CVE-2007-4559, PEP-706: Add filters for tarfile extraction

python3.spec

@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: Python
 
 
@@ -765,6 +765,16 @@ Patch387: 00387-cve-2020-10735-prevent-dos-by-very-large-int.patch
 # the behavior to linear.
 Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
 
+# 00397 #
+# Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# The first patches in the file backport the upstream fix:
+# - https://github.com/python/cpython/pull/104583
+#   (see the linked issue for merged backports)
+# The last patch is Red Hat configuration, see KB for documentation:
+# - https://access.redhat.com/articles/7004769
+Patch397: 00397-tarfile-filter.patch
+
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1110,6 +1120,7 @@ git apply %{PATCH351}
 %patch386 -p1
 %patch387 -p1
 %patch394 -p1
+%patch397 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -2041,6 +2052,10 @@ fi
 # ======================================================
 
 %changelog
+* Tue Jun 06 2023 Petr Viktorin <pviktori@redhat.com> - 3.6.8-52
+- Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+Resolves: rhbz#263261
+
 * Tue Jan 24 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-51
 - Properly strip the LTO bytecode from python.o
 Resolves: rhbz#2137707