microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

[AUTO-CHERRYPICK] Upgrade python to 3.9.19: address CVE-2023-6597 and other security concerns - branch main (#8592) 

Co-authored-by: binujp <binujp@gmail.com>
This commit is contained in:
CBL-Mariner-Bot 2024-03-28 14:23:16 -07:00 коммит произвёл GitHub
Родитель d7b8822cb3
Коммит d838a1da58
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
12 изменённых файлов: 36 добавлений и 490 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

110
SPECS/python3/CVE-2015-20107.patch
Просмотреть файл

@ -1,110 +0,0 @@
From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 27 Apr 2022 18:17:33 +0200
Subject: [PATCH] gh-68966: Make mailcap refuse to match unsafe
filenames/types/params
---
Lib/mailcap.py | 26 ++++++++++++++++++++++++--
Lib/test/test_mailcap.py | 8 ++++++--
2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
index 856b6a55475f..cfb70edc61ec 100644
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
import os
import warnings
+import re
__all__ = ["getcaps","findmatch"]
@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
else:
return 1, 0
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+ """Warning raised when refusing unsafe input"""
+
# Part 1: top-level interface.
@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
entry to use.
"""
+ if _find_unsafe(filename):
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
entries = lookup(caps, MIMEtype, key)
# XXX This code should somehow check for the needsterminal flag.
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts
diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
index 97a8fac6e074..2ed367dba78b 100644
--- a/Lib/test/test_mailcap.py
+++ b/Lib/test/test_mailcap.py
@@ -128,7 +128,8 @@ def test_subst(self):
(["", "audio/*", "foo.txt"], ""),
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
+ (["echo %t", "audio/*", "foo.txt"], None),
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -212,7 +213,10 @@ def test_findmatch(self):
('"An audio fragment"', audio_basic_entry)),
([c, "audio/*"],
{"filename": fname},
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
+ (None, None)),
+ ([c, "audio/wav"],
+ {"filename": fname},
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
([c, "message/external-body"],
{"plist": plist},
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))

100
SPECS/python3/CVE-2022-37454.patch
Просмотреть файл

@ -1,100 +0,0 @@
From 915bdf48d9cd7aba43415f72497ec55b73f8e63a Mon Sep 17 00:00:00 2001
From: Theo Buehler <botovq@users.noreply.github.com>
Date: Fri, 21 Oct 2022 21:26:01 +0200
Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module
(GH-98519)
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
---
Lib/test/test_hashlib.py | 9 +++++++++
.../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 +
Modules/_sha3/kcp/KeccakSponge.inc | 15 ++++++++-------
3 files changed, 18 insertions(+), 7 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index f845c7a76e7c..bc11a8d8986b 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -497,6 +497,15 @@ def test_case_md5_huge(self, size):
def test_case_md5_uintmax(self, size):
self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
+ def test_sha3_update_overflow(self, size):
+ """Regression test for gh-98517 CVE-2022-37454."""
+ h = hashlib.sha3_224()
+ h.update(b'\x01')
+ h.update(b'\x01'*0xffff_ffff)
+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
+
# use the three examples from Federal Information Processing Standards
# Publication 180-1, Secure Hash Standard, 1995 April 17
# http://www.itl.nist.gov/div897/pubs/fip180-1.htm
diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
new file mode 100644
index 000000000000..2d23a6ad93c7
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
@@ -0,0 +1 @@
+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
index e10739deafa8..cf92e4db4d36 100644
--- a/Modules/_sha3/kcp/KeccakSponge.inc
+++ b/Modules/_sha3/kcp/KeccakSponge.inc
@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
#ifdef SnP_FastLoop_Absorb
/* processing full blocks first */
@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
}
else {
/* normal lane: using the message queue */
-
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
#ifdef KeccakReference
displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
#endif
@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
SnP_Permute(instance->state);
SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
SnP_Permute(instance->state);
instance->byteIOIndex = 0;
}
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
i += partialBlock;
SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);

