diff --git a/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch b/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch index 1b36e9b..92c451e 100644 --- a/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch +++ b/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch @@ -41,7 +41,7 @@ index 5c10bcedc6..1fd7a273b5 100644 result = BytesIO() xmlgen = XMLGenerator(result) diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py -index 25c084c8b9..e26e6e0c26 100644 +index 0b343cc4bb..145ecacd21 100644 --- a/Lib/test/test_xml_etree.py +++ b/Lib/test/test_xml_etree.py @@ -1573,9 +1573,13 @@ def test_simple_xml(self, chunk_size=None, flush=False): diff --git a/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch b/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch new file mode 100644 index 0000000..808dac8 --- /dev/null +++ b/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch @@ -0,0 +1,156 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 6 Feb 2026 10:51:02 +0100 +Subject: 00477: Raise an error when importing stdlib modules compiled for a + different Python version + +This is a downstream workaround "implementing" +https://github.com/python/cpython/pull/137212 - +the mechanism for the check exists in Python 3.15+, where it needs to be +added to the standard library modules. +In Fedora, we need it also in previous Python versions, as we experience +segmentation fault when importing stdlib modules after update while +Python is running. + +_tkinter, _tracemalloc and readline are not calling PyModuleDef_Init, +which is modified with this patch, hence they need a +direct call to the check function. + +Co-Authored-By: Karolina Surma +--- + Include/moduleobject.h | 43 ++++++++++++++++++++++++++++++++++++++++++ + Makefile.pre.in | 3 +++ + Modules/_tkinter.c | 6 ++++++ + Modules/_tracemalloc.c | 6 ++++++ + Modules/readline.c | 6 ++++++ + Objects/moduleobject.c | 1 + + 6 files changed, 65 insertions(+) + +diff --git a/Include/moduleobject.h b/Include/moduleobject.h +index 2a17c891dd..64017c666c 100644 +--- a/Include/moduleobject.h ++++ b/Include/moduleobject.h +@@ -116,6 +116,49 @@ struct PyModuleDef { + freefunc m_free; + }; + ++#if defined(_PyHack_check_version_on_modinit) && defined(Py_BUILD_CORE) ++/* The mechanism for the check has been implemented on Python 3.15+: ++ * https://github.com/python/cpython/pull/137212. ++ * In Fedora, we need this in older Pythons too: ++ * if somebody attempts to import a module compiled for a different Python version, ++ * instead of segmentation fault a meaningful error is raised. ++ */ ++PyAPI_DATA(const unsigned long) Py_Version; ++ ++static inline int ++_PyHack_CheckInternalAPIVersion(const char *mod_name) ++{ ++ if (PY_VERSION_HEX != Py_Version) { ++ PyErr_Format( ++ PyExc_ImportError, ++ "internal Python C API version mismatch: " ++ "module %s compiled with %lu.%lu.%lu; " ++ "runtime version is %lu.%lu.%lu", ++ mod_name, ++ (const unsigned long)((PY_VERSION_HEX >> 24) & 0xFF), ++ (const unsigned long)((PY_VERSION_HEX >> 16) & 0xFF), ++ (const unsigned long)((PY_VERSION_HEX >> 8) & 0xFF), ++ (const unsigned long)((Py_Version >> 24) & 0xFF), ++ (const unsigned long)((Py_Version >> 16) & 0xFF), ++ (const unsigned long)((Py_Version >> 8) & 0xFF) ++ ); ++ return -1; ++ } ++ return 0; ++} ++ ++static inline PyObject * ++PyModuleDef_Init_with_check(PyModuleDef *def) ++{ ++ if (_PyHack_CheckInternalAPIVersion(def->m_name) < 0) { ++ return NULL; ++ } ++ return PyModuleDef_Init(def); ++} ++ ++#define PyModuleDef_Init PyModuleDef_Init_with_check ++#endif ++ + #ifdef __cplusplus + } + #endif +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 38a355a23f..67c19c329e 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -3415,3 +3415,6 @@ MODULE__MULTIBYTECODEC_DEPS=$(srcdir)/Modules/cjkcodecs/multibytecodec.h + # Local Variables: + # mode: makefile + # End: ++ ++# Fedora-specific, downstream only ++PY_STDMODULE_CFLAGS += -D_PyHack_check_version_on_modinit=1 +diff --git a/Modules/_tkinter.c b/Modules/_tkinter.c +index 2216de509e..a640496f7f 100644 +--- a/Modules/_tkinter.c ++++ b/Modules/_tkinter.c +@@ -3489,6 +3489,12 @@ static struct PyModuleDef _tkintermodule = { + PyMODINIT_FUNC + PyInit__tkinter(void) + { ++ #ifdef _PyHack_check_version_on_modinit ++ if (_PyHack_CheckInternalAPIVersion("_tkinter") < 0) { ++ return NULL; ++ } ++ #endif ++ + PyObject *m, *uexe, *cexe; + + tcl_lock = PyThread_allocate_lock(); +diff --git a/Modules/_tracemalloc.c b/Modules/_tracemalloc.c +index be71fc9fc9..67922098b2 100644 +--- a/Modules/_tracemalloc.c ++++ b/Modules/_tracemalloc.c +@@ -215,6 +215,12 @@ static struct PyModuleDef module_def = { + PyMODINIT_FUNC + PyInit__tracemalloc(void) + { ++ #ifdef _PyHack_check_version_on_modinit ++ if (_PyHack_CheckInternalAPIVersion("_tracemalloc") < 0) { ++ return NULL; ++ } ++ #endif ++ + PyObject *mod = PyModule_Create(&module_def); + if (mod == NULL) { + return NULL; +diff --git a/Modules/readline.c b/Modules/readline.c +index 8475846eef..b3f5eb3a1f 100644 +--- a/Modules/readline.c ++++ b/Modules/readline.c +@@ -1604,6 +1604,12 @@ static struct PyModuleDef readlinemodule = { + PyMODINIT_FUNC + PyInit_readline(void) + { ++ #ifdef _PyHack_check_version_on_modinit ++ if (_PyHack_CheckInternalAPIVersion("readline") < 0) { ++ return NULL; ++ } ++ #endif ++ + const char *backend = "readline"; + PyObject *m; + readlinestate *mod_state; +diff --git a/Objects/moduleobject.c b/Objects/moduleobject.c +index b68584b5dd..cbf95dc92a 100644 +--- a/Objects/moduleobject.c ++++ b/Objects/moduleobject.c +@@ -50,6 +50,7 @@ _PyModule_IsExtension(PyObject *obj) + } + + ++#undef PyModuleDef_Init + PyObject* + PyModuleDef_Init(PyModuleDef* def) + { diff --git a/plan.fmf b/plan.fmf index db5d4f5..860a1bc 100644 --- a/plan.fmf +++ b/plan.fmf @@ -24,15 +24,14 @@ discover: test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} CYTHON=true ./venv.sh" - name: selftest path: /selftest - test: "VERSION=${pybasever} X='-i test_check_probes -i test_margin_is_sufficient' ./parallel.sh" + test: "VERSION=${pybasever} X='-i test_check_probes' ./parallel.sh" - name: debugtest path: /selftest # test_base_interpreter: https://github.com/python/cpython/issues/131372 - # test_margin_is_sufficient: https://github.com/python/cpython/issues/140222 - test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes -i test_base_interpreter -i test_margin_is_sufficient' ./parallel.sh" + test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes -i test_base_interpreter' ./parallel.sh" - name: freethreadingtest path: /selftest - test: "VERSION=${pybasever}t X='-i test_check_probes -i test_base_interpreter -i test_margin_is_sufficient' ./parallel.sh" + test: "VERSION=${pybasever}t X='-i test_check_probes -i test_base_interpreter' ./parallel.sh" - name: optimizedflags path: /flags test: "python${pybasever} ./assertflags.py -O3 CFLAGS PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS PY_CORE_CFLAGS PY_CFLAGS_NODIST PY_STDMODULE_CFLAGS" diff --git a/python3.14.spec b/python3.14.spec index 162d060..4dea2fc 100644 --- a/python3.14.spec +++ b/python3.14.spec @@ -45,11 +45,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.2 +%global general_version %{pybasever}.3 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 3%{?dist} +Release: 1%{?dist} License: Python-2.0.1 @@ -410,6 +410,22 @@ Patch464: 00464-enable-pac-and-bti-protections-for-aarch64.patch # which is tested as working. Patch466: 00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch +# 00477 # f9f53e560d161531a0c3476c08ee26b89a628bde +# Raise an error when importing stdlib modules compiled for a different Python version +# +# This is a downstream workaround "implementing" +# https://github.com/python/cpython/pull/137212 - +# the mechanism for the check exists in Python 3.15+, where it needs to be +# added to the standard library modules. +# In Fedora, we need it also in previous Python versions, as we experience +# segmentation fault when importing stdlib modules after update while +# Python is running. +# +# _tkinter, _tracemalloc and readline are not calling PyModuleDef_Init, +# which is modified with this patch, hence they need a +# direct call to the check function. +Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1455,8 +1471,6 @@ CheckPython() { # test_check_probes is failing since it was introduced in 3.12.0rc1, # the test is skipped until it is fixed in upstream. # see: https://github.com/python/cpython/issues/104280#issuecomment-1669249980 - # test_margin_is_sufficient - # reported in https://github.com/python/cpython/issues/140222 LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \ -wW --slowest %{_smp_mflags} \ %ifarch riscv64 @@ -1465,7 +1479,6 @@ CheckPython() { --timeout=2700 \ %endif -i test_check_probes \ - -i test_margin_is_sufficient \ echo FINISHED: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName @@ -1950,6 +1963,12 @@ CheckPython freethreading # ====================================================== %changelog +* Wed Feb 04 2026 Karolina Surma - 3.14.3-1 +- Update to Python 3.14.3 +- Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865, +CVE-2025-15282, CVE-2026-1299, CVE-2025-11468 +Resolves: RHEL-144855 + * Mon Jan 19 2026 Charalampos Stratakis - 3.14.2-3 - Support OpenSSL FIPS mode - Disable the builtin hashlib hashes except blake2 diff --git a/sources b/sources index 386b602..ece54ca 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (Python-3.14.2.tar.xz) = 165256b4c713e0262767cd7a2c65622f3f086423524646a39bfa64912376be9e5b70863d5a3c95224b516152d0b79e7ccbfe2f2cf35b809d132f2c38ebb3ab3b +SHA512 (Python-3.14.3.tar.xz) = 9fd875f7a1d96d64e7150913ef38b72b0aeecfcbc24ba46967e57b6495146b0cba6b940c273561fc4d656b6d0ce2e23ffb7bd32bcd0b61fd59a6d90585998c07