import python3-3.6.8-31.el8

This commit is contained in:
CentOS Sources 2020-11-03 06:43:02 -05:00 committed by Andrew Lukoshko
parent 08ad15e6fb
commit 87132fa408
11 changed files with 745 additions and 222 deletions

View File

@ -200,3 +200,19 @@ index 0f2dfc4..da37896 100644
] ) ] )
if (ssl_incs is not None and if (ssl_incs is not None and
diff --git a/configure.ac b/configure.ac
index 01c66fe..1e6d515 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4772,9 +4772,9 @@ AC_MSG_RESULT($LDVERSION)
dnl define LIBPL after ABIFLAGS and LDVERSION is defined.
AC_SUBST(PY_ENABLE_SHARED)
if test x$PLATFORM_TRIPLET = x; then
- LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}"
+ LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}"
else
- LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}"
+ LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}"
fi
AC_SUBST(LIBPL)

View File

@ -1,30 +0,0 @@
diff -r 39b9b05c3085 Lib/distutils/sysconfig.py
--- a/Lib/distutils/sysconfig.py Wed Apr 10 00:27:23 2013 +0200
+++ b/Lib/distutils/sysconfig.py Wed Apr 10 10:14:18 2013 +0200
@@ -362,7 +362,10 @@
done[n] = item = ""
if found:
after = value[m.end():]
- value = value[:m.start()] + item + after
+ value = value[:m.start()]
+ if item.strip() not in value:
+ value += item
+ value += after
if "$" in after:
notdone[name] = value
else:
diff -r 39b9b05c3085 Lib/sysconfig.py
--- a/Lib/sysconfig.py Wed Apr 10 00:27:23 2013 +0200
+++ b/Lib/sysconfig.py Wed Apr 10 10:14:18 2013 +0200
@@ -296,7 +296,10 @@
if found:
after = value[m.end():]
- value = value[:m.start()] + item + after
+ value = value[:m.start()]
+ if item.strip() not in value:
+ value += item
+ value += after
if "$" in after:
notdone[name] = value
else:

View File

@ -1,12 +0,0 @@
diff -up Python-3.5.0/Makefile.pre.in.lib Python-3.5.0/Makefile.pre.in
--- Python-3.5.0/Makefile.pre.in.lib 2015-09-21 15:39:47.928286620 +0200
+++ Python-3.5.0/Makefile.pre.in 2015-09-21 15:42:58.004042762 +0200
@@ -1340,7 +1340,7 @@ inclinstall:
# Install the library and miscellaneous stuff needed for extending/embedding
# This goes into $(exec_prefix)
-LIBPL= @LIBPL@
+LIBPL= $(LIBDEST)/config-$(LDVERSION)-$(MULTIARCH)
# pkgconfig directory
LIBPC= $(LIBDIR)/pkgconfig

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,22 @@
diff --git a/Lib/test/test_gdb.py b/Lib/test/test_gdb.py
index 9c15fca..c972409 100644
--- a/Lib/test/test_gdb.py
+++ b/Lib/test/test_gdb.py
@@ -279,8 +279,15 @@ class DebuggerTests(unittest.TestCase):
# gdb can insert additional '\n' and space characters in various places
# in its output, depending on the width of the terminal it's connected
# to (using its "wrap_here" function)
- m = re.match(r'.*#0\s+builtin_id\s+\(self\=.*,\s+v=\s*(.*?)\)\s+at\s+\S*Python/bltinmodule.c.*',
- gdb_output, re.DOTALL)
+ m = re.search(
+ # Match '#0 builtin_id(self=..., v=...)'
+ r'#0\s+builtin_id\s+\(self\=.*,\s+v=\s*(.*?)?\)'
+ # Match ' at Python/bltinmodule.c'.
+ # bpo-38239: builtin_id() is defined in Python/bltinmodule.c,
+ # but accept any "Directory\file.c" to support Link Time
+ # Optimization (LTO).
+ r'\s+at\s+\S*[A-Za-z]+/[A-Za-z0-9_-]+\.c',
+ gdb_output, re.DOTALL)
if not m:
self.fail('Unexpected gdb output: %r\n%s' % (gdb_output, gdb_output))
return m.group(1), gdb_output

