Security fix for CVE-2024-0450 and CVE-2023-6597

2024-04-24 22:11:14 +02:00 · 2024-04-24 22:11:14 +02:00 · ce66491a8a
commit ce66491a8a
parent c1a44dfbbd
3 changed files with 632 additions and 1 deletions
--- a/python3.6.spec
+++ b/python3.6.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 29%{?dist}
+Release: 30%{?dist}
 # Python is Python
 # pip MIT is and bundles:
 #   appdirs: MIT
@ -697,6 +697,25 @@ Patch422: 00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
 # bpo-33377: Add triplets for mips-r6 and riscv
 Patch423: 00423-bpo-33377-add-triplets-for-mips-r6-and-riscv.patch

+# 00426 # 05ddec93394a09199c3bbb2d71a4a2566fd50332
+# CVE-2023-6597
+#
+# Combines Two fixes for tempfile.TemporaryDirectory:
+# https://github.com/python/cpython/commit/e9b51c0ad81da1da11ae65840ac8b50a8521373c
+# https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a
+Patch426: 00426-cve-2023-6597.patch
+
+# 00427 # 37c3b42b8931ed4eca0272bf53086eb28ca8544e
+# ZipExtFile tell and seek, CVE-2024-0450
+#
+# Backport of seek and tell methods for ZipExtFile makes it
+# possible to backport the fix for CVE-2024-0450.
+#
+# Combines:
+# https://github.com/python/cpython/commit/066df4fd454d6ff9be66e80b2a65995b10af174f
+# https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
+Patch427: 00427-zipextfile-tell-and-seek-cve-2024-0450.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1960,6 +1979,9 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Wed Apr 24 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.15-30
+- Security fix for CVE-2024-0450 and CVE-2023-6597
+
 * Mon Mar 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-29
 - Support OpenSSL 3
 - Fixes: rhbz#2254550