PR#24: Update to 7.3.11 - rpms/pypy3.8

rpms / pypy3.8

#24 Update to 7.3.11

Merged 8 months ago by churchyard. Opened 9 months ago by churchyard.

rpms/ churchyard/pypy3.8 7.3.11 into rawhide

Miro Hrončok • 9 months ago

bfe7808

.gitignore

file modified

		`@@ -18,3 +18,4 @@`
		`/pypy3.8-v7.3.7-src.tar.bz2`
		`/pypy3.8-v7.3.8-src.tar.bz2`
		`/pypy3.8-v7.3.9-src.tar.bz2`
		`+ /pypy3.8-v7.3.11-src.tar.bz2`

382-cve-2015-20107.patch

file removed

-117

		`@@ -1,117 +0,0 @@`
		`- From c3caa02fe5e48e02a2ff2c0f409317022b05d34f Mon Sep 17 00:00:00 2001`
		`- From: Petr Viktorin <encukou@gmail.com>`
		`- Date: Fri, 3 Jun 2022 11:43:35 +0200`
		`- Subject: [PATCH] 00382: CVE-2015-20107`
		`-`
		`- Make mailcap refuse to match unsafe filenames/types/params (GH-91993)`
		`-`
		`- Upstream: https://github.com/python/cpython/issues/68966`
		`-`
		`- Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390`
		`- ---`
		`- lib-python/3/mailcap.py \| 26 ++++++++++++++++++++++++--`
		`- lib-python/3/test/test_mailcap.py \| 8 ++++++--`
		`- 2 files changed, 30 insertions(+), 4 deletions(-)`
		`-`
		`- diff --git a/lib-python/3/mailcap.py b/lib-python/3/mailcap.py`
		`- index ae416a8..444c640 100644`
		`- --- a/lib-python/3/mailcap.py`
		`- +++ b/lib-python/3/mailcap.py`
		`- @@ -2,6 +2,7 @@`
		`-`
		`- import os`
		`- import warnings`
		`- +import re`
		`-`
		`- __all__ = ["getcaps","findmatch"]`
		`-`
		`- @@ -13,6 +14,11 @@ def lineno_sort_key(entry):`
		`- else:`
		`- return 1, 0`
		`-`
		`- +_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search`
		`- +`
		`- +class UnsafeMailcapInput(Warning):`
		`- + """Warning raised when refusing unsafe input"""`
		`- +`
		`-`
		`- # Part 1: top-level interface.`
		`-`
		`- @@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):`
		`- entry to use.`
		`-`
		`- """`
		`- + if _find_unsafe(filename):`
		`- + msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)`
		`- + warnings.warn(msg, UnsafeMailcapInput)`
		`- + return None, None`
		`- entries = lookup(caps, MIMEtype, key)`
		`- # XXX This code should somehow check for the needsterminal flag.`
		`- for e in entries:`
		`- if 'test' in e:`
		`- test = subst(e['test'], filename, plist)`
		`- + if test is None:`
		`- + continue`
		`- if test and os.system(test) != 0:`
		`- continue`
		`- command = subst(e[key], MIMEtype, filename, plist)`
		`- - return command, e`
		`- + if command is not None:`
		`- + return command, e`
		`- return None, None`
		`-`
		`- def lookup(caps, MIMEtype, key=None):`
		`- @@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):`
		`- elif c == 's':`
		`- res = res + filename`
		`- elif c == 't':`
		`- + if _find_unsafe(MIMEtype):`
		`- + msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)`
		`- + warnings.warn(msg, UnsafeMailcapInput)`
		`- + return None`
		`- res = res + MIMEtype`
		`- elif c == '{':`
		`- start = i`
		`- @@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):`
		`- i = i+1`
		`- name = field[start:i]`
		`- i = i+1`
		`- - res = res + findparam(name, plist)`
		`- + param = findparam(name, plist)`
		`- + if _find_unsafe(param):`
		`- + msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)`
		`- + warnings.warn(msg, UnsafeMailcapInput)`
		`- + return None`
		`- + res = res + param`
		`- # XXX To do:`
		`- # %n == number of parts if type is multipart/*`
		`- # %F == list of alternating type and filename for parts`
		`- diff --git a/lib-python/3/test/test_mailcap.py b/lib-python/3/test/test_mailcap.py`
		`- index c08423c..920283d 100644`
		`- --- a/lib-python/3/test/test_mailcap.py`
		`- +++ b/lib-python/3/test/test_mailcap.py`
		`- @@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):`
		`- (["", "audio/*", "foo.txt"], ""),`
		`- (["echo foo", "audio/*", "foo.txt"], "echo foo"),`
		`- (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),`
		`- - (["echo %t", "audio/", "foo.txt"], "echo audio/"),`
		`- + (["echo %t", "audio/*", "foo.txt"], None),`
		`- + (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),`
		`- (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),`
		`- (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),`
		`- (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")`
		`- @@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):`
		`- ('"An audio fragment"', audio_basic_entry)),`
		`- ([c, "audio/*"],`
		`- {"filename": fname},`
		`- - ("/usr/local/bin/showaudio audio/*", audio_entry)),`
		`- + (None, None)),`
		`- + ([c, "audio/wav"],`
		`- + {"filename": fname},`
		`- + ("/usr/local/bin/showaudio audio/wav", audio_entry)),`
		`- ([c, "message/external-body"],`
		`- {"plist": plist},`
		`- ("showexternal /dev/null default john python.org /tmp foo bar", message_entry))`
		`- --`
		`- 2.35.3`
		`-`

