From 2f6418a91b88dd64a41ebc47cc035222fb1e1cab Mon Sep 17 00:00:00 2001 From: liuxiaoping Date: Thu, 17 Nov 2022 11:37:02 +0800 Subject: [PATCH 1/3] update to python39-3.9.7-2.module+el8.6.0+17199+26869780.src.rpm --- 00378-support-expat-2-4-5.patch | 98 +++++++++++++++++++ 00391-cve-2022-42919.patch | 64 ++++++++++++ 10000-python-anolis-rebrand.patch | 23 ----- 10001-anolis-python-support-loongarch64.patch | 25 ----- python39.spec | 54 +++++++--- 5 files changed, 205 insertions(+), 59 deletions(-) create mode 100644 00378-support-expat-2-4-5.patch create mode 100644 00391-cve-2022-42919.patch delete mode 100644 10000-python-anolis-rebrand.patch delete mode 100644 10001-anolis-python-support-loongarch64.patch diff --git a/00378-support-expat-2-4-5.patch b/00378-support-expat-2-4-5.patch new file mode 100644 index 0000000..4b1e441 --- /dev/null +++ b/00378-support-expat-2-4-5.patch 
@@ -0,0 +1,98 @@ +From a5b78c6f1c802f6023bd4d7a248dc83be1eef6a3 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 21 Feb 2022 15:48:32 +0100 +Subject: [PATCH] 00378: Support expat 2.4.5 + +Curly brackets were never allowed in namespace URIs +according to RFC 3986, and so-called namespace-validating +XML parsers have the right to reject them a invalid URIs. + +libexpat >=2.4.5 has become strcter in that regard due to +related security issues; with ET.XML instantiating a +namespace-aware parser under the hood, this test has no +future in CPython. + +References: +- https://datatracker.ietf.org/doc/html/rfc3968 +- https://www.w3.org/TR/xml-names/ + +Also, test_minidom.py: Support Expat >=2.4.5 + +Upstream: https://bugs.python.org/issue46811 + +Co-authored-by: Sebastian Pipping +--- + Lib/test/test_minidom.py | 12 +++++++++--- + Lib/test/test_xml_etree.py | 6 ------ + .../Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 + + 3 files changed, 10 insertions(+), 9 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst + +diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py +index d55e25e..e947382 100644 +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -5,10 +5,12 @@ import pickle + from test import support + import unittest + ++import pyexpat + import xml.dom.minidom + + from xml.dom.minidom import parse, Node, Document, parseString + from xml.dom.minidom import getDOMImplementation ++from xml.parsers.expat import ExpatError + + + tstfile = support.findfile("test.xml", subdir="xmltestdata") +@@ -1156,8 +1158,10 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- self.assertRaises(UnicodeDecodeError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') ++ self.assertRaises(ExpatError, parseString, ++ b'') ++ self.assertRaises(ExpatError, parseString, ++ b'Comment \xe7a va ? 
Tr\xe8s bien ?') + + doc.unlink() + +@@ -1602,7 +1606,9 @@ class MinidomTest(unittest.TestCase): + self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) + + def testExceptionOnSpacesInXMLNSValue(self): +- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'): ++ context = self.assertRaisesRegex(ExpatError, 'syntax error') ++ ++ with context: + parseString('') + + def testDocRemoveChild(self): +diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py +index b01709e..acaa519 100644 +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1668,12 +1668,6 @@ class BugsTest(unittest.TestCase): + b"\n" + b'tãg') + +- def test_issue3151(self): +- e = ET.XML('') +- self.assertEqual(e.tag, '{${stuff}}localname') +- t = ET.ElementTree(e) +- self.assertEqual(ET.tostring(e), b'') +- + def test_issue6565(self): + elem = ET.XML("") + self.assertEqual(summarize_list(elem), ['tag']) +diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst +new file mode 100644 +index 0000000..6969bd1 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst +@@ -0,0 +1 @@ ++Make test suite support Expat >=2.4.5 +-- +2.35.1 + diff --git a/00391-cve-2022-42919.patch b/00391-cve-2022-42919.patch new file mode 100644 index 0000000..0e67857 --- /dev/null +++ b/00391-cve-2022-42919.patch 
@@ -0,0 +1,64 @@ +From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001 +From: "Gregory P. Smith" +Date: Thu, 20 Oct 2022 15:30:09 -0700 +Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for + multiprocessing (GH-98501) + +Linux abstract sockets are insecure as they lack any form of filesystem +permissions so their use allows anyone on the system to inject code into +the process. + +This removes the default preference for abstract sockets in +multiprocessing introduced in Python 3.9+ via +https://github.com/python/cpython/pull/18866 while fixing +https://github.com/python/cpython/issues/84031. + +Explicit use of an abstract socket by a user now generates a +RuntimeWarning. If we choose to keep this warning, it should be +backported to the 3.7 and 3.8 branches. +(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) + +Co-authored-by: Gregory P. Smith +--- + Lib/multiprocessing/connection.py | 5 ----- + .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++ + 2 files changed, 15 insertions(+), 5 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst + +diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py +index 510e4b5aba44..8e2facf92a94 100644 +--- a/Lib/multiprocessing/connection.py ++++ b/Lib/multiprocessing/connection.py +@@ -73,11 +73,6 @@ def arbitrary_address(family): + if family == 'AF_INET': + return ('localhost', 0) + elif family == 'AF_UNIX': +- # Prefer abstract sockets if possible to avoid problems with the address +- # size. When coding portable applications, some implementations have +- # sun_path as short as 92 bytes in the sockaddr_un struct. 
+- if util.abstract_sockets_supported: +- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}" + return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir()) + elif family == 'AF_PIPE': + return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' % +diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst +new file mode 100644 +index 000000000000..02d95b570520 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst +@@ -0,0 +1,15 @@ ++On Linux the :mod:`multiprocessing` module returns to using filesystem backed ++unix domain sockets for communication with the *forkserver* process instead of ++the Linux abstract socket namespace. Only code that chooses to use the ++:ref:`"forkserver" start method ` is affected. ++ ++Abstract sockets have no permissions and could allow any user on the system in ++the same `network namespace ++`_ (often the ++whole system) to inject code into the multiprocessing *forkserver* process. ++This was a potential privilege escalation. Filesystem based socket permissions ++restrict this to the *forkserver* process user as was the default in Python 3.8 ++and earlier. ++ ++This prevents Linux `CVE-2022-42919 ++`_. diff --git a/10000-python-anolis-rebrand.patch b/10000-python-anolis-rebrand.patch deleted file mode 100644 index 5a05a1d..0000000 --- a/10000-python-anolis-rebrand.patch +++ /dev/null 
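Review bot: The description inside the added 00391-cve-2022-42919.patch states that explicit use of an abstract socket "now generates a RuntimeWarning", but the diffstat in the same file (`Lib/multiprocessing/connection.py | 5 -----`) and its only hunk show just the five removed lines in `arbitrary_address` (three comment lines plus the `if util.abstract_sockets_supported:` branch); no warning is added, so a caller that passes a NUL-prefixed address is still accepted silently. The backport is therefore only a change of the default address, which is what the NEWS entry actually describes, and it would help to say so in the spec's `# 00391 #` comment, e.g. `# Changes only the default listener address; explicitly requested abstract sockets are still accepted without warning.`, so downstream readers do not expect a warning that this build does not emit. The surviving fallback `tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())` gets its protection from the permissions of the directory returned by `util.get_temp_dir()`, which is not shown here; presumably that is a private per-process temp directory, but since the NEWS text rests entirely on filesystem permissions it is worth confirming it is created with a restrictive mode in this 3.9 tree.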
@@ -1,23 +0,0 @@ -From 03b5ffe43421cab1ba3b7417483ab343181ca9bd Mon Sep 17 00:00:00 2001 -From: zhangbinchen -Date: Tue, 16 Mar 2021 11:30:43 +0800 -Subject: [PATCH] rebrand : rebrand txt use anolis - -Signed-off-by: zhangbinchen ---- -Doc/library/gettext.rst | 1 +- -1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/Doc/library/gettext.rst b/Doc/library/gettext.rst -index ec2c128..2e3d220 100644 ---- a/Doc/library/gettext.rst -+++ b/Doc/library/gettext.rst -@@ -721,7 +721,7 @@ implementations, and valuable experience to the creation of this module: - - .. rubric:: Footnotes - --.. [#] The default locale directory is system dependent; for example, on RedHat Linux -+.. [#] The default locale directory is system dependent; for example, on Anolis Os - it is :file:`/usr/share/locale`, but on Solaris it is :file:`/usr/lib/locale`. - The :mod:`gettext` module does not try to support these system dependent - defaults; instead its default is :file:`{sys.base_prefix}/share/locale` (see diff --git a/10001-anolis-python-support-loongarch64.patch b/10001-anolis-python-support-loongarch64.patch deleted file mode 100644 index b908772..0000000 --- a/10001-anolis-python-support-loongarch64.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 0a6a336b825f243a17e010bc52dfd622d504baa6 Mon Sep 17 00:00:00 2001 -From: Liwei Ge -Date: Tue, 9 Nov 2021 21:19:22 +0800 -Subject: [PATCH] support loongarch64 build - -Signed-off-by: Liwei Ge ---- - configure.ac | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 972287a..1ae24cd 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -845,6 +845,8 @@ cat >> conftest.c <=2.4.5 has become strcter in that regard due to +# related security issues; with ET.XML instantiating a +# namespace-aware parser under the hood, this test has no +# future in CPython. +# +# References: +# - https://datatracker.ietf.org/doc/html/rfc3968 +# - https://www.w3.org/TR/xml-names/ +# +# Also, test_minidom.py: Support Expat >=2.4.5 +# +# The patch has diverged from upstream as the python test +# suite was relying on checking the expat version, whereas +# in RHEL fixes get backported instead of rebasing packages. +# +# Upstream: https://bugs.python.org/issue46811 +Patch378: 00378-support-expat-2-4-5.patch + +# 00391 # +# CVE-2022-42919 +# +# Local privilege escalation via the multiprocessing forkserver start method. +# +# Upstream: https://github.com/python/cpython/issues/97514 +# +# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2138705 +Patch391: 00391-cve-2022-42919.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -403,10 +437,7 @@ Patch353: 00353-architecture-names-upstream-downstream.patch # The patches are stored and rebased at: # # https://github.com/fedora-python/cpython -# Add by Anolis -Patch10000: 10000-python-anolis-rebrand.patch -Patch10001: 10001-anolis-python-support-loongarch64.patch -# End + # ========================================== # Descriptions, and metadata for subpackages 
@@ -801,8 +832,8 @@ rm Lib/ensurepip/_bundled/*.whl %apply_patch -q %{PATCH328} %apply_patch -q %{PATCH329} %apply_patch -q %{PATCH353} -%apply_patch -q %{PATCH10000} -%apply_patch -q %{PATCH10001} +%apply_patch -q %{PATCH378} +%apply_patch -q %{PATCH391} # Remove all exe files to ensure we are not shipping prebuilt binaries # note that those are only used to create Microsoft Windows installers @@ -1971,9 +2002,10 @@ fi # ====================================================== %changelog -* Tue Apr 19 2022 zhangbinchen - 3.9.7-1.0.1 -- Rebrand for Anolis OS(Binchen Zhang) -- Support loongarch64 platform(Liwei Ge) +* Mon Nov 07 2022 Lumír Balhar - 3.9.7-2 +- Fix for CVE-2022-42919 +- Fix the test suite support for Expat >= 2.4.5 +Resolves: rhbz#2138705 * Tue Sep 07 2021 Charalampos Stratakis - 3.9.7-1 - Update to 3.9.7 -- Gitee From 4b1bdb224f5ab41805fbba6a12910baa1cdcd37b Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Fri, 17 Dec 2021 06:34:35 +0000 Subject: [PATCH 2/3] rebrand : rebrand for anolis --- 10000-python-anolis-rebrand.patch | 23 +++++++++++++++++++++++ python39.spec | 11 +++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 10000-python-anolis-rebrand.patch diff --git a/10000-python-anolis-rebrand.patch b/10000-python-anolis-rebrand.patch new file mode 100644 index 0000000..5a05a1d --- /dev/null +++ b/10000-python-anolis-rebrand.patch 
@@ -0,0 +1,23 @@ +From 03b5ffe43421cab1ba3b7417483ab343181ca9bd Mon Sep 17 00:00:00 2001 +From: zhangbinchen +Date: Tue, 16 Mar 2021 11:30:43 +0800 +Subject: [PATCH] rebrand : rebrand txt use anolis + +Signed-off-by: zhangbinchen +--- +Doc/library/gettext.rst | 1 +- +1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/Doc/library/gettext.rst b/Doc/library/gettext.rst +index ec2c128..2e3d220 100644 +--- a/Doc/library/gettext.rst ++++ b/Doc/library/gettext.rst +@@ -721,7 +721,7 @@ implementations, and valuable experience to the creation of this module: + + .. rubric:: Footnotes + +-.. [#] The default locale directory is system dependent; for example, on RedHat Linux ++.. [#] The default locale directory is system dependent; for example, on Anolis Os + it is :file:`/usr/share/locale`, but on Solaris it is :file:`/usr/lib/locale`. + The :mod:`gettext` module does not try to support these system dependent + defaults; instead its default is :file:`{sys.base_prefix}/share/locale` (see diff --git a/python39.spec b/python39.spec index c0b526d..bd14063 100644 --- a/python39.spec +++ b/python39.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # ================== # Top-level metadata # ================== @@ -17,7 +18,7 @@ URL: https://www.python.org/ #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 2%{anolis_release}%{?dist} License: Python # Exclude i686 arch. Due to a modularity issue it's being added to the @@ -437,7 +438,9 @@ Patch391: 00391-cve-2022-42919.patch # The patches are stored and rebased at: # # https://github.com/fedora-python/cpython - +# Add by Anolis +Patch10000: 10000-python-anolis-rebrand.patch +# End # ========================================== # Descriptions, and metadata for subpackages 
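Review bot: `%define anolis_release .0.1` in the first python39.spec hunk uses `%define` where the rest of this spec uses `%global` (the same file's `%global upstream_version %{general_version}%{?prerel}` is visible in the Release hunk just below); `%define` is lazily expanded and scoped, and Fedora/EL packaging practice prefers `%global` for file-level macros, so `%global anolis_release .0.1` keeps the file consistent. The macro is then consumed unconditionally in `Release: 2%{anolis_release}%{?dist}`, which is fine only because it is always defined at the top of the file; if the definition ever becomes conditional, the reference should be written as `%{?anolis_release}` to avoid a literal macro name leaking into the Release tag.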
@@ -834,6 +837,7 @@ rm Lib/ensurepip/_bundled/*.whl %apply_patch -q %{PATCH353} %apply_patch -q %{PATCH378} %apply_patch -q %{PATCH391} +%apply_patch -q %{PATCH10000} # Remove all exe files to ensure we are not shipping prebuilt binaries # note that those are only used to create Microsoft Windows installers @@ -2002,6 +2006,9 @@ fi # ====================================================== %changelog +* Thu Nov 17 2022 zhangbinchen - 3.9.7-2.0.1 +- Rebrand for Anolis OS + * Mon Nov 07 2022 Lumír Balhar - 3.9.7-2 - Fix for CVE-2022-42919 - Fix the test suite support for Expat >= 2.4.5 -- Gitee From 2ce5c02901c5a0e7ca7eeee30dd2361781c17245 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Wed, 10 Nov 2021 20:23:02 +0800 Subject: [PATCH 3/3] build: support loongarch64 platform Signed-off-by: Liwei Ge --- 10001-anolis-python-support-loongarch64.patch | 25 +++++++++++++++++++ python39.spec | 3 +++ 2 files changed, 28 insertions(+) create mode 100644 10001-anolis-python-support-loongarch64.patch diff --git a/10001-anolis-python-support-loongarch64.patch b/10001-anolis-python-support-loongarch64.patch new file mode 100644 index 0000000..b908772 --- /dev/null +++ b/10001-anolis-python-support-loongarch64.patch @@ -0,0 +1,25 @@ +From 0a6a336b825f243a17e010bc52dfd622d504baa6 Mon Sep 17 00:00:00 2001 +From: Liwei Ge +Date: Tue, 9 Nov 2021 21:19:22 +0800 +Subject: [PATCH] support loongarch64 build + +Signed-off-by: Liwei Ge +--- + configure.ac | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 972287a..1ae24cd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -845,6 +845,8 @@ cat >> conftest.c < - 3.9.7-2.0.1 - Rebrand for Anolis OS +- Support loongarch64 platform(Liwei Ge) * Mon Nov 07 2022 Lumír Balhar - 3.9.7-2 - Fix for CVE-2022-42919 -- Gitee