import python38-3.8.3-3.module+el8.3.0+7680+79e7e61a

.gitignore

@@ -1 +1 @@
-SOURCES/Python-3.8.0.tar.xz
+SOURCES/Python-3.8.3.tar.xz

.python38.metadata

@@ -1 +1 @@
-7720e0384558c598107cf046c48165fd7e1f5b2c SOURCES/Python-3.8.0.tar.xz
+3bafa40df1cd069c112761c388a9f2e94b5d33dd SOURCES/Python-3.8.3.tar.xz

SOURCES/00001-rpath.patch

@@ -1,4 +1,4 @@
-From 8ecb6d320c03242ca94bf2e99d9d80510d5011e1 Mon Sep 17 00:00:00 2001
+From 08c67bfedd07ebec54f5087b59045b8c78fa2a6d Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
 Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
@@ -9,7 +9,7 @@ Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
  1 file changed, 9 insertions(+)
 
 diff --git a/Lib/distutils/unixccompiler.py b/Lib/distutils/unixccompiler.py
-index d10a78da31..4df4b67810 100644
+index 4d7a6de740..353086a648 100644
 --- a/Lib/distutils/unixccompiler.py
 +++ b/Lib/distutils/unixccompiler.py
 @@ -82,6 +82,15 @@ class UnixCCompiler(CCompiler):
@@ -29,5 +29,5 @@ index d10a78da31..4df4b67810 100644
                     include_dirs=None, extra_preargs=None, extra_postargs=None):
          fixed_args = self._fix_compile_args(None, macros, include_dirs)
 -- 
-2.21.0
+2.26.2
 

SOURCES/00102-lib64.patch

@@ -1,4 +1,4 @@
-From b9f1dd6be195cc3b11a80e6f0dde2096dd8b9855 Mon Sep 17 00:00:00 2001
+From be6b9803109c3702dbff0ed8b0953913206008ca Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
 Subject: [PATCH] 00102: Change the various install paths to use /usr/lib64/
@@ -139,10 +139,10 @@ index b9e2fafbc0..0ae6d35b69 100644
          'scripts': '{userbase}/bin',
          'data': '{userbase}',
 diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py
-index 41c4229919..543c88432a 100644
+index 1bbc697936..9a7e80dfa0 100644
 --- a/Lib/test/test_site.py
 +++ b/Lib/test/test_site.py
-@@ -266,8 +266,8 @@ class HelperFunctionsTests(unittest.TestCase):
+@@ -267,8 +267,8 @@ class HelperFunctionsTests(unittest.TestCase):
          dirs = site.getsitepackages()
          if os.sep == '/':
              # OS X, Linux, FreeBSD, etc
@@ -154,7 +154,7 @@ index 41c4229919..543c88432a 100644
                                    'site-packages')
              self.assertEqual(dirs[0], wanted)
 diff --git a/Makefile.pre.in b/Makefile.pre.in
-index 502317aa0c..4ad3df1122 100644
+index a914a9c70f..406a441082 100644
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
 @@ -143,7 +143,7 @@ LIBDIR=		@libdir@
@@ -198,10 +198,10 @@ index b727f66953..a0c5fb6139 100644
          return DECODE_LOCALE_ERR("EXEC_PREFIX define", len);
      }
 diff --git a/configure b/configure
-index 2a933cdbeb..bec365124e 100755
+index 8886561645..78867c6ffc 100755
 --- a/configure
 +++ b/configure
-@@ -15182,9 +15182,9 @@ fi
+@@ -15214,9 +15214,9 @@ fi
  
  
  if test x$PLATFORM_TRIPLET = x; then
@@ -214,10 +214,10 @@ index 2a933cdbeb..bec365124e 100755
  
  
 diff --git a/configure.ac b/configure.ac
-index a189d42c2c..154a0aa5cc 100644
+index d8de9d4943..477a5ff1cb 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4668,9 +4668,9 @@ fi
+@@ -4689,9 +4689,9 @@ fi
  dnl define LIBPL after ABIFLAGS and LDVERSION is defined.
  AC_SUBST(PY_ENABLE_SHARED)
  if test x$PLATFORM_TRIPLET = x; then
@@ -230,7 +230,7 @@ index a189d42c2c..154a0aa5cc 100644
  AC_SUBST(LIBPL)
  
 diff --git a/setup.py b/setup.py
-index 20d7f35652..024a1035c0 100644
+index b168ed4082..8628b9d1cd 100644
 --- a/setup.py
 +++ b/setup.py
 @@ -649,7 +649,7 @@ class PyBuildExt(build_ext):
@@ -257,5 +257,5 @@ index 20d7f35652..024a1035c0 100644
                                 libraries=readline_libs))
          else:
 -- 
-2.21.0
+2.26.2
 

