Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python310 for openSUSE:Factory checked in at 2023-06-22 23:24:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python310 (Old) and /work/SRC/openSUSE:Factory/.python310.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310"
Thu Jun 22 23:24:50 2023 rev:32 rq:1094243 version:3.10.11
Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes 2023-05-30 22:02:07.578898517 +0200
+++ /work/SRC/openSUSE:Factory/.python310.new.15902/python310.changes 2023-06-22 23:24:56.369668004 +0200
@@ -2 +2 @@
-Sun Apr 30 18:19:01 UTC 2023 - Matej Cepl <mc...@suse.com>
+Tue Jun 20 21:39:58 UTC 2023 - Matej Cepl <mc...@suse.com>
@@ -4 +4,2 @@
-- Why in the world we download from HTTP?
+- Add bpo-37596-make-set-marshalling.patch making marshalling of
+ `set` and `frozenset` deterministic (bsc#1211765).
New:
----
bpo-37596-make-set-marshalling.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.Yj9Ovz/_old 2023-06-22 23:24:57.485665171 +0200
+++ /var/tmp/diff_new_pack.Yj9Ovz/_new 2023-06-22 23:24:57.485665171 +0200
@@ -173,6 +173,9 @@
 # PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mc...@suse.com
 # PEP 706 â Filter for tarfile.extractall
 Patch38: CVE-2007-4559-filter-tarfile_extractall.patch
+# PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mc...@suse.com
+# Make `set` and `frozenset` marshalling deterministic
+Patch39: bpo-37596-make-set-marshalling.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -432,7 +435,6 @@
 %prep
 %setup -q -n %{tarname}
 %patch02 -p1
-
 %patch06 -p1
 %patch07 -p1
 %patch08 -p1
@@ -447,6 +449,7 @@
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
++++++ CVE-2007-4559-filter-tarfile_extractall.patch ++++++
++++ 757 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/python310/CVE-2007-4559-filter-tarfile_extractall.patch
++++ and /work/SRC/openSUSE:Factory/.python310.new.15902/CVE-2007-4559-filter-tarfile_extractall.patch
++++++ bpo-37596-make-set-marshalling.patch ++++++
>From 33d95c6facdfda3c8c0feffa7a99184e4abc2f63 Mon Sep 17 00:00:00 2001
From: Brandt Bucher <bra...@python.org>
Date: Wed, 25 Aug 2021 04:14:34 -0700
Subject: [PATCH] bpo-37596: Make `set` and `frozenset` marshalling deterministic (GH-27926)
---
 Lib/test/test_marshal.py | 26 ++++++++
 Misc/NEWS.d/next/Library/2021-08-23-21-39-59.bpo-37596.ojRcwB.rst | 2
 Python/marshal.c | 32 ++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2021-08-23-21-39-59.bpo-37596.ojRcwB.rst
--- a/Lib/test/test_marshal.py
+++ b/Lib/test/test_marshal.py
@@ -1,5 +1,6 @@
 from test import support
 from test.support import os_helper
+from test.support.script_helper import assert_python_ok
 import array
 import io
 import marshal
@@ -318,6 +319,31 @@ class BugsTestCase(unittest.TestCase):
 for i in range(len(data)):
 self.assertRaises(EOFError, marshal.loads, data[0: i])
+ def test_deterministic_sets(self):
+ # bpo-37596: To support reproducible builds, sets and frozensets need to
+ # have their elements serialized in a consistent order (even when they
+ # have been scrambled by hash randomization):
+ for kind in ("set", "frozenset"):
+ for elements in (
+ "float('nan'), b'a', b'b', b'c', 'x', 'y', 'z'",
+ # Also test for bad interactions with backreferencing:
+ "('string', 1), ('string', 2), ('string', 3)",
+ ):
+ s = f"{kind}([{elements}])"
+ with self.subTest(s):
+ # First, make sure that our test case still has different
+ # orders under hash seeds 0 and 1. If this check fails, we
+ # need to update this test with different elements:
+ args = ["-c", f"print({s})"]
+ _, repr_0, _ = assert_python_ok(*args, PYTHONHASHSEED="0")
+ _, repr_1, _ = assert_python_ok(*args, PYTHONHASHSEED="1")
+ self.assertNotEqual(repr_0, repr_1)
+ # Then, perform the actual test:
+ args = ["-c", f"import marshal; print(marshal.dumps({s}))"]
+ _, dump_0, _ = assert_python_ok(*args, PYTHONHASHSEED="0")
+ _, dump_1, _ = assert_python_ok(*args, PYTHONHASHSEED="1")
+ self.assertEqual(dump_0, dump_1)
+
 LARGE_SIZE = 2**31
 pointer_size = 8 if sys.maxsize > 0xFFFFFFFF else 4
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-08-23-21-39-59.bpo-37596.ojRcwB.rst
@@ -0,0 +1,2 @@
+Ensure that :class:`set` and :class:`frozenset` objects are always
+:mod:`marshalled <marshal>` reproducibly.
--- a/Python/marshal.c
+++ b/Python/marshal.c
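Review bot: The two `args` / `assert_python_ok` pairs in `test_deterministic_sets` repeat the same run-under-two-hash-seeds pattern, which hides the actual assertions among the plumbing. A small local helper keeps the guard and the real check side by side: `def under_seeds(code): return [assert_python_ok("-c", code, PYTHONHASHSEED=seed)[1] for seed in ("0", "1")]`, then `repr_0, repr_1 = under_seeds(f"print({s})")` and `dump_0, dump_1 = under_seeds(f"import marshal; print(marshal.dumps({s}))")`. Each subTest spawns four interpreters, so a comment on the helper is also the natural place to say why the test is comparatively slow.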
@@ -502,9 +502,41 @@ w_complex_object(PyObject *v, char flag,
 W_TYPE(TYPE_SET, p);
 n = PySet_GET_SIZE(v);
 W_SIZE(n, p);
+ // bpo-37596: To support reproducible builds, sets and frozensets need
+ // to have their elements serialized in a consistent order (even when
+ // they have been scrambled by hash randomization). To ensure this, we
+ // use an order equivalent to sorted(v, key=marshal.dumps):
+ PyObject *pairs = PyList_New(0);
+ if (pairs == NULL) {
+ p->error = WFERR_NOMEMORY;
+ return;
+ }
 while (_PySet_NextEntry(v, &pos, &value, &hash)) {
+ PyObject *dump = PyMarshal_WriteObjectToString(value, p->version);
+ if (dump == NULL) {
+ p->error = WFERR_UNMARSHALLABLE;
+ goto anyset_done;
+ }
+ PyObject *pair = PyTuple_Pack(2, dump, value);
+ Py_DECREF(dump);
+ if (pair == NULL || PyList_Append(pairs, pair)) {
+ p->error = WFERR_NOMEMORY;
+ Py_XDECREF(pair);
+ goto anyset_done;
+ }
+ Py_DECREF(pair);
+ }
+ if (PyList_Sort(pairs)) {
+ p->error = WFERR_NOMEMORY;
+ goto anyset_done;
+ }
+ for (Py_ssize_t i = 0; i < n; i++) {
+ PyObject *pair = PyList_GET_ITEM(pairs, i);
+ value = PyTuple_GET_ITEM(pair, 1);
 w_object(value, p);
 }
+ anyset_done:
+ Py_DECREF(pairs);
 }
 else if (PyCode_Check(v)) {
 PyCodeObject *co = (PyCodeObject *)v;
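Review bot: The `if (PyList_Sort(pairs))` branch maps every sort failure to `WFERR_NOMEMORY`, but sorting `(dump, value)` tuples can fail for a reason other than allocation: when two distinct members produce byte-identical dumps, tuple comparison falls through to comparing the values themselves, and an unorderable pair raises TypeError, which the caller then presumably sees reported as an out-of-memory condition. Distinct members with identical dumps are unusual (objects that are unequal only because they contain a NaN look like one such case), so this is an edge case rather than a common path, but the misreport makes such a failure hard to diagnose. A cheap hardening is to make the sort key unambiguous so `value` is never compared — for example packing a per-member index as the second tuple item and the value third — or to map the failure to `WFERR_UNMARSHALLABLE` so the reported error matches what happened. The surrounding `w_complex_object` body starts before and continues after this hunk.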