import python39-3.9.6-1.module+el8.5.0+12043+ff46b40f

This commit is contained in:
CentOS Sources 2021-07-30 05:15:56 +00:00 committed by Andrew Lukoshko
parent 6821411dff
commit eb7dc5ac30
8 changed files with 133 additions and 210 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.9.2.tar.xz
SOURCES/Python-3.9.6.tar.xz

View File

@ -1 +1 @@
110ca5bca7989f9558a54ee6762e6774a4b9644a SOURCES/Python-3.9.2.tar.xz
05826c93a178872958f6685094ee3514e53ba653 SOURCES/Python-3.9.6.tar.xz

View File

@ -33,10 +33,10 @@ index 97dfa7ea71..984e587ea0 100644
+_WHEEL_DIR = "/usr/share/python39-wheels/"
-_SETUPTOOLS_VERSION = "49.2.1"
-_SETUPTOOLS_VERSION = "56.0.0"
+_wheels = {}
-_PIP_VERSION = "20.2.3"
-_PIP_VERSION = "21.1.3"
+def _get_most_recent_wheel_version(pkg):
+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))
+ _wheels[pkg] = {}

View File

@ -1,4 +1,4 @@
From 0d4515001c99025c024d773f34d3eb97833d0b5d Mon Sep 17 00:00:00 2001
From 918e294d56e646e67553550c87b4a9e30cac1f67 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 29 Jan 2021 14:16:21 +0100
Subject: [PATCH 01/13] Use python's fall backs for the crypto it implements
@ -10,7 +10,7 @@ Subject: [PATCH 01/13] Use python's fall backs for the crypto it implements
2 files changed, 76 insertions(+), 119 deletions(-)
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 58c340d56e3..1fd80c7d4fd 100644
index 58c340d..1fd80c7 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -68,8 +68,6 @@ __all__ = __always_supported + ('new', 'algorithms_guaranteed',
@ -260,7 +260,7 @@ index 58c340d56e3..1fd80c7d4fd 100644
+if not get_fips_mode():
+ del __py_new
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 86f31a55878..8235505092b 100644
index 86f31a5..8235505 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -1039,6 +1039,7 @@ class KDFTests(unittest.TestCase):
@ -272,10 +272,10 @@ index 86f31a55878..8235505092b 100644
def test_pbkdf2_hmac_py(self):
self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes)
--
2.26.2
2.31.1
From 8a174c9a8d4180a5a7b19f4419b98c63b91b13ab Mon Sep 17 00:00:00 2001
From 93696af7133bf08fd76fb759b24c7f82b90220da Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 17:19:06 +0200
Subject: [PATCH 02/13] Disable Python's hash implementations in FIPS mode,
@ -293,7 +293,7 @@ Subject: [PATCH 02/13] Disable Python's hash implementations in FIPS mode,
diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h
new file mode 100644
index 00000000000..a726c0d3fbf
index 0000000..a726c0d
--- /dev/null
+++ b/Include/_hashopenssl.h
@@ -0,0 +1,66 @@
@ -364,7 +364,7 @@ index 00000000000..a726c0d3fbf
+
+#endif // !Py_HASHOPENSSL_H
diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c
index 7fb1296f8b2..67620afcad2 100644
index 7fb1296..67620af 100644
--- a/Modules/_blake2/blake2b_impl.c
+++ b/Modules/_blake2/blake2b_impl.c
@@ -14,6 +14,7 @@
@ -394,7 +394,7 @@ index 7fb1296f8b2..67620afcad2 100644
if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE)
diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c
index ff142c9f3ed..bc67529cb5e 100644
index ff142c9..bc67529 100644
--- a/Modules/_blake2/blake2module.c
+++ b/Modules/_blake2/blake2module.c
@@ -9,6 +9,7 @@
@ -415,7 +415,7 @@ index ff142c9f3ed..bc67529cb5e 100644
if (m == NULL)
return NULL;
diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c
index e3e90d0587b..57c0f3fcbd7 100644
index e3e90d0..57c0f3f 100644
--- a/Modules/_blake2/blake2s_impl.c
+++ b/Modules/_blake2/blake2s_impl.c
@@ -14,6 +14,7 @@
