CVE-2007-4559, PEP-706: Add filters for tarfile extraction

2023-06-06 16:40:22 +02:00 · 2023-06-06 16:40:22 +02:00 · f93296c9b5
commit f93296c9b5
parent 76c5cd8724
2 changed files with 3512 additions and 1 deletions
--- a/00397-tarfile-filter.patch
+++ b/00397-tarfile-filter.patch
--- a/python3.spec
+++ b/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: Python
@ -765,6 +765,16 @@ Patch387: 00387-cve-2020-10735-prevent-dos-by-very-large-int.patch
 # the behavior to linear.
 Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
 # 00397 #
 # Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
 # The first patches in the file backport the upstream fix:
 # - https://github.com/python/cpython/pull/104583
 #   (see the linked issue for merged backports)
 # The last patch is Red Hat configuration, see KB for documentation:
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1110,6 +1120,7 @@ git apply %{PATCH351}
 %patch386 -p1
 %patch387 -p1
 %patch394 -p1
 %patch397 -p1
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@ -2041,6 +2052,10 @@ fi
 # ======================================================
 %changelog
 * Tue Jun 06 2023 Petr Viktorin <pviktori@redhat.com> - 3.6.8-52
 - Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
 Resolves: rhbz#263261
 * Tue Jan 24 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-51
 - Properly strip the LTO bytecode from python.o
 Resolves: rhbz#2137707