From 194e06e23d3eea44bb9bd12a93619b9829980e37 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 27 Sep 2022 09:54:45 -0400 Subject: [PATCH] import python3.9-3.9.13-3.el9 --- .gitignore | 2 +- .python3.9.metadata | 2 +- SOURCES/00189-use-rpm-wheels.patch | 9 +- SOURCES/00329-fips.patch | 219 +++++++++++++++-------------- SOURCES/00382-cve-2015-20107.patch | 150 ++++++++++++++++++++ SOURCES/Python-3.9.10.tar.xz.asc | 16 --- SOURCES/Python-3.9.13.tar.xz.asc | 16 +++ SPECS/python3.9.spec | 28 +++- 8 files changed, 314 insertions(+), 128 deletions(-) create mode 100644 SOURCES/00382-cve-2015-20107.patch delete mode 100644 SOURCES/Python-3.9.10.tar.xz.asc create mode 100644 SOURCES/Python-3.9.13.tar.xz.asc diff --git a/.gitignore b/.gitignore index 59b16ab..c5bf0b1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.9.10.tar.xz +SOURCES/Python-3.9.13.tar.xz diff --git a/.python3.9.metadata b/.python3.9.metadata index 2556089..00daee8 100644 --- a/.python3.9.metadata +++ b/.python3.9.metadata @@ -1 +1 @@ -936fc25ac4e1b482a0cefa82dd6092a0c6b575e6 SOURCES/Python-3.9.10.tar.xz +d57e5c8b94fe42e2b403e6eced02b25ed47ca8da SOURCES/Python-3.9.13.tar.xz diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch index e5cf8f7..9a180c4 100644 --- a/SOURCES/00189-use-rpm-wheels.patch +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -1,4 +1,4 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From 12b919396f3fd24521b5ded51e18beb55973f0ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 15 Aug 2018 15:36:29 +0200 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels @@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py -index 2a140a2624..5bd16a6c59 100644 +index e510cc7..5bd16a6 100644 --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py @@ -1,3 +1,5 @@ @@ -31,7 +31,7 @@ index 2a140a2624..5bd16a6c59 100644 __all__ = ["version", "bootstrap"] -_SETUPTOOLS_VERSION = "58.1.0" --_PIP_VERSION = "21.2.4" +-_PIP_VERSION = "22.0.4" + +_WHEEL_DIR = "/usr/share/python-wheels/" + @@ -73,3 +73,6 @@ index 2a140a2624..5bd16a6c59 100644 additional_paths.append(os.path.join(tmpdir, wheel_name)) +-- +2.35.3 + diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index 0548005..84aee1d 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -1,47 +1,58 @@ -From 355e975a386b60d787b98cc4cd08b98f876ff858 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 7 Feb 2022 00:08:10 -0800 -Subject: [PATCH 01/11] bpo-40479: Fix undefined behavior in - Modules/_hashopenssl.c (GH-31153) +From 3ccbf41ad18431fcb7e6e83cb4b6bf13c6c22f3e Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 27 Jul 2022 09:19:49 +0200 +Subject: [PATCH] gh-95280: Fix test_get_ciphers on systems without RSA key + exchange (GH-95282) (cherry picked from commit + 565403038b75eb64ea483b2757ba30769246d853) -va_end() must be called before returning. -(cherry picked from commit 59e004af63742361b67d1e1ae70229ff0db1059d) - -Co-authored-by: Zackery Spytz +Co-authored-by: Christian Heimes --- - .../Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst | 1 + - Modules/_hashopenssl.c | 1 + - 2 files changed, 2 insertions(+) - create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst + Lib/test/test_ssl.py | 16 ++++++++++++++-- + ...2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst | 2 ++ + 2 files changed, 16 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst -diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst b/Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index 9f364fa4bbb6d..f97227b11bcde 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -1177,8 +1177,20 @@ def test_get_ciphers(self): + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + ctx.set_ciphers('AESGCM') + names = set(d['name'] for d in ctx.get_ciphers()) +- self.assertIn('AES256-GCM-SHA384', names) +- self.assertIn('AES128-GCM-SHA256', names) ++ expected = { ++ 'AES128-GCM-SHA256', ++ 