diff --git a/Python-3.11.10.tar.xz b/Python-3.11.11.tar.xz
similarity index 69%
rename from Python-3.11.10.tar.xz
rename to Python-3.11.11.tar.xz
index 2d484f18583d49884eb5609a12e6d2b63be6a13c..bccf5f7db6653f20578fbdeefa0ebd0188f7981f 100644
Binary files a/Python-3.11.10.tar.xz and b/Python-3.11.11.tar.xz differ
diff --git a/backport-CVE-2024-9287.patch b/backport-CVE-2024-9287.patch
deleted file mode 100644
index 1a894542e9b1174c3dd6609e28464329b19aa099..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-9287.patch
+++ /dev/null
@@ -1,312 +0,0 @@ -From ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97 Mon Sep 17 00:00:00 2001 -From: Victor Stinner -Date: Fri, 1 Nov 2024 14:11:47 +0100 -Subject: [PATCH] [3.11] gh-124651: Quote template strings in `venv` activation - scripts (GH-124712) (GH-126185) (#126269) - ---- - Lib/test/test_venv.py | 83 ++++++++++++++++++- - Lib/venv/__init__.py | 42 ++++++++-- - Lib/venv/scripts/common/activate | 8 +- - Lib/venv/scripts/nt/activate.bat | 6 +- - Lib/venv/scripts/posix/activate.csh | 8 +- - Lib/venv/scripts/posix/activate.fish | 8 +- - ...-09-28-02-03-04.gh-issue-124651.bLBGtH.rst | 1 + - 7 files changed, 135 insertions(+), 21 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst - -diff --git a/Lib/test/test_venv.py b/Lib/test/test_venv.py -index 9563282e6d9b9c..d3abb77f40f35f 100644 ---- a/Lib/test/test_venv.py -+++ b/Lib/test/test_venv.py -@@ -17,7 +17,8 @@ - import sys - import sysconfig - import tempfile --from test.support import (captured_stdout, captured_stderr, requires_zlib, -+import shlex -+from test.support import (captured_stdout, captured_stderr, - skip_if_broken_multiprocessing_synchronize, verbose, - requires_subprocess, is_emscripten, is_wasi, - requires_venv_with_pip, TEST_HOME_DIR, -@@ -96,6 +97,10 @@ def get_text_file_contents(self, *args, encoding='utf-8'): - result = f.read() - return result - -+ def assertEndsWith(self, string, tail): -+ if not string.endswith(tail): -+ self.fail(f"String {string!r} does not end with {tail!r}") -+ - class BasicTest(BaseTest): - """Test venv module functionality.""" - -@@ -446,6 +451,82 @@ def test_executable_symlinks(self): - 'import sys; print(sys.executable)']) - self.assertEqual(out.strip(), envpy.encode()) - -+ # gh-124651: test quoted strings -+ @unittest.skipIf(os.name == 'nt', 'contains invalid characters on Windows') -+ def test_special_chars_bash(self): -+ """ -+ Test that the template strings are quoted properly (bash) -+ """ -+ 
rmtree(self.env_dir) -+ bash = shutil.which('bash') -+ if bash is None: -+ self.skipTest('bash required for this test') -+ env_name = '"\';&&$e|\'"' -+ env_dir = os.path.join(os.path.realpath(self.env_dir), env_name) -+ builder = venv.EnvBuilder(clear=True) -+ builder.create(env_dir) -+ activate = os.path.join(env_dir, self.bindir, 'activate') -+ test_script = os.path.join(self.env_dir, 'test_special_chars.sh') -+ with open(test_script, "w") as f: -+ f.write(f'source {shlex.quote(activate)}\n' -+ 'python -c \'import sys; print(sys.executable)\'\n' -+ 'python -c \'import os; print(os.environ["VIRTUAL_ENV"])\'\n' -+ 'deactivate\n') -+ out, err = check_output([bash, test_script]) -+ lines = out.splitlines() -+ self.assertTrue(env_name.encode() in lines[0]) -+ self.assertEndsWith(lines[1], env_name.encode()) -+ -+ # gh-124651: test quoted strings -+ @unittest.skipIf(os.name == 'nt', 'contains invalid characters on Windows') -+ def test_special_chars_csh(self): -+ """ -+ Test that the template strings are quoted properly (csh) -+ """ -+ rmtree(self.env_dir) -+ csh = shutil.which('tcsh') or shutil.which('csh') -+ if csh is None: -+ self.skipTest('csh required for this test') -+ env_name = '"\';&&$e|\'"' -+ env_dir = os.path.join(os.path.realpath(self.env_dir), env_name) -+ builder = venv.EnvBuilder(clear=True) -+ builder.create(env_dir) -+ activate = os.path.join(env_dir, self.bindir, 'activate.csh') -+ test_script = os.path.join(self.env_dir, 'test_special_chars.csh') -+ with open(test_script, "w") as f: -+ f.write(f'source {shlex.quote(activate)}\n' -+ 'python -c \'import sys; print(sys.executable)\'\n' -+ 'python -c \'import os; print(os.environ["VIRTUAL_ENV"])\'\n' -+ 'deactivate\n') -+ out, err = check_output([csh, test_script]) -+ lines = out.splitlines() -+ self.assertTrue(env_name.encode() in lines[0]) -+ self.assertEndsWith(lines[1], env_name.encode()) -+ -+ # gh-124651: test quoted strings on Windows -+ @unittest.skipUnless(os.name == 'nt', 'only relevant on 
Windows') -+ def test_special_chars_windows(self): -+ """ -+ Test that the template strings are quoted properly on Windows -+ """ -+ rmtree(self.env_dir) -+ env_name = "'&&^$e" -+ env_dir = os.path.join(os.path.realpath(self.env_dir), env_name) -+ builder = venv.EnvBuilder(clear=True) -+ builder.create(env_dir) -+ activate = os.path.join(env_dir, self.bindir, 'activate.bat') -+ test_batch = os.path.join(self.env_dir, 'test_special_chars.bat') -+ with open(test_batch, "w") as f: -+ f.write('@echo off\n' -+ f'"{activate}" & ' -+ f'{self.exe} -c "import sys; print(sys.executable)" & ' -+ f'{self.exe} -c "import os; print(os.environ[\'VIRTUAL_ENV\'])" & ' -+ 'deactivate') -+ out, err = check_output([test_batch]) -+ lines = out.splitlines() -+ self.assertTrue(env_name.encode() in lines[0]) -+ self.assertEndsWith(lines[1], env_name.encode()) -+ - @unittest.skipUnless(os.name == 'nt', 'only relevant on Windows') - def test_unicode_in_batch_file(self): - """ -diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py -index 6bce3081088200..4403f2b1c4ef60 100644 ---- a/Lib/venv/__init__.py -+++ b/Lib/venv/__init__.py -@@ -11,6 +11,7 @@ - import sys - import sysconfig - import types -+import shlex - - - CORE_VENV_DEPS = ('pip', 'setuptools') -@@ -394,11 +395,41 @@ def replace_variables(self, text, context): - :param context: The information for the environment creation request - being processed. 
- """ -- text = text.replace('__VENV_DIR__', context.env_dir) -- text = text.replace('__VENV_NAME__', context.env_name) -- text = text.replace('__VENV_PROMPT__', context.prompt) -- text = text.replace('__VENV_BIN_NAME__', context.bin_name) -- text = text.replace('__VENV_PYTHON__', context.env_exe) -+ replacements = { -+ '__VENV_DIR__': context.env_dir, -+ '__VENV_NAME__': context.env_name, -+ '__VENV_PROMPT__': context.prompt, -+ '__VENV_BIN_NAME__': context.bin_name, -+ '__VENV_PYTHON__': context.env_exe, -+ } -+ -+ def quote_ps1(s): -+ """ -+ This should satisfy PowerShell quoting rules [1], unless the quoted -+ string is passed directly to Windows native commands [2]. -+ [1]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules -+ [2]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parsing#passing-arguments-that-contain-quote-characters -+ """ -+ s = s.replace("'", "''") -+ return f"'{s}'" -+ -+ def quote_bat(s): -+ return s -+ -+ # gh-124651: need to quote the template strings properly -+ quote = shlex.quote -+ script_path = context.script_path -+ if script_path.endswith('.ps1'): -+ quote = quote_ps1 -+ elif script_path.endswith('.bat'): -+ quote = quote_bat -+ else: -+ # fallbacks to POSIX shell compliant quote -+ quote = shlex.quote -+ -+ replacements = {key: quote(s) for key, s in replacements.items()} -+ for key, quoted in replacements.items(): -+ text = text.replace(key, quoted) - return text - - def install_scripts(self, context, path): -@@ -438,6 +469,7 @@ def install_scripts(self, context, path): - with open(srcfile, 'rb') as f: - data = f.read() - if not srcfile.endswith(('.exe', '.pdb')): -+ context.script_path = srcfile - try: - data = data.decode('utf-8') - data = self.replace_variables(data, context) -diff --git a/Lib/venv/scripts/common/activate b/Lib/venv/scripts/common/activate -index 982da08163b12d..e86442b3578342 100644 ---- 
a/Lib/venv/scripts/common/activate -+++ b/Lib/venv/scripts/common/activate -@@ -35,11 +35,11 @@ deactivate () { - # unset irrelevant variables - deactivate nondestructive - --VIRTUAL_ENV="__VENV_DIR__" -+VIRTUAL_ENV=__VENV_DIR__ - export VIRTUAL_ENV - - _OLD_VIRTUAL_PATH="$PATH" --PATH="$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH" -+PATH="$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH" - export PATH - - # unset PYTHONHOME if set -@@ -52,9 +52,9 @@ fi - - if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then - _OLD_VIRTUAL_PS1="${PS1:-}" -- PS1="__VENV_PROMPT__${PS1:-}" -+ PS1=__VENV_PROMPT__"${PS1:-}" - export PS1 -- VIRTUAL_ENV_PROMPT="__VENV_PROMPT__" -+ VIRTUAL_ENV_PROMPT=__VENV_PROMPT__ - export VIRTUAL_ENV_PROMPT - fi - -diff --git a/Lib/venv/scripts/nt/activate.bat b/Lib/venv/scripts/nt/activate.bat -index c1c3c82ee37f10..715b21b13fbe35 100644 ---- a/Lib/venv/scripts/nt/activate.bat -+++ b/Lib/venv/scripts/nt/activate.bat -@@ -8,7 +8,7 @@ - "%SystemRoot%\System32\chcp.com" 65001 > nul - ) - --set VIRTUAL_ENV=__VENV_DIR__ -+set "VIRTUAL_ENV=__VENV_DIR__" - - if not defined PROMPT set PROMPT=$P$G - -@@ -24,8 +24,8 @@ - if defined _OLD_VIRTUAL_PATH set PATH=%_OLD_VIRTUAL_PATH% - if not defined _OLD_VIRTUAL_PATH set _OLD_VIRTUAL_PATH=%PATH% - --set PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH% --set VIRTUAL_ENV_PROMPT=__VENV_PROMPT__ -+set "PATH=%VIRTUAL_ENV%\__VENV_BIN_NAME__;%PATH%" -+set "VIRTUAL_ENV_PROMPT=__VENV_PROMPT__" - - :END - if defined _OLD_CODEPAGE ( -diff --git a/Lib/venv/scripts/posix/activate.csh b/Lib/venv/scripts/posix/activate.csh -index d6f697c55ed81c..c47702127eff71 100644 ---- a/Lib/venv/scripts/posix/activate.csh -+++ b/Lib/venv/scripts/posix/activate.csh -@@ -8,17 +8,17 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA - # Unset irrelevant variables. 
- deactivate nondestructive - --setenv VIRTUAL_ENV "__VENV_DIR__" -+setenv VIRTUAL_ENV __VENV_DIR__ - - set _OLD_VIRTUAL_PATH="$PATH" --setenv PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH" -+setenv PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH" - - - set _OLD_VIRTUAL_PROMPT="$prompt" - - if (! "$?VIRTUAL_ENV_DISABLE_PROMPT") then -- set prompt = "__VENV_PROMPT__$prompt" -- setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__" -+ set prompt = __VENV_PROMPT__"$prompt" -+ setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__ - endif - - alias pydoc python -m pydoc -diff --git a/Lib/venv/scripts/posix/activate.fish b/Lib/venv/scripts/posix/activate.fish -index 9aa4446005f4d8..dc3a6c88270c18 100644 ---- a/Lib/venv/scripts/posix/activate.fish -+++ b/Lib/venv/scripts/posix/activate.fish -@@ -33,10 +33,10 @@ end - # Unset irrelevant variables. - deactivate nondestructive - --set -gx VIRTUAL_ENV "__VENV_DIR__" -+set -gx VIRTUAL_ENV __VENV_DIR__ - - set -gx _OLD_VIRTUAL_PATH $PATH --set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH -+set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH - - # Unset PYTHONHOME if set. - if set -q PYTHONHOME -@@ -56,7 +56,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT" - set -l old_status $status - - # Output the venv prompt; color taken from the blue of the Python logo. -- printf "%s%s%s" (set_color 4B8BBE) "__VENV_PROMPT__" (set_color normal) -+ printf "%s%s%s" (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal) - - # Restore the return status of the previous command. - echo "exit $old_status" | . 
-@@ -65,5 +65,5 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT" - end - - set -gx _OLD_FISH_PROMPT_OVERRIDE "$VIRTUAL_ENV" -- set -gx VIRTUAL_ENV_PROMPT "__VENV_PROMPT__" -+ set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__ - end -diff --git a/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst -new file mode 100644 -index 00000000000000..17fc9171390dd9 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst -@@ -0,0 +1 @@ -+Properly quote template strings in :mod:`venv` activation scripts. diff --git a/python3.spec b/python3.spec index 05e86f5edd8d73a0e17e52d779f32cef8c52469f..dd4985f5a2b0f7aed64c64e357d191e83ea0699f 100644 --- a/python3.spec +++ b/python3.spec @@ -5,8 +5,8 @@ Name: python3 Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ -Version: 3.11.10 -Release: 2 +Version: 3.11.11 +Release: 1 License: Python-2.0 %global branchversion 3.11 @@ -95,8 +95,6 @@ Source1: pyconfig.h Patch1: 00001-rpath.patch Patch251: 00251-change-user-install-location.patch -Patch6001: backport-CVE-2024-9287.patch - Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch Patch9001: 0001-add-loongarch64-support-for-python.patch @@ -852,6 +850,9 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Wed Dec 04 2024 Funda Wang - 3.11.11-1 +- update to 3.11.11 + * Wed Nov 06 2024 Funda Wang - 3.11.10-2 - Type:CVE - ID:CVE-2024-9287