import UBI python39-3.9.25-2.module+el8.10.0+23718+1842ae33

2025-12-18 01:23:43 +00:00 · 2025-12-18 01:23:43 +00:00 · 074f26a5d9
commit 074f26a5d9
parent 4c1cd376ad
14 changed files with 129 additions and 361 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/Python-3.9.20.tar.xz
+SOURCES/Python-3.9.25.tar.xz
--- a/.python39.metadata
+++ b/.python39.metadata
@ -1 +1 @@
-52902dd820d2d41c47ef927ecebb24a96a51cc4b SOURCES/Python-3.9.20.tar.xz
+36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz
--- a/SOURCES/00001-rpath.patch
+++ b/SOURCES/00001-rpath.patch
@ -1,9 +1,10 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
-Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
+Subject: 00001: Fixup distutils/unixccompiler.py to remove standard library
- library path from rpath Was Patch0 in ivazquez' python3000 specfile
+ path from rpath
 Was Patch0 in ivazquez' python3000 specfile
 ---
 Lib/distutils/unixccompiler.py | 9 +++++++++
 1 file changed, 9 insertions(+)
--- a/SOURCES/00111-no-static-lib.patch
+++ b/SOURCES/00111-no-static-lib.patch
@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Mon, 18 Jan 2010 17:59:07 +0000
-Subject: [PATCH] 00111: Don't try to build a libpythonMAJOR.MINOR.a
+Subject: 00111: Don't try to build a libpythonMAJOR.MINOR.a
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
--- a/SOURCES/00189-use-rpm-wheels.patch
+++ b/SOURCES/00189-use-rpm-wheels.patch
@ -1,7 +1,7 @@
 From 2c91575950d4de95d308e30cc4ab20d032b1aceb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
-Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
+Subject: 00189: Instead of bundled wheels, use our RPM packaged wheels
 We keep them in /usr/share/python-wheels
@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
 1 file changed, 26 insertions(+), 11 deletions(-)
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index e510cc7..8de2e55 100644
+index d61bb089e3..77d7ec5a65 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
@@ -1,3 +1,5 @@
@ -30,7 +30,7 @@ index e510cc7..8de2e55 100644
 __all__ = ["version", "bootstrap"]
-_SETUPTOOLS_VERSION = "58.1.0"
+-_SETUPTOOLS_VERSION = "79.0.1"
 -_PIP_VERSION = "23.0.1"
 +
 +_WHEEL_DIR = "/usr/share/python39-wheels/"
--- a/SOURCES/00251-change-user-install-location.patch
+++ b/SOURCES/00251-change-user-install-location.patch
@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
-Subject: [PATCH] 00251: Change user install location
+Subject: 00251: Change user install location
 Set values of prefix and exec_prefix in distutils install command
 to /usr/local if executable is /usr/bin/python* and RPM build
--- a/SOURCES/00353-architecture-names-upstream-downstream.patch
+++ b/SOURCES/00353-architecture-names-upstream-downstream.patch
@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 4 Aug 2020 12:04:03 +0200
-Subject: [PATCH] 00353: Original names for architectures with different names
+Subject: 00353: Original names for architectures with different names
 downstream
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
--- a/SOURCES/00397-tarfile-filter.patch
+++ b/SOURCES/00397-tarfile-filter.patch
@ -1,8 +1,8 @@
-From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
+From fc3e5ff91495aaf9905bd38ac61db0c3279d17e0 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
-Date: Mon, 6 Mar 2023 17:24:24 +0100
+Date: Fri, 21 Nov 2025 14:30:02 +0100
-Subject: [PATCH 2/2] CVE-2007-4559, PEP-706: Add filters for tarfile
+Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
- extraction (downstream)
+ (downstream)
 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
@ -13,7 +13,7 @@ variable and config file.
