Hello community,

here is the log from the commit of package python311 for openSUSE:Factory checked in at 2026-03-17 19:02:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python311 (Old)
 and      /work/SRC/openSUSE:Factory/.python311.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python311" Tue Mar 17 19:02:50 2026 rev:65 rq:1339368 version:3.11.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python311/python311.changes 2026-03-10 17:46:51.727569808 +0100 +++ /work/SRC/openSUSE:Factory/.python311.new.8177/python311.changes 2026-03-17 19:04:11.871926549 +0100 @@ -1,0 +2,7 @@ +Fri Mar 13 18:20:40 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch + ensuring that `SourcelessFileLoader` uses `io.open_code` when + opening `.pyc` files (bsc#1259240, CVE-2026-2297). + +------------------------------------------------------------------- New: ---- CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ----------(New B)---------- New: - Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ensuring that `SourcelessFileLoader` uses `io.open_code` when ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python311.spec ++++++ --- /var/tmp/diff_new_pack.qfTU2Y/_old 2026-03-17 19:04:13.055975618 +0100 +++ /var/tmp/diff_new_pack.qfTU2Y/_new 2026-03-17 19:04:13.055975618 +0100 @@ -197,6 +197,9 @@ # PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 [email protected] # Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346 Patch36: CVE-2025-12781-b64decode-alt-chars.patch +# PATCH-FIX-UPSTREAM CVE-2026-2297-SourcelessFileLoader-io_open_code.patch bsc#1259240 [email protected] +# Ensure SourcelessFileLoader uses io.open_code +Patch37: CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2026-2297-SourcelessFileLoader-io_open_code.patch ++++++ >From f2f8c864616950bd1d47c3171b8c1cc13e789eb0 Mon Sep 17 00:00:00 2001 
From: Steve Dower <[email protected]> Date: Wed, 4 Mar 2026 19:55:52 +0000 Subject: [PATCH 1/2] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (cherry picked from commit a51b1b512de1d56b3714b65628a2eae2b07e535e) Co-authored-by: Steve Dower <[email protected]> --- Lib/importlib/_bootstrap_external.py | 2 +- .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py index e53f6acf38fc64..588da3c7ad1517 100644 --- a/Lib/importlib/_bootstrap_external.py +++ b/Lib/importlib/_bootstrap_external.py @@ -1126,7 +1126,7 @@ def get_filename(self, fullname): def get_data(self, path): """Return the data from path as raw bytes.""" - if isinstance(self, (SourceLoader, ExtensionFileLoader)): + if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)): with _io.open_code(str(path)) as file: return file.read() else: diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst new file mode 100644 index 00000000000000..dcdb44d4fae4e5 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst @@ -0,0 +1,2 @@ +Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses +:func:`io.open_code` when opening ``.pyc`` files. >From 8754167e89691c33f840a55b69217617cd70dccf Mon Sep 17 00:00:00 2001 From: Steve Dower <[email protected]> Date: Wed, 4 Mar 2026 19:59:52 +0000 Subject: [PATCH 2/2] Fix docs reference --- .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst index dcdb44d4fae4e5..edeb9e640c2732 100644 --- a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst +++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst @@ -1,2 +1,2 @@ -Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses +Fixes CVE-2026-2297 by ensuring that ``SourcelessFileLoader`` uses :func:`io.open_code` when opening ``.pyc`` files. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.qfTU2Y/_old 2026-03-17 19:04:13.191981254 +0100 +++ /var/tmp/diff_new_pack.qfTU2Y/_new 2026-03-17 19:04:13.195981420 +0100 @@ -1,6 +1,6 @@ -mtime: 1773012376 -commit: d7ebe637040a7e6c1bfcffabb6db9df0a7a1929436fd74800abe4cf637e26fb5 +mtime: 1773430428 +commit: aa2e2453b7ad3d536b3a0076a8c0e352571114da4d90654280c4d5b57ce511ce url: https://src.opensuse.org/python-interpreters/python311.git -revision: d7ebe637040a7e6c1bfcffabb6db9df0a7a1929436fd74800abe4cf637e26fb5 +revision: aa2e2453b7ad3d536b3a0076a8c0e352571114da4d90654280c4d5b57ce511ce projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ --- old/.gitignore 2026-03-09 00:26:32.000000000 +0100 +++ new/.gitignore 2026-03-13 20:34:04.000000000 +0100 @@ -1 +1,8 @@ .osc +*.obscpio +*.osc +_build.* +.pbuild +*.orig +*.rej +python311-*-build/ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-13 20:34:04.000000000 +0100 @@ -0,0 +1,8 @@ +.osc +*.obscpio +*.osc +_build.* +.pbuild +*.orig +*.rej +python311-*-build/
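Review bot: In the python311.spec hunk, the comment above Patch37 carries the bsc number but no upstream reference, while the Patch36 comment directly above it ends with gh#python/cpython#125346. The patch header names gh-145506 and GH-145507, so appending gh#python/cpython#145506 to the "Ensure SourcelessFileLoader uses io.open_code" line would keep the entries consistent and make the upstream fix traceable from the spec file.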
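Review bot: The get_data() change in Lib/importlib/_bootstrap_external.py ships without a regression test; the diffstat of patch 1/2 lists only _bootstrap_external.py and the NEWS entry. A test that loads a sourceless .pyc and asserts the read went through io.open_code would guard the fix. The isinstance tuple is also an allowlist, so any loader type not named in it still takes the else branch; a comment at the else stating which loaders are expected there would make the next omission easier to spot.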
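Review bot: In the .gitignore hunk, the existing `.osc` entry and the added `*.osc` overlap, since a gitignore `*` also matches an empty prefix and so `*.osc` already covers `.osc`. Keeping only one of the two would avoid the duplicate; if `*.osc` was meant to cover something other than the osc working directory, a comment line saying what would help.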
