python3: Upgrade 3.12.5 -> 3.12.6

Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232 and other bug fixes. Removed below patches, as the fix is included in 3.12.6 upgrade: 1. CVE-2024-7592.patch Release Notes: https://www.python.org/downloads/release/python-3126/ (From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Divya Chellam <divya.chellam@windriver.com> 2024-09-12 06:44:07 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-09-13 07:15:49 +0100
commit: 0249d9c8932674b8b00ec0d0a261f616794eee36 (patch)
tree: 880f3eb756ab7361704d661762260b597ef4fc61 /meta
parent: 1410b67bec84ed069742d21d7c12d0a3ca2013c7 (diff)
download: poky-0249d9c8932674b8b00ec0d0a261f616794eee36.tar.gz
3 files changed, 9 insertions, 244 deletions
diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
index 50a4609f7a..e8d297c721 100644
--- a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
+++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
@@ -16,11 +16,11 @@ Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
 Lib/test/test_readline.py | 2 ++
 1 file changed, 2 insertions(+)
-diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py
+Index: Python-3.12.6/Lib/test/test_readline.py
-index 91fd7dd13f9..d81f9bf8eed 100644
+===================================================================
--- a/Lib/test/test_readline.py
+--- Python-3.12.6.orig/Lib/test/test_readline.py
-+++ b/Lib/test/test_readline.py
+++ Python-3.12.6/Lib/test/test_readline.py
-@@ -132,6 +132,7 @@ def test_nonascii_history(self):
+@@ -133,6 +133,7 @@ class TestHistoryManipulation (unittest.
         self.assertEqual(readline.get_history_item(1), "entrée 1")
         self.assertEqual(readline.get_history_item(2), "entrée 22")
 
@@ -28,14 +28,11 @@ index 91fd7dd13f9..d81f9bf8eed 100644
     def test_write_read_limited_history(self):
         previous_length = readline.get_history_length()
         self.addCleanup(readline.set_history_length, previous_length)
-@@ -349,6 +350,7 @@ def test_history_size(self):
+@@ -371,6 +372,7 @@ readline.write_history_file(history_file
-             self.assertEqual(len(lines), history_size)
+         self.assertIn(b"done", output)
-             self.assertEqual(lines[-1].strip(), b"last input")
+ 
 
 +    @unittest.skip("Skipping problematic test")
     def test_write_read_limited_history(self):
         previous_length = readline.get_history_length()
         self.addCleanup(readline.set_history_length, previous_length)
-- 
-2.39.2
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
deleted file mode 100644
index 7fd74abed3..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Fri, 16 Aug 2024 19:13:37 +0300
-Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies
- with backslashes
-This fixes CVE-2024-7592.
-CVE: CVE-2024-7592
-Upstream-Status: Backport [https://github.com/python/cpython/pull/123075]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- Lib/http/cookies.py                           | 34 ++++-------------
- Lib/test/test_http_cookies.py                 | 38 +++++++++++++++++++
- ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |  1 +
- 3 files changed, 47 insertions(+), 26 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 351faf428a20cd..11a67e8a2e008b 100644
--- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,8 +184,12 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
- 
- 
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
-_QuotePatt = re.compile(r"[\\].")
-+_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))')
-+def _unquote_replace(m):
-+    if m[1]:
-+        return chr(int(m[1], 8))
-+    else:
-+        return m[2]
- 
- def _unquote(str):
-     # If there aren't any doublequotes,
-@@ -205,30 +209,8 @@ def _unquote(str):
-     #    \012 --> \n
-     #    \"   --> "
-     #
-    i = 0
-    n = len(str)
-    res = []
-    while 0 <= i < n:
-        o_match = _OctalPatt.search(str, i)
-        q_match = _QuotePatt.search(str, i)
-        if not o_match and not q_match:              # Neither matched
-            res.append(str[i:])
-            break
-        # else:
-        j = k = -1
-        if o_match:
-            j = o_match.start(0)
-        if q_match:
-            k = q_match.start(0)
-        if q_match and (not o_match or k < j):     # QuotePatt matched
-            res.append(str[i:k])
-            res.append(str[k+1])
-            i = k + 2
-        else:                                      # OctalPatt matched
-            res.append(str[i:j])
-            res.append(chr(int(str[j+1:j+4], 8)))
-            i = j + 4
-    return _nulljoin(res)
-+
-+    return _unquote_re.sub(_unquote_replace, str)
- 
- # The _getdate() routine is used to set the expiration time in the cookie's HTTP
- # header.  By default, _getdate() returns the current time in the appropriate
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index 925c8697f60de6..13b526d49b0856 100644
--- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -5,6 +5,7 @@
- import doctest
- from http import cookies
- import pickle
-+from test import support
- 
- 
- class CookieTests(unittest.TestCase):
-@@ -58,6 +59,43 @@ def test_basic(self):
-             for k, v in sorted(case['dict'].items()):
-                 self.assertEqual(C[k].value, v)
- 
-+    def test_unquote(self):
-+        cases = [
-+            (r'a="b=\""', 'b="'),
-+            (r'a="b=\\"', 'b=\\'),
-+            (r'a="b=\="', 'b=\\='),
-+            (r'a="b=\n"', 'b=\\n'),
-+            (r'a="b=\042"', 'b="'),
-+            (r'a="b=\134"', 'b=\\'),
-+            (r'a="b=\377"', 'b=\xff'),
-+            (r'a="b=\400"', 'b=\\400'),
-+            (r'a="b=\42"', 'b=\\42'),
-+            (r'a="b=\\042"', 'b=\\042'),
-+            (r'a="b=\\134"', 'b=\\134'),
-+            (r'a="b=\\\""', 'b=\\"'),
-+            (r'a="b=\\\042"', 'b=\\"'),
-+            (r'a="b=\134\""', 'b=\\"'),
-+            (r'a="b=\134\042"', 'b=\\"'),
-+        ]
-+        for encoded, decoded in cases:
-+            with self.subTest(encoded):
-+                C = cookies.SimpleCookie()
-+                C.load(encoded)
-+                self.assertEqual(C['a'].value, decoded)
-+
-+    @support.requires_resource('cpu')
-+    def test_unquote_large(self):
-+        n = 10**6
-+        for encoded in r'\\', r'\134':
-+            with self.subTest(encoded):
-+                data = 'a="b=' + encoded*n + ';"'
-+                C = cookies.SimpleCookie()
-+                C.load(data)
-+                value = C['a'].value
-+                self.assertEqual(value[:3], 'b=\\')
-+                self.assertEqual(value[-2:], '\\;')
-+                self.assertEqual(len(value), n + 3)
-+
-     def test_load(self):
-         C = cookies.SimpleCookie()
-         C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
-diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-new file mode 100644
-index 00000000000000..158b938a65a2d4
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-@@ -0,0 +1 @@
-+Fix quadratic complexity in parsing cookies with backslashes.
-From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Fri, 16 Aug 2024 19:38:20 +0300
-Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping.
---
- Lib/http/cookies.py           | 2 +-
- Lib/test/test_http_cookies.py | 8 ++++----
- 2 files changed, 5 insertions(+), 5 deletions(-)
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 11a67e8a2e008b..464abeb0fb253a 100644
--- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,7 +184,7 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
- 
- 
-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))')
-+_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')
- def _unquote_replace(m):
-     if m[1]:
-         return chr(int(m[1], 8))
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index 13b526d49b0856..8879902a6e2f41 100644
--- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -63,13 +63,13 @@ def test_unquote(self):
-         cases = [
-             (r'a="b=\""', 'b="'),
-             (r'a="b=\\"', 'b=\\'),
-            (r'a="b=\="', 'b=\\='),
-            (r'a="b=\n"', 'b=\\n'),
-+            (r'a="b=\="', 'b=='),
-+            (r'a="b=\n"', 'b=n'),
-             (r'a="b=\042"', 'b="'),
-             (r'a="b=\134"', 'b=\\'),
-             (r'a="b=\377"', 'b=\xff'),
-            (r'a="b=\400"', 'b=\\400'),
-            (r'a="b=\42"', 'b=\\42'),
-+            (r'a="b=\400"', 'b=400'),
-+            (r'a="b=\42"', 'b=42'),
-             (r'a="b=\\042"', 'b=\\042'),
-             (r'a="b=\\134"', 'b=\\134'),
-             (r'a="b=\\\""', 'b=\\"'),
-From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Sat, 17 Aug 2024 12:40:11 +0300
-Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object.
