Tags: fedora-python/cpython
00465: tarfile cves
Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 on tarfile.
The backported fixes do not contain changes for ntpath.py and related tests, because the support for symlinks and junctions was added later in Python 3.9, and it does not make sense to backport them to 3.6 here.
The patch contains the following changes:
- python@42deeab fixes symlink handling for tarfile.data_filter
- python@9d2c2a8 fixes handling of existing files/symlinks in tarfile
- python@00af979 adds a new "strict" argument to realpath()
- python@dd8f187 fixes multiple CVE fixes in the tarfile module
- downstream only fixes that make the changes work and compatible with Python 3.6
00462: Fix PySSL_SetError handling SSL_ERROR_SYSCALL Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and SSL_read_ex(), but did not update handling of the return value. Change error handling so that the return value is not examined. OSError (not EOF) is now returned when retval is 0. This resolves the issue of failing tests when a system is stressed on OpenSSL 3.5. Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Petr Viktorin <encukou@gmail.com>
00452: Properly apply exported CFLAGS for dtrace/systemtap builds When using --with-dtrace the resulting object file could be missing specific CFLAGS exported by the build system due to the systemtap script using specific defaults. Exporting the CC and CFLAGS variables before the dtrace invocation allows us to properly apply CFLAGS exported by the build system even when cross-compiling. Co-authored-by: stratakis <cstratak@redhat.com>
00466: Downstream only: Skip tests not working with older expat version We want to run these tests in Fedora and EPEL 10, but not in EPEL 9, which has too old a version of expat. We set the upper bound version in the conditionalized skip to a release available in CentOS Stream 10, which is tested as working.
00464: Enable PAC and BTI protections for aarch64 Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S. The BTI flag must be applied in the assembler sources for this class of attacks to be mitigated on newer aarch64 processors. Upstream PR: https://github.com/python/cpython/pull/130864/files The upstream patch is incomplete but only for the case where frame pointers are not used on 3.13+. Since on Fedora we always compile with frame pointers, the BTI/PAC hardware protections can be enabled without losing Perf unwinding.
00461: Downstream only: Install wheel in test venvs when setuptools < 71 This can be removed when Fedora 41 goes EOL (or updates setuptools).