'ECDHE-ECDSA-AES128-GCM-SHA256', ++ 'ECDHE-RSA-AES128-GCM-SHA256', ++ 'DHE-RSA-AES128-GCM-SHA256', ++ 'AES256-GCM-SHA384', ++ 'ECDHE-ECDSA-AES256-GCM-SHA384', ++ 'ECDHE-RSA-AES256-GCM-SHA384', ++ 'DHE-RSA-AES256-GCM-SHA384', ++ } ++ intersection = names.intersection(expected) ++ self.assertGreaterEqual( ++ len(intersection), 2, f"\ngot: {sorted(names)}\nexpected: {sorted(expected)}" ++ ) + + def test_options(self): + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) +diff --git a/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst new file mode 100644 -index 00000000000..52701d53d8f +index 0000000000000..523d9d5f2f8bf --- /dev/null -+++ b/Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst -@@ -0,0 +1 @@ -+Add a missing call to ``va_end()`` in ``Modules/_hashopenssl.c``. -diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index a4889450821..4873bb11aa0 100644 ---- a/Modules/_hashopenssl.c -+++ b/Modules/_hashopenssl.c -@@ -311,6 +311,7 @@ _setException(PyObject *exc, const char* altmsg, ...) - } else { - PyErr_FormatV(exc, altmsg, vargs); - } -+ va_end(vargs); - return NULL; - } - va_end(vargs); --- -2.34.1 ++++ b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst +@@ -0,0 +1,2 @@ ++Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require ++perfect forward secrecy (PFS) ciphers. -From b906713972396823c9e2e04421f9dbcfdc6a6c94 Mon Sep 17 00:00:00 2001 +From 37aa11f4c57e08bd3859c0de1c22f1d5296b6fdc Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 11 Aug 2021 16:51:03 +0200 -Subject: [PATCH 02/11] Backport PyModule_AddObjectRef as +Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as _PyModule_AddObjectRef Having PyModule_AddObjectRef available should make backporting @@ -111,13 +122,13 @@ index 13482c6..fca1083 100644 PyModule_AddIntConstant(PyObject *m, const char *name, long value) { -- -2.34.1 +2.35.3 -From c67b383ffd3ccacedacbeb91c3bdeaf5f829ca09 Mon Sep 17 00:00:00 2001 +From 3fc28233b7244bb891499a974c3f3cda42454760 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 13 Aug 2021 13:16:43 +0200 -Subject: [PATCH 03/11] _hashopenssl: Uncomment and use initialization function +Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function list This simplifies backporting of future changes. @@ -129,10 +140,10 @@ We use this change instead of Python 3.10's: 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index a488945..62cf769 100644 +index 4db058c..56dfff9 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -2216,7 +2216,6 @@ hashlib_init_hmactype(PyObject *module) +@@ -2227,7 +2227,6 @@ hashlib_init_hmactype(PyObject *module) return 0; } @@ -140,7 +151,7 @@ index a488945..62cf769 100644 static PyModuleDef_Slot hashlib_slots[] = { /* OpenSSL 1.0.2 and LibreSSL */ {Py_mod_exec, hashlib_openssl_legacy_init}, -@@ -2227,7 +2226,6 @@ static PyModuleDef_Slot hashlib_slots[] = { +@@ -2238,7 +2237,6 @@ static PyModuleDef_Slot hashlib_slots[] = { {Py_mod_exec, hashlib_md_meth_names}, {0, NULL} }; @@ -148,7 +159,7 @@ index a488945..62cf769 100644 static struct PyModuleDef _hashlibmodule = { PyModuleDef_HEAD_INIT, -@@ -2255,29 +2253,11 @@ PyInit__hashlib(void) +@@ -2266,29 +2264,11 @@ PyInit__hashlib(void) return NULL; } @@ -184,13 +195,13 @@ index a488945..62cf769 100644 return m; -- -2.34.1 +2.35.3 -From c49c1416d22fffc78204d66987f40e6d17a95c01 Mon Sep 17 00:00:00 2001 +From 309e06621a9a8b8220c8f83d588cc76e1fa2380d Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 27 Mar 2021 14:55:03 +0100 -Subject: [PATCH 04/11] bpo-40645: use C implementation of HMAC (GH-24920, +Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920, GH-25063, GH-26079) This backports the feature and 2 subsequent bugfixes @@ -621,7 +632,7 @@ index 0000000..a9ab1c0 +The :mod:`hmac` module now uses OpenSSL's HMAC implementation when digestmod +argument is a hash name or builtin hash function. diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 62cf769..71ac832 100644 +index 56dfff9..ca9fea9 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -260,6 +260,8 @@ typedef struct { @@ -765,7 +776,7 @@ index 62cf769..71ac832 100644 return NULL; } -@@ -2106,6 +2145,8 @@ hashlib_traverse(PyObject *m, visitproc visit, void *arg) +@@ -2117,6 +2156,8 @@ hashlib_traverse(PyObject *m, visitproc visit, void *arg) #ifdef PY_OPENSSL_HAS_SHAKE Py_VISIT(state->EVPXOFtype); #endif @@ -774,7 +785,7 @@ index 62cf769..71ac832 100644 return 0; } -@@ -2118,10 +2159,14 @@ hashlib_clear(PyObject *m) +@@ -2129,10 +2170,14 @@ hashlib_clear(PyObject *m) #ifdef PY_OPENSSL_HAS_SHAKE Py_CLEAR(state->EVPXOFtype); #endif @@ -789,7 +800,7 @@ index 62cf769..71ac832 100644 return 0; } -@@ -2216,6 +2261,79 @@ hashlib_init_hmactype(PyObject *module) +@@ -2227,6 +2272,79 @@ hashlib_init_hmactype(PyObject *module) return 0; } @@ -869,7 +880,7 @@ index 62cf769..71ac832 100644 static PyModuleDef_Slot hashlib_slots[] = { /* OpenSSL 1.0.2 and LibreSSL */ {Py_mod_exec, hashlib_openssl_legacy_init}, -@@ -2224,6 +2342,8 @@ static PyModuleDef_Slot hashlib_slots[] = { +@@ -2235,6 +2353,8 @@ static PyModuleDef_Slot hashlib_slots[] = { {Py_mod_exec, hashlib_init_evpxoftype}, {Py_mod_exec, hashlib_init_hmactype}, {Py_mod_exec, hashlib_md_meth_names}, @@ -967,13 +978,13 @@ index 68aa765..4466ec4 100644 -/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/ -- -2.34.1 +2.35.3 -From f7ce31ebf3200952dadff556bfcbf2876139c823 Mon Sep 17 00:00:00 2001 +From 2656f4998c17d8a63b5b45462a2dae5b1b3d520f Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 -Subject: [PATCH 05/11] Expose blake2b and blake2s hashes from OpenSSL +Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL These aren't as powerful as Python's own implementation, but they can be used under FIPS. @@ -984,10 +995,10 @@ used under FIPS. 3 files changed, 148 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 969e5e4..5b46016 100644 +index f845c7a..7aaeb76 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py -@@ -354,6 +354,12 @@ class HashLibTestCase(unittest.TestCase): +@@ -363,6 +363,12 @@ class HashLibTestCase(unittest.TestCase): # 2 is for hashlib.name(...) and hashlib.new(name, ...) self.assertGreaterEqual(len(constructors), 2) for hash_object_constructor in constructors: @@ -1001,7 +1012,7 @@ index 969e5e4..5b46016 100644 computed = m.hexdigest() if not shake else m.hexdigest(length) self.assertEqual( diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 71ac832..0b2c65e 100644 +index ca9fea9..9d98d20 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -1138,6 +1138,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, @@ -1046,7 +1057,7 @@ index 71ac832..0b2c65e 100644 #ifdef PY_OPENSSL_HAS_SHA3 /*[clinic input] -@@ -2124,6 +2159,8 @@ static struct PyMethodDef EVP_functions[] = { +@@ -2135,6 +2170,8 @@ static struct PyMethodDef EVP_functions[] = { _HASHLIB_OPENSSL_SHA256_METHODDEF _HASHLIB_OPENSSL_SHA384_METHODDEF _HASHLIB_OPENSSL_SHA512_METHODDEF @@ -1177,13 +1188,13 @@ index 4466ec4..54c22b2 100644 -/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/ +/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/ -- -2.34.1 +2.35.3 -From b8956168975170b8e7a797b6aa23e0d356f5ebec Mon Sep 17 00:00:00 2001 +From 652264a57ab6564bfe775d88502776df95cd897d Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 1 Aug 2019 17:57:05 +0200 -Subject: [PATCH 06/11] Use a stronger hash in multiprocessing handshake +Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake Adapted from patch by David Malcolm, https://bugs.python.org/issue17258 @@ -1225,13 +1236,13 @@ index 510e4b5..b68f2fb 100644 response = connection.recv_bytes(256) # reject large message if response != WELCOME: -- -2.34.1 +2.35.3 -From 20d86957b863e80d1f71b5681fccdb1fd16128b9 Mon Sep 17 00:00:00 2001 +From 