rpms/python38
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python38-3.8.6-3.module+el8.4.0+9579+e9717e18

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:51:28 -04:00 committed by Andrew Lukoshko
parent 798f38d780
commit 44ea086d80
14 changed files with 504 additions and 12001 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.8.3.tar.xz
SOURCES/Python-3.8.6-noexe.tar.xz

2
.python38.metadata
View File

@ -1 +1 @@
3bafa40df1cd069c112761c388a9f2e94b5d33dd SOURCES/Python-3.8.3.tar.xz
e77d08894869ecf483e9f945663f75316ad68bf1 SOURCES/Python-3.8.6-noexe.tar.xz

20
SOURCES/00189-use-rpm-wheels.patch
View File

@ -1,15 +1,18 @@
From 36f1f2b4620b13bdc7ac1c349253ac07960c33b3 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Wed, 15 Aug 2018 15:36:29 +0200
Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
We keep them in /usr/share/python-wheels
Downstream only: upstream bundles
We might eventually pursuit upstream support, but it's low prio
---
Lib/ensurepip/__init__.py | 32 ++++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
index 566fb2a096..47da08d3d5 100644
index 9415fd73b8..f58dab1800 100644
--- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py
@@ -1,6 +1,7 @@
@ -27,10 +30,10 @@ index 566fb2a096..47da08d3d5 100644
+_WHEEL_DIR = "/usr/share/python38-wheels/"
-_SETUPTOOLS_VERSION = "41.2.0"
-_SETUPTOOLS_VERSION = "49.2.1"
+_wheels = {}
-_PIP_VERSION = "19.2.3"
-_PIP_VERSION = "20.2.1"
+def _get_most_recent_wheel_version(pkg):
+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))
+ _wheels[pkg] = {}
@ -47,12 +50,12 @@ index 566fb2a096..47da08d3d5 100644
+_PIP_VERSION = _get_most_recent_wheel_version("pip")
_PROJECTS = [
("setuptools", _SETUPTOOLS_VERSION),
("setuptools", _SETUPTOOLS_VERSION, "py3"),
@@ -105,13 +120,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
# additional paths that need added to sys.path
additional_paths = []
for project, version in _PROJECTS:
- wheel_name = "{}-{}-py2.py3-none-any.whl".format(project, version)
for project, version, py_tag in _PROJECTS:
- wheel_name = "{}-{}-{}-none-any.whl".format(project, version, py_tag)
- whl = pkgutil.get_data(
- "ensurepip",
- "_bundled/{}".format(wheel_name),
@ -66,6 +69,3 @@ index 566fb2a096..47da08d3d5 100644
additional_paths.append(os.path.join(tmpdir, wheel_name))
--
2.26.2

86
SOURCES/00274-fix-arch-names.patch
View File

@ -1,86 +0,0 @@
From 3172104314227af128f3ce68e9650663a7c1268c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 28 Aug 2017 17:16:46 +0200
Subject: [PATCH] 00274: Upstream uses Debian-style architecture naming, change
to match Fedora
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Petr Viktorin <pviktori@redhat.com>
Co-authored-by: Miro Hrončok <miro@hroncok.cz>
Co-authored-by: Tomas Orsava <torsava@redhat.com>
---
config.sub | 2 +-
configure.ac | 16 ++++++++--------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/config.sub b/config.sub
index ba37cf99e2..52a9ec6662 100755
--- a/config.sub
+++ b/config.sub
@@ -1042,7 +1042,7 @@ case $basic_machine in
;;
ppc64) basic_machine=powerpc64-unknown
;;
- ppc64-*) basic_machine=powerpc64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
+ ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo "$basic_machine" | sed 's/^[^-]*-//'`
;;
ppc64le | powerpc64little)
basic_machine=powerpc64le-unknown
diff --git a/configure.ac b/configure.ac
index 477a5ff1cb..aea27ef86a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -747,9 +747,9 @@ cat >> conftest.c <<EOF
alpha-linux-gnu
# elif defined(__ARM_EABI__) && defined(__ARM_PCS_VFP)
# if defined(__ARMEL__)
- arm-linux-gnueabihf
+ arm-linux-gnueabi
# else
- armeb-linux-gnueabihf
+ armeb-linux-gnueabi
# endif
# elif defined(__ARM_EABI__) && !defined(__ARM_PCS_VFP)
# if defined(__ARMEL__)
@@ -789,7 +789,7 @@ cat >> conftest.c <<EOF
# elif _MIPS_SIM == _ABIN32
mips64el-linux-gnuabin32
# elif _MIPS_SIM == _ABI64
- mips64el-linux-gnuabi64
+ mips64el-linux-gnu
# else
# error unknown platform triplet
# endif
@@ -799,22 +799,22 @@ cat >> conftest.c <<EOF
# elif _MIPS_SIM == _ABIN32
mips64-linux-gnuabin32
# elif _MIPS_SIM == _ABI64
- mips64-linux-gnuabi64
+ mips64-linux-gnu
# else
# error unknown platform triplet
# endif
# elif defined(__or1k__)
or1k-linux-gnu
# elif defined(__powerpc__) && defined(__SPE__)
- powerpc-linux-gnuspe
+ ppc-linux-gnuspe
# elif defined(__powerpc64__)
# if defined(__LITTLE_ENDIAN__)
- powerpc64le-linux-gnu
+ ppc64le-linux-gnu
# else
- powerpc64-linux-gnu
+ ppc64-linux-gnu
# endif
# elif defined(__powerpc__)
- powerpc-linux-gnu
+ ppc-linux-gnu
# elif defined(__s390x__)
s390x-linux-gnu
# elif defined(__s390__)
--
2.26.2