View File

@ -0,0 +1,54 @@
diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
index 0090333..d2adb21 100644
--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
@@ -1,5 +1,6 @@
from xmlrpc.server import DocXMLRPCServer
import http.client
+import re
import sys
from test import support
threading = support.import_module('threading')
@@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
response.read())
+ def test_server_title_escape(self):
+ # bpo-38243: Ensure that the server title and documentation
+ # are escaped for HTML.
+ self.serv.set_server_title('test_title<script>')
+ self.serv.set_server_documentation('test_documentation<script>')
+ self.assertEqual('test_title<script>', self.serv.server_title)
+ self.assertEqual('test_documentation<script>',
+ self.serv.server_documentation)
+
+ generated = self.serv.generate_html_documentation()
+ title = re.search(r'<title>(.+?)</title>', generated).group()
+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
+ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
+ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
+
if __name__ == '__main__':
unittest.main()
diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
index 3e0dca0..efe5937 100644
--- a/Lib/xmlrpc/server.py
+++ b/Lib/xmlrpc/server.py
@@ -106,6 +106,7 @@ server.handle_request()
from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
from http.server import BaseHTTPRequestHandler
+import html
import http.server
import socketserver
import sys
@@ -904,7 +905,7 @@ class XMLRPCDocGenerator:
methods
)
- return documenter.page(self.server_title, documentation)
+ return documenter.page(html.escape(self.server_title), documentation)
class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
"""XML-RPC and documentation request handler class.

View File

@ -0,0 +1,44 @@
diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py
index d0cd84f..9d2c28c 100644
--- a/Lib/test/test_site.py
+++ b/Lib/test/test_site.py
@@ -10,6 +10,7 @@ from test import support
from test.support import (captured_stderr, TESTFN, EnvironmentVarGuard,
change_cwd)
import builtins
+import glob
import os
import sys
import re
@@ -500,6 +501,23 @@ class ImportSideEffectTests(unittest.TestCase):
class StartupImportTests(unittest.TestCase):
def test_startup_imports(self):
+ # Get sys.path in isolated mode (python3 -I)
+ popen = subprocess.Popen([sys.executable, '-I', '-c',
+ 'import sys; print(repr(sys.path))'],
+ stdout=subprocess.PIPE,
+ encoding='utf-8')
+ stdout = popen.communicate()[0]
+ self.assertEqual(popen.returncode, 0, repr(stdout))
+ isolated_paths = eval(stdout)
+
+ # bpo-27807: Even with -I, the site module executes all .pth files
+ # found in sys.path (see site.addpackage()). Skip the test if at least
+ # one .pth file is found.
+ for path in isolated_paths:
+ pth_files = glob.glob(os.path.join(path, "*.pth"))
+ if pth_files:
+ self.skipTest(f"found {len(pth_files)} .pth files in: {path}")
+
# This tests checks which modules are loaded by Python when it
# initially starts upon startup.
popen = subprocess.Popen([sys.executable, '-I', '-v', '-c',
@@ -508,6 +526,7 @@ class StartupImportTests(unittest.TestCase):
stderr=subprocess.PIPE,
encoding='utf-8')
stdout, stderr = popen.communicate()
+ self.assertEqual(popen.returncode, 0, (stdout, stderr))
modules = eval(stdout)
self.assertIn('site', modules)

