PR#100: Rebase to 3.7.3rc1 - rpms/python3

rpms / python3

#100 Rebase to 3.7.3rc1

Closed 5 years ago by churchyard. Opened 5 years ago by churchyard.

rpms/ churchyard/python3 3.7.3rc1 into master

Rebase to 3.7.3rc1

Miro Hrončok • 5 years ago

45a4368

00189-use-rpm-wheels.patch

file modified

+2 -2

		`@@ -16,9 +16,9 @@`

		`+_WHEEL_DIR = "/usr/share/python-wheels/"`

		`- -_SETUPTOOLS_VERSION = "40.6.2"`
		`+ -_SETUPTOOLS_VERSION = "40.8.0"`

		`- -_PIP_VERSION = "18.1"`
		`+ -_PIP_VERSION = "19.0.3"`
		`+def _get_most_recent_wheel_version(pkg):`
		`+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))`
		`+ suffix = "-py2.py3-none-any.whl"`

00317-CVE-2019-5010.patch

file removed

-111

		`@@ -1,111 +0,0 @@`
		`- From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001`
		`- From: Christian Heimes <christian@python.org>`
		`- Date: Tue, 15 Jan 2019 18:16:30 +0100`
		`- Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser`
		`-`
		`- CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did`
		`- not handle CRL distribution points with empty DP or URI correctly. A`
		`- malicious or buggy certificate can result into segfault.`
		`-`
		`- Signed-off-by: Christian Heimes <christian@python.org>`
		`- ---`
		`- Lib/test/talos-2019-0758.pem \| 22 +++++++++++++++++++`
		`- Lib/test/test_ssl.py \| 22 +++++++++++++++++++`
		`- .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst \| 3 +++`
		`- Modules/_ssl.c \| 4 ++++`
		`- 4 files changed, 51 insertions(+)`
		`- create mode 100644 Lib/test/talos-2019-0758.pem`
		`- create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst`
		`-`
		`- diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem`
		`- new file mode 100644`
		`- index 000000000000..13b95a77fd8a`
		`- --- /dev/null`
		`- +++ b/Lib/test/talos-2019-0758.pem`
		`- @@ -0,0 +1,22 @@`
		`- +-----BEGIN CERTIFICATE-----`
		`- +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO`
		`- +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7`
		`- +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh`
		`- +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB`
		`- +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES`
		`- +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD`
		`- +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C`
		`- +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP`
		`- +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF`
		`- +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp`
		`- +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io`
		`- +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7`
		`- +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu`
		`- +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG`
		`- +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p`
		`- +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr`
		`- +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit`
		`- +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV`
		`- +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+`
		`- +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==`
		`- +-----END CERTIFICATE-----`
		`- diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py`
		`- index 7f6b93148f45..1fc657f4d867 100644`
		`- --- a/Lib/test/test_ssl.py`
		`- +++ b/Lib/test/test_ssl.py`
		`- @@ -115,6 +115,7 @@ def data_file(*name):`
		`- BADKEY = data_file("badkey.pem")`
		`- NOKIACERT = data_file("nokia.pem")`
		`- NULLBYTECERT = data_file("nullbytecert.pem")`
		`- +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")`
		`-`
		`- DHFILE = data_file("ffdh3072.pem")`
		`- BYTES_DHFILE = os.fsencode(DHFILE)`
		`- @@ -348,6 +349,27 @@ def test_parse_cert(self):`
		`- self.assertEqual(p['crlDistributionPoints'],`
		`- ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))`
		`-`
		`- + def test_parse_cert_CVE_2019_5010(self):`
		`- + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)`
		`- + if support.verbose:`
		`- + sys.stdout.write("\n" + pprint.pformat(p) + "\n")`
		`- + self.assertEqual(`
		`- + p,`
		`- + {`
		`- + 'issuer': (`
		`- + (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),`
		`- + 'notAfter': 'Jun 14 18:00:58 2028 GMT',`
		`- + 'notBefore': 'Jun 18 18:00:58 2018 GMT',`
		`- + 'serialNumber': '02',`
		`- + 'subject': ((('countryName', 'UK'),),`
		`- + (('commonName',`
		`- + 'codenomicon-vm-2.test.lal.cisco.com'),)),`
		`- + 'subjectAltName': (`
		`- + ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),`
		`- + 'version': 3`
		`- + }`
		`- + )`
		`- +`
		`- def test_parse_cert_CVE_2013_4238(self):`
		`- p = ssl._ssl._test_decode_cert(NULLBYTECERT)`
		`- if support.verbose:`
		`- diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst`
		`- new file mode 100644`
		`- index 000000000000..dffe347eec84`
		`- --- /dev/null`
		`- +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst`
		`- @@ -0,0 +1,3 @@`
		`- +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did`
		`- +not handle CRL distribution points with empty DP or URI correctly. A`
		`- +malicious or buggy certificate can result into segfault.`
		`- diff --git a/Modules/_ssl.c b/Modules/_ssl.c`
		`- index 4e3352d9e661..0e720e268d93 100644`
		`- --- a/Modules/_ssl.c`
		`- +++ b/Modules/_ssl.c`
		`- @@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {`
		`- STACK_OF(GENERAL_NAME) *gns;`
		`-`
		`- dp = sk_DIST_POINT_value(dps, i);`
		`- + if (dp->distpoint == NULL) {`
		`- + /* Ignore empty DP value, CVE-2019-5010 */`
		`- + continue;`
		`- + }`
		`- gns = dp->distpoint->name.fullname;`
		`-`
		`- for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {`

