import python38-3.8.13-1.module+el8.7.0+15641+2ece4388
This commit is contained in:
parent
3197658843
commit
c6ab7bd6a7
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/Python-3.8.12-noexe.tar.xz
|
||||
SOURCES/Python-3.8.13-noexe.tar.xz
|
||||
|
@ -1 +1 @@
|
||||
d6a093ce67cb3c7b43a75c1925b8823e571a8311 SOURCES/Python-3.8.12-noexe.tar.xz
|
||||
b1558d21c10c88078e11d74168b06ae8a49df19f SOURCES/Python-3.8.13-noexe.tar.xz
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 7558ea14881f9afdf622375b5140b209c0c2f84d Mon Sep 17 00:00:00 2001
|
||||
From ff07393a8c9c3d69090a775a8d4b89a3019f71a9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
|
||||
Date: Wed, 15 Aug 2018 15:36:29 +0200
|
||||
Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
|
||||
@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels
|
||||
Downstream only: upstream bundles
|
||||
We might eventually pursuit upstream support, but it's low prio
|
||||
---
|
||||
Lib/ensurepip/__init__.py | 33 +++++++++++++++++++++++----------
|
||||
1 file changed, 23 insertions(+), 10 deletions(-)
|
||||
Lib/ensurepip/__init__.py | 36 ++++++++++++++++++++++++++----------
|
||||
1 file changed, 26 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
|
||||
index 597a1ef..3c2287f 100644
|
||||
index b291e9a..798d0f4 100644
|
||||
--- a/Lib/ensurepip/__init__.py
|
||||
+++ b/Lib/ensurepip/__init__.py
|
||||
@@ -1,6 +1,7 @@
|
||||
@ -24,14 +24,15 @@ index 597a1ef..3c2287f 100644
|
||||
import sys
|
||||
import runpy
|
||||
import tempfile
|
||||
@@ -9,9 +10,24 @@ import subprocess
|
||||
@@ -9,8 +10,26 @@ import subprocess
|
||||
|
||||
__all__ = ["version", "bootstrap"]
|
||||
|
||||
_PACKAGE_NAMES = ('setuptools', 'pip')
|
||||
-_SETUPTOOLS_VERSION = "56.0.0"
|
||||
-_PIP_VERSION = "22.0.4"
|
||||
+
|
||||
+_WHEEL_DIR = "/usr/share/python38-wheels/"
|
||||
|
||||
-_PIP_VERSION = "21.1.1"
|
||||
+
|
||||
+_wheels = {}
|
||||
+
|
||||
+def _get_most_recent_wheel_version(pkg):
|
||||
@ -48,10 +49,11 @@ index 597a1ef..3c2287f 100644
|
||||
+_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools")
|
||||
+
|
||||
+_PIP_VERSION = _get_most_recent_wheel_version("pip")
|
||||
|
||||
+
|
||||
_PROJECTS = [
|
||||
("setuptools", _SETUPTOOLS_VERSION, "py3"),
|
||||
@@ -101,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
|
||||
("pip", _PIP_VERSION, "py3"),
|
||||
@@ -99,13 +118,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
|
||||
# additional paths that need added to sys.path
|
||||
additional_paths = []
|
||||
for project, version, py_tag in _PROJECTS:
|
||||
@ -70,5 +72,5 @@ index 597a1ef..3c2287f 100644
|
||||
additional_paths.append(os.path.join(tmpdir, wheel_name))
|
||||
|
||||
--
|
||||
2.31.1
|
||||
2.35.3
|
||||
|
||||
|
36
SOURCES/00378-support-expat-2-4-5.patch
Normal file
36
SOURCES/00378-support-expat-2-4-5.patch
Normal file
@ -0,0 +1,36 @@
|
||||
diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
|
||||
index 06c9107..6c3f5a8 100644
|
||||
--- a/Lib/test/test_minidom.py
|
||||
+++ b/Lib/test/test_minidom.py
|
||||
@@ -1149,14 +1149,11 @@ class MinidomTest(unittest.TestCase):
|
||||
|
||||
# Verify that character decoding errors raise exceptions instead
|
||||
# of crashing
|
||||
- if pyexpat.version_info >= (2, 4, 5):
|
||||
- self.assertRaises(ExpatError, parseString,
|
||||
- b'<fran\xe7ais></fran\xe7ais>')
|
||||
- self.assertRaises(ExpatError, parseString,
|
||||
- b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
|
||||
- else:
|
||||
- self.assertRaises(UnicodeDecodeError, parseString,
|
||||
- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
