From dde596588459657b1cddebbcb8e57a48bbc89c6c Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Thu, 30 May 2024 16:28:22 +0800
Subject: [PATCH] Fix etree XMLPullParser tests for Expat >=2.6.0 with reparse deferral For Expat >=2.6.0 or Expat <2.6.0 with CVE-2023-52425 applied, test_xml_etree will failed. Fix it by backporting upstream patch https://github.com/python/cpython/commit/366f3152a7313a7f3ab266dcbf333062afa49675, but replace pyexpat.version_info with expat header file check.
Signed-off-by: Zhao Mengmeng
---
 ...sts-for-XMLPullParser-with-Expat-2.6.patch | 119 ++++++++++++++++++
 python3.spec | 11 +-
 2 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 backport-gh-115133-Fix-tests-for-XMLPullParser-with-Expat-2.6.patch
diff --git a/backport-gh-115133-Fix-tests-for-XMLPullParser-with-Expat-2.6.patch b/backport-gh-115133-Fix-tests-for-XMLPullParser-with-Expat-2.6.patch
new file mode 100644
index 0000000..eb20a1e
--- /dev/null
+++ b/backport-gh-115133-Fix-tests-for-XMLPullParser-with-Expat-2.6.patch
@@ -0,0 +1,119 @@
+From 027813e06dbc0fc1ac7571ff8473faaed9f88abb Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Wed, 21 Feb 2024 05:18:41 -0600
+Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
+ (GH-115164) (GH-115536)
+
+Feeding the parser by too small chunks defers parsing to prevent
+CVE-2023-52425. Future versions of Expat may be more reactive.
+(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
+
+Co-authored-by: Serhiy Storchaka
+
+[replace pyexpat.version_info with expat header file check]
+
+Signed-off-by: xinsheng
+Signed-off-by: Zhao Mengmeng
+---
+ Lib/test/test_xml_etree.py | 71 ++++++++++++++++++++++++++------------
+ 1 file changed, 49 insertions(+), 22 deletions(-)
+
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index 5ba0de8..4d9077c 100644
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -11,6 +11,8 @@ import html
+ import io
+ import operator
+ import pickle
++import pyexpat
++import subprocess
+ import sys
+ import types
+ import unittest
+@@ -98,6 +100,22 @@ EXTERNAL_ENTITY_XML = """\
+ &entity;
+ """
+
++
++@functools.lru_cache(maxsize=32)
++def _is_expat_with_reparse_deferral():
++ macro_to_find = 'XML_SetReparseDeferralEnabled'
++ header_file = '/usr/include/expat.h'
++ result = subprocess.run(['grep', '-q', macro_to_find, header_file],
++ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++ return result.returncode == 0
++
++is_expat_with_reparse_deferral = _is_expat_with_reparse_deferral()
++
++fails_with_reparse_deferral = (unittest.expectedFailure
++ if is_expat_with_reparse_deferral else
++ lambda test: test)
++
++
+ def checkwarnings(*filters, quiet=False):
+ def decorator(test):
+ def newtest(*args, **kwargs):
+@@ -1059,28 +1077,37 @@ class XMLPullParserTest(unittest.TestCase):
+ self.assertEqual([(action, elem.tag) for action, elem in events],
+ expected)
+
+- def test_simple_xml(self):
+- for chunk_size in (None, 1, 5):
+- with self.subTest(chunk_size=chunk_size):
+- parser = ET.XMLPullParser()
+- self.assert_event_tags(parser, [])
+- self._feed(parser, "\n", chunk_size)
+- self.assert_event_tags(parser, [])
+- self._feed(parser,
+- "\n text\n", chunk_size)
+- self.assert_event_tags(parser, [('end', 'element')])
+- self._feed(parser, "texttail\n", chunk_size)
+- self._feed(parser, "\n", chunk_size)
+- self.assert_event_tags(parser, [
+- ('end', 'element'),
+- ('end', 'empty-element'),
+- ])
+- self._feed(parser, "\n", chunk_size)
+- self.assert_event_tags(parser, [('end', 'root')])
+- self.assertIsNone(parser.close())
++ def test_simple_xml(self, chunk_size=None):
++ parser = ET.XMLPullParser()
++ self.assert_event_tags(parser, [])
++ self._feed(parser, "\n", chunk_size)
++ self.assert_event_tags(parser, [])
++ self._feed(parser,
++ "\n text\n", chunk_size)
++ self.assert_event_tags(parser, [('end', 'element')])
++ self._feed(parser, "texttail\n", chunk_size)
++ self._feed(parser, "\n", chunk_size)
++ self.assert_event_tags(parser, [
++ ('end', 'element'),
++ ('end', 'empty-element'),
++ ])
++ self._feed(parser, "\n", chunk_size)
++ self.assert_event_tags(parser, [('end', 'root')])
++ self.assertIsNone(parser.close())
++
++ @fails_with_reparse_deferral
++ def test_simple_xml_chunk_1(self):
++ self.test_simple_xml(chunk_size=1)
++
++ @fails_with_reparse_deferral
++ def test_simple_xml_chunk_5(self):
++ self.test_simple_xml(chunk_size=5)
++
++ def test_simple_xml_chunk_22(self):
++ self.test_simple_xml(chunk_size=22)
+
+ def test_feed_while_iterating(self):
+ parser = ET.XMLPullParser()
+--
+2.33.0
+
diff --git a/python3.spec b/python3.spec
index 82b2869..23c2753 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.7.9 -Release: 38 +Release: 39 License: Python-2.0 %global branchversion 3.7
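Review bot: `_is_expat_with_reparse_deferral()` in the added backport decides by grepping `/usr/include/expat.h`, which describes the headers installed in the build root, not the libexpat that pyexpat loads when the tests run. If the header or `grep` is missing, the non-zero return code is read as "no reparse deferral", and since `fails_with_reparse_deferral` maps to `unittest.expectedFailure`, a wrong answer in either direction turns `test_simple_xml_chunk_1` and `test_simple_xml_chunk_5` into failures or unexpected successes. A green run therefore does not show that the CVE-2023-52425 mitigation is active in the runtime library; I would say so above the helper, e.g. `# Build-time header check only; does not prove the loaded libexpat defers reparsing.` The added `import pyexpat` looks unused now that `pyexpat.version_info` is replaced, and `@functools.lru_cache(maxsize=32)` on a zero-argument function called once at import adds nothing.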
@@ -179,6 +179,7 @@ Patch9002: fix-CVE-2023-24329.patch Patch9003: backport-Fix-parsing-errors-in-email-_parseaddr.py.patch Patch9004: backport-Revert-fixes-for-CVE-2023-27043.patch Patch9005: backport-CVE-2023-27043.patch +Patch9006: backport-gh-115133-Fix-tests-for-XMLPullParser-with-Expat-2.6.patch Provides: python%{branchversion} = %{version}-%{release} Provides: python(abi) = %{branchversion} @@ -342,6 +343,7 @@ rm Lib/ensurepip/_bundled/*.whl %patch9003 -p1 %patch9004 -p1 %patch9005 -p1 +%patch9006 -p1 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py rm configure pyconfig.h.in @@ -943,6 +945,13 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Thu May 30 2024 Zhao Mengmeng - 3.7.9-39 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: Fix etree XMLPullParser tests for Expat >=2.6.0 with reparse deferral, + or Expat < 2.6.0 with CVE-2023-52425 applied. + * Tue Mar 05 GuoCe - 3.7.9-38 - Type:CVE - CVE:CVE-2023-27043 -- Gitee