From b7da01ace7ba75e4592318a797f372e6c2c54351 Mon Sep 17 00:00:00 2001
From: lipengyu <lipengyu@kylinos.cn>
Date: Thu, 30 Oct 2025 15:59:09 +0800
Subject: [PATCH] fix cve-2025-6075

---
 backport-CVE-2025-6075.patch | 387 +++++++++++++++++++++++++++++++++++
 python3.spec                 |   9 +-
 2 files changed, 395 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-6075.patch

diff --git a/backport-CVE-2025-6075.patch b/backport-CVE-2025-6075.patch
new file mode 100644
index 0000000..b65f566
--- /dev/null
+++ b/backport-CVE-2025-6075.patch
@@ -0,0 +1,387 @@
+From 2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=81ukasz=20Langa?= <lukasz@langa.pl>
+Date: Fri, 31 Oct 2025 17:05:53 +0100
+Subject: [PATCH] [3.9] gh-136065: Fix quadratic complexity in
+ os.path.expandvars() (GH-134952) (GH-140839)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+Co-authored-by: Łukasz Langa <lukasz@langa.pl>
+---
+ Lib/ntpath.py                                 | 126 ++++++------------
+ Lib/posixpath.py                              |  43 +++---
+ Lib/test/test_genericpath.py                  |  19 ++-
+ Lib/test/test_ntpath.py                       |  23 +++-
+ ...-05-30-22-33-27.gh-issue-136065.bu337o.rst |   1 +
+ 5 files changed, 96 insertions(+), 116 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+
+diff --git a/Lib/ntpath.py b/Lib/ntpath.py
+index 56c3614ba76b2e..604a1bd8d7a4e5 100644
+--- a/Lib/ntpath.py
++++ b/Lib/ntpath.py
+@@ -335,17 +335,23 @@ def expanduser(path):
+ # XXX With COMMAND.COM you can use any characters in a variable name,
+ # XXX except '^|<>='.
+ 
++_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
++_varsub = None
++_varsubb = None
++
+ def expandvars(path):
+     """Expand shell variables of the forms $var, ${var} and %var%.
+ 
+     Unknown variables are left unchanged."""
+     path = os.fspath(path)
++    global _varsub, _varsubb
+     if isinstance(path, bytes):
+         if b'$' not in path and b'%' not in path:
+             return path
+-        import string
+-        varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii')
+-        quote = b'\''
++        if not _varsubb:
++            import re
++            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
++        sub = _varsubb
+         percent = b'%'
+         brace = b'{'
+         rbrace = b'}'
+@@ -354,94 +360,44 @@ def expandvars(path):
+     else:
+         if '$' not in path and '%' not in path:
+             return path
+-        import string
+-        varchars = string.ascii_letters + string.digits + '_-'
+-        quote = '\''
++        if not _varsub:
++            import re
++            _varsub = re.compile(_varpattern, re.ASCII).sub
++        sub = _varsub
+         percent = '%'
+         brace = '{'
+         rbrace = '}'
+         dollar = '$'
+         environ = os.environ
+-    res = path[:0]
+-    index = 0
+-    pathlen = len(path)
+-    while index < pathlen:
+-        c = path[index:index+1]
+-        if c == quote:   # no expansion within single quotes
+-            path = path[index + 1:]
+-            pathlen = len(path)
+-            try:
+-                index = path.index(c)
+-                res += c + path[:index + 1]
+-            except ValueError:
+-                res += c + path
+-                index = pathlen - 1
+-        elif c == percent:  # variable or '%'
+-            if path[index + 1:index + 2] == percent:
+-                res += c
+-                index += 1
+-            else:
+-                path = path[index+1:]
+-                pathlen = len(path)
+-                try:
+-                    index = path.index(percent)
+-                except ValueError:
+-                    res += percent + path
+-                    index = pathlen - 1
+-                else:
+-                    var = path[:index]
+-                    try:
+-                        if environ is None:
+-                            value = os.fsencode(os.environ[os.fsdecode(var)])
+-                        else:
+-                            value = environ[var]
+-                    except KeyError:
+-                        value = percent + var + percent
+-                    res += value
+-        elif c == dollar:  # variable or '$$'
+-            if path[index + 1:index + 2] == dollar:
+-                res += c
+-                index += 1
+-            elif path[index + 1:index + 2] == brace:
+-                path = path[index+2:]
+-                pathlen = len(path)
+-                try:
+-                    index = path.index(rbrace)
+-                except ValueError:
+-                    res += dollar + brace + path
+-                    index = pathlen - 1
+-                else:
+-                    var = path[:index]
+-                    try:
+-                        if environ is None:
+-                            value = os.fsencode(os.environ[os.fsdecode(var)])
+-                        else:
+-                            value = environ[var]