178
SOURCES/00329-fips.patch
View File

@ -1,4 +1,4 @@
From eba7874ad8a269c1e6e7f56a3f1d759448a0ea83 Mon Sep 17 00:00:00 2001
From 7b70e87ecc1a75f005bdffd644ceca6c9e9679fa Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 16:19:52 +0200
Subject: [PATCH 01/36] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode()
@ -26,7 +26,7 @@ index 56873b7..63ae836 100644
for __func_name in __always_supported:
# try them all, some may not work due to the OpenSSL
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 3e5f9c3..d38aae9 100644
index edadbcb..9874b06 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -26,6 +26,9 @@
@ -36,10 +36,10 @@ index 3e5f9c3..d38aae9 100644
+/* Expose FIPS_mode */
+#include <openssl/crypto.h>
+
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
/* OpenSSL < 1.1.0 */
#define EVP_MD_CTX_new EVP_MD_CTX_create
@@ -1068,12 +1071,46 @@ generate_hash_name_list(void)
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
@@ -1072,12 +1075,46 @@ generate_hash_name_list(void)
return state.set;
}
@ -126,7 +126,7 @@ index 9aaea47..30fd8a9 100644
2.25.4
From 692168044948a41211bb0efabacf0cbfade8db14 Mon Sep 17 00:00:00 2001
From 4e1fa0339c257987984caa278516d46c35463385 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 25 Jul 2019 17:04:06 +0200
Subject: [PATCH 02/36] Use python's fall backs for the crypto it implements
@ -425,7 +425,7 @@ index 8b53d23..e9abcbb 100644
2.25.4
From 25b2075a04c0622cd11b8ea986d7d817a1a5d375 Mon Sep 17 00:00:00 2001
From 91b5c97d586a98cb95e215ecd2c02b18c8783e7a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 17:19:06 +0200
Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode,
@ -438,8 +438,8 @@ Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode,
Modules/_blake2/blake2s_impl.c | 5 +++
Modules/_hashopenssl.c | 37 +------------------
Modules/_sha3/sha3module.c | 5 +++
setup.py | 48 +++++++++++++------------
7 files changed, 110 insertions(+), 59 deletions(-)
setup.py | 47 ++++++++++++------------
7 files changed, 110 insertions(+), 58 deletions(-)
create mode 100644 Include/_hashopenssl.h
diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h
@ -596,7 +596,7 @@ index ef2f7e1..389711a 100644
if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index d38aae9..10a987d 100644
index 9874b06..d733a39 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -17,6 +17,7 @@
@ -616,9 +616,9 @@ index d38aae9..10a987d 100644
-/* Expose FIPS_mode */
-#include <openssl/crypto.h>
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
/* OpenSSL < 1.1.0 */
@@ -65,38 +62,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype"
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
@@ -69,38 +66,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype"
[clinic start generated code]*/
/*[clinic end generated code: output=da39a3ee5e6b4b0d input=a881a5092eecad28]*/
@ -695,7 +695,7 @@ index c1fb618..34d09b4 100644
return NULL;
}
diff --git a/setup.py b/setup.py
index 024a103..a16961e 100644
index 84f7300..06d1ce6 100644
--- a/setup.py
+++ b/setup.py
@@ -1688,7 +1688,6 @@ class PyBuildExt(build_ext):
@ -785,24 +785,24 @@ index 024a103..a16961e 100644
+ # don't build Python's implementations.
+ # sha3 and blake2 have extra functionality, so do build those:
blake2_deps = glob(os.path.join(self.srcdir,
blake2_deps = glob(os.path.join(escape(self.srcdir),
'Modules/_blake2/impl/*'))
@@ -2264,14 +2264,16 @@ class PyBuildExt(build_ext):
@@ -2264,6 +2264,7 @@ class PyBuildExt(build_ext):
['_blake2/blake2module.c',
'_blake2/blake2b_impl.c',
'_blake2/blake2s_impl.c'],
- depends=blake2_deps))
+ **self.detect_openssl_args(),
+ depends=blake2_deps))
+ **self.detect_openssl_args(),
depends=blake2_deps))
sha3_deps = glob(os.path.join(self.srcdir,
'Modules/_sha3/kcp/*'))
sha3_deps = glob(os.path.join(escape(self.srcdir),
@@ -2271,7 +2272,9 @@ class PyBuildExt(build_ext):
sha3_deps.append('hashlib.h')
self.add(Extension('_sha3',
['_sha3/sha3module.c'],
- depends=sha3_deps))
+ **self.detect_openssl_args(),
+ depends=sha3_deps + ['hashlib.h']))
+
def detect_nis(self):
if MS_WINDOWS or CYGWIN or HOST_PLATFORM == 'qnx6':
@ -810,7 +810,7 @@ index 024a103..a16961e 100644
2.25.4
From 97d839b2d8c03a7b428907e51a44269fdfe3a48d Mon Sep 17 00:00:00 2001
From d9b8f21a1b5feb177ece4c595ce8b639f02548c8 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 12 Dec 2019 16:58:31 +0100
Subject: [PATCH 04/36] Expose all hashes available to OpenSSL
@ -821,10 +821,10 @@ Subject: [PATCH 04/36] Expose all hashes available to OpenSSL
2 files changed, 447 insertions(+), 1 deletion(-)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 10a987d..e10dbd7 100644
index d733a39..6982268 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -190,6 +190,12 @@ py_digest_by_name(const char *name)
@@ -194,6 +194,12 @@ py_digest_by_name(const char *name)
else if (!strcmp(name, "blake2b512")) {
digest = EVP_blake2b512();
}
@ -837,7 +837,7 @@ index 10a987d..e10dbd7 100644
#endif
}
@@ -708,6 +714,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj)
@@ -712,6 +718,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj)
return EVP_fast_new(module, data_obj, EVP_sha512());
}
@ -980,7 +980,7 @@ index 10a987d..e10dbd7 100644
/*[clinic input]
_hashlib.pbkdf2_hmac as pbkdf2_hmac
@@ -1083,6 +1225,14 @@ static struct PyMethodDef EVP_functions[] = {
@@ -1087,6 +1229,14 @@ static struct PyMethodDef EVP_functions[] = {
_HASHLIB_OPENSSL_SHA256_METHODDEF
_HASHLIB_OPENSSL_SHA384_METHODDEF
_HASHLIB_OPENSSL_SHA512_METHODDEF
@ -1312,7 +1312,7 @@ index 30fd8a9..e96a752 100644
2.25.4
From b681f084a48d5f2f3eb5257b33e968268850ea7b Mon Sep 17 00:00:00 2001
From d4c78750ffb431fe34a18aab7cdf84d3a68d7fc1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 18:13:45 +0200
Subject: [PATCH 05/36] Fix tests
@ -1444,7 +1444,7 @@ index e9abcbb..2a55fd4 100644
2.25.4
From 78dea79c8a284940a5d5997646745cb29f74d720 Mon Sep 17 00:00:00 2001
From 4ec7034d73e681041758fc80f75e061c0e506449 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 11:27:57 +0200
Subject: [PATCH 06/36] Change FIPS exceptions from _blake2, _sha3 module init
@ -1586,7 +1586,7 @@ index 34d09b4..3079e1e 100644
2.25.4
From be76f342f801a674fdbb622fd6e096bd7a09e1e6 Mon Sep 17 00:00:00 2001
From ed6f93218c2190d34ee0b0f4c7599d306708449f Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 11:24:09 +0200
Subject: [PATCH 07/36] Make hashlib importable under FIPS mode
@ -1621,7 +1621,7 @@ index 1bcfdf9..898e6dc 100644
2.25.4
From 15b34c0943d79ec7d236a5eefab636a288dc0ae1 Mon Sep 17 00:00:00 2001
From 66c5862bb09586168caac4d6ba6142ed3198fe1d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 15:41:10 +0200
Subject: [PATCH 08/36] Implement hmac.new using new built-in module,
@ -2249,7 +2249,7 @@ index 0000000..b472a6e
+}
+/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/
diff --git a/setup.py b/setup.py
index a16961e..3d2465d 100644
index 06d1ce6..ca8bc2b 100644
--- a/setup.py
+++ b/setup.py
@@ -2251,6 +2251,10 @@ class PyBuildExt(build_ext):
@ -2267,7 +2267,7 @@ index a16961e..3d2465d 100644
2.25.4
From f72ffcdcee6c59aa61a8df4a3bf6633d200d6417 Mon Sep 17 00:00:00 2001
From 6ec3a1afd87a3aa411a19727e212ebf81fee49cc Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Mon, 29 Jul 2019 12:45:11 +0200
Subject: [PATCH 09/36] FIPS review
@ -2482,7 +2482,7 @@ index ca95d72..216ed04 100644
2.25.4
From 408a7d606654249f4aaa2c26cd960b770429229c Mon Sep 17 00:00:00 2001
From 8645a4cf6ee2ad10fac3d081da78eabb06099a9c Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Mon, 29 Jul 2019 13:05:04 +0200
Subject: [PATCH 10/36] revert cosmetic nitpick and remove trailing whitespace
@ -2531,7 +2531,7 @@ index 216ed04..221714c 100644
2.25.4
From 6ed4037723b1ac437cfd8401355350ef5c47f0e1 Mon Sep 17 00:00:00 2001
From d80ae6ac0abf1e0ca5a32ff80343e927587cf5a6 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Wed, 31 Jul 2019 15:43:43 +0200
Subject: [PATCH 11/36] Add initial tests for various hashes under FIPS mode
@ -2615,7 +2615,7 @@ index 0000000..bee911e
2.25.4
