diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2019-04-15 12:54:54 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-04-16 11:10:02 +0100 |
commit | 0ee1b6d0c934944c0b6dba69e4c16d8e848b85bd (patch) | |
tree | 6d952de325df29a087789c74fc8bb4abadc69249 /meta/recipes-devtools | |
parent | 24597588d29388ab4fc9485fcf27f8b580a4f5e8 (diff) | |
download | poky-0ee1b6d0c934944c0b6dba69e4c16d8e848b85bd.tar.gz |
python: update to 2.7.16
Drop backported patches
License-update: copyright years
(From OE-Core rev: 061dfcdf062d64e4e1e50e28edfacb14e41b7d74)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
10 files changed, 29 insertions, 486 deletions
diff --git a/meta/recipes-devtools/python/python-native_2.7.15.bb b/meta/recipes-devtools/python/python-native_2.7.16.bb index 26d67df6b8..b7442800d9 100644 --- a/meta/recipes-devtools/python/python-native_2.7.15.bb +++ b/meta/recipes-devtools/python/python-native_2.7.16.bb | |||
@@ -1,7 +1,6 @@ | |||
1 | require python.inc | 1 | require python.inc |
2 | EXTRANATIVEPATH += "bzip2-native" | 2 | EXTRANATIVEPATH += "bzip2-native" |
3 | DEPENDS = "openssl-native bzip2-replacement-native zlib-native readline-native sqlite3-native expat-native gdbm-native db-native" | 3 | DEPENDS = "openssl-native bzip2-replacement-native zlib-native readline-native sqlite3-native expat-native gdbm-native db-native" |
4 | PR = "${INC_PR}.1" | ||
5 | 4 | ||
6 | SRC_URI += "\ | 5 | SRC_URI += "\ |
7 | file://05-enable-ctypes-cross-build.patch \ | 6 | file://05-enable-ctypes-cross-build.patch \ |
@@ -17,7 +16,6 @@ SRC_URI += "\ | |||
17 | file://parallel-makeinst-create-bindir.patch \ | 16 | file://parallel-makeinst-create-bindir.patch \ |
18 | file://revert_use_of_sysconfigdata.patch \ | 17 | file://revert_use_of_sysconfigdata.patch \ |
19 | file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \ | 18 | file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \ |
20 | file://0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch \ | ||
21 | " | 19 | " |
22 | 20 | ||
23 | S = "${WORKDIR}/Python-${PV}" | 21 | S = "${WORKDIR}/Python-${PV}" |
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc index 66923678b1..779df53521 100644 --- a/meta/recipes-devtools/python/python.inc +++ b/meta/recipes-devtools/python/python.inc | |||
@@ -5,18 +5,13 @@ SECTION = "devel/python" | |||
5 | # bump this on every change in contrib/python/generate-manifest-2.7.py | 5 | # bump this on every change in contrib/python/generate-manifest-2.7.py |
6 | INC_PR = "r1" | 6 | INC_PR = "r1" |
7 | 7 | ||
8 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754" | 8 | LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498" |
9 | 9 | ||
10 | SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | 10 | SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ |
11 | file://0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch \ | ||
12 | file://0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch \ | ||
13 | file://0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch \ | ||
14 | file://0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch \ | ||
15 | file://0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch \ | ||
16 | " | 11 | " |
17 | 12 | ||
18 | SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d" | 13 | SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5" |
19 | SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574" | 14 | SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7" |
20 | 15 | ||
21 | # python recipe is actually python 2.x | 16 | # python recipe is actually python 2.x |
22 | # also, exclude pre-releases for both python 2.x and 3.x | 17 | # also, exclude pre-releases for both python 2.x and 3.x |
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch deleted file mode 100644 index 3c0d662296..0000000000 --- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch +++ /dev/null | |||
@@ -1,96 +0,0 @@ | |||
1 | From 3ffc80959f01f9fde548f1632694b9f950c2dd7c Mon Sep 17 00:00:00 2001 | ||
2 | From: Christian Heimes <christian@python.org> | ||
3 | Date: Tue, 18 Sep 2018 15:13:09 +0200 | ||
4 | Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree | ||
5 | (GH-9146) (GH-9394) | ||
6 | |||
7 | The C accelerated _elementtree module now initializes hash randomization | ||
8 | salt from _Py_HashSecret instead of libexpat's default CPRNG. | ||
9 | |||
10 | Signed-off-by: Christian Heimes <christian@python.org> | ||
11 | |||
12 | https://bugs.python.org/issue34623. | ||
13 | (cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b) | ||
14 | |||
15 | Co-authored-by: Christian Heimes <christian@python.org> | ||
16 | |||
17 | |||
18 | |||
19 | https://bugs.python.org/issue34623 | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | CVE: CVE-2018-14647 | ||
23 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
24 | --- | ||
25 | Include/pyexpat.h | 4 +++- | ||
26 | Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++ | ||
27 | Modules/_elementtree.c | 5 +++++ | ||
28 | Modules/pyexpat.c | 5 +++++ | ||
29 | 4 files changed, 15 insertions(+), 1 deletion(-) | ||
30 | create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | ||
31 | |||
32 | diff --git a/Include/pyexpat.h b/Include/pyexpat.h | ||
33 | index 5340ef5..3fc5fa5 100644 | ||
34 | --- a/Include/pyexpat.h | ||
35 | +++ b/Include/pyexpat.h | ||
36 | @@ -3,7 +3,7 @@ | ||
37 | |||
38 | /* note: you must import expat.h before importing this module! */ | ||
39 | |||
40 | -#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0" | ||
41 | +#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1" | ||
42 | #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI" | ||
43 | |||
44 | struct PyExpat_CAPI | ||
45 | @@ -43,6 +43,8 @@ struct PyExpat_CAPI | ||
46 | XML_Parser parser, XML_UnknownEncodingHandler handler, | ||
47 | void *encodingHandlerData); | ||
48 | void (*SetUserData)(XML_Parser parser, void *userData); | ||
49 | + /* might be none for expat < 2.1.0 */ | ||
50 | + int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); | ||
51 | /* always add new stuff to the end! */ | ||
52 | }; | ||
53 | |||
54 | diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | ||
55 | new file mode 100644 | ||
56 | index 0000000..31ad92e | ||
57 | --- /dev/null | ||
58 | +++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | ||
59 | @@ -0,0 +1,2 @@ | ||
60 | +The C accelerated _elementtree module now initializes hash randomization | ||
61 | +salt from _Py_HashSecret instead of libexpat's default CSPRNG. | ||
62 | diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c | ||
63 | index 1d316a1..a19cbf7 100644 | ||
64 | --- a/Modules/_elementtree.c | ||
65 | +++ b/Modules/_elementtree.c | ||
66 | @@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw) | ||
67 | PyErr_NoMemory(); | ||
68 | return NULL; | ||
69 | } | ||
70 | + /* expat < 2.1.0 has no XML_SetHashSalt() */ | ||
71 | + if (EXPAT(SetHashSalt) != NULL) { | ||
72 | + EXPAT(SetHashSalt)(self->parser, | ||
73 | + (unsigned long)_Py_HashSecret.prefix); | ||
74 | + } | ||
75 | |||
76 | ALLOC(sizeof(XMLParserObject), "create expatparser"); | ||
77 | |||
78 | diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c | ||
79 | index 2b4d312..1f8c0d7 100644 | ||
80 | --- a/Modules/pyexpat.c | ||
81 | +++ b/Modules/pyexpat.c | ||
82 | @@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void) | ||
83 | capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler; | ||
84 | capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler; | ||
85 | capi.SetUserData = XML_SetUserData; | ||
86 | +#if XML_COMBINED_VERSION >= 20100 | ||
87 | + capi.SetHashSalt = XML_SetHashSalt; | ||
88 | +#else | ||
89 | + capi.SetHashSalt = NULL; | ||
90 | +#endif | ||
91 | |||
92 | /* export using capsule */ | ||
93 | capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL); | ||
94 | -- | ||
95 | 2.7.4 | ||
96 | |||
