From 5d99acba4b6b7aaed68d975e76412c2f9b4fdb00 Mon Sep 17 00:00:00 2001 From: Bo Ren Date: Thu, 15 Jun 2023 13:42:38 +0800 Subject: [PATCH 1/4] python3-3.6.8-51.el8_8.1.src.rpm Signed-off-by: Bo Ren --- 00399-cve-2023-24329.patch | 223 ++++++++++++++++++ 1001-python3-anolis-add-loongarch.patch | 12 - 1002-fix-faulthandler_register-stack.patch | 43 ---- ...-by-value-for-structs-on-loongarch64.patch | 39 --- add-anolis-platform.patch | 12 - dist | 1 - python3.spec | 57 +++-- 7 files changed, 259 insertions(+), 128 deletions(-) create mode 100644 00399-cve-2023-24329.patch delete mode 100644 1001-python3-anolis-add-loongarch.patch delete mode 100644 1002-fix-faulthandler_register-stack.patch delete mode 100644 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch delete mode 100644 add-anolis-platform.patch delete mode 100644 dist diff --git a/00399-cve-2023-24329.patch b/00399-cve-2023-24329.patch new file mode 100644 index 0000000..36bf6e9 --- /dev/null +++ b/00399-cve-2023-24329.patch @@ -0,0 +1,223 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 22 May 2023 03:42:37 -0700 +Subject: [PATCH] 00399: CVE-2023-24329 + +gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) + +`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. + +This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). + +Backported from Python 3.12 + +(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) + +Co-authored-by: Illia Volochii +Co-authored-by: Gregory P. Smith [Google] +--- + Doc/library/urllib.parse.rst | 40 +++++++++++- + Lib/test/test_urlparse.py | 61 ++++++++++++++++++- + Lib/urllib/parse.py | 12 ++++ + ...-03-07-20-59-17.gh-issue-102153.14CLSZ.rst | 3 + + 4 files changed, 113 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2023-03-07-20-59-17.gh-issue-102153.14CLSZ.rst + +diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst +index b717d7cc05..83a7a82089 100644 +--- a/Doc/library/urllib.parse.rst ++++ b/Doc/library/urllib.parse.rst +@@ -126,6 +126,12 @@ or on combining URL components into a URL string. + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is + decomposed before parsing, no error will be raised. + ++ ++ .. warning:: ++ ++ :func:`urlparse` does not perform validation. See :ref:`URL parsing ++ security ` for details. ++ + .. versionchanged:: 3.2 + Added IPv6 URL parsing capabilities. + +@@ -288,8 +294,14 @@ or on combining URL components into a URL string. + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is + decomposed before parsing, no error will be raised. + +- Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline +- ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL. ++ Following some of the `WHATWG spec`_ that updates RFC 3986, leading C0 ++ control and space characters are stripped from the URL. ``\n``, ++ ``\r`` and tab ``\t`` characters are removed from the URL at any position. ++ ++ .. warning:: ++ ++ :func:`urlsplit` does not perform validation. See :ref:`URL parsing ++ security ` for details. + + .. versionchanged:: 3.6 + Out-of-range port numbers now raise :exc:`ValueError`, instead of +@@ -302,6 +314,9 @@ or on combining URL components into a URL string. + .. versionchanged:: 3.6.14 + ASCII newline and tab characters are stripped from the URL. + ++ .. versionchanged:: 3.6.15 ++ Leading WHATWG C0 control and space characters are stripped from the URL. ++ + .. _WHATWG spec: https://url.spec.whatwg.org/#concept-basic-url-parser + + .. function:: urlunsplit(parts) +@@ -371,6 +386,27 @@ or on combining URL components into a URL string. + .. versionchanged:: 3.2 + Result is a structured object rather than a simple 2-tuple. + ++.. _url-parsing-security: ++ ++URL parsing security ++-------------------- ++ ++The :func:`urlsplit` and :func:`urlparse` APIs do not perform **validation** of ++inputs. They may not raise