import python3.9-3.9.14-1.el9
This commit is contained in:
parent
1310944532
commit
6fe778f718
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/Python-3.9.10.tar.xz
|
||||
SOURCES/Python-3.9.14.tar.xz
|
||||
|
@ -1 +1 @@
|
||||
936fc25ac4e1b482a0cefa82dd6092a0c6b575e6 SOURCES/Python-3.9.10.tar.xz
|
||||
fa48bd60aee6abf2d41aafb273ebf9fb6b790458 SOURCES/Python-3.9.14.tar.xz
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From 12b919396f3fd24521b5ded51e18beb55973f0ff Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
|
||||
Date: Wed, 15 Aug 2018 15:36:29 +0200
|
||||
Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
|
||||
@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
|
||||
1 file changed, 26 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
|
||||
index 2a140a2624..5bd16a6c59 100644
|
||||
index e510cc7..5bd16a6 100644
|
||||
--- a/Lib/ensurepip/__init__.py
|
||||
+++ b/Lib/ensurepip/__init__.py
|
||||
@@ -1,3 +1,5 @@
|
||||
@ -31,7 +31,7 @@ index 2a140a2624..5bd16a6c59 100644
|
||||
|
||||
__all__ = ["version", "bootstrap"]
|
||||
-_SETUPTOOLS_VERSION = "58.1.0"
|
||||
-_PIP_VERSION = "21.2.4"
|
||||
-_PIP_VERSION = "22.0.4"
|
||||
+
|
||||
+_WHEEL_DIR = "/usr/share/python-wheels/"
|
||||
+
|
||||
@ -73,3 +73,6 @@ index 2a140a2624..5bd16a6c59 100644
|
||||
|
||||
additional_paths.append(os.path.join(tmpdir, wheel_name))
|
||||
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
@ -1,47 +1,7 @@
|
||||
From 355e975a386b60d787b98cc4cd08b98f876ff858 Mon Sep 17 00:00:00 2001
|
||||
From: "Miss Islington (bot)"
|
||||
<31488909+miss-islington@users.noreply.github.com>
|
||||
Date: Mon, 7 Feb 2022 00:08:10 -0800
|
||||
Subject: [PATCH 01/11] bpo-40479: Fix undefined behavior in
|
||||
Modules/_hashopenssl.c (GH-31153)
|
||||
|
||||
va_end() must be called before returning.
|
||||
(cherry picked from commit 59e004af63742361b67d1e1ae70229ff0db1059d)
|
||||
|
||||
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
||||
---
|
||||
.../Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst | 1 +
|
||||
Modules/_hashopenssl.c | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst
|
||||
|
||||
diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst b/Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst
|
||||
new file mode 100644
|
||||
index 00000000000..52701d53d8f
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Core and Builtins/2022-02-06-23-08-30.bpo-40479.zED3Zu.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Add a missing call to ``va_end()`` in ``Modules/_hashopenssl.c``.
|
||||
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
|
||||
index a4889450821..4873bb11aa0 100644
|
||||
--- a/Modules/_hashopenssl.c
|
||||
+++ b/Modules/_hashopenssl.c
|
||||
@@ -311,6 +311,7 @@ _setException(PyObject *exc, const char* altmsg, ...)
|
||||
} else {
|
||||
PyErr_FormatV(exc, altmsg, vargs);
|
||||
}
|
||||
+ va_end(vargs);
|
||||
return NULL;
|
||||
}
|
||||
va_end(vargs);
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From b906713972396823c9e2e04421f9dbcfdc6a6c94 Mon Sep 17 00:00:00 2001
|
||||
From a350f1e323977baffc6d709c0dc877c7f3faba73 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Wed, 11 Aug 2021 16:51:03 +0200
|
||||
Subject: [PATCH 02/11] Backport PyModule_AddObjectRef as
|
||||
Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as
|
||||
_PyModule_AddObjectRef
|
||||
|
||||
Having PyModule_AddObjectRef available should make backporting
|
||||
@ -111,13 +71,13 @@ index 13482c6..fca1083 100644
|
||||
PyModule_AddIntConstant(PyObject *m, const char *name, long value)
|
||||
{
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From c67b383ffd3ccacedacbeb91c3bdeaf5f829ca09 Mon Sep 17 00:00:00 2001
|
||||
From 500314edea579965f5641d8ebdce8c8899fe2838 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Fri, 13 Aug 2021 13:16:43 +0200
|
||||
Subject: [PATCH 03/11] _hashopenssl: Uncomment and use initialization function
|
||||
Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function
|
||||
list
|
||||
|
||||
This simplifies backporting of future changes.
|
||||
@ -129,10 +89,10 @@ We use this change instead of Python 3.10's:
|
||||
1 file changed, 5 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
|
||||
index a488945..62cf769 100644
|
||||
index 4db058c..56dfff9 100644
|
||||
--- a/Modules/_hashopenssl.c
|
||||
+++ b/Modules/_hashopenssl.c
|
||||
@@ -2216,7 +2216,6 @@ hashlib_init_hmactype(PyObject *module)
|
||||
@@ -2227,7 +2227,6 @@ hashlib_init_hmactype(PyObject *module)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -140,7 +100,7 @@ index a488945..62cf769 100644
|
||||
static PyModuleDef_Slot hashlib_slots[] = {
|
||||
/* OpenSSL 1.0.2 and LibreSSL */
|
||||
{Py_mod_exec, hashlib_openssl_legacy_init},
|
||||
@@ -2227,7 +2226,6 @@ static PyModuleDef_Slot hashlib_slots[] = {
|
||||
@@ -2238,7 +2237,6 @@ static PyModuleDef_Slot hashlib_slots[] = {
|
||||
{Py_mod_exec, hashlib_md_meth_names},
|
||||
{0, NULL}
|
||||
};
|
||||
@ -148,7 +108,7 @@ index a488945..62cf769 100644
|
||||
|
||||
static struct PyModuleDef _hashlibmodule = {
|
||||
PyModuleDef_HEAD_INIT,
|
||||
@@ -2255,29 +2253,11 @@ PyInit__hashlib(void)
|
||||
@@ -2266,29 +2264,11 @@ PyInit__hashlib(void)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@ -184,13 +144,13 @@ index a488945..62cf769 100644
|
||||
|
||||
return m;
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From c49c1416d22fffc78204d66987f40e6d17a95c01 Mon Sep 17 00:00:00 2001
|
||||
From 76402d145bb24912f92d4013b8464e87b1493b45 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Sat, 27 Mar 2021 14:55:03 +0100
|
||||
Subject: [PATCH 04/11] bpo-40645: use C implementation of HMAC (GH-24920,
|
||||
Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920,
|
||||
GH-25063, GH-26079)
|
||||
|
||||
This backports the feature and 2 subsequent bugfixes
|
||||
@ -621,7 +581,7 @@ index 0000000..a9ab1c0
|
||||
+The :mod:`hmac` module now uses OpenSSL's HMAC implementation when digestmod
|
||||
+argument is a hash name or builtin hash function.