4a8637f114196b1ab19435ea64c19c7acf77776c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 -Subject: [PATCH 07/11] Disable Python's hash implementations in FIPS mode, +Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode, forcing OpenSSL --- @@ -1271,7 +1282,7 @@ index ffa3be0..3e3f4dd 100644 def __get_builtin_constructor(name): cache = __builtin_constructor_cache diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 5b46016..72fdc67 100644 +index 7aaeb76..fa4a8d7 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -35,14 +35,15 @@ else: @@ -1295,7 +1306,7 @@ index 5b46016..72fdc67 100644 try: from _hashlib import HASH, HASHXOF, openssl_md_meth_names, get_fips_mode -@@ -116,6 +117,12 @@ class HashLibTestCase(unittest.TestCase): +@@ -118,6 +119,12 @@ class HashLibTestCase(unittest.TestCase): except ModuleNotFoundError as error: if self._warn_on_extension_import and module_name in builtin_hashes: warnings.warn('Did a C extension fail to compile? %s' % error) @@ -1411,10 +1422,10 @@ index 56ae7a5..45fb403 100644 + if (_Py_hashlib_fips_error(exc, name)) return NULL; \ +} while (0) diff --git a/setup.py b/setup.py -index c6023e1..371674c 100644 +index 0bec170..479f4b5 100644 --- a/setup.py +++ b/setup.py -@@ -2313,7 +2313,7 @@ class PyBuildExt(build_ext): +@@ -2315,7 +2315,7 @@ class PyBuildExt(build_ext): sources=sources, depends=depends)) @@ -1423,7 +1434,7 @@ index c6023e1..371674c 100644 # Detect SSL support for the socket module (via _ssl) config_vars = sysconfig.get_config_vars() -@@ -2333,16 +2333,14 @@ class PyBuildExt(build_ext): +@@ -2335,16 +2335,14 @@ class PyBuildExt(build_ext): openssl_libs = split_var('OPENSSL_LIBS', '-l') if not openssl_libs: # libssl and libcrypto not found @@ -1442,7 +1453,7 @@ index c6023e1..371674c 100644 # OpenSSL 1.0.2 uses Kerberos for KRB5 ciphers krb5_h = find_file( -@@ -2352,12 +2350,20 @@ class PyBuildExt(build_ext): +@@ -2354,12 +2352,20 @@ class PyBuildExt(build_ext): if krb5_h: ssl_incs.extend(krb5_h) @@ -1466,7 +1477,7 @@ index c6023e1..371674c 100644 depends=[ 'socketmodule.h', '_ssl/debughelpers.c', -@@ -2370,9 +2376,7 @@ class PyBuildExt(build_ext): +@@ -2372,9 +2378,7 @@ class PyBuildExt(build_ext): self.add(Extension('_hashlib', ['_hashopenssl.c'], depends=['hashlib.h'], @@ -1477,7 +1488,7 @@ index c6023e1..371674c 100644 def detect_hash_builtins(self): # By default we always compile these even when OpenSSL is available -@@ -2429,6 +2433,7 @@ class PyBuildExt(build_ext): +@@ -2431,6 +2435,7 @@ class PyBuildExt(build_ext): '_blake2/blake2b_impl.c', '_blake2/blake2s_impl.c' ], @@ -1486,13 +1497,13 @@ index c6023e1..371674c 100644 )) -- -2.34.1 +2.35.3 -From 76d17b46469d642f2acda31bb5e9e636d69fe945 Mon Sep 17 00:00:00 2001 +From 165bcd0377075dbac9fa3f988ed5189668597ab6 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 29 Jan 2021 14:16:21 +0100 -Subject: [PATCH 08/11] Use python's fall back crypto implementations only if +Subject: [PATCH 07/10] Use python's fall back crypto implementations only if we are not in FIPS mode --- @@ -1605,10 +1616,10 @@ index 3e3f4dd..b842f5f 100644 for __func_name in __always_supported: diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 72fdc67..ac9c057 100644 +index fa4a8d7..ec6c883 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py -@@ -167,7 +167,13 @@ class HashLibTestCase(unittest.TestCase): +@@ -171,7 +171,13 @@ class HashLibTestCase(unittest.TestCase): constructors.add(constructor) def add_builtin_constructor(name): @@ -1623,7 +1634,7 @@ index 72fdc67..ac9c057 100644 self.constructors_to_test[name].add(constructor) _md5 = self._conditional_import_module('_md5') -@@ -257,6 +263,20 @@ class HashLibTestCase(unittest.TestCase): +@@ -266,6 +272,20 @@ class HashLibTestCase(unittest.TestCase): def test_new_upper_to_lower(self): self.assertEqual(hashlib.new("SHA256").name, "sha256") @@ -1644,7 +1655,7 @@ index 72fdc67..ac9c057 100644 def