diff --git a/.gitignore b/.gitignore index df4a92f..e5098a3 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.9.2.tar.xz +SOURCES/Python-3.9.6.tar.xz diff --git a/.python39.metadata b/.python39.metadata index 2ffe7aa..83b5bfb 100644 --- a/.python39.metadata +++ b/.python39.metadata @@ -1 +1 @@ -110ca5bca7989f9558a54ee6762e6774a4b9644a SOURCES/Python-3.9.2.tar.xz +05826c93a178872958f6685094ee3514e53ba653 SOURCES/Python-3.9.6.tar.xz diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch index 24eafad..c8d5e56 100644 --- a/SOURCES/00189-use-rpm-wheels.patch +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -33,10 +33,10 @@ index 97dfa7ea71..984e587ea0 100644 +_WHEEL_DIR = "/usr/share/python39-wheels/" --_SETUPTOOLS_VERSION = "49.2.1" +-_SETUPTOOLS_VERSION = "56.0.0" +_wheels = {} --_PIP_VERSION = "20.2.3" +-_PIP_VERSION = "21.1.3" +def _get_most_recent_wheel_version(pkg): + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) + _wheels[pkg] = {} diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index 5fdad74..33ebae8 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -1,4 +1,4 @@ -From 0d4515001c99025c024d773f34d3eb97833d0b5d Mon Sep 17 00:00:00 2001 +From 918e294d56e646e67553550c87b4a9e30cac1f67 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 29 Jan 2021 14:16:21 +0100 Subject: [PATCH 01/13] Use python's fall backs for the crypto it implements @@ -10,7 +10,7 @@ Subject: [PATCH 01/13] Use python's fall backs for the crypto it implements 2 files changed, 76 insertions(+), 119 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 58c340d56e3..1fd80c7d4fd 100644 +index 58c340d..1fd80c7 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -68,8 +68,6 @@ __all__ = __always_supported + ('new', 'algorithms_guaranteed', @@ -260,7 +260,7 @@ index 58c340d56e3..1fd80c7d4fd 100644 +if not get_fips_mode(): + del __py_new 
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 86f31a55878..8235505092b 100644 +index 86f31a5..8235505 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -1039,6 +1039,7 @@ class KDFTests(unittest.TestCase): @@ -272,10 +272,10 @@ index 86f31a55878..8235505092b 100644 def test_pbkdf2_hmac_py(self): self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes) -- -2.26.2 +2.31.1 -From 8a174c9a8d4180a5a7b19f4419b98c63b91b13ab Mon Sep 17 00:00:00 2001 +From 93696af7133bf08fd76fb759b24c7f82b90220da Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 Subject: [PATCH 02/13] Disable Python's hash implementations in FIPS mode, @@ -293,7 +293,7 @@ Subject: [PATCH 02/13] Disable Python's hash implementations in FIPS mode, diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h new file mode 100644 -index 00000000000..a726c0d3fbf +index 0000000..a726c0d --- /dev/null +++ b/Include/_hashopenssl.h @@ -0,0 +1,66 @@ @@ -364,7 +364,7 @@ index 00000000000..a726c0d3fbf + +#endif // !Py_HASHOPENSSL_H diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index 7fb1296f8b2..67620afcad2 100644 +index 7fb1296..67620af 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -14,6 +14,7 @@ @@ -394,7 +394,7 @@ index 7fb1296f8b2..67620afcad2 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index ff142c9f3ed..bc67529cb5e 100644 +index ff142c9..bc67529 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -9,6 +9,7 @@ @@ -415,7 +415,7 @@ index ff142c9f3ed..bc67529cb5e 100644 if (m == NULL) return NULL; diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index e3e90d0587b..57c0f3fcbd7 100644 +index e3e90d0..57c0f3f 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c 
@@ -14,6 +14,7 @@ @@ -445,28 +445,28 @@ index e3e90d0587b..57c0f3fcbd7 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index adc86537732..deecc077ef8 100644 +index ff3a1ae..3d788f5 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -16,6 +16,7 @@ +@@ -23,6 +23,7 @@ #include "Python.h" #include "hashlib.h" #include "pystrhex.h" +#include "_hashopenssl.h" - /* EVP is the preferred interface to hashing in OpenSSL */ -@@ -24,9 +25,6 @@ + #include +@@ -30,9 +31,6 @@ #include /* We use the object interface to discover what hashes OpenSSL supports. */ #include --#include "openssl/err.h" +-#include - -#include // FIPS_mode() #ifndef OPENSSL_THREADS # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" -@@ -118,37 +116,6 @@ class _hashlib.HMAC "HMACobject *" "((_hashlibstate *)PyModule_GetState(module)) +@@ -124,37 +122,6 @@ class _hashlib.HMAC "HMACobject *" "((_hashlibstate *)PyModule_GetState(module)) /*[clinic end generated code: output=da39a3ee5e6b4b0d input=7df1bcf6f75cb8ef]*/ @@ -505,7 +505,7 @@ index adc86537732..deecc077ef8 100644 static PyObject * _disabled_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) diff --git a/setup.py b/setup.py -index bd5f7369244..89edbb627fa 100644 +index 04eb6b2..f72d7ca 100644 --- a/setup.py +++ b/setup.py @@ -2306,7 +2306,7 @@ class PyBuildExt(build_ext): @@ -559,10 +559,10 @@ index bd5f7369244..89edbb627fa 100644 - library_dirs=openssl_libdirs, - libraries=openssl_libs, + **self.detect_openssl_args(), - depends=['socketmodule.h', '_ssl/debughelpers.c']) - ) - else: -@@ -2358,9 +2369,7 @@ class PyBuildExt(build_ext): + depends=[ + 'socketmodule.h', + '_ssl/debughelpers.c', +@@ -2363,9 +2374,7 @@ class PyBuildExt(build_ext): self.add(Extension('_hashlib', ['_hashopenssl.c'], depends=['hashlib.h'], 
@@ -573,7 +573,7 @@ index bd5f7369244..89edbb627fa 100644 def detect_hash_builtins(self): # By default we always compile these even when OpenSSL is available -@@ -2417,6 +2426,7 @@ class PyBuildExt(build_ext): +@@ -2422,6 +2431,7 @@ class PyBuildExt(build_ext): '_blake2/blake2b_impl.c', '_blake2/blake2s_impl.c' ], @@ -582,10 +582,10 @@ index bd5f7369244..89edbb627fa 100644 )) -- -2.26.2 +2.31.1 -From 56171083467bd5798adcb1946cfc0b1d68403755 Mon Sep 17 00:00:00 2001 +From 0b9b72c27e24e159ed3180e9a7a2a9efa24de7e8 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 Subject: [PATCH 03/13] Expose all hashes available to OpenSSL @@ -600,7 +600,7 @@ Subject: [PATCH 03/13] Expose all hashes available to OpenSSL 6 files changed, 158 insertions(+), 12 deletions(-) diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h -index a726c0d3fbf..47ed0030422 100644 +index a726c0d..47ed003 100644 --- a/Include/_hashopenssl.h +++ b/Include/_hashopenssl.h @@ -39,7 +39,7 @@ _setException(PyObject *exc) @@ -636,7 +636,7 @@ index a726c0d3fbf..47ed0030422 100644 #endif // !Py_HASHOPENSSL_H diff --git a/Modules/_blake2/blake2b_impl.c b/Modules/_blake2/blake2b_impl.c -index 67620afcad2..9e125dcbf43 100644 +index 67620af..9e125dc 100644 --- a/Modules/_blake2/blake2b_impl.c +++ b/Modules/_blake2/blake2b_impl.c @@ -97,7 +97,7 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size, @@ -658,7 +658,7 @@ index 67620afcad2..9e125dcbf43 100644 GET_BUFFER_VIEW_OR_ERROUT(data, &buf); diff --git a/Modules/_blake2/blake2module.c b/Modules/_blake2/blake2module.c -index bc67529cb5e..79a9eed5c13 100644 +index bc67529..79a9eed 100644 --- a/Modules/_blake2/blake2module.c +++ b/Modules/_blake2/blake2module.c @@ -58,7 +58,7 @@ PyInit__blake2(void) @@ -671,7 +671,7 @@ index bc67529cb5e..79a9eed5c13 100644 m = PyModule_Create(&blake2_module); if (m == NULL) 
diff --git a/Modules/_blake2/blake2s_impl.c b/Modules/_blake2/blake2s_impl.c -index 57c0f3fcbd7..b59624d7d98 100644 +index 57c0f3f..b59624d 100644 --- a/Modules/_blake2/blake2s_impl.c +++ b/Modules/_blake2/blake2s_impl.c @@ -97,7 +97,7 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size, @@ -693,10 +693,10 @@ index 57c0f3fcbd7..b59624d7d98 100644 GET_BUFFER_VIEW_OR_ERROUT(data, &buf); diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index deecc077ef8..a805183721b 100644 +index 3d788f5..dc130f6 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -253,6 +253,12 @@ py_digest_by_name(const char *name) +@@ -259,6 +259,12 @@ py_digest_by_name(const char *name) else if (!strcmp(name, "blake2b512")) { digest = EVP_blake2b512(); } @@ -709,7 +709,7 @@ index deecc077ef8..a805183721b 100644 #endif } -@@ -946,6 +952,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, +@@ -952,6 +958,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj, } @@ -751,7 +751,7 @@ index deecc077ef8..a805183721b 100644 #ifdef PY_OPENSSL_HAS_SHA3 /*[clinic input] -@@ -1931,6 +1972,8 @@ static struct PyMethodDef EVP_functions[] = { +@@ -1938,6 +1979,8 @@ static struct PyMethodDef EVP_functions[] = { _HASHLIB_OPENSSL_SHA256_METHODDEF _HASHLIB_OPENSSL_SHA384_METHODDEF _HASHLIB_OPENSSL_SHA512_METHODDEF @@ -761,7 +761,7 @@ index deecc077ef8..a805183721b 100644 _HASHLIB_OPENSSL_SHA3_256_METHODDEF _HASHLIB_OPENSSL_SHA3_384_METHODDEF diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h -index 68aa765e529..2957ae2e135 100644 +index 68aa765..2957ae2 100644 --- a/Modules/clinic/_hashopenssl.c.h +++ b/Modules/clinic/_hashopenssl.c.h @@ -540,6 +540,110 @@ exit: 
@@ -882,10 +882,10 @@ index 68aa765e529..2957ae2e135 100644 -/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=4f8cc45bf0337f8e input=a9049054013a1b77]*/ -- -2.26.2 +2.31.1 -From e024cae691bffa2d093a63f8e2058331fce94d2a Mon Sep 17 00:00:00 2001 +From 23e9a37ced6523d2e15c97f716d4dcb6605b1b9a Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 18:13:45 +0200 Subject: [PATCH 04/13] Fix tests @@ -895,7 +895,7 @@ Subject: [PATCH 04/13] Fix tests 1 file changed, 5 insertions(+) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 8235505092b..a838bcee2a8 100644 +index 8235505..a838bce 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -354,6 +354,11 @@ class HashLibTestCase(unittest.TestCase): @@ -911,10 +911,10 @@ index 8235505092b..a838bcee2a8 100644 computed = m.hexdigest() if not shake else m.hexdigest(length) self.assertEqual( -- -2.26.2 +2.31.1 -From 3e87bf1c3d32c09a50385d8576b1164cafce4158 Mon Sep 17 00:00:00 2001 +From 20828756a8df0a693b09167d03bf2724bcfddc51 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 15:41:10 +0200 Subject: [PATCH 05/13] Implement hmac.new using new built-in module, @@ -934,7 +934,7 @@ This removes the _hmacopenssl.new function. create mode 100644 Modules/clinic/_hmacopenssl.c.h diff --git a/Lib/hmac.py b/Lib/hmac.py -index 180bc378b52..482e443bfe4 100644 +index 180bc37..482e443 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -14,6 +14,8 @@ else: @@ -1003,7 +1003,7 @@ index 180bc378b52..482e443bfe4 100644 """Create a new hashing object and return it. diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 6daf22ca06f..544ec7cb411 100644 +index 6daf22c..544ec7c 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -322,6 +322,7 @@ class TestVectorsTestCase(unittest.TestCase): @@ -1078,7 +1078,7 @@ index 6daf22ca06f..544ec7cb411 100644 # Testing if the copy has the same digests. 
diff --git a/Modules/_hmacopenssl.c b/Modules/_hmacopenssl.c new file mode 100644 -index 00000000000..c31d233fbe4 +index 0000000..c31d233 --- /dev/null +++ b/Modules/_hmacopenssl.c @@ -0,0 +1,459 @@ @@ -1543,7 +1543,7 @@ index 00000000000..c31d233fbe4 +} diff --git a/Modules/clinic/_hmacopenssl.c.h b/Modules/clinic/_hmacopenssl.c.h new file mode 100644 -index 00000000000..a2af550838a +index 0000000..a2af550 --- /dev/null +++ b/Modules/clinic/_hmacopenssl.c.h @@ -0,0 +1,104 @@ @@ -1652,10 +1652,10 @@ index 00000000000..a2af550838a +} +/*[clinic end generated code: output=e0c910f3c9ed523e input=a9049054013a1b77]*/ diff --git a/setup.py b/setup.py -index 89edbb627fa..5c2cbd665af 100644 +index f72d7ca..11fca20 100644 --- a/setup.py +++ b/setup.py -@@ -2371,6 +2371,10 @@ class PyBuildExt(build_ext): +@@ -2376,6 +2376,10 @@ class PyBuildExt(build_ext): depends=['hashlib.h'], **self.detect_openssl_args()) ) @@ -1667,10 +1667,10 @@ index 89edbb627fa..5c2cbd665af 100644 # By default we always compile these even when OpenSSL is available # (issue #14693). It's harmless and the object code is tiny -- -2.26.2 +2.31.1 -From a6d7c4268a6e305b1178b633e59dde7b5c8a1069 Mon Sep 17 00:00:00 2001 +From bda4c9de583ee2272812c25d506bea294a54dee8 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 1 Aug 2019 17:57:05 +0200 Subject: [PATCH 06/13] Use a stronger hash in multiprocessing handshake @@ -1682,7 +1682,7 @@ https://bugs.python.org/issue17258 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py -index 510e4b5aba4..b68f2fb837a 100644 +index 510e4b5..b68f2fb 100644 --- a/Lib/multiprocessing/connection.py +++ b/Lib/multiprocessing/connection.py @@ -42,6 +42,10 @@ BUFSIZE = 8192 
@@ -1715,10 +1715,10 @@ index 510e4b5aba4..b68f2fb837a 100644 response = connection.recv_bytes(256) # reject large message if response != WELCOME: -- -2.26.2 +2.31.1 -From 86868ca46c47112f771d54a54ee89e2d6c00f56f Mon Sep 17 00:00:00 2001 +From 381d423df59d59f953ed817e1611dd929393dea9 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 Subject: [PATCH 07/13] Add initial tests for various hashes under FIPS mode @@ -1730,7 +1730,7 @@ Subject: [PATCH 07/13] Add initial tests for various hashes under FIPS mode diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py new file mode 100644 -index 00000000000..fe4ea72296e +index 0000000..fe4ea72 --- /dev/null +++ b/Lib/test/test_fips.py @@ -0,0 +1,31 @@ @@ -1766,10 +1766,10 @@ index 00000000000..fe4ea72296e +if __name__ == "__main__": + unittest.main() -- -2.26.2 +2.31.1 -From 5badab85d3fc725b56a19658f1e9b16aeb0ed663 Mon Sep 17 00:00:00 2001 +From 31c0ebb0612e0f058a45058b5c92d1cfa672eca2 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 18:23:57 +0200 Subject: [PATCH 08/13] Make hashlib tests pass in FIPS mode @@ -1779,7 +1779,7 @@ Subject: [PATCH 08/13] Make hashlib tests pass in FIPS mode 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index a838bcee2a8..6f60ad4b8fb 100644 +index a838bce..6f60ad4 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -44,6 +44,12 @@ if builtin_hashes == default_builtin_hashes: @@ -1878,10 +1878,10 @@ index a838bcee2a8..6f60ad4b8fb 100644 self.check( 'md5', -- -2.26.2 +2.31.1 -From 0f7a3094bc4cf691ae0dd093567ceea149e14e8a Mon Sep 17 00:00:00 2001 +From 42e85e3a54a806e9460ae67598f473b4a839d223 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:09:39 +0200 Subject: [PATCH 09/13] Test the usedforsecurity flag @@ -1891,7 +1891,7 @@ Subject: [PATCH 09/13] Test the usedforsecurity flag 1 file changed, 42 insertions(+), 24 deletions(-) 
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index 6f60ad4b8fb..f306ba33b20 100644 +index 6f60ad4..f306ba3 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -20,6 +20,7 @@ import warnings @@ -2070,10 +2070,10 @@ index 6f60ad4b8fb..f306ba33b20 100644 class KDFTests(unittest.TestCase): -- -2.26.2 +2.31.1 -From 5feafbf68d297e3f4fcafe4cbeff97817c592c53 Mon Sep 17 00:00:00 2001 +From 7ea94845a8c8f5b2081237e69ff41993da1e5a5e Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 Subject: [PATCH 10/13] Don't re-export get_fips_mode from hashlib @@ -2089,7 +2089,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745685 6 files changed, 29 insertions(+), 29 deletions(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 1fd80c7d4fd..6121d251267 100644 +index 1fd80c7..6121d25 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -53,6 +53,8 @@ More condensed: @@ -2169,7 +2169,7 @@ index 1fd80c7d4fd..6121d251267 100644 +if not _hashlib.get_fips_mode(): del __py_new diff --git a/Lib/hmac.py b/Lib/hmac.py -index 482e443bfe4..ff466322d7b 100644 +index 482e443..ff46632 100644 --- a/Lib/hmac.py +++ b/Lib/hmac.py @@ -50,7 +50,7 @@ class HMAC: @@ -2200,7 +2200,7 @@ index 482e443bfe4..ff466322d7b 100644 diff --git a/Lib/test/test_fips.py b/Lib/test/test_fips.py -index fe4ea72296e..6b50f8b45d4 100644 +index fe4ea72..6b50f8b 100644 --- a/Lib/test/test_fips.py +++ b/Lib/test/test_fips.py @@ -6,7 +6,7 @@ import hashlib, _hashlib @@ -2222,7 +2222,7 @@ index fe4ea72296e..6b50f8b45d4 100644 self.assertEqual(hashlib.blake2b(b'abc').hexdigest(), _hashlib.openssl_blake2b(b'abc').hexdigest()) self.assertEqual(hashlib.blake2s(b'abc').hexdigest(), _hashlib.openssl_blake2s(b'abc').hexdigest()) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py -index f306ba33b20..03cfb6b2fb4 100644 +index f306ba3..03cfb6b 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -46,7 +46,9 @@ else: 
@@ -2288,7 +2288,7 @@ index f306ba33b20..03cfb6b2fb4 100644 """Make sure usedforsecurity flag isn't copied to other contexts""" for i in range(3): diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 544ec7cb411..2d4484911c2 100644 +index 544ec7c..2d44849 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -5,6 +5,7 @@ import hashlib @@ -2336,7 +2336,7 @@ index 544ec7cb411..2d4484911c2 100644 def test_properties(self): # deprecated properties diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py -index ed426b05a71..faec6844f9a 100644 +index ed426b0..faec684 100644 --- a/Lib/test/test_urllib2_localnet.py +++ b/Lib/test/test_urllib2_localnet.py @@ -7,6 +7,7 @@ import http.server @@ -2348,10 +2348,10 @@ index ed426b05a71..faec6844f9a 100644 from test import support from test.support import hashlib_helper -- -2.26.2 +2.31.1 -From 3e314b647bc316dda3cef1f611fbac9170ed1030 Mon Sep 17 00:00:00 2001 +From 62c667aed616986e8b6df9883ccebf9326f041ee Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 20 Nov 2019 10:59:25 +0100 Subject: [PATCH 11/13] Use FIPS compliant CSPRNG @@ -2368,7 +2368,7 @@ Signed-off-by: Christian Heimes 4 files changed, 63 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py -index bf1cb5f5112..d3b1d9c8969 100644 +index 35933e9..f67a65d 100644 --- a/Lib/test/test_os.py +++ b/Lib/test/test_os.py @@ -29,6 +29,7 @@ import types @@ -2392,7 +2392,7 @@ index bf1cb5f5112..d3b1d9c8969 100644 def test_getrandom_type(self): data = os.getrandom(16) diff --git a/Makefile.pre.in b/Makefile.pre.in -index f128444b985..3ea348a5461 100644 +index c57fc96..7b94db1 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR @@ -2405,10 +2405,10 @@ index f128444b985..3ea348a5461 100644 CFLAGS_ALIASING=@CFLAGS_ALIASING@ 
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c -index 12f72f525f7..d244d264d8a 100644 +index c984e2e..d1b0e39 100644 --- a/Modules/posixmodule.c +++ b/Modules/posixmodule.c -@@ -495,6 +495,9 @@ extern char *ctermid_r(char *); +@@ -502,6 +502,9 @@ extern char *ctermid_r(char *); # define MODNAME "posix" #endif @@ -2418,7 +2418,7 @@ index 12f72f525f7..d244d264d8a 100644 #if defined(__sun) /* Something to implement in autoconf, not present in autoconf 2.69 */ # define HAVE_STRUCT_STAT_ST_FSTYPE 1 -@@ -14171,6 +14174,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags) +@@ -14256,6 +14259,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags) return posix_error(); } @@ -2431,7 +2431,7 @@ index 12f72f525f7..d244d264d8a 100644 if (bytes == NULL) { PyErr_NoMemory(); diff --git a/Python/bootstrap_hash.c b/Python/bootstrap_hash.c -index a212f69870e..6333cd446dc 100644 +index a212f69..6333cd4 100644 --- a/Python/bootstrap_hash.c +++ b/Python/bootstrap_hash.c @@ -429,6 +429,50 @@ dev_urandom_close(void) @@ -2497,10 +2497,10 @@ index a212f69870e..6333cd446dc 100644 return win32_urandom((unsigned char *)buffer, size, raise); #else -- -2.26.2 +2.31.1 -From 16b9a981697b94c348fdc0d73d2d12e12b1b4227 Mon Sep 17 00:00:00 2001 +From 58e51c67ce2afa268e7a44100d4ca9025b54117c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 7 Apr 2020 15:16:45 +0200 Subject: [PATCH 12/13] Pass kwargs (like usedforsecurity) through __hash_new @@ -2510,7 +2510,7 @@ Subject: [PATCH 12/13] Pass kwargs (like usedforsecurity) through __hash_new 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/hashlib.py b/Lib/hashlib.py -index 6121d251267..00794adffc1 100644 +index 6121d25..00794ad 100644 --- a/Lib/hashlib.py +++ b/Lib/hashlib.py @@ -171,7 +171,7 @@ def __hash_new(name, data=b'', **kwargs): 
@@ -2523,10 +2523,10 @@ index 6121d251267..00794adffc1 100644 try: -- -2.26.2 +2.31.1 -From 48fb6366a0fcb95c8565be35495b25a23dc03896 Mon Sep 17 00:00:00 2001 +From ea7b14d45e9a41182ca2411ad6730a9987ec49f1 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 19:57:16 +0200 Subject: [PATCH 13/13] Skip the test_with_digestmod_no_default under FIPS @@ -2538,7 +2538,7 @@ the digestmod parameter misuse under FIPS mode. 1 file changed, 13 insertions(+) diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py -index 2d4484911c2..e0a5b6a053b 100644 +index 2d44849..e0a5b6a 100644 --- a/Lib/test/test_hmac.py +++ b/Lib/test/test_hmac.py @@ -347,6 +347,7 @@ class TestVectorsTestCase(unittest.TestCase): @@ -2569,5 +2569,5 @@ index 2d4484911c2..e0a5b6a053b 100644 class ConstructorTestCase(unittest.TestCase): -- -2.26.2 +2.31.1 diff --git a/SOURCES/00360-CVE-2021-3426.patch b/SOURCES/00360-CVE-2021-3426.patch deleted file mode 100644 index d5580dc..0000000 --- a/SOURCES/00360-CVE-2021-3426.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From ed753d94856213ae9fc028195f670e66a24e2334 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 29 Mar 2021 06:08:00 -0700 -Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2021-3426: Remove the "getfile" feature of the pydoc module which -could be abused to read arbitrary files on the disk (directory -traversal vulnerability). Moreover, even source code of Python -modules can contain sensitive data like passwords. Vulnerability -reported by David Schwörer. -(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) - -Co-authored-by: Victor Stinner ---- - Lib/pydoc.py | 18 ------------------ - Lib/test/test_pydoc.py | 6 ------ - .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++ - 3 files changed, 4 insertions(+), 24 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst - -diff --git a/Lib/pydoc.py b/Lib/pydoc.py -index 35ef3ebdc688e6..ffa4b62c1f17b7 100755 ---- a/Lib/pydoc.py -+++ b/Lib/pydoc.py -@@ -2457,9 +2457,6 @@ def page(self, title, contents): - %s%s
%s
- ''' % (title, css_link, html_navbar(), contents) - -- def filelink(self, url, path): -- return '%s' % (url, path) -- - - html = _HTMLDoc() - -@@ -2545,19 +2542,6 @@ def bltinlink(name): - 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results)) - return 'Search Results', contents - -- def html_getfile(path): -- """Get and display a source file listing safely.""" -- path = urllib.parse.unquote(path) -- with tokenize.open(path) as fp: -- lines = html.escape(fp.read()) -- body = '
%s
' % lines -- heading = html.heading( -- 'File Listing', -- '#ffffff', '#7799ee') -- contents = heading + html.bigsection( -- 'File: %s' % path, '#ffffff', '#ee77aa', body) -- return 'getfile %s' % path, contents -- - def html_topics(): - """Index of topic texts available.""" - -@@ -2649,8 +2633,6 @@ def get_html_page(url): - op, _, url = url.partition('=') - if op == "search?key": - title, content = html_search(url) -- elif op == "getfile?key": -- title, content = html_getfile(url) - elif op == "topic?key": - # try topics first, then objects. - try: -diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py -index ffabb7f1b94072..0bbdc42c635be4 100644 ---- a/Lib/test/test_pydoc.py -+++ b/Lib/test/test_pydoc.py -@@ -1374,18 +1374,12 @@ def test_url_requests(self): - ("topic?key=def", "Pydoc: KEYWORD def"), - ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), - ("foobar", "Pydoc: Error - foobar"), -- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), - ] - - with self.restrict_walk_packages(): - for url, title in requests: - self.call_url_handler(url, title) - -- path = string.__file__ -- title = "Pydoc: getfile " + path -- url = "getfile?key=" + path -- self.call_url_handler(url, title) -- - - class TestHelper(unittest.TestCase): - def test_keywords(self): -diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst -new file mode 100644 -index 00000000000000..4b42dd05305a83 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst -@@ -0,0 +1,4 @@ -+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which -+could be abused to read arbitrary files on the disk (directory traversal -+vulnerability). Moreover, even source code of Python modules can contain -+sensitive data like passwords. Vulnerability reported by David Schwörer. 
diff --git a/SOURCES/Python-3.9.2.tar.xz.asc b/SOURCES/Python-3.9.2.tar.xz.asc
deleted file mode 100644
index 23a63c9..0000000
--- a/SOURCES/Python-3.9.2.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmAvyCoACgkQsmmV4xAl
-BWhP7g//XBDQxNrjEaLSBfGy8tGbNPqlrBAOWsuH02JzvRXnr2gBX2m8TfaUSAnq
-8Kzafrpsfw0+7LFoPfrp+YwUO5k2WprovW9Iw+LoUM0d5DABL/gXKwVb0j9i8nRj
-uaPLzX9SRnCQQPfYQW/5wRFIm+/aqz4fx93k3Gw0AfeYh9Ka1pUJOCxCvihS47+E
-dUeoC6S8SUDrm5lPLj8t1uVVtp8W7GpGMwF5Zn31ThrlUA4V/dTMmqSUXCaAI9Ii
-zXditd26EfySKSxps+VQgL7GB778XcIYxlnMYzoqd6SD/pCQgagpFP2nZ1zdZ0/g
-qpwgeGE2SK++w8iiOs2Q59tisREU7PHNVtpdILhw9Me892mwxIjl8wDMTZHY8vvU
-6OZRI9G8UktpkEcT9FeFgwna2T3T16rEVbrzpteeDLFgqUpt84yXD+pd5W/Oozaj
-sfbd7lCFBcdzCQIKa+DGDuJKFPExu8oqGg7Zq25wxLvkNosmHXny9NylE1VIJ5ad
-WHadwBeFSFCR7faplO8s+hO/BmT5PcEwIXrz/xVqwf28o/0im63llkE6WUCRW4MU
-x/S5uWjB/HSDw2NHLRRc0bLabl30mMCf7J/EkVmm9dsIpmXhn6SLC9YCYjJtIjC7
-ChSQs+U8MgEnwk/un/DELIRUtu+rQZ1GkQnJ4tooaYJlYr/m7Ww=
-=s/wm
------END PGP SIGNATURE-----
diff --git a/SOURCES/Python-3.9.6.tar.xz.asc b/SOURCES/Python-3.9.6.tar.xz.asc
new file mode 100644
index 0000000..1bec6b8
--- /dev/null
+++ b/SOURCES/Python-3.9.6.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmDZkQMACgkQsmmV4xAl +BWj09RAAoAJZTivNUSuw9H4UBr5Y7O/y09t2SoSDnyQTv8OWXhFh6uSQQvUah8oh +BtyfIHHJrPK+h6oX5mNmFcuv0GVKpmn5yuIYExeMBvG78mqSybYuQuHqWISEK5Vt +NUt0ZBbOzQyqidO2Q++kRf+zfrc5BK5SZ/iCaT8fTcxISs/GuKmG2R/SoRzjYDNa +XSqJi0/3jH/hSS/XIhKzDRzlkSemOCBuGeBi8rLCEtLE1faeeMYBB/StLzs8lkpb +VIZ26jMN5BDtT2Srm2tJk3Yze3I4jSvhkDLVS3gWd5IKH0jrFFoGwswXuc8V6aLP +tt87artPasOhLvEBy7y/1c3MZw+WOsZS5ogKrfI2QSMbuXT4HMOyFnrb7zz3nsKy +wtwRP0I03P1KbI0RrM4LQj1r05RSvMSSJsbslIThL274Fh44/xanNgIM1xyf1Ios +GiKkfo9xkkwB2/et2WJd9M4MfWcLiGvkRoFGxyon5uoNDrIaZaQF8JWZeXctIyDP +MbdoLQod7PevKnr+XNxZNN1JVQ1uatghuTtXQcZ34WWkSGxb1zf+uh2ghayEKSeC +nOhk2/j3CDHh5j+9oYqmDi1yvQGLucVIhu7cc2mFk6nljROzOu5Ga7M1+XSv7RNe +cB0N1XRmpD075HEPHDmV7HSQc9A3B6fdDa5bHgyDBML7flIj5Vs= +=j4X2 +-----END PGP SIGNATURE----- diff --git a/SPECS/python39.spec b/SPECS/python39.spec index cb79b73..d482147 100644 --- a/SPECS/python39.spec +++ b/SPECS/python39.spec @@ -13,11 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.2 +%global general_version %{pybasever}.6 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 1%{?dist} License: Python # Exclude i686 arch. Due to a modularity issue it's being added to the 
@@ -164,6 +164,13 @@ ExcludeArch: i686 # foo/__pycache__/bar.cpython-%%{pyshortver}.opt-2.pyc %global bytecode_suffixes .cpython-%{pyshortver}*.pyc +# libmpdec (mpdecimal package in Fedora) is tightly coupled with the +# decimal module. We keep it bundled as to avoid incompatibilities +# with the packaged version. +# The version information can be found at Modules/_decimal/libmpdec/mpdecimal.h +# defined as MPD_VERSION. +%global libmpdec_version 2.5.0 + # Python's configure script defines SOVERSION, and this is used in the Makefile # to determine INSTSONAME, the name of the libpython DSO: # LDLIBRARY='libpython$(VERSION).so' @@ -300,7 +307,7 @@ Patch1: 00001-rpath.patch # See https://bugzilla.redhat.com/show_bug.cgi?id=556092 Patch111: 00111-no-static-lib.patch -# 00189 # 7c07eec60735bd65bda7d8e821d34718497cba27 +# 00189 # 4242864a6a12f1f4cf9fd63a6699a73f35261aa3 # Instead of bundled wheels, use our RPM packaged wheels # # We keep them in /usr/share/python-wheels @@ -312,8 +319,8 @@ Patch189: 00189-use-rpm-wheels.patch # The versions are written in Lib/ensurepip/__init__.py, this patch removes them. # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly. # In such cases, the patch needs to be amended and the versions updated here: -%global pip_version 20.2.3 -%global setuptools_version 49.2.1 +%global pip_version 21.1.3 +%global setuptools_version 56.0.0 # 00251 # 2eabd04356402d488060bc8fe316ad13fc8a3356 # Change user install location @@ -383,12 +390,6 @@ Patch329: 00329-fips.patch # a nightmare because it's basically a binary file. Patch353: 00353-architecture-names-upstream-downstream.patch -# 00360 # -# CVE-2021-3426: information disclosure via pydoc -# Upstream: https://bugs.python.org/issue42988 -# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913 -Patch360: 00360-CVE-2021-3426.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., 
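Review bot: Nothing in this commit records why the CVE-2021-3426 fix is no longer applied: the `@@ -383,12 +390,6 @@` hunk deletes the `Patch360` block, a later hunk deletes `%apply_patch -q %{PATCH360}`, and the new changelog entry mentions only the rebase and CVE-2021-29921. Presumably the pydoc `getfile` removal is already contained in the 3.9.6 tarball, which is worth confirming against the unpacked `Lib/pydoc.py` before the patch file goes away. I would add a changelog line such as `- Remove 00360-CVE-2021-3426.patch, fix is included in the upstream release` so that a later audit of the package history does not read the deletion as a dropped security fix.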
@@ -526,6 +527,11 @@ Requires: python3 == %{version}-%{release} Provides: python = %{version}-%{release} # This also save us an explicit conflict for older python3 builds +# Also provide the name of the Ubuntu package with the same function, +# to be nice to people who temporarily forgot which distro they're on. +# C.f. https://packages.ubuntu.com/hirsute/all/python-is-python3/filelist +Provides: python-is-python3 = %{version}-%{release} + %description -n python-unversioned-command This package contains /usr/bin/python - the "python" command that runs Python 3. @@ -543,6 +549,10 @@ Provides: bundled(python3dist(pip)) = %{pip_version} Provides: bundled(python3dist(setuptools)) = %{setuptools_version} %endif +# Provides for the bundled libmpdec +Provides: bundled(mpdecimal) = %{libmpdec_version} +Provides: bundled(libmpdec) = %{libmpdec_version} + # There are files in the standard library that have python shebang. # We've filtered the automatic requirement out so libs are installable without # the main package. This however makes it pulled in by default. @@ -726,6 +736,10 @@ Provides: bundled(python3dist(pip)) = %{pip_version} Provides: bundled(python3dist(setuptools)) = %{setuptools_version} %endif +# Provides for the bundled libmpdec +Provides: bundled(mpdecimal) = %{libmpdec_version} +Provides: bundled(libmpdec) = %{libmpdec_version} + # The zoneinfo module needs tzdata Requires: tzdata @@ -777,7 +791,6 @@ rm Lib/ensurepip/_bundled/*.whl %apply_patch -q %{PATCH328} %apply_patch -q %{PATCH329} %apply_patch -q %{PATCH353} -%apply_patch -q %{PATCH360} # Remove all exe files to ensure we are not shipping prebuilt binaries # note that those are only used to create Microsoft Windows installers 
@@ -1251,6 +1264,11 @@ for Module in %{buildroot}/%{dynload_dir}/*.so ; do esac done +# Verify that the bundled libmpdec version python was compiled with, is the same version we have virtual +# provides for in the SPEC. +test "$(LD_LIBRARY_PATH=$(pwd)/build/optimized $(pwd)/build/optimized/python -c 'import decimal; print(decimal.__libmpdec_version__)')" = \ + "%{libmpdec_version}" + # ====================================================== # Running the upstream test suite @@ -1941,6 +1959,11 @@ fi # ====================================================== %changelog +* Tue Jul 27 2021 Charalampos Stratakis - 3.9.6-1 +- Update to 3.9.6 +- Fix CVE-2021-29921: Improper input validation of octal strings in the ipaddress module +Resolves: rhbz#1957458 + * Fri Apr 30 2021 Charalampos Stratakis - 3.9.2-2 - Security fix for CVE-2021-3426: information disclosure via pydoc Resolves: rhbz#1935913
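Review bot: The libmpdec check added in the `@@ -1251,6 +1264,11 @@` hunk stops the build without printing the version it found, and an interpreter that fails to start yields an empty string that looks the same as a mismatch in the build log. Assigning the existing command substitution to a variable first and then running `test "$found" = "%{libmpdec_version}" || { echo "libmpdec: built with '$found', spec declares %{libmpdec_version}" >&2; exit 1; }` keeps the check and makes the failure readable. The comparison covers the version only; whether the build uses the bundled copy rather than a system libmpdec is decided by configure options outside this hunk, so the accuracy of the new `Provides: bundled(...)` lines depends on that as well.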