import python3.11-3.11.4-3.el8

a8972146 · Rocky Automation · 648e1972 · a8972146 · a8972146 · a8972146
Commit a8972146 authored 1 year ago by Rocky Automation
--- a/.python3.11.checksum
+++ b/.python3.11.checksum
+Direct Git Import
--- a/.python3.11.metadata
+++ b/.python3.11.metadata
-7eb14fecbf60824d10c22a9057584c3a142c2866f4af6caa2525c10c8bcb24e6e7afb32a44a0e118df0a2b2543d578c3b422ffd4a5fa317dfe6ea371cc7ee1ee SOURCES/Python-3.11.4.tar.xz
-8ee82bf116b2cc7407e260eccf53e7fee4d7497165d0b9c3e59931c73f3b419bc0299b459eee9544a6e51e323ff0a6aa07827efd89f9c320b54556feeea04a78 SOURCES/Python-3.11.4.tar.xz.asc
+2f0e409df2ab57aa9fc4cbddfb976af44e4e55bf6f619eee6bc5c2297264a7f6 SOURCES/Python-3.11.4.tar.xz
--- a/SOURCES/00397-tarfile-filter.patch
+++ b/SOURCES/00397-tarfile-filter.patch
-From 363474312808642b23840a26b4e812051a551e48 Mon Sep 17 00:00:00 2001
+From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 9 Aug 2023 20:23:03 +0200
+Subject: [PATCH] Fix symlink handling for tarfile.data_filter
+
+---
+ Doc/library/tarfile.rst  |  5 +++++
+ Lib/tarfile.py           |  9 ++++++++-
+ Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++--
+ 3 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
+index 00f3070324e..e0511bfeb64 100644
+--- a/Doc/library/tarfile.rst
+++ b/Doc/library/tarfile.rst
+@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes:
+    Name of the target file name, which is only present in :class:`TarInfo` objects
+    of type :const:`LNKTYPE` and :const:`SYMTYPE`.
+ 
+   For symbolic links (``SYMTYPE``), the linkname is relative to the directory
+   that contains the link.
+   For hard links (``LNKTYPE``), the linkname is relative to the root of
+   the archive.
+
+ 
+ .. attribute:: TarInfo.uid
+    :type: int
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index df4e41f7a0d..d62323715b4 100755
+--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
+@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True):
+         if member.islnk() or member.issym():
+             if os.path.isabs(member.linkname):
+                 raise AbsoluteLinkError(member)
+-            target_path = os.path.realpath(os.path.join(dest_path, member.linkname))
+            if member.issym():
+                target_path = os.path.join(dest_path,
+                                           os.path.dirname(name),
+                                           member.linkname)
+            else:
+                target_path = os.path.join(dest_path,
+                                           member.linkname)
+            target_path = os.path.realpath(target_path)
+             if os.path.commonpath([target_path, dest_path]) != dest_path:
+                 raise LinkOutsideDestinationError(member, target_path)
+     return new_attrs
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 2eda7fc4cea..79fc35c2895 100644
+--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
+@@ -3337,10 +3337,12 @@ def __exit__(self, *exc):
+         self.bio = None
+ 
+     def add(self, name, *, type=None, symlink_to=None, hardlink_to=None,
+-            mode=None, **kwargs):
+            mode=None, size=None, **kwargs):
+         """Add a member to the test archive. Call within `with`."""
+         name = str(name)
+         tarinfo = tarfile.TarInfo(name).replace(**kwargs)
+        if size is not None:
+            tarinfo.size = size
+         if mode:
+             tarinfo.mode = _filemode_to_int(mode)
+         if symlink_to is not None:
+@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter):
+                 raise self.raised_exception
+             self.assertEqual(self.expected_paths, set())
+ 
+-    def expect_file(self, name, type=None, symlink_to=None, mode=None):
+    def expect_file(self, name, type=None, symlink_to=None, mode=None,
+                    size=None):
+         """Check a single file. See check_context."""
+         if self.raised_exception:
+             raise self.raised_exception
+@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None):
+             self.assertTrue(path.is_fifo())
+         else:
+             raise NotImplementedError(type)
+        if size is not None:
+            self.assertEqual(path.stat().st_size, size)
+         for parent in path.parents:
+             self.expected_paths.discard(parent)
+ 
+@@ -3649,6 +3654,22 @@ def test_sly_relative2(self):
+                     + """['"].*moo['"], which is outside the """
+                     + "destination")
+ 
+    def test_deep_symlink(self):
+        with ArchiveMaker() as arc:
+            arc.add('targetdir/target', size=3)
+            arc.add('linkdir/hardlink', hardlink_to='targetdir/target')
+            arc.add('linkdir/symlink', symlink_to='../targetdir/target')
+
+        for filter in 'tar', 'data', 'fully_trusted':
+            with self.check_context(arc.open(), filter):
+                self.expect_file('targetdir/target', size=3)
+                self.expect_file('linkdir/hardlink', size=3)
+                if os_helper.can_symlink():
+                    self.expect_file('linkdir/symlink', size=3,
+                                     symlink_to='../targetdir/target')
+                else:
+                    self.expect_file('linkdir/symlink', size=3)
+
+     def test_modes(self):
+         # Test how file modes are extracted
+         # (Note that the modes are ignored on platforms without working chmod)
+-- 
+2.41.0
+
+From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Mon, 6 Mar 2023 17:24:24 +0100
 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction

--- a/SOURCES/Python-3.11.4.tar.xz.asc
+++ b/SOURCES/Python-3.11.4.tar.xz.asc
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/sHIACgkQ/+h0BBaL
+2EfQDQ//eFWvcQ5ijhVd3r5lp7NTNUPK6xKR2iqzpNWlN2Z4QkGJ2+IworBaZoGA
+tzmbT0j0LB9ZQ+ba3xnqXGXD8Ky+fHLg8GV5yshPlH/bD7tPuHtfDRxNcWplEVSS
+MbMuLjAYavTIHhYEz/Rpx4jvZTI5lwplVqj9WxNI/8tNrL5M2bsCtv+IB6brohiw
+rUOUlT/KDkZbrGfB1Fe033Ep8hay5MkKjhgr7O1dU7zMuDRG+HRsCYGs7a5x6KhH
+3QNTEp+GEIAKEsip5nR7vl5KqL02lHa5sf36SV2wjRTwO+IhgV7lvtJEwOD12oE5
+c+TCQMFbmBXg2vVmNBN/Lwftw1SwT/+orFX6V4U93jq6QNUo4GvPqum6YzuayGYc
+/JM4MNziqmfdNW2YjEHPPfzti3f40eTapys97YufOrmYjM2NY0Fs+kAErvyxiWqi
+guVQtaZIYeLl/9KWqQ0F/Apy1N+fVDuWBkZlizwHrUsGips4Rp7Bh/iCrDdOj+1D
+gRCio7+KvdtzHavZPZnU5dcpUiXZgsDzOTI138IyYaEtVUS59ELkA2qxI1yCb5mk
+eLVG1L7r/J2tIaTcguQppp5Z+62UDTArlUbnRxda0buzA2r1aFiQCTMwp+kTRegw
+T9Ht/CT/D4vpMdmSQTun9MkKifcK+2uGfSsS7Lz4fSWjQLqg36k=
+=zSfJ
+-----END PGP SIGNATURE-----
--- a/SPECS/python3.11.spec
+++ b/SPECS/python3.11.spec
@@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python


@@ -359,8 +359,12 @@ Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-g
 Patch378: 00378-support-expat-2-4-5.patch

 # 00397 #
-# Add Red Hat configuration for tarfile extraction (CVE-2007-4559, PEP-706)
-# See KB for documentation:
+# Filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# First patch fixes determination of symlink targets, which were treated
+# as relative to the root of the archive,
+# rather than the directory containing the symlink.
+# Not yet upstream as of this writing.
+# The second patch is Red Hat configuration, see KB for documentation:
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch

@@ -1805,6 +1809,10 @@ fi
 # ======================================================

 %changelog
+* Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.11.4-3
+- Fix symlink handling in the fix for CVE-2023-24329
+Resolves: rhbz#263261
+
 * Fri Jun 30 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.11.4-2
 - Security fix for CVE-2007-4559
 Resolves: rhbz#263261