From 45b39df93f5122e40866f7ec91a777ae37211268 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 28 2023 09:24:16 +0000 Subject: import python3.9-3.9.16-1.el9 --- diff --git a/.gitignore b/.gitignore index c5bf0b1..071ce6d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.9.13.tar.xz +SOURCES/Python-3.9.16.tar.xz diff --git a/.python3.9.metadata b/.python3.9.metadata index 00daee8..bc9973c 100644 --- a/.python3.9.metadata +++ b/.python3.9.metadata @@ -1 +1 @@ -d57e5c8b94fe42e2b403e6eced02b25ed47ca8da SOURCES/Python-3.9.13.tar.xz +19acd6a341e4f2d7ff97c10c2eada258e9898624 SOURCES/Python-3.9.16.tar.xz diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index 84aee1d..d6c0a63 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -1,55 +1,4 @@ -From 3ccbf41ad18431fcb7e6e83cb4b6bf13c6c22f3e Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Wed, 27 Jul 2022 09:19:49 +0200 -Subject: [PATCH] gh-95280: Fix test_get_ciphers on systems without RSA key - exchange (GH-95282) (cherry picked from commit - 565403038b75eb64ea483b2757ba30769246d853) - -Co-authored-by: Christian Heimes ---- - Lib/test/test_ssl.py | 16 ++++++++++++++-- - ...2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst | 2 ++ - 2 files changed, 16 insertions(+), 2 deletions(-) - create mode 100644 Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst - -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 9f364fa4bbb6d..f97227b11bcde 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -1177,8 +1177,20 @@ def test_get_ciphers(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - ctx.set_ciphers('AESGCM') - names = set(d['name'] for d in ctx.get_ciphers()) -- self.assertIn('AES256-GCM-SHA384', names) -- self.assertIn('AES128-GCM-SHA256', names) -+ expected = { -+ 'AES128-GCM-SHA256', -+ 'ECDHE-ECDSA-AES128-GCM-SHA256', -+ 'ECDHE-RSA-AES128-GCM-SHA256', -+ 'DHE-RSA-AES128-GCM-SHA256', -+ 'AES256-GCM-SHA384', -+ 'ECDHE-ECDSA-AES256-GCM-SHA384', -+ 'ECDHE-RSA-AES256-GCM-SHA384', -+ 'DHE-RSA-AES256-GCM-SHA384', -+ } -+ intersection = names.intersection(expected) -+ self.assertGreaterEqual( -+ len(intersection), 2, f"\ngot: {sorted(names)}\nexpected: {sorted(expected)}" -+ ) - - def test_options(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) -diff --git a/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst -new file mode 100644 -index 0000000000000..523d9d5f2f8bf ---- /dev/null -+++ b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst -@@ -0,0 +1,2 @@ -+Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require -+perfect forward secrecy (PFS) ciphers. - - -From 37aa11f4c57e08bd3859c0de1c22f1d5296b6fdc Mon Sep 17 00:00:00 2001 +From a350f1e323977baffc6d709c0dc877c7f3faba73 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 11 Aug 2021 16:51:03 +0200 Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as @@ -122,10 +71,10 @@ index 13482c6..fca1083 100644 PyModule_AddIntConstant(PyObject *m, const char *name, long value) { -- -2.35.3 +2.37.3 -From 3fc28233b7244bb891499a974c3f3cda42454760 Mon Sep 17 00:00:00 2001 +From 500314edea579965f5641d8ebdce8c8899fe2838 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 13 Aug 2021 13:16:43 +0200 Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function @@ -195,10 +144,10 @@ index 4db058c..56dfff9 100644 return m; -- -2.35.3 +2.37.3 -From 309e06621a9a8b8220c8f83d588cc76e1fa2380d Mon Sep 17 00:00:00 2001 +From 76402d145bb24912f92d4013b8464e87b1493b45 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 27 Mar 2021 14:55:03 +0100 Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920, @@ -978,10 +927,10 @@ index 68aa765..4466ec4 100644 -/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/ -- -2.35.3 +2.37.3 -From 2656f4998c17d8a63b5b45462a2dae5b1b3d520f Mon Sep 17 00:00:00 2001 +From 668a5b57d6454ff1a0e5c4db80002321e38cadfd Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL @@ -1188,10 +1137,10 @@ index 4466ec4..54c22b2 100644 -/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/ +/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/ -- -2.35.3 +2.37.3 -From 652264a57ab6564bfe775d88502776df95cd897d Mon Sep 17 00:00:00 2001 +From 1613c11b882e192456592a6adb63f73351f82829 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 1 Aug 2019 17:57:05 +0200 Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake @@ -1236,10 +1185,10 @@ index 510e4b5..b68f2fb 100644 response = connection.recv_bytes(256) # reject large message if response != WELCOME: -- -2.35.3 +2.37.3 -From 4a8637f114196b1ab19435ea64c19c7acf77776c Mon Sep 17 00:00:00 2001 +From c0413586c6fb26bd4b7c4d5c40094ceeffb74612 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode, @@ -1497,10 +1446,10 @@ index 0bec170..479f4b5 100644 )) -- -2.35.3 +2.37.3 -From 165bcd0377075dbac9fa3f988ed5189668597ab6 Mon Sep 17 00:00:00 2001 +From 205bd746c16c7f8ac09251316c62bf78d6c31611 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 29 Jan 2021 14:16:21 +0100 Subject: [PATCH 07/10] Use python's fall back crypto implementations only if @@ -1664,10 +1613,10 @@ index fa4a8d7..ec6c883 100644 def test_pbkdf2_hmac_py(self): self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes) -- -2.35.3 +2.37.3 -From