.gitignore

@@ -1 +1 @@
-SOURCES/Python-3.6.8-noexe.tar.xz
+/*.tar.*

.python3.metadata

@@ -1 +0,0 @@
-a39802ac8f0c61645c6a50fbdd32e3ca92862ff5 SOURCES/Python-3.6.8-noexe.tar.xz

SOURCES/00443-gh-124651-quote-template-strings-in-venv-activation-scripts.patch

@@ -1,281 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Fri, 1 Nov 2024 14:11:47 +0100
-Subject: [PATCH] 00443: gh-124651: Quote template strings in `venv` activation
- scripts
-
-(cherry picked from 3.9)
----
- Lib/test/test_venv.py                         | 82 +++++++++++++++++++
- Lib/venv/__init__.py                          | 42 ++++++++--
- Lib/venv/scripts/common/activate              |  8 +-
- Lib/venv/scripts/posix/activate.csh           |  8 +-
- Lib/venv/scripts/posix/activate.fish          |  8 +-
- ...-09-28-02-03-04.gh-issue-124651.bLBGtH.rst |  1 +
- 6 files changed, 132 insertions(+), 17 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
-
-diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py
-index 842470fef0..67fdcd86bb 100644
---- a/Lib/test/test_venv.py
-+++ b/Lib/test/test_venv.py
-@@ -13,6 +13,8 @@ import struct
- import subprocess
- import sys
- import tempfile
-+import shlex
-+import shutil
- from test.support import (captured_stdout, captured_stderr, requires_zlib,
-                           can_symlink, EnvironmentVarGuard, rmtree)
- import unittest
-@@ -80,6 +82,10 @@ class BaseTest(unittest.TestCase):
-             result = f.read()
-         return result
- 
-+    def assertEndsWith(self, string, tail):
-+        if not string.endswith(tail):
-+            self.fail(f"String {string!r} does not end with {tail!r}")
-+
- class BasicTest(BaseTest):
-     """Test venv module functionality."""
- 
-@@ -293,6 +299,82 @@ class BasicTest(BaseTest):
-             'import sys; print(sys.executable)'])
-         self.assertEqual(out.strip(), envpy.encode())
- 
-+    # gh-124651: test quoted strings
-+    @unittest.skipIf(os.name == 'nt', 'contains invalid characters on Windows')
-+    def test_special_chars_bash(self):
-+        """
-+        Test that the template strings are quoted properly (bash)
-+        """
-+        rmtree(self.env_dir)
-+        bash = shutil.which('bash')
-+        if bash is None:
-+            self.skipTest('bash required for this test')
-+        env_name = '"\';&&$e|\'"'
-+        env_dir = os.path.join(os.path.realpath(self.env_dir), env_name)
-+        builder = venv.EnvBuilder(clear=True)
-+        builder.create(env_dir)
-+        activate = os.path.join(env_dir, self.bindir, 'activate')
-+        test_script = os.path.join(self.env_dir, 'test_special_chars.sh')
-+        with open(test_script, "w") as f:
-+            f.write(f'source {shlex.quote(activate)}\n'
-+                    'python -c \'import sys; print(sys.executable)\'\n'
-+                    'python -c \'import os; print(os.environ["VIRTUAL_ENV"])\'\n'
-+                    'deactivate\n')
-+        out, err = check_output([bash, test_script])
-+        lines = out.splitlines()
-+        self.assertTrue(env_name.encode() in lines[0])
-+        self.assertEndsWith(lines[1], env_name.encode())
-+
-+    # gh-124651: test quoted strings
-+    @unittest.skipIf(os.name == 'nt', 'contains invalid characters on Windows')
-+    def test_special_chars_csh(self):
-+        """
-+        Test that the template strings are quoted properly (csh)
-+        """
-+        rmtree(self.env_dir)
-+        csh = shutil.which('tcsh') or shutil.which('csh')
-+        if csh is None:
-+            self.skipTest('csh required for this test')
-+        env_name = '"\';&&$e|\'"'
-+        env_dir = os.path.join(os.path.realpath(self.env_dir), env_name)
-+        builder = venv.EnvBuilder(clear=True)
-+        builder.create(env_dir)
-+        activate = os.path.join(env_dir, self.bindir, 'activate.csh')
-+        test_script = os.path.join(self.env_dir, 'test_special_chars.csh')
-+        with open(test_script, "w") as f:
-+            f.write(f'source {shlex.quote(activate)}\n'
-+                    'python -c \'import sys; print(sys.executable)\'\n'
-+                    'python -c \'import os; print(os.environ["VIRTUAL_ENV"])\'\n'
-+                    'deactivate\n')
-+        out, err = check_output([csh, test_script])
-+        lines = out.splitlines()
-+        self.assertTrue(env_name.encode() in lines[0])
-+        self.assertEndsWith(lines[1], env_name.encode())
-+
-+    # gh-124651: test quoted strings on Windows
-+    @unittest.skipUnless(os.name == 'nt', 'only relevant on Windows')
-+    def test_special_chars_windows(self):
-+        """
-+        Test that the template strings are quoted properly on Windows
-+        """
-+        rmtree(self.env_dir)
-+        env_name = "'&&^$e"
-+        env_dir = os.path.join(os.path.realpath(self.env_dir), env_name)
-+        builder = venv.EnvBuilder(clear=True)
-+        builder.create(env_dir)
-+        activate = os.path.join(env_dir, self.bindir, 'activate.bat')
-+        test_batch = os.path.join(self.env_dir, 'test_special_chars.bat')
-+        with open(test_batch, "w") as f:
-+            f.write('@echo off\n'
-+                    f'"{activate}" & '
-+                    f'{self.exe} -c "import sys; print(sys.executable)" & '
-+                    f'{self.exe} -c "import os; print(os.environ[\'VIRTUAL_ENV\'])" & '
-+                    'deactivate')
-+        out, err = check_output([test_batch])
-+        lines = out.splitlines()
-+        self.assertTrue(env_name.encode() in lines[0])
-+        self.assertEndsWith(lines[1], env_name.encode())
-+
-     @unittest.skipUnless(os.name == 'nt', 'only relevant on Windows')
-     def test_unicode_in_batch_file(self):
-         """
-diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
-index 716129d139..0c44dfd07d 100644
---- a/Lib/venv/__init__.py
-+++ b/Lib/venv/__init__.py
-@@ -10,6 +10,7 @@ import shutil
- import subprocess
- import sys
- import types
-+import shlex
- 
- logger = logging.getLogger(__name__)
- 
-@@ -280,11 +281,41 @@ class EnvBuilder:
-         :param context: The information for the environment creation request
-                         being processed.
-         """
--        text = text.replace('__VENV_DIR__', context.env_dir)
--        text = text.replace('__VENV_NAME__', context.env_name)
--        text = text.replace('__VENV_PROMPT__', context.prompt)
--        text = text.replace('__VENV_BIN_NAME__', context.bin_name)
--        text = text.replace('__VENV_PYTHON__', context.env_exe)
-+        replacements = {
-+            '__VENV_DIR__': context.env_dir,
-+            '__VENV_NAME__': context.env_name,
-+            '__VENV_PROMPT__': context.prompt,
-+            '__VENV_BIN_NAME__': context.bin_name,
-+            '__VENV_PYTHON__': context.env_exe,
-+        }
-+
-+        def quote_ps1(s):
-+            """
-+            This should satisfy PowerShell quoting rules [1], unless the quoted
-+            string is passed directly to Windows native commands [2].
-+            [1]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules
-+            [2]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parsing#passing-arguments-that-contain-quote-characters
-+            """
-+            s = s.replace("'", "''")
-+            return f"'{s}'"
-+
-+        def quote_bat(s):
-+            return s
-+
-+        # gh-124651: need to quote the template strings properly
-+        quote = shlex.quote
-+        script_path = context.script_path
-+        if script_path.endswith('.ps1'):
-+            quote = quote_ps1
-+        elif script_path.endswith('.bat'):
-+            quote = quote_bat
-+        else:
-+            # fallbacks to POSIX shell compliant quote
-+            quote = shlex.quote
-+