@ -445,28 +445,28 @@ index e3e90d0587b..57c0f3fcbd7 100644
if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE)
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index adc86537732..deecc077ef8 100644
index ff3a1ae..3d788f5 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -16,6 +16,7 @@
@@ -23,6 +23,7 @@
#include "Python.h"
#include "hashlib.h"
#include "pystrhex.h"
+#include "_hashopenssl.h"
/* EVP is the preferred interface to hashing in OpenSSL */
@@ -24,9 +25,6 @@
#include <openssl/evp.h>
@@ -30,9 +31,6 @@
#include <openssl/crypto.h>
/* We use the object interface to discover what hashes OpenSSL supports. */
#include <openssl/objects.h>
-#include "openssl/err.h"
-#include <openssl/err.h>
-
-#include <openssl/crypto.h> // FIPS_mode()
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
@@ -118,37 +116,6 @@ class _hashlib.HMAC "HMACobject *" "((_hashlibstate *)PyModule_GetState(module))
@@ -124,37 +122,6 @@ class _hashlib.HMAC "HMACobject *" "((_hashlibstate *)PyModule_GetState(module))
/*[clinic end generated code: output=da39a3ee5e6b4b0d input=7df1bcf6f75cb8ef]*/
@ -505,7 +505,7 @@ index adc86537732..deecc077ef8 100644
static PyObject *
_disabled_new(PyTypeObject *type, PyObject *args, PyObject *kwargs)
diff --git a/setup.py b/setup.py
index bd5f7369244..89edbb627fa 100644
index 04eb6b2..f72d7ca 100644
--- a/setup.py
+++ b/setup.py
@@ -2306,7 +2306,7 @@ class PyBuildExt(build_ext):
@ -559,10 +559,10 @@ index bd5f7369244..89edbb627fa 100644
- library_dirs=openssl_libdirs,
- libraries=openssl_libs,
+ **self.detect_openssl_args(),
depends=['socketmodule.h', '_ssl/debughelpers.c'])
)
else:
@@ -2358,9 +2369,7 @@ class PyBuildExt(build_ext):
depends=[
'socketmodule.h',
'_ssl/debughelpers.c',
@@ -2363,9 +2374,7 @@ class PyBuildExt(build_ext):
self.add(Extension('_hashlib', ['_hashopenssl.c'],
depends=['hashlib.h'],
@ -573,7 +573,7 @@ index bd5f7369244..89edbb627fa 100644
def detect_hash_builtins(self):
# By default we always compile these even when OpenSSL is available
@@ -2417,6 +2426,7 @@ class PyBuildExt(build_ext):
@@ -2422,6 +2431,7 @@ class PyBuildExt(build_ext):
'_blake2/blake2b_impl.c',
'_blake2/blake2s_impl.c'
],
@ -582,10 +582,10 @@ index bd5f7369244..89edbb627fa 100644
))
--
2.26.2
2.31.1
From 56171083467bd5798adcb1946cfc0b1d68403755 Mon Sep 17 00:00:00 2001
From 0b9b72c27e24e159ed3180e9a7a2a9efa24de7e8 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 12 Dec 2019 16:58:31 +0100
Subject: [PATCH 03/13] Expose all hashes available to OpenSSL
@ -600,7 +600,7 @@ Subject: [PATCH 03/13] Expose all hashes available to OpenSSL
6 files changed, 158 insertions(+), 12 deletions(-)
diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h
index a726c0d3fbf..47ed0030422 100644
index a726c0d..47ed003 100644
--- a/Include/_hashopenssl.h
+++ b/Include/_hashopenssl.h
@@ -39,7 +39,7 @@ _setException(PyObject *exc)
@ -636,7 +636,7 @@ index a726c0d3fbf..47ed0030422 100644
#endif // !Py_HASHOPENSSL_H
diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c
index 67620afcad2..9e125dcbf43 100644
index 67620af..9e125dc 100644
--- a/Modules/_blake2/blake2b_impl.c
+++ b/Modules/_blake2/blake2b_impl.c
@@ -97,7 +97,7 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size,
@ -658,7 +658,7 @@ index 67620afcad2..9e125dcbf43 100644
GET_BUFFER_VIEW_OR_ERROUT(data, &buf);
diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c
index bc67529cb5e..79a9eed5c13 100644
index bc67529..79a9eed 100644
--- a/Modules/_blake2/blake2module.c
+++ b/Modules/_blake2/blake2module.c