SOURCES/00111-no-static-lib.patch

@@ -1,4 +1,4 @@
-From f6df02cde47874f10e183ead483c90941bb8076f Mon Sep 17 00:00:00 2001
+From 50236468e82a7a19ed3dd7e13cb922e7d3e0ff7f Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Mon, 18 Jan 2010 17:59:07 +0000
 Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a
@@ -21,7 +21,7 @@ Co-authored-by: Miro Hrončok <miro@hroncok.cz>
  1 file changed, 2 insertions(+), 19 deletions(-)
 
 diff --git a/Makefile.pre.in b/Makefile.pre.in
-index 4ad3df1122..72d202d71b 100644
+index 406a441082..917303dd92 100644
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
 @@ -562,7 +562,7 @@ clinic: check-clean-src $(srcdir)/Modules/_blake2/blake2s_impl.c
@@ -74,5 +74,5 @@ index 4ad3df1122..72d202d71b 100644
  	$(INSTALL_DATA) Programs/python.o $(DESTDIR)$(LIBPL)/python.o
  	$(INSTALL_DATA) $(srcdir)/Modules/config.c.in $(DESTDIR)$(LIBPL)/config.c.in
 -- 
-2.21.0
+2.26.2
 

SOURCES/00189-use-rpm-wheels.patch

@@ -1,40 +1,45 @@
-From e5c11f104e1d2543ac3ba4b3f0a7989821e57947 Mon Sep 17 00:00:00 2001
+From 36f1f2b4620b13bdc7ac1c349253ac07960c33b3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
 
 We keep them in /usr/share/python-wheels
 ---
- Lib/ensurepip/__init__.py | 26 +++++++++++++++++---------
- 1 file changed, 17 insertions(+), 9 deletions(-)
+ Lib/ensurepip/__init__.py | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index fc0edec6e3..4d17e413db 100644
+index 566fb2a096..47da08d3d5 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
-@@ -1,16 +1,27 @@
+@@ -1,6 +1,7 @@
 +import distutils.version
 +import glob
  import os
  import os.path
 -import pkgutil
  import sys
+ import runpy
  import tempfile
- 
+@@ -8,10 +9,24 @@ import tempfile
  
  __all__ = ["version", "bootstrap"]
  
 +_WHEEL_DIR = "/usr/share/python38-wheels/"
  
 -_SETUPTOOLS_VERSION = "41.2.0"
++_wheels = {}
  
 -_PIP_VERSION = "19.2.3"
 +def _get_most_recent_wheel_version(pkg):
 +    prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))
-+    suffix = "-py2.py3-none-any.whl"
-+    pattern = "{}*{}".format(prefix, suffix)
-+    versions = (p[len(prefix):-len(suffix)] for p in glob.glob(pattern))
-+    return str(max(versions, key=distutils.version.LooseVersion))
++    _wheels[pkg] = {}
++    for suffix in "-py2.py3-none-any.whl", "-py3-none-any.whl":
++        pattern = "{}*{}".format(prefix, suffix)
++        for path in glob.glob(pattern):
++            version_str = path[len(prefix):-len(suffix)]
++            _wheels[pkg][version_str] = os.path.basename(path)
++    return str(max(_wheels[pkg], key=distutils.version.LooseVersion))
 +
 +
 +_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools")
@@ -43,16 +48,18 @@ index fc0edec6e3..4d17e413db 100644
  
  _PROJECTS = [
      ("setuptools", _SETUPTOOLS_VERSION),
-@@ -96,12 +107,9 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
+@@ -105,13 +120,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
+         # additional paths that need added to sys.path
          additional_paths = []
          for project, version in _PROJECTS:
-             wheel_name = "{}-{}-py2.py3-none-any.whl".format(project, version)
+-            wheel_name = "{}-{}-py2.py3-none-any.whl".format(project, version)
 -            whl = pkgutil.get_data(
 -                "ensurepip",
 -                "_bundled/{}".format(wheel_name),
 -            )
 -            with open(os.path.join(tmpdir, wheel_name), "wb") as fp:
 -                fp.write(whl)
++            wheel_name = _wheels[project][version]
 +            with open(os.path.join(_WHEEL_DIR, wheel_name), "rb") as sfp:
 +                with open(os.path.join(tmpdir, wheel_name), "wb") as fp:
 +                    fp.write(sfp.read())
@@ -60,5 +67,5 @@ index fc0edec6e3..4d17e413db 100644
              additional_paths.append(os.path.join(tmpdir, wheel_name))
  