-+        replacements = {key: quote(s) for key, s in replacements.items()}
-+        for key, quoted in replacements.items():
-+            text = text.replace(key, quoted)
-         return text
- 
-     def install_scripts(self, context, path):
-@@ -321,6 +352,7 @@ class EnvBuilder:
-                 with open(srcfile, 'rb') as f:
-                     data = f.read()
-                 if not srcfile.endswith('.exe'):
-+                    context.script_path = srcfile
-                     try:
-                         data = data.decode('utf-8')
-                         data = self.replace_variables(data, context)
-diff --git a/Lib/venv/scripts/common/activate b/Lib/venv/scripts/common/activate
-index fff0765af5..c2e2f968fa 100644
---- a/Lib/venv/scripts/common/activate
-+++ b/Lib/venv/scripts/common/activate
-@@ -37,11 +37,11 @@ deactivate () {
- # unset irrelevant variables
- deactivate nondestructive
- 
--VIRTUAL_ENV="__VENV_DIR__"
-+VIRTUAL_ENV=__VENV_DIR__
- export VIRTUAL_ENV
- 
- _OLD_VIRTUAL_PATH="$PATH"
--PATH="$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH"
-+PATH="$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH"
- export PATH
- 
- # unset PYTHONHOME if set
-@@ -54,8 +54,8 @@ fi
- 
- if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then
-     _OLD_VIRTUAL_PS1="${PS1:-}"
--    if [ "x__VENV_PROMPT__" != x ] ; then
--	PS1="__VENV_PROMPT__${PS1:-}"
-+    if [ "x"__VENV_PROMPT__ != x ] ; then
-+	PS1=__VENV_PROMPT__"${PS1:-}"
-     else
-     if [ "`basename \"$VIRTUAL_ENV\"`" = "__" ] ; then
-         # special case for Aspen magic directories
-diff --git a/Lib/venv/scripts/posix/activate.csh b/Lib/venv/scripts/posix/activate.csh
-index b0c7028a92..0e90d54008 100644
---- a/Lib/venv/scripts/posix/activate.csh
-+++ b/Lib/venv/scripts/posix/activate.csh
-@@ -8,17 +8,17 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA
- # Unset irrelevant variables.
- deactivate nondestructive
- 
--setenv VIRTUAL_ENV "__VENV_DIR__"
-+setenv VIRTUAL_ENV __VENV_DIR__
- 
- set _OLD_VIRTUAL_PATH="$PATH"
--setenv PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH"
-+setenv PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH"
- 
- 
- set _OLD_VIRTUAL_PROMPT="$prompt"
- 
- if (! "$?VIRTUAL_ENV_DISABLE_PROMPT") then
--    if ("__VENV_NAME__" != "") then
--        set env_name = "__VENV_NAME__"
-+    if (__VENV_NAME__ != "") then
-+        set env_name = __VENV_NAME__
-     else
-         if (`basename "VIRTUAL_ENV"` == "__") then
-             # special case for Aspen magic directories
-diff --git a/Lib/venv/scripts/posix/activate.fish b/Lib/venv/scripts/posix/activate.fish
-index 4d4f0bd7a4..0407f9c7be 100644
---- a/Lib/venv/scripts/posix/activate.fish
-+++ b/Lib/venv/scripts/posix/activate.fish
-@@ -29,10 +29,10 @@ end
- # unset irrelevant variables
- deactivate nondestructive
- 
--set -gx VIRTUAL_ENV "__VENV_DIR__"
-+set -gx VIRTUAL_ENV __VENV_DIR__
- 
- set -gx _OLD_VIRTUAL_PATH $PATH
--set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH
-+set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH
- 
- # unset PYTHONHOME if set
- if set -q PYTHONHOME
-@@ -52,8 +52,8 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
-         set -l old_status $status
- 
-         # Prompt override?
--        if test -n "__VENV_PROMPT__"            
--            printf "%s%s" "__VENV_PROMPT__" (set_color normal)
-+        if test -n __VENV_PROMPT__            
-+            printf "%s%s" __VENV_PROMPT__ (set_color normal)
-         else
-             # ...Otherwise, prepend env
-             set -l _checkbase (basename "$VIRTUAL_ENV")
-diff --git a/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
-new file mode 100644
-index 0000000000..17fc917139
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
-@@ -0,0 +1 @@
-+Properly quote template strings in :mod:`venv` activation scripts.