@@ -58,7 +58,7 @@ PyInit__blake2(void)
@ -671,7 +671,7 @@ index bc67529cb5e..79a9eed5c13 100644
m = PyModule_Create(&blake2_module);
if (m == NULL)
diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c
index 57c0f3fcbd7..b59624d7d98 100644
index 57c0f3f..b59624d 100644
--- a/Modules/_blake2/blake2s_impl.c
+++ b/Modules/_blake2/blake2s_impl.c
@@ -97,7 +97,7 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size,
@ -693,10 +693,10 @@ index 57c0f3fcbd7..b59624d7d98 100644
GET_BUFFER_VIEW_OR_ERROUT(data, &buf);
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index deecc077ef8..a805183721b 100644
index 3d788f5..dc130f6 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -253,6 +253,12 @@ py_digest_by_name(const char *name)
@@ -259,6 +259,12 @@ py_digest_by_name(const char *name)
else if (!strcmp(name, "blake2b512")) {
digest = EVP_blake2b512();
}
@ -709,7 +709,7 @@ index deecc077ef8..a805183721b 100644
#endif
}
@@ -946,6 +952,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
@@ -952,6 +958,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
}
@ -751,7 +751,7 @@ index deecc077ef8..a805183721b 100644
#ifdef PY_OPENSSL_HAS_SHA3
/*[clinic input]
@@ -1931,6 +1972,8 @@ static struct PyMethodDef EVP_functions[] = {
@@ -1938,6 +1979,8 @@ static struct PyMethodDef EVP_functions[] = {
_HASHLIB_OPENSSL_SHA256_METHODDEF
_HASHLIB_OPENSSL_SHA384_METHODDEF
_HASHLIB_OPENSSL_SHA512_METHODDEF
@ -761,7 +761,7 @@ index deecc077ef8..a805183721b 100644
_HASHLIB_OPENSSL_SHA3_256_METHODDEF
_HASHLIB_OPENSSL_SHA3_384_METHODDEF
diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h
index 68aa765e529..2957ae2e135 100644
index 68aa765..2957ae2 100644
--- a/Modules/clinic/_hashopenssl.c.h
+++ b/Modules/clinic/_hashopenssl.c.h
@@ -540,6 +540,110 @@ exit:
@ -882,10 +882,10 @@ index 68aa765e529..2957ae2e135 100644
-/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=4f8cc45bf0337f8e input=a9049054013a1b77]*/
--
2.26.2
2.31.1
From e024cae691bffa2d093a63f8e2058331fce94d2a Mon Sep 17 00:00:00 2001
From 23e9a37ced6523d2e15c97f716d4dcb6605b1b9a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 18:13:45 +0200
Subject: [PATCH 04/13] Fix tests
@ -895,7 +895,7 @@ Subject: [PATCH 04/13] Fix tests
1 file changed, 5 insertions(+)
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 8235505092b..a838bcee2a8 100644
index 8235505..a838bce 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -354,6 +354,11 @@ class HashLibTestCase(unittest.TestCase):
@ -911,10 +911,10 @@ index 8235505092b..a838bcee2a8 100644
computed = m.hexdigest() if not shake else m.hexdigest(length)
self.assertEqual(
--
2.26.2
2.31.1
From 3e87bf1c3d32c09a50385d8576b1164cafce4158 Mon Sep 17 00:00:00 2001
From 20828756a8df0a693b09167d03bf2724bcfddc51 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 26 Jul 2019 15:41:10 +0200
Subject: [PATCH 05/13] Implement hmac.new using new built-in module,
@ -934,7 +934,7 @@ This removes the _hmacopenssl.new function.
create mode 100644 Modules/clinic/_hmacopenssl.c.h
diff --git a/Lib/hmac.py b/Lib/hmac.py
index 180bc378b52..482e443bfe4 100644
index 180bc37..482e443 100644
--- a/Lib/hmac.py
+++ b/Lib/hmac.py
@@ -14,6 +14,8 @@ else:
@ -1003,7 +1003,7 @@ index 180bc378b52..482e443bfe4 100644
"""Create a new hashing object and return it.
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 6daf22ca06f..544ec7cb411 100644
index 6daf22c..544ec7c 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -322,6 +322,7 @@ class TestVectorsTestCase(unittest.TestCase):
