diff options
author | Divya Chellam <divya.chellam@windriver.com> | 2024-09-12 06:44:07 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-09-13 07:15:49 +0100 |
commit | 0249d9c8932674b8b00ec0d0a261f616794eee36 (patch) | |
tree | 880f3eb756ab7361704d661762260b597ef4fc61 /meta | |
parent | 1410b67bec84ed069742d21d7c12d0a3ca2013c7 (diff) | |
download | poky-0249d9c8932674b8b00ec0d0a261f616794eee36.tar.gz |
python3: Upgrade 3.12.5 -> 3.12.6
Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232
and other bug fixes.
Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
Release Notes:
https://www.python.org/downloads/release/python-3126/
(From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch | 19 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2024-7592.patch | 231 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.12.6.bb (renamed from meta/recipes-devtools/python/python3_3.12.5.bb) | 3 |
3 files changed, 9 insertions, 244 deletions
diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch index 50a4609f7a..e8d297c721 100644 --- a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch +++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch | |||
@@ -16,11 +16,11 @@ Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> | |||
16 | Lib/test/test_readline.py | 2 ++ | 16 | Lib/test/test_readline.py | 2 ++ |
17 | 1 file changed, 2 insertions(+) | 17 | 1 file changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py | 19 | Index: Python-3.12.6/Lib/test/test_readline.py |
20 | index 91fd7dd13f9..d81f9bf8eed 100644 | 20 | =================================================================== |
21 | --- a/Lib/test/test_readline.py | 21 | --- Python-3.12.6.orig/Lib/test/test_readline.py |
22 | +++ b/Lib/test/test_readline.py | 22 | +++ Python-3.12.6/Lib/test/test_readline.py |
23 | @@ -132,6 +132,7 @@ def test_nonascii_history(self): | 23 | @@ -133,6 +133,7 @@ class TestHistoryManipulation (unittest. |
24 | self.assertEqual(readline.get_history_item(1), "entrée 1") | 24 | self.assertEqual(readline.get_history_item(1), "entrée 1") |
25 | self.assertEqual(readline.get_history_item(2), "entrée 22") | 25 | self.assertEqual(readline.get_history_item(2), "entrée 22") |
26 | 26 | ||
@@ -28,14 +28,11 @@ index 91fd7dd13f9..d81f9bf8eed 100644 | |||
28 | def test_write_read_limited_history(self): | 28 | def test_write_read_limited_history(self): |
29 | previous_length = readline.get_history_length() | 29 | previous_length = readline.get_history_length() |
30 | self.addCleanup(readline.set_history_length, previous_length) | 30 | self.addCleanup(readline.set_history_length, previous_length) |
31 | @@ -349,6 +350,7 @@ def test_history_size(self): | 31 | @@ -371,6 +372,7 @@ readline.write_history_file(history_file |
32 | self.assertEqual(len(lines), history_size) | 32 | self.assertIn(b"done", output) |
33 | self.assertEqual(lines[-1].strip(), b"last input") | 33 | |
34 | 34 | ||
35 | + @unittest.skip("Skipping problematic test") | 35 | + @unittest.skip("Skipping problematic test") |
36 | def test_write_read_limited_history(self): | 36 | def test_write_read_limited_history(self): |
37 | previous_length = readline.get_history_length() | 37 | previous_length = readline.get_history_length() |
38 | self.addCleanup(readline.set_history_length, previous_length) | 38 | self.addCleanup(readline.set_history_length, previous_length) |
39 | -- | ||
40 | 2.39.2 | ||
41 | |||
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch deleted file mode 100644 index 7fd74abed3..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch +++ /dev/null | |||