|
||||
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
|
||||
index 62cf769..71ac832 100644
|
||||
index 56dfff9..ca9fea9 100644
|
||||
--- a/Modules/_hashopenssl.c
|
||||
+++ b/Modules/_hashopenssl.c
|
||||
@@ -260,6 +260,8 @@ typedef struct {
|
||||
@ -765,7 +725,7 @@ index 62cf769..71ac832 100644
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2106,6 +2145,8 @@ hashlib_traverse(PyObject *m, visitproc visit, void *arg)
|
||||
@@ -2117,6 +2156,8 @@ hashlib_traverse(PyObject *m, visitproc visit, void *arg)
|
||||
#ifdef PY_OPENSSL_HAS_SHAKE
|
||||
Py_VISIT(state->EVPXOFtype);
|
||||
#endif
|
||||
@ -774,7 +734,7 @@ index 62cf769..71ac832 100644
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -2118,10 +2159,14 @@ hashlib_clear(PyObject *m)
|
||||
@@ -2129,10 +2170,14 @@ hashlib_clear(PyObject *m)
|
||||
#ifdef PY_OPENSSL_HAS_SHAKE
|
||||
Py_CLEAR(state->EVPXOFtype);
|
||||
#endif
|
||||
@ -789,7 +749,7 @@ index 62cf769..71ac832 100644
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -2216,6 +2261,79 @@ hashlib_init_hmactype(PyObject *module)
|
||||
@@ -2227,6 +2272,79 @@ hashlib_init_hmactype(PyObject *module)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -869,7 +829,7 @@ index 62cf769..71ac832 100644
|
||||
static PyModuleDef_Slot hashlib_slots[] = {
|
||||
/* OpenSSL 1.0.2 and LibreSSL */
|
||||
{Py_mod_exec, hashlib_openssl_legacy_init},
|
||||
@@ -2224,6 +2342,8 @@ static PyModuleDef_Slot hashlib_slots[] = {
|
||||
@@ -2235,6 +2353,8 @@ static PyModuleDef_Slot hashlib_slots[] = {
|
||||
{Py_mod_exec, hashlib_init_evpxoftype},
|
||||
{Py_mod_exec, hashlib_init_hmactype},
|
||||
{Py_mod_exec, hashlib_md_meth_names},
|
||||
@ -967,13 +927,13 @@ index 68aa765..4466ec4 100644
|
||||
-/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
|
||||
+/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From f7ce31ebf3200952dadff556bfcbf2876139c823 Mon Sep 17 00:00:00 2001
|
||||
From 668a5b57d6454ff1a0e5c4db80002321e38cadfd Mon Sep 17 00:00:00 2001
|
||||
From: Charalampos Stratakis <cstratak@redhat.com>
|
||||
Date: Thu, 12 Dec 2019 16:58:31 +0100
|
||||
Subject: [PATCH 05/11] Expose blake2b and blake2s hashes from OpenSSL
|
||||
Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL
|
||||
|
||||
These aren't as powerful as Python's own implementation, but they can be
|
||||
used under FIPS.
|
||||
@ -984,10 +944,10 @@ used under FIPS.
|
||||
3 files changed, 148 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
|
||||
index 969e5e4..5b46016 100644
|
||||
index f845c7a..7aaeb76 100644
|
||||
--- a/Lib/test/test_hashlib.py
|
||||
+++ b/Lib/test/test_hashlib.py
|
||||
@@ -354,6 +354,12 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -363,6 +363,12 @@ class HashLibTestCase(unittest.TestCase):
|
||||
# 2 is for hashlib.name(...) and hashlib.new(name, ...)
|
||||
self.assertGreaterEqual(len(constructors), 2)
|
||||
for hash_object_constructor in constructors:
|
||||
@ -1001,7 +961,7 @@ index 969e5e4..5b46016 100644
|
||||
computed = m.hexdigest() if not shake else m.hexdigest(length)
|
||||
self.assertEqual(
|
||||
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
|
||||
index 71ac832..0b2c65e 100644
|
||||
index ca9fea9..9d98d20 100644
|
||||
--- a/Modules/_hashopenssl.c
|
||||
+++ b/Modules/_hashopenssl.c
|
||||
@@ -1138,6 +1138,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
|
||||
@ -1046,7 +1006,7 @@ index 71ac832..0b2c65e 100644
|
||||
#ifdef PY_OPENSSL_HAS_SHA3
|
||||
|
||||
/*[clinic input]
|
||||
@@ -2124,6 +2159,8 @@ static struct PyMethodDef EVP_functions[] = {
|
||||
@@ -2135,6 +2170,8 @@ static struct PyMethodDef EVP_functions[] = {
|
||||
_HASHLIB_OPENSSL_SHA256_METHODDEF
|
||||
_HASHLIB_OPENSSL_SHA384_METHODDEF
|
||||
_HASHLIB_OPENSSL_SHA512_METHODDEF
|
||||
@ -1177,13 +1137,13 @@ index 4466ec4..54c22b2 100644
|
||||
-/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
|
||||
+/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From b8956168975170b8e7a797b6aa23e0d356f5ebec Mon Sep 17 00:00:00 2001
|
||||
From 1613c11b882e192456592a6adb63f73351f82829 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <pviktori@redhat.com>
|
||||
Date: Thu, 1 Aug 2019 17:57:05 +0200
|
||||
Subject: [PATCH 06/11] Use a stronger hash in multiprocessing handshake
|
||||
Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake
|
||||
|
||||
Adapted from patch by David Malcolm,
|
||||
https://bugs.python.org/issue17258
|
||||
@ -1225,13 +1185,13 @@ index 510e4b5..b68f2fb 100644
|
||||
response = connection.recv_bytes(256) # reject large message
|
||||
if response != WELCOME:
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From 20d86957b863e80d1f71b5681fccdb1fd16128b9 Mon Sep 17 00:00:00 2001
|
||||
From c0413586c6fb26bd4b7c4d5c40094ceeffb74612 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <pviktori@redhat.com>
|
||||
Date: Thu, 25 Jul 2019 17:19:06 +0200
|
||||
Subject: [PATCH 07/11] Disable Python's hash implementations in FIPS mode,
|
||||
Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode,
|
||||
forcing OpenSSL
|
||||
|
||||
---
|
||||
@ -1271,7 +1231,7 @@ index ffa3be0..3e3f4dd 100644
|
||||
def __get_builtin_constructor(name):
|
||||
cache = __builtin_constructor_cache
|
||||
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
|
||||
index 5b46016..72fdc67 100644
|
||||
index 7aaeb76..fa4a8d7 100644
|
||||
--- a/Lib/test/test_hashlib.py
|
||||
+++ b/Lib/test/test_hashlib.py
|
||||
@@ -35,14 +35,15 @@ else:
|
||||
@ -1295,7 +1255,7 @@ index 5b46016..72fdc67 100644
|
||||
|
||||
try:
|
||||
from _hashlib import HASH, HASHXOF, openssl_md_meth_names, get_fips_mode
|
||||
@@ -116,6 +117,12 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -118,6 +119,12 @@ class HashLibTestCase(unittest.TestCase):
|
||||
except ModuleNotFoundError as error:
|
||||
if self._warn_on_extension_import and module_name in builtin_hashes:
|
||||
warnings.warn('Did a C extension fail to compile? %s' % error)
|
||||
@ -1411,10 +1371,10 @@ index 56ae7a5..45fb403 100644
|
||||
+ if (_Py_hashlib_fips_error(exc, name)) return NULL; \
|
||||
+} while (0)
|
||||
diff --git a/setup.py b/setup.py
|
||||
index c6023e1..371674c 100644
|
||||
index 0bec170..479f4b5 100644
|
||||
--- a/setup.py
|
||||
+++ b/setup.py
|
||||
@@ -2313,7 +2313,7 @@ class PyBuildExt(build_ext):
|
||||
@@ -2315,7 +2315,7 @@ class PyBuildExt(build_ext):
|
||||
sources=sources,
|
||||
depends=depends))
|
||||
|
||||
@ -1423,7 +1383,7 @@ index c6023e1..371674c 100644
|
||||
# Detect SSL support for the socket module (via _ssl)
|
||||
config_vars = sysconfig.get_config_vars()
|
||||
|
||||
@@ -2333,16 +2333,14 @@ class PyBuildExt(build_ext):
|
||||
@@ -2335,16 +2335,14 @@ class PyBuildExt(build_ext):
|
||||
openssl_libs = split_var('OPENSSL_LIBS', '-l')
|
||||
if not openssl_libs:
|
||||
# libssl and libcrypto not found
|
||||
@ -1442,7 +1402,7 @@ index c6023e1..371674c 100644
|
||||
|
||||
# OpenSSL 1.0.2 uses Kerberos for KRB5 ciphers
|
||||
krb5_h = find_file(
|
||||
@@ -2352,12 +2350,20 @@ class PyBuildExt(build_ext):
|
||||
@@ -2354,12 +2352,20 @@ class PyBuildExt(build_ext):
|
||||
if krb5_h:
|
||||
ssl_incs.extend(krb5_h)
|
||||
|
||||
@ -1466,7 +1426,7 @@ index c6023e1..371674c 100644
|
||||
depends=[
|
||||
'socketmodule.h',
|
||||
'_ssl/debughelpers.c',
|
||||
@@ -2370,9 +2376,7 @@ class PyBuildExt(build_ext):
|
||||
@@ -2372,9 +2378,7 @@ class PyBuildExt(build_ext):
|
||||
|
||||
self.add(Extension('_hashlib', ['_hashopenssl.c'],
|
||||
depends=['hashlib.h'],
|
||||
@ -1477,7 +1437,7 @@ index c6023e1..371674c 100644
|
||||
|
||||
def detect_hash_builtins(self):
|
||||
# By default we always compile these even when OpenSSL is available
|
||||
@@ -2429,6 +2433,7 @@ class PyBuildExt(build_ext):
|
||||
@@ -2431,6 +2435,7 @@ class PyBuildExt(build_ext):
|
||||
'_blake2/blake2b_impl.c',
|
||||
'_blake2/blake2s_impl.c'
|
||||
],
|
||||
@ -1486,13 +1446,13 @@ index c6023e1..371674c 100644
|
||||
))
|
||||
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From 76d17b46469d642f2acda31bb5e9e636d69fe945 Mon Sep 17 00:00:00 2001
|
||||
From 205bd746c16c7f8ac09251316c62bf78d6c31611 Mon Sep 17 00:00:00 2001
|
||||
From: Charalampos Stratakis <cstratak@redhat.com>
|
||||
Date: Fri, 29 Jan 2021 14:16:21 +0100
|
||||
Subject: [PATCH 08/11] Use python's fall back crypto implementations only if
|
||||