test_get_builtin_constructor(self): get_builtin_constructor = getattr(hashlib, '__get_builtin_constructor') -@@ -1052,6 +1072,7 @@ class KDFTests(unittest.TestCase): +@@ -1061,6 +1081,7 @@ class KDFTests(unittest.TestCase): iterations=1, dklen=None) self.assertEqual(out, self.pbkdf2_results['sha1'][0][0]) @@ -1653,13 +1664,13 @@ index 72fdc67..ac9c057 100644 def test_pbkdf2_hmac_py(self): self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes) -- -2.34.1 +2.35.3 -From 95c861dda1659f5bc47d56bed8d096f4debbe281 Mon Sep 17 00:00:00 2001 +From f4383a6e0be8b75db2380fdcf0174b09709b613f Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 -Subject: [PATCH 09/11] Test equivalence of hashes for the various digests with +Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with usedforsecurity=True/False --- @@ -1699,7 +1710,7 @@ index 0000000..1f99dd7 +if __name__ == "__main__": + unittest.main() diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index ac9c057..0aa0129 100644 +index ec6c883..0fd036f 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -20,6 +20,7 @@ import warnings @@ -1722,7 +1733,7 @@ index ac9c057..0aa0129 100644 try: import _blake2 except ImportError: -@@ -96,6 +102,11 @@ def read_vectors(hash_name): +@@ -98,6 +104,11 @@ def read_vectors(hash_name): parts[0] = bytes.fromhex(parts[0]) yield parts @@ -1734,8 +1745,8 @@ index ac9c057..0aa0129 100644 class HashLibTestCase(unittest.TestCase): supported_hash_names = ( 'md5', 'MD5', 'sha1', 'SHA1', -@@ -138,15 +149,21 @@ class HashLibTestCase(unittest.TestCase): - for algorithm in algorithms: +@@ -142,15 +153,21 @@ class HashLibTestCase(unittest.TestCase): + continue self.constructors_to_test[algorithm] = set() + def _add_constructor(algorithm, constructor): @@ -1758,7 +1769,7 @@ index ac9c057..0aa0129 100644 _hashlib = self._conditional_import_module('_hashlib') self._hashlib = _hashlib -@@ -158,13 +175,7 @@ class HashLibTestCase(unittest.TestCase): +@@ -162,13 +179,7 @@ class HashLibTestCase(unittest.TestCase): for algorithm, constructors in self.constructors_to_test.items(): constructor = getattr(_hashlib, 'openssl_'+algorithm, None) if constructor: @@ -1773,7 +1784,7 @@ index ac9c057..0aa0129 100644 def add_builtin_constructor(name): try: -@@ -337,6 +348,8 @@ class HashLibTestCase(unittest.TestCase): +@@ -346,6 +357,8 @@ class HashLibTestCase(unittest.TestCase): self.assertIn(h.name, self.supported_hash_names) else: self.assertNotIn(h.name, self.supported_hash_names) @@ -1782,7 +1793,7 @@ index ac9c057..0aa0129 100644 self.assertEqual( h.name, hashlib.new(h.name, usedforsecurity=False).name -@@ -383,8 +396,10 @@ class HashLibTestCase(unittest.TestCase): +@@ -392,8 +405,10 @@ class HashLibTestCase(unittest.TestCase): for hash_object_constructor in constructors: # OpenSSL's blake2s & blake2d don't support `key` @@ -1795,7 +1806,7 @@ index ac9c057..0aa0129 100644 return m = hash_object_constructor(data, **kwargs) -@@ -965,6 +980,15 @@ class HashLibTestCase(unittest.TestCase): +@@ -974,6 +989,15 @@ class HashLibTestCase(unittest.TestCase): ): HASHXOF() @@ -1812,13 +1823,13 @@ index ac9c057..0aa0129 100644 class KDFTests(unittest.TestCase): -- -2.34.1 +2.35.3 -From 62cf5b80d205ff6d6e719286feccca6bd6fdd862 Mon Sep 17 00:00:00 2001 +From 5ecf11d53225bbe04e35970a834bcc90cd944391 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 -Subject: [PATCH 10/11] Guard against Python HMAC in FIPS mode +Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode --- Lib/hmac.py | 13 +++++++++---- @@ -1929,13 +1940,13 @@ index adf52ad..41e6a14 100644 def test_realcopy_old(self): # Testing if the copy method created a real copy. -- -2.34.1 +2.35.3 -From ff7f518d32b7f1c47f35b841da78f5869470e381 Mon Sep 17 00:00:00 2001 +From 532ce8649bf743c029aa5ddb25d74604d9798da9 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 25 Aug 2021 16:44:43 +0200 -Subject: [PATCH 11/11] Disable hash-based PYCs in FIPS mode +Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode If FIPS mode is on, we can't use siphash-based HMAC (_Py_KeyedHash), so: @@ -1975,10 +1986,10 @@ index bba3642..02db901 100644 return PycInvalidationMode.CHECKED_HASH else: diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py -index 4ced130..11818ac 100644 +index 86ac8f0..dc042f7 100644 --- a/Lib/test/support/__init__.py +++ b/Lib/test/support/__init__.py -@@ -3249,3 +3249,17 @@ def clear_ignored_deprecations(*tokens: object) -> None: +@@ -3294,3 +3294,17 @@ def clear_ignored_deprecations(*tokens: object) -> None: if warnings.filters != new_filters: warnings.filters[:] = new_filters warnings._filters_mutated() @@ -2017,10 +2028,10 @@ index 7cb1370..61df232 100644 with support.temp_dir() as script_dir: script_name = _make_test_script(script_dir, '__main__') diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py -index 6e1f4b2..ec6b165 100644 +index ab647d6..7d50f07 100644 --- a/Lib/test/test_compileall.py +++ b/Lib/test/test_compileall.py -@@ -773,14 +773,23 @@ class CommandLineTestsBase: +@@ -758,14 +758,23 @@ class CommandLineTestsBase: out = self.assertRunOK('badfilename') self.assertRegex(out, b"Can't list 'badfilename'") @@ -2121,7 +2132,7 @@ diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py index b2d3dcf..7e4b0c5 100644 --- a/Lib/test/test_py_compile.py +++ b/Lib/test/test_py_compile.py -@@ -139,13 +139,16 @@ class PyCompileTestsBase: +@@ -141,13 +141,16 @@ class PyCompileTestsBase: importlib.util.cache_from_source(bad_coding))) def test_source_date_epoch(self): @@ -2139,7 +2150,7 @@ index b2d3dcf..7e4b0c5 100644 expected_flags = 0b11 else: expected_flags = 0b00 -@@ -176,7 +179,8 @@ class PyCompileTestsBase: +@@ -178,7 +181,8 @@ class PyCompileTestsBase: # Specifying optimized bytecode should lead to a path reflecting that. self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2)) @@ -2149,7 +2160,7 @@ index b2d3dcf..7e4b0c5 100644 py_compile.compile( self.source_path, invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH, -@@ -185,6 +189,9 @@ class PyCompileTestsBase: +@@ -187,6 +191,9 @@ class PyCompileTestsBase: flags = importlib._bootstrap_external._classify_pyc( fp.read(), 'test', {}) self.assertEqual(flags, 0b11) @@ -2160,7 +2171,7 @@ index b2d3dcf..7e4b0c5 100644 self.source_path, invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH, diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py -index 2e24388..11e7978 100644 +index b7347a3..09ea990 100644 --- a/Lib/test/test_zipimport.py +++ b/Lib/test/test_zipimport.py @@ -186,6 +186,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase): @@ -2211,5 +2222,5 @@ index 8358d70..1b7fb85 100644 uint64_t x; char data[sizeof(uint64_t)]; -- -2.34.1 +2.35.3 diff --git a/SOURCES/00382-cve-2015-20107.patch b/SOURCES/00382-cve-2015-20107.patch new file mode 100644 index 0000000..619f636 --- /dev/null +++ b/SOURCES/00382-cve-2015-20107.patch @@ -0,0 +1,150 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 3 Jun 2022 11:43:35 +0200 +Subject: [PATCH] 00382: CVE-2015-20107 + +Make mailcap refuse to match unsafe filenames/types/params (GH-91993) + +Upstream: https://github.com/python/cpython/issues/68966 + +Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 +--- + Doc/library/mailcap.rst | 12 +++++++++ + Lib/mailcap.py | 26 +++++++++++++++++-- + Lib/test/test_mailcap.py | 8 ++++-- + ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++ + 4 files changed, 46 insertions(+), 4 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst + +diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst +index a22b5b9c9e..7aa3380fec 100644 +--- a/Doc/library/mailcap.rst ++++ b/Doc/library/mailcap.rst +@@ -60,6 +60,18 @@ standard. However, mailcap files are supported on most Unix systems. + use) to determine whether or not the mailcap line applies. :func:`findmatch` + will automatically check such conditions and skip the entry if the check fails. + ++ .. versionchanged:: 3.11 ++ ++ To prevent security issues with shell metacharacters (symbols that have ++ special effects in a shell command line), ``findmatch`` will refuse ++ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` ++ into the returned command line. ++ ++ If a disallowed character appears in *filename*, ``findmatch`` will always ++ return ``(None, None)`` as if no entry was found. ++ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), ++ ``findmatch`` will ignore all mailcap entries which use that value. ++ A :mod:`warning ` will be raised in either case. + + .. function:: getcaps() + +diff --git a/Lib/mailcap.py b/Lib/mailcap.py +index ae416a8e9f..444c6408b5 100644 +--- a/Lib/mailcap.py ++++ b/Lib/mailcap.py +@@ -2,6 +2,7 @@ + + import os + import warnings ++import re + + __all__ = ["getcaps","findmatch"] + +@@ -13,6 +14,11 @@ def lineno_sort_key(entry): + else: + return 1, 0 + ++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search ++ ++class UnsafeMailcapInput(Warning): ++ """Warning raised when refusing unsafe input""" ++ + + # Part 1: top-level interface. + +@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): + entry to use. + + """ ++ if _find_unsafe(filename): ++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None, None + entries = lookup(caps, MIMEtype, key) + # XXX This code should somehow check for the needsterminal flag. + for e in entries: + if 'test' in e: + test = subst(e['test'], filename, plist) ++ if test is None: ++ continue + if test and os.system(test) != 0: + continue + command = subst(e[key], MIMEtype, filename, plist) +- return command, e ++ if command is not None: ++ return command, e + return None, None + + def lookup(caps, MIMEtype, key=None): +@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]): + elif c == 's': + res = res + filename + elif c == 't': ++ if _find_unsafe(MIMEtype): ++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None + res = res + MIMEtype + elif c == '{': + start = i +@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]): + i = i+1 + name = field[start:i] + i = i+1 +- res = res + findparam(name, plist) ++ param = findparam(name, plist) ++ if _find_unsafe(param): ++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None ++ res = res + param + # XXX To do: + # %n == number of parts if type is multipart/* + # %F == list of alternating type and filename for parts +diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py +index c08423c670..920283d9a2 100644 +--- a/Lib/test/test_mailcap.py ++++ b/Lib/test/test_mailcap.py +@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase): + (["", "audio/*", "foo.txt"], ""), + (["echo foo", "audio/*", "foo.txt"], "echo foo"), + (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), +- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), ++ (["echo %t", "audio/*", "foo.txt"], None), ++ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), + (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), + (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), + (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") +@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase): + ('"An audio fragment"', audio_basic_entry)), + ([c, "audio/*"], + {"filename": fname}, +- ("/usr/local/bin/showaudio audio/*", audio_entry)), ++ (None, None)), ++ ([c, "audio/wav"], ++ {"filename": fname}, ++ ("/usr/local/bin/showaudio audio/wav", audio_entry)), + ([c, "message/external-body"], + {"plist": plist}, + ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) +diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst +new file mode 100644 +index 0000000000..da81a1f699 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst +@@ -0,0 +1,4 @@ ++The deprecated mailcap module now refuses to inject unsafe text (filenames, ++MIME types, parameters) into shell commands. Instead of using such text, it ++will warn and act as if a match was not found (or for test commands, as if ++the test failed). diff --git a/SOURCES/Python-3.9.10.tar.xz.asc b/SOURCES/Python-3.9.10.tar.xz.asc deleted file mode 100644 index ca807b4..0000000 --- a/SOURCES/Python-3.9.10.