SOURCES/00444-security-fix-for-cve-2024-11168.patch

@@ -1,110 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 9 May 2023 23:35:24 -0700
-Subject: [PATCH] 00444: Security fix for CVE-2024-11168
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849)
-
-Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses.
-
-(cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5)
-
-Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
-Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
----
- Lib/test/test_urlparse.py                     | 26 +++++++++++++++++++
- Lib/urllib/parse.py                           | 15 +++++++++++
- ...-04-26-09-54-25.gh-issue-103848.aDSnpR.rst |  2 ++
- 3 files changed, 43 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 7fd61ffea9..090d2f17bf 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1076,6 +1076,32 @@ class UrlParseTestCase(unittest.TestCase):
-         self.assertEqual(p2.scheme, 'tel')
-         self.assertEqual(p2.path, '+31641044153')
- 
-+    def test_invalid_bracketed_hosts(self):
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[192.0.2.146]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[important.com:8000]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123r.IP]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v12ae]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v.IP]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123.]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
-+
-+    def test_splitting_bracketed_hosts(self):
-+        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
-+        self.assertEqual(p1.hostname, 'v6a.ip')
-+        self.assertEqual(p1.username, 'user')
-+        self.assertEqual(p1.path, '/path')
-+        p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7]/path?query')
-+        self.assertEqual(p2.hostname, '0439:23af:2309::fae7')
-+        self.assertEqual(p2.username, 'user')
-+        self.assertEqual(p2.path, '/path')
-+        p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146]/path?query')
-+        self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146')
-+        self.assertEqual(p3.username, 'user')
-+        self.assertEqual(p3.path, '/path')
-+
-     def test_telurl_params(self):
-         p1 = urllib.parse.urlparse('tel:123-4;phone-context=+1-650-516')
-         self.assertEqual(p1.scheme, 'tel')
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 717e990997..bf186b7984 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -34,6 +34,7 @@ It serves as a useful guide when making changes.
- import os
- import sys
- import collections
-+import ipaddress
- 
- __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
-            "urlsplit", "urlunsplit", "urlencode", "parse_qs",
-@@ -425,6 +426,17 @@ def _remove_unsafe_bytes_from_url(url):
-         url = url.replace(b, "")
-     return url
- 
-+# Valid bracketed hosts are defined in
-+# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
-+def _check_bracketed_host(hostname):
-+    if hostname.startswith('v'):
-+        if not re.match(r"\Av[a-fA-F0-9]+\..+\Z", hostname):
-+            raise ValueError(f"IPvFuture address is invalid")
-+    else:
-+        ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
-+        if isinstance(ip, ipaddress.IPv4Address):
-+            raise ValueError(f"An IPv4 address cannot be in brackets")
-+
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
-     <scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -480,6 +492,9 @@ def urlsplit(url, scheme='', allow_fragments=True):
-         if (('[' in netloc and ']' not in netloc) or
-                 (']' in netloc and '[' not in netloc)):
-             raise ValueError("Invalid IPv6 URL")
-+        if '[' in netloc and ']' in netloc:
-+            bracketed_host = netloc.partition('[')[2].partition(']')[0]
-+            _check_bracketed_host(bracketed_host)
-     if allow_fragments and '#' in url:
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-diff --git a/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
-new file mode 100644
-index 0000000000..81e5904aa6
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst
-@@ -0,0 +1,2 @@
-+Add checks to ensure that ``[`` bracketed ``]`` hosts found by
-+:func:`urllib.parse.urlsplit` are of IPv6 or IPvFuture format.