View File

@ -0,0 +1,193 @@
diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
index 876fcd4..fe9a32b 100644
--- a/Lib/test/test_urllib2.py
+++ b/Lib/test/test_urllib2.py
@@ -1445,40 +1445,64 @@ class HandlerTests(unittest.TestCase):
bypass = {'exclude_simple': True, 'exceptions': []}
self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
- def test_basic_auth(self, quote_char='"'):
- opener = OpenerDirector()
- password_manager = MockPasswordManager()
- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
- realm = "ACME Widget Store"
- http_handler = MockHTTPHandler(
- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
- (quote_char, realm, quote_char))
- opener.add_handler(auth_handler)
- opener.add_handler(http_handler)
- self._test_basic_auth(opener, auth_handler, "Authorization",
- realm, http_handler, password_manager,
- "http://acme.example.com/protected",
- "http://acme.example.com/protected",
- )
-
- def test_basic_auth_with_single_quoted_realm(self):
- self.test_basic_auth(quote_char="'")
-
- def test_basic_auth_with_unquoted_realm(self):
- opener = OpenerDirector()
- password_manager = MockPasswordManager()
- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
- realm = "ACME Widget Store"
- http_handler = MockHTTPHandler(
- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
- opener.add_handler(auth_handler)
- opener.add_handler(http_handler)
- with self.assertWarns(UserWarning):
+ def check_basic_auth(self, headers, realm):
+ with self.subTest(realm=realm, headers=headers):
+ opener = OpenerDirector()
+ password_manager = MockPasswordManager()
+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
+ body = '\r\n'.join(headers) + '\r\n\r\n'
+ http_handler = MockHTTPHandler(401, body)
+ opener.add_handler(auth_handler)
+ opener.add_handler(http_handler)
self._test_basic_auth(opener, auth_handler, "Authorization",
- realm, http_handler, password_manager,
- "http://acme.example.com/protected",
- "http://acme.example.com/protected",
- )
+ realm, http_handler, password_manager,
+ "http://acme.example.com/protected",
+ "http://acme.example.com/protected")
+
+ def test_basic_auth(self):
+ realm = "realm2@example.com"
+ realm2 = "realm2@example.com"
+ basic = f'Basic realm="{realm}"'
+ basic2 = f'Basic realm="{realm2}"'
+ other_no_realm = 'Otherscheme xxx'
+ digest = (f'Digest realm="{realm2}", '
+ f'qop="auth, auth-int", '
+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
+ for realm_str in (
+ # test "quote" and 'quote'
+ f'Basic realm="{realm}"',
+ f"Basic realm='{realm}'",
+
+ # charset is ignored
+ f'Basic realm="{realm}", charset="UTF-8"',
+
+ # Multiple challenges per header
+ f'{basic}, {basic2}',
+ f'{basic}, {other_no_realm}',
+ f'{other_no_realm}, {basic}',
+ f'{basic}, {digest}',
+ f'{digest}, {basic}',
+ ):
+ headers = [f'WWW-Authenticate: {realm_str}']
+ self.check_basic_auth(headers, realm)
+
+ # no quote: expect a warning
+ with support.check_warnings(("Basic Auth Realm was unquoted",
+ UserWarning)):
+ headers = [f'WWW-Authenticate: Basic realm={realm}']
+ self.check_basic_auth(headers, realm)
+
+ # Multiple headers: one challenge per header.
+ # Use the first Basic realm.
+ for challenges in (
+ [basic, basic2],
+ [basic, digest],
+ [digest, basic],
+ ):
+ headers = [f'WWW-Authenticate: {challenge}'
+ for challenge in challenges]
+ self.check_basic_auth(headers, realm)
def test_proxy_basic_auth(self):
opener = OpenerDirector()
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index c9945d9..6624e04 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -945,8 +945,15 @@ class AbstractBasicAuthHandler:
# allow for double- and single-quoted realm values
# (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
- 'realm=(["\']?)([^"\']*)\\2', re.I)
+ rx = re.compile('(?:^|,)' # start of the string or ','
+ '[ \t]*' # optional whitespaces
+ '([^ \t]+)' # scheme like "Basic"
+ '[ \t]+' # mandatory whitespaces
+ # realm=xxx
+ # realm='xxx'
+ # realm="xxx"
+ 'realm=(["\']?)([^"\']*)\\2',
+ re.I)
# XXX could pre-emptively send auth info already accepted (RFC 2617,
# end of section 2, and section 1.2 immediately after "credentials"
@@ -958,27 +965,51 @@ class AbstractBasicAuthHandler:
self.passwd = password_mgr
self.add_password = self.passwd.add_password
+ def _parse_realm(self, header):
+ # parse WWW-Authenticate header: accept multiple challenges per header
+ found_challenge = False
+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
+ scheme, quote, realm = mo.groups()
+ if quote not in ['"', "'"]:
+ warnings.warn("Basic Auth Realm was unquoted",
+ UserWarning, 3)
+
+ yield (scheme, realm)
+
+ found_challenge = True
+
+ if not found_challenge:
+ if header:
+ scheme = header.split()[0]
+ else:
+ scheme = ''
+ yield (scheme, None)
+
def http_error_auth_reqed(self, authreq, host, req, headers):
# host may be an authority (without userinfo) or a URL with an
# authority
- # XXX could be multiple headers
- authreq = headers.get(authreq, None)
+ headers = headers.get_all(authreq)
+ if not headers:
+ # no header found
+ return
- if authreq:
- scheme = authreq.split()[0]
- if scheme.lower() != 'basic':
- raise ValueError("AbstractBasicAuthHandler does not"
- " support the following scheme: '%s'" %
- scheme)
- else:
- mo = AbstractBasicAuthHandler.rx.search(authreq)
- if mo:
- scheme, quote, realm = mo.groups()
- if quote not in ['"',"'"]:
- warnings.warn("Basic Auth Realm was unquoted",
- UserWarning, 2)
- if scheme.lower() == 'basic':
- return self.retry_http_basic_auth(host, req, realm)
+ unsupported = None
+ for header in headers:
+ for scheme, realm in self._parse_realm(header):
+ if scheme.lower() != 'basic':
+ unsupported = scheme
+ continue
+
+ if realm is not None:
+ # Use the first matching Basic challenge.
+ # Ignore following challenges even if they use the Basic
+ # scheme.
+ return self.retry_http_basic_auth(host, req, realm)
+
+ if unsupported is not None:
+ raise ValueError("AbstractBasicAuthHandler does not "
+ "support the following scheme: %r"
+ % (scheme,))
def retry_http_basic_auth(self, host, req, realm):
user, pw = self.passwd.find_user_password(realm, host)

View File

@ -0,0 +1,67 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Wed, 15 Jul 2020 05:36:36 -0700
Subject: [PATCH] 00351: Avoid infinite loop in the tarfile module
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
Fixed upstream: https://bugs.python.org/issue39017
---
Lib/tarfile.py | 2 ++
Lib/test/recursion.tar | Bin 0 -> 516 bytes
Lib/test/test_tarfile.py | 7 +++++++
.../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
4 files changed, 10 insertions(+)
create mode 100644 Lib/test/recursion.tar
create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index 62d22150f5..2ea47978ff 100755
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1231,6 +1231,8 @@ class TarInfo(object):
length, keyword = match.groups()
length = int(length)
+ if length == 0:
+ raise InvalidHeaderError("invalid header")
value = buf[match.end(2) + 1:match.start(1) + length - 1]
# Normally, we could just use "utf-8" as the encoding and "strict"
diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar
new file mode 100644
index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4
GIT binary patch
literal 516
zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e
I1_}|j06>QaCIA2c
literal 0
HcmV?d00001
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 4cd7d5370f..573be812ea 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -395,6 +395,13 @@ class CommonReadTest(ReadTest):
with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
tar.extractfile(t).read()
+ def test_length_zero_header(self):
+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
+ # with an exception
+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
+ with tarfile.open(support.findfile('recursion.tar')) as tar:
+ pass
+
class MiscReadTestBase(CommonReadTest):
def requires_name_attribute(self):
pass
diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
new file mode 100644
index 0000000000..ad26676f8b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

View File

@ -0,0 +1,70 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
Date: Wed, 1 Jul 2020 01:00:22 +0530
Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and
IPv6Interface
CVE-2020-14422
The hash() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation.
Fixed upstream: https://bugs.python.org/issue41004
---
Lib/ipaddress.py | 4 ++--
Lib/test/test_ipaddress.py | 11 +++++++++++
.../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
3 files changed, 14 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
index 583f02ad54..98492136ca 100644
--- a/Lib/ipaddress.py
+++ b/Lib/ipaddress.py
@@ -1418,7 +1418,7 @@ class IPv4Interface(IPv4Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
@@ -2092,7 +2092,7 @@ class IPv6Interface(IPv6Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
index 1cef4217bc..7de444af4a 100644
--- a/Lib/test/test_ipaddress.py
+++ b/Lib/test/test_ipaddress.py
@@ -1990,6 +1990,17 @@ class IpaddrUnitTest(unittest.TestCase):
sixtofouraddr.sixtofour)
self.assertFalse(bad_addr.sixtofour)
+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
+ def testV4HashIsNotConstant(self):
+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
+
+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
+ def testV6HashIsNotConstant(self):
+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
if __name__ == '__main__':
unittest.main()
diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
new file mode 100644
index 0000000000..f5a9db52ff
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
@@ -0,0 +1 @@
+CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

View File

@ -14,7 +14,7 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version, # WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well # remember to update the python3-docs package as well
Version: %{pybasever}.8 Version: %{pybasever}.8
Release: 23%{?dist} Release: 31%{?dist}
License: Python License: Python
@ -170,6 +170,7 @@ BuildRequires: gcc-c++
%if %{with gdbm} %if %{with gdbm}
BuildRequires: gdbm-devel >= 1:1.13 BuildRequires: gdbm-devel >= 1:1.13
%endif %endif
BuildRequires: git-core
BuildRequires: glibc-devel BuildRequires: glibc-devel
BuildRequires: gmp-devel BuildRequires: gmp-devel
BuildRequires: libappstream-glib BuildRequires: libappstream-glib
@ -309,22 +310,11 @@ Patch163: 00163-disable-parts-of-test_socket-in-rpm-build.patch
# See https://bugzilla.redhat.com/show_bug.cgi?id=614680 # See https://bugzilla.redhat.com/show_bug.cgi?id=614680
Patch170: 00170-gc-assertions.patch Patch170: 00170-gc-assertions.patch
# 00178 #
# Don't duplicate various FLAGS in sysconfig values
# http://bugs.python.org/issue17679
# Does not affect python2 AFAICS (different sysconfig values initialization)
Patch178: 00178-dont-duplicate-flags-in-sysconfig.patch
# 00189 # # 00189 #
# Instead of bundled wheels, use our RPM packaged wheels from # Instead of bundled wheels, use our RPM packaged wheels from
# /usr/share/python3-wheels # /usr/share/python3-wheels
Patch189: 00189-use-rpm-wheels.patch Patch189: 00189-use-rpm-wheels.patch
# 00205 #
# LIBPL variable in makefile takes LIBPL from configure.ac
# but the LIBPL variable defined there doesn't respect libdir macro
Patch205: 00205-make-libpl-respect-lib64.patch
# 00251 # 00251
# Set values of prefix and exec_prefix in distutils install command # Set values of prefix and exec_prefix in distutils install command
# to /usr/local if executable is /usr/bin/python* and RPM build # to /usr/local if executable is /usr/bin/python* and RPM build
@ -488,6 +478,47 @@ Patch332: 00332-CVE-2019-16056.patch
# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749576 # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1749576
Patch333: 00333-reduce-pgo-tests.patch Patch333: 00333-reduce-pgo-tests.patch
# 00338 #
# Fix test_gdb for when compiling python with Link Time Optimizations
# Fixed upstream: https://bugs.python.org/issue38239
Patch338: 00338-fix-test_gdb-for-LTO.patch
# 00344 #
# Fix CVE-2019-16935: XSS vulnerability in the ocumentation XML-RPC server in server_title field
# Fixed upstream: https://bugs.python.org/issue38243
# Resolves: https://bugzilla.redhat.com/how_bug.cgi?id=1798001
Patch344: 00344-CVE-2019-16935.patch
# 00345 #
# Skip from test_site the test_startup_imports case if a path of sys.path
# contains a .pth file
# Fixed upstream: https://bugs.python.org/issue27807
# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1814392
Patch345: 00345-fix-test_site-with-extra-pth-files.patch
# 00346 #
# Fix CVE-2020-8492: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
# Fixed upstream: https://bugs.python.org/issue39503
# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1810618
Patch346: 00346-CVE-2020-8492.patch
# 00351 #
# Avoid infinite loop when reading specially crafted TAR files using the tarfile module
# (CVE-2019-20907).
# See: https://bugs.python.org/issue39017
Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch
# 00352 # 5253c417a23b3658fa115d2c72fa54b20293a31c
# Resolve hash collisions for IPv4Interface and IPv6Interface
#
# CVE-2020-14422
# The hash() methods of classes IPv4Interface and IPv6Interface had issue
# of generating constant hash values of 32 and 128 respectively causing hash collisions.
# The fix uses the hash() function to generate hash values for the objects
# instead of XOR operation.
# Fixed upstream: https://bugs.python.org/issue41004
Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
# When adding new patches to "python" and "python3" in Fedora, EL, etc., # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -778,14 +809,12 @@ rm -r Modules/zlib
%patch160 -p1 %patch160 -p1
%patch163 -p1 %patch163 -p1
%patch170 -p1 %patch170 -p1
%patch178 -p1
%if %{with rpmwheels} %if %{with rpmwheels}
%patch189 -p1 %patch189 -p1
rm Lib/ensurepip/_bundled/*.whl rm Lib/ensurepip/_bundled/*.whl
%endif %endif
%patch205 -p1
%patch251 -p1 %patch251 -p1
%patch262 -p1 %patch262 -p1
%patch274 -p1 %patch274 -p1