Subject: [PATCH 07/10] Use python's fall back crypto implementations only if
|
||||
we are not in FIPS mode
|
||||
|
||||
---
|
||||
@ -1605,10 +1565,10 @@ index 3e3f4dd..b842f5f 100644
|
||||
|
||||
for __func_name in __always_supported:
|
||||
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
|
||||
index 72fdc67..ac9c057 100644
|
||||
index fa4a8d7..ec6c883 100644
|
||||
--- a/Lib/test/test_hashlib.py
|
||||
+++ b/Lib/test/test_hashlib.py
|
||||
@@ -167,7 +167,13 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -171,7 +171,13 @@ class HashLibTestCase(unittest.TestCase):
|
||||
constructors.add(constructor)
|
||||
|
||||
def add_builtin_constructor(name):
|
||||
@ -1623,7 +1583,7 @@ index 72fdc67..ac9c057 100644
|
||||
self.constructors_to_test[name].add(constructor)
|
||||
|
||||
_md5 = self._conditional_import_module('_md5')
|
||||
@@ -257,6 +263,20 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -266,6 +272,20 @@ class HashLibTestCase(unittest.TestCase):
|
||||
def test_new_upper_to_lower(self):
|
||||
self.assertEqual(hashlib.new("SHA256").name, "sha256")
|
||||
|
||||
@ -1644,7 +1604,7 @@ index 72fdc67..ac9c057 100644
|
||||
def test_get_builtin_constructor(self):
|
||||
get_builtin_constructor = getattr(hashlib,
|
||||
'__get_builtin_constructor')
|
||||
@@ -1052,6 +1072,7 @@ class KDFTests(unittest.TestCase):
|
||||
@@ -1061,6 +1081,7 @@ class KDFTests(unittest.TestCase):
|
||||
iterations=1, dklen=None)
|
||||
self.assertEqual(out, self.pbkdf2_results['sha1'][0][0])
|
||||
|
||||
@ -1653,13 +1613,13 @@ index 72fdc67..ac9c057 100644
|
||||
def test_pbkdf2_hmac_py(self):
|
||||
self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes)
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From 95c861dda1659f5bc47d56bed8d096f4debbe281 Mon Sep 17 00:00:00 2001
|
||||
From 016e7dbfd92bd24b5f7cb613786fb99456ca6069 Mon Sep 17 00:00:00 2001
|
||||
From: Charalampos Stratakis <cstratak@redhat.com>
|
||||
Date: Wed, 31 Jul 2019 15:43:43 +0200
|
||||
Subject: [PATCH 09/11] Test equivalence of hashes for the various digests with
|
||||
Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with
|
||||
usedforsecurity=True/False
|
||||
|
||||
---
|
||||
@ -1699,7 +1659,7 @@ index 0000000..1f99dd7
|
||||
+if __name__ == "__main__":
|
||||
+ unittest.main()
|
||||
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
|
||||
index ac9c057..0aa0129 100644
|
||||
index ec6c883..0fd036f 100644
|
||||
--- a/Lib/test/test_hashlib.py
|
||||
+++ b/Lib/test/test_hashlib.py
|
||||
@@ -20,6 +20,7 @@ import warnings
|
||||
@ -1722,7 +1682,7 @@ index ac9c057..0aa0129 100644
|
||||
try:
|
||||
import _blake2
|
||||
except ImportError:
|
||||
@@ -96,6 +102,11 @@ def read_vectors(hash_name):
|
||||
@@ -98,6 +104,11 @@ def read_vectors(hash_name):
|
||||
parts[0] = bytes.fromhex(parts[0])
|
||||
yield parts
|
||||
|
||||
@ -1734,8 +1694,8 @@ index ac9c057..0aa0129 100644
|
||||
|
||||
class HashLibTestCase(unittest.TestCase):
|
||||
supported_hash_names = ( 'md5', 'MD5', 'sha1', 'SHA1',
|
||||
@@ -138,15 +149,21 @@ class HashLibTestCase(unittest.TestCase):
|
||||
for algorithm in algorithms:
|
||||
@@ -142,15 +153,21 @@ class HashLibTestCase(unittest.TestCase):
|
||||
continue
|
||||
self.constructors_to_test[algorithm] = set()
|
||||
|
||||
+ def _add_constructor(algorithm, constructor):
|
||||
@ -1758,7 +1718,7 @@ index ac9c057..0aa0129 100644
|
||||
|
||||
_hashlib = self._conditional_import_module('_hashlib')
|
||||
self._hashlib = _hashlib
|
||||
@@ -158,13 +175,7 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -162,13 +179,7 @@ class HashLibTestCase(unittest.TestCase):
|
||||
for algorithm, constructors in self.constructors_to_test.items():
|
||||
constructor = getattr(_hashlib, 'openssl_'+algorithm, None)
|
||||
if constructor:
|
||||
@ -1773,7 +1733,7 @@ index ac9c057..0aa0129 100644
|
||||
|
||||
def add_builtin_constructor(name):
|
||||
try:
|
||||
@@ -337,6 +348,8 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -346,6 +357,8 @@ class HashLibTestCase(unittest.TestCase):
|
||||
self.assertIn(h.name, self.supported_hash_names)
|
||||
else:
|
||||
self.assertNotIn(h.name, self.supported_hash_names)
|
||||
@ -1782,7 +1742,7 @@ index ac9c057..0aa0129 100644
|
||||
self.assertEqual(
|
||||
h.name,
|
||||
hashlib.new(h.name, usedforsecurity=False).name
|
||||
@@ -383,8 +396,10 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -392,8 +405,10 @@ class HashLibTestCase(unittest.TestCase):
|
||||
for hash_object_constructor in constructors:
|
||||
|
||||
# OpenSSL's blake2s & blake2d don't support `key`
|
||||
@ -1795,7 +1755,7 @@ index ac9c057..0aa0129 100644
|
||||
return
|
||||
|
||||
m = hash_object_constructor(data, **kwargs)
|
||||
@@ -965,6 +980,15 @@ class HashLibTestCase(unittest.TestCase):
|
||||
@@ -974,6 +989,15 @@ class HashLibTestCase(unittest.TestCase):
|
||||
):
|
||||
HASHXOF()
|
||||
|
||||
@ -1812,13 +1772,13 @@ index ac9c057..0aa0129 100644
|
||||
class KDFTests(unittest.TestCase):
|
||||
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From 62cf5b80d205ff6d6e719286feccca6bd6fdd862 Mon Sep 17 00:00:00 2001
|
||||
From 7c7a3260746d06d5f319944dc40d51f7642d92dc Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <pviktori@redhat.com>
|
||||
Date: Mon, 26 Aug 2019 19:39:48 +0200
|
||||
Subject: [PATCH 10/11] Guard against Python HMAC in FIPS mode
|
||||
Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode
|
||||
|
||||
---
|
||||
Lib/hmac.py | 13 +++++++++----
|
||||
@ -1929,13 +1889,13 @@ index adf52ad..41e6a14 100644
|
||||
def test_realcopy_old(self):