@@ -1,231 +0,0 @@ | |||
1 | From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001 | ||
2 | From: Serhiy Storchaka <storchaka@gmail.com> | ||
3 | Date: Fri, 16 Aug 2024 19:13:37 +0300 | ||
4 | Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies | ||
5 | with backslashes | ||
6 | |||
7 | This fixes CVE-2024-7592. | ||
8 | |||
9 | CVE: CVE-2024-7592 | ||
10 | Upstream-Status: Backport [https://github.com/python/cpython/pull/123075] | ||
11 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
12 | |||
13 | --- | ||
14 | Lib/http/cookies.py | 34 ++++------------- | ||
15 | Lib/test/test_http_cookies.py | 38 +++++++++++++++++++ | ||
16 | ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 + | ||
17 | 3 files changed, 47 insertions(+), 26 deletions(-) | ||
18 | create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | ||
19 | |||
20 | diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py | ||
21 | index 351faf428a20cd..11a67e8a2e008b 100644 | ||
22 | --- a/Lib/http/cookies.py | ||
23 | +++ b/Lib/http/cookies.py | ||
24 | @@ -184,8 +184,12 @@ def _quote(str): | ||
25 | return '"' + str.translate(_Translator) + '"' | ||
26 | |||
27 | |||
28 | -_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") | ||
29 | -_QuotePatt = re.compile(r"[\\].") | ||
30 | +_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))') | ||
31 | +def _unquote_replace(m): | ||
32 | + if m[1]: | ||
33 | + return chr(int(m[1], 8)) | ||
34 | + else: | ||
35 | + return m[2] | ||
36 | |||
37 | def _unquote(str): | ||
38 | # If there aren't any doublequotes, | ||
39 | @@ -205,30 +209,8 @@ def _unquote(str): | ||
40 | # \012 --> \n | ||
41 | # \" --> " | ||
42 | # | ||
43 | - i = 0 | ||
44 | - n = len(str) | ||
45 | - res = [] | ||
46 | - while 0 <= i < n: | ||
47 | - o_match = _OctalPatt.search(str, i) | ||
48 | - q_match = _QuotePatt.search(str, i) | ||
49 | - if not o_match and not q_match: # Neither matched | ||
50 | - res.append(str[i:]) | ||
51 | - break | ||
52 | - # else: | ||
53 | - j = k = -1 | ||
54 | - if o_match: | ||
55 | - j = o_match.start(0) | ||
56 | - if q_match: | ||
57 | - k = q_match.start(0) | ||
58 | - if q_match and (not o_match or k < j): # QuotePatt matched | ||
59 | - res.append(str[i:k]) | ||
60 | - res.append(str[k+1]) | ||
61 | - i = k + 2 | ||
62 | - else: # OctalPatt matched | ||
63 | - res.append(str[i:j]) | ||
64 | - res.append(chr(int(str[j+1:j+4], 8))) | ||
65 | - i = j + 4 | ||
66 | - return _nulljoin(res) | ||
67 | + | ||
68 | + return _unquote_re.sub(_unquote_replace, str) | ||
69 | |||
70 | # The _getdate() routine is used to set the expiration time in the cookie's HTTP | ||
71 | # header. By default, _getdate() returns the current time in the appropriate | ||
72 | diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py | ||
73 | index 925c8697f60de6..13b526d49b0856 100644 | ||
74 | --- a/Lib/test/test_http_cookies.py | ||
75 | +++ b/Lib/test/test_http_cookies.py | ||
76 | @@ -5,6 +5,7 @@ | ||
77 | import doctest | ||
78 | from http import cookies | ||
79 | import pickle | ||
80 | +from test import support | ||
81 | |||
82 | |||
83 | class CookieTests(unittest.TestCase): | ||
84 | @@ -58,6 +59,43 @@ def test_basic(self): | ||
85 | for k, v in sorted(case['dict'].items()): | ||
86 | self.assertEqual(C[k].value, v) | ||
87 | |||
88 | + def test_unquote(self): | ||
89 | + cases = [ | ||
90 | + (r'a="b=\""', 'b="'), | ||
91 | + (r'a="b=\\"', 'b=\\'), | ||
92 | + (r'a="b=\="', 'b=\\='), | ||
93 | + (r'a="b=\n"', 'b=\\n'), | ||
94 | + (r'a="b=\042"', 'b="'), | ||
95 | + (r'a="b=\134"', 'b=\\'), | ||
96 | + (r'a="b=\377"', 'b=\xff'), | ||
97 | + (r'a="b=\400"', 'b=\\400'), | ||
98 | + (r'a="b=\42"', 'b=\\42'), | ||
99 | + (r'a="b=\\042"', 'b=\\042'), | ||
100 | + (r'a="b=\\134"', 'b=\\134'), | ||
101 | + (r'a="b=\\\""', 'b=\\"'), | ||
102 | + (r'a="b=\\\042"', 'b=\\"'), | ||
103 | + (r'a="b=\134\""', 'b=\\"'), | ||
104 | + (r'a="b=\134\042"', 'b=\\"'), | ||
105 | + ] | ||
106 | + for encoded, decoded in cases: | ||
107 | + with self.subTest(encoded): | ||
108 | + C = cookies.SimpleCookie() | ||
109 | + C.load(encoded) | ||
110 | + self.assertEqual(C['a'].value, decoded) | ||
111 | + | ||
112 | + @support.requires_resource('cpu') | ||
113 | + def test_unquote_large(self): | ||
114 | + n = 10**6 | ||
115 | + for encoded in r'\\', r'\134': | ||
116 | + with self.subTest(encoded): | ||
117 | + data = 'a="b=' + encoded*n + ';"' | ||
118 | + C = cookies.SimpleCookie() | ||
119 | + C.load(data) | ||
120 | + value = C['a'].value | ||
121 | + self.assertEqual(value[:3], 'b=\\') | ||
122 | + self.assertEqual(value[-2:], '\\;') | ||
123 | + self.assertEqual(len(value), n + 3) | ||
124 | + | ||
125 | def test_load(self): | ||
126 | C = cookies.SimpleCookie() | ||
127 | C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme') | ||
128 | diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | ||
129 | new file mode 100644 | ||
130 | index 00000000000000..158b938a65a2d4 | ||
131 | --- /dev/null | ||
132 | +++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | ||
133 | @@ -0,0 +1 @@ | ||
134 | +Fix quadratic complexity in parsing cookies with backslashes. | ||
135 | |||
136 | From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001 | ||
137 | From: Serhiy Storchaka <storchaka@gmail.com> | ||
138 | Date: Fri, 16 Aug 2024 19:38:20 +0300 | ||
139 | Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping. | ||
140 | |||
141 | --- | ||
142 | Lib/http/cookies.py | 2 +- | ||
143 | Lib/test/test_http_cookies.py | 8 ++++---- | ||
144 | 2 files changed, 5 insertions(+), 5 deletions(-) | ||
145 | |||
146 | diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py | ||
147 | index 11a67e8a2e008b..464abeb0fb253a 100644 | ||
148 | --- a/Lib/http/cookies.py | ||
149 | +++ b/Lib/http/cookies.py | ||
150 | @@ -184,7 +184,7 @@ def _quote(str): | ||
151 | return '"' + str.translate(_Translator) + '"' | ||
152 | |||
153 | |||
154 | -_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))') | ||
155 | +_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))') | ||
156 | def _unquote_replace(m): | ||
157 | if m[1]: | ||
158 | return chr(int(m[1], 8)) | ||
159 | diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py | ||
160 | index 13b526d49b0856..8879902a6e2f41 100644 | ||
161 | --- a/Lib/test/test_http_cookies.py | ||
162 | +++ b/Lib/test/test_http_cookies.py | ||
163 | @@ -63,13 +63,13 @@ def test_unquote(self): | ||
164 | cases = [ | ||
165 | (r'a="b=\""', 'b="'), | ||
166 | (r'a="b=\\"', 'b=\\'), | ||
167 | - (r'a="b=\="', 'b=\\='), | ||
168 | - (r'a="b=\n"', 'b=\\n'), | ||
169 | + (r'a="b=\="', 'b=='), | ||
170 | + (r'a="b=\n"', 'b=n'), | ||
171 | (r'a="b=\042"', 'b="'), | ||
172 | (r'a="b=\134"', 'b=\\'), | ||
173 | (r'a="b=\377"', 'b=\xff'), | ||
174 | - (r'a="b=\400"', 'b=\\400'), | ||
175 | - (r'a="b=\42"', 'b=\\42'), | ||
176 | + (r'a="b=\400"', 'b=400'), | ||
177 | + (r'a="b=\42"', 'b=42'), | ||
178 | (r'a="b=\\042"', 'b=\\042'), | ||
179 | (r'a="b=\\134"', 'b=\\134'), | ||
180 | (r'a="b=\\\""', 'b=\\"'), | ||
181 | |||
182 | From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001 | ||
