File python3.spec of Package python3-base
#
# spec file for package python3
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
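Name: python3
BuildRequires: automake
BuildRequires: db-devel
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: gdbm-devel
BuildRequires: gettext-tools
BuildRequires: gmp-devel
BuildRequires: intltool
BuildRequires: libbz2-devel
BuildRequires: libexpat-devel
BuildRequires: libffi-devel
BuildRequires: libopenssl-devel
BuildRequires: ncurses-devel
BuildRequires: readline-devel
BuildRequires: sqlite-devel
BuildRequires: tk-devel
BuildRequires: xorg-x11-devel
BuildRequires: xz
BuildRequires: xz-devel
URL: https://www.python.org/
Summary: Python3 Interpreter
License: Python-2.0
Group: Development/Languages/Python
# NOTE(review): the 3.4 series is past upstream end-of-life, so security fixes
# reach this package only through the backported CVE patches listed below.
Version: 3.4.10
Release: 0
%define tarversion %{version}
%define tarname Python-%{tarversion}
# required for idle3 (.desktop and .appdata.xml files)
BuildRequires: update-desktop-files
Requires: python3-base = %{version}
Recommends: python3-pip
Suggests: python3-curses
Suggests: python3-dbm
Suggests: python3-idlelib
Suggests: python3-tk
# Fetch the tarball over HTTPS so an automated download is not exposed to
# on-path tampering.
# NOTE(review): no detached signature or keyring is listed as a source here, so
# nothing in this file verifies the tarball against the upstream release key.
Source0: https://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz
Source1: baselibs.conf
Source2: python3-rpmlintrc
Source20: idle3.desktop
Source21: idle3.appdata.xml
#Source11: testfiles.tar.bz2
# issues with copyrighted Unicode testing files
# Test fixture for Patch35 (CVE-2019-20907, tarfile infinite loop); it is
# copied into Lib/test during the prep stage.
Source34: recursion.tar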
# do not add patches here, please edit python3-base.spec instead
# and run pre_checkin.sh
#
# see PACKAGING-NOTES for details
### COMMON-PATCH-BEGIN ###
# implement "--record-rpm" option for distutils installations
Patch01: Python-3.0b1-record-rpm.patch
# support lib-vs-lib64 distinction
Patch02: Python-3.3.0b2-multilib.patch
# support finding packages in /usr/local, install to /usr/local by default
Patch04: python-3.3.0b1-localpath.patch
# replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
Patch06: python-3.3.0b1-fix_date_time_compiler.patch
# fix wrong include path in curses-panel module
Patch07: python-3.3.0b1-curses-panel.patch
# POSIX_FADV_WILLNEED throws EINVAL. Use a different constant in test
Patch09: python-3.3.0b1-test-posix_fadvise.patch
# Add missing bits for aarch64 in libffi
Patch10: ctypes-libffi-aarch64.patch
# Disable global and distutils sysconfig comparison test, we deviate from the default depending on optflags
Patch12: python-3.3.3-skip-distutils-test_sysconfig_module.patch
# Raise timeout value for test_subprocess
Patch15: subprocess-raise-timeout.patch
# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64
Patch18: python-2.7-libffi-aarch64.patch
# PATCH-FIX-UPSTREAM Prefer lowercase proxy environment variables
Patch19: python3-urllib-prefer-lowercase-proxies.patch
# PATCH-FIX-UPSTREAM python-3.6-CVE-2017-18207.patch psimons@suse.com -- Add check for channels of wav file in Lib/wave.py
# Suggested in https://github.com/python/cpython/pull/4437.
Patch20: python-3.6-CVE-2017-18207.patch
# PATCH-FIX-UPSTREAM https://bugs.python.org/issue30693
Patch21: python-sorted_tar.patch
# PATCH-FIX-UPSTREAM CVE-2019-10160-netloc-port-regression.patch bsc#1138459 mcepl@suse.com
# Fix regression introduced by fix for CVE-2019-9636
Patch26: CVE-2019-10160-netloc-port-regression.patch
# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch bsc#1109663 mcepl@suse.com
# Command injection in the shutil module
Patch28: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
# PATCH-FIX-UPSTREAM CVE-2019-16056-email-parse-addr.patch bsc#1149955 mcepl@suse.com
# bpo#34155 The email module wrongly parses email addresses
Patch29: CVE-2019-16056-email-parse-addr.patch
# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
# Fixes Python urllib allowing an HTTP server to conduct Regular
# Expression Denial of Service (ReDoS)
Patch30: CVE-2020-8492-urllib-ReDoS.patch
# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
# Improve documentation warning against the possible zip bombs
# (documentation only, as the line above says; no decompression limit is added here)
Patch31: CVE-2019-9674-zip-bomb.patch
# PATCH-FIX-SLE skip-failing-tests.patch mcepl@suse.com
# test_write_filtered_python_package just wants to fail, and I have no idea why.
Patch32: skip-failing-tests.patch
# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 bpo#30458
# avoid CRLF injection
Patch33: CVE-2019-9947-no-ctrl-char-http.patch
# PATCH-FIX-UPSTREAM CVE-2019-18348-CRLF_injection_via_host_part.patch bsc#1155094 bpo#38576
# disallow control characters in hostnames in httplib
# DEPENDS on PATCH32
Patch34: CVE-2019-18348-CRLF_injection_via_host_part.patch
# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
# REQUIRES SOURCE 34
Patch35: CVE-2019-20907_tarfile-inf-loop.patch
# PATCH-FIX-UPSTREAM bpo37614-race_test_docxmlrpc_srv_setup.patch bpo#27614 mcepl@suse.com
# avoid race in test_docxmlrpc (REQUIRED for Patch #36)
# NOTE(review): this entry is Patch36 itself; the dependent patch is presumably
# Patch37, which touches the same XML-RPC documentation server - confirm.
Patch36: bpo37614-race_test_docxmlrpc_srv_setup.patch
# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
# XSS vulnerability in the documentation XML-RPC server in server_title field
Patch37: CVE-2019-16935-xmlrpc-doc-server_title.patch
# PATCH-FIX-UPSTREAM CVE-2020-14422-ipaddress-hash-collision.patch bsc#1173274 mcepl@suse.com
# oversimplistic computation of hash values leads to collisions and potential for DoS
Patch38: CVE-2020-14422-ipaddress-hash-collision.patch
# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 bpo#39603
# Fixes httplib to disallow control characters in method to avoid header
# injection, equivalent of Patch33 and Patch34 for method of URL (GET, POST, etc.)
Patch39: CVE-2020-26116-httplib-header-injection.patch
# Update SSL certificates due to certificates shipped with the package expiring
Patch40: update-ssl-certs.patch
# PATCH-FIX-UPSTREAM CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com
# buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
Patch41: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
# PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#1182379 mcepl@suse.com
# urlparse only use '&' as a query string separator
Patch42: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM CVE-2020-27619-no-eval-http-content.patch bsc#1182207 mcepl@suse.com
# No longer call eval() on content received via HTTP in the CJK codec tests
Patch43: CVE-2020-27619-no-eval-http-content.patch
# PATCH-FIX-UPSTREAM CVE-2021-3737-infinite-loop-on-100-Continue.patch bsc#1189241 mcepl@suse.com
# avoid DoS via infinitely reading potential HTTP headers after a 100 Continue status response from the server
Patch44: CVE-2021-3737-infinite-loop-on-100-Continue.patch
# PATCH-FIX-UPSTREAM CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch bsc#1189287 mcepl@suse.com
# Fix ReDoS in urllib AbstractBasicAuthHandler (bpo#43075)
Patch45: CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch
# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
# Make ftplib not trust the PASV response. (gh#python/cpython#24838)
Patch46: CVE-2021-4189-ftplib-trust-PASV-resp.patch
# PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com
# whole long discussion is on bpo#43882
# fix for sanitization of URLs containing ASCII newline and tabs in urllib.parse
Patch47: CVE-2022-0391-urllib_parse-newline-parsing.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch48: CVE-2015-20107-mailcap-unsafe-filenames.patch
# PATCH-FIX-UPSTREAM bpo-46623-skip-zlib-s390x.patch gh#python/cpython#90781 mcepl@suse.com
# skip two tests failing on s390x
Patch49: bpo-46623-skip-zlib-s390x.patch
# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624
# Coerce // to / in Lib/http/server.py
Patch50: CVE-2021-28861-double-slash-path.patch
# PATCH-FIX-UPSTREAM CVE-2020-10735-DoS-no-limit-int-size.patch bsc#1203125 mcepl@suse.com
# unlimited size of integers allows DoS by excessively long processing of large numbers
# >> n = 10**(10**7) ; s = str(n)
# Originally by Victor Stinner of Red Hat
# https://github.com/fedora-python/cpython/commit/31cfb692dc5d
Patch51: CVE-2020-10735-DoS-no-limit-int-size.patch
# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
# Avoid DoS by decoding IDNA for too long domain names
Patch52: CVE-2022-45061-DoS-by-IDNA-decode.patch
# PATCH-FIX-UPSTREAM CVE-2022-40899-ReDos-cookiejar.patch, bsc#1206673 gh#python/cpython#17157 daniel.garcia@suse.com
Patch53: CVE-2022-40899-ReDos-cookiejar.patch
# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
# blocklist bypass via the urllib.parse component when supplying
# a URL that starts with blank characters
Patch54: CVE-2023-24329-blank-URL-bypass.patch
# PATCH-FIX-UPSTREAM bpo-44434-libgcc_s-for-pthread_cancel.patch bsc#1203355 mcepl@suse.com
# don't run PyThread_exit_thread() when you don't have to
Patch55: bpo-44434-libgcc_s-for-pthread_cancel.patch
# PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
# NOTE(review): "bsc#[0-9]+" above is an unfilled template placeholder; no bug
# number is recorded for this patch.
# Patch for gh#python/cpython#98086
Patch56: 99366-patch.dict-can-decorate-async.patch
# PATCH-FIX-OPENSUSE stack_overflow_test_endless_recursion.patch bpo#12051 mcepl@suse.com
# test_endless_recursion.patch has a tendency to overflow a stack
Patch57: stack_overflow_test_endless_recursion.patch
# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# Detect email address parsing errors and return empty tuple to
# indicate the parsing error (old API)
Patch58: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM CVE-2022-48564-DoS-read_ints-plistlib.patch bsc#1214677 mcepl@suse.com
# Prevent DoS when processing malformed Apple Property List files in binary format
Patch59: CVE-2022-48564-DoS-read_ints-plistlib.patch
# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
# Reject entity declarations in plists
Patch60: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch61: CVE-2022-48566-compare_digest-more-constant.patch
# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mcepl@suse.com
# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930)
Patch62: CVE-2023-6597-TempDir-cleaning-symlink.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch bsc#1214692 daniel.garcia@suse.com
# backport from upstream patch gh#python/cpython#108315
Patch63: CVE-2023-40217-avoid-ssl-pre-close.patch
# FIXME STILL NOT DEBUGGED, ESPECIALLY WITH PATH() COMPONENTS.
# NOTE(review): the entry below is commented out, so the PEP-706 extraction
# filter for tarfile (CVE-2007-4559) is NOT applied in this build. Its number
# also collides with the active Patch63 above and must change before enabling.
# # PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
# # Implement PEP-706 to filter outcome of the tarball extracting
# Patch63: CVE-2007-4559-filter-tarfile_extractall.patch
# PATCH-FIX-UPSTREAM CVE-2023-52425-libexpat-2.6.0-backport.patch bsc#1219559 mcepl@suse.com
# Make Python compatible with the new libexpat library.
Patch64: CVE-2023-52425-libexpat-2.6.0-backport.patch
# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com
# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016).
Patch65: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
### COMMON-PATCH-END ###
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# do not add defs here, please edit python3-base.spec instead
# and run pre_checkin.sh
#
# see PACKAGING-NOTES for details
### COMMON-DEF-BEGIN ###
# the versions are autogenerated from pre_checkin.sh
# based on the current source tarball
%define python_version 3.4
%define python_version_abitag 34
%define python_version_soname 3_4
# directory holding the standard library for this interpreter version
%define sitedir %{_libdir}/python%{python_version}
# ABI flags from PEP 3149: d - debug build, m - pymalloc, u - wide unicode
# (this package uses m)
%define abi_kind m
# python ABI version - used in some file names
%define python_abi %{python_version}%{abi_kind}
# soname ABI tag defined in PEP 3149
%define abi_tag %{python_version_abitag}%{abi_kind}
%define so_version %{python_version_soname}%{abi_kind}1_0
# helper: dynlib NAME gives the installed path of extension module NAME under
# lib-dynload, including the cpython ABI tag in the file name
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}.so
### COMMON-DEF-END ###
# some compatibility Provides
Provides: python = %{python_version}
Provides: python3 = %{python_version}
# presumably python3-xml used to be a separate package; the xml and xmlrpc
# directories are part of this package's main file list - confirm
Provides: python3-xml = %{version}
Obsoletes: python3-xml < %{version}
%description
Python 3 is an interpreted, object-oriented programming language, and is
often compared to Tcl, Perl, Scheme, or Java. You can find an overview
of Python in the documentation and tutorials included in the python-doc
(HTML) or python-doc-pdf (PDF) packages.
If you want to install third party modules using distutils, you need to
install python-devel package.
%package tk
Requires: %{name} = %{version}
Summary: TkInter - Python Tk Interface
Group: Development/Libraries/Python
%description tk
Python interface to Tk. Tk is the GUI toolkit that comes with Tcl. The
"xrpm" package uses this Python interface.
%package curses
Requires: %{name} = %{version}
Summary: Python Interface to the (N)Curses Library
Group: Development/Libraries/Python
%description curses
An easy to use interface to the (n)curses CUI library. CUI stands for
Console User Interface.
%package dbm
Requires: %{name} = %{version}
Summary: Python Interface to the GDBM Library
Group: Development/Languages/Python
%description dbm
An easy to use interface for Unix DBM databases, and more specifically,
the GNU implementation GDBM.
%package idle
Summary: An Integrated Development Environment for Python
Group: Development/Languages/Python
Requires: %{name} = %{version}
Requires: python3-tk
%description idle
IDLE is a Tkinter based integrated development environment for Python.
It features a multi-window text editor with multiple undo, Python
colorizing, and many other things, as well as a Python shell window and
a debugger.
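%prep
%setup -q -n %{tarname}
### COMMON-PREP-BEGIN ###
# apply all patches declared in the preamble, stripping one leading path component
%autopatch -p1
# Test fixture required by Patch35 (CVE-2019-20907, tarfile infinite loop);
# the Source is numbered 34, the patch that needs it is 35.
cp -v %{SOURCE34} Lib/test/recursion.tar
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
# fix shebangs - convert /usr/local/bin/python and /usr/bin/env python to /usr/bin/python3
for dir in Lib Tools; do
# find *.py, filter to files that contain bad shebangs.
# File names stay NUL-delimited through the whole pipeline (grep -Z, xargs -0)
# so names containing whitespace or quotes are not split or mangled, and
# xargs -r skips sed entirely when nothing matched instead of running it
# without any input file.
find "$dir" -name '*.py' -type f -print0 \
| xargs -0 grep -lZE '^#! *(/usr/.*bin/(env +)?)?python' \
| xargs -0 -r sed -r -i -e '1s@^#![[:space:]]*(/usr/(local/)?bin/(env +)?)?python([0-9]+(\.[0-9]+)?)?@#!/usr/bin/python3@'
done
### COMMON-PREP-END ###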
%build
# Configure and compile the interpreter from the patched tree.
# presumably SUSE_ASNEEDED=0 switches off the distribution's default
# --as-needed linker behaviour for this build - confirm
export SUSE_ASNEEDED=0
# -fwrapv makes signed integer overflow wrap, so the compiler cannot optimise
# away overflow checks that rely on it.
# -DOPENSSL_LOAD_CONF: presumably makes OpenSSL read the system openssl
# configuration when the library is initialised - confirm
export OPT="%{optflags} -fwrapv -DOPENSSL_LOAD_CONF"
# regenerate configure: the prep stage edited configure.ac
autoreconf -f -i .
# prevent make from trying to rebuild asdl stuff, which requires existing
# python installation
touch Parser/asdl* Python/Python-ast.c Include/Python-ast.h Objects/typeslots.inc
# with-system-ffi / with-system-expat: link against the distribution's libffi
# and expat rather than the copies bundled in the tarball, so fixes to those
# libraries arrive through their own package updates.
# with-ensurepip=no: do not install the bundled pip during "make install".
./configure \
--prefix=%{_prefix} \
--libdir=%{_libdir} \
--mandir=%{_mandir} \
--docdir=%{_docdir}/python \
--enable-ipv6 \
--with-fpectl \
--enable-shared \
--with-system-ffi \
--with-system-expat \
--with-ensurepip=no
make %{?_smp_mflags} # DESTDIR=$RPM_BUILD_ROOT
%check
# Cap virtual memory (the ulimit -v value, 10000000) when the current limit is
# unlimited or higher, to avoid spurious failures; a refused ulimit is ignored.
vm_limit=$(ulimit -v)
if [ "$vm_limit" = unlimited ] || [ "$vm_limit" -gt 10000000 ]; then
ulimit -v 10000000 || :
fi
# Run only the test modules that python3-base skips.
TESTS="test_dbm_gnu test_dbm_ndbm test_readline test_ssl test_tcl test_tk test_ttk_guionly test_ttk_textonly test_curses test_socketserver test_sqlite test_hashlib test_smtpnet"
# tests that depend on ensurepip
TESTS="${TESTS} test_venv test_ensurepip test_tools"
# remaining modules newly excluded from the base package's run
TESTS="${TESTS} test_urllib test_urllib2 test_urllib2net"
# "-u none" enables none of the optional test resources, so tests that need
# them (for example network access) are skipped.
make test TESTOPTS="-u none ${TESTS}"
%install
# Do a full "make install" into the build root, then delete everything that
# python3-base and its subpackages already ship, so that only the files named
# in the file lists of this spec remain.
make \
OPT="%{optflags} -fPIC" \
DESTDIR=$RPM_BUILD_ROOT \
install
# clean out stuff that is in python-base and subpackages
# in the bin directory keep only entries whose name contains "idle"
find $RPM_BUILD_ROOT%{_bindir} -mindepth 1 -not -name "*idle*" -print -delete
rm $RPM_BUILD_ROOT%{_libdir}/lib*
rm -r $RPM_BUILD_ROOT%{_libdir}/pkgconfig
rm -r $RPM_BUILD_ROOT%{_mandir}/*
rm -r $RPM_BUILD_ROOT%{_includedir}/*
rm -r $RPM_BUILD_ROOT%{sitedir}/config*
find $RPM_BUILD_ROOT%{sitedir} -name "*.egg-info" -exec rm {} ";"
rm -r $RPM_BUILD_ROOT%{sitedir}/__pycache__
rm -r $RPM_BUILD_ROOT%{sitedir}/site-packages
# remove every top-level entry of the library directory that has a dot in its name
rm $RPM_BUILD_ROOT%{sitedir}/*.*
# remove whole standard-library packages; the unquoted path lets the shell
# expand the plat-* pattern
for module in \
asyncio ctypes collections concurrent distutils email encodings \
html http \
importlib json logging multiprocessing plat-* pydoc_data unittest \
urllib venv wsgiref lib2to3 test turtledemo
do
rm -r $RPM_BUILD_ROOT%{sitedir}/$module
done
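# Remove the extension modules from lib-dynload that are packaged elsewhere.
# The build-root prefix is quoted and only the trailing name pattern is left
# unquoted, so the shell expands the glob itself. No eval is needed, and the
# build-root path is never re-parsed as shell code.
for library in \
array audioop binascii _bisect _bz2 cmath _codecs_* _crypt _csv \
_ctypes _datetime _decimal fcntl grp _heapq _json _lsprof \
_lzma math mmap _multibytecodec _multiprocessing nis _opcode ossaudiodev \
parser _pickle _posixsubprocess _random resource select _socket spwd \
_struct syslog termios _testbuffer _testimportmultiple time unicodedata zlib \
_ctypes_test _testcapi xxlimited \
_md5 _sha1 _sha256 _sha512
do
rm "$RPM_BUILD_ROOT%{sitedir}/lib-dynload/"$library.*
done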
# Idle is not packaged in base due to the appstream-glib dependency
# move idle config into /etc
install -d -m 755 %{buildroot}%{_sysconfdir}/idle3
# subshell so the directory change does not leak into the rest of the script
(
cd %{buildroot}/%{sitedir}/idlelib/
for file in *.def ; do
mv $file %{buildroot}%{_sysconfdir}/idle3/
# leave a symlink in idlelib pointing at the installed (not build-root) config path
ln -sf %{_sysconfdir}/idle3/$file %{buildroot}/%{sitedir}/idlelib/
done
)
# install idle icons
for size in 16 32 48 ; do
install -m 644 -D Lib/idlelib/Icons/idle_${size}.png \
%{buildroot}%{_datadir}/icons/hicolor/${size}x${size}/apps/idle3.png
done
# install idle desktop file
install -m 644 -D -t %{buildroot}%{_datadir}/applications %{SOURCE20}
%suse_update_desktop_file idle3
# install the AppStream metadata file for idle3
install -m 644 -D -t %{buildroot}%{_datadir}/metainfo %{SOURCE21}
# run the fdupes macro over the library directory (fdupes is a build requirement)
%fdupes $RPM_BUILD_ROOT/%{_libdir}/python%{python_version}
%files tk
# default ownership and modes for this list: files 644, directories 755, root:root
%defattr(644, root, root, 755)
%{sitedir}/tkinter
%exclude %{sitedir}/tkinter/test
%{dynlib _tkinter}
%files curses
%defattr(644, root, root, 755)
%{sitedir}/curses
%{dynlib _curses}
%{dynlib _curses_panel}
%files dbm
%defattr(644, root, root, 755)
%{sitedir}/dbm
%{dynlib _dbm}
%{dynlib _gdbm}
%files
# main package: the modules built here rather than in python3-base, including
# the OpenSSL-backed _ssl and _hashlib and the expat-backed pyexpat
%defattr(644, root, root, 755)
%dir %{sitedir}
%dir %{sitedir}/lib-dynload
%{sitedir}/ensurepip
%{sitedir}/sqlite3
%exclude %{sitedir}/sqlite3/test
%{sitedir}/xml
%{sitedir}/xmlrpc
%{dynlib _elementtree}
%{dynlib _hashlib}
%{dynlib pyexpat}
%{dynlib readline}
%{dynlib _sqlite3}
%{dynlib _ssl}
%files idle
%defattr(644, root, root, 755)
%{sitedir}/idlelib
%dir %{_sysconfdir}/idle3
# configuration files are not marked noreplace, so an update installs the
# packaged version and keeps a locally edited file as an .rpmsave copy
%config %{_sysconfdir}/idle3/*
%doc Lib/idlelib/NEWS.txt
%doc Lib/idlelib/README.txt
%doc Lib/idlelib/TODO.txt
%doc Lib/idlelib/extend.txt
%doc Lib/idlelib/ChangeLog
%{_bindir}/idle3
%{_datadir}/applications/idle3.desktop
%dir %{_datadir}/metainfo
%{_datadir}/metainfo/idle3.appdata.xml
%{_datadir}/icons/hicolor/*/apps/idle3.png
%dir %{_datadir}/icons/hicolor
%dir %{_datadir}/icons/hicolor/16x16
%dir %{_datadir}/icons/hicolor/32x32
%dir %{_datadir}/icons/hicolor/48x48
%dir %{_datadir}/icons/hicolor/*/apps
# the versioned launcher overrides the 644 default so it is installed executable
%attr(755, root, root) %{_bindir}/idle%{python_version}
%changelog