Update to 7.3.12

.gitignore

@@ -22,3 +22,4 @@
 /pypy3.9-v7.3.8-src.tar.bz2
 /pypy3.9-v7.3.9-src.tar.bz2
 /pypy3.9-v7.3.11-src.tar.bz2
+/pypy3.9-v7.3.12-src.tar.bz2

189-use-rpm-wheels.patch

@@ -37,7 +37,7 @@ index e510cc7..8b736b8 100644
  
 -__all__ = ["version", "bootstrap"]
 -_SETUPTOOLS_VERSION = "58.1.0"
--_PIP_VERSION = "22.0.4"
+-_PIP_VERSION = "23.0.1"
  _PROJECTS = [
      ("setuptools", _SETUPTOOLS_VERSION, "py3"),
      ("pip", _PIP_VERSION, "py3"),

399-cve-2023-24329.patch

@@ -1,140 +0,0 @@
-From c18699b668c9f1e1a239f94748c9ac059ab9baff Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 22 May 2023 03:42:37 -0700
-Subject: [PATCH] 00399: CVE-2023-24329
-
-gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
-
-`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
-
-This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
-
-(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
-
-Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
-Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
----
- lib-python/3/test/test_urlparse.py | 61 +++++++++++++++++++++++++++++-
- lib-python/3/urllib/parse.py       | 12 ++++++
- 2 files changed, 72 insertions(+), 1 deletion(-)
-
-diff --git a/lib-python/3/test/test_urlparse.py b/lib-python/3/test/test_urlparse.py
-index 31943f3..574da5b 100644
---- a/lib-python/3/test/test_urlparse.py
-+++ b/lib-python/3/test/test_urlparse.py
-@@ -649,6 +649,65 @@ class UrlParseTestCase(unittest.TestCase):
-             self.assertEqual(p.scheme, "http")
-             self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
- 
-+    def test_urlsplit_strip_url(self):
-+        noise = bytes(range(0, 0x20 + 1))
-+        base_url = "http://User:Pass@www.python.org:080/doc/?query=yes#frag"
-+
-+        url = noise.decode("utf-8") + base_url
-+        p = urllib.parse.urlsplit(url)
-+        self.assertEqual(p.scheme, "http")
-+        self.assertEqual(p.netloc, "User:Pass@www.python.org:080")
-+        self.assertEqual(p.path, "/doc/")
-+        self.assertEqual(p.query, "query=yes")
-+        self.assertEqual(p.fragment, "frag")
-+        self.assertEqual(p.username, "User")
-+        self.assertEqual(p.password, "Pass")
-+        self.assertEqual(p.hostname, "www.python.org")
-+        self.assertEqual(p.port, 80)
-+        self.assertEqual(p.geturl(), base_url)
-+
-+        url = noise + base_url.encode("utf-8")
-+        p = urllib.parse.urlsplit(url)
-+        self.assertEqual(p.scheme, b"http")
-+        self.assertEqual(p.netloc, b"User:Pass@www.python.org:080")
-+        self.assertEqual(p.path, b"/doc/")
-+        self.assertEqual(p.query, b"query=yes")
-+        self.assertEqual(p.fragment, b"frag")
-+        self.assertEqual(p.username, b"User")
-+        self.assertEqual(p.password, b"Pass")
-+        self.assertEqual(p.hostname, b"www.python.org")
-+        self.assertEqual(p.port, 80)
-+        self.assertEqual(p.geturl(), base_url.encode("utf-8"))
-+
-+        # Test that trailing space is preserved as some applications rely on
-+        # this within query strings.
-+        query_spaces_url = "https://www.python.org:88/doc/?query=    "
-+        p = urllib.parse.urlsplit(noise.decode("utf-8") + query_spaces_url)
-+        self.assertEqual(p.scheme, "https")
-+        self.assertEqual(p.netloc, "www.python.org:88")
-+        self.assertEqual(p.path, "/doc/")
-+        self.assertEqual(p.query, "query=    ")
