diff --git a/cve-2024-4030.patch b/cve-2024-4030.patch
new file mode 100644
index 0000000000000000000000000000000000000000..01468319dcfe3789dacddfdf498354b0be183a78
--- /dev/null
+++ b/cve-2024-4030.patch
@@ -0,0 +1,42 @@
+From 3f5e5f5165beb1cbc368b7693e6e02cf204862e6 Mon Sep 17 00:00:00 2001
+From: Steve Dower
+Date: Tue, 7 May 2024 22:14:43 +0100
+Subject: [PATCH] Fix CVE in docs
+
+---
+ Doc/whatsnew/3.8.rst | 4 ++--
+ .../Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst
+index e0eb5b4dc3f777..c1e57456345525 100644
+--- a/Doc/whatsnew/3.8.rst
++++ b/Doc/whatsnew/3.8.rst
+@@ -1049,7 +1049,7 @@ treat junctions as links.
+ As of 3.8.20, :func:`os.mkdir` and :func:`os.makedirs` on Windows now support
+ passing a *mode* value of ``0o700`` to apply access control to the new
+ directory. This implicitly affects :func:`tempfile.mkdtemp` and is a
+-mitigation for :cve:`2024-4030`. Other values for *mode* continue to be
++mitigation for CVE-2024-4030. Other values for *mode* continue to be
+ ignored.
+ (Contributed by Steve Dower in :gh:`118486`.)
+
+@@ -1264,7 +1264,7 @@ tempfile
+
+ As of 3.8.20 on Windows, the default mode ``0o700`` used by
+ :func:`tempfile.mkdtemp` now limits access to the new directory due to
+-changes to :func:`os.mkdir`. This is a mitigation for :cve:`2024-4030`.
++changes to :func:`os.mkdir`. This is a mitigation for CVE-2024-4030.
+ (Contributed by Steve Dower in :gh:`118486`.)
+
+
+diff --git a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst b/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst
+index 8ac48aac816a60..a28a4e5cdb6991 100644
+--- a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst
++++ b/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst
+@@ -1,4 +1,4 @@
+ :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict
+-the new directory to the current user. This fixes :cve:`2024-4030`
++the new directory to the current user. 
This fixes CVE-2024-4030
+ affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary
+ directory is more permissive than the default.
diff --git a/python3.spec b/python3.spec
index 02c5fad0bbb47a09fc318ecdb8f70f677a003d40..df7681ffcb16f2069fa78af48fe39dadc0768edb 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.11.6
-Release: 2
+Release: 3
 License: Python-2.0
 %global branchversion 3.11
@@ -88,6 +88,8 @@ Source1: pyconfig.h
 Patch1: 00001-rpath.patch
 Patch251: 00251-change-user-install-location.patch
+Patch500: cve-2024-4030.patch
+
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: 0001-add-loongarch64-support-for-python.patch
@@ -185,6 +187,8 @@ rm configure pyconfig.h.in
 %patch1 -p1
 %patch251 -p1
+%patch500 -p1
+
 %patch9000 -p1
 %patch9001 -p1
@@ -848,6 +852,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
+* Wed May 08 2024 zhaosai - 3.11.6-3
+- Type:cve
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-4030
+
 * Mon Feb 26 2024 Wenlong Zhang - 3.11.6-2
 - Type:bugfix
 - CVE:NA
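Review bot: The file added in this hunk changes only documentation — its Subject line is "Fix CVE in docs" and both of its inner hunks merely replace the `:cve:` role with the literal text `CVE-2024-4030` in Doc/whatsnew/3.8.rst and a NEWS.d entry — so it does not carry the os.mkdir/tempfile.mkdtemp mode-0o700 change that text describes, yet the `Patch500: cve-2024-4030.patch` and `%patch500 -p1` hunks in python3.spec ship it as the CVE fix and the changelog entry reads `- DESC: fix CVE-2024-4030`. The lines it edits ("As of 3.8.20 …", the 2024-05-01 NEWS.d file) appear to have been introduced by the gh-118486 fix itself, which postdates a 3.11.6 tarball, so `%patch500 -p1` would likely fail to apply at build time rather than fix anything; this is inferred from the dates and version visible in the hunks, not verifiable here. The mitigation being documented is also Windows-specific (`os.mkdir` mode handling on Windows), so for this package the changelog's `CVE:NA` and `DESC: fix CVE-2024-4030` lines should be reconciled to state what actually changed. Either replace Patch500 with the real gh-118486 backport for the 3.11 branch if the build needs it, or drop Patch500 and `%patch500 -p1` and reword the changelog.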