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch deleted file mode 100644 index 4c0b3577b2..0000000000 --- a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | From 19f6bd06af3c7fc0db5f96878aaa68f5589ff13e Mon Sep 17 00:00:00 2001 | ||
2 | From: Pablo Galindo <Pablogsal@gmail.com> | ||
3 | Date: Thu, 24 May 2018 23:20:44 +0100 | ||
4 | Subject: [PATCH] bpo-33354: Fix test_ssl when a filename cannot be encoded | ||
5 | (GH-6613) | ||
6 | |||
7 | Skip test_load_dh_params() of test_ssl when Python filesystem encoding | ||
8 | cannot encode the provided path. | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/python/cpython/commit/19f6bd06af3c7fc0db5f96878aaa68f5589ff13e] | ||
11 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
12 | --- | ||
13 | Lib/test/test_ssl.py | 9 ++++++++- | ||
14 | .../next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | 2 ++ | ||
15 | 2 files changed, 10 insertions(+), 1 deletion(-) | ||
16 | create mode 100644 Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | ||
17 | |||
18 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | ||
19 | index b59fe73f04..7ced90fdf6 100644 | ||
20 | --- a/Lib/test/test_ssl.py | ||
21 | +++ b/Lib/test/test_ssl.py | ||
22 | @@ -989,6 +989,13 @@ class ContextTests(unittest.TestCase): | ||
23 | |||
24 | |||
25 | def test_load_dh_params(self): | ||
26 | + filename = u'dhpäräm.pem' | ||
27 | + fs_encoding = sys.getfilesystemencoding() | ||
28 | + try: | ||
29 | + filename.encode(fs_encoding) | ||
30 | + except UnicodeEncodeError: | ||
31 | + self.skipTest("filename %r cannot be encoded to the filesystem encoding %r" % (filename, fs_encoding)) | ||
32 | + | ||
33 | ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) | ||
34 | ctx.load_dh_params(DHFILE) | ||
35 | if os.name != 'nt': | ||
36 | @@ -1001,7 +1008,7 @@ class ContextTests(unittest.TestCase): | ||
37 | with self.assertRaises(ssl.SSLError) as cm: | ||
38 | ctx.load_dh_params(CERTFILE) | ||
39 | with support.temp_dir() as d: | ||
40 | - fname = os.path.join(d, u'dhpäräm.pem') | ||
41 | + fname = os.path.join(d, filename) | ||
42 | shutil.copy(DHFILE, fname) | ||
43 | ctx.load_dh_params(fname) | ||
44 | |||
45 | diff --git a/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | ||
46 | new file mode 100644 | ||
47 | index 0000000000..c66cecac32 | ||
48 | --- /dev/null | ||
49 | +++ b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | ||
50 | @@ -0,0 +1,2 @@ | ||
51 | +Skip ``test_ssl.test_load_dh_params`` when Python filesystem encoding cannot encode the | ||
52 | +provided path. | ||
53 | -- | ||
54 | 2.17.1 | ||
55 | |||
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch deleted file mode 100644 index 1f70562fc0..0000000000 --- a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch +++ /dev/null | |||
@@ -1,120 +0,0 @@ | |||
1 | From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001 | ||
2 | From: Christian Heimes <christian@python.org> | ||
3 | Date: Wed, 15 Aug 2018 09:07:28 +0200 | ||
4 | Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976) | ||
5 | (GH-8760) | ||
6 | |||
7 | Change TLS 1.3 cipher suite settings for compatibility with OpenSSL | ||
8 | 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by | ||
9 | default. | ||
10 | |||
11 | Also update multissltests to test with latest OpenSSL. | ||
12 | |||
13 | Signed-off-by: Christian Heimes <christian@python.org>. | ||
14 | (cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71) | ||
15 | |||
16 | Co-authored-by: Christian Heimes <christian@python.org> | ||
17 | |||
18 | Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771] | ||
19 | |||
20 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
21 | --- | ||
22 | Doc/library/ssl.rst | 8 ++-- | ||
23 | Lib/test/test_ssl.py | 37 +++++++++++-------- | ||
24 | .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++ | ||
25 | 3 files changed, 27 insertions(+), 21 deletions(-) | ||
26 | create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | ||
27 | |||
