# # spec file for package python3-base # # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # # !!!! # this is the master spec file, but changes should be submitted # against python3, not python3-base # # see PACKAGING-NOTES for details # !!!! Name: python3-base BuildRequires: automake BuildRequires: fdupes BuildRequires: git BuildRequires: libbz2-devel BuildRequires: pkg-config BuildRequires: timezone BuildRequires: xz BuildRequires: xz-devel BuildRequires: zlib-devel URL: http://www.python.org/ Summary: Python3 Interpreter License: Python-2.0 Group: Development/Languages/Python Version: 3.4.10 Release: 0 %define tarversion %{version} %define tarname Python-%{tarversion} # python 3.1 didn't have a separate python-base, so it is wrongly # not a conflict to have python3-3.1 and python3-base > 3.1 Obsoletes: python3 < 3.2 # no Provides, because python3 is obviously provided by package python3 Source0: https://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz Source1: https://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz.asc Source2: python.keyring Source3: baselibs.conf Source4: README.SUSE Source8: macros.python3.py Source9: import_failed.py Source10: import_failed.map # Fixed bundled wheels Source20: setuptools-44.1.1-py2.py3-none-any.whl Source21: pip-20.2.3-py2.py3-none-any.whl # For Patch 34 Source34: recursion.tar # The following files are not used in the build. # They are listed here to work around missing functionality in rpmbuild, # which would otherwise exclude them from distributed src.rpm files. Source100: PACKAGING-NOTES Source101: python3-rpmlintrc Source102: python3-base-rpmlintrc Source103: pre_checkin.sh ### COMMON-PATCH-BEGIN ### # implement "--record-rpm" option for distutils installations Patch01: Python-3.0b1-record-rpm.patch # support lib-vs-lib64 distinction Patch02: Python-3.3.0b2-multilib.patch # PATCH-FIX-UPSTREAM Remove leading spaces in Makefile.pre.in Patch03: spc-tab-Makefile-pre-in.patch # support finding packages in /usr/local, install to /usr/local by default Patch04: python-3.3.0b1-localpath.patch # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds Patch06: python-3.3.0b1-fix_date_time_compiler.patch # fix wrong include path in curses-panel module Patch07: python-3.3.0b1-curses-panel.patch # Remove /usr/local/bin shebangs Patch08: remove-usr-local-bin-shebangs.patch # Add missing bits for aarch64 in libffi Patch10: ctypes-libffi-aarch64.patch # Disable global and distutils sysconfig comparison test, we deviate from the default depending on optflags Patch12: python-3.3.3-skip-distutils-test_sysconfig_module.patch # Raise timeout value for test_subprocess Patch15: subprocess-raise-timeout.patch # PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 Patch18: python-2.7-libffi-aarch64.patch # PATCH-FIX-UPSTREAM Prefer lowercase proxy environment variables Patch19: python3-urllib-prefer-lowercase-proxies.patch # PATCH-FIX-UPSTREAM python-3.6-CVE-2017-18207.patch psimons@suse.com -- Add check for channels of wav file in Lib/wave.py # Suggested in https://github.com/python/cpython/pull/4437. Patch20: python-3.6-CVE-2017-18207.patch # PATCH-FIX-UPSTREAM https://bugs.python.org/issue30693 Patch21: python-sorted_tar.patch # PATCH-FIX-UPSTREAM CVE-2019-10160-netloc-port-regression.patch bsc#1138459 mcepl@suse.com # Fix regression introduced by fix for CVE-2019-9636 Patch26: CVE-2019-10160-netloc-port-regression.patch # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch bsc#1109663 mcepl@suse.com # Command injection in the shutil module Patch28: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch # PATCH-FIX-UPSTREAM CVE-2019-16056-email-parse-addr.patch bsc#1149955 mcepl@suse.com # bpo#34155 The email module wrongly parses email addresses Patch29: CVE-2019-16056-email-parse-addr.patch # PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com # Fixes Python urrlib allowed an HTTP server to conduct Regular # Expression Denial of Service (ReDoS) Patch30: CVE-2020-8492-urllib-ReDoS.patch # PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com # Improve documentation warning against the possible zip bombs Patch31: CVE-2019-9674-zip-bomb.patch # PATCH-FIX-SLE skip-failing-tests.patch mcepl@suse.com # test_write_filtered_python_package just wants to fail, and I have no idea why. Patch32: skip-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 bpo#30458 # avoid CRLF injenction; Patch33: CVE-2019-9947-no-ctrl-char-http.patch # PATCH-FIX-UPSTREAM CVE-2019-18348-CRLF_injection_via_host_part.patch bsc#1155094 bpo#38576 # disallow control characters in hostnames in httplib # DEPENDS on PATCH32 Patch34: CVE-2019-18348-CRLF_injection_via_host_part.patch # PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com # avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) # REQUIRES SOURCE 34 Patch35: CVE-2019-20907_tarfile-inf-loop.patch # PATCH-FIX-UPSTREAM bpo37614-race_test_docxmlrpc_srv_setup.patch bpo#27614 mcepl@suse.com # avoid race in test_docxmlrpc (REQUIRED for Patch #36) Patch36: bpo37614-race_test_docxmlrpc_srv_setup.patch # PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com # XSS vulnerability in the documentation XML-RPC server in server_title field Patch37: CVE-2019-16935-xmlrpc-doc-server_title.patch # PATCH-FIX-UPSTREAM CVE-2020-14422-ipaddress-hash-collision.patch bsc#1173274 mcepl@suse.com # oversimplicstic computation of hash values leads to conflicts and potential for DOS Patch38: CVE-2020-14422-ipaddress-hash-collision.patch # PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 bpo#39603 # Fixes httplib to disallow control characters in method to avoid header # injection, equivalent of Patch33 and Patch34 for method of URL (GET, POST, etc.) Patch39: CVE-2020-26116-httplib-header-injection.patch # Update SSL certificates due to certificates shipped with the package expiring Patch40: update-ssl-certs.patch # PATCH-FIX-UPSTREAM CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com # buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution Patch41: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#1182379 mcepl@suse.com # urlparse only use '&' as a query string separator Patch42: CVE-2021-23336-only-amp-as-query-sep.patch # PATCH-FIX-UPSTREAM CVE-2020-27619-no-eval-http-content.patch bsc#1182207 mcepl@suse.com # No longer call eval() on content received via HTTP in the CJK codec tests Patch43: CVE-2020-27619-no-eval-http-content.patch # PATCH-FIX-UPSTREAM CVE-2021-3737-infinite-loop-on-100-Continue.patch bsc#1189241 mcepl@suse.com # avoid DoS via infinitely reading potential HTTP headers after a 100 Continue status response from the server Patch44: CVE-2021-3737-infinite-loop-on-100-Continue.patch # PATCH-FIX-UPSTREAM CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch bsc#1189287 mcepl@suse.com # Fix ReDoS in urllib AbstractBasicAuthHandler (bpo#43075) Patch45: CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch # PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com # Make ftplib not trust the PASV response. (gh#python/cpython#24838) Patch46: CVE-2021-4189-ftplib-trust-PASV-resp.patch # PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com # whole long discussion is on bpo#43882 # fix for santization URLs containing ASCII newline and tabs in urllib.parse Patch47: CVE-2022-0391-urllib_parse-newline-parsing.patch # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com # avoid the command injection in the mailcap module. Patch48: CVE-2015-20107-mailcap-unsafe-filenames.patch # PATCH-FIX-UPSTREAM bpo-46623-skip-zlib-s390x.patch gh#python/cpython#90781 mcepl@suse.com # skip two tests failing on s390x Patch49: bpo-46623-skip-zlib-s390x.patch # PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 # Coerce // to / in Lib/http/server.py Patch50: CVE-2021-28861-double-slash-path.patch # PATCH-FIX-UPSTREAM CVE-2020-10735-DoS-no-limit-int-size.patch bsc#1203125 mcepl@suse.com # unlimited size of integers allows DoS by excessively long processing of large numbers # >> n = 10**(10**7) ; s = str(n) # Originally by Victor Stinner of Red Hat # https://github.com/fedora-python/cpython/commit/31cfb692dc5d Patch51: CVE-2020-10735-DoS-no-limit-int-size.patch # PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com # Avoid DoS by decoding IDNA for too long domain names Patch52: CVE-2022-45061-DoS-by-IDNA-decode.patch # PATCH-FIX-UPSTREAM CVE-2022-40899-ReDos-cookiejar.patch, bsc#1206673 gh#python/cpython#17157 daniel.garcia@suse.com Patch53: CVE-2022-40899-ReDos-cookiejar.patch # PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com # blocklist bypass via the urllib.parse component when supplying # a URL that starts with blank characters Patch54: CVE-2023-24329-blank-URL-bypass.patch # PATCH-FIX-UPSTREAM bpo-44434-libgcc_s-for-pthread_cancel.patch bsc#1203355 mcepl@suse.com # don't run PyThread_exit_thread() when you don't have to Patch55: bpo-44434-libgcc_s-for-pthread_cancel.patch # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com # Patch for gh#python/cpython#98086 Patch56: 99366-patch.dict-can-decorate-async.patch # PATCH-FIX-OPENSUSE stack_overflow_test_endless_recursion.patch bpo#12051 mcepl@suse.com # test_endless_recursion.patch has a tendency to overflow a stack Patch57: stack_overflow_test_endless_recursion.patch # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com # Detect email address parsing errors and return empty tuple to # indicate the parsing error (old API) Patch58: CVE-2023-27043-email-parsing-errors.patch # PATCH-FIX-UPSTREAM CVE-2022-48564-DoS-read_ints-plistlib.patch bsc#1214677 mcepl@suse.com # Prevent DoS when processing malformed Apple Property List files in binary format Patch59: CVE-2022-48564-DoS-read_ints-plistlib.patch # PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com # Reject entity declarations in plists Patch60: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch61: CVE-2022-48566-compare_digest-more-constant.patch # PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com # tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930) Patch62: CVE-2023-6597-TempDir-cleaning-symlink.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch bsc#1214692 daniel.garcia@suse.com # backport from upstream patch gh#python/cpython#108315 Patch63: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2023-52425-libexpat-2.6.0-backport.patch bsc#1219559 mcepl@suse.com # Make Python compatible with the new libexpat library. Patch64: CVE-2023-52425-libexpat-2.6.0-backport.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). Patch65: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # PATCH-FIX-UPSTREAM CVE-2024-4032-private-IP-addrs.patch bsc#1226448 mcepl@suse.com # rearranging definition of private v global IP addresses Patch66: CVE-2024-4032-private-IP-addrs.patch # PATCH-FEATURE-UPSTREAM bpo24211-RFC6532-supp-email.patch mcepl@suse.com # one more compatibility patch Patch67: bpo24211-RFC6532-supp-email.patch # PATCH-FEATURE-UPSTREAM bpo27240-rewrite_email_hdr_fold.patch mcepl@suse.com # Rewrite the email header folding algorithm to make the code compatible with 3.6.4+ Patch68: bpo27240-rewrite_email_hdr_fold.patch Patch69: bpo20098-email-mangle_from-policy.patch # PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com # encode newlines in headers, and verify headers are sound Patch70: CVE-2024-6923-email-hdr-inject.patch # PATCH-FIX-UPSTREAM CVE-2024-7592-quad-complex-cookies.patch bsc#1229596 mcepl@suse.com # Fix quadratic complexity in parsing "-quoted cookie values with backslashes by http.cookies Patch72: CVE-2024-7592-quad-complex-cookies.patch # PATCH-FIX-UPSTREAM CVE-2024-9287-venv_path_unquoted.patch gh#python/cpython#124651 mcepl@suse.com # venv should properly