From 6fc14563e2b806f65ee7da3a19716f1a56b401be Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Oct 03 2022 15:01:38 +0000
Subject: import rh-python38-python-3.8.14-1.el7


---

diff --git a/.gitignore b/.gitignore
index cc7a512..623f3a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/Python-3.8.13.tar.xz
+SOURCES/Python-3.8.14.tar.xz
diff --git a/.rh-python38-python.metadata b/.rh-python38-python.metadata
index 9e639dc..ebf1f2c 100644
--- a/.rh-python38-python.metadata
+++ b/.rh-python38-python.metadata
@@ -1 +1 @@
-fb46587353f092d91caeddb07f82bb66a5115468 SOURCES/Python-3.8.13.tar.xz
+dced5c6d2a402eb79dddf3346210db23990b1ad0 SOURCES/Python-3.8.14.tar.xz
diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch
index 1a764dd..6bf83c2 100644
--- a/SOURCES/00189-use-rpm-wheels.patch
+++ b/SOURCES/00189-use-rpm-wheels.patch
@@ -1,4 +1,4 @@
-From a7146f029f38c7fc25ddfa09529aefbe8035620a Mon Sep 17 00:00:00 2001
+From dddfc63d5991462d214e86514fa06eff0707996a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Wed, 15 Aug 2018 15:36:29 +0200
 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels
@@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
  1 file changed, 26 insertions(+), 10 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index b291e9a..ed17b22 100644
+index 88ddc63..0d02cfa 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,6 +1,7 @@
@@ -53,7 +53,7 @@ index b291e9a..ed17b22 100644
  _PROJECTS = [
      ("setuptools", _SETUPTOOLS_VERSION, "py3"),
      ("pip", _PIP_VERSION, "py3"),
-@@ -99,13 +118,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
+@@ -104,13 +123,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False,
          # additional paths that need added to sys.path
          additional_paths = []
          for project, version, py_tag in _PROJECTS:
@@ -72,5 +72,5 @@ index b291e9a..ed17b22 100644
              additional_paths.append(os.path.join(tmpdir, wheel_name))
  
 -- 
-2.35.1
+2.37.2
 
diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch
index de91016..2a06bfb 100644
--- a/SOURCES/00378-support-expat-2-4-5.patch
+++ b/SOURCES/00378-support-expat-2-4-5.patch
@@ -1,8 +1,8 @@
 diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
-index 06c9107..d7307b4 100644
+index 06c9107..6c3f5a8 100644
 --- a/Lib/test/test_minidom.py
 +++ b/Lib/test/test_minidom.py
-@@ -1149,14 +1149,10 @@ class MinidomTest(unittest.TestCase):
+@@ -1149,14 +1149,11 @@ class MinidomTest(unittest.TestCase):
  
          # Verify that character decoding errors raise exceptions instead
          # of crashing
@@ -14,6 +14,7 @@ index 06c9107..d7307b4 100644
 -        else:
 -            self.assertRaises(UnicodeDecodeError, parseString,
 -                b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
++
 +        self.assertRaises(ExpatError, parseString,
 +                b'<fran\xe7ais></fran\xe7ais>')
 +        self.assertRaises(ExpatError, parseString,
@@ -21,7 +22,7 @@ index 06c9107..d7307b4 100644
  
          doc.unlink()
  
-@@ -1601,10 +1597,7 @@ class MinidomTest(unittest.TestCase):
+@@ -1601,10 +1598,7 @@ class MinidomTest(unittest.TestCase):
          self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
  
      def testExceptionOnSpacesInXMLNSValue(self):
diff --git a/SOURCES/00382-cve-2015-20107.patch b/SOURCES/00382-cve-2015-20107.patch
new file mode 100644
index 0000000..84fda78
--- /dev/null
+++ b/SOURCES/00382-cve-2015-20107.patch
@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Fri, 3 Jun 2022 11:43:35 +0200
+Subject: [PATCH] 00382: CVE-2015-20107
+
+Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+
+Upstream: https://github.com/python/cpython/issues/68966
+
+Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+---
+ Doc/library/mailcap.rst                       | 12 +++++++++
+ Lib/mailcap.py                                | 26 +++++++++++++++++--
+ Lib/test/test_mailcap.py                      |  8 ++++--
+ ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |  4 +++
+ 4 files changed, 46 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
+index bf9639bdac..a75857be62 100644
+--- a/Doc/library/mailcap.rst
++++ b/Doc/library/mailcap.rst
+@@ -54,6 +54,18 @@ standard.  However, mailcap files are supported on most Unix systems.
+    use) to determine whether or not the mailcap line applies.  :func:`findmatch`
+    will automatically check such conditions and skip the entry if the check fails.
+ 
++   .. versionchanged:: 3.11
++
++      To prevent security issues with shell metacharacters (symbols that have
++      special effects in a shell command line), ``findmatch`` will refuse
++      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
++      into the returned command line.
++
++      If a disallowed character appears in *filename*, ``findmatch`` will always
++      return ``(None, None)`` as if no entry was found.
++      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
++      ``findmatch`` will ignore all mailcap entries which use that value.
++      A :mod:`warning <warnings>` will be raised in either case.
+ 
+ .. function:: getcaps()
+ 
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index bd0fc0981c..dcd4b449e8 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+ 
+ import os
+ import warnings
++import re
+ 
+ __all__ = ["getcaps","findmatch"]
+ 
+@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+ 
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+ 
+ # Part 1: top-level interface.
+ 
+@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+ 
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+ 
+ def lookup(caps, MIMEtype, key=None):
+@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index c08423c670..920283d9a2 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000..da81a1f699
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).
diff --git a/SPECS/python.spec b/SPECS/python.spec
index 68777f6..ea84968 100644
--- a/SPECS/python.spec
+++ b/SPECS/python.spec
@@ -20,7 +20,7 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.13
+%global general_version %{pybasever}.14
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@@ -390,6 +390,16 @@ Patch359: 00359-CVE-2021-23336.patch
 # Upstream: https://bugs.python.org/issue46811
 Patch378: 00378-support-expat-2-4-5.patch
 
+# 00382 #
+# CVE-2015-20107
+#
+# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+#
+# Upstream: https://github.com/python/cpython/issues/68966
+#
+# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+Patch382: 00382-cve-2015-20107.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -724,6 +734,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch329 -p1
 %patch359 -p1
 %patch378 -p1
+%patch382 -p1
 
 cat %{PATCH300} | sed -e "s/__SCL_NAME__/%{?scl}/" \
                 | patch -p1
@@ -1707,6 +1718,11 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Fri Sep 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.8.14-1
+- Update to 3.8.14
+- Fixes for CVE-2015-20107, CVE-2020-10735, CVE-2021-28861
+Resolves: rhbz#2125237, rhbz#2125239, rhbz#2125238
+
 * Wed Mar 16 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.8.13-1
 - Update to 3.8.13
 - Fix test suite issues with the latest expat security update