rpms
/
python38
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python38-3.8.12-1.module+el8.6.0+12642+c3710b74

This commit is contained in:
CentOS Sources 2021-09-20 22:04:28 +00:00 committed by root
parent ea0bed0fe2
commit af519ff8e3
8 changed files with 178 additions and 348 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.8.8-noexe.tar.xz
SOURCES/Python-3.8.12-noexe.tar.xz

2
.python38.metadata
View File

@ -1 +1 @@
e3e4bc64d5e353b8db5882570d6eaec8e4d42f71 SOURCES/Python-3.8.8-noexe.tar.xz
d6a093ce67cb3c7b43a75c1925b8823e571a8311 SOURCES/Python-3.8.12-noexe.tar.xz

21
SOURCES/00189-use-rpm-wheels.patch
View File

@ -1,4 +1,4 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From 7558ea14881f9afdf622375b5140b209c0c2f84d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Wed, 15 Aug 2018 15:36:29 +0200
Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels
Downstream only: upstream bundles
We might eventually pursuit upstream support, but it's low prio
---
Lib/ensurepip/__init__.py | 32 ++++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
Lib/ensurepip/__init__.py | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
index 38bb42104b..413c1b300e 100644
index 597a1ef..3c2287f 100644
--- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py
@@ -1,6 +1,7 @@
@ -24,16 +24,16 @@ index 38bb42104b..413c1b300e 100644
import sys
import runpy
import tempfile
@@ -9,10 +10,24 @@ import subprocess
@@ -9,9 +10,24 @@ import subprocess
__all__ = ["version", "bootstrap"]
-_SETUPTOOLS_VERSION = "56.0.0"
+_WHEEL_DIR = "/usr/share/python38-wheels/"
-_SETUPTOOLS_VERSION = "49.2.1"
-_PIP_VERSION = "21.1.1"
+_wheels = {}
-_PIP_VERSION = "20.2.3"
+
+def _get_most_recent_wheel_version(pkg):
+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))
+ _wheels[pkg] = {}
@ -51,7 +51,7 @@ index 38bb42104b..413c1b300e 100644
_PROJECTS = [
("setuptools", _SETUPTOOLS_VERSION, "py3"),
@@ -102,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
@@ -101,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
# additional paths that need added to sys.path
additional_paths = []
for project, version, py_tag in _PROJECTS:
@ -69,3 +69,6 @@ index 38bb42104b..413c1b300e 100644
additional_paths.append(os.path.join(tmpdir, wheel_name))
--
2.31.1

