authorArmin Kuster <akuster@mvista.com>2019-05-29 15:06:39 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-27 18:05:18 +0100
commit81439e7d18ad12b25c67812c5277c24c92c8e3b5 (patch)
tree299ce99ef6fc426473a173b167933ee37e249338
parentf2961d88af7fa7345f40b1dc3b0edc926c5a2304 (diff)
downloadpoky-81439e7d18ad12b25c67812c5277c24c92c8e3b5.tar.gz
python: Update to 2.7.16
Source: Python.org MR: 98220 Type: Security Fix & Integration Disposition: Backport from python.org ChangeID: 96fdd2dee9fe9317eb72584583ae0100c0be9eaa Description: Bug fix update per Python.org https://www.python.org/downloads/release/python-2716/ drop backported patches License-update: copyright years Helps prepare Thud for 2.7 EOL support moving forward. Update includes: CVE-2019-5010 https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595 (From OE-Core rev: 592e7de7f5208940fbcfcad3371f93f8ce2ca738) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/python/python-native_2.7.16.bb (renamed from meta/recipes-devtools/python/python-native_2.7.15.bb)2
-rw-r--r--meta/recipes-devtools/python/python.inc18
-rw-r--r--meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch96
-rw-r--r--meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch55
-rw-r--r--meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch120
-rw-r--r--meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch67
-rw-r--r--meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch37
-rw-r--r--meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch37
-rw-r--r--meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch34
-rw-r--r--meta/recipes-devtools/python/python_2.7.16.bb (renamed from meta/recipes-devtools/python/python_2.7.15.bb)2
10 files changed, 6 insertions, 462 deletions
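diff --git a/meta/recipes-devtools/python/python-native_2.7.15.bb b/meta/recipes-devtools/python/python-native_2.7.16.bb
index 26d67df6b8..b7442800d9 100644
--- a/meta/recipes-devtools/python/python-native_2.7.15.bb
+++ b/meta/recipes-devtools/python/python-native_2.7.16.bb
@@ -1,7 +1,6 @@
 require python.inc
 EXTRANATIVEPATH += "bzip2-native"
 DEPENDS = "openssl-native bzip2-replacement-native zlib-native readline-native sqlite3-native expat-native gdbm-native db-native"
-PR = "${INC_PR}.1"
 
 SRC_URI += "\
  file://05-enable-ctypes-cross-build.patch \
@@ -17,7 +16,6 @@ SRC_URI += "\
  file://parallel-makeinst-create-bindir.patch \
  file://revert_use_of_sysconfigdata.patch \
  file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \
- file://0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch \
  "
 
 S = "${WORKDIR}/Python-${PV}"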
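diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 66923678b1..e5f1981ab8 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -5,18 +5,12 @@ SECTION = "devel/python"
 # bump this on every change in contrib/python/generate-manifest-2.7.py
 INC_PR = "r1"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
 
-SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
- file://0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch \
- file://0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch \
- file://0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch \
- file://0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch \
- file://0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch \
- "
-
-SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d"
-SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574"
+SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"
+
+SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
+SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7"
 
 # python recipe is actually python 2.x
 # also, exclude pre-releases for both python 2.x and 3.x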
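Review bot: The rewritten `SRC_URI` line still fetches the release tarball over cleartext `http://www.python.org/...`; the `SRC_URI[sha256sum]` pin means a tampered download is rejected after the fact rather than built, so this is hardening rather than a hole, but the fetch should read `SRC_URI = "https://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"` so the origin is authenticated before any bytes are accepted and an on-path party can only cause a fetch failure. The `SRC_URI[md5sum]` line adds no integrity beyond the sha256 pin and could be dropped the next time the recipe is touched. The commit message attributes the `LIC_FILES_CHKSUM` change to copyright years only; that cannot be verified from this diff, so the LICENSE file should be compared against 2.7.15 before merging.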
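diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch
deleted file mode 100644
index 3c0d662296..0000000000
--- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 3ffc80959f01f9fde548f1632694b9f950c2dd7c Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Tue, 18 Sep 2018 15:13:09 +0200
-Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree
- (GH-9146) (GH-9394)
-
-The C accelerated _elementtree module now initializes hash randomization
-salt from _Py_HashSecret instead of libexpat's default CPRNG.
-
-Signed-off-by: Christian Heimes <christian@python.org>
-
-https://bugs.python.org/issue34623.
-(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
-
-Co-authored-by: Christian Heimes <christian@python.org>
-
-
-
-https://bugs.python.org/issue34623
-
-Upstream-Status: Backport
-CVE: CVE-2018-14647
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Include/pyexpat.h | 4 +++-
- Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++
- Modules/_elementtree.c | 5 +++++
- Modules/pyexpat.c | 5 +++++
- 4 files changed, 15 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
-
-diff --git a/Include/pyexpat.h b/Include/pyexpat.h
-index 5340ef5..3fc5fa5 100644
---- a/Include/pyexpat.h
-+++ b/Include/pyexpat.h
-@@ -3,7 +3,7 @@
-
- /* note: you must import expat.h before importing this module! */
-
--#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
-+#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
- #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
-
- struct PyExpat_CAPI
-@@ -43,6 +43,8 @@ struct PyExpat_CAPI
- XML_Parser parser, XML_UnknownEncodingHandler handler,
- void *encodingHandlerData);
- void (*SetUserData)(XML_Parser parser, void *userData);
-+ /* might be none for expat < 2.1.0 */
-+ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
- /* always add new stuff to the end! */
- };
-
-diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
-new file mode 100644
-index 0000000..31ad92e
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
-@@ -0,0 +1,2 @@
-+The C accelerated _elementtree module now initializes hash randomization
-+salt from _Py_HashSecret instead of libexpat's default CSPRNG.
-diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
-index 1d316a1..a19cbf7 100644
---- a/Modules/_elementtree.c
-+++ b/Modules/_elementtree.c
-@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)
- PyErr_NoMemory();
- return NULL;
- }
-+ /* expat < 2.1.0 has no XML_SetHashSalt() */
-+ if (EXPAT(SetHashSalt) != NULL) {
-+ EXPAT(SetHashSalt)(self->parser,
-+ (unsigned long)_Py_HashSecret.prefix);
-+ }
-
- ALLOC(sizeof(XMLParserObject), "create expatparser");
-
-diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
-index 2b4d312..1f8c0d7 100644
---- a/Modules/pyexpat.c
-+++ b/Modules/pyexpat.c
-@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
- capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;
- capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;
- capi.SetUserData = XML_SetUserData;
-+#if XML_COMBINED_VERSION >= 20100
-+ capi.SetHashSalt = XML_SetHashSalt;
-+#else
-+ capi.SetHashSalt = NULL;
-+#endif
-
- /* export using capsule */
- capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
---
-2.7.4
-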
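diff --git a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
deleted file mode 100644
index 4c0b3577b2..0000000000
--- a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 19f6bd06af3c7fc0db5f96878aaa68f5589ff13e Mon Sep 17 00:00:00 2001
-From: Pablo Galindo <Pablogsal@gmail.com>
-Date: Thu, 24 May 2018 23:20:44 +0100
-Subject: [PATCH] bpo-33354: Fix test_ssl when a filename cannot be encoded
- (GH-6613)
-
-Skip test_load_dh_params() of test_ssl when Python filesystem encoding
-cannot encode the provided path.
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/19f6bd06af3c7fc0db5f96878aaa68f5589ff13e]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 9 ++++++++-
- .../next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | 2 ++
- 2 files changed, 10 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index b59fe73f04..7ced90fdf6 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -989,6 +989,13 @@ class ContextTests(unittest.TestCase):
-
-
- def test_load_dh_params(self):
-+ filename = u'dhpäräm.pem'
-+ fs_encoding = sys.getfilesystemencoding()
-+ try:
-+ filename.encode(fs_encoding)
-+ except UnicodeEncodeError:
-+ self.skipTest("filename %r cannot be encoded to the filesystem encoding %r" % (filename, fs_encoding))
-+
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- ctx.load_dh_params(DHFILE)
- if os.name != 'nt':
-@@ -1001,7 +1008,7 @@ class ContextTests(unittest.TestCase):
- with self.assertRaises(ssl.SSLError) as cm:
- ctx.load_dh_params(CERTFILE)
- with support.temp_dir() as d:
-- fname = os.path.join(d, u'dhpäräm.pem')
-+ fname = os.path.join(d, filename)
- shutil.copy(DHFILE, fname)
- ctx.load_dh_params(fname)
-
-diff --git a/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
-new file mode 100644
-index 0000000000..c66cecac32
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
-@@ -0,0 +1,2 @@
-+Skip ``test_ssl.test_load_dh_params`` when Python filesystem encoding cannot encode the
-+provided path.
---
-2.17.1
-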
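diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
deleted file mode 100644
index 1f70562fc0..0000000000
--- a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 15 Aug 2018 09:07:28 +0200
-Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
- (GH-8760)
-
-Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-default.
-
-Also update multissltests to test with latest OpenSSL.
-
-Signed-off-by: Christian Heimes <christian@python.org>.
-(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
-
-Co-authored-by: Christian Heimes <christian@python.org>
-
-Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Doc/library/ssl.rst | 8 ++--
- Lib/test/test_ssl.py | 37 +++++++++++--------
- .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
- 3 files changed, 27 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-
-diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
-index 0421031772..7c7c85b833 100644
---- a/Doc/library/ssl.rst
-+++ b/Doc/library/ssl.rst
-@@ -294,11 +294,6 @@ purposes.
-
- 3DES was dropped from the default cipher string.
-
-- .. versionchanged:: 2.7.15
--
-- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
-- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
--
- .. function:: _https_verify_certificates(enable=True)
-
- Specifies whether or not server certificates are verified when creating
-@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
- when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
- give the currently selected cipher.
-
-+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
-+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
-+
- .. method:: SSLContext.set_alpn_protocols(protocols)
-
- Specify which protocols the socket should advertise during the SSL/TLS
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index dc14e22ad1..f51572e319 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2772,19 +2772,24 @@ else:
- sock.do_handshake()
- self.assertEqual(cm.exception.errno, errno.ENOTCONN)
-
-- def test_default_ciphers(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-- try:
-- # Force a set of weak ciphers on our client context
-- context.set_ciphers("DES")
-- except ssl.SSLError:
-- self.skipTest("no DES cipher available")
-- with ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_SSLv23,
-- chatty=False) as server:
-- with closing(context.wrap_socket(socket.socket())) as s:
-- with self.assertRaises(ssl.SSLError):
-- s.connect((HOST, server.port))
-+ def test_no_shared_ciphers(self):
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ server_context.load_cert_chain(SIGNED_CERTFILE)
-+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ client_context.verify_mode = ssl.CERT_REQUIRED
-+ client_context.check_hostname = True
-+
-+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
-+ client_context.options |= ssl.OP_NO_TLSv1_3
-+ # Force different suites on client and master
-+ client_context.set_ciphers("AES128")
-+ server_context.set_ciphers("AES256")
-+ with ThreadedEchoServer(context=server_context) as server:
-+ s = client_context.wrap_socket(
-+ socket.socket(),
-+ server_hostname="localhost")
-+ with self.assertRaises(ssl.SSLError):
-+ s.connect((HOST, server.port))
- self.assertIn("no shared cipher", str(server.conn_errors[0]))
-
- def test_version_basic(self):
-@@ -2815,9 +2820,9 @@ else:
- with context.wrap_socket(socket.socket()) as s:
- s.connect((HOST, server.port))
- self.assertIn(s.cipher()[0], [
-- 'TLS13-AES-256-GCM-SHA384',
-- 'TLS13-CHACHA20-POLY1305-SHA256',
-- 'TLS13-AES-128-GCM-SHA256',
-+ 'TLS_AES_256_GCM_SHA384',
-+ 'TLS_CHACHA20_POLY1305_SHA256',
-+ 'TLS_AES_128_GCM_SHA256',
- ])
-
- @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
-diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-new file mode 100644
-index 0000000000..bd719a47e8
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-@@ -0,0 +1,3 @@
-+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-+default.
---
-2.17.1
-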
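diff --git a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
deleted file mode 100644
index 125db8512a..0000000000
--- a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001
-From: Benjamin Peterson <benjamin@python.org>
-Date: Wed, 29 Aug 2018 21:59:21 -0700
-Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
- subprocess rather than distutils.spawn. (GH-8985)
-
-Upstream-Status: Backport
-CVE: CVE-2018-1000802
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Lib/shutil.py | 16 ++++++++++------
- .../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++
- 2 files changed, 13 insertions(+), 6 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
-
-diff --git a/Lib/shutil.py b/Lib/shutil.py
-index 3462f7c..0ab1a06 100644
---- a/Lib/shutil.py
-+++ b/Lib/shutil.py
-@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
-
- return archive_name
-
--def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
-+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
- # XXX see if we want to keep an external call here
- if verbose:
- zipoptions = "-r"
- else:
- zipoptions = "-rq"
-- from distutils.errors import DistutilsExecError
-- from distutils.spawn import spawn
-+ cmd = ["zip", zipoptions, zip_filename, base_dir]
-+ if logger is not None:
-+ logger.info(' '.join(cmd))
-+ if dry_run:
-+ return
-+ import subprocess
- try:
-- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
-- except DistutilsExecError:
-+ subprocess.check_call(cmd)
-+ except subprocess.CalledProcessError:
- # XXX really should distinguish between "couldn't find
- # external 'zip' command" and "zip failed".
- raise ExecError, \
-@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
- zipfile = None
-
- if zipfile is None:
-- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
-+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
- else:
- if logger is not None:
- logger.info("creating '%s' and adding '%s' to it",
-diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
-new file mode 100644
-index 0000000..4f68696
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
-@@ -0,0 +1,3 @@
-+When ``shutil.make_archive`` falls back to the external ``zip`` problem, it
-+uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
-+closes a possible shell injection vector.
---
-2.7.4
-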
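diff --git a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
deleted file mode 100644
index 96882712e9..0000000000
--- a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0e1f3856a7e1511fb64d99646c54ddf3897cd444 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Fri, 28 Sep 2018 14:15:52 +0100
-Subject: [PATCH 2/4] bpo-34818: Add missing closing() wrapper in test_tls1_3.
-
-Python 2.7 socket classes do not implement context manager protocol,
-hence closing() is required around it. Resolves testcase error
-traceback.
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-
-https://bugs.python.org/issue34818
-
-Patch taken from Ubuntu.
-
-Upstream-Status: Submitted [https://github.com/python/cpython/pull/9622]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index f51572e319..7a14053cee 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2817,7 +2817,7 @@ else:
- ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
- )
- with ThreadedEchoServer(context=context) as server:
-- with context.wrap_socket(socket.socket()) as s:
-+ with closing(context.wrap_socket(socket.socket())) as s:
- s.connect((HOST, server.port))
- self.assertIn(s.cipher()[0], [
- 'TLS_AES_256_GCM_SHA384',
---
-2.17.1
-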
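diff --git a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
deleted file mode 100644
index 77016cb430..0000000000
--- a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 8b06d56d26eee289fec22b9b72ab4c7cc3d6c482 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Fri, 28 Sep 2018 16:34:16 +0100
-Subject: [PATCH 3/4] bpo-34834: Fix test_ssl.test_options to account for
- OP_ENABLE_MIDDLEBOX_COMPAT.
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-
-https://bugs.python.org/issue34834
-
-Patch taken from Ubuntu.
-Upstream-Status: Submitted [https://github.com/python/cpython/pull/9624]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index 7a14053cee..efc906a5ba 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -777,6 +777,11 @@ class ContextTests(unittest.TestCase):
- default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
- default |= ssl.OP_NO_COMPRESSION
-+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
-+ # define MIDDLEBOX constant, as python2.7 does not know about it
-+ # but it is used by default.
-+ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
-+ default |= OP_ENABLE_MIDDLEBOX_COMPAT
- self.assertEqual(default, ctx.options)
- ctx.options |= ssl.OP_NO_TLSv1
- self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
---
-2.17.1
-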
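diff --git a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
deleted file mode 100644
index 39e1bcfc86..0000000000
--- a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 946a7969345c6697697effd226ec396d3fea05b7 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Fri, 28 Sep 2018 17:30:19 +0100
-Subject: [PATCH 4/4] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3.
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-
-https://bugs.python.org/issue34836
-
-Patch taken from Ubuntu.
-Upstream-Status: Submitted [https://github.com/python/cpython/pull/9626]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index efc906a5ba..4a3286cd5f 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2836,6 +2836,9 @@ else:
- # should be enabled by default on SSL contexts.
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- context.load_cert_chain(CERTFILE)
-+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
-+ # cipher name.
-+ context.options |= ssl.OP_NO_TLSv1_3
- # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
- # explicitly using the 'ECCdraft' cipher alias. Otherwise,
- # our default cipher list should prefer ECDH-based ciphers
---
-2.17.1
-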
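diff --git a/meta/recipes-devtools/python/python_2.7.15.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index 3f361ae7c4..7fe16f7e49 100644
--- a/meta/recipes-devtools/python/python_2.7.15.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,8 +31,6 @@ SRC_URI += "\
  file://pass-missing-libraries-to-Extension-for-mul.patch \
  file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
  file://float-endian.patch \
- file://0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch \
- file://0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"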
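Review bot: The two patches removed from `SRC_URI` here carry `CVE: CVE-2018-1000802` and `CVE: CVE-2018-14647` tags in the deleted files above, yet the commit message names only CVE-2019-5010 and says "drop backported patch" in the singular, so nothing on record states that the 2.7.16 tarball already contains both fixes. Anyone auditing CVE status for this recipe, or tooling that derives "fixed" status from the `CVE:` tags in applied patches, will see the two entries silently disappear; the description should say so explicitly, e.g. `Drops backports now included upstream in 2.7.16: CVE-2018-14647 (bpo-34623), CVE-2018-1000802 (bpo-34540)`. Whether 2.7.16 really includes both fixes cannot be confirmed from this diff and should be checked against the upstream changelog before merging. The `SRC_URI +=` assignment begins outside the hunk.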