diff --git a/.gitignore b/.gitignore index 47eb58c..cc7a512 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.8.11.tar.xz +SOURCES/Python-3.8.13.tar.xz diff --git a/.rh-python38-python.metadata b/.rh-python38-python.metadata index 3ec451b..9e639dc 100644 --- a/.rh-python38-python.metadata +++ b/.rh-python38-python.metadata @@ -1 +1 @@ -1561060627fd171de19c53eb374cd92d2f297bff SOURCES/Python-3.8.11.tar.xz +fb46587353f092d91caeddb07f82bb66a5115468 SOURCES/Python-3.8.13.tar.xz diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch index 498c727..1a764dd 100644 --- a/SOURCES/00189-use-rpm-wheels.patch +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -1,4 +1,4 @@ -From 91c30b058ad9ab85debef8ffc058656c689fd1ac Mon Sep 17 00:00:00 2001 +From a7146f029f38c7fc25ddfa09529aefbe8035620a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 15 Aug 2018 15:36:29 +0200 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels @@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels Downstream only: upstream bundles We might eventually pursuit upstream support, but it's low prio --- - Lib/ensurepip/__init__.py | 33 +++++++++++++++++++++++---------- - 1 file changed, 23 insertions(+), 10 deletions(-) + Lib/ensurepip/__init__.py | 36 ++++++++++++++++++++++++++---------- + 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py -index 597a1ef..9206d11 100644 +index b291e9a..ed17b22 100644 --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py @@ -1,6 +1,7 @@ 
@@ -24,14 +24,15 @@ index 597a1ef..9206d11 100644 import sys import runpy import tempfile -@@ -9,9 +10,24 @@ import subprocess +@@ -9,8 +10,26 @@ import subprocess __all__ = ["version", "bootstrap"] - + _PACKAGE_NAMES = ('setuptools', 'pip') -_SETUPTOOLS_VERSION = "56.0.0" +-_PIP_VERSION = "22.0.4" ++ +_WHEEL_DIR = "/opt/rh/rh-python38/root/usr/share/python38-wheels/" - --_PIP_VERSION = "21.1.1" ++ +_wheels = {} + +def _get_most_recent_wheel_version(pkg): @@ -48,10 +49,11 @@ index 597a1ef..9206d11 100644 +_SETUPTOOLS_VERSION = _get_most_recent_wheel_version("setuptools") + +_PIP_VERSION = _get_most_recent_wheel_version("pip") - ++ _PROJECTS = [ ("setuptools", _SETUPTOOLS_VERSION, "py3"), -@@ -101,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, + ("pip", _PIP_VERSION, "py3"), +@@ -99,13 +118,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, # additional paths that need added to sys.path additional_paths = [] for project, version, py_tag in _PROJECTS: @@ -70,5 +72,5 @@ index 597a1ef..9206d11 100644 additional_paths.append(os.path.join(tmpdir, wheel_name)) -- -2.31.1 +2.35.1 diff --git a/SOURCES/00365-CVE-2021-29921.patch b/SOURCES/00365-CVE-2021-29921.patch deleted file mode 100644 index b3f8176..0000000 --- a/SOURCES/00365-CVE-2021-29921.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst -index 2cdfddb..d464d2a 100644 ---- a/Doc/library/ipaddress.rst -+++ b/Doc/library/ipaddress.rst -@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are - 1. A string in decimal-dot notation, consisting of four decimal integers in - the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each - integer represents an octet (byte) in the address. Leading zeroes are -- tolerated only for values less than 8 (as there is no ambiguity -- between the decimal and octal interpretations of such strings). -+ not tolerated to prevent confusion with octal notation. - 2. An integer that fits into 32 bits. - 3. An integer packed into a :class:`bytes` object of length 4 (most - significant octet first). -diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py -index 28b7b61..d351f07 100644 ---- a/Lib/ipaddress.py -+++ b/Lib/ipaddress.py -@@ -1173,6 +1173,11 @@ class _BaseV4: - if len(octet_str) > 3: - msg = "At most 3 characters permitted in %r" - raise ValueError(msg % octet_str) -+ # Handle leading zeros as strict as glibc's inet_pton() -+ # See security bug bpo-36384 -+ if octet_str != '0' and octet_str[0] == '0': -+ msg = "Leading zeros are not permitted in %r" -+ raise ValueError(msg % octet_str) - # Convert to integer (we know digits are legal) - octet_int = int(octet_str, 10) - if octet_int > 255: -diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py -index 2f1c5b6..1297b83 100644 ---- a/Lib/test/test_ipaddress.py -+++ b/Lib/test/test_ipaddress.py -@@ -97,10 +97,23 @@ class CommonTestMixin: - class CommonTestMixin_v4(CommonTestMixin): - - def test_leading_zeros(self): -- self.assertInstancesEqual("000.000.000.000", "0.0.0.0") -- self.assertInstancesEqual("192.168.000.001", "192.168.0.1") -- self.assertInstancesEqual("016.016.016.016", "16.16.16.16") -- self.assertInstancesEqual("001.000.008.016", "1.0.8.16") -+ # bpo-36384: no 
leading zeros to avoid ambiguity with octal notation -+ msg = "Leading zeros are not permitted in '\d+'" -+ addresses = [ -+ "000.000.000.000", -+ "192.168.000.001", -+ "016.016.016.016", -+ "192.168.000.001", -+ "001.000.008.016", -+ "01.2.3.40", -+ "1.02.3.40", -+ "1.2.03.40", -+ "1.2.3.040", -+ ] -+ for address in addresses: -+ with self.subTest(address=address): -+ with self.assertAddressError(msg): -+ self.factory(address) - - def test_int(self): - self.assertInstancesEqual(0, "0.0.0.0") diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch new file mode 100644 index 0000000..de91016 --- /dev/null +++ b/SOURCES/00378-support-expat-2-4-5.patch @@ -0,0 +1,35 @@ +diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py +index 06c9107..d7307b4 100644 +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -1149,14 +1149,10 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- if pyexpat.version_info >= (2, 4, 5): +- self.assertRaises(ExpatError, parseString, +- b'') +- self.assertRaises(ExpatError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') +- else: +- self.assertRaises(UnicodeDecodeError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') ++ self.assertRaises(ExpatError, parseString, ++ b'') ++ self.assertRaises(ExpatError, parseString, ++ b'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() + +@@ -1601,10 +1597,7 @@ class MinidomTest(unittest.TestCase): + self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) + + def testExceptionOnSpacesInXMLNSValue(self): +- if pyexpat.version_info >= (2, 4, 5): +- context = self.assertRaisesRegex(ExpatError, 'syntax error') +- else: +- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') ++ context = self.assertRaisesRegex(ExpatError, 'syntax error') + + with context: + parseString('') 
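Review bot: Both test_minidom.py hunks in the new 00378-support-expat-2-4-5.patch drop the `pyexpat.version_info >= (2, 4, 5)` gate and assert `ExpatError` unconditionally, so the tests pass only when the expat used for the build carries the backported 2.4.5 behaviour, whatever version it reports. Nothing visible in this commit pins that. Assuming the package builds against the system expat, the spec should require the release that contains the backport, for example `BuildRequires: expat-devel >= <release-with-backport>`, so that an older expat fails at dependency resolution and not as an exception-type mismatch in %check. A short comment above each rewritten assertion, such as `# RHEL: expat fixes are backported, version_info cannot gate this`, would keep the reason next to the code when the patch is rebased.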
diff --git a/SPECS/python.spec b/SPECS/python.spec index 72478b9..68777f6 100644 --- a/SPECS/python.spec +++ b/SPECS/python.spec @@ -20,11 +20,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.11 +%global general_version %{pybasever}.13 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 1%{?dist} License: Python # ================================== @@ -379,11 +379,16 @@ Patch329: 00329-fips.patch # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 Patch359: 00359-CVE-2021-23336.patch -# 00365 # -# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module -# Upstream: https://bugs.python.org/issue36384 -# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458 -Patch365: 00365-CVE-2021-29921.patch +# 00378 # +# Support expat 2.4.5 +# +# This patch modifies the upstream code as to not account +# for the version specific expat assertions, since in RHEL +# we provide security fixes through backports and not a +# version upgrade. +# +# Upstream: https://bugs.python.org/issue46811 +Patch378: 00378-support-expat-2-4-5.patch # (New patches go here ^^^) # @@ -718,7 +723,7 @@ rm Lib/ensurepip/_bundled/*.whl %patch328 -p1 %patch329 -p1 %patch359 -p1 -%patch365 -p1 +%patch378 -p1 cat %{PATCH300} | sed -e "s/__SCL_NAME__/%{?scl}/" \ | patch -p1 @@ -1702,6 +1707,11 @@ CheckPython optimized # ====================================================== %changelog +* Wed Mar 16 2022 Charalampos Stratakis - 3.8.13-1 +- Update to 3.8.13 +- Fix test suite issues with the latest expat security update +Resolves: rhbz#2068592 + * Thu Jul 22 2021 Charalampos Stratakis - 3.8.11-2 - Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated Resolves: rhbz#1957458
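Review bot: Patch365 (CVE-2021-29921) is removed in the `@@ -379,11 +379,16 @@` hunk, and its `%patch365 -p1` line in the `@@ -718,7 +723,7 @@` hunk, but neither the spec comments nor the new `%changelog` entry says why. Presumably the leading-zero check from bpo-36384 is already in the 3.8.13 tarball; that should be confirmed against the rebased `Lib/ipaddress.py` and recorded, because the changelog is what downstream CVE tracking reads. I would add a line to the 3.8.13-1 entry such as `- Drop patch 365 (CVE-2021-29921), fix is included in the rebased upstream sources`.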