diff options
| author | Tim Orling <timothy.t.orling@intel.com> | 2021-06-15 23:33:52 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-07-02 07:44:59 +0100 |
| commit | 2c53b198ed217c890007e008ea2144089cdd252f (patch) | |
| tree | b04a4bb5adb60fddb71f5e362d0b3bd4a16783b8 /meta | |
| parent | 9d8c7d39f38b55216aaae7c9cc27087b5339e926 (diff) | |
| download | poky-2c53b198ed217c890007e008ea2144089cdd252f.tar.gz | |
python3: upgrade 3.8.7 -> 3.8.8
Release Date: Feb. 19, 2021
Note: The release you're looking at is Python 3.8.8, a bugfix release for the
legacy 3.8 series. Python 3.9 is now the latest feature release series of
Python 3.
Notable changes in Python 3.8.8
Earlier Python versions allowed using both ; and & as query parameter
separators in urllib.parse.parse_qs() and urllib.parse.parse_qsl(). Due to
security concerns, and to conform with newer W3C recommendations, this has been
changed to allow only a single separator key, with & as the default. This
change also affects cgi.parse() and cgi.parse_multipart() as they use the
affected functions internally. For more details, please see their respective
documentation. (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin
in bpo-42967.)
License-Update: update copyright years
Drop patches fixed in 3.8.8:
- CVE-2021-3177
Fixes:
CVE: CVE-2021-3426
CVE: CVE-2021-23336
References:
https://www.python.org/downloads/release/python-388/
https://docs.python.org/release/3.8.8/whatsnew/changelog.html#changelog
https://docs.python.org/3/whatsnew/3.8.html#notable-changes-in-python-3-8-8
https://nvd.nist.gov/vuln/detail/CVE-2021-3177
https://nvd.nist.gov/vuln/detail/CVE-2021-3426
(From OE-Core rev: fdfc3340b58e1af0c231eedaa07358f7d9c6483e)
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2021-3177.patch | 191 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python3_3.8.8.bb (renamed from meta/recipes-devtools/python/python3_3.8.7.bb) | 7 |
2 files changed, 3 insertions, 195 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch deleted file mode 100644 index 43d678db46..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch +++ /dev/null | |||
| @@ -1,191 +0,0 @@ | |||
| 1 | From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Miss Islington (bot)" | ||
| 3 | <31488909+miss-islington@users.noreply.github.com> | ||
| 4 | Date: Mon, 18 Jan 2021 13:28:52 -0800 | ||
| 5 | Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode | ||
| 6 | formatting in ctypes param reprs. (GH-24248) | ||
| 7 | |||
| 8 | (cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) | ||
| 9 | |||
| 10 | Co-authored-by: Benjamin Peterson <benjamin@python.org> | ||
| 11 | |||
| 12 | Co-authored-by: Benjamin Peterson <benjamin@python.org> | ||
| 13 | |||
| 14 | CVE: CVE-2021-3177 | ||
| 15 | Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f] | ||
| 16 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
| 17 | --- | ||
| 18 | Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ | ||
| 19 | .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + | ||
| 20 | Modules/_ctypes/callproc.c | 51 +++++++------------ | ||
| 21 | 3 files changed, 64 insertions(+), 32 deletions(-) | ||
| 22 | create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | ||
| 23 | |||
| 24 | diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py | ||
| 25 | index e4c25fd880cef..531894fdec838 100644 | ||
| 26 | --- a/Lib/ctypes/test/test_parameters.py | ||
| 27 | +++ b/Lib/ctypes/test/test_parameters.py | ||
| 28 | @@ -201,6 +201,49 @@ def __dict__(self): | ||
| 29 | with self.assertRaises(ZeroDivisionError): | ||
| 30 | WorseStruct().__setstate__({}, b'foo') | ||
| 31 | |||
| 32 | + def test_parameter_repr(self): | ||
| 33 | + from ctypes import ( | ||
| 34 | + c_bool, | ||
| 35 | + c_char, | ||
| 36 | + c_wchar, | ||
| 37 | + c_byte, | ||
| 38 | + c_ubyte, | ||
| 39 | + c_short, | ||
| 40 | + c_ushort, | ||
| 41 | + c_int, | ||
| 42 | + c_uint, | ||
| 43 | + c_long, | ||
| 44 | + c_ulong, | ||
| 45 | + c_longlong, | ||
| 46 | + c_ulonglong, | ||
| 47 | + c_float, | ||
| 48 | + c_double, | ||
| 49 | + c_longdouble, | ||
| 50 | + c_char_p, | ||
