@@ -1,25 +1,14 @@

-From 134cb01cda50f02725575808130b05d2d776693f Mon Sep 17 00:00:00 2001

-From: Serhiy Storchaka <storchaka@gmail.com>

-Date: Sun, 18 Mar 2018 09:55:53 +0200

-Subject: [PATCH] bpo-32056: Improve exceptions in aifc, wave and sunau.

- (GH-5951)

+commit 134cb01cda50f02725575808130b05d2d776693f

+Author: Serhiy Storchaka <storchaka@gmail.com>

+Date:   Sun Mar 18 09:55:53 2018 +0200

- Lib/aifc.py                                        |  4 ++

- Lib/sunau.py                                       |  2 +

- Lib/test/test_aifc.py                              | 35 ++++++++++--

- Lib/test/test_sunau.py                             | 37 +++++++++++++

- Lib/test/test_wave.py                              | 62 ++++++++++++++++++++++

- Lib/wave.py                                        | 14 ++++-

- .../2018-03-01-17-49-56.bpo-32056.IlpfgE.rst       |  3 ++

- 7 files changed, 150 insertions(+), 7 deletions(-)

- create mode 100644 Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst

+    bpo-32056: Improve exceptions in aifc, wave and sunau. (GH-5951)

 diff --git a/Lib/aifc.py b/Lib/aifc.py

-index 3d2dc56de198..1916e7ef8e7e 100644

+index 3d2dc56..1916e7e 100644

 --- a/Lib/aifc.py

 +++ b/Lib/aifc.py

-@@ -467,6 +467,10 @@ def _read_comm_chunk(self, chunk):

+@@ -467,6 +467,10 @@ class Aifc_read:

          self._nframes = _read_long(chunk)

          self._sampwidth = (_read_short(chunk) + 7) // 8

          self._framerate = int(_read_float(chunk))

@@ -31,10 +20,10 @@ index 3d2dc56de198..1916e7ef8e7e 100644

          if self._aifc:

              #DEBUG: SGI's soundeditor produces a bad size :-(

 diff --git a/Lib/sunau.py b/Lib/sunau.py

-index dbad3db8392d..129502b0b417 100644

+index dbad3db..129502b 100644

 --- a/Lib/sunau.py

 +++ b/Lib/sunau.py

-@@ -208,6 +208,8 @@ def initfp(self, file):

+@@ -208,6 +208,8 @@ class Au_read:

              raise Error('unknown encoding')

          self._framerate = int(_read_u32(file))

          self._nchannels = int(_read_u32(file))

@@ -44,10 +33,10 @@ index dbad3db8392d..129502b0b417 100644

          if self._hdr_size > 24:

              self._info = file.read(self._hdr_size - 24)

 diff --git a/Lib/test/test_aifc.py b/Lib/test/test_aifc.py

-index 8fd306a36592..ff52f5b6feb8 100644

+index 8fd306a..ff52f5b 100644

 --- a/Lib/test/test_aifc.py

 +++ b/Lib/test/test_aifc.py

-@@ -268,7 +268,8 @@ def test_read_no_comm_chunk(self):

+@@ -268,7 +268,8 @@ class AIFCLowLevelTest(unittest.TestCase):

      def test_read_no_ssnd_chunk(self):

          b = b'FORM' + struct.pack('>L', 4) + b'AIFC'

@@ -57,7 +46,7 @@ index 8fd306a36592..ff52f5b6feb8 100644

          b += b'NONE' + struct.pack('B', 14) + b'not compressed' + b'\x00'

          with self.assertRaisesRegex(aifc.Error, 'COMM chunk and/or SSND chunk'

                                                  ' missing'):

-@@ -276,13 +277,35 @@ def test_read_no_ssnd_chunk(self):

+@@ -276,13 +277,35 @@ class AIFCLowLevelTest(unittest.TestCase):

      def test_read_wrong_compression_type(self):

          b = b'FORM' + struct.pack('>L', 4) + b'AIFC'

@@ -95,7 +84,7 @@ index 8fd306a36592..ff52f5b6feb8 100644

          b += b'SSND' + struct.pack('>L', 8) + b'\x00' * 8

          b += b'MARK' + struct.pack('>LhB', 3, 1, 1)

          with self.assertWarns(UserWarning) as cm:

-@@ -293,7 +316,8 @@ def test_read_wrong_marks(self):

+@@ -293,7 +316,8 @@ class AIFCLowLevelTest(unittest.TestCase):

      def test_read_comm_kludge_compname_even(self):

          b = b'FORM' + struct.pack('>L', 4) + b'AIFC'

@@ -105,7 +94,7 @@ index 8fd306a36592..ff52f5b6feb8 100644

          b += b'NONE' + struct.pack('B', 4) + b'even' + b'\x00'

          b += b'SSND' + struct.pack('>L', 8) + b'\x00' * 8

          with self.assertWarns(UserWarning) as cm:

-@@ -303,7 +327,8 @@ def test_read_comm_kludge_compname_even(self):

+@@ -303,7 +327,8 @@ class AIFCLowLevelTest(unittest.TestCase):

      def test_read_comm_kludge_compname_odd(self):

          b = b'FORM' + struct.pack('>L', 4) + b'AIFC'

@@ -115,65 +104,11 @@ index 8fd306a36592..ff52f5b6feb8 100644

          b += b'NONE' + struct.pack('B', 3) + b'odd'

          b += b'SSND' + struct.pack('>L', 8) + b'\x00' * 8

          with self.assertWarns(UserWarning) as cm:

-diff --git a/Lib/test/test_sunau.py b/Lib/test/test_sunau.py

-index 966224b1df5a..470a1007b4d4 100644

-+++ b/Lib/test/test_sunau.py

-@@ -1,6 +1,8 @@

- import unittest

- from test import audiotests

- from audioop import byteswap

-+import io

-+import struct

- import sys

- import sunau

- 

-@@ -121,5 +123,40 @@ class SunauMiscTests(audiotests.AudioMiscTests, unittest.TestCase):

-     module = sunau

- 

- 

-+class SunauLowLevelTest(unittest.TestCase):

-+

-+    def test_read_bad_magic_number(self):

-+        b = b'SPA'

-+        with self.assertRaises(EOFError):

-+            sunau.open(io.BytesIO(b))

-+        b = b'SPAM'

-+        with self.assertRaisesRegex(sunau.Error, 'bad magic number'):

-+            sunau.open(io.BytesIO(b))

-+

-+    def test_read_too_small_header(self):

-+        b = struct.pack('>LLLLL', sunau.AUDIO_FILE_MAGIC, 20, 0,

-+                        sunau.AUDIO_FILE_ENCODING_LINEAR_8, 11025)

-+        with self.assertRaisesRegex(sunau.Error, 'header size too small'):

-+            sunau.open(io.BytesIO(b))

-+

-+    def test_read_too_large_header(self):

-+        b = struct.pack('>LLLLLL', sunau.AUDIO_FILE_MAGIC, 124, 0,

-+                        sunau.AUDIO_FILE_ENCODING_LINEAR_8, 11025, 1)

-+        b += b'\0' * 100

-+        with self.assertRaisesRegex(sunau.Error, 'header size ridiculously large'):

-+            sunau.open(io.BytesIO(b))

-+

-+    def test_read_wrong_encoding(self):

-+        b = struct.pack('>LLLLLL', sunau.AUDIO_FILE_MAGIC, 24, 0, 0, 11025, 1)

-+        with self.assertRaisesRegex(sunau.Error, r'encoding not \(yet\) supported'):

-+            sunau.open(io.BytesIO(b))

-+

-+    def test_read_wrong_number_of_channels(self):

-+        b = struct.pack('>LLLLLL', sunau.AUDIO_FILE_MAGIC, 24, 0,

-+                        sunau.AUDIO_FILE_ENCODING_LINEAR_8, 11025, 0)

-+        with self.assertRaisesRegex(sunau.Error, 'bad # of channels'):

-+            sunau.open(io.BytesIO(b))

-+

-+

- if __name__ == "__main__":

-     unittest.main()

 diff --git a/Lib/test/test_wave.py b/Lib/test/test_wave.py

-index c5d2e02450ef..8a42f8e47105 100644

+index c5d2e02..8a42f8e4 100644

 --- a/Lib/test/test_wave.py

 +++ b/Lib/test/test_wave.py

-@@ -2,6 +2,8 @@

+@@ -2,6 +2,8 @@ import unittest

  from test import audiotests

  from test import support

  from audioop import byteswap

@@ -182,7 +117,7 @@ index c5d2e02450ef..8a42f8e47105 100644

  import sys

  import wave

-@@ -111,5 +113,65 @@ def test__all__(self):

+@@ -111,5 +113,65 @@ class MiscTestCase(audiotests.AudioMiscTests, unittest.TestCase):

          support.check__all__(self, wave, blacklist=blacklist)

@@ -249,10 +184,10 @@ index c5d2e02450ef..8a42f8e47105 100644

  if __name__ == '__main__':

      unittest.main()

 diff --git a/Lib/wave.py b/Lib/wave.py

-index cf94d5af72b4..f155879a9a76 100644

+index cf94d5a..f155879 100644

 --- a/Lib/wave.py

 +++ b/Lib/wave.py

-@@ -253,12 +253,22 @@ def readframes(self, nframes):

+@@ -253,12 +253,22 @@ class Wave_read:

      #

      def _read_fmt_chunk(self, chunk):

@@ -279,10 +214,61 @@ index cf94d5af72b4..f155879a9a76 100644

          self._compname = 'not compressed'

 diff --git a/Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst b/Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst

 new file mode 100644

-index 000000000000..421aa3767794

+index 0000000..421aa37

 --- /dev/null

 +++ b/Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst

 @@ -0,0 +1,3 @@

 +Improved exceptions raised for invalid number of channels and sample width

 +when read an audio file in modules :mod:`aifc`, :mod:`wave` and

 +:mod:`sunau`.

+--- a/Lib/test/test_sunau.py	2018-12-31 18:42:22.647732415 +0530

+@@ -1,6 +1,8 @@

+ import unittest

+ from test import audiotests

+ from audioop import byteswap

++import io

++import struct

+ import sys

+ import sunau

+ 

+@@ -116,6 +118,39 @@ class SunauULAWTest(SunauTest, unittest.

+     if sys.byteorder != 'big':

+         frames = byteswap(frames, 2)

+ 

++class SunauLowLevelTest(unittest.TestCase):

++    def test_read_bad_magic_number(self):

++        b = b'SPA'

++        with self.assertRaises(EOFError):

++            sunau.open(io.BytesIO(b))

++        b = b'SPAM'

++        with self.assertRaisesRegex(sunau.Error, 'bad magic number'):

++            sunau.open(io.BytesIO(b))

++

++    def test_read_too_small_header(self):

++        b = struct.pack('>LLLLL', sunau.AUDIO_FILE_MAGIC, 20, 0,

++                        sunau.AUDIO_FILE_ENCODING_LINEAR_8, 11025)

++        with self.assertRaisesRegex(sunau.Error, 'header size too small'):

++            sunau.open(io.BytesIO(b))

++ 

++    def test_read_too_large_header(self):

++        b = struct.pack('>LLLLLL', sunau.AUDIO_FILE_MAGIC, 124, 0,

++                        sunau.AUDIO_FILE_ENCODING_LINEAR_8, 11025, 1)

++        b += b'\0' * 100

++        with self.assertRaisesRegex(sunau.Error, 'header size ridiculously large'):

++            sunau.open(io.BytesIO(b))

++ 

++    def test_read_wrong_encoding(self):

++        b = struct.pack('>LLLLLL', sunau.AUDIO_FILE_MAGIC, 24, 0, 0, 11025, 1)

++        with self.assertRaisesRegex(sunau.Error, r'encoding not \(yet\) supported'):

++            sunau.open(io.BytesIO(b))

++ 

++    def test_read_wrong_number_of_channels(self):

++        b = struct.pack('>LLLLLL', sunau.AUDIO_FILE_MAGIC, 24, 0,

++                        sunau.AUDIO_FILE_ENCODING_LINEAR_8, 11025, 0)

++        with self.assertRaisesRegex(sunau.Error, 'bad # of channels'):

++            sunau.open(io.BytesIO(b))

++

+ 

+ if __name__ == "__main__":

+     unittest.main()

new file mode 100644

@@ -0,0 +1,79 @@

+commit f7666e828cc3d5873136473ea36ba2013d624fa1

+Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

+Date:   Tue Sep 18 06:14:13 2018 -0700

+

+    bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)

+    

+    

+    The C accelerated _elementtree module now initializes hash randomization

+    salt from _Py_HashSecret instead of libexpat's default CPRNG.

+    

+    Signed-off-by: Christian Heimes <christian@python.org>

+    

+    https://bugs.python.org/issue34623

+    (cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)

+    

+    Co-authored-by: Christian Heimes <christian@python.org>

+

+diff --git a/Include/pyexpat.h b/Include/pyexpat.h

+index 44259bf..07020b5 100644

+--- a/Include/pyexpat.h

+@@ -3,7 +3,7 @@

+ 

+ /* note: you must import expat.h before importing this module! */

+ 

+-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"

++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"

+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"

+ 

+ struct PyExpat_CAPI

+@@ -48,6 +48,8 @@ struct PyExpat_CAPI

+     enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);

+     int (*DefaultUnknownEncodingHandler)(

+         void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);

++    /* might be none for expat < 2.1.0 */

++    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);

+     /* always add new stuff to the end! */

+ };

+ 

+diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst

+new file mode 100644

+index 0000000..31ad92e

+--- /dev/null

+@@ -0,0 +1,2 @@

++The C accelerated _elementtree module now initializes hash randomization

++salt from _Py_HashSecret instead of libexpat's default CSPRNG.

+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c

+index 707ab29..53f05f9 100644

+--- a/Modules/_elementtree.c

+@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,

+         PyErr_NoMemory();

+         return -1;

+     }

++    /* expat < 2.1.0 has no XML_SetHashSalt() */

++    if (EXPAT(SetHashSalt) != NULL) {

++        EXPAT(SetHashSalt)(self->parser,

++                           (unsigned long)_Py_HashSecret.expat.hashsalt);

++    }

+ 

+     if (target) {

+         Py_INCREF(target);

+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c

+index 47c3e86..aa21d93 100644

+--- a/Modules/pyexpat.c

+@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)

+     capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;

+     capi.SetEncoding = XML_SetEncoding;

+     capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;

++#if XML_COMBINED_VERSION >= 20100

++    capi.SetHashSalt = XML_SetHashSalt;

++#else

++    capi.SetHashSalt = NULL;

++#endif

+ 

+     /* export using capsule */

+     capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);

@@ -1,7 +1,7 @@

 Summary:        A high-level scripting language

 Name:           python3

 Version:        3.6.5

-Release:        2%{?dist}

+Release:        3%{?dist}

 License:        PSF

 URL:            http://www.python.org/

 Group:          System Environment/Programming

@@ -12,6 +12,7 @@ Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.t

 Patch0:         cgi3.patch

 Patch1:         python3-support-photon-platform.patch

 Patch2:         python3-CVE-2017-18207.patch

+Patch3:         python3-CVE-2018-14647.patch

 BuildRequires:  pkg-config >= 0.28

 BuildRequires:  bzip2-devel

 BuildRequires:  ncurses-devel

@@ -133,7 +134,9 @@ The test package contains all regression tests for Python as well as the modules

 %setup -q -n Python-%{version}

 %patch0 -p1

 %patch1 -p1

-#%patch2 -p1

+%patch2 -p1

+%patch3 -p1

+

 %build

 export OPT="${CFLAGS}"

@@ -263,6 +266,8 @@ rm -rf %{buildroot}/*

 %{_libdir}/python3.6/test/*

 %changelog

+*   Mon Dec 31 2018 Tapas Kundu <tkundu@vmware.com> 3.6.5-3

+-   Fix for CVE-2018-14647

 *   Thu Oct 25 2018 Sujay g <gsujay@vmware.com> 3.6.5-2

 -   Remove vulnerable Windows installers from python3-libs rpm

 *   Thu Apr 19 2018 Xiaolin Li <xiaolinl@vmware.com> 3.6.5-1