python3: patch CVE-2025-12084

Pick patch from 3.12 branch according to [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-12084 (From OE-Core rev: c3ed0dfa3a7b8716008968b0d7f80885b2f61a84) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-12-30 16:35:08 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:45:38 +0000
commit: 5ae239f8eabf239703297885d06e88da9c075102 (patch)
tree: c2c24e68622f74fb275bb6f157351a04c52de04a /meta/recipes-devtools/python/python3
parent: 8c2c3b114e5b5a1e36e76275391119cae9a12c43 (diff)
download: poky-5ae239f8eabf239703297885d06e88da9c075102.tar.gz
1 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-12084.patch b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
new file mode 100644
index 0000000000..b7c0650cdc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
@@ -0,0 +1,144 @@
+From 9c9dda6625a2a90d2a06c657eee021d6be19842d Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 22 Dec 2025 14:48:49 +0100
+Subject: [PATCH] [3.12] gh-142145: Remove quadratic behavior in node ID cache
+ clearing (GH-142146) (#142211)
+* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
+* gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
+(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
+(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
+(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
+Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
+Co-authored-by: Seth Michael Larson <seth@python.org>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+CVE: CVE-2025-12084
+Upstream-Status: Backport [https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Lib/test/test_minidom.py                      | 33 ++++++++++++++++++-
+ Lib/xml/dom/minidom.py                        | 11 ++-----
+ ...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst |  6 ++++
+ 3 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
+index 699265ccadc..ab4823c8315 100644
+--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
+@@ -2,13 +2,14 @@
+ 
+ import copy
+ import pickle
+import time
+ import io
+ from test import support
+ import unittest
+ 
+ import xml.dom.minidom
+ 
+-from xml.dom.minidom import parse, Attr, Node, Document, parseString
+from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
+ from xml.dom.minidom import getDOMImplementation
+ from xml.parsers.expat import ExpatError
+ 
+@@ -176,6 +177,36 @@ class MinidomTest(unittest.TestCase):
+         self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
+         dom.unlink()
+ 
+    @support.requires_resource('cpu')
+    def testAppendChildNoQuadraticComplexity(self):
+        impl = getDOMImplementation()
+
+        newdoc = impl.createDocument(None, "some_tag", None)
+        top_element = newdoc.documentElement
+        children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
+        element = top_element
+
+        start = time.monotonic()
+        for child in children:
+            element.appendChild(child)
+            element = child
+        end = time.monotonic()
+
+        # This example used to take at least 30 seconds.
+        # Conservative assertion due to the wide variety of systems and
+        # build configs timing based tests wind up run under.
+        # A --with-address-sanitizer --with-pydebug build on a rpi5 still
+        # completes this loop in <0.5 seconds.
+        self.assertLess(end - start, 4)
+
+    def testSetAttributeNodeWithoutOwnerDocument(self):
+        # regression test for gh-142754
+        elem = Element("test")
+        attr = Attr("id")
+        attr.value = "test-id"
+        elem.setAttributeNode(attr)
+        self.assertEqual(elem.getAttribute("id"), "test-id")
+
+     def testAppendChildFragment(self):
+         dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
+         dom.documentElement.appendChild(frag)
+diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
+index ef8a159833b..cada981f39f 100644
+--- a/Lib/xml/dom/minidom.py
+++ b/Lib/xml/dom/minidom.py
+@@ -292,13 +292,6 @@ def _append_child(self, node):
+     childNodes.append(node)
+     node.parentNode = self
+ 
+-def _in_document(node):
+-    # return True iff node is part of a document tree
+-    while node is not None:
+-        if node.nodeType == Node.DOCUMENT_NODE:
+-            return True
+-        node = node.parentNode
+-    return False
+ 
+ def _write_data(writer, data):
+     "Writes datachars to writer."
+@@ -355,6 +348,7 @@ class Attr(Node):
+     def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
+                  prefix=None):
+         self.ownerElement = None
+        self.ownerDocument = None
+         self._name = qName
+         self.namespaceURI = namespaceURI
+         self._prefix = prefix
+@@ -680,6 +674,7 @@ class Element(Node):
+ 
+     def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
+                  localName=None):
+        self.ownerDocument = None
+         self.parentNode = None
+         self.tagName = self.nodeName = tagName
+         self.prefix = prefix
+@@ -1539,7 +1534,7 @@ def _clear_id_cache(node):
+     if node.nodeType == Node.DOCUMENT_NODE:
+         node._id_cache.clear()
+         node._id_search_stack = None
+-    elif _in_document(node):
+    elif node.ownerDocument:
+         node.ownerDocument._id_cache.clear()
+         node.ownerDocument._id_search_stack= None
+ 
+diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+new file mode 100644
+index 00000000000..05c7df35d14
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
+@@ -0,0 +1,6 @@
+Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.  In order
+to do this without breaking existing users, we also add the *ownerDocument*
+attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
+instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
+nodes is not supported; creator functions like
+:py:meth:`xml.dom.Document.documentElement` should be used instead.
author	Peter Marko <peter.marko@siemens.com>	2025-12-30 16:35:08 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:45:38 +0000
commit	5ae239f8eabf239703297885d06e88da9c075102 (patch)
tree	c2c24e68622f74fb275bb6f157351a04c52de04a /meta/recipes-devtools/python/python3
parent	8c2c3b114e5b5a1e36e76275391119cae9a12c43 (diff)
download	poky-5ae239f8eabf239703297885d06e88da9c075102.tar.gz

diff --git a/meta/recipes-devtools/python/python3/CVE-2025-12084.patch b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch new file mode 100644 index 0000000000..b7c0650cdc --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2025-12084.patch
@@ -0,0 +1,144 @@
	1	From 9c9dda6625a2a90d2a06c657eee021d6be19842d Mon Sep 17 00:00:00 2001
	2	From: "Miss Islington (bot)"
	3	<31488909+miss-islington@users.noreply.github.com>
	4	Date: Mon, 22 Dec 2025 14:48:49 +0100
	5	Subject: [PATCH] [3.12] gh-142145: Remove quadratic behavior in node ID cache
	6	clearing (GH-142146) (#142211)
	7
	8	* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
	9	* gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
	10	(cherry picked from commit 1cc7551b3f9f71efbc88d96dce90f82de98b2454)
	11	(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
	12	(cherry picked from commit 8d2d7bb2e754f8649a68ce4116271a4932f76907)
	13
	14	Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
	15	Co-authored-by: Seth Michael Larson <seth@python.org>
	16	Co-authored-by: Petr Viktorin <encukou@gmail.com>
	17	Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
	18	Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
	19	Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
	20	Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
	21	Co-authored-by: Gregory P. Smith <greg@krypto.org>
	22
	23	CVE: CVE-2025-12084
	24	Upstream-Status: Backport [https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d]
	25	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	26	---
	27	Lib/test/test_minidom.py \| 33 ++++++++++++++++++-
	28	Lib/xml/dom/minidom.py \| 11 ++-----
	29	...-12-01-09-36-45.gh-issue-142145.tcAUhg.rst \| 6 ++++
	30	3 files changed, 41 insertions(+), 9 deletions(-)
	31	create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
	32
	33	diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
	34	index 699265ccadc..ab4823c8315 100644
	35	--- a/Lib/test/test_minidom.py
	36	+++ b/Lib/test/test_minidom.py
	37	@@ -2,13 +2,14 @@
	38
	39	import copy
	40	import pickle
	41	+import time
	42	import io
	43	from test import support
	44	import unittest
	45
	46	import xml.dom.minidom
	47
	48	-from xml.dom.minidom import parse, Attr, Node, Document, parseString
	49	+from xml.dom.minidom import parse, Attr, Node, Document, Element, parseString
	50	from xml.dom.minidom import getDOMImplementation
	51	from xml.parsers.expat import ExpatError
	52
	53	@@ -176,6 +177,36 @@ class MinidomTest(unittest.TestCase):
	54	self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
	55	dom.unlink()
	56
	57	+ @support.requires_resource('cpu')
	58	+ def testAppendChildNoQuadraticComplexity(self):
	59	+ impl = getDOMImplementation()
	60	+
	61	+ newdoc = impl.createDocument(None, "some_tag", None)
	62	+ top_element = newdoc.documentElement
	63	+ children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
	64	+ element = top_element
	65	+
	66	+ start = time.monotonic()
	67	+ for child in children:
	68	+ element.appendChild(child)
	69	+ element = child
	70	+ end = time.monotonic()
	71	+
	72	+ # This example used to take at least 30 seconds.
	73	+ # Conservative assertion due to the wide variety of systems and
	74	+ # build configs timing based tests wind up run under.
	75	+ # A --with-address-sanitizer --with-pydebug build on a rpi5 still
	76	+ # completes this loop in <0.5 seconds.
	77	+ self.assertLess(end - start, 4)
	78	+
	79	+ def testSetAttributeNodeWithoutOwnerDocument(self):
	80	+ # regression test for gh-142754
	81	+ elem = Element("test")
	82	+ attr = Attr("id")
	83	+ attr.value = "test-id"
	84	+ elem.setAttributeNode(attr)
	85	+ self.assertEqual(elem.getAttribute("id"), "test-id")
	86	+
	87	def testAppendChildFragment(self):
	88	dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
	89	dom.documentElement.appendChild(frag)
	90	diff --git a/Lib/xml/dom/minidom.py b/Lib/xml/dom/minidom.py
	91	index ef8a159833b..cada981f39f 100644
	92	--- a/Lib/xml/dom/minidom.py
	93	+++ b/Lib/xml/dom/minidom.py
	94	@@ -292,13 +292,6 @@ def _append_child(self, node):
	95	childNodes.append(node)
	96	node.parentNode = self
	97
	98	-def _in_document(node):
	99	- # return True iff node is part of a document tree
	100	- while node is not None:
	101	- if node.nodeType == Node.DOCUMENT_NODE:
	102	- return True
	103	- node = node.parentNode
	104	- return False
	105
	106	def _write_data(writer, data):
	107	"Writes datachars to writer."
	108	@@ -355,6 +348,7 @@ class Attr(Node):
	109	def __init__(self, qName, namespaceURI=EMPTY_NAMESPACE, localName=None,
	110	prefix=None):
	111	self.ownerElement = None
	112	+ self.ownerDocument = None
	113	self._name = qName
	114	self.namespaceURI = namespaceURI
	115	self._prefix = prefix
	116	@@ -680,6 +674,7 @@ class Element(Node):
	117
	118	def __init__(self, tagName, namespaceURI=EMPTY_NAMESPACE, prefix=None,
	119	localName=None):
	120	+ self.ownerDocument = None
	121	self.parentNode = None
	122	self.tagName = self.nodeName = tagName
	123	self.prefix = prefix
	124	@@ -1539,7 +1534,7 @@ def _clear_id_cache(node):
	125	if node.nodeType == Node.DOCUMENT_NODE:
	126	node._id_cache.clear()
	127	node._id_search_stack = None
	128	- elif _in_document(node):
	129	+ elif node.ownerDocument:
	130	node.ownerDocument._id_cache.clear()
	131	node.ownerDocument._id_search_stack= None
	132
	133	diff --git a/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
	134	new file mode 100644
	135	index 00000000000..05c7df35d14
	136	--- /dev/null
	137	+++ b/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
	138	@@ -0,0 +1,6 @@
	139	+Remove quadratic behavior in ``xml.minidom`` node ID cache clearing. In order
	140	+to do this without breaking existing users, we also add the ownerDocument
	141	+attribute to :mod:`xml.dom.minidom` elements and attributes created by directly
	142	+instantiating the ``Element`` or ``Attr`` class. Note that this way of creating
	143	+nodes is not supported; creator functions like
	144	+:py:meth:`xml.dom.Document.documentElement` should be used instead.