 3 files changed, 169 insertions(+), 4 deletions(-)
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index b6ad7dbe2a4..dc7050b2c63 100755
+index 209c206..fa3f922 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@ -30,7 +30,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755
 #---------------------------------------------------------
 # tar constants
-@@ -2197,6 +2204,41 @@ class TarFile(object):
+@@ -2253,6 +2260,41 @@ class TarFile(object):
         if filter is None:
             filter = self.extraction_filter
             if filter is None:
@ -73,7 +73,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755
             if isinstance(filter, str):
                 raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 9041e7aa368..1eb1116cc10 100644
+index 9041e7a..1eb1116 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
@@ -1613,7 +1613,8 @@ class TestArchives(BaseTest, unittest.TestCase):
@ -87,10 +87,10 @@ index 9041e7aa368..1eb1116cc10 100644
     def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index a66f7efd2d6..6fd3c384b5c 100644
+index 17d2239..8b9aea2 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
-@@ -2,7 +2,7 @@ import sys
+@@ -3,7 +3,7 @@ import sys
 import os
 import io
 from hashlib import sha256
@ -99,7 +99,7 @@ index a66f7efd2d6..6fd3c384b5c 100644
 from random import Random
 import pathlib
 import shutil
-@@ -2929,7 +2929,11 @@ class NoneInfoExtractTests(ReadTest):
+@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest):
         tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
         cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
         tar.errorlevel = 0
@ -112,7 +112,7 @@ index a66f7efd2d6..6fd3c384b5c 100644
         tar.close()
         cls.control_paths = set(
             p.relative_to(cls.control_dir)
-@@ -3592,7 +3596,8 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4065,7 +4069,8 @@ class TestExtractionFilters(unittest.TestCase):
         """Ensure the default filter does not warn (like in 3.12)"""
         with ArchiveMaker() as arc:
             arc.add('foo')
@ -122,8 +122,8 @@ index a66f7efd2d6..6fd3c384b5c 100644
             with self.check_context(arc.open(), None):
                 self.expect_file('foo')
-@@ -3762,6 +3767,123 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4390,6 +4395,123 @@ class OffsetValidationTests(unittest.TestCase):
-             self.expect_exception(TypeError)  # errorlevel is not int
+             self.assertEqual(members[0].offset, expected_offset)
 +    @contextmanager
@ -247,5 +247,5 @@ index a66f7efd2d6..6fd3c384b5c 100644
     support.unlink(TEMPDIR)
     os.makedirs(TEMPDIR)
 -- 
-2.40.1
+2.51.1
--- a/SOURCES/00414-skip_test_zlib_s390x.patch
+++ b/SOURCES/00414-skip_test_zlib_s390x.patch
@ -1,88 +0,0 @@
 From f253f1e7e8283b876d40af385d5729646f2c18b6 Mon Sep 17 00:00:00 2001
 From: Victor Stinner <vstinner@python.org>
 Date: Wed, 17 Jan 2024 14:53:23 +0100
 Subject: [PATCH] bpo-46623: Skip two test_zlib tests on s390x (GH-31096)
 Skip test_pair() and test_speech128() of test_zlib on s390x since
 they fail if zlib uses the s390x hardware accelerator.
 ---
 Lib/test/test_zlib.py                         | 32 +++++++++++++++++++
 .../2022-02-03-09-45-26.bpo-46623.vxzuhV.rst  |  2 ++
 2 files changed, 34 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
 diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
 index aa7943f..8945b10 100644
 --- a/Lib/test/test_zlib.py
 +++ b/Lib/test/test_zlib.py
@@ -2,6 +2,7 @@ import unittest
 from test import support
 import binascii
 import copy
 +import os
 import pickle
 import random
 import sys
@@ -16,6 +17,35 @@ requires_Decompress_copy = unittest.skipUnless(
         hasattr(zlib.decompressobj(), "copy"),
         'requires Decompress.copy()')
 +# bpo-46623: On s390x, when a hardware accelerator is used, using different
 +# ways to compress data with zlib can produce different compressed data.
 +# Simplified test_pair() code:
 +#
 +#   def func1(data):
 +#       return zlib.compress(data)
 +#
 +#   def func2(data)
 +#       co = zlib.compressobj()
 +#       x1 = co.compress(data)
 +#       x2 = co.flush()
 +#       return x1 + x2
 +#
 +# On s390x if zlib uses a hardware accelerator, func1() creates a single
 +# "final" compressed block whereas func2() produces 3 compressed blocks (the
 +# last one is a final block). On other platforms with no accelerator, func1()
 +# and func2() produce the same compressed data made of a single (final)
 +# compressed block.
 +#
 +# Only the compressed data is different, the decompression returns the original
 +# data:
 +#
 +#   zlib.decompress(func1(data)) == zlib.decompress(func2(data)) == data
 +#
 +# Make the assumption that s390x always has an accelerator to simplify the skip
 +# condition. Windows doesn't have os.uname() but it doesn't support s390x.
 +skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
 +                                 'skipped on s390x')
 +
 def _zlib_runtime_version_tuple(zlib_version=zlib.ZLIB_RUNTIME_VERSION):
     # Register "1.2.3" as "1.2.3.0"
     # or "1.2.0-linux","1.2.0.f","1.2.0.f-linux"
@@ -187,6 +217,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
                                          bufsize=zlib.DEF_BUF_SIZE),
                          HAMLET_SCENE)
 +    @skip_on_s390x
     def test_speech128(self):
         # compress more data
         data = HAMLET_SCENE * 128
@@ -238,6 +269,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
 class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase):
     # Test compression object
 +    @skip_on_s390x
     def test_pair(self):
         # straightforward compress/decompress objects
         datasrc = HAMLET_SCENE * 128
 diff --git a/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
 new file mode 100644
 index 0000000..be085c0
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
@@ -0,0 +1,2 @@
 +Skip test_pair() and test_speech128() of test_zlib on s390x since they fail
 +if zlib uses the s390x hardware accelerator. Patch by Victor Stinner.
 -- 
 2.46.0
--- a/SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
+++ b/SOURCES/00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
@ -0,0 +1,51 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Mon, 31 Mar 2025 20:29:04 +0200
 Subject: 00452: Properly apply exported CFLAGS for dtrace/systemtap builds
 When using --with-dtrace the resulting object file could be missing
 specific CFLAGS exported by the build system due to the systemtap
 script using specific defaults.
 Exporting the CC and CFLAGS variables before the dtrace invocation
 allows us to properly apply CFLAGS exported by the build system
 even when cross-compiling.
 Co-authored-by: stratakis <cstratak@redhat.com>
 ---
 Makefile.pre.in                                               | 4 ++--
 .../next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
 diff --git a/Makefile.pre.in b/Makefile.pre.in
 index 568018827b..b401724d92 100644
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
@@ -989,7 +989,7 @@ Python/frozen.o: $(srcdir)/Python/importlib.h $(srcdir)/Python/importlib_externa
 # an include guard, so we can't use a pipeline to transform its output.
 Include/pydtrace_probes.h: $(srcdir)/Include/pydtrace.d
 	$(MKDIR_P) Include
 -	$(DTRACE) $(DFLAGS) -o $@ -h -s $<
 +	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -h -s $<
 	: sed in-place edit with POSIX-only tools
 	sed 's/PYTHON_/PyDTrace_/' $@ > $@.tmp
 	mv $@.tmp $@
@@ -999,7 +999,7 @@ Python/import.o: $(srcdir)/Include/pydtrace.h
 Modules/gcmodule.o: $(srcdir)/Include/pydtrace.h
 Python/pydtrace.o: $(srcdir)/Include/pydtrace.d $(DTRACE_DEPS)
 -	$(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
 +	CC="$(CC)" CFLAGS="$(CFLAGS)" $(DTRACE) $(DFLAGS) -o $@ -G -s $< $(DTRACE_DEPS)
 Objects/typeobject.o: Objects/typeslots.inc
 diff --git a/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
 new file mode 100644
 index 0000000000..a287e0b228
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Build/2025-03-31-19-22-41.gh-issue-131865.PIJy7X.rst
@@ -0,0 +1,2 @@
 +The DTrace build now properly passes the ``CC`` and ``CFLAGS`` variables
 +to the ``dtrace`` command when utilizing SystemTap on Linux.