@ -1078,7 +1078,7 @@ index 6daf22ca06f..544ec7cb411 100644
# Testing if the copy has the same digests.
diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c
new file mode 100644
index 00000000000..c31d233fbe4
index 0000000..c31d233
--- /dev/null
+++ b/Modules/_hmacopenssl.c
@@ -0,0 +1,459 @@
@ -1543,7 +1543,7 @@ index 00000000000..c31d233fbe4
+}
diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h
new file mode 100644
index 00000000000..a2af550838a
index 0000000..a2af550
--- /dev/null
+++ b/Modules/clinic/_hmacopenssl.c.h
@@ -0,0 +1,104 @@
@ -1652,10 +1652,10 @@ index 00000000000..a2af550838a
+}
+/*[clinic end generated code: output=e0c910f3c9ed523e input=a9049054013a1b77]*/
diff --git a/setup.py b/setup.py
index 89edbb627fa..5c2cbd665af 100644
index f72d7ca..11fca20 100644
--- a/setup.py
+++ b/setup.py
@@ -2371,6 +2371,10 @@ class PyBuildExt(build_ext):
@@ -2376,6 +2376,10 @@ class PyBuildExt(build_ext):
depends=['hashlib.h'],
**self.detect_openssl_args()) )
@ -1667,10 +1667,10 @@ index 89edbb627fa..5c2cbd665af 100644
# By default we always compile these even when OpenSSL is available
# (issue #14693). It's harmless and the object code is tiny
--
2.26.2
2.31.1
From a6d7c4268a6e305b1178b633e59dde7b5c8a1069 Mon Sep 17 00:00:00 2001
From bda4c9de583ee2272812c25d506bea294a54dee8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 1 Aug 2019 17:57:05 +0200
Subject: [PATCH 06/13] Use a stronger hash in multiprocessing handshake
@ -1682,7 +1682,7 @@ https://bugs.python.org/issue17258
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
index 510e4b5aba4..b68f2fb837a 100644
index 510e4b5..b68f2fb 100644
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -42,6 +42,10 @@ BUFSIZE = 8192
@ -1715,10 +1715,10 @@ index 510e4b5aba4..b68f2fb837a 100644
response = connection.recv_bytes(256) # reject large message
if response != WELCOME:
--
2.26.2
2.31.1
From 86868ca46c47112f771d54a54ee89e2d6c00f56f Mon Sep 17 00:00:00 2001
From 381d423df59d59f953ed817e1611dd929393dea9 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Wed, 31 Jul 2019 15:43:43 +0200
Subject: [PATCH 07/13] Add initial tests for various hashes under FIPS mode
@ -1730,7 +1730,7 @@ Subject: [PATCH 07/13] Add initial tests for various hashes under FIPS mode
diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py
new file mode 100644
index 00000000000..fe4ea72296e
index 0000000..fe4ea72
--- /dev/null
+++ b/Lib/test/test_fips.py
@@ -0,0 +1,31 @@
@ -1766,10 +1766,10 @@ index 00000000000..fe4ea72296e
+if __name__ == "__main__":
+ unittest.main()
--
2.26.2
2.31.1
From 5badab85d3fc725b56a19658f1e9b16aeb0ed663 Mon Sep 17 00:00:00 2001
From 31c0ebb0612e0f058a45058b5c92d1cfa672eca2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 5 Aug 2019 18:23:57 +0200
Subject: [PATCH 08/13] Make hashlib tests pass in FIPS mode
@ -1779,7 +1779,7 @@ Subject: [PATCH 08/13] Make hashlib tests pass in FIPS mode
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index a838bcee2a8..6f60ad4b8fb 100644
index a838bce..6f60ad4 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -44,6 +44,12 @@ if builtin_hashes == default_builtin_hashes:
@ -1878,10 +1878,10 @@ index a838bcee2a8..6f60ad4b8fb 100644
self.check(
'md5',
--
2.26.2
2.31.1
From 0f7a3094bc4cf691ae0dd093567ceea149e14e8a Mon Sep 17 00:00:00 2001
From 42e85e3a54a806e9460ae67598f473b4a839d223 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:09:39 +0200
Subject: [PATCH 09/13] Test the usedforsecurity flag
@ -1891,7 +1891,7 @@ Subject: [PATCH 09/13] Test the usedforsecurity flag
1 file changed, 42 insertions(+), 24 deletions(-)
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index 6f60ad4b8fb..f306ba33b20 100644
index 6f60ad4..f306ba3 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -20,6 +20,7 @@ import warnings