@ -803,7 +832,15 @@ rm Lib/ensurepip/_bundled/*.whl
%patch330 -p1 %patch330 -p1
%patch332 -p1 %patch332 -p1
%patch333 -p1 %patch333 -p1
%patch338 -p1
%patch344 -p1
%patch345 -p1
%patch346 -p1
# Patch 351 adds binary file for testing. We need to apply it using Git.
git apply %{PATCH351}
%patch352 -p1
# Remove files that should be generated by the build # Remove files that should be generated by the build
# (This is after patching, so that we can use patches directly from upstream) # (This is after patching, so that we can use patches directly from upstream)
@ -845,14 +882,14 @@ topdir=$(pwd)
# RHEL packages utilizing %%py3_build will use them as well # RHEL packages utilizing %%py3_build will use them as well
# https://fedoraproject.org/wiki/Changes/Python_Extension_Flags # https://fedoraproject.org/wiki/Changes/Python_Extension_Flags
export CFLAGS="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv" export CFLAGS="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv"
export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv" export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv -fno-semantic-interposition"
export CXXFLAGS="%{extension_cxxflags} -D_GNU_SOURCE -fPIC -fwrapv" export CXXFLAGS="%{extension_cxxflags} -D_GNU_SOURCE -fPIC -fwrapv"
export CPPFLAGS="$(pkg-config --cflags-only-I libffi)" export CPPFLAGS="$(pkg-config --cflags-only-I libffi)"
export OPT="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv" export OPT="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv"
export LINKCC="gcc" export LINKCC="gcc"
export CFLAGS="$CFLAGS $(pkg-config --cflags openssl)" export CFLAGS="$CFLAGS $(pkg-config --cflags openssl)"
export LDFLAGS="%{extension_ldflags} -g $(pkg-config --libs-only-L openssl)" export LDFLAGS="%{extension_ldflags} -g $(pkg-config --libs-only-L openssl)"
export LDFLAGS_NODIST="%{build_ldflags} -g $(pkg-config --libs-only-L openssl)" export LDFLAGS_NODIST="%{build_ldflags} -fno-semantic-interposition -g $(pkg-config --libs-only-L openssl)"
# We can build several different configurations of Python: regular and debug. # We can build several different configurations of Python: regular and debug.
# Define a common function that does one build: # Define a common function that does one build:
@ -1720,6 +1757,42 @@ fi
# ====================================================== # ======================================================
%changelog %changelog
* Mon Aug 17 2020 Tomas Orsava <torsava@redhat.com> - 3.6.8-31
- Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907)
Resolves: rhbz#1856481
- Resolve hash collisions for Pv4Interface and IPv6Interface (CVE-2020-14422)
Resolves: rhbz#1854926
* Thu Jun 25 2020 Victor Stinner <vstinner@python.org> - 3.6.8-30
- Remove downstream 00178-dont-duplicate-flags-in-sysconfig.patch which
introduced a bug on distutils.sysconfig.get_config_var('LIBPL')
(rhbz#1851090).
* Thu Jun 18 2020 Victor Stinner <vstinner@python.org> - 3.6.8-29
- Fix python3-config --configdir (rhbz#1772992).
* Fri Apr 03 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-28
- Security fix for CVE-2020-8492
Resolves: rhbz#1810618
* Tue Mar 31 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-27
- Add a sentinel value on the Hmac_members table of the fips compliant hmac module
Resolves: rhbz#1800512
* Mon Mar 23 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-26
- Skip test_startup_imports from test_site if we have a .pth file in sys.path
Resolves: rhbz#1814392
* Fri Mar 20 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-25
- Security fix for CVE-2019-16935
Resolves: rhbz#1798001
* Mon Mar 16 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-24
- Build Python with -fno-semantic-interposition for better performance
- https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup
- Also fix test_gdb failures with Link Time Optimizations
Resolves: rhbz#1724996
* Wed Nov 27 2019 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-23 * Wed Nov 27 2019 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-23
- Modify the test suite to better handle disabled SSL/TLS versions and FIPS mode - Modify the test suite to better handle disabled SSL/TLS versions and FIPS mode
- Use OpenSSL's DRBG and disable os.getrandom() function in FIPS mode - Use OpenSSL's DRBG and disable os.getrandom() function in FIPS mode