--- a/SOURCES/00467-CVE-2025-8194.patch
+++ b/SOURCES/00467-CVE-2025-8194.patch
@ -1,215 +0,0 @@
 From eda136637fc7f056b403e1797a9b0403d6914d9e Mon Sep 17 00:00:00 2001
 From: Alexander Urieles <aeurielesn@users.noreply.github.com>
 Date: Tue, 19 Aug 2025 12:18:15 +0200
 Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member 
 offsets are non-negative (GH-137027)
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 (cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38)
 ---
 Lib/tarfile.py                                |   3 +
 Lib/test/test_tarfile.py                      | 156 ++++++++++++++++++
 ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst |   3 +
 3 files changed, 162 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
 index 21ffd83..fa3f922 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -1609,6 +1609,9 @@ class TarInfo(object):
         """Round up a byte count by BLOCKSIZE and return it,
            e.g. _block(834) => 1024.
         """
 +        # Only non-negative offsets are allowed
 +        if count < 0:
 +            raise InvalidHeaderError("invalid offset")
         blocks, remainder = divmod(count, BLOCKSIZE)
         if remainder:
             blocks += 1
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
 index 29f65d0..0bba25a 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
@@ -48,6 +48,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2")
 xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
 tmpname = os.path.join(TEMPDIR, "tmp.tar")
 dotlessname = os.path.join(TEMPDIR, "testtar")
 +SPACE = b" "
 sha256_regtype = (
     "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
@@ -4356,6 +4357,161 @@ class TestExtractionFilters(unittest.TestCase):
                 self.check_trusted_default(tar, tempdir)
 +class OffsetValidationTests(unittest.TestCase):
 +    tarname = tmpname
 +    invalid_posix_header = (
 +        # name: 100 bytes
 +        tarfile.NUL * tarfile.LENGTH_NAME
 +        # mode, space, null terminator: 8 bytes
 +        + b"000755" + SPACE + tarfile.NUL
 +        # uid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # gid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # size, space: 12 bytes
 +        + b"\xff" * 11 + SPACE
 +        # mtime, space: 12 bytes
 +        + tarfile.NUL * 11 + SPACE
 +        # chksum: 8 bytes
 +        + b"0011407" + tarfile.NUL
 +        # type: 1 byte
 +        + tarfile.REGTYPE
 +        # linkname: 100 bytes
 +        + tarfile.NUL * tarfile.LENGTH_LINK
 +        # magic: 6 bytes, version: 2 bytes
 +        + tarfile.POSIX_MAGIC
 +        # uname: 32 bytes
 +        + tarfile.NUL * 32
 +        # gname: 32 bytes
 +        + tarfile.NUL * 32
 +        # devmajor, space, null terminator: 8 bytes
 +        + tarfile.NUL * 6 + SPACE + tarfile.NUL
 +        # devminor, space, null terminator: 8 bytes
 +        + tarfile.NUL * 6 + SPACE + tarfile.NUL
 +        # prefix: 155 bytes
 +        + tarfile.NUL * tarfile.LENGTH_PREFIX
 +        # padding: 12 bytes
 +        + tarfile.NUL * 12
 +    )
 +    invalid_gnu_header = (
 +        # name: 100 bytes
 +        tarfile.NUL * tarfile.LENGTH_NAME
 +        # mode, null terminator: 8 bytes
 +        + b"0000755" + tarfile.NUL
 +        # uid, null terminator: 8 bytes
 +        + b"0000001" + tarfile.NUL
 +        # gid, space, null terminator: 8 bytes
 +        + b"0000001" + tarfile.NUL
 +        # size, space: 12 bytes
 +        + b"\xff" * 11 + SPACE
 +        # mtime, space: 12 bytes
 +        + tarfile.NUL * 11 + SPACE
 +        # chksum: 8 bytes
 +        + b"0011327" + tarfile.NUL
 +        # type: 1 byte
 +        + tarfile.REGTYPE
 +        # linkname: 100 bytes
 +        + tarfile.NUL * tarfile.LENGTH_LINK
 +        # magic: 8 bytes
 +        + tarfile.GNU_MAGIC
 +        # uname: 32 bytes
 +        + tarfile.NUL * 32
 +        # gname: 32 bytes
 +        + tarfile.NUL * 32
