CVE-2007-4559, PEP-706: Add filters for tarfile extraction

2023-05-31 12:30:23 +00:00 · 2023-05-31 12:30:23 +00:00 · a1023e197c
parent e5389fd0f4
commit a1023e197c
2 changed files with 2726 additions and 1 deletions
--- a/00397-tarfile-filter.patch
+++ b/00397-tarfile-filter.patch
--- a/python3.9.spec
+++ b/python3.9.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python


@ -399,6 +399,14 @@ Patch329: 00329-fips.patch
 # a nightmare because it's basically a binary file.
 Patch353: 00353-architecture-names-upstream-downstream.patch

+# 00397 #
+# Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# The first patch backports the upstream fix:
+# - https://github.com/python/cpython/pull/104382
+# The second patch is Red Hat configuration, see KB for documentation:
+# - https://access.redhat.com/articles/7004769
+Patch397: 00397-tarfile-filter.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1800,6 +1808,10 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Tue Mar 07 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.16-2
+- Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+Resolves: rhbz#263261
+
 * Thu Dec 08 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-1
 - Update to 3.9.16
 - Security fixes for CVE-2022-42919 and CVE-2022-45061