|
||||
# Testing if the copy method created a real copy.
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
||||
From ff7f518d32b7f1c47f35b841da78f5869470e381 Mon Sep 17 00:00:00 2001
|
||||
From 0db6e1bad3663006fe9352819bbbb53bfc5637be Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Wed, 25 Aug 2021 16:44:43 +0200
|
||||
Subject: [PATCH 11/11] Disable hash-based PYCs in FIPS mode
|
||||
Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode
|
||||
|
||||
If FIPS mode is on, we can't use siphash-based HMAC
|
||||
(_Py_KeyedHash), so:
|
||||
@ -1975,15 +1935,13 @@ index bba3642..02db901 100644
|
||||
return PycInvalidationMode.CHECKED_HASH
|
||||
else:
|
||||
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
|
||||
index 4ced130..11818ac 100644
|
||||
index 6dc0813..b9d5f9a 100644
|
||||
--- a/Lib/test/support/__init__.py
|
||||
+++ b/Lib/test/support/__init__.py
|
||||
@@ -3249,3 +3249,17 @@ def clear_ignored_deprecations(*tokens: object) -> None:
|
||||
if warnings.filters != new_filters:
|
||||
warnings.filters[:] = new_filters
|
||||
@@ -3296,6 +3296,20 @@ def clear_ignored_deprecations(*tokens: object) -> None:
|
||||
warnings._filters_mutated()
|
||||
+
|
||||
+
|
||||
|
||||
|
||||
+def fails_in_fips_mode(expected_error):
|
||||
+ import _hashlib
|
||||
+ if _hashlib.get_fips_mode():
|
||||
@ -1996,6 +1954,11 @@ index 4ced130..11818ac 100644
|
||||
+ def _decorator(func):
|
||||
+ return func
|
||||
+ return _decorator
|
||||
+
|
||||
+
|
||||
@contextlib.contextmanager
|
||||
def adjust_int_max_str_digits(max_digits):
|
||||
"""Temporarily change the integer string conversion length limit."""
|
||||
diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
|
||||
index 7cb1370..61df232 100644
|
||||
--- a/Lib/test/test_cmd_line_script.py
|
||||
@ -2017,10 +1980,10 @@ index 7cb1370..61df232 100644
|
||||
with support.temp_dir() as script_dir:
|
||||
script_name = _make_test_script(script_dir, '__main__')
|
||||
diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
|
||||
index 6e1f4b2..ec6b165 100644
|
||||
index ab647d6..7d50f07 100644
|
||||
--- a/Lib/test/test_compileall.py
|
||||
+++ b/Lib/test/test_compileall.py
|
||||
@@ -773,14 +773,23 @@ class CommandLineTestsBase:
|
||||
@@ -758,14 +758,23 @@ class CommandLineTestsBase:
|
||||
out = self.assertRunOK('badfilename')
|
||||
self.assertRegex(out, b"Can't list 'badfilename'")
|
||||
|
||||
@ -2121,7 +2084,7 @@ diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
|
||||
index b2d3dcf..7e4b0c5 100644
|
||||
--- a/Lib/test/test_py_compile.py
|
||||
+++ b/Lib/test/test_py_compile.py
|
||||
@@ -139,13 +139,16 @@ class PyCompileTestsBase:
|
||||
@@ -141,13 +141,16 @@ class PyCompileTestsBase:
|
||||
importlib.util.cache_from_source(bad_coding)))
|
||||
|
||||
def test_source_date_epoch(self):
|
||||
@ -2139,7 +2102,7 @@ index b2d3dcf..7e4b0c5 100644
|
||||
expected_flags = 0b11
|
||||
else:
|
||||
expected_flags = 0b00
|
||||
@@ -176,7 +179,8 @@ class PyCompileTestsBase:
|
||||
@@ -178,7 +181,8 @@ class PyCompileTestsBase:
|
||||
# Specifying optimized bytecode should lead to a path reflecting that.
|
||||
self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
|
||||
|
||||
@ -2149,7 +2112,7 @@ index b2d3dcf..7e4b0c5 100644
|
||||
py_compile.compile(
|
||||
self.source_path,
|
||||
invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
|
||||
@@ -185,6 +189,9 @@ class PyCompileTestsBase:
|
||||
@@ -187,6 +191,9 @@ class PyCompileTestsBase:
|
||||
flags = importlib._bootstrap_external._classify_pyc(
|
||||
fp.read(), 'test', {})
|
||||
self.assertEqual(flags, 0b11)
|
||||
@ -2160,7 +2123,7 @@ index b2d3dcf..7e4b0c5 100644
|
||||
self.source_path,
|
||||
invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
|
||||
diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
|
||||
index 2e24388..11e7978 100644
|
||||
index b7347a3..09ea990 100644
|
||||
--- a/Lib/test/test_zipimport.py
|
||||
+++ b/Lib/test/test_zipimport.py
|
||||
@@ -186,6 +186,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
|
||||
@ -2211,5 +2174,5 @@ index 8358d70..1b7fb85 100644
|
||||
uint64_t x;
|
||||
char data[sizeof(uint64_t)];
|
||||
--
|
||||
2.34.1
|
||||
2.37.3
|
||||
|
||||
|
@ -1,101 +0,0 @@
|
||||
From 3950e203a4c625b7bc53e67e96d5d5239758f4fa Mon Sep 17 00:00:00 2001
|
||||
From: "Miss Islington (bot)"
|
||||
<31488909+miss-islington@users.noreply.github.com>
|
||||
Date: Mon, 21 Feb 2022 08:16:23 -0800
|
||||
Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
|
||||
(GH-31469)
|
||||
|
||||
Curly brackets were never allowed in namespace URIs
|
||||
according to RFC 3986, and so-called namespace-validating
|
||||
XML parsers have the right to reject them a invalid URIs.