28 | diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst | ||
29 | index 0421031772..7c7c85b833 100644 | ||
30 | --- a/Doc/library/ssl.rst | ||
31 | +++ b/Doc/library/ssl.rst | ||
32 | @@ -294,11 +294,6 @@ purposes. | ||
33 | |||
34 | 3DES was dropped from the default cipher string. | ||
35 | |||
36 | - .. versionchanged:: 2.7.15 | ||
37 | - | ||
38 | - TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, | ||
39 | - and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string. | ||
40 | - | ||
41 | .. function:: _https_verify_certificates(enable=True) | ||
42 | |||
43 | Specifies whether or not server certificates are verified when creating | ||
44 | @@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients. | ||
45 | when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will | ||
46 | give the currently selected cipher. | ||
47 | |||
48 | + OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites | ||
49 | + cannot be disabled with :meth:`~SSLContext.set_ciphers`. | ||
50 | + | ||
51 | .. method:: SSLContext.set_alpn_protocols(protocols) | ||
52 | |||
53 | Specify which protocols the socket should advertise during the SSL/TLS | ||
54 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | ||
55 | index dc14e22ad1..f51572e319 100644 | ||
56 | --- a/Lib/test/test_ssl.py | ||
57 | +++ b/Lib/test/test_ssl.py | ||
58 | @@ -2772,19 +2772,24 @@ else: | ||
59 | sock.do_handshake() | ||
60 | self.assertEqual(cm.exception.errno, errno.ENOTCONN) | ||
61 | |||
62 | - def test_default_ciphers(self): | ||
63 | - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) | ||
64 | - try: | ||
65 | - # Force a set of weak ciphers on our client context | ||
66 | - context.set_ciphers("DES") | ||
67 | - except ssl.SSLError: | ||
68 | - self.skipTest("no DES cipher available") | ||
69 | - with ThreadedEchoServer(CERTFILE, | ||
70 | - ssl_version=ssl.PROTOCOL_SSLv23, | ||
71 | - chatty=False) as server: | ||
72 | - with closing(context.wrap_socket(socket.socket())) as s: | ||
73 | - with self.assertRaises(ssl.SSLError): | ||
74 | - s.connect((HOST, server.port)) | ||
75 | + def test_no_shared_ciphers(self): | ||
76 | + server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) | ||
77 | + server_context.load_cert_chain(SIGNED_CERTFILE) | ||
78 | + client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) | ||
79 | + client_context.verify_mode = ssl.CERT_REQUIRED | ||
80 | + client_context.check_hostname = True | ||
81 | + | ||
82 | + # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test | ||
83 | + client_context.options |= ssl.OP_NO_TLSv1_3 | ||
84 | + # Force different suites on client and master | ||
85 | + client_context.set_ciphers("AES128") | ||
86 | + server_context.set_ciphers("AES256") | ||
87 | + with ThreadedEchoServer(context=server_context) as server: | ||
88 | + s = client_context.wrap_socket( | ||
89 | + socket.socket(), | ||
90 | + server_hostname="localhost") | ||
91 | + with self.assertRaises(ssl.SSLError): | ||
92 | + s.connect((HOST, server.port)) | ||
93 | self.assertIn("no shared cipher", str(server.conn_errors[0])) | ||
94 | |||
95 | def test_version_basic(self): | ||
96 | @@ -2815,9 +2820,9 @@ else: | ||
97 | with context.wrap_socket(socket.socket()) as s: | ||
98 | s.connect((HOST, server.port)) | ||
99 | self.assertIn(s.cipher()[0], [ | ||
100 | - 'TLS13-AES-256-GCM-SHA384', | ||
101 | - 'TLS13-CHACHA20-POLY1305-SHA256', | ||
102 | - 'TLS13-AES-128-GCM-SHA256', | ||
103 | + 'TLS_AES_256_GCM_SHA384', | ||
104 | + 'TLS_CHACHA20_POLY1305_SHA256', | ||
105 | + 'TLS_AES_128_GCM_SHA256', | ||
106 | ]) | ||
107 | |||
108 | @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") | ||
109 | diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | ||
110 | new file mode 100644 | ||
111 | index 0000000000..bd719a47e8 | ||
112 | --- /dev/null | ||
113 | +++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | ||
114 | @@ -0,0 +1,3 @@ | ||
115 | +Change TLS 1.3 cipher suite settings for compatibility with OpenSSL | ||
