Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python310 for openSUSE:Factory checked in at 2022-10-28 19:28:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and      /work/SRC/openSUSE:Factory/.python310.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310" Fri Oct 28 19:28:30 2022 rev:23 rq:1031406 version:3.10.8 Changes: -------- --- /work/SRC/openSUSE:Factory/python310/python310.changes 2022-09-21 14:38:57.797177688 +0200 +++ /work/SRC/openSUSE:Factory/.python310.new.2275/python310.changes 2022-10-28 19:28:32.146332077 +0200 
@@ -1,0 +2,118 @@ +Fri Oct 21 10:14:03 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Add 98437-sphinx.locale._-as-gettext-in-pyspecific.patch to + allow building of documentation with the latest Sphinx 5.3.0 + (gh#python/cpython#98366). + +------------------------------------------------------------------- +Wed Oct 19 07:12:23 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Update to 3.10.8: + - Fix multiplying a list by an integer (list *= int): detect + the integer overflow when the new allocated length is close + to the maximum size. + - Fix a shell code injection vulnerability in the + get-remote-certificate.py example script. The script no + longer uses a shell to run openssl commands. (originally + filed as CVE-2022-37460, later withdrawn) + - Fix command line parsing: reject -X int_max_str_digits option + with no value (invalid) when the PYTHONINTMAXSTRDIGITS + environment variable is set to a valid limit. + - When ValueError is raised if an integer is larger than the + limit, mention the sys.set_int_max_str_digits() function in + the error message. + - The deprecated mailcap module now refuses to inject unsafe + text (filenames, MIME types, parameters) into shell + commands. Instead of using such text, it will warn and act + as if a match was not found (or for test commands, as if the + test failed). + - os.sched_yield() now release the GIL while calling + sched_yield(2). + - Bugfix: PyFunction_GetAnnotations() should return a borrowed + reference. It was returning a new reference. + - Fixed a missing incref/decref pair in + Exception.__setstate__(). + - Fix overly-broad source position information for chained + comparisons used as branching conditions. + - Fix undefined behaviour in _testcapimodule.c. + - At Python exit, sometimes a thread holding the GIL can + wait forever for a thread (usually a daemon thread) which + requested to drop the GIL, whereas the thread already + exited. 
To fix the race condition, the thread which requested + the GIL drop now resets its request before exiting. + - Fix a possible assertion failure, fatal error, or SystemError + if a line tracing event raises an exception while opcode + tracing is enabled. + - Fix undefined behaviour in C code of null pointer arithmetic. + - Do not expose KeyWrapper in _functools. + - When loading a file with invalid UTF-8 inside a multi-line + string, a correct SyntaxError is emitted. + - Disable incorrect pickling of the C implemented classmethod + descriptors. + - Fix AttributeError missing name and obj attributes in . + object.__getattribute__() bpo-42316: Document some places . + where an assignment expression needs parentheses . + - Wrap network errors consistently in urllib FTP support, so + the test suite doesn???t fail when a network is available but + the public internet is not reachable. + - Fixes AttributeError when subprocess.check_output() is used + with argument input=None and either of the arguments encoding + or errors are used. + - Avoid spurious tracebacks from asyncio when default executor + cleanup is delayed until after the event loop is closed (e.g. + as the result of a keyboard interrupt). + - Avoid a crash in the C version of + asyncio.Future.remove_done_callback() when an evil argument + is passed. + - Remove tokenize.NL check from tabnanny. + - Make Semaphore run faster. + - Fix generation of the default name of + tkinter.Checkbutton. Previously, checkbuttons in different + parent widgets could have the same short name and share + the same state if arguments ???name??? and ???variable??? are not + specified. Now they are globally unique. + - Update bundled libexpat to 2.4.9 + - Fix race condition in asyncio where process_exited() called + before the pipe_data_received() leading to inconsistent + output. + - Fixed check in multiprocessing.resource_tracker that + guarantees that the length of a write to a pipe is not + greater than PIPE_BUF. 
+ - Corrected type annotation for dataclass attribute + pstats.FunctionProfile.ncalls to be str. + - Fix the faulthandler implementation of + faulthandler.register(signal, chain=True) if the sigaction() + function is not available: don???t call the previous signal + handler if it???s NULL. + - In inspect, fix overeager replacement of ???typing.??? in + formatting annotations. + - Fix asyncio.streams.StreamReaderProtocol to keep a strong + reference to the created task, so that it???s not garbage + collected + - Fix handling compiler warnings (SyntaxWarning and + DeprecationWarning) in codeop.compile_command() when checking + for incomplete input. Previously it emitted warnings and + raised a SyntaxError. Now it always returns None for + incomplete input without emitting any warnings. + - Fixed flickering of the turtle window when the tracer is + turned off. + - Allow asyncio.StreamWriter.drain() to be awaited concurrently + by multiple tasks. + - Fix broken asyncio.Semaphore when acquire is cancelled. + - Fix ast.unparse() when ImportFrom.level is None + - Improve performance of urllib.request.getproxies_environment + when there are many environment variables + - Fix ! in c domain ref target syntax via a conf.py patch, so + it works as intended to disable ref target resolution. + - Clarified the conflicting advice given in the ast + documentation about ast.literal_eval() being ???safe??? for use + on untrusted input while at the same time warning that it + can crash the process. The latter statement is true and is + deemed unfixable without a large amount of work unsuitable + for a bugfix. So we keep the warning and no longer claim that + literal_eval is safe. + - Update tutorial introduction output to use 3.10+ SyntaxError + invalid range. +- Remove upstreamed test-int-timing.patch. 
+ +------------------------------------------------------------------- Old: ---- Python-3.10.7.tar.xz Python-3.10.7.tar.xz.asc test-int-timing.patch New: ---- 98437-sphinx.locale._-as-gettext-in-pyspecific.patch Python-3.10.8.tar.xz Python-3.10.8.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++ --- /var/tmp/diff_new_pack.sNFFkY/_old 2022-10-28 19:28:34.390343330 +0200 +++ /var/tmp/diff_new_pack.sNFFkY/_new 2022-10-28 19:28:34.450343631 +0200 @@ -67,7 +67,7 @@ %define tarversion %{version} %endif # We don't process beta signs well -%define folderversion 3.10.7 +%define folderversion %{tarversion} %define tarname Python-%{tarversion} %define sitedir %{_libdir}/python%{python_version} # three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149 @@ -103,7 +103,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.10.7 +Version: 3.10.8 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -169,8 +169,9 @@ # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mc...@suse.com # avoid the command injection in the mailcap module. Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch -# PATCH-FIX-UPSTREAM gh-96710: Make the test timing more lenient for the int/str DoS regression test. (#96717) -Patch38: test-int-timing.patch +# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mc...@suse.com +# this patch makes things totally awesome +Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes ++++++ 98437-sphinx.locale._-as-gettext-in-pyspecific.patch ++++++ >From 5775f51691d7d64fb676586e008b41261ce64ac2 Mon Sep 17 00:00:00 2001 
From: "Matt.Wang" <mattwan...@gmail.com> Date: Wed, 19 Oct 2022 14:49:08 +0800 Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for backward-compatibility in pyspecific.py [why] spinix 5.3 changed locale.translators from a defaultdict(gettext.NullTranslations) to a dict, which leads to failure of pyspecific.py. Use sphinx.locale._ as gettext to fix the issue. --- Doc/tools/extensions/pyspecific.py | 8 ++++---- Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) --- a/Doc/tools/extensions/pyspecific.py +++ b/Doc/tools/extensions/pyspecific.py @@ -26,7 +26,7 @@ try: from sphinx.errors import NoUri except ImportError: from sphinx.environment import NoUri -from sphinx.locale import translators +from sphinx.locale import _ as sphinx_gettext from sphinx.util import status_iterator, logging from sphinx.util.nodes import split_explicit_title from sphinx.writers.text import TextWriter, TextTranslator @@ -109,7 +109,7 @@ class ImplementationDetail(Directive): def run(self): self.assert_has_content() pnode = nodes.compound(classes=['impl-detail']) - label = translators['sphinx'].gettext(self.label_text) + label = sphinx_gettext(self.label_text) content = self.content add_text = nodes.strong(label, label) self.state.nested_parse(content, self.content_offset, pnode) @@ -203,7 +203,7 @@ class AuditEvent(Directive): else: args = [] - label = translators['sphinx'].gettext(self._label[min(2, len(args))]) + label = sphinx_gettext(self._label[min(2, len(args))]) text = label.format(name="``{}``".format(name), args=", ".join("``{}``".format(a) for a in args if a)) 
@@ -382,7 +382,7 @@ class DeprecatedRemoved(Directive): else: label = self._removed_label - label = translators['sphinx'].gettext(label) + label = sphinx_gettext(label) text = label.format(deprecated=self.arguments[0], removed=self.arguments[1]) if len(self.arguments) == 3: inodes, messages = self.state.inline_text(self.arguments[2], --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst @@ -0,0 +1 @@ +Use sphinx.locale._ as the gettext function in pyspecific.py. ++++++ CVE-2015-20107-mailcap-unsafe-filenames.patch ++++++ --- /var/tmp/diff_new_pack.sNFFkY/_old 2022-10-28 19:28:34.626344514 +0200 +++ /var/tmp/diff_new_pack.sNFFkY/_new 2022-10-28 19:28:34.662344695 +0200 @@ -5,17 +5,16 @@ filenames/types/params --- - Doc/library/mailcap.rst | 12 ++++ - Lib/mailcap.py | 26 +++++++++- - Lib/test/test_mailcap.py | 8 ++- - Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 + - 4 files changed, 46 insertions(+), 4 deletions(-) + Doc/library/mailcap.rst | 12 ++++++++++ + Lib/mailcap.py | 5 ++++ + Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++ + 3 files changed, 21 insertions(+) --- a/Doc/library/mailcap.rst +++ b/Doc/library/mailcap.rst -@@ -60,6 +60,18 @@ standard. However, mailcap files are su - use) to determine whether or not the mailcap line applies. :func:`findmatch` - will automatically check such conditions and skip the entry if the check fails. +@@ -27,6 +27,18 @@ The mailcap format is documented in :rfc + Mechanism For Multimedia Mail Format Information", but is not an internet + standard. However, mailcap files are supported on most Unix systems. + .. versionchanged:: 3.11 + @@ -30,21 +29,13 @@ + ``findmatch`` will ignore all mailcap entries which use that value. + A :mod:`warning <warnings>` will be raised in either case. - .. function:: getcaps() + .. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[]) --- a/Lib/mailcap.py 
+++ b/Lib/mailcap.py -@@ -2,6 +2,7 @@ - - import os - import warnings -+import re - - __all__ = ["getcaps","findmatch"] - -@@ -13,6 +14,11 @@ def lineno_sort_key(entry): - else: - return 1, 0 +@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001 + class UnsafeMailcapInput(Warning): + """Warning raised when refusing unsafe input""" +_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search + 
@@ -54,79 +45,6 @@ # Part 1: top-level interface. -@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view' - entry to use. - - """ -+ if _find_unsafe(filename): -+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None, None - entries = lookup(caps, MIMEtype, key) - # XXX This code should somehow check for the needsterminal flag. - for e in entries: - if 'test' in e: - test = subst(e['test'], filename, plist) -+ if test is None: -+ continue - if test and os.system(test) != 0: - continue - command = subst(e[key], MIMEtype, filename, plist) -- return command, e -+ if command is not None: -+ return command, e - return None, None - - def lookup(caps, MIMEtype, key=None): -@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli - elif c == 's': - res = res + filename - elif c == 't': -+ if _find_unsafe(MIMEtype): -+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None - res = res + MIMEtype - elif c == '{': - start = i -@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli - i = i+1 - name = field[start:i] - i = i+1 -- res = res + findparam(name, plist) -+ param = findparam(name, plist) -+ if _find_unsafe(param): -+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None -+ res = res + param - # XXX To do: - # %n == number of parts if type is multipart/* - # %F == list of alternating type and filename for parts ---- a/Lib/test/test_mailcap.py -+++ b/Lib/test/test_mailcap.py -@@ -123,7 +123,8 @@ class HelperFunctionTest(unittest.TestCa - (["", "audio/*", "foo.txt"], ""), - (["echo foo", "audio/*", "foo.txt"], "echo foo"), - (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), -- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), -+ (["echo %t", "audio/*", "foo.txt"], None), -+ (["echo 
%t", "audio/wav", "foo.txt"], "echo audio/wav"), - (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), - (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), - (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") -@@ -207,7 +208,10 @@ class FindmatchTest(unittest.TestCase): - ('"An audio fragment"', audio_basic_entry)), - ([c, "audio/*"], - {"filename": fname}, -- ("/usr/local/bin/showaudio audio/*", audio_entry)), -+ (None, None)), -+ ([c, "audio/wav"], -+ {"filename": fname}, -+ ("/usr/local/bin/showaudio audio/wav", audio_entry)), - ([c, "message/external-body"], - {"plist": plist}, - ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst @@ -0,0 +1,4 @@ ++++++ Python-3.10.7.tar.xz -> Python-3.10.8.tar.xz ++++++ /work/SRC/openSUSE:Factory/python310/Python-3.10.7.tar.xz /work/SRC/openSUSE:Factory/.python310.new.2275/Python-3.10.8.tar.xz differ: char 27, line 1 ++++++ fix_configure_rst.patch ++++++ --- /var/tmp/diff_new_pack.sNFFkY/_old 2022-10-28 19:28:34.858345677 +0200 +++ /var/tmp/diff_new_pack.sNFFkY/_new 2022-10-28 19:28:34.862345697 +0200 @@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional --- a/Misc/NEWS +++ b/Misc/NEWS -@@ -2783,7 +2783,7 @@ C API +@@ -2979,7 +2979,7 @@ C API ----- - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name ++++++ subprocess-raise-timeout.patch ++++++ --- /var/tmp/diff_new_pack.sNFFkY/_old 2022-10-28 19:28:34.994346359 +0200 +++ /var/tmp/diff_new_pack.sNFFkY/_new 2022-10-28 19:28:34.998346379 +0200 @@ -4,7 +4,7 @@ --- a/Lib/test/test_subprocess.py +++ b/Lib/test/test_subprocess.py -@@ -261,7 +261,8 @@ class ProcessTestCase(BaseTestCase): +@@ -267,7 +267,8 @@ class ProcessTestCase(BaseTestCase): "time.sleep(3600)"], # Some heavily loaded buildbots (sparc Debian 3.x) require # this much time to start and print.
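Review bot: In the python310.changes hunk, the 3.10.8 entry fuses two upstream items: "Fix AttributeError missing name and obj attributes in . object.__getattribute__() bpo-42316: Document some places . where an assignment expression needs parentheses ." carries stray periods and a bpo-42316 item with no "-" bullet of its own. Split it into two list items. The entry also records "Remove upstreamed test-int-timing.patch" but says nothing about CVE-2015-20107-mailcap-unsafe-filenames.patch, which is refreshed in this same commit; add a line for that refresh so the security patch history stays traceable from the changelog.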
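Review bot: In the python310.spec hunk at @@ -67,7, the comment "# We don't process beta signs well" is left above a definition that no longer hard-codes the version. It was the only explanation for the literal 3.10.7; with "%define folderversion %{tarversion}" it either no longer applies or describes a case the new definition gets wrong. Reword the comment to say when folderversion and tarversion may differ, or drop it.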
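Review bot: In the python310.spec hunk at @@ -169,8, the description line added for Patch38, "# this patch makes things totally awesome", says nothing about the patch. Replace it with the purpose already given in the changelog entry, that is, allowing the documentation to build with Sphinx 5.3.0 (gh#python/cpython#98366), so the PATCH-FIX-UPSTREAM tag is followed by a usable description like the one Patch37 has.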
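Review bot: The header of 98437-sphinx.locale._-as-gettext-in-pyspecific.patch reads "Subject: [PATCH 1/2]", but only this one commit is carried in the package. Confirm that the second commit of the series is not needed for the documentation build, and say so in the spec comment for Patch38, or add it. The three call sites in ImplementationDetail, AuditEvent and DeprecatedRemoved are switched consistently from translators['sphinx'].gettext(...) to sphinx_gettext(...), so no further change is needed inside the hunks themselves.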
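Review bot: In the refreshed CVE-2015-20107-mailcap-unsafe-filenames.patch, the one remaining Lib/mailcap.py hunk still adds "_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search", while its own header "@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001" and the context line "class UnsafeMailcapInput(Warning):" show that the 3.10.8 source already contains both. The refresh removed every hunk that added the checks in findmatch() and subst() and the Lib/test/test_mailcap.py changes, and the 3.10.8 changelog lists the mailcap fix as part of the upstream release, so what is left is a second definition of _find_unsafe, a documentation note and a NEWS file. Drop Patch37 from the spec rather than carrying this remainder. If the documentation hunk is kept for some reason, note that it adds ".. versionchanged:: 3.11" to a 3.10 package.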