errors on inputs that other applications consider ++invalid. They may also succeed on some inputs that might not be considered ++URLs elsewhere. Their purpose is for practical functionality rather than ++purity. ++ ++Instead of raising an exception on unusual input, they may instead return some ++component parts as empty strings. Or components may contain more than perhaps ++they should. ++ ++We recommend that users of these APIs where the values may be used anywhere ++with security implications code defensively. Do some verification within your ++code before trusting a returned component part. Does that ``scheme`` make ++sense? Is that a sensible ``path``? Is there anything strange about that ++``hostname``? etc. ++ + .. _parsing-ascii-encoded-bytes: + + Parsing ASCII Encoded Bytes +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 3509278a01..7fd61ffea9 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -660,6 +660,65 @@ class UrlParseTestCase(unittest.TestCase): + self.assertEqual(p.scheme, "https") + self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment") + ++ def test_urlsplit_strip_url(self): ++ noise = bytes(range(0, 0x20 + 1)) ++ base_url = "http://User:Pass@www.python.org:080/doc/?query=yes#frag" ++ ++ url = noise.decode("utf-8") + base_url ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.scheme, "http") ++ self.assertEqual(p.netloc, "User:Pass@www.python.org:080") ++ self.assertEqual(p.path, "/doc/") ++ self.assertEqual(p.query, "query=yes") ++ self.assertEqual(p.fragment, "frag") ++ self.assertEqual(p.username, "User") ++ self.assertEqual(p.password, "Pass") ++ self.assertEqual(p.hostname, "www.python.org") ++ self.assertEqual(p.port, 80) ++ self.assertEqual(p.geturl(), base_url) ++ ++ url = noise + base_url.encode("utf-8") ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.scheme, b"http") ++ self.assertEqual(p.netloc, b"User:Pass@www.python.org:080") ++ self.assertEqual(p.path, b"/doc/") ++ self.assertEqual(p.query, b"query=yes") ++ self.assertEqual(p.fragment, b"frag") ++ self.assertEqual(p.username, b"User") ++ self.assertEqual(p.password, b"Pass") ++ self.assertEqual(p.hostname, b"www.python.org") ++ self.assertEqual(p.port, 80) ++ self.assertEqual(p.geturl(), base_url.encode("utf-8")) ++ ++ # Test that trailing space is preserved as some applications rely on ++ # this within query strings. ++ query_spaces_url = "https://www.python.org:88/doc/?query= " ++ p = urllib.parse.urlsplit(noise.decode("utf-8") + query_spaces_url) ++ self.assertEqual(p.scheme, "https") ++ self.assertEqual(p.netloc, "www.python.org:88") ++ self.assertEqual(p.path, "/doc/") ++ self.assertEqual(p.query, "query= ") ++ self.assertEqual(p.port, 88) ++ self.assertEqual(p.geturl(), query_spaces_url) ++ ++ p = urllib.parse.urlsplit("www.pypi.org ") ++ # That "hostname" gets considered a "path" due to the ++ # trailing space and our existing logic... YUCK... ++ # and re-assembles via geturl aka unurlsplit into the original. ++ # django.core.validators.URLValidator (at least through v3.2) relies on ++ # this, for better or worse, to catch it in a ValidationError via its ++ # regular expressions. ++ # Here we test the basic round trip concept of such a trailing space. ++ self.assertEqual(urllib.parse.urlunsplit(p), "www.pypi.org ") ++ ++ # with scheme as cache-key ++ url = "//www.python.org/" ++ scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8") ++ for _ in range(2): ++ p = urllib.parse.urlsplit(url, scheme=scheme) ++ self.assertEqual(p.scheme, "https") ++ self.assertEqual(p.geturl(), "https://www.python.org/") ++ + def test_attributes_bad_port(self): + """Check handling of invalid ports.""" + for bytes in (False, True): +@@ -667,7 +726,7 @@ class UrlParseTestCase(unittest.TestCase): + for port in ("foo", "1.5", "-1", "0x10"): + with self.subTest(bytes=bytes, parse=parse, port=port): + netloc = "www.example.net:" + port +- url = "http://" + netloc ++ url = "http://" + netloc + "/" + if bytes: + netloc = netloc.encode("ascii") + url = url.encode("ascii") +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index ac6e7a9cee..717e990997 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -25,6 +25,10 @@ currently not entirely compliant with this RFC due to defacto + scenarios for parsing, and for backward compatibility purposes, some + parsing quirks from older RFCs are retained. The testcases in + test_urlparse.py provides a good indicator of parsing behavior. ++ ++The WHATWG URL Parser spec should also be considered. We are not compliant with ++it either due to existing user code API behavior expectations (Hyrum's Law). ++It serves as a useful guide when making changes. + """ + + import re +@@ -76,6 +80,10 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz' + '0123456789' + '+-.') + ++# Leading and trailing C0 control and space to be stripped per WHATWG spec. ++# == "".join([chr(i) for i in range(0, 0x20 + 1)]) ++_WHATWG_C0_CONTROL_OR_SPACE = '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f ' ++ + # Unsafe bytes to be removed per WHATWG spec + _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] + +@@ -426,6 +434,10 @@ def urlsplit(url, scheme='', allow_fragments=True): + url, scheme, _coerce_result = _coerce_args(url, scheme) + url = _remove_unsafe_bytes_from_url(url) + scheme = _remove_unsafe_bytes_from_url(scheme) ++ # Only lstrip url as some applications rely on preserving trailing space. ++ # (https://url.spec.whatwg.org/#concept-basic-url-parser would strip both) ++ url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE) ++ scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE) + allow_fragments = bool(allow_fragments) + key = url, scheme, allow_fragments, type(url), type(scheme) + cached = _parse_cache.get(key, None) +diff --git a/Misc/NEWS.d/next/Security/2023-03-07-20-59-17.gh-issue-102153.14CLSZ.rst b/Misc/NEWS.d/next/Security/2023-03-07-20-59-17.gh-issue-102153.14CLSZ.rst +new file mode 100644 +index 0000000000..e57ac4ed3a +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2023-03-07-20-59-17.gh-issue-102153.14CLSZ.rst +@@ -0,0 +1,3 @@ ++:func:`urllib.parse.urlsplit` now strips leading C0 control and space ++characters following the specification for URLs defined by WHATWG in ++response to CVE-2023-24329. Patch by Illia Volochii. diff --git a/1001-python3-anolis-add-loongarch.patch b/1001-python3-anolis-add-loongarch.patch deleted file mode 100644 index 3a1e801..0000000 --- a/1001-python3-anolis-add-loongarch.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nurp Python-3.6.8.orig/configure.ac Python-3.6.8/configure.ac ---- Python-3.6.8.orig/configure.ac 2021-01-07 07:03:34.660156250 +0000 -+++ Python-3.6.8/configure.ac 2021-01-07 07:04:44.785156250 +0000 -@@ -824,6 +824,8 @@ cat >> conftest.c < -Date: Wed, 14 Aug 2019 23:35:27 +0200 -Subject: [PATCH] bpo-21131: Fix faulthandler.register(chain=True) stack - (GH-15276) - -faulthandler now allocates a dedicated stack of SIGSTKSZ*2 bytes, -instead of just SIGSTKSZ bytes. Calling the previous signal handler -in faulthandler signal handler uses more than SIGSTKSZ bytes of stack -memory on some platforms. ---- - .../next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst | 4 ++++ - Modules/faulthandler.c | 6 +++++- - 2 files changed, 9 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst - -diff --git a/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst -new file mode 100644 -index 000000000000..d330aca1c17d ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst -@@ -0,0 +1,4 @@ -+Fix ``faulthandler.register(chain=True)`` stack. faulthandler now allocates a -+dedicated stack of ``SIGSTKSZ*2`` bytes, instead