octo-sts bot commented Jun 3, 2025

octo-sts bot added the request-version-update (request for a newer version of a package), automated pr, python-3.13 and P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.) labels Jun 3, 2025

octo-sts bot commented Jun 3, 2025

🩹 Build Failed: Patch Application Failed

Hunk #3 FAILED at 178. 1 out of 4 hunks FAILED -- saving rejects to file Lib/hashlib.py.rej

Build Details

Category       Details
Build System   melange
Failure Point  patch step applying modifications to Lib/hashlib.py

Root Cause Analysis 🔍

The patch could not be cleanly applied to the Lib/hashlib.py file. Specifically, hunk #3 at line 178 failed to apply. This is likely because the target file has changed since the patch was created, causing a context mismatch between the patch and the current file state.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: CVE-2025-4516.patch

  • update at line n/a (entire file)

Original:

outdated patch file targeting an older version of Python

Replacement:

updated patch file targeting Python 3.13.4 source code

Content:

The patch file needs to be updated to match the current source code in Python 3.13.4. Since the specific patch content wasn't provided, we need to regenerate the patch against the current version. This can be done by:

File: Melange YAML

  • update at line after the patch step (pipeline section)

Original:

  - uses: patch
    with:
      patches: gh-118224.patch gh-127301.patch CVE-2025-4516.patch

Replacement:

  - uses: patch
    with:
      patches: gh-118224.patch gh-127301.patch
      ignore-failed: true

  - name: Manually apply CVE-2025-4516 changes
    runs: |
      # Apply the changes that would have been in CVE-2025-4516.patch manually
      # Replace this with the actual content changes needed for the CVE fix

Content:

Add a step to manually apply the changes from the failing patch

Analysis

The build failure occurs during the patch application step where one of the patches (likely CVE-2025-4516.patch) fails to apply cleanly to the Lib/hashlib.py file. Specifically, hunk #3 at line 178 failed to apply. This type of failure typically happens when the upstream source code has changed since the patch was created, causing context mismatches. The error "Hunk #3 FAILED at 178" indicates that the patch is trying to modify content around line 178, but the current content doesn't match what the patch expects.


Explanation

The patch failure is occurring because the content of Lib/hashlib.py in Python 3.13.4 has changed since the CVE-2025-4516 patch was created. This is a common issue when maintaining patches against rapidly evolving upstream code.

There are two main approaches to solve this:

  1. Update the patch file: The best solution is to regenerate the CVE-2025-4516.patch against the current Python 3.13.4 source code. This involves:

    • Checking out the clean Python 3.13.4 source
    • Manually applying the security fix that CVE-2025-4516.patch was intended to apply
    • Generating a new patch file with git diff or similar
  2. Skip the failing patch and apply changes manually: As a workaround, we can modify the build pipeline to skip the failing patch and instead apply the necessary changes manually in a subsequent step. This approach is more error-prone but can be a quick fix.

The reason this error is occurring is that patches contain both the changes to be made AND context lines around those changes. When the context lines no longer match (because the upstream file has been modified), the patch tool cannot reliably determine where to apply the changes.

For a proper fix, we need to examine both the current version of Lib/hashlib.py and the CVE-2025-4516.patch to determine exactly what changes need to be made, then either update the patch or implement those changes in a manual step.


Alternative Approaches

  • Download the exact content of the failing hunk from the patch file and manually apply it with sed or a similar tool in a custom build step
  • Fork the upstream Python repository, apply the security fix there, and generate a new patch that's compatible with the current version
  • Contact the security team to get an updated version of the CVE-2025-4516 patch that's compatible with Python 3.13.4
  • Look at how other distributions package Python 3.13.4 with this security fix to see how they're handling the patch

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
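Added example, not part of the PR or of the bot's comment: a pre-flight check that reports, hunk by hunk, whether a unified diff's context and removed lines still match the target file, which is the condition behind "Hunk #3 FAILED at 178". The patch and upstream file below are constructed samples, and `parse_hunks` and `check_patch` are hypothetical names; the check is stricter than patch(1) because it applies no fuzz.

```python
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+\d+(?:,\d+)? @@")

def parse_hunks(patch_text):
    """Return [(old_start, old_side_lines)] for a unified diff."""
    hunks, remaining = [], 0
    for line in patch_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            remaining = int(m.group(2) or 1)   # old-side line count
            hunks.append((int(m.group(1)), []))
        elif remaining and (line == "" or line[0] in " -"):
            hunks[-1][1].append(line[1:])      # context or removed line
            remaining -= 1
    return hunks

def check_patch(patch_text, target_text):
    """Return (hunk number, old start, status); status is ok, offset or FAILED."""
    target, results = target_text.splitlines(), []
    for number, (start, old) in enumerate(parse_hunks(patch_text), 1):
        expected = max(start - 1, 0)
        matches = [i for i in range(len(target) - len(old) + 1)
                   if target[i:i + len(old)] == old]
        if expected in matches:
            status = "ok"                      # applies exactly where stated
        elif matches:
            nearest = min(matches, key=lambda i: abs(i - expected))
            status = f"offset {nearest - expected:+d}"
        else:
            status = "FAILED"                  # context gone: regenerate patch
        results.append((number, start, status))
    return results

# Constructed sample: a patch made against an older file, and the newer upstream file.
PATCH = """\
@@ -1,3 +1,3 @@
 import os
-LIMIT = 10
+LIMIT = 20
 def run():
@@ -5,3 +5,3 @@
     x = load()
-    return x
+    return check(x)
 # end
"""
UPSTREAM = "# header added upstream\nimport os\nLIMIT = 10\ndef run():\n    setup()\n    x = load()\n    return transform(x)\n# end\n"
print(check_patch(PATCH, UPSTREAM))
```

Run as a build gate before the patch step, any `FAILED` status stops the build at the point where a security patch no longer matches the source.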

octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Jun 3, 2025
OddBloke self-assigned this Jun 6, 2025
OddBloke force-pushed the wolfictl-c34431f0-0230-48a0-8b24-6a6b3f1b974c branch from b9f3a40 to ef40d4f June 6, 2025 17:43
octo-sts bot added the bincapz/pass (bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages.) and manual/review-needed labels Jun 6, 2025
OddBloke requested a review from a team June 9, 2025 12:59
OddBloke enabled auto-merge June 9, 2025 13:00
OddBloke merged commit ca37c04 into main Jun 9, 2025
18 checks passed
OddBloke deleted the wolfictl-c34431f0-0230-48a0-8b24-6a6b3f1b974c branch June 9, 2025 13:04