Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python310 for openSUSE:Factory checked in at 2023-03-05 20:07:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python310 (Old) and /work/SRC/openSUSE:Factory/.python310.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310" Sun Mar 5 20:07:48 2023 rev:29 rq:1068979 version:3.10.10 Changes: --------
--- /work/SRC/openSUSE:Factory/python310/python310.changes 2023-02-22 15:21:09.569715962 +0100
+++ /work/SRC/openSUSE:Factory/.python310.new.31432/python310.changes 2023-03-05 20:07:49.588656905 +0100
@@ -1,0 +2,10 @@
+Wed Mar 1 20:59:04 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.10.10:
+ Bug fixes and regressions handling, no change of behaviour and
+ no security bugs fixed.
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+ bsc#1208471) blocklists bypass via the urllib.parse component
+ when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
Old: ---- Python-3.10.9.tar.xz Python-3.10.9.tar.xz.asc New: ---- CVE-2023-24329-blank-URL-bypass.patch Python-3.10.10.tar.xz Python-3.10.10.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.60wzwI/_old 2023-03-05 20:07:50.672661915 +0100
+++ /var/tmp/diff_new_pack.60wzwI/_new 2023-03-05 20:07:50.676661934 +0100
@@ -103,7 +103,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.10.9
+Version: 3.10.10
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0 
@@ -166,6 +166,10 @@
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36: support-expat-CVE-2022-25236-patched.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch37: CVE-2023-24329-blank-URL-bypass.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -438,6 +442,7 @@
 %endif
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -633,7 +638,7 @@
 _posixsubprocess _queue _random resource select _ssl _socket spwd \
 _statistics _struct syslog termios _testbuffer _testimportmultiple \
 _testmultiphase unicodedata zlib _ctypes_test _testinternalcapi _testcapi \
- xxlimited xxlimited_35 \
+ _testclinic xxlimited xxlimited_35 \
 _xxtestfuzz _xxsubinterpreters _elementtree pyexpat _md5 _sha1 \
 _sha256 _sha512 _blake2 _sha3 _uuid _zoneinfo
 do
@@ -882,6 +887,7 @@
 %{dynlib _ctypes_test}
 %{dynlib _testbuffer}
 %{dynlib _testcapi}
+%{dynlib _testclinic}
 %{dynlib _testinternalcapi}
 %{dynlib _testimportmultiple}
 %{dynlib _testmultiphase}
++++++ CVE-2023-24329-blank-URL-bypass.patch ++++++
>From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
From: Ben Kallus <benjamin.p.kallus...@dartmouth.edu>
Date: Sat, 12 Nov 2022 15:43:33 -0500
Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
---
Lib/test/test_urlparse.py | 18 ++++++++++ Lib/urllib/parse.py | 2 - Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 + 3 files changed, 21 insertions(+), 1 deletion(-)
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
 with self.assertRaises(ValueError):
 p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if url.isascii():
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
 def test_attributes_without_netloc(self):
 # This example is straight from RFC 3261. It looks like it
 # should allow the username, hostname, and port to be filled
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
 clear_cache()
 netloc = query = fragment = ''
 i = url.find(':')
- if i > 0:
+ if i > 0 and url[0].isascii() and url[0].isalpha():
 for c in url[:i]:
 if c not in scheme_chars:
 break
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
++++++ Python-3.10.9.tar.xz -> Python-3.10.10.tar.xz ++++++ /work/SRC/openSUSE:Factory/python310/Python-3.10.9.tar.xz /work/SRC/openSUSE:Factory/.python310.new.31432/Python-3.10.10.tar.xz differ: char 27, line 1 ++++++ fix_configure_rst.patch ++++++
--- /var/tmp/diff_new_pack.60wzwI/_old 2023-03-05 20:07:50.820662599 +0100
+++ /var/tmp/diff_new_pack.60wzwI/_new 2023-03-05 20:07:50.824662618 +0100
@@ -29,7 +29,7 @@
 Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -3254,7 +3254,7 @@ C API
+@@ -3422,7 +3422,7 @@ C API
 -----
 - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
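Review bot: The loop variable `bytes` in the added test_attributes_bad_scheme shadows the builtin for the rest of the method, so a later edit that calls `bytes(...)` inside the loop would get the boolean instead; renaming it, `for as_bytes in (False, True):`, and updating `self.subTest(bytes=as_bytes, ...)` and the two `if as_bytes:` checks to match removes the trap. Every case asserts the same empty scheme, so a comment on the `for scheme in ...` line such as `# none of these starts with an ASCII letter, so both parsers must report no scheme` would say why these particular strings were chosen. test_attributes_without_netloc begins at the end of this hunk and its body continues outside it.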
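Review bot: The new condition on the `if i > 0` line only requires the first character of a candidate scheme to be an ASCII letter; nothing in this hunk strips leading blank characters, yet the patch file name and the package changelog describe the fix as closing a blocklist bypass for URLs that start with blanks, and the patch header reads `[PATCH 1/2]` with no second part visible in this commit, so the packaged fix may be incomplete against that description and should be checked against the full upstream series. When the check fails the scheme-scanning loop is skipped and the input is presumably handled as having no scheme rather than rejected, which is worth stating next to the condition; a comment such as `# RFC 3986 §3.1: a scheme must start with an ASCII letter; otherwise treat the URL as having no scheme` would make the new behaviour explicit. urlsplit's body begins before this hunk and continues after it.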