| 51 | + c_wchar_p, | ||
| 52 | + c_void_p, | ||
| 53 | + ) | ||
| 54 | + self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$") | ||
| 55 | + self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") | ||
| 56 | + self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") | ||
| 57 | + self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") | ||
| 58 | + self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") | ||
| 59 | + self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") | ||
| 60 | + self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") | ||
| 61 | + self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") | ||
| 62 | + self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") | ||
| 63 | + self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") | ||
| 64 | + self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") | ||
| 65 | + self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") | ||
| 66 | + self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") | ||
| 67 | + self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") | ||
| 68 | + self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") | ||
| 69 | + self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") | ||
| 70 | + self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") | ||
| 71 | + self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") | ||
| 72 | + self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") | ||
| 73 | + self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") | ||
| 74 | + | ||
| 75 | ################################################################ | ||
| 76 | |||
| 77 | if __name__ == '__main__': | ||
| 78 | diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | ||
| 79 | new file mode 100644 | ||
| 80 | index 0000000000000..7df65a156feab | ||
| 81 | --- /dev/null | ||
| 82 | +++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | ||
| 83 | @@ -0,0 +1,2 @@ | ||
| 84 | +Avoid static buffers when computing the repr of :class:`ctypes.c_double` and | ||
| 85 | +:class:`ctypes.c_longdouble` values. | ||
| 86 | diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c | ||
| 87 | index a9b8675cd951b..de75918d49f37 100644 | ||
| 88 | --- a/Modules/_ctypes/callproc.c | ||
| 89 | +++ b/Modules/_ctypes/callproc.c | ||
| 90 | @@ -484,58 +484,47 @@ is_literal_char(unsigned char c) | ||
| 91 | static PyObject * | ||
| 92 | PyCArg_repr(PyCArgObject *self) | ||
| 93 | { | ||
| 94 | - char buffer[256]; | ||
| 95 | switch(self->tag) { | ||
| 96 | case 'b': | ||
| 97 | case 'B': | ||
| 98 | - sprintf(buffer, "<cparam '%c' (%d)>", | ||
| 99 | + return PyUnicode_FromFormat("<cparam '%c' (%d)>", | ||
| 100 | self->tag, self->value.b); | ||
| 101 | - break; | ||
| 102 | case 'h': | ||
| 103 | case 'H': | ||
| 104 | - sprintf(buffer, "<cparam '%c' (%d)>", | ||
| 105 | + return PyUnicode_FromFormat("<cparam '%c' (%d)>", | ||
| 106 | self->tag, self->value.h); | ||
| 107 | - break; | ||
| 108 | case 'i': | ||
| 109 | case 'I': | ||
| 110 | - sprintf(buffer, "<cparam '%c' (%d)>", | ||
| 111 | + return PyUnicode_FromFormat("<cparam '%c' (%d)>", | ||
| 112 | self->tag, self->value.i); | ||
| 113 | - break; | ||
| 114 | case 'l': | ||
| 115 | case 'L': | ||
| 116 | - sprintf(buffer, "<cparam '%c' (%ld)>", | ||
| 117 | + return PyUnicode_FromFormat("<cparam '%c' (%ld)>", | ||
| 118 | self->tag, self->value.l); | ||
| 119 | - break; | ||
| 120 | |||
| 121 | case 'q': | ||
| 122 | case 'Q': | ||
| 123 | - sprintf(buffer, | ||
| 124 | -#ifdef MS_WIN32 | ||
| 125 | - "<cparam '%c' (%I64d)>", | ||
| 126 | -#else | ||
| 127 | - "<cparam '%c' (%lld)>", | ||
| 128 | -#endif | ||
| 129 | + return PyUnicode_FromFormat("<cparam '%c' (%lld)>", | ||
| 130 | self->tag, self->value.q); | ||
| 131 | - break; | ||
| 132 | case 'd': | ||
| 133 | - sprintf(buffer, "<cparam '%c' (%f)>", | ||
| 134 | - self->tag, self->value.d); | ||
| 135 | - break; | ||
| 136 | - case 'f': | ||
| 137 | - sprintf(buffer, "<cparam '%c' (%f)>", | ||
| 138 | - self->tag, self->value.f); | ||
| 139 | - break; | ||
| 140 | - | ||
| 141 | + case 'f': { | ||