SOURCES/00467-tarfile-cve-2025-8194.patch

@@ -1,215 +0,0 @@
-From 738482c8b9a8a8f3ccdb678ad508a86d702a6751 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Mon, 11 Aug 2025 13:39:27 +0200
-Subject: [PATCH] 00467: tarfile CVE-2025-8194
-
-tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
-
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
----
- Lib/tarfile.py                                |   3 +
- Lib/test/test_tarfile.py                      | 156 ++++++++++++++++++
- ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst |   3 +
- 3 files changed, 162 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 7d94b5c..3e03ebf 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1589,6 +1589,9 @@ class TarInfo(object):
-         """Round up a byte count by BLOCKSIZE and return it,
-            e.g. _block(834) => 1024.
-         """
-+        # Only non-negative offsets are allowed
-+        if count < 0:
-+            raise InvalidHeaderError("invalid offset")
-         blocks, remainder = divmod(count, BLOCKSIZE)
-         if remainder:
-             blocks += 1
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 01da819..0a7586a 100644
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -43,6 +43,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2")
- xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
- tmpname = os.path.join(TEMPDIR, "tmp.tar")
- dotlessname = os.path.join(TEMPDIR, "testtar")
-+SPACE = b" "
- 
- sha256_regtype = (
-     "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
-@@ -4018,6 +4019,161 @@ class TestExtractionFilters(unittest.TestCase):
-                 self.check_trusted_default(tar, tempdir)
- 
- 
-+class OffsetValidationTests(unittest.TestCase):
-+    tarname = tmpname
-+    invalid_posix_header = (
-+        # name: 100 bytes
-+        tarfile.NUL * tarfile.LENGTH_NAME
-+        # mode, space, null terminator: 8 bytes
-+        + b"000755" + SPACE + tarfile.NUL
-+        # uid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # gid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # size, space: 12 bytes
-+        + b"\xff" * 11 + SPACE
-+        # mtime, space: 12 bytes
-+        + tarfile.NUL * 11 + SPACE
-+        # chksum: 8 bytes
-+        + b"0011407" + tarfile.NUL
-+        # type: 1 byte
-+        + tarfile.REGTYPE
-+        # linkname: 100 bytes
-+        + tarfile.NUL * tarfile.LENGTH_LINK
-+        # magic: 6 bytes, version: 2 bytes
-+        + tarfile.POSIX_MAGIC
-+        # uname: 32 bytes
-+        + tarfile.NUL * 32
-+        # gname: 32 bytes
-+        + tarfile.NUL * 32
-+        # devmajor, space, null terminator: 8 bytes
-+        + tarfile.NUL * 6 + SPACE + tarfile.NUL
-+        # devminor, space, null terminator: 8 bytes
-+        + tarfile.NUL * 6 + SPACE + tarfile.NUL
-+        # prefix: 155 bytes
-+        + tarfile.NUL * tarfile.LENGTH_PREFIX
-+        # padding: 12 bytes
-+        + tarfile.NUL * 12
-+    )
-+    invalid_gnu_header = (
-+        # name: 100 bytes
-+        tarfile.NUL * tarfile.LENGTH_NAME
-+        # mode, null terminator: 8 bytes
-+        + b"0000755" + tarfile.NUL
-+        # uid, null terminator: 8 bytes
-+        + b"0000001" + tarfile.NUL
-+        # gid, space, null terminator: 8 bytes
-+        + b"0000001" + tarfile.NUL
-+        # size, space: 12 bytes
-+        + b"\xff" * 11 + SPACE
-+        # mtime, space: 12 bytes
-+        + tarfile.NUL * 11 + SPACE
-+        # chksum: 8 bytes
-+        + b"0011327" + tarfile.NUL
-+        # type: 1 byte
-+        + tarfile.REGTYPE
-+        # linkname: 100 bytes
-+        + tarfile.NUL * tarfile.LENGTH_LINK
-+        # magic: 8 bytes
-+        + tarfile.GNU_MAGIC
-+        # uname: 32 bytes
-+        + tarfile.NUL * 32
-+        # gname: 32 bytes
-+        + tarfile.NUL * 32
-+        # devmajor, null terminator: 8 bytes
