rpms/python39
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python39-3.9.13-1.module+el8.7.0+15656+ffd4a257

Browse Source
This commit is contained in:
CentOS Sources 2022-11-08 01:45:47 -05:00 committed by Stepan Oksanichenko
parent 81ef7a1731
commit 73dc0b07aa
9 changed files with 2034 additions and 2187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.9.7.tar.xz SOURCES/Python-3.9.13.tar.xz

2
.python39.metadata
View File

@ -1 +1 @@
5208c1d1e0e859f42a9bdbb110efd0855ec4ecf1 SOURCES/Python-3.9.7.tar.xz d57e5c8b94fe42e2b403e6eced02b25ed47ca8da SOURCES/Python-3.9.13.tar.xz

28
SOURCES/00189-use-rpm-wheels.patch
View File

@ -1,4 +1,4 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From 2c91575950d4de95d308e30cc4ab20d032b1aceb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz> From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Wed, 15 Aug 2018 15:36:29 +0200 Date: Wed, 15 Aug 2018 15:36:29 +0200
Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels
Downstream only: upstream bundles Downstream only: upstream bundles
We might eventually pursuit upstream support, but it's low prio We might eventually pursuit upstream support, but it's low prio
--- ---
Lib/ensurepip/__init__.py | 33 ++++++++++++++++++++++----------- Lib/ensurepip/__init__.py | 37 ++++++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-) 1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
index 97dfa7ea71..984e587ea0 100644 index e510cc7..8de2e55 100644
--- a/Lib/ensurepip/__init__.py --- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py
@@ -1,3 +1,5 @@ @@ -1,3 +1,5 @@
@ -21,7 +21,7 @@ index 97dfa7ea71..984e587ea0 100644
import os import os
import os.path import os.path
import sys import sys
@@ -6,16 +8,28 @@ import tempfile @@ -6,13 +8,29 @@ import tempfile
import subprocess import subprocess
from importlib import resources from importlib import resources
@ -30,13 +30,13 @@ index 97dfa7ea71..984e587ea0 100644
__all__ = ["version", "bootstrap"] __all__ = ["version", "bootstrap"]
-_SETUPTOOLS_VERSION = "58.1.0"
-_PIP_VERSION = "22.0.4"
+
+_WHEEL_DIR = "/usr/share/python39-wheels/" +_WHEEL_DIR = "/usr/share/python39-wheels/"
+
-_SETUPTOOLS_VERSION = "57.4.0"
+_wheels = {} +_wheels = {}
+
-_PIP_VERSION = "21.2.3"
+def _get_most_recent_wheel_version(pkg): +def _get_most_recent_wheel_version(pkg):
+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))
+ _wheels[pkg] = {} + _wheels[pkg] = {}
@ -51,10 +51,11 @@ index 97dfa7ea71..984e587ea0 100644
+_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools") +_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools")
+ +
+_PIP_VERSION = _get_most_recent_wheel_version("pip") +_PIP_VERSION = _get_most_recent_wheel_version("pip")
+
_PROJECTS = [ _PROJECTS = [
("setuptools", _SETUPTOOLS_VERSION, "py3"), ("setuptools", _SETUPTOOLS_VERSION, "py3"),
@@ -105,13 +119,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, ("pip", _PIP_VERSION, "py3"),
@@ -101,13 +119,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
# additional paths that need added to sys.path # additional paths that need added to sys.path
additional_paths = [] additional_paths = []
for project, version, py_tag in _PROJECTS: for project, version, py_tag in _PROJECTS:
@ -72,3 +73,6 @@ index 97dfa7ea71..984e587ea0 100644
additional_paths.append(os.path.join(tmpdir, wheel_name)) additional_paths.append(os.path.join(tmpdir, wheel_name))
--
2.35.3

3850
SOURCES/00329-fips.patch
View File

File diff suppressed because it is too large Load Diff

47
SOURCES/00378-support-expat-2-4-5.patch Normal file
View File

@ -0,0 +1,47 @@
From db083095e3bdb93e4f8170d814664c482b1e94da Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 14 Jun 2022 06:38:43 +0200
Subject: [PATCH] Fix test suite for Expat >= 2.4.5
---
Lib/test/test_minidom.py | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
index 9762025..5f52ed1 100644
--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -1149,14 +1149,10 @@ class MinidomTest(unittest.TestCase):
# Verify that character decoding errors raise exceptions instead
# of crashing
- if pyexpat.version_info >= (2, 4, 5):
- self.assertRaises(ExpatError, parseString,
- b'<fran\xe7ais></fran\xe7ais>')
- self.assertRaises(ExpatError, parseString,
- b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
- else:
- self.assertRaises(UnicodeDecodeError, parseString,
- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
+ self.assertRaises(ExpatError, parseString,
+ b'<fran\xe7ais></fran\xe7ais>')
+ self.assertRaises(ExpatError, parseString,
+ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
doc.unlink()
@@ -1617,10 +1613,7 @@ class MinidomTest(unittest.TestCase):
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
def testExceptionOnSpacesInXMLNSValue(self):
- if pyexpat.version_info >= (2, 4, 5):
- context = self.assertRaisesRegex(ExpatError, 'syntax error')
- else:
- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
+ context = self.assertRaisesRegex(ExpatError, 'syntax error')
with context:
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
--
2.35.3