@ -2070,10 +2070,10 @@ index 6f60ad4b8fb..f306ba33b20 100644
class KDFTests(unittest.TestCase):
--
2.26.2
2.31.1
From 5feafbf68d297e3f4fcafe4cbeff97817c592c53 Mon Sep 17 00:00:00 2001
From 7ea94845a8c8f5b2081237e69ff41993da1e5a5e Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:39:48 +0200
Subject: [PATCH 10/13] Don't re-export get_fips_mode from hashlib
@ -2089,7 +2089,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745685
6 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 1fd80c7d4fd..6121d251267 100644
index 1fd80c7..6121d25 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -53,6 +53,8 @@ More condensed:
@ -2169,7 +2169,7 @@ index 1fd80c7d4fd..6121d251267 100644
+if not _hashlib.get_fips_mode():
del __py_new
diff --git a/Lib/hmac.py b/Lib/hmac.py
index 482e443bfe4..ff466322d7b 100644
index 482e443..ff46632 100644
--- a/Lib/hmac.py
+++ b/Lib/hmac.py
@@ -50,7 +50,7 @@ class HMAC:
@ -2200,7 +2200,7 @@ index 482e443bfe4..ff466322d7b 100644
diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py
index fe4ea72296e..6b50f8b45d4 100644
index fe4ea72..6b50f8b 100644
--- a/Lib/test/test_fips.py
+++ b/Lib/test/test_fips.py
@@ -6,7 +6,7 @@ import hashlib, _hashlib
@ -2222,7 +2222,7 @@ index fe4ea72296e..6b50f8b45d4 100644
self.assertEqual(hashlib.blake2b(b'abc').hexdigest(), _hashlib.openssl_blake2b(b'abc').hexdigest())
self.assertEqual(hashlib.blake2s(b'abc').hexdigest(), _hashlib.openssl_blake2s(b'abc').hexdigest())
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index f306ba33b20..03cfb6b2fb4 100644
index f306ba3..03cfb6b 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -46,7 +46,9 @@ else:
@ -2288,7 +2288,7 @@ index f306ba33b20..03cfb6b2fb4 100644
"""Make sure usedforsecurity flag isn't copied to other contexts"""
for i in range(3):
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 544ec7cb411..2d4484911c2 100644
index 544ec7c..2d44849 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -5,6 +5,7 @@ import hashlib
@ -2336,7 +2336,7 @@ index 544ec7cb411..2d4484911c2 100644
def test_properties(self):
# deprecated properties
diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py
index ed426b05a71..faec6844f9a 100644
index ed426b0..faec684 100644
--- a/Lib/test/test_urllib2_localnet.py
+++ b/Lib/test/test_urllib2_localnet.py
@@ -7,6 +7,7 @@ import http.server
@ -2348,10 +2348,10 @@ index ed426b05a71..faec6844f9a 100644
from test import support
from test.support import hashlib_helper
--
2.26.2
2.31.1
From 3e314b647bc316dda3cef1f611fbac9170ed1030 Mon Sep 17 00:00:00 2001
From 62c667aed616986e8b6df9883ccebf9326f041ee Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 20 Nov 2019 10:59:25 +0100
Subject: [PATCH 11/13] Use FIPS compliant CSPRNG
@ -2368,7 +2368,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py
index bf1cb5f5112..d3b1d9c8969 100644
index 35933e9..f67a65d 100644
--- a/Lib/test/test_os.py
+++ b/Lib/test/test_os.py
@@ -29,6 +29,7 @@ import types
@ -2392,7 +2392,7 @@ index bf1cb5f5112..d3b1d9c8969 100644
def test_getrandom_type(self):
data = os.getrandom(16)
diff --git a/Makefile.pre.in b/Makefile.pre.in
index f128444b985..3ea348a5461 100644
index c57fc96..7b94db1 100644
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR
@ -2405,10 +2405,10 @@ index f128444b985..3ea348a5461 100644
CFLAGS_ALIASING=@CFLAGS_ALIASING@
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
index 12f72f525f7..d244d264d8a 100644
index c984e2e..d1b0e39 100644
--- a/Modules/posixmodule.c
+++ b/Modules/posixmodule.c
@@ -495,6 +495,9 @@ extern char *ctermid_r(char *);
@@ -502,6 +502,9 @@ extern char *ctermid_r(char *);
# define MODNAME "posix"
#endif
@ -2418,7 +2418,7 @@ index 12f72f525f7..d244d264d8a 100644
#if defined(__sun)
/* Something to implement in autoconf, not present in autoconf 2.69 */