|
||||
|
||||
libexpat >=2.4.5 has become strcter in that regard due to
|
||||
related security issues; with ET.XML instantiating a
|
||||
namespace-aware parser under the hood, this test has no
|
||||
future in CPython.
|
||||
|
||||
References:
|
||||
- https://datatracker.ietf.org/doc/html/rfc3968
|
||||
- https://www.w3.org/TR/xml-names/
|
||||
|
||||
Also, test_minidom.py: Support Expat >=2.4.5
|
||||
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
|
||||
|
||||
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
|
||||
|
||||
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
|
||||
---
|
||||
Lib/test/test_minidom.py | 12 +++++++++---
|
||||
Lib/test/test_xml_etree.py | 6 ------
|
||||
.../Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 +
|
||||
3 files changed, 10 insertions(+), 9 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
|
||||
|
||||
diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
|
||||
index 1663b1f..5f52ed1 100644
|
||||
--- a/Lib/test/test_minidom.py
|
||||
+++ b/Lib/test/test_minidom.py
|
||||
@@ -6,10 +6,12 @@ import io
|
||||
from test import support
|
||||
import unittest
|
||||
|
||||
+import pyexpat
|
||||
import xml.dom.minidom
|
||||
|
||||
from xml.dom.minidom import parse, Node, Document, parseString
|
||||
from xml.dom.minidom import getDOMImplementation
|
||||
+from xml.parsers.expat import ExpatError
|
||||
|
||||
|
||||
tstfile = support.findfile("test.xml", subdir="xmltestdata")
|
||||
@@ -1147,8 +1149,10 @@ class MinidomTest(unittest.TestCase):
|
||||
|
||||
# Verify that character decoding errors raise exceptions instead
|
||||
# of crashing
|
||||
- self.assertRaises(UnicodeDecodeError, parseString,
|
||||
- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
|
||||
+ self.assertRaises(ExpatError, parseString,
|
||||
+ b'<fran\xe7ais></fran\xe7ais>')
|
||||
+ self.assertRaises(ExpatError, parseString,
|
||||
+ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
|
||||
|
||||
doc.unlink()
|
||||
|
||||
@@ -1609,7 +1613,9 @@ class MinidomTest(unittest.TestCase):
|
||||
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
|
||||
|
||||
def testExceptionOnSpacesInXMLNSValue(self):
|
||||
- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
|
||||
+ context = self.assertRaisesRegex(ExpatError, 'syntax error')
|
||||
+
|
||||
+ with context:
|
||||
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
|
||||
|
||||
def testDocRemoveChild(self):
|
||||
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
|
||||
index 23c4cd5..142ce2c 100644
|
||||
--- a/Lib/test/test_xml_etree.py
|
||||
+++ b/Lib/test/test_xml_etree.py
|
||||
@@ -2159,12 +2159,6 @@ class BugsTest(unittest.TestCase):
|
||||
b"<?xml version='1.0' encoding='ascii'?>\n"
|
||||
b'<body>tãg</body>')
|
||||
|
||||
- def test_issue3151(self):
|
||||
- e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
|
||||
- self.assertEqual(e.tag, '{${stuff}}localname')
|
||||
- t = ET.ElementTree(e)
|
||||
- self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
|
||||
-
|
||||
def test_issue6565(self):
|
||||
elem = ET.XML("<body><tag/></body>")
|
||||
self.assertEqual(summarize_list(elem), ['tag'])
|
||||
diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
|
||||
new file mode 100644
|
||||
index 0000000..6969bd1
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Make test suite support Expat >=2.4.5
|
||||
--
|
||||
2.37.3
|
||||
|
150
SOURCES/00382-cve-2015-20107.patch
Normal file
150
SOURCES/00382-cve-2015-20107.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Fri, 3 Jun 2022 11:43:35 +0200
|
||||
Subject: [PATCH] 00382: CVE-2015-20107
|
||||
|
||||
Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
|
||||
|
||||
Upstream: https://github.com/python/cpython/issues/68966
|
||||
|
||||
Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
---
|
||||
Doc/library/mailcap.rst | 12 +++++++++
|
||||
Lib/mailcap.py | 26 +++++++++++++++++--
|
||||
Lib/test/test_mailcap.py | 8 ++++--
|
||||
...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
|
||||
4 files changed, 46 insertions(+), 4 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
|
||||
diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
|
||||
index a22b5b9c9e..7aa3380fec 100644
|
||||
--- a/Doc/library/mailcap.rst
|
||||
+++ b/Doc/library/mailcap.rst
|
||||
@@ -60,6 +60,18 @@ standard. However, mailcap files are supported on most Unix systems.
|
||||
use) to determine whether or not the mailcap line applies. :func:`findmatch`
|
||||
will automatically check such conditions and skip the entry if the check fails.
|
||||
|
||||
+ .. versionchanged:: 3.11
|
||||
+
|
||||
+ To prevent security issues with shell metacharacters (symbols that have
|
||||
+ special effects in a shell command line), ``findmatch`` will refuse
|
||||
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
|
||||
+ into the returned command line.
|
||||
+
|
||||
+ If a disallowed character appears in *filename*, ``findmatch`` will always
|
||||
+ return ``(None, None)`` as if no entry was found.
|
||||
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
|
||||
+ ``findmatch`` will ignore all mailcap entries which use that value.
|
||||
+ A :mod:`warning <warnings>` will be raised in either case.
