[AUTO-CHERRYPICK] [High] Patch python3 for CVE-2025-4516, CVE-2025-4517, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435 - branch 3.0-dev (#14005)

Co-authored-by: jykanase <v-jykanase@microsoft.com>
Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>

Author: 3 people

SPECS/python3/CVE-2025-4516.patch

@@ -6,7 +6,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.12.9
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,8 @@ Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.t
 # It has been removed in Python-3.12.0.tar.xz, but as our packages still require it, we will still provide for now.
 Source1:        https://github.com/python/cpython/blob/3.9/Tools/scripts/pathfix.py
 Patch0:         cgi3.patch
+Patch1:         CVE-2025-4516.patch
+Patch2:         CVE-2025-4517.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@@ -238,6 +240,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Tue Jun 10 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 3.12.9-2
+- Patch CVE-2025-4516, CVE-2025-4517, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4330
+
 * Mon Feb 17 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.12.9-1
 - Auto-upgrade to 3.12.9 - to fix CVE-2025-0938 & CVE-2024-4032
 - Clean up the earlier patches not needed anymore

SPECS/python3/CVE-2025-4517.patch

@@ -244,9 +244,9 @@ ca-certificates-base-3.0.0-8.azl3.noarch.rpm
 ca-certificates-3.0.0-8.azl3.noarch.rpm
 dwz-0.14-2.azl3.aarch64.rpm
 unzip-6.0-22.azl3.aarch64.rpm
-python3-3.12.9-1.azl3.aarch64.rpm
-python3-devel-3.12.9-1.azl3.aarch64.rpm
-python3-libs-3.12.9-1.azl3.aarch64.rpm
+python3-3.12.9-2.azl3.aarch64.rpm
+python3-devel-3.12.9-2.azl3.aarch64.rpm
+python3-libs-3.12.9-2.azl3.aarch64.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm

SPECS/python3/python3.spec

@@ -244,9 +244,9 @@ ca-certificates-base-3.0.0-8.azl3.noarch.rpm
 ca-certificates-3.0.0-8.azl3.noarch.rpm
 dwz-0.14-2.azl3.x86_64.rpm
 unzip-6.0-22.azl3.x86_64.rpm
-python3-3.12.9-1.azl3.x86_64.rpm
-python3-devel-3.12.9-1.azl3.x86_64.rpm
-python3-libs-3.12.9-1.azl3.x86_64.rpm
+python3-3.12.9-2.azl3.x86_64.rpm
+python3-devel-3.12.9-2.azl3.x86_64.rpm
+python3-libs-3.12.9-2.azl3.x86_64.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -531,18 +531,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.9-1.azl3.aarch64.rpm
+python3-3.12.9-2.azl3.aarch64.rpm
 python3-audit-3.1.2-1.azl3.aarch64.rpm
 python3-cracklib-2.9.11-1.azl3.aarch64.rpm
-python3-curses-3.12.9-1.azl3.aarch64.rpm
+python3-curses-3.12.9-2.azl3.aarch64.rpm
 python3-Cython-3.0.5-2.azl3.aarch64.rpm
-python3-debuginfo-3.12.9-1.azl3.aarch64.rpm
-python3-devel-3.12.9-1.azl3.aarch64.rpm
+python3-debuginfo-3.12.9-2.azl3.aarch64.rpm
+python3-devel-3.12.9-2.azl3.aarch64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
-python3-libs-3.12.9-1.azl3.aarch64.rpm
+python3-libs-3.12.9-2.azl3.aarch64.rpm
 python3-libxml2-2.11.5-5.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
@@ -554,8 +554,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
-python3-test-3.12.9-1.azl3.aarch64.rpm
-python3-tools-3.12.9-1.azl3.aarch64.rpm
+python3-test-3.12.9-2.azl3.aarch64.rpm
+python3-tools-3.12.9-2.azl3.aarch64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-2.azl3.aarch64.rpm
 readline-debuginfo-8.2-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -539,18 +539,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.9-1.azl3.x86_64.rpm
+python3-3.12.9-2.azl3.x86_64.rpm
 python3-audit-3.1.2-1.azl3.x86_64.rpm
 python3-cracklib-2.9.11-1.azl3.x86_64.rpm
-python3-curses-3.12.9-1.azl3.x86_64.rpm
+python3-curses-3.12.9-2.azl3.x86_64.rpm
 python3-Cython-3.0.5-2.azl3.x86_64.rpm
-python3-debuginfo-3.12.9-1.azl3.x86_64.rpm
-python3-devel-3.12.9-1.azl3.x86_64.rpm
+python3-debuginfo-3.12.9-2.azl3.x86_64.rpm
+python3-devel-3.12.9-2.azl3.x86_64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-3.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
-python3-libs-3.12.9-1.azl3.x86_64.rpm
+python3-libs-3.12.9-2.azl3.x86_64.rpm
 python3-libxml2-2.11.5-5.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
@@ -562,8 +562,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
-python3-test-3.12.9-1.azl3.x86_64.rpm
-python3-tools-3.12.9-1.azl3.x86_64.rpm
+python3-test-3.12.9-2.azl3.x86_64.rpm
+python3-tools-3.12.9-2.azl3.x86_64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-2.azl3.x86_64.rpm
 readline-debuginfo-8.2-2.azl3.x86_64.rpm