of just ``SIGSTKSZ`` bytes. -+Calling the previous signal handler in faulthandler signal handler uses more -+than ``SIGSTKSZ`` bytes of stack memory on some platforms. -diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c -index 2331051f7907..5dbbcad057e6 100644 ---- a/Modules/faulthandler.c -+++ b/Modules/faulthandler.c -@@ -1325,7 +1325,11 @@ _PyFaulthandler_Init(int enable) - * be able to allocate memory on the stack, even on a stack overflow. If it - * fails, ignore the error. */ - stack.ss_flags = 0; -- stack.ss_size = SIGSTKSZ; -+ /* bpo-21131: allocate dedicated stack of SIGSTKSZ*2 bytes, instead of just -+ SIGSTKSZ bytes. Calling the previous signal handler in faulthandler -+ signal handler uses more than SIGSTKSZ bytes of stack memory on some -+ platforms. */ -+ stack.ss_size = SIGSTKSZ * 2; - stack.ss_sp = PyMem_Malloc(stack.ss_size); - if (stack.ss_sp != NULL) { - err = sigaltstack(&stack, &old_stack); diff --git a/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch b/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch deleted file mode 100644 index 2b3cd0d..0000000 --- a/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 52b9fb9288eaec8d1b9eaa756c4079ed7e5baf5f Mon Sep 17 00:00:00 2001 -From: Liwei Ge -Date: Wed, 28 Sep 2022 17:50:16 +0800 -Subject: [PATCH] ctypes: pass by value for structs on loongarch64 - ---- - Lib/test/test_sysconfig.py | 2 +- - Modules/_ctypes/callproc.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py -index 90e6719..384fe39 100644 ---- a/Lib/test/test_sysconfig.py -+++ b/Lib/test/test_sysconfig.py -@@ -407,7 +407,7 @@ class TestSysConfig(unittest.TestCase): - import platform, re - machine = platform.machine() - suffix = sysconfig.get_config_var('EXT_SUFFIX') -- if re.match('(aarch64|arm|mips|ppc|powerpc|s390|sparc)', machine): -+ if re.match('(aarch64|arm|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): - self.assertTrue('linux' in suffix, suffix) - if re.match('(i[3-6]86|x86_64)$', machine): - if ctypes.sizeof(ctypes.c_char_p()) == 4: -diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index 2bb289b..7b3577f 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -1050,7 +1050,7 @@ GetComError(HRESULT errcode, GUID *riid, IUnknown *pIunk) - #endif - - #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \ -- defined(__aarch64__) -+ defined(__aarch64__) || defined(__loongarch__) - #define CTYPES_PASS_BY_REF_HACK - #define POW2(x) (((x & ~(x - 1)) == x) ? x : 0) - #define IS_PASS_BY_REF(x) (x > 8 || !POW2(x)) --- -2.27.0 - diff --git a/add-anolis-platform.patch b/add-anolis-platform.patch deleted file mode 100644 index 9952007..0000000 --- a/add-anolis-platform.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nur Python-3.6.8/Lib/platform.py Python-3.6.8.new/Lib/platform.py ---- Python-3.6.8/Lib/platform.py 2018-12-24 05:37:14.000000000 +0800 -+++ Python-3.6.8.new/Lib/platform.py 2020-11-26 11:18:27.345369745 +0800 -@@ -297,7 +297,7 @@ - # and http://www.die.net/doc/linux/man/man1/lsb_release.1.html - - _supported_dists = ( -- 'SuSE', 'debian', 'fedora', 'redhat', 'centos', -+ 'SuSE', 'debian', 'fedora', 'redhat', 'centos', 'anolis', - 'mandrake', 'mandriva', 'rocks', 'slackware', 'yellowdog', 'gentoo', - 'UnitedLinux', 'turbolinux', 'arch', 'mageia') - diff --git a/dist b/dist deleted file mode 100644 index 535c690..0000000 --- a/dist +++ /dev/null @@ -1 +0,0 @@ -an8_7 diff --git a/python3.spec b/python3.spec index 73e136e..136bb55 100644 --- a/python3.spec +++ b/python3.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.2 # ================== # Top-level metadata # ================== @@ -15,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 48%{anolis_release}%{?dist}.1 +Release: 51%{?dist}.1 License: Python @@ -766,6 +765,18 @@ Patch387: 00387-cve-2020-10735-prevent-dos-by-very-large-int.patch # the behavior to linear. Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch +# 00399 # +# CVE-2023-24329 +# +# gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) +# +# `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. +# +# This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%%20any%%20leading%%20and%%20trailing%%20C0%%20control%%20or%%20space%%20from%%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). +# +# Backported from Python 3.12 +Patch399: 00399-cve-2023-24329.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -775,12 +786,6 @@ Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decode # # https://fedoraproject.org/wiki/SIGs/Python/PythonPatches -# add anolis platform dist -Patch1000: add-anolis-platform.patch - -Patch1001: 1001-python3-anolis-add-loongarch.patch -Patch1002: 1002-fix-faulthandler_register-stack.patch -Patch1003: 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1117,11 +1122,7 @@ git apply %{PATCH351} %patch386 -p1 %patch387 -p1 %patch394 -p1 - -%patch1000 -p1 -%patch1001 -p1 -%patch1002 -p1 -%patch1003 -p1 +%patch399 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -1279,6 +1280,7 @@ mkdir -p %{buildroot}$DirHoldingGdbPy %global _pyconfig64_h pyconfig-64.h %global _pyconfig_h pyconfig-%{wordsize}.h + # Use a common function to do an install for all our configurations: InstallPython() { @@ -1496,6 +1498,11 @@ touch %{buildroot}%{_bindir}/unversioned-python touch %{buildroot}%{_bindir}/idle3 touch %{buildroot}%{_mandir}/man1/python.1.gz +# Strip the LTO bytecode from python.o +# Based on the fedora brp-strip-lto scriptlet +# https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/9dd5528cf9805ebfe31cff04fe7828ad06a6023f/f/brp-strip-lto +find %{buildroot} -type f -name 'python.o' -print0 | xargs -0 \ +bash -c "strip -p -R .gnu.lto_* -R .gnu.debuglto_* -N __gnu_lto_v1 \"\$@\"" ARG0 # ====================================================== # Checks for packaging issues @@ -2047,18 +2054,26 @@ fi # ====================================================== %changelog -* Mon May 22 2023 zhangbinchen - 3.6.8-48.0.2.1 -- Add Anolis platform cherry-pick [9a96461] -- Support Loongarch for python3 -- Fix testcase fails on loongarch64 +* Wed May 31 2023 Charalampos Stratakis - 3.6.8-51.1 +- Security fix for CVE-2023-24329 +Resolves: rhbz#2173917 + +* Tue Jan 24 2023 Charalampos Stratakis - 3.6.8-51 +- Properly strip the LTO bytecode from python.o +Resolves: rhbz#2137707 + +* Wed Dec 21 2022 Charalampos Stratakis - 3.6.8-50 +- Security fix for CVE-2022-45061 +- Strip the LTO bytecode from python.o +Resolves: rhbz#2144072, rhbz#2137707 -* Wed Dec 21 2022 Charalampos Stratakis - 3.6.8-48.1 -- Security fixes for CVE-2020-10735, CVE-2021-28861 and CVE-2022-45061 -Resolves: rhbz#1834423, rhbz#2120642, rhbz#2144072 +* Tue Oct 25 2022 Charalampos Stratakis - 3.6.8-49 +- Security fixes for CVE-2020-10735 and CVE-2021-28861 +Resolves: rhbz#1834423, rhbz#2120642 * Thu Oct 20 2022 Charalampos Stratakis - 3.6.8-48 - Release bump -Resolves: rhbz#2136436 +Resolves: rhbz#2136435 * Tue Jun 14 2022 Charalampos Stratakis - 3.6.8-47 - Security fix for CVE-2015-20107 -- Gitee From e606a32e9974586565c329c521dfe03ba3afbd6f Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:46:55 +0800 Subject: [PATCH 2/4] rebrand: add anolis platform distribution --- add-anolis-platform.patch | 12 ++++++++++++ python3.spec | 10 +++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 add-anolis-platform.patch diff --git a/add-anolis-platform.patch b/add-anolis-platform.patch new file mode 100644 index 0000000..9952007 --- /dev/null +++ b/add-anolis-platform.patch @@ -0,0 +1,12 @@ +diff -Nur Python-3.6.8/Lib/platform.py Python-3.6.8.new/Lib/platform.py +--- Python-3.6.8/Lib/platform.py 2018-12-24 05:37:14.000000000 +0800 ++++ Python-3.6.8.new/Lib/platform.py 2020-11-26 11:18:27.345369745 +0800 +@@ -297,7 +297,7 @@ + # and http://www.die.net/doc/linux/man/man1/lsb_release.1.html + + _supported_dists = ( +- 'SuSE', 'debian', 'fedora', 'redhat', 'centos', ++ 'SuSE', 'debian', 'fedora', 'redhat', 'centos', 'anolis', + 'mandrake', 'mandriva', 'rocks', 'slackware', 'yellowdog', 'gentoo', + 'UnitedLinux', 'turbolinux', 'arch', 'mageia') + diff --git a/python3.spec b/python3.spec index 136bb55..f6b8f5e 100644 --- a/python3.spec +++ b/python3.