From 2548227dff8ae23fb7d3dd45b6e044ff17796547 Mon Sep 17 00:00:00 2001
From 414c04713ad89bdeeb7a074f953c0085d541eae6 Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Thu, 1 Aug 2019 16:39:37 +0200
Subject: [PATCH 12/36] Initialize HMAC type.
@ -2684,7 +2684,7 @@ index 221714c..239445a 100644
2.25.4
From 4d40c61ed97eae9169df2e526d935d4997902f97 Mon Sep 17 00:00:00 2001
From 0157b52ac7f15610526497f9188eb84ed3846993 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 1 Aug 2019 17:57:05 +0200
Subject: [PATCH 13/36] Use a stronger hash in multiprocessing handshake
@ -2696,7 +2696,7 @@ https://bugs.python.org/issue17258
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
index c9f995e..64180b2 100644
index 8e2facf..bb4acb6 100644
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -42,6 +42,10 @@ BUFSIZE = 8192
@ -2710,7 +2710,7 @@ index c9f995e..64180b2 100644
_mmap_counter = itertools.count()
default_family = 'AF_INET'
@@ -735,7 +739,7 @@ def deliver_challenge(connection, authkey):
@@ -736,7 +740,7 @@ def deliver_challenge(connection, authkey):
"Authkey must be bytes, not {0!s}".format(type(authkey)))
message = os.urandom(MESSAGE_LENGTH)
connection.send_bytes(CHALLENGE + message)
@ -2719,7 +2719,7 @@ index c9f995e..64180b2 100644
response = connection.recv_bytes(256) # reject large message
if response == digest:
connection.send_bytes(WELCOME)
@@ -751,7 +755,7 @@ def answer_challenge(connection, authkey):
@@ -752,7 +756,7 @@ def answer_challenge(connection, authkey):
message = connection.recv_bytes(256) # reject large message
assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
message = message[len(CHALLENGE):]
@ -2732,7 +2732,7 @@ index c9f995e..64180b2 100644
2.25.4
From bc917ee79da1166e9ff94e76bbb2a64044db2fc0 Mon Sep 17 00:00:00 2001
From 3730b4186cf708bb8ea528c22734d4c1176fc9ad Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Fri, 2 Aug 2019 17:36:01 +0200
Subject: [PATCH 14/36] Fix refcounting
@ -2806,7 +2806,7 @@ index 239445a..9c28828 100644
2.25.4
From 5807870fbc69dcd107a2fac7ce58da052d5e7fea Mon Sep 17 00:00:00 2001
From 1873bfe385a1b952ba11c2b2f15755353f2411df Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 13:37:05 +0200
Subject: [PATCH 15/36] hmac: Don't default to md5 in FIPS mode
@ -2832,7 +2832,7 @@ index daabc8c..0302364 100644
2.25.4
From 04a69823b36ee8626aa74b40d5a631dd09759451 Mon Sep 17 00:00:00 2001
From f77c854b9c5aab3e2bb517b6d0c08197a116efb1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 14:20:58 +0200
Subject: [PATCH 16/36] Make _hmacopenssl.HMAC subclassable; subclass it as
@ -3123,7 +3123,7 @@ index b472a6e..861acc1 100644
2.25.4
From e0cbbc9dac64f173baa5348cf3608536ea8aea70 Mon Sep 17 00:00:00 2001
From b357a1f823b7b231d1a8bc149b5a950246350d3c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 16:10:36 +0200
Subject: [PATCH 17/36] Fix _hmacopenssl.HMAC.block_size
@ -3149,7 +3149,7 @@ index 7d3d973..a24c8ba 100644
2.25.4
From d90c5c55ad983d84b09b366d4b62f06aa535fad6 Mon Sep 17 00:00:00 2001
From ee03c8ff14206070a7e4e4d13c4b067bcf25193d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 15:02:08 +0200
Subject: [PATCH 18/36] distutils upload: Skip md5 checksum in FIPS mode
@ -3231,7 +3231,7 @@ index c17d8e7..b4b64e9 100644
2.25.4
From 885f7b41697f252260a67d78ca8c46450843fa5e Mon Sep 17 00:00:00 2001
From fd0fd3310ff7c7dae0ea4377b71928ca3e242a21 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 15:32:25 +0200
Subject: [PATCH 19/36] Fix HMAC tests on FIPS mode
@ -3324,7 +3324,7 @@ index 23c108f..0a85981 100644
2.25.4
From 288d91b4752801264b37f7e94d964e1dffdee562 Mon Sep 17 00:00:00 2001
From e0c4dfcfc3070d0b3b25f77357509b9daa5f9891 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 16:37:12 +0200
Subject: [PATCH 20/36] test_tools: Skip md5sum tests in FIPS mode
@ -3357,7 +3357,7 @@ index fb565b7..7028a4d 100644
2.25.4
From 2c89b2e465e60558e0e066cc42a087ee6f31d520 Mon Sep 17 00:00:00 2001
From 510915020bb7c7c91d297fb3330ee9be3ee16b6f Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 18:23:57 +0200
Subject: [PATCH 21/36] Make hashlib tests pass in FIPS mode
@ -3552,7 +3552,7 @@ index 2a55fd4..9ae5efc 100644
2.25.4
From 14f26f4f378718024d0b0f300ab2f84429d23044 Mon Sep 17 00:00:00 2001
From de9997db1f55fe4c70f0a5c4fe5b497e8c6839a2 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 14 Aug 2019 14:43:07 +0200
Subject: [PATCH 22/36] distutils upload: only add md5 if available, but
@ -3622,7 +3622,7 @@ index b4b64e9..f720a79 100644
2.25.4
From 24e57cc45dc18146a583257e5825d6b6e672742d Mon Sep 17 00:00:00 2001
From 30407ef6fd2fb0fcb950cab57d4bd23121ef9084 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 13 Sep 2019 02:30:00 +0200
Subject: [PATCH 23/36] bpo-9216: Add usedforsecurity to hashlib constructors
@ -3728,10 +3728,10 @@ index 9ae5efc..08bb91f 100644
self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam')
self.assertRaises(TypeError, hashlib.new, 1)
diff --git a/Lib/uuid.py b/Lib/uuid.py
index 188e16b..5f3bc9e 100644
index 9540c21..be724ba 100644
--- a/Lib/uuid.py
+++ b/Lib/uuid.py
@@ -772,8 +772,11 @@ def uuid1(node=None, clock_seq=None):
@@ -774,8 +774,11 @@ def uuid1(node=None, clock_seq=None):
def uuid3(namespace, name):
"""Generate a UUID from the MD5 hash of a namespace UUID and a name."""
from hashlib import md5
@ -3944,10 +3944,10 @@ index 560bd68..71c5706 100644
-/*[clinic end generated code: output=39af5a74c8805b36 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=c80d8d06ce40a192 input=a9049054013a1b77]*/
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index e10dbd7..29c1bd8 100644
index 6982268..a1f81eb 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -517,7 +517,7 @@ static PyTypeObject EVPtype = {
@@ -521,7 +521,7 @@ static PyTypeObject EVPtype = {
\
static PyObject *
EVPnew(const EVP_MD *digest,
@ -3956,7 +3956,7 @@ index e10dbd7..29c1bd8 100644
{
int result = 0;
EVPobject *self;
@@ -530,6 +530,12 @@ EVPnew(const EVP_MD *digest,
@@ -534,6 +534,12 @@ EVPnew(const EVP_MD *digest,
if ((self = newEVPobject()) == NULL)
return NULL;
@ -3969,7 +3969,7 @@ index e10dbd7..29c1bd8 100644
if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) {
_setException(PyExc_ValueError);
Py_DECREF(self);
@@ -561,6 +567,8 @@ _hashlib.new as EVP_new
@@ -565,6 +571,8 @@ _hashlib.new as EVP_new
name as name_obj: object
string as data_obj: object(c_default="NULL") = b''
@ -3978,7 +3978,7 @@ index e10dbd7..29c1bd8 100644
Return a new hash object using the named algorithm.
@@ -571,8 +579,9 @@ The MD5 and SHA1 algorithms are always supported.
@@ -575,8 +583,9 @@ The MD5 and SHA1 algorithms are always supported.
[clinic start generated code]*/
static PyObject *
@ -3990,7 +3990,7 @@ index e10dbd7..29c1bd8 100644
{
Py_buffer view = { 0 };
PyObject *ret_obj;
@@ -589,7 +598,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
@@ -593,7 +602,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
digest = py_digest_by_name(name);
@ -4001,7 +4001,7 @@ index e10dbd7..29c1bd8 100644
if (data_obj)
PyBuffer_Release(&view);
@@ -597,7 +608,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
@@ -601,7 +612,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
}
static PyObject*
@ -4011,7 +4011,7 @@ index e10dbd7..29c1bd8 100644
{
Py_buffer view = { 0 };
PyObject *ret_obj;
@@ -605,7 +617,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
@@ -609,7 +621,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
if (data_obj)
GET_BUFFER_VIEW_OR_ERROUT(data_obj, &view);
@ -4021,7 +4021,7 @@ index e10dbd7..29c1bd8 100644
if (data_obj)
PyBuffer_Release(&view);
@@ -617,16 +630,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
@@ -621,16 +634,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
_hashlib.openssl_md5
string as data_obj: object(py_default="b''") = NULL
@ -4044,7 +4044,7 @@ index e10dbd7..29c1bd8 100644
}
@@ -634,16 +650,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj)
@@ -638,16 +654,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha1
string as data_obj: object(py_default="b''") = NULL
