diff --git a/main/python3/APKBUILD b/main/python3/APKBUILD
index 16b4a850255..322748f435a 100644
--- a/main/python3/APKBUILD
+++ b/main/python3/APKBUILD
@@ -2,9 +2,9 @@
 # Contributor: Sheila Aman
 pkgname=python3
 # the python3-tkinter's pkgver needs to be synchronized with this.
-pkgver=3.12.5
+pkgver=3.12.6
 _basever="${pkgver%.*}"
-pkgrel=1
+pkgrel=0
 pkgdesc="High-level scripting language"
 url="https://www.python.org/"
 arch="all"
@@ -46,14 +46,21 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
 musl-find_library.patch
 test_posix-nodev-disable.patch
 fix-run_fileexflags-test.patch
- CVE-2024-8088.patch
 "
 options="net" # Required for tests
 builddir="$srcdir/Python-$pkgver"
 
 # secfixes:
+# 3.12.6-r0:
+# - CVE-2015-2104
+# - CVE-2023-27043
+# - CVE-2024-4032
+# - CVE-2024-6232
+# - CVE-2024-7592
 # 3.12.5-r1:
 # - CVE-2024-8088
+# 3.12.5-r0:
+# - CVE-2024-6923
 # 3.11.5-r0:
 # - CVE-2023-40217
 # 3.11.1-r0:
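Review bot: In the new `3.12.6-r0:` secfixes entry, `CVE-2015-2104` is a 2015 identifier listed among fixes that are otherwise from 2023–2024, and since this block is what the distribution's security tracker consumes, each of the five ids is worth confirming against the upstream 3.12.6 release notes before merge. Dropping `CVE-2024-8088.patch` from `source=` (and its checksum in the sha512sums hunk) is only correct if the 3.12.6 tarball carries the upstream gh-122905 fix that the patch backported; nothing in the hunk records that, so a one-line comment next to the `3.12.5-r1:` entry or in the commit message, such as `# CVE-2024-8088: fixed upstream as of 3.12.6, backport patch dropped`, would keep the audit trail intact. The `source=` list opens before this hunk.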
@@ -252,10 +259,9 @@ pyc2() {
 }
 
 sha512sums="
-7a1c30d798434fe24697bc253f6010d75145e7650f66803328425c8525331b9fa6b63d12a652687582db205f8d4c8279c8f73c338168592481517b063351c921 Python-3.12.5.tar.xz
+e658b0d59b5cfdc591d626e8282b9945759f27ee6fbc8bcb8670737db32ffc11fb832dfed9b0e80188fb5f7f3f39fe6dd6191ab7736376453c9e248321e9b063 Python-3.12.6.tar.xz
 46dd8230ee2ab66e9c4157c10b2bd9c414fd7f30be0bee73e21a9eea88f63fff362d47828e0fc77ddc59df097b414b21505f8b5f98bc866381115c58ae3f4862 externally-managed
 ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
 606cf7b3df0c81c90571c6bc65e4f07e065867739fa0d36e9c8e1ad2d6bcd64d265f90c4a7881880fc7e0c85eed94d1f72655a5c70d92ca63e5cc4bd3be8f145 test_posix-nodev-disable.patch
 0e1155b1976be46d68fe50161b9644ac272d95c51f44ada51a0fd67a0154df89833752e97cfc85e977b384fca82b58907c30405a103f3a33a1483b9f76ce632f fix-run_fileexflags-test.patch
-60a3482b219154312d1ae929ba2b409627c9b08a387e0d7ed4c73e0ff97640a2b8a50eb9d347fb8dda136b7764617464826d14a988af789a1f032ed0badcdaf5 CVE-2024-8088.patch
 "
diff --git a/main/python3/CVE-2024-8088.patch b/main/python3/CVE-2024-8088.patch
deleted file mode 100644
index 9d8be7763cb..00000000000
--- a/main/python3/CVE-2024-8088.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From ee9f40523d9766f43ddf2c69a4b610dd09668375 Mon Sep 17 00:00:00 2001
-From: "Jason R. Coombs"
-Date: Sun, 11 Aug 2024 19:48:50 -0400
-Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
-
-Ported from zipp 3.19.1; ref jaraco/zippGH-119.
-(cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932)
-
-Co-authored-by: Jason R. Coombs
----
- Lib/test/test_zipfile/_path/test_path.py | 17 +++++
- Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++-
- ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 +
- 3 files changed, 81 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-
-diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
-index 06d5aab69bd6d4..90885dbbe39b92 100644
---- a/Lib/test/test_zipfile/_path/test_path.py
-+++ b/Lib/test/test_zipfile/_path/test_path.py
-@@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep):
- zipfile.Path(alpharep)
- with self.assertRaises(KeyError):
- alpharep.getinfo('does-not-exist')
-+
-+ def test_malformed_paths(self):
-+ """
-+ Path should handle malformed paths.
-+ """
-+ data = io.BytesIO()
-+ zf = zipfile.ZipFile(data, "w")
-+ zf.writestr("/one-slash.txt", b"content")
-+ zf.writestr("//two-slash.txt", b"content")
-+ zf.writestr("../parent.txt", b"content")
-+ zf.filename = ''
-+ root = zipfile.Path(zf)
-+ assert list(map(str, root.iterdir())) == [
-+ 'one-slash.txt',
-+ 'two-slash.txt',
-+ 'parent.txt',
-+ ]
-diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
-index 78c413563bb2b1..42f9fded21198e 100644
---- a/Lib/zipfile/_path/__init__.py
-+++ b/Lib/zipfile/_path/__init__.py
-@@ -83,7 +83,69 @@ def __setstate__(self, state):
- super().__init__(*args, **kwargs)
-
-
--class CompleteDirs(InitializedState, zipfile.ZipFile):
-+class SanitizedNames:
-+ """
-+ ZipFile mix-in to ensure names are sanitized.
-+ """
-+
-+ def namelist(self):
-+ return list(map(self._sanitize, super().namelist()))
-+
-+ @staticmethod
-+ def _sanitize(name):
-+ r"""
-+ Ensure a relative path with posix separators and no dot names.
-+
-+ Modeled after
-+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
-+ but provides consistent cross-platform behavior.
-+
-+ >>> san = SanitizedNames._sanitize
-+ >>> san('/foo/bar')
-+ 'foo/bar'
-+ >>> san('//foo.txt')
-+ 'foo.txt'
-+ >>> san('foo/.././bar.txt')
-+ 'foo/bar.txt'
-+ >>> san('foo../.bar.txt')
-+ 'foo../.bar.txt'
-+ >>> san('\\foo\\bar.txt')
-+ 'foo/bar.txt'
-+ >>> san('D:\\foo.txt')
-+ 'D/foo.txt'
-+ >>> san('\\\\server\\share\\file.txt')
-+ 'server/share/file.txt'
-+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
-+ '?/GLOBALROOT/Volume3'
-+ >>> san('\\\\.\\PhysicalDrive1\\root')
-+ 'PhysicalDrive1/root'
-+
-+ Retain any trailing slash.
-+ >>> san('abc/')
-+ 'abc/'
-+
-+ Raises a ValueError if the result is empty.
-+ >>> san('../..')
-+ Traceback (most recent call last):
-+ ...
-+ ValueError: Empty filename
-+ """
-+
-+ def allowed(part):
-+ return part and part not in {'..', '.'}
-+
-+ # Remove the drive letter.
-+ # Don't use ntpath.splitdrive, because that also strips UNC paths
-+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
-+ clean = bare.replace('\\', '/')
-+ parts = clean.split('/')
-+ joined = '/'.join(filter(allowed, parts))
-+ if not joined:
-+ raise ValueError("Empty filename")
-+ return joined + '/' * name.endswith('/')
-+
-+
-+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
- """
- A ZipFile subclass that ensures that implied directories
- are always included in the namelist.
-diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-new file mode 100644
-index 00000000000000..1be44c906c4f30
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-@@ -0,0 +1 @@
-+:class:`zipfile.Path` objects now sanitize names from the zipfile.