 -- 
-2.21.0
+2.26.2
 

SOURCES/00251-change-user-install-location.patch

@@ -1,4 +1,4 @@
-From 76330e0a8798b3b03160edc7e8d42d3dbee756fd Mon Sep 17 00:00:00 2001
+From 197b8de27ebcd17fc5dd51426a639950c6f6c284 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
 Subject: [PATCH] 00251: Change user install location
@@ -60,5 +60,5 @@ index 22d53fa562..9513526109 100644
          if os.path.isdir(sitedir):
              addsitedir(sitedir, known_paths)
 -- 
-2.21.0
+2.26.2
 

SOURCES/00274-fix-arch-names.patch

@@ -1,4 +1,4 @@
-From 64c67dbfa789f242e8ffd1ac88bafb4df2842401 Mon Sep 17 00:00:00 2001
+From 3172104314227af128f3ce68e9650663a7c1268c Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 28 Aug 2017 17:16:46 +0200
 Subject: [PATCH] 00274: Upstream uses Debian-style architecture naming, change
@@ -29,10 +29,10 @@ index ba37cf99e2..52a9ec6662 100755
  	ppc64le | powerpc64little)
  		basic_machine=powerpc64le-unknown
 diff --git a/configure.ac b/configure.ac
-index 154a0aa5cc..273954f461 100644
+index 477a5ff1cb..aea27ef86a 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -741,9 +741,9 @@ cat >> conftest.c <<EOF
+@@ -747,9 +747,9 @@ cat >> conftest.c <<EOF
          alpha-linux-gnu
  # elif defined(__ARM_EABI__) && defined(__ARM_PCS_VFP)
  #  if defined(__ARMEL__)
@@ -44,7 +44,7 @@ index 154a0aa5cc..273954f461 100644
  #  endif
  # elif defined(__ARM_EABI__) && !defined(__ARM_PCS_VFP)
  #  if defined(__ARMEL__)
-@@ -783,7 +783,7 @@ cat >> conftest.c <<EOF
+@@ -789,7 +789,7 @@ cat >> conftest.c <<EOF
  #  elif _MIPS_SIM == _ABIN32
          mips64el-linux-gnuabin32
  #  elif _MIPS_SIM == _ABI64
@@ -53,7 +53,7 @@ index 154a0aa5cc..273954f461 100644
  #  else
  #   error unknown platform triplet
  #  endif
-@@ -793,22 +793,22 @@ cat >> conftest.c <<EOF
+@@ -799,22 +799,22 @@ cat >> conftest.c <<EOF
  #  elif _MIPS_SIM == _ABIN32
          mips64-linux-gnuabin32
  #  elif _MIPS_SIM == _ABI64
@@ -82,5 +82,5 @@ index 154a0aa5cc..273954f461 100644
          s390x-linux-gnu
  # elif defined(__s390__)
 -- 
-2.21.0
+2.26.2
 

SOURCES/00328-pyc-timestamp-invalidation-mode.patch

@@ -1,4 +1,4 @@
-From c706770ce2d951d9357ffc872b7e3f70ad36c264 Mon Sep 17 00:00:00 2001
+From aedd897c6371bc54d3b2e2c9420fce6730c2acff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Thu, 11 Jul 2019 13:44:13 +0200
 Subject: [PATCH] 00328: Restore pyc to TIMESTAMP invalidation mode as default
@@ -31,7 +31,7 @@ index 21736896af..310bed5620 100644
      else:
          return PycInvalidationMode.TIMESTAMP
 diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
-index d6677ab45f..88059b127e 100644
+index d4a68c9320..ed09874023 100644
 --- a/Lib/test/test_py_compile.py
 +++ b/Lib/test/test_py_compile.py
 @@ -17,6 +17,7 @@ def without_source_date_epoch(fxn):
@@ -51,5 +51,5 @@ index d6677ab45f..88059b127e 100644
      return wrapper
  