183 | From: Serhiy Storchaka <storchaka@gmail.com> | ||
184 | Date: Sat, 17 Aug 2024 12:40:11 +0300 | ||
185 | Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object. | ||
186 | |||
187 | --- | ||
188 | Lib/http/cookies.py | 6 +++--- | ||
189 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
190 | |||
191 | diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py | ||
192 | index 464abeb0fb253a..6b9ed24ad8ec78 100644 | ||
193 | --- a/Lib/http/cookies.py | ||
194 | +++ b/Lib/http/cookies.py | ||
195 | @@ -184,7 +184,8 @@ def _quote(str): | ||
196 | return '"' + str.translate(_Translator) + '"' | ||
197 | |||
198 | |||
199 | -_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))') | ||
200 | +_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub | ||
201 | + | ||
202 | def _unquote_replace(m): | ||
203 | if m[1]: | ||
204 | return chr(int(m[1], 8)) | ||
205 | @@ -209,8 +210,7 @@ def _unquote(str): | ||
206 | # \012 --> \n | ||
207 | # \" --> " | ||
208 | # | ||
209 | - | ||
210 | - return _unquote_re.sub(_unquote_replace, str) | ||
211 | + return _unquote_sub(_unquote_replace, str) | ||
212 | |||
213 | # The _getdate() routine is used to set the expiration time in the cookie's HTTP | ||
214 | # header. By default, _getdate() returns the current time in the appropriate | ||
215 | |||
216 | From 8256ed2228137c87d4b20747db84a9cdf0fa1d34 Mon Sep 17 00:00:00 2001 | ||
217 | From: Serhiy Storchaka <storchaka@gmail.com> | ||
218 | Date: Sat, 17 Aug 2024 13:08:20 +0300 | ||
219 | Subject: [PATCH 4/4] Add a reference to the module in NEWS. | ||
220 | |||
221 | --- | ||
222 | .../next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 2 +- | ||
223 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
224 | |||
225 | diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | ||
226 | index 158b938a65a2d4..6a234561fe31a3 100644 | ||
227 | --- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | ||
228 | +++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | ||
229 | @@ -1 +1 @@ | ||
230 | -Fix quadratic complexity in parsing cookies with backslashes. | ||
231 | +Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`. | ||
diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.6.bb index 29b02ef510..858124d104 100644 --- a/meta/recipes-devtools/python/python3_3.12.5.bb +++ b/meta/recipes-devtools/python/python3_3.12.6.bb | |||
@@ -34,14 +34,13 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | |||
34 | file://0001-test_deadlock-skip-problematic-test.patch \ | 34 | file://0001-test_deadlock-skip-problematic-test.patch \ |
35 | file://0001-test_active_children-skip-problematic-test.patch \ | 35 | file://0001-test_active_children-skip-problematic-test.patch \ |
36 | file://0001-test_readline-skip-limited-history-test.patch \ | 36 | file://0001-test_readline-skip-limited-history-test.patch \ |
37 | file://CVE-2024-7592.patch \ | ||
38 | " | 37 | " |
39 | 38 | ||
40 | SRC_URI:append:class-native = " \ | 39 | SRC_URI:append:class-native = " \ |
41 | file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ | 40 | file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ |
42 | " | 41 | " |
43 | 42 | ||
44 | SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397" | 43 | SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c" |
45 | 44 | ||
46 | # exclude pre-releases for both python 2.x and 3.x | 45 | # exclude pre-releases for both python 2.x and 3.x |
47 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" | 46 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" |