@ -4067,7 +4067,7 @@ index e10dbd7..29c1bd8 100644
}
@@ -651,16 +670,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj)
@@ -655,16 +674,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha224
string as data_obj: object(py_default="b''") = NULL
@ -4090,7 +4090,7 @@ index e10dbd7..29c1bd8 100644
}
@@ -668,16 +690,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj)
@@ -672,16 +694,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha256
string as data_obj: object(py_default="b''") = NULL
@ -4113,7 +4113,7 @@ index e10dbd7..29c1bd8 100644
}
@@ -685,16 +710,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj)
@@ -689,16 +714,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha384
string as data_obj: object(py_default="b''") = NULL
@ -4136,7 +4136,7 @@ index e10dbd7..29c1bd8 100644
}
@@ -702,152 +730,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj)
@@ -706,152 +734,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha512
string as data_obj: object(py_default="b''") = NULL
@ -5729,7 +5729,7 @@ index 459a934..b8185b6 100644
-/*[clinic end generated code: output=580df4b667084a7e input=a9049054013a1b77]*/
+/*[clinic end generated code: output=bbfa72d8703c82b5 input=a9049054013a1b77]*/
diff --git a/Modules/md5module.c b/Modules/md5module.c
index b9a351a..f2c2d32 100644
index c2ebaaf..fdc4d7b 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -503,13 +503,15 @@ static PyTypeObject MD5type = {
@ -5856,7 +5856,7 @@ index 98b9791..df4f9d2 100644
2.25.4
From 372b2b63bf8ffb3201dc3c8d2488f6a5a55c5b21 Mon Sep 17 00:00:00 2001
From 095d8ea318b20b5d42ada0367ca770c15e6f6fa2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:09:39 +0200
Subject: [PATCH 24/36] Test the usedforsecurity flag
@ -6102,7 +6102,7 @@ index 08bb91f..1368e91 100644
2.25.4
From 7e2295b42d705d7d9cc0ccea472ff93bfa268b8c Mon Sep 17 00:00:00 2001
From 59b7e853d919380ca6c11655bbc7041ee395417d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 29 Aug 2019 10:25:28 +0200
Subject: [PATCH 25/36] Skip error checking in _hashlib.get_fips_mode
@ -6113,10 +6113,10 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 29c1bd8..d208f5c 100644
index a1f81eb..eff331b 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -1249,20 +1249,22 @@ _hashlib_get_fips_mode_impl(PyObject *module)
@@ -1253,20 +1253,22 @@ _hashlib_get_fips_mode_impl(PyObject *module)
/*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/
{
@ -6157,7 +6157,7 @@ index 29c1bd8..d208f5c 100644
2.25.4
From dd5f58152edbcac44bcb1cafbee511c44d60ff67 Mon Sep 17 00:00:00 2001
From 7f5432d72546f60078989b6cadf26cd51de84ebd Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 10 Oct 2019 13:04:50 +0200
Subject: [PATCH 26/36] Skip error checking in _Py_hashlib_fips_error
@ -6195,7 +6195,7 @@ index 47ed003..d4cbdef 100644
2.25.4
From c76f0df2561ae64952f347d294aec2866e6b0586 Mon Sep 17 00:00:00 2001
From 05f7188136bda8eeec06428aa4ddf9ab14a178a0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 19:12:38 +0200
Subject: [PATCH 27/36] Fixups
@ -6237,7 +6237,7 @@ index 0a85981..0b481ec 100644
2.25.4
From b6139620fa7aaf401ebd510a0dbca14629096f94 Mon Sep 17 00:00:00 2001
From 0f707443431d9dc22218be7208d940f4d42f122d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:39:48 +0200
Subject: [PATCH 28/36] Don't re-export get_fips_mode from hashlib
@ -6607,7 +6607,7 @@ index 1cb358f..6f5cb7f 100644
2.25.4
From 1de6c9e0e86e5c661ae32517492ecdf79a372e52 Mon Sep 17 00:00:00 2001
From 9515f9be3409fdc59cf9c09dd200917483e1651a Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 20 Nov 2019 10:59:25 +0100
Subject: [PATCH 29/36] Use FIPS compliant CSPRNG
@ -6624,7 +6624,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py
index 4a076e3..f60ad6d 100644
index 2a4ae15..5ad5bd6 100644
--- a/Lib/test/test_os.py
+++ b/Lib/test/test_os.py
@@ -1546,6 +1546,11 @@ class GetRandomTests(unittest.TestCase):
@ -6640,7 +6640,7 @@ index 4a076e3..f60ad6d 100644
def test_getrandom_type(self):
data = os.getrandom(16)
diff --git a/Makefile.pre.in b/Makefile.pre.in
index 72d202d..9c34f99 100644
index 917303d..ddfbfd0 100644
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR
@ -6653,7 +6653,7 @@ index 72d202d..9c34f99 100644
CFLAGS_ALIASING=@CFLAGS_ALIASING@
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
index 850769f..039392e 100644
index 726e372..9a1249a 100644
--- a/Modules/posixmodule.c
+++ b/Modules/posixmodule.c
@@ -388,6 +388,9 @@ extern char *ctermid_r(char *);
@ -6666,7 +6666,7 @@ index 850769f..039392e 100644
#if defined(__sun)
/* Something to implement in autoconf, not present in autoconf 2.69 */
#define HAVE_STRUCT_STAT_ST_FSTYPE 1
@@ -13388,6 +13391,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags)
@@ -13558,6 +13561,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags)
return posix_error();
}
@ -6679,7 +6679,7 @@ index 850769f..039392e 100644
if (bytes == NULL) {
PyErr_NoMemory();
diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c
index 43f5264..6716647 100644
index eb2b6d0..cb38cfe 100644
--- a/Python/bootstrap_hash.c
+++ b/Python/bootstrap_hash.c
@@ -409,6 +409,77 @@ dev_urandom_close(void)
@ -6775,7 +6775,7 @@ index 43f5264..6716647 100644
2.25.4
From 2af1274a6f6f7eb7aeb106007fd62e9fc889a86e Mon Sep 17 00:00:00 2001
From ba95383d9b37f252bd153674404dc4055d49bf82 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 28 Nov 2019 17:26:02 +0100
Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG
@ -6786,7 +6786,7 @@ Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG
2 files changed, 5 insertions(+), 31 deletions(-)
diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py
index f60ad6d..be057ad 100644
index 5ad5bd6..ae53de9 100644
--- a/Lib/test/test_os.py
+++ b/Lib/test/test_os.py
@@ -28,6 +28,7 @@ import time
@ -6807,7 +6807,7 @@ index f60ad6d..be057ad 100644
else:
raise
diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c
index 6716647..7466d5f 100644
index cb38cfe..08fa29a 100644
--- a/Python/bootstrap_hash.c
+++ b/Python/bootstrap_hash.c
@@ -409,40 +409,13 @@ dev_urandom_close(void)
@ -6874,7 +6874,7 @@ index 6716647..7466d5f 100644
2.25.4
From 17c962efe979581d12e1cf80a04b9538bdfe7c45 Mon Sep 17 00:00:00 2001
From 496a58146aa42b97661c5ea1afeaa223e8fd4ceb Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 2 Apr 2020 16:50:37 +0200
Subject: [PATCH 31/36] Do not raise a ValueError if digestmod is missing in
@ -6904,7 +6904,7 @@ index 5055027..ee1ad76 100644
2.25.4
From 4acd1c8665231881335b6036a8595ac3220c0220 Mon Sep 17 00:00:00 2001
From 3f346ea93c2504e169a2df21e2de206031a08600 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 2 Apr 2020 16:55:36 +0200
Subject: [PATCH 32/36] Regenerate the clinic files
@ -6991,7 +6991,7 @@ index 861acc1..527be83 100644
2.25.4
From 900bbdc1e2d9498829731da4591f1ea4a5602fa4 Mon Sep 17 00:00:00 2001
From f4465980ae75c0e56cd1edecf9a42fa38b9cd12a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 7 Apr 2020 15:16:45 +0200
Subject: [PATCH 33/36] Pass kwargs (like usedforsecurity) through __hash_new
@ -7026,7 +7026,7 @@ index 2fc214e..785858f 100644
2.25.4
From ab62e35c2c3a71b2ff50098966e654c91fb861d0 Mon Sep 17 00:00:00 2001
From 6c0ba219c01052f8b079ce67b89a75920b3aa867 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 7 Apr 2020 15:18:48 +0200
Subject: [PATCH 34/36] Adjust new upstream test for failing hashes with
@ -7072,7 +7072,7 @@ index a4b7840..a858bf4 100644
2.25.4
From 2b6bf1615e9e04a688f622e4b45e0e062a09578f Mon Sep 17 00:00:00 2001
From 041105f888785599e58213dfea55115a4e861d77 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 24 Apr 2020 19:57:16 +0200
Subject: [PATCH 35/36] Skip the test_with_digestmod_no_default under FIPS
@ -7118,7 +7118,7 @@ index cc77928..fd068e0 100644
2.25.4
From 65903540be85cbd6f188f6b5e69431859d0cbc0e Mon Sep 17 00:00:00 2001
From e20750200d560a549cbbf224ded74bb086ef3e66 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Tue, 31 Mar 2020 18:00:42 +0200
Subject: [PATCH 36/36] Add a sentinel value on the Hmac_members table of the

76
SOURCES/00350-sqlite-fix-deterministic-test.patch
View File

@ -1,76 +0,0 @@
commit 00a240bf7f95bbd220f1cfbf9eb58484a5f9681a
Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Fri May 29 05:46:34 2020 -0700
bpo-40784: Fix sqlite3 deterministic test (GH-20448)
(cherry picked from commit c610d970f5373b143bf5f5900d4645e6a90fb460)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
diff --git a/Lib/sqlite3/test/userfunctions.py b/Lib/sqlite3/test/userfunctions.py
index 9501f53..c11c82e 100644
--- a/Lib/sqlite3/test/userfunctions.py
+++ b/Lib/sqlite3/test/userfunctions.py
@@ -1,8 +1,7 @@
-#-*- coding: iso-8859-1 -*-
# pysqlite2/test/userfunctions.py: tests for user-defined functions and
# aggregates.
#
-# Copyright (C) 2005-2007 Gerhard Häring <gh@ghaering.de>
+# Copyright (C) 2005-2007 Gerhard Häring <gh@ghaering.de>
#
# This file is part of pysqlite.
#
@@ -158,6 +157,7 @@ class FunctionTests(unittest.TestCase):
self.con.create_function("isblob", 1, func_isblob)
self.con.create_function("islonglong", 1, func_islonglong)
self.con.create_function("spam", -1, func)
+ self.con.execute("create table test(t text)")
def tearDown(self):
self.con.close()
@@ -276,18 +276,36 @@ class FunctionTests(unittest.TestCase):
val = cur.fetchone()[0]
self.assertEqual(val, 2)
+ # Regarding deterministic functions:
+ #
+ # Between 3.8.3 and 3.15.0, deterministic functions were only used to
+ # optimize inner loops, so for those versions we can only test if the
+ # sqlite machinery has factored out a call or not. From 3.15.0 and onward,
+ # deterministic functions were permitted in WHERE clauses of partial
+ # indices, which allows testing based on syntax, iso. the query optimizer.
+ @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "Requires SQLite 3.8.3 or higher")
def CheckFuncNonDeterministic(self):
mock = unittest.mock.Mock(return_value=None)
- self.con.create_function("deterministic", 0, mock, deterministic=False)
- self.con.execute("select deterministic() = deterministic()")
- self.assertEqual(mock.call_count, 2)
-
- @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "deterministic parameter not supported")
+ self.con.create_function("nondeterministic", 0, mock, deterministic=False)
+ if sqlite.sqlite_version_info < (3, 15, 0):
+ self.con.execute("select nondeterministic() = nondeterministic()")
+ self.assertEqual(mock.call_count, 2)
+ else:
+ with self.assertRaises(sqlite.OperationalError):
+ self.con.execute("create index t on test(t) where nondeterministic() is not null")
+
+ @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "Requires SQLite 3.8.3 or higher")
def CheckFuncDeterministic(self):
mock = unittest.mock.Mock(return_value=None)
self.con.create_function("deterministic", 0, mock, deterministic=True)
- self.con.execute("select deterministic() = deterministic()")
- self.assertEqual(mock.call_count, 1)
+ if sqlite.sqlite_version_info < (3, 15, 0):
+ self.con.execute("select deterministic() = deterministic()")
+ self.assertEqual(mock.call_count, 1)
+ else:
+ try:
+ self.con.execute("create index t on test(t) where deterministic() is not null")
+ except sqlite.OperationalError:
+ self.fail("Unexpected failure while creating partial index")
@unittest.skipIf(sqlite.sqlite_version_info >= (3, 8, 3), "SQLite < 3.8.3 needed")
def CheckFuncDeterministicNotSupported(self):