116 | +1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by | ||
117 | +default. | ||
118 | -- | ||
119 | 2.17.1 | ||
120 | |||
diff --git a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch deleted file mode 100644 index 125db8512a..0000000000 --- a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch +++ /dev/null | |||
@@ -1,67 +0,0 @@ | |||
1 | From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001 | ||
2 | From: Benjamin Peterson <benjamin@python.org> | ||
3 | Date: Wed, 29 Aug 2018 21:59:21 -0700 | ||
4 | Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use | ||
5 | subprocess rather than distutils.spawn. (GH-8985) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2018-1000802 | ||
9 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
10 | --- | ||
11 | Lib/shutil.py | 16 ++++++++++------ | ||
12 | .../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ | ||
13 | 2 files changed, 13 insertions(+), 6 deletions(-) | ||
14 | create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
15 | |||
16 | diff --git a/Lib/shutil.py b/Lib/shutil.py | ||
17 | index 3462f7c..0ab1a06 100644 | ||
18 | --- a/Lib/shutil.py | ||
19 | +++ b/Lib/shutil.py | ||
20 | @@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0, | ||
21 | |||
22 | return archive_name | ||
23 | |||
24 | -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): | ||
25 | +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): | ||
26 | # XXX see if we want to keep an external call here | ||
27 | if verbose: | ||
28 | zipoptions = "-r" | ||
29 | else: | ||
30 | zipoptions = "-rq" | ||
31 | - from distutils.errors import DistutilsExecError | ||
32 | - from distutils.spawn import spawn | ||
33 | + cmd = ["zip", zipoptions, zip_filename, base_dir] | ||
34 | + if logger is not None: | ||
35 | + logger.info(' '.join(cmd)) | ||
36 | + if dry_run: | ||
37 | + return | ||
38 | + import subprocess | ||
39 | try: | ||
40 | - spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) | ||
41 | - except DistutilsExecError: | ||
42 | + subprocess.check_call(cmd) | ||
43 | + except subprocess.CalledProcessError: | ||
44 | # XXX really should distinguish between "couldn't find | ||
45 | # external 'zip' command" and "zip failed". | ||
46 | raise ExecError, \ | ||
47 | @@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None): | ||
48 | zipfile = None | ||
49 | |||
50 | if zipfile is None: | ||
51 | - _call_external_zip(base_dir, zip_filename, verbose, dry_run) | ||
52 | + _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) | ||
53 | else: | ||
54 | if logger is not None: | ||
55 | logger.info("creating '%s' and adding '%s' to it", | ||
56 | diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
57 | new file mode 100644 | ||
58 | index 0000000..4f68696 | ||
59 | --- /dev/null | ||
60 | +++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
61 | @@ -0,0 +1,3 @@ | ||
62 | +When ``shutil.make_archive`` falls back to the external ``zip`` problem, it | ||
63 | +uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This | ||
64 | +closes a possible shell injection vector. | ||
65 | -- | ||
66 | 2.7.4 | ||
67 | |||
diff --git a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch deleted file mode 100644 index 96882712e9..0000000000 --- a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From 0e1f3856a7e1511fb64d99646c54ddf3897cd444 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dimitri John Ledkov <xnox@ubuntu.com> | ||
3 | Date: Fri, 28 Sep 2018 14:15:52 +0100 | ||
4 | Subject: [PATCH 2/4] bpo-34818: Add missing closing() wrapper in test_tls1_3. | ||
5 | |||
6 | Python 2.7 socket classes do not implement context manager protocol, | ||
7 | hence closing() is required around it. Resolves testcase error | ||
8 | traceback. | ||
9 | |||
10 | Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
11 | |||
12 | https://bugs.python.org/issue34818 | ||
13 | |||
14 | Patch taken from Ubuntu. | ||
15 | |||
16 | Upstream-Status: Submitted [https://github.com/python/cpython/pull/9622] | ||
17 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
18 | --- | ||
19 | Lib/test/test_ssl.py | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | ||
23 | index f51572e319..7a14053cee 100644 | ||
24 | --- a/Lib/test/test_ssl.py | ||
25 | +++ b/Lib/test/test_ssl.py | ||
26 | @@ -2817,7 +2817,7 @@ else: | ||
27 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2 | ||
28 | ) | ||
29 | with ThreadedEchoServer(context=context) as server: | ||
30 | - with context.wrap_socket(socket.socket()) as s: | ||
31 | + with closing(context.wrap_socket(socket.socket())) as s: | ||
32 | s.connect((HOST, server.port)) | ||
33 | self.assertIn(s.cipher()[0], [ | ||
34 | 'TLS_AES_256_GCM_SHA384', | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
diff --git a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch deleted file mode 100644 index 77016cb430..0000000000 --- a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From 8b06d56d26eee289fec22b9b72ab4c7cc3d6c482 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dimitri John Ledkov <xnox@ubuntu.com> | ||
3 | Date: Fri, 28 Sep 2018 16:34:16 +0100 | ||
4 | Subject: [PATCH 3/4] bpo-34834: Fix test_ssl.test_options to account for | ||
5 | OP_ENABLE_MIDDLEBOX_COMPAT. | ||
6 | |||
7 | Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
8 | |||
9 | https://bugs.python.org/issue34834 | ||
10 | |||
11 | Patch taken from Ubuntu. | ||
12 | Upstream-Status: Submitted [https://github.com/python/cpython/pull/9624] | ||
13 | |||
14 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
15 | --- | ||
16 | Lib/test/test_ssl.py | 5 +++++ | ||
17 | 1 file changed, 5 insertions(+) | ||
18 | |||
19 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | ||
20 | index 7a14053cee..efc906a5ba 100644 | ||
21 | --- a/Lib/test/test_ssl.py | ||
22 | +++ b/Lib/test/test_ssl.py | ||
23 | @@ -777,6 +777,11 @@ class ContextTests(unittest.TestCase): | ||
24 | default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) | ||
25 | if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0): | ||
26 | default |= ssl.OP_NO_COMPRESSION | ||
27 | + if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1): | ||
28 | + # define MIDDLEBOX constant, as python2.7 does not know about it | ||
29 | + # but it is used by default. | ||
30 | + OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L | ||
31 | + default |= OP_ENABLE_MIDDLEBOX_COMPAT | ||
32 | self.assertEqual(default, ctx.options) | ||
33 | ctx.options |= ssl.OP_NO_TLSv1 | ||
34 | self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
diff --git a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch deleted file mode 100644 index 39e1bcfc86..0000000000 --- a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch +++ /dev/null | |||
@@ -1,34 +0,0 @@ | |||
1 | From 946a7969345c6697697effd226ec396d3fea05b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dimitri John Ledkov <xnox@ubuntu.com> | ||
3 | Date: Fri, 28 Sep 2018 17:30:19 +0100 | ||
4 | Subject: [PATCH 4/4] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3. | ||
5 | |||
6 | Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
7 | |||
8 | https://bugs.python.org/issue34836 | ||
9 | |||
10 | Patch taken from Ubuntu. | ||
11 | Upstream-Status: Submitted [https://github.com/python/cpython/pull/9626] | ||
12 | |||
13 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
14 | --- | ||
15 | Lib/test/test_ssl.py | 3 +++ | ||
16 | 1 file changed, 3 insertions(+) | ||
17 | |||
18 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | ||
19 | index efc906a5ba..4a3286cd5f 100644 | ||
20 | --- a/Lib/test/test_ssl.py | ||
21 | +++ b/Lib/test/test_ssl.py | ||
22 | @@ -2836,6 +2836,9 @@ else: | ||
23 | # should be enabled by default on SSL contexts. | ||
24 | context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) | ||
25 | context.load_cert_chain(CERTFILE) | ||