| 142 | + PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); | ||
| 143 | + if (f == NULL) { | ||
| 144 | + return NULL; | ||
| 145 | + } | ||
| 146 | + PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); | ||
| 147 | + Py_DECREF(f); | ||
| 148 | + return result; | ||
| 149 | + } | ||
| 150 | case 'c': | ||
| 151 | if (is_literal_char((unsigned char)self->value.c)) { | ||
| 152 | - sprintf(buffer, "<cparam '%c' ('%c')>", | ||
| 153 | + return PyUnicode_FromFormat("<cparam '%c' ('%c')>", | ||
| 154 | self->tag, self->value.c); | ||
| 155 | } | ||
| 156 | else { | ||
| 157 | - sprintf(buffer, "<cparam '%c' ('\\x%02x')>", | ||
| 158 | + return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", | ||
| 159 | self->tag, (unsigned char)self->value.c); | ||
| 160 | } | ||
| 161 | - break; | ||
| 162 | |||
| 163 | /* Hm, are these 'z' and 'Z' codes useful at all? | ||
| 164 | Shouldn't they be replaced by the functionality of c_string | ||
| 165 | @@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) | ||
| 166 | case 'z': | ||
| 167 | case 'Z': | ||
| 168 | case 'P': | ||
| 169 | - sprintf(buffer, "<cparam '%c' (%p)>", | ||
| 170 | + return PyUnicode_FromFormat("<cparam '%c' (%p)>", | ||
| 171 | self->tag, self->value.p); | ||
| 172 | break; | ||
| 173 | |||
| 174 | default: | ||
| 175 | if (is_literal_char((unsigned char)self->tag)) { | ||
| 176 | - sprintf(buffer, "<cparam '%c' at %p>", | ||
| 177 | + return PyUnicode_FromFormat("<cparam '%c' at %p>", | ||
| 178 | (unsigned char)self->tag, (void *)self); | ||
| 179 | } | ||
| 180 | else { | ||
| 181 | - sprintf(buffer, "<cparam 0x%02x at %p>", | ||
| 182 | + return PyUnicode_FromFormat("<cparam 0x%02x at %p>", | ||
| 183 | (unsigned char)self->tag, (void *)self); | ||
| 184 | } | ||
| 185 | - break; | ||
| 186 | } | ||
| 187 | - return PyUnicode_FromString(buffer); | ||
| 188 | } | ||
| 189 | |||
| 190 | static PyMemberDef PyCArgType_members[] = { | ||
| 191 | |||
diff --git a/meta/recipes-devtools/python/python3_3.8.7.bb b/meta/recipes-devtools/python/python3_3.8.8.bb index 11a69ea808..d77c7d87fb 100644 --- a/meta/recipes-devtools/python/python3_3.8.7.bb +++ b/meta/recipes-devtools/python/python3_3.8.8.bb | |||
| @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly | |||
| 4 | LICENSE = "PSF-2.0 & BSD-0-Clause" | 4 | LICENSE = "PSF-2.0 & BSD-0-Clause" |
| 5 | SECTION = "devel/python" | 5 | SECTION = "devel/python" |
| 6 | 6 | ||
| 7 | LIC_FILES_CHKSUM = "file://LICENSE;md5=33223c9ef60c31e3f0e866cb09b65e83" | 7 | LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7" |
| 8 | 8 | ||
| 9 | SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | 9 | SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ |
| 10 | file://run-ptest \ | 10 | file://run-ptest \ |
| @@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | |||
| 33 | file://0001-configure.ac-fix-LIBPL.patch \ | 33 | file://0001-configure.ac-fix-LIBPL.patch \ |
| 34 | file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ | 34 | file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ |
| 35 | file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ | 35 | file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ |
| 36 | file://CVE-2021-3177.patch \ | ||
| 37 | " | 36 | " |
| 38 | 37 | ||
| 39 | SRC_URI_append_class-native = " \ | 38 | SRC_URI_append_class-native = " \ |
| @@ -42,8 +41,8 @@ SRC_URI_append_class-native = " \ | |||
| 42 | file://0001-Don-t-search-system-for-headers-libraries.patch \ | 41 | file://0001-Don-t-search-system-for-headers-libraries.patch \ |
| 43 | " | 42 | " |
| 44 | 43 | ||
| 45 | SRC_URI[md5sum] = "60fe018fffc7f33818e6c340d29e2db9" | 44 | SRC_URI[md5sum] = "23e6b769857233c1ac07b6be7442eff4" |
| 46 | SRC_URI[sha256sum] = "ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a" | 45 | SRC_URI[sha256sum] = "7c664249ff77e443d6ea0e4cf0e587eae918ca3c48d081d1915fe2a1f1bcc5cc" |
| 47 | 46 | ||
| 48 | # exclude pre-releases for both python 2.x and 3.x | 47 | # exclude pre-releases for both python 2.x and 3.x |
| 49 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" | 48 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" |