quote path names provided when creating a venv Patch73: CVE-2024-9287-venv_path_unquoted.patch # PATCH-FIX-UPSTREAM CVE-2024-11168-validation-IPv6-addrs.patch bsc#1233307 mcepl@suse.com # properly validate IPv6 and IPvFuture addresses Patch74: CVE-2024-11168-validation-IPv6-addrs.patch # PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com # functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets Patch75: CVE-2025-0938-sq-brackets-domain-names.patch # PATCH-FEATURE-SUSE functools-cached_property.patch mcepl@suse.com # Add functools.cached_property port from 3.8 Patch76: functools-cached_property.patch # PATCH-FEATURE-UPSTREAM ipaddress-update-pr60.patch gh#phihag/ipaddress!60 mcepl@suse.com # update ipaddress to 3.8 equivalent Patch77: ipaddress-update-pr60.patch # PATCH-FIX-UPSTREAM gh-128840_parse-IPv6-with-emb-IPv4.patch bsc#1244401 mcepl@suse.com # protect against unrully IPv4-in-IPv6 addresses Patch78: gh-128840_parse-IPv6-with-emb-IPv4.patch # PATCH-FIX-UPSTREAM locale-test_float_with_commad.patch mcepl@suse.com # decode byte strings in localeconv() for consistent output Patch79: locale-test_float_with_commad.patch # PATCH-FIX-UPSTREAM CVE-2025-6069-quad-complex-HTMLParser.patch bsc#1244705 mcepl@suse.com # avoid worst case quadratic complexity when processing malformed inputs with HTMLParser Patch82: CVE-2025-6069-quad-complex-HTMLParser.patch # PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com # Check consistency of the zip64 end of central directory record Patch84: CVE-2025-8291-consistency-zip64.patch # PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com # Avoid potential quadratic complexity vulnerabilities in path modules Patch85: CVE-2025-6075-expandvars-perf-degrad.patch # PATCH-FIX-SLE Modules_Setup.patch mcepl@suse.com # Create Modules/Setup, so that we can modify it later Patch86: Modules_Setup.patch # PATCH-FIX-SLE time module must be statically linked Patch87: time-static.patch # PATCH-FIX-SLE skip test_threads_join_2 on s390 Patch88: s390-build.patch # PATCH-FIX-UPSTREAM CVE-2025-13836-http-resp-cont-len.patch bsc#1254400 mcepl@suse.com # Avoid loading possibly compromised length of HTTP response Patch89: CVE-2025-13836-http-resp-cont-len.patch # PATCH-FIX-UPSTREAM CVE-2025-12084-minidom-quad-search.patch bsc#1254997 mcepl@suse.com # prevent quadratic behavior in node ID cache clearing Patch90: CVE-2025-12084-minidom-quad-search.patch # PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com # protect against OOM when loading malicious content Patch91: CVE-2025-13837-plistlib-mailicious-length.patch # PATCH-FIX-UPSTREAM lchmod-non-support.patch mcepl@suse.com # add @requires_lchmod operator for skipping tests on platforms # were changing the mode of symbolic links is supported (which it # isn’t in SLE-12, apparently). Patch92: lchmod-non-support.patch # PATCH-FIX-UPSTREAM CVE-2024-6232-ReDOS-backtrack-tarfile.patch bsc#1230227 mcepl@suse.com # preventing ReDos via excessive backtracking while parsing header values in tarfile Patch93: CVE-2024-6232-ReDOS-backtrack-tarfile.patch # PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com # Implement PEP-706 to filter outcome of the tarball extracing Patch94: CVE-2007-4559-filter-tarfile_extractall.patch # PATCH-FIX-UPSTREAM CVE-2025-4435-normalize-lnk-trgts-tarfile.patch bsc#1244061 mcepl@suse.com # this patch makes things totally awesome Patch95: CVE-2025-4435-normalize-lnk-trgts-tarfile.patch # PATCH-FIX-UPSTREAM CVE-2025-8194-tarfile-no-neg-offsets.patch bsc#1247249 mcepl@suse.com # tarfile now validates archives to ensure member offsets are non-negative Patch96: CVE-2025-8194-tarfile-no-neg-offsets.patch # PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com # this patch makes things totally awesome Patch97: CVE-2025-11468-email-hdr-fold-comment.patch # PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 mcepl@suse.com # rejects control characters in http cookies. Patch98: CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch # PATCH-FIX-UPSTREAM CVE-2026-0865-wsgiref-ctrl-chars.patch bsc#1257042 mcepl@suse.com # Reject control characters in wsgiref.headers.Headers Patch99: CVE-2026-0865-wsgiref-ctrl-chars.patch # PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com # Reject control characters in wsgiref.headers.Headers Patch100: CVE-2025-15366-imap-ctrl-chars.patch # PATCH-FIX-UPSTREAM CVE-2025-15282-urllib-ctrl-chars.patch bsc#1257046 mcepl@suse.com # Reject control characters in urllib Patch101: CVE-2025-15282-urllib-ctrl-chars.patch # PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com # Reject control characters in poplib Patch102: CVE-2025-15367-poplib-ctrl-chars.patch # PATCH-FIX-UPSTREAM CVE-2026-3644-cookies-Morsel-update-II.patch bsc#1259734 mcepl@suse.com # Reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output Patch103: CVE-2026-3644-cookies-Morsel-update-II.patch # PATCH-FIX-UPSTREAM CVE-2026-4224-expat-unbound-C-recursion.patch bsc#1259735 mcepl@suse.com # Avoid unbound C recursion in conv_content_model Patch104: CVE-2026-4224-expat-unbound-C-recursion.patch # PATCH-FIX-UPSTREAM CVE-2025-13462-tarinfo-header-parse.patch bsc#1259611 mcepl@suse.com # Skip TarInfo DIRTYPE normalization during GNU long name handling Patch105: CVE-2025-13462-tarinfo-header-parse.patch # PATCH-FIX-UPSTREAM CVE-2026-4519-webbrowser-open-dashes.patch bsc#1260026 mcepl@suse.com # reject leading dashes in webbrowser URLs Patch106: CVE-2026-4519-webbrowser-open-dashes.patch # PATCH-FIX-UPSTREAM CVE-2026-3479-pkgutil_get_data.patch bsc#1259989 mcepl@suse.com # pkgutil.get_data() reject invalid resource arguments Patch107: CVE-2026-3479-pkgutil_get_data.patch # PATCH-FIX-UPSTREAM CVE-2026-3446-base64-padding.patch bsc#1261970 mcepl@suse.com # Do not ignore excess Base64 data after the first padded quad Patch108: CVE-2026-3446-base64-padding.patch # PATCH-FIX-UPSTREAM CVE-2026-6100-use-after-free-decompression.patch bsc#1262098 mcepl@suse.com # NULL dangling pointer to avoid use-after-free error Patch109: CVE-2026-6100-use-after-free-decompression.patch # PATCH-FIX-UPSTREAM CVE-2026-4786-webbrowser-open-action.patch bsc#1262319 mcepl@suse.com # Fix webbrowser %action substitution bypass of dash-prefix check Patch110: CVE-2026-4786-webbrowser-open-action.patch # PATCH-FIX-UPSTREAM CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch bsc#1261969 mcepl@suse.com # Reject CR/LF in HTTP tunnel request headers Patch111: CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch # PATCH-FIX-UPSTREAM CVE-2026-6019-Morsel-js_output.patch bsc#1262654 mcepl@suse.com # Base64-encode cookie values embedded in JS Patch112: CVE-2026-6019-Morsel-js_output.patch ### COMMON-PATCH-END ### BuildRoot: %{_tmppath}/%{name}-%{version}-build ### COMMON-DEF-BEGIN ### # the versions are autogenerated from pre_checkin.sh # based on the current source tarball %define python_version 3.4 %define python_version_abitag 34 %define python_version_soname 3_4 %define sitedir %{_libdir}/python%{python_version} # three possible ABI kinds: m - pymalloc, d - debug build # see PEP 3149 %define abi_kind m # python ABI version - used in some file names %define python_abi %{python_version}%{abi_kind} # soname ABI tag defined in PEP 3149 %define abi_tag %{python_version_abitag}%{abi_kind} %define so_version %{python_version_soname}%{abi_kind}1_0 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}.so ### COMMON-DEF-END ### Requires: libpython%{so_version} == %{version}-%{release} %description Python 3 is an interpreted, object-oriented programming language, and is often compared to Tcl, Perl, Scheme, or Java. You can find an overview of Python in the documentation and tutorials included in the python-doc (HTML) or python-doc-pdf (PDF) packages. If you want to install third party modules using distutils, you need to install python-devel package. Authors: -------- Guido van Rossum %package -n python3-tools Requires: %{name} = %{version} Summary: Python Utility and Demonstration Scripts Group: Development/Languages/Python Obsoletes: python3-demo < %{version} Provides: python3-demo = %{version} %description -n python3-tools A number of scripts that are useful for building, testing or extending Python, and a set of demonstration programs. %package -n python3-devel Requires: %{name} = %{version} Provides: python3-2to3 = %{version} Obsoletes: python3-2to3 < %{version} Summary: Include Files and Libraries Mandatory for Building Python Modules Group: Development/Languages/Python %description -n python3-devel The Python programming language's interpreter can be extended with dynamically loaded extensions and can be embedded in other programs. This package contains header files, a static library, and development tools for building Python modules, extending the Python interpreter or embedding Python in applications. This also includes the Python distutils, which were in the Python package up to version 2.2.2. %package -n python3-testsuite Requires: python3 = %{version} Requires: python3-tk = %{version} Summary: Unit tests for Python and its standard library Group: Development/Languages/Python %description -n python3-testsuite Unit tests that are useful for verifying integrity and functionality of the installed Python interpreter and standard library. They are a documented part of stdlib, as a module 'test'. %package -n libpython%{so_version} Summary: Python Interpreter shared library Group: Development/Languages/Python %description -n libpython%{so_version} Python is an interpreted, object-oriented programming language, and is often compared to Tcl, Perl, Scheme, or Java. You can find an overview of Python in the documentation and tutorials included in the python-doc (HTML) or python-doc-pdf (PDF) packages. This package contains libpython3.2 shared library for embedding in other applications. %prep %autosetup -p1 -n %{tarname} ### COMMON-PREP-BEGIN ### cp Modules/Setup.dist Modules/Setup # For patch 34 cp -v %{SOURCE34} Lib/test/recursion.tar ### COMMON-PREP-END ### # Replace bundled wheels with the updates ones rm -v Lib/ensurepip/_bundled/*.whl cp -v %{SOURCE20} %{SOURCE21} Lib/ensurepip/_bundled/ STVER=$(basename %{SOURCE20}|cut -d- -f2) PIPVER=$(basename %{SOURCE21}|cut -d- -f2) sed -E -i -e "s/^(\s*_SETUPTOOLS_VERSION\s+=\s+)\"[0-9.]+\"/\1\"${STVER}\"/" \ -e "s/^(\s*_PIP_VERSION\s+=\s+)\"[0-9.]+\"/\1\"${PIPVER}\"/" \ Lib/ensurepip/__init__.py %build # use rpm_opt_flags export OPT="%{optflags} -fwrapv -DOPENSSL_LOAD_CONF" touch -r %{S:0} Makefile.pre.in autoreconf -fi # prevent make from trying to rebuild asdl stuff, which requires existing python installation touch Parser/asdl* Python/Python-ast.c Include/Python-ast.h # prevent makeopcodetargets touch -r Python/opcode_targets.h Lib/opcode.py Python/makeopcodetargets.py %if 0%{?sles_version} || 0%{?suse_version} <= 1220 sed -e 's/-fprofile-correction//' -i Makefile.pre.in %endif ./configure \ --prefix=%{_prefix} \ --libdir=%{_libdir} \ --mandir=%{_mandir} \ --docdir=%{_docdir}/python \ --enable-ipv6 \ --with-fpectl \ --enable-shared \ --with-ensurepip=no %if 0%{?do_profiling} target=profile-opt %else target=all %endif LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH \ make %{?_smp_mflags} -j 1 $target %check export LANG=en_US.utf-8 # SUSE's gdb breaks test_gdb by producing spurious output (zypper suggestions) # test_socket fails because of name resolution failure, that is expected EXCLUDE="test_gdb test_socket" %ifarch %arm # test_multiprocessing_forkserver is racy EXCLUDE="$EXCLUDE test_multiprocessing_forkserver" %endif %ifarch ppc ppc64 ppc64le # exclue test_faulthandler due to bnc#831629 EXCLUDE="$EXCLUDE test_faulthandler" %endif # some tests break in QEMU %if 0%{?qemu_user_space_build} > 0 EXCLUDE="$EXCLUDE test_multiprocessing_fork test_multiprocessing_forkserver test_multiprocessing_main_handling test_multiprocessing_spawn test_threading test_threadedtempfile test_io test_posix test_ioctl test_mmap test_openpty test_pty test_monotonic_settime test_clock_settime test_time test_subprocess test_asyncore test_asyncio test_send_at_certain_offset test_send_whole_file test_os test_faulthandler" # qemu bug (siginterrupt handling) EXCLUDE="$EXCLUDE test_signal" %endif # gh#python/cpython#81350 %if 0%{?suse_version} <= 1500 EXCLUDE="$EXCLUDE test_capi" %endif %ifarch aarch64 EXCLUDE="$EXCLUDE test_faulthandler" %endif # on x86_64, SLE_11_SP2 only, extreme gamma function values (close to negative # integers) fail. Is probably a bug/imperfection in -lm # disabling this for all SLE, unless someone knows how to test for SP level? %ifarch x86_64 %if 0%{?sles_version} == 11 EXCLUDE="$EXCLUDE test_math" %endif %endif # This test (part of test_uuid) requires real network interfaces # so that ifconfig output has "HWaddr ". Some kvm instances # done have any such interface breaking teh uuid module. EXCLUDE="$EXCLUDE test_uuid" # Exclude test_tools, test_venv and test_ensurepip which indirectly require ssl EXCLUDE="$EXCLUDE test_tools test_venv test_ensurepip" # Exclude more tests that require ssl EXCLUDE="$EXCLUDE test_urllib test_urllib2 test_urllib2net" # Limit virtual memory to avoid spurious failures if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then ulimit -v 10000000 || : fi make test TESTOPTS="-u none -x $EXCLUDE" # use network, be verbose: #make test TESTOPTS="-l -u network -v" %install make \ OPT="%{optflags} -fPIC" \ DESTDIR=$RPM_BUILD_ROOT \ install # remove .a find ${RPM_BUILD_ROOT} -name "*.a" -exec rm {} ";" # install "site-packages" and __pycache__ for third parties install -d -m 755 ${RPM_BUILD_ROOT}%{sitedir}/site-packages install -d -m 755 ${RPM_BUILD_ROOT}%{sitedir}/site-packages/__pycache__ # and their 32bit counterparts explicitly mkdir -p ${RPM_BUILD_ROOT}/usr/lib/python%{python_version}/site-packages/__pycache__ # cleanup parts that don't belong for dir in curses dbm ensurepip sqlite3 tkinter xml xmlrpc idlelib; do find $RPM_BUILD_ROOT%{sitedir}/$dir/* -maxdepth 0 -name "test" -o -exec rm -rf {} ";" done rm $RPM_BUILD_ROOT%{dynlib _elementtree} rm $RPM_BUILD_ROOT%{dynlib pyexpat} # overwrite the copied binary with a link ln -sf python%{python_version} ${RPM_BUILD_ROOT}%{_bindir}/python3 # delete idle3, which has to many packaging dependencies for base rm %{buildroot}%{_bindir}/idle3* # replace duplicate .pyo/.pyc with hardlinks %fdupes $RPM_BUILD_ROOT/%{sitedir} # documentation export PDOCS=${RPM_BUILD_ROOT}%{_docdir}/%{name} install -d -m 755 $PDOCS install -c -m 644 %{S:4} $PDOCS/ install -c -m 644 LICENSE $PDOCS/ install -c -m 644 README $PDOCS/ # tools for x in `find Tools/ \( -not -name Makefile \) -print | sort` ; do test -d $x && ( install -c -m 755 -d $PDOCS/$x ) \ || ( install -c -m 644 $x $PDOCS/$x ) done # clean up the bat files find $PDOCS -name "*.bat" -exec rm {} ";" # install devel files to /config #cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%%{sitedir}/config-%%{python_abi}/ # Remove -IVendor/ from python-config boo#1231795 sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config # RPM macros mkdir -p $RPM_BUILD_ROOT/etc/rpm LD_LIBRARY_PATH=. ./python %{S:8} > $RPM_BUILD_ROOT/etc/rpm/macros.python3 # macros.python3.py # import_failed hooks FAILDIR=$RPM_BUILD_ROOT/%{sitedir}/_import_failed mkdir $FAILDIR install -m 644 %{S:9} %{S:10} $FAILDIR # import_failed.* LD_LIBRARY_PATH=. ./python -c "from py_compile import compile; compile('$FAILDIR/import_failed.py', dfile='%{sitedir}/_import_failed/import_failed.py')" LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAILDIR/import_failed.py', dfile='%{sitedir}/_import_failed/import_failed.py')" ( cd $FAILDIR while read package modules; do for module in $modules; do ln import_failed.py $module.py pushd __pycache__ for i in import_failed*; do ln $i "$module${i#import_failed}" done popd done done < %{S:10} ) echo %{sitedir}/_import_failed > $RPM_BUILD_ROOT/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth %clean rm -rf $RPM_BUILD_ROOT %post -n libpython%{so_version} -p /sbin/ldconfig %postun -n libpython%{so_version} -p /sbin/ldconfig %files -n libpython%{so_version} %defattr(-,root,root,-) %{_libdir}/libpython%{python_abi}.so.* %files -n python3-tools %defattr(-,root,root,-) %{sitedir}/turtledemo %doc %{_docdir}/%{name}/Tools %files -n python3-devel %defattr(-,root,root,-) %{_libdir}/libpython%{python_abi}.so %{_libdir}/libpython3.so %{_libdir}/pkgconfig/* %{_prefix}/include/python%{python_abi} %exclude %{_prefix}/include/python%{python_abi}/pyconfig.h %{_bindir}/python%{python_abi}-config %{_bindir}/python%{python_version}-config %{_bindir}/python3-config %{_bindir}/2to3 %{_bindir}/2to3-%{python_version} %files -n python3-testsuite %defattr(-,root,root,-) %{sitedir}/test %{sitedir}/*/test %{dynlib _ctypes_test} %{dynlib _testbuffer} %{dynlib _testcapi} %{dynlib _testimportmultiple} %{dynlib xxlimited} # workaround for missing packages %dir %{sitedir}/sqlite3 %dir %{sitedir}/tkinter %files %defattr(-,root,root,-) # docs %dir %{_docdir}/%{name} %doc %{_docdir}/%{name}/README %doc %{_docdir}/%{name}/LICENSE %doc %{_docdir}/%{name}/README.SUSE %doc %{_mandir}/man1/python3.1* %doc %{_mandir}/man1/python%{python_version}.1* # license text, not a doc because the code can use it at run-time %{sitedir}/LICENSE.txt # makefile etc %{sitedir}/config-%{python_abi} /etc/rpm/macros.python3 %{_prefix}/include/python%{python_abi}/pyconfig.h # binary parts %dir %{sitedir}/lib-dynload #%%{sitedir}/lib-dynload/Python-%%{tarversion}-py%%{python_version}.egg-info %{dynlib array} %{dynlib audioop} %{dynlib binascii} %{dynlib _bisect} %{dynlib _bz2} %{dynlib cmath} %{dynlib _codecs_cn} %{dynlib _codecs_hk} %{dynlib _codecs_iso2022} %{dynlib _codecs_jp} %{dynlib _codecs_kr} %{dynlib _codecs_tw} %{dynlib _crypt} %{dynlib _csv} %{dynlib _ctypes} %{dynlib _datetime} %{dynlib _decimal} %{dynlib fcntl} %{dynlib grp} %{dynlib _heapq} %{dynlib _json} %{dynlib _lsprof} %{dynlib _lzma} %{dynlib math} %{dynlib mmap} %{dynlib _multibytecodec} %{dynlib _multiprocessing} %{dynlib nis} %{dynlib ossaudiodev} %{dynlib _opcode} %{dynlib parser} %{dynlib _pickle} %{dynlib _posixsubprocess} %{dynlib _random} %{dynlib resource} %{dynlib select} %{dynlib _socket} %{dynlib spwd} %{dynlib _struct} %{dynlib syslog} %{dynlib termios} # %%{dynlib time} %{dynlib unicodedata} %{dynlib zlib} # hashlib fallback modules %{dynlib _md5} %{dynlib _sha1} %{dynlib _sha256} %{dynlib _sha512} # python parts %dir /usr/lib/python%{python_version} %dir /usr/lib/python%{python_version}/site-packages %dir /usr/lib/python%{python_version}/site-packages/__pycache__ %dir %{sitedir} %dir %{sitedir}/site-packages %dir %{sitedir}/site-packages/__pycache__ %exclude %{sitedir}/*/test %{sitedir}/*.py %{sitedir}/asyncio %{sitedir}/ctypes %{sitedir}/collections %{sitedir}/concurrent %{sitedir}/distutils %{sitedir}/email %{sitedir}/encodings %{sitedir}/html %{sitedir}/http %{sitedir}/importlib %{sitedir}/json %{sitedir}/lib2to3 %{sitedir}/logging %{sitedir}/multiprocessing %{sitedir}/plat-* %{sitedir}/pydoc_data %{sitedir}/unittest %{sitedir}/urllib %{sitedir}/venv %{sitedir}/wsgiref %{sitedir}/site-packages/README %{sitedir}/__pycache__ # import-failed hooks %{sitedir}/_import_failed %{sitedir}/site-packages/zzzz-import-failed-hooks.pth # symlinks %{_bindir}/pyvenv %{_bindir}/python3 %{_bindir}/pydoc3 # executables %attr(755, root, root) %{_bindir}/pydoc%{python_version} %attr(755, root, root) %{_bindir}/python%{python_abi} %attr(755, root, root) %{_bindir}/python%{python_version} %attr(755, root, root) %{_bindir}/pyvenv-%{python_version} %changelog