Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python311 for openSUSE:Factory checked in at 2026-04-15 16:03:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python311 (Old) and /work/SRC/openSUSE:Factory/.python311.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python311" Wed Apr 15 16:03:03 2026 rev:68 rq:1345247 version:3.11.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python311/python311.changes 2026-04-01 19:50:29.612777499 +0200 +++ /work/SRC/openSUSE:Factory/.python311.new.21863/python311.changes 2026-04-15 16:03:11.951616173 +0200 @@ -1,0 +2,9 @@ +Thu Apr 2 13:55:57 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has + the same security model as open(). The documented limitations + ensure compatibility with non-filesystem loaders; Python + doesn't check that. (bsc#1259989, CVE-2026-3479, + gh#python/cpython#146121). + +------------------------------------------------------------------- New: ---- CVE-2026-3479-pkgutil_get_data.patch ----------(New B)---------- New: - Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has the same security model as open(). The documented limitations ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python311.spec ++++++ --- /var/tmp/diff_new_pack.HWFVjF/_old 2026-04-15 16:03:13.367674386 +0200 +++ /var/tmp/diff_new_pack.HWFVjF/_new 2026-04-15 16:03:13.367674386 +0200 @@ -212,6 +212,9 @@ # PATCH-FIX-UPSTREAM CVE-2026-4519-webbrowser-open-dashes.patch bsc#1260026 [email protected] # reject leading dashes in webbrowser URLs Patch41: CVE-2026-4519-webbrowser-open-dashes.patch +# PATCH-FIX-UPSTREAM CVE-2026-3479-pkgutil_get_data.patch bsc#1259989 [email protected] +# pkgutil.get_data() reject invalid resource arguments +Patch42: CVE-2026-3479-pkgutil_get_data.patch ### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2026-3479-pkgutil_get_data.patch ++++++ >From b99e2bfb8c1b1f61377193d51cf627689ec62606 Mon Sep 17 00:00:00 2001 
From: Stan Ulbrych <[email protected]> Date: Wed, 18 Mar 2026 17:31:01 +0000 Subject: [PATCH] gh-146121: `pkgutil.get_data()` reject invalid resource arguments (GH-146122) (cherry picked from commit bcdf231946b1da8bdfbab4c05539bb0cc964a1c7) Co-authored-by: Stan Ulbrych <[email protected]> --- Doc/library/pkgutil.rst | 25 +++++++++- Lib/pkgutil.py | 3 + Lib/test/test_pkgutil.py | 19 +++++++ Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst | 3 + 4 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst Index: Python-3.11.15/Doc/library/pkgutil.rst =================================================================== --- Python-3.11.15.orig/Doc/library/pkgutil.rst 2026-03-03 01:52:57.000000000 +0100 +++ Python-3.11.15/Doc/library/pkgutil.rst 2026-04-07 23:54:25.683593310 +0200 
@@ -210,24 +210,45 @@ :meth:`get_data <importlib.abc.ResourceLoader.get_data>` API. The *package* argument should be the name of a package, in standard module format (``foo.bar``). The *resource* argument should be in the form of a relative - filename, using ``/`` as the path separator. The parent directory name - ``..`` is not allowed, and nor is a rooted name (starting with a ``/``). + filename, using ``/`` as the path separator. The function returns a binary string that is the contents of the specified resource. + This function uses the :term:`loader` method + :func:`~importlib.abc.FileLoader.get_data` + to support modules installed in the filesystem, but also in zip files, + databases, or elsewhere. + For packages located in the filesystem, which have already been imported, this is the rough equivalent of:: d = os.path.dirname(sys.modules[package].__file__) data = open(os.path.join(d, resource), 'rb').read() + Like the :func:`open` function, :func:`!get_data` can follow parent + directories (``../``) and absolute paths (starting with ``/`` or ``C:/``, + for example). + + .. warning:: + + This function is intended for trusted input. + It does not verify that *resource* "belongs" to *package*. + + If you use a user-provided *resource* path, consider verifying it. + For example, require an alphanumeric filename with a known extension, or + install and check a list of known resources. + If the package cannot be located or loaded, or it uses a :term:`loader` which does not support :meth:`get_data <importlib.abc.ResourceLoader.get_data>`, then ``None`` is returned. In particular, the :term:`loader` for :term:`namespace packages <namespace package>` does not support :meth:`get_data <importlib.abc.ResourceLoader.get_data>`. + .. seealso:: + + The :mod:`importlib.resources` module provides structured access to + module resources. .. 
function:: resolve_name(name) Index: Python-3.11.15/Lib/pkgutil.py =================================================================== --- Python-3.11.15.orig/Lib/pkgutil.py 2026-04-07 23:53:58.146333246 +0200 +++ Python-3.11.15/Lib/pkgutil.py 2026-04-07 23:54:08.040565252 +0200 @@ -635,6 +635,9 @@ # signature - an os.path format "filename" starting with the dirname of # the package's __file__ parts = resource.split('/') + if os.path.isabs(resource) or '..' in parts: + raise ValueError("resource must be a relative path with no " + "parent directory components") parts.insert(0, os.path.dirname(mod.__file__)) resource_name = os.path.join(*parts) return loader.get_data(resource_name) Index: Python-3.11.15/Lib/test/test_pkgutil.py =================================================================== --- Python-3.11.15.orig/Lib/test/test_pkgutil.py 2026-04-07 23:53:59.611666163 +0200 +++ Python-3.11.15/Lib/test/test_pkgutil.py 2026-04-07 23:54:08.040985714 +0200 @@ -57,6 +57,25 @@ del sys.modules[pkg] + def test_getdata_path_traversal(self): + pkg = 'test_getdata_traversal' + + # Make a package with some resources + package_dir = os.path.join(self.dirname, pkg) + os.mkdir(package_dir) + # Empty init.py + f = open(os.path.join(package_dir, '__init__.py'), "wb") + f.close() + + with self.assertRaises(ValueError): + pkgutil.get_data(pkg, '../../../etc/passwd') + with self.assertRaises(ValueError): + pkgutil.get_data(pkg, 'sub/../../../etc/passwd') + with self.assertRaises(ValueError): + pkgutil.get_data(pkg, os.path.abspath('/etc/passwd')) + + del sys.modules[pkg] + def test_getdata_zipfile(self): zip = 'test_getdata_zipfile.zip' pkg = 'test_getdata_zipfile' Index: Python-3.11.15/Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst =================================================================== 
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.11.15/Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst 2026-04-07 23:54:08.041272515 +0200 @@ -0,0 +1,3 @@ +:func:`pkgutil.get_data` now raises rejects *resource* arguments containing the +parent directory components or that is an absolute path. +This addresses :cve:`2026-3479`. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.HWFVjF/_old 2026-04-15 16:03:13.571682772 +0200 +++ /var/tmp/diff_new_pack.HWFVjF/_new 2026-04-15 16:03:13.583683266 +0200 @@ -1,6 +1,6 @@ -mtime: 1774638546 -commit: 7ed16c509b9850281cbce11cfd1c8edab9d2058b22c13955d08fa58960874da2 +mtime: 1775598908 +commit: 74faae37ad8780b94fb71dd3921b3e672ecda40ae693a97c1dcdcfce5bf3b46e url: https://src.opensuse.org/python-interpreters/python311.git -revision: 7ed16c509b9850281cbce11cfd1c8edab9d2058b22c13955d08fa58960874da2 +revision: 74faae37ad8780b94fb71dd3921b3e672ecda40ae693a97c1dcdcfce5bf3b46e projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-07 23:55:30.000000000 +0200 @@ -0,0 +1,7 @@ +_build.* +*.obscpio +*.osc +.osc +.pbuild +python311-*-build/ +*.rej
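Review bot: the python311.changes hunk describes the problem (get_data() has the same security model as open(); the documented limitations were never checked) but not what the patch changes; a changelog reader should be told that `pkgutil.get_data()` now raises `ValueError` for a *resource* that is an absolute path or contains `..` components, since that is a behaviour change callers may need to handle. Suggested wording for the entry: "pkgutil.get_data() now rejects resource paths that are absolute or contain parent directory components (ValueError)".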
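Review bot: in the python311.spec hunk the comment line `# pkgutil.get_data() reject invalid resource arguments` should read `rejects`, matching the grammar of the neighbouring Patch41 comment; the PATCH-FIX-UPSTREAM tag, bsc# and CVE reference are consistent with the changes entry and the patch ordering after Patch41 is fine.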
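Review bot: the Doc/library/pkgutil.rst hunk contradicts the code in the same patch. It removes the sentence "The parent directory name ``..`` is not allowed, and nor is a rooted name" and adds "Like the :func:`open` function, :func:`!get_data` can follow parent directories (``../``) and absolute paths", yet the Lib/pkgutil.py hunk now raises ``ValueError`` for exactly those inputs on every loader that reaches the ``os.path.join`` branch. The added paragraph documents the pre-fix behaviour; it should instead state that a *resource* that is absolute or contains ``..`` components raises :exc:`ValueError`, and the warning about trusted input should be reworded accordingly (the :mod:`importlib.resources` seealso and the loader description can stay).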
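Review bot: the new check in the Lib/pkgutil.py hunk only splits on `/` before testing `'..' in parts`, so a *resource* such as `sub\..\..\x` is not rejected on Windows, where `os.path.join(*parts)` still passes the backslash components through to the loader as directory separators; split on both `os.sep` and `os.altsep` (or normalise with `os.path.normpath` and verify the result still starts with the package directory) so the rejection matches the documented rule on every platform. Note also that the check is applied after `parts = resource.split('/')`, so `foo/../bar`, which stays inside the package, is rejected too; that is acceptable for a security fix but belongs in the NEWS entry.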
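Review bot: `test_getdata_path_traversal` in the Lib/test/test_pkgutil.py hunk only exercises inputs that must be rejected; add a positive case (a file written under `package_dir`, for example `sub/data.txt`, still returned by `pkgutil.get_data(pkg, 'sub/data.txt')`) so the change cannot silently break ordinary lookups, and a backslash-separated case so the behaviour of the new check on Windows is pinned down. The comment `# Empty init.py` should read `__init__.py`. The `del sys.modules[pkg]` cleanup relies on the `ValueError` being raised after the package has been imported, which is true for the check as placed in the Lib/pkgutil.py hunk; worth a comment in the test.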
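Review bot: the NEWS.d hunk reads "now raises rejects *resource* arguments containing the parent directory components or that is an absolute path", which is ungrammatical; suggested: ":func:`pkgutil.get_data` now raises :exc:`ValueError` for a *resource* argument that contains parent directory components or is an absolute path." Naming the exception type here is also what callers will grep for.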
