Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python313 for openSUSE:Factory
checked in at 2024-08-30 13:32:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python313 (Old)
and /work/SRC/openSUSE:Factory/.python313.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python313"
Fri Aug 30 13:32:00 2024 rev:6 rq:1197482 version:3.13.0~rc1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python313/python313.changes 2024-08-10
19:14:00.369244481 +0200
+++ /work/SRC/openSUSE:Factory/.python313.new.2698/python313.changes
2024-08-30 13:33:05.556249469 +0200
@@ -1,0 +2,16 @@
+Thu Aug 29 14:46:39 UTC 2024 - Matej Cepl <mc...@cepl.eu>
+
+- Add gh122136-test_asyncio-kernel-buffer-data.patch fixing
+ gh#python/cpython#122136 (changes in kernel provide different
+ amount of data in the socket buffers).
+- Remove skip_test_abort_clients.patch, which is not needed any
+ more.
+
+-------------------------------------------------------------------
+Wed Aug 28 16:54:34 UTC 2024 - Matej Cepl <mc...@cepl.eu>
+
+- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
+ malformed payload to cause infinite loops in zipfile.Path
+ (bsc#1229704, CVE-2024-8088).
+
+-------------------------------------------------------------------
Old:
----
skip_test_abort_clients.patch
New:
----
CVE-2024-8088-inf-loop-zipfile_Path.patch
gh122136-test_asyncio-kernel-buffer-data.patch
BETA DEBUG BEGIN:
Old: amount of data in the socket buffers).
- Remove skip_test_abort_clients.patch, which is not needed any
more.
BETA DEBUG END:
BETA DEBUG BEGIN:
New:
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
malformed payload to cause infinite loops in zipfile.Path
New:
- Add gh122136-test_asyncio-kernel-buffer-data.patch fixing
gh#python/cpython#122136 (changes in kernel provide different
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python313.spec ++++++
--- /var/tmp/diff_new_pack.9KECVM/_old 2024-08-30 13:33:06.624294242 +0200
+++ /var/tmp/diff_new_pack.9KECVM/_new 2024-08-30 13:33:06.624294242 +0200
@@ -177,15 +177,18 @@
# PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mc...@suse.com
# remove duplicate link targets and make documentation with old Sphinx in SLE
Patch10: fix_configure_rst.patch
-# PATCH-FIX-UPSTREAM skip_test_abort_clients.patch gh#python/cpython#122136
mc...@suse.com
-# Not yet fixed failing test
-Patch11: skip_test_abort_clients.patch
# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780
mc...@suse.com
# prevent email header injection, patch from gh#python/cpython!122608
Patch12: CVE-2024-6923-email-hdr-inject.patch
# PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999
mc...@suse.com
# reproducibility patches
Patch13: bso1227999-reproducible-builds.patch
+# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704
mc...@suse.com
+# avoid denial of service in zipfile
+Patch14: CVE-2024-8088-inf-loop-zipfile_Path.patch
+# PATCH-FIX-UPSTREAM gh122136-test_asyncio-kernel-buffer-data.patch
gh#python/cpython#122136 mc...@suse.com
+# test.test_asyncio.test_server.TestServer2.test_abort_clients fails because
of changes in the kernel
+Patch15: gh122136-test_asyncio-kernel-buffer-data.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
++++++ CVE-2024-8088-inf-loop-zipfile_Path.patch ++++++
---
Lib/test/test_zipfile/_path/test_path.py | 78
++++++++++
Lib/zipfile/_path/__init__.py | 18
++
Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1
Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst | 3
4 files changed, 98 insertions(+), 2 deletions(-)
--- a/Lib/test/test_zipfile/_path/test_path.py
+++ b/Lib/test/test_zipfile/_path/test_path.py
@@ -5,6 +5,7 @@ import pathlib
import pickle
import stat
import sys
+import time
import unittest
import zipfile
import zipfile._path
@@ -577,3 +578,80 @@ class TestPath(unittest.TestCase):
zipfile.Path(alpharep)
with self.assertRaises(KeyError):
alpharep.getinfo('does-not-exist')
+
+ def test_malformed_paths(self):
+ """
+ Path should handle malformed paths gracefully.
+
+ Paths with leading slashes are not visible.
+
+ Paths with dots are treated like regular files.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("/one-slash.txt", b"content")
+ zf.writestr("//two-slash.txt", b"content")
+ zf.writestr("../parent.txt", b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ assert list(map(str, root.iterdir())) == ['../']
+ assert root.joinpath('..').joinpath('parent.txt').read_bytes() ==
b'content'
+
+ def test_unsupported_names(self):
+ """
+ Path segments with special characters are readable.
+
+ On some platforms or file systems, characters like
+ ``:`` and ``?`` are not allowed, but they are valid
+ in the zip file.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr("path?", b"content")
+ zf.writestr("V: NMS.flac", b"fLaC...")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ contents = root.iterdir()
+ assert next(contents).name == 'path?'
+ assert next(contents).name == 'V: NMS.flac'
+ assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..."
+
+ def test_backslash_not_separator(self):
+ """
+ In a zip file, backslashes are not separators.
