From 8b1769199fde171c865a8d15af3f5855a3d8f4d2 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Wed, 27 Aug 2025 09:16:01 +0800 Subject: [PATCH 1/5] [CVE]update to python3-3.6.8-71 to #ICUY7V update to python3-3.6.8-71 for CVE-2025-8194 Project: TC2024080204 Signed-off-by: Jacob Wang --- 00467-tarfile-cve-2025-8194.patch | 215 ++++++++++++++++++ 1001-python3-anolis-add-loongarch.patch | 12 - 1002-fix-faulthandler_register-stack.patch | 43 ---- ...-by-value-for-structs-on-loongarch64.patch | 39 ---- Python-3.6.8-sw.patch | 45 ---- add-anolis-platform.patch | 12 - python3.spec | 40 +--- 7 files changed, 226 insertions(+), 180 deletions(-) create mode 100644 00467-tarfile-cve-2025-8194.patch delete mode 100644 1001-python3-anolis-add-loongarch.patch delete mode 100644 1002-fix-faulthandler_register-stack.patch delete mode 100644 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch delete mode 100644 Python-3.6.8-sw.patch delete mode 100644 add-anolis-platform.patch diff --git a/00467-tarfile-cve-2025-8194.patch b/00467-tarfile-cve-2025-8194.patch new file mode 100644 index 0000000..67850b2 --- /dev/null +++ b/00467-tarfile-cve-2025-8194.patch 
@@ -0,0 +1,215 @@ +From 738482c8b9a8a8f3ccdb678ad508a86d702a6751 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Mon, 11 Aug 2025 13:39:27 +0200 +Subject: [PATCH] 00467: tarfile CVE-2025-8194 + +tarfile now validates archives to ensure member offsets are non-negative (GH-137027) + +Co-authored-by: Gregory P. Smith +--- + Lib/tarfile.py | 3 + + Lib/test/test_tarfile.py | 156 ++++++++++++++++++ + ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 + + 3 files changed, 162 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 7d94b5c..3e03ebf 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1589,6 +1589,9 @@ class TarInfo(object): + """Round up a byte count by BLOCKSIZE and return it, + e.g. _block(834) => 1024. + """ ++ # Only non-negative offsets are allowed ++ if count < 0: ++ raise InvalidHeaderError("invalid offset") + blocks, remainder = divmod(count, BLOCKSIZE) + if remainder: + blocks += 1 +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 01da819..0a7586a 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -43,6 +43,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2") + xzname = os.path.join(TEMPDIR, "testtar.tar.xz") + tmpname = os.path.join(TEMPDIR, "tmp.tar") + dotlessname = os.path.join(TEMPDIR, "testtar") ++SPACE = b" " + + sha256_regtype = ( + "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce" +@@ -4018,6 +4019,161 @@ class TestExtractionFilters(unittest.TestCase): + self.check_trusted_default(tar, tempdir) + + ++class OffsetValidationTests(unittest.TestCase): ++ tarname = tmpname ++ invalid_posix_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, space, null terminator: 8 bytes ++ + b"000755" + SPACE + tarfile.NUL ++ # uid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + 
b"000001" + SPACE + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0011407" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # magic: 6 bytes, version: 2 bytes ++ + tarfile.POSIX_MAGIC ++ # uname: 32 bytes ++ + tarfile.NUL * 32 ++ # gname: 32 bytes ++ + tarfile.NUL * 32 ++ # devmajor, space, null terminator: 8 bytes ++ + tarfile.NUL * 6 + SPACE + tarfile.NUL ++ # devminor, space, null terminator: 8 bytes ++ + tarfile.NUL * 6 + SPACE + tarfile.NUL ++ # prefix: 155 bytes ++ + tarfile.NUL * tarfile.LENGTH_PREFIX ++ # padding: 12 bytes ++ + tarfile.NUL * 12 ++ ) ++ invalid_gnu_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, null terminator: 8 bytes ++ + b"0000755" + tarfile.NUL ++ # uid, null terminator: 8 bytes ++ + b"0000001" + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"0000001" + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0011327" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # magic: 8 bytes ++ + tarfile.GNU_MAGIC ++ # uname: 32 bytes ++ + tarfile.NUL * 32 ++ # gname: 32 bytes ++ + tarfile.NUL * 32 ++ # devmajor, null terminator: 8 bytes ++ + tarfile.NUL * 8 ++ # devminor, null terminator: 8 bytes ++ + tarfile.NUL * 8 ++ # padding: 167 bytes ++ + tarfile.NUL * 167 ++ ) ++ invalid_v7_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, space, null terminator: 8 bytes ++ + b"000755" + SPACE + tarfile.NUL ++ # uid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ 
+ tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0010070" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # padding: 255 bytes ++ + tarfile.NUL * 255 ++ ) ++ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT) ++ data_block = b"\xff" * tarfile.BLOCKSIZE ++ ++ def _write_buffer(self, buffer): ++ with open(self.tarname, "wb") as f: ++ f.write(buffer) ++ ++ def _get_members(self, ignore_zeros=None): ++ with open(self.tarname, "rb") as f: ++ with tarfile.open( ++ mode="r", fileobj=f, ignore_zeros=ignore_zeros ++ ) as tar: ++ return tar.getmembers() ++ ++ def _assert_raises_read_error_exception(self): ++ with self.assertRaisesRegex( ++ tarfile.ReadError, "file could not be opened successfully" ++ ): ++ self._get_members() ++ ++ def test_invalid_offset_header_validations(self): ++ for tar_format, invalid_header in ( ++ ("posix", self.invalid_posix_header), ++ ("gnu", self.invalid_gnu_header), ++ ("v7", self.invalid_v7_header), ++ ): ++ with self.subTest(format=tar_format): ++ self._write_buffer(invalid_header) ++ self._assert_raises_read_error_exception() ++ ++ def test_early_stop_at_invalid_offset_header(self): ++ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header ++ self._write_buffer(buffer) ++ members = self._get_members() ++ self.assertEqual(len(members), 1) ++ self.assertEqual(members[0].name, "filename") ++ self.assertEqual(members[0].offset, 0) ++ ++ def test_ignore_invalid_archive(self): ++ # 3 invalid headers with their respective data ++ buffer = (self.invalid_gnu_header + self.data_block) * 3 ++ self._write_buffer(buffer) ++ members = self._get_members(ignore_zeros=True) ++ self.assertEqual(len(members), 0) ++ ++ def test_ignore_invalid_offset_headers(self): ++ for first_block, second_block, expected_offset in ( ++ ( ++ (self.valid_gnu_header), ++ (self.invalid_gnu_header + self.data_block), ++ 0, ++ ), ++ ( ++ 
(self.invalid_gnu_header + self.data_block), ++ (self.valid_gnu_header), ++ 1024, ++ ), ++ ): ++ self._write_buffer(first_block + second_block) ++ members = self._get_members(ignore_zeros=True) ++ self.assertEqual(len(members), 1) ++ self.assertEqual(members[0].name, "filename") ++ self.assertEqual(members[0].offset, expected_offset) ++ ++ + def setUpModule(): + support.unlink(TEMPDIR) + os.makedirs(TEMPDIR) +diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst +new file mode 100644 +index 0000000..342cabb +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst +@@ -0,0 +1,3 @@ ++:mod:`tarfile` now validates archives to ensure member offsets are ++non-negative. (Contributed by Alexander Enrique Urieles Nieto in ++:gh:`130577`.) +-- +2.50.1 + diff --git a/1001-python3-anolis-add-loongarch.patch b/1001-python3-anolis-add-loongarch.patch deleted file mode 100644 index 3a1e801..0000000 --- a/1001-python3-anolis-add-loongarch.patch +++ /dev/null 
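Review bot: The negative-size guard in the embedded `Lib/tarfile.py` hunk sits in the rounding helper `TarInfo._block`, so it only rejects a header whose size is passed through `_block`, and the helper's docstring still describes pure rounding. I would extend that docstring with `Raises InvalidHeaderError if count is negative; callers rely on this to reject headers with a negative size field.` so that a later refactor does not move or bypass the check. Whether every path that advances the archive offset calls `_block` cannot be seen from this hunk, and the function body continues past it. The new tests also pin that, without `ignore_zeros`, a bad header after a valid member ends iteration silently: `test_early_stop_at_invalid_offset_header` expects one member and no exception. That is worth stating in the NEWS entry for consumers that treat a successful `getmembers()` as a complete listing.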
@@ -1,12 +0,0 @@ -diff -Nurp Python-3.6.8.orig/configure.ac Python-3.6.8/configure.ac ---- Python-3.6.8.orig/configure.ac 2021-01-07 07:03:34.660156250 +0000 -+++ Python-3.6.8/configure.ac 2021-01-07 07:04:44.785156250 +0000 -@@ -824,6 +824,8 @@ cat >> conftest.c < -Date: Wed, 14 Aug 2019 23:35:27 +0200 -Subject: [PATCH] bpo-21131: Fix faulthandler.register(chain=True) stack - (GH-15276) - -faulthandler now allocates a dedicated stack of SIGSTKSZ*2 bytes, -instead of just SIGSTKSZ bytes. Calling the previous signal handler -in faulthandler signal handler uses more than SIGSTKSZ bytes of stack -memory on some platforms. ---- - .../next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst | 4 ++++ - Modules/faulthandler.c | 6 +++++- - 2 files changed, 9 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst - -diff --git a/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst -new file mode 100644 -index 000000000000..d330aca1c17d ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst -@@ -0,0 +1,4 @@ -+Fix ``faulthandler.register(chain=True)`` stack. faulthandler now allocates a -+dedicated stack of ``SIGSTKSZ*2`` bytes, instead of just ``SIGSTKSZ`` bytes. -+Calling the previous signal handler in faulthandler signal handler uses more -+than ``SIGSTKSZ`` bytes of stack memory on some platforms. -diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c -index 2331051f7907..5dbbcad057e6 100644 ---- a/Modules/faulthandler.c -+++ b/Modules/faulthandler.c -@@ -1325,7 +1325,11 @@ _PyFaulthandler_Init(int enable) - * be able to allocate memory on the stack, even on a stack overflow. If it - * fails, ignore the error. */ - stack.ss_flags = 0; -- stack.ss_size = SIGSTKSZ; -+ /* bpo-21131: allocate dedicated stack of SIGSTKSZ*2 bytes, instead of just -+ SIGSTKSZ bytes. 
Calling the previous signal handler in faulthandler -+ signal handler uses more than SIGSTKSZ bytes of stack memory on some -+ platforms. */ -+ stack.ss_size = SIGSTKSZ * 2; - stack.ss_sp = PyMem_Malloc(stack.ss_size); - if (stack.ss_sp != NULL) { - err = sigaltstack(&stack, &old_stack); diff --git a/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch b/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch deleted file mode 100644 index 2b3cd0d..0000000 --- a/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 52b9fb9288eaec8d1b9eaa756c4079ed7e5baf5f Mon Sep 17 00:00:00 2001 -From: Liwei Ge -Date: Wed, 28 Sep 2022 17:50:16 +0800 -Subject: [PATCH] ctypes: pass by value for structs on loongarch64 - ---- - Lib/test/test_sysconfig.py | 2 +- - Modules/_ctypes/callproc.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py -index 90e6719..384fe39 100644 ---- a/Lib/test/test_sysconfig.py -+++ b/Lib/test/test_sysconfig.py -@@ -407,7 +407,7 @@ class TestSysConfig(unittest.TestCase): - import platform, re - machine = platform.machine() - suffix = sysconfig.get_config_var('EXT_SUFFIX') -- if re.match('(aarch64|arm|mips|ppc|powerpc|s390|sparc)', machine): -+ if re.match('(aarch64|arm|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): - self.assertTrue('linux' in suffix, suffix) - if re.match('(i[3-6]86|x86_64)$', machine): - if ctypes.sizeof(ctypes.c_char_p()) == 4: -diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index 2bb289b..7b3577f 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -1050,7 +1050,7 @@ GetComError(HRESULT errcode, GUID *riid, IUnknown *pIunk) - #endif - - #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \ -- defined(__aarch64__) -+ defined(__aarch64__) || defined(__loongarch__) - #define CTYPES_PASS_BY_REF_HACK - #define POW2(x) (((x & ~(x - 1)) == x) ? x : 0) - #define IS_PASS_BY_REF(x) (x > 8 || !POW2(x)) --- -2.27.0 - diff --git a/Python-3.6.8-sw.patch b/Python-3.6.8-sw.patch deleted file mode 100644 index 1925652..0000000 --- a/Python-3.6.8-sw.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -diff -Naur Python-3.6.8.org/configure.ac Python-3.6.8.sw/configure.ac ---- Python-3.6.8.org/configure.ac 2023-05-17 15:31:40.509671581 +0800 -+++ Python-3.6.8.sw/configure.ac 2023-05-17 15:33:36.428751614 +0800 -@@ -784,6 +784,8 @@ - # else - aarch64_be-linux-gnu - # endif -+# elif defined(__sw_64__) -+ sw_64-linux-gnu - # elif defined(__alpha__) - alpha-linux-gnu - # elif defined(__ARM_EABI__) && defined(__ARM_PCS_VFP) -@@ -1808,7 +1810,7 @@ - # support. Without this, treatment of subnormals doesn't follow - # the standard. - case $host in -- alpha*) -+ alpha* | sw_64* ) - BASECFLAGS="$BASECFLAGS -mieee" - ;; - esac -diff -Naur Python-3.6.8.org/Lib/test/test_sysconfig.py Python-3.6.8.sw/Lib/test/test_sysconfig.py ---- Python-3.6.8.org/Lib/test/test_sysconfig.py 2023-05-17 15:31:40.495671088 +0800 -+++ Python-3.6.8.sw/Lib/test/test_sysconfig.py 2023-05-17 15:34:19.362262761 +0800 -@@ -407,7 +407,7 @@ - import platform, re - machine = platform.machine() - suffix = sysconfig.get_config_var('EXT_SUFFIX') -- if re.match('(aarch64|arm|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): -+ if re.match('(aarch64|arm|sw_64|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): - self.assertTrue('linux' in suffix, suffix) - if re.match('(i[3-6]86|x86_64)$', machine): - if ctypes.sizeof(ctypes.c_char_p()) == 4: -diff -Naur Python-3.6.8.org/Modules/_ctypes/callproc.c Python-3.6.8.sw/Modules/_ctypes/callproc.c ---- Python-3.6.8.org/Modules/_ctypes/callproc.c 2023-05-17 15:31:40.495671088 +0800 -+++ Python-3.6.8.sw/Modules/_ctypes/callproc.c 2023-05-17 15:37:29.182943941 +0800 -@@ -1050,7 +1050,7 @@ - #endif - - #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \ -- defined(__aarch64__) || defined(__loongarch__) -+ defined(__aarch64__) || defined(__loongarch__) || defined(__sw_64__) - #define CTYPES_PASS_BY_REF_HACK - #define POW2(x) (((x & ~(x - 1)) == x) ? x : 0) - #define IS_PASS_BY_REF(x) (x > 8 || !POW2(x)) 
diff --git a/add-anolis-platform.patch b/add-anolis-platform.patch deleted file mode 100644 index 9952007..0000000 --- a/add-anolis-platform.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Nur Python-3.6.8/Lib/platform.py Python-3.6.8.new/Lib/platform.py ---- Python-3.6.8/Lib/platform.py 2018-12-24 05:37:14.000000000 +0800 -+++ Python-3.6.8.new/Lib/platform.py 2020-11-26 11:18:27.345369745 +0800 -@@ -297,7 +297,7 @@ - # and http://www.die.net/doc/linux/man/man1/lsb_release.1.html - - _supported_dists = ( -- 'SuSE', 'debian', 'fedora', 'redhat', 'centos', -+ 'SuSE', 'debian', 'fedora', 'redhat', 'centos', 'anolis', - 'mandrake', 'mandriva', 'rocks', 'slackware', 'yellowdog', 'gentoo', - 'UnitedLinux', 'turbolinux', 'arch', 'mageia') - diff --git a/python3.spec b/python3.spec index 53b2744..b200ffe 100644 --- a/python3.spec +++ b/python3.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # ================== # Top-level metadata # ================== @@ -15,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 70%{anolis_release}%{?dist} +Release: 71%{?dist} License: Python @@ -34,11 +33,7 @@ License: Python %bcond_without optimizations # Run the test suite in %%check -%ifarch %{ix86} -%bcond_with tests -%else %bcond_without tests -%endif # Extra build for debugging the interpreter or C-API extensions # (the -debug subpackages) @@ -178,15 +173,11 @@ License: Python # need different filenames. Use "64" or "32" according to the word size. # Currently, the best way to determine an architecture's word size happens to # be checking %%{_lib}. -%ifnarch sw_64 %if "%{_lib}" == "lib64" %global wordsize 64 %else %global wordsize 32 %endif -%else -%global wordsize 64 -%endif # %ifnarch sw_64 # ======================= 
@@ -944,6 +935,12 @@ Patch444: 00444-security-fix-for-cve-2024-11168.patch # - downstream only patch that makes the changes work and compatible with Python 3.6 Patch465: 00465-tarfile-cves.patch +# 00467 # +# tarfile CVE-2025-8194 +# +# tarfile now validates archives to ensure member offsets are non-negative (GH-137027) +Patch467: 00467-tarfile-cve-2025-8194.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -953,13 +950,6 @@ Patch465: 00465-tarfile-cves.patch # # https://fedoraproject.org/wiki/SIGs/Python/PythonPatches -# add anolis platform dist -Patch1000: add-anolis-platform.patch - -Patch1001: 1001-python3-anolis-add-loongarch.patch -Patch1002: 1002-fix-faulthandler_register-stack.patch -Patch1003: 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch -Patch10000: Python-3.6.8-sw.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1321,12 +1311,7 @@ GIT_DIR=$PWD git apply %{PATCH351} %patch443 -p1 %patch444 -p1 %patch465 -p1 - -%patch1000 -p1 -%patch1001 -p1 -%patch1002 -p1 -%patch1003 -p1 -%patch10000 -p1 +%patch467 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) 
@@ -2258,12 +2243,9 @@ fi # ====================================================== %changelog -* Wed Jul 02 2025 zhangbinchen - 3.6.8-70.0.1 -- Add Anolis platform -- Support Loongarch for python3 (songmingliang@uniontech.com) -- Fix testcase fails on loongarch64 (geliwei@openanolis.org) -- cherry-pick `add sw patch #1182efa2f05c5804a55d35d45a9d72f97b64a9b2`. (Weisson@linux.alibaba.com) - cherry-pick `sw use python of wordsize 64 #862dabb407d3f98c64f3a9d2675fcd3a6300a21f`. +* Mon Aug 11 2025 Lumír Balhar - 3.6.8-71 +- Security fix for CVE-2025-8194 +Resolves: RHEL-106333 * Tue Jun 24 2025 Lumír Balhar - 3.6.8-70 - Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 -- Gitee From 5597a67cc27301c2ecc24c27cbf6e22e381cd091 Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:46:55 +0800 Subject: [PATCH 2/5] rebrand: add anolis platform distribution --- add-anolis-platform.patch | 12 ++++++++++++ python3.spec | 10 +++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 add-anolis-platform.patch diff --git a/add-anolis-platform.patch b/add-anolis-platform.patch new file mode 100644 index 0000000..9952007 --- /dev/null +++ b/add-anolis-platform.patch @@ -0,0 +1,12 @@ +diff -Nur Python-3.6.8/Lib/platform.py Python-3.6.8.new/Lib/platform.py +--- Python-3.6.8/Lib/platform.py 2018-12-24 05:37:14.000000000 +0800 ++++ Python-3.6.8.new/Lib/platform.py 2020-11-26 11:18:27.345369745 +0800 +@@ -297,7 +297,7 @@ + # and http://www.die.net/doc/linux/man/man1/lsb_release.1.html + + _supported_dists = ( +- 'SuSE', 'debian', 'fedora', 'redhat', 'centos', ++ 'SuSE', 'debian', 'fedora', 'redhat', 'centos', 'anolis', + 'mandrake', 'mandriva', 'rocks', 'slackware', 'yellowdog', 'gentoo', + 'UnitedLinux', 'turbolinux', 'arch', 'mageia') + diff --git a/python3.spec b/python3.spec index b200ffe..22c60e3 100644 --- a/python3.spec +++ b/python3.spec 
@@ -1,3 +1,4 @@ +%define anolis_release .0.1 # ================== # Top-level metadata # ================== @@ -14,7 +15,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 71%{?dist} +Release: 71%{anolis_release}%{?dist} License: Python @@ -950,6 +951,8 @@ Patch467: 00467-tarfile-cve-2025-8194.patch # # https://fedoraproject.org/wiki/SIGs/Python/PythonPatches +# add anolis platform dist +Patch1000: add-anolis-platform.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1313,6 +1316,8 @@ GIT_DIR=$PWD git apply %{PATCH351} %patch465 -p1 %patch467 -p1 +%patch1000 -p1 + # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) rm configure pyconfig.h.in @@ -2243,6 +2248,9 @@ fi # ====================================================== %changelog +* Wed Aug 27 2025 zhangbinchen - 3.6.8-71.0.1 +- Add Anolis platform + * Mon Aug 11 2025 Lumír Balhar - 3.6.8-71 - Security fix for CVE-2025-8194 Resolves: RHEL-106333 -- Gitee From ffa81bee6533ae3aa8ab5930e7f3b3d65bb50dcb Mon Sep 17 00:00:00 2001 From: songmingliang Date: Thu, 5 May 2022 15:48:46 +0800 Subject: [PATCH 3/5] add loongarch support Signed-off-by: songmingliang --- 1001-python3-anolis-add-loongarch.patch | 12 ++++++++++++ python3.spec | 4 ++++ 2 files changed, 16 insertions(+) create mode 100644 1001-python3-anolis-add-loongarch.patch diff --git a/1001-python3-anolis-add-loongarch.patch b/1001-python3-anolis-add-loongarch.patch new file mode 100644 index 0000000..3a1e801 --- /dev/null +++ b/1001-python3-anolis-add-loongarch.patch 
@@ -0,0 +1,12 @@ +diff -Nurp Python-3.6.8.orig/configure.ac Python-3.6.8/configure.ac +--- Python-3.6.8.orig/configure.ac 2021-01-07 07:03:34.660156250 +0000 ++++ Python-3.6.8/configure.ac 2021-01-07 07:04:44.785156250 +0000 +@@ -824,6 +824,8 @@ cat >> conftest.c < - 3.6.8-71.0.1 - Add Anolis platform +- Support Loongarch for python3 (songmingliang@uniontech.com) * Mon Aug 11 2025 Lumír Balhar - 3.6.8-71 - Security fix for CVE-2025-8194 -- Gitee From 4ef5722643967e0f5bd7c6ffe3ce49a4b4c9ffb6 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Wed, 28 Sep 2022 17:56:54 +0800 Subject: [PATCH 4/5] build: fix testcase failure with loongarch64 https://bugzilla.openanolis.cn/show_bug.cgi?id=2295 --- 1002-fix-faulthandler_register-stack.patch | 43 +++++++++++++++++++ ...-by-value-for-structs-on-loongarch64.patch | 39 +++++++++++++++++ python3.spec | 5 +++ 3 files changed, 87 insertions(+) create mode 100644 1002-fix-faulthandler_register-stack.patch create mode 100644 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch diff --git a/1002-fix-faulthandler_register-stack.patch b/1002-fix-faulthandler_register-stack.patch new file mode 100644 index 0000000..13b7090 --- /dev/null +++ b/1002-fix-faulthandler_register-stack.patch 
@@ -0,0 +1,43 @@ +From ef158444cbe271d08d40c374316d3a2ffd6dea76 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Wed, 14 Aug 2019 23:35:27 +0200 +Subject: [PATCH] bpo-21131: Fix faulthandler.register(chain=True) stack + (GH-15276) + +faulthandler now allocates a dedicated stack of SIGSTKSZ*2 bytes, +instead of just SIGSTKSZ bytes. Calling the previous signal handler +in faulthandler signal handler uses more than SIGSTKSZ bytes of stack +memory on some platforms. +--- + .../next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst | 4 ++++ + Modules/faulthandler.c | 6 +++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst + +diff --git a/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst +new file mode 100644 +index 000000000000..d330aca1c17d +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2019-08-14-15-34-23.bpo-21131.0MMQRi.rst +@@ -0,0 +1,4 @@ ++Fix ``faulthandler.register(chain=True)`` stack. faulthandler now allocates a ++dedicated stack of ``SIGSTKSZ*2`` bytes, instead of just ``SIGSTKSZ`` bytes. ++Calling the previous signal handler in faulthandler signal handler uses more ++than ``SIGSTKSZ`` bytes of stack memory on some platforms. +diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c +index 2331051f7907..5dbbcad057e6 100644 +--- a/Modules/faulthandler.c ++++ b/Modules/faulthandler.c +@@ -1325,7 +1325,11 @@ _PyFaulthandler_Init(int enable) + * be able to allocate memory on the stack, even on a stack overflow. If it + * fails, ignore the error. */ + stack.ss_flags = 0; +- stack.ss_size = SIGSTKSZ; ++ /* bpo-21131: allocate dedicated stack of SIGSTKSZ*2 bytes, instead of just ++ SIGSTKSZ bytes. Calling the previous signal handler in faulthandler ++ signal handler uses more than SIGSTKSZ bytes of stack memory on some ++ platforms. 
*/ ++ stack.ss_size = SIGSTKSZ * 2; + stack.ss_sp = PyMem_Malloc(stack.ss_size); + if (stack.ss_sp != NULL) { + err = sigaltstack(&stack, &old_stack); diff --git a/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch b/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch new file mode 100644 index 0000000..2b3cd0d --- /dev/null +++ b/1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch @@ -0,0 +1,39 @@ +From 52b9fb9288eaec8d1b9eaa756c4079ed7e5baf5f Mon Sep 17 00:00:00 2001 +From: Liwei Ge +Date: Wed, 28 Sep 2022 17:50:16 +0800 +Subject: [PATCH] ctypes: pass by value for structs on loongarch64 + +--- + Lib/test/test_sysconfig.py | 2 +- + Modules/_ctypes/callproc.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py +index 90e6719..384fe39 100644 +--- a/Lib/test/test_sysconfig.py ++++ b/Lib/test/test_sysconfig.py +@@ -407,7 +407,7 @@ class TestSysConfig(unittest.TestCase): + import platform, re + machine = platform.machine() + suffix = sysconfig.get_config_var('EXT_SUFFIX') +- if re.match('(aarch64|arm|mips|ppc|powerpc|s390|sparc)', machine): ++ if re.match('(aarch64|arm|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): + self.assertTrue('linux' in suffix, suffix) + if re.match('(i[3-6]86|x86_64)$', machine): + if ctypes.sizeof(ctypes.c_char_p()) == 4: +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index 2bb289b..7b3577f 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -1050,7 +1050,7 @@ GetComError(HRESULT errcode, GUID *riid, IUnknown *pIunk) + #endif + + #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \ +- defined(__aarch64__) ++ defined(__aarch64__) || defined(__loongarch__) + #define CTYPES_PASS_BY_REF_HACK + #define POW2(x) (((x & ~(x - 1)) == x) ? x : 0) + #define IS_PASS_BY_REF(x) (x > 8 || !POW2(x)) +-- +2.27.0 + 
diff --git a/python3.spec b/python3.spec index 6253ccc..439a84f 100644 --- a/python3.spec +++ b/python3.spec @@ -955,6 +955,8 @@ Patch467: 00467-tarfile-cve-2025-8194.patch Patch1000: add-anolis-platform.patch Patch1001: 1001-python3-anolis-add-loongarch.patch +Patch1002: 1002-fix-faulthandler_register-stack.patch +Patch1003: 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1320,6 +1322,8 @@ GIT_DIR=$PWD git apply %{PATCH351} %patch1000 -p1 %patch1001 -p1 +%patch1002 -p1 +%patch1003 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -2254,6 +2258,7 @@ fi * Wed Aug 27 2025 zhangbinchen - 3.6.8-71.0.1 - Add Anolis platform - Support Loongarch for python3 (songmingliang@uniontech.com) +- Fix testcase fails on loongarch64 (geliwei@openanolis.org) * Mon Aug 11 2025 Lumír Balhar - 3.6.8-71 - Security fix for CVE-2025-8194 -- Gitee From c42721c95ebdd67dc820ea489fa62d50808b6ca9 Mon Sep 17 00:00:00 2001 From: wxiat Date: Thu, 29 Jun 2023 16:45:50 +0800 Subject: [PATCH 5/5] cherry-pick `add sw patch #1182efa2f05c5804a55d35d45a9d72f97b64a9b2`. cherry-pick `sw use python of wordsize 64 #862dabb407d3f98c64f3a9d2675fcd3a6300a21f`. Signed-off-by: Weisson --- Python-3.6.8-sw.patch | 45 +++++++++++++++++++++++++++++++++++++++++++ python3.spec | 8 ++++++++ 2 files changed, 53 insertions(+) create mode 100644 Python-3.6.8-sw.patch diff --git a/Python-3.6.8-sw.patch b/Python-3.6.8-sw.patch new file mode 100644 index 0000000..1925652 --- /dev/null +++ b/Python-3.6.8-sw.patch 
@@ -0,0 +1,45 @@ +diff -Naur Python-3.6.8.org/configure.ac Python-3.6.8.sw/configure.ac +--- Python-3.6.8.org/configure.ac 2023-05-17 15:31:40.509671581 +0800 ++++ Python-3.6.8.sw/configure.ac 2023-05-17 15:33:36.428751614 +0800 +@@ -784,6 +784,8 @@ + # else + aarch64_be-linux-gnu + # endif ++# elif defined(__sw_64__) ++ sw_64-linux-gnu + # elif defined(__alpha__) + alpha-linux-gnu + # elif defined(__ARM_EABI__) && defined(__ARM_PCS_VFP) +@@ -1808,7 +1810,7 @@ + # support. Without this, treatment of subnormals doesn't follow + # the standard. + case $host in +- alpha*) ++ alpha* | sw_64* ) + BASECFLAGS="$BASECFLAGS -mieee" + ;; + esac +diff -Naur Python-3.6.8.org/Lib/test/test_sysconfig.py Python-3.6.8.sw/Lib/test/test_sysconfig.py +--- Python-3.6.8.org/Lib/test/test_sysconfig.py 2023-05-17 15:31:40.495671088 +0800 ++++ Python-3.6.8.sw/Lib/test/test_sysconfig.py 2023-05-17 15:34:19.362262761 +0800 +@@ -407,7 +407,7 @@ + import platform, re + machine = platform.machine() + suffix = sysconfig.get_config_var('EXT_SUFFIX') +- if re.match('(aarch64|arm|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): ++ if re.match('(aarch64|arm|sw_64|loongarch64|mips|ppc|powerpc|s390|sparc)', machine): + self.assertTrue('linux' in suffix, suffix) + if re.match('(i[3-6]86|x86_64)$', machine): + if ctypes.sizeof(ctypes.c_char_p()) == 4: +diff -Naur Python-3.6.8.org/Modules/_ctypes/callproc.c Python-3.6.8.sw/Modules/_ctypes/callproc.c +--- Python-3.6.8.org/Modules/_ctypes/callproc.c 2023-05-17 15:31:40.495671088 +0800 ++++ Python-3.6.8.sw/Modules/_ctypes/callproc.c 2023-05-17 15:37:29.182943941 +0800 +@@ -1050,7 +1050,7 @@ + #endif + + #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \ +- defined(__aarch64__) || defined(__loongarch__) ++ defined(__aarch64__) || defined(__loongarch__) || defined(__sw_64__) + #define CTYPES_PASS_BY_REF_HACK + #define POW2(x) (((x & ~(x - 1)) == x) ? x : 0) + #define IS_PASS_BY_REF(x) (x > 8 || !POW2(x)) 
diff --git a/python3.spec b/python3.spec index 439a84f..ab9f41b 100644 --- a/python3.spec +++ b/python3.spec @@ -174,11 +174,15 @@ License: Python # need different filenames. Use "64" or "32" according to the word size. # Currently, the best way to determine an architecture's word size happens to # be checking %%{_lib}. +%ifnarch sw_64 %if "%{_lib}" == "lib64" %global wordsize 64 %else %global wordsize 32 %endif +%else +%global wordsize 64 +%endif # %ifnarch sw_64 # ======================= @@ -957,6 +961,7 @@ Patch1000: add-anolis-platform.patch Patch1001: 1001-python3-anolis-add-loongarch.patch Patch1002: 1002-fix-faulthandler_register-stack.patch Patch1003: 1003-ctypes-pass-by-value-for-structs-on-loongarch64.patch +Patch10000: Python-3.6.8-sw.patch # ========================================== # Descriptions, and metadata for subpackages @@ -1324,6 +1329,7 @@ GIT_DIR=$PWD git apply %{PATCH351} %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch10000 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -2259,6 +2265,8 @@ fi - Add Anolis platform - Support Loongarch for python3 (songmingliang@uniontech.com) - Fix testcase fails on loongarch64 (geliwei@openanolis.org) +- cherry-pick `add sw patch #1182efa2f05c5804a55d35d45a9d72f97b64a9b2`. (Weisson@linux.alibaba.com) + cherry-pick `sw use python of wordsize 64 #862dabb407d3f98c64f3a9d2675fcd3a6300a21f`. * Mon Aug 11 2025 Lumír Balhar - 3.6.8-71 - Security fix for CVE-2025-8194 -- Gitee