Debian Patches
Status for python3.11/3.11.2-6+deb12u6
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2023-24329-strip-control-chars-urlsplit.patch | [PATCH] [3.11] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (#104575) * gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). | Miss Islington (bot) | no | | | 2023-05-17 |
| 0005-3.11-gh-103848-Adds-checks-to-ensure-that-bracketed-.patch | [3.11] gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849) (#104349) gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format | Miss Islington (bot) | no | | | 2023-05-09 |
| 0001-3.11-gh-105704-Disallow-square-brackets-and-in-domai.patch | [3.11] gh-105704: Disallow square brackets (`[` and `]`) in domain names for parsed URLs (GH-129418) (#129528) | Miss Islington (bot) | no | | | 2025-02-19 |
| 0002-3.11-gh-100884-email-_header_value_parser-don-t-enco.patch | [3.11] gh-100884: email/_header_value_parser: don't encode list separators (GH-100885) (GH-115593) ListSeparator should not be encoded. This could happen when a long line pushes its separator to the next line, which would have been encoded. (cherry picked from commit 09fab93c3d857496c0bd162797fab816c311ee48) | Miss Islington (bot) | no | | | 2024-02-17 |
| 0003-3.11-gh-118643-Fix-AttributeError-in-the-email-modul.patch | [3.11] gh-118643: Fix AttributeError in the email module (GH-119099) (#119393) Fix regression introduced in gh-100884: AttributeError when re-folding a long address list. Also fix more cases of incorrect encoding of the address separator in the address list missed in gh-100884. (cherry picked from commit 858b9e85fcdd495947c9e892ce6e3734652c48f2) | Serhiy Storchaka <storchaka@gmail.com> | no | | | 2024-05-23 |
| 0004-3.11-gh-124651-Quote-template-strings-in-venv-activa.patch | [3.11] gh-124651: Quote template strings in `venv` activation scripts (GH-124712) (GH-126185) (#126269) | Victor Stinner <vstinner@python.org> | no | | | 2024-11-01 |
| CVE-2023-40217-test-reliability.patch | [PATCH] [3.11] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108405) * In preauth tests of test_ssl, explicitly break reference cycles involving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catches TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47) | Łukasz Langa <lukasz@langa.pl> | no | | | 2023-08-24 |
| 0002-3.11-gh-121650-Encode-newlines-in-headers-and-verify.patch | [3.11] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122608) Per RFC 2047: > [...] these encoding schemes allow the > encoding of arbitrary octet values, mail readers that implement this > decoding should also ensure that display of the decoded data on the > recipient's terminal will not cause unwanted side-effects It seems that the "quoted-word" scheme is a valid way to include a newline character in a header value, just like we already allow undecodable bytes or control characters. They do need to be properly quoted when serialized to text, though. Verify that email headers are well-formed. This should fail for custom fold() implementations that aren't careful about newlines. (cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384) | Łukasz Langa <lukasz@langa.pl> | no | | | 2024-09-04 |
| 0003-3.11-gh-123067-Fix-quadratic-complexity-in-parsing-q.patch | [3.11] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) (#123105) This fixes CVE-2024-7592. (cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef) | Miss Islington (bot) | no | | | 2024-09-04 |
| deb-setup.diff | C compiler flags: 1. Don't duplicate /usr/local in gcc search paths. FIXME: Not sure why. 2. Respect CPPFLAGS | | no | | | |
| deb-locations.diff | Debian: Adjust locations of directories to debian policy | | not-needed | | | |
| distutils-install-layout.diff | Debian: Add a distutils option --install-layout=deb This option: - installs into $prefix/dist-packages instead of $prefix/site-packages. - doesn't encode the python version into the egg name. We install modules into dist-packages so that a local admin can build their own cpython from source, and they won't see each others' installed modules. This keeps Debian packaged applications working correctly, isolated from the local cpython. Customize site.py to import from Debian's dist-packages layout. | | not-needed | | | |
| locale-module.diff | Use glibc's name for the UTF-8 locale FIXME: back story? | | no | | | |
| distutils-link.diff | distutils: Don't add standard library dirs to library_dirs and runtime_library_dirs. On amd64, runtime paths pointing to /usr/lib64 aren't recognized by dpkg-shlibdeps, and the packages containing these libraries aren't added to ${shlibs:Depends}. | | no | | | |
| distutils-sysconfig.diff | distutils: Use python's compiler arguments by default Get CONFIGURE_CFLAGS, CONFIGURE_CPPFLAGS, CONFIGURE_LDFLAGS from the python build, when CFLAGS, CPPFLAGS, LDSHARED are not set in the environment. | | no | | | |
| sysconfig-debian-schemes.diff | | | no | | | |
| tkinter-import.diff | Suggest installation of python3-tk package We split Tk out into a separate binary package. Help users who try to import it, without it installed. | | not-needed | | | |
| gdbm-import.diff | Debian: Suggest installation of python3-gdbm package We split gdbm out into a separate binary package. Help users who try to import it, without it installed. | | not-needed | | | |
| link-opt.diff | Call the linker with -O1 -Bsymbolic-functions FIXME: Why? Why -O1? | | no | | | |
| setup-modules.diff | Configure linking for C-library wrapping modules Use the system C libraries, rather than sources bundled with cPython, or anything from /usr/local. | | not-needed | | | |
| profiled-build.diff | Ignore errors in the profile task. FIXME: Back story? | | no | | | |
| langpack-gettext.diff | Ubuntu: Support separate langpack packages Support alternative gettext tree in /usr/share/locale-langpack; if a file is present in both trees, prefer the newer one. Ubuntu collates gettext from packages on the DVD into language packs, to reduce disk-space on the image. This is Ubuntu-Specific. | | not-needed | | | |
| disable-sem-check.diff | Debian: Don't autodetect whether semaphores are present Assume working semaphores, don't rely on running kernel for the check. Build machine != Target machine. | | not-needed | | | |
| lib-argparse.diff | Debian: Degrade argparse gracefully without gettext python3.X-minimal includes argparse but not gettext. Use a fallback noop gettext, if it can't be imported. | | not-needed | | | |
| ctypes-arm.diff | Arch: Workaround the presence of hard-float in ldconfig -p output. Also, handle the wide variety of ARM unames. | Loïc Minier | invalid | | | |
| multiarch.diff | Debian: Configure multiarch tuple. 1. Expose multiarchsubdir in sysconfig. 2. Return the multiarch include dir in distutils. 3. Install the .pc file into the multiarch path. | | no | | | |
| lib2to3-no-pickled-grammar.diff | Arch: Ignore grammar pickle mismatches in lib2to3. Pickle files encode the endian of the arch that built them. They are architecture-independent, but there isn't a canonical endianness, both are handled on load. | | no | | | |
| ext-no-libpython-link.diff | Don't link extensions with the shared libpython library FIXME: Still needed since 3.8? | | no | | | |
| test-no-random-order.diff | Don't run the test suite in random order. | | not-needed | | | |
| multiarch-extname.diff | Debian: Make sure to rename extensions to a tag including the MULTIARCH name this patch can be dropped for python3.5 final, if the upstream change is kept. FIXME: so, can we drop it? | | not-needed | | | |
| tempfile-minimal.diff | Debian: Degrade tempfile gracefully without shutil python3.X-minimal includes tempfile but not shutil. Use a fallback racy rmtree, if shutil can't be imported. | | not-needed | | | |
| disable-some-tests.diff | Arch: Disable some failing tests we are not interested in | | no | | | |
| ensurepip-disabled.diff | Disable ensurepip for the system installation We have a python3-pip package, for users who want pip. We just need ensurepip to seed pip in virtual environments. | | not-needed | | | |
| mangle-fstack-protector.diff | Support gcc < 4.9 When using GCC versions older than 4.9, automagically mangle -fstack-protector-strong to -fstack-protector FIXME: Still needed? | | no | | | |
| reproducible-buildinfo.diff | Build reproducible date and time into build info Build information is encoded into getbuildinfo.o at build time. Use the date and time from the debian changelog, to make this reproducible. | | no | | | |
| pydoc-use-pager.diff | pydoc: use the pager command if available Debian file pagers register the "pager" alternative, so if any pager is available, /usr/bin/pager will exist, and point to the best pager available. | | no | | | |
| local-doc-references.diff | Debian: Reference the local path to the documentation | | not-needed | | | |
| doc-build-texinfo.diff | Add the option to build Texinfo-format documentation. | Benjamin Moody <benjamin@physionet.org> | yes | debian | | 2017-11-27 |
| argparse-no-shutil.diff | Debian: Degrade argparse gracefully without shutil python3.X-minimal includes argparse but not shutil. Use a fixed terminal width, if shutil can't be imported. | | not-needed | | | |
| sysconfigdata-name.diff | Don't encode the MACHDEP into the _sysconfigdata file name. Unfortunately on KFreeBSD MACHDEP includes the kernel version, so you end up with a changing MACHDEP. | | no | | | |
| hurd_kfreebsd_thread_native_id.diff | Implement the native thread ids for the Hurd and KFreeBSD | Samuel Thibault | yes | debian | | |
| sphinx3.diff | Allow building with Sphinx >= 3.2 Additionally: Disable sphinx warnings | | no | | upstream, https://github.com/python/cpython/commit/423e77d6de497931585d1883805a9e3fa4096b0b | |
| destshared-location.diff | Keep the lib-dynload dir in the same place when configuring with --libdir=/usr/bin/$(DEB_HOST_MULTIARCH) FIXME: Expand? | | no | | | |
| fix-py_compile.diff | Fix regression byte-compiling filenames from stdin | | yes | | | |
| ntpath-import.diff | # ntpath not in python-minimal | | no | | | |
| shutdown-deadlock.diff | [3.11] GH-102126: fix deadlock at shutdown when clearing thread states (GH-102222) (cherry picked from commit 5f11478ce7fda826d399530af4c5ca96c592f144) | Kumar Aditya | no | debian | upstream, https://github.com/python/cpython/commit/026faf20cc9d1d5913ff7c01a93d8934594d7fec | |
| frame_dealloc-crash.diff | Fix use-after-free crash in frame_dealloc It was possible for the trashcan to delay the deallocation of a PyFrameObject until after its corresponding _PyInterpreterFrame has already been freed. So frame_dealloc needs to avoid dereferencing the f_frame pointer unless it first checks that the pointer still points to the interpreter frame within the frame object. | Anders Kaseorg <andersk@mit.edu> | no | debian | https://github.com/python/cpython/commit/46cae02085311481dc8b1ea9a5110969d9325bc7 | 2023-08-29 |
| CVE-2024-0450.patch | commit a956e510f6336d5ae111ba429a61c3ade30a7549 [3.11] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113913) Raise BadZipFile when trying to read an entry that overlaps with another entry or the central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | no | debian | | 2024-01-11 |
| CVE-2023-6597.patch | commit 5585334d772b253a01a6730e8202ffb1607c3d25 [3.11] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112839) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) Co-authored-by: Søren Løvborg <sorenl@unity3d.com> | Serhiy Storchaka <storchaka@gmail.com> | no | debian | | 2023-12-07 |
| relfile-nullptr-dereference.patch | [PATCH] [3.11] gh-102281: Fix potential nullptr dereference + use of uninitia… (#103040) [3.11] gh-102281: Fix potential nullptr dereference + use of uninitialized memory (gh-102282) (cherry picked from commit afa6092ee4260bacf7bc11905466e4c3f8556cbb) | Max Bachmann <kontakt@maxbachmann.de> | no | | | 2023-03-26 |
| CVE-2023-41105-path-truncation.patch | [PATCH] [3.11] gh-106242: Fix path truncation in os.path.normpath (GH-106816) (#107982) | Steve Dower <steve.dower@python.org> | no | | | 2023-08-15 |
| CVE-2023-40217-ssl-pre-close-flaw.patch | [PATCH] [3.11] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108317) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peer's TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. | Łukasz Langa <lukasz@langa.pl> | no | | | 2023-08-22 |
| CVE-2023-40217-ref-cycle.patch | [PATCH] [3.11] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108349) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) | Miss Islington (bot) | no | | | 2023-08-23 |
| CVE-2024-0397.diff | [PATCH] [3.11] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (#115549) gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) * gh-114572: Fix locking in cert_store_stats and get_ca_certs cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See https://github.com/openssl/openssl/pull/23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock. * Work around const-correctness problem * Add missing X509_STORE_get1_objects failure check * Add blurb (cherry picked from commit bce693111bff906ccf9281c22371331aaff766ab) | Miss Islington (bot) | no | | | 2024-02-20 |
| CVE-2024-4032.diff | [PATCH] [3.11] gh-113171: gh-65056: Fix "private" (non-global) IP address ranges (GH-113179) (GH-113186) (GH-118177) (#118227) | Petr Viktorin <encukou@gmail.com> | no | | | 2024-04-25 |
| CVE-2024-8088.diff | [PATCH] [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (#122925) * gh-122905: Sanitize names in zipfile.Path. (#122906) Ported from zipp 3.19.1; ref jaraco/zipp#119. (cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932) * [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932) | Jason R. Coombs <jaraco@jaraco.com> | no | | | 2024-08-19 |
| 0001-3.11-gh-123270-Replaced-SanitizedNames-with-a-more-s.patch | [PATCH] [3.11] gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) (#123425) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6) * Restore the slash-prefixed paths in the malformed_paths test. | Jason R. Coombs <jaraco@jaraco.com> | no | debian | upstream, https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798 | 2024-09-04 |
| CVE-2024-6232.patch | [PATCH] [3.11] gh-121285: Remove backtracking when parsing tarfile headers (GH-121286) (#123639) * Remove backtracking when parsing tarfile headers * Rewrite PAX header parsing to be stricter * Optimize parsing of GNU extended sparse headers v0.0 (cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4) | Seth Michael Larson <seth@python.org> | no | | backport, https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf | 2024-09-03 |
| 0001-3.11-CVE-2023-27043-gh-102988-Reject-malformed-addre.patch | [3.11] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123767) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19) | Petr Viktorin <encukou@gmail.com> | no | | | 2024-09-06 |
All known versions for source package 'python3.11'
- 3.11.2-6+deb12u6 (bookworm)
- 3.11.2-6+deb12u3 (bookworm-security)
