3dist(cachecontrol)) = 0.14 +Provides: bundled(python3dist(certifi)) = 2024.7.4 Provides: bundled(python3dist(distlib)) = 0.3.8 -Provides: bundled(python3dist(distro)) = 1.8 -Provides: bundled(python3dist(idna)) = 3.4 -Provides: bundled(python3dist(msgpack)) = 1.0.5 -Provides: bundled(python3dist(packaging)) = 21.3 -Provides: bundled(python3dist(platformdirs)) = 3.8.1 -Provides: bundled(python3dist(pygments)) = 2.15.1 -Provides: bundled(python3dist(pyparsing)) = 3.1 +Provides: bundled(python3dist(distro)) = 1.9 +Provides: bundled(python3dist(idna)) = 3.7 +Provides: bundled(python3dist(msgpack)) = 1.0.8 +Provides: bundled(python3dist(packaging)) = 24.1 +Provides: bundled(python3dist(platformdirs)) = 4.2.2 +Provides: bundled(python3dist(pygments)) = 2.18 Provides: bundled(python3dist(pyproject-hooks)) = 1 -Provides: bundled(python3dist(requests)) = 2.31 +Provides: bundled(python3dist(requests)) = 2.32.3 Provides: bundled(python3dist(resolvelib)) = 1.0.1 -Provides: bundled(python3dist(rich)) = 13.4.2 -Provides: bundled(python3dist(setuptools)) = 68 -Provides: bundled(python3dist(six)) = 1.16 -Provides: bundled(python3dist(tenacity)) = 8.2.2 +Provides: bundled(python3dist(rich)) = 13.7.1 +Provides: bundled(python3dist(setuptools)) = 70.3 Provides: bundled(python3dist(tomli)) = 2.0.1 -Provides: bundled(python3dist(truststore)) = 0.8 -Provides: bundled(python3dist(typing-extensions)) = 4.7.1 -Provides: bundled(python3dist(urllib3)) = 1.26.17 -Provides: bundled(python3dist(webencodings)) = 0.5.1 +Provides: bundled(python3dist(truststore)) = 0.9.1 +Provides: bundled(python3dist(typing-extensions)) = 4.12.2 +Provides: bundled(python3dist(urllib3)) = 1.26.18 } # setuptools # vendor.txt files not in .whl @@ -200,6 +194,13 @@ Provides: bundled(python3dist(packaging)) = 23 %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION} %global py_INSTSONAME_debug libpython%{LDVERSION_debug}.so.%{py_SOVERSION} +# The -O flag for the compiler, optimized builds +# https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3 +%global optflags_optimized -O3 +# The -O flag for the compiler, debug builds +# -Wno-cpp avoids some warnings with -O0 +%global optflags_debug -O0 -Wno-cpp + # Disable automatic bytecompilation. The python3 binary is not yet be # available in /usr/bin when Python is built. Also, the bytecompilation fails # on files that test invalid syntax. @@ -397,14 +398,9 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par # CVE-2023-52425. Future versions of Expat may be more reactive. Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch -# 00425 # a563ac3076a00f0f48b3f94ff63d91d37cb4f1e9 -# Only check for 'test/wheeldata' when it's actually used -# -# We build Python in Fedora 39+ with option `--with-wheel-pkg-dir` -# pointing to a custom wheel directory and delete the contents of -# upstream's `test/wheeldata`. Don't include the directory in the test set -# if the wheels are used from a different location. -Patch425: 00425-only-check-for-test-wheeldata-when-it-s-actually-used.patch +# 00436 # c76cc2aa3a2c30375ade4859b732ada851cc89ed +# [CVE-2024-8088] gh-122905: Sanitize names in zipfile.Path. +Patch436: 00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch # (New patches go here ^^^) # @@ -852,6 +848,7 @@ BuildPython() { ConfName=$1 ExtraConfigArgs=$2 MoreCFlags=$3 + MoreCFlagsNodist=$4 # Each build is done in its own directory ConfDir=build/$ConfName @@ -891,7 +888,7 @@ BuildPython() { $ExtraConfigArgs \ %{nil} -%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags" +%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist" %if %{without bootstrap} # Regenerate generated files (needs python3) @@ -914,12 +911,14 @@ BuildPython() { # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857 BuildPython debug \ "--without-ensurepip --with-pydebug" \ - "-O0 -Wno-cpp" + "%{optflags_debug}" \ + "" %endif # with debug_build BuildPython optimized \ "--without-ensurepip %{optimizations_flag}" \ - "" + "" \ + "%{optflags_optimized}" # ====================================================== # Installing the built code: @@ -1024,7 +1023,7 @@ EOF %if %{with debug_build} InstallPython debug \ %{py_INSTSONAME_debug} \ - -O0 \ + "%{optflags_debug}" \ %{LDVERSION_debug} %endif # with debug_build @@ -1893,6 +1892,26 @@ fi # ====================================================== %changelog +* Fri Aug 23 2024 Charalampos Stratakis - 3.12.5-2 +- Security fix for CVE-2024-8088 +Resolves: RHEL-55939 + +* Wed Aug 07 2024 Tomáš Hrnčiar - 3.12.5-1 +- Update to 3.12.5 +- Security fix for CVE-2024-6923 +Resolves: RHEL-53075 + +* Thu Jul 25 2024 Charalampos Stratakis - 3.12.4-3 +- Properly propagate the optimization flags to C extensions + +* Wed Jul 17 2024 Charalampos Stratakis - 3.12.4-2 +- Build Python with -O3 +- https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3 + +* Fri Jun 28 2024 Tomáš Hrnčiar - 3.12.4-1 +- Update to 3.12.4 +Resolves: RHEL-44074 + * Tue Jun 11 2024 Charalampos Stratakis - 3.12.3-2 - Enable importing of hash-based .pyc files under FIPS mode Resolves: RHEL-40776