261
SOURCES/00329-fips.patch
View File

@ -1,4 +1,4 @@
From 7b70e87ecc1a75f005bdffd644ceca6c9e9679fa Mon Sep 17 00:00:00 2001
From 9e1da6c093529d7b314f3703158a213824c3521e Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 16:19:52 +0200
Subject: [PATCH 01/36] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode()
@ -26,12 +26,12 @@ index 56873b7..63ae836 100644
for __func_name in __always_supported:
# try them all, some may not work due to the OpenSSL
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index edadbcb..9874b06 100644
index 93bf25f..2409522 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -26,6 +26,9 @@
@@ -33,6 +33,9 @@
#include <openssl/objects.h>
#include "openssl/err.h"
#include <openssl/err.h>
+/* Expose FIPS_mode */
+#include <openssl/crypto.h>
@ -39,7 +39,7 @@ index edadbcb..9874b06 100644
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
@@ -1072,12 +1075,46 @@ generate_hash_name_list(void)
@@ -1079,12 +1082,46 @@ generate_hash_name_list(void)
return state.set;
}
@ -123,10 +123,10 @@ index 9aaea47..30fd8a9 100644
-/*[clinic end generated code: output=38c2637f67e9bb79 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/
--
2.25.4
2.31.1
From 4e1fa0339c257987984caa278516d46c35463385 Mon Sep 17 00:00:00 2001
From 5a8faeb61d7acd6c7036efe24efe269c683dc1a0 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 25 Jul 2019 17:04:06 +0200
Subject: [PATCH 02/36] Use python's fall backs for the crypto it implements
@ -422,10 +422,10 @@ index 8b53d23..e9abcbb 100644
self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac)
--
2.25.4
2.31.1
From 91b5c97d586a98cb95e215ecd2c02b18c8783e7a Mon Sep 17 00:00:00 2001
From d21c5a098dda889de21985e57f12852ce9fbbcf1 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 17:19:06 +0200
Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode,
@ -438,8 +438,8 @@ Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode,
Modules/_blake2/blake2s_impl.c | 5 +++
Modules/_hashopenssl.c | 37 +------------------
Modules/_sha3/sha3module.c | 5 +++
setup.py | 47 ++++++++++++------------
7 files changed, 110 insertions(+), 58 deletions(-)
setup.py | 48 +++++++++++++------------
7 files changed, 111 insertions(+), 58 deletions(-)
create mode 100644 Include/_hashopenssl.h
diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h
@ -596,10 +596,10 @@ index ef2f7e1..389711a 100644
if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 9874b06..d733a39 100644
index 2409522..a51c502 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -17,6 +17,7 @@
@@ -24,6 +24,7 @@
#include "structmember.h"
#include "hashlib.h"
#include "pystrhex.h"
@ -607,18 +607,18 @@ index 9874b06..d733a39 100644
/* EVP is the preferred interface to hashing in OpenSSL */
@@ -24,10 +25,6 @@
@@ -31,10 +32,6 @@
#include <openssl/hmac.h>
/* We use the object interface to discover what hashes OpenSSL supports. */
#include <openssl/objects.h>
-#include "openssl/err.h"
-#include <openssl/err.h>
-
-/* Expose FIPS_mode */
-#include <openssl/crypto.h>
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
@@ -69,38 +66,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype"
@@ -76,38 +73,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype"
[clinic start generated code]*/
/*[clinic end generated code: output=da39a3ee5e6b4b0d input=a881a5092eecad28]*/
@ -695,10 +695,10 @@ index c1fb618..34d09b4 100644
return NULL;
}
diff --git a/setup.py b/setup.py
index 84f7300..06d1ce6 100644
index c28c096..a11bbda 100644
--- a/setup.py
+++ b/setup.py
@@ -1688,7 +1688,6 @@ class PyBuildExt(build_ext):
@@ -1673,7 +1673,6 @@ class PyBuildExt(build_ext):
def detect_modules(self):
self.configure_compiler()
self.init_inc_lib_dirs()
@ -706,7 +706,7 @@ index 84f7300..06d1ce6 100644
self.detect_simple_extensions()
if TEST_EXTENSIONS:
self.detect_test_extensions()
@@ -2187,7 +2186,7 @@ class PyBuildExt(build_ext):
@@ -2161,7 +2160,7 @@ class PyBuildExt(build_ext):
sources=sources,
depends=depends))
@ -715,7 +715,7 @@ index 84f7300..06d1ce6 100644
# Detect SSL support for the socket module (via _ssl)
config_vars = sysconfig.get_config_vars()
@@ -2208,7 +2207,7 @@ class PyBuildExt(build_ext):
@@ -2182,7 +2181,7 @@ class PyBuildExt(build_ext):
if not openssl_libs:
# libssl and libcrypto not found
self.missing.extend(['_ssl', '_hashlib'])
@ -724,7 +724,7 @@ index 84f7300..06d1ce6 100644
# Find OpenSSL includes
ssl_incs = find_file(
@@ -2216,7 +2215,7 @@ class PyBuildExt(build_ext):
@@ -2190,7 +2189,7 @@ class PyBuildExt(build_ext):
)
if ssl_incs is None:
self.missing.extend(['_ssl', '_hashlib'])
@ -733,7 +733,7 @@ index 84f7300..06d1ce6 100644
# OpenSSL 1.0.2 uses Kerberos for KRB5 ciphers
krb5_h = find_file(
@@ -2226,12 +2225,23 @@ class PyBuildExt(build_ext):
@@ -2200,12 +2199,24 @@ class PyBuildExt(build_ext):
if krb5_h:
ssl_incs.extend(krb5_h)
@ -749,6 +749,7 @@ index 84f7300..06d1ce6 100644
+ def detect_openssl_hashlib(self):
+
+ config_vars = sysconfig.get_config_vars()
+
+
if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
self.add(Extension(
@ -757,10 +758,10 @@ index 84f7300..06d1ce6 100644
- library_dirs=openssl_libdirs,
- libraries=openssl_libs,
+ **self.detect_openssl_args(),
depends=['socketmodule.h', '_ssl/debughelpers.c'])
)
else:
@@ -2239,22 +2249,12 @@ class PyBuildExt(build_ext):
depends=[
'socketmodule.h',
'_ssl/debughelpers.c',
@@ -2218,22 +2229,12 @@ class PyBuildExt(build_ext):
self.add(Extension('_hashlib', ['_hashopenssl.c'],
depends=['hashlib.h'],
@ -787,7 +788,7 @@ index 84f7300..06d1ce6 100644
blake2_deps = glob(os.path.join(escape(self.srcdir),
'Modules/_blake2/impl/*'))
@@ -2264,6 +2264,7 @@ class PyBuildExt(build_ext):
