From f413542aefa4462267094c16065bbdaba6207469 Mon Sep 17 00:00:00 2001 From: lzq11122 Date: Thu, 10 Jul 2025 01:16:04 -0400 Subject: [PATCH] Add patch to fix CVE-2024-8088 --- 1008-fix-CVE-2024-8088.patch | 145 +++++++++++++++++++++++++++++++++++ python3.spec | 9 ++- 2 files changed, 152 insertions(+), 2 deletions(-) create mode 100644 1008-fix-CVE-2024-8088.patch diff --git a/1008-fix-CVE-2024-8088.patch b/1008-fix-CVE-2024-8088.patch new file mode 100644 index 0000000..72cf107 --- /dev/null +++ b/1008-fix-CVE-2024-8088.patch @@ -0,0 +1,145 @@ +From a012256c25a773475c9389cfb8c109d7b7317eb3 Mon Sep 17 00:00:00 2001 +From: lzq11122 +Date: Thu, 10 Jul 2025 01:10:41 -0400 +Subject: [PATCH 1/1] fix CVE-2024-8088 + +--- + Lib/test/test_zipfile.py | 76 ++++++++++++++++++++++++++++++++++++++++ + Lib/zipfile.py | 11 ++++-- + 2 files changed, 84 insertions(+), 3 deletions(-) + +diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py +index c8e0159..d0025e2 100644 +--- a/Lib/test/test_zipfile.py ++++ b/Lib/test/test_zipfile.py +@@ -3512,6 +3512,82 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf: + zipfile.Path(zf) + zf.extractall(source_path.parent) + ++ def test_malformed_paths(self): ++ """ ++ Path should handle malformed paths gracefully. ++ ++ Paths with leading slashes are not visible. ++ ++ Paths with dots are treated like regular files. ++ """ ++ data = io.BytesIO() ++ zf = zipfile.ZipFile(data, "w") ++ zf.writestr("/one-slash.txt", b"content") ++ zf.writestr("//two-slash.txt", b"content") ++ zf.writestr("../parent.txt", b"content") ++ zf.filename = '' ++ root = zipfile.Path(zf) ++ assert list(map(str, root.iterdir())) == ['../'] ++ assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content' ++ ++ def test_unsupported_names(self): ++ """ ++ Path segments with special characters are readable. ++ ++ On some platforms or file systems, characters like ++ ``:`` and ``?`` are not allowed, but they are valid ++ in the zip file. ++ """ ++ data = io.BytesIO() ++ zf = zipfile.ZipFile(data, "w") ++ zf.writestr("path?", b"content") ++ zf.writestr("V: NMS.flac", b"fLaC...") ++ zf.filename = '' ++ root = zipfile.Path(zf) ++ contents = root.iterdir() ++ assert next(contents).name == 'path?' ++ assert next(contents).name == 'V: NMS.flac' ++ assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..." ++ ++ def test_backslash_not_separator(self): ++ """ ++ In a zip file, backslashes are not separators. ++ """ ++ data = io.BytesIO() ++ zf = zipfile.ZipFile(data, "w") ++ zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content") ++ zf.filename = '' ++ root = zipfile.Path(zf) ++ (first,) = root.iterdir() ++ assert not first.is_dir() ++ assert first.name == 'foo\\bar' ++ ++ ++class DirtyZipInfo(zipfile.ZipInfo): ++ """ ++ Bypass name sanitization. ++ """ ++ ++ def __init__(self, filename, *args, **kwargs): ++ super().__init__(filename, *args, **kwargs) ++ self.filename = filename ++ ++ @classmethod ++ def for_name(cls, name, archive): ++ """ ++ Construct the same way that ZipFile.writestr does. ++ ++ TODO: extract this functionality and re-use ++ """ ++ self = cls(filename=name, date_time=time.localtime(time.time())[:6]) ++ self.compress_type = archive.compression ++ self.compress_level = archive.compresslevel ++ if self.filename.endswith('/'): # pragma: no cover ++ self.external_attr = 0o40775 << 16 # drwxrwxr-x ++ self.external_attr |= 0x10 # MS-DOS directory flag ++ else: ++ self.external_attr = 0o600 << 16 # ?rw------- ++ return self + + class EncodedMetadataTests(unittest.TestCase): + file_names = ['\u4e00', '\u4e8c', '\u4e09'] # Han 'one', 'two', 'three' +diff --git a/Lib/zipfile.py b/Lib/zipfile.py +index 6189db5..49d0ad3 100644 +--- a/Lib/zipfile.py ++++ b/Lib/zipfile.py +@@ -9,6 +9,7 @@ import io + import itertools + import os + import posixpath ++import re + import shutil + import stat + import struct +@@ -2192,7 +2193,7 @@ def _parents(path): + def _ancestry(path): + """ + Given a path with elements separated by +- posixpath.sep, generate all elements of that path ++ posixpath.sep, generate all elements of that path. + + >>> list(_ancestry('b/d')) + ['b/d', 'b'] +@@ -2204,9 +2205,14 @@ def _ancestry(path): + ['b'] + >>> list(_ancestry('')) + [] ++ ++ Multiple separators are treated like a single. ++ ++ >>> list(_ancestry('//b//d///f//')) ++ ['//b//d///f', '//b//d', '//b'] + """ + path = path.rstrip(posixpath.sep) +- while path and path != posixpath.sep: ++ while path.rstrip(posixpath.sep): + yield path + path, tail = posixpath.split(path) + +@@ -2222,7 +2228,6 @@ def _difference(minuend, subtrahend): + """ + return itertools.filterfalse(set(subtrahend).__contains__, minuend) + +- + class CompleteDirs(ZipFile): + """ + A ZipFile subclass that ensures that implied directories +-- +2.41.0 + diff --git a/python3.spec b/python3.spec index b46e15c..9f81953 100644 --- a/python3.spec +++ b/python3.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %global pybasever 3.11 # pybasever without the dot: @@ -245,7 +245,9 @@ Patch1005: fix-cve-2025-0938.patch Patch1006: 0001-add-sw_64-support.patch # https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d Patch1007: fix-CVE-2024-0397.patch - +# https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e +# https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798 +Patch1008: 1008-fix-CVE-2024-8088.patch # ========================================== # Descriptions, and metadata for subpackages # ========================================== @@ -1517,6 +1519,9 @@ CheckPython optimized # ====================================================== %changelog +* Thu Jul 10 2025 mgb01105731 - 3.11.6-6 +- Add patch to fix CVE-2024-8088 + * Tue Jun 10 2025 wenxin - 3.11.6-5 - Fix CVE-2024-0397 -- Gitee