From 55938e8e42e100bf6ea7ada91ff7dffaf822b3ce Mon Sep 17 00:00:00 2001
From: qhw01063182
Date: Fri, 29 Aug 2025 18:03:05 +0800
Subject: [PATCH 1/2] [CVE] update to python3.11-3.11.13-2

Signed-off-by: qhw01063182
---
 00467-CVE-2025-8194.patch | 216 +++++++++++++++++++++++++++++++++
 1000-add-anolis-platform.patch | 26 ----
 1001-support-loongarch64.patch | 26 ----
 python3.11.spec | 25 ++--
 4 files changed, 228 insertions(+), 65 deletions(-)
 create mode 100644 00467-CVE-2025-8194.patch
 delete mode 100644 1000-add-anolis-platform.patch
 delete mode 100644 1001-support-loongarch64.patch

diff --git a/00467-CVE-2025-8194.patch b/00467-CVE-2025-8194.patch
new file mode 100644
index 0000000..a41afef
--- /dev/null
+++ b/00467-CVE-2025-8194.patch
@@ -0,0 +1,216 @@
+From b4ec17488eedec36d3c05fec127df71c0071f6cb Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 19 Aug 2025 20:00:46 +0200
+Subject: [PATCH] [3.11] gh-130577: tarfile now validates archives to ensure
+ member offsets are non-negative (GH-137027) (#137172)
+
+gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
+(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38)
+
+Co-authored-by: Alexander Urieles
+Co-authored-by: Gregory P. Smith
+---
+ Lib/tarfile.py | 3 +
+ Lib/test/test_tarfile.py | 156 ++++++++++++++++++
+ ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 +
+ 3 files changed, 162 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 2423e14bc540d8..c04c576ea22d2d 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1614,6 +1614,9 @@ def _block(self, count):
+ """Round up a byte count by BLOCKSIZE and return it,
+ e.g. _block(834) => 1024.
+ """
++ # Only non-negative offsets are allowed
++ if count < 0:
++ raise InvalidHeaderError("invalid offset")
+ blocks, remainder = divmod(count, BLOCKSIZE)
+ if remainder:
+ blocks += 1
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 7377acdf398622..366aac781df1e7 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -50,6 +50,7 @@ def sha256sum(data):
+ xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
+ tmpname = os.path.join(TEMPDIR, "tmp.tar")
+ dotlessname = os.path.join(TEMPDIR, "testtar")
++SPACE = b" "
+
+ sha256_regtype = (
+ "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
+@@ -4386,6 +4387,161 @@ def extractall(self, ar):
+ ar.extractall(self.testdir, filter='fully_trusted')
+
+
++class OffsetValidationTests(unittest.TestCase):
++ tarname = tmpname
++ invalid_posix_header = (
++ # name: 100 bytes
++ tarfile.NUL * tarfile.LENGTH_NAME
++ # mode, space, null terminator: 8 bytes
++ + b"000755" + SPACE + tarfile.NUL
++ # uid, space, null terminator: 8 bytes
++ + b"000001" + SPACE + tarfile.NUL
++ # gid, space, null terminator: 8 bytes
++ + b"000001" + SPACE + tarfile.NUL
++ # size, space: 12 bytes
++ + b"\xff" * 11 + SPACE
++ # mtime, space: 12 bytes
++ + tarfile.NUL * 11 + SPACE
++ # chksum: 8 bytes
++ + b"0011407" + tarfile.NUL
++ # type: 1 byte
++ + tarfile.REGTYPE
++ # linkname: 100 bytes
++ + tarfile.NUL * tarfile.LENGTH_LINK
++ # magic: 6 bytes, version: 2 bytes
++ + tarfile.POSIX_MAGIC
++ # uname: 32 bytes
++ + tarfile.NUL * 32
++ # gname: 32 bytes
++ + tarfile.NUL * 32
++ # devmajor, space, null terminator: 8 bytes
++ + tarfile.NUL * 6 + SPACE + tarfile.NUL
++ # devminor, space, null terminator: 8 bytes
++ + tarfile.NUL * 6 + SPACE + tarfile.NUL
++ # prefix: 155 bytes
++ + tarfile.NUL * tarfile.LENGTH_PREFIX
++ # padding: 12 bytes
++ + tarfile.NUL * 12
++ )
++ invalid_gnu_header = (
++ # name: 100 bytes
++ tarfile.NUL * tarfile.LENGTH_NAME
++ # mode, null terminator: 8 bytes
++ + b"0000755" + tarfile.NUL
++ # uid, null terminator: 8 bytes
++ + b"0000001" + tarfile.NUL
++ # gid, space, null terminator: 8 bytes
++ + b"0000001" + tarfile.NUL
++ # size, space: 12 bytes
++ + b"\xff" * 11 + SPACE
++ # mtime, space: 12 bytes
++ + tarfile.NUL * 11 + SPACE
++ # chksum: 8 bytes
++ + b"0011327" + tarfile.NUL
++ # type: 1 byte
++ + tarfile.REGTYPE
++ # linkname: 100 bytes
++ + tarfile.NUL * tarfile.LENGTH_LINK
++ # magic: 8 bytes
++ + tarfile.GNU_MAGIC
++ # uname: 32 bytes
++ + tarfile.NUL * 32
++ # gname: 32 bytes
++ + tarfile.NUL * 32
++ # devmajor, null terminator: 8 bytes
++ + tarfile.NUL * 8
++ # devminor, null terminator: 8 bytes
++ + tarfile.NUL * 8
++ # padding: 167 bytes
++ + tarfile.NUL * 167
++ )
++ invalid_v7_header = (
++ # name: 100 bytes
++ tarfile.NUL * tarfile.LENGTH_NAME
++ # mode, space, null terminator: 8 bytes
++ + b"000755" + SPACE + tarfile.NUL
++ # uid, space, null terminator: 8 bytes
++ + b"000001" + SPACE + tarfile.NUL
++ # gid, space, null terminator: 8 bytes
++ + b"000001" + SPACE + tarfile.NUL
++ # size, space: 12 bytes
++ + b"\xff" * 11 + SPACE
++ # mtime, space: 12 bytes
++ + tarfile.NUL * 11 + SPACE
++ # chksum: 8 bytes
++ + b"0010070" + tarfile.NUL
++ # type: 1 byte
++ + tarfile.REGTYPE
++ # linkname: 100 bytes
++ + tarfile.NUL * tarfile.LENGTH_LINK
++ # padding: 255 bytes
++ + tarfile.NUL * 255
++ )
++ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
++ data_block = b"\xff" * tarfile.BLOCKSIZE
++
++ def _write_buffer(self, buffer):
++ with open(self.tarname, "wb") as f:
++ f.write(buffer)
++
++ def _get_members(self, ignore_zeros=None):
++ with open(self.tarname, "rb") as f:
++ with tarfile.open(
++ mode="r", fileobj=f, ignore_zeros=ignore_zeros
++ ) as tar:
++ return tar.getmembers()
++
++ def _assert_raises_read_error_exception(self):
++ with self.assertRaisesRegex(
++ tarfile.ReadError, "file could not be opened successfully"
++ ):
++ self._get_members()
++
++ def test_invalid_offset_header_validations(self):
++ for tar_format, invalid_header in (
++ ("posix", self.invalid_posix_header),
++ ("gnu", self.invalid_gnu_header),
++ ("v7", self.invalid_v7_header),
++ ):
++ with self.subTest(format=tar_format):
++ self._write_buffer(invalid_header)
++ self._assert_raises_read_error_exception()
++
++ def test_early_stop_at_invalid_offset_header(self):
++ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
++ self._write_buffer(buffer)
++ members = self._get_members()
++ self.assertEqual(len(members), 1)
++ self.assertEqual(members[0].name, "filename")
++ self.assertEqual(members[0].offset, 0)
++
++ def test_ignore_invalid_archive(self):
++ # 3 invalid headers with their respective data
++ buffer = (self.invalid_gnu_header + self.data_block) * 3
++ self._write_buffer(buffer)
++ members = self._get_members(ignore_zeros=True)
++ self.assertEqual(len(members), 0)
++
++ def test_ignore_invalid_offset_headers(self):
++ for first_block, second_block, expected_offset in (
++ (
++ (self.valid_gnu_header),
++ (self.invalid_gnu_header + self.data_block),
++ 0,
++ ),
++ (
++ (self.invalid_gnu_header + self.data_block),
++ (self.valid_gnu_header),
++ 1024,
++ ),
++ ):
++ self._write_buffer(first_block + second_block)
++ members = self._get_members(ignore_zeros=True)
++ self.assertEqual(len(members), 1)
++ self.assertEqual(members[0].name, "filename")
++ self.assertEqual(members[0].offset, expected_offset)
++
++
+ def setUpModule():
+ os_helper.unlink(TEMPDIR)
+ os.makedirs(TEMPDIR)
+diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+new file mode 100644
+index 00000000000000..342cabbc865dc4
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+@@ -0,0 +1,3 @@
++:mod:`tarfile` now validates archives to ensure member offsets are
++non-negative. (Contributed by Alexander Enrique Urieles Nieto in
++:gh:`130577`.)
diff --git a/1000-add-anolis-platform.patch b/1000-add-anolis-platform.patch
deleted file mode 100644
index 83605e1..0000000
--- a/1000-add-anolis-platform.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 9cb4b626aa0cad11a407daa52ba56d5b2857d69f Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 14 Oct 2024 17:29:28 +0800
-Subject: [PATCH] add anolis platform
-
-Signed-off-by: rpm-build
----
- Doc/library/gettext.rst | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Doc/library/gettext.rst b/Doc/library/gettext.rst
-index 41beac3..52b1d9d 100644
---- a/Doc/library/gettext.rst
-+++ b/Doc/library/gettext.rst
-@@ -636,7 +636,7 @@ implementations, and valuable experience to the creation of this module:
-
- .. rubric:: Footnotes
-
--.. [#] The default locale directory is system dependent; for example, on Red Hat Linux
-+.. [#] The default locale directory is system dependent; for example, on Anolis OS
- it is :file:`/usr/share/locale`, but on Solaris it is :file:`/usr/lib/locale`.
- The :mod:`!gettext` module does not try to support these system dependent
- defaults; instead its default is :file:`{sys.base_prefix}/share/locale` (see
---
-2.43.5
-
diff --git a/1001-support-loongarch64.patch b/1001-support-loongarch64.patch
deleted file mode 100644
index ed9381e..0000000
--- a/1001-support-loongarch64.patch
+++ /dev/null
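Review bot: The `_block` docstring in the Lib/tarfile.py hunk still describes only the rounding (`_block(834) => 1024`) while the new guard makes a negative `count` raise, so the exception is not part of the documented contract; add `Raises InvalidHeaderError if count is negative, which only a crafted or corrupt header can produce.` to the docstring so callers that wrap `_block` know to expect it. A caveat worth recording in the tests: `test_early_stop_at_invalid_offset_header` shows this is a stop-not-reject fix — a malformed member after a valid one makes `getmembers()` quietly return only the preceding member, and as the tests exercise it only a failure at offset 0 surfaces as `ReadError` (via `_assert_raises_read_error_exception`), so consumers should not treat a short member list as proof the archive was read to the end; a one-line comment on that test, `# a bad header past offset 0 ends iteration silently; only offset-0 failures raise ReadError`, would make that explicit. Minor: the `invalid_gnu_header` fixture comment `# gid, space, null terminator: 8 bytes` does not match its bytes (`b"0000001" + tarfile.NUL`, no space) and should read `# gid, null terminator: 8 bytes`. The `_block` method's enclosing class and its callers lie outside the hunk.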
@@ -1,26 +0,0 @@ -From fc76a1d9be245be9fedaacd96faa5ef4ebda3cbb Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Fri, 13 Sep 2024 13:29:09 +0800 -Subject: [PATCH 2/2] support loongarch64 - -Signed-off-by: rpm-build ---- - configure.ac | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 861f7a0..132fc5f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1040,6 +1040,8 @@ cat > conftest.c < - 3.11.13-1.0.1 -- Rebrand for Anolis OS -- Support loongarch64 platform +* Thu Aug 21 2025 Charalampos Stratakis - 3.11.13-2 +- Security fix for CVE-2025-8194 +Resolves: RHEL-106338 * Wed Jun 04 2025 Tomáš Hrnčiar - 3.11.13-1 - Update to 3.11.13 -- Gitee From ea4103589b2aa141608b2edc28216d2f29c0d3e2 Mon Sep 17 00:00:00 2001 From: Bo Ren Date: Fri, 13 Sep 2024 13:34:25 +0800 Subject: [PATCH 2/2] Rebrand for Anolis OS and support loongarch64 Signed-off-by: Bo Ren --- 1000-add-anolis-platform.patch | 26 ++++++++++++++++++++++++++ 1001-support-loongarch64.patch | 26 ++++++++++++++++++++++++++ python3.11.spec | 10 +++++++++- 3 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 1000-add-anolis-platform.patch create mode 100644 1001-support-loongarch64.patch diff --git a/1000-add-anolis-platform.patch b/1000-add-anolis-platform.patch new file mode 100644 index 0000000..83605e1 --- /dev/null +++ b/1000-add-anolis-platform.patch 
@@ -0,0 +1,26 @@ +From 9cb4b626aa0cad11a407daa52ba56d5b2857d69f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 14 Oct 2024 17:29:28 +0800 +Subject: [PATCH] add anolis platform + +Signed-off-by: rpm-build +--- + Doc/library/gettext.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Doc/library/gettext.rst b/Doc/library/gettext.rst +index 41beac3..52b1d9d 100644 +--- a/Doc/library/gettext.rst ++++ b/Doc/library/gettext.rst +@@ -636,7 +636,7 @@ implementations, and valuable experience to the creation of this module: + + .. rubric:: Footnotes + +-.. [#] The default locale directory is system dependent; for example, on Red Hat Linux ++.. [#] The default locale directory is system dependent; for example, on Anolis OS + it is :file:`/usr/share/locale`, but on Solaris it is :file:`/usr/lib/locale`. + The :mod:`!gettext` module does not try to support these system dependent + defaults; instead its default is :file:`{sys.base_prefix}/share/locale` (see +-- +2.43.5 + diff --git a/1001-support-loongarch64.patch b/1001-support-loongarch64.patch new file mode 100644 index 0000000..ed9381e --- /dev/null +++ b/1001-support-loongarch64.patch @@ -0,0 +1,26 @@ +From fc76a1d9be245be9fedaacd96faa5ef4ebda3cbb Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Fri, 13 Sep 2024 13:29:09 +0800 +Subject: [PATCH 2/2] support loongarch64 + +Signed-off-by: rpm-build +--- + configure.ac | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 861f7a0..132fc5f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1040,6 +1040,8 @@ cat > conftest.c < - 3.11.13-2.0.1 +- Rebrand for Anolis OS +- Support loongarch64 platform + * Thu Aug 21 2025 Charalampos Stratakis - 3.11.13-2 - Security fix for CVE-2025-8194 Resolves: RHEL-106338 -- Gitee