mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2024-09-20 11:23:16 +00:00
main/python3: security upgrade to 3.12.6
https://www.python.org/downloads/release/python-3126/
This commit is contained in:
parent
eaffc23cee
commit
481c77bf27
2 changed files with 11 additions and 128 deletions
|
@ -2,9 +2,9 @@
|
|||
# Contributor: Sheila Aman <sheila@vulpine.house>
|
||||
pkgname=python3
|
||||
# the python3-tkinter's pkgver needs to be synchronized with this.
|
||||
pkgver=3.12.5
|
||||
pkgver=3.12.6
|
||||
_basever="${pkgver%.*}"
|
||||
pkgrel=1
|
||||
pkgrel=0
|
||||
pkgdesc="High-level scripting language"
|
||||
url="https://www.python.org/"
|
||||
arch="all"
|
||||
|
@ -46,14 +46,21 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
|
|||
musl-find_library.patch
|
||||
test_posix-nodev-disable.patch
|
||||
fix-run_fileexflags-test.patch
|
||||
CVE-2024-8088.patch
|
||||
"
|
||||
options="net" # Required for tests
|
||||
builddir="$srcdir/Python-$pkgver"
|
||||
|
||||
# secfixes:
|
||||
# 3.12.6-r0:
|
||||
# - CVE-2015-2104
|
||||
# - CVE-2023-27043
|
||||
# - CVE-2024-4032
|
||||
# - CVE-2024-6232
|
||||
# - CVE-2024-7592
|
||||
# 3.12.5-r1:
|
||||
# - CVE-2024-8088
|
||||
# 3.12.5-r0:
|
||||
# - CVE-2024-6923
|
||||
# 3.11.5-r0:
|
||||
# - CVE-2023-40217
|
||||
# 3.11.1-r0:
|
||||
|
@ -252,10 +259,9 @@ pyc2() {
|
|||
}
|
||||
|
||||
sha512sums="
|
||||
7a1c30d798434fe24697bc253f6010d75145e7650f66803328425c8525331b9fa6b63d12a652687582db205f8d4c8279c8f73c338168592481517b063351c921 Python-3.12.5.tar.xz
|
||||
e658b0d59b5cfdc591d626e8282b9945759f27ee6fbc8bcb8670737db32ffc11fb832dfed9b0e80188fb5f7f3f39fe6dd6191ab7736376453c9e248321e9b063 Python-3.12.6.tar.xz
|
||||
46dd8230ee2ab66e9c4157c10b2bd9c414fd7f30be0bee73e21a9eea88f63fff362d47828e0fc77ddc59df097b414b21505f8b5f98bc866381115c58ae3f4862 externally-managed
|
||||
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
|
||||
606cf7b3df0c81c90571c6bc65e4f07e065867739fa0d36e9c8e1ad2d6bcd64d265f90c4a7881880fc7e0c85eed94d1f72655a5c70d92ca63e5cc4bd3be8f145 test_posix-nodev-disable.patch
|
||||
0e1155b1976be46d68fe50161b9644ac272d95c51f44ada51a0fd67a0154df89833752e97cfc85e977b384fca82b58907c30405a103f3a33a1483b9f76ce632f fix-run_fileexflags-test.patch
|
||||
60a3482b219154312d1ae929ba2b409627c9b08a387e0d7ed4c73e0ff97640a2b8a50eb9d347fb8dda136b7764617464826d14a988af789a1f032ed0badcdaf5 CVE-2024-8088.patch
|
||||
"
|
||||
|
|
|
@ -1,123 +0,0 @@
|
|||
From ee9f40523d9766f43ddf2c69a4b610dd09668375 Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Sun, 11 Aug 2024 19:48:50 -0400
|
||||
Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
|
||||
|
||||
Ported from zipp 3.19.1; ref jaraco/zippGH-119.
|
||||
(cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932)
|
||||
|
||||
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
|
||||
---
|
||||
Lib/test/test_zipfile/_path/test_path.py | 17 +++++
|
||||
Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++-
|
||||
...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 +
|
||||
3 files changed, 81 insertions(+), 1 deletion(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
|
||||
|
||||
diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
|
||||
index 06d5aab69bd6d4..90885dbbe39b92 100644
|
||||
--- a/Lib/test/test_zipfile/_path/test_path.py
|
||||
+++ b/Lib/test/test_zipfile/_path/test_path.py
|
||||
@@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep):
|
||||
zipfile.Path(alpharep)
|
||||
with self.assertRaises(KeyError):
|
||||
alpharep.getinfo('does-not-exist')
|
||||
+
|
||||
+ def test_malformed_paths(self):
|
||||
+ """
|
||||
+ Path should handle malformed paths.