 +        # devmajor, null terminator: 8 bytes
 +        + tarfile.NUL * 8
 +        # devminor, null terminator: 8 bytes
 +        + tarfile.NUL * 8
 +        # padding: 167 bytes
 +        + tarfile.NUL * 167
 +    )
 +    invalid_v7_header = (
 +        # name: 100 bytes
 +        tarfile.NUL * tarfile.LENGTH_NAME
 +        # mode, space, null terminator: 8 bytes
 +        + b"000755" + SPACE + tarfile.NUL
 +        # uid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # gid, space, null terminator: 8 bytes
 +        + b"000001" + SPACE + tarfile.NUL
 +        # size, space: 12 bytes
 +        + b"\xff" * 11 + SPACE
 +        # mtime, space: 12 bytes
 +        + tarfile.NUL * 11 + SPACE
 +        # chksum: 8 bytes
 +        + b"0010070" + tarfile.NUL
 +        # type: 1 byte
 +        + tarfile.REGTYPE
 +        # linkname: 100 bytes
 +        + tarfile.NUL * tarfile.LENGTH_LINK
 +        # padding: 255 bytes
 +        + tarfile.NUL * 255
 +    )
 +    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
 +    data_block = b"\xff" * tarfile.BLOCKSIZE
 +
 +    def _write_buffer(self, buffer):
 +        with open(self.tarname, "wb") as f:
 +            f.write(buffer)
 +
 +    def _get_members(self, ignore_zeros=None):
 +        with open(self.tarname, "rb") as f:
 +            with tarfile.open(
 +                mode="r", fileobj=f, ignore_zeros=ignore_zeros
 +            ) as tar:
 +                return tar.getmembers()
 +
 +    def _assert_raises_read_error_exception(self):
 +        with self.assertRaisesRegex(
 +            tarfile.ReadError, "file could not be opened successfully"
 +        ):
 +            self._get_members()
 +
 +    def test_invalid_offset_header_validations(self):
 +        for tar_format, invalid_header in (
 +            ("posix", self.invalid_posix_header),
 +            ("gnu", self.invalid_gnu_header),
 +            ("v7", self.invalid_v7_header),
 +        ):
 +            with self.subTest(format=tar_format):
 +                self._write_buffer(invalid_header)
 +                self._assert_raises_read_error_exception()
 +
 +    def test_early_stop_at_invalid_offset_header(self):
 +        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
 +        self._write_buffer(buffer)
 +        members = self._get_members()
 +        self.assertEqual(len(members), 1)
 +        self.assertEqual(members[0].name, "filename")
 +        self.assertEqual(members[0].offset, 0)
 +
 +    def test_ignore_invalid_archive(self):
 +        # 3 invalid headers with their respective data
 +        buffer = (self.invalid_gnu_header + self.data_block) * 3
 +        self._write_buffer(buffer)
 +        members = self._get_members(ignore_zeros=True)
 +        self.assertEqual(len(members), 0)
 +
 +    def test_ignore_invalid_offset_headers(self):
 +        for first_block, second_block, expected_offset in (
 +            (
 +                (self.valid_gnu_header),
 +                (self.invalid_gnu_header + self.data_block),
 +                0,
 +            ),
 +            (
 +                (self.invalid_gnu_header + self.data_block),
 +                (self.valid_gnu_header),
 +                1024,
 +            ),
 +        ):
 +            self._write_buffer(first_block + second_block)
 +            members = self._get_members(ignore_zeros=True)
 +            self.assertEqual(len(members), 1)
 +            self.assertEqual(members[0].name, "filename")
 +            self.assertEqual(members[0].offset, expected_offset)
 +
 +
 def setUpModule():
     support.unlink(TEMPDIR)
     os.makedirs(TEMPDIR)
 diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
 new file mode 100644
 index 0000000..342cabb
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
@@ -0,0 +1,3 @@
 +:mod:`tarfile` now validates archives to ensure member offsets are
 +non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
 +:gh:`130577`.)
