Hello community,

here is the log from the commit of package python314 for openSUSE:Factory checked in at 2026-03-22 14:12:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python314 (Old)
 and /work/SRC/openSUSE:Factory/.python314.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python314" Sun Mar 22 14:12:00 2026 rev:34 rq:1341600 version:3.14.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python314/python314.changes 2026-03-05 17:29:10.061497370 +0100 +++ /work/SRC/openSUSE:Factory/.python314.new.8177/python314.changes 2026-03-22 14:13:07.871724720 +0100 @@ -1,0 +2,7 @@ +Fri Mar 13 18:20:40 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch + ensuring that `SourcelessFileLoader` uses `io.open_code` when + opening `.pyc` files (bsc#1259240, CVE-2026-2297). + +------------------------------------------------------------------- New: ---- CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ----------(New B)---------- New: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python314.spec ++++++ --- /var/tmp/diff_new_pack.h2G6xu/_old 2026-03-22 14:13:08.839764526 +0100 +++ /var/tmp/diff_new_pack.h2G6xu/_new 2026-03-22 14:13:08.839764526 +0100 @@ -238,6 +238,9 @@ # PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 [email protected] # Reject control characters in poplib Patch51: CVE-2025-15367-poplib-ctrl-chars.patch +# PATCH-FIX-UPSTREAM CVE-2026-2297-SourcelessFileLoader-io_open_code.patch bsc#1259240 [email protected] +# Ensure SourcelessFileLoader uses io.open_code +Patch52: CVE-2026-2297-SourcelessFileLoader-io_open_code.patch #### Python 3.14 END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ++++++ >From 4ce6b1be9c5c81ce46f23140603b5de7d6b7812d Mon Sep 17 00:00:00 2001 
From: Steve Dower <[email protected]> Date: Wed, 4 Mar 2026 19:55:52 +0000 Subject: [PATCH] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (cherry picked from commit a51b1b512de1d56b3714b65628a2eae2b07e535e) Co-authored-by: Steve Dower <[email protected]> --- Lib/importlib/_bootstrap_external.py | 2 +- Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst Index: Python-3.14.3/Lib/importlib/_bootstrap_external.py =================================================================== --- Python-3.14.3.orig/Lib/importlib/_bootstrap_external.py 2026-03-13 19:20:04.870121875 +0100 +++ Python-3.14.3/Lib/importlib/_bootstrap_external.py 2026-03-13 19:20:11.591272163 +0100 @@ -946,7 +946,7 @@ def get_data(self, path): """Return the data from path as raw bytes.""" - if isinstance(self, (SourceLoader, ExtensionFileLoader)): + if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)): with _io.open_code(str(path)) as file: return file.read() else: Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst 2026-03-13 19:20:11.591522695 +0100 @@ -0,0 +1,2 @@ +Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses +:func:`io.open_code` when opening ``.pyc`` files. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.h2G6xu/_old 2026-03-22 14:13:08.975770118 +0100 +++ /var/tmp/diff_new_pack.h2G6xu/_new 2026-03-22 14:13:08.979770283 +0100 
@@ -1,6 +1,6 @@ -mtime: 1772629393 -commit: 17ea692e8ed65461d189ee6efbbc4e8d0e765b02abace4ef24d93c95c5b51465 +mtime: 1773426578 +commit: 73dfe9303e9ff663b2dfe791fe4ba2d75cc0b90e43a32c3a3f81cb031a2c58c3 url: https://src.opensuse.org/python-interpreters/python314.git -revision: 17ea692e8ed65461d189ee6efbbc4e8d0e765b02abace4ef24d93c95c5b51465 +revision: 73dfe9303e9ff663b2dfe791fe4ba2d75cc0b90e43a32c3a3f81cb031a2c58c3 projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-16 14:37:41.000000000 +0100 @@ -0,0 +1,6 @@ +.osc +*.obscpio +_build.* +.pbuild +*.orig +python314-*-build/
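Review bot: In the Lib/importlib/_bootstrap_external.py hunk, the `isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader))` test in `get_data` is an allowlist, so any loader class not named in the tuple still takes the `else:` branch rather than the `_io.open_code` path, which is the same shape of omission this change corrects for `SourcelessFileLoader`. Consider a comment beside the tuple stating that every loader whose data ends up executed must be listed there, or restructure the method so that `open_code` is the default and the exceptions are named instead. The diffstat also lists only two files (the loader and the NEWS entry), so no regression test accompanies the fix; a test that imports a sourceless `.pyc` and asserts the read went through `io.open_code` would keep the tuple from silently losing an entry later.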
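Review bot: The NEWS entry added in Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst names the mechanism of the fix but not the previous behaviour, so a reader cannot tell from it whether their deployment was affected. Suggest one more sentence stating that before this change `.pyc` files loaded by `SourcelessFileLoader` were not opened through `io.open_code`, so that anyone relying on that function as the single entry point for opening code knows to review sourceless imports on older versions.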