-+        + tarfile.NUL * 8
-+        # devminor, null terminator: 8 bytes
-+        + tarfile.NUL * 8
-+        # padding: 167 bytes
-+        + tarfile.NUL * 167
-+    )
-+    invalid_v7_header = (
-+        # name: 100 bytes
-+        tarfile.NUL * tarfile.LENGTH_NAME
-+        # mode, space, null terminator: 8 bytes
-+        + b"000755" + SPACE + tarfile.NUL
-+        # uid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # gid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # size, space: 12 bytes
-+        + b"\xff" * 11 + SPACE
-+        # mtime, space: 12 bytes
-+        + tarfile.NUL * 11 + SPACE
-+        # chksum: 8 bytes
-+        + b"0010070" + tarfile.NUL
-+        # type: 1 byte
-+        + tarfile.REGTYPE
-+        # linkname: 100 bytes
-+        + tarfile.NUL * tarfile.LENGTH_LINK
-+        # padding: 255 bytes
-+        + tarfile.NUL * 255
-+    )
-+    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
-+    data_block = b"\xff" * tarfile.BLOCKSIZE
-+
-+    def _write_buffer(self, buffer):
-+        with open(self.tarname, "wb") as f:
-+            f.write(buffer)
-+
-+    def _get_members(self, ignore_zeros=None):
-+        with open(self.tarname, "rb") as f:
-+            with tarfile.open(
-+                mode="r", fileobj=f, ignore_zeros=ignore_zeros
-+            ) as tar:
-+                return tar.getmembers()
-+
-+    def _assert_raises_read_error_exception(self):
-+        with self.assertRaisesRegex(
-+            tarfile.ReadError, "file could not be opened successfully"
-+        ):
-+            self._get_members()
-+
-+    def test_invalid_offset_header_validations(self):
-+        for tar_format, invalid_header in (
-+            ("posix", self.invalid_posix_header),
-+            ("gnu", self.invalid_gnu_header),
-+            ("v7", self.invalid_v7_header),
-+        ):
-+            with self.subTest(format=tar_format):
-+                self._write_buffer(invalid_header)
-+                self._assert_raises_read_error_exception()
-+
-+    def test_early_stop_at_invalid_offset_header(self):
-+        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
-+        self._write_buffer(buffer)
-+        members = self._get_members()
-+        self.assertEqual(len(members), 1)
-+        self.assertEqual(members[0].name, "filename")
-+        self.assertEqual(members[0].offset, 0)
-+
-+    def test_ignore_invalid_archive(self):
-+        # 3 invalid headers with their respective data
-+        buffer = (self.invalid_gnu_header + self.data_block) * 3
-+        self._write_buffer(buffer)
-+        members = self._get_members(ignore_zeros=True)
-+        self.assertEqual(len(members), 0)
-+
-+    def test_ignore_invalid_offset_headers(self):
-+        for first_block, second_block, expected_offset in (
-+            (
-+                (self.valid_gnu_header),
-+                (self.invalid_gnu_header + self.data_block),
-+                0,
-+            ),
-+            (
-+                (self.invalid_gnu_header + self.data_block),
-+                (self.valid_gnu_header),
-+                1024,
-+            ),
-+        ):
-+            self._write_buffer(first_block + second_block)
-+            members = self._get_members(ignore_zeros=True)
-+            self.assertEqual(len(members), 1)
-+            self.assertEqual(members[0].name, "filename")
-+            self.assertEqual(members[0].offset, expected_offset)
-+
-+
- def setUpModule():
-     support.unlink(TEMPDIR)
-     os.makedirs(TEMPDIR)
-diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-new file mode 100644
-index 0000000..342cabb
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-@@ -0,0 +1,3 @@
-+:mod:`tarfile` now validates archives to ensure member offsets are
-+non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
-+:gh:`130577`.)
--- 
-2.50.1
-