# define HAVE_STRUCT_STAT_ST_FSTYPE 1
@@ -14171,6 +14174,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags)
@@ -14256,6 +14259,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags)
return posix_error();
}
@ -2431,7 +2431,7 @@ index 12f72f525f7..d244d264d8a 100644
if (bytes == NULL) {
PyErr_NoMemory();
diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c
index a212f69870e..6333cd446dc 100644
index a212f69..6333cd4 100644
--- a/Python/bootstrap_hash.c
+++ b/Python/bootstrap_hash.c
@@ -429,6 +429,50 @@ dev_urandom_close(void)
@ -2497,10 +2497,10 @@ index a212f69870e..6333cd446dc 100644
return win32_urandom((unsigned char *)buffer, size, raise);
#else
--
2.26.2
2.31.1
From 16b9a981697b94c348fdc0d73d2d12e12b1b4227 Mon Sep 17 00:00:00 2001
From 58e51c67ce2afa268e7a44100d4ca9025b54117c Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 7 Apr 2020 15:16:45 +0200
Subject: [PATCH 12/13] Pass kwargs (like usedforsecurity) through __hash_new
@ -2510,7 +2510,7 @@ Subject: [PATCH 12/13] Pass kwargs (like usedforsecurity) through __hash_new
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/hashlib.py b/Lib/hashlib.py
index 6121d251267..00794adffc1 100644
index 6121d25..00794ad 100644
--- a/Lib/hashlib.py
+++ b/Lib/hashlib.py
@@ -171,7 +171,7 @@ def __hash_new(name, data=b'', **kwargs):
@ -2523,10 +2523,10 @@ index 6121d251267..00794adffc1 100644
try:
--
2.26.2
2.31.1
From 48fb6366a0fcb95c8565be35495b25a23dc03896 Mon Sep 17 00:00:00 2001
From ea7b14d45e9a41182ca2411ad6730a9987ec49f1 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 24 Apr 2020 19:57:16 +0200
Subject: [PATCH 13/13] Skip the test_with_digestmod_no_default under FIPS
@ -2538,7 +2538,7 @@ the digestmod parameter misuse under FIPS mode.
1 file changed, 13 insertions(+)
diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
index 2d4484911c2..e0a5b6a053b 100644
index 2d44849..e0a5b6a 100644
--- a/Lib/test/test_hmac.py
+++ b/Lib/test/test_hmac.py
@@ -347,6 +347,7 @@ class TestVectorsTestCase(unittest.TestCase):
@ -2569,5 +2569,5 @@ index 2d4484911c2..e0a5b6a053b 100644
class ConstructorTestCase(unittest.TestCase):
--
2.26.2
2.31.1

View File

@ -1,100 +0,0 @@
From ed753d94856213ae9fc028195f670e66a24e2334 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 29 Mar 2021 06:08:00 -0700
Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
---
Lib/pydoc.py | 18 ------------------
Lib/test/test_pydoc.py | 6 ------
.../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++
3 files changed, 4 insertions(+), 24 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
diff --git a/Lib/pydoc.py b/Lib/pydoc.py
index 35ef3ebdc688e6..ffa4b62c1f17b7 100755
--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
@@ -2457,9 +2457,6 @@ def page(self, title, contents):
%s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
</body></html>''' % (title, css_link, html_navbar(), contents)
- def filelink(self, url, path):
- return '<a href="getfile?key=%s">%s</a>' % (url, path)
-
html = _HTMLDoc()
@@ -2545,19 +2542,6 @@ def bltinlink(name):
'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
return 'Search Results', contents
- def html_getfile(path):
- """Get and display a source file listing safely."""
- path = urllib.parse.unquote(path)
- with tokenize.open(path) as fp:
- lines = html.escape(fp.read())
- body = '<pre>%s</pre>' % lines
- heading = html.heading(
- '<big><big><strong>File Listing</strong></big></big>',
- '#ffffff', '#7799ee')
- contents = heading + html.bigsection(
- 'File: %s' % path, '#ffffff', '#ee77aa', body)
- return 'getfile %s' % path, contents
-
def html_topics():
"""Index of topic texts available."""
@@ -2649,8 +2633,6 @@ def get_html_page(url):
op, _, url = url.partition('=')
if op == "search?key":
title, content = html_search(url)
- elif op == "getfile?key":
- title, content = html_getfile(url)
elif op == "topic?key":