 -- 
 2.50.1
--- a/SOURCES/Python-3.9.20.tar.xz.asc
+++ b/SOURCES/Python-3.9.20.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmbcKf0ACgkQsmmV4xAl
 BWh4rg//R5E1EjsifYqhLeIyT+JnrBvbTZeEcdxPXevsgilojYmrxBUKuXXViul0
 YZFaoDf6wjbHh6NMNgUpqcOH/5S/LsFZvuEcrw0jyGlMr0AMA4KLmNvQ9Wxf+wp4
 mUmhymQx555nVivsdPiziNnDwubZeA870ZllYEMWP5vXw7p2LbnlZvn7A+LSKjqM
 S/6xbiKYVexK3vHY/uG0xo4z24FySfvs0/PF11JfRJCxm9+bli7FmHOoFMwpOO6S
 caZLok4987YWOcPIPY6h+o2sFhDqHs8POGKd8k+0KQNQs5UbEQ4t/eKgnaoATkGn
 nfcAGXSjX5RSv5uXPzBUc0PulYo6EalIn1b5fu96La/FEg9GLMR/n9g75Fgm/j9L
 QGYu/DSaastY/c7Ot4QVyB6pxbQKjM438yneQrjhKBILGla4Crh1k6yRCx93j/TH
 hF9kiuRf7jtLIGTp0cnquELGnatmL1RhOySn/1Y+asMR+oK8d+XQab//w4VsAt7C
 SIfVXg25PUgZoaiYj/qIjLK9vkcj/EZ1IacivP5qBWb3O1E8gzSV8Z9duGT8Ef3P
 ch4M/pd6hefVVVfyCoazB3gwDs68O6U2BIRdYLRlet8AuKTBysQKFwOo3EcCMmJV
 W20KutPnERCzt8jeJdzFd0z3po9mvxNTKDLYaABtNI6NN00LcsM=
 =svjf
 -----END PGP SIGNATURE-----
--- a/SOURCES/Python-3.9.25.tar.xz.asc
+++ b/SOURCES/Python-3.9.25.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmkFBpsACgkQsmmV4xAl
 BWgwbw//Tx78tZg3/tJ47YDzDCf68XurBPbdgSfmmGTRrveMt6nQbV+c7XKS5MKK
 6hP0jt4W8tP6zC/zRPTexqYwetTaM7+ZKuxzwXABXzi+rfmL/L6BtQQpzwK+vesE
 hSSkjl4R2FF3YBrTBNqG0ewf5j4Y41yc4V9UHJWXbmQt6sg/nF+lDvG3K3wzP6zV
 rs6LsayeO3AXhi7+c0q7d2oYTFhv/RPOGl6/fLy5j1bxNNE1i2yeIfcR9BqjqB9y
 Ue1Tea8RGjh3dSq06/8ubpcqf+tlE4cCDkLERqDWSafZnNA5X4eymAQP9urUoH2n
 78X8DXkGbKqyJ+3w97S6zqVnZvL2jSOog8R+yvT5snqzJDp+UK0lcbowPILsOGm4
 BE54dQTG5bT+1bUicvQZIbP4vOswZufl8LGmodkW06edSEcylwO8bHWNcY/gC5HO
 WcTbqTFyV+FtwAJxsfgkqKcI6xUyYHqeMhqCUvkpHFFMjsinVOBFVbow8fgiJGUV
 GIo3kMNPZPirqgl9bhc3F7qvdgVDQsCqnKJ8B1WegdIlKWxXBj3qQB0U4Qbecpdt
 2AhVQAmcOu4LzJYtatDp/0tw6KMr8nWGdofrLVJgzQuu6MmhGW+2cJ0e+wUAxw6v
 OBjQ0o42ylQKeS8VGP4yFbYv1umeeWHje26z9az3uOVUFaAoptk=
 =5qMt
 -----END PGP SIGNATURE-----
--- a/SPECS/python39.spec
+++ b/SPECS/python39.spec
@ -13,7 +13,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.20
+%global general_version %{pybasever}.25
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@ -237,6 +237,7 @@ BuildRequires: libnsl2-devel
 BuildRequires: libtirpc-devel
 BuildRequires: libGL-devel
 BuildRequires: libuuid-devel
 BuildRequires: libxcrypt-devel
 BuildRequires: libX11-devel
 BuildRequires: make
 BuildRequires: ncurses-devel
@ -249,9 +250,9 @@ BuildRequires: sqlite-devel
 BuildRequires: gdb
 BuildRequires: tar
-BuildRequires: tcl-devel
+BuildRequires: tcl-devel < 1:9
 BuildRequires: tix-devel
-BuildRequires: tk-devel
+BuildRequires: tk-devel < 1:9
 BuildRequires: tzdata
 %if %{with valgrind}
@ -303,6 +304,7 @@ Source11: idle3.appdata.xml
 # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
 # Fixup distutils/unixccompiler.py to remove standard library path from rpath
 #
 # Was Patch0 in ivazquez' python3000 specfile
 Patch1: 00001-rpath.patch
@ -314,7 +316,7 @@ Patch1: 00001-rpath.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=556092
 Patch111: 00111-no-static-lib.patch
-# 00189 # 4242864a6a12f1f4cf9fd63a6699a73f35261aa3
+# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5
 # Instead of bundled wheels, use our RPM packaged wheels
 #
 # We keep them in /usr/share/python-wheels
@ -327,7 +329,7 @@ Patch189: 00189-use-rpm-wheels.patch