+ """
+ data = io.BytesIO()
+ zf = zipfile.ZipFile(data, "w")
+ zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content")
+ zf.filename = ''
+ root = zipfile.Path(zf)
+ (first,) = root.iterdir()
+ assert not first.is_dir()
+ assert first.name == 'foo\\bar'
+
+
+class DirtyZipInfo(zipfile.ZipInfo):
+ """
+ Bypass name sanitization.
+ """
+
+ def __init__(self, filename, *args, **kwargs):
+ super().__init__(filename, *args, **kwargs)
+ self.filename = filename
+
+ @classmethod
+ def for_name(cls, name, archive):
+ """
+ Construct the same way that ZipFile.writestr does.
+
+ TODO: extract this functionality and re-use
+ """
+ self = cls(filename=name, date_time=time.localtime(time.time())[:6])
+ self.compress_type = archive.compression
+ self.compress_level = archive.compresslevel
+ if self.filename.endswith('/'): # pragma: no cover
+ self.external_attr = 0o40775 << 16 # drwxrwxr-x
+ self.external_attr |= 0x10 # MS-DOS directory flag
+ else:
+ self.external_attr = 0o600 << 16 # ?rw-------
+ return self
--- a/Lib/zipfile/_path/__init__.py
+++ b/Lib/zipfile/_path/__init__.py
@@ -1,3 +1,12 @@
+"""
+A Path-like interface for zipfiles.
+
+This codebase is shared between zipfile.Path in the stdlib
+and zipp in PyPI. See
+https://github.com/python/importlib_metadata/wiki/Development-Methodology
+for more detail.
+"""
+
import io
import posixpath
import zipfile
@@ -36,7 +45,7 @@ def _parents(path):
def _ancestry(path):
"""
Given a path with elements separated by
- posixpath.sep, generate all elements of that path
+ posixpath.sep, generate all elements of that path.
>>> list(_ancestry('b/d'))
['b/d', 'b']
@@ -48,9 +57,14 @@ def _ancestry(path):
['b']
>>> list(_ancestry(''))
[]
+
+ Multiple separators are treated like a single.
+
+ >>> list(_ancestry('//b//d///f//'))
+ ['//b//d///f', '//b//d', '//b']
"""
path = path.rstrip(posixpath.sep)
- while path and path != posixpath.sep:
+ while path.rstrip(posixpath.sep):
yield path
path, tail = posixpath.split(path)
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
@@ -0,0 +1 @@
+:class:`zipfile.Path` objects now sanitize names from the zipfile.
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
@@ -0,0 +1,3 @@
+Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
+causing infinite loops (gh-122905) without breaking contents using
+legitimate characters.
++++++ gh122136-test_asyncio-kernel-buffer-data.patch ++++++
>From 235fbc05dcbca5cb5f7f0cd836317b8426e33243 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encu...@gmail.com>
Date: Wed, 28 Aug 2024 22:36:42 +0200
Subject: [PATCH] gh-122136: test_asyncio: Don't fail if the kernel buffers
more data than advertised (GH-123423) (cherry picked from commit
b379f1b26c1e89c8e9160b4dede61b980cc77be6)
Co-authored-by: Petr Viktorin <encu...@gmail.com>
---
Lib/test/test_asyncio/test_server.py | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/Lib/test/test_asyncio/test_server.py
b/Lib/test/test_asyncio/test_server.py
index 4ca8a166a0f1a1..60a40cc8349fed 100644
--- a/Lib/test/test_asyncio/test_server.py
+++ b/Lib/test/test_asyncio/test_server.py
@@ -227,7 +227,7 @@ async def serve(rd, wr):
(s_rd, s_wr) = await fut
- # Limit the socket buffers so we can reliably overfill them
+ # Limit the socket buffers so we can more reliably overfill them
s_sock = s_wr.get_extra_info('socket')
s_sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 65536)
c_sock = c_wr.get_extra_info('socket')
@@ -242,10 +242,18 @@ async def serve(rd, wr):
await asyncio.sleep(0)
# Get the writer in a waiting state by sending data until the
- # socket buffers are full on both server and client sockets and
- # the kernel stops accepting more data
- s_wr.write(b'a' * c_sock.getsockopt(socket.SOL_SOCKET,
socket.SO_RCVBUF))
- s_wr.write(b'a' * s_sock.getsockopt(socket.SOL_SOCKET,
socket.SO_SNDBUF))
+ # kernel stops accepting more data in the send buffer.
+ # gh-122136: getsockopt() does not reliably report the buffer size
+ # available for message content.
+ # We loop until we start filling up the asyncio buffer.
+ # To avoid an infinite loop we cap at 10 times the expected value
+ c_bufsize = c_sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
+ s_bufsize = s_sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF)
+ for i in range(10):
+ s_wr.write(b'a' * c_bufsize)
+ s_wr.write(b'a' * s_bufsize)
+ if s_wr.transport.get_write_buffer_size() > 0:
+ break
self.assertNotEqual(s_wr.transport.get_write_buffer_size(), 0)
task = asyncio.create_task(srv.wait_closed())
