main/python3: security upgrade to 3.12.6

https://www.python.org/downloads/release/python-3126/
2024-09-20 11:23:16 +00:00 · 2024-09-08 01:07:34 +02:00 · 2024-09-08 01:07:34 +02:00 · 481c77bf27
commit 481c77bf27
parent eaffc23cee
2 changed files with 11 additions and 128 deletions
--- a/main/python3/APKBUILD
+++ b/main/python3/APKBUILD
@ -2,9 +2,9 @@
 # Contributor: Sheila Aman <sheila@vulpine.house>
 pkgname=python3
 # the python3-tkinter's pkgver needs to be synchronized with this.
-pkgver=3.12.5
+pkgver=3.12.6
 _basever="${pkgver%.*}"
-pkgrel=1
+pkgrel=0
 pkgdesc="High-level scripting language"
 url="https://www.python.org/"
 arch="all"
@ -46,14 +46,21 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
 	musl-find_library.patch
 	test_posix-nodev-disable.patch
 	fix-run_fileexflags-test.patch
-	CVE-2024-8088.patch
 	"
 options="net" # Required for tests
 builddir="$srcdir/Python-$pkgver"

 # secfixes:
+#   3.12.6-r0:
+#     - CVE-2015-2104
+#     - CVE-2023-27043
+#     - CVE-2024-4032
+#     - CVE-2024-6232
+#     - CVE-2024-7592
 #   3.12.5-r1:
 #     - CVE-2024-8088
+#   3.12.5-r0:
+#     - CVE-2024-6923
 #   3.11.5-r0:
 #     - CVE-2023-40217
 #   3.11.1-r0:
@ -252,10 +259,9 @@ pyc2() {
 }

 sha512sums="
-7a1c30d798434fe24697bc253f6010d75145e7650f66803328425c8525331b9fa6b63d12a652687582db205f8d4c8279c8f73c338168592481517b063351c921  Python-3.12.5.tar.xz
+e658b0d59b5cfdc591d626e8282b9945759f27ee6fbc8bcb8670737db32ffc11fb832dfed9b0e80188fb5f7f3f39fe6dd6191ab7736376453c9e248321e9b063  Python-3.12.6.tar.xz
 46dd8230ee2ab66e9c4157c10b2bd9c414fd7f30be0bee73e21a9eea88f63fff362d47828e0fc77ddc59df097b414b21505f8b5f98bc866381115c58ae3f4862  externally-managed
 ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2  musl-find_library.patch
 606cf7b3df0c81c90571c6bc65e4f07e065867739fa0d36e9c8e1ad2d6bcd64d265f90c4a7881880fc7e0c85eed94d1f72655a5c70d92ca63e5cc4bd3be8f145  test_posix-nodev-disable.patch
 0e1155b1976be46d68fe50161b9644ac272d95c51f44ada51a0fd67a0154df89833752e97cfc85e977b384fca82b58907c30405a103f3a33a1483b9f76ce632f  fix-run_fileexflags-test.patch
-60a3482b219154312d1ae929ba2b409627c9b08a387e0d7ed4c73e0ff97640a2b8a50eb9d347fb8dda136b7764617464826d14a988af789a1f032ed0badcdaf5  CVE-2024-8088.patch
 "
--- a/main/python3/CVE-2024-8088.patch
+++ b/main/python3/CVE-2024-8088.patch
@ -1,123 +0,0 @@
-From ee9f40523d9766f43ddf2c69a4b610dd09668375 Mon Sep 17 00:00:00 2001
-From: "Jason R. Coombs" <jaraco@jaraco.com>
-Date: Sun, 11 Aug 2024 19:48:50 -0400
-Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
-
-Ported from zipp 3.19.1; ref jaraco/zippGH-119.
-(cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932)
-
-Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
---
- Lib/test/test_zipfile/_path/test_path.py      | 17 +++++
- Lib/zipfile/_path/__init__.py                 | 64 ++++++++++++++++++-
- ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst |  1 +
- 3 files changed, 81 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-
-diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
-index 06d5aab69bd6d4..90885dbbe39b92 100644
--- a/Lib/test/test_zipfile/_path/test_path.py
-+++ b/Lib/test/test_zipfile/_path/test_path.py
-@@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep):
-         zipfile.Path(alpharep)
-         with self.assertRaises(KeyError):
-             alpharep.getinfo('does-not-exist')
-+
-+    def test_malformed_paths(self):
-+        """
-+        Path should handle malformed paths.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr("/one-slash.txt", b"content")
-+        zf.writestr("//two-slash.txt", b"content")
-+        zf.writestr("../parent.txt", b"content")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        assert list(map(str, root.iterdir())) == [
-+            'one-slash.txt',
-+            'two-slash.txt',
-+            'parent.txt',
-+        ]
-diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
-index 78c413563bb2b1..42f9fded21198e 100644
--- a/Lib/zipfile/_path/__init__.py
-+++ b/Lib/zipfile/_path/__init__.py
-@@ -83,7 +83,69 @@ def __setstate__(self, state):
-         super().__init__(*args, **kwargs)
- 
- 
-class CompleteDirs(InitializedState, zipfile.ZipFile):
-+class SanitizedNames:
-+    """
-+    ZipFile mix-in to ensure names are sanitized.
-+    """
-+
-+    def namelist(self):
-+        return list(map(self._sanitize, super().namelist()))
-+
-+    @staticmethod
-+    def _sanitize(name):
-+        r"""
-+        Ensure a relative path with posix separators and no dot names.
-+
-+        Modeled after
-+        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
-+        but provides consistent cross-platform behavior.
-+
-+        >>> san = SanitizedNames._sanitize
-+        >>> san('/foo/bar')
-+        'foo/bar'
-+        >>> san('//foo.txt')
-+        'foo.txt'
-+        >>> san('foo/.././bar.txt')
-+        'foo/bar.txt'
-+        >>> san('foo../.bar.txt')
-+        'foo../.bar.txt'
-+        >>> san('\\foo\\bar.txt')
-+        'foo/bar.txt'
-+        >>> san('D:\\foo.txt')
-+        'D/foo.txt'
-+        >>> san('\\\\server\\share\\file.txt')
-+        'server/share/file.txt'
-+        >>> san('\\\\?\\GLOBALROOT\\Volume3')
-+        '?/GLOBALROOT/Volume3'
-+        >>> san('\\\\.\\PhysicalDrive1\\root')
-+        'PhysicalDrive1/root'
-+
-+        Retain any trailing slash.
-+        >>> san('abc/')
-+        'abc/'
-+
-+        Raises a ValueError if the result is empty.
-+        >>> san('../..')
-+        Traceback (most recent call last):
-+        ...
-+        ValueError: Empty filename
-+        """
-+
-+        def allowed(part):
-+            return part and part not in {'..', '.'}
-+
-+        # Remove the drive letter.
-+        # Don't use ntpath.splitdrive, because that also strips UNC paths
-+        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
-+        clean = bare.replace('\\', '/')
-+        parts = clean.split('/')
-+        joined = '/'.join(filter(allowed, parts))
-+        if not joined:
-+            raise ValueError("Empty filename")
-+        return joined + '/' * name.endswith('/')
-+
-+
-+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
-     """
-     A ZipFile subclass that ensures that implied directories
-     are always included in the namelist.
-diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-new file mode 100644
-index 00000000000000..1be44c906c4f30
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-@@ -0,0 +1 @@
-+:class:`zipfile.Path` objects now sanitize names from the zipfile.