67
SOURCES/00351-avoid-infinite-loop-in-the-tarfile-module.patch
View File

@ -1,67 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Wed, 15 Jul 2020 05:36:36 -0700
Subject: [PATCH] 00351: Avoid infinite loop in the tarfile module
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
Fixed upstream: https://bugs.python.org/issue39017
---
Lib/tarfile.py | 2 ++
Lib/test/recursion.tar | Bin 0 -> 516 bytes
Lib/test/test_tarfile.py | 7 +++++++
.../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
4 files changed, 10 insertions(+)
create mode 100644 Lib/test/recursion.tar
create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index 62d22150f5..2ea47978ff 100755
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1231,6 +1231,8 @@ class TarInfo(object):
length, keyword = match.groups()
length = int(length)
+ if length == 0:
+ raise InvalidHeaderError("invalid header")
value = buf[match.end(2) + 1:match.start(1) + length - 1]
# Normally, we could just use "utf-8" as the encoding and "strict"
diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar
new file mode 100644
index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4
GIT binary patch
literal 516
zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e
I1_}|j06>QaCIA2c
literal 0
HcmV?d00001
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index 4cd7d5370f..573be812ea 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -395,6 +395,13 @@ class CommonReadTest(ReadTest):
with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
tar.extractfile(t).read()
+ def test_length_zero_header(self):
+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
+ # with an exception
+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
+ with tarfile.open(support.findfile('recursion.tar')) as tar:
+ pass
+
class MiscReadTestBase(CommonReadTest):
def requires_name_attribute(self):
pass
diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
new file mode 100644
index 0000000000..ad26676f8b
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

70
SOURCES/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
View File

@ -1,70 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
Date: Wed, 1 Jul 2020 01:00:22 +0530
Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and
IPv6Interface
CVE-2020-14422
The hash() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation.
Fixed upstream: https://bugs.python.org/issue41004
---
Lib/ipaddress.py | 4 ++--
Lib/test/test_ipaddress.py | 11 +++++++++++
.../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
3 files changed, 14 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
index 583f02ad54..98492136ca 100644
--- a/Lib/ipaddress.py
+++ b/Lib/ipaddress.py
@@ -1418,7 +1418,7 @@ class IPv4Interface(IPv4Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
@@ -2092,7 +2092,7 @@ class IPv6Interface(IPv6Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
index 1cef4217bc..7de444af4a 100644
--- a/Lib/test/test_ipaddress.py
+++ b/Lib/test/test_ipaddress.py
@@ -1990,6 +1990,17 @@ class IpaddrUnitTest(unittest.TestCase):
sixtofouraddr.sixtofour)
self.assertFalse(bad_addr.sixtofour)
+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
+ def testV4HashIsNotConstant(self):
+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
+
+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
+ def testV6HashIsNotConstant(self):
+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
if __name__ == '__main__':
unittest.main()
diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
new file mode 100644
index 0000000000..f5a9db52ff
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
@@ -0,0 +1 @@
+CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

97
SOURCES/00353-architecture-names-upstream-downstream.patch Normal file
View File

@ -0,0 +1,97 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Tue, 4 Aug 2020 12:04:03 +0200
Subject: [PATCH] 00353: Original names for architectures with different names
downstream
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names
Pythons in RHEL/Fedora used different names for some architectures
than upstream and other distros (for example ppc64 vs. powerpc64).
This was patched in patch 274, now it is sedded if %with legacy_archnames.
That meant that an extension built with the default upstream settings
(on other distro or as an manylinux wheel) could not been found by Python
on RHEL/Fedora because it had a different suffix.
This patch adds the legacy names to importlib so Python is able
to import extensions with a legacy architecture name in its
file name.
It work both ways, so it support both %with and %without legacy_archnames.
WARNING: This patch has no effect on Python built with bootstrap
enabled because Python/importlib_external.h is not regenerated
and therefore Python during bootstrap contains importlib from
upstream without this feature. It's possible to include
Python/importlib_external.h to this patch but it'd make rebasing
a nightmare because it's basically a binary file.
Co-authored-by: Miro Hrončok <miro@hroncok.cz>
---
Lib/importlib/_bootstrap_external.py | 40 ++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
index b8ac482994..62e937b819 100644
--- a/Lib/importlib/_bootstrap_external.py
+++ b/Lib/importlib/_bootstrap_external.py
@@ -1559,7 +1559,7 @@ def _get_supported_file_loaders():
Each item is a tuple (loader, suffixes).
"""
- extensions = ExtensionFileLoader, _imp.extension_suffixes()
+ extensions = ExtensionFileLoader, _alternative_architectures(_imp.extension_suffixes())
source = SourceFileLoader, SOURCE_SUFFIXES
bytecode = SourcelessFileLoader, BYTECODE_SUFFIXES
return [extensions, source, bytecode]
@@ -1623,7 +1623,7 @@ def _setup(_bootstrap_module):
# Constants
setattr(self_module, '_relax_case', _make_relax_case())
- EXTENSION_SUFFIXES.extend(_imp.extension_suffixes())
+ EXTENSION_SUFFIXES.extend(_alternative_architectures(_imp.extension_suffixes()))
if builtin_os == 'nt':
SOURCE_SUFFIXES.append('.pyw')
if '_d.pyd' in EXTENSION_SUFFIXES:
@@ -1636,3 +1636,39 @@ def _install(_bootstrap_module):
supported_loaders = _get_supported_file_loaders()
sys.path_hooks.extend([FileFinder.path_hook(*supported_loaders)])
sys.meta_path.append(PathFinder)
+
+
+_ARCH_MAP = {
+ "-arm-linux-gnueabi.": "-arm-linux-gnueabihf.",
+ "-armeb-linux-gnueabi.": "-armeb-linux-gnueabihf.",
+ "-mips64-linux-gnu.": "-mips64-linux-gnuabi64.",
+ "-mips64el-linux-gnu.": "-mips64el-linux-gnuabi64.",
+ "-ppc-linux-gnu.": "-powerpc-linux-gnu.",
+ "-ppc-linux-gnuspe.": "-powerpc-linux-gnuspe.",
+ "-ppc64-linux-gnu.": "-powerpc64-linux-gnu.",
+ "-ppc64le-linux-gnu.": "-powerpc64le-linux-gnu.",
+ # The above, but the other way around:
+ "-arm-linux-gnueabihf.": "-arm-linux-gnueabi.",
+ "-armeb-linux-gnueabihf.": "-armeb-linux-gnueabi.",
+ "-mips64-linux-gnuabi64.": "-mips64-linux-gnu.",
+ "-mips64el-linux-gnuabi64.": "-mips64el-linux-gnu.",
+ "-powerpc-linux-gnu.": "-ppc-linux-gnu.",
+ "-powerpc-linux-gnuspe.": "-ppc-linux-gnuspe.",
+ "-powerpc64-linux-gnu.": "-ppc64-linux-gnu.",
+ "-powerpc64le-linux-gnu.": "-ppc64le-linux-gnu.",
+}
+
+
+def _alternative_architectures(suffixes):
+ """Add a suffix with an alternative architecture name
+ to the list of suffixes so an extension built with
+ the default (upstream) setting is loadable with our Pythons
+ """
+
+ for suffix in suffixes:
+ for original, alternative in _ARCH_MAP.items():
+ if original in suffix:
+ suffixes.append(suffix.replace(original, alternative))
+ return suffixes
+
+ return suffixes