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmHgts4ACgkQsmmV4xAl -BWiDfQ/6A6ALwx3xrU5ks0Fec91x56ixg+S91cMGDwHM78/KT+gOSva0FxLlpVDO -OD0yLoBOwVjSaiFAZC9wH2tf6xWLujVeBscrVX3Di1DZznZGgusDhP+gWpugULrF -WCr1ZLxnerhOMmBU9hSOx1ObBc91CIsagqafeMuAWoEwsQpkG0hDHuRN8QeJn79s -mFt4/X6/2NQEw/ucxftwoLIfqDbeP468wthOBgr9TrYfseSojnnYCxOiitC8k2GS -ieLq1RQu6ZjSYtHyL+mvXwTy2tEyc6v/3s+3lJCcM6uK+vyAvwP4QwIXwpjwHMDW -0YdyB812pWUleAt7P+BvVbumjGCs3hFHydMm6iA1eiONQk5Z0QQv0qrh+rqorXkJ -aUgjiXjbNkx93m+hftUXXEcKWm6hi8CikcajBPbTZt6PlOCL2ZbN5NclTDpG3JMK -8WHFpeFF1uaKcsDF5L9QU+ilXR0wxrh99DePQiLqsMvzbocB3cd5x8Ws1MNX/5tU -6p88qUf1Zdg3EA7VQD7m90cTOHcskH8o+Bw+Jd+uDo+H8Pg9Yz9yHik6rHe8OwiA -ol7eiEO07WePwqX4PqHozRtCVNSOZtrSSoWK2LNQdK9Z+EhVhQvDDk3hFQiE7ymM -ZXHYHATjmGFN7WSThMR/8IFgTSqpuird+RXEkVZKorYPsA0P55I= -=KRy4 ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.9.13.tar.xz.asc b/SOURCES/Python-3.9.13.tar.xz.asc new file mode 100644 index 0000000..bbd8653 --- /dev/null +++ b/SOURCES/Python-3.9.13.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl +BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g +lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+ +uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW +oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS +3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN +7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs +1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X +ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3 +YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z +hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4 +sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc= +=RYbS +-----END PGP SIGNATURE----- diff --git a/SPECS/python3.9.spec b/SPECS/python3.9.spec index dea8a1d..57e7008 100644 --- a/SPECS/python3.9.spec +++ b/SPECS/python3.9.spec @@ -13,11 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.10 +%global general_version %{pybasever}.13 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 3%{?dist} License: Python @@ -325,7 +325,7 @@ Patch189: 00189-use-rpm-wheels.patch # The versions are written in Lib/ensurepip/__init__.py, this patch removes them. # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly. # In such cases, the patch needs to be amended and the versions updated here: -%global pip_version 21.2.4 +%global pip_version 22.0.4 %global setuptools_version 58.1.0 # 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62 @@ -399,6 +399,16 @@ Patch329: 00329-fips.patch # a nightmare because it's basically a binary file. Patch353: 00353-architecture-names-upstream-downstream.patch +# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985 +# CVE-2015-20107 +# +# Make mailcap refuse to match unsafe filenames/types/params (GH-91993) +# +# Upstream: https://github.com/python/cpython/issues/68966 +# +# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 +Patch382: 00382-cve-2015-20107.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1800,6 +1810,18 @@ CheckPython optimized # ====================================================== %changelog +* Mon Jul 25 2022 Lumír Balhar - 3.9.13-3 +- Fix test_get_ciphers in test_ssl.py for FIPS mode +Resolves: rhbz#2058233 + +* Thu Jun 09 2022 Charalampos Stratakis - 3.9.13-2 +- Security fix for CVE-2015-20107 +Resolves: rhbz#2075390 + +* Wed Jun 01 2022 Charalampos Stratakis - 3.9.13-1 +- Update to 3.9.13 +Resolves: rhbz#2054702, rhbz#2059951 + * Wed Feb 09 2022 Charalampos Stratakis - 3.9.10-2 - Fix undefined behavior in Modules/_hashopenssl.c Resolves: rhbz#1942527