Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python313 for openSUSE:Factory checked in at 2024-08-30 13:32:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python313 (Old) and /work/SRC/openSUSE:Factory/.python313.new.2698 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python313" Fri Aug 30 13:32:00 2024 rev:6 rq:1197482 version:3.13.0~rc1 Changes: -------- --- /work/SRC/openSUSE:Factory/python313/python313.changes 2024-08-10 19:14:00.369244481 +0200 +++ /work/SRC/openSUSE:Factory/.python313.new.2698/python313.changes 2024-08-30 13:33:05.556249469 +0200 @@ -1,0 +2,16 @@ +Thu Aug 29 14:46:39 UTC 2024 - Matej Cepl <mcepl@cepl.eu> + +- Add gh122136-test_asyncio-kernel-buffer-data.patch fixing + gh#python/cpython#122136 (changes in kernel provide different + amount of data in the socket buffers). +- Remove skip_test_abort_clients.patch, which is not needed any + more. + +------------------------------------------------------------------- +Wed Aug 28 16:54:34 UTC 2024 - Matej Cepl <mcepl@cepl.eu> + +- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent + malformed payload to cause infinite loops in zipfile.Path + (bsc#1229704, CVE-2024-8088). + +------------------------------------------------------------------- Old: ---- skip_test_abort_clients.patch New: ---- CVE-2024-8088-inf-loop-zipfile_Path.patch gh122136-test_asyncio-kernel-buffer-data.patch BETA DEBUG BEGIN: Old: amount of data in the socket buffers). - Remove skip_test_abort_clients.patch, which is not needed any more. BETA DEBUG END: BETA DEBUG BEGIN: New: - Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent malformed payload to cause infinite loops in zipfile.Path New: - Add gh122136-test_asyncio-kernel-buffer-data.patch fixing gh#python/cpython#122136 (changes in kernel provide different BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python313.spec ++++++ --- /var/tmp/diff_new_pack.9KECVM/_old 2024-08-30 13:33:06.624294242 +0200 +++ /var/tmp/diff_new_pack.9KECVM/_new 2024-08-30 13:33:06.624294242 +0200 @@ -177,15 +177,18 @@ # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mcepl@suse.com # remove duplicate link targets and make documentation with old Sphinx in SLE Patch10: fix_configure_rst.patch -# PATCH-FIX-UPSTREAM skip_test_abort_clients.patch gh#python/cpython#122136 mcepl@suse.com -# Not yet fixed failing test -Patch11: skip_test_abort_clients.patch # PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com # prevent email header injection, patch from gh#python/cpython!122608 Patch12: CVE-2024-6923-email-hdr-inject.patch # PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com # reproducibility patches Patch13: bso1227999-reproducible-builds.patch +# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704 mcepl@suse.com +# avoid denial of service in zipfile +Patch14: CVE-2024-8088-inf-loop-zipfile_Path.patch +# PATCH-FIX-UPSTREAM gh122136-test_asyncio-kernel-buffer-data.patch gh#python/cpython#122136 mcepl@suse.com +# test.test_asyncio.test_server.TestServer2.test_abort_clients fails because of changes in the kernel +Patch15: gh122136-test_asyncio-kernel-buffer-data.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes ++++++ CVE-2024-8088-inf-loop-zipfile_Path.patch ++++++ --- Lib/test/test_zipfile/_path/test_path.py | 78 ++++++++++ Lib/zipfile/_path/__init__.py | 18 ++ Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst | 3 4 files changed, 98 insertions(+), 2 deletions(-) --- a/Lib/test/test_zipfile/_path/test_path.py +++ b/Lib/test/test_zipfile/_path/test_path.py @@ -5,6 +5,7 @@ import pathlib import pickle import stat import sys +import time import unittest import zipfile import zipfile._path @@ -577,3 +578,80 @@ class TestPath(unittest.TestCase): zipfile.Path(alpharep) with self.assertRaises(KeyError): alpharep.getinfo('does-not-exist') + + def test_malformed_paths(self): + """ + Path should handle malformed paths gracefully. + + Paths with leading slashes are not visible. + + Paths with dots are treated like regular files. + """ + data = io.BytesIO() + zf = zipfile.ZipFile(data, "w") + zf.writestr("/one-slash.txt", b"content") + zf.writestr("//two-slash.txt", b"content") + zf.writestr("../parent.txt", b"content") + zf.filename = '' + root = zipfile.Path(zf) + assert list(map(str, root.iterdir())) == ['../'] + assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content' + + def test_unsupported_names(self): + """ + Path segments with special characters are readable. + + On some platforms or file systems, characters like + ``:`` and ``?`` are not allowed, but they are valid + in the zip file. + """ + data = io.BytesIO() + zf = zipfile.ZipFile(data, "w") + zf.writestr("path?", b"content") + zf.writestr("V: NMS.flac", b"fLaC...") + zf.filename = '' + root = zipfile.Path(zf) + contents = root.iterdir() + assert next(contents).name == 'path?' + assert next(contents).name == 'V: NMS.flac' + assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..." + + def test_backslash_not_separator(self): + """ + In a zip file, backslashes are not separators. + """ + data = io.BytesIO() + zf = zipfile.ZipFile(data, "w") + zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content") + zf.filename = '' + root = zipfile.Path(zf) + (first,) = root.iterdir() + assert not first.is_dir() + assert first.name == 'foo\\bar' + + +class DirtyZipInfo(zipfile.ZipInfo): + """ + Bypass name sanitization. + """ + + def __init__(self, filename, *args, **kwargs): + super().__init__(filename, *args, **kwargs) + self.filename = filename + + @classmethod + def for_name(cls, name, archive): + """ + Construct the same way that ZipFile.writestr does. + + TODO: extract this functionality and re-use + """ + self = cls(filename=name, date_time=time.localtime(time.time())[:6]) + self.compress_type = archive.compression + self.compress_level = archive.compresslevel + if self.filename.endswith('/'): # pragma: no cover + self.external_attr = 0o40775 << 16 # drwxrwxr-x + self.external_attr |= 0x10 # MS-DOS directory flag + else: + self.external_attr = 0o600 << 16 # ?rw------- + return self --- a/Lib/zipfile/_path/__init__.py +++ b/Lib/zipfile/_path/__init__.py @@ -1,3 +1,12 @@ +""" +A Path-like interface for zipfiles. + +This codebase is shared between zipfile.Path in the stdlib +and zipp in PyPI. See +https://github.com/python/importlib_metadata/wiki/Development-Methodology +for more detail. +""" + import io import posixpath import zipfile @@ -36,7 +45,7 @@ def _parents(path): def _ancestry(path): """ Given a path with elements separated by - posixpath.sep, generate all elements of that path + posixpath.sep, generate all elements of that path. >>> list(_ancestry('b/d')) ['b/d', 'b'] @@ -48,9 +57,14 @@ def _ancestry(path): ['b'] >>> list(_ancestry('')) [] + + Multiple separators are treated like a single. + + >>> list(_ancestry('//b//d///f//')) + ['//b//d///f', '//b//d', '//b'] """ path = path.rstrip(posixpath.sep) - while path and path != posixpath.sep: + while path.rstrip(posixpath.sep): yield path path, tail = posixpath.split(path) --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst @@ -0,0 +1 @@ +:class:`zipfile.Path` objects now sanitize names from the zipfile. --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst @@ -0,0 +1,3 @@ +Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` +causing infinite loops (gh-122905) without breaking contents using +legitimate characters. ++++++ gh122136-test_asyncio-kernel-buffer-data.patch ++++++ From 235fbc05dcbca5cb5f7f0cd836317b8426e33243 Mon Sep 17 00:00:00 2001 From: Petr Viktorin <encukou@gmail.com> Date: Wed, 28 Aug 2024 22:36:42 +0200 Subject: [PATCH] gh-122136: test_asyncio: Don't fail if the kernel buffers more data than advertised (GH-123423) (cherry picked from commit b379f1b26c1e89c8e9160b4dede61b980cc77be6) Co-authored-by: Petr Viktorin <encukou@gmail.com> --- Lib/test/test_asyncio/test_server.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/Lib/test/test_asyncio/test_server.py b/Lib/test/test_asyncio/test_server.py index 4ca8a166a0f1a1..60a40cc8349fed 100644 --- a/Lib/test/test_asyncio/test_server.py +++ b/Lib/test/test_asyncio/test_server.py @@ -227,7 +227,7 @@ async def serve(rd, wr): (s_rd, s_wr) = await fut - # Limit the socket buffers so we can reliably overfill them + # Limit the socket buffers so we can more reliably overfill them s_sock = s_wr.get_extra_info('socket') s_sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 65536) c_sock = c_wr.get_extra_info('socket') @@ -242,10 +242,18 @@ async def serve(rd, wr): await asyncio.sleep(0) # Get the writer in a waiting state by sending data until the - # socket buffers are full on both server and client sockets and - # the kernel stops accepting more data - s_wr.write(b'a' * c_sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)) - s_wr.write(b'a' * s_sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF)) + # kernel stops accepting more data in the send buffer. + # gh-122136: getsockopt() does not reliably report the buffer size + # available for message content. + # We loop until we start filling up the asyncio buffer. + # To avoid an infinite loop we cap at 10 times the expected value + c_bufsize = c_sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF) + s_bufsize = s_sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF) + for i in range(10): + s_wr.write(b'a' * c_bufsize) + s_wr.write(b'a' * s_bufsize) + if s_wr.transport.get_write_buffer_size() > 0: + break self.assertNotEqual(s_wr.transport.get_write_buffer_size(), 0) task = asyncio.create_task(srv.wait_closed())