 -- 
-2.21.0
+2.26.2
 

SOURCES/00337-test_ssl-test_min_max_version-add-range.patch

@@ -1,38 +0,0 @@
-From 4e4445efad2d3aa17b455a2683884e500d1a7c90 Mon Sep 17 00:00:00 2001
-From: Tomas Orsava <torsava@redhat.com>
-Date: Fri, 29 Nov 2019 16:07:27 +0100
-Subject: [PATCH] Adjust the test_min_max_version in test_ssl
-
-to accept the new settings in RHEL 8.2 where maximum_version is set to TLS 1.3.
----
- Lib/test/test_ssl.py | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index 419506f..c9b2cf9 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -1200,12 +1200,18 @@ class ContextTests(unittest.TestCase):
-             # RHEL 8 uses TLS 1.2 by default
-             ssl.TLSVersion.TLSv1_2
-         }
-+        maximum_range = {
-+            # stock OpenSSL
-+            ssl.TLSVersion.MAXIMUM_SUPPORTED,
-+            # RHEL 8.2 requires maximum TLS 1.3
-+            ssl.TLSVersion.TLSv1_3
-+        }
- 
-         self.assertIn(
-             ctx.minimum_version, minimum_range
-         )
--        self.assertEqual(
--            ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
-+        self.assertIn(
-+            ctx.maximum_version, maximum_range
-         )
- 
-         ctx.minimum_version = ssl.TLSVersion.TLSv1_1
--- 
-2.20.1
-

SOURCES/00350-sqlite-fix-deterministic-test.patch

@@ -0,0 +1,76 @@
+commit 00a240bf7f95bbd220f1cfbf9eb58484a5f9681a
+Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
+Date:   Fri May 29 05:46:34 2020 -0700
+
+    bpo-40784: Fix sqlite3 deterministic test (GH-20448)
+    
+    (cherry picked from commit c610d970f5373b143bf5f5900d4645e6a90fb460)
+    
+    Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
+
+diff --git a/Lib/sqlite3/test/userfunctions.py b/Lib/sqlite3/test/userfunctions.py
+index 9501f53..c11c82e 100644
+--- a/Lib/sqlite3/test/userfunctions.py
++++ b/Lib/sqlite3/test/userfunctions.py
+@@ -1,8 +1,7 @@
+-#-*- coding: iso-8859-1 -*-
+ # pysqlite2/test/userfunctions.py: tests for user-defined functions and
+ #                                  aggregates.
+ #
+-# Copyright (C) 2005-2007 Gerhard Häring <gh@ghaering.de>
++# Copyright (C) 2005-2007 Gerhard Häring <gh@ghaering.de>
+ #
+ # This file is part of pysqlite.
+ #
+@@ -158,6 +157,7 @@ class FunctionTests(unittest.TestCase):
+         self.con.create_function("isblob", 1, func_isblob)
+         self.con.create_function("islonglong", 1, func_islonglong)
+         self.con.create_function("spam", -1, func)
++        self.con.execute("create table test(t text)")
+ 
+     def tearDown(self):
+         self.con.close()
+@@ -276,18 +276,36 @@ class FunctionTests(unittest.TestCase):
+         val = cur.fetchone()[0]
+         self.assertEqual(val, 2)
+ 
++    # Regarding deterministic functions:
++    #
++    # Between 3.8.3 and 3.15.0, deterministic functions were only used to
++    # optimize inner loops, so for those versions we can only test if the
++    # sqlite machinery has factored out a call or not. From 3.15.0 and onward,
++    # deterministic functions were permitted in WHERE clauses of partial
++    # indices, which allows testing based on syntax, iso. the query optimizer.
++    @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "Requires SQLite 3.8.3 or higher")
+     def CheckFuncNonDeterministic(self):
+         mock = unittest.mock.Mock(return_value=None)
+-        self.con.create_function("deterministic", 0, mock, deterministic=False)
+-        self.con.execute("select deterministic() = deterministic()")
+-        self.assertEqual(mock.call_count, 2)
+-
+-    @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "deterministic parameter not supported")
++        self.con.create_function("nondeterministic", 0, mock, deterministic=False)
++        if sqlite.sqlite_version_info < (3, 15, 0):
++            self.con.execute("select nondeterministic() = nondeterministic()")
++            self.assertEqual(mock.call_count, 2)
++        else:
++            with self.assertRaises(sqlite.OperationalError):
++                self.con.execute("create index t on test(t) where nondeterministic() is not null")
++
++    @unittest.skipIf(sqlite.sqlite_version_info < (3, 8, 3), "Requires SQLite 3.8.3 or higher")
+     def CheckFuncDeterministic(self):
+         mock = unittest.mock.Mock(return_value=None)
+         self.con.create_function("deterministic", 0, mock, deterministic=True)
+-        self.con.execute("select deterministic() = deterministic()")
+-        self.assertEqual(mock.call_count, 1)
++        if sqlite.sqlite_version_info < (3, 15, 0):
++            self.con.execute("select deterministic() = deterministic()")
++            self.assertEqual(mock.call_count, 1)
++        else:
++            try:
++                self.con.execute("create index t on test(t) where deterministic() is not null")
++            except sqlite.OperationalError:
++                self.fail("Unexpected failure while creating partial index")
+ 
+     @unittest.skipIf(sqlite.sqlite_version_info >= (3, 8, 3), "SQLite < 3.8.3 needed")
+     def CheckFuncDeterministicNotSupported(self):