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
 %global pip_version 23.0.1
-%global setuptools_version 58.1.0
+%global setuptools_version 79.0.1
 # 00251 # 2eabd04356402d488060bc8fe316ad13fc8a3356
 # Change user install location
@ -432,12 +434,6 @@ Patch378: 00378-support-expat-2-4-5.patch
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 # 00414 #
 #
 # Skip test_pair() and test_speech128() of test_zlib on s390x since
 # they fail if zlib uses the s390x hardware accelerator.
 Patch414: 00414-skip_test_zlib_s390x.patch
 # 00415 #
 # [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
 #
@ -459,13 +455,17 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
-# 00467 #
+# 00452 # eb11d070c5af7d1b5e47f4e02186152d08eaf793
-# CVE-2025-8194
+# Properly apply exported CFLAGS for dtrace/systemtap builds
 #
-# tarfile now validates archives to ensure member offsets are non-negative.
+# When using --with-dtrace the resulting object file could be missing
 # specific CFLAGS exported by the build system due to the systemtap
 # script using specific defaults.
 #
-# Upstream issue: https://github.com/python/cpython/issues/130577
+# Exporting the CC and CFLAGS variables before the dtrace invocation
-Patch467: 00467-CVE-2025-8194.patch
+# allows us to properly apply CFLAGS exported by the build system
 # even when cross-compiling.
 Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
 # (New patches go here ^^^)
 #
@ -879,10 +879,9 @@ rm Lib/ensurepip/_bundled/*.whl
 %apply_patch -q %{PATCH353}
 %apply_patch -q %{PATCH378}
 %apply_patch -q %{PATCH397}
 %apply_patch -q %{PATCH414}
 %apply_patch -q %{PATCH415}
 %apply_patch -q %{PATCH422}
-%apply_patch -q %{PATCH467}
+%apply_patch -q %{PATCH452}
 # Remove all exe files to ensure we are not shipping prebuilt binaries
 # note that those are only used to create Microsoft Windows installers
@ -1704,6 +1703,10 @@ fi
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
 %exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
 %exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@ -2034,6 +2037,9 @@ fi
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
 %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
 %endif # with debug_build
 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@ -2057,6 +2063,19 @@ fi
 # ======================================================
 %changelog
 * Mon Nov 24 2025 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-2
 - Add explicit BR: libxcrypt-devel
 - Properly apply exported CFLAGS for dtrace/systemtap builds
 - Update to Python 3.9.25
 - Move _sysconfigdata_d_linux*.py to the debug subpackage
 - Fedora contributions by:
      Björn Esser <besser82@fedoraproject.org>
      Charalampos Stratakis <cstratak@redhat.com>
      Karolina Surma <ksurma@redhat.com>
      Tomas Orsava <torsava@redhat.com>
      Tomáš Hrnčiar <thrnciar@redhat.com>
 Resolves: RHEL-128539
 * Tue Aug 19 2025 Lumír Balhar <lbalhar@redhat.com> - 3.9.20-2
 - Security fix for CVE-2025-8194
 Resolves: RHEL-106359
`@ -1 +1 @@`
	`SOURCES/Python-3.9.20.tar.xz`	`SOURCES/Python-3.9.25.tar.xz`
`@ -1 +1 @@`
	`52902dd820d2d41c47ef927ecebb24a96a51cc4b SOURCES/Python-3.9.20.tar.xz`	`36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz`