Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python310 for openSUSE:Factory checked in at 2024-11-03 07:16:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python310 (Old) and /work/SRC/openSUSE:Factory/.python310.new.2020 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python310" Sun Nov 3 07:16:58 2024 rev:51 rq:1220124 version:3.10.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python310/python310.changes 2024-10-25 19:19:45.506916344 +0200 +++ /work/SRC/openSUSE:Factory/.python310.new.2020/python310.changes 2024-11-03 07:16:59.874415304 +0100 @@ -1,0 +2,6 @@ +Fri Nov 1 21:38:45 UTC 2024 - Matej Cepl <mcepl@cepl.eu> + +- Update CVE-2024-9287-venv_path_unquoted.patch according to the + upstream PR gh#python/cpython!126301. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ CVE-2024-9287-venv_path_unquoted.patch ++++++ --- /var/tmp/diff_new_pack.NHBX1v/_old 2024-11-03 07:17:01.218470843 +0100 +++ /var/tmp/diff_new_pack.NHBX1v/_new 2024-11-03 07:17:01.222471007 +0100 
@@ -1,32 +1,31 @@ -From b6a3bbd155c558cdcda482629073e492437db3d0 Mon Sep 17 00:00:00 2001 -From: y5c4l3 <y5c4l3@proton.me> -Date: Sat, 28 Sep 2024 02:09:07 +0800 -Subject: [PATCH] Quote template strings in `venv` activation scripts +From 21139b45039a72e8346bdc32d498345ef174ba92 Mon Sep 17 00:00:00 2001 +From: Victor Stinner <vstinner@python.org> +Date: Fri, 1 Nov 2024 14:11:47 +0100 +Subject: [PATCH] [3.11] gh-124651: Quote template strings in `venv` activation + scripts (GH-124712) (GH-126185) (#126269) -This patch properly quotes template strings in `venv` activation -scripts. This mitigates potential command injection. - -Signed-off-by: y5c4l3 <y5c4l3@proton.me> +(cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97) --- Lib/test/test_venv.py | 81 ++++++++++ Lib/venv/__init__.py | 42 ++++- - Lib/venv/scripts/common/activate | 6 + Lib/venv/scripts/common/activate | 8 Lib/venv/scripts/nt/activate.bat | 6 - Lib/venv/scripts/posix/activate.csh | 6 + Lib/venv/scripts/posix/activate.csh | 8 + Lib/venv/scripts/posix/activate.fish | 8 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst | 1 - 6 files changed, 128 insertions(+), 14 deletions(-) + 7 files changed, 134 insertions(+), 20 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst --- a/Lib/test/test_venv.py +++ b/Lib/test/test_venv.py -@@ -10,6 +10,7 @@ import ensurepip - import os - import os.path - import re -+import shlex - import shutil - import struct +@@ -15,6 +15,7 @@ import struct import subprocess + import sys + import tempfile ++import shlex + from test.support import (captured_stdout, captured_stderr, requires_zlib, + skip_if_broken_multiprocessing_synchronize) + from test.support.os_helper import (can_symlink, EnvironmentVarGuard, rmtree) @@ -85,6 +86,10 @@ class BaseTest(unittest.TestCase): result = f.read() return result 
@@ -178,14 +177,14 @@ return text def install_scripts(self, context, path): -@@ -409,6 +440,7 @@ class EnvBuilder: +@@ -408,6 +439,7 @@ class EnvBuilder: + with open(srcfile, 'rb') as f: data = f.read() if not srcfile.endswith(('.exe', '.pdb')): ++ context.script_path = srcfile try: -+ context.script_path = srcfile data = data.decode('utf-8') data = self.replace_variables(data, context) - data = data.encode('utf-8') --- a/Lib/venv/scripts/common/activate +++ b/Lib/venv/scripts/common/activate @@ -38,11 +38,11 @@ deactivate () { @@ -202,15 +201,18 @@ export PATH # unset PYTHONHOME if set -@@ -55,7 +55,7 @@ fi +@@ -55,9 +55,9 @@ fi if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then _OLD_VIRTUAL_PS1="${PS1:-}" - PS1="__VENV_PROMPT__${PS1:-}" + PS1=__VENV_PROMPT__"${PS1:-}" export PS1 - VIRTUAL_ENV_PROMPT="__VENV_PROMPT__" +- VIRTUAL_ENV_PROMPT="__VENV_PROMPT__" ++ VIRTUAL_ENV_PROMPT=__VENV_PROMPT__ export VIRTUAL_ENV_PROMPT + fi + --- a/Lib/venv/scripts/nt/activate.bat +++ b/Lib/venv/scripts/nt/activate.bat @@ -8,7 +8,7 @@ if defined _OLD_CODEPAGE ( @@ -222,27 +224,20 @@ if not defined PROMPT set PROMPT=$P$G -@@ -16,7 +16,7 @@ if defined _OLD_VIRTUAL_PROMPT set PROMP - if defined _OLD_VIRTUAL_PYTHONHOME set PYTHONHOME=%_OLD_VIRTUAL_PYTHONHOME% - - set _OLD_VIRTUAL_PROMPT=%PROMPT% --set PROMPT=__VENV_PROMPT__%PROMPT% -+set "PROMPT=__VENV_PROMPT__%PROMPT%" - - if defined PYTHONHOME set _OLD_VIRTUAL_PYTHONHOME=%PYTHONHOME% - set PYTHONHOME= -@@ -24,7 +24,7 @@ set PYTHONHOME= +@@ -24,8 +24,8 @@ set PYTHONHOME= if defined _OLD_VIRTUAL_PATH set PATH=%_OLD_VIRTUAL_PATH% if not defined _OLD_VIRTUAL_PATH set _OLD_VIRTUAL_PATH=%PATH% -set PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH% +-set VIRTUAL_ENV_PROMPT=__VENV_PROMPT__ +set "PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH%" - set VIRTUAL_ENV_PROMPT=__VENV_PROMPT__ ++set "VIRTUAL_ENV_PROMPT=__VENV_PROMPT__" :END + if defined _OLD_CODEPAGE ( --- a/Lib/venv/scripts/posix/activate.csh 
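Review bot: The relocated `context.script_path = srcfile` on the new side of the Lib/venv/__init__.py hunk carries no comment explaining why a per-file path is stashed on the shared context object right before the decode/replace sequence, and nothing inside the hunk consumes it, so a reader of install_scripts (which starts and ends outside this hunk) cannot tell whether the attribute is load-bearing. I would add above the assignment: `# Record which script is being rendered; replace_variables presumably selects per-shell quoting from its suffix — confirm against replace_variables`. Moving the store out of the `try` is harmless in itself, since a plain attribute assignment cannot raise the errors the (out-of-hunk) except clauses are there for, but a comment is the only thing that stops someone moving it back or dropping it during the next rebase.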
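Review bot: On the new side of the Lib/venv/scripts/common/activate hunk, `VIRTUAL_ENV_PROMPT=__VENV_PROMPT__` and `PS1=__VENV_PROMPT__"${PS1:-}"` only work if the substituted value already arrives shell-quoted (presumably via shlex.quote, judging by the `import shlex` added to test_venv.py earlier in this patch), yet the template records nothing about that contract. A bare placeholder sitting next to a quoted `"${PS1:-}"` looks like an oversight, and the obvious "fix" of re-adding quotes would either put literal quote characters in the prompt or, if someone also strips the Python-side quoting, reopen the injection this CVE patch closes. I would add a one-line header comment to the template such as `# __VENV_*__ placeholders are substituted by venv with values already quoted for this shell; do not wrap them in quotes here.` The same comment belongs in the csh and fish templates touched later in this patch.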
+++ b/Lib/venv/scripts/posix/activate.csh -@@ -8,16 +8,16 @@ alias deactivate 'test $?_OLD_VIRTUAL_PA +@@ -8,17 +8,17 @@ alias deactivate 'test $?_OLD_VIRTUAL_PA # Unset irrelevant variables. deactivate nondestructive @@ -258,10 +253,43 @@ if (! "$?VIRTUAL_ENV_DISABLE_PROMPT") then - set prompt = "__VENV_PROMPT__$prompt" +- setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__" + set prompt = __VENV_PROMPT__"$prompt" - setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__" ++ setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__ endif + alias pydoc python -m pydoc +--- a/Lib/venv/scripts/posix/activate.fish ++++ b/Lib/venv/scripts/posix/activate.fish +@@ -33,10 +33,10 @@ end + # Unset irrelevant variables. + deactivate nondestructive + +-set -gx VIRTUAL_ENV "__VENV_DIR__" ++set -gx VIRTUAL_ENV __VENV_DIR__ + + set -gx _OLD_VIRTUAL_PATH $PATH +-set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH ++set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH + + # Unset PYTHONHOME if set. + if set -q PYTHONHOME +@@ -56,7 +56,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT" + set -l old_status $status + + # Output the venv prompt; color taken from the blue of the Python logo. +- printf "%s%s%s" (set_color 4B8BBE) "__VENV_PROMPT__" (set_color normal) ++ printf "%s%s%s" (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal) + + # Restore the return status of the previous command. + echo "exit $old_status" | . +@@ -65,5 +65,5 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT" + end + + set -gx _OLD_FISH_PROMPT_OVERRIDE "$VIRTUAL_ENV" +- set -gx VIRTUAL_ENV_PROMPT "__VENV_PROMPT__" ++ set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__ + end --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst @@ -0,0 +1 @@
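Review bot: The new side of the Lib/venv/scripts/nt/activate.bat hunk drops the inner hunk that wrapped `set PROMPT=__VENV_PROMPT__%PROMPT%` in `set "..."`, so after this revision activate.bat still contains one unquoted interpolation of `__VENV_PROMPT__` while `PATH` and `VIRTUAL_ENV_PROMPT` a few lines below are quoted. Whether that is an actual gap depends on how replace_variables substitutes values for `.bat` scripts, which is outside this diff; if the prompt is inserted verbatim, a `&` or `|` in it is a command separator on that `set` line, and `set "..."` does not help against an embedded `"` either. If the drop is deliberate (tracking upstream's 3.11 backport exactly), a sentence in the .changes entry or the patch header saying so would spare the next reviewer from re-deriving it; otherwise carry the previous revision's `set "PROMPT=__VENV_PROMPT__%PROMPT%"` line forward.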