---
- Lib/http/cookies.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 464abeb0fb253a..6b9ed24ad8ec78 100644
--- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,7 +184,8 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
- 
- 
-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')
-+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
-+
- def _unquote_replace(m):
-     if m[1]:
-         return chr(int(m[1], 8))
-@@ -209,8 +210,7 @@ def _unquote(str):
-     #    \012 --> \n
-     #    \"   --> "
-     #
-
-    return _unquote_re.sub(_unquote_replace, str)
-+    return _unquote_sub(_unquote_replace, str)
- 
- # The _getdate() routine is used to set the expiration time in the cookie's HTTP
- # header.  By default, _getdate() returns the current time in the appropriate
-From 8256ed2228137c87d4b20747db84a9cdf0fa1d34 Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Sat, 17 Aug 2024 13:08:20 +0300
-Subject: [PATCH 4/4] Add a reference to the module in NEWS.
---
- .../next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-index 158b938a65a2d4..6a234561fe31a3 100644
--- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-@@ -1 +1 @@
-Fix quadratic complexity in parsing cookies with backslashes.
-+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.6.bb
index 29b02ef510..858124d104 100644
--- a/meta/recipes-devtools/python/python3_3.12.5.bb
+++ b/meta/recipes-devtools/python/python3_3.12.6.bb
@@ -34,14 +34,13 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-test_deadlock-skip-problematic-test.patch \
           file://0001-test_active_children-skip-problematic-test.patch \
           file://0001-test_readline-skip-limited-history-test.patch \
-           file://CVE-2024-7592.patch \
           "
 SRC_URI:append:class-native = " \
           file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
           "
-SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397"
+SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
author	Divya Chellam <divya.chellam@windriver.com>	2024-09-12 06:44:07 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-09-13 07:15:49 +0100
commit	0249d9c8932674b8b00ec0d0a261f616794eee36 (patch)
tree	880f3eb756ab7361704d661762260b597ef4fc61 /meta
parent	1410b67bec84ed069742d21d7c12d0a3ca2013c7 (diff)
download	poky-0249d9c8932674b8b00ec0d0a261f616794eee36.tar.gz

diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch index 50a4609f7a..e8d297c721 100644 --- a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch +++ b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
@@ -16,11 +16,11 @@ Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
16	Lib/test/test_readline.py \| 2 ++	16	Lib/test/test_readline.py \| 2 ++
17	1 file changed, 2 insertions(+)	17	1 file changed, 2 insertions(+)
18		18
19	diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py	19	Index: Python-3.12.6/Lib/test/test_readline.py
20	index 91fd7dd13f9..d81f9bf8eed 100644	20	===================================================================
21	--- a/Lib/test/test_readline.py	21	--- Python-3.12.6.orig/Lib/test/test_readline.py
22	+++ b/Lib/test/test_readline.py	22	+++ Python-3.12.6/Lib/test/test_readline.py
23	@@ -132,6 +132,7 @@ def test_nonascii_history(self):	23	@@ -133,6 +133,7 @@ class TestHistoryManipulation (unittest.
