From d838a1da58eb87ba9ede59e1d04d15394b4b9d7f Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Thu, 28 Mar 2024 14:23:16 -0700
Subject: [PATCH] [AUTO-CHERRYPICK] Upgrade python to 3.9.19: address CVE-2023-6597 and other security concerns - branch main (#8592)
Co-authored-by: binujp
---
 SPECS/python3/CVE-2015-20107.patch | 110 ------------------
 SPECS/python3/CVE-2022-37454.patch | 100 ----------------
 SPECS/python3/CVE-2022-42919.patch | 64 ----------
 SPECS/python3/CVE-2022-45061.patch | 95 ---------------
 SPECS/python3/CVE-2023-24329.patch | 78 -------------
 SPECS/python3/python3.signatures.json | 2 +-
 SPECS/python3/python3.spec | 21 ++--
 cgmanifest.json | 4 +-
 .../manifests/package/pkggen_core_aarch64.txt | 8 +-
 .../manifests/package/pkggen_core_x86_64.txt | 8 +-
 .../manifests/package/toolchain_aarch64.txt | 18 +--
 .../manifests/package/toolchain_x86_64.txt | 18 +--
 12 files changed, 36 insertions(+), 490 deletions(-)
 delete mode 100644 SPECS/python3/CVE-2015-20107.patch
 delete mode 100644 SPECS/python3/CVE-2022-37454.patch
 delete mode 100644 SPECS/python3/CVE-2022-42919.patch
 delete mode 100644 SPECS/python3/CVE-2022-45061.patch
 delete mode 100644 SPECS/python3/CVE-2023-24329.patch
diff --git a/SPECS/python3/CVE-2015-20107.patch b/SPECS/python3/CVE-2015-20107.patch
deleted file mode 100644
index df72b1579d..0000000000
--- a/SPECS/python3/CVE-2015-20107.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Wed, 27 Apr 2022 18:17:33 +0200 -Subject: [PATCH] gh-68966: Make mailcap refuse to match unsafe - filenames/types/params - ---- - Lib/mailcap.py | 26 ++++++++++++++++++++++++-- - Lib/test/test_mailcap.py | 8 ++++++-- - 2 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/Lib/mailcap.py b/Lib/mailcap.py -index 856b6a55475f..cfb70edc61ec 100644 ---- a/Lib/mailcap.py -+++ b/Lib/mailcap.py -@@ -2,6 +2,7 @@ - - import os - import warnings -+import re - - __all__ = ["getcaps","findmatch"] - -@@ -19,6 +20,11 @@ def lineno_sort_key(entry): - else: - return 1, 0 - -+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search -+ -+class UnsafeMailcapInput(Warning): -+ """Warning raised when refusing unsafe input""" -+ - - # Part 1: top-level interface. - -@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): - entry to use. - - """ -+ if _find_unsafe(filename): -+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None, None - entries = lookup(caps, MIMEtype, key) - # XXX This code should somehow check for the needsterminal flag. - for e in entries: - if 'test' in e: - test = subst(e['test'], filename, plist) -+ if test is None: -+ continue - if test and os.system(test) != 0: - continue - command = subst(e[key], MIMEtype, filename, plist) -- return command, e -+ if command is not None: -+ return command, e - return None, None - - def lookup(caps, MIMEtype, key=None): -@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]): - elif c == 's': - res = res + filename - elif c == 't': -+ if _find_unsafe(MIMEtype): -+ msg = "Refusing to substitute MIME type %r into a shell command." 
% (MIMEtype,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None - res = res + MIMEtype - elif c == '{': - start = i -@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]): - i = i+1 - name = field[start:i] - i = i+1 -- res = res + findparam(name, plist) -+ param = findparam(name, plist) -+ if _find_unsafe(param): -+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None -+ res = res + param - # XXX To do: - # %n == number of parts if type is multipart/* - # %F == list of alternating type and filename for parts -diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py -index 97a8fac6e074..2ed367dba78b 100644 ---- a/Lib/test/test_mailcap.py -+++ b/Lib/test/test_mailcap.py -@@ -128,7 +128,8 @@ def test_subst(self): - (["", "audio/*", "foo.txt"], ""), - (["echo foo", "audio/*", "foo.txt"], "echo foo"), - (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), -- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), -+ (["echo %t", "audio/*", "foo.txt"], None), -+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), - (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), - (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), - (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") -@@ -212,7 +213,10 @@ def test_findmatch(self): - ('"An audio fragment"', audio_basic_entry)), - ([c, "audio/*"], - {"filename": fname}, -- ("/usr/local/bin/showaudio audio/*", audio_entry)), -+ (None, None)), -+ ([c, "audio/wav"], -+ {"filename": fname}, -+ ("/usr/local/bin/showaudio audio/wav", audio_entry)), - ([c, "message/external-body"], - {"plist": plist}, - ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) diff --git a/SPECS/python3/CVE-2022-37454.patch b/SPECS/python3/CVE-2022-37454.patch deleted file mode 100644 index 1cde1454d7..0000000000 --- a/SPECS/python3/CVE-2022-37454.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 915bdf48d9cd7aba43415f72497ec55b73f8e63a Mon Sep 17 00:00:00 2001 -From: Theo Buehler -Date: Fri, 21 Oct 2022 21:26:01 +0200 -Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module - (GH-98519) - -This is a port of the applicable part of XKCP's fix [1] for -CVE-2022-37454 and avoids the segmentation fault and the infinite -loop in the test cases published in [2]. - -[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a -[2]: https://mouha.be/sha-3-buffer-overflow/ - -Regression test added by: Gregory P. Smith [Google LLC] -(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) - -Co-authored-by: Theo Buehler ---- - Lib/test/test_hashlib.py | 9 +++++++++ - .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 + - Modules/_sha3/kcp/KeccakSponge.inc | 15 ++++++++------- - 3 files changed, 18 insertions(+), 7 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst - -diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index f845c7a76e7c..bc11a8d8986b 100644 ---- a/Lib/test/test_hashlib.py -+++ b/Lib/test/test_hashlib.py -@@ -497,6 +497,15 @@ def test_case_md5_huge(self, size): - def test_case_md5_uintmax(self, size): - self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') - -+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') -+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) -+ def test_sha3_update_overflow(self, size): -+ """Regression test for gh-98517 CVE-2022-37454.""" -+ h = hashlib.sha3_224() -+ h.update(b'\x01') -+ h.update(b'\x01'*0xffff_ffff) -+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') -+ - # use the three examples from Federal Information Processing Standards - # Publication 180-1, Secure Hash Standard, 1995 April 17 - # http://www.itl.nist.gov/div897/pubs/fip180-1.htm -diff --git 
a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst -new file mode 100644 -index 000000000000..2d23a6ad93c7 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst -@@ -0,0 +1 @@ -+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). -diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc -index e10739deafa8..cf92e4db4d36 100644 ---- a/Modules/_sha3/kcp/KeccakSponge.inc -+++ b/Modules/_sha3/kcp/KeccakSponge.inc -@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { - #ifdef SnP_FastLoop_Absorb - /* processing full blocks first */ - -@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - } - else { - /* normal lane: using the message queue */ -- -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif -@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); -@@ 
-299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); diff --git a/SPECS/python3/CVE-2022-42919.patch b/SPECS/python3/CVE-2022-42919.patch deleted file mode 100644 index 0e67857009..0000000000 --- a/SPECS/python3/CVE-2022-42919.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001 -From: "Gregory P. Smith" -Date: Thu, 20 Oct 2022 15:30:09 -0700 -Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for - multiprocessing (GH-98501) - -Linux abstract sockets are insecure as they lack any form of filesystem -permissions so their use allows anyone on the system to inject code into -the process. - -This removes the default preference for abstract sockets in -multiprocessing introduced in Python 3.9+ via -https://github.com/python/cpython/pull/18866 while fixing -https://github.com/python/cpython/issues/84031. - -Explicit use of an abstract socket by a user now generates a -RuntimeWarning. If we choose to keep this warning, it should be -backported to the 3.7 and 3.8 branches. -(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) - -Co-authored-by: Gregory P. Smith ---- - Lib/multiprocessing/connection.py | 5 ----- - .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++ - 2 files changed, 15 insertions(+), 5 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst - -diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py -index 510e4b5aba44..8e2facf92a94 100644 ---- a/Lib/multiprocessing/connection.py -+++ b/Lib/multiprocessing/connection.py -@@ -73,11 +73,6 @@ def arbitrary_address(family): - if family == 'AF_INET': - return ('localhost', 0) - elif family == 'AF_UNIX': -- # Prefer abstract sockets if possible to avoid problems with the address -- # size. When coding portable applications, some implementations have -- # sun_path as short as 92 bytes in the sockaddr_un struct. 
-- if util.abstract_sockets_supported: -- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}" - return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir()) - elif family == 'AF_PIPE': - return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' % -diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst -new file mode 100644 -index 000000000000..02d95b570520 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst -@@ -0,0 +1,15 @@ -+On Linux the :mod:`multiprocessing` module returns to using filesystem backed -+unix domain sockets for communication with the *forkserver* process instead of -+the Linux abstract socket namespace. Only code that chooses to use the -+:ref:`"forkserver" start method ` is affected. -+ -+Abstract sockets have no permissions and could allow any user on the system in -+the same `network namespace -+`_ (often the -+whole system) to inject code into the multiprocessing *forkserver* process. -+This was a potential privilege escalation. Filesystem based socket permissions -+restrict this to the *forkserver* process user as was the default in Python 3.8 -+and earlier. -+ -+This prevents Linux `CVE-2022-42919 -+`_. diff --git a/SPECS/python3/CVE-2022-45061.patch b/SPECS/python3/CVE-2022-45061.patch deleted file mode 100644 index 7b906fbf57..0000000000 --- a/SPECS/python3/CVE-2022-45061.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From da895b639cdbee774cd4b235a055b04299de3487 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 7 Nov 2022 18:57:10 -0800 -Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) - (GH-99222) - -There was an unnecessary quadratic loop in idna decoding. This restores -the behavior to linear. - -(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) - -(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) - -Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> -Co-authored-by: Gregory P. Smith ---- - Lib/encodings/idna.py | 32 +++++++++---------- - Lib/test/test_codecs.py | 6 ++++ - ...2-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 ++++ - 3 files changed, 27 insertions(+), 17 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst - -diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py -index ea4058512fe3..bf98f513366b 100644 ---- a/Lib/encodings/idna.py -+++ b/Lib/encodings/idna.py -@@ -39,23 +39,21 @@ def nameprep(label): - - # Check bidi - RandAL = [stringprep.in_table_d1(x) for x in label] -- for c in RandAL: -- if c: -- # There is a RandAL char in the string. Must perform further -- # tests: -- # 1) The characters in section 5.8 MUST be prohibited. -- # This is table C.8, which was already checked -- # 2) If a string contains any RandALCat character, the string -- # MUST NOT contain any LCat character. -- if any(stringprep.in_table_d2(x) for x in label): -- raise UnicodeError("Violation of BIDI requirement 2") -- -- # 3) If a string contains any RandALCat character, a -- # RandALCat character MUST be the first character of the -- # string, and a RandALCat character MUST be the last -- # character of the string. 
-- if not RandAL[0] or not RandAL[-1]: -- raise UnicodeError("Violation of BIDI requirement 3") -+ if any(RandAL): -+ # There is a RandAL char in the string. Must perform further -+ # tests: -+ # 1) The characters in section 5.8 MUST be prohibited. -+ # This is table C.8, which was already checked -+ # 2) If a string contains any RandALCat character, the string -+ # MUST NOT contain any LCat character. -+ if any(stringprep.in_table_d2(x) for x in label): -+ raise UnicodeError("Violation of BIDI requirement 2") -+ # 3) If a string contains any RandALCat character, a -+ # RandALCat character MUST be the first character of the -+ # string, and a RandALCat character MUST be the last -+ # character of the string. -+ if not RandAL[0] or not RandAL[-1]: -+ raise UnicodeError("Violation of BIDI requirement 3") - - return label - -diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py -index fc50e70df24b..3520cc00a1a4 100644 ---- a/Lib/test/test_codecs.py -+++ b/Lib/test/test_codecs.py -@@ -1532,6 +1532,12 @@ def test_builtin_encode(self): - self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org") - self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.") - -+ def test_builtin_decode_length_limit(self): -+ with self.assertRaisesRegex(UnicodeError, "too long"): -+ (b"xn--016c"+b"a"*1100).decode("idna") -+ with self.assertRaisesRegex(UnicodeError, "too long"): -+ (b"xn--016c"+b"a"*70).decode("idna") -+ - def test_stream(self): - r = codecs.getreader("idna")(io.BytesIO(b"abc")) - r.read(3) -diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst -new file mode 100644 -index 000000000000..5185fac2e29d ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst -@@ -0,0 +1,6 @@ -+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` -+related name resolution functions no longer 
involves a quadratic algorithm. -+This prevents a potential CPU denial of service if an out-of-spec excessive -+length hostname involving bidirectional characters were decoded. Some protocols -+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker -+to supply such a name. diff --git a/SPECS/python3/CVE-2023-24329.patch b/SPECS/python3/CVE-2023-24329.patch deleted file mode 100644 index da1efcb366..0000000000 --- a/SPECS/python3/CVE-2023-24329.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 141aadcb6e6c1c8ecc850847049002fed4475030 Mon Sep 17 00:00:00 2001 -From: Ben Kallus -Date: Sat, 12 Nov 2022 15:43:33 -0500 -Subject: [PATCH 1/2] Modify upstream patch to work with CBL-Mariner for - CVE-2023-24329. Modified by Amrita Kohli - ---- - Lib/test/test_urlparse.py | 18 ++++++++++++++++++ - Lib/urllib/parse.py | 2 +- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py -index 31943f3..f42ed9b 100644 ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase): - with self.assertRaises(ValueError): - p.port - -+ def test_attributes_bad_scheme(self): -+ """Check handling of invalid schemes.""" -+ for bytes in (False, True): -+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): -+ for scheme in (".", "+", "-", "0", "http&", "६http"): -+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme): -+ url = scheme + "://www.example.net" -+ if bytes: -+ if url.isascii(): -+ url = url.encode("ascii") -+ else: -+ continue -+ p = parse(url) -+ if bytes: -+ self.assertEqual(p.scheme, b"") -+ else: -+ self.assertEqual(p.scheme, "") -+ - def test_attributes_without_netloc(self): - # This example is straight from RFC 3261. 
It looks like it - # should allow the username, hostname, and port to be filled -diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py -index b7965fe..bd59852 100644 ---- a/Lib/urllib/parse.py -+++ b/Lib/urllib/parse.py -@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True): - clear_cache() - netloc = query = fragment = '' - i = url.find(':') -- if i > 0: -+ if i > 0 and url[0].isascii() and url[0].isalpha(): - for c in url[:i]: - if c not in scheme_chars: - break --- -2.34.1 - - -From de2b58d3b30095440a30fcb72d595b434b351532 Mon Sep 17 00:00:00 2001 -From: Ben Kallus -Date: Sat, 12 Nov 2022 15:46:31 -0500 -Subject: [PATCH 2/2] gh-99418: Prevent urllib.parse.urlparse from accepting - schemes that don't begin with an alphabetical ASCII character. - ---- - .../next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ - 1 file changed, 2 insertions(+) - create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst - -diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst -new file mode 100644 -index 0000000..0a06e7c ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst -@@ -0,0 +1,2 @@ -+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin -+with a digit, a plus sign, or a minus sign to be parsed incorrectly. --- -2.34.1 diff --git a/SPECS/python3/python3.signatures.json b/SPECS/python3/python3.signatures.json index fa4af474ac..f367c9e135 100644 --- a/SPECS/python3/python3.signatures.json +++ b/SPECS/python3/python3.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "Python-3.9.14.tar.xz": "651304d216c8203fe0adf1a80af472d8e92c3b0e0a7892222ae4d9f3ae4debcf" + "Python-3.9.19.tar.xz": "d4892cd1618f6458cb851208c030df1482779609d0f3939991bd38184f8c679e" } } diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 89083e664f..2250968c9f 100644 
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -6,13 +6,13 @@
 %global majmin 3.9
 %global majmin_nodots 39
 # See Lib/ensurepip/__init__.py in Source0 for these version numbers
-%global pip_version 22.0.4
+%global pip_version 23.0.1
 %global setuptools_version 58.1.0
 
 Summary: A high-level scripting language
 Name: python3
-Version: 3.9.14
-Release: 8%{?dist}
+Version: 3.9.19
+Release: 1%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -20,13 +20,8 @@ Group: System Environment/Programming
 URL: https://www.python.org/
 Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.tar.xz
 Patch0: cgi3.patch
-Patch1: CVE-2015-20107.patch
 # Backport https://github.com/python/cpython/commit/069fefdaf42490f1e00243614fb5f3d5d2614b81 from 3.10 to 3.9
-Patch2: 0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
-Patch3: CVE-2022-37454.patch
-Patch4: CVE-2022-45061.patch
-Patch5: CVE-2022-42919.patch
-Patch6: CVE-2023-24329.patch
+Patch1: 0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
 # Patch for setuptools, resolved in 65.5.1
 Patch1000: CVE-2022-40897.patch
 
@@ -165,11 +160,6 @@ The test package contains all regression tests for Python as well as the modules
 # We use the CI to validate the toolchain manifests, which means we need to parse this .spec file
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
 
 %build
 # Remove GCC specs and build environment linker scripts
@@ -323,6 +313,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Fri Mar 22 2024 Binu Philip - 3.9.19-1
+- Upgrade to python 3.9.19 for CVE-2023-6597 and other security fixes
+
 * Wed Oct 11 2023 Amrita Kohli - 3.9.14-8
 - Patch for CVE-2023-24329
 
diff --git a/cgmanifest.json b/cgmanifest.json
index 84e370ba07..45863a556e 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
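Review bot: The Patch1–Patch6 removals in the `@@ -20,13 +20,8 @@` hunk drop five carried CVE fixes without recording, per CVE, which upstream 3.9.x change supersedes each, so the changelog line "and other security fixes" leaves the coverage claim unverifiable for auditors and CVE scanners. The dropped CVE-2023-24329.patch was a Mariner-modified gh-99418 change that rejects schemes whose first character is not an ASCII letter (see its Subject line earlier in this diff), which differs from upstream's CVE-2023-24329 fix (gh-102153, stripping leading control and space characters); it is worth confirming that 3.9.19 also carries gh-99418 before relying on the tarball alone, and hedged here because the 3.9 backport status is not visible in this diff. A changelog line such as `- Drop CVE-2015-20107, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061 and CVE-2023-24329 patches, now fixed in the upstream 3.9.19 source` would make the mapping explicit. Patch1000 (CVE-2022-40897 against the bundled setuptools) is still applied while `%global setuptools_version 58.1.0` is unchanged; confirm it still applies cleanly to the setuptools wheel shipped in the 3.9.19 tarball.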
@@ -25134,8 +25134,8 @@
 "type": "other",
 "other": {
 "name": "python3",
- "version": "3.9.14",
- "downloadUrl": "https://www.python.org/ftp/python/3.9.14/Python-3.9.14.tar.xz"
+ "version": "3.9.19",
+ "downloadUrl": "https://www.python.org/ftp/python/3.9.19/Python-3.9.19.tar.xz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 04fc297147..5d79aef795 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-15.cm2.noarch.rpm
 ca-certificates-2.0.0-15.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
-python3-3.9.14-8.cm2.aarch64.rpm
-python3-devel-3.9.14-8.cm2.aarch64.rpm
-python3-libs-3.9.14-8.cm2.aarch64.rpm
-python3-setuptools-3.9.14-8.cm2.noarch.rpm
+python3-3.9.19-1.cm2.aarch64.rpm
+python3-devel-3.9.19-1.cm2.aarch64.rpm
+python3-libs-3.9.19-1.cm2.aarch64.rpm
+python3-setuptools-3.9.19-1.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 88af938e33..b85c49b3c7 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-15.cm2.noarch.rpm
 ca-certificates-2.0.0-15.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
-python3-3.9.14-8.cm2.x86_64.rpm
-python3-devel-3.9.14-8.cm2.x86_64.rpm
-python3-libs-3.9.14-8.cm2.x86_64.rpm
-python3-setuptools-3.9.14-8.cm2.noarch.rpm
+python3-3.9.19-1.cm2.x86_64.rpm
+python3-devel-3.9.19-1.cm2.x86_64.rpm
+python3-libs-3.9.19-1.cm2.x86_64.rpm
+python3-setuptools-3.9.19-1.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index ca98f27468..c8d189c02b 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.14-8.cm2.aarch64.rpm
+python3-3.9.19-1.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.14-8.cm2.aarch64.rpm
+python3-curses-3.9.19-1.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.14-8.cm2.aarch64.rpm
-python3-devel-3.9.14-8.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-1.cm2.aarch64.rpm
+python3-devel-3.9.19-1.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-3.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.14-8.cm2.aarch64.rpm
+python3-libs-3.9.19-1.cm2.aarch64.rpm
 python3-libxml2-2.10.4-2.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.14-8.cm2.noarch.rpm
+python3-pip-3.9.19-1.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.14-8.cm2.noarch.rpm
-python3-test-3.9.14-8.cm2.aarch64.rpm
-python3-tools-3.9.14-8.cm2.aarch64.rpm
+python3-setuptools-3.9.19-1.cm2.noarch.rpm
+python3-test-3.9.19-1.cm2.aarch64.rpm
+python3-tools-3.9.19-1.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index f38a52550a..0e5a9aaa7f 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.14-8.cm2.x86_64.rpm
+python3-3.9.19-1.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.14-8.cm2.x86_64.rpm
+python3-curses-3.9.19-1.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.14-8.cm2.x86_64.rpm
-python3-devel-3.9.14-8.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-1.cm2.x86_64.rpm
+python3-devel-3.9.19-1.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-3.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.14-8.cm2.x86_64.rpm
+python3-libs-3.9.19-1.cm2.x86_64.rpm
 python3-libxml2-2.10.4-2.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.14-8.cm2.noarch.rpm
+python3-pip-3.9.19-1.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.14-8.cm2.noarch.rpm
-python3-test-3.9.14-8.cm2.x86_64.rpm
-python3-tools-3.9.14-8.cm2.x86_64.rpm
+python3-setuptools-3.9.19-1.cm2.noarch.rpm
+python3-test-3.9.19-1.cm2.x86_64.rpm
+python3-tools-3.9.19-1.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm