On Thu, Jul 02, 2026 at 04:45:32PM +0100, Stuart Henderson wrote:
> ok?

ok kmos

Sorry for the delay. I've been melting the past couple of
days :)

--Kurt

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/lang/python/3/Makefile,v
> diff -u -p -r1.25 Makefile
> --- Makefile  15 Apr 2026 15:57:02 -0000      1.25
> +++ Makefile  2 Jul 2026 15:45:12 -0000
> @@ -3,7 +3,7 @@
>  # requirement of the PSF license, if it constitutes a change to
>  # Python itself.
>  
> -FULL_VERSION =               3.13.13
> +FULL_VERSION =               3.13.14
>  SHARED_LIBS =                python3.13 0.0
>  VERSION_SPEC =               >=3.13,<3.14
>  PORTROACH =          limit:^3\.13
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/lang/python/3/distinfo,v
> diff -u -p -r1.11 distinfo
> --- distinfo  14 Apr 2026 10:51:23 -0000      1.11
> +++ distinfo  2 Jul 2026 15:45:12 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (Python-3.13.13.tgz) = +c3nsOLsgWXXMm4qD1nqJobOnQxhfbuz1mp+VNMbdLk=
> -SIZE (Python-3.13.13.tgz) = 29842908
> +SHA256 (Python-3.13.14.tgz) = WuU1o2rw68pvyhduy4GX9ducHLjI8M0SzfF4cEbbH0E=
> +SIZE (Python-3.13.14.tgz) = 29914816
> Index: files/CHANGES.OpenBSD
> ===================================================================
> RCS file: /cvs/ports/lang/python/3/files/CHANGES.OpenBSD,v
> diff -u -p -r1.6 CHANGES.OpenBSD
> --- files/CHANGES.OpenBSD     14 Apr 2026 10:51:23 -0000      1.6
> +++ files/CHANGES.OpenBSD     2 Jul 2026 15:45:12 -0000
> @@ -24,7 +24,5 @@ which results in loading an incorrect ve
>  
>  8.  Work around expat_config.h missing from base.
>  
> -9.  Cherry-pick fixes for CVE-2026-4519, CVE-2026-6100.
> -
>  These changes are available in the OpenBSD CVS repository
>  <http://www.openbsd.org/anoncvs.html> in ports/lang/python/3.
> Index: patches/patch-Lib_test_test_webbrowser_py
> ===================================================================
> RCS file: patches/patch-Lib_test_test_webbrowser_py
> diff -N patches/patch-Lib_test_test_webbrowser_py
> --- patches/patch-Lib_test_test_webbrowser_py 14 Apr 2026 10:51:23 -0000      
> 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,26 +0,0 @@
> -Fix fix for CVE 2026-4519
> -
> -A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
> -the dash-prefix safety check.
> -
> -https://github.com/python/cpython/pull/148517
> -
> -Index: Lib/test/test_webbrowser.py
> ---- Lib/test/test_webbrowser.py.orig
> -+++ Lib/test/test_webbrowser.py
> -@@ -118,6 +118,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.Tes
> -                        arguments=[URL],
> -                        kw=dict(new=999))
> - 
> -+    def test_reject_action_dash_prefixes(self):
> -+        browser = self.browser_class(name=CMD_NAME)
> -+        with self.assertRaises(ValueError):
> -+            browser.open('%action--incognito')
> -+        # new=1: action is "--new-window", so "%action" itself expands to
> -+        # a dash-prefixed flag even with no dash in the original URL.
> -+        with self.assertRaises(ValueError):
> -+            browser.open('%action', new=1)
> -+
> - 
> - class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
> - 
> Index: patches/patch-Lib_webbrowser_py
> ===================================================================
> RCS file: patches/patch-Lib_webbrowser_py
> diff -N patches/patch-Lib_webbrowser_py
> --- patches/patch-Lib_webbrowser_py   14 Apr 2026 10:51:23 -0000      1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,28 +0,0 @@
> -Fix fix for CVE 2026-4519
> -
> -A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
> -the dash-prefix safety check.
> -
> -https://github.com/python/cpython/pull/148517
> -Index: Lib/webbrowser.py
> ---- Lib/webbrowser.py.orig
> -+++ Lib/webbrowser.py
> -@@ -275,7 +275,6 @@ class UnixBrowser(BaseBrowser):
> - 
> -     def open(self, url, new=0, autoraise=True):
> -         sys.audit("webbrowser.open", url)
> --        self._check_url(url)
> -         if new == 0:
> -             action = self.remote_action
> -         elif new == 1:
> -@@ -289,7 +288,9 @@ class UnixBrowser(BaseBrowser):
> -             raise Error("Bad 'new' parameter to open(); "
> -                         f"expected 0, 1, or 2, got {new}")
> - 
> --        args = [arg.replace("%s", url).replace("%action", action)
> -+        self._check_url(url.replace("%action", action))
> -+
> -+        args = [arg.replace("%action", action).replace("%s", url)
> -                 for arg in self.remote_args]
> -         args = [arg for arg in args if arg]
> -         success = self._invoke(args, True, autoraise, url)
> Index: patches/patch-Modules__bz2module_c
> ===================================================================
> RCS file: patches/patch-Modules__bz2module_c
> diff -N patches/patch-Modules__bz2module_c
> --- patches/patch-Modules__bz2module_c        14 Apr 2026 10:51:23 -0000      
> 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,21 +0,0 @@
> -CVE-2026-6100:
> -
> -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
> -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
> -when memory allocation fails with :exc:`MemoryError`, which could let a
> -subsequent :meth:`!decompress` call read or write through a stale pointer to
> -the already-released caller buffer.
> -
> -https://github.com/python/cpython/pull/148479
> -
> -Index: Modules/_bz2module.c
> ---- Modules/_bz2module.c.orig
> -+++ Modules/_bz2module.c
> -@@ -589,6 +589,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len,
> -     return result;
> - 
> - error:
> -+    bzs->next_in = NULL;
> -     Py_XDECREF(result);
> -     return NULL;
> - }
> Index: patches/patch-Modules__lzmamodule_c
> ===================================================================
> RCS file: patches/patch-Modules__lzmamodule_c
> diff -N patches/patch-Modules__lzmamodule_c
> --- patches/patch-Modules__lzmamodule_c       14 Apr 2026 10:51:23 -0000      
> 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,21 +0,0 @@
> -CVE-2026-6100:
> -
> -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
> -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
> -when memory allocation fails with :exc:`MemoryError`, which could let a
> -subsequent :meth:`!decompress` call read or write through a stale pointer to
> -the already-released caller buffer.
> -
> -https://github.com/python/cpython/pull/148479
> -
> -Index: Modules/_lzmamodule.c
> ---- Modules/_lzmamodule.c.orig
> -+++ Modules/_lzmamodule.c
> -@@ -1112,6 +1112,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len,
> -     return result;
> - 
> - error:
> -+    lzs->next_in = NULL;
> -     Py_XDECREF(result);
> -     return NULL;
> - }
> Index: patches/patch-Modules_zlibmodule_c
> ===================================================================
> RCS file: patches/patch-Modules_zlibmodule_c
> diff -N patches/patch-Modules_zlibmodule_c
> --- patches/patch-Modules_zlibmodule_c        14 Apr 2026 10:51:23 -0000      
> 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,21 +0,0 @@
> -CVE-2026-6100:
> -
> -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
> -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
> -when memory allocation fails with :exc:`MemoryError`, which could let a
> -subsequent :meth:`!decompress` call read or write through a stale pointer to
> -the already-released caller buffer.
> -
> -https://github.com/python/cpython/pull/148479
> -
> -Index: Modules/zlibmodule.c
> ---- Modules/zlibmodule.c.orig
> -+++ Modules/zlibmodule.c
> -@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
> -     return result;
> - 
> - error:
> -+    self->zst.next_in = NULL;
> -     Py_XDECREF(result);
> -     return NULL;
> - }
> Index: patches/patch-configure_ac
> ===================================================================
> RCS file: /cvs/ports/lang/python/3/patches/patch-configure_ac,v
> diff -u -p -r1.5 patch-configure_ac
> --- patches/patch-configure_ac        14 Apr 2026 10:51:23 -0000      1.5
> +++ patches/patch-configure_ac        2 Jul 2026 15:45:12 -0000
> @@ -49,7 +49,7 @@ Index: configure.ac
>       # Any changes made here should be reflected in the GCC+Darwin case below
>       PGO_PROF_GEN_FLAG="-fprofile-instr-generate"
>       PGO_PROF_USE_FLAG="-fprofile-instr-use=\"\$(shell 
> pwd)/code.profclangd\""
> -@@ -4369,11 +4370,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
> +@@ -4391,11 +4392,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
>   dnl
>   found_tcltk=no
>   for _QUERY in \
> Index: pkg/PLIST-main
> ===================================================================
> RCS file: /cvs/ports/lang/python/3/pkg/PLIST-main,v
> diff -u -p -r1.17 PLIST-main
> --- pkg/PLIST-main    14 Apr 2026 10:51:23 -0000      1.17
> +++ pkg/PLIST-main    2 Jul 2026 15:45:12 -0000
> @@ -1809,7 +1809,7 @@ lib/python3.13/ensurepip/__pycache__/_un
>  lib/python3.13/ensurepip/__pycache__/_uninstall.cpython-313.opt-2.pyc
>  lib/python3.13/ensurepip/__pycache__/_uninstall.cpython-313.pyc
>  lib/python3.13/ensurepip/_bundled/
> -lib/python3.13/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
> +lib/python3.13/ensurepip/_bundled/pip-26.1.2-py3-none-any.whl
>  lib/python3.13/ensurepip/_uninstall.py
>  lib/python3.13/enum.py
>  lib/python3.13/filecmp.py
> Index: pkg/PLIST-tests
> ===================================================================
> RCS file: /cvs/ports/lang/python/3/pkg/PLIST-tests,v
> diff -u -p -r1.12 PLIST-tests
> --- pkg/PLIST-tests   14 Apr 2026 10:51:23 -0000      1.12
> +++ pkg/PLIST-tests   2 Jul 2026 15:45:12 -0000
> @@ -2284,6 +2284,9 @@ lib/python3.13/test/test_capi/__pycache_
>  lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.opt-1.pyc
>  lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.opt-2.pyc
>  lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.pyc
> +lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.opt-1.pyc
> +lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.opt-2.pyc
> +lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.pyc
>  lib/python3.13/test/test_capi/check_config.py
>  lib/python3.13/test/test_capi/test_abstract.py
>  lib/python3.13/test/test_capi/test_bytearray.py
> @@ -2316,6 +2319,7 @@ lib/python3.13/test/test_capi/test_time.
>  lib/python3.13/test/test_capi/test_tuple.py
>  lib/python3.13/test/test_capi/test_unicode.py
>  lib/python3.13/test/test_capi/test_watchers.py
> +lib/python3.13/test/test_capi/test_weakref.py
>  lib/python3.13/test/test_cext/
>  lib/python3.13/test/test_cext/__init__.py
>  lib/python3.13/test/test_cext/__pycache__/
> @@ -3797,6 +3801,7 @@ lib/python3.13/test/test_json/__pycache_
>  lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.opt-1.pyc
>  lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.opt-2.pyc
>  lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.pyc
> +lib/python3.13/test/test_json/json_lines.jsonl
>  lib/python3.13/test/test_json/test_decode.py
>  lib/python3.13/test/test_json/test_default.py
>  lib/python3.13/test/test_json/test_dump.py

Reply via email to