packages/python3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sync release 39 from 20.03-LTS-SP3, and fix CVE-2007-4559, fix test_xml_etree error

Browse Source
This commit is contained in:
wangshuo 2024-10-25 16:58:09 +08:00
parent 358ea4752a
commit 5f32441d05
5 changed files with 2907 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
Add-loongarch-support.patch Normal file
View File

@ -0,0 +1,61 @@
From b87dad459825a407084c9acde88f42d86139715e Mon Sep 17 00:00:00 2001
From: GuoCe <guoce@kylinos.cn>
Date: Wed, 6 Mar 2024 18:17:32 +0800
Subject: [PATCH] Add loongarch support
---
config.guess | 3 +++
config.sub | 2 ++
configure.ac | 2 ++
3 files changed, 7 insertions(+)
diff --git a/config.guess b/config.guess
index 256083a..33fafea 100755
--- a/config.guess
+++ b/config.guess
@@ -970,6 +970,9 @@ EOF
m68*:Linux:*:*)
echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
exit ;;
+ loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*)
+ echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"
+ exit ;;
mips:Linux:*:* | mips64:Linux:*:*)
eval "$set_cc_for_build"
sed 's/^ //' << EOF > "$dummy.c"
diff --git a/config.sub b/config.sub
index ba37cf9..d971b78 100755
--- a/config.sub
+++ b/config.sub
@@ -265,6 +265,7 @@ case $basic_machine in
| k1om \
| le32 | le64 \
| lm32 \
+ | loongarch32 | loongarch64 | loongarchx32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
| mips | mipsbe | mipseb | mipsel | mipsle \
@@ -394,6 +395,7 @@ case $basic_machine in
| k1om-* \
| le32-* | le64-* \
| lm32-* \
+ | loongarch32 | loongarch64 | loongarchx32 \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
diff --git a/configure.ac b/configure.ac
index c2e9fbb..b83fdcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -779,6 +779,8 @@ cat >> conftest.c <<EOF
hppa-linux-gnu
# elif defined(__ia64__)
ia64-linux-gnu
+# elif defined(__loongarch64)
+ loongarch64-linux-gnu
# elif defined(__m68k__) && !defined(__mcoldfire__)
m68k-linux-gnu
# elif defined(__mips_hard_float) && defined(__mips_isa_rev) && (__mips_isa_rev >=6) && defined(_MIPSEL)
--
2.27.0

2469
backport-3.7-gh-102950-Implement-PEP-706-Filter-for-tarfile.e.patch Normal file
View File

File diff suppressed because it is too large Load Diff

308
backport-3.7-gh-107845-Fix-symlink-handling-for-tarfile.data_.patch Normal file
View File

@ -0,0 +1,308 @@
From 4e32d16aa771abb1787e5e9faecb0bec0d639e3c Mon Sep 17 00:00:00 2001
From: wangshuo <wangshuo@kylinos.cn>
Date: Thu, 24 Oct 2024 18:25:51 +0800
Subject: [PATCH 2/3] [3.7] gh-107845: Fix symlink handling for
tarfile.data_filter (GH-107846)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(cherry picked from commit acbd3f9)
https://github.com/python/cpython/commit/acbd3f9c5c5f23e95267714e41236140d84fe962
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>
Refer to:
https://github.com/python/cpython/issues/107845
https://github.com/encukou/cpython/commit/63556bccc21ef6726ad7bc5769c2dbb08cf5910f
https://github.com/encukou/cpython/commit/8e15c2e44cbdbd48522db678ab2519a50f9d41b1
---
Doc/library/tarfile.rst | 5 +
Lib/tarfile.py | 11 +-
Lib/test/test_tarfile.py | 144 +++++++++++++++++-
...-08-10-17-36-22.gh-issue-107845.dABiMJ.rst | 3 +
4 files changed, 154 insertions(+), 9 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2023-08-10-17-36-22.gh-issue-107845.dABiMJ.rst
diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
index 3f544c3..950e00d 100644
--- a/Doc/library/tarfile.rst
+++ b/Doc/library/tarfile.rst
@@ -715,6 +715,11 @@ A ``TarInfo`` object has the following public data attributes:
Name of the target file name, which is only present in :class:`TarInfo` objects
of type :const:`LNKTYPE` and :const:`SYMTYPE`.
+ For symbolic links (``SYMTYPE``), the *linkname* is relative to the directory
+ that contains the link.
+ For hard links (``LNKTYPE``), the *linkname* is relative to the root of
+ the archive.
+
.. attribute:: TarInfo.uid
diff --git a/Lib/tarfile.py b/Lib/tarfile.py
index 71c5112..9a8d2dd 100755
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -750,7 +750,7 @@ class SpecialFileError(FilterError):
class AbsoluteLinkError(FilterError):
def __init__(self, tarinfo):
self.tarinfo = tarinfo
- super().__init__(f'{tarinfo.name!r} is a symlink to an absolute path')
+ super().__init__(f'{tarinfo.name!r} is a link to an absolute path')
class LinkOutsideDestinationError(FilterError):
def __init__(self, tarinfo, path):
@@ -810,7 +810,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True):
if member.islnk() or member.issym():
if os.path.isabs(member.linkname):
raise AbsoluteLinkError(member)
- target_path = os.path.realpath(os.path.join(dest_path, member.linkname))
+ if member.issym():
+ target_path = os.path.join(dest_path,
+ os.path.dirname(name),
+ member.linkname)
+ else:
+ target_path = os.path.join(dest_path,
+ member.linkname)
+ target_path = os.path.realpath(target_path)
if os.path.commonpath([target_path, dest_path]) != dest_path:
raise LinkOutsideDestinationError(member, target_path)
return new_attrs
diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
index f1aed04..a3db33d 100644
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -2984,10 +2984,12 @@ class ArchiveMaker:
self.bio = None
def add(self, name, *, type=None, symlink_to=None, hardlink_to=None,
- mode=None, **kwargs):
+ mode=None, size=None, **kwargs):
"""Add a member to the test archive. Call within `with`."""
name = str(name)
tarinfo = tarfile.TarInfo(name).replace(**kwargs)
+ if size is not None:
+ tarinfo.size = size
if mode:
tarinfo.mode = _filemode_to_int(mode)
if symlink_to is not None:
@@ -3060,7 +3062,8 @@ class TestExtractionFilters(unittest.TestCase):
raise self.raised_exception
self.assertEqual(self.expected_paths, set())
- def expect_file(self, name, type=None, symlink_to=None, mode=None):
+ def expect_file(self, name, type=None, symlink_to=None, mode=None,
+ size=None):
"""Check a single file. See check_context."""
if self.raised_exception:
raise self.raised_exception
@@ -3094,6 +3097,8 @@ class TestExtractionFilters(unittest.TestCase):
self.assertTrue(path.is_fifo())
else:
raise NotImplementedError(type)
+ if size is not None:
+ self.assertEqual(path.stat().st_size, size)
for parent in path.parents:
self.expected_paths.discard(parent)
@@ -3139,8 +3144,15 @@ class TestExtractionFilters(unittest.TestCase):
# Test interplaying symlinks
# Inspired by 'dirsymlink2a' in jwilk/traversal-archives
with ArchiveMaker() as arc:
+
+ # `current` links to `.` which is both:
+ # - the destination directory
+ # - `current` itself
arc.add('current', symlink_to='.')
+
+ # effectively points to ./../
arc.add('parent', symlink_to='current/..')
+
arc.add('parent/evil')
if support.can_symlink():
@@ -3181,9 +3193,46 @@ class TestExtractionFilters(unittest.TestCase):
def test_parent_symlink2(self):
# Test interplaying symlinks
# Inspired by 'dirsymlink2b' in jwilk/traversal-archives
+
+ # Posix and Windows have different pathname resolution:
+ # either symlink or a '..' component resolve first.
+ # Let's see which we are on.
+ if support.can_symlink():
+ testpath = os.path.join(TEMPDIR, 'resolution_test')
+ os.mkdir(testpath)
+
+ # testpath/current links to `.` which is all of:
+ # - `testpath`
+ # - `testpath/current`
+ # - `testpath/current/current`
+ # - etc.
+ os.symlink('.', os.path.join(testpath, 'current'))
+
+ # we'll test where `testpath/current/../file` ends up
+ with open(os.path.join(testpath, 'current', '..', 'file'), 'w'):
+ pass
+
+ if os.path.exists(os.path.join(testpath, 'file')):
+ # Windows collapses 'current\..' to '.' first, leaving
+ # 'testpath\file'
+ dotdot_resolves_early = True
+ elif os.path.exists(os.path.join(testpath, '..', 'file')):
+ # Posix resolves 'current' to '.' first, leaving
+ # 'testpath/../file'
+ dotdot_resolves_early = False
+ else:
+ raise AssertionError('Could not determine link resolution')
+
with ArchiveMaker() as arc:
+
+ # `current` links to `.` which is both the destination directory
+ # and `current` itself
arc.add('current', symlink_to='.')
+
+ # `current/parent` is also available as `./parent`,
+ # and effectively points to `./../`
arc.add('current/parent', symlink_to='..')
+
arc.add('parent/evil')
with self.check_context(arc.open(), 'fully_trusted'):
@@ -3197,6 +3246,7 @@ class TestExtractionFilters(unittest.TestCase):
with self.check_context(arc.open(), 'tar'):
if support.can_symlink():
+ # Fail when extracting a file outside destination
self.expect_exception(
tarfile.OutsideDestinationError,
"'parent/evil' would be extracted to "
@@ -3207,10 +3257,24 @@ class TestExtractionFilters(unittest.TestCase):
self.expect_file('parent/evil')
with self.check_context(arc.open(), 'data'):
- self.expect_exception(
- tarfile.LinkOutsideDestinationError,
- """'current/parent' would link to ['"].*['"], """
- + "which is outside the destination")
+ if support.can_symlink():
+ if dotdot_resolves_early:
+ # Fail when extracting a file outside destination
+ self.expect_exception(
+ tarfile.OutsideDestinationError,
+ "'parent/evil' would be extracted to "
+ + """['"].*evil['"], which is outside """
+ + "the destination")
+ else:
+ # Fail as soon as we have a symlink outside the destination
+ self.expect_exception(
+ tarfile.LinkOutsideDestinationError,
+ "'current/parent' would link to "
+ + """['"].*outerdir['"], which is outside """
+ + "the destination")
+ else:
+ self.expect_file('current/')
+ self.expect_file('parent/evil')
def test_absolute_symlink(self):
# Test symlink to an absolute path
@@ -3239,11 +3303,29 @@ class TestExtractionFilters(unittest.TestCase):
with self.check_context(arc.open(), 'data'):
self.expect_exception(
tarfile.AbsoluteLinkError,
- "'parent' is a symlink to an absolute path")
+ "'parent' is a link to an absolute path")
+
+ def test_absolute_hardlink(self):
+ # Test hardlink to an absolute path
+ # Inspired by 'dirsymlink' in https://github.com/jwilk/traversal-archives
+ with ArchiveMaker() as arc:
+ arc.add('parent', hardlink_to=self.outerdir / 'foo')
+
+ with self.check_context(arc.open(), 'fully_trusted'):
+ self.expect_exception(KeyError, ".*foo. not found")
+
+ with self.check_context(arc.open(), 'tar'):
+ self.expect_exception(KeyError, ".*foo. not found")
+
+ with self.check_context(arc.open(), 'data'):
+ self.expect_exception(
+ tarfile.AbsoluteLinkError,
+ "'parent' is a link to an absolute path")
def test_sly_relative0(self):
# Inspired by 'relative0' in jwilk/traversal-archives
with ArchiveMaker() as arc:
+ # points to `../../tmp/moo`
arc.add('../moo', symlink_to='..//tmp/moo')
try:
@@ -3293,6 +3375,54 @@ class TestExtractionFilters(unittest.TestCase):
+ """['"].*moo['"], which is outside the """
+ "destination")
+ def test_deep_symlink(self):
+ # Test that symlinks and hardlinks inside a directory
+ # point to the correct file (`target` of size 3).
+ # If links aren't supported we get a copy of the file.
+ with ArchiveMaker() as arc:
+ arc.add('targetdir/target', size=3)
+ # a hardlink's linkname is relative to the archive
+ arc.add('linkdir/hardlink', hardlink_to=os.path.join(
+ 'targetdir', 'target'))
+ # a symlink's linkname is relative to the link's directory
+ arc.add('linkdir/symlink', symlink_to=os.path.join(
+ '..', 'targetdir', 'target'))
+
+ for filter in 'tar', 'data', 'fully_trusted':
+ with self.check_context(arc.open(), filter):
+ self.expect_file('targetdir/target', size=3)
+ self.expect_file('linkdir/hardlink', size=3)
+ if support.can_symlink():
+ self.expect_file('linkdir/symlink', size=3,
+ symlink_to='../targetdir/target')
+ else:
+ self.expect_file('linkdir/symlink', size=3)
+
+ def test_chains(self):
+ # Test chaining of symlinks/hardlinks.
+ # Symlinks are created before the files they point to.
+ with ArchiveMaker() as arc:
+ arc.add('linkdir/symlink', symlink_to='hardlink')
+ arc.add('symlink2', symlink_to=os.path.join(
+ 'linkdir', 'hardlink2'))
+ arc.add('targetdir/target', size=3)
+ arc.add('linkdir/hardlink', hardlink_to='targetdir/target')
+ arc.add('linkdir/hardlink2', hardlink_to='linkdir/symlink')
+
+ for filter in 'tar', 'data', 'fully_trusted':
+ with self.check_context(arc.open(), filter):
+ self.expect_file('targetdir/target', size=3)
+ self.expect_file('linkdir/hardlink', size=3)
+ self.expect_file('linkdir/hardlink2', size=3)
+ if support.can_symlink():
+ self.expect_file('linkdir/symlink', size=3,
+ symlink_to='hardlink')
+ self.expect_file('symlink2', size=3,
+ symlink_to='linkdir/hardlink2')
+ else:
+ self.expect_file('linkdir/symlink', size=3)
+ self.expect_file('symlink2', size=3)
+
def test_modes(self):
# Test how file modes are extracted
# (Note that the modes are ignored on platforms without working chmod)
diff --git a/Misc/NEWS.d/next/Library/2023-08-10-17-36-22.gh-issue-107845.dABiMJ.rst b/Misc/NEWS.d/next/Library/2023-08-10-17-36-22.gh-issue-107845.dABiMJ.rst
new file mode 100644
index 0000000..32c1fb9
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2023-08-10-17-36-22.gh-issue-107845.dABiMJ.rst
@@ -0,0 +1,3 @@
+:func:`tarfile.data_filter` now takes the location of symlinks into account
+when determining their target, so it will no longer reject some valid
+tarballs with ``LinkOutsideDestinationError``.
--
2.33.0

33
backport-3.7-gh-115133-Fix-test_xml_etree-error-with-expat-ve.patch Normal file
View File

@ -0,0 +1,33 @@
From b6a790412ccacd9b90486fdb86e29f2e49c8fa6c Mon Sep 17 00:00:00 2001
From: wangshuo <wangshuo@kylinos.cn>
Date: Fri, 25 Oct 2024 10:13:37 +0800
Subject: [PATCH 3/3] [3.7] gh-115133: Fix test_xml_etree error with expat
versions that fix CVE-2023-52425
Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425.
According to the upstream solution, chunk_size=22 is the smallest value
that can pass the tests.
See https://github.com/python/cpython/issues/115133
---
Lib/test/test_xml_etree.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
index 5ba0de8..7b225ad 100644
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1060,7 +1060,9 @@ class XMLPullParserTest(unittest.TestCase):
expected)
def test_simple_xml(self):
- for chunk_size in (None, 1, 5):
+ # Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425.
+ # See https://github.com/python/cpython/issues/115133
+ for chunk_size in (None, 22, 25):
with self.subTest(chunk_size=chunk_size):
parser = ET.XMLPullParser()
self.assert_event_tags(parser, [])
--
2.33.0

40
python3.spec
View File

@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
URL: https://www.python.org/ URL: https://www.python.org/
Version: 3.7.9 Version: 3.7.9
Release: 38 Release: 40
License: Python-2.0 License: Python-2.0
%global branchversion 3.7 %global branchversion 3.7
@ -73,7 +73,9 @@ BuildRequires: tcl-devel
BuildRequires: tix-devel BuildRequires: tix-devel
BuildRequires: tk-devel BuildRequires: tk-devel
%ifnarch loongarch64
BuildRequires: valgrind-devel BuildRequires: valgrind-devel
%endif
BuildRequires: xz-devel BuildRequires: xz-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -179,6 +181,14 @@ Patch9002: fix-CVE-2023-24329.patch
Patch9003: backport-Fix-parsing-errors-in-email-_parseaddr.py.patch Patch9003: backport-Fix-parsing-errors-in-email-_parseaddr.py.patch
Patch9004: backport-Revert-fixes-for-CVE-2023-27043.patch Patch9004: backport-Revert-fixes-for-CVE-2023-27043.patch
Patch9005: backport-CVE-2023-27043.patch Patch9005: backport-CVE-2023-27043.patch
Patch9006: Add-loongarch-support.patch
# fix CVE-2007-4559
Patch9007: backport-3.7-gh-102950-Implement-PEP-706-Filter-for-tarfile.e.patch
Patch9008: backport-3.7-gh-107845-Fix-symlink-handling-for-tarfile.data_.patch
# fix test error
Patch9009: backport-3.7-gh-115133-Fix-test_xml_etree-error-with-expat-ve.patch
Provides: python%{branchversion} = %{version}-%{release} Provides: python%{branchversion} = %{version}-%{release}
Provides: python(abi) = %{branchversion} Provides: python(abi) = %{branchversion}
@ -342,6 +352,11 @@ rm Lib/ensurepip/_bundled/*.whl
%patch9003 -p1 %patch9003 -p1
%patch9004 -p1 %patch9004 -p1
%patch9005 -p1 %patch9005 -p1
%patch9006 -p1
%patch9007 -p1
%patch9008 -p1
%patch9009 -p1
sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
rm configure pyconfig.h.in rm configure pyconfig.h.in
@ -387,7 +402,9 @@ pushd ${DebugBuildDir}
--enable-loadable-sqlite-extensions \ --enable-loadable-sqlite-extensions \
--with-dtrace \ --with-dtrace \
--with-ssl-default-suites=openssl \ --with-ssl-default-suites=openssl \
%ifnarch loongarch64
--with-valgrind \ --with-valgrind \
%endif
--without-ensurepip \ --without-ensurepip \
--with-pydebug --with-pydebug
@ -411,7 +428,9 @@ pushd ${OptimizedBuildDir}
--enable-loadable-sqlite-extensions \ --enable-loadable-sqlite-extensions \
--with-dtrace \ --with-dtrace \
--with-ssl-default-suites=openssl \ --with-ssl-default-suites=openssl \
%ifnarch loongarch64
--with-valgrind \ --with-valgrind \
%endif
--without-ensurepip \ --without-ensurepip \
%{optimizations_flag} %{optimizations_flag}
@ -943,20 +962,33 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Tue Mar 05 GuoCe <guoce@kylinos.cn> - 3.7.9-38 * Fri Oct 25 2024 wangshuo <wangshuo@kylinos.cn> - 3.7.9-40
- Type:CVE
- CVE:CVE-2007-4559
- SUG:NA
- DESC:Patch9007-9008, fix CVE-2007-4559
- Patch9009, fix test_xml_etree error with expat versions that fix CVE-2023-52425
* Wed Mar 06 2024 GuoCe <guoce@kylinos.cn> - 3.7.9-39
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: add loongarch64 support and disable valgrind-devel for loongarch64
* Tue Mar 05 2024 GuoCe <guoce@kylinos.cn> - 3.7.9-38
- Type:CVE - Type:CVE
- CVE:CVE-2023-27043 - CVE:CVE-2023-27043
- SUG:NA - SUG:NA
- DESC:fix CVE-2023-27043 - DESC:fix CVE-2023-27043
* Fri Mar 01 GuoCe <guoce@kylinos.cn> - 3.7.9-37 * Fri Mar 01 2024 GuoCe <guoce@kylinos.cn> - 3.7.9-37
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA
- DESC:Modify the spec file to synchronize the version information of - DESC:Modify the spec file to synchronize the version information of
CHANGLOG and VERSION. CHANGLOG and VERSION.
* Tue Sep 19 zhuofeng <zhuofeng2@huawei.com> - 3.7.9-36 * Tue Sep 19 2023 zhuofeng <zhuofeng2@huawei.com> - 3.7.9-36
- Type:CVE - Type:CVE
- CVE:CVE-2023-40217 - CVE:CVE-2023-40217
- SUG:NA - SUG:NA