Hello community,

here is the log from the commit of package python3 for openSUSE:Leap:15.2 
checked in at 2020-03-09 17:59:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/python3 (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.python3.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python3"

Mon Mar  9 17:59:26 2020 rev:56 rq:781318 version:3.6.10

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/python3/python3-base.changes   2020-01-15 
15:54:49.835645612 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.python3.new.26092/python3-base.changes        
2020-03-09 17:59:28.416642020 +0100
@@ -2 +2 @@
-Mon Dec  2 11:48:00 CET 2019 - Matej Cepl <mc...@suse.com>
+Sat Feb  8 23:29:28 CET 2020 - Matej Cepl <mc...@suse.com>
@@ -4,3 +4,79 @@
-- Stop building qthelp documentation. Recent qhelpgenerator-qt5
-  is not compatible with the generated source files.
-  Fixes bsc#1158158
+- Add CVE-2019-9674-zip-bomb.patch to improve documentation
+  warning about dangers of zip-bombs and other security problems
+  with zipfile library. (bsc#1162825 CVE-2019-9674)
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
+-------------------------------------------------------------------
+Sat Feb  8 22:21:10 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add Requires: libpython%{so_version} == %{version}-%{release}
+  to python3-base to keep both packages always synchronized
+  (bsc#1162224).
+
+-------------------------------------------------------------------
+Tue Jan 28 17:54:50 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add pep538_coerce_legacy_c_locale.patch to coerce locale to
+  C.UTF-8 always (bsc#1162423).
+
+-------------------------------------------------------------------
+Thu Dec 19 16:42:56 CET 2019 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.6.10 (still in line with jsc#SLE-9426,
+  jsc#SLE-9427, bsc#1159035):
+  - Security:
+    - bpo-38945: Newline characters have been escaped when
+      performing uu encoding to prevent them from overflowing
+      into to content section of the encoded file. This prevents
+      malicious or accidental modification of data during the
+      decoding process.
+    - bpo-37228: Due to significant security concerns, the
+      reuse_address parameter of
+      asyncio.loop.create_datagram_endpoint() is no longer
+      supported. This is because of the behavior of SO_REUSEADDR
+      in UDP. For more details, see the documentation for
+      loop.create_datagram_endpoint(). (Contributed by Kyle
+      Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)
+    - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar.
+      Patch by Ben Caller.
+    - bpo-38243: Escape the server title of
+      xmlrpc.server.DocXMLRPCServer when rendering the document
+      page as HTML. (Contributed by Dong-hee Na in bpo-38243.)
+    - bpo-38174: Update vendorized expat library version to
+      2.2.8, which resolves CVE-2019-15903.
+    - bpo-37461: Fix an infinite loop when parsing specially
+      crafted email headers. Patch by Abhilash Raj.
+    - bpo-34155: Fix parsing of invalid email addresses with more
+      than one @ (e.g. a@b...@c.com.) to not return the part before
+      2nd @ as valid email address. Patch by maxking & jpic.
+  - Library:
+    - bpo-38216: Allow the rare code that wants to send invalid
+      http requests from the http.client library a way to do so.
+      The fixes for bpo-30458 led to breakage for some projects
+      that were relying on this ability to test their own
+      behavior in the face of bad requests.
+    - bpo-36564: Fix infinite loop in email header folding logic
+      that would be triggered when an email policy’s
+      max_line_length is not long enough to include the required
+      markup and any values in the message. Patch by Paul Ganssle
+- Remove patches included in the upstream tarball:
+  - CVE-2019-16935-xmlrpc-doc-server_title.patch
+  - CVE-2019-16056-email-parse-addr.patch
+- Move idle subpackage build from python3-base to python3 (bsc#1159622).
+  appstream-glib required for packaging introduces considerable
+  extra dependencies and a build loop via rust/librsvg.
+- Correct installation of idle IDE icons:
+  + idle.png is not the target directory
+  + non-GNOME-specific icons belong into icons/hicolor
+- Add required Name key to idle3 desktop file
+
+-------------------------------------------------------------------
+Thu Dec 12 14:17:45 CET 2019 - Matej Cepl <mc...@suse.com>
+
+- Unify all Python 3.6* SLE packages into one (jsc#SLE-9426,
+  jsc#SLE-9427, bsc#1159035)
+  - Patches which were already included upstream:
+    - CVE-2018-1061-DOS-via-regexp-difflib.patch
+    - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
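Review bot: the CVE-2020-8492 entry at the top of this hunk misspells the module as "urrlib" (should be "urllib"). Unlike the CVE-2019-9674 entry just above it, its trailing reference gives only bsc#1162367 and no CVE id; writing it as (bsc#1162367, CVE-2020-8492) makes the entry findable by a CVE search. As far as this hunk shows, the existing "Stop building qthelp documentation ... Fixes bsc#1158158" entry is replaced rather than kept below the new records; if qthelp is still disabled, that entry should stay in the history.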
@@ -50,0 +127,14 @@
+Wed Jul 24 17:19:58 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL Apply
+  "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
+  converts shutil._call_external_zip to use subprocess rather
+  than distutils.spawn. [bsc#1109663, CVE-2018-1000802]
+
+-------------------------------------------------------------------
+Wed Jul 24 15:27:24 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623.
+
+-------------------------------------------------------------------
@@ -67,0 +158,6 @@
+Wed Jun 12 16:46:48 UTC 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate
+  files with python3* packages (https://fate.suse.com/327309)
+
+-------------------------------------------------------------------
@@ -137,0 +234,11 @@
+Fri Jun 29 10:24:27 UTC 2018 - mc...@suse.com
+
+- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
+  low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
+  (CVE-2018-1061). Prior to this patch mail server's timestamp was
+  susceptible to catastrophic backtracking on long evil response from
+  the server. Also, it was susceptible to catastrophic backtracking,
+  which was a potential DOS vector.
+  [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]
+
+-------------------------------------------------------------------
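Review bot: the last two sentences of this entry both say "susceptible to catastrophic backtracking", and the "it" in the second has no clear referent. Name the poplib timestamp parsing (CVE-2018-1060) in the first sentence and difflib (CVE-2018-1061) in the second. The patch file name mentions only difflib although the entry says it also covers poplib, so the entry is the only place a reader searching for CVE-2018-1060 will find it and should say so unambiguously.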
@@ -162,0 +270,9 @@
+-------------------------------------------------------------------
+Tue Mar 13 18:49:34 UTC 2018 - psim...@suse.com
+
+- Apply "python-3.6-CVE-2017-18207.patch" to add a check to
+  Lib/wave.py that verifies that at least one channel is provided.
+  Prior to this check, attackers could cause a denial of service
+  (divide-by-zero error and application crash) via a crafted wav
+  format audio file. [bsc#1083507, CVE-2017-18207]
+
@@ -178 +294 @@
-- Add python3-sorted_tar.patch (boo#1081750)
+- Add python3-sorted_tar.patch (boo#1081750, bsc#1086001)
@@ -292,0 +409,15 @@
+Wed Mar  1 16:50:48 UTC 2017 - jmate...@suse.com
+
+- FAKE RECORD FROM SLE-12 CHANNEL update to 3.4.6 (bsc#1027282):
+  * fixed potential crash in PyUnicode_AsDecodedObject() in debug build
+  * fixed possible DoS and arbitrary execution in gettext plurals
+  * fix possible use of uninitialized memory in operator.methodcaller
+  * fix possible Py_DECREF on unowned object in _sre
+  * fix possible integer overflow in _csv module
+  * prevent HTTPoxy attack (CVE-2016-1000110)
+  * fix selectors incorrectly retaining invalid fds
+- drop upstreamed python-3.4-CVE-2016-1000110-fix.patch
+- move _elementtree to python3.rpm to match its pyexpat dependency
+  (bsc#1029377)
+
+-------------------------------------------------------------------
@@ -346,0 +478,27 @@
+Sat Aug  6 21:11:02 UTC 2016 - h...@urpla.net
+
+- FAKE RECORD FROM SLE-12 CHANNEL apply fix for CVE-2016-1000110
+  - CGIHandler: sets environmental variable based on user
+    supplied Proxy request header:
+    python-3.4-CVE-2016-1000110-fix.patch (fixes bsc#989523,
+    CVE-2016-1000110)
+- refresh python3-urllib-prefer-lowercase-proxies.patch
+
+-------------------------------------------------------------------
+Sun Jul  3 12:41:08 UTC 2016 - h...@urpla.net
+
+- FAKE RECORD FROM SLE-12 CHANNEL update to 3.4.5
+  check: https://docs.python.org/3.4/whatsnew/changelog.html
+  (fixes bsc#984751, CVE-2016-0772)
+  (fixes bsc#985177, CVE-2016-5636)
+  (fixes bsc#985348, CVE-2016-5699)
+- drop upstreamed werror-declaration-after-statement.patch
+
+-------------------------------------------------------------------
+Tue Jun 14 08:49:18 UTC 2016 - h...@urpla.net
+
+- FAKE RECORD FROM SLE-12 CHANNEL Due to being fixed upstream
+  (differently), removed outdated patch
+  CVE-2014-4650-CGIHTTPServer-traversal.patch (bsc#983582)
+
+-------------------------------------------------------------------
@@ -371,0 +530,7 @@
+Fri Oct 23 13:59:56 UTC 2015 - jmate...@suse.com
+
+- FAKE RECORD FROM SLE-12 CHANNEL Issue #21121: Don't force 3rd
+  party C extensions to be built with -Werror=declaration-after-statement.
+  (werror-declaration-after-statement.patch, bsc#951166)
+
+-------------------------------------------------------------------
@@ -621 +786 @@
-  * upstream fix for CVE-2013-4238
+  * upstream fix for CVE-2013-4238 (bnc#834601)
@@ -642,0 +808 @@
+- remove README.txt (bnc#709442)
--- /work/SRC/openSUSE:Leap:15.2/python3/python3-doc.changes    2020-01-15 
15:54:49.863645628 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.python3.new.26092/python3-doc.changes 
2020-03-09 17:59:28.492642058 +0100
@@ -0,0 +1,259 @@
+-------------------------------------------------------------------
+Sat Feb  8 23:29:28 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2019-9674-zip-bomb.patch to improve documentation
+  warning about dangers of zip-bombs and other security problems
+  with zipfile library. (bsc#1162825 CVE-2019-9674)
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
+-------------------------------------------------------------------
+Sat Feb  8 22:21:10 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add Requires: libpython%{so_version} == %{version}-%{release}
+  to python3-base to keep both packages always synchronized
+  (bsc#1162224).
+
+-------------------------------------------------------------------
+Tue Jan 28 17:54:50 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add pep538_coerce_legacy_c_locale.patch to coerce locale to
+  C.UTF-8 always (bsc#1162423).
+
+-------------------------------------------------------------------
+Thu Dec 19 16:42:56 CET 2019 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.6.10 (still in line with jsc#SLE-9426,
+  jsc#SLE-9427, bsc#1159035):
+  - Security:
+    - bpo-38945: Newline characters have been escaped when
+      performing uu encoding to prevent them from overflowing
+      into to content section of the encoded file. This prevents
+      malicious or accidental modification of data during the
+      decoding process.
+    - bpo-37228: Due to significant security concerns, the
+      reuse_address parameter of
+      asyncio.loop.create_datagram_endpoint() is no longer
+      supported. This is because of the behavior of SO_REUSEADDR
+      in UDP. For more details, see the documentation for
+      loop.create_datagram_endpoint(). (Contributed by Kyle
+      Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)
+    - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar.
+      Patch by Ben Caller.
+    - bpo-38243: Escape the server title of
+      xmlrpc.server.DocXMLRPCServer when rendering the document
+      page as HTML. (Contributed by Dong-hee Na in bpo-38243.)
+    - bpo-38174: Update vendorized expat library version to
+      2.2.8, which resolves CVE-2019-15903.
+    - bpo-37461: Fix an infinite loop when parsing specially
+      crafted email headers. Patch by Abhilash Raj.
+    - bpo-34155: Fix parsing of invalid email addresses with more
+      than one @ (e.g. a@b...@c.com.) to not return the part before
+      2nd @ as valid email address. Patch by maxking & jpic.
+  - Library:
+    - bpo-38216: Allow the rare code that wants to send invalid
+      http requests from the http.client library a way to do so.
+      The fixes for bpo-30458 led to breakage for some projects
+      that were relying on this ability to test their own
+      behavior in the face of bad requests.
+    - bpo-36564: Fix infinite loop in email header folding logic
+      that would be triggered when an email policy’s
+      max_line_length is not long enough to include the required
+      markup and any values in the message. Patch by Paul Ganssle
+- Remove patches included in the upstream tarball:
+  - CVE-2019-16935-xmlrpc-doc-server_title.patch
+  - CVE-2019-16056-email-parse-addr.patch
+- Move idle subpackage build from python3-base to python3 (bsc#1159622).
+  appstream-glib required for packaging introduces considerable
+  extra dependencies and a build loop via rust/librsvg.
+- Correct installation of idle IDE icons:
+  + idle.png is not the target directory
+  + non-GNOME-specific icons belong into icons/hicolor
+- Add required Name key to idle3 desktop file
+
+-------------------------------------------------------------------
+Thu Dec 12 14:17:45 CET 2019 - Matej Cepl <mc...@suse.com>
+
+- Unify all Python 3.6* SLE packages into one (jsc#SLE-9426,
+  jsc#SLE-9427, bsc#1159035)
+  - Patches which were already included upstream:
+    - CVE-2018-1061-DOS-via-regexp-difflib.patch
+    - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
+
+-------------------------------------------------------------------
+Tue Oct 22 22:26:56 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
+  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
+  python/Lib/DocXMLRPCServer.py
+
+-------------------------------------------------------------------
+Thu Sep 19 22:58:06 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
+  bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
+  bsc#1149792
+- Add bpo36263-Fix_hashlib_scrypt.patch which works around
+  bsc#1151490
+
+-------------------------------------------------------------------
+Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2019-16056-email-parse-addr.patch fixing the email
+  module wrongly parses email addresses [bsc#1149955,
+  CVE-2019-16056]
+
+-------------------------------------------------------------------
+Mon Sep  9 19:37:57 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- jsc#PM-1350 bsc#1149121 Update python3 to the last version of
+  the 3.6 line. This is just a bugfix release with no changes in
+  functionality.
+- The following patches were included in the upstream release as
+  so they can be removed in the package:
+  - CVE-2018-20852-cookie-domain-check.patch
+  - CVE-2019-5010-null-defer-x509-cert-DOS.patch
+  - CVE-2019-10160-netloc-port-regression.patch
+  - CVE-2019-9636-urlsplit-NFKC-norm.patch
+  - CVE-2019-9947-no-ctrl-char-http.patch
+- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been
+  reapplied on the upstream base without changing any
+  functionality.
+- Add patch aarch64-prolong-timeout.patch to fix failing
+  test_utime_current_old test.
+
+-------------------------------------------------------------------
+Wed Jul 24 17:19:58 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL Apply
+  "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
+  converts shutil._call_external_zip to use subprocess rather
+  than distutils.spawn. [bsc#1109663, CVE-2018-1000802]
+
+-------------------------------------------------------------------
+Wed Jul 24 15:27:24 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623.
+
+-------------------------------------------------------------------
+Fri Jul 19 13:28:16 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- boo#1141853 (CVE-2018-20852) add
+  CVE-2018-20852-cookie-domain-check.patch fixing
+  http.cookiejar.DefaultPolicy.domain_return_ok which did not
+  correctly validate the domain: it could be tricked into sending
+  cookies to the wrong server.
+
+-------------------------------------------------------------------
+Wed Jul  3 21:02:00 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
+  which fixes regression introduced by the previous patch.
+  (CVE-2019-10160)
+  Upstream gh#python/cpython#13812
+
+-------------------------------------------------------------------
+Wed Jun 12 16:46:48 UTC 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate
+  files with python3* packages (https://fate.suse.com/327309)
+
+-------------------------------------------------------------------
+Tue Jun 11 16:51:39 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to
+  handle situation when the SIGINT signal is ignored or not handled
+
+-------------------------------------------------------------------
+Tue Apr 30 15:10:12 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.6.8:
+  - bugfixes only
+  - removed patches (subsumed in the upstream tarball):
+    - CVE-2018-20406-pickle_LONG_BINPUT.patch
+  - refreshed patches:
+    - CVE-2019-5010-null-defer-x509-cert-DOS.patch
+    - CVE-2019-9636-urlsplit-NFKC-norm.patch
+    - Python-3.0b1-record-rpm.patch
+    - python-3.3.0b1-fix_date_time_compiler.patch
+    - python-3.3.0b1-test-posix_fadvise.patch
+    - python-3.3.3-skip-distutils-test_sysconfig_module.patch
+    - python-3.6.0-multilib-new.patch
+    - python3-sorted_tar.patch
+    - subprocess-raise-timeout.patch
+  - switch off LTO and PGO optimization (bsc#1133452)
+- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
+  Address the issue by disallowing URL paths with embedded
+  whitespace or control characters through into the underlying
+  http client request. Such potentially malicious header
+  injection URLs now cause a ValueError to be raised.
+
+-------------------------------------------------------------------
+Tue Apr  9 15:15:44 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch
+  Characters in the netloc attribute that decompose under NFKC
++++ 844 more lines (skipped)
++++ between /work/SRC/openSUSE:Leap:15.2/python3/python3-doc.changes
++++ and /work/SRC/openSUSE:Leap:15.2/.python3.new.26092/python3-doc.changes
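Review bot: the Oct 22 2019 entry for CVE-2019-16935 gives the affected file as python/Lib/DocXMLRPCServer.py, while the 3.6.10 notes in the same hunk name the module as xmlrpc.server.DocXMLRPCServer; the entry for this package should name the same module as the 3.6.10 notes. The "urrlib" typo in the CVE-2020-8492 entry is repeated in this file, and the Sep 9 2019 entry reads "were included in the upstream release as so they can be removed", where "as" should be dropped.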
--- /work/SRC/openSUSE:Leap:15.2/python3/python3.changes        2020-01-15 
15:54:49.935645669 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.python3.new.26092/python3.changes     
2020-03-09 17:59:28.528642075 +0100
@@ -2 +2,226 @@
-Mon Sep  3 16:39:15 UTC 2018 - Matěj Cepl <mc...@suse.com>
+Sat Feb  8 23:29:28 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2019-9674-zip-bomb.patch to improve documentation
+  warning about dangers of zip-bombs and other security problems
+  with zipfile library. (bsc#1162825 CVE-2019-9674)
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
+-------------------------------------------------------------------
+Sat Feb  8 22:21:10 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add Requires: libpython%{so_version} == %{version}-%{release}
+  to python3-base to keep both packages always synchronized
+  (bsc#1162224).
+
+-------------------------------------------------------------------
+Tue Jan 28 17:54:50 CET 2020 - Matej Cepl <mc...@suse.com>
+
+- Add pep538_coerce_legacy_c_locale.patch to coerce locale to
+  C.UTF-8 always (bsc#1162423).
+
+-------------------------------------------------------------------
+Thu Dec 19 16:42:56 CET 2019 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.6.10 (still in line with jsc#SLE-9426,
+  jsc#SLE-9427, bsc#1159035):
+  - Security:
+    - bpo-38945: Newline characters have been escaped when
+      performing uu encoding to prevent them from overflowing
+      into to content section of the encoded file. This prevents
+      malicious or accidental modification of data during the
+      decoding process.
+    - bpo-37228: Due to significant security concerns, the
+      reuse_address parameter of
+      asyncio.loop.create_datagram_endpoint() is no longer
+      supported. This is because of the behavior of SO_REUSEADDR
+      in UDP. For more details, see the documentation for
+      loop.create_datagram_endpoint(). (Contributed by Kyle
+      Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)
+    - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar.
+      Patch by Ben Caller.
+    - bpo-38243: Escape the server title of
+      xmlrpc.server.DocXMLRPCServer when rendering the document
+      page as HTML. (Contributed by Dong-hee Na in bpo-38243.)
+    - bpo-38174: Update vendorized expat library version to
+      2.2.8, which resolves CVE-2019-15903.
+    - bpo-37461: Fix an infinite loop when parsing specially
+      crafted email headers. Patch by Abhilash Raj.
+    - bpo-34155: Fix parsing of invalid email addresses with more
+      than one @ (e.g. a@b...@c.com.) to not return the part before
+      2nd @ as valid email address. Patch by maxking & jpic.
+  - Library:
+    - bpo-38216: Allow the rare code that wants to send invalid
+      http requests from the http.client library a way to do so.
+      The fixes for bpo-30458 led to breakage for some projects
+      that were relying on this ability to test their own
+      behavior in the face of bad requests.
+    - bpo-36564: Fix infinite loop in email header folding logic
+      that would be triggered when an email policy’s
+      max_line_length is not long enough to include the required
+      markup and any values in the message. Patch by Paul Ganssle
+- Remove patches included in the upstream tarball:
+  - CVE-2019-16935-xmlrpc-doc-server_title.patch
+  - CVE-2019-16056-email-parse-addr.patch
+- Move idle subpackage build from python3-base to python3 (bsc#1159622).
+  appstream-glib required for packaging introduces considerable
+  extra dependencies and a build loop via rust/librsvg.
+- Correct installation of idle IDE icons:
+  + idle.png is not the target directory
+  + non-GNOME-specific icons belong into icons/hicolor
+- Add required Name key to idle3 desktop file
+
+-------------------------------------------------------------------
+Thu Dec 12 14:17:45 CET 2019 - Matej Cepl <mc...@suse.com>
+
+- Unify all Python 3.6* SLE packages into one (jsc#SLE-9426,
+  jsc#SLE-9427, bsc#1159035)
+  - Patches which were already included upstream:
+    - CVE-2018-1061-DOS-via-regexp-difflib.patch
+    - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
+
+-------------------------------------------------------------------
+Tue Oct 22 22:26:56 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
+  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
+  python/Lib/DocXMLRPCServer.py
+
+-------------------------------------------------------------------
+Thu Sep 19 22:58:06 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
+  bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
+  bsc#1149792
+- Add bpo36263-Fix_hashlib_scrypt.patch which works around
+  bsc#1151490
+
+-------------------------------------------------------------------
+Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2019-16056-email-parse-addr.patch fixing the email
+  module wrongly parses email addresses [bsc#1149955,
+  CVE-2019-16056]
+
+-------------------------------------------------------------------
+Mon Sep  9 19:37:57 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- jsc#PM-1350 bsc#1149121 Update python3 to the last version of
+  the 3.6 line. This is just a bugfix release with no changes in
+  functionality.
+- The following patches were included in the upstream release as
+  so they can be removed in the package:
+  - CVE-2018-20852-cookie-domain-check.patch
+  - CVE-2019-5010-null-defer-x509-cert-DOS.patch
+  - CVE-2019-10160-netloc-port-regression.patch
+  - CVE-2019-9636-urlsplit-NFKC-norm.patch
+  - CVE-2019-9947-no-ctrl-char-http.patch
+- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been
+  reapplied on the upstream base without changing any
+  functionality.
+- Add patch aarch64-prolong-timeout.patch to fix failing
+  test_utime_current_old test.
+
+-------------------------------------------------------------------
+Wed Jul 24 17:19:58 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL Apply
+  "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
+  converts shutil._call_external_zip to use subprocess rather
+  than distutils.spawn. [bsc#1109663, CVE-2018-1000802]
+
+-------------------------------------------------------------------
+Wed Jul 24 15:27:24 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623.
+
+-------------------------------------------------------------------
+Fri Jul 19 13:28:16 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- boo#1141853 (CVE-2018-20852) add
+  CVE-2018-20852-cookie-domain-check.patch fixing
+  http.cookiejar.DefaultPolicy.domain_return_ok which did not
+  correctly validate the domain: it could be tricked into sending
+  cookies to the wrong server.
+
+-------------------------------------------------------------------
+Wed Jul  3 21:02:00 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
+  which fixes regression introduced by the previous patch.
+  (CVE-2019-10160)
+  Upstream gh#python/cpython#13812
+
+-------------------------------------------------------------------
+Wed Jun 12 16:46:48 UTC 2019 - Matej Cepl <mc...@suse.com>
+
+- FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate
+  files with python3* packages (https://fate.suse.com/327309)
+
+-------------------------------------------------------------------
+Tue Jun 11 16:51:39 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to
+  handle situation when the SIGINT signal is ignored or not handled
+
+-------------------------------------------------------------------
+Tue Apr 30 15:10:12 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.6.8:
+  - bugfixes only
+  - removed patches (subsumed in the upstream tarball):
+    - CVE-2018-20406-pickle_LONG_BINPUT.patch
+  - refreshed patches:
+    - CVE-2019-5010-null-defer-x509-cert-DOS.patch
+    - CVE-2019-9636-urlsplit-NFKC-norm.patch
+    - Python-3.0b1-record-rpm.patch
+    - python-3.3.0b1-fix_date_time_compiler.patch
+    - python-3.3.0b1-test-posix_fadvise.patch
+    - python-3.3.3-skip-distutils-test_sysconfig_module.patch
+    - python-3.6.0-multilib-new.patch
+    - python3-sorted_tar.patch
+    - subprocess-raise-timeout.patch
+  - switch off LTO and PGO optimization (bsc#1133452)
+- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
+  Address the issue by disallowing URL paths with embedded
+  whitespace or control characters through into the underlying
+  http client request. Such potentially malicious header
+  injection URLs now cause a ValueError to be raised.
+
+-------------------------------------------------------------------
+Tue Apr  9 15:15:44 CEST 2019 - Matej Cepl <mc...@suse.com>
+
+- bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch
+  Characters in the netloc attribute that decompose under NFKC
++++ 797 more lines (skipped)
++++ between /work/SRC/openSUSE:Leap:15.2/python3/python3.changes
++++ and /work/SRC/openSUSE:Leap:15.2/.python3.new.26092/python3.changes

Old:
----
  CVE-2019-16056-email-parse-addr.patch
  CVE-2019-16935-xmlrpc-doc-server_title.patch
  Python-3.6.9.tar.xz
  Python-3.6.9.tar.xz.asc

New:
----
  CVE-2019-9674-zip-bomb.patch
  CVE-2020-8492-urllib-ReDoS.patch
  Python-3.6.10.tar.xz
  Python-3.6.10.tar.xz.asc
  idle3.appdata.xml
  idle3.desktop
  pep538_coerce_legacy_c_locale.patch
  python-3.6-CVE-2017-18207.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python3-base.spec ++++++
--- /var/tmp/diff_new_pack.T6qkqA/_old  2020-03-09 17:59:29.448642532 +0100
+++ /var/tmp/diff_new_pack.T6qkqA/_new  2020-03-09 17:59:29.456642535 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python3-base
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -64,7 +64,7 @@
 %bcond_with    profileopt
 %endif
 Name:           python3-base
-Version:        3.6.9
+Version:        3.6.10
 Release:        0
 Summary:        Python 3 Interpreter and Stdlib Core
 License:        Python-2.0
@@ -88,6 +88,7 @@
 Source103:      pre_checkin.sh
 Source104:      skipped_tests.py
 ##### REQURES, PROVIDES, OBSOLETES #####
+Requires:       libpython%{so_version} == %{version}-%{release}
 Requires:       python-rpm-macros
 Recommends:     python3 = %{version}
 #Recommends:     python3-ensurepip
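Review bot: the added Requires line uses "==" while the Recommends line two lines below it uses "="; use one operator form throughout the spec. The section comment directly above the new line reads "REQURES" and could be corrected to "REQUIRES" in the same change.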
@@ -141,6 +142,9 @@
 Patch02:        python-3.6.0-multilib-new.patch
 # support finding packages in /usr/local, install to /usr/local by default
 Patch04:        python-3.3.0b1-localpath.patch
+# PATCH-FEATURE-UPSTREAM pep538_coerce_legacy_c_locale.patch bpo#28180 
mc...@suse.com
+# This patches coerces locale to be C.UTF-8 irrespective to the system locale
+Patch05:        pep538_coerce_legacy_c_locale.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible 
builds
 Patch06:        python-3.3.0b1-fix_date_time_compiler.patch
 # fix wrong include path in curses-panel module
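Review bot: the Patch05 header cites bpo#28180 but not bsc#1162423, which the changelog gives as the reason for adding this patch; other patch headers in this spec carry the bsc number after the file name. In the description line, "This patches coerces" should read "This patch coerces" and "irrespective to" should be "irrespective of".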
@@ -151,6 +155,9 @@
 Patch12:        python-3.3.3-skip-distutils-test_sysconfig_module.patch
 # Raise timeout value for test_subprocess
 Patch15:        subprocess-raise-timeout.patch
+# PATCH-FIX-UPSTREAM python-3.6-CVE-2017-18207.patch psim...@suse.com -- Add 
check for channels of wav file in Lib/wave.py
+# Suggested in https://github.com/python/cpython/pull/4437.
+Patch20:        python-3.6-CVE-2017-18207.patch
 # PATCH-FIX-UPSTREAM bmwiedem...@suse.de -- 
https://github.com/python/cpython/pull/296
 Patch21:        0001-allow-for-reproducible-builds-of-python-packages.patch
 # PATCH-FEATURE-OPENSUSE order files for compilation until the underlying 
cause of bsc#1049186 is resolved
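Review bot: Patch20 is tagged PATCH-FIX-UPSTREAM, but its comment says only "Suggested in" a pull request, and the header carries no bsc reference although the 2018 changelog entry lists bsc#1083507 and CVE-2017-18207. Add the bsc number to the header and state whether the fix is already part of 3.6.10. None of the 2020 changelog entries visible here mentions this patch being added, even though it appears in the New file list.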
@@ -165,9 +172,6 @@
 # PATCH-FIX-OPENSUSE aarch64-prolong-timeout.patch bsc#1149121 mc...@suse.com
 # Our buildbots are apparently too busy on aarch64 to make time right
 Patch30:        aarch64-prolong-timeout.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16056-email-parse-addr.patch bsc#1149955 
mc...@suse.com
-# bpo#34155 The email module wrongly parses email addresses
-Patch31:        CVE-2019-16056-email-parse-addr.patch
 # PATCH-FIX-UPSTREAM bpo-36576-skip_tests_for_OpenSSL-111.patch bsc#1149792 
mc...@suse.com
 # Skip tests failing with OpenSSL 1.1.1
 Patch32:        bpo-36576-skip_tests_for_OpenSSL-111.patch
@@ -175,9 +179,13 @@
 # There is a regression in OpenSSL, which causes bpo#36263, and until it
 # is fixed in OpenSSL, we need to protect against it.
 Patch33:        bpo36263-Fix_hashlib_scrypt.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 
mc...@suse.com
-# XSS vulnerability in the documentation XML-RPC server in server_title field
-Patch34:        CVE-2019-16935-xmlrpc-doc-server_title.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 
mc...@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch34:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mc...@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch35:        CVE-2019-9674-zip-bomb.patch
 ### COMMON-PATCH-END ###
 
 %description
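Review bot: the comment added above Patch34 misspells the module as "urrlib" (it should read urllib), and the Patch34 number is reused for an unrelated fix, since the removed lines show it previously held CVE-2019-16935-xmlrpc-doc-server_title.patch. Fix the spelling, and consider giving CVE-2020-8492-urllib-ReDoS.patch a fresh number, as was done for Patch35, so that older references to Patch34 stay unambiguous.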
@@ -204,18 +212,6 @@
 A number of scripts that are useful for building, testing or extending Python,
 and a set of demonstration programs.
 
-%package -n python3-idle
-Summary:        An Integrated Development Environment for Python
-Group:          Development/Languages/Python
-Requires:       %{name} = %{version}
-Requires:       python3-tk
-
-%description -n python3-idle
-IDLE is a Tkinter based integrated development environment for Python.
-It features a multi-window text editor with multiple undo, Python
-colorizing, and many other things, as well as a Python shell window and
-a debugger.
-
 %package -n python3-devel
 Summary:        Include Files and Libraries Mandatory for Building Python 
Modules
 Group:          Development/Languages/Python
@@ -263,11 +259,13 @@
 %patch01 -p1
 %patch02 -p1
 %patch04
+%patch05 -p1
 %patch06 -p1
 %patch07
 %patch09 -p1
 %patch12 -p1
 %patch15 -p1
+%patch20 -p1
 %patch21 -p1
 %patch22 -p1
 %ifarch ppc ppc64 ppc64le
@@ -276,10 +274,10 @@
 %patch24 -p1
 %patch29 -p1
 %patch30 -p1
-%patch31 -p1
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -355,7 +353,7 @@
 mkdir -p 
%{buildroot}%{_prefix}/lib/python%{python_version}/site-packages/__pycache__
 
 # cleanup parts that don't belong
-for dir in curses dbm sqlite3 tkinter; do
+for dir in curses dbm sqlite3 tkinter idlelib; do
     find %{buildroot}%{sitedir}/$dir/* -maxdepth 0 -name "test" -o -exec rm 
-rf {} ";"
 done
 # rm $RPM_BUILD_ROOT%{dynlib pyexpat}
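Review bot: adding idlelib to this loop removes every top-level entry of idlelib that is not literally named "test", because the find expression spares only `-name "test"`. If idlelib does not keep anything under that exact name, the loop leaves an empty idlelib directory behind in base; say in the comment what is expected to survive, or remove the directory outright if nothing should.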
@@ -366,6 +364,9 @@
 # link shared library instead of static library that tools expect
 ln -s ../../libpython%{python_abi}.so 
%{buildroot}%{_libdir}/python%{python_version}/config-%{python_abi}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}/libpython%{python_abi}.so
 
+# delete idle3, which has to many packaging dependencies for base
+rm %{buildroot}%{_bindir}/idle3*
+
 # replace duplicate .pyo/.pyc with hardlinks
 %fdupes %{buildroot}/%{sitedir}
 
@@ -392,16 +393,6 @@
 # install devel files to /config
 #cp Makefile Makefile.pre.in Makefile.pre 
$RPM_BUILD_ROOT%{sitedir}/config-%{python_abi}/
 
-# move idle config into /etc
-install -d -m 755 %{buildroot}%{_sysconfdir}/idle3
-(
-    cd %{buildroot}/%{sitedir}/idlelib/
-    for file in *.def ; do
-        mv $file %{buildroot}%{_sysconfdir}/idle3/
-        ln -sf %{_sysconfdir}/idle3/$file  %{buildroot}/%{sitedir}/idlelib/
-    done
-)
-
 # RPM macros
 mkdir -p %{buildroot}%{_sysconfdir}/rpm
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/rpm # macros.python3
@@ -441,19 +432,6 @@
 %attr(755, root, root)%{_bindir}/2to3-%{python_version}
 %doc %{_docdir}/%{name}/Tools
 
-%files -n python3-idle
-%defattr(644, root, root, 755)
-%{sitedir}/idlelib
-%dir %{_sysconfdir}/idle3
-%config %{_sysconfdir}/idle3/*
-%doc Lib/idlelib/NEWS.txt
-%doc Lib/idlelib/README.txt
-%doc Lib/idlelib/TODO.txt
-%doc Lib/idlelib/extend.txt
-%doc Lib/idlelib/ChangeLog
-%{_bindir}/idle3
-%attr(755, root, root) %{_bindir}/idle%{python_version}
-
 %files -n python3-devel
 %defattr(644, root, root, 755)
 %{_libdir}/libpython%{python_abi}.so

++++++ python3-doc.spec ++++++
--- /var/tmp/diff_new_pack.T6qkqA/_old  2020-03-09 17:59:29.476642546 +0100
+++ /var/tmp/diff_new_pack.T6qkqA/_new  2020-03-09 17:59:29.476642546 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python3-doc
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -52,13 +52,14 @@
 ### COMMON-DEF-END ###
 #
 Name:           python3-doc
-Version:        3.6.9
+Version:        3.6.10
 Release:        0
 Summary:        Additional Package Documentation for Python 3
 License:        Python-2.0
 Group:          Documentation/HTML
 URL:            http://www.python.org/
 Source0:        
http://www.python.org/ftp/python/%{tarversion}/%{tarname}.tar.xz
+BuildRequires:  libqt5-qttools
 BuildRequires:  python3-Sphinx >= 1.2
 BuildRequires:  xz
 Enhances:       python3 = %{python_version}
@@ -71,6 +72,9 @@
 Patch02:        python-3.6.0-multilib-new.patch
 # support finding packages in /usr/local, install to /usr/local by default
 Patch04:        python-3.3.0b1-localpath.patch
+# PATCH-FEATURE-UPSTREAM pep538_coerce_legacy_c_locale.patch bpo#28180 
mc...@suse.com
+# This patches coerces locale to be C.UTF-8 irrespective to the system locale
+Patch05:        pep538_coerce_legacy_c_locale.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible 
builds
 Patch06:        python-3.3.0b1-fix_date_time_compiler.patch
 # fix wrong include path in curses-panel module
@@ -81,6 +85,9 @@
 Patch12:        python-3.3.3-skip-distutils-test_sysconfig_module.patch
 # Raise timeout value for test_subprocess
 Patch15:        subprocess-raise-timeout.patch
+# PATCH-FIX-UPSTREAM python-3.6-CVE-2017-18207.patch psim...@suse.com -- Add 
check for channels of wav file in Lib/wave.py
+# Suggested in https://github.com/python/cpython/pull/4437.
+Patch20:        python-3.6-CVE-2017-18207.patch
 # PATCH-FIX-UPSTREAM bmwiedem...@suse.de -- 
https://github.com/python/cpython/pull/296
 Patch21:        0001-allow-for-reproducible-builds-of-python-packages.patch
 # PATCH-FEATURE-OPENSUSE order files for compilation until the underlying 
cause of bsc#1049186 is resolved
@@ -95,9 +102,6 @@
 # PATCH-FIX-OPENSUSE aarch64-prolong-timeout.patch bsc#1149121 mc...@suse.com
 # Our buildbots are apparently too busy on aarch64 to make time right
 Patch30:        aarch64-prolong-timeout.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16056-email-parse-addr.patch bsc#1149955 
mc...@suse.com
-# bpo#34155 The email module wrongly parses email addresses
-Patch31:        CVE-2019-16056-email-parse-addr.patch
 # PATCH-FIX-UPSTREAM bpo-36576-skip_tests_for_OpenSSL-111.patch bsc#1149792 
mc...@suse.com
 # Skip tests failing with OpenSSL 1.1.1
 Patch32:        bpo-36576-skip_tests_for_OpenSSL-111.patch
@@ -105,6 +109,13 @@
 # There is a regression in OpenSSL, which causes bpo#36263, and until it
 # is fixed in OpenSSL, we need to protect against it.
 Patch33:        bpo36263-Fix_hashlib_scrypt.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 
mc...@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch34:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mc...@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch35:        CVE-2019-9674-zip-bomb.patch
 ### COMMON-PATCH-END ###
 
 %description
@@ -120,11 +131,13 @@
 %patch01 -p1
 %patch02 -p1
 %patch04
+%patch05 -p1
 %patch06 -p1
 %patch07
 %patch09 -p1
 %patch12 -p1
 %patch15 -p1
+%patch20 -p1
 %patch21 -p1
 %patch22 -p1
 %ifarch ppc ppc64 ppc64le
@@ -133,9 +146,10 @@
 %patch24 -p1
 %patch29 -p1
 %patch30 -p1
-%patch31 -p1
 %patch32 -p1
 %patch33 -p1
+%patch34 -p1
+%patch35 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -165,6 +179,9 @@
 cd Doc
 sed -i "s/^today = .*/today = '$TODAY_DATE'/" conf.py
 make -j1 html
+# create a .qch file that can be used in QtAssistant or KDevelop
+sphinx-build -a -b qthelp . build/qthelp
+qhelpgenerator-qt5 build/qthelp/Python.qhp -o build/qthelp/Python.qch
 
 %install
 export PDOCS=%{buildroot}%{_docdir}/python3
@@ -172,6 +189,7 @@
 # generated docs
 rm Doc/build/html/.buildinfo
 cp -r Doc/build/html $PDOCS
+install -m 644 Doc/build/qthelp/Python.qch $PDOCS
 # misc
 install -d -m 755 $PDOCS/Misc
 rm Misc/README.AIX
@@ -184,5 +202,6 @@
 %dir %{_docdir}/python3
 %doc %{_docdir}/python3/Misc
 %doc %{_docdir}/python3/html
+%doc %{_docdir}/python3/Python.qch
 
 %changelog

++++++ python3.spec ++++++
--- /var/tmp/diff_new_pack.T6qkqA/_old  2020-03-09 17:59:29.496642556 +0100
+++ /var/tmp/diff_new_pack.T6qkqA/_new  2020-03-09 17:59:29.496642556 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python3
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -57,7 +57,7 @@
 ### COMMON-DEF-END ###
 #
 Name:           python3
-Version:        3.6.9
+Version:        3.6.10
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -65,6 +65,8 @@
 URL:            http://www.python.org/
 Source0:        http://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz
 Source1:        
http://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz.asc
+Source20:       idle3.desktop
+Source21:       idle3.appdata.xml
 BuildRequires:  automake
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
@@ -86,6 +88,9 @@
 BuildRequires:  tk-devel
 BuildRequires:  xz
 BuildRequires:  pkgconfig(x11)
+# required for idle3 (.desktop and .appdata.xml files)
+# BuildRequires:  appstream-glib
+BuildRequires:  update-desktop-files
 Requires:       python3-base = %{version}
 Recommends:     python3-curses
 Recommends:     python3-dbm
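Review bot: the comment "required for idle3 (.desktop and .appdata.xml files)" sits directly above a commented-out "BuildRequires: appstream-glib", so it describes a dependency that is not actually pulled in. Drop the dead line, or reword the comment to say that only update-desktop-files is required and why appstream-glib is disabled.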
@@ -104,6 +109,9 @@
 Patch02:        python-3.6.0-multilib-new.patch
 # support finding packages in /usr/local, install to /usr/local by default
 Patch04:        python-3.3.0b1-localpath.patch
+# PATCH-FEATURE-UPSTREAM pep538_coerce_legacy_c_locale.patch bpo#28180 
mc...@suse.com
+# This patches coerces locale to be C.UTF-8 irrespective to the system locale
+Patch05:        pep538_coerce_legacy_c_locale.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible 
builds
 Patch06:        python-3.3.0b1-fix_date_time_compiler.patch
 # fix wrong include path in curses-panel module
@@ -114,6 +122,9 @@
 Patch12:        python-3.3.3-skip-distutils-test_sysconfig_module.patch
 # Raise timeout value for test_subprocess
 Patch15:        subprocess-raise-timeout.patch
+# PATCH-FIX-UPSTREAM python-3.6-CVE-2017-18207.patch psim...@suse.com -- Add 
check for channels of wav file in Lib/wave.py
+# Suggested in https://github.com/python/cpython/pull/4437.
+Patch20:        python-3.6-CVE-2017-18207.patch
 # PATCH-FIX-UPSTREAM bmwiedem...@suse.de -- 
https://github.com/python/cpython/pull/296
 Patch21:        0001-allow-for-reproducible-builds-of-python-packages.patch
 # PATCH-FEATURE-OPENSUSE order files for compilation until the underlying 
cause of bsc#1049186 is resolved
@@ -128,9 +139,6 @@
 # PATCH-FIX-OPENSUSE aarch64-prolong-timeout.patch bsc#1149121 mc...@suse.com
 # Our buildbots are apparently too busy on aarch64 to make time right
 Patch30:        aarch64-prolong-timeout.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16056-email-parse-addr.patch bsc#1149955 
mc...@suse.com
-# bpo#34155 The email module wrongly parses email addresses
-Patch31:        CVE-2019-16056-email-parse-addr.patch
 # PATCH-FIX-UPSTREAM bpo-36576-skip_tests_for_OpenSSL-111.patch bsc#1149792 
mc...@suse.com
 # Skip tests failing with OpenSSL 1.1.1
 Patch32:        bpo-36576-skip_tests_for_OpenSSL-111.patch
@@ -138,6 +146,13 @@
 # There is a regression in OpenSSL, which causes bpo#36263, and until it
 # is fixed in OpenSSL, we need to protect against it.
 Patch33:        bpo36263-Fix_hashlib_scrypt.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 
mc...@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch34:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mc...@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch35:        CVE-2019-9674-zip-bomb.patch
 ### COMMON-PATCH-END ###
 
 %description
@@ -181,17 +196,31 @@
 An easy to use interface for Unix DBM databases, and more specifically,
 the GNU implementation GDBM.
 
+%package idle
+Summary:        An Integrated Development Environment for Python
+Group:          Development/Languages/Python
+Requires:       %{name} = %{version}
+Requires:       python3-tk
+
+%description idle
+IDLE is a Tkinter based integrated development environment for Python.
+It features a multi-window text editor with multiple undo, Python
+colorizing, and many other things, as well as a Python shell window and
+a debugger.
+
 %prep
 %setup -q -n %{tarname}
 ### COMMON-PREP-BEGIN ###
 %patch01 -p1
 %patch02 -p1
 %patch04
+%patch05 -p1
 %patch06 -p1
 %patch07
 %patch09 -p1
 %patch12 -p1
 %patch15 -p1
+%patch20 -p1
 %patch21 -p1
 %patch22 -p1
 %ifarch ppc ppc64 ppc64le
@@ -200,9 +229,10 @@
 %patch24 -p1
 %patch29 -p1
 %patch30 -p1
-%patch31 -p1
 %patch32 -p1
 %patch33 -p1
+%patch34 -p1
+%patch35 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -300,7 +330,7 @@
 
 # clean out stuff that is in python-base and subpackages
 
-rm %{buildroot}%{_bindir}/*
+find %{buildroot}%{_bindir} -mindepth 1 -not -name "*idle3*" -print -delete
 rm %{buildroot}%{_libdir}/lib*
 rm -r %{buildroot}%{_libdir}/pkgconfig
 rm -r %{buildroot}%{_mandir}/*
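Review bot: the `-not -name "*idle3*"` filter in the new find line is wider than the two binaries the idle subpackage lists (idle3 and idle%{python_version}), so any other name in %{_bindir} that merely contains "idle3" survives the cleanup without a matching %files entry. Anchor the pattern as `-name "idle3*"`, and note that it hard-codes the major version while %files relies on %{python_version}.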
@@ -316,7 +346,7 @@
     asyncio ctypes collections concurrent distutils email encodings \
     ensurepip html http \
     importlib json logging multiprocessing pydoc_data unittest \
-    urllib venv wsgiref lib2to3 test idlelib turtledemo \
+    urllib venv wsgiref lib2to3 test turtledemo \
     xml xmlrpc
 do
     rm -r %{buildroot}%{sitedir}/$module
@@ -335,6 +365,30 @@
     eval rm "%{buildroot}%{sitedir}/lib-dynload/$library.*"
 done
 
+# Idle is not packaged in base due to the appstream-glib dependency
+# move idle config into /etc
+install -d -m 755 %{buildroot}%{_sysconfdir}/idle3
+(
+    cd %{buildroot}/%{sitedir}/idlelib/
+    for file in *.def ; do
+        mv $file %{buildroot}%{_sysconfdir}/idle3/
+        ln -sf %{_sysconfdir}/idle3/$file  %{buildroot}/%{sitedir}/idlelib/
+    done
+)
+
+# install idle icons
+for size in 16 32 48 ; do
+    install -m 644 -D Lib/idlelib/Icons/idle_${size}.png \
+    %{buildroot}%{_datadir}/icons/hicolor/${size}x${size}/apps/idle.png
+done
+
+# install idle desktop file
+install -m 644 -D -t %{buildroot}%{_datadir}/applications %{SOURCE20}
+%suse_update_desktop_file idle3
+
+install -m 644 -D -t %{buildroot}%{_datadir}/metainfo %{SOURCE21}
+# appstream-util validate-relax --nonet 
%{buildroot}%{_datadir}/metainfo/idle3.appdata.xml
+
 %fdupes %{buildroot}/%{_libdir}/python%{python_version}
 
 %files tk
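Review bot: the appstream-util validate-relax call at the end of this block is commented out, so idle3.appdata.xml is installed into %{_datadir}/metainfo with no validation at build time, and the opening comment cites an appstream-glib dependency that the spec carries only as a commented-out BuildRequires. Either enable the check together with its BuildRequires or remove both remnants; separately, quote $file in the mv and ln -sf lines of the *.def loop.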
@@ -364,4 +418,25 @@
 %{dynlib readline}
 %{dynlib _sqlite3}
 
+%files idle
+%defattr(644, root, root, 755)
+%{sitedir}/idlelib
+%dir %{_sysconfdir}/idle3
+%config %{_sysconfdir}/idle3/*
+%doc Lib/idlelib/NEWS.txt
+%doc Lib/idlelib/README.txt
+%doc Lib/idlelib/TODO.txt
+%doc Lib/idlelib/extend.txt
+%doc Lib/idlelib/ChangeLog
+%{_bindir}/idle3
+%{_datadir}/applications/idle3.desktop
+%{_datadir}/metainfo/idle3.appdata.xml
+%{_datadir}/icons/hicolor/*/apps/idle.png
+%dir %{_datadir}/icons/hicolor
+%dir %{_datadir}/icons/hicolor/16x16
+%dir %{_datadir}/icons/hicolor/32x32
+%dir %{_datadir}/icons/hicolor/48x48
+%dir %{_datadir}/icons/hicolor/*/apps
+%attr(755, root, root) %{_bindir}/idle%{python_version}
+
 %changelog
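Review bot: %{_bindir}/idle3 is listed without an %attr, so it takes the 644 file mode from %defattr, while only idle%{python_version} is marked 755. If idle3 is installed as a regular file rather than a symlink to the versioned script it will ship non-executable; add %attr(755, root, root) to that line or state in a comment that it is a symlink.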

++++++ CVE-2019-9674-zip-bomb.patch ++++++
>From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001
From: nick sung <sungboss2...@gmail.com>
Date: Fri, 17 May 2019 15:45:31 +0800
Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation

We saw vulnerability warning description (including zip bomb) in 
Doc/library/xml.rst file.
This gave us the idea of documentation improvement.

So, we moved a little bit forward :P
And the doc patch can be found (pr).
---
 Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
@@ -706,5 +706,47 @@ Command-line options
 
    Test whether the zipfile is valid or not.
 
+Decompression pitfalls
+----------------------
 
+The extraction in zipfile module might fail due to some pitfalls
+listed below.
+
+From file itself
+~~~~~~~~~~~~~~~~
+
+Decompression may fail due to incorrect password / CRC checksum
+/ ZIP format or unsupported compression method / decryption.
+
+File System limitations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Exceeding limitations on different file systems can cause
+decompression failed. Such as allowable characters in the
+directory entries, length of the file name, length of the
+pathname, size of a single file, and number of files, etc.
+
+Resources limitations
+~~~~~~~~~~~~~~~~~~~~~
+
+The lack of memory or disk volume would lead to decompression
+failed. For example, decompression bombs (aka `ZIP bomb`_) apply
+to zipfile library that can cause disk volume exhaustion.
+
+Interruption
+~~~~~~~~~~~~
+
+Interruption during the decompression, such as pressing control-C
+or killing the decompression process may result in incomplete
+decompression of the archive.
+
+Default behaviors of extraction
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Not knowing the default extraction behaviors can cause unexpected
+decompression results. For example, when extracting the same
+archive twice, it overwrites files without asking.
+
+
+.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
 .. _PKZIP Application Note: 
https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
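Review bot: the "Resources limitations" paragraph names ZIP bombs but gives the reader nothing to act on, and this hunk changes documentation only, so the extraction behaviour of zipfile is unchanged. Add a sentence telling callers to bound extraction themselves, for example by comparing the declared file_size of each ZipInfo entry against a limit before extracting, and fix the wording "can cause decompression failed" and "would lead to decompression failed" (both should end in "to fail").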
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
@@ -0,0 +1 @@
+Add decompression pitfalls to zipfile module documentation.
\ No newline at end of file
++++++ CVE-2020-8492-urllib-ReDoS.patch ++++++
>From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstin...@python.org>
Date: Thu, 30 Jan 2020 16:13:03 +0100
Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking.

Vulnerability reported by Matt Schwager.
---
 Lib/urllib2.py                                                     |    2 +-
 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst |    4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst

--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
@@ -0,0 +1,4 @@
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of 
the
+:mod:`urllib.request` module uses an inefficient regular expression which can
+be exploited by an attacker to cause a denial of service. Fix the regex to
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -945,7 +945,7 @@ class AbstractBasicAuthHandler:
 
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
                     'realm=(["\']?)([^"\']*)\\2', re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
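Review bot: the patch header's diffstat lists Lib/urllib2.py as the changed file, but the hunk edits Lib/urllib/request.py, so the header does not describe what is applied; regenerate it so the two agree. The change from `(?:.*,)*` to `(?:[^,]*,)*` also arrives without a test, so a regression test for the backtracking case in AbstractBasicAuthHandler should accompany it.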
++++++ Python-3.6.9.tar.xz -> Python-3.6.10.tar.xz ++++++
/work/SRC/openSUSE:Leap:15.2/python3/Python-3.6.9.tar.xz 
/work/SRC/openSUSE:Leap:15.2/.python3.new.26092/Python-3.6.10.tar.xz differ: 
char 27, line 1

++++++ idle3.appdata.xml ++++++
<?xml version="1.0" encoding="UTF-8"?>

<!-- Copyright 2017 Zbigniew Jędrzejewski-Szmek -->
<application>
  <id type="desktop">idle3.desktop</id>
  <name>IDLE3</name>
  <metadata_licence>CC0</metadata_licence>
  <project_license>Python-2.0</project_license>
  <summary>Python 3 Integrated Development and Learning Environment</summary>
  <description>
    <p>
      IDLE is Python’s Integrated Development and Learning Environment.
      The GUI is uniform between Windows, Unix, and Mac OS X.
      IDLE provides an easy way to start writing, running, and debugging
      Python code.
    </p>
    <p>
      IDLE is written in pure Python, and uses the tkinter GUI toolkit.
      It provides:
    </p>
    <ul>
       <li>a Python shell window (interactive interpreter) with colorizing of 
code input, output, and error messages,</li>
       <li>a multi-window text editor with multiple undo, Python colorizing, 
smart indent, call tips, auto completion, and other features,</li>
       <li>search within any window, replace within editor windows, and search 
through multiple files (grep),</li>
       <li>a debugger with persistent breakpoints, stepping, and viewing of 
global and local namespaces.</li>
    </ul>
  </description>
  <url type="homepage">https://docs.python.org/3/library/idle.html</url>
  <screenshots>
    <screenshot 
type="default">http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</screenshot>
    
<screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</screenshot>
    
<screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</screenshot>
  </screenshots>
  <update_contact>zbys...@in.waw.pl</update_contact>
</application>
++++++ idle3.desktop ++++++
[Desktop Entry]
Version=1.0
Name=IDLE 3
GenericName=Python 3 IDE
Comment=Python 3 Integrated Development and Learning Environment
Exec=idle3 %F
TryExec=idle3
Terminal=false
Type=Application
Icon=idle
Categories=Development;IDE;
MimeType=text/x-python;
++++++ import_failed.map ++++++
--- /var/tmp/diff_new_pack.T6qkqA/_old  2020-03-09 17:59:29.628642621 +0100
+++ /var/tmp/diff_new_pack.T6qkqA/_new  2020-03-09 17:59:29.632642624 +0100
@@ -1,7 +1,7 @@
 python3-tools: turtledemo
-python3-idle: idlelib
 python3-testsuite: test _ctypes_test _testbuffer _testcapi _testimportmultiple 
_testmultiphase xxlimited
 python3-tk: tkinter _tkinter
 python3-curses: curses _curses _curses_panel
 python3-dbm: dbm _dbm _gdbm
 python3: sqlite3 readline _sqlite3
+python3-idle: idlelib

++++++ pep538_coerce_legacy_c_locale.patch ++++++
++++ 901 lines (skipped)

++++++ pre_checkin.sh ++++++
--- /var/tmp/diff_new_pack.T6qkqA/_old  2020-03-09 17:59:29.660642637 +0100
+++ /var/tmp/diff_new_pack.T6qkqA/_new  2020-03-09 17:59:29.660642637 +0100
@@ -129,3 +129,7 @@
 
 # run test inclusion check
 python3 skipped_tests.py
+
+# I really don't to keep all three *.changes files separate
+cp python3-base.changes python3.changes
+cp python3-base.changes python3-doc.changes
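Review bot: the two cp lines overwrite python3.changes and python3-doc.changes unconditionally on every pre-checkin run, so an entry that exists only in one of those files is silently lost. If the three changelogs are meant to be identical, say so in the comment (which is also missing a word: "I really don't want to keep"), and consider making the script stop when a target already differs from python3-base.changes instead of overwriting it.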

++++++ python-3.6-CVE-2017-18207.patch ++++++
>From ae0ed14794ced2c51c822fc6f0d3ca92064619dd Mon Sep 17 00:00:00 2001
From: BT123 <abcdyzh...@163.com>
Date: Fri, 17 Nov 2017 16:45:45 +0800
Subject: [PATCH] bug in wave.py

---
 Lib/wave.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Lib/wave.py b/Lib/wave.py
index cf94d5af72b4..6db5a2e9cc96 100644
--- a/Lib/wave.py
+++ b/Lib/wave.py
@@ -259,6 +259,8 @@ def _read_fmt_chunk(self, chunk):
             self._sampwidth = (sampwidth + 7) // 8
         else:
             raise Error('unknown format: %r' % (wFormatTag,))
+        if self._nchannels == 0:
+            raise ValueError("The audio file in wav format should have at 
least one channel!")
         self._framesize = self._nchannels * self._sampwidth
         self._comptype = 'NONE'
         self._compname = 'not compressed'
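Review bot: the new check raises ValueError, while the line just above it in the same function reports a malformed header with the module's own Error, so callers that catch Error for bad files will not catch this case. Raise Error here for consistency, and consider the same guard for self._sampwidth: self._framesize is the product of both values, and `(sampwidth + 7) // 8` is zero for a zero sample width, which leaves the frame size at zero just as zero channels does.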