24	self.assertEqual(readline.get_history_item(1), "entrée 1")	24	self.assertEqual(readline.get_history_item(1), "entrée 1")
25	self.assertEqual(readline.get_history_item(2), "entrée 22")	25	self.assertEqual(readline.get_history_item(2), "entrée 22")
26		26
@@ -28,14 +28,11 @@ index 91fd7dd13f9..d81f9bf8eed 100644
28	def test_write_read_limited_history(self):	28	def test_write_read_limited_history(self):
29	previous_length = readline.get_history_length()	29	previous_length = readline.get_history_length()
30	self.addCleanup(readline.set_history_length, previous_length)	30	self.addCleanup(readline.set_history_length, previous_length)
31	@@ -349,6 +350,7 @@ def test_history_size(self):	31	@@ -371,6 +372,7 @@ readline.write_history_file(history_file
32	self.assertEqual(len(lines), history_size)	32	self.assertIn(b"done", output)
33	self.assertEqual(lines[-1].strip(), b"last input")	33
34		34
35	+ @unittest.skip("Skipping problematic test")	35	+ @unittest.skip("Skipping problematic test")
36	def test_write_read_limited_history(self):	36	def test_write_read_limited_history(self):
37	previous_length = readline.get_history_length()	37	previous_length = readline.get_history_length()
38	self.addCleanup(readline.set_history_length, previous_length)	38	self.addCleanup(readline.set_history_length, previous_length)
39	--
40	2.39.2
41


diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch deleted file mode 100644 index 7fd74abed3..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch +++ /dev/null
@@ -1,231 +0,0 @@
1	From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001
2	From: Serhiy Storchaka <storchaka@gmail.com>
3	Date: Fri, 16 Aug 2024 19:13:37 +0300
4	Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies
5	with backslashes
6
7	This fixes CVE-2024-7592.
8
9	CVE: CVE-2024-7592
10	Upstream-Status: Backport [https://github.com/python/cpython/pull/123075]
11	Signed-off-by: Khem Raj <raj.khem@gmail.com>
12
13	---
14	Lib/http/cookies.py \| 34 ++++-------------
15	Lib/test/test_http_cookies.py \| 38 +++++++++++++++++++
16	...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst \| 1 +
17	3 files changed, 47 insertions(+), 26 deletions(-)
18	create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
19
20	diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
21	index 351faf428a20cd..11a67e8a2e008b 100644
22	--- a/Lib/http/cookies.py
23	+++ b/Lib/http/cookies.py
24	@@ -184,8 +184,12 @@ def _quote(str):
25	return '"' + str.translate(_Translator) + '"'
26
27
28	-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
29	-_QuotePatt = re.compile(r"[\\].")
30	+_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])\|(["\\]))')
31	+def _unquote_replace(m):
32	+ if m[1]:
33	+ return chr(int(m[1], 8))
34	+ else:
35	+ return m[2]
36
37	def _unquote(str):
38	# If there aren't any doublequotes,
39	@@ -205,30 +209,8 @@ def _unquote(str):
40	# \012 --> \n
41	# \" --> "
42	#
43	- i = 0
44	- n = len(str)
45	- res = []
46	- while 0 <= i < n:
47	- o_match = _OctalPatt.search(str, i)
48	- q_match = _QuotePatt.search(str, i)
49	- if not o_match and not q_match: # Neither matched
50	- res.append(str[i:])
51	- break
52	- # else:
53	- j = k = -1
54	- if o_match:
55	- j = o_match.start(0)
56	- if q_match:
57	- k = q_match.start(0)
