CVE-2007-4559, PEP-706: Add filters for tarfile extraction

python39.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -415,6 +415,14 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # Upstream: https://bugs.python.org/issue46811
 Patch378: 00378-support-expat-2-4-5.patch
 
+# 00397 #
+# Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# The first patch backports the upstream fix:
+# - https://github.com/python/cpython/pull/104382
+# The second patch is Red Hat configuration, see KB for documentation:
+# - https://access.redhat.com/articles/7004769
+Patch397: 00397-tarfile-filter.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -826,6 +834,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %apply_patch -q %{PATCH329}
 %apply_patch -q %{PATCH353}
 %apply_patch -q %{PATCH378}
+%apply_patch -q %{PATCH397}
 
 # Remove all exe files to ensure we are not shipping prebuilt binaries
 # note that those are only used to create Microsoft Windows installers
@@ -1992,6 +2001,10 @@ fi
 # ======================================================
 
 %changelog
+* Mon Jun 19 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.16-2
+- Add filters for tarfile extraction (CVE-2007-4559, PEP-706)
+Resolves: rhbz#263261
+
 * Tue Dec 13 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-1
 - Update to 3.9.16
 - Security fix for CVE-2022-45061