26 | + # TLSv1.3 defaults to PFS key agreement and no longer has KEA in | ||
27 | + # cipher name. | ||
28 | + context.options |= ssl.OP_NO_TLSv1_3 | ||
29 | # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled | ||
30 | # explicitly using the 'ECCdraft' cipher alias. Otherwise, | ||
31 | # our default cipher list should prefer ECDH-based ciphers | ||
32 | -- | ||
33 | 2.17.1 | ||
34 | |||
diff --git a/meta/recipes-devtools/python/python_2.7.15.bb b/meta/recipes-devtools/python/python_2.7.16.bb index 62051a227b..0e7dd2b3fb 100644 --- a/meta/recipes-devtools/python/python_2.7.15.bb +++ b/meta/recipes-devtools/python/python_2.7.16.bb | |||
@@ -3,38 +3,34 @@ require python.inc | |||
3 | DEPENDS = "python-native libffi bzip2 gdbm openssl \ | 3 | DEPENDS = "python-native libffi bzip2 gdbm openssl \ |
4 | readline sqlite3 zlib virtual/crypt" | 4 | readline sqlite3 zlib virtual/crypt" |
5 | 5 | ||
6 | PR = "${INC_PR}" | ||
7 | |||
8 | DISTRO_SRC_URI ?= "file://sitecustomize.py" | 6 | DISTRO_SRC_URI ?= "file://sitecustomize.py" |
9 | DISTRO_SRC_URI_linuxstdbase = "" | 7 | DISTRO_SRC_URI_linuxstdbase = "" |
10 | SRC_URI += "\ | 8 | SRC_URI += " \ |
11 | file://01-use-proper-tools-for-cross-build.patch \ | 9 | file://01-use-proper-tools-for-cross-build.patch \ |
12 | file://03-fix-tkinter-detection.patch \ | 10 | file://03-fix-tkinter-detection.patch \ |
13 | file://06-avoid_usr_lib_termcap_path_in_linking.patch \ | 11 | file://06-avoid_usr_lib_termcap_path_in_linking.patch \ |
14 | ${DISTRO_SRC_URI} \ | 12 | ${DISTRO_SRC_URI} \ |
15 | file://multilib.patch \ | 13 | file://multilib.patch \ |
16 | file://cgi_py.patch \ | 14 | file://cgi_py.patch \ |
17 | file://setup_py_skip_cross_import_check.patch \ | 15 | file://setup_py_skip_cross_import_check.patch \ |
18 | file://add-md5module-support.patch \ | 16 | file://add-md5module-support.patch \ |
19 | file://host_include_contamination.patch \ | 17 | file://host_include_contamination.patch \ |
20 | file://fix_for_using_different_libdir.patch \ | 18 | file://fix_for_using_different_libdir.patch \ |
21 | file://setuptweaks.patch \ | 19 | file://setuptweaks.patch \ |
22 | file://check-if-target-is-64b-not-host.patch \ | 20 | file://check-if-target-is-64b-not-host.patch \ |
23 | file://search_db_h_in_inc_dirs_and_avoid_warning.patch \ | 21 | file://search_db_h_in_inc_dirs_and_avoid_warning.patch \ |
24 | ${@bb.utils.contains('PACKAGECONFIG', 'tk', '', 'file://avoid_warning_about_tkinter.patch', d)} \ | 22 | ${@bb.utils.contains('PACKAGECONFIG', 'tk', '', 'file://avoid_warning_about_tkinter.patch', d)} \ |
25 | file://avoid_warning_for_sunos_specific_module.patch \ | 23 | file://avoid_warning_for_sunos_specific_module.patch \ |
26 | file://python-2.7.3-remove-bsdb-rpath.patch \ | 24 | file://python-2.7.3-remove-bsdb-rpath.patch \ |
27 | file://run-ptest \ | 25 | file://run-ptest \ |
28 | file://parallel-makeinst-create-bindir.patch \ | 26 | file://parallel-makeinst-create-bindir.patch \ |
29 | file://use_sysroot_ncurses_instead_of_host.patch \ | 27 | file://use_sysroot_ncurses_instead_of_host.patch \ |
30 | file://add-CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch \ | 28 | file://add-CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch \ |
31 | file://pass-missing-libraries-to-Extension-for-mul.patch \ | 29 | file://pass-missing-libraries-to-Extension-for-mul.patch \ |
32 | file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \ | 30 | file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \ |
33 | file://float-endian.patch \ | 31 | file://float-endian.patch \ |
34 | file://0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch \ | 32 | file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ |
35 | file://0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch \ | 33 | " |
36 | file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ | ||
37 | " | ||
38 | 34 | ||
39 | S = "${WORKDIR}/Python-${PV}" | 35 | S = "${WORKDIR}/Python-${PV}" |
40 | 36 | ||