386-cve-2021-28861.patch

file removed

-98

		`@@ -1,98 +0,0 @@`
		`- From e42be9b593f1d5e83a947f73058b919395398424 Mon Sep 17 00:00:00 2001`
		`- From: Julian Berman <Julian+Hg@GrayVines.com>`
		`- Date: Fri, 23 Sep 2022 11:30:55 +0200`
		`- Subject: [PATCH] Pull in the http.server vulnerability fix from`
		`- python/cpython#87389`
		`-`
		- Fixes an open redirection vulnerability for paths starting with `//`.
		`-`
		`- Closes: #3812`
		`-`
		`- --HG--`
		`- branch : http_server_vuln_fix`
		`- ---`
		`- lib-python/3/http/server.py \| 7 ++++`
		`- lib-python/3/test/test_httpservers.py \| 49 +++++++++++++++++++++++++++`
		`- 2 files changed, 56 insertions(+)`
		`-`
		`- diff --git a/lib-python/3/http/server.py b/lib-python/3/http/server.py`
		`- index 38f7accad7..39de35458c 100644`
		`- --- a/lib-python/3/http/server.py`
		`- +++ b/lib-python/3/http/server.py`
		`- @@ -332,6 +332,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):`
		`- return False`
		`- self.command, self.path = command, path`
		`-`
		`- + # gh-87389: The purpose of replacing '//' with '/' is to protect`
		`- + # against open redirect attacks possibly triggered if the path starts`
		`- + # with '//' because http clients treat //path as an absolute URI`
		`- + # without scheme (similar to http://path) rather than a path.`
		`- + if self.path.startswith('//'):`
		`- + self.path = '/' + self.path.lstrip('/') # Reduce to a single /`
		`- +`
		`- # Examine the headers and look for a Connection directive.`
		`- try:`
		`- self.headers = http.client.parse_headers(self.rfile,`
		`- diff --git a/lib-python/3/test/test_httpservers.py b/lib-python/3/test/test_httpservers.py`
		`- index c5b833723e..97dae7a7ce 100644`
		`- --- a/lib-python/3/test/test_httpservers.py`
		`- +++ b/lib-python/3/test/test_httpservers.py`
		`- @@ -416,6 +416,55 @@ class SimpleHTTPServerTestCase(BaseTestCase):`
		`- self.check_status_and_reason(response, HTTPStatus.OK,`
		`- data=support.TESTFN_UNDECODABLE)`
		`-`
		`- + def test_get_dir_redirect_location_domain_injection_bug(self):`
		`- + """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.`
		`- +`
		`- + //netloc/ in a Location header is a redirect to a new host.`
		`- + https://github.com/python/cpython/issues/87389`
		`- +`
		`- + This checks that a path resolving to a directory on our server cannot`
		`- + resolve into a redirect to another server.`
		`- + """`
		`- + os.mkdir(os.path.join(self.tempdir, 'existing_directory'))`
		`- + url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'`
		`- + expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash`
		`- + # Canonicalizes to /tmp/tempdir_name/existing_directory which does`
		`- + # exist and is a dir, triggering the 301 redirect logic.`
		`- + response = self.request(url)`
		`- + self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)`
		`- + location = response.getheader('Location')`
		`- + self.assertEqual(location, expected_location, msg='non-attack failed!')`
		`- +`
		`- + # //python.org... multi-slash prefix, no trailing slash`
		`- + attack_url = f'/{url}'`
		`- + response = self.request(attack_url)`
		`- + self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)`
		`- + location = response.getheader('Location')`
		`- + self.assertFalse(location.startswith('//'), msg=location)`
		`- + self.assertEqual(location, expected_location,`
		`- + msg='Expected Location header to start with a single / and '`
		`- + 'end with a / as this is a directory redirect.')`
		`- +`
		`- + # ///python.org... triple-slash prefix, no trailing slash`
		`- + attack3_url = f'//{url}'`
		`- + response = self.request(attack3_url)`
		`- + self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)`
		`- + self.assertEqual(response.getheader('Location'), expected_location)`
		`- +`
		`- + # If the second word in the http request (Request-URI for the http`
		`- + # method) is a full URI, we don't worry about it, as that'll be parsed`
		`- + # and reassembled as a full URI within BaseHTTPRequestHandler.send_head`
		`- + # so no errant scheme-less //netloc//evil.co/ domain mixup can happen.`
		`- + attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}'`
		`- + expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/'`
		`- + response = self.request(attack_scheme_netloc_2slash_url)`
		`- + self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)`
		`- + location = response.getheader('Location')`
		`- + # We're just ensuring that the scheme and domain make it through, if`
		`- + # there are or aren't multiple slashes at the start of the path that`
		`- + # follows that isn't important in this Location: header.`
		`- + self.assertTrue(location.startswith('https://pypi.org/'), msg=location)`
		`- +`
		`- def test_get(self):`
		`- #constructs the path relative to the root directory of the HTTPServer`
		`- response = self.request(self.base_url + '/test')`
		`- --`
		`- GitLab`
		`-`