00320-CVE-2019-9636.patch

file removed

-150

		`@@ -1,150 +0,0 @@`
		`- From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001`
		`- From: Steve Dower <steve.dower@microsoft.com>`
		`- Date: Thu, 7 Mar 2019 09:08:18 -0800`
		`- Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize`
		`- to separators (GH-12201)`
		`-`
		`- ---`
		`- Doc/library/urllib.parse.rst \| 18 +++++++++++++++`
		`- Lib/test/test_urlparse.py \| 23 +++++++++++++++++++`
		`- Lib/urllib/parse.py \| 17 ++++++++++++++`
		`- .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst \| 3 +++`
		`- 4 files changed, 61 insertions(+)`
		`- create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst`
		`-`
		`- diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst`
		`- index 0c8f0f607314..b565e1edd321 100644`
		`- --- a/Doc/library/urllib.parse.rst`
		`- +++ b/Doc/library/urllib.parse.rst`
		`- @@ -124,6 +124,11 @@ or on combining URL components into a URL string.`
		- Unmatched square brackets in the :attr:`netloc` attribute will raise a
		- :exc:`ValueError`.
		`-`
		- + Characters in the :attr:`netloc` attribute that decompose under NFKC
		- + normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
		- + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
		`- + decomposed before parsing, no error will be raised.`
		`- +`
		`- .. versionchanged:: 3.2`
		`- Added IPv6 URL parsing capabilities.`
		`-`
		`- @@ -136,6 +141,10 @@ or on combining URL components into a URL string.`
		- Out-of-range port numbers now raise :exc:`ValueError`, instead of
		- returning :const:`None`.
		`-`
		`- + .. versionchanged:: 3.7.3`
		`- + Characters that affect netloc parsing under NFKC normalization will`
		- + now raise :exc:`ValueError`.
		`- +`
		`-`
		`- .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)`
		`-`
		`- @@ -257,10 +266,19 @@ or on combining URL components into a URL string.`
		- Unmatched square brackets in the :attr:`netloc` attribute will raise a
		- :exc:`ValueError`.
		`-`
		- + Characters in the :attr:`netloc` attribute that decompose under NFKC
		- + normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
		- + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
		`- + decomposed before parsing, no error will be raised.`
		`- +`
		`- .. versionchanged:: 3.6`
		- Out-of-range port numbers now raise :exc:`ValueError`, instead of
		- returning :const:`None`.
		`-`
		`- + .. versionchanged:: 3.7.3`
		`- + Characters that affect netloc parsing under NFKC normalization will`
		- + now raise :exc:`ValueError`.
		`- +`
		`-`
		`- .. function:: urlunsplit(parts)`
		`-`
		`- diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py`
		`- index be50b47603aa..e6638aee2244 100644`
		`- --- a/Lib/test/test_urlparse.py`
		`- +++ b/Lib/test/test_urlparse.py`
		`- @@ -1,3 +1,5 @@`
		`- +import sys`
		`- +import unicodedata`
		`- import unittest`
		`- import urllib.parse`
		`-`
		`- @@ -984,6 +986,27 @@ def test_all(self):`
		`- expected.append(name)`
		`- self.assertCountEqual(urllib.parse.__all__, expected)`
		`-`
		`- + def test_urlsplit_normalization(self):`
		`- + # Certain characters should never occur in the netloc,`
		`- + # including under normalization.`
		`- + # Ensure that ALL of them are detected and cause an error`
		`- + illegal_chars = '/:#?@'`
		`- + hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}`
		`- + denorm_chars = [`
		`- + c for c in map(chr, range(128, sys.maxunicode))`
		`- + if (hex_chars & set(unicodedata.decomposition(c).split()))`
		`- + and c not in illegal_chars`
		`- + ]`
		`- + # Sanity check that we found at least one such character`
		`- + self.assertIn('\u2100', denorm_chars)`
		`- + self.assertIn('\uFF03', denorm_chars)`
		`- +`
		`- + for scheme in ["http", "https", "ftp"]:`
		`- + for c in denorm_chars:`
		`- + url = "{}://netloc{}false.netloc/path".format(scheme, c)`
		`- + with self.subTest(url=url, char='{:04X}'.format(ord(c))):`
		`- + with self.assertRaises(ValueError):`
		`- + urllib.parse.urlsplit(url)`
		`-`
		`- class Utility_Tests(unittest.TestCase):`
		`- """Testcase to test the various utility functions in the urllib."""`
		`- diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py`
		`- index f691ab74f87f..39c5d6a80824 100644`
		`- --- a/Lib/urllib/parse.py`
		`- +++ b/Lib/urllib/parse.py`
		`- @@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):`
		`- delim = min(delim, wdelim) # use earliest delim position`
		`- return url[start:delim], url[delim:] # return (domain, rest)`
		`-`
		`- +def _checknetloc(netloc):`
		`- + if not netloc or netloc.isascii():`
		`- + return`
		`- + # looking for characters like \u2100 that expand to 'a/c'`
		`- + # IDNA uses NFKC equivalence, so normalize for this check`
		`- + import unicodedata`
		`- + netloc2 = unicodedata.normalize('NFKC', netloc)`
		`- + if netloc == netloc2:`
		`- + return`
		`- + _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay`
		`- + for c in '/?#@:':`
		`- + if c in netloc2:`
		`- + raise ValueError("netloc '" + netloc2 + "' contains invalid " +`
		`- + "characters under NFKC normalization")`
		`- +`
		`- def urlsplit(url, scheme='', allow_fragments=True):`
		`- """Parse a URL into 5 components:`
		`- <scheme>://<netloc>/<path>?<query>#<fragment>`
		`- @@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True):`
		`- url, fragment = url.split('#', 1)`
		`- if '?' in url:`
		`- url, query = url.split('?', 1)`
		`- + _checknetloc(netloc)`
		`- v = SplitResult('http', netloc, url, query, fragment)`
		`- _parse_cache[key] = v`
		`- return _coerce_result(v)`
		`- @@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True):`
		`- url, fragment = url.split('#', 1)`
		`- if '?' in url:`
		`- url, query = url.split('?', 1)`
		`- + _checknetloc(netloc)`
		`- v = SplitResult(scheme, netloc, url, query, fragment)`
		`- _parse_cache[key] = v`
		`- return _coerce_result(v)`
		`- diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst`
		`- new file mode 100644`
		`- index 000000000000..5546394157f9`
		`- --- /dev/null`
		`- +++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst`
		`- @@ -0,0 +1,3 @@`
		`- +Changes urlsplit() to raise ValueError when the URL contains characters that`
		`- +decompose under IDNA encoding (NFKC-normalization) into characters that`
		`- +affect how the URL is parsed.`

python3.spec

file modified

+14 -20

		`@@ -13,8 +13,11 @@`

		`# WARNING When rebasing to a new Python version,`
		`# remember to update the python3-docs package as well`
		`- Version: %{pybasever}.2`
		`- Release: 8%{?dist}`
		`+ %global general_version %{pybasever}.3`
		`+ %global prerel rc1`
		`+ %global upstream_version %{general_version}%{?prerel}`
		`+ Version: %{general_version}%{?prerel:~%{prerel}}`
		`+ Release: 1%{?dist}`
		`License: Python`


		`@@ -198,7 +201,7 @@`
		`# Source code and patches`
		`# =======================`

		`- Source: https://www.python.org/ftp/python/%{version}/Python-%{version}%{?prerel}.tar.xz`
		`+ Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz`

		`# A simple script to check timestamps of bytecode files`
		`# Run in check section with Python that is currently being built`
		`@@ -300,16 +303,6 @@`
		`# So we mark the command as unsupported - and the tests are skipped`
		`Patch316: 00316-mark-bdist_wininst-unsupported.patch`

		`- # 00317 #`
		`- # Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser`
		`- # Fixed upstream https://bugs.python.org/issue35746`
		`- Patch317: 00317-CVE-2019-5010.patch`
		`-`
		`- # 00320 #`
		`- # Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization`
		`- # Fixed upstream https://bugs.python.org/issue36216`
		`- Patch320: 00320-CVE-2019-9636.patch`
		`-`
		`# (New patches go here ^^^)`
		`#`
		`# When adding new patches to "python" and "python3" in Fedora, EL, etc.,`
		`@@ -397,8 +390,8 @@`
		`Requires: python-setuptools-wheel`
		`Requires: python-pip-wheel`
		`%else`
		`- Provides: bundled(python3-pip) = 18.1`
		`- Provides: bundled(python3-setuptools) = 40.6.2`
		`+ Provides: bundled(python3-pip) = 19.0.3`
		`+ Provides: bundled(python3-setuptools) = 40.8.0`
		`%endif`

		`# There are files in the standard library that have python shebang.`
		`@@ -552,8 +545,8 @@`
		`Requires: python-setuptools-wheel`
		`Requires: python-pip-wheel`
		`%else`
		`- Provides: bundled(python3-pip) = 18.1`
		`- Provides: bundled(python3-setuptools) = 40.6.2`
		`+ Provides: bundled(python3-pip) = 19.0.3`
		`+ Provides: bundled(python3-setuptools) = 40.8.0`
		`%endif`

		`# The description for the flat package`
		`@@ -572,7 +565,7 @@`
		`# ======================================================`

		`%prep`
		`- %setup -q -n Python-%{version}%{?prerel}`
		`+ %setup -q -n Python-%{upstream_version}`
		`# Remove all exe files to ensure we are not shipping prebuilt binaries`
		`# note that those are only used to create Microsoft Windows installers`
		`# and that functionality is broken on Linux anyway`
		`@@ -605,8 +598,6 @@`
		`%patch251 -p1`
		`%patch274 -p1`
		`%patch316 -p1`
		`- %patch317 -p1`
		`- %patch320 -p1`


		`# Remove files that should be generated by the build`
		`@@ -1527,6 +1518,9 @@`
		`# ======================================================`

		`%changelog`
		`+ * Thu Mar 21 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.3~rc1-1`
		`+ - Update to 3.7.3rc1`
		`+`
		`* Thu Mar 14 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.2-8`
		`- Security fix for CVE-2019-9636 (#1688543, #1688546)`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (Python-3.7.2.tar.xz) = 6cd2d6d8455558783b99d55985cd7b22d67b98f41a09b4fdd96f680a630a4e035220d2b903f8c59ed513aa5ffe6730fa947ddb55bb72ce36f0e945ef8af5d971`
		`+ SHA512 (Python-3.7.3rc1.tar.xz) = a0266a414f5a5828587e43e95fad494be2b0ac4563faefc26ef3f36fb19abb8cfe9b845e4ffec7652ac3ce17b7f47d2b89cd2032017d0f607a9fe4a5f08c4da7`