|
||||
|
||||
.. function:: getcaps()
|
||||
|
||||
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
|
||||
index ae416a8e9f..444c6408b5 100644
|
||||
--- a/Lib/mailcap.py
|
||||
+++ b/Lib/mailcap.py
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
import os
|
||||
import warnings
|
||||
+import re
|
||||
|
||||
__all__ = ["getcaps","findmatch"]
|
||||
|
||||
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
|
||||
else:
|
||||
return 1, 0
|
||||
|
||||
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
|
||||
+
|
||||
+class UnsafeMailcapInput(Warning):
|
||||
+ """Warning raised when refusing unsafe input"""
|
||||
+
|
||||
|
||||
# Part 1: top-level interface.
|
||||
|
||||
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
|
||||
entry to use.
|
||||
|
||||
"""
|
||||
+ if _find_unsafe(filename):
|
||||
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None, None
|
||||
entries = lookup(caps, MIMEtype, key)
|
||||
# XXX This code should somehow check for the needsterminal flag.
|
||||
for e in entries:
|
||||
if 'test' in e:
|
||||
test = subst(e['test'], filename, plist)
|
||||
+ if test is None:
|
||||
+ continue
|
||||
if test and os.system(test) != 0:
|
||||
continue
|
||||
command = subst(e[key], MIMEtype, filename, plist)
|
||||
- return command, e
|
||||
+ if command is not None:
|
||||
+ return command, e
|
||||
return None, None
|
||||
|
||||
def lookup(caps, MIMEtype, key=None):
|
||||
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
|
||||
elif c == 's':
|
||||
res = res + filename
|
||||
elif c == 't':
|
||||
+ if _find_unsafe(MIMEtype):
|
||||
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None
|
||||
res = res + MIMEtype
|
||||
elif c == '{':
|
||||
start = i
|
||||
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
|
||||
i = i+1
|
||||
name = field[start:i]
|
||||
i = i+1
|
||||
- res = res + findparam(name, plist)
|
||||
+ param = findparam(name, plist)
|
||||
+ if _find_unsafe(param):
|
||||
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None
|
||||
+ res = res + param
|
||||
# XXX To do:
|
||||
# %n == number of parts if type is multipart/*
|
||||
# %F == list of alternating type and filename for parts
|
||||
diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
|
||||
index c08423c670..920283d9a2 100644
|
||||
--- a/Lib/test/test_mailcap.py
|
||||
+++ b/Lib/test/test_mailcap.py
|
||||
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
|
||||
(["", "audio/*", "foo.txt"], ""),
|
||||
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
|
||||
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
|
||||
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
|
||||
+ (["echo %t", "audio/*", "foo.txt"], None),
|
||||
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
|
||||
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
|
||||
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
|
||||
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
|
||||
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
|
||||
('"An audio fragment"', audio_basic_entry)),
|
||||
([c, "audio/*"],
|
||||
{"filename": fname},
|
||||
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
|
||||
+ (None, None)),
|
||||
+ ([c, "audio/wav"],
|
||||
+ {"filename": fname},
|
||||
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
|
||||
([c, "message/external-body"],
|
||||
{"plist": plist},
|
||||
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
|
||||
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
new file mode 100644
|
||||
index 0000000000..da81a1f699
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
@@ -0,0 +1,4 @@
|
||||
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
|
||||
+MIME types, parameters) into shell commands. Instead of using such text, it
|
||||
+will warn and act as if a match was not found (or for test commands, as if
|
||||
+the test failed).
|
File diff suppressed because it is too large
Load Diff
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmHgts4ACgkQsmmV4xAl
|
||||
BWiDfQ/6A6ALwx3xrU5ks0Fec91x56ixg+S91cMGDwHM78/KT+gOSva0FxLlpVDO
|
||||
OD0yLoBOwVjSaiFAZC9wH2tf6xWLujVeBscrVX3Di1DZznZGgusDhP+gWpugULrF
|
||||
WCr1ZLxnerhOMmBU9hSOx1ObBc91CIsagqafeMuAWoEwsQpkG0hDHuRN8QeJn79s
|
||||
mFt4/X6/2NQEw/ucxftwoLIfqDbeP468wthOBgr9TrYfseSojnnYCxOiitC8k2GS
|
||||
ieLq1RQu6ZjSYtHyL+mvXwTy2tEyc6v/3s+3lJCcM6uK+vyAvwP4QwIXwpjwHMDW
|
||||
0YdyB812pWUleAt7P+BvVbumjGCs3hFHydMm6iA1eiONQk5Z0QQv0qrh+rqorXkJ
|
||||
aUgjiXjbNkx93m+hftUXXEcKWm6hi8CikcajBPbTZt6PlOCL2ZbN5NclTDpG3JMK
|
||||
8WHFpeFF1uaKcsDF5L9QU+ilXR0wxrh99DePQiLqsMvzbocB3cd5x8Ws1MNX/5tU
|
||||
6p88qUf1Zdg3EA7VQD7m90cTOHcskH8o+Bw+Jd+uDo+H8Pg9Yz9yHik6rHe8OwiA
|
||||
ol7eiEO07WePwqX4PqHozRtCVNSOZtrSSoWK2LNQdK9Z+EhVhQvDDk3hFQiE7ymM
|
||||
ZXHYHATjmGFN7WSThMR/8IFgTSqpuird+RXEkVZKorYPsA0P55I=
|
||||
=KRy4
|
||||
-----END PGP SIGNATURE-----
|
16
SOURCES/Python-3.9.14.tar.xz.asc
Normal file
16
SOURCES/Python-3.9.14.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmMXib8ACgkQsmmV4xAl
|
||||
BWiwtA/+LhNMVhCwNFNtDaxDLv2Pt43oX07ka9kuRau6WU0bicf4zBboQW2Ut9en
|
||||
epdnw06klvOrb2wlxU4jeWdzuq5bNlhW3rVyT2npbRfYeXqsi/i+sY9eV5SFRPAM
|
||||
eZrnCOkuWJxTy/XRQsPFbhE0bG+npoR80RpDtZ9EfjKyL2PSyOsvudKHjepcdHMi
|
||||