@@ -2243,6 +2244,7 @@ class PyBuildExt(build_ext):
['_blake2/blake2module.c',
'_blake2/blake2b_impl.c',
'_blake2/blake2s_impl.c'],
@ -795,7 +796,7 @@ index 84f7300..06d1ce6 100644
depends=blake2_deps))
sha3_deps = glob(os.path.join(escape(self.srcdir),
@@ -2271,7 +2272,9 @@ class PyBuildExt(build_ext):
@@ -2250,7 +2252,9 @@ class PyBuildExt(build_ext):
sha3_deps.append('hashlib.h')
self.add(Extension('_sha3',
['_sha3/sha3module.c'],
@ -807,10 +808,10 @@ index 84f7300..06d1ce6 100644
def detect_nis(self):
if MS_WINDOWS or CYGWIN or HOST_PLATFORM == 'qnx6':
--
2.25.4
2.31.1
From d9b8f21a1b5feb177ece4c595ce8b639f02548c8 Mon Sep 17 00:00:00 2001
From 668177d86702b10da881f76cf17bda44d8823be9 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 12 Dec 2019 16:58:31 +0100
Subject: [PATCH 04/36] Expose all hashes available to OpenSSL
@ -821,10 +822,10 @@ Subject: [PATCH 04/36] Expose all hashes available to OpenSSL
2 files changed, 447 insertions(+), 1 deletion(-)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index d733a39..6982268 100644
index a51c502..713e15a 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -194,6 +194,12 @@ py_digest_by_name(const char *name)
@@ -201,6 +201,12 @@ py_digest_by_name(const char *name)
else if (!strcmp(name, "blake2b512")) {
digest = EVP_blake2b512();
}
@ -837,7 +838,7 @@ index d733a39..6982268 100644
#endif
}
@@ -712,6 +718,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj)
@@ -719,6 +725,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj)
return EVP_fast_new(module, data_obj, EVP_sha512());
}
@ -980,7 +981,7 @@ index d733a39..6982268 100644
/*[clinic input]
_hashlib.pbkdf2_hmac as pbkdf2_hmac
@@ -1087,6 +1229,14 @@ static struct PyMethodDef EVP_functions[] = {
@@ -1094,6 +1236,14 @@ static struct PyMethodDef EVP_functions[] = {
_HASHLIB_OPENSSL_SHA256_METHODDEF
_HASHLIB_OPENSSL_SHA384_METHODDEF
_HASHLIB_OPENSSL_SHA512_METHODDEF
@ -1309,10 +1310,10 @@ index 30fd8a9..e96a752 100644
-/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/
+/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/
--
2.25.4
2.31.1
From d4c78750ffb431fe34a18aab7cdf84d3a68d7fc1 Mon Sep 17 00:00:00 2001
From 7137c003853b8672eed4d28fe8703756b75ab790 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 18:13:45 +0200
Subject: [PATCH 05/36] Fix tests
@ -1441,10 +1442,10 @@ index e9abcbb..2a55fd4 100644
@requires_sha3
def test_extra_sha3(self):
--
2.25.4
2.31.1
From 4ec7034d73e681041758fc80f75e061c0e506449 Mon Sep 17 00:00:00 2001
From 94f13c68d2a4845e58d4c7b7adf01e64f993c4f5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 11:27:57 +0200
Subject: [PATCH 06/36] Change FIPS exceptions from _blake2, _sha3 module init
@ -1583,10 +1584,10 @@ index 34d09b4..3079e1e 100644
if ((m = PyModule_Create(&_SHA3module)) == NULL) {
return NULL;
--
2.25.4
2.31.1
From ed6f93218c2190d34ee0b0f4c7599d306708449f Mon Sep 17 00:00:00 2001
From 805af2c3dcbe1855a9fb8eb534b985aed338c2ba Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 11:24:09 +0200
Subject: [PATCH 07/36] Make hashlib importable under FIPS mode
@ -1618,10 +1619,10 @@ index 1bcfdf9..898e6dc 100644
--
2.25.4
2.31.1
From 66c5862bb09586168caac4d6ba6142ed3198fe1d Mon Sep 17 00:00:00 2001
From bc3f033f0a832e6b7ddf50e1059de8fc5df08d3f Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 15:41:10 +0200
Subject: [PATCH 08/36] Implement hmac.new using new built-in module,
@ -2249,10 +2250,10 @@ index 0000000..b472a6e
+}
+/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/
diff --git a/setup.py b/setup.py
index 06d1ce6..ca8bc2b 100644
index a11bbda..ca30105 100644
--- a/setup.py
+++ b/setup.py
@@ -2251,6 +2251,10 @@ class PyBuildExt(build_ext):
@@ -2231,6 +2231,10 @@ class PyBuildExt(build_ext):
depends=['hashlib.h'],
**self.detect_openssl_args()) )
@ -2264,10 +2265,10 @@ index 06d1ce6..ca8bc2b 100644
# RHEL: Always force OpenSSL for md5, sha1, sha256, sha512;
# don't build Python's implementations.
--
2.25.4
2.31.1
From 6ec3a1afd87a3aa411a19727e212ebf81fee49cc Mon Sep 17 00:00:00 2001
From da75615e1f3e6b8f44a16e5113a4a6fd55e48629 Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Mon, 29 Jul 2019 12:45:11 +0200
Subject: [PATCH 09/36] FIPS review
@ -2479,10 +2480,10 @@ index ca95d72..216ed04 100644
+ return PyModuleDef_Init(&_hmacopenssl_def);
}
--
2.25.4
2.31.1
From 8645a4cf6ee2ad10fac3d081da78eabb06099a9c Mon Sep 17 00:00:00 2001
From f48fab4946308008e989d845ce0dbc2cff6ce9ff Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Mon, 29 Jul 2019 13:05:04 +0200
Subject: [PATCH 10/36] revert cosmetic nitpick and remove trailing whitespace
@ -2528,10 +2529,10 @@ index 216ed04..221714c 100644
.m_methods = hmacopenssl_functions,
.m_slots = hmacopenssl_slots,
--
2.25.4
2.31.1
From d80ae6ac0abf1e0ca5a32ff80343e927587cf5a6 Mon Sep 17 00:00:00 2001
From dc55436077250ba791ee67692fdc8704a900987b Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Wed, 31 Jul 2019 15:43:43 +0200
Subject: [PATCH 11/36] Add initial tests for various hashes under FIPS mode
@ -2612,10 +2613,10 @@ index 0000000..bee911e
+if __name__ == "__main__":
+ unittest.main()
--
2.25.4
2.31.1
From 414c04713ad89bdeeb7a074f953c0085d541eae6 Mon Sep 17 00:00:00 2001
From 446c6a790ef878bda6137ebfc570f36dee01c380 Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Thu, 1 Aug 2019 16:39:37 +0200
Subject: [PATCH 12/36] Initialize HMAC type.
@ -2681,10 +2682,10 @@ index 221714c..239445a 100644
fail:
--
2.25.4
2.31.1
From 0157b52ac7f15610526497f9188eb84ed3846993 Mon Sep 17 00:00:00 2001
From 357007a6034cc3409ad2e2fe9fc77974ea6de626 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 1 Aug 2019 17:57:05 +0200