58	- if q_match and (not o_match or k < j): # QuotePatt matched
59	- res.append(str[i:k])
60	- res.append(str[k+1])
61	- i = k + 2
62	- else: # OctalPatt matched
63	- res.append(str[i:j])
64	- res.append(chr(int(str[j+1:j+4], 8)))
65	- i = j + 4
66	- return _nulljoin(res)
67	+
68	+ return _unquote_re.sub(_unquote_replace, str)
69
70	# The _getdate() routine is used to set the expiration time in the cookie's HTTP
71	# header. By default, _getdate() returns the current time in the appropriate
72	diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
73	index 925c8697f60de6..13b526d49b0856 100644
74	--- a/Lib/test/test_http_cookies.py
75	+++ b/Lib/test/test_http_cookies.py
76	@@ -5,6 +5,7 @@
77	import doctest
78	from http import cookies
79	import pickle
80	+from test import support
81
82
83	class CookieTests(unittest.TestCase):
84	@@ -58,6 +59,43 @@ def test_basic(self):
85	for k, v in sorted(case['dict'].items()):
86	self.assertEqual(C[k].value, v)
87
88	+ def test_unquote(self):
89	+ cases = [
90	+ (r'a="b=\""', 'b="'),
91	+ (r'a="b=\\"', 'b=\\'),
92	+ (r'a="b=\="', 'b=\\='),
93	+ (r'a="b=\n"', 'b=\\n'),
94	+ (r'a="b=\042"', 'b="'),
95	+ (r'a="b=\134"', 'b=\\'),
96	+ (r'a="b=\377"', 'b=\xff'),
97	+ (r'a="b=\400"', 'b=\\400'),
98	+ (r'a="b=\42"', 'b=\\42'),
99	+ (r'a="b=\\042"', 'b=\\042'),
100	+ (r'a="b=\\134"', 'b=\\134'),
101	+ (r'a="b=\\\""', 'b=\\"'),
102	+ (r'a="b=\\\042"', 'b=\\"'),
103	+ (r'a="b=\134\""', 'b=\\"'),
104	+ (r'a="b=\134\042"', 'b=\\"'),
105	+ ]
106	+ for encoded, decoded in cases:
107	+ with self.subTest(encoded):
108	+ C = cookies.SimpleCookie()
109	+ C.load(encoded)
110	+ self.assertEqual(C['a'].value, decoded)
111	+
112	+ @support.requires_resource('cpu')
113	+ def test_unquote_large(self):
114	+ n = 10**6
115	+ for encoded in r'\\', r'\134':
116	+ with self.subTest(encoded):
117	+ data = 'a="b=' + encoded*n + ';"'
118	+ C = cookies.SimpleCookie()
119	+ C.load(data)
120	+ value = C['a'].value
121	+ self.assertEqual(value[:3], 'b=\\')
122	+ self.assertEqual(value[-2:], '\\;')
123	+ self.assertEqual(len(value), n + 3)
124	+
125	def test_load(self):
126	C = cookies.SimpleCookie()
127	C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
128	diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
129	new file mode 100644
130	index 00000000000000..158b938a65a2d4
131	--- /dev/null
132	+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
133	@@ -0,0 +1 @@
134	+Fix quadratic complexity in parsing cookies with backslashes.
135
136	From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001
137	From: Serhiy Storchaka <storchaka@gmail.com>
138	Date: Fri, 16 Aug 2024 19:38:20 +0300
139	Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping.
140
141	---
142	Lib/http/cookies.py \| 2 +-
143	Lib/test/test_http_cookies.py \| 8 ++++----
144	2 files changed, 5 insertions(+), 5 deletions(-)
145
146	diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
147	index 11a67e8a2e008b..464abeb0fb253a 100644
148	--- a/Lib/http/cookies.py
149	+++ b/Lib/http/cookies.py
150	@@ -184,7 +184,7 @@ def _quote(str):
151	return '"' + str.translate(_Translator) + '"'
152
153
154	-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])\|(["\\]))')
155	+_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])\|(.))')