tCzcmHwJbakD18g268RiDZsR8q7lSQW0c3OhOPwXfFV2Xh+jS8eEEcdp2QSBq/S9
|
||||
+HIHEAYJWvAEtg9q3KMKDWOi5rd0Q6Cw4zcO8GI0HTCkNsnJmtLUJ4qTTZWOHC5t
|
||||
M8Z0hzuXI9wK23GpxWuThuaMyQCW5HX8tBVuxaHNyWuJ4T6ID0eJJP4ijLNMXv4U
|
||||
Q0MRbLYtIIagB8BsZtBnEIIsQ1k7THdJ5KAsWIjVaPe80yQWLOrmuXulJi+E4F/C
|
||||
bBKcsFXC605xg5C3AQk58QXpyLDoPtLtRVVPtVi1aqpHCLRCikHA8kqwc7JQIf7v
|
||||
p4VsfcNsYga/EF6FArdmVz8fOpQgItvhuHgMRWBZ35p/t9Ckbl7fJQB0PYfVKYWC
|
||||
F+uNahFYvJ+gH96U6MddEzZlB0AHx3gfysBrgWXvgUAqvAZ/Vq6FiOf0jhFWUtb1
|
||||
8b7sp8GSp7QzIP9U3J75sonXEAvNOA31vuKSJ2sKdxsIP9/KgZE=
|
||||
=kQup
|
||||
-----END PGP SIGNATURE-----
|
@ -13,11 +13,11 @@ URL: https://www.python.org/
|
||||
|
||||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
%global general_version %{pybasever}.10
|
||||
%global general_version %{pybasever}.14
|
||||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 3%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: Python
|
||||
|
||||
|
||||
@ -325,7 +325,7 @@ Patch189: 00189-use-rpm-wheels.patch
|
||||
# The versions are written in Lib/ensurepip/__init__.py, this patch removes them.
|
||||
# When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
|
||||
# In such cases, the patch needs to be amended and the versions updated here:
|
||||
%global pip_version 21.2.4
|
||||
%global pip_version 22.0.4
|
||||
%global setuptools_version 58.1.0
|
||||
|
||||
# 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62
|
||||
@ -399,51 +399,15 @@ Patch329: 00329-fips.patch
|
||||
# a nightmare because it's basically a binary file.
|
||||
Patch353: 00353-architecture-names-upstream-downstream.patch
|
||||
|
||||
# 00378 #
|
||||
# Support expat 2.4.5
|
||||
# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
|
||||
# CVE-2015-20107
|
||||
#
|
||||
# Curly brackets were never allowed in namespace URIs
|
||||
# according to RFC 3986, and so-called namespace-validating
|
||||
# XML parsers have the right to reject them a invalid URIs.
|
||||
# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
|
||||
#
|
||||
# libexpat >=2.4.5 has become strcter in that regard due to
|
||||
# related security issues; with ET.XML instantiating a
|
||||
# namespace-aware parser under the hood, this test has no
|
||||
# future in CPython.
|
||||
# Upstream: https://github.com/python/cpython/issues/68966
|
||||
#
|
||||
# References:
|
||||
# - https://datatracker.ietf.org/doc/html/rfc3968
|
||||
# - https://www.w3.org/TR/xml-names/
|
||||
#
|
||||
# Also, test_minidom.py: Support Expat >=2.4.5
|
||||
#
|
||||
# The patch has diverged from upstream as the python test
|
||||
# suite was relying on checking the expat version, whereas
|
||||
# in RHEL fixes get backported instead of rebasing packages.
|
||||
#
|
||||
# Upstream: https://bugs.python.org/issue46811
|
||||
Patch378: 00378-support-expat-2-4-5.patch
|
||||
|
||||
# 00387 # 87d28f3f0f0c9165c67b2a156134c614c6f6dcf5
|
||||
# CVE-2020-10735: Prevent DoS by very large int()
|
||||
#
|
||||
# gh-95778: CVE-2020-10735: Prevent DoS by very large int() (GH-96504)
|
||||
#
|
||||
# Converting between `int` and `str` in bases other than 2
|
||||
# (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
|
||||
# raises a `ValueError` if the number of digits in string form is above a
|
||||
# limit to avoid potential denial of service attacks due to the algorithmic
|
||||
# complexity. This is a mitigation for CVE-2020-10735
|
||||
# (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).
|
||||
#
|
||||
# This new limit can be configured or disabled by environment variable, command
|
||||
# line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
|
||||
# Limitation` documentation. The default limit is 4300
|
||||
# digits in string form.
|
||||
#
|
||||
# Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
|
||||
# from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
|
||||
Patch387: 00387-cve-2020-10735-prevent-dos-by-very-large-int.patch
|
||||
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
Patch382: 00382-cve-2015-20107.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
@ -1846,10 +1810,22 @@ CheckPython optimized
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Fri Sep 23 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.10-3
|
||||
- Security fix for CVE-2020-10735
|
||||
- Fix the test suite support for Expat >= 2.4.5
|
||||
Resolves: rhbz#1834423
|
||||
* Wed Sep 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.14-1
|
||||
- Update to 3.9.14
|
||||
- Security fixes for CVE-2020-10735 and CVE-2021-28861
|
||||
Resolves: rhbz#2120642, rhbz#1834423, rhbz#2128249
|
||||
|
||||
* Mon Jul 25 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.13-3
|
||||
- Fix test_get_ciphers in test_ssl.py for FIPS mode
|
||||
Resolves: rhbz#2058233
|
||||
|
||||
* Thu Jun 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-2
|
||||
- Security fix for CVE-2015-20107
|
||||
Resolves: rhbz#2075390
|
||||
|
||||
* Wed Jun 01 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-1
|
||||
- Update to 3.9.13
|
||||
Resolves: rhbz#2054702, rhbz#2059951
|
||||
|
||||
* Wed Feb 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.10-2
|
||||
- Fix undefined behavior in Modules/_hashopenssl.c
|
||||
|
Loading…
Reference in New Issue
Block a user