Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python312 for openSUSE:Factory checked in at 2026-04-09 16:08:50

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python312 (Old)
 and      /work/SRC/openSUSE:Factory/.python312.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python312" Thu Apr 9 16:08:50 2026 rev:48 rq:1345203 version:3.12.13 Changes: -------- --- /work/SRC/openSUSE:Factory/python312/python312.changes 2026-04-01 19:52:31.613860909 +0200 +++ /work/SRC/openSUSE:Factory/.python312.new.21863/python312.changes 2026-04-09 16:21:39.078884328 +0200 @@ -1,0 +2,9 @@ +Thu Apr 2 13:55:57 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has + the same security model as open(). The documented limitations + ensure compatibility with non-filesystem loaders; Python + doesn't check that. (bsc#1259989, CVE-2026-3479, + gh#python/cpython#146121). + +------------------------------------------------------------------- New: ---- CVE-2026-3479-pkgutil_get_data.patch ----------(New B)---------- New: - Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has the same security model as open(). The documented limitations ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python312.spec ++++++ --- /var/tmp/diff_new_pack.TcxWNS/_old 2026-04-09 16:21:40.222931270 +0200 +++ /var/tmp/diff_new_pack.TcxWNS/_new 2026-04-09 16:21:40.226931434 +0200 @@ -216,6 +216,9 @@ # PATCH-FIX-UPSTREAM CVE-2026-4519-webbrowser-open-dashes.patch bsc#1260026 [email protected] # reject leading dashes in webbrowser URLs Patch63: CVE-2026-4519-webbrowser-open-dashes.patch +# PATCH-FIX-UPSTREAM CVE-2026-3479-pkgutil_get_data.patch bsc#1259989 [email protected] +# pkgutil.get_data() reject invalid resource arguments +Patch64: CVE-2026-3479-pkgutil_get_data.patch ### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2026-3479-pkgutil_get_data.patch ++++++ >From b99e2bfb8c1b1f61377193d51cf627689ec62606 Mon Sep 17 00:00:00 2001 
From: Stan Ulbrych <[email protected]> Date: Wed, 18 Mar 2026 17:31:01 +0000 Subject: [PATCH] gh-146121: `pkgutil.get_data()` reject invalid resource arguments (GH-146122) (cherry picked from commit bcdf231946b1da8bdfbab4c05539bb0cc964a1c7) Co-authored-by: Stan Ulbrych <[email protected]> --- Doc/library/pkgutil.rst | 25 +++++++++- Lib/pkgutil.py | 3 + Lib/test/test_pkgutil.py | 19 +++++++ Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst | 3 + 4 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst Index: Python-3.12.13/Doc/library/pkgutil.rst =================================================================== --- Python-3.12.13.orig/Doc/library/pkgutil.rst 2026-03-03 13:39:30.000000000 +0100 +++ Python-3.12.13/Doc/library/pkgutil.rst 2026-04-07 23:56:28.234986304 +0200 
@@ -191,24 +191,45 @@ :meth:`get_data <importlib.abc.ResourceLoader.get_data>` API. The *package* argument should be the name of a package, in standard module format (``foo.bar``). The *resource* argument should be in the form of a relative - filename, using ``/`` as the path separator. The parent directory name - ``..`` is not allowed, and nor is a rooted name (starting with a ``/``). + filename, using ``/`` as the path separator. The function returns a binary string that is the contents of the specified resource. + This function uses the :term:`loader` method + :func:`~importlib.abc.FileLoader.get_data` + to support modules installed in the filesystem, but also in zip files, + databases, or elsewhere. + For packages located in the filesystem, which have already been imported, this is the rough equivalent of:: d = os.path.dirname(sys.modules[package].__file__) data = open(os.path.join(d, resource), 'rb').read() + Like the :func:`open` function, :func:`!get_data` can follow parent + directories (``../``) and absolute paths (starting with ``/`` or ``C:/``, + for example). + + .. warning:: + + This function is intended for trusted input. + It does not verify that *resource* "belongs" to *package*. + + If you use a user-provided *resource* path, consider verifying it. + For example, require an alphanumeric filename with a known extension, or + install and check a list of known resources. + If the package cannot be located or loaded, or it uses a :term:`loader` which does not support :meth:`get_data <importlib.abc.ResourceLoader.get_data>`, then ``None`` is returned. In particular, the :term:`loader` for :term:`namespace packages <namespace package>` does not support :meth:`get_data <importlib.abc.ResourceLoader.get_data>`. + .. seealso:: + + The :mod:`importlib.resources` module provides structured access to + module resources. .. 
function:: resolve_name(name) Index: Python-3.12.13/Lib/pkgutil.py =================================================================== --- Python-3.12.13.orig/Lib/pkgutil.py 2026-04-07 23:56:05.837708559 +0200 +++ Python-3.12.13/Lib/pkgutil.py 2026-04-07 23:56:17.522189128 +0200 @@ -448,6 +448,9 @@ # signature - an os.path format "filename" starting with the dirname of # the package's __file__ parts = resource.split('/') + if os.path.isabs(resource) or '..' in parts: + raise ValueError("resource must be a relative path with no " + "parent directory components") parts.insert(0, os.path.dirname(mod.__file__)) resource_name = os.path.join(*parts) return loader.get_data(resource_name) Index: Python-3.12.13/Lib/test/test_pkgutil.py =================================================================== --- Python-3.12.13.orig/Lib/test/test_pkgutil.py 2026-04-07 23:56:07.533481940 +0200 +++ Python-3.12.13/Lib/test/test_pkgutil.py 2026-04-07 23:56:17.522457624 +0200 @@ -61,6 +61,25 @@ del sys.modules[pkg] + def test_getdata_path_traversal(self): + pkg = 'test_getdata_traversal' + + # Make a package with some resources + package_dir = os.path.join(self.dirname, pkg) + os.mkdir(package_dir) + # Empty init.py + f = open(os.path.join(package_dir, '__init__.py'), "wb") + f.close() + + with self.assertRaises(ValueError): + pkgutil.get_data(pkg, '../../../etc/passwd') + with self.assertRaises(ValueError): + pkgutil.get_data(pkg, 'sub/../../../etc/passwd') + with self.assertRaises(ValueError): + pkgutil.get_data(pkg, os.path.abspath('/etc/passwd')) + + del sys.modules[pkg] + def test_getdata_zipfile(self): zip = 'test_getdata_zipfile.zip' pkg = 'test_getdata_zipfile' Index: Python-3.12.13/Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst =================================================================== 
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.12.13/Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst 2026-04-07 23:56:17.522707896 +0200 @@ -0,0 +1,3 @@ +:func:`pkgutil.get_data` now raises rejects *resource* arguments containing the +parent directory components or that is an absolute path. +This addresses :cve:`2026-3479`. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.TcxWNS/_old 2026-04-09 16:21:40.398938492 +0200 +++ /var/tmp/diff_new_pack.TcxWNS/_new 2026-04-09 16:21:40.402938656 +0200 @@ -1,6 +1,6 @@ -mtime: 1774638495 -commit: 728d2eeb5ff26c6b39b0ed4b240254dbbbfc4d9869cb9fa899363dbf1dfadf80 +mtime: 1775599364 +commit: 3ee6958228363d684b7ec3e5ba178218792f15c4e524732fbe618a0e2d72e74a url: https://src.opensuse.org/python-interpreters/python312.git -revision: 728d2eeb5ff26c6b39b0ed4b240254dbbbfc4d9869cb9fa899363dbf1dfadf80 +revision: 3ee6958228363d684b7ec3e5ba178218792f15c4e524732fbe618a0e2d72e74a projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-08 00:03:11.000000000 +0200 @@ -0,0 +1,6 @@ +_build.* +*.obscpio +*.osc +.osc +.pbuild +python312-3.12.*-build
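Review bot: the python312.changes entry added in this request describes the upstream documentation-only rationale ("pkgutil.get_data() has the same security model as open(). The documented limitations ensure compatibility with non-filesystem loaders; Python doesn't check that"), while the patch it introduces adds a runtime check in Lib/pkgutil.py that raises ValueError for '..' components and absolute paths, and the Patch64 comment in python312.spec already says "reject invalid resource arguments". The two descriptions currently disagree; the changelog should state what the package now does, e.g. "pkgutil.get_data() now rejects resource arguments containing parent directory components or absolute paths (bsc#1259989, CVE-2026-3479, gh#python/cpython#146121)".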
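Review bot: the Doc/library/pkgutil.rst hunk contradicts the Lib/pkgutil.py hunk in the same patch. It deletes the sentence "The parent directory name ``..`` is not allowed, and nor is a rooted name (starting with a ``/``)" and adds "Like the :func:`open` function, :func:`!get_data` can follow parent directories (``../``) and absolute paths", but the code now raises ValueError for exactly those inputs. Keep the original restriction sentence, say that :exc:`ValueError` is raised, and add a ``.. versionchanged::`` note; the warning about user-provided *resource* values is still worth keeping, since the check is lexical and any file under the package directory remains readable. Minor: ``:func:`~importlib.abc.FileLoader.get_data``` refers to a method, so ``:meth:`` is the right role, matching the ``:meth:`get_data <importlib.abc.ResourceLoader.get_data>``` references already in the same section.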
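Review bot: the new check "if os.path.isabs(resource) or '..' in parts:" in the Lib/pkgutil.py hunk is purely lexical and only recognises '/' as a separator, because the preceding line is "parts = resource.split('/')". On Windows a resource such as '..\..\secret' therefore has no '..' element, passes the check, and os.path.join still walks out of the package directory; a drive-relative name such as 'D:file' is not absolute for os.path.isabs either and os.path.join discards the package directory for it. Consider a containment check on the joined result instead of, or in addition to, the lexical test, e.g.
    base = os.path.dirname(mod.__file__)
    if os.path.commonpath([base, os.path.normpath(resource_name)]) != base:
        raise ValueError("resource must stay within the package directory")
using normpath rather than realpath so that symlinked site-packages installs are not rejected. Note also that the check runs only after the package has been imported, so an untrusted *resource* still triggers a module import; that is unchanged behaviour, but worth stating next to the ValueError in the docs.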
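Review bot: test_getdata_path_traversal in Lib/test/test_pkgutil.py only exercises '/'-separated and POSIX-style absolute inputs. Add a Windows-only case (@unittest.skipUnless(sys.platform == 'win32', ...)) with a backslash-separated resource such as '..\..\secret' and a drive-relative one such as 'D:secret', which the current "'..' in parts" test does not catch because resource.split('/') never splits on a backslash, and add a positive case (create 'sub/data.txt' in the package and assert pkgutil.get_data(pkg, 'sub/data.txt') returns its contents) so the test also shows that ordinary nested resources still work after the check. Style: "f = open(os.path.join(package_dir, '__init__.py'), "wb")" followed by "f.close()" reads better as "with open(...): pass", or pathlib.Path(package_dir, '__init__.py').touch().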
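Review bot: the NEWS entry in Misc/NEWS.d/next/Security/2026-03-16-18-07-00.gh-issue-146121.vRbdro.rst reads "now raises rejects *resource* arguments containing the parent directory components or that is an absolute path", which is ungrammatical (stray "raises", spurious "the", singular "is" after a plural subject). Suggested wording: ":func:`pkgutil.get_data` now raises :exc:`ValueError` for *resource* arguments that contain parent directory components (``..``) or are absolute paths. This addresses :cve:`2026-3479`."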