-+        self.assertEqual(p.port, 88)
-+        self.assertEqual(p.geturl(), query_spaces_url)
-+
-+        p = urllib.parse.urlsplit("www.pypi.org ")
-+        # That "hostname" gets considered a "path" due to the
-+        # trailing space and our existing logic...  YUCK...
-+        # and re-assembles via geturl aka unurlsplit into the original.
-+        # django.core.validators.URLValidator (at least through v3.2) relies on
-+        # this, for better or worse, to catch it in a ValidationError via its
-+        # regular expressions.
-+        # Here we test the basic round trip concept of such a trailing space.
-+        self.assertEqual(urllib.parse.urlunsplit(p), "www.pypi.org ")
-+
-+        # with scheme as cache-key
-+        url = "//www.python.org/"
-+        scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8")
-+        for _ in range(2):
-+            p = urllib.parse.urlsplit(url, scheme=scheme)
-+            self.assertEqual(p.scheme, "https")
-+            self.assertEqual(p.geturl(), "https://www.python.org/")
-+
-     def test_attributes_bad_port(self):
-         """Check handling of invalid ports."""
-         for bytes in (False, True):
-@@ -656,7 +715,7 @@ class UrlParseTestCase(unittest.TestCase):
-                 for port in ("foo", "1.5", "-1", "0x10"):
-                     with self.subTest(bytes=bytes, parse=parse, port=port):
-                         netloc = "www.example.net:" + port
--                        url = "http://" + netloc
-+                        url = "http://" + netloc + "/"
-                         if bytes:
-                             netloc = netloc.encode("ascii")
-                             url = url.encode("ascii")
-diff --git a/lib-python/3/urllib/parse.py b/lib-python/3/urllib/parse.py
-index bd26813..f5d3662 100644
---- a/lib-python/3/urllib/parse.py
-+++ b/lib-python/3/urllib/parse.py
-@@ -25,6 +25,10 @@ currently not entirely compliant with this RFC due to defacto
- scenarios for parsing, and for backward compatibility purposes, some
- parsing quirks from older RFCs are retained. The testcases in
- test_urlparse.py provides a good indicator of parsing behavior.
-+
-+The WHATWG URL Parser spec should also be considered.  We are not compliant with
-+it either due to existing user code API behavior expectations (Hyrum's Law).
-+It serves as a useful guide when making changes.
- """
- 
- import re
-@@ -78,6 +82,10 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz'
-                 '0123456789'
-                 '+-.')
- 
-+# Leading and trailing C0 control and space to be stripped per WHATWG spec.
-+# == "".join([chr(i) for i in range(0, 0x20 + 1)])
-+_WHATWG_C0_CONTROL_OR_SPACE = '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f '
-+
- # Unsafe bytes to be removed per WHATWG spec
- _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
- 
-@@ -456,6 +464,10 @@ def urlsplit(url, scheme='', allow_fragments=True):
-     """
- 
-     url, scheme, _coerce_result = _coerce_args(url, scheme)
-+    # Only lstrip url as some applications rely on preserving trailing space.
-+    # (https://url.spec.whatwg.org/#concept-basic-url-parser would strip both)
-+    url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)
-+    scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)
- 
-     for b in _UNSAFE_URL_BYTES_TO_REMOVE:
-         url = url.replace(b, "")
--- 
-2.40.1
-