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # ================== # Top-level metadata # ================== @@ -14,7 +15,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 51%{?dist}.1 +Release: 51%{anolis_release}%{?dist}.1 License: Python @@ -786,6 +787,8 @@ Patch399: 00399-cve-2023-24329.patch # # https://fedoraproject.org/wiki/SIGs/Python/PythonPatches +# add anolis platform dist +Patch1000: add-anolis-platform.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1124,6 +1127,8 @@ git apply %{PATCH351} %patch394 -p1 %patch399 -p1 +%patch1000 -p1 + # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) rm configure pyconfig.h.in @@ -2054,6 +2059,9 @@ fi # ====================================================== %changelog +* Thu Jun 15 2023 zhangbinchen - 3.6.8-51.0.1.1 +- Add Anolis platform cherry-pick [9a96461] + * Wed May 31 2023 Charalampos Stratakis - 3.6.8-51.1 - Security fix for CVE-2023-24329 Resolves: rhbz#2173917 -- Gitee From 3ed32f363c7a9cbfc3e0ea88871b10ea22051a58 Mon Sep 17 00:00:00 2001 From: songmingliang Date: Thu, 5 May 2022 15:48:46 +0800 Subject: [PATCH 3/4] add loongarch support Signed-off-by: songmingliang --- 1001-python3-anolis-add-loongarch.patch | 12 ++++++++++++ python3.spec | 4 ++++ 2 files changed, 16 insertions(+) create mode 100644 1001-python3-anolis-add-loongarch.patch diff --git a/1001-python3-anolis-add-loongarch.patch b/1001-python3-anolis-add-loongarch.patch new file mode 100644 index 0000000..3a1e801 --- /dev/null +++ b/1001-python3-anolis-add-loongarch.patch @@ -0,0 +1,12 @@ +diff -Nurp Python-3.6.8.orig/configure.ac Python-3.6.8/configure.ac +--- Python-3.6.8.orig/configure.ac 2021-01-07 07:03:34.660156250 +0000 ++++ Python-3.6.8/configure.ac 2021-01-07 07:04:44.785156250 +0000 +@@ -824,6 +824,8 @@ cat >> conftest.c < - 3.6.8-51.0.1.1 - Add Anolis platform cherry-pick [9a96461] +- Support Loongarch for python3 * Wed May 31 2023 Charalampos Stratakis - 3.6.8-51.1 - Security fix for CVE-2023-24329 -- Gitee From e3cf9b7dfe989133ee3136692b125a63e580cf87 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Wed, 28 Sep 2022 17:56:54 +0800 Subject: [PATCH 4/4] build: fix testcase failure with loongarch64 https://bugzilla.openanolis.cn/show_bug.cgi?id=2295 --- 1002-fix-faulthandler_register-stack.patch | 43 +++++++++++++++++++ ...-by-value-for-structs-on-loongarch64.patch | 39 +++++++++++++++++ python3.spec | 5 +++ 3 files changed, 87 insertions(+) create mode 100644 1002-fix-faulthandler_register-stack.patch create mode 100644 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch diff --git a/1002-fix-faulthandler_register-stack.patch b/1002-fix-faulthandler_register-stack.patch new file mode 100644 index 0000000..13b7090 --- /dev/null +++ b/1002-fix-faulthandler_register-stack.patch @@ -0,0 +1,43 @@ +From ef158444cbe271d08d40c374316d3a2ffd6dea76 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Wed, 14 Aug 2019 23:35:27 +0200 +Subject: [PATCH] bpo-21131: Fix faulthandler.register(chain=True) stack + (GH-15276) + +faulthandler now allocates a dedicated stack of SIGSTKSZ*2 bytes, +instead of just SIGSTKSZ bytes. Calling the previous signal handler +in faulthandler signal handler uses more than SIGSTKSZ bytes of stack +memory on some platforms. +--- + .../next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst | 4 ++++ + Modules/faulthandler.c | 6 +++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst + +diff --git a/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst +new file mode 100644 +index 000000000000..d330aca1c17d +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst +@@ -0,0 +1,4 @@ ++Fix ``faulthandler.register(chain=True)`` stack. faulthandler now allocates a ++dedicated stack of ``SIGSTKSZ*2`` bytes, instead of just ``SIGSTKSZ`` bytes. ++Calling the previous signal handler in faulthandler signal handler uses more ++than ``SIGSTKSZ`` bytes of stack memory on some platforms. +diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c +index 2331051f7907..5dbbcad057e6 100644 +--- a/Modules/faulthandler.c ++++ b/Modules/faulthandler.c +@@ -1325,7 +1325,11 @@ _PyFaulthandler_Init(int enable) + * be able to allocate memory on the stack, even on a stack overflow. If it + * fails, ignore the error. */ + stack.ss_flags = 0; +- stack.ss_size = SIGSTKSZ; ++ /* bpo-21131: allocate dedicated stack of SIGSTKSZ*2 bytes, instead of just ++ SIGSTKSZ bytes. Calling the previous signal handler in faulthandler ++ signal handler uses more than SIGSTKSZ bytes of stack memory on some ++ platforms. */ ++ stack.ss_size = SIGSTKSZ * 2; + stack.ss_sp = PyMem_Malloc(stack.ss_size); + if (stack.ss_sp != NULL) { + err = sigaltstack(&stack, &old_stack); diff --git a/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch b/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch new file mode 100644 index 0000000..2b3cd0d --- /dev/null +++ b/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch @@ -0,0 +1,39 @@ +From 52b9fb9288eaec8d1b9eaa756c4079ed7e5baf5f Mon Sep 17 00:00:00 2001 +From: Liwei Ge +Date: Wed, 28 Sep 2022 17:50:16 +0800 +Subject: [PATCH] ctypes: pass by value for structs on loongarch64 + +--- + Lib/test/test_sysconfig.py | 2 +- + Modules/_ctypes/callproc.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py +index 90e6719..384fe39 100644 +--- a/Lib/test/test_sysconfig.py ++++ b/Lib/test/test_sysconfig.py +@@ -407,7 +407,7 @@ class TestSysConfig(unittest.TestCase): + import platform, re + machine = platform.machine() + suffix = sysconfig.get_config_var('EXT_SUFFIX') +- if re.match('(aarch64|arm|mips|ppc|powerpc|s390|sparc)', machine): ++ if re.match('(aarch64|arm|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): + self.assertTrue('linux' in suffix, suffix) + if re.match('(i[3-6]86|x86_64)$', machine): + if ctypes.sizeof(ctypes.c_char_p()) == 4: +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index 2bb289b..7b3577f 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -1050,7 +1050,7 @@ GetComError(HRESULT errcode, GUID *riid, IUnknown *pIunk) + #endif + + #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \ +- defined(__aarch64__) ++ defined(__aarch64__) || defined(__loongarch__) + #define CTYPES_PASS_BY_REF_HACK + #define POW2(x) (((x & ~(x - 1)) == x) ? x : 0) + #define IS_PASS_BY_REF(x) (x > 8 || !POW2(x)) +-- +2.27.0 + diff --git a/python3.spec b/python3.spec index 8a4e77f..e6fa602 100644 --- a/python3.spec +++ b/python3.spec @@ -791,6 +791,8 @@ Patch399: 00399-cve-2023-24329.patch Patch1000: add-anolis-platform.patch Patch1001: 1001-python3-anolis-add-loongarch.patch +Patch1002: 1002-fix-faulthandler_register-stack.patch +Patch1003: 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1131,6 +1133,8 @@ git apply %{PATCH351} %patch1000 -p1 %patch1001 -p1 +%patch1002 -p1 +%patch1003 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -2065,6 +2069,7 @@ fi * Thu Jun 15 2023 zhangbinchen - 3.6.8-51.0.1.1 - Add Anolis platform cherry-pick [9a96461] - Support Loongarch for python3 +- Fix testcase fails on loongarch64 * Wed May 31 2023 Charalampos Stratakis - 3.6.8-51.1 - Security fix for CVE-2023-24329 -- Gitee