|
||||
+ """
|
||||
+ data = io.BytesIO()
|
||||
+ zf = zipfile.ZipFile(data, "w")
|
||||
+ zf.writestr("/one-slash.txt", b"content")
|
||||
+ zf.writestr("//two-slash.txt", b"content")
|
||||
+ zf.writestr("../parent.txt", b"content")
|
||||
+ zf.filename = ''
|
||||
+ root = zipfile.Path(zf)
|
||||
+ assert list(map(str, root.iterdir())) == [
|
||||
+ 'one-slash.txt',
|
||||
+ 'two-slash.txt',
|
||||
+ 'parent.txt',
|
||||
+ ]
|
||||
diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
|
||||
index 78c413563bb2b1..42f9fded21198e 100644
|
||||
--- a/Lib/zipfile/_path/__init__.py
|
||||
+++ b/Lib/zipfile/_path/__init__.py
|
||||
@@ -83,7 +83,69 @@ def __setstate__(self, state):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
|
||||
-class CompleteDirs(InitializedState, zipfile.ZipFile):
|
||||
+class SanitizedNames:
|
||||
+ """
|
||||
+ ZipFile mix-in to ensure names are sanitized.
|
||||
+ """
|
||||
+
|
||||
+ def namelist(self):
|
||||
+ return list(map(self._sanitize, super().namelist()))
|
||||
+
|
||||
+ @staticmethod
|
||||
+ def _sanitize(name):
|
||||
+ r"""
|
||||
+ Ensure a relative path with posix separators and no dot names.
|
||||
+
|
||||
+ Modeled after
|
||||
+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
|
||||
+ but provides consistent cross-platform behavior.
|
||||
+
|
||||
+ >>> san = SanitizedNames._sanitize
|
||||
+ >>> san('/foo/bar')
|
||||
+ 'foo/bar'
|
||||
+ >>> san('//foo.txt')
|
||||
+ 'foo.txt'
|
||||
+ >>> san('foo/.././bar.txt')
|
||||
+ 'foo/bar.txt'
|
||||
+ >>> san('foo../.bar.txt')
|
||||
+ 'foo../.bar.txt'
|
||||
+ >>> san('\\foo\\bar.txt')
|
||||
+ 'foo/bar.txt'
|
||||
+ >>> san('D:\\foo.txt')
|
||||
+ 'D/foo.txt'
|
||||
+ >>> san('\\\\server\\share\\file.txt')
|
||||
+ 'server/share/file.txt'
|
||||
+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
|
||||
+ '?/GLOBALROOT/Volume3'
|
||||
+ >>> san('\\\\.\\PhysicalDrive1\\root')
|
||||
+ 'PhysicalDrive1/root'
|
||||
+
|
||||
+ Retain any trailing slash.
|
||||
+ >>> san('abc/')
|
||||
+ 'abc/'
|
||||
+
|
||||
+ Raises a ValueError if the result is empty.
|
||||
+ >>> san('../..')
|
||||
+ Traceback (most recent call last):
|
||||
+ ...
|
||||
+ ValueError: Empty filename
|
||||
+ """
|
||||
+
|
||||
+ def allowed(part):
|
||||
+ return part and part not in {'..', '.'}
|
||||
+
|
||||
+ # Remove the drive letter.
|
||||
+ # Don't use ntpath.splitdrive, because that also strips UNC paths
|
||||
+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
|
||||
+ clean = bare.replace('\\', '/')
|
||||
+ parts = clean.split('/')
|
||||
+ joined = '/'.join(filter(allowed, parts))
|
||||
+ if not joined:
|
||||
+ raise ValueError("Empty filename")
|
||||
+ return joined + '/' * name.endswith('/')
|
||||
+
|
||||
+
|
||||
+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
|
||||
"""
|
||||
A ZipFile subclass that ensures that implied directories
|
||||
are always included in the namelist.
|
||||
diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
|
||||
new file mode 100644
|
||||
index 00000000000000..1be44c906c4f30
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
|
||||
@@ -0,0 +1 @@
|
||||
+:class:`zipfile.Path` objects now sanitize names from the zipfile.
|
Loading…
Reference in a new issue