SOURCES/00351-avoid-infinite-loop-in-the-tarfile-module.patch

@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 15 Jul 2020 05:36:36 -0700
+Subject: [PATCH] 00351: Avoid infinite loop in the tarfile module
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module
+(CVE-2019-20907).
+Fixed upstream: https://bugs.python.org/issue39017
+---
+ Lib/tarfile.py                                    |   2 ++
+ Lib/test/recursion.tar                            | Bin 0 -> 516 bytes
+ Lib/test/test_tarfile.py                          |   7 +++++++
+ .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst      |   1 +
+ 4 files changed, 10 insertions(+)
+ create mode 100644 Lib/test/recursion.tar
+ create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 62d22150f5..2ea47978ff 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1231,6 +1231,8 @@ class TarInfo(object):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             # Normally, we could just use "utf-8" as the encoding and "strict"
+diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar
+new file mode 100644
+index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4
+GIT binary patch
+literal 516
+zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e
+I1_}|j06>QaCIA2c
+
+literal 0
+HcmV?d00001
+
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 4cd7d5370f..573be812ea 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -395,6 +395,13 @@ class CommonReadTest(ReadTest):
+                 with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
+                     tar.extractfile(t).read()
+ 
++    def test_length_zero_header(self):
++        # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
++        # with an exception
++        with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
++            with tarfile.open(support.findfile('recursion.tar')) as tar:
++                pass
++
+ class MiscReadTestBase(CommonReadTest):
+     def requires_name_attribute(self):
+         pass
+diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+new file mode 100644
+index 0000000000..ad26676f8b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+@@ -0,0 +1 @@
++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

SOURCES/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch

@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 01:00:22 +0530
+Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and
+ IPv6Interface
+
+CVE-2020-14422
+The hash() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation.
+Fixed upstream: https://bugs.python.org/issue41004
+---
+ Lib/ipaddress.py                                      |  4 ++--
+ Lib/test/test_ipaddress.py                            | 11 +++++++++++
+ .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst |  1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 583f02ad54..98492136ca 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1418,7 +1418,7 @@ class IPv4Interface(IPv4Address):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+@@ -2092,7 +2092,7 @@ class IPv6Interface(IPv6Address):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 1cef4217bc..7de444af4a 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -1990,6 +1990,17 @@ class IpaddrUnitTest(unittest.TestCase):
+                          sixtofouraddr.sixtofour)
+         self.assertFalse(bad_addr.sixtofour)
+ 
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV4HashIsNotConstant(self):
++        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++        self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
++
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV6HashIsNotConstant(self):
++        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++        self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
+ 
+ if __name__ == '__main__':
+     unittest.main()
+diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+new file mode 100644
+index 0000000000..f5a9db52ff
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+@@ -0,0 +1 @@
++CVE-2020-14422: The __hash__() methods of  ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

SOURCES/Python-3.8.0.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl2kmqsACgkQsmmV4xAl
-BWgUvRAAjomYhRM5CBKP99ygaTKAqeTHVnJt32O8n3OHPWL6YSSm2GBSnX4fhtqn
-uX9VysXFc90zEX+ww2+n2+IwDzsddItWtdZfNnVAUeBs8GNGpq5KbnGX7LB7+orp
-nJPcDUMsF2Mutuk7fREr8KHFUGSyMkUj+bh/1Ml+R7LGoTtPKywqtu7X0ACoJ3N0
-hds0qd79o8u5i2N5rLWfuj6/1HmorNwNhtJo7vIACZIUyIKP3rB8WXtE8+drptuv
-ApYJdxE74iixntMuk6sCwPKBquIzwfEI3NzcmtJCV32cpASHB3+8FHJIlp94++9y
-AUF4Kxp3aQui1XaeeLRdIpprl6M+PwB6tTQKoSkkecTVysj5GOdBRFEhGl5bFNO9
-DSiHU7uy8JkeOZVdcz4zIdZnlUUtCq4Ycpc8PXKjI0kbHlsp38y7F8lFNP10UY/D
-iKDDGxQowCtVgKCORNhmKWCmEZcgbDZA9EAz9rgCdhPY7we3Qdj68L820ELxJeQj
-50ss/6GcIJK1jgOSXng7DvUhlpsp5avhaM3iWnqCtU+a2fOVm0pQR826q62majLR
-uui7SDKtVPU7VaLetfppuNjI3T8xUX86niSRtmlYjsjweJ+jXJWTnkkHUNI04UjH
-2WANZRJ10NXl7UVRlnGYVzAcslyabnnlRw6Zf1haWtAWTLyP7Tw=
-=bg98
------END PGP SIGNATURE-----

SOURCES/Python-3.8.3.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAl68Z1QACgkQsmmV4xAl
+BWhdxQ/+PUi0er9eBEaWNaatCsEDXnBvrCs1OooL3WWJ2GC5zf3buMwj2pFOZf9D
+YFFGdomhYhvRnyQCJQSXuWJXQaafzKAl1tvkgS2ycOnLvCJ/qw71SqorQxkMGK1m
+TYZyLEapNkXrfDXRHfGybuVlNsHw9++abpEITqwucTWm9LiHZoF/zdK+JX/5RYQ0
+bfb8819DMZEyCsF+S8Jo6ZNyEIQyQxidFFt5HbMllFwsgzu37P8RqGSIoVNFJ8n9
+f7BWfXAIyGr7pIlJ+3qBYDXOeOx8iwIUxGu3Gbmiri+dlxz28Iei4mxPYHG4ji5B
+3zMsqKcaVAMHzKuAwdF5ZbUg0DRRJweNoiDOsfKp0CI814pXmOLH0zi9OiLrxBzj
+7v9H3dAPMC2f2zAFdNcjYVBRovCxIork/Lj3+6jGn67+8oV+eb23gnN5YpDAFAAu
+ybtrt6fEi0uVJuxUl+MO5HkSmH3sLggVDskvuWPFLiuahcbSuiZoCvlB+osO9J0H
+el/3Awv5TjckY/EVDt1T61aYLX0CHNcb8c/CjAf0OSd/96WxV3svtusllqcSYwiC
+NxBRf0klpGn0Tpa+9hTAMc4dEKILgao1KsKiI8dj8YY3HcE0Lb3y9UdFcIDLCeqn
+Sk5turYyKak7apZTY31/0eqqCUl/RlZwpmxVUUNViwR5F2ZPeAQ=
+=jF/G
+-----END PGP SIGNATURE-----

SPECS/python38.spec

@@ -13,11 +13,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.0
+%global general_version %{pybasever}.3
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 6%{?dist}
+Release: 3%{?dist}
 License: Python
 
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -62,6 +62,9 @@ ExcludeArch: i686
 # Expensive optimizations (mainly, profile-guided optimizations)
 %bcond_without optimizations
 
+# https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup
+%bcond_without no_semantic_interposition
+
 # Run the test suite in %%check
 %bcond_without tests
 
@@ -141,16 +144,6 @@ ExcludeArch: i686
 # on files that test invalid syntax.
 %undefine py_auto_byte_compile
 
-# For multilib support, files that are different between 32- and 64-bit arches
-# need different filenames. Use "64" or "32" according to the word size.
-# Currently, the best way to determine an architecture's word size happens to
-# be checking %%{_lib}.
-%if "%{_lib}" == "lib64"
-%global wordsize 64
-%else
-%global wordsize 32
-%endif
-
 
 # =======================
 # Build-time requirements
@@ -170,6 +163,7 @@ BuildRequires: gcc-c++
 %if %{with gdbm}
 BuildRequires: gdbm-devel
 %endif
+BuildRequires: git-core
 BuildRequires: glibc-all-langpacks
 BuildRequires: glibc-devel
 BuildRequires: gmp-devel
@@ -260,6 +254,8 @@ Patch111: 00111-no-static-lib.patch
 # 00189 #
 # Instead of bundled wheels, use our RPM packaged wheels from
 # /usr/share/python38-wheels
+# Downstream only: upstream bundles
+# We might eventually pursuit upstream support, but it's low prio
 Patch189: 00189-use-rpm-wheels.patch
 
 # 00251
@@ -267,6 +263,7 @@ Patch189: 00189-use-rpm-wheels.patch
 # to /usr/local if executable is /usr/bin/python* and RPM build
 # is not detected to make pip and distutils install into separate location
 # Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
+# Downstream only: Awaiting resources to work on upstream PEP
 Patch251: 00251-change-user-install-location.patch
 
 # 00274 #
@@ -276,6 +273,8 @@ Patch274: 00274-fix-arch-names.patch
 # 00328 #
 # Restore pyc to TIMESTAMP invalidation mode as default in rpmbubild
 # See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426
+# Downstream only: only used when building RPM packages
+# Ideally, we should talk to upstream and explain why we don't want this
 Patch328: 00328-pyc-timestamp-invalidation-mode.patch
 
 # 00329 #
@@ -301,10 +300,28 @@ Patch328: 00328-pyc-timestamp-invalidation-mode.patch
 # Resolves: rhbz#1731424
 Patch329: 00329-fips.patch
 
-# 00337 #
-# Adjust the test_min_max_version in test_ssl to accept the new settings in
-# RHEL 8.2 where maximum_version is set to TLS 1.3
-Patch337: 00337-test_ssl-test_min_max_version-add-range.patch
+# 00350 #
+# bpo-40784: Fix sqlite3 deterministic test (GH-20448)
+# https://bugs.python.org/issue40784
+# https://github.com/python/cpython/commit/00a240bf7f95bbd220f1cfbf9eb58484a5f9681a
+Patch350: 00350-sqlite-fix-deterministic-test.patch
+
+# 00351 #
+# Avoid infinite loop when reading specially crafted TAR files using the tarfile module
+# (CVE-2019-20907).
+# See: https://bugs.python.org/issue39017
+Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch
+
+# 00352 #
+# Resolve hash collisions for IPv4Interface and IPv6Interface
+#
+# CVE-2020-14422
+# The hash() methods of classes IPv4Interface and IPv6Interface had issue
+# of generating constant hash values of 32 and 128 respectively causing hash collisions.
+# The fix uses the hash() function to generate hash values for the objects
+# instead of XOR operation.
+# Fixed upstream: https://bugs.python.org/issue41004
+Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
 
 # (New patches go here ^^^)
 #
@@ -441,6 +458,10 @@ Provides: bundled(python38-setuptools) = 41.2.0
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1547131
 Recommends: %{name}%{?_isa} = %{version}-%{release}
 
+# tkinter is part of the standard library,
+# but it is torn out to save an unwanted dependency on tk and X11.
+# we recommend it when tk is already installed (for better UX)
+Recommends: (%{name}-tkinter%{?_isa} = %{version}-%{release} if tk%{?_isa})
 
 %description libs
 This package contains runtime libraries for use by Python:
@@ -649,8 +670,12 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch274 -p1
 %patch328 -p1
 %patch329 -p1
-%patch337 -p1
+%patch350 -p1
 
+# Patch 351 adds binary file for testing. We need to apply it using Git.
+git apply %{PATCH351}
+
+%patch352 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -692,14 +717,14 @@ topdir=$(pwd)
 # Fedora packages utilizing %%py3_build will use them as well
 # https://fedoraproject.org/wiki/Changes/Python_Extension_Flags
 export CFLAGS="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv"
-export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv -fno-semantic-interposition"
+export CFLAGS_NODIST="%{build_cflags} -D_GNU_SOURCE -fPIC -fwrapv%{?with_no_semantic_interposition: -fno-semantic-interposition}"
 export CXXFLAGS="%{extension_cxxflags} -D_GNU_SOURCE -fPIC -fwrapv"
 export CPPFLAGS="$(pkg-config --cflags-only-I libffi)"
 export OPT="%{extension_cflags} -D_GNU_SOURCE -fPIC -fwrapv"
 export LINKCC="gcc"
 export CFLAGS="$CFLAGS $(pkg-config --cflags openssl)"
 export LDFLAGS="%{extension_ldflags} -g $(pkg-config --libs-only-L openssl)"
-export LDFLAGS_NODIST="%{build_ldflags} -fno-semantic-interposition -g $(pkg-config --libs-only-L openssl)"
+export LDFLAGS_NODIST="%{build_ldflags}%{?with_no_semantic_interposition: -fno-semantic-interposition} -g $(pkg-config --libs-only-L openssl)"
 