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

python3.rpmlintrc

@@ -0,0 +1,67 @@
+# KNOWN BUGS:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1489816
+addFilter(r'crypto-policy-non-compliance-openssl')
+
+
+# TESTS:
+addFilter(r'(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3.\d/test')
+
+
+# OTHER DELIBERATES:
+# chroot function
+addFilter(r'missing-call-to-chdir-with-chroot')
+
+# intentionally unversioned and selfobsoleted
+addFilter(r'unversioned-explicit-obsoletes python')
+addFilter(r'self-obsoletion python3\d obsoletes python3\d')
+
+# intentionally hardcoded
+addFilter(r'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})')
+
+# we have non binary stuff, python files
+addFilter(r'only-non-binary-in-usr-lib')
+
+# some devel files that are deliberately needed
+addFilter(r'devel-file-in-non-devel-package /usr/include/python3\.\dm/pyconfig-(32|64)\.h')
+addFilter(r'devel-file-in-non-devel-package /usr/lib64/python3\.\d/distutils/tests/xxmodule\.c')
+
+
+# SORRY, NOT SORRY:
+# manual pages
+addFilter(r'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3-debug|pathfix\.py)')
+addFilter(r'no-manual-page-for-binary python3.*-config$')
+addFilter(r'no-manual-page-for-binary python3.\dd?m$')
+
+# missing documentation from subpackages
+addFilter(r'^python3\d?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation')
+
+# platform python is obsoleted, but not provided
+addFilter(r'obsolete-not-provided platform-python')
+
+
+# RPMLINT IMPERFECTIONS:
+# ifarch applied patches are OK
+# https://fedoraproject.org/wiki/Packaging:Guidelines#Architecture_Support
+addFilter(r'%ifarch-applied-patch')
+
+# debugsource
+addFilter(r'^python3\d?-debugsource\.[^:]+: (E|W): no-documentation')
+
+# debuginfo
+addFilter(r'^python3\d?-debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
+
+# this is OK for F28+
+addFilter(r'library-without-ldconfig-post')
+
+# debug package contains devel and non-devel files
+addFilter(r'python3\d?-debug.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package')
+
+# this goes to other subpackage, hence not actually dangling, the read error is bogus
+addFilter(r'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\ddm\.pc python-3\.\d\.pc')
+addFilter(r'read-error /usr/lib(64)?/pkgconfig/python-3\.\ddm\.pc \[Errno 2\]')
+
+# we need this macro to evaluate, even if the line starts with #
+addFilter(r'macro-in-comment %\{_pyconfig(32|64)_h\}')
+
+# SPELLING ERRORS
+addFilter(r'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ')

python3.spec

@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 71%{?dist}
+Release: 67%{?dist}
 License: Python
 
 
@@ -904,43 +904,6 @@ Patch435: 00435-cve-2024-6923.patch
 # Cherry-picked from 3.8.
 Patch437: 00437-cve-2024-6232.patch
 
-# 00443 # 49e939f29e3551ec4e7bdb2cc8b8745e3d1fca35
-# gh-124651: Quote template strings in `venv` activation scripts
-#
-# (cherry picked from 3.9)
-Patch443: 00443-gh-124651-quote-template-strings-in-venv-activation-scripts.patch
-
-# 00444 # fed0071c8c86599091f93967a5fa2cce42ceb840
-# Security fix for CVE-2024-11168
-#
-# gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849)
-#
-# Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses.
-Patch444: 00444-security-fix-for-cve-2024-11168.patch
-
-# 00465 #
-# Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 on tarfile
-#
-# The backported fixes do not contain changes for ntpath.py and related tests,
-# because the support for symlinks and junctions were added later in Python 3.9,
-# and it does not make sense to backport them to 3.6 here.
-#
-# The patch consist of the following commits:
-# - https://github.com/python/cpython/commit/9d2c2a8e3b8fe18ee1568bfa4a419847b3e78575
-#   fixes handling of existing files/symlinks in tarfile
-# - https://github.com/python/cpython/commit/00af9794dd118f7b835dd844b2b609a503ad951e
-#   adds a new "strict" argument to realpath()
-# - https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1
-#   fixes multiple CVE fixes in the tarfile module
-# - downstream only patch that makes the changes work and compatible with Python 3.6
-Patch465: 00465-tarfile-cves.patch
-
-# 00467 #
-# tarfile CVE-2025-8194
-#
-# tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
-Patch467: 00467-tarfile-cve-2025-8194.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1272,7 +1235,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch346 -p1
 
 # Patch 351 adds binary file for testing. We need to apply it using Git.
-GIT_DIR=$PWD git apply %{PATCH351}
+git apply %{PATCH351}
 
 %patch352 -p1
 %patch353 -p1
@@ -1308,10 +1271,6 @@ GIT_DIR=$PWD git apply %{PATCH351}
 %patch431 -p1
 %patch435 -p1
 %patch437 -p1
-%patch443 -p1
-%patch444 -p1
-%patch465 -p1
-%patch467 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -2243,22 +2202,6 @@ fi
 # ======================================================
 
 %changelog
-* Mon Aug 11 2025 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-71
-- Security fix for CVE-2025-8194
-Resolves: RHEL-106333
-
-* Tue Jun 24 2025 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-70
-- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
-Resolves: RHEL-98030, RHEL-97987, RHEL-98232, RHEL-98065, RHEL-98189
-
-* Thu Nov 14 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-69
-- Security fix for CVE-2024-11168
-Resolves: RHEL-67252
-
-* Tue Nov 05 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-68
-- Security fix for CVE-2024-9287
-Resolves: RHEL-64878
-
 * Thu Sep 05 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-67
 - Security fix for CVE-2024-6232
 Resolves: RHEL-57399

rpminspect.yaml

@@ -0,0 +1,41 @@
+# exclude test XML data (not always valid) from XML validity check:
+xml:
+    ignore:
+        - /usr/lib*/python*/test/xmltestdata/*
+        - /usr/lib*/python*/test/xmltestdata/*/*
+
+# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
+badfuncs:
+    allowed:
+        /usr/lib*/python*/lib-dynload/_socket.*:
+            - inet_aton
+            - inet_ntoa
+
+# exclude the debug build from annocheck entirely
+annocheck:
+    ignore:
+        - /usr/bin/python*d
+        - /usr/lib*/libpython*d.so.1.0
+        - /usr/lib*/python*/lib-dynload/*.cpython-*d-*-*-*.so
+
+# don't report changed content of compiled files
+# that is expected with every toolchain update and not reproducible yet
+changedfiles:
+    # note that this is a posix regex, so no \d
+    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
+
+# files change size all the time, we don't need to VERIFY it
+# however, the INFO is useful, so we don't disable the check entirely
+filesize:
+    # artificially large number, TODO a better way
+    size_threshold: 100000
+
+debuginfo:
+    ignore:
+        # libpython3.so doesn't contain compiled code
+        - /usr/lib/debug/usr/lib*/libpython3.so*debug
+
+# completely disabled inspections:
+inspections:
+    # we know about our patches, no need to report anything
+    patches: off

sources

@@ -0,0 +1 @@
+SHA512 (Python-3.6.8-noexe.tar.xz) = 469a05b9d1f5338e870bb582c1ea71e03584d67fb37c0e59ed32a60ae10af9e5d031cbb40853a2261919dabbcd0c6223a0671e3b1c532398a6e599acecaa1cd1