Update to 3.6.12

Removes patches 351, 352 fixing CVEs since they are not necessary anymore.
2020-08-19 11:16:51 +02:00 · 2020-08-19 11:16:51 +02:00 · 1d1c841d30
commit 1d1c841d30
parent 015140f5f3
5 changed files with 11 additions and 164 deletions
--- a/00351-avoid-infinite-loop-in-the-tarfile-module.patch
+++ b/00351-avoid-infinite-loop-in-the-tarfile-module.patch
@ -1,67 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Wed, 15 Jul 2020 05:36:36 -0700
-Subject: [PATCH] 00351: Avoid infinite loop in the tarfile module
-
-Avoid infinite loop when reading specially crafted TAR files using the tarfile module
-(CVE-2019-20907).
-Fixed upstream: https://bugs.python.org/issue39017
---
- Lib/tarfile.py                                    |   2 ++
- Lib/test/recursion.tar                            | Bin 0 -> 516 bytes
- Lib/test/test_tarfile.py                          |   7 +++++++
- .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst      |   1 +
- 4 files changed, 10 insertions(+)
- create mode 100644 Lib/test/recursion.tar
- create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 62d22150f5..2ea47978ff 100755
--- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1231,6 +1231,8 @@ class TarInfo(object):
- 
-             length, keyword = match.groups()
-             length = int(length)
-+            if length == 0:
-+                raise InvalidHeaderError("invalid header")
-             value = buf[match.end(2) + 1:match.start(1) + length - 1]
- 
-             # Normally, we could just use "utf-8" as the encoding and "strict"
-diff --git a/Lib/test/recursion.tar b/Lib/test/recursion.tar
-new file mode 100644
-index 0000000000000000000000000000000000000000..b8237251964983f54ed1966297e887636cd0c5f4
-GIT binary patch
-literal 516
-zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e
-I1_}|j06>QaCIA2c
-
-literal 0
-HcmV?d00001
-
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 4cd7d5370f..573be812ea 100644
--- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -395,6 +395,13 @@ class CommonReadTest(ReadTest):
-                 with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
-                     tar.extractfile(t).read()
- 
-+    def test_length_zero_header(self):
-+        # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
-+        # with an exception
-+        with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
-+            with tarfile.open(support.findfile('recursion.tar')) as tar:
-+                pass
-+
- class MiscReadTestBase(CommonReadTest):
-     def requires_name_attribute(self):
-         pass
-diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-new file mode 100644
-index 0000000000..ad26676f8b
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-@@ -0,0 +1 @@
-+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
--- a/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
+++ b/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
@ -1,70 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
-Date: Wed, 1 Jul 2020 01:00:22 +0530
-Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and
- IPv6Interface
-
-CVE-2020-14422
-The hash() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation.
-Fixed upstream: https://bugs.python.org/issue41004
---
- Lib/ipaddress.py                                      |  4 ++--
- Lib/test/test_ipaddress.py                            | 11 +++++++++++
- .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst |  1 +
- 3 files changed, 14 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 583f02ad54..98492136ca 100644
--- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1418,7 +1418,7 @@ class IPv4Interface(IPv4Address):
-             return False
- 
-     def __hash__(self):
-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
- 
-     __reduce__ = _IPAddressBase.__reduce__
- 
-@@ -2092,7 +2092,7 @@ class IPv6Interface(IPv6Address):
-             return False
- 
-     def __hash__(self):
-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
- 
-     __reduce__ = _IPAddressBase.__reduce__
- 
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index 1cef4217bc..7de444af4a 100644
--- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -1990,6 +1990,17 @@ class IpaddrUnitTest(unittest.TestCase):
-                          sixtofouraddr.sixtofour)
-         self.assertFalse(bad_addr.sixtofour)
- 
-+    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+    def testV4HashIsNotConstant(self):
-+        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
-+        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
-+        self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
-+
-+    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+    def testV6HashIsNotConstant(self):
-+        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
-+        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
-+        self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
- 
- if __name__ == '__main__':
-     unittest.main()
-diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-new file mode 100644
-index 0000000000..f5a9db52ff
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-@@ -0,0 +1 @@
-+CVE-2020-14422: The __hash__() methods of  ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
--- a/00353-Original-names-for-architectures-with-different-name.patch
+++ b/00353-Original-names-for-architectures-with-different-name.patch
@ -25,10 +25,10 @@ a nightmare because it's basically a binary file.
 1 file changed, 29 insertions(+), 2 deletions(-)

 diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
-index 25a3f8c0e0..db4bb4d02d 100644
+index 9feec50842..60632a57bd 100644
 --- a/Lib/importlib/_bootstrap_external.py
 +++ b/Lib/importlib/_bootstrap_external.py
-@@ -1566,7 +1566,7 @@ def _get_supported_file_loaders():
+@@ -1361,7 +1361,7 @@ def _get_supported_file_loaders():
 