# try topics first, then objects.
try:
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
index ffabb7f1b94072..0bbdc42c635be4 100644
--- a/Lib/test/test_pydoc.py
+++ b/Lib/test/test_pydoc.py
@@ -1374,18 +1374,12 @@ def test_url_requests(self):
("topic?key=def", "Pydoc: KEYWORD def"),
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
("foobar", "Pydoc: Error - foobar"),
- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
]
with self.restrict_walk_packages():
for url, title in requests:
self.call_url_handler(url, title)
- path = string.__file__
- title = "Pydoc: getfile " + path
- url = "getfile?key=" + path
- self.call_url_handler(url, title)
-
class TestHelper(unittest.TestCase):
def test_keywords(self):
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
new file mode 100644
index 00000000000000..4b42dd05305a83
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schwörer.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmAvyCoACgkQsmmV4xAl
BWhP7g//XBDQxNrjEaLSBfGy8tGbNPqlrBAOWsuH02JzvRXnr2gBX2m8TfaUSAnq
8Kzafrpsfw0+7LFoPfrp+YwUO5k2WprovW9Iw+LoUM0d5DABL/gXKwVb0j9i8nRj
uaPLzX9SRnCQQPfYQW/5wRFIm+/aqz4fx93k3Gw0AfeYh9Ka1pUJOCxCvihS47+E
dUeoC6S8SUDrm5lPLj8t1uVVtp8W7GpGMwF5Zn31ThrlUA4V/dTMmqSUXCaAI9Ii
zXditd26EfySKSxps+VQgL7GB778XcIYxlnMYzoqd6SD/pCQgagpFP2nZ1zdZ0/g
qpwgeGE2SK++w8iiOs2Q59tisREU7PHNVtpdILhw9Me892mwxIjl8wDMTZHY8vvU
6OZRI9G8UktpkEcT9FeFgwna2T3T16rEVbrzpteeDLFgqUpt84yXD+pd5W/Oozaj
sfbd7lCFBcdzCQIKa+DGDuJKFPExu8oqGg7Zq25wxLvkNosmHXny9NylE1VIJ5ad
WHadwBeFSFCR7faplO8s+hO/BmT5PcEwIXrz/xVqwf28o/0im63llkE6WUCRW4MU
x/S5uWjB/HSDw2NHLRRc0bLabl30mMCf7J/EkVmm9dsIpmXhn6SLC9YCYjJtIjC7
ChSQs+U8MgEnwk/un/DELIRUtu+rQZ1GkQnJ4tooaYJlYr/m7Ww=
=s/wm
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmDZkQMACgkQsmmV4xAl
BWj09RAAoAJZTivNUSuw9H4UBr5Y7O/y09t2SoSDnyQTv8OWXhFh6uSQQvUah8oh
BtyfIHHJrPK+h6oX5mNmFcuv0GVKpmn5yuIYExeMBvG78mqSybYuQuHqWISEK5Vt
NUt0ZBbOzQyqidO2Q++kRf+zfrc5BK5SZ/iCaT8fTcxISs/GuKmG2R/SoRzjYDNa
XSqJi0/3jH/hSS/XIhKzDRzlkSemOCBuGeBi8rLCEtLE1faeeMYBB/StLzs8lkpb
VIZ26jMN5BDtT2Srm2tJk3Yze3I4jSvhkDLVS3gWd5IKH0jrFFoGwswXuc8V6aLP
tt87artPasOhLvEBy7y/1c3MZw+WOsZS5ogKrfI2QSMbuXT4HMOyFnrb7zz3nsKy
wtwRP0I03P1KbI0RrM4LQj1r05RSvMSSJsbslIThL274Fh44/xanNgIM1xyf1Ios
GiKkfo9xkkwB2/et2WJd9M4MfWcLiGvkRoFGxyon5uoNDrIaZaQF8JWZeXctIyDP
MbdoLQod7PevKnr+XNxZNN1JVQ1uatghuTtXQcZ34WWkSGxb1zf+uh2ghayEKSeC
nOhk2/j3CDHh5j+9oYqmDi1yvQGLucVIhu7cc2mFk6nljROzOu5Ga7M1+XSv7RNe
cB0N1XRmpD075HEPHDmV7HSQc9A3B6fdDa5bHgyDBML7flIj5Vs=
=j4X2
-----END PGP SIGNATURE-----

View File