64
SPECS/python3/CVE-2022-42919.patch
Просмотреть файл

@ -1,64 +0,0 @@
From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Thu, 20 Oct 2022 15:30:09 -0700
Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
multiprocessing (GH-98501)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/multiprocessing/connection.py | 5 -----
.../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
2 files changed, 15 insertions(+), 5 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
index 510e4b5aba44..8e2facf92a94 100644
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -73,11 +73,6 @@ def arbitrary_address(family):
if family == 'AF_INET':
return ('localhost', 0)
elif family == 'AF_UNIX':
- # Prefer abstract sockets if possible to avoid problems with the address
- # size. When coding portable applications, some implementations have
- # sun_path as short as 92 bytes in the sockaddr_un struct.
- if util.abstract_sockets_supported:
- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
elif family == 'AF_PIPE':
return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
new file mode 100644
index 000000000000..02d95b570520
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -0,0 +1,15 @@
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
+unix domain sockets for communication with the *forkserver* process instead of
+the Linux abstract socket namespace. Only code that chooses to use the
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
+
+Abstract sockets have no permissions and could allow any user on the system in
+the same `network namespace
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
+whole system) to inject code into the multiprocessing *forkserver* process.
+This was a potential privilege escalation. Filesystem based socket permissions
+restrict this to the *forkserver* process user as was the default in Python 3.8
+and earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.

95
SPECS/python3/CVE-2022-45061.patch
Просмотреть файл

@ -1,95 +0,0 @@
From da895b639cdbee774cd4b235a055b04299de3487 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 7 Nov 2022 18:57:10 -0800
Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
(GH-99222)
There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/encodings/idna.py | 32 +++++++++----------
Lib/test/test_codecs.py | 6 ++++
...2-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 ++++
3 files changed, 27 insertions(+), 17 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py
index ea4058512fe3..bf98f513366b 100644
--- a/Lib/encodings/idna.py
+++ b/Lib/encodings/idna.py
@@ -39,23 +39,21 @@ def nameprep(label):
# Check bidi
RandAL = [stringprep.in_table_d1(x) for x in label]
- for c in RandAL:
- if c:
- # There is a RandAL char in the string. Must perform further
- # tests:
- # 1) The characters in section 5.8 MUST be prohibited.
- # This is table C.8, which was already checked
- # 2) If a string contains any RandALCat character, the string
- # MUST NOT contain any LCat character.
- if any(stringprep.in_table_d2(x) for x in label):
- raise UnicodeError("Violation of BIDI requirement 2")
-
- # 3) If a string contains any RandALCat character, a
- # RandALCat character MUST be the first character of the
- # string, and a RandALCat character MUST be the last
- # character of the string.
- if not RandAL[0] or not RandAL[-1]:
- raise UnicodeError("Violation of BIDI requirement 3")
+ if any(RandAL):
+ # There is a RandAL char in the string. Must perform further
+ # tests:
+ # 1) The characters in section 5.8 MUST be prohibited.
+ # This is table C.8, which was already checked
+ # 2) If a string contains any RandALCat character, the string
+ # MUST NOT contain any LCat character.
+ if any(stringprep.in_table_d2(x) for x in label):
+ raise UnicodeError("Violation of BIDI requirement 2")
+ # 3) If a string contains any RandALCat character, a
+ # RandALCat character MUST be the first character of the
+ # string, and a RandALCat character MUST be the last
+ # character of the string.
+ if not RandAL[0] or not RandAL[-1]:
+ raise UnicodeError("Violation of BIDI requirement 3")
return label
diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py
index fc50e70df24b..3520cc00a1a4 100644
--- a/Lib/test/test_codecs.py
+++ b/Lib/test/test_codecs.py
@@ -1532,6 +1532,12 @@ def test_builtin_encode(self):
self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
+ def test_builtin_decode_length_limit(self):
+ with self.assertRaisesRegex(UnicodeError, "too long"):
+ (b"xn--016c"+b"a"*1100).decode("idna")
+ with self.assertRaisesRegex(UnicodeError, "too long"):
+ (b"xn--016c"+b"a"*70).decode("idna")
+
def test_stream(self):
r = codecs.getreader("idna")(io.BytesIO(b"abc"))
r.read(3)
diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
new file mode 100644
index 000000000000..5185fac2e29d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
@@ -0,0 +1,6 @@
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
+related name resolution functions no longer involves a quadratic algorithm.
+This prevents a potential CPU denial of service if an out-of-spec excessive
+length hostname involving bidirectional characters were decoded. Some protocols
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
+to supply such a name.

78
SPECS/python3/CVE-2023-24329.patch
Просмотреть файл

@ -1,78 +0,0 @@
From 141aadcb6e6c1c8ecc850847049002fed4475030 Mon Sep 17 00:00:00 2001
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Date: Sat, 12 Nov 2022 15:43:33 -0500
Subject: [PATCH 1/2] Modify upstream patch to work with CBL-Mariner for
CVE-2023-24329. Modified by Amrita Kohli <amritakohli@microsoft.com>
---
Lib/test/test_urlparse.py | 18 ++++++++++++++++++
Lib/urllib/parse.py | 2 +-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 31943f3..f42ed9b 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase):
with self.assertRaises(ValueError):
p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if url.isascii():
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index b7965fe..bd59852 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
clear_cache()
netloc = query = fragment = ''
i = url.find(':')
- if i > 0:
+ if i > 0 and url[0].isascii() and url[0].isalpha():
for c in url[:i]:
if c not in scheme_chars:
break
--
2.34.1
From de2b58d3b30095440a30fcb72d595b434b351532 Mon Sep 17 00:00:00 2001
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Date: Sat, 12 Nov 2022 15:46:31 -0500
Subject: [PATCH 2/2] gh-99418: Prevent urllib.parse.urlparse from accepting
schemes that don't begin with an alphabetical ASCII character.
---
.../next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
new file mode 100644
index 0000000..0a06e7c
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--
2.34.1

2
SPECS/python3/python3.signatures.json
Просмотреть файл

@ -1,5 +1,5 @@
{
"Signatures": {
"Python-3.9.14.tar.xz": "651304d216c8203fe0adf1a80af472d8e92c3b0e0a7892222ae4d9f3ae4debcf"
"Python-3.9.19.tar.xz": "d4892cd1618f6458cb851208c030df1482779609d0f3939991bd38184f8c679e"
}
}

21
SPECS/python3/python3.spec
Просмотреть файл

@ -6,13 +6,13 @@
%global majmin 3.9
%global majmin_nodots 39
# See Lib/ensurepip/__init__.py in Source0 for these version numbers
%global pip_version 22.0.4
%global pip_version 23.0.1
%global setuptools_version 58.1.0
Summary: A high-level scripting language
Name: python3
Version: 3.9.14
Release: 8%{?dist}
Version: 3.9.19
Release: 1%{?dist}
License: PSF
Vendor: Microsoft Corporation
Distribution: Mariner
@ -20,13 +20,8 @@ Group: System Environment/Programming
URL: https://www.python.org/
Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.tar.xz
Patch0: cgi3.patch
Patch1: CVE-2015-20107.patch
# Backport https://github.com/python/cpython/commit/069fefdaf42490f1e00243614fb5f3d5d2614b81 from 3.10 to 3.9
Patch2: 0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
Patch3: CVE-2022-37454.patch
Patch4: CVE-2022-45061.patch
Patch5: CVE-2022-42919.patch
Patch6: CVE-2023-24329.patch
Patch1: 0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
# Patch for setuptools, resolved in 65.5.1
Patch1000: CVE-2022-40897.patch
@ -165,11 +160,6 @@ The test package contains all regression tests for Python as well as the modules
# We use the CI to validate the toolchain manifests, which means we need to parse this .spec file
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%build
# Remove GCC specs and build environment linker scripts
@ -323,6 +313,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
%{_libdir}/python%{majmin}/test/*
%changelog
* Fri Mar 22 2024 Binu Philip <bphilip@microsoft.com> - 3.9.19-1
- Upgrade to python 3.9.19 for CVE-2023-6597 and other security fixes
* Wed Oct 11 2023 Amrita Kohli <amritakohli@microsoft.com> - 3.9.14-8
- Patch for CVE-2023-24329

4
cgmanifest.json
Просмотреть файл

@ -25134,8 +25134,8 @@
"type": "other",
"other": {
"name": "python3",
"version": "3.9.14",
"downloadUrl": "https://www.python.org/ftp/python/3.9.14/Python-3.9.14.tar.xz"
"version": "3.9.19",
"downloadUrl": "https://www.python.org/ftp/python/3.9.19/Python-3.9.19.tar.xz"
}
}
},

8
toolkit/resources/manifests/package/pkggen_core_aarch64.txt
Просмотреть файл

@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-15.cm2.noarch.rpm
ca-certificates-2.0.0-15.cm2.noarch.rpm
dwz-0.14-2.cm2.aarch64.rpm
unzip-6.0-20.cm2.aarch64.rpm
python3-3.9.14-8.cm2.aarch64.rpm
python3-devel-3.9.14-8.cm2.aarch64.rpm
python3-libs-3.9.14-8.cm2.aarch64.rpm
python3-setuptools-3.9.14-8.cm2.noarch.rpm
python3-3.9.19-1.cm2.aarch64.rpm
python3-devel-3.9.19-1.cm2.aarch64.rpm
python3-libs-3.9.19-1.cm2.aarch64.rpm
python3-setuptools-3.9.19-1.cm2.noarch.rpm
python3-pygments-2.4.2-7.cm2.noarch.rpm
which-2.21-8.cm2.aarch64.rpm
libselinux-3.2-1.cm2.aarch64.rpm

8
toolkit/resources/manifests/package/pkggen_core_x86_64.txt
Просмотреть файл

@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-15.cm2.noarch.rpm
ca-certificates-2.0.0-15.cm2.noarch.rpm
dwz-0.14-2.cm2.x86_64.rpm
unzip-6.0-20.cm2.x86_64.rpm
python3-3.9.14-8.cm2.x86_64.rpm
python3-devel-3.9.14-8.cm2.x86_64.rpm
python3-libs-3.9.14-8.cm2.x86_64.rpm
python3-setuptools-3.9.14-8.cm2.noarch.rpm
python3-3.9.19-1.cm2.x86_64.rpm
python3-devel-3.9.19-1.cm2.x86_64.rpm
python3-libs-3.9.19-1.cm2.x86_64.rpm
python3-setuptools-3.9.19-1.cm2.noarch.rpm
python3-pygments-2.4.2-7.cm2.noarch.rpm
which-2.21-8.cm2.x86_64.rpm
libselinux-3.2-1.cm2.x86_64.rpm

18
toolkit/resources/manifests/package/toolchain_aarch64.txt
Просмотреть файл

@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
python3-3.9.14-8.cm2.aarch64.rpm
python3-3.9.19-1.cm2.aarch64.rpm
python3-audit-3.0.6-8.cm2.aarch64.rpm
python3-cracklib-2.9.7-5.cm2.aarch64.rpm
python3-curses-3.9.14-8.cm2.aarch64.rpm
python3-curses-3.9.19-1.cm2.aarch64.rpm
python3-Cython-0.29.33-2.cm2.aarch64.rpm
python3-debuginfo-3.9.14-8.cm2.aarch64.rpm
python3-devel-3.9.14-8.cm2.aarch64.rpm
python3-debuginfo-3.9.19-1.cm2.aarch64.rpm
python3-devel-3.9.19-1.cm2.aarch64.rpm
python3-gpg-1.16.0-2.cm2.aarch64.rpm
python3-jinja2-3.0.3-3.cm2.noarch.rpm
python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
python3-libs-3.9.14-8.cm2.aarch64.rpm
python3-libs-3.9.19-1.cm2.aarch64.rpm
python3-libxml2-2.10.4-2.cm2.aarch64.rpm
python3-lxml-4.9.1-1.cm2.aarch64.rpm
python3-magic-5.40-2.cm2.noarch.rpm
python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
python3-newt-0.52.21-5.cm2.aarch64.rpm
python3-pip-3.9.14-8.cm2.noarch.rpm
python3-pip-3.9.19-1.cm2.noarch.rpm
python3-pygments-2.4.2-7.cm2.noarch.rpm
python3-rpm-4.18.0-4.cm2.aarch64.rpm
python3-setuptools-3.9.14-8.cm2.noarch.rpm
python3-test-3.9.14-8.cm2.aarch64.rpm
python3-tools-3.9.14-8.cm2.aarch64.rpm
python3-setuptools-3.9.19-1.cm2.noarch.rpm
python3-test-3.9.19-1.cm2.aarch64.rpm
python3-tools-3.9.19-1.cm2.aarch64.rpm
readline-8.1-1.cm2.aarch64.rpm
readline-debuginfo-8.1-1.cm2.aarch64.rpm
readline-devel-8.1-1.cm2.aarch64.rpm

18
toolkit/resources/manifests/package/toolchain_x86_64.txt
Просмотреть файл

@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
python3-3.9.14-8.cm2.x86_64.rpm
python3-3.9.19-1.cm2.x86_64.rpm
python3-audit-3.0.6-8.cm2.x86_64.rpm
python3-cracklib-2.9.7-5.cm2.x86_64.rpm
python3-curses-3.9.14-8.cm2.x86_64.rpm
python3-curses-3.9.19-1.cm2.x86_64.rpm
python3-Cython-0.29.33-2.cm2.x86_64.rpm
python3-debuginfo-3.9.14-8.cm2.x86_64.rpm
python3-devel-3.9.14-8.cm2.x86_64.rpm
python3-debuginfo-3.9.19-1.cm2.x86_64.rpm
python3-devel-3.9.19-1.cm2.x86_64.rpm
python3-gpg-1.16.0-2.cm2.x86_64.rpm
python3-jinja2-3.0.3-3.cm2.noarch.rpm
python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
python3-libs-3.9.14-8.cm2.x86_64.rpm
python3-libs-3.9.19-1.cm2.x86_64.rpm
python3-libxml2-2.10.4-2.cm2.x86_64.rpm
python3-lxml-4.9.1-1.cm2.x86_64.rpm
python3-magic-5.40-2.cm2.noarch.rpm
python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
python3-newt-0.52.21-5.cm2.x86_64.rpm
python3-pip-3.9.14-8.cm2.noarch.rpm
python3-pip-3.9.19-1.cm2.noarch.rpm
python3-pygments-2.4.2-7.cm2.noarch.rpm
python3-rpm-4.18.0-4.cm2.x86_64.rpm
python3-setuptools-3.9.14-8.cm2.noarch.rpm
python3-test-3.9.14-8.cm2.x86_64.rpm
python3-tools-3.9.14-8.cm2.x86_64.rpm
python3-setuptools-3.9.19-1.cm2.noarch.rpm
python3-test-3.9.19-1.cm2.x86_64.rpm
python3-tools-3.9.19-1.cm2.x86_64.rpm
readline-8.1-1.cm2.x86_64.rpm
readline-debuginfo-8.1-1.cm2.x86_64.rpm
readline-devel-8.1-1.cm2.x86_64.rpm