pypy3.8.spec

file modified

+5 -18

		`@@ -1,13 +1,13 @@`
		`%global basever 7.3`
		`%global pyversion 3.8`
		`Name: pypy%{pyversion}`
		`- Version: %{basever}.9`
		`+ Version: %{basever}.11`
		`# The Python version is included in Release to workaround debuginfo conflicts`
		`# and make pypy versions with otherwise the same version-release always sorted`
		`# by Python version as well.`
		`# This potentially allows tags like Obsoletes: pypy3 < %%{version}-%%{release}.`
		`# https://bugzilla.redhat.com/2053880`
		`- %global baserelease 5`
		`+ %global baserelease 1`
		`Release: %{baserelease}.%{pyversion}%{?dist}`
		`Summary: Python %{pyversion} implementation with a Just-In-Time compiler`

		`@@ -179,22 +179,6 @@`
		`# We conditionally apply this, but we use autosetup, so we use Source here`
		`Source189: 189-use-rpm-wheels.patch`

		`- # 00382 #`
		`- # CVE-2015-20107`
		`- #`
		`- # Make mailcap refuse to match unsafe filenames/types/params (GH-91993)`
		`- #`
		`- # Upstream: https://github.com/python/cpython/issues/68966`
		`- #`
		`- # Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390`
		`- Patch382: 382-cve-2015-20107.patch`
		`-`
		`- # 00386 #`
		`- # CVE-2021-28861: open redirection in http.server`
		`- # Upstream: https://foss.heptapod.net/pypy/pypy/-/commit/e42be9b593f1d5e83a947f73058b919395398424.patch`
		`- # Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2120642`
		`- Patch386: 386-cve-2021-28861.patch`
		`-`
		`# Build-time requirements:`

		`# pypy's can be rebuilt using itself, rather than with CPython; doing so`
		`@@ -902,6 +886,9 @@`


		`%changelog`
		`+ * Fri Dec 30 2022 Miro Hrončok <mhroncok@redhat.com> - 7.3.11-1.3.8`
		`+ - Update to 7.3.11`
		`+`
		`* Mon Oct 10 2022 Lumír Balhar <lbalhar@redhat.com> - 7.3.9-5.3.8`
		`- Backport fix for CVE-2021-28861`
		`Resolves: rhbz#2120788`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (pypy3.8-v7.3.9-src.tar.bz2) = 2d1f1c0eda08344332fb983a1cd4e76391eb95197519d151d28ff7e6d3a337bc584908eed523a2f26aee0f62e61650353fada1a0d96d57dd197b2f349e033609`
		`+ SHA512 (pypy3.8-v7.3.11-src.tar.bz2) = 54b27602bc3fecbf6ab9adf46a64b8428693e4f70e4b8ca1af6532d2a72f5333426787a76c0d783e53ed7be7864a9f5db0cce9e11751c5b967a31a911623f0a2`