     Each item is a tuple (loader, suffixes).
     """
@ -37,7 +37,7 @@ index 25a3f8c0e0..db4bb4d02d 100644
     source = SourceFileLoader, SOURCE_SUFFIXES
     bytecode = SourcelessFileLoader, BYTECODE_SUFFIXES
     return [extensions, source, bytecode]
-@@ -1622,7 +1622,7 @@ def _setup(_bootstrap_module):
+@@ -1428,7 +1428,7 @@ def _setup(_bootstrap_module):
 
     # Constants
     setattr(self_module, '_relax_case', _make_relax_case())
@ -46,7 +46,7 @@ index 25a3f8c0e0..db4bb4d02d 100644
     if builtin_os == 'nt':
         SOURCE_SUFFIXES.append('.pyw')
         if '_d.pyd' in EXTENSION_SUFFIXES:
-@@ -1635,3 +1635,30 @@ def _install(_bootstrap_module):
+@@ -1441,3 +1441,30 @@ def _install(_bootstrap_module):
     supported_loaders = _get_supported_file_loaders()
     sys.path_hooks.extend([FileFinder.path_hook(*supported_loaders)])
     sys.meta_path.append(PathFinder)
--- a/python3.6.spec
+++ b/python3.6.spec
@ -13,11 +13,11 @@ URL: https://www.python.org/

 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.11
+%global general_version %{pybasever}.12
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: Python


@ -389,25 +389,6 @@ Patch294: 00294-define-TLS-cipher-suite-on-build-time.patch
 # https://github.com/python/cpython/commit/ac827edc493d3ac3f5b9b0cc353df1d4b418a9aa
 Patch343: 00343-faulthandler-gcc10.patch

-# 00351 # 62210578a7157342bd7cbf426f8934da31773c4d
-# Avoid infinite loop in the tarfile module
-#
-# Avoid infinite loop when reading specially crafted TAR files using the tarfile module
-# (CVE-2019-20907).
-# Fixed upstream: https://bugs.python.org/issue39017
-Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch
-
-# 00352 # 5253c417a23b3658fa115d2c72fa54b20293a31c
-# Resolve hash collisions for IPv4Interface and IPv6Interface
-#
-# CVE-2020-14422
-# The hash() methods of classes IPv4Interface and IPv6Interface had issue
-# of generating constant hash values of 32 and 128 respectively causing hash collisions.
-# The fix uses the hash() function to generate hash values for the objects
-# instead of XOR operation.
-# Fixed upstream: https://bugs.python.org/issue41004
-Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
-
 # 00353 # f3c11e227c715450b3c1e945a5004e84cce41a58
 # Original names for architectures with different names downstream
 #
@ -1597,6 +1578,9 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Wed Aug 19 2020 Tomas Hrnciar <thrnciar@redhat.com> - 3.6.12-1
+- Update to 3.6.12
+
 * Wed Aug 12 2020 Petr Viktorin <pviktori@redhat.com> - 3.6.11-5
 - In sys.version and initial REPL message, list the source commit as "default"

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (Python-3.6.11.tar.xz) = c76969a6602e095641ba5fd0999a47cf0187eb26559ba9a6e80fe401b8928f6cd9eabd963f615f7c667e48f56603f2508d2b5692c83ea8da1e21292131fb11d6
-SHA512 (Python-3.6.11.tar.xz.asc) = 917c64dc5d980c4b138315a4edaa48f23b684dfc662389b29536ac11a584e61e1c7d334d8b7b3ccbb6d1c814c1c75259ea2711fa5d2a8a67794d417cd8687ddf
+SHA512 (Python-3.6.12.tar.xz) = 1462801f3f6626a853097d34ccdca9838c4c5bd81ecc3abc751003f5f2f8d36eecdaa4130ef4218de351c5586093c11669639a34492668fbc5a2a4a241f4a070
+SHA512 (Python-3.6.12.tar.xz.asc) = 91d9ce0c471359f6aa3d5d5dcad7316ec6ed173f895a51e72b1853dc422fda57a00411c88fdc40a8e21888d964136b0b032e15b215c3b6c62ffc82bddc580860