150
SOURCES/00382-cve-2015-20107.patch Normal file
View File

@ -0,0 +1,150 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Fri, 3 Jun 2022 11:43:35 +0200
Subject: [PATCH] 00382: CVE-2015-20107
Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
Upstream: https://github.com/python/cpython/issues/68966
Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
---
Doc/library/mailcap.rst | 12 +++++++++
Lib/mailcap.py | 26 +++++++++++++++++--
Lib/test/test_mailcap.py | 8 ++++--
...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
4 files changed, 46 insertions(+), 4 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
index a22b5b9c9e..7aa3380fec 100644
--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -60,6 +60,18 @@ standard. However, mailcap files are supported on most Unix systems.
use) to determine whether or not the mailcap line applies. :func:`findmatch`
will automatically check such conditions and skip the entry if the check fails.
+ .. versionchanged:: 3.11
+
+ To prevent security issues with shell metacharacters (symbols that have
+ special effects in a shell command line), ``findmatch`` will refuse
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
+ into the returned command line.
+
+ If a disallowed character appears in *filename*, ``findmatch`` will always
+ return ``(None, None)`` as if no entry was found.
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
+ ``findmatch`` will ignore all mailcap entries which use that value.
+ A :mod:`warning <warnings>` will be raised in either case.
.. function:: getcaps()
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
index ae416a8e9f..444c6408b5 100644
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
import os
import warnings
+import re
__all__ = ["getcaps","findmatch"]
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
else:
return 1, 0
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+ """Warning raised when refusing unsafe input"""
+
# Part 1: top-level interface.
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
entry to use.
"""
+ if _find_unsafe(filename):
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
entries = lookup(caps, MIMEtype, key)
# XXX This code should somehow check for the needsterminal flag.
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts
diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
index c08423c670..920283d9a2 100644
--- a/Lib/test/test_mailcap.py
+++ b/Lib/test/test_mailcap.py
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
(["", "audio/*", "foo.txt"], ""),
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
+ (["echo %t", "audio/*", "foo.txt"], None),
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
('"An audio fragment"', audio_basic_entry)),
([c, "audio/*"],
{"filename": fname},
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
+ (None, None)),
+ ([c, "audio/wav"],
+ {"filename": fname},
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
([c, "message/external-body"],
{"plist": plist},
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
new file mode 100644
index 0000000000..da81a1f699
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
+MIME types, parameters) into shell commands. Instead of using such text, it
+will warn and act as if a match was not found (or for test commands, as if
+the test failed).

16
SOURCES/Python-3.9.13.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl
BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g
lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+
uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW
oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS
3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN
7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs
1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X
ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3
YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z
hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4
sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc=
=RYbS
-----END PGP SIGNATURE-----

16
SOURCES/Python-3.9.7.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmEtNmkACgkQsmmV4xAl
BWgFxA/+PbfnJKXOLH5s4cUARd5K1WAB7BvPKb5C3dxILvn7tp6nPFrMknhjGj5h
cAe/2uaAm6IsMXLm0hJLE1fZy1ht5M6U7e7gxSNWIjX/qKQYVKBlP7w9BK1BALE/
YGyv3jDH7tgECkELGE0bePtuTLVr7HzdTmyKeI6BHHIklOeJBmYl/4JuUi2UxZKD
76dq0a7XTuk6ce5BUvsWsOoZ80+lms5mfVq5mNkiERdxPYvGrrxkqQz89xHU08qw
ISIBF8hX62zmRzzmuTQCPRGYsd00jPYrZ5d2aKMI36wTA/O2ICVSrzeQB6ixYOfP
ex2DbYRfMMghQ942Q9wM53TYhieibVMxEJD8MPlxleDe7O5jbe+djuwgKE9mnfCI
MZrOOuXOk4pY0l6CwgIyCWCuDNQYTip9HYqP4AMjwM1Rt1UjMsvjIds1bWgL3pEc
EV3r1f2RpuAL7kKpjzrw5qFgg87z4IVKp21Ikg2T5rvKZrSmMFyz/tr8Kuw7W0LP
KYKDKrh+J0haTpZyIOxYL+WQZ3GaXqQQaIyLI1rx2Qt9jbIt7/ieguKOx44hTLuc
sUE5I+q5Nv/nI4BsJiKiK/Oa7nDJX1xNNaaX/7p/MjAP5waGWowZutQtpSTMSm6U
ymmtmVg8xrt3zrEHJl4HQWhBvf0if1dsWvbtcP+iOdyFOw2Bn/c=
=+3CX
-----END PGP SIGNATURE-----

50
SPECS/python39.spec
View File

@ -13,7 +13,7 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version, # WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well # remember to update the python3-docs package as well
%global general_version %{pybasever}.7 %global general_version %{pybasever}.13
#global prerel ... #global prerel ...
%global upstream_version %{general_version}%{?prerel} %global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}} Version: %{general_version}%{?prerel:~%{prerel}}
@ -390,6 +390,41 @@ Patch329: 00329-fips.patch
# a nightmare because it's basically a binary file. # a nightmare because it's basically a binary file.
Patch353: 00353-architecture-names-upstream-downstream.patch Patch353: 00353-architecture-names-upstream-downstream.patch
# 00378 #
# Support expat 2.4.5
#
# Curly brackets were never allowed in namespace URIs
# according to RFC 3986, and so-called namespace-validating
# XML parsers have the right to reject them a invalid URIs.
#
# libexpat >=2.4.5 has become strcter in that regard due to
# related security issues; with ET.XML instantiating a
# namespace-aware parser under the hood, this test has no
# future in CPython.
#
# References:
# - https://datatracker.ietf.org/doc/html/rfc3968
# - https://www.w3.org/TR/xml-names/
#
# Also, test_minidom.py: Support Expat >=2.4.5
#
# The patch has diverged from upstream as the python test
# suite was relying on checking the expat version, whereas
# in RHEL fixes get backported instead of rebasing packages.
#
# Upstream: https://bugs.python.org/issue46811
Patch378: 00378-support-expat-2-4-5.patch
# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
# CVE-2015-20107
#
# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
#
# Upstream: https://github.com/python/cpython/issues/68966
#
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
Patch382: 00382-cve-2015-20107.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
# When adding new patches to "python" and "python3" in Fedora, EL, etc., # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -783,6 +818,9 @@ If you want to build an RPM against the python%{pyshortver} module, you need to
%prep %prep
%autosetup -S git_am -N -n Python-%{upstream_version} %autosetup -S git_am -N -n Python-%{upstream_version}
# Temporary workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1954999
%{?!apply_patch:%define apply_patch(qp:m:) {%__apply_patch %**}}
# Apply patches up to 188 # Apply patches up to 188
%apply_patch -q %{PATCH1} %apply_patch -q %{PATCH1}
%apply_patch -q %{PATCH111} %apply_patch -q %{PATCH111}
@ -797,6 +835,8 @@ rm Lib/ensurepip/_bundled/*.whl
%apply_patch -q %{PATCH328} %apply_patch -q %{PATCH328}
%apply_patch -q %{PATCH329} %apply_patch -q %{PATCH329}
%apply_patch -q %{PATCH353} %apply_patch -q %{PATCH353}
%apply_patch -q %{PATCH378}
%apply_patch -q %{PATCH382}
# Remove all exe files to ensure we are not shipping prebuilt binaries # Remove all exe files to ensure we are not shipping prebuilt binaries
# note that those are only used to create Microsoft Windows installers # note that those are only used to create Microsoft Windows installers
@ -1541,7 +1581,6 @@ fi
%{pylibdir}/pydoc_data %{pylibdir}/pydoc_data
%{dynload_dir}/_blake2.%{SOABI_optimized}.so %{dynload_dir}/_blake2.%{SOABI_optimized}.so
%{dynload_dir}/_hmacopenssl.%{SOABI_optimized}.so
%{dynload_dir}/_asyncio.%{SOABI_optimized}.so %{dynload_dir}/_asyncio.%{SOABI_optimized}.so
%{dynload_dir}/_bisect.%{SOABI_optimized}.so %{dynload_dir}/_bisect.%{SOABI_optimized}.so
@ -1834,7 +1873,6 @@ fi
# ...with debug builds of the built-in "extension" modules: # ...with debug builds of the built-in "extension" modules:
%{dynload_dir}/_blake2.%{SOABI_debug}.so %{dynload_dir}/_blake2.%{SOABI_debug}.so
%{dynload_dir}/_hmacopenssl.%{SOABI_debug}.so
%{dynload_dir}/_asyncio.%{SOABI_debug}.so %{dynload_dir}/_asyncio.%{SOABI_debug}.so
%{dynload_dir}/_bisect.%{SOABI_debug}.so %{dynload_dir}/_bisect.%{SOABI_debug}.so
@ -1965,6 +2003,12 @@ fi
# ====================================================== # ======================================================
%changelog %changelog
* Tue Jun 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-1
- Update to 3.9.13
- Security fix for CVE-2015-20107
- Fix the test suite support for Expat >= 2.4.5
Resolves: rhbz#2075390
* Tue Sep 07 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.9.7-1 * Tue Sep 07 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.9.7-1
- Update to 3.9.7 - Update to 3.9.7
Resolves: rhbz#2003102 Resolves: rhbz#2003102