f4383a6e0be8b75db2380fdcf0174b09709b613f Mon Sep 17 00:00:00 2001 +From 016e7dbfd92bd24b5f7cb613786fb99456ca6069 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with @@ -1823,10 +1772,10 @@ index ec6c883..0fd036f 100644 class KDFTests(unittest.TestCase): -- -2.35.3 +2.37.3 -From 5ecf11d53225bbe04e35970a834bcc90cd944391 Mon Sep 17 00:00:00 2001 +From 7c7a3260746d06d5f319944dc40d51f7642d92dc Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode @@ -1940,10 +1889,10 @@ index adf52ad..41e6a14 100644 def test_realcopy_old(self): # Testing if the copy method created a real copy. -- -2.35.3 +2.37.3 -From 532ce8649bf743c029aa5ddb25d74604d9798da9 Mon Sep 17 00:00:00 2001 +From 0db6e1bad3663006fe9352819bbbb53bfc5637be Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 25 Aug 2021 16:44:43 +0200 Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode @@ -1986,15 +1935,13 @@ index bba3642..02db901 100644 return PycInvalidationMode.CHECKED_HASH else: diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py -index 86ac8f0..dc042f7 100644 +index 6dc0813..b9d5f9a 100644 --- a/Lib/test/support/__init__.py +++ b/Lib/test/support/__init__.py -@@ -3294,3 +3294,17 @@ def clear_ignored_deprecations(*tokens: object) -> None: - if warnings.filters != new_filters: - warnings.filters[:] = new_filters +@@ -3296,6 +3296,20 @@ def clear_ignored_deprecations(*tokens: object) -> None: warnings._filters_mutated() -+ -+ + + +def fails_in_fips_mode(expected_error): + import _hashlib + if _hashlib.get_fips_mode(): @@ -2007,6 +1954,11 @@ index 86ac8f0..dc042f7 100644 + def _decorator(func): + return func + return _decorator ++ ++ + @contextlib.contextmanager + def adjust_int_max_str_digits(max_digits): + """Temporarily change the integer string conversion length limit.""" diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py index 7cb1370..61df232 100644 --- a/Lib/test/test_cmd_line_script.py @@ -2222,5 +2174,5 @@ index 8358d70..1b7fb85 100644 uint64_t x; char data[sizeof(uint64_t)]; -- -2.35.3 +2.37.3 diff --git a/SOURCES/00382-cve-2015-20107.patch b/SOURCES/00382-cve-2015-20107.patch deleted file mode 100644 index 619f636..0000000 --- a/SOURCES/00382-cve-2015-20107.patch +++ /dev/null @@ -1,150 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Fri, 3 Jun 2022 11:43:35 +0200 -Subject: [PATCH] 00382: CVE-2015-20107 - -Make mailcap refuse to match unsafe filenames/types/params (GH-91993) - -Upstream: https://github.com/python/cpython/issues/68966 - -Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 ---- - Doc/library/mailcap.rst | 12 +++++++++ - Lib/mailcap.py | 26 +++++++++++++++++-- - Lib/test/test_mailcap.py | 8 ++++-- - ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++ - 4 files changed, 46 insertions(+), 4 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst - -diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst -index a22b5b9c9e..7aa3380fec 100644 ---- a/Doc/library/mailcap.rst -+++ b/Doc/library/mailcap.rst -@@ -60,6 +60,18 @@ standard. However, mailcap files are supported on most Unix systems. - use) to determine whether or not the mailcap line applies. :func:`findmatch` - will automatically check such conditions and skip the entry if the check fails. - -+ .. versionchanged:: 3.11 -+ -+ To prevent security issues with shell metacharacters (symbols that have -+ special effects in a shell command line), ``findmatch`` will refuse -+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` -+ into the returned command line. -+ -+ If a disallowed character appears in *filename*, ``findmatch`` will always -+ return ``(None, None)`` as if no entry was found. -+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), -+ ``findmatch`` will ignore all mailcap entries which use that value. -+ A :mod:`warning ` will be raised in either case. - - .. function:: getcaps() - -diff --git a/Lib/mailcap.py b/Lib/mailcap.py -index ae416a8e9f..444c6408b5 100644 ---- a/Lib/mailcap.py -+++ b/Lib/mailcap.py -@@ -2,6 +2,7 @@ - - import os - import warnings -+import re - - __all__ = ["getcaps","findmatch"] - -@@ -13,6 +14,11 @@ def lineno_sort_key(entry): - else: - return 1, 0 - -+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search -+ -+class UnsafeMailcapInput(Warning): -+ """Warning raised when refusing unsafe input""" -+ - - # Part 1: top-level interface. - -@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): - entry to use. - - """ -+ if _find_unsafe(filename): -+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None, None - entries = lookup(caps, MIMEtype, key) - # XXX This code should somehow check for the needsterminal flag. - for e in entries: - if 'test' in e: - test = subst(e['test'], filename, plist) -+ if test is None: -+ continue - if test and os.system(test) != 0: - continue - command = subst(e[key], MIMEtype, filename, plist) -- return command, e -+ if command is not None: -+ return command, e - return None, None - - def lookup(caps, MIMEtype, key=None): -@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]): - elif c == 's': - res = res + filename - elif c == 't': -+ if _find_unsafe(MIMEtype): -+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None - res = res + MIMEtype - elif c == '{': - start = i -@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]): - i = i+1 - name = field[start:i] - i = i+1 -- res = res + findparam(name, plist) -+ param = findparam(name, plist) -+ if _find_unsafe(param): -+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None -+ res = res + param - # XXX To do: - # %n == number of parts if type is multipart/* - # %F == list of alternating type and filename for parts -diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py -index c08423c670..920283d9a2 100644 ---- a/Lib/test/test_mailcap.py -+++ b/Lib/test/test_mailcap.py -@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase): - (["", "audio/*", "foo.txt"], ""), - (["echo foo", "audio/*", "foo.txt"], "echo foo"), - (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), -- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), -+ (["echo %t", "audio/*", "foo.txt"], None), -+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), - (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), - (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), - (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") -@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase): - ('"An audio fragment"', audio_basic_entry)), - ([c, "audio/*"], - {"filename": fname}, -- ("/usr/local/bin/showaudio audio/*", audio_entry)), -+ (None, None)), -+ ([c, "audio/wav"], -+ {"filename": fname}, -+ ("/usr/local/bin/showaudio audio/wav", audio_entry)), - ([c, "message/external-body"], - {"plist": plist}, - ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) -diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst -new file mode 100644 -index 0000000000..da81a1f699 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst -@@ -0,0 +1,4 @@ -+The deprecated mailcap module now refuses to inject unsafe text (filenames, -+MIME types, parameters) into shell commands. Instead of using such text, it -+will warn and act as if a match was not found (or for test commands, as if -+the test failed). diff --git a/SOURCES/Python-3.9.13.tar.xz.asc b/SOURCES/Python-3.9.13.tar.xz.asc deleted file mode 100644 index bbd8653..0000000 --- a/SOURCES/Python-3.9.13.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl -BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g -lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+ -uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW -oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS -3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN -7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs -1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X -ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3 -YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z -hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4 -sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc= -=RYbS ------END PGP SIGNATURE----- diff --git a/SOURCES/Python-3.9.16.tar.xz.asc b/SOURCES/Python-3.9.16.tar.xz.asc new file mode 100644 index 0000000..5a093c6 --- /dev/null +++ b/SOURCES/Python-3.9.16.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl +BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD +rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL +257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV +si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr +fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO +HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3 +4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi +TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC +GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5 +JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2 +U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E= +=dXB5 +-----END PGP SIGNATURE----- diff --git a/SPECS/python3.9.spec b/SPECS/python3.9.spec index 57e7008..93924f2 100644 --- a/SPECS/python3.9.spec +++ b/SPECS/python3.9.spec @@ -13,11 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.13 +%global general_version %{pybasever}.16 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 3%{?dist} +Release: 1%{?dist} License: Python @@ -399,16 +399,6 @@ Patch329: 00329-fips.patch # a nightmare because it's basically a binary file. Patch353: 00353-architecture-names-upstream-downstream.patch -# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985 -# CVE-2015-20107 -# -# Make mailcap refuse to match unsafe filenames/types/params (GH-91993) -# -# Upstream: https://github.com/python/cpython/issues/68966 -# -# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 -Patch382: 00382-cve-2015-20107.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1810,6 +1800,16 @@ CheckPython optimized # ====================================================== %changelog +* Thu Dec 08 2022 Charalampos Stratakis - 3.9.16-1 +- Update to 3.9.16 +- Security fixes for CVE-2022-42919 and CVE-2022-45061 +Resolves: rhbz#2138705, rhbz#2144072 + +* Wed Sep 21 2022 Charalampos Stratakis - 3.9.14-1 +- Update to 3.9.14 +- Security fixes for CVE-2020-10735 and CVE-2021-28861 +Resolves: rhbz#2120642, rhbz#1834423, rhbz#2128249 + * Mon Jul 25 2022 Lumír Balhar - 3.9.13-3 - Fix test_get_ciphers in test_ssl.py for FIPS mode Resolves: rhbz#2058233