Hello community,

here is the log from the commit of package python313 for openSUSE:Factory checked in at 2026-03-19 17:58:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python313 (Old)
 and      /work/SRC/openSUSE:Factory/.python313.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python313" Thu Mar 19 17:58:04 2026 rev:38 rq:1341041 version:3.13.12 Changes: -------- --- /work/SRC/openSUSE:Factory/python313/python313.changes 2026-02-18 17:04:31.011443815 +0100 +++ /work/SRC/openSUSE:Factory/.python313.new.8177/python313.changes 2026-03-19 17:58:04.837099858 +0100 @@ -1,0 +2,18 @@ +Wed Mar 18 09:22:58 UTC 2026 - Matej Cepl <[email protected]> + +- Fix changelog + +------------------------------------------------------------------- +Tue Mar 17 14:00:58 UTC 2026 - Markéta Machová <[email protected]> + +- Adapt %suse_version checks to support new %suse_version design for + 16.1 and following (jsc#PED-15850) + +------------------------------------------------------------------- +Fri Mar 13 18:20:40 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch + ensuring that `SourcelessFileLoader` uses `io.open_code` when + opening `.pyc` files (bsc#1259240, CVE-2026-2297). + +------------------------------------------------------------------- @@ -31 +49 @@ - Petr Viktorin in gh-121650). + Petr Viktorin in gh-121650) (bsc#1257181, CVE-2026-1299). New: ---- CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ----------(New B)---------- New: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python313.spec ++++++ --- /var/tmp/diff_new_pack.Vwz3zD/_old 2026-03-19 17:58:07.081192429 +0100 +++ /var/tmp/diff_new_pack.Vwz3zD/_new 2026-03-19 17:58:07.085192594 +0100 @@ -62,7 +62,7 @@ # Only for Tumbleweed # https://en.opensuse.org/openSUSE:Python:Externally_managed -%if 0%{?suse_version} > 1600 +%if 0%{?suse_version} >= 1699 %bcond_without externally_managed %else %bcond_with externally_managed 
@@ -81,7 +81,7 @@ %endif # No experimental_jit in SLES, there's no clang >=18 -%if 0%{?suse_version} <= 1600 +%if 0%{?suse_version} < 1699 %bcond_with experimental_jit %else # Disable experimental_jit for primary python. @@ -236,6 +236,9 @@ # PATCH-FIX-UPSTREAM pass-test_write_read_limited_history.patch bsc#[0-9]+ [email protected] # Fix readline history truncation when length is reduced Patch48: pass-test_write_read_limited_history.patch +# PATCH-FIX-UPSTREAM CVE-2026-2297-SourcelessFileLoader-io_open_code.patch bsc#1259240 [email protected] +# Ensure SourcelessFileLoader uses io.open_code +Patch49: CVE-2026-2297-SourcelessFileLoader-io_open_code.patch #### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ++++++ >From d8a2f55eab02f10f4d74c28bf0b027ece31aa665 Mon Sep 17 00:00:00 2001 From: Steve Dower <[email protected]> Date: Wed, 4 Mar 2026 19:55:52 +0000 Subject: [PATCH] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (cherry picked from commit a51b1b512de1d56b3714b65628a2eae2b07e535e) Co-authored-by: Steve Dower <[email protected]> --- Lib/importlib/_bootstrap_external.py | 2 +- .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py index 41f538acb03f58..0741f62ee839f4 100644 --- a/Lib/importlib/_bootstrap_external.py +++ b/Lib/importlib/_bootstrap_external.py @@ -1210,7 +1210,7 @@ def get_filename(self, fullname): def get_data(self, path): """Return the data from path as raw bytes.""" - if isinstance(self, (SourceLoader, ExtensionFileLoader)): + if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)): with _io.open_code(str(path)) as file: return file.read() else: 
diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst new file mode 100644 index 00000000000000..dcdb44d4fae4e5 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst @@ -0,0 +1,2 @@ +Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses +:func:`io.open_code` when opening ``.pyc`` files. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.Vwz3zD/_old 2026-03-19 17:58:07.241199029 +0100 +++ /var/tmp/diff_new_pack.Vwz3zD/_new 2026-03-19 17:58:07.245199194 +0100 @@ -1,6 +1,6 @@ -mtime: 1770676664 -commit: 7116a8594aadbb43353fee937141f07960ec75f85aaa9960c5f92011cb4e42a7 +mtime: 1773872025 +commit: d6de58baa7aba037bb151e70777a09eaa9adb1edafed89b0eb53b695cce8fad5 url: https://src.opensuse.org/python-interpreters/python313.git -revision: 7116a8594aadbb43353fee937141f07960ec75f85aaa9960c5f92011cb4e42a7 +revision: d6de58baa7aba037bb151e70777a09eaa9adb1edafed89b0eb53b695cce8fad5 projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-18 23:15:09.000000000 +0100 @@ -0,0 +1,6 @@ +.osc +*.obscpio +*.osc +_build.* +.pbuild +python313-*-build/
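Review bot: the newest entry added to python313.changes, `- Fix changelog`, does not say what was fixed. The only other edit to that file in this diff is the `@@ -31 +49 @@` hunk, which appends `(bsc#1257181, CVE-2026-1299)` to the gh-121650 line, so the entry should say so, for example "Add bsc#1257181 and CVE-2026-1299 references to the gh-121650 entry". A CVE reference that is added after the fact is exactly what people grep the changelog for.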
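Review bot: in the python313.spec hunk at `@@ -62,7 +62,7 @@`, the new `>= 1699` bound is an unexplained literal and it changes which branch is taken for every `%suse_version` from 1601 through 1698. Those values satisfied the old `> 1600` test and took the `%bcond_without externally_managed` branch; they now take `%bcond_with externally_managed`. The comment above the condition still reads "Only for Tumbleweed", so add a line stating what 1699 is meant to separate and cite jsc#PED-15850 from the changelog entry, so the next reader does not have to guess whether the 16.x range was moved on purpose.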
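Review bot: in the python313.spec hunk at `@@ -81,7 +81,7 @@`, the `1699` literal is now written a second time, in `%if 0%{?suse_version} < 1699`, independently of the `>= 1699` test in the externally_managed condition. The two tests are complementary today, but nothing ties them together, and the old pair (`> 1600` and `<= 1600`) had the same problem. Consider defining the boundary once near the top of the spec and using it in both conditions so a later version bump cannot update one and miss the other.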
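Review bot: in the python313.spec hunk at `@@ -236,6 +236,9 @@`, the `PATCH-FIX-UPSTREAM` comment for Patch49 cites bsc#1259240 but not the upstream reference. The patch header itself names gh-145506 and GH-145507; adding one of them to the comment lets a packager find the upstream change without opening the patch file.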
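Review bot: no regression test accompanies the `get_data` change in Lib/importlib/_bootstrap_external.py; the diffstat lists only that file and the NEWS entry. A test that imports a sourceless `.pyc` and asserts the read goes through `io.open_code` would keep `SourcelessFileLoader` from silently dropping out of the tuple again. The check also remains a type allowlist: any loader that is not an instance of `SourceLoader`, `SourcelessFileLoader` or `ExtensionFileLoader` still falls through to the `else:` branch, whose body is outside the visible context. A short comment on why that branch is acceptable for the remaining loader types would make the security intent of this line explicit.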