186
SOURCES/00357-CVE-2021-3177.patch Normal file
View File

@ -0,0 +1,186 @@
From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 18 Jan 2021 13:28:52 -0800
Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
formatting in ctypes param reprs. (GH-24248)
(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
Co-authored-by: Benjamin Peterson <benjamin@python.org>
---
Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
.../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
Modules/_ctypes/callproc.c | 51 +++++++------------
3 files changed, 64 insertions(+), 32 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
index e4c25fd880cef..531894fdec838 100644
--- a/Lib/ctypes/test/test_parameters.py
+++ b/Lib/ctypes/test/test_parameters.py
@@ -201,6 +201,49 @@ def __dict__(self):
with self.assertRaises(ZeroDivisionError):
WorseStruct().__setstate__({}, b'foo')
+ def test_parameter_repr(self):
+ from ctypes import (
+ c_bool,
+ c_char,
+ c_wchar,
+ c_byte,
+ c_ubyte,
+ c_short,
+ c_ushort,
+ c_int,
+ c_uint,
+ c_long,
+ c_ulong,
+ c_longlong,
+ c_ulonglong,
+ c_float,
+ c_double,
+ c_longdouble,
+ c_char_p,
+ c_wchar_p,
+ c_void_p,
+ )
+ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
+ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
+ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
+ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
+
################################################################
if __name__ == '__main__':
diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
new file mode 100644
index 0000000000000..7df65a156feab
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
@@ -0,0 +1,2 @@
+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
+:class:`ctypes.c_longdouble` values.
diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
index a9b8675cd951b..de75918d49f37 100644
--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
static PyObject *
PyCArg_repr(PyCArgObject *self)
{
- char buffer[256];
switch(self->tag) {
case 'b':
case 'B':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.b);
- break;
case 'h':
case 'H':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.h);
- break;
case 'i':
case 'I':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.i);
- break;
case 'l':
case 'L':
- sprintf(buffer, "<cparam '%c' (%ld)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
self->tag, self->value.l);
- break;
case 'q':
case 'Q':
- sprintf(buffer,
-#ifdef MS_WIN32
- "<cparam '%c' (%I64d)>",
-#else
- "<cparam '%c' (%lld)>",
-#endif
+ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
self->tag, self->value.q);
- break;
case 'd':
- sprintf(buffer, "<cparam '%c' (%f)>",
- self->tag, self->value.d);
- break;
- case 'f':
- sprintf(buffer, "<cparam '%c' (%f)>",
- self->tag, self->value.f);
- break;
-
+ case 'f': {
+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
+ if (f == NULL) {
+ return NULL;
+ }
+ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
+ Py_DECREF(f);
+ return result;
+ }
case 'c':
if (is_literal_char((unsigned char)self->value.c)) {
- sprintf(buffer, "<cparam '%c' ('%c')>",
+ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
self->tag, self->value.c);
}
else {
- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
+ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
self->tag, (unsigned char)self->value.c);
}
- break;
/* Hm, are these 'z' and 'Z' codes useful at all?
Shouldn't they be replaced by the functionality of c_string
@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
case 'z':
case 'Z':
case 'P':
- sprintf(buffer, "<cparam '%c' (%p)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
self->tag, self->value.p);
break;
default:
if (is_literal_char((unsigned char)self->tag)) {
- sprintf(buffer, "<cparam '%c' at %p>",
+ return PyUnicode_FromFormat("<cparam '%c' at %p>",
(unsigned char)self->tag, (void *)self);
}
else {
- sprintf(buffer, "<cparam 0x%02x at %p>",
+ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
(unsigned char)self->tag, (void *)self);
}
- break;
}
- return PyUnicode_FromString(buffer);
}
static PyMemberDef PyCArgType_members[] = {

16
SOURCES/Python-3.8.3.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl68Z1QACgkQsmmV4xAl
BWhdxQ/+PUi0er9eBEaWNaatCsEDXnBvrCs1OooL3WWJ2GC5zf3buMwj2pFOZf9D
YFFGdomhYhvRnyQCJQSXuWJXQaafzKAl1tvkgS2ycOnLvCJ/qw71SqorQxkMGK1m
TYZyLEapNkXrfDXRHfGybuVlNsHw9++abpEITqwucTWm9LiHZoF/zdK+JX/5RYQ0
bfb8819DMZEyCsF+S8Jo6ZNyEIQyQxidFFt5HbMllFwsgzu37P8RqGSIoVNFJ8n9
f7BWfXAIyGr7pIlJ+3qBYDXOeOx8iwIUxGu3Gbmiri+dlxz28Iei4mxPYHG4ji5B
3zMsqKcaVAMHzKuAwdF5ZbUg0DRRJweNoiDOsfKp0CI814pXmOLH0zi9OiLrxBzj
7v9H3dAPMC2f2zAFdNcjYVBRovCxIork/Lj3+6jGn67+8oV+eb23gnN5YpDAFAAu
ybtrt6fEi0uVJuxUl+MO5HkSmH3sLggVDskvuWPFLiuahcbSuiZoCvlB+osO9J0H
el/3Awv5TjckY/EVDt1T61aYLX0CHNcb8c/CjAf0OSd/96WxV3svtusllqcSYwiC
NxBRf0klpGn0Tpa+9hTAMc4dEKILgao1KsKiI8dj8YY3HcE0Lb3y9UdFcIDLCeqn
Sk5turYyKak7apZTY31/0eqqCUl/RlZwpmxVUUNViwR5F2ZPeAQ=
=jF/G
-----END PGP SIGNATURE-----

28
SOURCES/get-source.sh Executable file
View File

@ -0,0 +1,28 @@
#! /bin/bash -ex
# Download a release of Python (if missing) and remove .exe files from it
version=$1
if [ -z "${version}" ]; then
echo "Usage: $0 VERSION" >& 2
echo "" >& 2
echo "example: $0 3.6.6" >& 2
exit 1
fi
versionedname=Python-${version}
orig_archive=${versionedname}.tar.xz
new_archive=${versionedname}-noexe.tar.xz
if [ ! -e ${orig_archive} ]; then
wget -N https://www.python.org/ftp/python/${version}/${orig_archive}
fi
deleted_names=$(tar --list -Jf ${orig_archive} | grep '\.exe$')
# tar --delete does not operate on compressed archives, so do
# xz compression/decompression explicitly
xz --decompress --stdout ${orig_archive} | \
tar --delete -v ${deleted_names} | \
xz --compress --stdout -3 -T0 > ${new_archive}

11542
SOURCES/pubkeys.txt
View File

File diff suppressed because it is too large Load Diff

135
SPECS/python38.spec
View File

@ -13,7 +13,7 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
%global general_version %{pybasever}.3
%global general_version %{pybasever}.6
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
@ -92,6 +92,15 @@ ExcludeArch: i686
%bcond_with valgrind
%endif
# https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names
# For a very long time we have converted "upstream architecture names" to "Fedora names".
# This made sense at the time, see https://github.com/pypa/manylinux/issues/687#issuecomment-666362947
# However, with manylinux wheels popularity growth, this is now a problem.
# Wheels built on a Linux that doesn't do this were not compatible with ours and vice versa.
# We now have a compatibility layer to workaround a problem,
# but we also no longer use the legacy arch names in Fedora 34+.
# This bcond controls the behavior. The defaults should be good for anybody.
%bcond_without legacy_archnames
# =====================
# General global macros
@ -114,8 +123,21 @@ ExcludeArch: i686
%global LDVERSION_optimized %{pybasever}%{ABIFLAGS_optimized}
%global LDVERSION_debug %{pybasever}%{ABIFLAGS_debug}
%global SOABI_optimized cpython-%{pyshortver}%{ABIFLAGS_optimized}-%{_arch}-linux%{_gnu}
%global SOABI_debug cpython-%{pyshortver}%{ABIFLAGS_debug}-%{_arch}-linux%{_gnu}
# When we use the upstream arch triplets, we convert them from the legacy ones
# This is reversed in prep when %%with legacy_archnames, so we keep both macros
%global platform_triplet_legacy %{_arch}-linux%{_gnu}
%global platform_triplet_upstream %{expand:%(echo %{platform_triplet_legacy} | sed -E \\
-e 's/^arm(eb)?-linux-gnueabi$/arm\\1-linux-gnueabihf/' \\
-e 's/^mips64(el)?-linux-gnu$/mips64\\1-linux-gnuabi64/' \\
-e 's/^ppc(64)?(le)?-linux-gnu$/powerpc\\1\\2-linux-gnu/')}
%if %{with legacy_archnames}
%global platform_triplet %{platform_triplet_legacy}
%else
%global platform_triplet %{platform_triplet_upstream}
%endif
%global SOABI_optimized cpython-%{pyshortver}%{ABIFLAGS_optimized}-%{platform_triplet}
%global SOABI_debug cpython-%{pyshortver}%{ABIFLAGS_debug}-%{platform_triplet}
# All bytecode files are in a __pycache__ subdirectory, with a name
# reflecting the version of the bytecode.
@ -163,7 +185,6 @@ BuildRequires: gcc-c++
%if %{with gdbm}
BuildRequires: gdbm-devel
%endif
BuildRequires: git-core
BuildRequires: glibc-all-langpacks
BuildRequires: glibc-devel
BuildRequires: gmp-devel
@ -217,9 +238,17 @@ BuildRequires: python%{pyshortver}
# Source code and patches
# =======================
Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc
Source2: %{url}static/files/pubkeys.txt
# The upstream tarball includes questionable executable files for Windows,
# which we should not ship even in the SRPM.
# Run the "get-source.sh" with the version as argument to download the upstream
# tarball and generate a version with the .exe files removed. For example:
# $ ./get-source.sh 3.7.0
Source: Python-%{version}-noexe.tar.xz
# A script to remove .exe files from the source distribution
Source1: get-source.sh
Source3: macros.python38
# A simple script to check timestamps of bytecode files
@ -266,10 +295,6 @@ Patch189: 00189-use-rpm-wheels.patch
# Downstream only: Awaiting resources to work on upstream PEP
Patch251: 00251-change-user-install-location.patch
# 00274 #
# Upstream uses Debian-style architecture naming. Change to match Fedora.
Patch274: 00274-fix-arch-names.patch
# 00328 #
# Restore pyc to TIMESTAMP invalidation mode as default in rpmbubild
# See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426
@ -300,28 +325,36 @@ Patch328: 00328-pyc-timestamp-invalidation-mode.patch
# Resolves: rhbz#1731424
Patch329: 00329-fips.patch
# 00350 #
# bpo-40784: Fix sqlite3 deterministic test (GH-20448)
# https://bugs.python.org/issue40784
# https://github.com/python/cpython/commit/00a240bf7f95bbd220f1cfbf9eb58484a5f9681a
Patch350: 00350-sqlite-fix-deterministic-test.patch
# 00351 #
# Avoid infinite loop when reading specially crafted TAR files using the tarfile module
# (CVE-2019-20907).
# See: https://bugs.python.org/issue39017
Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch
# 00352 #
# Resolve hash collisions for IPv4Interface and IPv6Interface
# 00353 #
# Original names for architectures with different names downstream
#
# CVE-2020-14422
# The hash() methods of classes IPv4Interface and IPv6Interface had issue
# of generating constant hash values of 32 and 128 respectively causing hash collisions.
# The fix uses the hash() function to generate hash values for the objects
# instead of XOR operation.
# Fixed upstream: https://bugs.python.org/issue41004
Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
# https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names
#
# Pythons in RHEL/Fedora used different names for some architectures
# than upstream and other distros (for example ppc64 vs. powerpc64).
# This was patched in patch 274, now it is sedded if %%with legacy_archnames.
#
# That meant that an extension built with the default upstream settings
# (on other distro or as an manylinux wheel) could not been found by Python
# on RHEL/Fedora because it had a different suffix.
# This patch adds the legacy names to importlib so Python is able
# to import extensions with a legacy architecture name in its
# file name.
# It work both ways, so it support both %%with and %%without legacy_archnames.
#
# WARNING: This patch has no effect on Python built with bootstrap
# enabled because Python/importlib_external.h is not regenerated
# and therefore Python during bootstrap contains importlib from
# upstream without this feature. It's possible to include
# Python/importlib_external.h to this patch but it'd make rebasing
# a nightmare because it's basically a binary file.
Patch353: 00353-architecture-names-upstream-downstream.patch
# 00357 #
# Security fix for CVE-2021-3177
# Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
# Resolves upstream: https://bugs.python.org/issue42938
Patch357: 00357-CVE-2021-3177.patch
# (New patches go here ^^^)
#
@ -667,20 +700,22 @@ rm Lib/ensurepip/_bundled/*.whl
%endif
%patch251 -p1
%patch274 -p1
%patch328 -p1
%patch329 -p1
%patch350 -p1
%patch353 -p1
%patch357 -p1
# Patch 351 adds binary file for testing. We need to apply it using Git.
git apply %{PATCH351}
%patch352 -p1
# Remove files that should be generated by the build
# (This is after patching, so that we can use patches directly from upstream)
rm configure pyconfig.h.in
# When we use the legacy arch names, we need to change them in configure.ac
%if %{with legacy_archnames}
sed -i configure.ac \
-e 's/\b%{platform_triplet_upstream}\b/%{platform_triplet_legacy}/'
%endif
# ======================================================
# Configuring and building the code:
@ -1493,8 +1528,8 @@ fi
# "Makefile" and the config-32/64.h file are needed by
# distutils/sysconfig.py:_init_posix(), so we include them in the core
# package, along with their parent directories (bug 531901):
%dir %{pylibdir}/config-%{LDVERSION_optimized}-%{_arch}-linux%{_gnu}/
%{pylibdir}/config-%{LDVERSION_optimized}-%{_arch}-linux%{_gnu}/Makefile
%dir %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/
%{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/Makefile
%dir %{_includedir}/python%{LDVERSION_optimized}/
%{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h}
@ -1512,9 +1547,9 @@ fi
%{_bindir}/2to3
%endif
%{pylibdir}/config-%{LDVERSION_optimized}-%{_arch}-linux%{_gnu}/*
%{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/*
%if %{without flatpackage}
%exclude %{pylibdir}/config-%{LDVERSION_optimized}-%{_arch}-linux%{_gnu}/Makefile
%exclude %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/Makefile
%exclude %{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h}
%endif
%{_includedir}/python%{LDVERSION_optimized}/*.h
@ -1709,7 +1744,7 @@ fi
%{_libdir}/%{py_INSTSONAME_debug}
# Analog of the -devel subpackage's files:
%{pylibdir}/config-%{LDVERSION_debug}-%{_arch}-linux%{_gnu}
%{pylibdir}/config-%{LDVERSION_debug}-%{platform_triplet}
%{_includedir}/python%{LDVERSION_debug}
%{_bindir}/python%{LDVERSION_debug}-config
%{_bindir}/python%{LDVERSION_debug}-*-config
@ -1758,6 +1793,20 @@ fi
# ======================================================
%changelog
* Fri Jan 22 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.6-3
- Security fix for CVE-2021-3177
Resolves: rhbz#1919161
* Fri Oct 23 2020 Lumír Balhar <lbalhar@redhat.com> - 3.8.6-2
- Add support for upstream architecture names
https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names
Resolves: rhbz#1868006
* Fri Oct 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.8.6-1
- Update to 3.8.6
- Security fix for CVE-2020-26116
Resolves: rhbz#1886755, rhbz#1883259
* Mon Aug 17 2020 Tomas Orsava <torsava@redhat.com> - 3.8.3-3
- Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907)
Resolves: rhbz#1856481