+-                    except KeyError:
+-                        value = dollar + brace + var + rbrace
+-                    res += value
+-            else:
+-                var = path[:0]
+-                index += 1
+-                c = path[index:index + 1]
+-                while c and c in varchars:
+-                    var += c
+-                    index += 1
+-                    c = path[index:index + 1]
+-                try:
+-                    if environ is None:
+-                        value = os.fsencode(os.environ[os.fsdecode(var)])
+-                    else:
+-                        value = environ[var]
+-                except KeyError:
+-                    value = dollar + var
+-                res += value
+-                if c:
+-                    index -= 1
++
++    def repl(m):
++        lastindex = m.lastindex
++        if lastindex is None:
++            return m[0]
++        name = m[lastindex]
++        if lastindex == 1:
++            if name == percent:
++                return name
++            if not name.endswith(percent):
++                return m[0]
++            name = name[:-1]
+         else:
+-            res += c
+-        index += 1
+-    return res
++            if name == dollar:
++                return name
++            if name.startswith(brace):
++                if not name.endswith(rbrace):
++                    return m[0]
++                name = name[1:-1]
++
++        try:
++            if environ is None:
++                return os.fsencode(os.environ[os.fsdecode(name)])
++            else:
++                return environ[name]
++        except KeyError:
++            return m[0]
++
++    return sub(repl, path)
+ 
+ 
+ # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
+diff --git a/Lib/posixpath.py b/Lib/posixpath.py
+index de2b90c10cc3f2..5daa6ef5f12605 100644
+--- a/Lib/posixpath.py
++++ b/Lib/posixpath.py
+@@ -275,42 +275,41 @@ def expanduser(path):
+ # This expands the forms $variable and ${variable} only.
+ # Non-existent variables are left unchanged.
+ 
+-_varprog = None
+-_varprogb = None
++_varpattern = r'\$(\w+|\{[^}]*\}?)'
++_varsub = None
++_varsubb = None
+ 
+ def expandvars(path):
+     """Expand shell variables of form $var and ${var}.  Unknown variables
+     are left unchanged."""
+     path = os.fspath(path)
+-    global _varprog, _varprogb
++    global _varsub, _varsubb
+     if isinstance(path, bytes):
+         if b'$' not in path:
+             return path
+-        if not _varprogb:
++        if not _varsubb:
+             import re
+-            _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII)
+-        search = _varprogb.search
++            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
++        sub = _varsubb
+         start = b'{'
+         end = b'}'
+         environ = getattr(os, 'environb', None)
+     else:
+         if '$' not in path:
+             return path
+-        if not _varprog:
++        if not _varsub:
+             import re
+-            _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII)
+-        search = _varprog.search
++            _varsub = re.compile(_varpattern, re.ASCII).sub
++        sub = _varsub
+         start = '{'
+         end = '}'
+         environ = os.environ
+-    i = 0
+-    while True:
+-        m = search(path, i)
+-        if not m:
+-            break
+-        i, j = m.span(0)
+-        name = m.group(1)
+-        if name.startswith(start) and name.endswith(end):
++
++    def repl(m):
++        name = m[1]
++        if name.startswith(start):
++            if not name.endswith(end):
++                return m[0]
+             name = name[1:-1]
+         try:
+             if environ is None:
+@@ -318,13 +317,11 @@ def expandvars(path):
+             else:
+                 value = environ[name]
+         except KeyError:
+-            i = j
++            return m[0]
+         else:
+-            tail = path[j:]
+-            path = path[:i] + value
+-            i = len(path)
+-            path += tail
+-    return path
++            return value
++
++    return sub(repl, path)
+ 
+ 
+ # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
+diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py
+index e7acbcd29088b3..e53bb203a0c4fd 100644
+--- a/Lib/test/test_genericpath.py
++++ b/Lib/test/test_genericpath.py
+@@ -9,7 +9,7 @@
+ import warnings
+ from test import support
+ from test.support.script_helper import assert_python_ok
+-from test.support import FakePath
++from test.support import FakePath, EnvironmentVarGuard
+ 
+ 
+ def create_file(filename, data=b'foo'):
+@@ -374,7 +374,7 @@ def test_splitdrive(self):
+ 
+     def test_expandvars(self):
+         expandvars = self.pathmodule.expandvars
+-        with support.EnvironmentVarGuard() as env:
++        with EnvironmentVarGuard() as env:
+             env.clear()
+             env["foo"] = "bar"
+             env["{foo"] = "baz1"
+@@ -408,7 +408,7 @@ def test_expandvars_nonascii(self):
+         expandvars = self.pathmodule.expandvars
+         def check(value, expected):
+             self.assertEqual(expandvars(value), expected)
+-        with support.EnvironmentVarGuard() as env:
++        with EnvironmentVarGuard() as env:
+             env.clear()
+             nonascii = support.FS_NONASCII
+             env['spam'] = nonascii
+@@ -429,6 +429,19 @@ def check(value, expected):
+                   os.fsencode('$bar%s bar' % nonascii))
+             check(b'$spam}bar', os.fsencode('%s}bar' % nonascii))
+ 
++    @support.requires_resource('cpu')
++    def test_expandvars_large(self):
++        expandvars = self.pathmodule.expandvars
++        with EnvironmentVarGuard() as env:
++            env.clear()
++            env["A"] = "B"
++            n = 100_000
++            self.assertEqual(expandvars('$A'*n), 'B'*n)
++            self.assertEqual(expandvars('${A}'*n), 'B'*n)
++            self.assertEqual(expandvars('$A!'*n), 'B!'*n)
++            self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
++            self.assertEqual(expandvars('${'*10*n), '${'*10*n)
++
+     def test_abspath(self):
+         self.assertIn("foo", self.pathmodule.abspath("foo"))
+         with warnings.catch_warnings():
+diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py
+index 8f07d18e134fb7..9a8a44b235b2ce 100644
+--- a/Lib/test/test_ntpath.py
++++ b/Lib/test/test_ntpath.py
+@@ -1,11 +1,10 @@
+ import ntpath
+ import os
+-import subprocess
+ import sys
+ import unittest
+ import warnings
+ from ntpath import ALLOW_MISSING
+-from test.support import TestFailed, FakePath
++from test.support import TestFailed, FakePath, EnvironmentVarGuard
+ from test import support, test_genericpath
+ from tempfile import TemporaryFile
+ 
+@@ -642,7 +641,7 @@ def test_realpath_cwd(self):
+                         ntpath.realpath("file.txt", **kwargs))
+ 
+     def test_expandvars(self):
+-        with support.EnvironmentVarGuard() as env:
++        with EnvironmentVarGuard() as env:
+             env.clear()
+             env["foo"] = "bar"
+             env["{foo"] = "baz1"
+@@ -671,7 +670,7 @@ def test_expandvars(self):
+     def test_expandvars_nonascii(self):
+         def check(value, expected):
+             tester('ntpath.expandvars(%r)' % value, expected)
+-        with support.EnvironmentVarGuard() as env:
++        with EnvironmentVarGuard() as env:
+             env.clear()
+             nonascii = support.FS_NONASCII
+             env['spam'] = nonascii
+@@ -687,10 +686,23 @@ def check(value, expected):
+             check('%spam%bar', '%sbar' % nonascii)
+             check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii)
+ 
++    @support.requires_resource('cpu')
++    def test_expandvars_large(self):
++        expandvars = ntpath.expandvars
++        with EnvironmentVarGuard() as env:
++            env.clear()
++            env["A"] = "B"
++            n = 100_000
++            self.assertEqual(expandvars('%A%'*n), 'B'*n)
++            self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
++            self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
++            self.assertEqual(expandvars("%%"*n), "%"*n)
++            self.assertEqual(expandvars("$$"*n), "$"*n)
++
+     def test_expanduser(self):
+         tester('ntpath.expanduser("test")', 'test')
+ 
+-        with support.EnvironmentVarGuard() as env:
++        with EnvironmentVarGuard() as env:
+             env.clear()
+             tester('ntpath.expanduser("~test")', '~test')
+ 
+@@ -908,6 +920,7 @@ def test_nt_helpers(self):
+             self.assertIsInstance(b_final_path, bytes)
+             self.assertGreater(len(b_final_path), 0)
+ 
++
+ class NtCommonTest(test_genericpath.CommonTest, unittest.TestCase):
+     pathmodule = ntpath
+     attributes = ['relpath']
+diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+new file mode 100644
+index 00000000000000..1d152bb5318380
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
+@@ -0,0 +1 @@
++Fix quadratic complexity in :func:`os.path.expandvars`.
diff --git a/python3.spec b/python3.spec
index 78e536a..a1ccc2f 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.9.9
-Release: 48
+Release: 49
 License: Python-2.0
 
 %global branchversion 3.9
@@ -142,6 +142,7 @@ Patch6044: backport-CVE-2025-4517,CVE-2025-4138,CVE-2024-12718,CVE-2025-4330,CVE
 Patch6045:  backport-CVE-2025-6069.patch
 Patch6046: backport-CVE-2025-8291.patch
 Patch6047: backport-CVE-2024-5642.patch
+Patch6048: backport-CVE-2025-6075.patch
 
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: python3-Add-sw64-architecture.patch
@@ -852,6 +853,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Wed Nov 5 2025 lipengyu <lipengyu@kylinos.cn> - 3.9.9-49
+- Type:CVE
+- CVE:CVE-2025-6075
+- SUG:NA
+- DESC:fix CVE-2025-6075
+
 * Thu Oct 30 2025 xinsheng <xinsheng3@h-partners.com> - 3.9.9-48
 - Type:CVE
 - CVE:CVE-2024-5642
-- 
Gitee