 # We can build several different configurations of Python: regular and debug.
 # Define a common function that does one build:
@@ -804,7 +829,7 @@ mkdir -p %{buildroot}$DirHoldingGdbPy
 # Filanames are defined here:
 %global _pyconfig32_h pyconfig-32.h
 %global _pyconfig64_h pyconfig-64.h
-%global _pyconfig_h pyconfig-%{wordsize}.h
+%global _pyconfig_h pyconfig-%{__isa_bits}.h
 
 # Use a common function to do an install for all our configurations:
 InstallPython() {
@@ -1082,6 +1107,7 @@ CheckPython() {
   LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.pythoninfo
 
   # Run the upstream test suite
+  # --timeout=1800: kill test running for longer than 30 minutes
   # test_gdb skipped on s390x:
   #   https://bugzilla.redhat.com/show_bug.cgi?id=1678277
   # test_gdb skipped everywhere:
@@ -1090,7 +1116,7 @@ CheckPython() {
   #   distutils.tests.test_bdist_rpm tests fail when bootstraping the Python
   #   package: rpmbuild requires /usr/bin/pythonX.Y to be installed
   LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \
-    -wW --slowest -j0 \
+    -wW --slowest -j0 --timeout=1800 \
     %if %{with bootstrap}
     -x test_distutils \
     %endif
@@ -1690,7 +1716,7 @@ fi
 %ghost %{_bindir}/python3-debug-config
 
 %{_libdir}/libpython%{LDVERSION_debug}.so
-%{_libdir}/libpython%{LDVERSION_debug}.so.1.0
+%{_libdir}/libpython%{LDVERSION_debug}.so.%{py_SOVERSION}
 %{_libdir}/pkgconfig/python-%{LDVERSION_debug}.pc
 %{_libdir}/pkgconfig/python-%{LDVERSION_debug}-embed.pc
 
@@ -1732,6 +1758,40 @@ fi
 # ======================================================
 
 %changelog
+* Mon Aug 17 2020 Tomas Orsava <torsava@redhat.com> - 3.8.3-3
+- Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907)
+Resolves: rhbz#1856481
+- Resolve hash collisions for Pv4Interface and IPv6Interface (CVE-2020-14422)
+Resolves: rhbz#1854926
+
+* Wed Jun 24 2020 Tomas Orsava <torsava@redhat.com> - 3.8.3-2
+- Fix sqlite3 deterministic test
+Related: rhbz#1847416
+
+* Wed Jun 24 2020 Tomas Orsava <torsava@redhat.com> - 3.8.3-1
+- Rebased to 3.8.3 final
+- Backported changes from Fedora
+  - Recommend python3-tkinter when tk is installed
+  - Add bcond for no_semantic_interposition (enabled by default)
+  - Update the ensurepip module to work with setuptools >= 45
+Resolves: rhbz#1847416
+
+* Thu May 07 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.8.0-10
+- Fix test_hashlib and test_hmac under FIPS mode
+Resolves: rhbz#1812477
+
+* Thu Apr 23 2020 Lumír Balhar <lbalhar@redhat.com> - 3.8.0-9
+- Fix ensurepip to run pip via runpy to fix compatibility with pip 19.3.1
+Resolves: rhbz#1827623
+
+* Wed Apr 22 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.8.0-8
+- Skip test_startup_imports from test_site if we have a .pth file in sys.path
+Resolves: rhbz#1815643
+
+* Fri Apr 03 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.8.0-7
+- Security fix for CVE-2020-8492
+Resolves: rhbz#1810622
+
 * Mon Feb 24 2020 Tomas Orsava <torsava@redhat.com> - 3.8.0-6
 - Implement alternatives for /usr/bin/python, python3 and related executables
 - Resolves: rhbz#1807041