156	def _unquote_replace(m):
157	if m[1]:
158	return chr(int(m[1], 8))
159	diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
160	index 13b526d49b0856..8879902a6e2f41 100644
161	--- a/Lib/test/test_http_cookies.py
162	+++ b/Lib/test/test_http_cookies.py
163	@@ -63,13 +63,13 @@ def test_unquote(self):
164	cases = [
165	(r'a="b=\""', 'b="'),
166	(r'a="b=\\"', 'b=\\'),
167	- (r'a="b=\="', 'b=\\='),
168	- (r'a="b=\n"', 'b=\\n'),
169	+ (r'a="b=\="', 'b=='),
170	+ (r'a="b=\n"', 'b=n'),
171	(r'a="b=\042"', 'b="'),
172	(r'a="b=\134"', 'b=\\'),
173	(r'a="b=\377"', 'b=\xff'),
174	- (r'a="b=\400"', 'b=\\400'),
175	- (r'a="b=\42"', 'b=\\42'),
176	+ (r'a="b=\400"', 'b=400'),
177	+ (r'a="b=\42"', 'b=42'),
178	(r'a="b=\\042"', 'b=\\042'),
179	(r'a="b=\\134"', 'b=\\134'),
180	(r'a="b=\\\""', 'b=\\"'),
181
182	From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001
183	From: Serhiy Storchaka <storchaka@gmail.com>
184	Date: Sat, 17 Aug 2024 12:40:11 +0300
185	Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object.
186
187	---
188	Lib/http/cookies.py \| 6 +++---
189	1 file changed, 3 insertions(+), 3 deletions(-)
190
191	diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
192	index 464abeb0fb253a..6b9ed24ad8ec78 100644
193	--- a/Lib/http/cookies.py
194	+++ b/Lib/http/cookies.py
195	@@ -184,7 +184,8 @@ def _quote(str):
196	return '"' + str.translate(_Translator) + '"'
197
198
199	-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])\|(.))')
200	+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])\|(.))').sub
201	+
202	def _unquote_replace(m):
203	if m[1]:
204	return chr(int(m[1], 8))
205	@@ -209,8 +210,7 @@ def _unquote(str):
206	# \012 --> \n
207	# \" --> "
208	#
209	-
210	- return _unquote_re.sub(_unquote_replace, str)
211	+ return _unquote_sub(_unquote_replace, str)
212
213	# The _getdate() routine is used to set the expiration time in the cookie's HTTP
214	# header. By default, _getdate() returns the current time in the appropriate
215
216	From 8256ed2228137c87d4b20747db84a9cdf0fa1d34 Mon Sep 17 00:00:00 2001
217	From: Serhiy Storchaka <storchaka@gmail.com>
218	Date: Sat, 17 Aug 2024 13:08:20 +0300
219	Subject: [PATCH 4/4] Add a reference to the module in NEWS.
220
221	---
222	.../next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst \| 2 +-
223	1 file changed, 1 insertion(+), 1 deletion(-)
224
225	diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
226	index 158b938a65a2d4..6a234561fe31a3 100644
227	--- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
228	+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
229	@@ -1 +1 @@
230	-Fix quadratic complexity in parsing cookies with backslashes.
231	+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.


diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.6.bb index 29b02ef510..858124d104 100644 --- a/meta/recipes-devtools/python/python3_3.12.5.bb +++ b/meta/recipes-devtools/python/python3_3.12.6.bb
@@ -34,14 +34,13 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
34	file://0001-test_deadlock-skip-problematic-test.patch \	34	file://0001-test_deadlock-skip-problematic-test.patch \
35	file://0001-test_active_children-skip-problematic-test.patch \	35	file://0001-test_active_children-skip-problematic-test.patch \
36	file://0001-test_readline-skip-limited-history-test.patch \	36	file://0001-test_readline-skip-limited-history-test.patch \
37	file://CVE-2024-7592.patch \
38	"	37	"
39		38
40	SRC_URI:append:class-native = " \	39	SRC_URI:append:class-native = " \
41	file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \	40	file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
42	"	41	"
43		42
44	SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397"	43	SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c"
45		44
46	# exclude pre-releases for both python 2.x and 3.x	45	# exclude pre-releases for both python 2.x and 3.x
47	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	46	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"