From 1fb3c04b752501b90fca0c90b67d0fa1050909e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 5 Feb 2019 01:40:25 +0100 Subject: [PATCH] Update to 3.8.0a1 Uses tilde for prerelease information, https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_versioning_prereleases_with_tilde Patches rebased: 111, 132 Patches merged upstream: 155, 170 (differently), 317 /usr/bin/pyvenv is no more --- 00111-no-static-lib.patch | 22 +- 00132-add-rpmbuild-hooks-to-unittest.patch | 36 +-- 00155-avoid-ctypes-thunks.patch | 15 - 00170-gc-assertions.patch | 311 --------------------- 00317-CVE-2019-5010.patch | 111 -------- python3.spec | 51 ++-- sources | 2 +- 7 files changed, 48 insertions(+), 500 deletions(-) delete mode 100644 00155-avoid-ctypes-thunks.patch delete mode 100644 00170-gc-assertions.patch delete mode 100644 00317-CVE-2019-5010.patch diff --git a/00111-no-static-lib.patch b/00111-no-static-lib.patch index 4cce364..3d667e9 100644 --- a/00111-no-static-lib.patch +++ b/00111-no-static-lib.patch @@ -1,17 +1,17 @@ diff --git a/Makefile.pre.in b/Makefile.pre.in -index 0db0dd0..bd8f769 100644 +index f8ff1ce..f297d05 100644 --- a/Makefile.pre.in 
+++ b/Makefile.pre.in -@@ -574,7 +574,7 @@ clinic: check-clean-src $(srcdir)/Modules/_blake2/blake2s_impl.c +@@ -573,7 +573,7 @@ clinic: check-clean-src $(srcdir)/Modules/_blake2/blake2s_impl.c $(PYTHON_FOR_REGEN) $(srcdir)/Tools/clinic/clinic.py --make --srcdir $(srcdir) # Build the interpreter -$(BUILDPYTHON): Programs/python.o $(LIBRARY) $(LDLIBRARY) $(PY3LIBRARY) +$(BUILDPYTHON): Programs/python.o $(LDLIBRARY) $(PY3LIBRARY) - $(LINKCC) $(PY_CORE_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/python.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) + $(LINKCC) $(PY_CORE_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/python.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) platform: $(BUILDPYTHON) pybuilddir.txt -@@ -622,12 +622,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o +@@ -621,12 +621,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \ $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build 
@@ -21,19 +21,19 @@ index 0db0dd0..bd8f769 100644 - -rm -f $@ - $(AR) $(ARFLAGS) $@ $(LIBRARY_OBJS) - - libpython$(LDVERSION).so: $(LIBRARY_OBJS) + libpython$(LDVERSION).so: $(LIBRARY_OBJS) $(DTRACE_OBJS) if test $(INSTSONAME) != $(LDLIBRARY); then \ - $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \ -@@ -715,7 +709,7 @@ Modules/Setup: $(srcdir)/Modules/Setup.dist - echo "-----------------------------------------------"; \ - fi + $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM); \ +@@ -704,7 +698,7 @@ Makefile Modules/config.c: Makefile.pre \ + @echo "The Makefile was updated, you may need to re-run make." + -Programs/_testembed: Programs/_testembed.o $(LIBRARY) $(LDLIBRARY) $(PY3LIBRARY) +Programs/_testembed: Programs/_testembed.o $(LDLIBRARY) $(PY3LIBRARY) - $(LINKCC) $(PY_CORE_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/_testembed.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) + $(LINKCC) $(PY_CORE_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/_testembed.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) ############################################################################ -@@ -1483,17 +1477,6 @@ libainstall: @DEF_MAKE_RULE@ python-config +@@ -1545,17 +1539,6 @@ libainstall: @DEF_MAKE_RULE@ python-config else true; \ fi; \ done diff --git a/00132-add-rpmbuild-hooks-to-unittest.patch b/00132-add-rpmbuild-hooks-to-unittest.patch index 77dc6ec..b187c6a 100644 --- a/00132-add-rpmbuild-hooks-to-unittest.patch +++ b/00132-add-rpmbuild-hooks-to-unittest.patch 
@@ -1,6 +1,20 @@ -diff -up Python-3.2.2/Lib/unittest/case.py.add-rpmbuild-hooks-to-unittest Python-3.2.2/Lib/unittest/case.py ---- Python-3.2.2/Lib/unittest/case.py.add-rpmbuild-hooks-to-unittest 2011-09-03 12:16:44.000000000 -0400 -+++ Python-3.2.2/Lib/unittest/case.py 2011-09-09 06:35:16.365568382 -0400 +diff --git a/Lib/unittest/__init__.py b/Lib/unittest/__init__.py +index 5ff1bf3..4d63954 100644 +--- a/Lib/unittest/__init__.py ++++ b/Lib/unittest/__init__.py +@@ -58,7 +58,7 @@ __unittest = True + + from .result import TestResult + from .case import (addModuleCleanup, TestCase, FunctionTestCase, SkipTest, skip, +- skipIf, skipUnless, expectedFailure) ++ skipIf, skipUnless, expectedFailure, _skipInRpmBuild) + from .suite import BaseTestSuite, TestSuite + from .loader import (TestLoader, defaultTestLoader, makeSuite, getTestCaseNames, + findTestCases) +diff --git a/Lib/unittest/case.py b/Lib/unittest/case.py +index a157ae8..64f912c 100644 +--- a/Lib/unittest/case.py ++++ b/Lib/unittest/case.py @@ -3,6 +3,7 @@ import sys import functools @@ -9,7 +23,8 @@ diff -up Python-3.2.2/Lib/unittest/case.py.add-rpmbuild-hooks-to-unittest Python import logging import pprint import re -@@ -101,5 +102,21 @@ def expectedFailure(func): +@@ -158,6 +159,22 @@ class _BaseTestCaseContext: + msg = self.test_case._formatMessage(self.msg, standardMsg) raise self.test_case.failureException(msg) +# Non-standard/downstream-only hooks for handling issues with specific test 
@@ -31,16 +46,3 @@ diff -up Python-3.2.2/Lib/unittest/case.py.add-rpmbuild-hooks-to-unittest Python class _AssertRaisesBaseContext(_BaseTestCaseContext): def __init__(self, expected, test_case, expected_regex=None): -diff -up Python-3.2.2/Lib/unittest/__init__.py.add-rpmbuild-hooks-to-unittest Python-3.2.2/Lib/unittest/__init__.py ---- Python-3.2.2/Lib/unittest/__init__.py.add-rpmbuild-hooks-to-unittest 2011-09-03 12:16:44.000000000 -0400 -+++ Python-3.2.2/Lib/unittest/__init__.py 2011-09-09 06:35:16.366568382 -0400 -@@ -57,7 +57,8 @@ __unittest = True - - from .result import TestResult - from .case import (TestCase, FunctionTestCase, SkipTest, skip, skipIf, -- skipUnless, expectedFailure) -+ skipUnless, expectedFailure, -+ _skipInRpmBuild) - from .suite import BaseTestSuite, TestSuite - from .loader import (TestLoader, defaultTestLoader, makeSuite, getTestCaseNames, - findTestCases) diff --git a/00155-avoid-ctypes-thunks.patch b/00155-avoid-ctypes-thunks.patch deleted file mode 100644 index f03890e..0000000 --- a/00155-avoid-ctypes-thunks.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up Python-3.2.3/Lib/ctypes/__init__.py.rhbz814391 Python-3.2.3/Lib/ctypes/__init__.py ---- Python-3.2.3/Lib/ctypes/__init__.py.rhbz814391 2012-04-20 15:12:49.017867692 -0400 -+++ Python-3.2.3/Lib/ctypes/__init__.py 2012-04-20 15:15:09.501111408 -0400 -@@ -275,11 +275,6 @@ def _reset_cache(): - # _SimpleCData.c_char_p_from_param - POINTER(c_char).from_param = c_char_p.from_param - _pointer_type_cache[None] = c_void_p -- # XXX for whatever reasons, creating the first instance of a callback -- # function is needed for the unittests on Win64 to succeed. This MAY -- # be a compiler bug, since the problem occurs only when _ctypes is -- # compiled with the MS SDK compiler. Or an uninitialized variable? -- CFUNCTYPE(c_int)(lambda: None) - - def create_unicode_buffer(init, size=None): - """create_unicode_buffer(aString) -> character array 
diff --git a/00170-gc-assertions.patch b/00170-gc-assertions.patch
deleted file mode 100644
index fb3ad85..0000000
--- a/00170-gc-assertions.patch
+++ /dev/null
@@ -1,311 +0,0 @@ -diff --git a/Include/object.h b/Include/object.h -index c772dea..5729797 100644 ---- a/Include/object.h -+++ b/Include/object.h -@@ -1098,6 +1098,49 @@ PyAPI_FUNC(void) - _PyObject_DebugTypeStats(FILE *out); - #endif /* ifndef Py_LIMITED_API */ - -+/* -+ Define a pair of assertion macros. -+ -+ These work like the regular C assert(), in that they will abort the -+ process with a message on stderr if the given condition fails to hold, -+ but compile away to nothing if NDEBUG is defined. -+ -+ However, before aborting, Python will also try to call _PyObject_Dump() on -+ the given object. This may be of use when investigating bugs in which a -+ particular object is corrupt (e.g. buggy a tp_visit method in an extension -+ module breaking the garbage collector), to help locate the broken objects. -+ -+ The WITH_MSG variant allows you to supply an additional message that Python -+ will attempt to print to stderr, after the object dump. -+*/ -+#ifdef NDEBUG -+/* No debugging: compile away the assertions: */ -+#define PyObject_ASSERT_WITH_MSG(obj, expr, msg) ((void)0) -+#else -+/* With debugging: generate checks: */ -+#define PyObject_ASSERT_WITH_MSG(obj, expr, msg) \ -+ ((expr) \ -+ ? 
(void)(0) \ -+ : _PyObject_AssertFailed((obj), \ -+ (msg), \ -+ (__STRING(expr)), \ -+ (__FILE__), \ -+ (__LINE__), \ -+ (__PRETTY_FUNCTION__))) -+#endif -+ -+#define PyObject_ASSERT(obj, expr) \ -+ PyObject_ASSERT_WITH_MSG(obj, expr, NULL) -+ -+/* -+ Declare and define the entrypoint even when NDEBUG is defined, to avoid -+ causing compiler/linker errors when building extensions without NDEBUG -+ against a Python built with NDEBUG defined -+*/ -+PyAPI_FUNC(void) _PyObject_AssertFailed(PyObject *, const char *, -+ const char *, const char *, int, -+ const char *); -+ - #ifdef __cplusplus - } - #endif -diff --git a/Lib/test/test_gc.py b/Lib/test/test_gc.py -index 8d806db..dc8bb16 100644 ---- a/Lib/test/test_gc.py -+++ b/Lib/test/test_gc.py -@@ -1,10 +1,12 @@ - import unittest - from test.support import (verbose, refcount_test, run_unittest, - strip_python_stderr, cpython_only, start_threads, -- temp_dir, requires_type_collecting, TESTFN, unlink) -+ temp_dir, requires_type_collecting, TESTFN, unlink, -+ import_module) - from test.support.script_helper import assert_python_ok, make_script - - import sys -+import sysconfig - import time - import gc - import weakref -@@ -46,6 +48,8 @@ class GC_Detector(object): - # gc collects it. - self.wr = weakref.ref(C1055820(666), it_happened) - -+BUILD_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars()['PY_CFLAGS']) -+ - @with_tp_del - class Uncollectable(object): - """Create a reference cycle with multiple __del__ methods. 
-@@ -878,6 +882,50 @@ class GCCallbackTests(unittest.TestCase): - self.assertEqual(len(gc.garbage), 0) - - -+ @unittest.skipIf(BUILD_WITH_NDEBUG, -+ 'built with -NDEBUG') -+ def test_refcount_errors(self): -+ self.preclean() -+ # Verify the "handling" of objects with broken refcounts -+ import_module("ctypes") #skip if not supported -+ -+ import subprocess -+ code = '''if 1: -+ a = [] -+ b = [a] -+ -+ # Simulate the refcount of "a" being too low (compared to the -+ # references held on it by live data), but keeping it above zero -+ # (to avoid deallocating it): -+ import ctypes -+ ctypes.pythonapi.Py_DecRef(ctypes.py_object(a)) -+ -+ # The garbage collector should now have a fatal error when it reaches -+ # the broken object: -+ import gc -+ gc.collect() -+ ''' -+ p = subprocess.Popen([sys.executable, "-c", code], -+ stdout=subprocess.PIPE, -+ stderr=subprocess.PIPE) -+ stdout, stderr = p.communicate() -+ p.stdout.close() -+ p.stderr.close() -+ # Verify that stderr has a useful error message: -+ self.assertRegex(stderr, -+ b'Modules/gcmodule.c:[0-9]+: visit_decref: Assertion "\(\(gc\)->gc.gc_refs >> \(1\)\) != 0" failed.') -+ self.assertRegex(stderr, -+ b'refcount was too small') -+ self.assertRegex(stderr, -+ b'object : \[\]') -+ self.assertRegex(stderr, -+ b'type : list') -+ self.assertRegex(stderr, -+ b'refcount: 1') -+ self.assertRegex(stderr, -+ b'address : 0x[0-9a-f]+') -+ -+ - class GCTogglingTests(unittest.TestCase): - def setUp(self): - gc.enable() -diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c -index 4d701cb..388dd78 100644 ---- a/Modules/gcmodule.c -+++ b/Modules/gcmodule.c -@@ -239,7 +239,8 @@ update_refs(PyGC_Head *containers) - { - PyGC_Head *gc = containers->gc.gc_next; - for (; gc != containers; gc = gc->gc.gc_next) { -- assert(_PyGCHead_REFS(gc) == GC_REACHABLE); -+ PyObject_ASSERT(FROM_GC(gc), -+ _PyGCHead_REFS(gc) == GC_REACHABLE); - _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc))); - /* Python's cyclic gc should never see an incoming 
refcount - * of 0: if something decref'ed to 0, it should have been -@@ -259,7 +260,8 @@ update_refs(PyGC_Head *containers) - * so serious that maybe this should be a release-build - * check instead of an assert? - */ -- assert(_PyGCHead_REFS(gc) != 0); -+ PyObject_ASSERT(FROM_GC(gc), -+ _PyGCHead_REFS(gc) != 0); - } - } - -@@ -274,7 +276,9 @@ visit_decref(PyObject *op, void *data) - * generation being collected, which can be recognized - * because only they have positive gc_refs. - */ -- assert(_PyGCHead_REFS(gc) != 0); /* else refcount was too small */ -+ PyObject_ASSERT_WITH_MSG(FROM_GC(gc), -+ _PyGCHead_REFS(gc) != 0, -+ "refcount was too small"); /* else refcount was too small */ - if (_PyGCHead_REFS(gc) > 0) - _PyGCHead_DECREF(gc); - } -@@ -334,9 +338,10 @@ visit_reachable(PyObject *op, PyGC_Head *reachable) - * If gc_refs == GC_UNTRACKED, it must be ignored. - */ - else { -- assert(gc_refs > 0 -- || gc_refs == GC_REACHABLE -- || gc_refs == GC_UNTRACKED); -+ PyObject_ASSERT(FROM_GC(gc), -+ gc_refs > 0 -+ || gc_refs == GC_REACHABLE -+ || gc_refs == GC_UNTRACKED); - } - } - return 0; -@@ -378,7 +383,7 @@ move_unreachable(PyGC_Head *young, PyGC_Head *unreachable) - */ - PyObject *op = FROM_GC(gc); - traverseproc traverse = Py_TYPE(op)->tp_traverse; -- assert(_PyGCHead_REFS(gc) > 0); -+ PyObject_ASSERT(op, _PyGCHead_REFS(gc) > 0); - _PyGCHead_SET_REFS(gc, GC_REACHABLE); - (void) traverse(op, - (visitproc)visit_reachable, -@@ -441,7 +446,7 @@ move_legacy_finalizers(PyGC_Head *unreachable, PyGC_Head *finalizers) - for (gc = unreachable->gc.gc_next; gc != unreachable; gc = next) { - PyObject *op = FROM_GC(gc); - -- assert(IS_TENTATIVELY_UNREACHABLE(op)); -+ PyObject_ASSERT(op, IS_TENTATIVELY_UNREACHABLE(op)); - next = gc->gc.gc_next; - - if (has_legacy_finalizer(op)) { -@@ -517,7 +522,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - PyWeakReference **wrlist; - - op = FROM_GC(gc); -- assert(IS_TENTATIVELY_UNREACHABLE(op)); -+ PyObject_ASSERT(op, 
IS_TENTATIVELY_UNREACHABLE(op)); - next = gc->gc.gc_next; - - if (! PyType_SUPPORTS_WEAKREFS(Py_TYPE(op))) -@@ -538,9 +543,9 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - * the callback pointer intact. Obscure: it also - * changes *wrlist. - */ -- assert(wr->wr_object == op); -+ PyObject_ASSERT(wr->wr_object, wr->wr_object == op); - _PyWeakref_ClearRef(wr); -- assert(wr->wr_object == Py_None); -+ PyObject_ASSERT(wr->wr_object, wr->wr_object == Py_None); - if (wr->wr_callback == NULL) - continue; /* no callback */ - -@@ -574,7 +579,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - */ - if (IS_TENTATIVELY_UNREACHABLE(wr)) - continue; -- assert(IS_REACHABLE(wr)); -+ PyObject_ASSERT(op, IS_REACHABLE(wr)); - - /* Create a new reference so that wr can't go away - * before we can process it again. -@@ -583,7 +588,8 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - - /* Move wr to wrcb_to_call, for the next pass. */ - wrasgc = AS_GC(wr); -- assert(wrasgc != next); /* wrasgc is reachable, but -+ PyObject_ASSERT(op, wrasgc != next); -+ /* wrasgc is reachable, but - next isn't, so they can't - be the same */ - gc_list_move(wrasgc, &wrcb_to_call); -@@ -599,11 +605,11 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) - - gc = wrcb_to_call.gc.gc_next; - op = FROM_GC(gc); -- assert(IS_REACHABLE(op)); -- assert(PyWeakref_Check(op)); -+ PyObject_ASSERT(op, IS_REACHABLE(op)); -+ PyObject_ASSERT(op, PyWeakref_Check(op)); - wr = (PyWeakReference *)op; - callback = wr->wr_callback; -- assert(callback != NULL); -+ PyObject_ASSERT(op, callback != NULL); - - /* copy-paste of weakrefobject.c's handle_callback() */ - temp = PyObject_CallFunctionObjArgs(callback, wr, NULL); -@@ -717,12 +723,14 @@ check_garbage(PyGC_Head *collectable) - for (gc = collectable->gc.gc_next; gc != collectable; - gc = gc->gc.gc_next) { - _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc))); -- assert(_PyGCHead_REFS(gc) != 0); -+ PyObject_ASSERT(FROM_GC(gc), -+ 
_PyGCHead_REFS(gc) != 0); - } - subtract_refs(collectable); - for (gc = collectable->gc.gc_next; gc != collectable; - gc = gc->gc.gc_next) { -- assert(_PyGCHead_REFS(gc) >= 0); -+ PyObject_ASSERT(FROM_GC(gc), -+ _PyGCHead_REFS(gc) >= 0); - if (_PyGCHead_REFS(gc) != 0) - return -1; - } -diff --git a/Objects/object.c b/Objects/object.c -index 220aa90..f6c7161 100644 ---- a/Objects/object.c -+++ b/Objects/object.c -@@ -2177,6 +2177,35 @@ _PyTrash_thread_destroy_chain(void) - --tstate->trash_delete_nesting; - } - -+PyAPI_FUNC(void) -+_PyObject_AssertFailed(PyObject *obj, const char *msg, const char *expr, -+ const char *file, int line, const char *function) -+{ -+ fprintf(stderr, -+ "%s:%d: %s: Assertion \"%s\" failed.\n", -+ file, line, function, expr); -+ if (msg) { -+ fprintf(stderr, "%s\n", msg); -+ } -+ -+ fflush(stderr); -+ -+ if (obj) { -+ /* This might succeed or fail, but we're about to abort, so at least -+ try to provide any extra info we can: */ -+ _PyObject_Dump(obj); -+ } -+ else { -+ fprintf(stderr, "NULL object\n"); -+ } -+ -+ fflush(stdout); -+ fflush(stderr); -+ -+ /* Terminate the process: */ -+ abort(); -+} -+ - #ifndef Py_TRACE_REFS - /* For Py_LIMITED_API, we need an out-of-line version of _Py_Dealloc. - Define this here, so we can undefine the macro. */ diff --git a/00317-CVE-2019-5010.patch b/00317-CVE-2019-5010.patch deleted file mode 100644 index 62e931e..0000000 --- a/00317-CVE-2019-5010.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 15 Jan 2019 18:16:30 +0100 -Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser - -CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did -not handle CRL distribution points with empty DP or URI correctly. A -malicious or buggy certificate can result into segfault. - -Signed-off-by: Christian Heimes ---- - Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ - Lib/test/test_ssl.py | 22 +++++++++++++++++++ - .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ - Modules/_ssl.c | 4 ++++ - 4 files changed, 51 insertions(+) - create mode 100644 Lib/test/talos-2019-0758.pem - create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst - -diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem -new file mode 100644 -index 000000000000..13b95a77fd8a ---- /dev/null -+++ b/Lib/test/talos-2019-0758.pem -@@ -0,0 +1,22 @@ -+-----BEGIN CERTIFICATE----- -+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO -+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 -+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh -+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB -+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES -+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD -+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C -+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP -+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF -+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp -+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io -+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 -+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu -+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG 
-+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p -+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr -+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit -+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV -+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ -+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== -+-----END CERTIFICATE----- -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 7f6b93148f45..1fc657f4d867 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -115,6 +115,7 @@ def data_file(*name): - BADKEY = data_file("badkey.pem") - NOKIACERT = data_file("nokia.pem") - NULLBYTECERT = data_file("nullbytecert.pem") -+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") - - DHFILE = data_file("ffdh3072.pem") - BYTES_DHFILE = os.fsencode(DHFILE) -@@ -348,6 +349,27 @@ def test_parse_cert(self): - self.assertEqual(p['crlDistributionPoints'], - ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) - -+ def test_parse_cert_CVE_2019_5010(self): -+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) -+ if support.verbose: -+ sys.stdout.write("\n" + pprint.pformat(p) + "\n") -+ self.assertEqual( -+ p, -+ { -+ 'issuer': ( -+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), -+ 'notAfter': 'Jun 14 18:00:58 2028 GMT', -+ 'notBefore': 'Jun 18 18:00:58 2018 GMT', -+ 'serialNumber': '02', -+ 'subject': ((('countryName', 'UK'),), -+ (('commonName', -+ 'codenomicon-vm-2.test.lal.cisco.com'),)), -+ 'subjectAltName': ( -+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), -+ 'version': 3 -+ } -+ ) -+ - def test_parse_cert_CVE_2013_4238(self): - p = ssl._ssl._test_decode_cert(NULLBYTECERT) - if support.verbose: -diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -new file mode 100644 -index 000000000000..dffe347eec84 ---- /dev/null -+++ 
b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -@@ -0,0 +1,3 @@ -+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did -+not handle CRL distribution points with empty DP or URI correctly. A -+malicious or buggy certificate can result into segfault. -diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index 4e3352d9e661..0e720e268d93 100644 ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) { - STACK_OF(GENERAL_NAME) *gns; - - dp = sk_DIST_POINT_value(dps, i); -+ if (dp->distpoint == NULL) { -+ /* Ignore empty DP value, CVE-2019-5010 */ -+ continue; -+ } - gns = dp->distpoint->name.fullname; - - for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { diff --git a/python3.spec b/python3.spec index b910bd2..ca2d3e3 100644 --- a/python3.spec +++ b/python3.spec @@ -2,10 +2,10 @@ # Top-level metadata # ================== -%global pybasever 3.7 +%global pybasever 3.8 # pybasever without the dot: -%global pyshortver 37 +%global pyshortver 38 Name: python3 Summary: Interpreter of the Python programming language @@ -13,8 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -Version: %{pybasever}.2 -Release: 5%{?dist} +%global general_version %{pybasever}.0 +%global prerel a1 +%global upstream_version %{general_version}%{?prerel} +Version: %{general_version}%{?prerel:~%{prerel}} +Release: 1%{?dist} License: Python @@ -197,7 +200,7 @@ BuildRequires: python-pip-wheel # Source code and patches # ======================= -Source: https://www.python.org/ftp/python/%{version}/Python-%{version}%{?prerel}.tar.xz +Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz # A simple script to check timestamps of bytecode files # Run in check section with Python that is currently being built 
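Review bot: `%global prerel a1` is added without a comment on how to turn it off for the final release, and the obvious edit is a trap. rpm expands macros on `#` comment lines too, so `#%global prerel a1` would leave `prerel` defined, and Version, Source and the `%setup -n` directory would keep the `a1` suffix. I would add a comment above it such as `# For final releases delete this line or write "#global prerel ..." (no percent sign); rpm expands macros inside comments`.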
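Review bot: The rewritten Source line fetches the prerelease tarball over HTTPS, but nothing in this hunk checks it against an upstream release signature. The only integrity pin visible in the commit is the SHA512 in `sources`, which records what the packager downloaded, not what upstream signed. If upstream publishes a detached signature for this tarball, I would list it and the release key as additional sources and verify in %prep before %setup, e.g. `%{gpgverify} --keyring='%{SOURCEn}' --signature='%{SOURCEm}' --data='%{SOURCE0}'` (the source numbers n and m are placeholders). The rest of the spec is outside this hunk, so such a check may already exist elsewhere.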
@@ -242,13 +245,6 @@ Patch111: 00111-no-static-lib.patch # these unittest hooks in their own "check" phases) Patch132: 00132-add-rpmbuild-hooks-to-unittest.patch -# 00155 # -# Avoid allocating thunks in ctypes unless absolutely necessary, to avoid -# generating SELinux denials on "import ctypes" and "import uuid" when -# embedding Python within httpd -# See https://bugzilla.redhat.com/show_bug.cgi?id=814391 -Patch155: 00155-avoid-ctypes-thunks.patch - # 00160 # # Python 3.3 added os.SEEK_DATA and os.SEEK_HOLE, which may be present in the # header files in the build chroot, but may not be supported in the running @@ -263,16 +259,6 @@ Patch160: 00160-disable-test_fs_holes-in-rpm-build.patch # Not yet sent upstream Patch163: 00163-disable-parts-of-test_socket-in-rpm-build.patch -# 00170 # -# In debug builds, try to print repr() when a C-level assert fails in the -# garbage collector (typically indicating a reference-counting error -# somewhere else e.g in an extension module) -# The new macros/functions within gcmodule.c are hidden to avoid exposing -# them within the extension API. -# Sent upstream: http://bugs.python.org/issue9263 -# See https://bugzilla.redhat.com/show_bug.cgi?id=614680 -Patch170: 00170-gc-assertions.patch - # 00178 # # Don't duplicate various FLAGS in sysconfig values # http://bugs.python.org/issue17679 @@ -305,11 +291,6 @@ Patch274: 00274-fix-arch-names.patch # So we mark the command as unsupported - and the tests are skipped Patch316: 00316-mark-bdist_wininst-unsupported.patch -# 00317 # -# Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser -# Fixed upstream https://bugs.python.org/issue35746 -Patch317: 00317-CVE-2019-5010.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., 
@@ -580,7 +561,7 @@ version once Python %{pybasever} is stable. # ====================================================== %prep -%setup -q -n Python-%{version}%{?prerel} +%setup -q -n Python-%{upstream_version} # Remove all exe files to ensure we are not shipping prebuilt binaries # note that those are only used to create Microsoft Windows installers # and that functionality is broken on Linux anyway @@ -599,10 +580,8 @@ rm -r Modules/expat %endif %patch111 -p1 %patch132 -p1 -%patch155 -p1 %patch160 -p1 %patch163 -p1 -%patch170 -p1 %patch178 -p1 %if %{with rpmwheels} @@ -614,7 +593,6 @@ rm Lib/ensurepip/_bundled/*.whl %patch251 -p1 %patch274 -p1 %patch316 -p1 -%patch317 -p1 # Remove files that should be generated by the build @@ -942,7 +920,6 @@ rm %{buildroot}%{_bindir}/pygettext3.py rm %{buildroot}%{_bindir}/msgfmt3.py rm %{buildroot}%{_bindir}/idle3 rm %{buildroot}%{_bindir}/python3-* -rm %{buildroot}%{_bindir}/pyvenv rm %{buildroot}%{_bindir}/2to3 rm %{buildroot}%{_libdir}/libpython3.so rm %{buildroot}%{_mandir}/man1/python3.1* @@ -1048,14 +1025,12 @@ CheckPython optimized %if %{without flatpackage} %{_bindir}/pydoc* %{_bindir}/python3 -%{_bindir}/pyvenv %else %{_bindir}/pydoc%{pybasever} %endif %{_bindir}/python%{pybasever} %{_bindir}/python%{pybasever}m -%{_bindir}/pyvenv-%{pybasever} %{_mandir}/*/* @@ -1186,6 +1161,7 @@ CheckPython optimized %{dynload_dir}/nis.%{SOABI_optimized}.so %{dynload_dir}/ossaudiodev.%{SOABI_optimized}.so %{dynload_dir}/parser.%{SOABI_optimized}.so +%{dynload_dir}/_posixshmem.%{SOABI_optimized}.so %{dynload_dir}/pyexpat.%{SOABI_optimized}.so %{dynload_dir}/readline.%{SOABI_optimized}.so %{dynload_dir}/resource.%{SOABI_optimized}.so 
@@ -1197,6 +1173,7 @@ CheckPython optimized %{dynload_dir}/unicodedata.%{SOABI_optimized}.so %{dynload_dir}/_uuid.%{SOABI_optimized}.so %{dynload_dir}/xxlimited.%{SOABI_optimized}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so %{dynload_dir}/zlib.%{SOABI_optimized}.so %dir %{pylibdir}/site-packages/ @@ -1301,6 +1278,7 @@ CheckPython optimized %endif %{_includedir}/python%{LDVERSION_optimized}/*.h %{_includedir}/python%{LDVERSION_optimized}/internal/ +%{_includedir}/python%{LDVERSION_optimized}/cpython/ %doc Misc/README.valgrind Misc/valgrind-python.supp Misc/gdbinit %if %{without flatpackage} @@ -1457,6 +1435,7 @@ CheckPython optimized %{dynload_dir}/nis.%{SOABI_debug}.so %{dynload_dir}/ossaudiodev.%{SOABI_debug}.so %{dynload_dir}/parser.%{SOABI_debug}.so +%{dynload_dir}/_posixshmem.%{SOABI_debug}.so %{dynload_dir}/pyexpat.%{SOABI_debug}.so %{dynload_dir}/readline.%{SOABI_debug}.so %{dynload_dir}/resource.%{SOABI_debug}.so @@ -1467,6 +1446,7 @@ CheckPython optimized %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so %{dynload_dir}/unicodedata.%{SOABI_debug}.so %{dynload_dir}/_uuid.%{SOABI_debug}.so +%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so %{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so %{dynload_dir}/zlib.%{SOABI_debug}.so @@ -1521,6 +1501,9 @@ CheckPython optimized # ====================================================== %changelog +* Tue Feb 05 2019 Miro HronĨok - 3.8.0~a1-1 +- Update to 3.8.0a1 + * Sat Feb 02 2019 Fedora Release Engineering - 3.7.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index 64dca46..8f72af4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (Python-3.7.2.tar.xz) = 6cd2d6d8455558783b99d55985cd7b22d67b98f41a09b4fdd96f680a630a4e035220d2b903f8c59ed513aa5ffe6730fa947ddb55bb72ce36f0e945ef8af5d971 +SHA512 (Python-3.8.0a1.tar.xz) = 81e0aea4cf37f432d72464579f1b97db574496fa7105c7b2e02caed2e27d95288f21605666e80b60a01c66afb115714004b4a219b31ce21c8f732828b70b24e2
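Review bot: The added %changelog entry says only `- Update to 3.8.0a1`, yet the same commit stops applying Patch317, the downstream fix for CVE-2019-5010. The commit message states that the fix was merged upstream, but that statement is not part of the built package. Someone auditing the package with `rpm -q --changelog` would find no record of why the CVE patch is gone. I would add a line such as `- Drop patch 317 (CVE-2019-5010), fixed upstream in bpo-35746` so the CVE stays traceable to this build.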