Subject: [PATCH 13/36] Use a stronger hash in multiprocessing handshake
@ -2729,10 +2730,10 @@ index 8e2facf..bb4acb6 100644
response = connection.recv_bytes(256) # reject large message
if response != WELCOME:
--
2.25.4
2.31.1
From 3730b4186cf708bb8ea528c22734d4c1176fc9ad Mon Sep 17 00:00:00 2001
From fddd82fedc5ea8b49ceab49296c7bddb9f3f1204 Mon Sep 17 00:00:00 2001
From: Marcel Plch <mplch@redhat.com>
Date: Fri, 2 Aug 2019 17:36:01 +0200
Subject: [PATCH 14/36] Fix refcounting
@ -2803,10 +2804,10 @@ index 239445a..9c28828 100644
--
2.25.4
2.31.1
From 1873bfe385a1b952ba11c2b2f15755353f2411df Mon Sep 17 00:00:00 2001
From 42f7d2fbefe161607ad146f44d2abd19fe804810 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 13:37:05 +0200
Subject: [PATCH 15/36] hmac: Don't default to md5 in FIPS mode
@ -2829,10 +2830,10 @@ index daabc8c..0302364 100644
result = _hmacopenssl.new(key, digestmod=name)
if msg:
--
2.25.4
2.31.1
From f77c854b9c5aab3e2bb517b6d0c08197a116efb1 Mon Sep 17 00:00:00 2001
From e285342c3b17de9b13ccbf2dbdb68cce5b4df86c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 14:20:58 +0200
Subject: [PATCH 16/36] Make _hmacopenssl.HMAC subclassable; subclass it as
@ -3120,10 +3121,10 @@ index b472a6e..861acc1 100644
-/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/
--
2.25.4
2.31.1
From b357a1f823b7b231d1a8bc149b5a950246350d3c Mon Sep 17 00:00:00 2001
From 5dab92e1f96fc0940a2d5d365708329e8c282587 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 16:10:36 +0200
Subject: [PATCH 17/36] Fix _hmacopenssl.HMAC.block_size
@ -3146,10 +3147,10 @@ index 7d3d973..a24c8ba 100644
static PyMethodDef Hmac_methods[] = {
--
2.25.4
2.31.1
From ee03c8ff14206070a7e4e4d13c4b067bcf25193d Mon Sep 17 00:00:00 2001
From d39cc2e44d6debffce096b82d30909e2662379ab Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 15:02:08 +0200
Subject: [PATCH 18/36] distutils upload: Skip md5 checksum in FIPS mode
@ -3228,10 +3229,10 @@ index c17d8e7..b4b64e9 100644
def test_upload_fails(self):
--
2.25.4
2.31.1
From fd0fd3310ff7c7dae0ea4377b71928ca3e242a21 Mon Sep 17 00:00:00 2001
From 124f7e862bdbf6615e64fedfa73a76e199d68644 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 15:32:25 +0200
Subject: [PATCH 19/36] Fix HMAC tests on FIPS mode
@ -3321,10 +3322,10 @@ index 23c108f..0a85981 100644
def test_equality(self):
# Testing if the copy has the same digests.
--
2.25.4
2.31.1
From e0c4dfcfc3070d0b3b25f77357509b9daa5f9891 Mon Sep 17 00:00:00 2001
From 6bc6c745da5c2d860de9f76402ccf554e398bbbc Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 16:37:12 +0200
Subject: [PATCH 20/36] test_tools: Skip md5sum tests in FIPS mode
@ -3354,10 +3355,10 @@ index fb565b7..7028a4d 100644
@classmethod
def setUpClass(cls):
--
2.25.4
2.31.1
From 510915020bb7c7c91d297fb3330ee9be3ee16b6f Mon Sep 17 00:00:00 2001
From 22f2476f2a19dfc4e4c25e5df2f059bf8e15d397 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 18:23:57 +0200
Subject: [PATCH 21/36] Make hashlib tests pass in FIPS mode
@ -3549,10 +3550,10 @@ index 2a55fd4..9ae5efc 100644
@support.reap_threads
def test_threaded_hashing(self):
--
2.25.4
2.31.1
From de9997db1f55fe4c70f0a5c4fe5b497e8c6839a2 Mon Sep 17 00:00:00 2001
From ca8655cc0f8c1bcfb5ae970d33a826c092746203 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 14 Aug 2019 14:43:07 +0200
Subject: [PATCH 22/36] distutils upload: only add md5 if available, but
@ -3619,10 +3620,10 @@ index b4b64e9..f720a79 100644
def test_upload_fails(self):
--
2.25.4
2.31.1
From 30407ef6fd2fb0fcb950cab57d4bd23121ef9084 Mon Sep 17 00:00:00 2001
From 12f506902ee04749565485bb60f0b927b2895e71 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 13 Sep 2019 02:30:00 +0200
Subject: [PATCH 23/36] bpo-9216: Add usedforsecurity to hashlib constructors
@ -3656,7 +3657,7 @@ Contributed and Signed-off-by: Christian Heimes christian@python.org
create mode 100644 Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst
diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
index a16c7cd..6eb3a7b 100644
index f5da6ec..86b9f65 100644
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@@ -67,7 +67,7 @@ Constructors for hash algorithms that are always present in this module are
@ -3944,10 +3945,10 @@ index 560bd68..71c5706 100644
-/*[clinic end generated code: output=39af5a74c8805b36 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=c80d8d06ce40a192 input=a9049054013a1b77]*/
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 6982268..a1f81eb 100644
index 713e15a..b4d05ab 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -521,7 +521,7 @@ static PyTypeObject EVPtype = {
@@ -528,7 +528,7 @@ static PyTypeObject EVPtype = {
\
static PyObject *
EVPnew(const EVP_MD *digest,
@ -3956,7 +3957,7 @@ index 6982268..a1f81eb 100644
{
int result = 0;
EVPobject *self;
@@ -534,6 +534,12 @@ EVPnew(const EVP_MD *digest,
@@ -541,6 +541,12 @@ EVPnew(const EVP_MD *digest,
if ((self = newEVPobject()) == NULL)
return NULL;
@ -3969,7 +3970,7 @@ index 6982268..a1f81eb 100644
if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) {
_setException(PyExc_ValueError);
Py_DECREF(self);
@@ -565,6 +571,8 @@ _hashlib.new as EVP_new
@@ -572,6 +578,8 @@ _hashlib.new as EVP_new
name as name_obj: object
string as data_obj: object(c_default="NULL") = b''
@ -3978,7 +3979,7 @@ index 6982268..a1f81eb 100644
Return a new hash object using the named algorithm.
@@ -575,8 +583,9 @@ The MD5 and SHA1 algorithms are always supported.
@@ -582,8 +590,9 @@ The MD5 and SHA1 algorithms are always supported.
[clinic start generated code]*/
static PyObject *
@ -3990,7 +3991,7 @@ index 6982268..a1f81eb 100644
{
Py_buffer view = { 0 };
PyObject *ret_obj;
@@ -593,7 +602,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
@@ -600,7 +609,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
digest = py_digest_by_name(name);
@ -4001,7 +4002,7 @@ index 6982268..a1f81eb 100644
if (data_obj)
PyBuffer_Release(&view);
@@ -601,7 +612,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
@@ -608,7 +619,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj)
}
static PyObject*
@ -4011,7 +4012,7 @@ index 6982268..a1f81eb 100644
{
Py_buffer view = { 0 };
PyObject *ret_obj;
@@ -609,7 +621,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
@@ -616,7 +628,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
if (data_obj)
GET_BUFFER_VIEW_OR_ERROUT(data_obj, &view);
@ -4021,7 +4022,7 @@ index 6982268..a1f81eb 100644
if (data_obj)
PyBuffer_Release(&view);
@@ -621,16 +634,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
@@ -628,16 +641,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest)
_hashlib.openssl_md5
string as data_obj: object(py_default="b''") = NULL
@ -4044,7 +4045,7 @@ index 6982268..a1f81eb 100644
}
@@ -638,16 +654,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj)
@@ -645,16 +661,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha1
string as data_obj: object(py_default="b''") = NULL
@ -4067,7 +4068,7 @@ index 6982268..a1f81eb 100644
}
@@ -655,16 +674,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj)
@@ -662,16 +681,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha224
string as data_obj: object(py_default="b''") = NULL
@ -4090,7 +4091,7 @@ index 6982268..a1f81eb 100644
}
@@ -672,16 +694,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj)
@@ -679,16 +701,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha256
string as data_obj: object(py_default="b''") = NULL
@ -4113,7 +4114,7 @@ index 6982268..a1f81eb 100644
}
@@ -689,16 +714,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj)
@@ -696,16 +721,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha384
string as data_obj: object(py_default="b''") = NULL
@ -4136,7 +4137,7 @@ index 6982268..a1f81eb 100644
}
@@ -706,152 +734,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj)
@@ -713,152 +741,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj)
_hashlib.openssl_sha512
string as data_obj: object(py_default="b''") = NULL
@ -5729,7 +5730,7 @@ index 459a934..b8185b6 100644
-/*[clinic end generated code: output=580df4b667084a7e input=a9049054013a1b77]*/
+/*[clinic end generated code: output=bbfa72d8703c82b5 input=a9049054013a1b77]*/
diff --git a/Modules/md5module.c b/Modules/md5module.c
index c2ebaaf..fdc4d7b 100644
index 64fab80..ee4efe4 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -503,13 +503,15 @@ static PyTypeObject MD5type = {
@ -5751,7 +5752,7 @@ index c2ebaaf..fdc4d7b 100644
MD5object *new;
Py_buffer buf;
diff --git a/Modules/sha1module.c b/Modules/sha1module.c
index ce2ad26..4d191c3 100644
index 4a8dbd8..aec0bad 100644
--- a/Modules/sha1module.c
+++ b/Modules/sha1module.c
@@ -480,13 +480,15 @@ static PyTypeObject SHA1type = {
@ -5773,7 +5774,7 @@ index ce2ad26..4d191c3 100644
SHA1object *new;
Py_buffer buf;
diff --git a/Modules/sha256module.c b/Modules/sha256module.c
index b8d6c4c..245f4c0 100644
index a1c8b1a..8777c59 100644
--- a/Modules/sha256module.c
+++ b/Modules/sha256module.c
@@ -601,13 +601,15 @@ static PyTypeObject SHA256type = {
@ -5813,7 +5814,7 @@ index b8d6c4c..245f4c0 100644
SHAobject *new;
Py_buffer buf;
diff --git a/Modules/sha512module.c b/Modules/sha512module.c
index 98b9791..df4f9d2 100644
index 4167fd3..504d40a 100644
--- a/Modules/sha512module.c
+++ b/Modules/sha512module.c
@@ -666,13 +666,15 @@ static PyTypeObject SHA512type = {
@ -5853,10 +5854,10 @@ index 98b9791..df4f9d2 100644
SHAobject *new;
Py_buffer buf;
--
2.25.4
2.31.1
From 095d8ea318b20b5d42ada0367ca770c15e6f6fa2 Mon Sep 17 00:00:00 2001
From 041f34e22d7c458b611a72e3927deb85f20d1a85 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:09:39 +0200
Subject: [PATCH 24/36] Test the usedforsecurity flag
@ -6099,10 +6100,10 @@ index 08bb91f..1368e91 100644
class KDFTests(unittest.TestCase):
--
2.25.4
2.31.1
From 59b7e853d919380ca6c11655bbc7041ee395417d Mon Sep 17 00:00:00 2001
From 6ae69003979add3243d700e1f5154cf83818ea62 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 29 Aug 2019 10:25:28 +0200
Subject: [PATCH 25/36] Skip error checking in _hashlib.get_fips_mode
@ -6113,10 +6114,10 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index a1f81eb..eff331b 100644
index b4d05ab..a48b607 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -1253,20 +1253,22 @@ _hashlib_get_fips_mode_impl(PyObject *module)
@@ -1260,20 +1260,22 @@ _hashlib_get_fips_mode_impl(PyObject *module)
/*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/
{
@ -6154,10 +6155,10 @@ index a1f81eb..eff331b 100644
--
2.25.4
2.31.1
From 7f5432d72546f60078989b6cadf26cd51de84ebd Mon Sep 17 00:00:00 2001
From 95b58ae12206c7889e0159a720c1a96fcb2dc050 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 10 Oct 2019 13:04:50 +0200
Subject: [PATCH 26/36] Skip error checking in _Py_hashlib_fips_error
@ -6192,10 +6193,10 @@ index 47ed003..d4cbdef 100644
}
PyErr_Format(exc, "%s is not available in FIPS mode", name);
--
2.25.4
2.31.1
From 05f7188136bda8eeec06428aa4ddf9ab14a178a0 Mon Sep 17 00:00:00 2001
From ba0462edf8fb3ae3cb04151460002cf687758605 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 19:12:38 +0200
Subject: [PATCH 27/36] Fixups
@ -6234,10 +6235,10 @@ index 0a85981..0b481ec 100644
h1 = hmac.HMAC(b"key", digestmod="sha1")
h2 = h1.copy()
--
2.25.4
2.31.1
From 0f707443431d9dc22218be7208d940f4d42f122d Mon Sep 17 00:00:00 2001
From d2596ea3fab68d2fc586abaae64323599c2a74c8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:39:48 +0200
Subject: [PATCH 28/36] Don't re-export get_fips_mode from hashlib
@ -6550,7 +6551,7 @@ index 0b481ec..cc77928 100644
def test_realcopy(self):
# Testing if the copy method created a real copy.
diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py
index d0c9862..9a44c0d 100644
index c9205ae..e4d7fb4 100644
--- a/Lib/test/test_smtplib.py
+++ b/Lib/test/test_smtplib.py
@@ -17,6 +17,8 @@ import select
@ -6562,7 +6563,7 @@ index d0c9862..9a44c0d 100644
import unittest
from test import support, mock_socket
@@ -1021,7 +1023,7 @@ class SMTPSimTests(unittest.TestCase):
@@ -1059,7 +1061,7 @@ class SMTPSimTests(unittest.TestCase):
def testAUTH_multiple(self):
# Test that multiple authentication methods are tried.
@ -6604,10 +6605,10 @@ index 1cb358f..6f5cb7f 100644
from test import support
--
2.25.4
2.31.1
From 9515f9be3409fdc59cf9c09dd200917483e1651a Mon Sep 17 00:00:00 2001
From 7873a4a314732768bc4d11a095ae50f0553bdebd Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 20 Nov 2019 10:59:25 +0100
Subject: [PATCH 29/36] Use FIPS compliant CSPRNG
@ -6624,7 +6625,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py
index 2a4ae15..5ad5bd6 100644
index 5302b1c..ed335ad 100644
--- a/Lib/test/test_os.py
+++ b/Lib/test/test_os.py
@@ -1546,6 +1546,11 @@ class GetRandomTests(unittest.TestCase):
@ -6640,7 +6641,7 @@ index 2a4ae15..5ad5bd6 100644
def test_getrandom_type(self):
data = os.getrandom(16)
diff --git a/Makefile.pre.in b/Makefile.pre.in
index 917303d..ddfbfd0 100644
index 381a8ab..e7778f4 100644
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR
@ -6653,10 +6654,10 @@ index 917303d..ddfbfd0 100644
CFLAGS_ALIASING=@CFLAGS_ALIASING@
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
index 726e372..9a1249a 100644
index d7edabe..f825d5a 100644
--- a/Modules/posixmodule.c
+++ b/Modules/posixmodule.c
@@ -388,6 +388,9 @@ extern char *ctermid_r(char *);
@@ -389,6 +389,9 @@ extern char *ctermid_r(char *);
#define MODNAME "posix"
#endif
@ -6666,7 +6667,7 @@ index 726e372..9a1249a 100644
#if defined(__sun)
/* Something to implement in autoconf, not present in autoconf 2.69 */
#define HAVE_STRUCT_STAT_ST_FSTYPE 1
@@ -13558,6 +13561,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags)
@@ -13650,6 +13653,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags)
return posix_error();
}
@ -6772,10 +6773,10 @@ index eb2b6d0..cb38cfe 100644
return win32_urandom((unsigned char *)buffer, size, raise);
#else
--
2.25.4
2.31.1
From ba95383d9b37f252bd153674404dc4055d49bf82 Mon Sep 17 00:00:00 2001
From 99ee25369116bf17731502e77a81bd0c5ac59b38 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 28 Nov 2019 17:26:02 +0100
Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG
@ -6786,7 +6787,7 @@ Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG
2 files changed, 5 insertions(+), 31 deletions(-)
diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py
index 5ad5bd6..ae53de9 100644
index ed335ad..f306316 100644
--- a/Lib/test/test_os.py
+++ b/Lib/test/test_os.py
@@ -28,6 +28,7 @@ import time
@ -6871,10 +6872,10 @@ index cb38cfe..08fa29a 100644
return 0;
}
--
2.25.4
2.31.1
From 496a58146aa42b97661c5ea1afeaa223e8fd4ceb Mon Sep 17 00:00:00 2001
From 3750c8b8b4c09c6bc795721bc353da23b015fe4d Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 2 Apr 2020 16:50:37 +0200
Subject: [PATCH 31/36] Do not raise a ValueError if digestmod is missing in
@ -6901,10 +6902,10 @@ index 5055027..ee1ad76 100644
return digestmod.lower()
elif callable(digestmod):
--
2.25.4
2.31.1
From 3f346ea93c2504e169a2df21e2de206031a08600 Mon Sep 17 00:00:00 2001
From 737af204f04bb39e5f87d53fe07713137639234e Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 2 Apr 2020 16:55:36 +0200
Subject: [PATCH 32/36] Regenerate the clinic files
@ -6988,10 +6989,10 @@ index 861acc1..527be83 100644
-/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=9b75c31e1116bf6f input=a9049054013a1b77]*/
--
2.25.4
2.31.1
From f4465980ae75c0e56cd1edecf9a42fa38b9cd12a Mon Sep 17 00:00:00 2001
From d0e7edf46ceef6ffb6075bb8b8b966f31df018fc Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 7 Apr 2020 15:16:45 +0200
Subject: [PATCH 33/36] Pass kwargs (like usedforsecurity) through __hash_new
@ -7023,10 +7024,10 @@ index 2fc214e..785858f 100644
try:
--
2.25.4
2.31.1
From 6c0ba219c01052f8b079ce67b89a75920b3aa867 Mon Sep 17 00:00:00 2001
From 0e3f635871d22831cbb5f0bffb9962f2a1ad29eb Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 7 Apr 2020 15:18:48 +0200
Subject: [PATCH 34/36] Adjust new upstream test for failing hashes with
@ -7069,10 +7070,10 @@ index a4b7840..a858bf4 100644
self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam')
self.assertRaises(TypeError, hashlib.new, 1)
--
2.25.4
2.31.1
From 041105f888785599e58213dfea55115a4e861d77 Mon Sep 17 00:00:00 2001
From 8145cfd2f71749a9fe844e5abc725f36e9085b22 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 24 Apr 2020 19:57:16 +0200
Subject: [PATCH 35/36] Skip the test_with_digestmod_no_default under FIPS
@ -7115,10 +7116,10 @@ index cc77928..fd068e0 100644
class ConstructorTestCase(unittest.TestCase):
--
2.25.4
2.31.1
From e20750200d560a549cbbf224ded74bb086ef3e66 Mon Sep 17 00:00:00 2001
From 969498fda9699b2e9d2df4a78a671e37d578daea Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Tue, 31 Mar 2020 18:00:42 +0200
Subject: [PATCH 36/36] Add a sentinel value on the Hmac_members table of the
@ -7141,5 +7142,5 @@ index 9577cad..4bd7c15 100644
PyDoc_STRVAR(hmactype_doc,
--
2.25.4
2.31.1

47
SOURCES/00359-CVE-2021-23336.patch
View File

@ -1,4 +1,4 @@
From a11d61081c3887c2b4c36e8726597e05f789c2e2 Mon Sep 17 00:00:00 2001
From 78da9e020385fe78e36c20f99a0910bbc4a0c100 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 1 Apr 2021 08:18:07 +0200
Subject: [PATCH] CVE-2021-23336: Add `separator` argument to parse_qs; warn
@ -21,15 +21,13 @@ Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
---
Doc/library/cgi.rst | 2 +-
Doc/library/urllib.parse.rst | 12 +-
Lib/cgi.py | 4 +-
Lib/test/test_cgi.py | 29 +++
Lib/test/test_urlparse.py | 232 +++++++++++++++++-
Lib/urllib/parse.py | 77 +++++-
.../2021-02-14-15-59-16.bpo-42967.YApqDS.rst | 1 +
7 files changed, 340 insertions(+), 17 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
Doc/library/cgi.rst | 2 +-
Doc/library/urllib.parse.rst | 12 +-
Lib/cgi.py | 4 +-
Lib/test/test_cgi.py | 29 +++++
Lib/test/test_urlparse.py | 232 ++++++++++++++++++++++++++++++++++-
Lib/urllib/parse.py | 78 +++++++++++-
6 files changed, 339 insertions(+), 18 deletions(-)
diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
index 880074b..d8a6dc1 100644
@ -45,7 +43,7 @@ index 880074b..d8a6dc1 100644
Parse a query in the environment or from a file (the file defaults to
``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are
diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
index fcad707..9bcef69 100644
index a6cfc5d..85b2448 100644
--- a/Doc/library/urllib.parse.rst
+++ b/Doc/library/urllib.parse.rst
@@ -165,7 +165,7 @@ or on combining URL components into a URL string.
@ -144,7 +142,7 @@ index 4e1506a..49b6926 100644
# test dict interface
self.assertEqual(len(expect), len(fs))
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 90c8d69..90349ee 100644
index 0f99130..4e0d7e5 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -2,6 +2,11 @@ import sys
@ -294,7 +292,7 @@ index 90c8d69..90349ee 100644
def test_roundtrips(self):
str_cases = [
('file:///tmp/junk.txt',
@@ -871,8 +961,8 @@ class UrlParseTestCase(unittest.TestCase):
@@ -919,8 +1009,8 @@ class UrlParseTestCase(unittest.TestCase):
def test_parse_qsl_max_num_fields(self):
with self.assertRaises(ValueError):
@ -305,8 +303,8 @@ index 90c8d69..90349ee 100644
def test_parse_qs_separator(self):
parse_qs_semicolon_cases = [
@@ -912,6 +1002,136 @@ class UrlParseTestCase(unittest.TestCase):
self.assertEqual(result, expect, "Error parsing %r" % orig)
@@ -964,6 +1054,136 @@ class UrlParseTestCase(unittest.TestCase):
self.assertEqual(result_bytes, expect, "Error parsing %r" % orig)
+ @contextlib.contextmanager
@ -443,7 +441,7 @@ index 90c8d69..90349ee 100644
# Other tests incidentally urlencode things; test non-covered cases:
# Sequence and object values.
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 0c1c94f..83638bb 100644
index f0d9d4d..70fc268 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -28,6 +28,7 @@ test_urlparse.py provides a good indicator of parsing behavior.
@ -454,7 +452,7 @@ index 0c1c94f..83638bb 100644
import sys
import collections
import warnings
@@ -650,7 +651,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
@@ -660,7 +661,7 @@ def unquote(string, encoding='utf-8', errors='replace'):
def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
@ -463,7 +461,7 @@ index 0c1c94f..83638bb 100644
"""Parse a query given as a string argument.
Arguments:
@@ -690,9 +691,16 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
@@ -700,9 +701,16 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False,
parsed_result[name] = [value]
return parsed_result
@ -481,9 +479,11 @@ index 0c1c94f..83638bb 100644
"""Parse a query given as a string argument.
Arguments:
@@ -722,18 +730,77 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
@@ -731,20 +739,78 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False,
Returns a list, as G-d intended.
"""
qs, _coerce_result = _coerce_args(qs)
- separator, _ = _coerce_args(separator)
- if not separator or (not isinstance(separator, (str, bytes))):
+ if isinstance(separator, bytes):
@ -562,13 +562,6 @@ index 0c1c94f..83638bb 100644
r = []
for name_value in pairs:
if not name_value and not strict_parsing:
diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
new file mode 100644
index 0000000..bc82c96
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst
@@ -0,0 +1 @@
+Make it possible to fix web cache poisoning vulnerability by allowing the user to choose a custom separator query args.
--
2.30.2
2.31.1

100
SOURCES/00360-CVE-2021-3426.patch
View File

@ -1,100 +0,0 @@
From 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 29 Mar 2021 06:02:40 -0700
Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
---
Lib/pydoc.py | 18 ------------------
Lib/test/test_pydoc.py | 6 ------
.../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++
3 files changed, 4 insertions(+), 24 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
diff --git a/Lib/pydoc.py b/Lib/pydoc.py
index dc3377d68f8caa..afec613dd85a06 100644
--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
@@ -2364,9 +2364,6 @@ def page(self, title, contents):
%s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
</body></html>''' % (title, css_link, html_navbar(), contents)
- def filelink(self, url, path):
- return '<a href="getfile?key=%s">%s</a>' % (url, path)
-
html = _HTMLDoc()
@@ -2452,19 +2449,6 @@ def bltinlink(name):
'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
return 'Search Results', contents
- def html_getfile(path):
- """Get and display a source file listing safely."""
- path = urllib.parse.unquote(path)
- with tokenize.open(path) as fp:
- lines = html.escape(fp.read())
- body = '<pre>%s</pre>' % lines
- heading = html.heading(
- '<big><big><strong>File Listing</strong></big></big>',
- '#ffffff', '#7799ee')
- contents = heading + html.bigsection(
- 'File: %s' % path, '#ffffff', '#ee77aa', body)
- return 'getfile %s' % path, contents
-
def html_topics():
"""Index of topic texts available."""
@@ -2556,8 +2540,6 @@ def get_html_page(url):
op, _, url = url.partition('=')
if op == "search?key":
title, content = html_search(url)
- elif op == "getfile?key":
- title, content = html_getfile(url)
elif op == "topic?key":
# try topics first, then objects.
try:
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
index c80477c50f0980..72ed8a93b712b0 100644
--- a/Lib/test/test_pydoc.py
+++ b/Lib/test/test_pydoc.py
@@ -1360,18 +1360,12 @@ def test_url_requests(self):
("topic?key=def", "Pydoc: KEYWORD def"),
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
("foobar", "Pydoc: Error - foobar"),
- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
]
with self.restrict_walk_packages():
for url, title in requests:
self.call_url_handler(url, title)
- path = string.__file__
- title = "Pydoc: getfile " + path
- url = "getfile?key=" + path
- self.call_url_handler(url, title)
-
class TestHelper(unittest.TestCase):
def test_keywords(self):
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
new file mode 100644
index 00000000000000..4b42dd05305a83
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schwörer.

62
SOURCES/00365-CVE-2021-29921.patch
View File

@ -1,62 +0,0 @@
diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
index 2cdfddb..d464d2a 100644
--- a/Doc/library/ipaddress.rst
+++ b/Doc/library/ipaddress.rst
@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are
1. A string in decimal-dot notation, consisting of four decimal integers in
the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
integer represents an octet (byte) in the address. Leading zeroes are
- tolerated only for values less than 8 (as there is no ambiguity
- between the decimal and octal interpretations of such strings).
+ not tolerated to prevent confusion with octal notation.
2. An integer that fits into 32 bits.
3. An integer packed into a :class:`bytes` object of length 4 (most
significant octet first).
diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
index 28b7b61..d351f07 100644
--- a/Lib/ipaddress.py
+++ b/Lib/ipaddress.py
@@ -1173,6 +1173,11 @@ class _BaseV4:
if len(octet_str) > 3:
msg = "At most 3 characters permitted in %r"
raise ValueError(msg % octet_str)
+ # Handle leading zeros as strict as glibc's inet_pton()
+ # See security bug bpo-36384
+ if octet_str != '0' and octet_str[0] == '0':
+ msg = "Leading zeros are not permitted in %r"
+ raise ValueError(msg % octet_str)
# Convert to integer (we know digits are legal)
octet_int = int(octet_str, 10)
if octet_int > 255:
diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
index 2f1c5b6..1297b83 100644
--- a/Lib/test/test_ipaddress.py
+++ b/Lib/test/test_ipaddress.py
@@ -97,10 +97,23 @@ class CommonTestMixin:
class CommonTestMixin_v4(CommonTestMixin):
def test_leading_zeros(self):
- self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
- self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
- self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
- self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
+ # bpo-36384: no leading zeros to avoid ambiguity with octal notation
+ msg = "Leading zeros are not permitted in '\d+'"
+ addresses = [
+ "000.000.000.000",
+ "192.168.000.001",
+ "016.016.016.016",
+ "192.168.000.001",
+ "001.000.008.016",
+ "01.2.3.40",
+ "1.02.3.40",
+ "1.2.03.40",
+ "1.2.3.040",
+ ]
+ for address in addresses:
+ with self.subTest(address=address):
+ with self.assertAddressError(msg):
+ self.factory(address)
def test_int(self):
self.assertInstancesEqual(0, "0.0.0.0")

31
SPECS/python38.spec
View File

@ -13,11 +13,11 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
%global general_version %{pybasever}.8
%global general_version %{pybasever}.12
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 4%{?dist}
Release: 1%{?dist}
License: Python
# Exclude i686 arch. Due to a modularity issue it's being added to the
@ -357,18 +357,6 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
Patch359: 00359-CVE-2021-23336.patch
# 00360 #
# CVE-2021-3426: information disclosure via pydoc
# Upstream: https://bugs.python.org/issue42988
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
Patch360: 00360-CVE-2021-3426.patch
# 00365 #
# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module
# Upstream: https://bugs.python.org/issue36384
# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458
Patch365: 00365-CVE-2021-29921.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -661,8 +649,8 @@ The debug runtime additionally supports debug builds of C-API extensions
Requires: python38-setuptools-wheel
Requires: python38-pip-wheel
%else
Provides: bundled(python38-pip) = 19.2.3
Provides: bundled(python38-setuptools) = 41.2.0
Provides: bundled(python38-pip) = 21.1.1
Provides: bundled(python38-setuptools) = 56.0.0
%endif
# The description for the flat package
@ -725,8 +713,6 @@ rm Lib/ensurepip/_bundled/*.whl
%patch329 -p1
%patch353 -p1
%patch359 -p1
%patch360 -p1
%patch365 -p1
# Remove files that should be generated by the build
# (This is after patching, so that we can use patches directly from upstream)
@ -1815,6 +1801,15 @@ fi
# ======================================================
%changelog
* Wed Sep 15 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.12-1
- Update to 3.8.12
Resolves: rhbz#2004587
* Tue Sep 07 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.11-1
- Update to 3.8.11
- Fix for CVE-2021-3733 and CVE-2021-3737
Resolves: rhbz#1995234, rhbz#1995162
* Mon Aug 02 2021 Tomas Orsava <torsava@redhat.com> - 3.8.8-4
- Adjusted the postun scriptlets to enable upgrading to RHEL 9
- Resolves: rhbz#1933055