From 074f26a5d9bcc6c0e8131009ec6ebb1830e3debd Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 18 Dec 2025 01:23:43 +0000 Subject: [PATCH] import UBI python39-3.9.25-2.module+el8.10.0+23718+1842ae33 --- .gitignore | 2 +- .python39.metadata | 2 +- SOURCES/00001-rpath.patch | 5 +- SOURCES/00111-no-static-lib.patch | 2 +- SOURCES/00189-use-rpm-wheels.patch | 6 +- .../00251-change-user-install-location.patch | 2 +- ...chitecture-names-upstream-downstream.patch | 2 +- SOURCES/00397-tarfile-filter.patch | 28 +-- SOURCES/00414-skip_test_zlib_s390x.patch | 88 ------- ...d-cflags-for-dtrace-systemtap-builds.patch | 51 +++++ SOURCES/00467-CVE-2025-8194.patch | 215 ------------------ SOURCES/Python-3.9.20.tar.xz.asc | 16 -- SOURCES/Python-3.9.25.tar.xz.asc | 16 ++ SPECS/python39.spec | 55 +++-- 14 files changed, 129 insertions(+), 361 deletions(-) delete mode 100644 SOURCES/00414-skip_test_zlib_s390x.patch create mode 100644 SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch delete mode 100644 SOURCES/00467-CVE-2025-8194.patch delete mode 100644 SOURCES/Python-3.9.20.tar.xz.asc create mode 100644 SOURCES/Python-3.9.25.tar.xz.asc diff --git a/.gitignore b/.gitignore index 93e245f..e45d6ba 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.9.20.tar.xz +SOURCES/Python-3.9.25.tar.xz diff --git a/.python39.metadata b/.python39.metadata index c380e1b..3b7f785 100644 --- a/.python39.metadata +++ b/.python39.metadata @@ -1 +1 @@ -52902dd820d2d41c47ef927ecebb24a96a51cc4b SOURCES/Python-3.9.20.tar.xz +36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz diff --git a/SOURCES/00001-rpath.patch b/SOURCES/00001-rpath.patch index 170908e..7cd925f 100644 --- a/SOURCES/00001-rpath.patch +++ b/SOURCES/00001-rpath.patch @@ -1,9 +1,10 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: David Malcolm Date: Wed, 13 Jan 2010 21:25:18 +0000 -Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard - library path from rpath Was Patch0 in ivazquez' python3000 specfile +Subject: 00001: Fixup distutils/unixccompiler.py to remove standard library + path from rpath +Was Patch0 in ivazquez' python3000 specfile --- Lib/distutils/unixccompiler.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SOURCES/00111-no-static-lib.patch b/SOURCES/00111-no-static-lib.patch index 6cf3020..82e9dea 100644 --- a/SOURCES/00111-no-static-lib.patch +++ b/SOURCES/00111-no-static-lib.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Mon, 18 Jan 2010 17:59:07 +0000 -Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a +Subject: 00111: Don't try to build a libpythonMAJOR.MINOR.a MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch index 6a5f923..2948876 100644 --- a/SOURCES/00189-use-rpm-wheels.patch +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -1,7 +1,7 @@ From 2c91575950d4de95d308e30cc4ab20d032b1aceb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 15 Aug 2018 15:36:29 +0200 -Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels +Subject: 00189: Instead of bundled wheels, use our RPM packaged wheels We keep them in /usr/share/python-wheels @@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py -index e510cc7..8de2e55 100644 +index d61bb089e3..77d7ec5a65 100644 --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py @@ -1,3 +1,5 @@ 
@@ -30,7 +30,7 @@ index e510cc7..8de2e55 100644 __all__ = ["version", "bootstrap"] --_SETUPTOOLS_VERSION = "58.1.0" +-_SETUPTOOLS_VERSION = "79.0.1" -_PIP_VERSION = "23.0.1" + +_WHEEL_DIR = "/usr/share/python39-wheels/" diff --git a/SOURCES/00251-change-user-install-location.patch b/SOURCES/00251-change-user-install-location.patch index 57b71bf..4e7c8b8 100644 --- a/SOURCES/00251-change-user-install-location.patch +++ b/SOURCES/00251-change-user-install-location.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Michal Cyprian Date: Mon, 26 Jun 2017 16:32:56 +0200 -Subject: [PATCH] 00251: Change user install location +Subject: 00251: Change user install location Set values of prefix and exec_prefix in distutils install command to /usr/local if executable is /usr/bin/python* and RPM build diff --git a/SOURCES/00353-architecture-names-upstream-downstream.patch b/SOURCES/00353-architecture-names-upstream-downstream.patch index cc531b9..df8e4ab 100644 --- a/SOURCES/00353-architecture-names-upstream-downstream.patch +++ b/SOURCES/00353-architecture-names-upstream-downstream.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 4 Aug 2020 12:04:03 +0200 -Subject: [PATCH] 00353: Original names for architectures with different names +Subject: 00353: Original names for architectures with different names downstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/SOURCES/00397-tarfile-filter.patch b/SOURCES/00397-tarfile-filter.patch index 3851cb6..fd984b6 100644 --- a/SOURCES/00397-tarfile-filter.patch +++ b/SOURCES/00397-tarfile-filter.patch @@ -1,8 +1,8 @@ -From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001 +From fc3e5ff91495aaf9905bd38ac61db0c3279d17e0 Mon Sep 17 00:00:00 2001 
From: Petr Viktorin -Date: Mon, 6 Mar 2023 17:24:24 +0100 -Subject: [PATCH 2/2] CVE-2007-4559, PEP-706: Add filters for tarfile - extraction (downstream) +Date: Fri, 21 Nov 2025 14:30:02 +0100 +Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction + (downstream) Add and test RHEL-specific ways of configuring the default behavior: environment variable and config file. @@ -13,7 +13,7 @@ variable and config file. 3 files changed, 169 insertions(+), 4 deletions(-) diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index b6ad7dbe2a4..dc7050b2c63 100755 +index 209c206..fa3f922 100755 --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError", @@ -30,7 +30,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755 #--------------------------------------------------------- # tar constants -@@ -2197,6 +2204,41 @@ class TarFile(object): +@@ -2253,6 +2260,41 @@ class TarFile(object): if filter is None: filter = self.extraction_filter if filter is None: @@ -73,7 +73,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755 if isinstance(filter, str): raise TypeError( diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py -index 9041e7aa368..1eb1116cc10 100644 +index 9041e7a..1eb1116 100644 --- a/Lib/test/test_shutil.py +++ b/Lib/test/test_shutil.py @@ -1613,7 +1613,8 @@ class TestArchives(BaseTest, unittest.TestCase): @@ -87,10 +87,10 @@ index 9041e7aa368..1eb1116cc10 100644 def test_unpack_archive_tar(self): diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py -index a66f7efd2d6..6fd3c384b5c 100644 +index 17d2239..8b9aea2 100644 --- a/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py -@@ -2,7 +2,7 @@ import sys +@@ -3,7 +3,7 @@ import sys import os import io from hashlib import sha256 
@@ -99,7 +99,7 @@ index a66f7efd2d6..6fd3c384b5c 100644 from random import Random import pathlib import shutil -@@ -2929,7 +2929,11 @@ class NoneInfoExtractTests(ReadTest): +@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest): tar = tarfile.open(tarname, mode='r', encoding="iso8859-1") cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl" tar.errorlevel = 0 @@ -112,7 +112,7 @@ index a66f7efd2d6..6fd3c384b5c 100644 tar.close() cls.control_paths = set( p.relative_to(cls.control_dir) -@@ -3592,7 +3596,8 @@ class TestExtractionFilters(unittest.TestCase): +@@ -4065,7 +4069,8 @@ class TestExtractionFilters(unittest.TestCase): """Ensure the default filter does not warn (like in 3.12)""" with ArchiveMaker() as arc: arc.add('foo') @@ -122,8 +122,8 @@ index a66f7efd2d6..6fd3c384b5c 100644 with self.check_context(arc.open(), None): self.expect_file('foo') -@@ -3762,6 +3767,123 @@ class TestExtractionFilters(unittest.TestCase): - self.expect_exception(TypeError) # errorlevel is not int +@@ -4390,6 +4395,123 @@ class OffsetValidationTests(unittest.TestCase): + self.assertEqual(members[0].offset, expected_offset) + @contextmanager @@ -247,5 +247,5 @@ index a66f7efd2d6..6fd3c384b5c 100644 support.unlink(TEMPDIR) os.makedirs(TEMPDIR) -- -2.40.1 +2.51.1 diff --git a/SOURCES/00414-skip_test_zlib_s390x.patch b/SOURCES/00414-skip_test_zlib_s390x.patch deleted file mode 100644 index 71ef926..0000000 --- a/SOURCES/00414-skip_test_zlib_s390x.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From f253f1e7e8283b876d40af385d5729646f2c18b6 Mon Sep 17 00:00:00 2001 -From: Victor Stinner -Date: Wed, 17 Jan 2024 14:53:23 +0100 -Subject: [PATCH] bpo-46623: Skip two test_zlib tests on s390x (GH-31096) - -Skip test_pair() and test_speech128() of test_zlib on s390x since -they fail if zlib uses the s390x hardware accelerator. ---- - Lib/test/test_zlib.py | 32 +++++++++++++++++++ - .../2022-02-03-09-45-26.bpo-46623.vxzuhV.rst | 2 ++ - 2 files changed, 34 insertions(+) - create mode 100644 Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst - -diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py -index aa7943f..8945b10 100644 ---- a/Lib/test/test_zlib.py -+++ b/Lib/test/test_zlib.py -@@ -2,6 +2,7 @@ import unittest - from test import support - import binascii - import copy -+import os - import pickle - import random - import sys -@@ -16,6 +17,35 @@ requires_Decompress_copy = unittest.skipUnless( - hasattr(zlib.decompressobj(), "copy"), - 'requires Decompress.copy()') - -+# bpo-46623: On s390x, when a hardware accelerator is used, using different -+# ways to compress data with zlib can produce different compressed data. -+# Simplified test_pair() code: -+# -+# def func1(data): -+# return zlib.compress(data) -+# -+# def func2(data) -+# co = zlib.compressobj() -+# x1 = co.compress(data) -+# x2 = co.flush() -+# return x1 + x2 -+# -+# On s390x if zlib uses a hardware accelerator, func1() creates a single -+# "final" compressed block whereas func2() produces 3 compressed blocks (the -+# last one is a final block). On other platforms with no accelerator, func1() -+# and func2() produce the same compressed data made of a single (final) -+# compressed block. -+# -+# Only the compressed data is different, the decompression returns the original -+# data: -+# -+# zlib.decompress(func1(data)) == zlib.decompress(func2(data)) == data -+# -+# Make the assumption that s390x always has an accelerator to simplify the skip -+# condition. 
Windows doesn't have os.uname() but it doesn't support s390x. -+skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x', -+ 'skipped on s390x') -+ - def _zlib_runtime_version_tuple(zlib_version=zlib.ZLIB_RUNTIME_VERSION): - # Register "1.2.3" as "1.2.3.0" - # or "1.2.0-linux","1.2.0.f","1.2.0.f-linux" -@@ -187,6 +217,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase): - bufsize=zlib.DEF_BUF_SIZE), - HAMLET_SCENE) - -+ @skip_on_s390x - def test_speech128(self): - # compress more data - data = HAMLET_SCENE * 128 -@@ -238,6 +269,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase): - - class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase): - # Test compression object -+ @skip_on_s390x - def test_pair(self): - # straightforward compress/decompress objects - datasrc = HAMLET_SCENE * 128 -diff --git a/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst -new file mode 100644 -index 0000000..be085c0 ---- /dev/null -+++ b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst -@@ -0,0 +1,2 @@ -+Skip test_pair() and test_speech128() of test_zlib on s390x since they fail -+if zlib uses the s390x hardware accelerator. Patch by Victor Stinner. --- -2.46.0 - diff --git a/SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch b/SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch new file mode 100644 index 0000000..a8e849e --- /dev/null +++ b/SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch 
@@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 31 Mar 2025 20:29:04 +0200 +Subject: 00452: Properly apply exported CFLAGS for dtrace/systemtap builds + +When using --with-dtrace the resulting object file could be missing +specific CFLAGS exported by the build system due to the systemtap +script using specific defaults. + +Exporting the CC and CFLAGS variables before the dtrace invocation +allows us to properly apply CFLAGS exported by the build system +even when cross-compiling. + +Co-authored-by: stratakis +--- + Makefile.pre.in | 4 ++-- + .../next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst | 2 ++ + 2 files changed, 4 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst + +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 568018827b..b401724d92 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -989,7 +989,7 @@ Python/frozen.o: $(srcdir)/Python/importlib.h $(srcdir)/Python/importlib_externa + # an include guard, so we can't use a pipeline to transform its output. 
+ Include/pydtrace_probes.h: $(srcdir)/Include/pydtrace.d + $(MKDIR_P) Include +- $(DTRACE) $(DFLAGS) -o $@ -h -s $< ++ CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -h -s $< + : sed in-place edit with POSIX-only tools + sed 's/PYTHON_/PyDTrace_/' $@ > $@.tmp + mv $@.tmp $@ +@@ -999,7 +999,7 @@ Python/import.o: $(srcdir)/Include/pydtrace.h + Modules/gcmodule.o: $(srcdir)/Include/pydtrace.h + + Python/pydtrace.o: $(srcdir)/Include/pydtrace.d $(DTRACE_DEPS) +- $(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS) ++ CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS) + + Objects/typeobject.o: Objects/typeslots.inc + +diff --git a/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst +new file mode 100644 +index 0000000000..a287e0b228 +--- /dev/null ++++ b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst +@@ -0,0 +1,2 @@ ++The DTrace build now properly passes the ``CC`` and ``CFLAGS`` variables ++to the ``dtrace`` command when utilizing SystemTap on Linux. diff --git a/SOURCES/00467-CVE-2025-8194.patch b/SOURCES/00467-CVE-2025-8194.patch deleted file mode 100644 index 01159f6..0000000 --- a/SOURCES/00467-CVE-2025-8194.patch +++ /dev/null 
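Review bot: In both changed recipe lines of `Makefile.pre.in` (the `-h` header rule and the `Python/pydtrace.o` rule), `CC="$(CC)" CFLAGS="$(CFLAGS)"` is expanded by make and then re-parsed by the shell, so a flag value containing a double quote, a backtick or a `$` would be split or evaluated rather than passed through unchanged. The flag sets a distribution build exports are unlikely to trigger this, but the assumption deserves a comment next to the recipes, e.g. `# CC/CFLAGS are pasted into a double-quoted shell assignment; values must not contain ", $ or backquotes`. The point of the patch is that `pydtrace.o` now gets the exported flags (presumably including the distribution's hardening flags) like every other object. Nothing in this commit checks that outcome, so a post-build check of that object would be a useful follow-up.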
@@ -1,215 +0,0 @@ -From eda136637fc7f056b403e1797a9b0403d6914d9e Mon Sep 17 00:00:00 2001 -From: Alexander Urieles -Date: Tue, 19 Aug 2025 12:18:15 +0200 -Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member - offsets are non-negative (GH-137027) - -Co-authored-by: Gregory P. Smith -(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38) ---- - Lib/tarfile.py | 3 + - Lib/test/test_tarfile.py | 156 ++++++++++++++++++ - ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 + - 3 files changed, 162 insertions(+) - create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst - -diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index 21ffd83..fa3f922 100755 ---- a/Lib/tarfile.py -+++ b/Lib/tarfile.py -@@ -1609,6 +1609,9 @@ class TarInfo(object): - """Round up a byte count by BLOCKSIZE and return it, - e.g. _block(834) => 1024. - """ -+ # Only non-negative offsets are allowed -+ if count < 0: -+ raise InvalidHeaderError("invalid offset") - blocks, remainder = divmod(count, BLOCKSIZE) - if remainder: - blocks += 1 -diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py -index 29f65d0..0bba25a 100644 ---- a/Lib/test/test_tarfile.py -+++ b/Lib/test/test_tarfile.py -@@ -48,6 +48,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2") - xzname = os.path.join(TEMPDIR, "testtar.tar.xz") - tmpname = os.path.join(TEMPDIR, "tmp.tar") - dotlessname = os.path.join(TEMPDIR, "testtar") -+SPACE = b" " - - sha256_regtype = ( - "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce" -@@ -4356,6 +4357,161 @@ class TestExtractionFilters(unittest.TestCase): - self.check_trusted_default(tar, tempdir) - - -+class OffsetValidationTests(unittest.TestCase): -+ tarname = tmpname -+ invalid_posix_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, space, null terminator: 8 bytes -+ + b"000755" + SPACE + tarfile.NUL -+ # uid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL 
-+ # gid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0011407" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # magic: 6 bytes, version: 2 bytes -+ + tarfile.POSIX_MAGIC -+ # uname: 32 bytes -+ + tarfile.NUL * 32 -+ # gname: 32 bytes -+ + tarfile.NUL * 32 -+ # devmajor, space, null terminator: 8 bytes -+ + tarfile.NUL * 6 + SPACE + tarfile.NUL -+ # devminor, space, null terminator: 8 bytes -+ + tarfile.NUL * 6 + SPACE + tarfile.NUL -+ # prefix: 155 bytes -+ + tarfile.NUL * tarfile.LENGTH_PREFIX -+ # padding: 12 bytes -+ + tarfile.NUL * 12 -+ ) -+ invalid_gnu_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, null terminator: 8 bytes -+ + b"0000755" + tarfile.NUL -+ # uid, null terminator: 8 bytes -+ + b"0000001" + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"0000001" + tarfile.NUL -+ # size, space: 12 bytes -+ + b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0011327" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # magic: 8 bytes -+ + tarfile.GNU_MAGIC -+ # uname: 32 bytes -+ + tarfile.NUL * 32 -+ # gname: 32 bytes -+ + tarfile.NUL * 32 -+ # devmajor, null terminator: 8 bytes -+ + tarfile.NUL * 8 -+ # devminor, null terminator: 8 bytes -+ + tarfile.NUL * 8 -+ # padding: 167 bytes -+ + tarfile.NUL * 167 -+ ) -+ invalid_v7_header = ( -+ # name: 100 bytes -+ tarfile.NUL * tarfile.LENGTH_NAME -+ # mode, space, null terminator: 8 bytes -+ + b"000755" + SPACE + tarfile.NUL -+ # uid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # gid, space, null terminator: 8 bytes -+ + b"000001" + SPACE + tarfile.NUL -+ # size, space: 12 bytes -+ + 
b"\xff" * 11 + SPACE -+ # mtime, space: 12 bytes -+ + tarfile.NUL * 11 + SPACE -+ # chksum: 8 bytes -+ + b"0010070" + tarfile.NUL -+ # type: 1 byte -+ + tarfile.REGTYPE -+ # linkname: 100 bytes -+ + tarfile.NUL * tarfile.LENGTH_LINK -+ # padding: 255 bytes -+ + tarfile.NUL * 255 -+ ) -+ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT) -+ data_block = b"\xff" * tarfile.BLOCKSIZE -+ -+ def _write_buffer(self, buffer): -+ with open(self.tarname, "wb") as f: -+ f.write(buffer) -+ -+ def _get_members(self, ignore_zeros=None): -+ with open(self.tarname, "rb") as f: -+ with tarfile.open( -+ mode="r", fileobj=f, ignore_zeros=ignore_zeros -+ ) as tar: -+ return tar.getmembers() -+ -+ def _assert_raises_read_error_exception(self): -+ with self.assertRaisesRegex( -+ tarfile.ReadError, "file could not be opened successfully" -+ ): -+ self._get_members() -+ -+ def test_invalid_offset_header_validations(self): -+ for tar_format, invalid_header in ( -+ ("posix", self.invalid_posix_header), -+ ("gnu", self.invalid_gnu_header), -+ ("v7", self.invalid_v7_header), -+ ): -+ with self.subTest(format=tar_format): -+ self._write_buffer(invalid_header) -+ self._assert_raises_read_error_exception() -+ -+ def test_early_stop_at_invalid_offset_header(self): -+ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header -+ self._write_buffer(buffer) -+ members = self._get_members() -+ self.assertEqual(len(members), 1) -+ self.assertEqual(members[0].name, "filename") -+ self.assertEqual(members[0].offset, 0) -+ -+ def test_ignore_invalid_archive(self): -+ # 3 invalid headers with their respective data -+ buffer = (self.invalid_gnu_header + self.data_block) * 3 -+ self._write_buffer(buffer) -+ members = self._get_members(ignore_zeros=True) -+ self.assertEqual(len(members), 0) -+ -+ def test_ignore_invalid_offset_headers(self): -+ for first_block, second_block, expected_offset in ( -+ ( -+ (self.valid_gnu_header), -+ (self.invalid_gnu_header + 
self.data_block), -+ 0, -+ ), -+ ( -+ (self.invalid_gnu_header + self.data_block), -+ (self.valid_gnu_header), -+ 1024, -+ ), -+ ): -+ self._write_buffer(first_block + second_block) -+ members = self._get_members(ignore_zeros=True) -+ self.assertEqual(len(members), 1) -+ self.assertEqual(members[0].name, "filename") -+ self.assertEqual(members[0].offset, expected_offset) -+ -+ - def setUpModule(): - support.unlink(TEMPDIR) - os.makedirs(TEMPDIR) -diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst -new file mode 100644 -index 0000000..342cabb ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst -@@ -0,0 +1,3 @@ -+:mod:`tarfile` now validates archives to ensure member offsets are -+non-negative. (Contributed by Alexander Enrique Urieles Nieto in -+:gh:`130577`.) --- -2.50.1 - diff --git a/SOURCES/Python-3.9.20.tar.xz.asc b/SOURCES/Python-3.9.20.tar.xz.asc deleted file mode 100644 index 1424bc7..0000000 --- a/SOURCES/Python-3.9.20.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmbcKf0ACgkQsmmV4xAl -BWh4rg//R5E1EjsifYqhLeIyT+JnrBvbTZeEcdxPXevsgilojYmrxBUKuXXViul0 -YZFaoDf6wjbHh6NMNgUpqcOH/5S/LsFZvuEcrw0jyGlMr0AMA4KLmNvQ9Wxf+wp4 -mUmhymQx555nVivsdPiziNnDwubZeA870ZllYEMWP5vXw7p2LbnlZvn7A+LSKjqM -S/6xbiKYVexK3vHY/uG0xo4z24FySfvs0/PF11JfRJCxm9+bli7FmHOoFMwpOO6S -caZLok4987YWOcPIPY6h+o2sFhDqHs8POGKd8k+0KQNQs5UbEQ4t/eKgnaoATkGn -nfcAGXSjX5RSv5uXPzBUc0PulYo6EalIn1b5fu96La/FEg9GLMR/n9g75Fgm/j9L -QGYu/DSaastY/c7Ot4QVyB6pxbQKjM438yneQrjhKBILGla4Crh1k6yRCx93j/TH -hF9kiuRf7jtLIGTp0cnquELGnatmL1RhOySn/1Y+asMR+oK8d+XQab//w4VsAt7C -SIfVXg25PUgZoaiYj/qIjLK9vkcj/EZ1IacivP5qBWb3O1E8gzSV8Z9duGT8Ef3P -ch4M/pd6hefVVVfyCoazB3gwDs68O6U2BIRdYLRlet8AuKTBysQKFwOo3EcCMmJV -W20KutPnERCzt8jeJdzFd0z3po9mvxNTKDLYaABtNI6NN00LcsM= -=svjf ------END PGP SIGNATURE----- 
diff --git a/SOURCES/Python-3.9.25.tar.xz.asc b/SOURCES/Python-3.9.25.tar.xz.asc new file mode 100644 index 0000000..3075c39 --- /dev/null +++ b/SOURCES/Python-3.9.25.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmkFBpsACgkQsmmV4xAl +BWgwbw//Tx78tZg3/tJ47YDzDCf68XurBPbdgSfmmGTRrveMt6nQbV+c7XKS5MKK +6hP0jt4W8tP6zC/zRPTexqYwetTaM7+ZKuxzwXABXzi+rfmL/L6BtQQpzwK+vesE +hSSkjl4R2FF3YBrTBNqG0ewf5j4Y41yc4V9UHJWXbmQt6sg/nF+lDvG3K3wzP6zV +rs6LsayeO3AXhi7+c0q7d2oYTFhv/RPOGl6/fLy5j1bxNNE1i2yeIfcR9BqjqB9y +Ue1Tea8RGjh3dSq06/8ubpcqf+tlE4cCDkLERqDWSafZnNA5X4eymAQP9urUoH2n +78X8DXkGbKqyJ+3w97S6zqVnZvL2jSOog8R+yvT5snqzJDp+UK0lcbowPILsOGm4 +BE54dQTG5bT+1bUicvQZIbP4vOswZufl8LGmodkW06edSEcylwO8bHWNcY/gC5HO +WcTbqTFyV+FtwAJxsfgkqKcI6xUyYHqeMhqCUvkpHFFMjsinVOBFVbow8fgiJGUV +GIo3kMNPZPirqgl9bhc3F7qvdgVDQsCqnKJ8B1WegdIlKWxXBj3qQB0U4Qbecpdt +2AhVQAmcOu4LzJYtatDp/0tw6KMr8nWGdofrLVJgzQuu6MmhGW+2cJ0e+wUAxw6v +OBjQ0o42ylQKeS8VGP4yFbYv1umeeWHje26z9az3uOVUFaAoptk= +=5qMt +-----END PGP SIGNATURE----- diff --git a/SPECS/python39.spec b/SPECS/python39.spec index 7eb0205..89f4627 100644 --- a/SPECS/python39.spec +++ b/SPECS/python39.spec @@ -13,7 +13,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.20 +%global general_version %{pybasever}.25 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} @@ -237,6 +237,7 @@ BuildRequires: libnsl2-devel BuildRequires: libtirpc-devel BuildRequires: libGL-devel BuildRequires: libuuid-devel +BuildRequires: libxcrypt-devel BuildRequires: libX11-devel BuildRequires: make BuildRequires: ncurses-devel 
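Review bot: The rebase at `%global general_version %{pybasever}.25` brings in a new tarball, pinned in `.python39.metadata` by a 40-hex-character digest (SHA-1 length), and a new detached signature `SOURCES/Python-3.9.25.tar.xz.asc`, but none of the spec hunks in this commit show that signature being checked during the build. If `%prep` does not already do this outside the visible hunks, verify the tarball before unpacking, for example with the `%{gpgverify}` macro where the build root provides it: `%{gpgverify} --keyring='<KEYRING_SOURCE>' --signature='<ASC_SOURCE>' --data='<TARBALL_SOURCE>'` (placeholders; the Source numbers are not visible here). Without such a step the committed `.asc` is informational only and integrity rests on the lookaside digest alone.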
@@ -249,9 +250,9 @@ BuildRequires: sqlite-devel BuildRequires: gdb BuildRequires: tar -BuildRequires: tcl-devel +BuildRequires: tcl-devel < 1:9 BuildRequires: tix-devel -BuildRequires: tk-devel +BuildRequires: tk-devel < 1:9 BuildRequires: tzdata %if %{with valgrind} @@ -303,6 +304,7 @@ Source11: idle3.appdata.xml # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8 # Fixup distutils/unixccompiler.py to remove standard library path from rpath +# # Was Patch0 in ivazquez' python3000 specfile Patch1: 00001-rpath.patch @@ -314,7 +316,7 @@ Patch1: 00001-rpath.patch # See https://bugzilla.redhat.com/show_bug.cgi?id=556092 Patch111: 00111-no-static-lib.patch -# 00189 # 4242864a6a12f1f4cf9fd63a6699a73f35261aa3 +# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5 # Instead of bundled wheels, use our RPM packaged wheels # # We keep them in /usr/share/python-wheels @@ -327,7 +329,7 @@ Patch189: 00189-use-rpm-wheels.patch # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly. # In such cases, the patch needs to be amended and the versions updated here: %global pip_version 23.0.1 -%global setuptools_version 58.1.0 +%global setuptools_version 79.0.1 # 00251 # 2eabd04356402d488060bc8fe316ad13fc8a3356 # Change user install location @@ -432,12 +434,6 @@ Patch378: 00378-support-expat-2-4-5.patch # - https://access.redhat.com/articles/7004769 Patch397: 00397-tarfile-filter.patch -# 00414 # -# -# Skip test_pair() and test_speech128() of test_zlib on s390x since -# they fail if zlib uses the s390x hardware accelerator. -Patch414: 00414-skip_test_zlib_s390x.patch - # 00415 # # [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116) # 
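Review bot: The new upper bounds `BuildRequires: tcl-devel < 1:9` and `BuildRequires: tk-devel < 1:9` carry no comment, so the reason for the cap and the condition for lifting it are lost to whoever does the next rebase. Presumably the cap keeps `_tkinter` building against Tcl/Tk 8.x; if so, say it above the two lines, e.g. `# _tkinter in this Python version is built against Tcl/Tk 8.x; drop the cap once 9.x is supported`. The bound is epoch-qualified (`1:9`), which the comment should mention too so that it is not later shortened to `< 9`.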
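Review bot: `%global setuptools_version 79.0.1` records upstream's bundled wheel version (the refreshed `00189-use-rpm-wheels.patch` now removes `_SETUPTOOLS_VERSION = "79.0.1"`), but that is not necessarily the setuptools this package installs. The patch points ensurepip at `/usr/share/python39-wheels/`, and `%prep` runs `rm Lib/ensurepip/_bundled/*.whl`. Whatever fixes motivated the upstream jump from 58.1.0 are therefore in effect only if the RPM-packaged wheel carries them. How `setuptools_version` is consumed lies outside this hunk; if it feeds a versioned dependency or a bundled-component declaration, confirm the packaged wheel matches. A comment such as `# upstream's bundled version; the wheel actually installed comes from /usr/share/python39-wheels/` would make that explicit.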
@@ -459,13 +455,17 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par # CVE-2023-52425. Future versions of Expat may be more reactive. Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch -# 00467 # -# CVE-2025-8194 +# 00452 # eb11d070c5af7d1b5e47f4e02186152d08eaf793 +# Properly apply exported CFLAGS for dtrace/systemtap builds # -# tarfile now validates archives to ensure member offsets are non-negative. +# When using --with-dtrace the resulting object file could be missing +# specific CFLAGS exported by the build system due to the systemtap +# script using specific defaults. # -# Upstream issue: https://github.com/python/cpython/issues/130577 -Patch467: 00467-CVE-2025-8194.patch +# Exporting the CC and CFLAGS variables before the dtrace invocation +# allows us to properly apply CFLAGS exported by the build system +# even when cross-compiling. +Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch # (New patches go here ^^^) # @@ -879,10 +879,9 @@ rm Lib/ensurepip/_bundled/*.whl %apply_patch -q %{PATCH353} %apply_patch -q %{PATCH378} %apply_patch -q %{PATCH397} -%apply_patch -q %{PATCH414} %apply_patch -q %{PATCH415} %apply_patch -q %{PATCH422} -%apply_patch -q %{PATCH467} +%apply_patch -q %{PATCH452} # Remove all exe files to ensure we are not shipping prebuilt binaries # note that those are only used to create Microsoft Windows installers @@ -1704,6 +1703,10 @@ fi %dir %{pylibdir}/site-packages/ %dir %{pylibdir}/site-packages/__pycache__/ %{pylibdir}/site-packages/README.txt + +%exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py +%exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes} + %{pylibdir}/*.py %dir %{pylibdir}/__pycache__/ %{pylibdir}/__pycache__/*%{bytecode_suffixes} 
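Review bot: This hunk removes `Patch467: 00467-CVE-2025-8194.patch`, and the `%apply_patch` hunk after it removes `%{PATCH467}` and `%{PATCH414}`, yet the new 3.9.25-2 changelog entry does not say that a CVE patch was dropped or why. The page is consistent with the fix now being part of the upstream tarball: the refreshed `00397-tarfile-filter.patch` results in `Lib/tarfile.py` blob `fa3f922`, the same result blob as the removed 00467 patch, and its test hunk now follows `class OffsetValidationTests`. Record this explicitly so vulnerability tracking does not read the removal as a regression, e.g. a changelog line `- Drop patch 00467 (CVE-2025-8194), included in the 3.9.25 tarball`. Add a matching line stating why 00414 is gone; this page does not show the reason.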
@@ -2034,6 +2037,9 @@ fi %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so +%{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py +%{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes} + %endif # with debug_build # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig @@ -2057,6 +2063,19 @@ fi # ====================================================== %changelog +* Mon Nov 24 2025 Lumír Balhar - 3.9.25-2 +- Add explicit BR: libxcrypt-devel +- Properly apply exported CFLAGS for dtrace/systemtap builds +- Update to Python 3.9.25 +- Move _sysconfigdata_d_linux*.py to the debug subpackage +- Fedora contributions by: + Björn Esser + Charalampos Stratakis + Karolina Surma + Tomas Orsava + Tomáš Hrnčiar +Resolves: RHEL-128539 + * Tue Aug 19 2025 Lumír Balhar - 3.9.20-2 - Security fix for CVE-2025-8194 Resolves: RHEL-106359