From 3f202242a68342a16df7f6063351403a6d9d22bf Mon Sep 17 00:00:00 2001 
From: mcepl <> Date: Tue, 26 Mar 2024 18:24:42 +0000 Subject: [PATCH] Update python39 to version 3.9.19 / rev 56 via SR 1161042 https://build.opensuse.org/request/show/1161042 by user mcepl + anag+factory - Add old-libexpat.patch making the test suite work with libexpat < 2.6.0 (gh#python/cpython#117187). - Update to 3.9.19: - Security - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425, bsc#1219559) by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() - gh-115399: Update bundled libexpat to 2.6.0 - gh-113659: Skip .pth files with names starting with a dot or hidden file attribute. - Core and Builtins - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of --- packages/p/python39/.files | Bin 2467 -> 2386 bytes packages/p/python39/.rev | 60 ++++++ ...E-2023-6597-TempDir-cleaning-symlink.patch | 191 ------------------ .../F00251-change-user-install-location.patch | 6 +- packages/p/python39/Python-3.9.18.tar.xz | 1 - packages/p/python39/Python-3.9.18.tar.xz.asc | 16 -- packages/p/python39/Python-3.9.19.tar.xz | 1 + packages/p/python39/Python-3.9.19.tar.xz.asc | 16 ++ packages/p/python39/libexpat260.patch | 107 ---------- packages/p/python39/old-libexpat.patch | 79 ++++++++ .../p/python39/python-3.3.0b1-localpath.patch | 8 +- packages/p/python39/python39.changes | 60 ++++++ packages/p/python39/python39.spec | 12 +- 13 files changed, 229 insertions(+), 328 deletions(-) delete mode 100644 packages/p/python39/CVE-2023-6597-TempDir-cleaning-symlink.patch delete mode 120000 packages/p/python39/Python-3.9.18.tar.xz delete mode 100644 packages/p/python39/Python-3.9.18.tar.xz.asc create mode 120000 packages/p/python39/Python-3.9.19.tar.xz create mode 100644 packages/p/python39/Python-3.9.19.tar.xz.asc delete mode 
100644 packages/p/python39/libexpat260.patch create mode 100644 packages/p/python39/old-libexpat.patch diff --git a/packages/p/python39/.files b/packages/p/python39/.files index 83fe2c4b404abdd562a4e953c936b32b0c7d80d3..ce16a8c8b3d987a1bb76ca9e773cc289e2f5dadb 100644 GIT binary patch delta 469 zcmZvYy;4*`5QTU5a(7{^t+If?q6jw7kjqTZPtQaW7?FUInOO7F<62U%<=y~Dh)hk| z+_LrwOnd>~zz80|_h2wEGB`m8U!Cvtdgu4{ljW)x?X(#T1~2&AhUJen`x_@`MQVit zHG!pq6iG*0T$F{-6sL0qX3Oh-ae1M9w^~w~&Iy!Jpt8UM#bpq>ptd5XoTE#S`CWU+ zn=SH}_L$Gcr@S>j=DSw%Z1Rfl$C_VHG_S{Y{dqFvUz@1WOQ%uiXjHU8OES5bLP~=n zLY=C^(|-9%?ul#0oG7mn+oS;6> zI7AbO>J3IqnVlu{+>M^|_t8t820iOe4-dj0xv{m`tp6xZ5$?pzQ~C_tM4m5WH02lCN! zRZv^)ACz=W*G9@uDz_I6I*Ts(7!jl_r@;zuB1JGf`jmI8d--j3kZH*C?(iUgsb+aP zGWpw3<#)sVd}XB0UyZ8!Nl7J{C1y|tQ4j_IL*zvG7mFebZn^x!-U) zDDc9A3(1&7A{E~Z(EurJJy}}-+slQIr$x0e?62{k8&f538+jf6r--tE1Tc0tzaZKL7v# diff --git a/packages/p/python39/.rev b/packages/p/python39/.rev index 9f6982457c8..0c463929e17 100644 --- a/packages/p/python39/.rev +++ b/packages/p/python39/.rev 
@@ -1024,4 +1024,64 @@ Automatic submission by obs-autosubmit 1157648 + + 8819880258c03e8766833c037179190a + 3.9.19 + + anag+factory + - Add old-libexpat.patch making the test suite work with + libexpat < 2.6.0 (gh#python/cpython#117187). +- Update to 3.9.19: + - Security + - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral + (CVE-2023-52425, bsc#1219559) by adding five new methods: + xml.etree.ElementTree.XMLParser.flush() + xml.etree.ElementTree.XMLPullParser.flush() + xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() + xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() + xml.sax.expatreader.ExpatParser.flush() + - gh-115399: Update bundled libexpat to 2.6.0 + - gh-113659: Skip .pth files with names starting with a dot + or hidden file attribute. + - Core and Builtins + - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 + codecs read out of bounds + - Library + - gh-115197: urllib.request no longer resolves the hostname + before checking it against the system’s proxy bypass list + on macOS and Windows. + - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. + - gh-81194: Fix a crash in socket.if_indextoname() with + specific value (UINT_MAX). Fix an integer overflow in + socket.if_indextoname() on 64-bit non-Windows platforms. + - gh-109858: Protect zipfile from “quoted-overlap” + zipbomb. It now raises BadZipFile when try to read an + entry that overlaps with other entry or central directory + (CVE-2024-0450, bsc#1221854). + - gh-107077: Seems that in some conditions, OpenSSL will + return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL + when a certification verification has failed, but + the error parameters will still contain ERR_LIB_SSL + and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now + detecting this situation and raising the appropiate + ssl.SSLCertVerificationError. 
Patch by Pablo Galindo + - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, + which now no longer dereferences symlinks when working + around file system permission errors (CVE-2023-6597, + bsc#1219666). + - Documentation + - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under + “XML vulnerabilities”. + - Tools/Demos + - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 + and multissltests to use 1.1.1w and 3.0.11. +- Remove upstreamed patches: + - CVE-2023-6597-TempDir-cleaning-symlink.patch + - libexpat260.patch +- Refreshed patches: + - F00251-change-user-install-location.patch + - python-3.3.0b1-localpath.patch + + 1161042 + diff --git a/packages/p/python39/CVE-2023-6597-TempDir-cleaning-symlink.patch b/packages/p/python39/CVE-2023-6597-TempDir-cleaning-symlink.patch deleted file mode 100644 index d886f202c87..00000000000 --- a/packages/p/python39/CVE-2023-6597-TempDir-cleaning-symlink.patch +++ /dev/null 
@@ -1,191 +0,0 @@ ---- - Lib/tempfile.py | 26 +- - Lib/test/test_tempfile.py | 117 +++++++++- - Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst | 2 - 3 files changed, 136 insertions(+), 9 deletions(-) - ---- a/Lib/tempfile.py -+++ b/Lib/tempfile.py -@@ -268,6 +268,22 @@ def _mkstemp_inner(dir, pre, suf, flags, - raise FileExistsError(_errno.EEXIST, - "No usable temporary file name found") - -+def _dont_follow_symlinks(func, path, *args): -+ # Pass follow_symlinks=False, unless not supported on this platform. -+ if func in _os.supports_follow_symlinks: -+ func(path, *args, follow_symlinks=False) -+ elif _os.name == 'nt' or not _os.path.islink(path): -+ func(path, *args) -+ -+def _resetperms(path): -+ try: -+ chflags = _os.chflags -+ except AttributeError: -+ pass -+ else: -+ _dont_follow_symlinks(chflags, path, 0) -+ _dont_follow_symlinks(_os.chmod, path, 0o700) -+ - - # User visible interfaces. - -@@ -789,17 +805,11 @@ class TemporaryDirectory(object): - def _rmtree(cls, name): - def onerror(func, path, exc_info): - if issubclass(exc_info[0], PermissionError): -- def resetperms(path): -- try: -- _os.chflags(path, 0) -- except AttributeError: -- pass -- _os.chmod(path, 0o700) - - try: - if path != name: -- resetperms(_os.path.dirname(path)) -- resetperms(path) -+ _resetperms(_os.path.dirname(path)) -+ _resetperms(path) - - try: - _os.unlink(path) ---- a/Lib/test/test_tempfile.py -+++ b/Lib/test/test_tempfile.py -@@ -1394,6 +1394,103 @@ class TestTemporaryDirectory(BaseTestCas - "were deleted") - d2.cleanup() - -+ @support.skip_unless_symlink -+ def test_cleanup_with_symlink_modes(self): -+ # cleanup() should not follow symlinks when fixing mode bits (#91133) -+ with self.do_create(recurse=0) as d2: -+ file1 = os.path.join(d2, 'file1') -+ open(file1, 'wb').close() -+ dir1 = os.path.join(d2, 'dir1') -+ os.mkdir(dir1) -+ for mode in range(8): -+ mode <<= 6 -+ with self.subTest(mode=format(mode, '03o')): -+ def test(target, target_is_directory): 
-+ d1 = self.do_create(recurse=0) -+ symlink = os.path.join(d1.name, 'symlink') -+ os.symlink(target, symlink, -+ target_is_directory=target_is_directory) -+ try: -+ os.chmod(symlink, mode, follow_symlinks=False) -+ except NotImplementedError: -+ pass -+ try: -+ os.chmod(symlink, mode) -+ except FileNotFoundError: -+ pass -+ os.chmod(d1.name, mode) -+ d1.cleanup() -+ self.assertFalse(os.path.exists(d1.name)) -+ -+ with self.subTest('nonexisting file'): -+ test('nonexisting', target_is_directory=False) -+ with self.subTest('nonexisting dir'): -+ test('nonexisting', target_is_directory=True) -+ -+ with self.subTest('existing file'): -+ os.chmod(file1, mode) -+ old_mode = os.stat(file1).st_mode -+ test(file1, target_is_directory=False) -+ new_mode = os.stat(file1).st_mode -+ self.assertEqual(new_mode, old_mode, -+ '%03o != %03o' % (new_mode, old_mode)) -+ -+ with self.subTest('existing dir'): -+ os.chmod(dir1, mode) -+ old_mode = os.stat(dir1).st_mode -+ test(dir1, target_is_directory=True) -+ new_mode = os.stat(dir1).st_mode -+ self.assertEqual(new_mode, old_mode, -+ '%03o != %03o' % (new_mode, old_mode)) -+ -+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags') -+ @support.skip_unless_symlink -+ def test_cleanup_with_symlink_flags(self): -+ # cleanup() should not follow symlinks when fixing flags (#91133) -+ flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK -+ self.check_flags(flags) -+ -+ with self.do_create(recurse=0) as d2: -+ file1 = os.path.join(d2, 'file1') -+ open(file1, 'wb').close() -+ dir1 = os.path.join(d2, 'dir1') -+ os.mkdir(dir1) -+ def test(target, target_is_directory): -+ d1 = self.do_create(recurse=0) -+ symlink = os.path.join(d1.name, 'symlink') -+ os.symlink(target, symlink, -+ target_is_directory=target_is_directory) -+ try: -+ os.chflags(symlink, flags, follow_symlinks=False) -+ except NotImplementedError: -+ pass -+ try: -+ os.chflags(symlink, flags) -+ except FileNotFoundError: -+ pass -+ os.chflags(d1.name, flags) -+ d1.cleanup() 
-+ self.assertFalse(os.path.exists(d1.name)) -+ -+ with self.subTest('nonexisting file'): -+ test('nonexisting', target_is_directory=False) -+ with self.subTest('nonexisting dir'): -+ test('nonexisting', target_is_directory=True) -+ -+ with self.subTest('existing file'): -+ os.chflags(file1, flags) -+ old_flags = os.stat(file1).st_flags -+ test(file1, target_is_directory=False) -+ new_flags = os.stat(file1).st_flags -+ self.assertEqual(new_flags, old_flags) -+ -+ with self.subTest('existing dir'): -+ os.chflags(dir1, flags) -+ old_flags = os.stat(dir1).st_flags -+ test(dir1, target_is_directory=True) -+ new_flags = os.stat(dir1).st_flags -+ self.assertEqual(new_flags, old_flags) -+ - @support.cpython_only - def test_del_on_collection(self): - # A TemporaryDirectory is deleted when garbage collected -@@ -1506,9 +1603,27 @@ class TestTemporaryDirectory(BaseTestCas - d.cleanup() - self.assertFalse(os.path.exists(d.name)) - -- @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.lchflags') -+ def check_flags(self, flags): -+ # skip the test if these flags are not supported (ex: FreeBSD 13) -+ filename = support.TESTFN -+ try: -+ open(filename, "w").close() -+ try: -+ os.chflags(filename, flags) -+ except OSError as exc: -+ # "OSError: [Errno 45] Operation not supported" -+ self.skipTest(f"chflags() doesn't support flags " -+ f"{flags:#b}: {exc}") -+ else: -+ os.chflags(filename, 0) -+ finally: -+ support.unlink(filename) -+ -+ @unittest.skipUnless(hasattr(os, 'chflags'), 'requires os.chflags') - def test_flags(self): - flags = stat.UF_IMMUTABLE | stat.UF_NOUNLINK -+ self.check_flags(flags) -+ - d = self.do_create(recurse=3, dirs=2, files=2) - with d: - # Change files and directories flags recursively. ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-12-01-16-57-44.gh-issue-91133.LKMVCV.rst -@@ -0,0 +1,2 @@ -+Fix a bug in :class:`tempfile.TemporaryDirectory` cleanup, which now no longer -+dereferences symlinks when working around file system permission errors. 
diff --git a/packages/p/python39/F00251-change-user-install-location.patch b/packages/p/python39/F00251-change-user-install-location.patch index 3f2f2d06994..b4ed2af433a 100644 --- a/packages/p/python39/F00251-change-user-install-location.patch +++ b/packages/p/python39/F00251-change-user-install-location.patch @@ -9,8 +9,8 @@ is not detected to make pip and distutils install into separate location. Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe --- - Lib/distutils/command/install.py | 15 +++++++++++++-- - Lib/site.py | 9 ++++++++- + Lib/distutils/command/install.py | 15 +++++++++++++-- + Lib/site.py | 9 ++++++++- 2 files changed, 21 insertions(+), 3 deletions(-) --- a/Lib/distutils/command/install.py @@ -39,7 +39,7 @@ Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe if self.exec_prefix is None: --- a/Lib/site.py +++ b/Lib/site.py -@@ -353,7 +353,14 @@ def getsitepackages(prefixes=None): +@@ -362,7 +362,14 @@ def getsitepackages(prefixes=None): return sitepackages def addsitepackages(known_paths, prefixes=None): diff --git a/packages/p/python39/Python-3.9.18.tar.xz b/packages/p/python39/Python-3.9.18.tar.xz deleted file mode 120000 index e74226e454c..00000000000 --- a/packages/p/python39/Python-3.9.18.tar.xz +++ /dev/null @@ -1 +0,0 @@ -/ipfs/bafybeigiq4wly67om7tim7juyb2zpyo46zpolrkftww5wfbhglacvmfjbq \ No newline at end of file diff --git a/packages/p/python39/Python-3.9.18.tar.xz.asc b/packages/p/python39/Python-3.9.18.tar.xz.asc deleted file mode 100644 index ea445852436..00000000000 --- a/packages/p/python39/Python-3.9.18.tar.xz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmTnntEACgkQsmmV4xAl -BWgmQw/9EFWMXtSfWBV93AQF37r0nbUnOBvrOcubkO7ygt+GfHKzN8EPuNeO2It7 -yNZDuCmwepnNGaIkO7UkgbwYyNw3YaoHQqxG8izAfJAVqK6BSk8UAET/YKWFXbLv -cZBfgxSa0tTEkwq3BAY4vDewRXnLkUq7k6JRRCKFGLNSi/ygC56SijxyAV2g4Vio -Qcwr9VhsTvz6ujoWuPrfVpUY4I81LBJxKK7n9zBreYzh5uUXRu5k4lN2W8HrE4q0 -7tTdsccB9j1CJAiUacYLxTFsvwd/hBs9+g9Eu5kqGeChqEU56Gd8wR96TEu8cVIZ -Bv5UEo9MgT1KsJwk0FMfV8qVScqZrGG3QaoMtNAeAm/tUrhhZO9ANYsC9dey03ut -tU6s5GAeh6i17bqW5WfvzCdhY9ayCInndzkq7SPi9F7fYx79PgdsofqPdyCSBXUo -Ozfn1VQkYQJTmYtrwqLfdAivubaEPIf1+fLqMOXbrI85Ujuy5xzlgVrrqO2K9rbE -DYyPgGZjPtss/yZGRCUdJX6rbW8Tq0HKt/8HpbW5fCt9o0wCSawR71GhzPA1fpNs -0mkAGvvoNGdiSizTLLPvNCaecw4kSzeBNViyP6oRCv69ifNqHPErItsMZ0YIMU14 -w4/d9yI9kUa2bvE3cmx6G+9OS8PYip9MsJbQgP7kJsZ8wgt9rQU= -=aw+P ------END PGP SIGNATURE----- diff --git a/packages/p/python39/Python-3.9.19.tar.xz b/packages/p/python39/Python-3.9.19.tar.xz new file mode 120000 index 00000000000..dff164dc27f --- /dev/null +++ b/packages/p/python39/Python-3.9.19.tar.xz @@ -0,0 +1 @@ +/ipfs/bafybeib5zdhewyy2jyrskifhq45pbv5zldajmwppbc2izqt6zjw4ewl5nm \ No newline at end of file diff --git a/packages/p/python39/Python-3.9.19.tar.xz.asc b/packages/p/python39/Python-3.9.19.tar.xz.asc new file mode 100644 index 00000000000..0dbbb2252e1 --- /dev/null +++ b/packages/p/python39/Python-3.9.19.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmX5uMIACgkQsmmV4xAl +BWj1tQ//T2qX0m08xWGV7az0D1sH3qjoY+4fEYrknw5uAHqZFiQecRsF27jxv6iH +gP/6GAUw+lbH+9UofhCc0NbPOklliS7gFLNqJdKYFB6JXRNxiRYKh3uVx5o2n0ES +kR3kRl77S47rtCbSMrKTh6ZoWowyIUZGFsIonk5KsLv+oELXY1AK/Im9i3/iTJ1Z +jd/e2oHWuseIxbGZAO8AEP8zOsMMIHfsL3ry8H9xhhPyQM6t5DldqLH3UVE6kq95 +fs+olGO4FEKif3VDuLaHVlgtGZOUr6aDIYUmWxctPicboSb6RJAq37CCYgWykOyB +WQec0ONbU7lxt5jhemLSDRy0mEio7+nXIKsO9rDN0Wk1QMpHUl77/C5qVlzfHal7 +NhPt8Yl0hBnOjzTq+di+xhAKJcdKp+zZH7/ugAbthuqhNfnkqiF68PANHrCm3gbY +myN0eSaQ9yIa/MbHW8Am9NL/nuFbxdJUL/OIKQ9kFHgD7Qid86TZF0G2vbiBH/eF +IVYoMxRZLd7eu5dIcwXSef+Ai97pODbx9y7bOCFyBO9FuFrlhPObgc7KXCeAzP+y +k5eWvZtWTvvQ+2si2iT22EPBO0D0pnhYWZKpGK5EuKuw8nasNS1yLbhDTVpARynd +8buQh3t2wPfILlQr0+JzDY8GSdQ/nIHGgx2IERdSX/v+9Yo2AvU= +=gYAl +-----END PGP SIGNATURE----- diff --git a/packages/p/python39/libexpat260.patch b/packages/p/python39/libexpat260.patch deleted file mode 100644 index f0225ca6679..00000000000 --- a/packages/p/python39/libexpat260.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From f2eebf3c38eae77765247791576b437ec25ccfe2 Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Sun, 11 Feb 2024 12:08:39 +0200 -Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 - (GH-115164) - -Feeding the parser by too small chunks defers parsing to prevent -CVE-2023-52425. Future versions of Expat may be more reactive. -(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) - -Co-authored-by: Serhiy Storchaka ---- - Lib/test/test_xml_etree.py | 58 ++++++++++++------- - ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 + - 2 files changed, 38 insertions(+), 22 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst - -Index: Python-3.9.18/Lib/test/test_xml_etree.py -=================================================================== ---- Python-3.9.18.orig/Lib/test/test_xml_etree.py -+++ Python-3.9.18/Lib/test/test_xml_etree.py -@@ -13,6 +13,7 @@ import itertools - import operator - import os - import pickle -+import pyexpat - import sys - import textwrap - import types -@@ -102,6 +103,10 @@ EXTERNAL_ENTITY_XML = """\ - &entity; - """ - -+fails_with_expat_2_6_0 = (unittest.expectedFailure -+ if pyexpat.version_info >= (2, 6, 0) else -+ lambda test: test) -+ - def checkwarnings(*filters, quiet=False): - def decorator(test): - def newtest(*args, **kwargs): -@@ -1391,28 +1396,37 @@ class XMLPullParserTest(unittest.TestCas - self.assertEqual([(action, elem.tag) for action, elem in events], - expected) - -- def test_simple_xml(self): -- for chunk_size in (None, 1, 5): -- with self.subTest(chunk_size=chunk_size): -- parser = ET.XMLPullParser() -- self.assert_event_tags(parser, []) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, []) -- self._feed(parser, -- "\n text\n", chunk_size) -- self.assert_event_tags(parser, [('end', 'element')]) -- self._feed(parser, "texttail\n", chunk_size) -- self._feed(parser, "\n", chunk_size) -- 
self.assert_event_tags(parser, [ -- ('end', 'element'), -- ('end', 'empty-element'), -- ]) -- self._feed(parser, "\n", chunk_size) -- self.assert_event_tags(parser, [('end', 'root')]) -- self.assertIsNone(parser.close()) -+ def test_simple_xml(self, chunk_size=None): -+ parser = ET.XMLPullParser() -+ self.assert_event_tags(parser, []) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, []) -+ self._feed(parser, -+ "\n text\n", chunk_size) -+ self.assert_event_tags(parser, [('end', 'element')]) -+ self._feed(parser, "texttail\n", chunk_size) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, [ -+ ('end', 'element'), -+ ('end', 'empty-element'), -+ ]) -+ self._feed(parser, "\n", chunk_size) -+ self.assert_event_tags(parser, [('end', 'root')]) -+ self.assertIsNone(parser.close()) -+ -+ @fails_with_expat_2_6_0 -+ def test_simple_xml_chunk_1(self): -+ self.test_simple_xml(chunk_size=1) -+ -+ @fails_with_expat_2_6_0 -+ def test_simple_xml_chunk_5(self): -+ self.test_simple_xml(chunk_size=5) -+ -+ def test_simple_xml_chunk_22(self): -+ self.test_simple_xml(chunk_size=22) - - def test_feed_while_iterating(self): - parser = ET.XMLPullParser() -Index: Python-3.9.18/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst -=================================================================== ---- /dev/null -+++ Python-3.9.18/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst -@@ -0,0 +1,2 @@ -+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat -+2.6.0. diff --git a/packages/p/python39/old-libexpat.patch b/packages/p/python39/old-libexpat.patch new file mode 100644 index 00000000000..b443628f3a9 --- /dev/null +++ b/packages/p/python39/old-libexpat.patch 
@@ -0,0 +1,79 @@ +--- + Lib/test/test_sax.py | 10 +++++----- + Lib/test/test_xml_etree.py | 17 ++++++++--------- + 2 files changed, 13 insertions(+), 14 deletions(-) + +--- a/Lib/test/test_sax.py ++++ b/Lib/test/test_sax.py +@@ -1211,10 +1211,9 @@ class ExpatReaderTest(XmlTestBase): + + self.assertEqual(result.getvalue(), start + b"text") + ++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0), ++ "Reparse deferral not defined for libexpat < 2.6.0") + def test_flush_reparse_deferral_enabled(self): +- if pyexpat.version_info < (2, 6, 0): +- self.skipTest(f'Expat {pyexpat.version_info} does not support reparse deferral') +- + result = BytesIO() + xmlgen = XMLGenerator(result) + parser = create_parser() +@@ -1236,6 +1235,8 @@ class ExpatReaderTest(XmlTestBase): + + self.assertEqual(result.getvalue(), start + b"") + ++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0), ++ "Reparse deferral not defined for libexpat < 2.6.0") + def test_flush_reparse_deferral_disabled(self): + result = BytesIO() + xmlgen = XMLGenerator(result) +@@ -1245,8 +1246,7 @@ class ExpatReaderTest(XmlTestBase): + for chunk in (""): + parser.feed(chunk) + +- if pyexpat.version_info >= (2, 6, 0): +- parser._parser.SetReparseDeferralEnabled(False) ++ parser._parser.SetReparseDeferralEnabled(False) + + self.assertEqual(result.getvalue(), start) # i.e. 
no elements started + self.assertFalse(parser._parser.GetReparseDeferralEnabled()) +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1619,11 +1619,9 @@ class XMLPullParserTest(unittest.TestCas + with self.assertRaises(ValueError): + ET.XMLPullParser(events=('start', 'end', 'bogus')) + ++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0), ++ "Reparse deferral not defined for libexpat < 2.6.0") + def test_flush_reparse_deferral_enabled(self): +- if pyexpat.version_info < (2, 6, 0): +- self.skipTest(f'Expat {pyexpat.version_info} does not ' +- 'support reparse deferral') +- + parser = ET.XMLPullParser(events=('start', 'end')) + + for chunk in (""): +@@ -1644,17 +1642,18 @@ class XMLPullParserTest(unittest.TestCas + + self.assert_event_tags(parser, [('end', 'doc')]) + ++ @unittest.skipIf(pyexpat.version_info < (2, 6, 0), ++ "Reparse deferral not defined for libexpat < 2.6.0") + def test_flush_reparse_deferral_disabled(self): + parser = ET.XMLPullParser(events=('start', 'end')) + + for chunk in (""): + parser.feed(chunk) + +- if pyexpat.version_info >= (2, 6, 0): +- if not ET is pyET: +- self.skipTest(f'XMLParser.(Get|Set)ReparseDeferralEnabled ' +- 'methods not available in C') +- parser._parser._parser.SetReparseDeferralEnabled(False) ++ if not ET is pyET: ++ self.skipTest(f'XMLParser.(Get|Set)ReparseDeferralEnabled ' ++ 'methods not available in C') ++ parser._parser._parser.SetReparseDeferralEnabled(False) + + self.assert_event_tags(parser, []) # i.e. no elements started + if ET is pyET: diff --git a/packages/p/python39/python-3.3.0b1-localpath.patch b/packages/p/python39/python-3.3.0b1-localpath.patch index f6cac491334..8d2f8a5134c 100644 --- a/packages/p/python39/python-3.3.0b1-localpath.patch +++ b/packages/p/python39/python-3.3.0b1-localpath.patch @@ -1,7 +1,11 @@ +--- + Lib/site.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + --- a/Lib/site.py 
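Review bot: The `skipIf` decorators added to `test_flush_reparse_deferral_disabled` in both `Lib/test/test_sax.py` and `Lib/test/test_xml_etree.py` skip the whole test on libexpat < 2.6.0, where the removed code gated only the `SetReparseDeferralEnabled(False)` call, so `flush()` is no longer exercised at all on builds linked against an older libexpat. A narrower change would keep the test running and put only the deferral-dependent lines under the guard that was removed, i.e. `if pyexpat.version_info >= (2, 6, 0):` around the `SetReparseDeferralEnabled(False)` call and the "no elements started" assertion that follows it. The gate also keys on the reported version rather than on behaviour, so a libexpat that carries a backport of the CVE-2023-52425 fix under a pre-2.6.0 version number would presumably be skipped even though deferral is active there; a comment in the patch header saying which case the package targets would help. The test bodies continue beyond the lines shown in these inner hunks, so later assertions may need the same treatment.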
+++ b/Lib/site.py -@@ -76,7 +76,7 @@ import _sitebuiltins - import io +@@ -77,7 +77,7 @@ import io + import stat # Prefixes for site-packages; add additional prefixes like /usr/local here -PREFIXES = [sys.prefix, sys.exec_prefix] diff --git a/packages/p/python39/python39.changes b/packages/p/python39/python39.changes index f6950c0d1a5..412c78b218c 100644 --- a/packages/p/python39/python39.changes +++ b/packages/p/python39/python39.changes 
@@ -1,3 +1,63 @@ +------------------------------------------------------------------- +Sun Mar 24 00:43:14 UTC 2024 - Matej Cepl + +- Add old-libexpat.patch making the test suite work with + libexpat < 2.6.0 (gh#python/cpython#117187). + +------------------------------------------------------------------- +Thu Mar 21 20:24:05 UTC 2024 - Matej Cepl + +- Update to 3.9.19: + - Security + - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral + (CVE-2023-52425, bsc#1219559) by adding five new methods: + xml.etree.ElementTree.XMLParser.flush() + xml.etree.ElementTree.XMLPullParser.flush() + xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() + xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() + xml.sax.expatreader.ExpatParser.flush() + - gh-115399: Update bundled libexpat to 2.6.0 + - gh-113659: Skip .pth files with names starting with a dot + or hidden file attribute. + - Core and Builtins + - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 + codecs read out of bounds + - Library + - gh-115197: urllib.request no longer resolves the hostname + before checking it against the system’s proxy bypass list + on macOS and Windows. + - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. + - gh-81194: Fix a crash in socket.if_indextoname() with + specific value (UINT_MAX). Fix an integer overflow in + socket.if_indextoname() on 64-bit non-Windows platforms. + - gh-109858: Protect zipfile from “quoted-overlap” + zipbomb. It now raises BadZipFile when try to read an + entry that overlaps with other entry or central directory + (CVE-2024-0450, bsc#1221854). + - gh-107077: Seems that in some conditions, OpenSSL will + return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL + when a certification verification has failed, but + the error parameters will still contain ERR_LIB_SSL + and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now + detecting this situation and raising the appropiate + ssl.SSLCertVerificationError. 
Patch by Pablo Galindo + - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, + which now no longer dereferences symlinks when working + around file system permission errors (CVE-2023-6597, + bsc#1219666). + - Documentation + - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under + “XML vulnerabilities”. + - Tools/Demos + - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 + and multissltests to use 1.1.1w and 3.0.11. +- Remove upstreamed patches: + - CVE-2023-6597-TempDir-cleaning-symlink.patch + - libexpat260.patch +- Refreshed patches: + - F00251-change-user-install-location.patch + - python-3.3.0b1-localpath.patch + ------------------------------------------------------------------- Wed Mar 6 14:13:58 UTC 2024 - Pedro Monreal diff --git a/packages/p/python39/python39.spec b/packages/p/python39/python39.spec index 30f5625c809..1be138c2165 100644 --- a/packages/p/python39/python39.spec +++ b/packages/p/python39/python39.spec @@ -93,7 +93,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.9.18 +Version: 3.9.19 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 
@@ -178,12 +178,9 @@ Patch41: downport-Sphinx-features.patch # indicate the parsing error (old API), from gh#python/cpython!105127 # Patch carries a REGRESSION (gh#python/cpython#106669), so it has been also partially REVERTED Patch42: CVE-2023-27043-email-parsing-errors.patch -# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289 -# Fix tests for XMLPullParser with Expat 2.6.0 -Patch43: libexpat260.patch -# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com -# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930) -Patch44: CVE-2023-6597-TempDir-cleaning-symlink.patch +# PATCH-FIX-UPSTREAM old-libexpat.patch gh#python/cpython#117187 mcepl@suse.com +# Make the test suite work with libexpat < 2.6.0 +Patch43: old-libexpat.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -449,7 +446,6 @@ other applications. %endif %patch -P 42 -p1 %patch -P 43 -p1 -%patch -P 44 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac