Control: tag 1070133 +patch
Control: tag 1070135 +patch
Here's a debdiff against what's already in 3.11.2-6+deb12u1 in
-proposed-updates
--
Steve McIntyre, Cambridge, UK.st...@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
note stuck to the mini-bar saying "Paul: This fridge and
fittings are the correct way around and do not need altering"
diff -Nru python3.11-3.11.2/debian/changelog python3.11-3.11.2/debian/changelog
--- python3.11-3.11.2/debian/changelog 2024-03-02 20:28:50.0 +
+++ python3.11-3.11.2/debian/changelog 2024-04-26 16:10:48.0 +0100
@@ -1,3 +1,14 @@
+python3.11 (3.11.2-6+deb12u2) bookworm; urgency=medium
+
+ * Apply upstream security fix for CVE-2024-0450
+Protect zipfile from "quoted-overlap" zipbomb.
+Closes: #1070133
+ * Apply and tweak upstream security fix for CVE-2023-6597
+tempfile.TemporaryDirectory: fix symlink bug in cleanup
+Closes: #1070135
+
+ -- Steve McIntyre Fri, 26 Apr 2024 16:10:48 +0100
+
python3.11 (3.11.2-6+deb12u1) bookworm; urgency=medium
[ Anders Kaseorg ]
diff -Nru python3.11-3.11.2/debian/patches/CVE-2023-6597.patch
python3.11-3.11.2/debian/patches/CVE-2023-6597.patch
--- python3.11-3.11.2/debian/patches/CVE-2023-6597.patch1970-01-01
01:00:00.0 +0100
+++ python3.11-3.11.2/debian/patches/CVE-2023-6597.patch2024-04-26
16:10:48.0 +0100
@@ -0,0 +1,202 @@
+commit 5585334d772b253a01a6730e8202ffb1607c3d25
+Author: Serhiy Storchaka
+Date: Thu Dec 7 18:37:10 2023 +0200
+
+[3.11] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup
(GH-99930) (GH-112839)
+
+(cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d)
+
+Co-authored-by: Søren Løvborg
+
+diff --git a/Lib/tempfile.py b/Lib/tempfile.py
+index aace11fa7b..f59a63a7b4 100644
+--- a/Lib/tempfile.py
b/Lib/tempfile.py
+@@ -270,6 +270,22 @@ def _mkstemp_inner(dir, pre, suf, flags, output_type):
+ raise FileExistsError(_errno.EEXIST,
+ "No usable temporary file name found")
+
++def _dont_follow_symlinks(func, path, *args):
++# Pass follow_symlinks=False, unless not supported on this platform.
++if func in _os.supports_follow_symlinks:
++func(path, *args, follow_symlinks=False)
++elif _os.name == 'nt' or not _os.path.islink(path):
++func(path, *args)
++
++def _resetperms(path):
++try:
++chflags = _os.chflags
++except AttributeError:
++pass
++else:
++_dont_follow_symlinks(chflags, path, 0)
++_dont_follow_symlinks(_os.chmod, path, 0o700)
++
+
+ # User visible interfaces.
+
+@@ -863,17 +879,10 @@ def __init__(self, suffix=None, prefix=None, dir=None,
+ def _rmtree(cls, name, ignore_errors=False):
+ def onerror(func, path, exc_info):
+ if issubclass(exc_info[0], PermissionError):
+-def resetperms(path):
+-try:
+-_os.chflags(path, 0)
+-except AttributeError:
+-pass
+-_os.chmod(path, 0o700)
+-
+ try:
+ if path != name:
+-resetperms(_os.path.dirname(path))
+-resetperms(path)
++_resetperms(_os.path.dirname(path))
++_resetperms(path)
+
+ try:
+ _os.unlink(path)
+diff --git a/Lib/test/test_tempfile.py b/Lib/test/test_tempfile.py
+index 1242ec7e3c..675edc8de9 100644
+--- a/Lib/test/test_tempfile.py
b/Lib/test/test_tempfile.py
+@@ -1565,6 +1565,103 @@ def test_cleanup_with_symlink_to_a_directory(self):
+ "were deleted")
+ d2.cleanup()
+
++@os_helper.skip_unless_symlink
++def test_cleanup_with_symlink_modes(self):
++# cleanup() should not follow symlinks when fixing mode bits (#91133)
++with self.do_create(recurse=0) as d2:
++file1 = os.path.join(d2, 'file1')
++open(file1, 'wb').close()
++dir1 = os.path.join(d2, 'dir1')
++os.mkdir(dir1)
++for mode in range(8):
++mode <<= 6
++with self.subTest(mode=format(mode, '03o')):
++def test(target, target_is_directory):
++d1 = self.do_create(recurse=0)
++symlink = os.path.join(d1.name, 'symlink')
++os.symlink(target, symlink,
++target_is_directory=target_is_directory)
++try:
++os.chmod(symlink, mode, follow_symlinks=False)
++except NotImplementedError:
++pass
++try:
++os.chmod(symlink, mode)
++except FileNotFoundError:
