From 6d0197fab7fb5e12fd579f64f22612df95ac69e7 Mon Sep 17 00:00:00 2001 
From: zyppe <210hcl@gmail.com> Date: Mon, 5 Feb 2024 14:48:33 +0800 Subject: [PATCH] Initialize for python --- .gitignore | 1 + .python.metadata | 1 + CVE-2015-20107-mailcap-unsafe-filenames.patch | 98 ++ CVE-2017-18207.patch | 22 + CVE-2019-20907_tarfile-inf-loop.patch | 42 + CVE-2019-5010-null-defer-x509-cert-DOS.patch | 58 + CVE-2019-9674-zip-bomb.patch | 69 + CVE-2020-26116-httplib-header-injection.patch | 77 + CVE-2020-8492-urllib-ReDoS.patch | 35 + CVE-2021-23336-only-amp-as-query-sep.patch | 389 +++++ CVE-2021-28861-double-slash-path.patch | 76 + CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch | 172 ++ CVE-2021-3733-fix-ReDoS-in-request.patch | 15 + ...ne-reading-after-a-HTTP-100-Continue.patch | 26 + CVE-2021-4189-ftplib-trust-PASV-resp.patch | 135 ++ ...22-0391-urllib_parse-newline-parsing.patch | 169 ++ CVE-2022-45061-DoS-by-IDNA-decode.patch | 88 + CVE-2022-48565-plistlib-XML-vulns.patch | 80 + ...2-48566-compare_digest-more-constant.patch | 35 + CVE-2023-24329-blank-URL-bypass.patch | 84 + CVE-2023-40217-avoid-ssl-pre-close.patch | 330 ++++ PygmentsBridge-trime_doctest_flags.patch | 28 + README.SUSE | 21 + ...-F00251-change-user-install-location.patch | 40 + bpo34990-2038-problem-compileall.patch | 142 ++ bpo36160-init-sysconfig_vars.patch | 29 + bpo36302-sort-module-sources.patch | 13 + configure_PYTHON_FOR_REGEN.patch | 11 + do-not-use-non-ascii-in-test_ssl.patch | 15 + idle.appdata.xml | 35 + idle.desktop | 12 + openssl-111-middlebox-compat.patch | 30 + openssl-111-ssl_options.patch | 21 + python-2.5.1-sqlite.patch | 12 + python-2.6-gettext-plurals.patch | 14 + python-2.6b3-curses-panel.patch | 11 + python-2.7-dirs.patch | 11 + python-2.7-libffi-aarch64.patch | 13 + ...-2.7.17-switch-off-failing-SSL-tests.patch | 25 + python-2.7.2-fix_date_time_compiler.patch | 18 + python-2.7.4-canonicalize2.patch | 85 + python-2.7.5-multilib.patch | 436 +++++ ...sles-disable-verification-by-default.patch | 25 + python-2.7.9-ssl_ca_path.patch | 19 + python-bsddb6.patch | 
395 +++++ python-bundle-lang.patch | 23 + python-distutils-rpm-8.patch | 82 + python-skip_random_failing_tests.patch | 50 + python-sorted_tar.patch | 21 + python.changes | 1514 +++++++++++++++++ python.spec | 623 +++++++ recursion.tar | Bin 0 -> 516 bytes remove-static-libpython.patch | 53 + reproducible.patch | 15 + skip_unverified_test.patch | 19 + sle_tls_checks_policy.py | 4 + sparc_longdouble.patch | 21 + sphinx-update-removed-function.patch | 40 + 58 files changed, 5928 insertions(+) create mode 100644 .gitignore create mode 100644 .python.metadata create mode 100644 CVE-2015-20107-mailcap-unsafe-filenames.patch create mode 100644 CVE-2017-18207.patch create mode 100644 CVE-2019-20907_tarfile-inf-loop.patch create mode 100644 CVE-2019-5010-null-defer-x509-cert-DOS.patch create mode 100644 CVE-2019-9674-zip-bomb.patch create mode 100644 CVE-2020-26116-httplib-header-injection.patch create mode 100644 CVE-2020-8492-urllib-ReDoS.patch create mode 100644 CVE-2021-23336-only-amp-as-query-sep.patch create mode 100644 CVE-2021-28861-double-slash-path.patch create mode 100644 CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch create mode 100644 CVE-2021-3733-fix-ReDoS-in-request.patch create mode 100644 CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch create mode 100644 CVE-2021-4189-ftplib-trust-PASV-resp.patch create mode 100644 CVE-2022-0391-urllib_parse-newline-parsing.patch create mode 100644 CVE-2022-45061-DoS-by-IDNA-decode.patch create mode 100644 CVE-2022-48565-plistlib-XML-vulns.patch create mode 100644 CVE-2022-48566-compare_digest-more-constant.patch create mode 100644 CVE-2023-24329-blank-URL-bypass.patch create mode 100644 CVE-2023-40217-avoid-ssl-pre-close.patch create mode 100644 PygmentsBridge-trime_doctest_flags.patch create mode 100644 README.SUSE create mode 100644 adapted-from-F00251-change-user-install-location.patch create mode 100644 bpo34990-2038-problem-compileall.patch create mode 100644 
bpo36160-init-sysconfig_vars.patch create mode 100644 bpo36302-sort-module-sources.patch create mode 100644 configure_PYTHON_FOR_REGEN.patch create mode 100644 do-not-use-non-ascii-in-test_ssl.patch create mode 100644 idle.appdata.xml create mode 100644 idle.desktop create mode 100644 openssl-111-middlebox-compat.patch create mode 100644 openssl-111-ssl_options.patch create mode 100644 python-2.5.1-sqlite.patch create mode 100644 python-2.6-gettext-plurals.patch create mode 100644 python-2.6b3-curses-panel.patch create mode 100644 python-2.7-dirs.patch create mode 100644 python-2.7-libffi-aarch64.patch create mode 100644 python-2.7.17-switch-off-failing-SSL-tests.patch create mode 100644 python-2.7.2-fix_date_time_compiler.patch create mode 100644 python-2.7.4-canonicalize2.patch create mode 100644 python-2.7.5-multilib.patch create mode 100644 python-2.7.9-sles-disable-verification-by-default.patch create mode 100644 python-2.7.9-ssl_ca_path.patch create mode 100644 python-bsddb6.patch create mode 100644 python-bundle-lang.patch create mode 100644 python-distutils-rpm-8.patch create mode 100644 python-skip_random_failing_tests.patch create mode 100644 python-sorted_tar.patch create mode 100644 python.changes create mode 100644 python.spec create mode 100644 recursion.tar create mode 100644 remove-static-libpython.patch create mode 100644 reproducible.patch create mode 100644 skip_unverified_test.patch create mode 100644 sle_tls_checks_policy.py create mode 100644 sparc_longdouble.patch create mode 100644 sphinx-update-removed-function.patch diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0da537c --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +Python-2.7.18.tar.xz diff --git a/.python.metadata b/.python.metadata new file mode 100644 index 0000000..1fd4611 --- /dev/null +++ b/.python.metadata @@ -0,0 +1 @@ +cfbd3c771d680101ad126910657417e8b8895d39ee38e856569afc9b57b22ec8 Python-2.7.18.tar.xz 
diff --git a/CVE-2015-20107-mailcap-unsafe-filenames.patch b/CVE-2015-20107-mailcap-unsafe-filenames.patch
new file mode 100644
index 0000000..6a62040
--- /dev/null
+++ b/CVE-2015-20107-mailcap-unsafe-filenames.patch
@@ -0,0 +1,98 @@ +--- + Doc/library/mailcap.rst | 13 +++++++++++++ + Lib/mailcap.py | 28 ++++++++++++++++++++++++++-- + 2 files changed, 39 insertions(+), 2 deletions(-) + +--- a/Doc/library/mailcap.rst ++++ b/Doc/library/mailcap.rst +@@ -55,6 +55,19 @@ standard. However, mailcap files are su + will automatically check such conditions and skip the entry if the check fails. + + ++.. versionchanged:: 3.11 ++ ++ To prevent security issues with shell metacharacters (symbols that have ++ special effects in a shell command line), ``findmatch`` will refuse ++ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` ++ into the returned command line. ++ ++ If a disallowed character appears in *filename*, ``findmatch`` will always ++ return ``(None, None)`` as if no entry was found. ++ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), ++ ``findmatch`` will ignore all mailcap entries which use that value. ++ A :mod:`warning ` will be raised in either case. ++ + .. function:: getcaps() + + Returns a dictionary mapping MIME types to a list of mailcap file entries. This +--- a/Lib/mailcap.py ++++ b/Lib/mailcap.py +@@ -1,9 +1,17 @@ + """Mailcap file handling. See RFC 1524.""" + + import os ++import warnings ++import re + + __all__ = ["getcaps","findmatch"] + ++_find_unsafe = re.compile(ur'[^\xa1-\U0010FFFF\w@+=:,./-]').search ++ ++class UnsafeMailcapInput(Warning): ++ """Warning raised when refusing unsafe input""" ++ ++ + # Part 1: top-level interface. + + def getcaps(): +@@ -18,6 +26,10 @@ def getcaps(): + """ + caps = {} + for mailcap in listmailcapfiles(): ++ if _find_unsafe(mailcap): ++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." 
% (mailcap,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None, None + try: + fp = open(mailcap, 'r') + except IOError: +@@ -149,10 +161,13 @@ def findmatch(caps, MIMEtype, key='view' + for e in entries: + if 'test' in e: + test = subst(e['test'], filename, plist) ++ if test is None: ++ continue + if test and os.system(test) != 0: + continue + command = subst(e[key], MIMEtype, filename, plist) +- return command, e ++ if command is not None: ++ return command, e + return None, None + + def lookup(caps, MIMEtype, key=None): +@@ -184,6 +199,10 @@ def subst(field, MIMEtype, filename, pli + elif c == 's': + res = res + filename + elif c == 't': ++ if _find_unsafe(MIMEtype): ++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None + res = res + MIMEtype + elif c == '{': + start = i +@@ -191,7 +210,12 @@ def subst(field, MIMEtype, filename, pli + i = i+1 + name = field[start:i] + i = i+1 +- res = res + findparam(name, plist) ++ param = findparam(name, plist) ++ if _find_unsafe(param): ++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None ++ res = res + param + # XXX To do: + # %n == number of parts if type is multipart/* + # %F == list of alternating type and filename for parts diff --git a/CVE-2017-18207.patch b/CVE-2017-18207.patch new file mode 100644 index 0000000..aac7383 --- /dev/null +++ b/CVE-2017-18207.patch 
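Review bot: The filename guard added in `getcaps()` tests the mailcap configuration path (`_find_unsafe(mailcap)`) and returns `None, None` from a function whose normal result is the `caps` dict, while the `filename` argument that `subst()` appends for `%s` (`res = res + filename`) is not checked in any hunk of this patch. The warning text and the documentation hunk both describe a check on *filename* in `findmatch`, so the guard looks misplaced: put `if _find_unsafe(filename):` with the same warning and `return None, None` at the top of `findmatch()` and drop it from the `getcaps()` loop. As written, a caller of `getcaps()` receives a tuple instead of a dict whenever a mailcap path contains a character outside the allow-list. The bodies of `getcaps`, `findmatch` and `subst` extend beyond the hunks shown.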
@@ -0,0 +1,22 @@ +From ae0ed14794ced2c51c822fc6f0d3ca92064619dd Mon Sep 17 00:00:00 2001 +From: BT123 +Date: Fri, 17 Nov 2017 16:45:45 +0800 +Subject: [PATCH] bug in wave.py + +--- + Lib/wave.py | 2 ++ + 1 file changed, 2 insertions(+) + +Index: Python-2.7.13/Lib/wave.py +=================================================================== +--- Python-2.7.13.orig/Lib/wave.py 2018-06-07 17:00:25.370728844 +0000 ++++ Python-2.7.13/Lib/wave.py 2018-06-07 17:02:51.768202800 +0000 +@@ -272,6 +272,8 @@ class Wave_read: + self._sampwidth = (sampwidth + 7) // 8 + else: + raise Error, 'unknown format: %r' % (wFormatTag,) ++ if self._nchannels == 0: ++ raise Error, "The audio file in wav format should have at least one channel!" + self._framesize = self._nchannels * self._sampwidth + self._comptype = 'NONE' + self._compname = 'not compressed' diff --git a/CVE-2019-20907_tarfile-inf-loop.patch b/CVE-2019-20907_tarfile-inf-loop.patch new file mode 100644 index 0000000..8b75d69 --- /dev/null +++ b/CVE-2019-20907_tarfile-inf-loop.patch 
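Review bot: The new guard in `Wave_read` rejects `_nchannels == 0`, but the product on the next line, `self._framesize = self._nchannels * self._sampwidth`, is also zero when `_sampwidth` is zero, which `(sampwidth + 7) // 8` yields for a header declaring 0 bits per sample. If the frame size is later used as a divisor (not visible in this hunk), that path stays reachable; adding `if self._sampwidth == 0:` followed by `raise Error, 'bad sample width'` next to the channel check would close it. The enclosing method starts and ends outside the hunk.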
@@ -0,0 +1,42 @@ +From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001 +From: Rajarishi Devarajan +Date: Sun, 12 Jul 2020 23:47:42 +0200 +Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module + +Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop +--- + Lib/tarfile.py | 2 ++ + Lib/test/test_tarfile.py | 5 +++++ + Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + + 3 files changed, 8 insertions(+) + create mode 100644 Lib/test/recursion.tar + +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1400,6 +1400,8 @@ class TarInfo(object): + + length, keyword = match.groups() + length = int(length) ++ if length == 0: ++ raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + keyword = keyword.decode("utf8") +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -321,6 +321,11 @@ class CommonReadTest(ReadTest): + with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"): + tar.extractfile(t).read() + ++ def test_length_zero_header(self): ++ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail ++ # with an exception ++ self.assertRaises(tarfile.ReadError, tarfile.open, test_support.findfile('recursion.tar')) ++ + + class MiscReadTest(CommonReadTest): + taropen = tarfile.TarFile.taropen +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +@@ -0,0 +1 @@ ++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). diff --git a/CVE-2019-5010-null-defer-x509-cert-DOS.patch b/CVE-2019-5010-null-defer-x509-cert-DOS.patch new file mode 100644 index 0000000..51b534c --- /dev/null +++ b/CVE-2019-5010-null-defer-x509-cert-DOS.patch 
@@ -0,0 +1,58 @@ +From 280917872027ee991416d2623fc16ff1eed48f50 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 15 Jan 2019 23:47:42 +0100 +Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) + +Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL +distribution points with empty DP or URI correctly. A malicious or buggy +certificate can result into segfault. + +Signed-off-by: Christian Heimes + +https://bugs.python.org/issue35746 +(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) + +Co-authored-by: Christian Heimes +--- + Lib/test/test_ssl.py | 21 ++++++++++ + Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 + + 2 files changed, 24 insertions(+) + create mode 100644 Lib/test/talos-2019-0758.pem + create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst + +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -287,6 +287,27 @@ class BasicSocketTests(unittest.TestCase + } + ) + ++ def test_parse_cert_CVE_2019_5010(self): ++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) ++ if support.verbose: ++ sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ self.assertEqual( ++ p, ++ { ++ 'issuer': ( ++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), ++ 'notAfter': 'Jun 14 18:00:58 2028 GMT', ++ 'notBefore': 'Jun 18 18:00:58 2018 GMT', ++ 'serialNumber': '02', ++ 'subject': ((('countryName', 'UK'),), ++ (('commonName', ++ 'codenomicon-vm-2.test.lal.cisco.com'),)), ++ 'subjectAltName': ( ++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), ++ 'version': 3 ++ } ++ ) ++ + def test_parse_cert_CVE_2013_4238(self): + p = ssl._ssl._test_decode_cert(NULLBYTECERT) + if support.verbose: +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +@@ -0,0 +1,3 @@ ++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did ++not handle CRL distribution points with empty DP or URI correctly. 
A ++malicious or buggy certificate can result into segfault. diff --git a/CVE-2019-9674-zip-bomb.patch b/CVE-2019-9674-zip-bomb.patch new file mode 100644 index 0000000..54ff344 --- /dev/null +++ b/CVE-2019-9674-zip-bomb.patch 
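Review bot: `test_parse_cert_CVE_2019_5010` reads `TALOS_INVALID_CRLDP`, but no hunk in this patch defines that name, and `Lib/test/talos-2019-0758.pem`, listed under `create mode`, has no content section here either. Unless both are supplied by the base tree or by another patch in the series, the test fails with a NameError instead of exercising the certificate parser. The patch carries only the test and the NEWS entry, so its header should state whether the `_ssl` parser fix itself is already present in the base sources.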
@@ -0,0 +1,69 @@ +From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001 +From: nick sung +Date: Fri, 17 May 2019 15:45:31 +0800 +Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). +--- + Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -553,5 +553,47 @@ Command-line options + + Test whether the zipfile is valid or not. + ++Decompression pitfalls ++---------------------- + ++The extraction in zipfile module might fail due to some pitfalls ++listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum ++/ ZIP format or unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause ++decompression failed. Such as allowable characters in the ++directory entries, length of the file name, length of the ++pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) apply ++to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C ++or killing the decompression process may result in incomplete ++decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors can cause unexpected ++decompression results. 
For example, when extracting the same ++archive twice, it overwrites files without asking. ++ ++ ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT +--- /dev/null ++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +@@ -0,0 +1 @@ ++Add decompression pitfalls to zipfile module documentation. +\ No newline at end of file diff --git a/CVE-2020-26116-httplib-header-injection.patch b/CVE-2020-26116-httplib-header-injection.patch new file mode 100644 index 0000000..d7cadf3 --- /dev/null +++ b/CVE-2020-26116-httplib-header-injection.patch 
@@ -0,0 +1,77 @@ +--- + Lib/httplib.py | 15 +++++++++++++++ + Lib/test/test_httplib.py | 22 +++++++++++++++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} + + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + class HTTPMessage(mimetools.Message): + + def addheader(self, key, value): +@@ -940,6 +944,8 @@ class HTTPConnection: + else: + raise CannotSendRequest() + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1179,6 +1185,15 @@ class HTTPConnection: + response.close() + raise + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ "method can't contain control characters. %r (found at " ++ "least %r)" % (method, match.group())) ++ + + class HTTP: + "Compatibility class with httplib.py from 1.5." 
+--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -1007,10 +1007,30 @@ class TunnelTests(TestCase): + self.assertTrue('Host: destination.com' in conn.sock.data) + + ++class HttpMethodTests(TestCase): ++ def test_invalid_method_names(self): ++ methods = ( ++ 'GET\r', ++ 'POST\n', ++ 'PUT\n\r', ++ 'POST\nValue', ++ 'POST\nHOST:abc', ++ 'GET\nrHost:abc\n', ++ 'POST\rRemainder:\r', ++ 'GET\rHOST:\n', ++ '\nPUT' ++ ) ++ ++ for method in methods: ++ conn = httplib.HTTPConnection('example.com') ++ conn.sock = FakeSocket(None) ++ self.assertRaises(ValueError, conn.request, method=method, url="/") ++ ++ + @test_support.reap_threads + def test_main(verbose=None): + test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest, +- HTTPTest, HTTPSTest, SourceAddressTest, ++ HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest, + TunnelTests) + + if __name__ == '__main__': diff --git a/CVE-2020-8492-urllib-ReDoS.patch b/CVE-2020-8492-urllib-ReDoS.patch new file mode 100644 index 0000000..e694351 --- /dev/null +++ b/CVE-2020-8492-urllib-ReDoS.patch 
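Review bot: `_contains_disallowed_method_pchar_re` is compiled from `'[\x00-\x1f]'`, so `_validate_method` rejects C0 control characters only; DEL (`\x7f`) and the space character pass, and `HttpMethodTests` has no case for either. A space inside the method still changes how the peer tokenises the request line, so where method names can come from untrusted input, consider widening the class to `'[\x00-\x20\x7f]'` and adding matching strings to the test tuple. That is stricter than the character set this patch ships, so confirm it does not break callers that rely on unusual method names.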
@@ -0,0 +1,35 @@ +From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Thu, 30 Jan 2020 16:13:03 +0100 +Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex + +The AbstractBasicAuthHandler class of the urllib.request module uses +an inefficient regular expression which can be exploited by an +attacker to cause a denial of service. Fix the regex to prevent the +catastrophic backtracking. + +Vulnerability reported by Matt Schwager. +--- + Lib/urllib2.py | 2 +- + Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst + +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -0,0 +1,4 @@ ++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++:mod:`urllib.request` module uses an inefficient regular expression which can ++be exploited by an attacker to cause a denial of service. Fix the regex to ++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, diff --git a/CVE-2021-23336-only-amp-as-query-sep.patch b/CVE-2021-23336-only-amp-as-query-sep.patch new file mode 100644 index 0000000..524601d --- /dev/null +++ b/CVE-2021-23336-only-amp-as-query-sep.patch 
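Review bot: The patch changes `rx` in `AbstractBasicAuthHandler` without adding a regression test; its diffstat touches only `Lib/urllib2.py` and the NEWS file. In the new pattern the prefix `(?:[^,]*,)*` and the scheme group `([^ \t]+)` can both consume commas, so the engine still has more than one way to split a comma-heavy header; this looks polynomial rather than exponential, but it should be measured rather than assumed. A bounded-time test in `Lib/test/test_urllib2.py` with a long challenge header would pin the behaviour. The NEWS entry also names `urllib.request`, while the module patched here is `urllib2`.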
@@ -0,0 +1,389 @@ +From 5c17dfc5d70ce88be99bc5769b91ce79d7a90d61 Mon Sep 17 00:00:00 2001 +From: Senthil Kumaran +Date: Mon, 15 Feb 2021 11:16:43 -0800 +Subject: [PATCH] [3.6] bpo-42967: only use '&' as a query string separator + (GH-24297) (GH-24532) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +bpo-42967: [security] Address a web cache-poisoning issue reported in +urllib.parse.parse_qsl(). + +urllib.parse will only us "&" as query string separator by default +instead of both ";" and "&" as allowed in earlier versions. An optional +argument seperator with default value "&" is added to specify the +separator. + +Co-authored-by: Éric Araujo +Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> +Co-authored-by: Adam Goldschmidt +--- + Doc/library/cgi.rst | 8 ++- + Doc/library/urllib.parse.rst | 22 +++++- + Doc/whatsnew/3.6.rst | 13 ++++ + Lib/cgi.py | 17 +++-- + Lib/test/test_cgi.py | 29 ++++++-- + Lib/test/test_urlparse.py | 68 +++++++++++++------ + Lib/urllib/parse.py | 19 ++++-- + .../2021-02-14-15-59-16.bpo-42967.YApqDS.rst | 1 + + 8 files changed, 134 insertions(+), 43 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst + +--- a/Doc/library/cgi.rst ++++ b/Doc/library/cgi.rst +@@ -287,10 +287,11 @@ algorithms implemented in this module in + + .. function:: parse(fp[, environ[, keep_blank_values[, strict_parsing]]]) + +- Parse a query in the environment or from a file (the file defaults to +- ``sys.stdin`` and environment defaults to ``os.environ``). The *keep_blank_values* and *strict_parsing* parameters are +- passed to :func:`urlparse.parse_qs` unchanged. +- ++ Parse a query in the environment or from a file (the file ++ defaults to ``sys.stdin`` and environment defaults to ++ ``os.environ``). The *keep_blank_values*, *strict_parsing*, ++ and *separator* parameters are passed to ++ :func:`urlparse.parse_qs` unchanged. + + .. 
function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) + +@@ -316,6 +317,9 @@ algorithms implemented in this module in + Note that this does not parse nested multipart parts --- use + :class:`FieldStorage` for that. + ++ .. versionchanged:: 3.6.13 ++ Added the *separator* parameter. ++ + + .. function:: parse_header(string) + +--- a/Lib/cgi.py ++++ b/Lib/cgi.py +@@ -121,7 +121,8 @@ log = initlog # The current lo + # 0 ==> unlimited input + maxlen = 0 + +-def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0): ++def parse(fp=None, environ=os.environ, keep_blank_values=0, ++ strict_parsing=0, separator='&'): + """Parse a query in the environment or from a file (default stdin) + + Arguments, all optional: +@@ -140,6 +141,9 @@ def parse(fp=None, environ=os.environ, k + strict_parsing: flag indicating what to do with parsing errors. + If false (the default), errors are silently ignored. + If true, errors raise a ValueError exception. ++ ++ separator: str. The symbol to use for separating the query arguments. ++ Defaults to &. + """ + if fp is None: + fp = sys.stdin +@@ -171,7 +175,8 @@ def parse(fp=None, environ=os.environ, k + else: + qs = "" + environ['QUERY_STRING'] = qs # XXX Shouldn't, really +- return urlparse.parse_qs(qs, keep_blank_values, strict_parsing) ++ return urlparse.parse_qs(qs, keep_blank_values, strict_parsing, ++ separator=separator) + + + # parse query string function called from urlparse, +@@ -395,7 +400,7 @@ class FieldStorage: + + def __init__(self, fp=None, headers=None, outerboundary="", + environ=os.environ, keep_blank_values=0, strict_parsing=0, +- max_num_fields=None): ++ max_num_fields=None, separator='&'): + """Constructor. Read multipart/* until last part. 
+ + Arguments, all optional: +@@ -430,6 +435,7 @@ class FieldStorage: + self.keep_blank_values = keep_blank_values + self.strict_parsing = strict_parsing + self.max_num_fields = max_num_fields ++ self.separator = separator + if 'REQUEST_METHOD' in environ: + method = environ['REQUEST_METHOD'].upper() + self.qs_on_post = None +@@ -613,7 +619,9 @@ class FieldStorage: + if self.qs_on_post: + qs += '&' + self.qs_on_post + query = urlparse.parse_qsl(qs, self.keep_blank_values, +- self.strict_parsing, self.max_num_fields) ++ self.strict_parsing, ++ self.max_num_fields, ++ separator=self.separator) + self.list = [MiniFieldStorage(key, value) for key, value in query] + self.skip_lines() + +@@ -629,7 +637,8 @@ class FieldStorage: + query = urlparse.parse_qsl(self.qs_on_post, + self.keep_blank_values, + self.strict_parsing, +- self.max_num_fields) ++ self.max_num_fields, ++ self.separator) + self.list.extend(MiniFieldStorage(key, value) + for key, value in query) + FieldStorageClass = None +@@ -642,7 +651,8 @@ class FieldStorage: + klass = self.FieldStorageClass or self.__class__ + part = klass(self.fp, {}, ib, + environ, keep_blank_values, strict_parsing, +- max_num_fields) ++ max_num_fields, ++ self.separator) + + # Throw first part away + while not part.done: +--- a/Lib/test/test_cgi.py ++++ b/Lib/test/test_cgi.py +@@ -61,12 +61,9 @@ parse_strict_test_cases = [ + ("", ValueError("bad query field: ''")), + ("&", ValueError("bad query field: ''")), + ("&&", ValueError("bad query field: ''")), +- (";", ValueError("bad query field: ''")), +- (";&;", ValueError("bad query field: ''")), + # Should the next few really be valid? 
+ ("=", {}), + ("=&=", {}), +- ("=;=", {}), + # This rest seem to make sense + ("=a", {'': ['a']}), + ("&=a", ValueError("bad query field: ''")), +@@ -81,8 +78,6 @@ parse_strict_test_cases = [ + ("a=a+b&b=b+c", {'a': ['a b'], 'b': ['b c']}), + ("a=a+b&a=b+a", {'a': ['a b', 'b a']}), + ("x=1&y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), +- ("x=1;y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), +- ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), + ("Hbc5161168c542333633315dee1182227:key_store_seqid=400006&cuyer=r&view=bustomer&order_id=0bb2e248638833d48cb7fed300000f1b&expire=964546263&lobale=en-US&kid=130003.300038&ss=env", + {'Hbc5161168c542333633315dee1182227:key_store_seqid': ['400006'], + 'cuyer': ['r'], +@@ -188,6 +183,30 @@ class CgiTests(unittest.TestCase): + self.assertEqual(expect[k], v) + self.assertItemsEqual(expect.values(), d.values()) + ++ def test_separator(self): ++ parse_semicolon = [ ++ ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}), ++ ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), ++ (";", ValueError("bad query field: ''")), ++ (";;", ValueError("bad query field: ''")), ++ ("=;a", ValueError("bad query field: 'a'")), ++ (";b=a", ValueError("bad query field: ''")), ++ ("b;=a", ValueError("bad query field: 'b'")), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=a+b;a=b+a", {'a': ['a b', 'b a']}), ++ ] ++ for orig, expect in parse_semicolon: ++ env = {'QUERY_STRING': orig} ++ fs = cgi.FieldStorage(separator=';', environ=env) ++ if isinstance(expect, dict): ++ for key in expect.keys(): ++ expect_val = expect[key] ++ self.assertIn(key, fs) ++ if len(expect_val) > 1: ++ self.assertEqual(fs.getvalue(key), expect_val) ++ else: ++ self.assertEqual(fs.getvalue(key), expect_val[0]) ++ + def test_log(self): + cgi.log("Testing") + +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -24,16 +24,10 @@ parse_qsl_test_cases = [ + ("&a=b", [('a', 'b')]), + 
("a=a+b&b=b+c", [('a', 'a b'), ('b', 'b c')]), + ("a=1&a=2", [('a', '1'), ('a', '2')]), +- (";", []), +- (";;", []), +- (";a=b", [('a', 'b')]), +- ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]), +- ("a=1;a=2", [('a', '1'), ('a', '2')]), +- (b";", []), +- (b";;", []), +- (b";a=b", [(b'a', b'b')]), +- (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), +- (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]), ++ (";a=b", [(';a', 'b')]), ++ ("a=a+b;b=b+c", [('a', 'a b;b=b c')]), ++ (b";a=b", [(b';a', b'b')]), ++ (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]), + ] + + parse_qs_test_cases = [ +@@ -57,16 +51,10 @@ parse_qs_test_cases = [ + (b"&a=b", {b'a': [b'b']}), + (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), + (b"a=1&a=2", {b'a': [b'1', b'2']}), +- (";", {}), +- (";;", {}), +- (";a=b", {'a': ['b']}), +- ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), +- ("a=1;a=2", {'a': ['1', '2']}), +- (b";", {}), +- (b";;", {}), +- (b";a=b", {b'a': [b'b']}), +- (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), +- (b"a=1;a=2", {b'a': [b'1', b'2']}), ++ (";a=b", {';a': ['b']}), ++ ("a=a+b;b=b+c", {'a': ['a b;b=b c']}), ++ (b";a=b", {b';a': [b'b']}), ++ (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}), + ] + + class UrlParseTestCase(unittest.TestCase): +@@ -665,6 +653,43 @@ class UrlParseTestCase(unittest.TestCase + "under NFKC normalization") + self.assertIsInstance(cm.exception.args[0], str) + ++ def test_parse_qs_separator(self): ++ parse_qs_semicolon_cases = [ ++ (";", {}), ++ (";;", {}), ++ (";a=b", {'a': ['b']}), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=1;a=2", {'a': ['1', '2']}), ++ (b";", {}), ++ (b";;", {}), ++ (b";a=b", {b'a': [b'b']}), ++ (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), ++ (b"a=1;a=2", {b'a': [b'1', b'2']}), ++ ] ++ for orig, expect in parse_qs_semicolon_cases: ++ result = urlparse.parse_qs(orig, separator=';') ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ ++ ++ def test_parse_qsl_separator(self): ++ parse_qsl_semicolon_cases = [ ++ 
(";", []), ++ (";;", []), ++ (";a=b", [('a', 'b')]), ++ ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]), ++ ("a=1;a=2", [('a', '1'), ('a', '2')]), ++ (b";", []), ++ (b";;", []), ++ (b";a=b", [(b'a', b'b')]), ++ (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), ++ (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]), ++ ] ++ for orig, expect in parse_qsl_semicolon_cases: ++ result = urlparse.parse_qsl(orig, separator=';') ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ ++ ++ + def test_main(): + test_support.run_unittest(UrlParseTestCase) + +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst +@@ -0,0 +1 @@ ++Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator. +--- a/Lib/test/test_urllib2.py ++++ b/Lib/test/test_urllib2.py +@@ -1331,7 +1331,7 @@ class MiscTests(unittest.TestCase, FakeH + # level 'def urlopen()' function defined in this... (quite ugly) + # test suite. They use different url opening codepaths. Plain + # urlopen uses FancyURLOpener which goes via a codepath that +- # calls urllib.parse.quote() on the URL which makes all of the ++ # calls urlparse.quote() on the URL which makes all of the + # above attempts at injection within the url _path_ safe. + escaped_char_repr = repr(char).replace('\\', r'\\') + InvalidURL = httplib.InvalidURL +@@ -1354,7 +1354,7 @@ class MiscTests(unittest.TestCase, FakeH + # level 'def urlopen()' function defined in this... (quite ugly) + # test suite. They use different url opening codepaths. Plain + # urlopen uses FancyURLOpener which goes via a codepath that +- # calls urllib.parse.quote() on the URL which makes all of the ++ # calls urlparse.quote() on the URL which makes all of the + # above attempts at injection within the url _path_ safe. 
+ InvalidURL = httplib.InvalidURL + with self.assertRaisesRegexp(InvalidURL, +--- a/Misc/NEWS ++++ b/Misc/NEWS +@@ -4246,7 +4246,7 @@ Library + - bpo-18167: cgi.FieldStorage no longer fails to handle multipart/form-data + when \r\n appears at end of 65535 bytes without other newlines. + +-- bpo-17403: urllib.parse.robotparser normalizes the urls before adding to ++- bpo-17403: urlparse.robotparser normalizes the urls before adding to + ruleline. This helps in handling certain types invalid urls in a + conservative manner. Patch contributed by Mher Movsisyan. + +@@ -8271,7 +8271,7 @@ Core and Builtins + Library + ------- + +-- bpo-7904: Changes to urllib.parse.urlsplit to handle schemes as defined by ++- bpo-7904: Changes to urlparse.urlsplit to handle schemes as defined by + RFC3986. Anything before :// is considered a scheme and is followed by an + authority (or netloc) and by '/' led path, which is optional. + +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -382,7 +382,8 @@ def unquote(s): + append(item) + return ''.join(res) + +-def parse_qs(qs, keep_blank_values=0, strict_parsing=0, max_num_fields=None): ++def parse_qs(qs, keep_blank_values=0, strict_parsing=0, ++ max_num_fields=None, separator='&'): + """Parse a query given as a string argument. + + Arguments: +@@ -402,17 +403,21 @@ def parse_qs(qs, keep_blank_values=0, st + + max_num_fields: int. If set, then throws a ValueError if there + are more than n fields read by parse_qsl(). ++ ++ separator: str. The symbol to use for separating the query arguments. ++ Defaults to &. 
+ """ + dict = {} + for name, value in parse_qsl(qs, keep_blank_values, strict_parsing, +- max_num_fields): ++ max_num_fields, separator=separator): + if name in dict: + dict[name].append(value) + else: + dict[name] = [value] + return dict + +-def parse_qsl(qs, keep_blank_values=0, strict_parsing=0, max_num_fields=None): ++def parse_qsl(qs, keep_blank_values=0, strict_parsing=0, ++ max_num_fields=None, separator='&'): + """Parse a query given as a string argument. + + Arguments: +@@ -432,17 +437,23 @@ def parse_qsl(qs, keep_blank_values=0, s + max_num_fields: int. If set, then throws a ValueError if there + are more than n fields read by parse_qsl(). + ++ separator: str. The symbol to use for separating the query arguments. ++ Defaults to &. ++ + Returns a list, as G-d intended. + """ + # If max_num_fields is defined then check that the number of fields + # is less than max_num_fields. This prevents a memory exhaustion DOS + # attack via post bodies with many fields. ++ if not separator or (not isinstance(separator, (str, bytes))): ++ raise ValueError("Separator must be of type string or bytes.") ++ + if max_num_fields is not None: +- num_fields = 1 + qs.count('&') + qs.count(';') ++ num_fields = 1 + qs.count(separator) + if max_num_fields < num_fields: + raise ValueError('Max number of fields exceeded') + +- pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')] ++ pairs = [s1 for s1 in qs.split(separator)] + r = [] + for name_value in pairs: + if not name_value and not strict_parsing: diff --git a/CVE-2021-28861-double-slash-path.patch b/CVE-2021-28861-double-slash-path.patch new file mode 100644 index 0000000..ee4137e --- /dev/null +++ b/CVE-2021-28861-double-slash-path.patch 
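Review bot: The separator check added to `parse_qsl` uses `isinstance(separator, (str, bytes))`, and on Python 2 `bytes` is an alias of `str`, so a `unicode` separator such as `u';'` raises `ValueError` even though `qs` itself may be unicode. For this 2.7 backport the check should read `if not separator or not isinstance(separator, basestring):`. The check is also inserted between the `max_num_fields` comment and the code that comment describes; placing it above the comment keeps the explanation attached to the right lines. `parse_qsl` continues past the end of the hunk.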
@@ -0,0 +1,76 @@ +Index: Python-2.7.18/Lib/BaseHTTPServer.py +=================================================================== +--- Python-2.7.18.orig/Lib/BaseHTTPServer.py ++++ Python-2.7.18/Lib/BaseHTTPServer.py +@@ -287,6 +287,14 @@ class BaseHTTPRequestHandler(SocketServe + return False + self.command, self.path, self.request_version = command, path, version + ++ # CVE-2021-28861: The purpose of replacing '//' with '/' is to ++ # protect against open redirect attacks possibly triggered if the ++ # path starts with '//' because http clients treat //path as an ++ # absolute URI without scheme (similar to http://path) rather than ++ # a path. ++ if self.path.startswith('//'): ++ self.path = '/' + self.path.lstrip('/') # Reduce to a single / ++ + # Examine the headers and look for a Connection directive + self.headers = self.MessageClass(self.rfile, 0) + +Index: Python-2.7.18/Lib/test/test_httpservers.py +=================================================================== +--- Python-2.7.18.orig/Lib/test/test_httpservers.py ++++ Python-2.7.18/Lib/test/test_httpservers.py +@@ -417,6 +417,52 @@ class SimpleHTTPServerTestCase(BaseTestC + self.assertEqual(response.getheader("Location"), + self.tempdir_name + "/?hi=1") + ++ def test_get_dir_redirect_location_domain_injection_bug(self): ++ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location. ++ //netloc/ in a Location header is a redirect to a new host. ++ https://github.com/python/cpython/issues/87389 ++ This checks that a path resolving to a directory on our server cannot ++ resolve into a redirect to another server. 
++ """ ++ os.mkdir(os.path.join(self.tempdir, 'existing_directory')) ++ url = '/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../' + self.tempdir_name + '/existing_directory' ++ expected_location = url + '/' # /python.org.../ single slash single prefix, trailing slash ++ # Canonicalizes to /tmp/tempdir_name/existing_directory which does ++ # exist and is a dir, triggering the 301 redirect logic. ++ response = self.request(url) ++ self.check_status_and_reason(response, 301) ++ location = response.getheader('Location') ++ self.assertEqual(location, expected_location, msg='non-attack failed!') ++ ++ # //python.org... multi-slash prefix, no trailing slash ++ attack_url = '/' + url ++ response = self.request(attack_url) ++ self.check_status_and_reason(response, 301) ++ location = response.getheader('Location') ++ self.assertFalse(location.startswith('//'), msg=location) ++ self.assertEqual(location, expected_location, ++ msg='Expected Location header to start with a single / and ' ++ 'end with a / as this is a directory redirect.') ++ # ///python.org... triple-slash prefix, no trailing slash ++ attack3_url = '//' + url ++ response = self.request(attack3_url) ++ self.check_status_and_reason(response, 301) ++ self.assertEqual(response.getheader('Location'), expected_location) ++ ++ # If the second word in the http request (Request-URI for the http ++ # method) is a full URI, we don't worry about it, as that'll be parsed ++ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head ++ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen. 
++ attack_scheme_netloc_2slash_url = 'https://pypi.org/' + url ++ expected_scheme_netloc_location = attack_scheme_netloc_2slash_url + '/' ++ response = self.request(attack_scheme_netloc_2slash_url) ++ self.check_status_and_reason(response, 301) ++ location = response.getheader('Location') ++ # We're just ensuring that the scheme and domain make it through, if ++ # there are or aren't multiple slashes at the start of the path that ++ # follows that isn't important in this Location: header. ++ self.assertTrue(location.startswith('https://pypi.org/'), msg=location) ++ + + cgi_file1 = """\ + #!%s diff --git a/CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch b/CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch new file mode 100644 index 0000000..54670dc --- /dev/null +++ b/CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch 
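Review bot: The comment above the new `if self.path.startswith('//'):` check in BaseHTTPServer.py speaks of replacing '//' with '/', but `'/' + self.path.lstrip('/')` collapses a leading run of any length, and the added test relies on exactly that for its triple-slash case. I would word the comment to match the code, e.g. `# Collapse any run of leading slashes to a single '/' so the path cannot be read as a scheme-less //netloc reference.` The rewrite happens where `self.path` is first assigned, so every handler subclass now sees the normalised value; that behaviour change deserves a line in the handler documentation, since this patch, unlike its neighbours, carries no NEWS entry. The enclosing method starts and ends outside the hunk.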
@@ -0,0 +1,172 @@ +From 34df10a9a16b38d54421eeeaf73ec89828563be7 Mon Sep 17 00:00:00 2001 +From: Benjamin Peterson +Date: Mon, 18 Jan 2021 15:11:46 -0600 +Subject: [PATCH] [3.6] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24250) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson +--- + Lib/ctypes/test/test_parameters.py | 43 +++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 55 +++++++------------ + 3 files changed, 66 insertions(+), 34 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -1,4 +1,6 @@ +-import unittest, sys ++import platform ++import sys ++import unittest + from ctypes.test import need_symbol + import test.support + +@@ -206,6 +208,50 @@ class SimpleTypesTestCase(unittest.TestC + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param('a')), "") ++ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^$") ++ 
self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^$") ++ if platform.architecture()[0].startswith("64"): ++ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 @@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. 
+--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -460,50 +460,44 @@ PyCArg_dealloc(PyCArgObject *self) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + +-#ifdef HAVE_LONG_LONG ++#if defined(HAVE_LONG_LONG) && defined(LLONG_MAX) + case 'q': + case 'Q': +- sprintf(buffer, +- "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + #endif + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + + case 'c': +- sprintf(buffer, "", +- self->tag, self->value.c); +- break; ++ return PyUnicode_FromFormat("", ++ self->tag, self->value.c); + + /* Hm, are these 'z' and 'Z' codes useful at all? 
+ Shouldn't they be replaced by the functionality of c_string +@@ -512,16 +506,13 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); +- break; + + default: +- sprintf(buffer, "", +- self->tag, self); +- break; ++ return PyUnicode_FromFormat("", ++ (unsigned char)self->tag, (void *)self); + } +- return PyString_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/CVE-2021-3733-fix-ReDoS-in-request.patch b/CVE-2021-3733-fix-ReDoS-in-request.patch new file mode 100644 index 0000000..3a06fa5 --- /dev/null +++ b/CVE-2021-3733-fix-ReDoS-in-request.patch @@ -0,0 +1,15 @@ +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst +@@ -0,0 +1 @@ ++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. diff --git a/CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch b/CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch new file mode 100644 index 0000000..ebefd53 --- /dev/null +++ b/CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch 
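Review bot: In the new combined `case 'd': case 'f':` block of `PyCArg_repr`, `PyObject *result` is declared after the `if (f == NULL)` statement, which is a C99 mixed declaration. If this 2.7 tree is still expected to compile as C89 (an assumption, since the build flags are not visible here), declare it at the top of the block instead: `PyObject *result;` followed by `PyObject *f = PyFloat_FromDouble(...);`. A short comment on the block would also help the next reader, e.g. `/* format through a float object: no fixed-size buffer to overrun */`. The function now returns the result of `PyUnicode_FromFormat` where it used to return `PyString_FromString(buffer)`, so it is worth confirming that the repr tests on this branch cover the resulting string type.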
@@ -0,0 +1,26 @@ +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -449,6 +449,7 @@ class HTTPResponse: + if status != CONTINUE: + break + # skip the header from the 100 response ++ header_count = 0 + while True: + skip = self.fp.readline(_MAXLINE + 1) + if len(skip) > _MAXLINE: +@@ -458,6 +459,10 @@ class HTTPResponse: + break + if self.debuglevel > 0: + print "header:", skip ++ # CVE-2021-3737: Fix infinitely reading potential HTTP headers on a 100 Continue status response from the server ++ header_count += 1 ++ if header_count > _MAXHEADERS: ++ raise HTTPException("got more than %d headers" % _MAXHEADERS) + + self.status = status + self.reason = reason.strip() +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst +@@ -0,0 +1,2 @@ ++mod:`http.client` now avoids infinitely reading potential HTTP headers after a ++``100 Continue`` status response from the server. diff --git a/CVE-2021-4189-ftplib-trust-PASV-resp.patch b/CVE-2021-4189-ftplib-trust-PASV-resp.patch new file mode 100644 index 0000000..0cfd2f6 --- /dev/null +++ b/CVE-2021-4189-ftplib-trust-PASV-resp.patch 
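Review bot: No regression test accompanies the new `header_count` limit in the loop that skips the headers of a 100 response; the patch touches only Lib/httplib.py and a NEWS file. A test that serves a `100 Continue` status line followed by more than `_MAXHEADERS` header lines and expects `HTTPException` would pin the behaviour. `_MAXHEADERS` is used but not defined in this hunk, so presumably it is the module's existing constant; that should be confirmed on this branch. The NEWS text names `http.client` and writes the role as `mod:` without its leading colon, whereas the file patched here is httplib. The enclosing method of `HTTPResponse` starts and ends outside the hunk.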
@@ -0,0 +1,135 @@ +commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e +Author: Gregory P. Smith +Date: Mon Mar 15 11:39:31 2021 -0700 + + bpo-43285 Make ftplib not trust the PASV response. (GH-24838) + + bpo-43285: Make ftplib not trust the PASV response. + + The IPv4 address value returned from the server in response to the PASV command + should not be trusted. This prevents a malicious FTP server from using the + response to probe IPv4 address and port combinations on the client network. + + Instead of using the returned address, we use the IP address we're + already connected to. This is the strategy other ftp clients adopted, + and matches the only strategy available for the modern IPv6 EPSV command + where the server response must return a port number and nothing else. + + For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` + attribute on your `ftplib.FTP` instance to True. + +--- + Doc/whatsnew/2.7.rst | 10 +++ + Lib/ftplib.py | 11 +++- + Lib/test/test_ftplib.py | 27 +++++++++- + Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst | 8 ++ + 4 files changed, 53 insertions(+), 3 deletions(-) + +--- a/Doc/whatsnew/2.7.rst ++++ b/Doc/whatsnew/2.7.rst +@@ -166,6 +166,16 @@ The ``unittest`` module also automatical + when running tests. + + ++Post-EOS fixes ++============== ++ ++A security fix alters the :class:`ftplib.FTP` behavior to not trust the ++IPv4 address sent from the remote server when setting up a passive data ++channel. We reuse the ftp server IP address instead. For unusual code ++requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` ++attribute on your FTP instance to ``True``. (See :issue:`43285`) ++ ++ + Python 3.1 Features + ======================= + +--- a/Lib/ftplib.py ++++ b/Lib/ftplib.py +@@ -107,7 +107,9 @@ class FTP: + sock = None + file = None + welcome = None +- passiveserver = 1 ++ passiveserver = True ++ # Disables https://bugs.python.org/issue43285 security if set to True. 
++ trust_server_pasv_ipv4_address = False + + # Initialization method (called by class instantiation). + # Initialize host to localhost, port to standard ftp port +@@ -310,8 +312,13 @@ class FTP: + return sock + + def makepasv(self): ++ """Internal: Does the PASV or EPSV handshake -> (address, port)""" + if self.af == socket.AF_INET: +- host, port = parse227(self.sendcmd('PASV')) ++ untrusted_host, port = parse227(self.sendcmd('PASV')) ++ if self.trust_server_pasv_ipv4_address: ++ host = untrusted_host ++ else: ++ host = self.sock.getpeername()[0] + else: + host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername()) + return host, port +--- a/Lib/test/test_ftplib.py ++++ b/Lib/test/test_ftplib.py +@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha + self.rest = None + self.next_retr_data = RETR_DATA + self.push('220 welcome') ++ # We use this as the string IPv4 address to direct the client ++ # to in response to a PASV command. To test security behavior. ++ # https://bugs.python.org/issue43285/. 
++ self.fake_pasv_server_ip = '252.253.254.255' + + def collect_incoming_data(self, data): + self.in_buffer.append(data) +@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha + sock.bind((self.socket.getsockname()[0], 0)) + sock.listen(5) + sock.settimeout(10) +- ip, port = sock.getsockname()[:2] ++ port = sock.getsockname()[1] ++ ip = self.fake_pasv_server_ip + ip = ip.replace('.', ',') + p1, p2 = divmod(port, 256) + self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2)) +@@ -577,6 +582,26 @@ class TestFTPClass(TestCase): + # IPv4 is in use, just make sure send_epsv has not been used + self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv') + ++ def test_makepasv_issue43285_security_disabled(self): ++ """Test the opt-in to the old vulnerable behavior.""" ++ self.client.trust_server_pasv_ipv4_address = True ++ bad_host, port = self.client.makepasv() ++ self.assertEqual( ++ bad_host, self.server.handler_instance.fake_pasv_server_ip) ++ # Opening and closing a connection keeps the dummy server happy ++ # instead of timing out on accept. ++ socket.create_connection((self.client.sock.getpeername()[0], port), ++ timeout=TIMEOUT).close() ++ ++ def test_makepasv_issue43285_security_enabled_default(self): ++ self.assertFalse(self.client.trust_server_pasv_ipv4_address) ++ trusted_host, port = self.client.makepasv() ++ self.assertNotEqual( ++ trusted_host, self.server.handler_instance.fake_pasv_server_ip) ++ # Opening and closing a connection keeps the dummy server happy ++ # instead of timing out on accept. ++ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close() ++ + def test_line_too_long(self): + self.assertRaises(ftplib.Error, self.client.sendcmd, + 'x' * self.client.maxline * 2) +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst +@@ -0,0 +1,8 @@ ++:mod:`ftplib` no longer trusts the IP address value returned from the server ++in response to the PASV command by default. 
This prevents a malicious FTP ++server from using the response to probe IPv4 address and port combinations ++on the client network. ++ ++Code that requires the former vulnerable behavior may set a ++``trust_server_pasv_ipv4_address`` attribute on their ++:class:`ftplib.FTP` instances to ``True`` to re-enable it. diff --git a/CVE-2022-0391-urllib_parse-newline-parsing.patch b/CVE-2022-0391-urllib_parse-newline-parsing.patch new file mode 100644 index 0000000..25f859d --- /dev/null +++ b/CVE-2022-0391-urllib_parse-newline-parsing.patch 
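Review bot: `test_makepasv_issue43285_security_enabled_default` only asserts that the host returned by `makepasv()` differs from the fake PASV address; it never asserts what the host actually is. Since the new default branch sets `host = self.sock.getpeername()[0]`, the test can pin that directly with `self.assertEqual(trusted_host, self.client.sock.getpeername()[0])`. The test also has no docstring, unlike its sibling; `"""Test that the PASV-supplied IPv4 address is ignored by default."""` would match.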
@@ -0,0 +1,169 @@ +--- + Doc/library/urlparse.rst | 14 ++ + Doc/whatsnew/2.7.rst | 7 + + Lib/test/test_urlparse.py | 49 ++++++++++ + Lib/urlparse.py | 12 ++ + Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst | 6 + + 5 files changed, 88 insertions(+) + +--- a/Doc/library/urlparse.rst ++++ b/Doc/library/urlparse.rst +@@ -248,6 +248,10 @@ The :mod:`urlparse` module defines the f + decomposed before parsing, or is not a Unicode string, no error will be + raised. + ++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII ++ newline ``\n``, ``\r`` and tab ``\t`` characters are stripped ++ from the URL. ++ + .. versionadded:: 2.2 + + .. versionchanged:: 2.5 +@@ -257,6 +261,10 @@ The :mod:`urlparse` module defines the f + Characters that affect netloc parsing under NFKC normalization will + now raise :exc:`ValueError`. + ++ .. versionchanged:: 3.6.14 ++ ASCII newline and tab characters are stripped from the URL. ++ ++.. _WHATWG spec: https://url.spec.whatwg.org/#concept-basic-url-parser + + .. function:: urlunsplit(parts) + +@@ -308,6 +316,11 @@ The :mod:`urlparse` module defines the f + + .. seealso:: + ++ `WHATWG`_ - URL Living standard ++ Working Group for the URL Standard that defines URLs, ++ domains, IP addresses, the application/x-www-form-urlencoded format, ++ and their API. ++ + :rfc:`3986` - Uniform Resource Identifiers + This is the current standard (STD66). Any changes to urlparse module + should conform to this. Certain deviations could be observed, which are +@@ -332,6 +345,7 @@ The :mod:`urlparse` module defines the f + :rfc:`1738` - Uniform Resource Locators (URL) + This specifies the formal syntax and semantics of absolute URLs. + ++.. _WHATWG: https://url.spec.whatwg.org/ + + .. _urlparse-result-object: + +--- a/Doc/whatsnew/2.7.rst ++++ b/Doc/whatsnew/2.7.rst +@@ -175,6 +175,13 @@ channel. 
We reuse the ftp server IP add + requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` + attribute on your FTP instance to ``True``. (See :issue:`43285`) + ++The presence of newline or tab characters in parts of a URL allows for some ++forms of attacks. Following the WHATWG specification that updates RFC 3986, ++ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the ++URL by the parser :func:`urlparse` preventing such attacks. The removal ++characters are controlled by a new module level variable ++``urlparse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) ++ + + Python 3.1 Features + ======================= +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -492,6 +492,55 @@ class UrlParseTestCase(unittest.TestCase + p = urlparse.urlsplit(url) + self.assertEqual(p.port, None) + ++ def test_urlsplit_remove_unsafe_bytes(self): ++ # Remove ASCII tabs and newlines from input, for http common case scenario. ++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.scheme, "http") ++ self.assertEqual(p.netloc, "www.python.org") ++ self.assertEqual(p.path, "/javascript:alert('msg')/") ++ self.assertEqual(p.query, "query=something") ++ self.assertEqual(p.fragment, "fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, "www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario. 
++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.scheme, b"http") ++ self.assertEqual(p.netloc, b"www.python.org") ++ self.assertEqual(p.path, b"/javascript:alert('msg')/") ++ self.assertEqual(p.query, b"query=something") ++ self.assertEqual(p.fragment, b"fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, b"www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # any scheme ++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, any scheme. ++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Unsafe bytes is not returned from urlparse cache. 
++ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme ++ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ scheme = "htt\nps" ++ for _ in range(2): ++ p = urlparse.urlsplit(url, scheme=scheme) ++ self.assertEqual(p.scheme, "https") ++ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ + def test_issue14072(self): + p1 = urlparse.urlsplit('tel:+31-641044153') + self.assertEqual(p1.scheme, 'tel') +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -62,6 +62,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvw + '0123456789' + '+-.') + ++# Unsafe bytes to be removed per WHATWG spec ++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] ++ + MAX_CACHE_SIZE = 20 + _parse_cache = {} + +@@ -184,12 +187,21 @@ def _checknetloc(netloc): + "under NFKC normalization" + % netloc) + ++ ++def _remove_unsafe_bytes_from_url(url): ++ for b in _UNSAFE_URL_BYTES_TO_REMOVE: ++ url = url.replace(b, "") ++ return url ++ ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# + Return a 5-tuple: (scheme, netloc, path, query, fragment). + Note that we don't break the components up in smaller bits + (e.g. netloc is a single string) and we don't expand % escapes.""" ++ url = _remove_unsafe_bytes_from_url(url) ++ scheme = _remove_unsafe_bytes_from_url(scheme) + allow_fragments = bool(allow_fragments) + key = url, scheme, allow_fragments, type(url), type(scheme) + cached = _parse_cache.get(key, None) +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst +@@ -0,0 +1,6 @@ ++The presence of newline or tab characters in parts of a URL could allow ++some forms of attacks. ++ ++Following the controlling specification for URLs defined by WHATWG ++:func:`urlparse` now removes ASCII newlines and tabs from URLs, ++preventing such attacks. 
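Review bot: The `.. versionchanged:: 3.6.14` marker added to Doc/library/urlparse.rst looks carried over from another branch and does not describe this 2.7 tree; the neighbouring entries in the same section use 2.x versions (`versionadded:: 2.2`, `versionchanged:: 2.5`). Separately, `urlsplit` now rewrites both `url` and `scheme` before parsing, yet its docstring is unchanged and `_remove_unsafe_bytes_from_url` has none. I would add `"""Return url with every character in _UNSAFE_URL_BYTES_TO_REMOVE removed."""` to the helper and one sentence to the `urlsplit` docstring saying that tab, CR and LF are stripped first. That matters to callers who validate the raw string before parsing it, because the text they checked is no longer the text that is parsed.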
diff --git a/CVE-2022-45061-DoS-by-IDNA-decode.patch b/CVE-2022-45061-DoS-by-IDNA-decode.patch
new file mode 100644
index 0000000..f527a54
--- /dev/null
+++ b/CVE-2022-45061-DoS-by-IDNA-decode.patch
@@ -0,0 +1,88 @@ +From fa792ddee55dc02c6392842c8194a464339f6f1b Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 7 Nov 2022 18:57:10 -0800 +Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) + (GH-99222) + +There was an unnecessary quadratic loop in idna decoding. This restores +the behavior to linear. + +(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) + +(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) + +Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> +Co-authored-by: Gregory P. Smith +--- + Lib/encodings/idna.py | 32 ++++------ + Lib/test/test_codecs.py | 6 + + Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 + + 3 files changed, 27 insertions(+), 17 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst + +--- a/Lib/encodings/idna.py ++++ b/Lib/encodings/idna.py +@@ -39,23 +39,21 @@ def nameprep(label): + + # Check bidi + RandAL = map(stringprep.in_table_d1, label) +- for c in RandAL: +- if c: +- # There is a RandAL char in the string. Must perform further +- # tests: +- # 1) The characters in section 5.8 MUST be prohibited. +- # This is table C.8, which was already checked +- # 2) If a string contains any RandALCat character, the string +- # MUST NOT contain any LCat character. +- if filter(stringprep.in_table_d2, label): +- raise UnicodeError("Violation of BIDI requirement 2") +- +- # 3) If a string contains any RandALCat character, a +- # RandALCat character MUST be the first character of the +- # string, and a RandALCat character MUST be the last +- # character of the string. +- if not RandAL[0] or not RandAL[-1]: +- raise UnicodeError("Violation of BIDI requirement 3") ++ if any(RandAL): ++ # There is a RandAL char in the string. 
Must perform further ++ # tests: ++ # 1) The characters in section 5.8 MUST be prohibited. ++ # This is table C.8, which was already checked ++ # 2) If a string contains any RandALCat character, the string ++ # MUST NOT contain any LCat character. ++ if any(stringprep.in_table_d2(x) for x in label): ++ raise UnicodeError("Violation of BIDI requirement 2") ++ # 3) If a string contains any RandALCat character, a ++ # RandALCat character MUST be the first character of the ++ # string, and a RandALCat character MUST be the last ++ # character of the string. ++ if not RandAL[0] or not RandAL[-1]: ++ raise UnicodeError("Violation of BIDI requirement 3") + + return label + +--- a/Lib/test/test_codecs.py ++++ b/Lib/test/test_codecs.py +@@ -1318,6 +1318,12 @@ class IDNACodecTest(unittest.TestCase): + self.assertEqual(u"pyth\xf6n.org".encode("idna"), "xn--pythn-mua.org") + self.assertEqual(u"pyth\xf6n.org.".encode("idna"), "xn--pythn-mua.org.") + ++ def test_builtin_decode_length_limit(self): ++ with self.assertRaisesRegexp(UnicodeError, "too long"): ++ (b"xn--016c"+b"a"*1100).decode("idna") ++ with self.assertRaisesRegexp(UnicodeError, "too long"): ++ (b"xn--016c"+b"a"*70).decode("idna") ++ + def test_stream(self): + import StringIO + r = codecs.getreader("idna")(StringIO.StringIO("abc")) +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst +@@ -0,0 +1,6 @@ ++The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` ++related name resolution functions no longer involves a quadratic algorithm. ++This prevents a potential CPU denial of service if an out-of-spec excessive ++length hostname involving bidirectional characters were decoded. Some protocols ++such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker ++to supply such a name. diff --git a/CVE-2022-48565-plistlib-XML-vulns.patch b/CVE-2022-48565-plistlib-XML-vulns.patch new file mode 100644 index 0000000..ec6e23d --- /dev/null 
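Review bot: `test_builtin_decode_length_limit` expects a "too long" `UnicodeError`, yet the only change to Lib/encodings/idna.py in this patch is the bidi check in `nameprep`; no length limit is added in any visible hunk. The test therefore presumably depends on a length check that already exists elsewhere in the codec, and it is worth confirming which check raises and whether it fires before or after the per-label work. A direct test of `nameprep` on a label containing right-to-left characters would cover the rewritten `if any(RandAL):` branch, which the added test does not obviously reach. `nameprep` begins outside the hunk.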
+++ b/CVE-2022-48565-plistlib-XML-vulns.patch 
@@ -0,0 +1,80 @@ +From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001 +From: Ned Deily +Date: Mon, 19 Oct 2020 22:36:27 -0400 +Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files + (GH-22760) (GH-22801) + +Co-authored-by: Ronald Oussoren +(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc) + +Co-authored-by: Ned Deily +--- + Lib/plistlib.py | 10 +++++ + Lib/test/test_plistlib.py | 19 ++++++++++ + Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 + + 3 files changed, 32 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst + +--- a/Lib/plistlib.py ++++ b/Lib/plistlib.py +@@ -403,9 +403,19 @@ class PlistParser: + parser.StartElementHandler = self.handleBeginElement + parser.EndElementHandler = self.handleEndElement + parser.CharacterDataHandler = self.handleData ++ parser.EntityDeclHandler = self.handle_entity_decl + parser.ParseFile(fileobj) + return self.root + ++ def handle_entity_decl(self, entity_name, is_parameter_entity, value, ++ base, system_id, public_id, notation_name): ++ # Reject plist files with entity declarations to avoid XML ++ # vulnerabilies in expat. Regular plist files don't contain ++ # those declerations, and Apple's plutil tool does not accept ++ # them either. 
++ raise ValueError( ++ "XML entity declarations are not supported in plist files") ++ + def handleBeginElement(self, element, attrs): + self.data = [] + handler = getattr(self, "begin_" + element, None) +--- a/Lib/test/test_plistlib.py ++++ b/Lib/test/test_plistlib.py +@@ -86,6 +86,19 @@ TESTDATA = """ + """.replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs + ++XML_PLIST_WITH_ENTITY=b'''\ ++ ++ ++ ]> ++ ++ ++ A ++ &entity; ++ ++ ++''' ++ + + class TestPlistlib(unittest.TestCase): + +@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase): + self.assertEqual(test1, result1) + self.assertEqual(test2, result2) + ++ def test_xml_plist_with_entity_decl(self): ++ with self.assertRaisesRegexp(ValueError, ++ "XML entity declarations are not supported"): ++ plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY) ++ ++ + + def test_main(): + test_support.run_unittest(TestPlistlib) +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst +@@ -0,0 +1,3 @@ ++The :mod:`plistlib` module no longer accepts entity declarations in XML ++plist files to avoid XML vulnerabilities. This should not affect users as ++entity declarations are not used in regular plist files. diff --git a/CVE-2022-48566-compare_digest-more-constant.patch b/CVE-2022-48566-compare_digest-more-constant.patch new file mode 100644 index 0000000..fb4701f --- /dev/null +++ b/CVE-2022-48566-compare_digest-more-constant.patch 
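Review bot: The explanatory comment in the new `handle_entity_decl` misspells two words ("vulnerabilies", "declerations"). It is the only in-code record of why entity declarations are refused, so I would correct it to `# Reject plist files with entity declarations to avoid XML vulnerabilities in expat. Regular plist files don't contain those declarations, ...`. The method name is snake_case while the handlers registered next to it are `handleBeginElement`, `handleEndElement` and `handleData`; if nothing depends on the name as written, `handleEntityDecl` would keep the class consistent.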
@@ -0,0 +1,35 @@ +From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 14 Dec 2020 09:04:57 -0800 +Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438) + (GH-23767) + +The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization. + +(This is change GH-1 from https://bugs.python.org/issue40791 .) +(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28) + +Co-authored-by: Devin Jeanpierre +--- + Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 + + Modules/operator.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst + +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst +@@ -0,0 +1 @@ ++Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely. +\ No newline at end of file +--- a/Modules/operator.c ++++ b/Modules/operator.c +@@ -259,7 +259,7 @@ _tscmp(const unsigned char *a, const uns + volatile const unsigned char *left; + volatile const unsigned char *right; + Py_ssize_t i; +- unsigned char result; ++ volatile unsigned char result; + + /* loop count depends on length of b */ + length = len_b; diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch new file mode 100644 index 0000000..372be24 --- /dev/null +++ b/CVE-2023-24329-blank-URL-bypass.patch 
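Review bot: The new `volatile unsigned char result;` in `_tscmp` carries no comment saying why the accumulator is volatile, so the reason lives only in the commit message. I would add `/* volatile: keep the compiler from skipping the accumulation once the outcome is known */` on the declaration, so that a later cleanup does not drop the qualifier as redundant. As the NEWS entry itself says, the qualifier makes such optimisations less likely rather than impossible, so timing behaviour is still worth checking on the compilers this package is built with. `_tscmp` starts and ends outside the hunk.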
@@ -0,0 +1,84 @@ +--- + Lib/test/test_urlparse.py | 21 ++++++++++ + Lib/urlparse.py | 9 +++- + Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs | 2 + 3 files changed, 30 insertions(+), 2 deletions(-) + +Index: Python-2.7.18/Lib/test/test_urlparse.py +=================================================================== +--- Python-2.7.18.orig/Lib/test/test_urlparse.py ++++ Python-2.7.18/Lib/test/test_urlparse.py +@@ -1,4 +1,5 @@ + from test import test_support ++from urlparse import isascii + import sys + import unicodedata + import unittest +@@ -592,6 +593,26 @@ class UrlParseTestCase(unittest.TestCase + self.assertEqual(p.netloc, "www.example.net:foo") + self.assertRaises(ValueError, lambda: p.port) + ++ def do_attributes_bad_scheme(self, bytes, parse, scheme): ++ url = scheme + "://www.example.net" ++ if bytes: ++ if isascii(url): ++ url = url.encode("ascii") ++ else: ++ return ++ p = parse(url) ++ if bytes: ++ self.assertEqual(p.scheme, b"") ++ else: ++ self.assertEqual(p.scheme, "") ++ ++ def test_attributes_bad_scheme(self): ++ """Check handling of invalid schemes.""" ++ for bytes in (False, True): ++ for parse in (urlparse.urlsplit, urlparse.urlparse): ++ for scheme in (".", "+", "-", "0", "http&"): ++ self.do_attributes_bad_scheme(bytes, parse, scheme) ++ + def test_attributes_without_netloc(self): + # This example is straight from RFC 3261. 
It looks like it + # should allow the username, hostname, and port to be filled +Index: Python-2.7.18/Lib/urlparse.py +=================================================================== +--- Python-2.7.18.orig/Lib/urlparse.py ++++ Python-2.7.18/Lib/urlparse.py +@@ -31,7 +31,8 @@ test_urlparse.py provides a good indicat + import re + + __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag", +- "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"] ++ "urlsplit", "urlunsplit", "parse_qs", "parse_qsl", ++ "isascii"] + + # A classification of schemes ('' means apply by default) + uses_relative = ['ftp', 'http', 'gopher', 'nntp', 'imap', +@@ -68,6 +69,10 @@ _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r + MAX_CACHE_SIZE = 20 + _parse_cache = {} + ++# Py3k shim ++def isascii(word): ++ return all([ord(c) < 128 for c in word]) ++ + def clear_cache(): + """Clear the parse cache.""" + _parse_cache.clear() +@@ -211,7 +216,7 @@ def urlsplit(url, scheme='', allow_fragm + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and isascii(url[0]) and url[0].isalpha(): + if url[:i] == 'http': # optimize the common case + scheme = url[:i].lower() + url = url[i+1:] +Index: Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs +=================================================================== +--- /dev/null ++++ Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs +@@ -0,0 +1,2 @@ ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. diff --git a/CVE-2023-40217-avoid-ssl-pre-close.patch b/CVE-2023-40217-avoid-ssl-pre-close.patch new file mode 100644 index 0000000..b601f88 --- /dev/null +++ b/CVE-2023-40217-avoid-ssl-pre-close.patch 
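Review bot: The scheme list in `test_attributes_bad_scheme` covers `.`, `+`, `-`, `0` and `http&`, but no URL that begins with a blank, which is the case the patch file name (blank-URL-bypass) refers to. With the new guard `url[0].isalpha()` such a URL presumably parses with an empty scheme too, so callers that filter on `scheme` or `netloc` have to treat an empty result as a rejection. Extending the loop to `for scheme in (".", "+", "-", "0", "http&", " https"):` would pin down whichever result is intended. Separately, the NEWS file name ends in `.rs` rather than `.rst`, and its text names `urllib.parse.urlparse` although the patched module is `urlparse`. `urlsplit` continues outside the hunk.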
@@ -0,0 +1,330 @@ +From f0c1e55dfd28970196768a6997a6dc0eab0f5259 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Langa?= +Date: Tue, 22 Aug 2023 17:39:17 +0200 +Subject: [PATCH] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl + pre-close flaw +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake +and included protections (like certificate verification) and treating sent +unencrypted data as if it were post-handshake TLS encrypted data. + +The vulnerability is caused when a socket is connected, data is sent by the +malicious peer and stored in a buffer, and then the malicious peer closes the +socket within a small timing window before the other peers’ TLS handshake can +begin. After this sequence of events the closed socket will not immediately +attempt a TLS handshake due to not being connected but will also allow the +buffered data to be read as if a successful TLS handshake had occurred. + +Co-Authored-By: Gregory P. 
Smith [Google LLC] +--- + Lib/ssl.py | 31 ++- + Lib/test/test_ssl.py | 215 ++++++++++++++++++ + ...-08-22-17-39-12.gh-issue-108310.fVM3sg.rst | 7 + + 3 files changed, 252 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2023-08-22-17-39-12.gh-issue-108310.fVM3sg.rst + +Index: Python-2.7.18/Lib/ssl.py +=================================================================== +--- Python-2.7.18.orig/Lib/ssl.py ++++ Python-2.7.18/Lib/ssl.py +@@ -576,10 +576,13 @@ class SSLSocket(socket): + "in client mode") + if self._context.check_hostname and not server_hostname: + raise ValueError("check_hostname requires server_hostname") ++ self._closed = False ++ self._sslobj = None + self.server_side = server_side + self.server_hostname = server_hostname + self.do_handshake_on_connect = do_handshake_on_connect + self.suppress_ragged_eofs = suppress_ragged_eofs ++ sock_timeout = sock.gettimeout() + + # See if we are connected + try: +@@ -588,11 +591,38 @@ class SSLSocket(socket): + if e.errno != errno.ENOTCONN: + raise + connected = False ++ blocking = self.gettimeout() == 0 ++ self.setblocking(False) ++ try: ++ # We are not connected so this is not supposed to block, but ++ # testing revealed otherwise on macOS and Windows so we do ++ # the non-blocking dance regardless. Our raise when any data ++ # is found means consuming the data is harmless. ++ notconn_pre_handshake_data = self.recv(1) ++ except socket_error as e: ++ # EINVAL occurs for recv(1) on non-connected on unix sockets. ++ if e.errno not in (errno.ENOTCONN, errno.EINVAL): ++ raise ++ notconn_pre_handshake_data = b'' ++ self.setblocking(blocking) ++ if notconn_pre_handshake_data: ++ # This prevents pending data sent to the socket before it was ++ # closed from escaping to the caller who could otherwise ++ # presume it came through a successful TLS connection. ++ reason = "Closed before TLS handshake with data in recv buffer." 
++ notconn_pre_handshake_data_error = SSLError(e.errno, reason) ++ # Add the SSLError attributes that _ssl.c always adds. ++ notconn_pre_handshake_data_error.reason = reason ++ notconn_pre_handshake_data_error.library = None ++ try: ++ self.close() ++ except socket_error: ++ pass ++ raise notconn_pre_handshake_data_error + else: + connected = True + +- self._closed = False +- self._sslobj = None ++ self.settimeout(sock_timeout) # Must come after setblocking() calls. + self._connected = connected + if connected: + # create the SSL object +Index: Python-2.7.18/Lib/test/test_ssl.py +=================================================================== +--- Python-2.7.18.orig/Lib/test/test_ssl.py ++++ Python-2.7.18/Lib/test/test_ssl.py +@@ -20,6 +20,8 @@ import traceback + import weakref + import platform + import re ++import struct ++import httplib + import functools + from contextlib import closing + +@@ -3262,6 +3264,217 @@ else: + self.assertRaises(ValueError, s.write, b'hello') + + ++def set_socket_so_linger_on_with_zero_timeout(sock): ++ sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)) ++ ++ ++class TestPreHandshakeClose(unittest.TestCase): ++ """Verify behavior of close sockets with received data before to the handshake. 
++ """ ++ ++ class SingleConnectionTestServerThread(threading.Thread): ++ ++ def __init__(self, name=None, call_after_accept=None): ++ self.call_after_accept = call_after_accept ++ self.received_data = b'' # set by .run() ++ self.wrap_error = None # set by .run() ++ self.listener = None # set by .start() ++ self.port = None # set by .start() ++ super().__init__(name=name) ++ ++ def __enter__(self): ++ self.start() ++ return self ++ ++ def __exit__(self, *args): ++ try: ++ if self.listener: ++ self.listener.close() ++ except OSError: ++ pass ++ self.join() ++ self.wrap_error = None # avoid dangling references ++ ++ def start(self): ++ self.ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) ++ self.ssl_ctx.verify_mode = ssl.CERT_REQUIRED ++ self.ssl_ctx.load_verify_locations(cafile=ONLYCERT) ++ self.ssl_ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY) ++ self.listener = socket.socket() ++ self.port = support.bind_port(self.listener) ++ self.listener.settimeout(2.0) ++ self.listener.listen(1) ++ super().start() ++ ++ def run(self): ++ conn, address = self.listener.accept() ++ self.listener.close() ++ with conn: ++ if self.call_after_accept(conn): ++ return ++ try: ++ tls_socket = self.ssl_ctx.wrap_socket(conn, server_side=True) ++ except OSError as err: # ssl.SSLError inherits from OSError ++ self.wrap_error = err ++ else: ++ try: ++ self.received_data = tls_socket.recv(400) ++ except OSError: ++ pass # closed, protocol error, etc. ++ ++ def non_linux_skip_if_other_okay_error(self, err): ++ if sys.platform == "linux": ++ return # Expect the full test setup to always work on Linux. ++ if (isinstance(err, ConnectionResetError) or ++ (isinstance(err, OSError) and err.errno == errno.EINVAL) or ++ re.search('wrong.version.number', getattr(err, "reason", ""), re.I)): ++ # On Windows the TCP RST leads to a ConnectionResetError ++ # (ECONNRESET) which Linux doesn't appear to surface to userspace. 
++ # If wrap_socket() winds up on the "if connected:" path and doing ++ # the actual wrapping... we get an SSLError from OpenSSL. Typically ++ # WRONG_VERSION_NUMBER. While appropriate, neither is the scenario ++ # we're specifically trying to test. The way this test is written ++ # is known to work on Linux. We'll skip it anywhere else that it ++ # does not present as doing so. ++ self.skipTest("Could not recreate conditions on %s: %s" % (sys.platform, err)) ++ # If maintaining this conditional winds up being a problem. ++ # just turn this into an unconditional skip anything but Linux. ++ # The important thing is that our CI has the logic covered. ++ ++ def test_preauth_data_to_tls_server(self): ++ server_accept_called = threading.Event() ++ ready_for_server_wrap_socket = threading.Event() ++ ++ def call_after_accept(unused): ++ server_accept_called.set() ++ if not ready_for_server_wrap_socket.wait(2.0): ++ raise RuntimeError("wrap_socket event never set, test may fail.") ++ return False # Tell the server thread to continue. ++ ++ server = self.SingleConnectionTestServerThread( ++ call_after_accept=call_after_accept, ++ name="preauth_data_to_tls_server") ++ server.__enter__() # starts it ++ self.addCleanup(server.__exit__) # ... & unittest.TestCase stops it. ++ ++ with socket.socket() as client: ++ client.connect(server.listener.getsockname()) ++ # This forces an immediate connection close via RST on .close(). ++ set_socket_so_linger_on_with_zero_timeout(client) ++ client.setblocking(False) ++ ++ server_accept_called.wait() ++ client.send(b"DELETE /data HTTP/1.0\r\n\r\n") ++ client.close() # RST ++ ++ ready_for_server_wrap_socket.set() ++ server.join() ++ wrap_error = server.wrap_error ++ self.assertEqual(b"", server.received_data) ++ self.assertIsInstance(wrap_error, OSError) # All platforms. 
++ self.non_linux_skip_if_other_okay_error(wrap_error) ++ self.assertIsInstance(wrap_error, ssl.SSLError) ++ self.assertIn("before TLS handshake with data", wrap_error.args[1]) ++ self.assertIn("before TLS handshake with data", wrap_error.reason) ++ self.assertNotEqual(0, wrap_error.args[0]) ++ self.assertIsNone(wrap_error.library, msg="attr must exist") ++ ++ def test_preauth_data_to_tls_client(self): ++ client_can_continue_with_wrap_socket = threading.Event() ++ ++ def call_after_accept(conn_to_client): ++ # This forces an immediate connection close via RST on .close(). ++ set_socket_so_linger_on_with_zero_timeout(conn_to_client) ++ conn_to_client.send( ++ b"HTTP/1.0 307 Temporary Redirect\r\n" ++ b"Location: https://example.com/someone-elses-server\r\n" ++ b"\r\n") ++ conn_to_client.close() # RST ++ client_can_continue_with_wrap_socket.set() ++ return True # Tell the server to stop. ++ ++ server = self.SingleConnectionTestServerThread( ++ call_after_accept=call_after_accept, ++ name="preauth_data_to_tls_client") ++ server.__enter__() # starts it ++ self.addCleanup(server.__exit__) # ... & unittest.TestCase stops it. ++ ++ # Redundant; call_after_accept sets SO_LINGER on the accepted conn. ++ set_socket_so_linger_on_with_zero_timeout(server.listener) ++ ++ with socket.socket() as client: ++ client.connect(server.listener.getsockname()) ++ if not client_can_continue_with_wrap_socket.wait(2.0): ++ self.fail("test server took too long.") ++ ssl_ctx = ssl.create_default_context() ++ try: ++ tls_client = ssl_ctx.wrap_socket( ++ client, server_hostname="localhost") ++ except OSError as err: # SSLError inherits from OSError ++ wrap_error = err ++ received_data = b"" ++ else: ++ wrap_error = None ++ received_data = tls_client.recv(400) ++ tls_client.close() ++ ++ server.join() ++ self.assertEqual(b"", received_data) ++ self.assertIsInstance(wrap_error, OSError) # All platforms. 
++ self.non_linux_skip_if_other_okay_error(wrap_error) ++ self.assertIsInstance(wrap_error, ssl.SSLError) ++ self.assertIn("before TLS handshake with data", wrap_error.args[1]) ++ self.assertIn("before TLS handshake with data", wrap_error.reason) ++ self.assertNotEqual(0, wrap_error.args[0]) ++ self.assertIsNone(wrap_error.library, msg="attr must exist") ++ ++ def test_https_client_non_tls_response_ignored(self): ++ ++ server_responding = threading.Event() ++ ++ class SynchronizedHTTPSConnection(httplib.HTTPSConnection): ++ def connect(self): ++ httplib.HTTPConnection.connect(self) ++ # Wait for our fault injection server to have done its thing. ++ if not server_responding.wait(1.0) and support.verbose: ++ sys.stdout.write("server_responding event never set.") ++ self.sock = self._context.wrap_socket( ++ self.sock, server_hostname=self.host) ++ ++ def call_after_accept(conn_to_client): ++ # This forces an immediate connection close via RST on .close(). ++ set_socket_so_linger_on_with_zero_timeout(conn_to_client) ++ conn_to_client.send( ++ b"HTTP/1.0 402 Payment Required\r\n" ++ b"\r\n") ++ conn_to_client.close() # RST ++ server_responding.set() ++ return True # Tell the server to stop. ++ ++ server = self.SingleConnectionTestServerThread( ++ call_after_accept=call_after_accept, ++ name="non_tls_http_RST_responder") ++ server.__enter__() # starts it ++ self.addCleanup(server.__exit__) # ... & unittest.TestCase stops it. ++ # Redundant; call_after_accept sets SO_LINGER on the accepted conn. ++ set_socket_so_linger_on_with_zero_timeout(server.listener) ++ ++ connection = SynchronizedHTTPSConnection( ++ "localhost", ++ port=server.port, ++ context=ssl.create_default_context(), ++ timeout=2.0, ++ ) ++ # There are lots of reasons this raises as desired, long before this ++ # test was added. Sending the request requires a successful TLS wrapped ++ # socket; that fails if the connection is broken. It may seem pointless ++ # to test this. 
It serves as an illustration of something that we never ++ # want to happen... properly not happening. ++ with self.assertRaises(OSError) as err_ctx: ++ connection.request("HEAD", "/test", headers={"Host": "localhost"}) ++ response = connection.getresponse() ++ ++ + def test_main(verbose=False): + if support.verbose: + plats = { +Index: Python-2.7.18/Misc/NEWS.d/next/Security/2023-08-22-17-39-12.gh-issue-108310.fVM3sg.rst +=================================================================== +--- /dev/null ++++ Python-2.7.18/Misc/NEWS.d/next/Security/2023-08-22-17-39-12.gh-issue-108310.fVM3sg.rst +@@ -0,0 +1,7 @@ ++Fixed an issue where instances of :class:`ssl.SSLSocket` were vulnerable to ++a bypass of the TLS handshake and included protections (like certificate ++verification) and treating sent unencrypted data as if it were ++post-handshake TLS encrypted data. Security issue reported as ++`CVE-2023-40217 ++`_ by ++Aapo Oksman. Patch by Gregory P. Smith. diff --git a/PygmentsBridge-trime_doctest_flags.patch b/PygmentsBridge-trime_doctest_flags.patch new file mode 100644 index 0000000..0dbdea4 --- /dev/null +++ b/PygmentsBridge-trime_doctest_flags.patch 
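Review bot: The new `TestPreHandshakeClose` tests use Python 3 constructs although the patched tree is Python-2.7.18: zero-argument `super()`, `with socket.socket() as client:` and `with conn:`, `ConnectionResetError`, `sys.platform == "linux"`, and `except OSError` to catch `ssl.SSLError`. On 2.7 these presumably raise before any assertion is reached, so the regression tests would not exercise the pre-handshake check added to `SSLSocket.__init__`. The server thread could be ported as sketched below, with the same substitutions (`closing(...)`, `socket.error`) applied in the three test methods. Separately, in `Lib/ssl.py` the line `blocking = self.gettimeout() == 0` is true only for a non-blocking socket, so the flag is inverted; `blocking = self.gettimeout() != 0` matches the name, even though the later `settimeout(sock_timeout)` restores the final state.

```python
    class SingleConnectionTestServerThread(threading.Thread):

        def __init__(self, name=None, call_after_accept=None):
            # ... unchanged: attribute initialisation ...
            # Python 2.7 has no zero-argument super().
            threading.Thread.__init__(self, name=name)

        def start(self):
            # ... unchanged: SSL context and listener setup ...
            threading.Thread.start(self)

        def run(self):
            # ... unchanged: accept and listener close ...
            with closing(conn):  # 2.7 sockets are not context managers
                # ... unchanged: call_after_accept check ...
                try:
                    tls_socket = self.ssl_ctx.wrap_socket(conn, server_side=True)
                except socket.error as err:  # ssl.SSLError derives from socket.error on 2.7
                    self.wrap_error = err
                # ... unchanged: else branch, catching socket.error instead of OSError ...
```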
@@ -0,0 +1,28 @@ +--- + Doc/tools/extensions/pyspecific.py | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/Doc/tools/extensions/pyspecific.py ++++ b/Doc/tools/extensions/pyspecific.py +@@ -31,14 +31,17 @@ Body.enum.converters['loweralpha'] = \ + # doctest docs themselves + orig_visit_literal_block = HTMLTranslator.visit_literal_block + def new_visit_literal_block(self, node): ++ old_trim_doctest_flags = None + meta = self.builder.env.metadata[self.builder.current_docname] +- old_trim_doctest_flags = self.highlighter.trim_doctest_flags +- if 'keepdoctest' in meta: +- self.highlighter.trim_doctest_flags = False ++ if hasattr(self.highlighter, 'trim_doctest_flags'): ++ old_trim_doctest_flags = self.highlighter.trim_doctest_flags ++ if 'keepdoctest' in meta: ++ self.highlighter.trim_doctest_flags = False + try: + orig_visit_literal_block(self, node) + finally: +- self.highlighter.trim_doctest_flags = old_trim_doctest_flags ++ if old_trim_doctest_flags is not None: ++ self.highlighter.trim_doctest_flags = old_trim_doctest_flags + + HTMLTranslator.visit_literal_block = new_visit_literal_block + diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..e4ef2c8 --- /dev/null +++ b/README.SUSE 
@@ -0,0 +1,21 @@ +Python in SUSE +============== + +* Documentation * + +You can find documentation in seprarate packages: python-doc and +python-doc-pdf. These contan following documents: + + Tutorial, What's New in Python, Global Module Index, Library Reference, + Macintosh Module Reference, Installing Python Modules, Distributing Python + Modules, Language Reference, Extending and Embedding, Python/C API, + Documenting Python + +The python-doc package constains many text files from source tarball. + + +* Interactive mode * + +Interactive mode is by default enhanced with of history and command completion. +If you don't like these features, you can unset PYTHONSTARTUP variable in your +.profile or disable it system wide in /etc/profile.d/python.sh. diff --git a/adapted-from-F00251-change-user-install-location.patch b/adapted-from-F00251-change-user-install-location.patch new file mode 100644 index 0000000..92309d2 --- /dev/null +++ b/adapted-from-F00251-change-user-install-location.patch 
@@ -0,0 +1,40 @@ +Index: Python-2.7.17/Lib/distutils/command/install.py +=================================================================== +--- Python-2.7.17.orig/Lib/distutils/command/install.py ++++ Python-2.7.17/Lib/distutils/command/install.py +@@ -431,8 +431,18 @@ class install (Command): + raise DistutilsOptionError, \ + "must not supply exec-prefix without prefix" + +- self.prefix = os.path.normpath(sys.prefix) +- self.exec_prefix = os.path.normpath(sys.exec_prefix) ++ # self.prefix is set to sys.prefix + /local/ ++ # if neither RPM build nor virtual environment is ++ # detected to make pip and distutils install packages ++ # into the separate location. ++ if (not hasattr(sys, 'real_prefix') and ++ 'RPM_BUILD_ROOT' not in os.environ): ++ addition = "/local" ++ else: ++ addition = "" ++ ++ self.prefix = os.path.normpath(sys.prefix) + addition ++ self.exec_prefix = os.path.normpath(sys.exec_prefix) + addition + + else: + if self.exec_prefix is None: +Index: Python-2.7.17/Lib/site.py +=================================================================== +--- Python-2.7.17.orig/Lib/site.py ++++ Python-2.7.17/Lib/site.py +@@ -291,6 +291,10 @@ def getsitepackages(): + sitepackages = [] + seen = set() + ++ # '/usr/local' is included in PREFIXES if RPM build is not detected ++ # to make packages installed into this location visible. ++ if ENABLE_USER_SITE and 'RPM_BUILD_ROOT' not in os.environ: ++ PREFIXES.insert(0, "/usr/local") + for prefix in PREFIXES: + if not prefix or prefix in seen: + continue diff --git a/bpo34990-2038-problem-compileall.patch b/bpo34990-2038-problem-compileall.patch new file mode 100644 index 0000000..5765be8 --- /dev/null +++ b/bpo34990-2038-problem-compileall.patch 
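Review bot: In `getsitepackages` the added `PREFIXES.insert(0, "/usr/local")` mutates the module-level list on every call, so each call adds another entry. The `seen` set hides the duplicates in the returned list, but `PREFIXES` itself keeps growing and stays changed for any other reader. A local copy keeps the effect scoped: `prefixes = list(PREFIXES)`, then `prefixes.insert(0, "/usr/local")` under the same condition, and `for prefix in prefixes:`. Putting `/usr/local` first presumably also gives its site-packages precedence over the distribution's, and both this hunk and the one in `install.py` switch on the `RPM_BUILD_ROOT` environment variable, which the comment should state. `getsitepackages` continues outside the hunk.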
@@ -0,0 +1,142 @@ +From 9d3b6b2472f7c7ef841e652825de652bc8af85d7 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 24 Aug 2021 08:07:31 -0700 +Subject: [PATCH] [3.9] bpo-34990: Treat the pyc header's mtime in compileall + as an unsigned int (GH-19708) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(cherry picked from commit bb21e28fd08f894ceff2405544a2f257d42b1354) + +Co-authored-by: Ammar Askar +Co-authored-by: Stéphane Wirtel + +ported to python-2.7 by Bernhard M. Wiedemann + +diff --git a/Lib/compileall.py b/Lib/compileall.py +index 5cfa8be..193147e 100644 +--- a/Lib/compileall.py ++++ b/Lib/compileall.py +@@ -85,7 +85,7 @@ def compile_file(fullname, ddir=None, force=0, rx=None, quiet=0): + if not force: + try: + mtime = int(os.stat(fullname).st_mtime) +- expect = struct.pack('<4sl', imp.get_magic(), mtime) ++ expect = struct.pack('<4sL', imp.get_magic(), mtime & 0xFFFFFFFF) + cfile = fullname + (__debug__ and 'c' or 'o') + with open(cfile, 'rb') as chandle: + actual = chandle.read(8) +diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py +index d3a26db..0907f59 100644 +--- a/Lib/test/test_compileall.py ++++ b/Lib/test/test_compileall.py +@@ -28,7 +28,7 @@ class CompileallTests(unittest.TestCase): + with open(self.bc_path, 'rb') as file: + data = file.read(8) + mtime = int(os.stat(self.source_path).st_mtime) +- compare = struct.pack('<4sl', imp.get_magic(), mtime) ++ compare = struct.pack('<4sL', imp.get_magic(), mtime & 0xFFFFFFFF) + return data, compare + + @unittest.skipUnless(hasattr(os, 'stat'), 'test needs os.stat()') +@@ -48,7 +48,7 @@ class CompileallTests(unittest.TestCase): + + def test_mtime(self): + # Test a change in mtime leads to a new .pyc. 
+- self.recreation_check(struct.pack('<4sl', imp.get_magic(), 1)) ++ self.recreation_check(struct.pack('<4sL', imp.get_magic(), 1)) + + def test_magic_number(self): + # Test a change in mtime leads to a new .pyc. +diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py +index a66738a..e333582 100644 +--- a/Lib/test/test_zipimport.py ++++ b/Lib/test/test_zipimport.py +@@ -27,13 +27,7 @@ raise_src = 'def do_raise(): raise TypeError\n' + + def make_pyc(co, mtime): + data = marshal.dumps(co) +- if type(mtime) is type(0.0): +- # Mac mtimes need a bit of special casing +- if mtime < 0x7fffffff: +- mtime = int(mtime) +- else: +- mtime = int(-0x100000000L + long(mtime)) +- pyc = imp.get_magic() + struct.pack(" +Date: 2022-09-13 + +More y2038 fixes that are only needed for python2.7 + +diff --git a/Lib/compiler/pycodegen.py b/Lib/compiler/pycodegen.py +index 6515945..21d52bb 100644 +--- a/Lib/compiler/pycodegen.py ++++ b/Lib/compiler/pycodegen.py +@@ -128,7 +128,7 @@ class Module(AbstractCompileMode): + # to indicate the type of the value. simplest way to get the + # same effect is to call marshal and then skip the code. 
+ mtime = os.path.getmtime(self.filename) +- mtime = struct.pack(' +Date: Fri, 1 Mar 2019 21:44:24 +0300 +Subject: [PATCH] Fix AttributeError on sysconfig._CONFIG_VARS.clear() if + test_site is run separately + +--- + Lib/test/test_site.py | 4 +++- + .../next/Tests/2019-03-01-21-45-13.bpo-36160.4JjrqB.rst | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Tests/2019-03-01-21-45-13.bpo-36160.4JjrqB.rst + +--- a/Lib/test/test_site.py ++++ b/Lib/test/test_site.py +@@ -47,6 +47,9 @@ def setUpModule(): + else: + raise + ++ # sysconfig._CONFIG_VARS is None until the first call to this function ++ sysconfig.get_config_vars() ++ + + def tearDownModule(): + sys.path[:] = OLD_SYS_PATH +--- /dev/null ++++ b/Misc/NEWS.d/next/Tests/2019-03-01-21-45-13.bpo-36160.4JjrqB.rst +@@ -0,0 +1,2 @@ ++Fix AttributeError on sysconfig._CONFIG_VARS.clear() if test_site is run ++separately diff --git a/bpo36302-sort-module-sources.patch b/bpo36302-sort-module-sources.patch new file mode 100644 index 0000000..99cda23 --- /dev/null +++ b/bpo36302-sort-module-sources.patch @@ -0,0 +1,13 @@ +diff --git a/Lib/distutils/command/build_ext.py b/Lib/distutils/command/build_ext.py +index 86a85c1..66bf0c2 100644 +--- a/Lib/distutils/command/build_ext.py ++++ b/Lib/distutils/command/build_ext.py +@@ -455,7 +455,7 @@ class build_ext (Command): + ("in 'ext_modules' option (extension '%s'), " + + "'sources' must be present and must be " + + "a list of source filenames") % ext.name +- sources = list(sources) ++ sources = sorted(sources) + + ext_path = self.get_ext_fullpath(ext.name) + depends = sources + ext.depends diff --git a/configure_PYTHON_FOR_REGEN.patch b/configure_PYTHON_FOR_REGEN.patch new file mode 100644 index 0000000..4544e19 --- /dev/null +++ b/configure_PYTHON_FOR_REGEN.patch 
@@ -0,0 +1,11 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -19,7 +19,7 @@ AC_SUBST(host) + # pybuilddir.txt will be created by --generate-posix-vars in the Makefile + rm -f pybuilddir.txt + +-AC_CHECK_PROGS(PYTHON_FOR_REGEN, python$PACKAGE_VERSION python3 python, python3) ++AC_CHECK_PROGS(PYTHON_FOR_REGEN, python$PACKAGE_VERSION python python2, python) + AC_SUBST(PYTHON_FOR_REGEN) + + if test "$cross_compiling" = yes; then diff --git a/do-not-use-non-ascii-in-test_ssl.patch b/do-not-use-non-ascii-in-test_ssl.patch new file mode 100644 index 0000000..4119f6b --- /dev/null +++ b/do-not-use-non-ascii-in-test_ssl.patch @@ -0,0 +1,15 @@ +--- + Lib/test/test_ssl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -1052,7 +1052,7 @@ class ContextTests(unittest.TestCase): + + + def test_load_dh_params(self): +- filename = u'dhpäräm.pem' ++ filename = u'dhparam.pem' + fs_encoding = sys.getfilesystemencoding() + try: + filename.encode(fs_encoding) diff --git a/idle.appdata.xml b/idle.appdata.xml new file mode 100644 index 0000000..77d7744 --- /dev/null +++ b/idle.appdata.xml @@ -0,0 +1,35 @@ + + + + + idle.desktop + IDLE + CC0 + Python-2.0 + Python Integrated Development and Learning Environment + +

+ IDLE is Python’s Integrated Development and Learning Environment. + The GUI is uniform between Windows, Unix, and Mac OS X. + IDLE provides an easy way to start writing, running, and debugging + Python code. +

+

+ IDLE is written in pure Python, and uses the tkinter GUI toolkit. + It provides: +

+
    +
  • a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,
  • +
  • a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,
  • +
  • search within any window, replace within editor windows, and search through multiple files (grep),
  • +
  • a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.
  • +
+
+ https://docs.python.org/2.7/library/idle.html + + http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png + http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png + http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png + + zbyszek@in.waw.pl +
diff --git a/idle.desktop b/idle.desktop new file mode 100644 index 0000000..ec73f81 --- /dev/null +++ b/idle.desktop @@ -0,0 +1,12 @@ +[Desktop Entry] +Version=1.0 +Name=IDLE +GenericName=Python IDE +Comment=Python 2.7 Integrated Development and Learning Environment +Exec=idle %F +TryExec=idle +Terminal=false +Type=Application +Icon=idle +Categories=Development;IDE; +MimeType=text/x-python; diff --git a/openssl-111-middlebox-compat.patch b/openssl-111-middlebox-compat.patch new file mode 100644 index 0000000..1f93dd2 --- /dev/null +++ b/openssl-111-middlebox-compat.patch @@ -0,0 +1,30 @@ +From 4fa35e8b1ebb2a8e88ba7c4c9cd2a17b35638ee6 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Fri, 28 Sep 2018 16:34:16 +0100 +Subject: [PATCH] bpo-34834: Fix test_ssl.test_options to account for + OP_ENABLE_MIDDLEBOX_COMPAT. + +Signed-off-by: Dimitri John Ledkov + +https://bugs.python.org/issue34834 +--- + Lib/test/test_ssl.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -838,8 +838,12 @@ class ContextTests(unittest.TestCase): + default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) + # SSLContext also enables these by default + default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | +- OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | +- OP_ENABLE_MIDDLEBOX_COMPAT) ++ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) ++ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): ++ # define MIDDLEBOX constant, as python2.7 does not know about it ++ # but it is used by default. ++ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L ++ default |= OP_ENABLE_MIDDLEBOX_COMPAT + self.assertEqual(default, ctx.options) + ctx.options |= ssl.OP_NO_TLSv1 + self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) diff --git a/openssl-111-ssl_options.patch b/openssl-111-ssl_options.patch new file mode 100644 index 0000000..e2e4834 --- /dev/null +++ b/openssl-111-ssl_options.patch 
@@ -0,0 +1,21 @@ +--- + Lib/test/test_ssl.py | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -838,12 +838,8 @@ class ContextTests(unittest.TestCase): + default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) + # SSLContext also enables these by default + default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | +- ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE) +- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): +- # define MIDDLEBOX constant, as python2.7 does not know about it +- # but it is used by default. +- OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L +- default |= OP_ENABLE_MIDDLEBOX_COMPAT ++ OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | ++ OP_ENABLE_MIDDLEBOX_COMPAT) + self.assertEqual(default, ctx.options) + ctx.options |= ssl.OP_NO_TLSv1 + self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) diff --git a/python-2.5.1-sqlite.patch b/python-2.5.1-sqlite.patch new file mode 100644 index 0000000..48fad70 --- /dev/null +++ b/python-2.5.1-sqlite.patch @@ -0,0 +1,12 @@ +--- a/Modules/_sqlite/cursor.c ++++ b/Modules/_sqlite/cursor.c +@@ -829,6 +829,9 @@ PyObject* pysqlite_cursor_executescript( + goto error; + } + ++ if (! statement) ++ break; ++ + /* execute statement, and ignore results of SELECT statements */ + rc = SQLITE_ROW; + while (rc == SQLITE_ROW) { diff --git a/python-2.6-gettext-plurals.patch b/python-2.6-gettext-plurals.patch new file mode 100644 index 0000000..45d458d --- /dev/null +++ b/python-2.6-gettext-plurals.patch 
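Review bot: The added `if (! statement) break;` in `pysqlite_cursor_executescript` has no comment saying when the prepared statement can be NULL once the error check above it has passed. Presumably this is the case where the remaining script text holds no SQL (only whitespace or comments), which the loop below would otherwise try to step. A one-line comment such as `/* prepare succeeded but produced no statement: nothing left to execute */` would record that. The function starts and ends outside the hunk.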
@@ -0,0 +1,14 @@ +--- a/Lib/gettext.py ++++ b/Lib/gettext.py +@@ -387,8 +387,9 @@ class GNUTranslations(NullTranslations): + self._charset = v.split('charset=')[1] + elif k == 'plural-forms': + v = v.split(';') +- plural = v[1].split('plural=')[1] +- self.plural = c2py(plural) ++ if len(v) > 1: ++ plural = v[1].split('plural=')[1] ++ self.plural = c2py(plural) + # Note: we unconditionally convert both msgids and msgstrs to + # Unicode using the character encoding specified in the charset + # parameter of the Content-Type header. The gettext documentation diff --git a/python-2.6b3-curses-panel.patch b/python-2.6b3-curses-panel.patch new file mode 100644 index 0000000..37418a7 --- /dev/null +++ b/python-2.6b3-curses-panel.patch @@ -0,0 +1,11 @@ +--- a/Modules/_curses_panel.c ++++ b/Modules/_curses_panel.c +@@ -14,7 +14,7 @@ + + #include "py_curses.h" + +-#include ++#include + + static PyObject *PyCursesError; + diff --git a/python-2.7-dirs.patch b/python-2.7-dirs.patch new file mode 100644 index 0000000..272e004 --- /dev/null +++ b/python-2.7-dirs.patch @@ -0,0 +1,11 @@ +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -110,7 +110,7 @@ LIBDIR= @libdir@ + MANDIR= @mandir@ + INCLUDEDIR= @includedir@ + CONFINCLUDEDIR= $(exec_prefix)/include +-SCRIPTDIR= $(prefix)/lib ++SCRIPTDIR= @libdir@ + + # Detailed destination directories + BINLIBDEST= $(LIBDIR)/python$(VERSION) diff --git a/python-2.7-libffi-aarch64.patch b/python-2.7-libffi-aarch64.patch new file mode 100644 index 0000000..86f2b51 --- /dev/null +++ b/python-2.7-libffi-aarch64.patch 
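Review bot: The new `len(v) > 1` guard still lets `v[1].split('plural=')[1]` raise `IndexError` when the second field of the `plural-forms` header does not contain `plural=`, so a malformed catalog header can still abort loading. Splitting once and checking the result inside the existing guard closes that: `parts = v[1].split('plural=')` followed by `if len(parts) > 1: self.plural = c2py(parts[1])`. The enclosing method starts and ends outside the hunk.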
@@ -0,0 +1,13 @@
+Index: Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c
+===================================================================
+--- Python-2.7.9.orig/Modules/_ctypes/libffi/src/aarch64/ffi.c
++++ Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c
+@@ -728,7 +728,7 @@ aarch64_prep_args (struct call_context *
+ state.ngrn = N_X_ARG_REG;
+
+ memcpy (allocate_to_stack (&state, stack, ty->alignment,
+- ty->size), ecif->avalue + i, ty->size);
++ ty->size), ecif->avalue[i], ty->size);
+ }
+ break;
+
diff --git a/python-2.7.17-switch-off-failing-SSL-tests.patch b/python-2.7.17-switch-off-failing-SSL-tests.patch
new file mode 100644
index 0000000..a388fa7
--- /dev/null
+++ b/python-2.7.17-switch-off-failing-SSL-tests.patch
@@ -0,0 +1,25 @@
+---
+ Lib/test/test_ssl.py | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -152,9 +152,7 @@ def skip_if_broken_ubuntu_ssl(func):
+ try:
+ ssl.SSLContext(ssl.PROTOCOL_SSLv2)
+ except ssl.SSLError:
+- if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
+- platform.linux_distribution() == ('debian', 'squeeze/sid', '')):
+- raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
++ raise unittest.SkipTest("Test fails on SLE-12")
+ return func(*args, **kwargs)
+ return f
+ else:
+@@ -1280,6 +1278,7 @@ class ContextTests(unittest.TestCase):
+ self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
+ self._assert_context_options(ctx)
+
++ @unittest.skip("Test fails on SLE-12")
+ def test__https_verify_certificates(self):
+ # Unit test to check the contect factory mapping
+ # The factories themselves are tested above
diff --git a/python-2.7.2-fix_date_time_compiler.patch b/python-2.7.2-fix_date_time_compiler.patch
new file mode 100644
index 0000000..894dee1
--- /dev/null
+++ b/python-2.7.2-fix_date_time_compiler.patch
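Review bot: `@unittest.skip("Test fails on SLE-12")` on `test__https_verify_certificates` is unconditional, so the test that, by its name and comment, checks the HTTPS context-factory mapping no longer runs on any target this package is built for, and a regression in that default would pass the suite unnoticed. The same widening happens in `skip_if_broken_ubuntu_ssl`, where every `ssl.SSLError` from `ssl.SSLContext(ssl.PROTOCOL_SSLv2)` now skips the decorated test instead of only the one known-bad OpenSSL build. A condition tied to the reason would keep coverage elsewhere, e.g. `@unittest.skipIf(<SLE-12 check>, "Test fails on SLE-12")`, where the check is a placeholder for however the build identifies that target. The skip message should also name the failing behaviour or a bug reference so the skip can be removed later.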
@@ -0,0 +1,18 @@
+--- a/Makefile.pre.in
++++ b/Makefile.pre.in
+@@ -647,8 +647,15 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \
+ -DGITVERSION="\"`LC_ALL=C $(GITVERSION)`\"" \
+ -DGITTAG="\"`LC_ALL=C $(GITTAG)`\"" \
+ -DGITBRANCH="\"`LC_ALL=C $(GITBRANCH)`\"" \
++ -DDATE="\"`LC_ALL=C date -u -r Makefile.pre.in +"%b %d %Y"`\"" \
++ -DTIME="\"`LC_ALL=C date -u -r Makefile.pre.in +"%T"`\"" \
+ -o $@ $(srcdir)/Modules/getbuildinfo.c
+
++Python/getcompiler.o: $(srcdir)/Python/getcompiler.c Makefile
++ $(CC) -c $(PY_CFLAGS) \
++ -DCOMPILER='"[GCC]"' \
++ -o $@ $(srcdir)/Python/getcompiler.c
++
+ Modules/getpath.o: $(srcdir)/Modules/getpath.c Makefile
+ $(CC) -c $(PY_CFLAGS) -DPYTHONPATH='"$(PYTHONPATH)"' \
+ -DPREFIX='"$(prefix)"' \
diff --git a/python-2.7.4-canonicalize2.patch b/python-2.7.4-canonicalize2.patch
new file mode 100644
index 0000000..22840bf
--- /dev/null
+++ b/python-2.7.4-canonicalize2.patch
@@ -0,0 +1,85 @@ +--- + Python/sysmodule.c | 26 +++++++++++++++++++------- + configure.ac | 2 +- + pyconfig.h.in | 3 +++ + 3 files changed, 23 insertions(+), 8 deletions(-) + +--- a/Python/sysmodule.c ++++ b/Python/sysmodule.c +@@ -1638,7 +1638,20 @@ PySys_SetArgvEx(int argc, char **argv, i + char *p = NULL; + Py_ssize_t n = 0; + PyObject *a; +-#ifdef HAVE_READLINK ++#ifdef HAVE_CANONICALIZE_FILE_NAME ++ int errnum; ++ ++ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { ++ argv0 = canonicalize_file_name(argv0); ++ if (argv0 == NULL) argv0 = strdup(argv[0]); ++ } ++#elif defined(HAVE_REALPATH) ++ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { ++ if (realpath(argv0, fullpath)) { ++ argv0 = fullpath; ++ } ++ } ++#elif defined(HAVE_READLINK) + char link[MAXPATHLEN+1]; + char argv0copy[2*MAXPATHLEN+1]; + int nr = 0; +@@ -1665,7 +1678,8 @@ PySys_SetArgvEx(int argc, char **argv, i + } + } + } +-#endif /* HAVE_READLINK */ ++#endif /* resolve method selection */ ++ + #if SEP == '\\' /* Special case for MS filename syntax */ + if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { + char *q; +@@ -1694,11 +1708,6 @@ PySys_SetArgvEx(int argc, char **argv, i + } + #else /* All other filename syntaxes */ + if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { +-#if defined(HAVE_REALPATH) +- if (realpath(argv0, fullpath)) { +- argv0 = fullpath; +- } +-#endif + p = strrchr(argv0, SEP); + } + if (p != NULL) { +@@ -1716,6 +1725,9 @@ PySys_SetArgvEx(int argc, char **argv, i + a = PyString_FromStringAndSize(argv0, n); + if (a == NULL) + Py_FatalError("no mem for sys.path insertion"); ++#ifdef HAVE_CANONICALIZE_FILE_NAME ++ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) free(argv0); ++#endif /* HAVE_CANONICALIZE_FILE_NAME */ + if (PyList_Insert(path, 0, a) < 0) + Py_FatalError("sys.path.insert(0) failed"); + Py_DECREF(a); +--- a/configure.ac ++++ b/configure.ac +@@ -3165,7 +3165,7 @@ AC_CHECK_FUNCS(alarm setitimer getitimer + 
getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \ + initgroups kill killpg lchown lstat mkfifo mknod mktime mmap \ + mremap nice pathconf pause plock poll pthread_init \ +- putenv readlink realpath \ ++ putenv readlink realpath canonicalize_file_name \ + select sem_open sem_timedwait sem_getvalue sem_unlink setegid seteuid \ + setgid \ + setlocale setregid setreuid setsid setpgid setpgrp setuid setvbuf snprintf \ +--- a/pyconfig.h.in ++++ b/pyconfig.h.in +@@ -109,6 +109,9 @@ + /* Define to 1 if you have the 'chflags' function. */ + #undef HAVE_CHFLAGS + ++/* Define to 1 if you have the `canonicalize_file_name' function. */ ++#undef HAVE_CANONICALIZE_FILE_NAME ++ + /* Define to 1 if you have the `chown' function. */ + #undef HAVE_CHOWN + diff --git a/python-2.7.5-multilib.patch b/python-2.7.5-multilib.patch new file mode 100644 index 0000000..5ff270d --- /dev/null +++ b/python-2.7.5-multilib.patch 
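Review bot: In the `HAVE_CANONICALIZE_FILE_NAME` branch of Python/sysmodule.c the fallback `argv0 = strdup(argv[0]);` is not checked, so if it also returns NULL the later `argv0 != NULL` guards are skipped and, as far as the hunks show, `PyString_FromStringAndSize(argv0, n)` runs with `n` still 0, which would put an empty entry (the current directory) at the front of `sys.path` instead of the script's directory. Failing the way the function already does for allocation errors would be safer: `if (argv0 == NULL) Py_FatalError("no mem for sys.path insertion");`. `int errnum;` is declared in that branch but not used in the visible lines and can be dropped. PySys_SetArgvEx starts and ends outside these hunks.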
@@ -0,0 +1,436 @@ +--- + Include/pythonrun.h | 2 + + Lib/distutils/command/install.py | 4 ++- + Lib/distutils/sysconfig.py | 7 ++++-- + Lib/pydoc.py | 2 - + Lib/site.py | 40 +++++++++++++++++++++++++++------------ + Lib/sysconfig.py | 12 +++++------ + Lib/test/test_dl.py | 5 ++-- + Lib/test/test_site.py | 16 +++++++++++---- + Lib/trace.py | 4 +-- + Makefile.pre.in | 5 +++- + Modules/getpath.c | 4 ++- + Python/getplatform.c | 20 +++++++++++++++++++ + Python/sysmodule.c | 4 +++ + configure.ac | 35 ++++++++++++++++++++++++++++++++++ + setup.py | 15 ++++++-------- + 15 files changed, 135 insertions(+), 40 deletions(-) + +--- a/Include/pythonrun.h ++++ b/Include/pythonrun.h +@@ -108,6 +108,8 @@ PyAPI_FUNC(char *) Py_GetPath(void); + /* In their own files */ + PyAPI_FUNC(const char *) Py_GetVersion(void); + PyAPI_FUNC(const char *) Py_GetPlatform(void); ++PyAPI_FUNC(const char *) Py_GetArch(void); ++PyAPI_FUNC(const char *) Py_GetLib(void); + PyAPI_FUNC(const char *) Py_GetCopyright(void); + PyAPI_FUNC(const char *) Py_GetCompiler(void); + PyAPI_FUNC(const char *) Py_GetBuildInfo(void); +--- a/Lib/distutils/command/install.py ++++ b/Lib/distutils/command/install.py +@@ -22,6 +22,8 @@ from site import USER_BASE + from site import USER_SITE + + ++libname = sys.lib ++ + if sys.version < "2.2": + WINDOWS_SCHEME = { + 'purelib': '$base', +@@ -42,7 +44,7 @@ else: + INSTALL_SCHEMES = { + 'unix_prefix': { + 'purelib': '$base/lib/python$py_version_short/site-packages', +- 'platlib': '$platbase/lib/python$py_version_short/site-packages', ++ 'platlib': '$platbase/'+libname+'/python$py_version_short/site-packages', + 'headers': '$base/include/python$py_version_short/$dist_name', + 'scripts': '$base/bin', + 'data' : '$base', +--- a/Lib/distutils/sysconfig.py ++++ b/Lib/distutils/sysconfig.py +@@ -129,8 +129,11 @@ def get_python_lib(plat_specific=0, stan + prefix = plat_specific and EXEC_PREFIX or PREFIX + + if os.name == "posix": +- libpython = os.path.join(prefix, +- "lib", "python" 
+ get_python_version()) ++ if plat_specific or standard_lib: ++ lib = sys.lib ++ else: ++ lib = "lib" ++ libpython = os.path.join(prefix, lib, "python" + get_python_version()) + if standard_lib: + return libpython + else: +--- a/Lib/pydoc.py ++++ b/Lib/pydoc.py +@@ -375,7 +375,7 @@ class Doc: + docmodule = docclass = docroutine = docother = docproperty = docdata = fail + + def getdocloc(self, object, +- basedir=os.path.join(sys.exec_prefix, "lib", ++ basedir=os.path.join(sys.exec_prefix, sys.lib, + "python"+sys.version[0:3])): + """Return the location of module docs or None""" + +--- a/Lib/site.py ++++ b/Lib/site.py +@@ -231,29 +231,38 @@ def getuserbase(): + USER_BASE = get_config_var('userbase') + return USER_BASE + +-def getusersitepackages(): ++def getusersitepackages(lib_kind = 'purelib'): + """Returns the user-specific site-packages directory path. + + If the global variable ``USER_SITE`` is not initialized yet, this + function will also set it. + """ ++ ++ set_user_site = (lib_kind == 'purelib') ++ + global USER_SITE + user_base = getuserbase() # this will also set USER_BASE + +- if USER_SITE is not None: ++ if USER_SITE is not None and set_user_site: + return USER_SITE + + from sysconfig import get_path + import os + ++ user_site = None ++ + if sys.platform == 'darwin': + from sysconfig import get_config_var + if get_config_var('PYTHONFRAMEWORK'): +- USER_SITE = get_path('purelib', 'osx_framework_user') +- return USER_SITE ++ user_site = get_path(lib_kind, 'osx_framework_user') + +- USER_SITE = get_path('purelib', '%s_user' % os.name) +- return USER_SITE ++ if user_site is None: ++ user_site = get_path(lib_kind, '%s_user' % os.name) ++ ++ if set_user_site: ++ USER_SITE = user_site ++ ++ return user_site + + def addusersitepackages(known_paths): + """Add a per user site-package to sys.path +@@ -263,10 +272,12 @@ def addusersitepackages(known_paths): + """ + # get the per user site-package path + # this call will also make sure USER_BASE and USER_SITE are set 
+- user_site = getusersitepackages() ++ for kind in ('purelib', 'platlib'): ++ user_site = getusersitepackages(kind) ++ ++ if ENABLE_USER_SITE and os.path.isdir(user_site): ++ addsitedir(user_site, known_paths) + +- if ENABLE_USER_SITE and os.path.isdir(user_site): +- addsitedir(user_site, known_paths) + return known_paths + + def getsitepackages(): +@@ -288,13 +299,18 @@ def getsitepackages(): + if sys.platform in ('os2emx', 'riscos'): + sitepackages.append(os.path.join(prefix, "Lib", "site-packages")) + elif os.sep == '/': +- sitepackages.append(os.path.join(prefix, "lib", ++ sitepackages.append(os.path.join(prefix, sys.lib, + "python" + sys.version[:3], + "site-packages")) +- sitepackages.append(os.path.join(prefix, "lib", "site-python")) ++ sitepackages.append(os.path.join(prefix, sys.lib, "site-python")) ++ if sys.lib != "lib": ++ sitepackages.append(os.path.join(prefix, "lib", ++ "python" + sys.version[:3], ++ "site-packages")) ++ sitepackages.append(os.path.join(prefix, "lib", "site-python")) + else: + sitepackages.append(prefix) +- sitepackages.append(os.path.join(prefix, "lib", "site-packages")) ++ sitepackages.append(os.path.join(prefix, sys.lib, "site-packages")) + return sitepackages + + def addsitepackages(known_paths): +--- a/Lib/sysconfig.py ++++ b/Lib/sysconfig.py +@@ -7,10 +7,10 @@ from os.path import pardir, realpath + + _INSTALL_SCHEMES = { + 'posix_prefix': { +- 'stdlib': '{base}/lib/python{py_version_short}', +- 'platstdlib': '{platbase}/lib/python{py_version_short}', ++ 'stdlib': '{base}/'+sys.lib+'/python{py_version_short}', ++ 'platstdlib': '{platbase}/'+sys.lib+'/python{py_version_short}', + 'purelib': '{base}/lib/python{py_version_short}/site-packages', +- 'platlib': '{platbase}/lib/python{py_version_short}/site-packages', ++ 'platlib': '{platbase}/'+sys.lib+'/python{py_version_short}/site-packages', + 'include': '{base}/include/python{py_version_short}', + 'platinclude': '{platbase}/include/python{py_version_short}', + 'scripts': 
'{base}/bin', +@@ -65,10 +65,10 @@ _INSTALL_SCHEMES = { + 'data' : '{userbase}', + }, + 'posix_user': { +- 'stdlib': '{userbase}/lib/python{py_version_short}', +- 'platstdlib': '{userbase}/lib/python{py_version_short}', ++ 'stdlib': '{userbase}/'+sys.lib+'/python{py_version_short}', ++ 'platstdlib': '{userbase}/'+sys.lib+'/python{py_version_short}', + 'purelib': '{userbase}/lib/python{py_version_short}/site-packages', +- 'platlib': '{userbase}/lib/python{py_version_short}/site-packages', ++ 'platlib': '{userbase}/'+sys.lib+'/python{py_version_short}/site-packages', + 'include': '{userbase}/include/python{py_version_short}', + 'scripts': '{userbase}/bin', + 'data' : '{userbase}', +--- a/Lib/test/test_dl.py ++++ b/Lib/test/test_dl.py +@@ -4,10 +4,11 @@ + import unittest + from test.test_support import verbose, import_module + dl = import_module('dl', deprecated=True) ++import sys + + sharedlibs = [ +- ('/usr/lib/libc.so', 'getpid'), +- ('/lib/libc.so.6', 'getpid'), ++ ('/usr/'+sys.lib+'/libc.so', 'getpid'), ++ ('/'+sys.lib+'/libc.so.6', 'getpid'), + ('/usr/bin/cygwin1.dll', 'getpid'), + ('/usr/lib/libc.dylib', 'getpid'), + ] +--- a/Lib/test/test_site.py ++++ b/Lib/test/test_site.py +@@ -254,12 +254,16 @@ class HelperFunctionsTests(unittest.Test + self.assertEqual(dirs[0], wanted) + elif os.sep == '/': + # OS X, Linux, FreeBSD, etc +- self.assertEqual(len(dirs), 2) + wanted = os.path.join('xoxo', 'lib', 'python' + sys.version[:3], + 'site-packages') +- self.assertEqual(dirs[0], wanted) ++ self.assertTrue(wanted in dirs) + wanted = os.path.join('xoxo', 'lib', 'site-python') +- self.assertEqual(dirs[1], wanted) ++ self.assertTrue(wanted in dirs) ++ wanted = os.path.join('xoxo', sys.lib, 'python' + sys.version[:3], ++ 'site-packages') ++ self.assertTrue(wanted in dirs) ++ wanted = os.path.join('xoxo', sys.lib, 'site-python') ++ self.assertTrue(wanted in dirs) + else: + # other platforms + self.assertEqual(len(dirs), 2) +@@ -305,7 +309,11 @@ class 
HelperFunctionsTests(unittest.Test + known_paths = set() + site.addusersitepackages(known_paths) + +- self.assertEqual(fake_isdir.arg, user_site) ++ # value of user_site cannot be used for comparison, because ++ # the following assert mistakenly assumes 'platlib' and ++ # 'purelib' directories are same. ++ self.assertEqual(fake_isdir.arg, ++ site.getusersitepackages('platlib')) + self.assertFalse(known_paths) + + +--- a/Lib/trace.py ++++ b/Lib/trace.py +@@ -754,10 +754,10 @@ def main(argv=None): + # should I also call expanduser? (after all, could use $HOME) + + s = s.replace("$prefix", +- os.path.join(sys.prefix, "lib", ++ os.path.join(sys.prefix, sys.lib, + "python" + sys.version[:3])) + s = s.replace("$exec_prefix", +- os.path.join(sys.exec_prefix, "lib", ++ os.path.join(sys.exec_prefix, sys.lib, + "python" + sys.version[:3])) + s = os.path.normpath(s) + ignore_dirs.append(s) +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -91,6 +91,8 @@ PY_CFLAGS= $(CFLAGS) $(CPPFLAGS) $(CFLAG + + # Machine-dependent subdirectories + MACHDEP= @MACHDEP@ ++LIB= @LIB@ ++ARCH= @ARCH@ + + # Multiarch directory (may be empty) + MULTIARCH= @MULTIARCH@ +@@ -653,6 +655,7 @@ Modules/getpath.o: $(srcdir)/Modules/get + -DEXEC_PREFIX='"$(exec_prefix)"' \ + -DVERSION='"$(VERSION)"' \ + -DVPATH='"$(VPATH)"' \ ++ -DARCH='"$(ARCH)"' -DLIB='"$(LIB)"' \ + -o $@ $(srcdir)/Modules/getpath.c + + Modules/python.o: $(srcdir)/Modules/python.c +@@ -701,7 +704,7 @@ regen-ast: + Python/compile.o Python/symtable.o Python/ast.o: $(srcdir)/Include/graminit.h $(srcdir)/Include/Python-ast.h + + Python/getplatform.o: $(srcdir)/Python/getplatform.c +- $(CC) -c $(PY_CFLAGS) -DPLATFORM='"$(MACHDEP)"' -o $@ $(srcdir)/Python/getplatform.c ++ $(CC) -c $(PY_CFLAGS) -DPLATFORM='"$(MACHDEP)"' -DARCH='"$(ARCH)"' -DLIB='"$(LIB)"' -o $@ $(srcdir)/Python/getplatform.c + + Python/importdl.o: $(srcdir)/Python/importdl.c + $(CC) -c $(PY_CFLAGS) -I$(DLINCLDIR) -o $@ $(srcdir)/Python/importdl.c +--- a/Modules/getpath.c ++++ 
b/Modules/getpath.c +@@ -100,6 +100,8 @@ + #error "PREFIX, EXEC_PREFIX, VERSION, and VPATH must be constant defined" + #endif + ++#define LIB_PYTHON LIB "/python" VERSION ++ + #ifndef LANDMARK + #define LANDMARK "os.py" + #endif +@@ -108,7 +110,7 @@ static char prefix[MAXPATHLEN+1]; + static char exec_prefix[MAXPATHLEN+1]; + static char progpath[MAXPATHLEN+1]; + static char *module_search_path = NULL; +-static char lib_python[] = "lib/python" VERSION; ++static char lib_python[] = LIB_PYTHON; + + static void + reduce(char *dir) +--- a/Python/getplatform.c ++++ b/Python/getplatform.c +@@ -10,3 +10,23 @@ Py_GetPlatform(void) + { + return PLATFORM; + } ++ ++#ifndef ARCH ++#define ARCH "unknown" ++#endif ++ ++const char * ++Py_GetArch(void) ++{ ++ return ARCH; ++} ++ ++#ifndef LIB ++#define LIB "lib" ++#endif ++ ++const char * ++Py_GetLib(void) ++{ ++ return LIB; ++} +--- a/Python/sysmodule.c ++++ b/Python/sysmodule.c +@@ -1437,6 +1437,10 @@ _PySys_Init(void) + PyString_FromString(Py_GetCopyright())); + SET_SYS_FROM_STRING("platform", + PyString_FromString(Py_GetPlatform())); ++ SET_SYS_FROM_STRING("arch", ++ PyString_FromString(Py_GetArch())); ++ SET_SYS_FROM_STRING("lib", ++ PyString_FromString(Py_GetLib())); + SET_SYS_FROM_STRING("executable", + PyString_FromString(Py_GetProgramFullPath())); + SET_SYS_FROM_STRING("prefix", +--- a/configure.ac ++++ b/configure.ac +@@ -773,6 +773,41 @@ SunOS*) + ;; + esac + ++AC_SUBST(ARCH) ++AC_MSG_CHECKING(ARCH) ++ARCH=`uname -m` ++case $ARCH in ++i?86) ARCH=i386;; ++esac ++AC_MSG_RESULT($ARCH) ++ ++AC_SUBST(LIB) ++AC_MSG_CHECKING(LIB) ++case $ac_sys_system in ++Linux*) ++ # Test if the compiler is 64bit ++ echo 'int i;' > conftest.$ac_ext ++ python_cv_cc_64bit_output=no ++ if AC_TRY_EVAL(ac_compile); then ++ case `/usr/bin/file conftest.$ac_objext` in ++ *"ELF 64"*) ++ python_cv_cc_64bit_output=yes ++ ;; ++ esac ++ fi ++ rm -rf conftest* ++ ;; ++esac ++ ++case $ARCH:$python_cv_cc_64bit_output in ++aarch64:yes | ppc64:yes | 
ppc64le:yes | powerpc64:yes | riscv64:yes | s390x:yes | sparc64:yes | x86_64:yes) ++ LIB="lib64" ++ ;; ++*:*) ++ LIB="lib" ++ ;; ++esac ++AC_MSG_RESULT($LIB) + + AC_SUBST(LIBRARY) + AC_MSG_CHECKING(LIBRARY) +--- a/setup.py ++++ b/setup.py +@@ -502,7 +502,7 @@ class PyBuildExt(build_ext): + def detect_modules(self): + # Ensure that /usr/local is always used + if not cross_compiling: +- add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib') ++ add_dir_to_list(self.compiler.library_dirs, '/usr/local/' + sys.lib) + add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') + if cross_compiling: + self.add_gcc_paths() +@@ -828,11 +828,11 @@ class PyBuildExt(build_ext): + elif curses_library: + readline_libs.append(curses_library) + elif self.compiler.find_library_file(lib_dirs + +- ['/usr/lib/termcap'], ++ ['/usr/'+sys.lib+'/termcap'], + 'termcap'): + readline_libs.append('termcap') + exts.append( Extension('readline', ['readline.c'], +- library_dirs=['/usr/lib/termcap'], ++ library_dirs=['/usr/'+sys.lib+'/termcap'], + extra_link_args=readline_extra_link_args, + libraries=readline_libs) ) + else: +@@ -1979,18 +1979,17 @@ class PyBuildExt(build_ext): + # Check for various platform-specific directories + if host_platform == 'sunos5': + include_dirs.append('/usr/openwin/include') +- added_lib_dirs.append('/usr/openwin/lib') ++ added_lib_dirs.append('/usr/openwin/' + sys.lib) + elif os.path.exists('/usr/X11R6/include'): + include_dirs.append('/usr/X11R6/include') +- added_lib_dirs.append('/usr/X11R6/lib64') +- added_lib_dirs.append('/usr/X11R6/lib') ++ added_lib_dirs.append('/usr/X11R6/' + sys.lib) + elif os.path.exists('/usr/X11R5/include'): + include_dirs.append('/usr/X11R5/include') +- added_lib_dirs.append('/usr/X11R5/lib') ++ added_lib_dirs.append('/usr/X11R5/' + sys.lib) + else: + # Assume default location for X11 + include_dirs.append('/usr/X11/include') +- added_lib_dirs.append('/usr/X11/lib') ++ added_lib_dirs.append('/usr/X11/' + sys.lib) + + # If 
Cygwin, then verify that X is installed before proceeding + if host_platform == 'cygwin': diff --git a/python-2.7.9-sles-disable-verification-by-default.patch b/python-2.7.9-sles-disable-verification-by-default.patch new file mode 100644 index 0000000..fdb6ec9 --- /dev/null +++ b/python-2.7.9-sles-disable-verification-by-default.patch @@ -0,0 +1,25 @@ +--- + Lib/ssl.py | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/Lib/ssl.py ++++ b/Lib/ssl.py +@@ -497,7 +497,17 @@ def _get_https_context_factory(): + return _create_unverified_context + return create_default_context + +-_create_default_https_context = _get_https_context_factory() ++try: ++ # load the TLS checks policy from separate package ++ import sle_tls_checks_policy as policy ++ if policy.get_policy: ++ _create_default_https_context = policy.get_policy() ++ else: ++ # empty policy file means simply enable strict verification ++ _create_default_https_context = _get_https_context_factory() ++except ImportError: ++ # policy not present, disable verification for backwards compatibility ++ _create_default_https_context = _create_unverified_context + + # PEP 493: "private" API to configure HTTPS defaults without monkeypatching + def _https_verify_certificates(enable=True): diff --git a/python-2.7.9-ssl_ca_path.patch b/python-2.7.9-ssl_ca_path.patch new file mode 100644 index 0000000..30a322e --- /dev/null +++ b/python-2.7.9-ssl_ca_path.patch 
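Review bot: The `LIB` detection added to configure.ac runs `/usr/bin/file` by absolute path and treats any output without `ELF 64` as a 32-bit compiler, so a build root where `file` is missing or installed elsewhere silently gets `LIB="lib"` on the 64-bit architectures listed in the second `case`. `python_cv_cc_64bit_output` is also only assigned inside the `Linux*)` arm, so it is empty on every other system. Locating the tool with `AC_PATH_PROG` and stopping with `AC_MSG_ERROR` when it is not found, plus setting `python_cv_cc_64bit_output=no` before the first `case`, would turn a wrong libdir into a configure failure instead of a mis-installed tree.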
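Review bot: The `except ImportError:` in the Lib/ssl.py hunk wraps the whole block, so it fails open: besides a missing `sle_tls_checks_policy` package it also catches an ImportError raised inside `policy.get_policy()`, and each case silently installs `_create_unverified_context`, i.e. HTTPS without certificate checks. The `if policy.get_policy:` test does not implement the "empty policy file" case named in the comment either, because a module without that name raises AttributeError, which is not caught and would make `import ssl` fail. Narrowing the `try` to the import and reading the attribute with `getattr` fixes both while keeping the documented fallback. A comment stating that the missing-package case disables verification for every HTTPS client in the process would help whoever audits this default.

```python
try:
    # load the TLS checks policy from separate package
    import sle_tls_checks_policy as policy
except ImportError:
    # policy not present, disable verification for backwards compatibility
    _create_default_https_context = _create_unverified_context
else:
    _get_policy = getattr(policy, 'get_policy', None)
    if _get_policy:
        _create_default_https_context = _get_policy()
    else:
        # empty policy file means simply enable strict verification
        _create_default_https_context = _get_https_context_factory()
```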
@@ -0,0 +1,19 @@
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -537,7 +537,15 @@ class SSLSocket(socket):
+ self._context = SSLContext(ssl_version)
+ self._context.verify_mode = cert_reqs
+ if ca_certs:
+- self._context.load_verify_locations(ca_certs)
++ capath = None
++ cafile = None
++ if os.path.isdir(ca_certs):
++ capath = ca_certs
++ else:
++ cafile = ca_certs
++ self._context.load_verify_locations(cafile=cafile, capath=capath)
++ elif cert_reqs != CERT_NONE:
++ self._context.set_default_verify_paths()
+ if certfile:
+ self._context.load_cert_chain(certfile, keyfile)
+ if npn_protocols:
diff --git a/python-bsddb6.patch b/python-bsddb6.patch
new file mode 100644
index 0000000..1b756ac
--- /dev/null
+++ b/python-bsddb6.patch
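Review bot: The directory case is handed to `load_verify_locations(capath=...)` with no comment on what layout that directory must have. OpenSSL finds certificates in a CA directory only through hashed file names, so a directory without them is accepted here and the problem surfaces later as a verification failure during the handshake. A short comment above the `os.path.isdir(ca_certs)` test would document that, e.g. `# a directory is used as capath and must be in OpenSSL hashed (c_rehash) layout`. The enclosing method of SSLSocket starts and ends outside the hunk.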
@@ -0,0 +1,395 @@ +From: Jan Engelhardt +Date: 2013-07-06 16:07:31.146616589 +0200 + +This patch was partially autogenerated: + - copying python-bsddb3-6.0.0 sources into the python-2.7.5 tree + - creating a diff -w against the unmodified python-2.7.5 + - stripped all hunks that pertained to module renaming + - manually added db6 searching to setup.py + +--- + Lib/bsddb/test/test_all.py | 15 +++-- + Lib/bsddb/test/test_misc.py | 5 + + Lib/bsddb/test/test_replication.py | 25 +------- + Modules/_bsddb.c | 108 +++++++++++++++++++++++++++++++++---- + Modules/bsddb.h | 2 + setup.py | 4 + + 6 files changed, 118 insertions(+), 41 deletions(-) + +--- a/Lib/bsddb/test/test_all.py ++++ b/Lib/bsddb/test/test_all.py +@@ -74,8 +74,9 @@ if sys.version_info[0] >= 3 : + key = key.decode(charset) + return (key, value.decode(charset)) + +- def __next__(self) : +- v = getattr(self._dbcursor, "next")() ++ def __next__(self, flags=0, dlen=-1, doff=-1) : ++ v = getattr(self._dbcursor, "next")(flags=flags, dlen=dlen, ++ doff=doff) + return self._fix(v) + + next = __next__ +@@ -128,8 +129,8 @@ if sys.version_info[0] >= 3 : + v = self._dbcursor.current(flags=flags, dlen=dlen, doff=doff) + return self._fix(v) + +- def first(self) : +- v = self._dbcursor.first() ++ def first(self, flags=0, dlen=-1, doff=-1) : ++ v = self._dbcursor.first(flags=flags, dlen=dlen, doff=doff) + return self._fix(v) + + def pget(self, key=None, data=None, flags=0) : +@@ -489,7 +490,11 @@ def print_versions(): + print 'py module: %s' % getattr(bsddb, "__file"+suffix) + print 'extension module: %s' % getattr(bsddb, "__file"+suffix) + +- print 'python version: %s' % sys.version ++ print 'Test working dir: %s' % get_test_path_prefix() ++ import platform ++ print 'python version: %s %s' % \ ++ (sys.version.replace("\r", "").replace("\n", ""), \ ++ platform.architecture()[0]) + print 'My pid: %s' % os.getpid() + print '-=' * 38 + +--- a/Lib/bsddb/test/test_misc.py ++++ b/Lib/bsddb/test/test_misc.py +@@ -46,8 +46,9 @@ 
class MiscTestCase(unittest.TestCase): + d[repr(i)] = repr(100*i) + db.close() + db = hashopen(self.filename) +- rp = repr(db) +- self.assertEqual(rp, repr(d)) ++ rp = repr(sorted(db.items())) ++ rd = repr(sorted(d.items())) ++ self.assertEqual(rp, rd) + db.close() + + # http://sourceforge.net/tracker/index.php?func=detail&aid=1708868&group_id=13900&atid=313900 +--- a/Lib/bsddb/test/test_replication.py ++++ b/Lib/bsddb/test/test_replication.py +@@ -165,21 +165,10 @@ class DBReplicationManager(DBReplication + # is not generated if the master has no new transactions. + # This is solved in BDB 4.6 (#15542). + import time +- timeout = time.time()+60 ++ timeout = time.time()+10 + while (time.time()timeout: +- import sys +- print >> sys.stderr, ("XXX: timeout happened before" +- "startup was confirmed - see issue 3892") +- startup_timeout = True ++ self.assertTrue(time.time()=timeout and startup_timeout: +- self.skipTest("replication test skipped due to random failure, " +- "see issue 3892") + self.assertLess(time.time(), timeout) + self.assertEqual("123", v) + +@@ -375,7 +356,7 @@ class DBBaseReplication(DBReplication) : + # is not generated if the master has no new transactions. + # This is solved in BDB 4.6 (#15542). 
+ import time +- timeout = time.time()+60 ++ timeout = time.time()+10 + while (time.time()= 0x02050000) ++#define NUMBER_FromUnsignedLong PyInt_FromSize_t ++#endif + #endif + + #ifdef WITH_THREAD +@@ -853,6 +857,18 @@ static void _addIntToDict(PyObject* dict + Py_XDECREF(v); + } + ++#if (DBVER >= 60) && (PY_VERSION_HEX >= 0x02050000) ++/* add an unsigned integer to a dictionary using the given name as a key */ ++static void _addUnsignedIntToDict(PyObject* dict, char *name, unsigned int value) ++{ ++ PyObject* v = NUMBER_FromUnsignedLong((unsigned long) value); ++ if (!v || PyDict_SetItemString(dict, name, v)) ++ PyErr_Clear(); ++ ++ Py_XDECREF(v); ++} ++#endif ++ + /* The same, when the value is a time_t */ + static void _addTimeTToDict(PyObject* dict, char *name, time_t value) + { +@@ -2677,13 +2693,21 @@ _default_cmp(const DBT *leftKey, + static int + _db_compareCallback(DB* db, + const DBT *leftKey, +- const DBT *rightKey) ++ const DBT *rightKey ++#if (DBVER >= 60) ++ , size_t *locp ++#endif ++ ) + { + int res = 0; + PyObject *args; + PyObject *result = NULL; + DBObject *self = (DBObject *)db->app_private; + ++# if (DBVER >= 60) ++ locp = NULL; /* As required by documentation */ ++#endif ++ + if (self == NULL || self->btCompareCallback == NULL) { + MYDB_BEGIN_BLOCK_THREADS; + PyErr_SetString(PyExc_TypeError, +@@ -2791,13 +2815,21 @@ DB_set_bt_compare(DBObject* self, PyObje + static int + _db_dupCompareCallback(DB* db, + const DBT *leftKey, +- const DBT *rightKey) ++ const DBT *rightKey ++#if (DBVER >= 60) ++ , size_t *locp ++#endif ++ ) + { + int res = 0; + PyObject *args; + PyObject *result = NULL; + DBObject *self = (DBObject *)db->app_private; + ++#if (DBVER >= 60) ++ locp = NULL; /* As required by documentation */ ++#endif ++ + if (self == NULL || self->dupCompareCallback == NULL) { + MYDB_BEGIN_BLOCK_THREADS; + PyErr_SetString(PyExc_TypeError, +@@ -3576,13 +3608,14 @@ Py_ssize_t DB_length(PyObject* _self) + err = self->db->stat(self->db, /*txnid*/ NULL, 
&sp, 0); + MYDB_END_ALLOW_THREADS; + ++ if (makeDBError(err)) { ++ return -1; ++ } ++ + /* All the stat structures have matching fields upto the ndata field, + so we can use any of them for the type cast */ + size = ((DB_BTREE_STAT*)sp)->bt_ndata; + +- if (err) +- return -1; +- + free(sp); + return size; + } +@@ -8420,12 +8453,22 @@ static PyObject* + DBSequence_get(DBSequenceObject* self, PyObject* args, PyObject* kwargs) + { + int err, flags = 0; ++#if (DBVER >= 60) ++ unsigned ++#endif + int delta = 1; + db_seq_t value; + PyObject *txnobj = NULL; + DB_TXN *txn = NULL; + static char* kwnames[] = {"delta", "txn", "flags", NULL }; +- if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|iOi:get", kwnames, &delta, &txnobj, &flags)) ++ ++ if (!PyArg_ParseTupleAndKeywords(args, kwargs, ++#if (DBVER >=60) ++ "|IOi:get", ++#else ++ "|iOi:get", ++#endif ++ kwnames, &delta, &txnobj, &flags)) + return NULL; + CHECK_SEQUENCE_NOT_CLOSED(self) + +@@ -8555,8 +8598,19 @@ DBSequence_remove(DBSequenceObject* self + static PyObject* + DBSequence_set_cachesize(DBSequenceObject* self, PyObject* args) + { +- int err, size; +- if (!PyArg_ParseTuple(args,"i:set_cachesize", &size)) ++ int err; ++#if (DBVER >= 60) ++ unsigned ++#endif ++ int size; ++ ++ if (!PyArg_ParseTuple(args, ++#if (DBVER >= 60) ++ "I:set_cachesize", ++#else ++ "i:set_cachesize", ++#endif ++ &size)) + return NULL; + CHECK_SEQUENCE_NOT_CLOSED(self) + +@@ -8571,7 +8625,11 @@ DBSequence_set_cachesize(DBSequenceObjec + static PyObject* + DBSequence_get_cachesize(DBSequenceObject* self) + { +- int err, size; ++ int err; ++#if (DBVER >= 60) ++ unsigned ++#endif ++ int size; + + CHECK_SEQUENCE_NOT_CLOSED(self) + +@@ -8700,6 +8758,9 @@ DBSequence_stat(DBSequenceObject* self, + + + #define MAKE_INT_ENTRY(name) _addIntToDict(dict_stat, #name, sp->st_##name) ++#if (DBVER >= 60) && (PY_VERSION_HEX >= 0x02050000) ++#define MAKE_UNSIGNED_INT_ENTRY(name) _addUnsignedIntToDict(dict_stat, #name, sp->st_##name) ++#endif + #define 
MAKE_LONG_LONG_ENTRY(name) _addDb_seq_tToDict(dict_stat, #name, sp->st_##name) + + MAKE_INT_ENTRY(wait); +@@ -8709,10 +8770,15 @@ DBSequence_stat(DBSequenceObject* self, + MAKE_LONG_LONG_ENTRY(last_value); + MAKE_LONG_LONG_ENTRY(min); + MAKE_LONG_LONG_ENTRY(max); ++#if (DBVER >= 60) && (PY_VERSION_HEX >= 0x02050000) ++ MAKE_UNSIGNED_INT_ENTRY(cache_size); ++#else + MAKE_INT_ENTRY(cache_size); ++#endif + MAKE_INT_ENTRY(flags); + + #undef MAKE_INT_ENTRY ++#undef MAKE_UNSIGNED_INT_ENTRY + #undef MAKE_LONG_LONG_ENTRY + + free(sp); +@@ -9014,7 +9080,7 @@ static PyMethodDef DBEnv_methods[] = { + {"txn_recover", (PyCFunction)DBEnv_txn_recover, METH_NOARGS}, + #if (DBVER < 48) + {"set_rpc_server", (PyCFunction)DBEnv_set_rpc_server, +- METH_VARARGS|METH_KEYWORDS}, ++ METH_VARARGS||METH_KEYWORDS}, + #endif + {"set_mp_max_openfd", (PyCFunction)DBEnv_set_mp_max_openfd, METH_VARARGS}, + {"get_mp_max_openfd", (PyCFunction)DBEnv_get_mp_max_openfd, METH_NOARGS}, +@@ -9986,6 +10052,10 @@ PyMODINIT_FUNC PyInit__bsddb(void) / + ADD_INT(d, DB_LOG_ZERO); + #endif + ++#if (DBVER >= 60) ++ ADD_INT(d, DB_LOG_BLOB); ++#endif ++ + #if (DBVER >= 44) + ADD_INT(d, DB_DSYNC_DB); + #endif +@@ -10046,6 +10116,10 @@ PyMODINIT_FUNC PyInit__bsddb(void) / + ADD_INT(d, DB_EVENT_REG_PANIC); + #endif + ++#if (DBVER >= 60) ++ ADD_INT(d, DB_EVENT_REP_AUTOTAKEOVER_FAILED); ++#endif ++ + #if (DBVER >=52) + ADD_INT(d, DB_EVENT_REP_SITE_ADDED); + ADD_INT(d, DB_EVENT_REP_SITE_REMOVED); +@@ -10150,6 +10224,20 @@ PyMODINIT_FUNC PyInit__bsddb(void) / + ADD_INT(d, DB_REP_CONF_INMEM); + #endif + ++#if (DBVER >= 60) ++ ADD_INT(d, DB_REPMGR_ISVIEW); ++#endif ++ ++#if (DBVER >= 60) ++ ADD_INT(d, DB_DBT_BLOB); ++#endif ++ ++#if (DBVER >= 60) ++ ADD_INT(d, DB_STREAM_READ); ++ ADD_INT(d, DB_STREAM_WRITE); ++ ADD_INT(d, DB_STREAM_SYNC_WRITE); ++#endif ++ + ADD_INT(d, DB_TIMEOUT); + + #if (DBVER >= 50) +--- a/Modules/bsddb.h ++++ b/Modules/bsddb.h +@@ -110,7 +110,7 @@ + #error "eek! 
DBVER can't handle minor versions > 9" + #endif + +-#define PY_BSDDB_VERSION "5.3.0" ++#define PY_BSDDB_VERSION "6.0.0" + + /* Python object definitions */ + +--- a/setup.py ++++ b/setup.py +@@ -951,7 +951,7 @@ class PyBuildExt(build_ext): + # a release. Most open source OSes come with one or more + # versions of BerkeleyDB already installed. + +- max_db_ver = (5, 3) ++ max_db_ver = (6, 0) + min_db_ver = (4, 3) + db_setup_debug = False # verbose debug prints from this script? + +@@ -991,6 +991,7 @@ class PyBuildExt(build_ext): + # construct a list of paths to look for the header file in on + # top of the normal inc_dirs. + db_inc_paths = [ ++ '/usr/include/db6', + '/usr/include/db4', + '/usr/local/include/db4', + '/opt/sfw/include/db4', +@@ -1030,6 +1031,7 @@ class PyBuildExt(build_ext): + for dn in inc_dirs: + std_variants.append(os.path.join(dn, 'db3')) + std_variants.append(os.path.join(dn, 'db4')) ++ std_variants.append(os.path.join(dn, 'db6')) + for x in gen_db_minor_ver_nums(4): + std_variants.append(os.path.join(dn, "db4%d"%x)) + std_variants.append(os.path.join(dn, "db4.%d"%x)) diff --git a/python-bundle-lang.patch b/python-bundle-lang.patch new file mode 100644 index 0000000..c8da2d1 --- /dev/null +++ b/python-bundle-lang.patch 
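Review bot: In the `DBEnv_methods` table of Modules/_bsddb.c the `set_rpc_server` entry changes `METH_VARARGS|METH_KEYWORDS` to `METH_VARARGS||METH_KEYWORDS`; the logical OR evaluates to 1, which is the value of `METH_VARARGS` alone, so the keyword flag is lost while the function pointer is presumably still a keyword-taking function behind the `(PyCFunction)` cast. The line sits under `#if (DBVER < 48)`, so it is not compiled for the db6 target this patch adds, but it should keep the bitwise form: `METH_VARARGS|METH_KEYWORDS},`. The patch header says the diff was partially autogenerated, so this looks like a copy artefact rather than an intended change.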
@@ -0,0 +1,23 @@
+Index: Python-2.7.13/Lib/gettext.py
+===================================================================
+--- Python-2.7.13.orig/Lib/gettext.py
++++ Python-2.7.13/Lib/gettext.py
+@@ -58,6 +58,7 @@ __all__ = ['NullTranslations', 'GNUTrans
+ ]
+
+ _default_localedir = os.path.join(sys.prefix, 'share', 'locale')
++_default_bundlelocaledir = os.path.join(sys.prefix, 'share', 'locale-bundle')
+
+ # Expression parsing for plural form selection.
+ #
+@@ -496,6 +497,10 @@ class GNUTranslations(NullTranslations):
+
+ # Locate a .mo file using the gettext strategy
+ def find(domain, localedir=None, languages=None, all=0):
++ if localedir in [None, _default_localedir]:
++ bundle = find(domain, localedir=_default_bundlelocaledir, languages=languages, all=all)
++ if bundle:
++ return bundle
+ # Get some reasonable defaults for arguments that were not supplied
+ if localedir is None:
+ localedir = _default_localedir
diff --git a/python-distutils-rpm-8.patch b/python-distutils-rpm-8.patch
new file mode 100644
index 0000000..8062f8a
--- /dev/null
+++ b/python-distutils-rpm-8.patch
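Review bot: The early return added at the top of `find()` changes what `all=1` returns: as soon as the bundle directory yields any match, the recursive call's result is returned as is and `_default_localedir` is never searched, so a caller asking for every catalogue gets only the bundle ones. Limiting the shortcut to the single-result case with `if bundle and not all:` and merging the bundle matches into the normal result otherwise would keep the meaning of `all`; the rest of `find()` lies outside this hunk, so the merge point is not visible here. A comment such as `# look in share/locale-bundle first; it takes precedence over the default localedir` would also explain why the lookup runs twice.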
@@ -0,0 +1,82 @@
+--- a/Lib/distutils/command/install.py
++++ b/Lib/distutils/command/install.py
+@@ -154,6 +154,8 @@
+
+ ('record=', None,
+ "filename in which to record list of installed files"),
++ ('record-rpm=', None,
++ "filename in which to record list of installed files and directories suitable as filelist for rpm"),
+ ]
+
+ boolean_options = ['compile', 'force', 'skip-build', 'user']
+@@ -229,6 +231,7 @@
+ #self.install_info = None
+
+ self.record = None
++ self.record_rpm = None
+
+
+ # -- Option finalizing methods -------------------------------------
+@@ -578,12 +581,61 @@
+ self.create_path_file()
+
+ # write list of installed files, if requested.
+- if self.record:
++ if self.record or self.record_rpm:
+ outputs = self.get_outputs()
+ if self.root: # strip any package prefix
+ root_len = len(self.root)
+ for counter in xrange(len(outputs)):
+ outputs[counter] = outputs[counter][root_len:]
++ if self.record_rpm: # add directories
++ self.record = self.record_rpm
++ dirs = []
++ # directories to reject:
++ rejectdirs = [
++ '/etc',
++ '/',
++ '',
++ self.prefix,
++ self.exec_prefix,
++ self.install_base,
++ self.install_platbase,
++ self.install_purelib,
++ self.install_platlib,
++ self.install_headers[:len(self.install_headers) - len(self.distribution.get_name()) - 1],
++ self.install_libbase,
++ self.install_scripts,
++ self.install_data,
++ os.path.join(self.install_data, 'share'),
++ os.path.join(self.install_data, 'share', 'doc'),
++ ]
++ # directories whose childs reject:
++ rejectdirs2 = [
++ os.path.join(self.install_data, 'share', 'man'),
++ ]
++ # directories whose grandsons reject:
++ rejectdirs3 = [
++ os.path.join(self.install_data, 'share', 'man'),
++ os.path.join(self.install_data, 'share', 'locale'),
++ ]
++ for counter in xrange(len(rejectdirs)):
++ if len(rejectdirs[counter]) > root_len:
++ rejectdirs[counter] = rejectdirs[counter][root_len:]
++ for counter in xrange(len(rejectdirs2)):
++ if len(rejectdirs2[counter]) > root_len:
++ rejectdirs2[counter] = rejectdirs2[counter][root_len:]
++ for counter in xrange(len(rejectdirs3)):
++ if len(rejectdirs3[counter]) > root_len:
++ rejectdirs3[counter] = rejectdirs3[counter][root_len:]
++ for counter in xrange(len(outputs)):
++ directory = os.path.dirname(outputs[counter])
++ while directory not in rejectdirs and \
++ os.path.dirname(directory) not in rejectdirs2 and \
++ os.path.dirname(os.path.dirname(directory)) not in rejectdirs3:
++ dirname = '%dir ' + directory
++ if dirname not in dirs:
++ dirs.append(dirname)
++ directory = os.path.dirname(directory)
++ outputs += dirs
+ self.execute(write_file,
+ (self.record, outputs),
+ "writing list of installed files to '%s'" %
diff --git a/python-skip_random_failing_tests.patch b/python-skip_random_failing_tests.patch
new file mode 100644
index 0000000..d66cbda
--- /dev/null
+++ b/python-skip_random_failing_tests.patch
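Review bot: The new `record_rpm` block reads `root_len` when trimming `rejectdirs`, `rejectdirs2` and `rejectdirs3`, but `root_len` is only assigned inside `if self.root:`. Indentation is flattened in this view, so it is not clear whether the block is nested under that condition; if it is a sibling of it, `--record-rpm` without `--root` would raise NameError, and setting `root_len = len(self.root) if self.root else 0` before the trimming loops avoids that. The block also assigns `self.record = self.record_rpm`, so a `--record` path given together with `--record-rpm` is silently ignored, which the option's help text should mention. The enclosing method starts and ends outside the hunk.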
@@ -0,0 +1,50 @@
+---
+ Lib/test/test_multiprocessing.py | 1 +
+ Lib/test/test_subprocess.py | 1 +
+ Lib/test/test_telnetlib.py | 2 ++
+ 3 files changed, 4 insertions(+)
+
+Index: Python-2.7.14/Lib/test/test_subprocess.py
+===================================================================
+--- Python-2.7.14.orig/Lib/test/test_subprocess.py
++++ Python-2.7.14/Lib/test/test_subprocess.py
+@@ -654,6 +654,7 @@ class ProcessTestCase(BaseTestCase):
+ 'ab ""')
+
+
++ @unittest.skip("transient failure on PowerPC")
+ def test_poll(self):
+ p = subprocess.Popen([sys.executable,
+ "-c", "import time; time.sleep(1)"])
+Index: Python-2.7.14/Lib/test/test_telnetlib.py
+===================================================================
+--- Python-2.7.14.orig/Lib/test/test_telnetlib.py
++++ Python-2.7.14/Lib/test/test_telnetlib.py
+@@ -134,6 +134,7 @@ class ReadTests(TestCase):
+ data = telnet.read_until('match')
+ self.assertEqual(data, ''.join(want[:-2]))
+
++ @unittest.skip("transient failure on PowerPC")
+ def test_read_until_B(self):
+ # test the timeout - it does NOT raise socket.timeout
+ want = ['hello', self.block_long, 'not seen', EOF_sigil]
+@@ -420,6 +421,7 @@ class ExpectTests(TestCase):
+ (_,_,data) = telnet.expect(['match'])
+ self.assertEqual(data, ''.join(want[:-2]))
+
++ @unittest.skip("transient failure on PowerPC")
+ def test_expect_B(self):
+ # test the timeout - it does NOT raise socket.timeout
+ want = ['hello', self.block_long, 'not seen', EOF_sigil]
+Index: Python-2.7.14/Lib/test/test_multiprocessing.py
+===================================================================
+--- Python-2.7.14.orig/Lib/test/test_multiprocessing.py
++++ Python-2.7.14/Lib/test/test_multiprocessing.py
+@@ -1219,6 +1219,7 @@ class _TestPool(BaseTestCase):
+ self.assertEqual(get(), 49)
+ self.assertTimingAlmostEqual(get.elapsed, TIMEOUT1)
+
++ @unittest.skip("transient failure on PowerPC")
+ def test_async_timeout(self):
+ res = self.pool.apply_async(sqr, (6, TIMEOUT2 + 1.0))
+ get = TimingWrapper(res.get)
diff --git a/python-sorted_tar.patch b/python-sorted_tar.patch
new file mode 100644
index 0000000..40f72a2
--- /dev/null
+++ b/python-sorted_tar.patch
@@ -0,0 +1,21 @@
+commit 6936e36efcc0a75c7d5e67b949c9749d61fa5ead
+Author: Bernhard M. Wiedemann
+Date: Sun Jun 18 03:50:25 2017 +0200
+
+ tarfile: sort directory listing
+
+ to generate tar files in a more reproducible way
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index adf91d5382..36f6ed7167 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2027,7 +2027,7 @@ class TarFile(object):
+ elif tarinfo.isdir():
+ self.addfile(tarinfo)
+ if recursive:
+- for f in os.listdir(name):
++ for f in sorted(os.listdir(name)):
+ self.add(os.path.join(name, f), os.path.join(arcname, f),
+ recursive, exclude, filter)
+
diff --git a/python.changes b/python.changes
new file mode 100644
index 0000000..c59778e
--- /dev/null
+++ b/python.changes
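Review bot: The four `@unittest.skip("transient failure on PowerPC")` decorators are unconditional, so `test_poll`, `test_read_until_B`, `test_expect_B` and `test_async_timeout` stop running on every architecture, not only the one named in the reason string. If the failures are specific to PowerPC, a conditional form such as `@unittest.skipIf(platform.machine().startswith('ppc'), "transient failure on PowerPC")` keeps the coverage everywhere else. That form needs `platform` imported in each test module, which these hunks do not show.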
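Review bot: `sorted(os.listdir(name))` in Lib/tarfile.py can raise where the unsorted loop did not. On Python 2, `os.listdir()` called with a unicode path returns undecodable names as byte strings next to unicode ones, and ordering such a mixed list goes through an implicit ASCII decode that fails on non-ASCII bytes. If `add()` is meant to keep working on directories with such names, sort with a key that does not mix the two string types, or state the limitation in a comment like `# sorted for reproducible archives; assumes listdir() returns a single string type`. The enclosing `add()` method starts and ends outside the hunk.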
@@ -0,0 +1,1514 @@ +* Sat Sep 30 2023 mcepl@suse.com +- (bsc#1214691, CVE-2022-48566) Add + CVE-2022-48566-compare_digest-more-constant.patch to make + compare_digest more constant-time. +- Allow nis.so for SLE-12. +* Thu Sep 14 2023 mcepl@suse.com +- (bsc#1214685, CVE-2022-48565) Add + CVE-2022-48565-plistlib-XML-vulns.patch (from + gh#python/cpython#86217) reject XML entity declarations in + plist files. +- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and + Revert-gh105127-left-tests.patch (as per discussion on + bsc#1210638). +* Tue Sep 12 2023 daniel.garcia@suse.com +- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing + gh#python/cpython#108310, backport from upstream patch + gh#python/cpython#108315 + (bsc#1214692, CVE-2023-40217) +* Thu Aug 3 2023 mcepl@suse.com +- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! +- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) + partially reverting CVE-2023-27043-email-parsing-errors.patch, + because of the regression in gh#python/cpython#106669. +* Tue Jul 11 2023 mcepl@suse.com +- (bsc#1210638, CVE-2023-27043) Add + CVE-2023-27043-email-parsing-errors.patch, which detects email + address parsing errors and returns empty tuple to indicate the + parsing error (old API). +* Wed Jun 7 2023 mcepl@suse.com +- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch. +* Tue May 30 2023 schwab@suse.de +- python-2.7.5-multilib.patch: Update for riscv64 +- Don't fail if _ctypes or dl extension was not built +* Mon May 29 2023 mcepl@suse.com +- The condition around libnsl-devel BuildRequires is NOT + switching off NIS support on SLE < 15, support for NIS used to + be in the glibc itself. Partial revert of sr#1061583. +* Wed May 24 2023 mcepl@suse.com +- Add PygmentsBridge-trime_doctest_flags.patch to allow build of + the documentation even with the current Sphinx. (SUSE-ONLY + PATCH, DO NOT SEND UPSTREAM!) 
+* Wed Mar 8 2023 mcepl@suse.com +- Enable --with-system-ffi for non-standard architectures. +* Mon Mar 6 2023 mcepl@suse.com +- SLE-12 builds nis.so as well. +* Wed Mar 1 2023 mcepl@suse.com +- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, + bsc#1208471) blocklists bypass via the urllib.parse component + when supplying a URL that starts with blank characters +* Fri Jan 27 2023 kukuk@suse.com +- Disable NIS for new products, it's deprecated and gets removed +* Thu Jan 19 2023 mcepl@suse.com +- Add skip_unverified_test.patch because apparently switching off + SSL verification doesn't work on older SLE. +* Tue Nov 22 2022 mcepl@suse.com +- Restore python-2.7.9-sles-disable-verification-by-default.patch + for SLE-12. +* Wed Nov 9 2022 mcepl@suse.com +- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid + CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding + extremely long domain names. +* Tue Sep 13 2022 bwiedemann@suse.com +- Add bpo34990-2038-problem-compileall.patch making compileall.py + compliant with year 2038 (bsc#1202666, gh#python/cpython#79171), + backport of fix to Python 2.7. +* Wed Sep 7 2022 steven.kowalik@suse.com +- Add patch CVE-2021-28861-double-slash-path.patch: + * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server + when an URI path starts with //. (bsc#1202624, CVE-2021-28861) +* Thu Jun 9 2022 mcepl@suse.com +- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid + CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the + command injection in the mailcap module. +* Tue May 24 2022 mliska@suse.cz +- Filter out executable-stack error that is triggered for i586 + target. +* Sat Feb 26 2022 mcepl@suse.com +- Update bundled pip wheel to the latest SLE version patched + against bsc#1186819 (CVE-2021-3572). +- Recover again proper value of %%python2_package_prefix + (bsc#1175619). 
+* Fri Feb 18 2022 mcepl@suse.com +- BuildRequire rpm-build-python: The provider to inject python(abi) + has been moved there. rpm-build pulls rpm-build-python + automatically in when building anything against python3-base, but + this implies that the initial build of python3-base does not + trigger the automatic installation. +* Fri Feb 18 2022 mcepl@suse.com +- Older SLE versions should use old OpenSSL. +* Wed Feb 9 2022 mcepl@suse.com +- Add CVE-2022-0391-urllib_parse-newline-parsing.patch + (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs + containing ASCII newline and tabs in urlparse. +* Sun Feb 6 2022 mcepl@suse.com +- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, + bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib + not trust the PASV response. +* Mon Dec 6 2021 dmueller@suse.com +- build against openssl 1.1.x (incompatible with openssl 3.0x) + for now. +* Tue Nov 2 2021 meissner@suse.com +- on sle12, python2 modules will still be called python-xxxx until EOL, + for newer SLE versions they will be python2-xxxx +* Fri Oct 15 2021 dimstar@opensuse.org +- BuildRequire rpm-build-python: The provider to inject python(abi) + has been moved there. rpm-build pulls rpm-build-python + automatically in when building anything against python3-base, but + this implies that the initial build of python3-base does not + trigger the automatic installation. +* Tue Sep 21 2021 mcepl@suse.com +- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 + (CVE-2019-20907, bpo#39017) avoiding possible infinite loop + in specifically crafted tarball. + Add recursion.tar as a testing tarball for the patch. +- Provide the newest setuptools wheel (bsc#1176262, + CVE-2019-20916) in their correct form (bsc#1180686). 
+- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 + (CVE-2020-26116, bpo#39603) no longer allowing special characters in + the method parameter of HTTPConnection.putrequest in httplib, stopping + injection of headers. Such characters now raise ValueError. +* Thu Aug 26 2021 qydwhotmail@gmail.com +- Renamed patch for assigned CVE: + * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch -> + CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch + (boo#1189241, CVE-2021-3737) +* Mon Aug 23 2021 qydwhotmail@gmail.com +- Renamed patch for assigned CVE: + * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch + (boo#1189287, CVE-2021-3733) +- Fix python-doc build (bpo#35293): + * sphinx-update-removed-function.patch +- Update documentation formatting for Sphinx 3.0 (bpo#40204). +* Tue Aug 10 2021 qydwhotmail@gmail.com +- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in + request (bpo#43075, boo#1189287). +- Add missing security announcement to + bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. +* Mon Aug 9 2021 qydwhotmail@gmail.com +- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch + which fixes http client infinite line reading (DoS) after a http + 100 (bpo#44022, boo#1189241). +* Fri Jul 16 2021 mcepl@suse.com +- Modify Lib/ensurepip/__init__.py to contain the same version + numbers as are in reality the ones in the bundled wheels + (bsc#1187668). +* Fri Feb 26 2021 mcepl@suse.com +- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids + use of semicolon as a query string separator (bpo#42967, + bsc#1182379, CVE-2021-23336). +* Mon Jan 25 2021 mcepl@suse.com +- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing + bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in + _ctypes/callproc.c, which may lead to remote code execution. 
+* Tue Jan 5 2021 mcepl@suse.com +- (bsc#1180125) We really don't Require python-rpm-macros package. + Unnecessary dependency. +* Sat May 30 2020 mcepl@suse.com +- Add patch configure_PYTHON_FOR_REGEN.patch which makes + configure.ac to consider the correct version of + PYTHON_FO_REGEN (bsc#1078326). +* Mon Apr 27 2020 mcepl@suse.com +- Use python3-Sphinx on anything more recent than SLE-15 (inclusive). +* Thu Apr 23 2020 mcepl@suse.com +- Update to 2.7.18, final release of Python 2. Ever.: + - Newline characters have been escaped when performing uu + encoding to prevent them from overflowing into to content + section of the encoded file. This prevents malicious or + accidental modification of data during the decoding process. + - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben + Caller. + - Fixed line numbers and column offsets for AST nodes for calls + without arguments in decorators. + - bsc#1155094 (CVE-2019-18348) Disallow control characters in + hostnames in http.client. Such potentially malicious header + injection URLs now cause a InvalidURL to be raised. + - Fix urllib.urlretrieve failing on subsequent ftp transfers + from the same host. + - Fix problems identified by GCC's -Wstringop-truncation + warning. + - AddRefActCtx() was needlessly being checked for failure in + PC/dl_nt.c. + - Prevent failure of test_relative_path in test_py_compile on + macOS Catalina. + - Fixed possible leak in `PyArg_Parse` and similar + functions for format units "es#" and "et#" when the macro + `PY_SSIZE_T_CLEAN` is not defined. 
+- Remove upstreamed patches: + - CVE-2019-18348-CRLF_injection_via_host_part.patch + - python-2.7.14-CVE-2017-1000158.patch + - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch + - CVE-2018-1061-DOS-via-regexp-difflib.patch + - CVE-2019-10160-netloc-port-regression.patch + - CVE-2019-16056-email-parse-addr.patch +* Sat Feb 8 2020 mcepl@suse.com +- Add CVE-2019-9674-zip-bomb.patch to improve documentation + warning about dangers of zip-bombs and other security problems + with zipfile library. (bsc#1162825 CVE-2019-9674) +* Sat Feb 8 2020 mcepl@suse.com +- Change to Requires: libpython%%{so_version} == %%{version}-%%{release} + to python-base to keep both packages always synchronized (add + %%{so_version}) (bsc#1162224). +* Thu Feb 6 2020 mcepl@suse.com +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) +* Mon Feb 3 2020 tchvatal@suse.com +- Provide python-testsuite from devel subkg to ease py2->py3 + dependencies +* Mon Jan 27 2020 mcepl@suse.com +- Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch + off tests coliding with the combination of modern Python and + ancient OpenSSL on SLE-12. +* Fri Jan 10 2020 mcepl@suse.com +- libnsl is required only on more recent SLEs and openSUSE, older + glibc supported NIS on its own. +* Thu Jan 2 2020 tchvatal@suse.com +- Add provides in gdbm subpackage to provide dbm symbols. This + allows us to use %%%%{python_module dbm} as a dependency and have + it properly resolved for both python2 and python3 +* Thu Dec 19 2019 dimstar@opensuse.org +- Drop appstream-glib BuildRequires and no longer call + appstream-util validate-relax: eliminate a build cycle between + as-glib and python. The only thing would would gain by calling + as-uril is catching if upstream breaks the appdata.xml file in a + future release. 
Considering py2 is dying, chances for a new + release, let alone one breaking the xml file, are slim. +* Wed Dec 11 2019 mcepl@suse.com +- Unify packages among openSUSE:Factory and SLE versions. + (bsc#1159035) ; add missing records to this changelog. +- Add idle.desktop and idle.appdata.xml to provide IDLE in menus + (bsc#1153830) +* Wed Dec 4 2019 mcepl@suse.com +- Add python2_split_startup Provide to make it possible to + conflict older packages by shared-python-startup. +* Fri Nov 22 2019 mcepl@suse.com +- Move /etc/pythonstart script to shared-python-startup + package. +* Tue Nov 5 2019 mcepl@suse.com +- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from + bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes + bsc#1149792 +* Tue Nov 5 2019 steven.kowalik@suse.com +- Add adapted-from-F00251-change-user-install-location.patch fixing + pip/distutils to install into /usr/local. +* Thu Oct 24 2019 mcepl@suse.com +- Update to 2.7.17: + - a bug fix release in the Python 2.7.x series. It is expected + to be the penultimate release for Python 2.7. +- Removed patches included upstream: + - CVE-2018-20852-cookie-domain-check.patch + - CVE-2019-16935-xmlrpc-doc-server_title.patch + - CVE-2019-9636-netloc-no-decompose-characters.patch + - CVE-2019-9947-no-ctrl-char-http.patch + - CVE-2019-9948-avoid_local-file.patch + - python-2.7.14-CVE-2018-1000030-1.patch + - python-2.7.14-CVE-2018-1000030-2.patch +- Renamed remove-static-libpython.diff and python-bsddb6.diff to + remove-static-libpython.patch and python-bsddb6.patch to unify + filenames. 
+* Tue Oct 8 2019 mcepl@suse.com +- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing + bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in + python/Lib/DocXMLRPCServer.py +* Wed Sep 25 2019 bwiedemann@suse.com +- Add bpo36302-sort-module-sources.patch (boo#1041090) +* Mon Sep 16 2019 mcepl@suse.com +- Add CVE-2019-16056-email-parse-addr.patch fixing the email + module wrongly parses email addresses [bsc#1149955, + CVE-2019-16056] +* Thu Jul 25 2019 mcepl@suse.com +- boo#1141853 (CVE-2018-20852) add + CVE-2018-20852-cookie-domain-check.patch fixing + http.cookiejar.DefaultPolicy.domain_return_ok which did not + correctly validate the domain: it could be tricked into sending + cookies to the wrong server. +* Fri Jul 19 2019 tchvatal@suse.com +- Skip test_urllib2_localnet that randomly fails in OBS +* Wed Jul 3 2019 mcepl@suse.com +- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch + which fixes regression introduced by the previous patch. + (CVE-2019-10160) + Upstream gh#python/cpython#13812 +* Wed May 29 2019 mliska@suse.cz +- Set _lto_cflags to nil as it will prevent to propage LTO + for Python modules that are built in a separate package. +* Thu May 2 2019 mcepl@suse.com +- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch + Address the issue by disallowing URL paths with embedded + whitespace or control characters through into the underlying + http client request. Such potentially malicious header + injection URLs now cause a ValueError to be raised. +* Mon Apr 8 2019 mcepl@suse.com +- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch + removing unnecessary (and potentially harmful) URL scheme + local-file://. +* Mon Apr 8 2019 mcepl@suse.com +- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch + Characters in the netloc attribute that decompose under NFKC + normalization (as used by the IDNA encoding) into any of ``/``, + ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. 
If the + URL is decomposed before parsing, or is not a Unicode string, + no error will be raised (CVE-2019-9636). + Upstream commits e37ef41 and 507bd8c. +* Thu Apr 4 2019 mcepl@suse.com +- (bsc#1111793) Update to 2.7.16: + * bugfix-only release: complete list of changes on + https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst + * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch + which are fully included in the tarball. + * Updated patches to apply cleanly: + CVE-2019-5010-null-defer-x509-cert-DOS.patch + bpo36160-init-sysconfig_vars.patch + do-not-use-non-ascii-in-test_ssl.patch + openssl-111-middlebox-compat.patch + openssl-111-ssl_options.patch + python-2.5.1-sqlite.patch + python-2.6-gettext-plurals.patch + python-2.7-dirs.patch + python-2.7.2-fix_date_time_compiler.patch + python-2.7.4-canonicalize2.patch + python-2.7.5-multilib.patch + python-2.7.9-ssl_ca_path.patch + python-bsddb6.diff + remove-static-libpython.patch + * Update python-2.7.5-multilib.patch to pass with new platlib + regime. +* Fri Jan 25 2019 mcepl@suse.com +- bsc#1109847 (CVE-2018-14647): add + CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing + bpo-34623. +* Fri Jan 25 2019 mcepl@suse.com +- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch + PyWeakref_NewProxy@Objects/weakrefobject.c creates new isntance + of PyWeakReference struct and does not intialize wr_prev and + wr_next of new isntance. These pointers can have garbage and + point to random memory locations. + Python should not crash while destroying the isntance created + in the same interpreter function. As per my understanding, both + wr_prev and wr_next of PyWeakReference instance should be + initialized to NULL to avoid segfault. +* Sat Jan 19 2019 mcepl@suse.com +- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch + fixing bpo-35746 (CVE-2019-5010). 
+ An exploitable denial-of-service vulnerability exists in the + X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. + A specially crafted X509 certificate can cause a NULL pointer + dereference, resulting in a denial of service. An attacker can + initiate or accept TLS connections using crafted certificates + to trigger this vulnerability. +* Wed Dec 19 2018 toddrme2178@gmail.com +- Use upstream-recommended %%{_rpmconfigdir}/macros.d directory + for the rpm macros. +* Fri Oct 26 2018 tchvatal@suse.com +- Add patch openssl-111.patch to work with openssl-1.1.1 + (bsc#1113755) +* Tue Sep 25 2018 mcepl@suse.com +- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which + converts shutil._call_external_zip to use subprocess rather than + distutils.spawn. [bsc#1109663, CVE-2018-1000802] +* Fri Jun 29 2018 mcepl@suse.com +- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent + low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS + (CVE-2018-1061). Prior to this patch mail server's timestamp was + susceptible to catastrophic backtracking on long evil response from + the server. Also, it was susceptible to catastrophic backtracking, + which was a potential DOS vector. + [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060] +* Thu Jun 7 2018 psimons@suse.com +- Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that + verifies that at least one channel is provided. Prior to this + check, attackers could cause a denial of service (divide-by-zero + error and application crash) via a crafted wav format audio file. 
+ [bsc#1083507, CVE-2017-18207] +* Tue May 29 2018 mcepl@suse.com +- Apply "python-sorted_tar.patch" (bsc#1086001, boo#1081750) + sort tarfile output directory listing +* Mon May 21 2018 michael@stroeder.com +- update to 2.7.15 + * dozens of bugfixes, see NEWS for details +- removed obsolete patches: + * python-ncurses-6.0-accessors.patch + * python-fix-shebang.patch + * gcc8-miscompilation-fix.patch +- add patch from upstream: + * do-not-use-non-ascii-in-test_ssl.patch +* Fri Apr 6 2018 mliska@suse.cz +- Add gcc8-miscompilation-fix.patch (boo#1084650). +* Tue Mar 13 2018 psimons@suse.com +- Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer + overflows in PyString_DecodeEscape that could have resulted in + heap-based buffer overflow attacks and possible arbitrary code + execution. [bsc#1068664, CVE-2017-1000158] +* Mon Feb 5 2018 normand@linux.vnet.ibm.com +- exclude test_socket & test_subprocess for PowerPC boo#1078485 + (same ref as previous change) +* Fri Feb 2 2018 normand@linux.vnet.ibm.com +- Add python-skip_random_failing_tests.patch bypass boo#1078485 + and exclude many tests for PowerPC +* Tue Jan 30 2018 tchvatal@suse.com +- Add patch python-fix-shebang.patch to fix bsc#1078326 +* Fri Dec 22 2017 jmatejek@suse.com +- exclude test_regrtest for s390, where it does not segfault as it should + (fixes bsc#1073269) +- fix segfault while creating weakref - bsc#1073748, bpo#29347 + (this is actually fixed by the 2.7.14 update; mentioning this for purposes + of bugfix tracking) +* Mon Nov 20 2017 jmatejek@suse.com +- update to 2.7.14 + * dozens of bugfixes, see NEWS for details + * fixed possible integer overflow in PyString_DecodeEscape (CVE-2017-1000158, bsc#1068664) + * fixed segfaults with dict mutated during search + * fixed possible free-after-use problems with buffer objects with custom indexing + * fixed urllib.splithost to correctly parse fragments (bpo-30500) +- drop upstreamed python-2.7.13-overflow_check.patch +- drop unneeded 
python-2.7.12-makeopcode.patch +- drop upstreamed 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch +- Apply "python-2.7.14-CVE-2018-1000030-1.patch" and + "python-2.7.14-CVE-2018-1000030-2.patch" to remedy a bug that + would crash the Python interpreter when multiple threads used the + same I/O stream concurrently. This issue is not classified as a + security vulnerability due to the fact that an attacker must be + able to run code, however in some situations -- such as function + as a service -- this vulnerability can potentially be used by an + attacker to violate a trust boundary. [bsc#1079300, + CVE-2018-1000030] +* Thu Nov 2 2017 mpluskal@suse.com +- Call python2 instead of python in macros +* Thu Sep 14 2017 vcizek@suse.com +- Fix test broken with OpenSSL 1.1 (bsc#1042670) + * add 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch +* Mon Aug 28 2017 jmatejek@suse.com +- drop SUSE_ASNEEDED=0 as it is not needed anymore +* Thu Aug 17 2017 kukuk@suse.de +- Add libnsl-devel build requires for glibc obsoleting libnsl +* Mon May 15 2017 jmatejek@suse.com +- obsolete/provide python-argparse and provide python2-argparse, + because the argparse module is available from python 2.7 up +* Tue Feb 28 2017 jmatejek@suse.com +- SLE package update (bsc#1027282) +- refresh python-2.7.5-multilib.patch +- dropped upstreamed patches: + python-fix-short-dh.patch + python-2.7.7-mhlib-linkcount.patch + python-2.7-urllib2-localnet-ssl.patch + CVE-2016-0772-smtplib-starttls.patch + CVE-2016-5699-http-header-injection.patch + CVE-2016-5636-zipimporter-overflow.patch + python-2.7-httpoxy.patch +- Add python-ncurses-6.0-accessors.patch: Fix build with + NCurses 6.0 and OPAQUE_WINDOW set to 1. 
+ (dimstar@opensuse.org) +* Fri Feb 24 2017 bwiedemann@suse.com +- Add reproducible.patch to allow reproducible builds of various + python packages like python-amqp + Upstream: https://github.com/python/cpython/pull/296 +* Tue Jan 3 2017 jmatejek@suse.com +- update to 2.7.13 + * dozens of bugfixes, see NEWS for details + * updated cipher lists for openssl wrapper, support openssl >= 1.1.0 + * properly fix HTTPoxy (CVE-2016-1000110) + * profile-opt build now applies PGO to modules as well +- update python-2.7.10-overflow_check.patch + with python-2.7.13-overflow_check.patch, incorporating upstream changes + (bnc#964182) +- add "-fwrapv" to optflags explicitly because upstream code still + relies on it in many places +* Fri Dec 2 2016 jmatejek@suse.com +- provide python2-* symbols, for support of new packages built as + python2-foo +- rename macros.python to macros.python2 accordingly +- require python-rpm-macros package, drop macro definitions from + macros.python2 +* Mon Sep 26 2016 jmatejek@suse.com +- initial packaging of `python27` side-by-side variant (fate#321075, bsc#997436) +- renamed `python` to `python27` in package names and requires +- removed Provides and Obsoletes clauses +- dropped SLE12-only patch python-2.7.9-sles-disable-verification-by-default.patch, + companion sle_tls_checks_policy.py file and the python-strict-tls-checks subpackage +- dropped profile files +- removed /usr/bin/python and /usr/bin/python2, along with other unversioned + aliases +- rewrote macros file to enable stand-alone packages depending on py2.7 +- re-included downloaded version of HTML documentation +* Thu Jun 30 2016 jmatejek@suse.com +- update to 2.7.12 + * dozens of bugfixes, see NEWS for details + * fixes multiple security issues: + CVE-2016-0772 TLS stripping attack on smtplib (bsc#984751) + CVE-2016-5636 zipimporter heap overflow (bsc#985177) + CVE-2016-5699 httplib header injection (bsc#985348) + (this one is actually fixed since 2.7.10) +- removed upstreamed 
python-2.7.7-mhlib-linkcount.patch +- refreshed multilib patch +- python-2.7.12-makeopcode.patch - run newly-built python interpreter + to make opcodes, in order not to require pre-built python +- update LD_LIBRARY_PATH to use $PWD instead of "." because the test + process escapes to its own directory +- modify shebang-fixing scriptlet to ignore makeopcodetargets.py +* Fri Jun 17 2016 jmatejek@suse.com +- CVE-2016-0772-smtplib-starttls.patch: + smtplib vulnerability opens startTLS stripping attack + (CVE-2016-0772, bsc#984751) +- CVE-2016-5636-zipimporter-overflow.patch: + heap overflow when importing malformed zip files + (CVE-2016-5636, bsc#985177) +- CVE-2016-5699-http-header-injection.patch: + incorrect validation of HTTP headers allow header injection + (CVE-2016-5699, bsc#985348) +- python-2.7-httpoxy.patch: + HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY + when REQUEST_METHOD is also set + (CVE-2016-1000110, bsc#989523) +* Fri Jan 29 2016 rguenther@suse.com +- Add python-2.7.10-overflow_check.patch to fix broken overflow checks. + [bnc#964182] +* Mon Sep 14 2015 jmatejek@suse.com +- copy strict-tls-checks subpackage from SLE to retain future compatibility + (not built in openSUSE) +- do this properly to fix bnc#945401 +- update SLE check to exclude Leap which also has version 1315, + just to be sure +* Wed Sep 9 2015 dimstar@opensuse.org +- Add python-ncurses-6.0-accessors.patch: Fix build with + NCurses 6.0 and OPAQUE_WINDOW set to 1. +* Thu Aug 13 2015 jmatejek@suse.com +- add missing ssl.pyc and ssl.pyo to package +- implement python-strict-tls-checks subpackage + * when present, Python will perform TLS certificate checking by default. + it is possible to remove the package to turn off the checks + for compatibility with legacy scripts. 
+ * as discussed in fate#318300
+ * this is not built for openSUSE, but retained here in case we want
+ to build the package for a SLE system
+* Mon Jun 29 2015 meissner@suse.com
+- python-fix-short-dh.patch: Bump DH parameters to 2048 bit
+ to fix logjam security issue. bsc#935856
+* Wed Jun 10 2015 dmueller@suse.com
+- add __python2 compatibility macro (used by Fedora) (fate#318838)
+* Sun May 24 2015 michael@stroeder.com
+- update to 2.7.10
+- removed obsolete python-2.7-urllib2-localnet-ssl.patch
+* Tue May 19 2015 schwab@suse.de
+- Reenable test_posix on aarch64
+* Sun Dec 21 2014 schwab@suse.de
+- python-2.7.4-aarch64.patch: Remove obsolete patch
+- python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for
+ aarch64
+* Fri Dec 12 2014 jmatejek@suse.com
+- update to 2.7.9
+ * contains full backport of ssl module from Python 3.4 (PEP466)
+ * HTTPS certificate validation enabled by default (PEP476)
+ * SSLv3 disabled by default (bnc#901715)
+ * backported ensurepip module (PEP477)
+ * fixes several missing CVEs from last release: CVE-2013-1752,
+ CVE-2013-1753
+ * dozens of minor bugfixes
+- dropped upstreamed patches: python-2.7.6-poplib.patch,
+ smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
+- dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it
+ with ssl module from Python 3
+- libffi was upgraded upstream, seems to contain our changes,
+ so dropping libffi-ppc64le.diff as well
+- python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional
+ "import ssl" from test_urllib2_localnet that caused it to fail without ssl
+* Wed Oct 22 2014 dmueller@suse.com
+- skip test_thread in qemu_linux_user mode
+* Wed Oct 1 2014 jmatejek@suse.com
+- CVE-2014-7185-buffer-wraparound.patch: potential wraparound/overflow
+ in buffer()
+ (CVE-2014-7185, bnc#898572)
+* Tue Sep 30 2014 jmatejek@suse.com
+- update to 2.7.8
+ * bugfix-only release, dozens of bugs fixed
+ * fixes CVE-2014-4650 directory traversal in CGIHTTPServer
+ * fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
+- dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch
+- dropped upstreamed CVE-2014-7185-buffer-wraparound.patch
+* Wed Jul 23 2014 jmatejek@suse.com
+- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
+ disclosure and directory traversal through URL-encoded characters
+ (CVE-2014-4650, bnc#885882)
+- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
+ that are incorrect on btrfs (and possibly other filesystems)
+* Fri Jun 20 2014 jmatejek@suse.com
+- update to 2.7.7
+ * bugfix-only release, over a hundred bugs fixed
+ * backported hmac.compare_digest from python3, first step of PEP 466
+- drop upstreamed patches:
+ * CVE-2014-1912-recvfrom_into.patch
+ * python-2.7.4-no-REUSEPORT.patch
+ * python-2.7.6-bdist-rpm.patch
+ * python-2.7.6-imaplib.patch
+ * python-2.7.6-sqlite-3.8.4-tests.patch
+- refresh patches:
+ * python-2.7.3-ssl_ca_path.patch
+ * python-2.7.4-canonicalize2.patch
+ * xmlrpc_gzip_27.patch
+- added python keyring and signature for the main tarball
+* Sat Mar 15 2014 schwab@suse.de
+- Use profile-opt only when profiling is enabled
+- python-2.7.2-disable-tests-in-test_io.patch: removed, no longer needed
+- update testsuite exclusion list:
+ * test_signal and test_posix fail due to qemu bugs
+* Fri Mar 14 2014 andreas.stieger@gmx.de
+- Fix build with SQLite 3.8.4 [bnc#867887], fixing SQLite tests,
+ adding python-2.7.6-sqlite-3.8.4-tests.patch
+* Mon Feb 10 2014 jmatejek@suse.com
+- added patches for CVE-2013-1752 (bnc#856836) issues that are
+ missing in 2.7.6:
+ python-2.7.6-imaplib.patch
+ python-2.7.6-poplib.patch
+ smtplib_maxline-2.7.patch
+- CVE-2013-1753 (bnc#856835) gzip decompression bomb in xmlrpc client:
+ xmlrpc_gzip_27.patch
+- python-2.7.6-bdist-rpm.patch: fix broken "setup.py bdist_rpm" command
+ (bnc#857470, issue18045)
+- multilib patch: add "~/.local/lib64" paths to search path
+ (bnc#637176)
+- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow
+ in socket.recvfrom_into (CVE-2014-1912, bnc#863741)
+* Tue Dec 10 2013 uweigand@de.ibm.com
+- Add Obsoletes/Provides for python-ctypes.
+* Sat Dec 7 2013 matz@suse.de
+- Ignore uuid testcase in the testsuite, it relies on unreliable
+ ifconfig output.
+* Tue Dec 3 2013 mls@suse.de
+- adapt python-2.7.5-multilib.patch for ppc64le
+* Tue Dec 3 2013 dvaleev@suse.com
+- adjust %%files for ppc64le
+* Tue Dec 3 2013 matz@suse.de
+- Support for ppc64le in _ctypes libffi copy.
+- added patches:
+ * libffi-ppc64le.diff
+* Tue Dec 3 2013 adrian@suse.de
+- add ppc64le rules
+- avoid errors from source-validator
+* Thu Nov 21 2013 jmatejek@suse.com
+- update to 2.7.6
+ * bugfix-only release
+ * SSL-related fixes
+ * upstream fix for CVE-2013-4238
+ * upstream fixes for CVE-2013-1752
+- removed upstreamed patch CVE-2013-4238_py27.patch
+- reintroduce audioop.so as the problems with it seem to be fixed
+ (bnc#831442)
+* Thu Oct 10 2013 dmueller@suse.com
+- exclude test_mmap under qemu_linux_user - emulation fails here
+ as the tests mmap address conflicts with qemu
+* Mon Aug 26 2013 lnussel@suse.de
+- update python-2.7.3-ssl_ca_path.patch patch to load default verify locations
+ if no ca_certs file is specified (bnc#827982, bnc#836739)
+* Fri Aug 16 2013 jmatejek@suse.com
+- handle NULL bytes in certain fields of SSL certificates
+ (CVE-2013-4238, bnc#834601)
+* Tue Jul 9 2013 jengelh@inai.de
+- Add python-bsddb6.diff to support building against libdb-6.0
+* Sat Jul 6 2013 coolo@suse.com
+- have python-devel require python:
+ http://lists.opensuse.org/opensuse-factory/2013-06/msg00622.html
+* Sun Jun 30 2013 schwab@suse.de
+- Disable test_multiprocessing in QEmu build
+* Wed Jun 5 2013 schwab@suse.de
+- Disable test_asyncore in QEmu build
+- Reenable testsuite on arm
+* Thu May 30 2013 jmatejek@suse.com
+- python-2.7.4-aarch64.patch: add missing bits of aarch64 support
+- python-2.7.4-no-REUSEPORT.patch: disable
test of + missing kernel functionality +- drop unnecessary patch: python-2.7.1-distutils_test_path.patch +- switch to xz archive +* Tue May 28 2013 speilicke@suse.com +- Update to version 2.7.5: + + bugfix-only release + + fixes several important regressions introduced in 2.7.4 + + Issue #15535: Fixed regression in the pickling of named tuples by + removing the __dict__ property introduced in 2.7.4. + + Issue #17857: Prevent build failures with pre-3.5.0 versions of sqlite3, + such as was shipped with Centos 5 and Mac OS X 10.4. + + Issue #17703: Fix a regression where an illegal use of Py_DECREF() after + interpreter finalization can cause a crash. + + Issue #16447: Fixed potential segmentation fault when setting __name__ on a + class. + + Issue #17610: Don't rely on non-standard behavior of the C qsort() function. 12 + See http://hg.python.org/cpython/file/ab05e7dd2788/Misc/NEWS for more +- Drop upstreamed patches: + + python-2.7.3-fix-dbm-64bit-bigendian.patch + + python-test_structmembers.patch +- Rebased other patches +* Mon May 13 2013 dmueller@suse.com +- add aarch64 to the list of 64-bit platforms +* Thu May 9 2013 jmatejek@suse.com +- update to 2.7.4 + * bugfix-only release +- drop upstreamed patches: + pypirc-secure.diff + python-2.7.3-multiprocessing-join.patch + ctypes-libffi-aarch64.patch +- drop python-2.7rc2-configure.patch as it doesn't seem necessary anymore +* Fri Apr 5 2013 idonmez@suse.com +- Add Source URL, see https://en.opensuse.org/SourceUrls +* Wed Feb 27 2013 schwab@suse.de +- Add aarch64 to the list of lib64 platforms +* Mon Feb 25 2013 jmatejek@suse.com +- fix pythonstart failing on $HOME-less users (bnc#804978) +* Sat Feb 9 2013 schwab@suse.de +- Add ctypes-libffi-aarch64.patch: import aarch64 support for libffi in + _ctypes module +* Fri Feb 8 2013 jmatejek@suse.com +- multiprocessing: thread joining itself (bnc#747794) +- gettext: fix cases where no bundle is found (bnc#794139) +* Thu Oct 25 2012 coolo@suse.com +- add explicit 
buildrequire on libbz2-devel
+* Mon Oct 15 2012 coolo@suse.com
+- buildrequire explicitly netcfg for the test suite
+* Mon Oct 8 2012 jmatejek@suse.com
+- remove distutils.cfg (bnc#658604)
+ * this changes default prefix for distutils to /usr
+ * see ML for details:
+ http://lists.opensuse.org/opensuse-packaging/2012-09/msg00254.html
+* Fri Aug 3 2012 dimstar@opensuse.org
+- Add python-bundle-lang.patch: gettext: If bindtextdomain is
+ instructed to look in the default location of translations, we
+ check additionally in locale-bundle. Fixes issues like bnc#617751
+* Tue Jul 31 2012 jmatejek@suse.com
+- all subpackages require python-base=%%{version}-%%{release} explicitly
+ (fixes bnc#766778 bug and similar that might arise in the future)
+* Tue Jun 26 2012 dvaleev@suse.com
+- Fix failing test_dbm on ppc64
+* Thu May 17 2012 jfunk@funktronics.ca
+- Support directory-based certificate stores with the ca_certs parameter of SSL
+ functions [bnc#761501]
+* Sat Apr 14 2012 dmueller@suse.com
+- update to 2.7.3:
+ * no change
+- remove static libpython.a from build to avoid packages
+ linking it statically
+* Wed Mar 28 2012 jmatejek@suse.com
+- update to 2.7.3rc2
+ * fixes several security issues:
+ * CVE-2012-0845, bnc#747125
+ * CVE-2012-1150, bnc#751718
+ * CVE-2011-4944, bnc#754447
+ * CVE-2011-3389
+- fix for insecure .pypirc (CVE-2011-4944, bnc#754447)
+ !!important!!
+- disabled test_unicode which segfaults on 64bits.
+ this should not happen, revisit in next RC!
+ !!important!!
+* Thu Feb 16 2012 dvaleev@suse.com
+- skip broken test_io test on ppc
+* Mon Dec 12 2011 toddrme2178@gmail.com
+- Exclude /usr/bin/2to3 to prevent conflicts with python3-2to3
+* Thu Dec 8 2011 jmatejek@suse.com
+- %%python_version now correctly refers to %%tarversion
+* Mon Nov 28 2011 saschpe@suse.de
+- Spec file cleanup:
+ * Run spec-cleaner
+ * Remove outdated %%clean section, AutoReqProv and authors from descr.
+- Fix license to Python-2.0 (also SPDX style)
+* Fri Sep 30 2011 adrian@suse.de
+- fix build for arm by removing an old hack for arm, bz2.so is built now
+* Fri Sep 16 2011 jmatejek@suse.com
+- dropped newslist.py from demos because of bad license
+ (bnc#718009)
+* Fri Aug 19 2011 dmueller@suse.de
+- update to 2.7.2:
+ * Bug fix only release, see
+ http://hg.python.org/cpython/raw-file/eb3c9b74884c/Misc/NEWS
+ for details
+- introduce a pre_checkin.sh file that synchronizes
+ patches between python and python-base
+- rediff patches for 2.7.2
+- replace kernel3 patch with the upstream solution
+* Fri Jul 22 2011 idonmez@novell.com
+- Copy Lib/plat-linux2 to Lix/plat-linux3 so that DLFCN module
+ is also available for linux3 systems bnc#707667
+* Sun Jul 10 2011 ro@suse.de
+- fix build on factory: setup reports linux3 not linux2 now,
+ adapt checks
+* Tue May 31 2011 jmatejek@novell.com
+- added explicit requires to libpython-%%version-%%release
+ to prevent bugs like bnc#697251 reappearing
+* Tue May 24 2011 jmatejek@novell.com
+- update to 2.7.1
+ * bugfix-only release, see NEWS for details
+- refreshed patches, dropped the upstreamed ones
+- dropped acrequire patch, replacing it with build-time sed
+- improved fix to bnc#673071 by defining the constants
+ only for files that require it (as is done in python3)
+* Mon May 2 2011 jmatejek@novell.com
+- fixed a security flaw where malicious sites could redirect
+ Python application from http to a local file
+ (CVE-2011-1521, bnc#682554)
+- fixed race condition in Makefile which randomly failed
+ parallel builds ( http://bugs.python.org/issue10013 )
+* Thu Feb 17 2011 pth@suse.de
+- Prefix DATE and TIME with PY_BUILD_ and COMPILER with PYTHON_ as
+ to not break external code (bnc#673071).
+* Mon Jan 17 2011 coolo@novell.com
+- provide pyxml to avoid touching tons of packages
+* Thu Nov 18 2010 coolo@novell.com
+- add patch from http://psf.upfronthosting.co.za/roundup/tracker/issue9960
+ to fix build on ppc64
+* Fri Oct 1 2010 jmatejek@novell.com
+- moved unittest to python-base (it is a testing framework, not a
+ testsuite, so it clearly belongs into stdlib)
+- fixed smtpd.py DoS (bnc#638233, CVE probably not assigned)
+* Tue Sep 21 2010 coolo@novell.com
+- fix baselibs.conf
+* Thu Aug 26 2010 suse-tux@gmx.de
+- fix for urllib2 (http://bugs.python.org/issue9639)
+* Thu Aug 26 2010 jmatejek@novell.com
+- fixed distutils test
+- dropped autoconf version requirement (it builds just fine with other versions)
+* Thu Aug 26 2010 jmatejek@novell.com
+- update to version 2.7
+ * improved handling of numeric types
+ * deprecation warnings are now silent by default
+ * new argparse module for command line arguments
+ * many new features, see http://docs.python.org/dev/whatsnew/2.7.html
+ for complete list
+ * ** 2.7 is supposed to be the last version from the 2.x series,
+ so its (upstream) maintenance period will probably be longer than usual.
+ However, upstream development now focuses on 3.x series.
+- cleaned up spec and patches
+* Fri Jul 2 2010 jengelh@medozas.de
+- add patch from http://bugs.python.org/issue6029
+- use %%_smp_mflags
+* Mon May 17 2010 matejcik@suse.cz
+- dropped audioop.so because of security vulnerabilities
+ (bnc#603255)
+* Wed Apr 7 2010 matejcik@suse.cz
+- update to 2.6.5 (rpm version 2.6.5)
+- patched test_distutils to work
+* Thu Mar 11 2010 matejcik@suse.cz
+- update to 2.6.5rc2 (rpm version is 2.6.4.92)
+ * bugfix-only release
+- removed fwrapv patch - no longer needed
+- removed expat patches (this version also fixes expat vulnerabilities
+ from bnc#581765 )
+- removed readline spacing patch - no longer needed
+- removed https_proxy patch - no longer needed
+- removed test_distutils patch - no longer needed
+- disabled test_distutils because of spurious failure,
+ * TODO reenable at release
+* Thu Feb 4 2010 matejcik@suse.cz
+- removed precompiled exe files (as noted in bnc#577032)
+* Fri Jan 29 2010 matejcik@suse.cz
+- enabled ipv6 in configure (bnc#572673)
+* Wed Dec 23 2009 aj@suse.de
+- Apply patches with fuzz=0
+* Mon Dec 14 2009 jengelh@medozas.de
+- add baselibs.conf as source
+* Wed Nov 4 2009 matejcik@suse.cz
+- readline shouldn't append space after completion (bnc#551715,
+ python bug 5833)
+* Wed Oct 28 2009 crrodriguez@opensuse.org
+- python-devel Requires glibc-devel
+* Fri Sep 4 2009 matejcik@suse.cz
+- fixed potential DoS in python's copy of expat (bnc#534721)
+- added patch for potential SSL hangup during handshake (bnc#525295)
+* Sun Aug 2 2009 jansimon.moeller@opensuse.org
+- fix files section for ARM, as bz2.so isn't built on ARM.
+* Fri Jul 31 2009 matejcik@suse.cz
+- added /usr/lib/python2.6{,/site-packages} to the package even if
+ it is on lib64 arch
+- added %%python_sitelib and %%python_sitearch for fedora compatibility
+* Thu Jul 30 2009 matejcik@suse.cz
+- fixed test in test_distutils suite that would generate a warning
+ when the log threshold was set too low by preceding tests
+* Wed Jul 29 2009 matejcik@suse.cz
+- support noarch python packages (modified multilib patch
+ to differentiate between purelib and platlib, added /usr/lib
+ to search path in all cases
+* Thu Jul 16 2009 coolo@novell.com
+- disable as-needed to fix build
+* Mon Apr 27 2009 matejcik@suse.cz
+- update to 2.6.2
+ * bugfix-only release for 2.6 series
+* Fri Feb 6 2009 matejcik@suse.cz
+- excluded pyconfig.h and Makefile and Setup from -devel subpackage
+ to prevent file conflicts of python-base and python-devel
+* Thu Jan 15 2009 matejcik@suse.cz
+- fixed gettext.py problem with empty plurals line (bnc#462375)
+* Wed Jan 7 2009 olh@suse.de
+- obsolete old -XXbit packages (bnc#437293)
+* Mon Dec 15 2008 matejcik@suse.cz
+- removed bsddb directory from python-base, reenabled in python
+ ( bnc#441088 )
+* Mon Oct 20 2008 matejcik@suse.cz
+- added libpython and python-base to baselibs.conf (bnc#432677)
+- disabled test_smtplib for ia64 so that the package actually
+ gets built (bnc#436966)
+* Thu Oct 9 2008 matejcik@suse.cz
+- update to 2.6 final (version name is 2.6.0 to make upgrade from
+ 2.6rc2 possible)
+- replaced site.py hack with a .pth file to do the same thing
+ (cleaner solution that doesn't mess up documented behavior
+ and also fixes virtualenv, bnc#430761)
+- enabled profile optimized build
+- fixed %%py_requires macro (bnc#346490)
+- provide %%name = 2.6
+* Fri Sep 19 2008 matejcik@suse.cz
+- moved tests to %%check section
+- update to 2.6rc2, removing the last remaining security patch
+- included patch for https proxy support that resolves bnc#214983
+ (in a proper way) and bnc#298378
+- included fix for socket.ssl() behavior regression, fixing
+ bnc#426563
+* Wed Sep 17 2008 matejcik@suse.cz
+- included /etc/rpm/macros.python to fix the split-caused breakage
+* Tue Sep 16 2008 matejcik@suse.cz
+- applied bug-no-proxy patch from python#3879, which should improve
+ backwards compatibility (important i.e. for bzr)
+- moved python-xml to a subpackage of this (brings no additional
+ dependencies, so it can as well stay)
+- moved Makefile and pyconfig.h to python-base, removing the need
+ to have python-devel for installation
+- improved compatibility with older distros for 11.0
+- moved ssl.py and sqlite3 module to python package - they won't work
+ without their respective binary modules anyway
+* Mon Sep 15 2008 matejcik@suse.cz
+- updated to 2.6rc1 - bugfix-only pre-stable release
+- renamed python-base-devel to python-devel as it should be
+- removed macros from libpython package name
+* Fri Sep 12 2008 matejcik@suse.cz
+- moved python-devel to a subpackage of this
+- created libpython subpackage
+- moved essential files from -devel to -base, so that distutils
+ should now be able to install without -devel package
+* Fri Sep 12 2008 matejcik@suse.cz
+- split package, as per fate#305065
+- moved python-devel to be a subpackage of python-base
+- minor fixes & packaging cleanups
+* Wed Sep 10 2008 matejcik@suse.cz
+- fixed misapplied ssl-compat patch (caused segfaults when
+ opening SSL connections, bnc#425138 )
+* Wed Sep 3 2008 matejcik@suse.cz
+- updated to 2.6beta3 from BETA dist, summary of changes follows:
+ * patches update/cleanup
+ * removed failing tests (test_unicode, test_urllib2), those will
+ be reworked later to not fail
+ * fixed ncurses/panel.h include
+ * removed most security fixes, as they are already included in
+ this version
+ * removed imageop/rgbimg
+ (reasons: they only work in 32bit environment anyway, are
+ deprecated by upstream and have inherent security problems)
+ * fixed pythonstart script to trim history after 10000 lines
+ (bnc#399190)
+- 2.6beta3 is mostly stable release of the 2.6 series,
+ package will be updated to 2.6 final as soon as it comes out
+ (in the beginning of October)
+* Wed Jul 30 2008 matejcik@suse.cz
+- security fixes for issues mentioned in bnc#406051:
+ * CVE-2008-2315 - multiple integer overflows in basic types
+ * CVE-2008-2316 - partial hashing of huge data with hashlib
+ * CVE-2008-3142 - multiple buffer oveflows in unicode processing
+ * CVE-2008-3144 - possible integer over/underflow in mysnprintf
+ * buffer overflows in expandtabs() method (afaik no CVE assigned)
+- also mentioned CVE-2008-3143 is already fixed in python 2.5.2
+* Mon Jun 30 2008 schwab@suse.de
+- Work around autoheader bug.
+* Fri Jun 13 2008 schwab@suse.de
+- Fix configure script.
+* Thu Apr 24 2008 matejcik@suse.cz
+- proper path for html documentation from python-doc,
+ help text mentioning python-doc package in pydoc
+ (bnc#380942)
+* Wed Apr 16 2008 matejcik@suse.cz
+- PyString_FromStringAndSize now checks size parameter
+ (bnc#379534, CVE-2008-1721)
+* Tue Apr 15 2008 adrian@suse.de
+- disable DNS lookup test when running in build service.
+ The XEN build hosts have no network.
+* Thu Apr 10 2008 ro@suse.de
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+* Mon Apr 7 2008 schwab@suse.de
+- Limit virtual memory to avoid spurious testsuite failures.
+* Mon Mar 10 2008 matejcik@suse.cz
+- bnc#367853 turned out to be invalid, upstream is already on to
+ the real problem
+- forcing -fwrapv to compiler flags until upstream has a solution
+* Wed Feb 27 2008 matejcik@suse.cz
+- update to 2.5.2
+ - bugfix-only release, over 100 bugs fixed
+- removed hppa patch (already included)
+- disabled test_str until gcc issue bnc#367853 is resolved
+* Tue Nov 13 2007 matejcik@suse.cz
+- patched a bug in sqlite module that would cause segfault on
+ call to executescript()
+ - > TODO return and improve the patch
+* Mon Sep 3 2007 matejcik@suse.cz
+- replaced fdupes oneliner with %%fdupes macro
+- added /usr/bin/python2 symlink (#307097)
+- obsoletes python-elementtree and python-sqlite (#301182)
+ (obsoletes, but doesn't provide - the modules that obsolete those
+ packages are renamed and dependent packages need to be changed)
+* Fri Aug 24 2007 bg@suse.de
+- fix build on hppa
+* Fri Aug 3 2007 jmatejek@suse.cz
+- replaced duplicate files with hardlinks
+* Fri Jul 27 2007 jmatejek@suse.cz
+- removed emacs python-mode and dependency on emacs
+* Fri Jun 8 2007 jmatejek@suse.cz
+- revisited & explained failing tests
+- applied EINTR recovery patch (#278622)
+- experimental replacement of shebang strings,
+ removing dependency on /usr/bin/env
+* Thu May 24 2007 jmatejek@suse.cz
+- update to 2.5.1
+ - bugfix only release, over 150 bugs fixed
+ - fixes off-by-one memory leak in _localemodule.c
+ (#276889, CVE-2007-2052)
+- unnecessary patches removed, minor build cleanup
+- warns when attempting to use https proxy (#214983)
+* Mon May 21 2007 ro@suse.de
+- make setup.py accept db-4.5
+* Thu Mar 29 2007 aj@suse.de
+- Add ncurses-devel to BuildRequires.
+* Sat Mar 24 2007 aj@suse.de
+- Add libbz2-devel to BuildRequires.
+* Fri Mar 23 2007 rguenther@suse.de +- add gdbm-devel BuildRequires +* Mon Jan 8 2007 cthiel@suse.de +- fix sqlite3 support (#228733) +* Tue Sep 19 2006 jmatejek@suse.cz +- update to 2.5 final, going into STABLE dist +- issue with lib/python/config is not caused by dirs patch +* Wed Sep 13 2006 jmatejek@suse.cz +- update to 2.5c2 + - 2.5 final is expected next week +- removed testfiles.tar.bz2 from package due to copyright issues + (see #204867). Reminder: enable urlfetch or put it back (or both, + using Nosource) +* Tue Sep 5 2006 jmatejek@suse.cz +- update to 2.5c1 +- many new features, see http://www.python.org/dev/peps/pep-0356/ +- 64bit indices issue will require changes of modules, see + http://www.python.org/dev/peps/pep-0353/ for transition guidelines +- non-backwards-compatible changes, see + http://docs.python.org/dev/whatsnew/section-other.html + (this link is expected to die, so just search for "what's new in 2.5") +- open issues in build process: + - sed'ing out /usr/local/bin/python from files causes build to fail + if not filtered by grep (see %%prep section) - might be a bug in sed + - 2.3.3-dirs patch + --enable-shared + --libdir breaks build, + because "-L/usr/lib*/python2.5/config" is added instead of "-L." 
+ Workaround in 2.5c1-dirs-fix, should be replaced soon
+ - test_file fails in autobuild, but is OK when building manually
+ - test_nis fails in autobuild, probably due to a misconfiguration
+ on autobuild servers
+ - it might be good to create python-sqlite3 subpackage
+* Mon Apr 24 2006 jmatejek@suse.cz
+- update to 2.4.3
+ - no big changes, bugfix-only release (about 50 bugs fixed)
+* Wed Mar 15 2006 jmatejek@suse.cz
+- moved -doc and -doc-pdf into separate noarch specfile
+* Mon Feb 27 2006 jmatejek@suse.cz
+- implemented /usr/local path schemes for bug #149809
+ - python now recognizes packages in /usr/local/lib/python2.4
+ - distutils install by default into /usr/local/lib/python2.4/site-packages
+ - on 64bit systems that is of course lib64
+* Wed Jan 25 2006 mls@suse.de
+- converted neededforbuild to BuildRequires
+* Sat Jan 14 2006 kukuk@suse.de
+- Add gmp-devel to nfb
+* Mon Nov 28 2005 jmatejek@suse.cz
+- reenabled optimization on ppc64
+* Fri Nov 11 2005 nadvornik@suse.cz
+- fixed another bug in canonicalize patch [#133267]
+* Wed Oct 5 2005 jmatejek@suse.cz
+- update to 2.4.2
+- additional fixes to canonicalize patch, restored interactive mode
+* Mon Sep 26 2005 jmatejek@suse.cz
+- replaced the previous patch with a new one
+ - it now tries to use canonical_file_name(), falling back to realpath()
+ and eventually readlink
+ - canonical_file_name() branch now sets the buffer length
+* Fri Sep 23 2005 jmatejek@suse.cz
+- fixed to build with gcc's new buffer overflow checking
+ - added patch from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169046
+* Fri Apr 22 2005 schwab@suse.de
+- Always enable SSL bug workarounds.
+* Tue Apr 5 2005 mcihar@suse.cz
+- update to 2.4.1
+* Thu Mar 24 2005 uli@suse.de
+- fixed to build on ARM
+* Tue Mar 1 2005 mcihar@suse.cz
+- skip some test on ia64 for now
+* Tue Feb 8 2005 mcihar@suse.cz
+- mark configuration files as %%config
+* Tue Feb 1 2005 mcihar@suse.cz
+- fix vulnerability in SimpleXMLRPCServer (bug #50321, CAN-2005-0089)
+* Tue Dec 28 2004 mcihar@suse.cz
+- disable bsddb tests, it fails probably on all 64-bit
+* Thu Dec 23 2004 mcihar@suse.cz
+- make lib64 installation also work on others than x86_64
+* Mon Dec 20 2004 mcihar@suse.de
+- fixed build on ppc64
+ - update multiarch patch
+ - do not test bsddb internals
+ - remove optimalisation from flags, it breaks at least math
+* Mon Dec 20 2004 mcihar@suse.cz
+- added extra files needed for some tests (codecmaps and unicode normalisation)
+- enabled bsddb tests
+- reenabled test_shelve, as it works now
+* Thu Dec 16 2004 mcihar@suse.cz
+- update db 4.3 patch
+- fix bdist_rpm when spec file generates more than one rpm
+* Tue Dec 14 2004 bg@suse.de
+- disable tests for hppa
+* Mon Dec 6 2004 mcihar@suse.cz
+- fix bsddb module for current bsddb
+- improved readline detection
+* Fri Dec 3 2004 mcihar@suse.cz
+- updated documentation to 2.4
+* Wed Dec 1 2004 mcihar@suse.cz
+- don't use wctype functions from glibc, it breaks at some situations
+- enable tests during compilation, removing currently known failures
+* Tue Nov 30 2004 mcihar@suse.cz
+- update to 2.4 final
+* Wed Nov 24 2004 mcihar@suse.cz
+- yet another ignore list update, ignore man and locale dirs
+* Wed Nov 24 2004 mcihar@suse.cz
+- ignore /etc and avoid infinite loop while generating directory list
+* Wed Nov 24 2004 mcihar@suse.cz
+- ignore one more directories in file list generating
+- handle correctly headers path in file list generating
+- handle extra_dir in file list generating
+- use same way as mandrake to support lib64, at least it's a bit cleaner
+ solution than we had, so we now also have sys.lib
+- audioop is now enabled on 64-bit
+* Tue Nov 23 2004 mcihar@suse.cz
+- updated to 2.4c1 (2.4 release candidate 1)
+- dropped python-mpz package as it was dropped by upstream
+- completely rewritten and much simplified rpm file list generation, if you
+ have problems with new version, please drop me a note
+- install also /etc/profile.d/python.csh
+* Tue Aug 24 2004 mcihar@suse.cz
+- updated README.SUSE
+- added startup script, which enables saving of history and completion
+ for interactive usage
+* Thu May 27 2004 mcihar@suse.cz
+- update to 2.3.4 final (no changes from rc 1)
+* Wed May 19 2004 mcihar@suse.cz
+- update to 2.3.4 release candidate 1 (obsoletes some patches taken from cvs)
+- forcing of large file support is not needed (for quite a long time)
+- updated README.SUSE
+* Tue Mar 16 2004 mcihar@suse.cz
+- included some fixes from cvs:
+ - fix possible segfault in bsddb
+ - urllib2 supports non-anonymous ftp and absolute paths
+ - fixed GC problems in PyWeakref_NewRef
+* Thu Mar 11 2004 mcihar@suse.cz
+- fix readline with utf-8 (bug #34302)
+* Wed Mar 3 2004 mcihar@suse.cz
+- obsoletes python21
+* Thu Feb 26 2004 mcihar@suse.cz
+- all subpackages depend on current python version
+* Thu Feb 19 2004 mcihar@suse.cz
+- fix Lib/email/Charset.py for use in some locales
+- fix format string in zipimport module
+- use system readline
+- add more IPV6 socket options
+- use sed instead of perl for replacing
+- include LICENSE
+* Sat Jan 10 2004 adrian@suse.de
+- build as user
+* Mon Jan 5 2004 mcihar@suse.cz
+- updated to 2.3.3 (final)
+- call %%{run_ldconfig} in post and postun
+- libpython.2.3.so symlink moved to devel package (bug #33779)
+* Fri Dec 12 2003 mcihar@suse.cz
+- updated to 2.3.3 (release candidate 1)
+* Tue Nov 18 2003 mcihar@suse.cz
+- use wchar_t functions from libc, this reduces size of interpreter
+* Mon Oct 27 2003 kukuk@suse.de
+- Remove useless Requires
+- Remove not used packages from neededforbuild
+* Fri Oct 3 2003 mcihar@suse.cz
+- updated to 2.3.2
+ - A bug in autoconf that broke building on HP/UX systems is fixed.
+ - A bug in the Python configure script that meant os.fsync() was
+ never available is fixed.
+* Thu Oct 2 2003 mcihar@suse.cz
+- force use of directories passed to configure script (-dirs.patch), bug #31947
+* Mon Sep 29 2003 mcihar@suse.cz
+- updated to 2.3.1, most of changes were alredy included in -cvs.patch
+- not so verbose untaring
+* Thu Sep 11 2003 mcihar@suse.cz
+- included fixes from cvs (branch release23-maint), this fixes some
+ memory leaks and other bugs (-cvs.patch)
+- nicer output from pydoc (-pydoc.patch)
+- cleaned up configure parameters
+- compiling with -Wall
+* Wed Sep 10 2003 mcihar@suse.cz
+- build as shared
+* Wed Sep 3 2003 mcihar@suse.cz
+- python now obsoletes python-nothreads (bug #29907)
+* Thu Aug 14 2003 mcihar@suse.cz
+- fixed symlinks to configuration files
+- cleaned up spec file
+* Wed Aug 6 2003 mcihar@suse.cz
+- updated lib64 patch
+* Tue Aug 5 2003 mcihar@suse.cz
+- updated to final 2.3, some highlights:
+ * Python 2.3 is about 20-30%% faster than Python 2.2.3
+ * Brand new IDLE
+ * Some new or upgraded built-ins, includes better support for
+ unicode, new bool type...
+ * Lots of upgraded or new modules and packages.
+ * PYTHONINSPECT variabale that can cause python to behave as it
+ was executed with -i parameter.
+* Mon Jul 28 2003 ro@suse.de
+- added tk-devel to neededforbuild
+* Thu Jun 26 2003 mcihar@suse.cz
+- updated to cvs snapshot, mostly because of finally correct DESTDIR
+ support, to avoid buildroot leftovers
+* Tue Jun 24 2003 mcihar@suse.cz
+- better excluding site-packages from generated dirlist
+* Tue Jun 17 2003 mcihar@suse.cz
+- ignore site-packages and share directories for filelists
+- include install dir if not site-packages in filelists
+* Tue Jun 17 2003 mcihar@suse.cz
+- better handle mutliple level of install directories when
+ generating %%dir entries
+* Mon Jun 16 2003 mcihar@suse.cz
+- one more distutils patch update:
+ * fix generating of dirs in chrooted installs for install_data
+ * don't include directory for install_scripts
+* Mon Jun 16 2003 mcihar@suse.cz
+- updated patch to work around problems with self defined get_outputs
+* Mon Jun 16 2003 mcihar@suse.cz
+- modified distutils to allow generating complete file list for rpm
+ (including directories with %%dir macro), to use this use
+ - -record-rpm= instead of --record=
+* Thu Jun 5 2003 mcihar@suse.cz
+- move documentation where it was in 2.2 versions
+- fixed permissions for some scripts in devel package
+* Thu May 29 2003 mcihar@suse.cz
+- cleaned up specfile
+- make executable only files that should be
+* Mon May 19 2003 mcihar@suse.cz
+- removed .cvsignore files
+* Tue Apr 29 2003 mcihar@suse.cz
+- updated lib64 patch
+* Mon Apr 28 2003 mcihar@suse.cz
+- updated to 2.3b1, some highlights:
+ - sum() builtin, adds a sequence of numbers, beats reduce().
+ - csv module, reads comma-separated-value files (and more).
+ - timeit module, times code snippets.
+ - os.walk(), a generator slated to replace os.path.walk().
+ - platform module, by Marc-Andre Lemburg, returns detailed platform
+ information.
+* Thu Apr 10 2003 mcihar@suse.cz
+- added DEFS to config/Makefile as it was in 2.2
+* Wed Apr 2 2003 mcihar@suse.cz
+- updated lib64 patch
+- fixed list of built modules for 64-bit arches
+* Tue Apr 1 2003 mcihar@suse.cz
+- updated to python 2.3 alpha 2
+ - updated many builtins and modules
+ - new modules: bsddb, bz2, datetime, logging, optparse, sets,
+ textwrap, zipimport,
+ - some general things have changed:
+ - Hex/oct literals prefixed with a minus sign were handled
+ inconsistently.
+ - Package index and metadata for distutils.
+ - Encoding declarations - you can put a comment of the form
+ "# -*- coding: -*-" in the first or second line of a Python
+ source file to indicate the encoding (e.g. utf-8).
+ - Import from zipfiles.
+ - see Misc/NEWS in documentation or python website -
+ http://python.org/2.3/highlights.html for more details
+- moved distutils into -devel package
+- cleaned up specfile
+* Tue Apr 1 2003 mcihar@suse.cz
+- removed RPM_BUILD_ROOT leftovers (bug #25963)
+* Thu Mar 6 2003 kukuk@suse.de
+- Provide/Obsolete python-tkinter
+* Tue Jan 28 2003 mcihar@suse.cz
+- idle symlink corrected for lib64
+- fixed LIBDEST path for distutils, closes #22322
+* Fri Jan 10 2003 mcihar@suse.cz
+- fixed distutils for lib64
+* Wed Dec 18 2002 mcihar@suse.cz
+- improved blt detection for tkinter
+- build with detected version of tix
+- enabled SIGFPE catching
+- enabled signal module
+- enabled C++ support
+* Fri Nov 29 2002 mcihar@suse.cz
+- enabled ipv6 support
+- no apache is needed for building
+- python-nothreads is not built anymore as is seems that mod_python
+ works correctly woth python 2.2.2 and threads
+- Makefile also copied to config directory in rpm
+* Wed Nov 27 2002 adrian@suse.de
+- Makefile.pre* to config directory
+ (following the official spec file change)
+* Fri Nov 8 2002 mcihar@suse.cz
+- fixed bad source number for suse-start-python-mode.el
+* Thu Nov 7 2002 mcihar@suse.cz
+- fixed %%files section for idle on lib64 arches
+* Wed Nov 6 2002 mcihar@suse.cz
+- included python-mode.el for emacs
+- idle moved from demos to separate package
+- merged tk and tkinter
+* Wed Oct 30 2002 mcihar@suse.cz
+- removed not needed l2h and tetex from neededforbuild
+* Wed Oct 30 2002 ro@suse.de
+- changed neededforbuild to
+* Wed Oct 23 2002 mcihar@suse.cz
+- updated to 2.2.2 (bugfix release)
+- moved python-korean into separate source package
+* Tue Sep 17 2002 ro@suse.de
+- removed bogus self-provides
+* Tue Sep 10 2002 kukuk@suse.de
+- Add provides for correct update
+* Thu Sep 5 2002 ro@suse.de
+- remove l2h from neededforbuild (apparently no longer used)
+* Wed Aug 14 2002 ro@suse.de
+- no fpectl.so on alpha
+* Tue Aug 13 2002 uli@suse.de
+- rediffed lib64 patch
+* Thu Aug 8 2002 vinil@suse.de
+- new version 2.2.1
+- new version of Korean codes 2.0.5
+ and splitted to standalone package 'python-korean'
+- get rid of Makefile.pre.in
+- clean part added to spec
+* Sun Jul 28 2002 kukuk@suse.de
+- removed termcap and tetex from neededforbuild (not used)
+* Fri Jul 26 2002 adrian@suse.de
+- fix neededforbuild
+* Tue Jun 11 2002 meissner@suse.de
+- add ppc64 to list of 64bit archs that don't compile 3 of the plugins.
+* Tue Jun 4 2002 stepan@suse.de
+- change more locations of lib to %%{_lib} on platforms
+ that need it.
+- change Makefile to use install -d instead of mkdir
+ to solve trouble when installing in buildroots.
+* Mon Jun 3 2002 stepan@suse.de
+- Change config/Makefile and config/Makefile.pre.in
+ to use %%_lib instead of lib (fixes i.e. zope)
+* Fri May 17 2002 sf@suse.de
+- changed site.py to detect the correct location (is needed at least for
+ postresql to build
+- it still needs to be corrected, as only 64-bit excutable shlibs
+ have to reside in */lib64
+* Wed May 15 2002 coolo@suse.de
+- fixing file list for s390x
+* Tue May 14 2002 ro@suse.de
+- use libdir
+- try to get this working with lib64
+* Mon May 6 2002 schwab@suse.de
+- Build python library with -fPIC, for inclusion in shared library.
+* Wed Apr 17 2002 schwab@suse.de
+- Fix detection of readline library (use -lncurses instead of -ltermcap).
+* Sat Mar 23 2002 ro@suse.de
+- changed neededforbuild to
+* Thu Jan 31 2002 ro@suse.de
+- changed neededforbuild to
+* Wed Jan 9 2002 rvasice@suse.cz
+- used correct Makefile.pre.in
+* Wed Jan 9 2002 rvasice@suse.cz
+- added Makefile.pre.in to enable build other python packages
+* Mon Jan 7 2002 rvasice@suse.cz
+- update to version 2.2
+- recreated modules list
+* Mon Dec 17 2001 ro@suse.de
+- fixed for gmp-4.x
+* Mon Sep 3 2001 rvasice@suse.cz
+- added patch for Large File Support
+* Mon Aug 27 2001 rvasice@suse.cz
+- removed conflicting file /etc/susehelp.d/pythonhtml.conf from
+ subpackage python-doc
+* Fri Aug 17 2001 schwab@suse.de
+- Compile python library with -fPIC to allow inclusion in shared
+ libraries.
+- Fix configure check for rl_completion_matches.
+- Replace use of config.guess by %%ifarch.
+* Mon Aug 13 2001 ro@suse.de +- added regex module (needed for yodl) +- filelist probably needs re-check +* Mon Jul 30 2001 rvasice@suse.cz +- fix /usr/local path +* Fri Jul 27 2001 rvasice@suse.cz +- update to version 2.1.1 +* Tue May 8 2001 mfabian@suse.de +- bzip2 sources +* Fri Apr 13 2001 kukuk@suse.de +- fix build with new readline library +* Wed Apr 11 2001 utuerk@suse.de +- added pythonhtml.conf for susehelp +* Fri Feb 23 2001 ro@suse.de +- changed neededforbuild to +* Thu Feb 22 2001 ro@suse.de +- added readline/readline-devel to neededforbuild (split from bash) +* Mon Jan 22 2001 kukuk@suse.de +- Use -fPIC +* Tue Jan 16 2001 schwab@suse.de +- Compile python library with -fpic so that it can be included in a + shared library (for mod_python). +* Mon Jan 15 2001 mt@suse.de +- added uc-kr codec, thanks to Hwang, SangJin +* Sun Dec 31 2000 schwab@suse.de +- Fix filelist for ia64. +* Mon Dec 18 2000 mt@suse.de +- added sub-package python-nothreads for mod_python apache-module +- added Obsoletes for old 8.3 packages names +* Wed Dec 6 2000 mt@suse.de +- cleaned up pythons tk dependencies +* Thu Nov 30 2000 ro@suse.de +- fixed tix-link +* Wed Nov 29 2000 ro@suse.de +- changed neededforbuild to +* Mon Nov 27 2000 mt@suse.de +- changed libnetpb to libnetpbm in neededforbuild +- changed file-list in python-devel +* Thu Nov 23 2000 mt@suse.de +- added openssl-devel to neededforbuild +* Wed Nov 22 2000 mt@suse.de +- removed site-packages from Setup.in patch +- python-64bit.patch should be used on all 64bit platforms +* Sun Nov 19 2000 mt@suse.de +- updated to BeOpen-Python-2.0 +* Fri Oct 27 2000 kukuk@suse.de +- Use long filenames +- Fix some paths +- Include +* Wed Jul 5 2000 mt@suse.de +- added anydbm (whichdb.py) patch from www.tummy.com +* Sat May 27 2000 kukuk@suse.de +- Use libtk8.3.so and libtcl8.3.so +* Thu May 4 2000 kukuk@suse.de +- Fix filelist for new doc dir +* Mon Mar 13 2000 ro@suse.de +- fixed filelist for alpha +* Wed Mar 1 2000 werner@suse.de +- 
Fix config.guess selection +* Wed Feb 16 2000 uli@suse.de +- passing MANDIR to "make install libinstall" (seems like it gets + lost somewhere) +* Tue Feb 15 2000 ro@suse.de +- man to /usr/share using macro +* Tue Feb 15 2000 mt@suse.de +- stripped the python binary +* Mon Oct 11 1999 max@suse.de +- ready for the new Tcl/Tk packages +* Mon Sep 27 1999 bs@suse.de +- fixed requirements for sub packages +* Mon Sep 20 1999 ro@suse.de +- added python_image_lib as requires to pyth_tk and as provides to pyth_tkl +* Mon Sep 13 1999 bs@suse.de +- ran old prepare_spec on spec file to switch to new prepare_spec. +* Mon Jun 7 1999 mt@suse.de +- disabled pyth_dvi module in spec-file +* Wed May 26 1999 ro@suse.de +- added libpng to neededforbuild +* Wed May 26 1999 ro@suse.de +- added blt to neededforbuild +* Tue May 25 1999 mt@suse.de +- new version 1.5.2 +- splited into sub-packages: pyth_doc, pyth_ps, pyth_pdf, + pyth_dvi, pyth_dmo, pyth_tk, pyth_tkl, pyth_cur, pythgdbm + to have better base-package compatibility to andrich.net. +* Thu Mar 18 1999 ro@suse.de +- don't set POSIXLY_CORRECT for second patch +* Mon Jan 18 1999 ro@suse.de +- added automake to neededforbuild +- alpha-fix: don't mix up dec-osf with linux-alpha +* Tue Dec 1 1998 mt@suse.de +- removed TkInter into a separate package - pyth_tk - to make it + possible to replace it with a PIL based TkInter (Python Imaging + Lib) and better package dependecies (not each app needs TkInter) +- removed Makefile.Linux - all build is done from spec file now +- more /usr/local path fixes +* Fri Nov 6 1998 ro@suse.de +- added automake to neededforbuild +- configure with threads +* Thu Nov 5 1998 ro@suse.de +- use db_185.h only for glibc-2.1 +* Wed Sep 23 1998 ro@suse.de +- two hacks to compile for glibc: + Modules/bsddbmodule.c include db_185.h for glibc + Modules/mpzmodule.c gmp-mparam.h dont exist for glibc / use define +* Sun Aug 23 1998 ke@suse.de +- Compress PostScript docu. 
+* Mon Aug 17 1998 mt@suse.de +- linked readline- and curses-modules with ncurses +* Fri Aug 7 1998 mt@suse.de +- python modules - file permissions changed (-x) +* Sat Jul 11 1998 bs@suse.de +- fixed neededforbuild +* Wed Jul 8 1998 mt@suse.de +- new revision 1.5.1 +- docu in a separate package (pyth_doc) +- Tkinter uses tk8.0/tcl8.0 now +- first attempt to make it "alpha ready" (spec- & dif-file) +* Mon Mar 2 1998 ro@suse.de +- fixed dependency to /usr/local/bin/python +* Mon Feb 9 1998 ro@suse.de +- added some in neededforbuild +* Wed Feb 4 1998 mt@suse.de +- new Version 1.5 with more features, html documentation and new modules +* Mon Sep 15 1997 mt@suse.de +- added support for readline and (shared) modules: tkinter, dbm, gdbm, + syslog, ncurses, ... - see /usr/lib/python1.4/config/Setup for details +* Thu Jun 5 1997 mt@suse.de +- new Version 1.4 +- a symlink (python -> python1.4) will be used instead of a hardlink diff --git a/python.spec b/python.spec new file mode 100644 index 0000000..8ed7190 --- /dev/null +++ b/python.spec 
@@ -0,0 +1,623 @@ +# +# spec file for package python +# +# Copyright (c) 2022-2023 ZhuningOS +# + +Name: python +Version: 2.7.18 +Release: 150000.57.1 +Summary: Python Interpreter +License: Python-2.0 +Group: Development/Languages/Python +URL: https://www.python.org/ +%define tarversion %{version} +%define tarname Python-%{tarversion} +Source0: https://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz +Source1: README.SUSE +Source8: sle_tls_checks_policy.py +#Source11: testfiles.tar.bz2 +Source50: idle.appdata.xml +Source51: idle.desktop +# issues with copyrighted Unicode testing files +# For Patch 66 +Source66: recursion.tar + +# !!!!!!!!!!!!!! +# do not add or edit patches here. please edit python-base.spec +# instead and run pre_checkin.sh +# !!!!!!!!!!!!!! +# COMMON-PATCH-BEGIN +Patch1: python-2.7-dirs.patch +Patch2: python-distutils-rpm-8.patch +Patch3: python-2.7.5-multilib.patch +Patch4: python-2.5.1-sqlite.patch +Patch5: python-2.7.4-canonicalize2.patch +Patch7: python-2.6-gettext-plurals.patch +Patch8: python-2.6b3-curses-panel.patch +Patch10: sparc_longdouble.patch +Patch13: python-2.7.2-fix_date_time_compiler.patch +Patch17: remove-static-libpython.patch +# PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. 
+Patch20: python-bundle-lang.patch +# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 +Patch22: python-2.7-libffi-aarch64.patch +Patch24: python-bsddb6.patch +# PATCH-FIX-UPSTREAM accept directory-based CA paths as well +Patch33: python-2.7.9-ssl_ca_path.patch +# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients +Patch34: python-2.7.9-sles-disable-verification-by-default.patch +# PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py +Patch35: do-not-use-non-ascii-in-test_ssl.patch +# PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly +Patch38: reproducible.patch +# bypass boo#1078485 random failing tests +Patch40: python-skip_random_failing_tests.patch +# PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 +Patch41: python-sorted_tar.patch +# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834) +Patch47: openssl-111-middlebox-compat.patch +# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE +Patch48: openssl-111-ssl_options.patch +# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com +# gh#python/cpython#11569 +# Fix segfault in ssl's cert parser +Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch +# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com +# Initialize sysconfig variables in test_site. 
+Patch50: bpo36160-init-sysconfig_vars.patch +# PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com +# Add check for channels of wav file in Lib/wave.py +Patch51: CVE-2017-18207.patch +# PATCH-FIX-UPSTREAM gh#python/cpython#12341 +Patch55: bpo36302-sort-module-sources.patch +# Fix installation in /usr/local (boo#1071941), adapted from Fedora +# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch +# Set values of prefix and exec_prefix in distutils install command +# to /usr/local if executable is /usr/bin/python* and RPM build +# is not detected to make pip and distutils install into separate location +Patch56: adapted-from-F00251-change-user-install-location.patch +# Switch couple of tests failing on acient SLE-12 +Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch +# PATCH-FIX-UPSTREAM configure_PYTHON_FOR_REGEN.patch bsc#1078326 mcepl@suse.com +# PYTHON_FOR_REGEN value is set very weird upstream +Patch60: configure_PYTHON_FOR_REGEN.patch +# PATCH-FIX-SLE CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com +# buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution +Patch61: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch +# PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com +# this patch makes things totally awesome +Patch62: CVE-2021-23336-only-amp-as-query-sep.patch +# PATCH-FIX-UPSTREAM CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 
gh#python/cpython#25916 +Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM CVE-2021-3733-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch +# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build +Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch +# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com +# Make ftplib not trust the PASV response. (gh#python/cpython#24838) +Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch +# PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com +# whole long discussion is on bpo#43882 +# fix for santization URLs containing ASCII newline and tabs in urllib.parse +Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch +# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com +# avoid the command injection in the mailcap module. 
+Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch +# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 +# Coerce // to / in Lib/BaseHTTPServer.py +Patch71: CVE-2021-28861-double-slash-path.patch +Patch72: bpo34990-2038-problem-compileall.patch +# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com +# Avoid DoS by decoding IDNA for too long domain names +Patch73: CVE-2022-45061-DoS-by-IDNA-decode.patch +# PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com +# switching verification off on the old SLE doesn't work +Patch74: skip_unverified_test.patch +# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com +# blocklist bypass via the urllib.parse component when supplying +# a URL that starts with blank characters +Patch75: CVE-2023-24329-blank-URL-bypass.patch +# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com +# Build documentation even without PygmentsBridge.trim_doctest_flags +Patch76: PygmentsBridge-trime_doctest_flags.patch +# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com +# # Detect email address parsing errors and return empty tuple to +# # indicate the parsing error (old API) +# Patch77: CVE-2023-27043-email-parsing-errors.patch +# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com +# Reject entity declarations in plists +Patch78: CVE-2022-48565-plistlib-XML-vulns.patch +# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 +Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch +# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com +# Make compare_digest more constant-time +Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# COMMON-PATCH-END +BuildRequires: automake +BuildRequires: db-devel +BuildRequires: fdupes +BuildRequires: gdbm-devel +BuildRequires: gmp-devel +BuildRequires: libbz2-devel +# 
This is NOT switching off NIS support on SLE < 15, +# support for NIS used to be in the glibc itself +%if 0%{?suse_version} >= 1500 && 0%{?suse_version} < 1599 +BuildRequires: libnsl-devel +%endif +%if 0%{?suse_version} >= 1500 +BuildRequires: libopenssl-1_1-devel +%else +BuildRequires: libopenssl-devel +%endif +BuildRequires: ncurses-devel +BuildRequires: readline-devel +BuildRequires: sqlite-devel +BuildRequires: tk-devel +BuildRequires: xz +BuildRequires: pkgconfig(x11) +# for %%{_datadir}/application and %%{_datadir}/mime/packages +BuildRequires: filesystem +BuildRequires: update-desktop-files +# for %%{_datadir}/icons/hicolor directories +BuildRequires: hicolor-icon-theme +%define python_version %(echo %{tarversion} | head -c 3) +%define idle_name idle +Requires: python-base = %{version} +%if %{suse_version} == 1315 && !0%{?is_opensuse} +Recommends: python-strict-tls-check +%endif +Provides: %{name} = %{python_version} +Provides: python2 = %{version} +# To make older versions of this package to conflict with +# shared-python-startup I need a symbol to conflict with +Provides: python2_split_startup +Obsoletes: python-elementtree +Obsoletes: python-nothreads +Obsoletes: python-sqlite +Obsoletes: python21 +# bug437293 +%ifarch ppc64 +Obsoletes: python-64bit +%endif +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +Python is an interpreted, object-oriented programming language, and is +often compared to Tcl, Perl, Scheme, or Java. You can find an overview +of Python in the documentation and tutorials included in the python-doc +(HTML) or python-doc-pdf (PDF) packages. + +If you want to install third party modules using distutils, you need to +install python-devel package. 
+ +%package idle +Summary: An Integrated Development Environment for Python +Group: Development/Languages/Python +Requires: python-base = %{version} +Requires: python-tk +Provides: python2-idle = %{version} + +%description idle +IDLE is a Tkinter based integrated development environment for Python. +It features a multi-window text editor with multiple undo, Python +colorizing, and many other things, as well as a Python shell window and +a debugger. + +%package demo +Summary: Python Demonstration Scripts +Group: Development/Languages/Python +Requires: python-base = %{version} +Provides: pyth_dmo +Obsoletes: pyth_dmo +Provides: python2-demo = %{version} + +%description demo +Various demonstrations of what you can do with Python and a number of +programs that are useful for building or extending Python. + +%package tk +Summary: TkInter - Python Tk Interface +Group: Development/Libraries/Python +Requires: python-base = %{version} +Provides: pyth_tk +Provides: pyth_tkl +Provides: python-tkinter +Provides: python_tkinter_lib +#%ifarch %ix86 +#Provides: _tkinter.so +#%endif +Obsoletes: pyth_tk +Obsoletes: pyth_tkl +Obsoletes: python-tkinter +Provides: python2-tk = %{version} + +%description tk +Python interface to Tk. Tk is the GUI toolkit that comes with Tcl. + +%package curses +Summary: Python Interface to the (N)Curses Library +Group: Development/Libraries/Python +Requires: python-base = %{version} +Obsoletes: pyth_cur +Provides: pyth_cur +Provides: python2-curses = %{version} + +%description curses +An easy to use interface to the (n)curses CUI library. CUI stands for +Console User Interface. 
+ +%package gdbm +Summary: Python Interface to the GDBM Library +Group: Development/Libraries/Python +Requires: python-base = %{version} +Obsoletes: pygdmod +Provides: pygdmod +Provides: python2-gdbm = %{version} +# Compat to allow BR on python_module dbm and have it properly +# pull in gdbm on py2 and dbm on py3 +Provides: python-dbm = %{version} +Provides: python2-dbm = %{version} + +%description gdbm +An easy to use interface for GDBM databases. GDBM is the GNU +implementation of the standard Unix DBM databases. + +%if %{suse_version} == 1315 && !0%{?is_opensuse} +%package strict-tls-check +Summary: Enable secure verification of TLS certificates +Group: Development/Libraries/Python +Requires: %{name} = %{version} +Supplements: %{name} + +%description strict-tls-check +When this package is present, Python performs strict verification of +TLS certificates, including hostname check, by default. This is +the preferred secure setting. + +It is distributed as a separate package, because this behavior +can cause verification errors in improperly written legacy scripts +that rely on earlier non-verification behavior. 
+%endif + +%prep +%setup -q -n %{tarname} +# COMMON-PREP-BEGIN +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch7 -p1 +%patch8 -p1 +%patch10 -p1 +%patch13 -p1 +%patch17 -p1 +%patch20 -p1 +%patch22 -p1 +%patch24 -p1 +%patch33 -p1 +%if %{suse_version} < 1500 && !0%{?is_opensuse} +%patch34 -p1 +%endif +%patch35 -p1 +%patch38 -p1 +%ifarch ppc ppc64 ppc64le +%patch40 -p1 +%endif +%patch41 -p1 +%if %{suse_version} >= 1500 || (0%{?sle_version} && 0%{?sle_version} >= 120400) +%patch47 -p1 +%patch48 -p1 +%endif +# SLE-12 needs to skip more +%if %{suse_version} == 1315 +%patch57 -p1 +%endif +%patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch55 -p1 +%patch56 -p1 +%patch58 -p1 +%patch59 -p1 +%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 +%patch66 -p1 +%patch67 -p1 +%patch68 -p1 +%patch69 -p1 +%patch70 -p1 +%patch71 -p1 +%patch72 -p1 +%patch73 -p1 +%if 0%{?sle_version} && 0%{?sle_version} < 150000 +%patch74 -p1 +%endif +%patch75 -p1 +%patch76 -p1 +# %%patch77 -p1 +%patch78 -p1 +%patch79 -p1 +%patch80 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar + +# drop Autoconf version requirement +sed -i 's/^version_required/dnl version_required/' configure.ac +# COMMON-PREP-END + +%if %{suse_version} == 1315 && !0%{?is_opensuse} +cp %{SOURCE8} Lib/ +%endif + +%build +%define _lto_cflags %{nil} +export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv" + +autoreconf -f -i . # Modules/_ctypes/libffi +# prevent make from trying to rebuild asdl stuff, which requires existing +# python installation +touch Parser/asdl* Python/Python-ast.c Include/Python-ast.h + +%configure \ + --docdir=%{_docdir}/python \ + --enable-ipv6 \ + --with-fpectl \ + --enable-shared \ + --enable-unicode=ucs4 + +LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH \ + make %{?_smp_mflags} + +%check +# on hppa, the threading of glibc is quite broken. 
The tests just stop +# at some point, and the machine does not build anything more until a +# timeout several hours later. +%ifnarch hppa +# Limit virtual memory to avoid spurious failures +if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then + ulimit -v 10000000 || : +fi +LIST="test_urllib test_ssl test_hashlib test_hmac test_unicodedata test_tarfile test_sqlite test_tcl test_dbm test_anydbm test_dumbdbm test_gdbm test_whichdb test_tk test_ttk_textonly test_bsddb test_bsddb3 test_readline" +make test TESTOPTS="-w $LIST" TESTPYTHONOPTS="-R" +%endif + +%install +# replace rest of /usr/local/bin/python or /usr/bin/python2.x with /usr/bin/python +find . -name '*.py' -type f | grep -vE "^./Parser/|^./Python/" \ + | xargs grep -lE '^#! *(/usr/.*bin/(env +)?)?python' \ + | xargs sed -r -i -e '1s@^#![[:space:]]*(/usr/(local/)?bin/(env +)?)?python([0-9]+\.[0-9]+)?@#!/usr/bin/python@' +# the grep inbetween makes it much faster +######################################## +# install it +######################################## +%make_install OPT="%{optflags} -fPIC" +######################################## +# some cleanups +######################################## +# remove hard links and replace them with symlinks +for dir in bin include %{_lib} ; do + rm -f %{buildroot}/%{_prefix}/$dir/python + ln -s python%{python_version} %{buildroot}/%{_prefix}/$dir/python +done +# kill imageop.so, it's insecure +rm -f %{buildroot}/%{_libdir}/python%{python_version}/lib-dynload/imageop.so +#cleanup for -base +rm %{buildroot}%{_bindir}/python%{python_version} +rm %{buildroot}%{_bindir}/python2 +rm %{buildroot}%{_bindir}/python +rm %{buildroot}%{_bindir}/smtpd.py +rm %{buildroot}%{_bindir}/pydoc +rm %{buildroot}%{_bindir}/2to3 +rm %{buildroot}%{_mandir}/man1/python* +rm %{buildroot}%{_libdir}/libpython*.so.* +rm %{buildroot}%{_libdir}/python +find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 \ + ! 
\( -name "ssl.py*" -o -name "sle_tls_checks_policy.py*" \) \ + -exec rm {} ";" +rm %{buildroot}%{_bindir}/python%{python_version}-config +rm %{buildroot}%{_bindir}/python2-config +rm %{buildroot}%{_bindir}/python-config +rm %{buildroot}%{_libdir}/pkgconfig/* +rm -r %{buildroot}%{_includedir}/python +rm -r %{buildroot}%{_includedir}/python%{python_version} +rm -r %{buildroot}%{_libdir}/python%{python_version}/compiler +rm -r %{buildroot}%{_libdir}/python%{python_version}/config +rm -r %{buildroot}%{_libdir}/python%{python_version}/ctypes +rm -r %{buildroot}%{_libdir}/python%{python_version}/distutils +rm -r %{buildroot}%{_libdir}/python%{python_version}/email +rm -r %{buildroot}%{_libdir}/python%{python_version}/encodings +rm -r %{buildroot}%{_libdir}/python%{python_version}/ensurepip +rm -r %{buildroot}%{_libdir}/python%{python_version}/hotshot +rm -r %{buildroot}%{_libdir}/python%{python_version}/importlib +rm -r %{buildroot}%{_libdir}/python%{python_version}/json +rm -r %{buildroot}%{_libdir}/python%{python_version}/lib2to3 +rm -r %{buildroot}%{_libdir}/python%{python_version}/logging +rm -r %{buildroot}%{_libdir}/python%{python_version}/multiprocessing +rm -r %{buildroot}%{_libdir}/python%{python_version}/plat-* +rm -r %{buildroot}%{_libdir}/python%{python_version}/pydoc_data +rm -r %{buildroot}%{_libdir}/python%{python_version}/test +rm -r %{buildroot}%{_libdir}/python%{python_version}/unittest +rm -r %{buildroot}%{_libdir}/python%{python_version}/wsgiref +rm -r %{buildroot}%{_libdir}/python%{python_version}/xml +rm %{buildroot}%{_libdir}/libpython%{python_version}.so +rm %{buildroot}%{_libdir}/python%{python_version}/site-packages/README +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_bisect.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_csv.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_collections.so +rm -f %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_ctypes.so +rm 
%{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_ctypes_test.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_elementtree.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_functools.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_heapq.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_hotshot.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_io.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_json.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_locale.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_lsprof.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_multiprocessing.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_random.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_socket.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_struct.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_testcapi.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/array.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/binascii.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/bz2.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/cPickle.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/cStringIO.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/cmath.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/crypt.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/datetime.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/fcntl.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/future_builtins.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/grp.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/itertools.so +rm 
%{buildroot}%{_libdir}/python%{python_version}/lib-dynload/linuxaudiodev.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/math.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/mmap.so +rm -f %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/nis.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/operator.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/ossaudiodev.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/parser.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/pyexpat.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/resource.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/select.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/spwd.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/strop.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/syslog.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/termios.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/time.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/unicodedata.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/zlib.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_codecs*.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/_multibytecodec.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/audioop.so +rm -f %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/dl.so +rm %{buildroot}%{_libdir}/python%{python_version}/lib-dynload/Python-%{tarversion}-py%{python_version}.egg-info +# replace duplicate .pyo/.pyc with hardlinks +%fdupes %{buildroot}/%{_libdir}/python%{python_version} +######################################## +# documentation +######################################## +export PDOCS=%{buildroot}%{_docdir}/%{name} +install -d -m 755 $PDOCS +install -c -m 644 %{SOURCE1} $PDOCS/ +install -c -m 644 
LICENSE $PDOCS/ +install -c -m 644 README $PDOCS/ +######################################## +# tools and demos +######################################## +find Tools/ Demo/ -type d \( -regex ".*/.cvsignore" \) -exec rm -f \{\} \; +for x in `find Tools/ Demo/ \( -not -name Makefile \) -print | sort` ; do + test -d $x && ( install -c -m 755 -d $PDOCS/$x ) \ + || ( install -c -m 644 $x $PDOCS/$x ) +done +######################################## +# idle +######################################## +# move idle config into /etc +install -d -m755 %{buildroot}%{_sysconfdir}/%{idle_name} +( + cd %{buildroot}/%{_libdir}/python%{python_version}/idlelib/ + for file in *.def ; do + mv $file %{buildroot}%{_sysconfdir}/%{idle_name}/ + ln -sf /etc/%{idle_name}/$file %{buildroot}/%{_libdir}/python%{python_version}/idlelib/ + done +) + +# Install .desktop, mime and appdata files from upstream tarball +%if 0%{?suse_version} >= 1500 +install -Dm0644 %{SOURCE50} %{buildroot}/%{_datadir}/mime/packages/idle.appdata.xml +%endif +install -D -m 0644 Lib/idlelib/Icons/idle_16.png %{buildroot}%{_datadir}/icons/hicolor/16x16/apps/idle.png +install -D -m 0644 Lib/idlelib/Icons/idle_32.png %{buildroot}%{_datadir}/icons/hicolor/32x32/apps/idle.png +install -D -m 0644 Lib/idlelib/Icons/idle_48.png %{buildroot}%{_datadir}/icons/hicolor/48x48/apps/idle.png +desktop-file-install --dir=%{buildroot}%{_datadir}/applications %{SOURCE51} + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files idle +%defattr(644, root, root, 755) +%dir %{_sysconfdir}/%{idle_name} +%config %{_sysconfdir}/%{idle_name}/* +%doc Lib/idlelib/NEWS.txt +%doc Lib/idlelib/README.txt +%doc Lib/idlelib/TODO.txt +%doc Lib/idlelib/extend.txt +%doc Lib/idlelib/ChangeLog +%{_libdir}/python%{python_version}/idlelib +%attr(755, root, root) %{_bindir}/%{idle_name} +%if 0%{?suse_version} >= 1500 +%{_datadir}/mime/packages/idle.appdata.xml +%endif +%{_datadir}/applications/idle.desktop +%{_datadir}/icons/hicolor/*/apps/idle.png + 
+%files demo +%defattr(644, root, root, 755) +%doc %{_docdir}/%{name}/Demo +%doc %{_docdir}/%{name}/Tools + +%files tk +%defattr(644, root, root, 755) +%{_libdir}/python%{python_version}/lib-tk/ +%{_libdir}/python%{python_version}/lib-dynload/_tkinter.so + +%files curses +%defattr(644, root, root, 755) +%{_libdir}/python%{python_version}/curses +%{_libdir}/python%{python_version}/lib-dynload/_curses.so +%{_libdir}/python%{python_version}/lib-dynload/_curses_panel.so + +%files gdbm +%defattr(644, root, root, 755) +%{_libdir}/python%{python_version}/lib-dynload/gdbm.so +%{_libdir}/python%{python_version}/lib-dynload/dbm.so + +%if %{suse_version} == 1315 && !0%{?is_opensuse} +%files strict-tls-check +%defattr(644, root, root, 755) +%{_libdir}/python%{python_version}/sle_tls_checks_policy.py* +%endif + +%files +%defattr(644, root, root, 755) +%dir %{_docdir}/%{name} +%doc %{_docdir}/%{name}/README +%doc %{_docdir}/%{name}/LICENSE +%doc %{_docdir}/%{name}/README.SUSE +%dir %{_libdir}/python%{python_version} +%{_libdir}/python%{python_version}/ssl.py* +%{_libdir}/python%{python_version}/bsddb +%{_libdir}/python%{python_version}/sqlite3 +%dir %{_libdir}/python%{python_version}/lib-dynload +%{_libdir}/python%{python_version}/lib-dynload/_bsddb.so +%{_libdir}/python%{python_version}/lib-dynload/_hashlib.so +%{_libdir}/python%{python_version}/lib-dynload/_sqlite3.so +%{_libdir}/python%{python_version}/lib-dynload/_ssl.so +%{_libdir}/python%{python_version}/lib-dynload/readline.so + +%changelog diff --git a/recursion.tar b/recursion.tar new file mode 100644 index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4 GIT binary patch literal 516 zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e I1_}|j06>QaCIA2c literal 0 HcmV?d00001 diff --git a/remove-static-libpython.patch b/remove-static-libpython.patch new file mode 100644 index 0000000..8a4e6c0 --- /dev/null +++ b/remove-static-libpython.patch 
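Review bot: In `%prep`, `%patch34` (described in its own comment as disabling SSL verification by default in http clients) is applied for `%{suse_version} < 1500 && !0%{?is_opensuse}`, while the `strict-tls-check` subpackage and the `cp %{SOURCE8} Lib/` step exist only for `%{suse_version} == 1315 && !0%{?is_opensuse}`. A non-openSUSE target below 1500 other than 1315 would presumably build with certificate verification off and no package that turns it back on; the patch body is not visible here, so confirm this against it. I would guard `%patch34 -p1` with the same `%if %{suse_version} == 1315 && !0%{?is_opensuse}`. The COMMON-PATCH block says to edit python-base.spec instead, so the change belongs there. Because `Recommends: python-strict-tls-check` leaves the verifying policy optional, the main `%description` should also state that TLS verification is off on those targets unless that package is installed.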
@@ -0,0 +1,53 @@
+---
+ Makefile.pre.in | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
+--- a/Makefile.pre.in
++++ b/Makefile.pre.in
+@@ -488,7 +488,7 @@ coverage-report: regen-grammar
+
+
+ # Build the interpreter
+-$(BUILDPYTHON): Modules/python.o $(LIBRARY) $(LDLIBRARY)
++$(BUILDPYTHON): Modules/python.o $(LDLIBRARY)
+ $(LINKCC) $(LDFLAGS) $(LINKFORSHARED) -o $@ \
+ Modules/python.o \
+ $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST)
+@@ -529,18 +529,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.tx
+ _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \
+ $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build
+
+-# Build static library
+-# avoid long command lines, same as LIBRARY_OBJS
+-$(LIBRARY): $(LIBRARY_OBJS)
+- -rm -f $@
+- $(AR) $(ARFLAGS) $@ Modules/getbuildinfo.o
+- $(AR) $(ARFLAGS) $@ $(PARSER_OBJS)
+- $(AR) $(ARFLAGS) $@ $(OBJECT_OBJS)
+- $(AR) $(ARFLAGS) $@ $(PYTHON_OBJS)
+- $(AR) $(ARFLAGS) $@ $(MODULE_OBJS) $(SIGNAL_OBJS)
+- $(AR) $(ARFLAGS) $@ $(MODOBJS)
+- $(RANLIB) $@
+-
+ libpython$(VERSION).so: $(LIBRARY_OBJS)
+ if test $(INSTSONAME) != $(LDLIBRARY); then \
+ $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \
+@@ -1226,18 +1214,6 @@ libainstall: @DEF_MAKE_RULE@ python-conf
+ else true; \
+ fi; \
+ done
+- @if test -d $(LIBRARY); then :; else \
+- if test "$(PYTHONFRAMEWORKDIR)" = no-framework; then \
+- if test "$(SO)" = .dll; then \
+- $(INSTALL_DATA) $(LDLIBRARY) $(DESTDIR)$(LIBPL) ; \
+- else \
+- $(INSTALL_DATA) $(LIBRARY) $(DESTDIR)$(LIBPL)/$(LIBRARY) ; \
+- $(RANLIB) $(DESTDIR)$(LIBPL)/$(LIBRARY) ; \
+- fi; \
+- else \
+- echo Skip install of $(LIBRARY) - use make frameworkinstall; \
+- fi; \
+- fi
+ $(INSTALL_DATA) Modules/config.c $(DESTDIR)$(LIBPL)/config.c
+ $(INSTALL_DATA) Modules/python.o $(DESTDIR)$(LIBPL)/python.o
+ $(INSTALL_DATA) $(srcdir)/Modules/config.c.in $(DESTDIR)$(LIBPL)/config.c.in
diff --git a/reproducible.patch b/reproducible.patch
new file mode 100644
index 0000000..834991f
--- /dev/null
+++ b/reproducible.patch
@@ -0,0 +1,15 @@
+Index: Python-2.7.13/Lib/py_compile.py
+===================================================================
+--- Python-2.7.13.orig/Lib/py_compile.py
++++ Python-2.7.13/Lib/py_compile.py
+@@ -108,6 +108,10 @@ def compile(file, cfile=None, dfile=None
+ timestamp = long(os.fstat(f.fileno()).st_mtime)
+ except AttributeError:
+ timestamp = long(os.stat(file).st_mtime)
++ sde = os.environ.get('SOURCE_DATE_EPOCH')
++ if sde and timestamp > int(sde):
++ timestamp = int(sde)
++ os.utime(file, (timestamp, timestamp))
+ codestring = f.read()
+ try:
+ codeobject = __builtin__.compile(codestring, dfile or file,'exec')
diff --git a/skip_unverified_test.patch b/skip_unverified_test.patch
new file mode 100644
index 0000000..ae5f28c
--- /dev/null
+++ b/skip_unverified_test.patch
@@ -0,0 +1,19 @@
+---
+ Lib/test/test_ssl.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -1344,9 +1344,9 @@ class ContextTests(unittest.TestCase):
+ extra_env = {}
+ # Omitting it leaves verification on
+ assert_python_ok("-c", https_is_verified, **extra_env)
+- # Setting it to zero turns verification off
+- extra_env[ssl._https_verify_envvar] = "0"
+- assert_python_ok("-c", https_is_not_verified, **extra_env)
++ ## # Setting it to zero turns verification off
++ ## extra_env[ssl._https_verify_envvar] = "0"
++ ## assert_python_ok("-c", https_is_not_verified, **extra_env)
+ # Any other value should also leave it on
+ for setting in ("", "1", "enabled", "foo"):
+ extra_env[ssl._https_verify_envvar] = setting
diff --git a/sle_tls_checks_policy.py b/sle_tls_checks_policy.py
new file mode 100644
index 0000000..61a372e
--- /dev/null
+++ b/sle_tls_checks_policy.py
@@ -0,0 +1,4 @@
+import ssl
+
+def get_policy():
+ return ssl.create_default_context
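Review bot: The added `os.utime(file, (timestamp, timestamp))` in the py_compile.py hunk makes compile() modify its input: it rewrites the source file's mtime, and with explicit times that call raises OSError when the caller does not own the file, so byte-compiling a read-only or root-owned tree fails whenever SOURCE_DATE_EPOCH is set and the source is newer. `int(sde)` is also evaluated twice and raises ValueError on a non-numeric value. The version below parses once and clamps the recorded timestamp only when the source mtime could be clamped too, since a .pyc whose timestamp differs from its source would be treated as stale. compile() starts and ends outside the hunk.

```python
            timestamp = long(os.stat(file).st_mtime)
        # Clamp to SOURCE_DATE_EPOCH only when the source mtime can be
        # clamped as well; otherwise the .pyc would never match its source.
        sde = os.environ.get('SOURCE_DATE_EPOCH')
        if sde:
            try:
                epoch = int(sde)
                if timestamp > epoch:
                    os.utime(file, (epoch, epoch))
                    timestamp = epoch
            except (ValueError, OSError):
                # Best effort: keep the real mtime when the value is not a
                # number or the source file cannot be touched.
                pass
        # … unchanged: codestring = f.read() and the __builtin__.compile call …
```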
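Review bot: The three `## `-prefixed lines in the test_ssl.py hunk leave dead code in the test and drop the only assertion covering a zero value of `ssl._https_verify_envvar`, so nothing pins what that setting does on this build. If the distribution changes that behaviour (presumably through one of the ssl patches in this commit, which is not visible in this hunk), assert the new expectation instead of commenting the old one out, or delete the lines outright. The embedded patch header holds only a diffstat; a line such as `Skip the https-verify-envvar "0" case: <reason and the patch that changes it>` would tell the next maintainer why a TLS verification check was disabled. The enclosing test method starts and ends outside the hunk.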
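Review bot: `get_policy()` in sle_tls_checks_policy.py returns the `ssl.create_default_context` function itself rather than a context, and neither the module nor the function has a docstring saying so or naming the consumer. The spec in this commit ships the file only in the strict-tls-check subpackage, so its presence appears to be what selects the verifying HTTPS default; that should be stated in the file. I would add a module docstring such as `"""Policy hook shipped by the strict-tls-check subpackage."""` and, on the function, `"""Return the factory used to build default HTTPS contexts (certificate and hostname checks on)."""`.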
diff --git a/sparc_longdouble.patch b/sparc_longdouble.patch
new file mode 100644
index 0000000..6bcef4e
--- /dev/null
+++ b/sparc_longdouble.patch
@@ -0,0 +1,21 @@
+Python ticket 6029
+
+==== //tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c#1 - /home/build/clifford/gpdb/tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c ====
+---
+ Modules/_ctypes/libffi/src/sparc/ffi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/Modules/_ctypes/libffi/src/sparc/ffi.c
++++ b/Modules/_ctypes/libffi/src/sparc/ffi.c
+@@ -652,6 +652,11 @@
+ }
+ else
+ {
++#if FFI_TYPE_LONGDOUBLE != FFI_TYPE_DOUBLE
++ /* SparcV9 long double is 16-byte aligned; skip arg if necessary */
++ if (arg_types[i]->type == FFI_TYPE_LONGDOUBLE && (argn & 1))
++ argn++;
++#endif
+ /* Right-justify. */
+ argn += ALIGN(arg_types[i]->size, FFI_SIZEOF_ARG) / FFI_SIZEOF_ARG;
+
diff --git a/sphinx-update-removed-function.patch b/sphinx-update-removed-function.patch
new file mode 100644
index 0000000..c5ebaba
--- /dev/null
+++ b/sphinx-update-removed-function.patch
@@ -0,0 +1,40 @@
+--- a/Doc/tools/extensions/pyspecific.py
++++ b/Doc/tools/extensions/pyspecific.py
+@@ -103,7 +103,11 @@ class ImplementationDetail(Directive):
+ # Support for documenting decorators
+
+ from sphinx import addnodes
+-from sphinx.domains.python import PyModulelevel, PyClassmember
++try:
++ from sphinx.domains.python import PyFunction, PyMethod
++except ImportError:
++ from sphinx.domains.python import PyClassmember as PyMethod
++ from sphinx.domains.python import PyModulelevel as PyFunction
+
+ class PyDecoratorMixin(object):
+ def handle_signature(self, sig, signode):
+@@ -114,16 +118,16 @@ class PyDecoratorMixin(object):
+ def needs_arglist(self):
+ return False
+
+-class PyDecoratorFunction(PyDecoratorMixin, PyModulelevel):
++class PyDecoratorFunction(PyDecoratorMixin, PyFunction):
+ def run(self):
+ # a decorator function is a function after all
+ self.name = 'py:function'
+- return PyModulelevel.run(self)
++ return PyFunction.run(self)
+
+-class PyDecoratorMethod(PyDecoratorMixin, PyClassmember):
++class PyDecoratorMethod(PyDecoratorMixin, PyMethod):
+ def run(self):
+ self.name = 'py:method'
+- return PyClassmember.run(self)
++ return PyMethod.run(self)
+
+
+ # Support for building "topic help" for pydoc
+--- /dev/null
++++ b/Misc/NEWS.d/next/Documentation/2020-09-12-17-37-13.bpo-35293._cOwPD.rst
+@@ -0,0 +1 @@
++Fix RemovedInSphinx40Warning when building the documentation. Patch by Dong-hee Na.