* [3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
(cherry picked from commit f04bea44c3)
(cherry picked from commit 68a1778b77)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Within libexpat, a parser created via `XML_ExternalEntityParserCreate`
is relying on its parent parser throughout its entire lifetime.
Prior to this fix, it was possible for the parent parser to be
garbage-collected too early.
(cherry picked from commit 6edb2ddb5f)
(cherry picked from commit 64c876dd68)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Stan Ulbrych <stanulbrych@gmail.com>
* gh-131809: Upgrade vendored expat to 2.7.1 (GH-132192)
(cherry picked from commit c0de650024)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
* make regen-sbom
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Now all structure members are initialized with zeroes by default.
(cherry picked from commit 345baa77ba)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
When replace() method is called on a subclass of datetime, date or time,
properly call derived constructor. Previously, only the base class's
constructor was called.
Also, make sure to pass non-zero fold values when creating subclasses in
various methods. Previously, fold was silently ignored.
(cherry picked from commit 46190d9ea8)
Co-authored-by: Eugene Toder <eltoder@users.noreply.github.com>
[3.13] gh-111178: Fix getsockaddrarg() undefined behavior (GH-131668) (GH-131977)
gh-111178: Fix getsockaddrarg() undefined behavior (GH-131668)
Don't pass direct references to sockaddr members since their type may
not match PyArg_ParseTuple() types. Instead, use temporary 'int' and
'unsigned char' variables, and update sockaddr members afterwards.
On FreeBSD, treat BTPROTO_HCI node name as a bytes string,
not as an integer.
(cherry picked from commit c318a03b17)
Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 8cd29c2b53)
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-126037: fix UAF in `xml.etree.ElementTree.Element.find*` when concurrent mutations happen (#127964)
We fix a use-after-free in the `find`, `findtext` and `findall` methods of `xml.etree.ElementTree.Element`
objects that can be triggered when the tag to find implements an `__eq__` method that mutates the
element being queried.
(cherry picked from commit c57623c221)
The bin tag is 3.0.16.1 because we rebuilt without uplink support to fix gh-131804.
This PR also prevents making calls that are now unsafe without uplink, and updates
the tests to properly interpret these failures as unsupported.
gh-131418: remove unused legacy typedefs in `{md5,sha1}module.c` (GH-131420)
- Remove legacy typedefs `MD5_INT32` and `MD5_INT64` in `Modules/md5module.c`
- Remove legacy typedefs `SHA1_INT32` and `SHA1_INT64` in `Modules/sha1module.c`.
Those legacy typedefs were used to detect whether the host platform could
correctly implement MD5 and SHA-1, but this is no longer needed as we now
fall back to HACL* implementations.
(cherry picked from commit a9a399f0ec)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
[3.13] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176)
(cherry picked from commit bb0268f60d)
(cherry picked from commit 6af54d298d)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gh-127667: refactor and improve `_hashopenssl.c` error branches (#131145)
Refactor `_setException()` into different helpers that can be used separately:
- set_ssl_exception_from_errcode(): set an exception from an explicit SSL error code.
- raise_ssl_error(): set an exception from the last SSL error code or use a user-defined message.
- notify_ssl_error_occurred(): same as raise_ssl_error() but with a generic default message.
(cherry-picked from commit ac50ece6ce).
(cherry picked from commit 90130807d9)
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
gh-127667: fix memory leaks in `hashlib` (GH-127668)
- Correctly handle `NULL` values returned by `EVP_MD_CTX_md`.
- Correctly free resources in error branches.
- Consistently suppress `_setException()` return value when needed.
- Collapse `_setException() + return NULL` into a single statement.
(cherry-picked from commit 097846502b)
The use of PySys_GetObject() and _PySys_GetAttr(), which return a borrowed
reference, has been replaced by using one of the following functions, which
return a strong reference and distinguish a missing attribute from an error:
_PySys_GetOptionalAttr(), _PySys_GetOptionalAttrString(),
_PySys_GetRequiredAttr(), and _PySys_GetRequiredAttrString().
(cherry picked from commit 0ef4ffeefd)
(cherry picked from commit 7c1b76fce8)
(cherry picked from commit 2ab7e1135a)
gh-130151: Fix reference leaks in `_hashlib.hmac_{new,digest}` (GH-130152)
* fix leak in `_hashlib.hmac_new`
* fix leak in `hmac_digest`
* fix exception type in `_hashlib.HMAC.copy`
(cherry picked from commit 071820113f)
gh-129838: Don't redefine _Py_NO_SANITIZE_UNDEFINED (GH-129839)
Newer GCC versions accept both __attribute__((no_sanitize("undefined")))
and __attribute__((no_sanitize_undefined)) so check that the macro is
not already defined.
(cherry picked from commit 568db400ff)
Co-authored-by: Collin Funk <collin.funk1@gmail.com>
Unlikely errors in preparing arguments for ctypes callback are now
handled in the same way as errors raised in the callback or in converting
the result of the callback -- using sys.unraisablehook() instead of
sys.excepthook() and not setting sys.last_exc and other variables.
(cherry picked from commit 9d63ae5fe5)
[3.13] gh-129539: Include sysexits.h before checking EX_OK (#129590)
Previously, the macro would be redefined when the header was included.
(cherry picked from commit 65f3432ac3)
Co-authored-by: Collin Funk <collin.funk1@gmail.com>
gh-129409: Fix Integer overflow - SEGV while writing data more than 2GB in CSV file (GH-129413)
(cherry picked from commit 97b0ef05d9)
Co-authored-by: Srinivas Reddy Thatiparthy (తాటిపర్తి శ్రీనివాస్ రెడ్డి) <thatiparthysreenivas@gmail.com>
[3.13] gh-129185: Fix PyTraceMalloc_Untrack() at Python exit (#129191) (#129217)
gh-129185: Fix PyTraceMalloc_Untrack() at Python exit (#129191)
Support calling PyTraceMalloc_Track() and PyTraceMalloc_Untrack()
during late Python finalization.
* Call _PyTraceMalloc_Fini() later in Python finalization.
* Test also PyTraceMalloc_Untrack() without the GIL
* PyTraceMalloc_Untrack() now gets the GIL.
* Test also PyTraceMalloc_Untrack() in test_tracemalloc_track_race().
(cherry picked from commit 46c7e13c05)
(cherry picked from commit e3b3e01d6a)
[3.13] gh-128679: Fix tracemalloc.stop() race conditions (#128897)
tracemalloc_alloc(), tracemalloc_realloc(), PyTraceMalloc_Track(),
PyTraceMalloc_Untrack() and _PyTraceMalloc_TraceRef() now check
tracemalloc_config.tracing after calling TABLES_LOCK().
_PyTraceMalloc_Stop() now protects more code with TABLES_LOCK(),
especially setting tracemalloc_config.tracing to 1.
Add a test using PyTraceMalloc_Track() to test tracemalloc.stop()
race condition.
Call _PyTraceMalloc_Init() at Python startup.
(cherry picked from commit 6b47499510)
gh-58689: Fix os.kill() error handling on Windows (GH-128932)
(cherry picked from commit 939df0f9f6)
Co-authored-by: Victor Stinner <vstinner@python.org>
- Add a helper to set an error from locale-encoded `char*`
- Use the helper for gdbm & dlerror messages
Co-authored-by: Victor Stinner <vstinner@python.org>
For dlsym(), a return value of NULL does not necessarily indicate
an error [1].
Therefore, to avoid using stale (or NULL) dlerror() values, we must:
1. clear the previous error state by calling dlerror()
2. call dlsym()
3. call dlerror()
If the return value of dlerror() is not NULL, an error occurred.
In ctypes we choose to treat a NULL return value from dlsym()
as a "not found" error. This is the same as the fallback
message we use on Windows, Cygwin or when getting/formatting
the error reason fails.
[1]: https://man7.org/linux/man-pages/man3/dlsym.3.html
Signed-off-by: Georgios Alexopoulos <grgalex42@gmail.com>
Signed-off-by: Georgios Alexopoulos <grgalex@ba.uoa.gr>
Co-authored-by: George Alexopoulos <giorgosalexo0@gmail.com>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
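The three-step dlsym() lookup described in the commit message above, as an added C example (not code from the CPython commit). `checked_dlsym`, the two wrapper functions and the status names are hypothetical, and the missing symbol name is constructed for the demonstration.

```c
#include <dlfcn.h>
#include <stdio.h>

enum lookup_status { LOOKUP_OK, LOOKUP_NULL_SYMBOL, LOOKUP_DLERROR };

/* Hypothetical helper for this example, not a ctypes function. */
static enum lookup_status checked_dlsym(void *handle, const char *name,
                                        void **addr)
{
    (void)dlerror();              /* 1. clear any stale error state */
    *addr = dlsym(handle, name);  /* 2. perform the lookup */
    if (dlerror() != NULL) {      /* 3. non-NULL means this lookup failed */
        *addr = NULL;
        return LOOKUP_DLERROR;
    }
    /* No error but a NULL value: the caller reports it as "not found". */
    return *addr == NULL ? LOOKUP_NULL_SYMBOL : LOOKUP_OK;
}

/* Look up `name` in the running program and its loaded dependencies. */
static enum lookup_status lookup_in_main_program(const char *name)
{
    void *addr;
    void *handle = dlopen(NULL, RTLD_NOW);
    if (handle == NULL)
        return LOOKUP_DLERROR;
    return checked_dlsym(handle, name, &addr);
}

/* Leave a failed lookup's error unread, then do a checked lookup of `name`.
   Without step 1 the stale message would be mistaken for a new failure. */
static enum lookup_status lookup_after_stale_error(const char *name)
{
    void *addr;
    void *handle = dlopen(NULL, RTLD_NOW);
    if (handle == NULL)
        return LOOKUP_DLERROR;
    (void)dlsym(handle, "constructed_missing_symbol_for_demo");
    return checked_dlsym(handle, name, &addr);
}

int main(void)
{
    printf("malloc=%d missing=%d after_stale=%d\n",
           lookup_in_main_program("malloc"),
           lookup_in_main_program("constructed_missing_symbol_for_demo"),
           lookup_after_stale_error("malloc"));
    return 0;
}
```

On older glibc versions the program must be linked with `-ldl`.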
gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361)
From the ERR_raise manpage:
ERR_LIB_SYS
This "library code" indicates that a system error is
being reported. In this case, the reason code given
to `ERR_raise()` and `ERR_raise_data()` *must* be
`errno(3)`.
This PR only handles ERR_LIB_SYS for the high-level error types
SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where
OpenSSL indicates it has some more information about the issue.
(cherry picked from commit f4b31edf2d)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
gh-122431: Disallow negative values in `readline.append_history_file` (GH-122469)
(cherry picked from commit 208b0fb645)
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-126876: Fix socket internal_select() for large timeout (GH-126968)
If the timeout is larger than INT_MAX, replace it with INT_MAX, in
the poll() code path.
Add a unit test.
(cherry picked from commit b3687ad454)
Co-authored-by: Victor Stinner <vstinner@python.org>