@ -13,11 +13,11 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
%global general_version %{pybasever}.2
%global general_version %{pybasever}.6
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 2%{?dist}
Release: 1%{?dist}
License: Python
# Exclude i686 arch. Due to a modularity issue it's being added to the
@ -164,6 +164,13 @@ ExcludeArch: i686
# foo/__pycache__/bar.cpython-%%{pyshortver}.opt-2.pyc
%global bytecode_suffixes .cpython-%{pyshortver}*.pyc
# libmpdec (mpdecimal package in Fedora) is tightly coupled with the
# decimal module. We keep it bundled as to avoid incompatibilities
# with the packaged version.
# The version information can be found at Modules/_decimal/libmpdec/mpdecimal.h
# defined as MPD_VERSION.
%global libmpdec_version 2.5.0
# Python's configure script defines SOVERSION, and this is used in the Makefile
# to determine INSTSONAME, the name of the libpython DSO:
# LDLIBRARY='libpython$(VERSION).so'
@ -300,7 +307,7 @@ Patch1: 00001-rpath.patch
# See https://bugzilla.redhat.com/show_bug.cgi?id=556092
Patch111: 00111-no-static-lib.patch
# 00189 # 7c07eec60735bd65bda7d8e821d34718497cba27
# 00189 # 4242864a6a12f1f4cf9fd63a6699a73f35261aa3
# Instead of bundled wheels, use our RPM packaged wheels
#
# We keep them in /usr/share/python-wheels
@ -312,8 +319,8 @@ Patch189: 00189-use-rpm-wheels.patch
# The versions are written in Lib/ensurepip/__init__.py, this patch removes them.
# When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
# In such cases, the patch needs to be amended and the versions updated here:
%global pip_version 20.2.3
%global setuptools_version 49.2.1
%global pip_version 21.1.3
%global setuptools_version 56.0.0
# 00251 # 2eabd04356402d488060bc8fe316ad13fc8a3356
# Change user install location
@ -383,12 +390,6 @@ Patch329: 00329-fips.patch
# a nightmare because it's basically a binary file.
Patch353: 00353-architecture-names-upstream-downstream.patch
# 00360 #
# CVE-2021-3426: information disclosure via pydoc
# Upstream: https://bugs.python.org/issue42988
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
Patch360: 00360-CVE-2021-3426.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -526,6 +527,11 @@ Requires: python3 == %{version}-%{release}
Provides: python = %{version}-%{release}
# This also save us an explicit conflict for older python3 builds
# Also provide the name of the Ubuntu package with the same function,
# to be nice to people who temporarily forgot which distro they're on.
# C.f. https://packages.ubuntu.com/hirsute/all/python-is-python3/filelist
Provides: python-is-python3 = %{version}-%{release}
%description -n python-unversioned-command
This package contains /usr/bin/python - the "python" command that runs Python 3.
@ -543,6 +549,10 @@ Provides: bundled(python3dist(pip)) = %{pip_version}
Provides: bundled(python3dist(setuptools)) = %{setuptools_version}
%endif
# Provides for the bundled libmpdec
Provides: bundled(mpdecimal) = %{libmpdec_version}
Provides: bundled(libmpdec) = %{libmpdec_version}
# There are files in the standard library that have python shebang.
# We've filtered the automatic requirement out so libs are installable without
# the main package. This however makes it pulled in by default.
@ -726,6 +736,10 @@ Provides: bundled(python3dist(pip)) = %{pip_version}
Provides: bundled(python3dist(setuptools)) = %{setuptools_version}
%endif
# Provides for the bundled libmpdec
Provides: bundled(mpdecimal) = %{libmpdec_version}
Provides: bundled(libmpdec) = %{libmpdec_version}
# The zoneinfo module needs tzdata
Requires: tzdata
@ -777,7 +791,6 @@ rm Lib/ensurepip/_bundled/*.whl
%apply_patch -q %{PATCH328}
%apply_patch -q %{PATCH329}
%apply_patch -q %{PATCH353}
%apply_patch -q %{PATCH360}
# Remove all exe files to ensure we are not shipping prebuilt binaries
# note that those are only used to create Microsoft Windows installers
@ -1251,6 +1264,11 @@ for Module in %{buildroot}/%{dynload_dir}/*.so ; do
esac
done
# Verify that the bundled libmpdec version python was compiled with, is the same version we have virtual
# provides for in the SPEC.
test "$(LD_LIBRARY_PATH=$(pwd)/build/optimized $(pwd)/build/optimized/python -c 'import decimal; print(decimal.__libmpdec_version__)')" = \
"%{libmpdec_version}"
# ======================================================
# Running the upstream test suite
@ -1941,6 +1959,11 @@ fi
# ======================================================
%changelog
* Tue Jul 27 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.9.6-1
- Update to 3.9.6
- Fix CVE-2021-29921: Improper input validation of octal strings in the ipaddress module
Resolves: rhbz#1957458
* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.9.2-2
- Security fix for CVE-2021-3426: information disclosure via pydoc
Resolves: rhbz#1935913