|
||||
+
|
||||
+ self.assertRaises(ExpatError, parseString,
|
||||
+ b'<fran\xe7ais></fran\xe7ais>')
|
||||
+ self.assertRaises(ExpatError, parseString,
|
||||
+ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
|
||||
|
||||
doc.unlink()
|
||||
|
||||
@@ -1601,10 +1598,7 @@ class MinidomTest(unittest.TestCase):
|
||||
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
|
||||
|
||||
def testExceptionOnSpacesInXMLNSValue(self):
|
||||
- if pyexpat.version_info >= (2, 4, 5):
|
||||
- context = self.assertRaisesRegex(ExpatError, 'syntax error')
|
||||
- else:
|
||||
- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
|
||||
+ context = self.assertRaisesRegex(ExpatError, 'syntax error')
|
||||
|
||||
with context:
|
||||
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
|
150
SOURCES/00382-cve-2015-20107.patch
Normal file
150
SOURCES/00382-cve-2015-20107.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Fri, 3 Jun 2022 11:43:35 +0200
|
||||
Subject: [PATCH] 00382: CVE-2015-20107
|
||||
|
||||
Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
|
||||
|
||||
Upstream: https://github.com/python/cpython/issues/68966
|
||||
|
||||
Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
---
|
||||
Doc/library/mailcap.rst | 12 +++++++++
|
||||
Lib/mailcap.py | 26 +++++++++++++++++--
|
||||
Lib/test/test_mailcap.py | 8 ++++--
|
||||
...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
|
||||
4 files changed, 46 insertions(+), 4 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
|
||||
diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
|
||||
index bf9639bdac..a75857be62 100644
|
||||
--- a/Doc/library/mailcap.rst
|
||||
+++ b/Doc/library/mailcap.rst
|
||||
@@ -54,6 +54,18 @@ standard. However, mailcap files are supported on most Unix systems.
|
||||
use) to determine whether or not the mailcap line applies. :func:`findmatch`
|
||||
will automatically check such conditions and skip the entry if the check fails.
|
||||
|
||||
+ .. versionchanged:: 3.11
|
||||
+
|
||||
+ To prevent security issues with shell metacharacters (symbols that have
|
||||
+ special effects in a shell command line), ``findmatch`` will refuse
|
||||
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
|
||||
+ into the returned command line.
|
||||
+
|
||||
+ If a disallowed character appears in *filename*, ``findmatch`` will always
|
||||
+ return ``(None, None)`` as if no entry was found.
|
||||
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
|
||||
+ ``findmatch`` will ignore all mailcap entries which use that value.
|
||||
+ A :mod:`warning <warnings>` will be raised in either case.
|
||||
|
||||
.. function:: getcaps()
|
||||
|
||||
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
|
||||
index bd0fc0981c..dcd4b449e8 100644
|
||||
--- a/Lib/mailcap.py
|
||||
+++ b/Lib/mailcap.py
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
import os
|
||||
import warnings
|
||||
+import re
|
||||
|
||||
__all__ = ["getcaps","findmatch"]
|
||||
|
||||
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
|
||||
else:
|
||||
return 1, 0
|
||||
|
||||
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
|
||||
+
|
||||
+class UnsafeMailcapInput(Warning):
|
||||
+ """Warning raised when refusing unsafe input"""
|
||||
+
|
||||
|
||||
# Part 1: top-level interface.
|
||||
|
||||
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
|
||||
entry to use.
|
||||
|
||||
"""
|
||||
+ if _find_unsafe(filename):
|
||||
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None, None
|
||||
entries = lookup(caps, MIMEtype, key)
|
||||
# XXX This code should somehow check for the needsterminal flag.
|
||||
for e in entries:
|
||||
if 'test' in e:
|
||||
test = subst(e['test'], filename, plist)
|
||||
+ if test is None:
|
||||
+ continue
|
||||
if test and os.system(test) != 0:
|
||||
continue
|
||||
command = subst(e[key], MIMEtype, filename, plist)
|
||||
- return command, e
|
||||
+ if command is not None:
|
||||
+ return command, e
|
||||
return None, None
|
||||
|
||||
def lookup(caps, MIMEtype, key=None):
|
||||
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
|
||||
elif c == 's':
|
||||
res = res + filename
|
||||
elif c == 't':
|
||||
+ if _find_unsafe(MIMEtype):
|
||||
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None
|
||||
res = res + MIMEtype
|
||||
elif c == '{':
|
||||
start = i
|
||||
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
|
||||
i = i+1
|
||||
name = field[start:i]
|
||||
i = i+1
|
||||
- res = res + findparam(name, plist)
|
||||
+ param = findparam(name, plist)
|
||||
+ if _find_unsafe(param):
|
||||
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None
|
||||
+ res = res + param
|
||||
# XXX To do:
|
||||
# %n == number of parts if type is multipart/*
|
||||
# %F == list of alternating type and filename for parts
|
||||
diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
|
||||
index c08423c670..920283d9a2 100644
|
||||
--- a/Lib/test/test_mailcap.py
|
||||
+++ b/Lib/test/test_mailcap.py
|
||||
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
|
||||
(["", "audio/*", "foo.txt"], ""),
|
||||
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
|
||||
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
|
||||
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
|
||||
+ (["echo %t", "audio/*", "foo.txt"], None),
|
||||
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
|
||||
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
|
||||
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
|
||||
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
|
||||
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
|
||||
('"An audio fragment"', audio_basic_entry)),
|
||||
([c, "audio/*"],
|
||||
{"filename": fname},
|
||||
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
|
||||
+ (None, None)),
|
||||
+ ([c, "audio/wav"],
|
||||
+ {"filename": fname},
|
||||
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
|
||||
([c, "message/external-body"],
|
||||
{"plist": plist},
|
||||
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
|
||||
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
new file mode 100644
|
||||
index 0000000000..da81a1f699
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
@@ -0,0 +1,4 @@
|
||||
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
|
||||
+MIME types, parameters) into shell commands. Instead of using such text, it
|
||||
+will warn and act as if a match was not found (or for test commands, as if
|
||||
+the test failed).
|
@ -13,7 +13,7 @@ URL: https://www.python.org/
|
||||
|
||||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
%global general_version %{pybasever}.12
|
||||
%global general_version %{pybasever}.13
|
||||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
@ -357,6 +357,41 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
|
||||
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
|
||||
Patch359: 00359-CVE-2021-23336.patch
|
||||
|
||||
# 00378 #
|
||||
# Support expat 2.4.5
|
||||
#
|
||||
# Curly brackets were never allowed in namespace URIs
|
||||
# according to RFC 3986, and so-called namespace-validating
|
||||
# XML parsers have the right to reject them a invalid URIs.
|
||||
#
|
||||
# libexpat >=2.4.5 has become strcter in that regard due to
|
||||
# related security issues; with ET.XML instantiating a
|
||||
# namespace-aware parser under the hood, this test has no
|
||||
# future in CPython.
|
||||
#
|
||||
# References:
|
||||
# - https://datatracker.ietf.org/doc/html/rfc3968
|
||||
# - https://www.w3.org/TR/xml-names/
|
||||
#
|
||||
# Also, test_minidom.py: Support Expat >=2.4.5
|
||||
#
|
||||
# The patch has diverged from upstream as the python test
|
||||
# suite was relying on checking the expat version, whereas
|
||||
# in RHEL fixes get backported instead of rebasing packages.
|
||||
#
|
||||
# Upstream: https://bugs.python.org/issue46811
|
||||
Patch378: 00378-support-expat-2-4-5.patch
|
||||
|
||||
# 00382 #
|
||||
# CVE-2015-20107
|
||||
#
|
||||
# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
|
||||
#
|
||||
# Upstream: https://github.com/python/cpython/issues/68966
|
||||
#
|
||||
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
Patch382: 00382-cve-2015-20107.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
@ -713,6 +748,8 @@ rm Lib/ensurepip/_bundled/*.whl
|
||||
%patch329 -p1
|
||||
%patch353 -p1
|
||||
%patch359 -p1
|
||||
%patch378 -p1
|
||||
%patch382 -p1
|
||||
|
||||
# Remove files that should be generated by the build
|
||||
# (This is after patching, so that we can use patches directly from upstream)
|
||||
@ -1801,6 +1838,12 @@ fi
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Tue Jun 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.8.13-1
|
||||
- Rebase to 3.8.13
|
||||
- Security fix for CVE-2015-20107
|
||||
- Fix the test suite support for Expat >= 2.4.5
|
||||
Resolves: rhbz#2075390
|
||||
|
||||
* Wed Sep 15 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.12-1
|
||||
- Update to 3.8.12
|
||||
Resolves: rhbz#2004587
|
||||
|
Loading…
Reference in New Issue
Block a user