pypy3.9.spec

@@ -1,5 +1,5 @@
 %global basever 7.3
-%global micro 11
+%global micro 12
 #global pre ...
 %global pyversion 3.9
 Name:           pypy%{pyversion}
@@ -10,7 +10,7 @@ Version:        %{basever}.%{micro}%{?pre:~%{pre}}
 # by Python version as well.
 # This potentially allows tags like Obsoletes: pypy3 < %%{version}-%%{release}.
 # https://bugzilla.redhat.com/2053880
-%global baserelease 5
+%global baserelease 1
 Release:        %{baserelease}.%{pyversion}%{?dist}
 Summary:        Python %{pyversion} implementation with a Just-In-Time compiler
 
@@ -120,16 +120,6 @@ Patch9: 009-add-libxcrypt-support.patch
 # We conditionally apply this, but we use autosetup, so we use Source here
 Source189: 189-use-rpm-wheels.patch
 
-# 00399 #
-# CVE-2023-24329
-#
-# gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
-#
-# `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
-#
-# This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%%20any%%20leading%%20and%%20trailing%%20C0%%20control%%20or%%20space%%20from%%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
-Patch399: 399-cve-2023-24329.patch
-
 # Build-time requirements:
 
 # pypy's can be rebuilt using pypy2, rather than with CPython 2; doing so
@@ -263,7 +253,7 @@ Obsoletes: pypy3.8-libs < 7.3.11-20
 Requires: python-setuptools-wheel
 Requires: python-pip-wheel
 %else
-Provides: bundled(python3dist(pip)) = 22.0.4
+Provides: bundled(python3dist(pip)) = 23.0.1
 Provides: bundled(python3dist(setuptools)) = 58.1.0
 %endif
 
@@ -274,7 +264,7 @@ Provides: bundled(libmpdec) = %{libmpdec_version}
 }
 
 # Find the version in lib_pypy/cffi.dist-info/METADATA
-Provides: bundled(python3dist(cffi)) = 1.15.0
+Provides: bundled(python3dist(cffi)) = 1.15.1
 
 # Find the version in lib_pypy/cffi/_pycparser/__init__.py
 Provides: bundled(python3dist(pycparser)) = 2.21
@@ -285,8 +275,8 @@ Provides: bundled(python3dist(ply)) = 3.9
 # Find the version in lib_pypy/_cffi_ssl/cryptography/__about__.py
 Provides: bundled(python3dist(cryptography)) = 2.7
 
-# Find the version in lib_pypy/hpy.dist-info/METADATA
-Provides: bundled(python3dist(hpy)) = 0.0.3
+# Find the version in lib_pypy/hpy-XXX.dist-info/METADATA
+Provides: bundled(python3dist(hpy)) = 0.0.4~~dev179+g9b5d200
 
 %description libs
 Libraries required by the various PyPy implementations of Python %{pyversion}.
@@ -796,7 +786,7 @@ CheckPyPy pypy%{pyversion}-c
 %license %{pypylibdir}/_cffi_ssl/LICENSE
 %license %{pypylibdir}/cffi.dist-info/LICENSE
 %license %{pypylibdir}/cffi/_pycparser/ply/LICENSE
-%license %{pypylibdir}/hpy.dist-info/LICENSE
+%license %{pypylibdir}/hpy-*.dist-info/LICENSE
 %{pypylibdir}/
 %if %{with rpmwheels}
 %exclude %{pypylibdir}/ensurepip/_bundled
@@ -815,7 +805,7 @@ CheckPyPy pypy%{pyversion}-c
 %exclude %{pypylibdir}/_ctypes_test.*
 %exclude %{pypylibdir}/_pypy_testcapi.*
 %exclude %{pypylibdir}/_test*
-%exclude %{pypylibdir}/__pycache__/_ctypes_test.*
+%exclude %{pypylibdir}/__pycache__/_ctypes_test*
 %exclude %{pypylibdir}/__pycache__/_pypy_testcapi.*
 %exclude %{pypylibdir}/__pycache__/_test*
 %exclude %{pypylibdir}/test/
@@ -835,7 +825,7 @@ CheckPyPy pypy%{pyversion}-c
 %{pypylibdir}/_ctypes_test.*
 %{pypylibdir}/_pypy_testcapi.*
 %{pypylibdir}/_test*
-%{pypylibdir}/__pycache__/_ctypes_test.*
+%{pypylibdir}/__pycache__/_ctypes_test*
 %{pypylibdir}/__pycache__/_pypy_testcapi.*
 %{pypylibdir}/__pycache__/_test*
 %{pypylibdir}/test/
@@ -860,6 +850,10 @@ CheckPyPy pypy%{pyversion}-c
 
 
 %changelog
+* Wed Jul 26 2023 Miro Hrončok <mhroncok@redhat.com> - 7.3.12-1.3.9
+- Update to 7.3.12
+- Fixes: rhbz#2203423
+
 * Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.11-5.3.9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (pypy3.9-v7.3.11-src.tar.bz2) = 33c978ffbeeb39453028d1d1646ccfdace062ce48a5d939245bea41643038dd3687e80e34f88fa0622bcb175d7dd78f75cbe36b24229c8052f09d2d17dcdfd8c
+SHA512 (pypy3.9-v7.3.12-src.tar.bz2) = 8e819a1ec3f3ce7fc5f901fb554660288a57e2a4834a3da35c1a57faf88ef4129240628a58334d2e0c2b1dda412da5d85ec943abe8046c0ce5d0cd0a0f7fc42a