Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python312 for openSUSE:Factory checked in at 2026-03-16 15:49:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python312 (Old) and /work/SRC/openSUSE:Factory/.python312.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python312" Mon Mar 16 15:49:23 2026 rev:45 rq:1339367 version:3.12.13 Changes: -------- --- /work/SRC/openSUSE:Factory/python312/python312.changes 2026-03-09 16:13:09.457421876 +0100 +++ /work/SRC/openSUSE:Factory/.python312.new.8177/python312.changes 2026-03-16 15:49:45.147345957 +0100 @@ -1,0 +2,7 @@ +Fri Mar 13 18:20:40 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch + ensuring that `SourcelessFileLoader` uses `io.open_code` when + opening `.pyc` files (bsc#1259240, CVE-2026-2297). + +------------------------------------------------------------------- New: ---- CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ----------(New B)---------- New: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python312.spec ++++++ --- /var/tmp/diff_new_pack.fsWhPw/_old 2026-03-16 15:49:46.951420595 +0100 +++ /var/tmp/diff_new_pack.fsWhPw/_new 2026-03-16 15:49:46.955420760 +0100 @@ -201,6 +201,9 @@ # PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 [email protected] # Reject control characters in poplib Patch58: CVE-2025-15367-poplib-ctrl-chars.patch +# PATCH-FIX-UPSTREAM CVE-2026-2297-SourcelessFileLoader-io_open_code.patch bsc#1259240 [email protected] +# Ensure SourcelessFileLoader uses io.open_code +Patch59: CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ++++++ >From d0f2948ae259ab03cc17c05726e95094167b65fd Mon Sep 17 00:00:00 2001 From: Steve Dower <[email protected]> Date: Wed, 4 Mar 2026 19:55:52 +0000 Subject: [PATCH] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (cherry picked from commit a51b1b512de1d56b3714b65628a2eae2b07e535e) Co-authored-by: Steve Dower <[email protected]> --- Lib/importlib/_bootstrap_external.py | 2 +- .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py index 9b8a8dfc5aae28..6e4a087a10cd57 100644 --- a/Lib/importlib/_bootstrap_external.py +++ b/Lib/importlib/_bootstrap_external.py @@ -1186,7 +1186,7 @@ def get_filename(self, fullname): def get_data(self, path): """Return the data from path as raw bytes.""" - if isinstance(self, (SourceLoader, ExtensionFileLoader)): + if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)): with _io.open_code(str(path)) as file: return file.read() else: diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst new file mode 100644 index 00000000000000..dcdb44d4fae4e5 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst @@ -0,0 +1,2 @@ +Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses +:func:`io.open_code` when opening ``.pyc`` files. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.fsWhPw/_old 2026-03-16 15:49:47.171429697 +0100 +++ /var/tmp/diff_new_pack.fsWhPw/_new 2026-03-16 15:49:47.179430028 +0100 @@ -1,6 +1,6 @@ -mtime: 1773008663 -commit: 53394ceb74e19d745dcf80b4b7e237c4074e50048aeb3db3d4684366cbe30ec2 +mtime: 1773427685 +commit: 264b96e120c2a0e43ed375b9533a6007bf48d58677ae506305d1ee257ed51332 url: https://src.opensuse.org/python-interpreters/python312.git -revision: 53394ceb74e19d745dcf80b4b7e237c4074e50048aeb3db3d4684366cbe30ec2 +revision: 264b96e120c2a0e43ed375b9533a6007bf48d58677ae506305d1ee257ed51332 projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-13 19:48:42.000000000 +0100 @@ -0,0 +1,5 @@ +.osc +*.obscpio +_build.* +.pbuild +python312-3.12.*-build
