python3: upgrade 3.8.6 -> 3.8.7

Release Date: Dec. 21, 2020 Note: The release you're looking at is Python 3.8.7, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. * Drop patch for CVE-2020-27619 fixed in 3.8.7 References: https://nvd.nist.gov/vuln/detail/CVE-2020-27619 https://www.python.org/downloads/release/python-387/ https://docs.python.org/release/3.8.7/whatsnew/changelog.html (From OE-Core rev: a90dde9b1800acf364fa272177945e0a4cbf6560) Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Tim Orling <timothy.t.orling@intel.com> 2021-06-15 22:31:45 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-07-02 07:44:59 +0100
commit: 9d8c7d39f38b55216aaae7c9cc27087b5339e926 (patch)
tree: ba7daefebf143df874581466e4833cc63ecbd93b /meta
parent: 21c37d24411bb25773de16697a81f3dd412729ff (diff)
download: poky-9d8c7d39f38b55216aaae7c9cc27087b5339e926.tar.gz
2 files changed, 2 insertions, 73 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
deleted file mode 100644
index bafa1cb999..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001
-From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 6 Oct 2020 05:38:54 -0700
-Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
- in the CJK codec tests (GH-22566) (GH-22577)
-(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33]
-CVE: CVE-2020-27619
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
- Lib/test/multibytecodec_support.py            | 22 +++++++------------
- .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst  |  1 +
- 2 files changed, 9 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
-index cca8af67d6d1d..f76c0153f5ecf 100644
--- a/Lib/test/multibytecodec_support.py
-+++ b/Lib/test/multibytecodec_support.py
-@@ -305,29 +305,23 @@ def test_mapping_file(self):
-             self._test_mapping_file_plain()
- 
-     def _test_mapping_file_plain(self):
-        unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
-+        def unichrs(s):
-+            return ''.join(chr(int(x, 16)) for x in s.split('+'))
-+
-         urt_wa = {}
- 
-         with self.open_mapping_file() as f:
-             for line in f:
-                 if not line:
-                     break
-                data = line.split('#')[0].strip().split()
-+                data = line.split('#')[0].split()
-                 if len(data) != 2:
-                     continue
- 
-                csetval = eval(data[0])
-                if csetval <= 0x7F:
-                    csetch = bytes([csetval & 0xff])
-                elif csetval >= 0x1000000:
-                    csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
-                                    ((csetval >> 8) & 0xff), (csetval & 0xff)])
-                elif csetval >= 0x10000:
-                    csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
-                                    (csetval & 0xff)])
-                elif csetval >= 0x100:
-                    csetch = bytes([(csetval >> 8), (csetval & 0xff)])
-                else:
-+                if data[0][:2] != '0x':
-+                    self.fail(f"Invalid line: {line!r}")
-+                csetch = bytes.fromhex(data[0][2:])
-+                if len(csetch) == 1 and 0x80 <= csetch[0]:
-                     continue
- 
-                 unich = unichrs(data[1])
-diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-new file mode 100644
-index 0000000000000..4f9782f1c85af
--- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-@@ -0,0 +1 @@
-+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
diff --git a/meta/recipes-devtools/python/python3_3.8.6.bb b/meta/recipes-devtools/python/python3_3.8.7.bb
index bf33fce891..11a69ea808 100644
--- a/meta/recipes-devtools/python/python3_3.8.6.bb
+++ b/meta/recipes-devtools/python/python3_3.8.7.bb
@@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-configure.ac-fix-LIBPL.patch \
           file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
           file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
-           file://CVE-2020-27619.patch \
           file://CVE-2021-3177.patch \
           "
@@ -43,8 +42,8 @@ SRC_URI_append_class-native = " \
           file://0001-Don-t-search-system-for-headers-libraries.patch \
           "
-SRC_URI[md5sum] = "69e73c49eeb1a853cefd26d18c9d069d"
+SRC_URI[md5sum] = "60fe018fffc7f33818e6c340d29e2db9"
-SRC_URI[sha256sum] = "a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a"
+SRC_URI[sha256sum] = "ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
author	Tim Orling <timothy.t.orling@intel.com>	2021-06-15 22:31:45 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-07-02 07:44:59 +0100
commit	9d8c7d39f38b55216aaae7c9cc27087b5339e926 (patch)
tree	ba7daefebf143df874581466e4833cc63ecbd93b /meta
parent	21c37d24411bb25773de16697a81f3dd412729ff (diff)
download	poky-9d8c7d39f38b55216aaae7c9cc27087b5339e926.tar.gz

diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch deleted file mode 100644 index bafa1cb999..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch +++ /dev/null
@@ -1,70 +0,0 @@
1	From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001
2	From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
3	Date: Tue, 6 Oct 2020 05:38:54 -0700
4	Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
5	in the CJK codec tests (GH-22566) (GH-22577)
6
7	(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
8
9	Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
10
11	Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
12
13	Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33]
14	CVE: CVE-2020-27619
15	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
16	---
17	Lib/test/multibytecodec_support.py \| 22 +++++++------------
18	.../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst \| 1 +
19	2 files changed, 9 insertions(+), 14 deletions(-)
20	create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
21
22	diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
23	index cca8af67d6d1d..f76c0153f5ecf 100644
24	--- a/Lib/test/multibytecodec_support.py
25	+++ b/Lib/test/multibytecodec_support.py
26	@@ -305,29 +305,23 @@ def test_mapping_file(self):
27	self._test_mapping_file_plain()
28
29	def _test_mapping_file_plain(self):
30	- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
31	+ def unichrs(s):
32	+ return ''.join(chr(int(x, 16)) for x in s.split('+'))
33	+
34	urt_wa = {}
35
36	with self.open_mapping_file() as f:
37	for line in f:
38	if not line:
39	break
40	- data = line.split('#')[0].strip().split()
41	+ data = line.split('#')[0].split()
42	if len(data) != 2:
43	continue
44
45	- csetval = eval(data[0])
46	- if csetval <= 0x7F:
47	- csetch = bytes([csetval & 0xff])
48	- elif csetval >= 0x1000000:
49	- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
50	- ((csetval >> 8) & 0xff), (csetval & 0xff)])
51	- elif csetval >= 0x10000:
52	- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
53	- (csetval & 0xff)])
54	- elif csetval >= 0x100:
55	- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
56	- else:
57	+ if data[0][:2] != '0x':
58	+ self.fail(f"Invalid line: {line!r}")
59	+ csetch = bytes.fromhex(data[0][2:])
60	+ if len(csetch) == 1 and 0x80 <= csetch[0]:
61	continue
62
63	unich = unichrs(data[1])
64	diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
65	new file mode 100644
66	index 0000000000000..4f9782f1c85af
67	--- /dev/null
68	+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
69	@@ -0,0 +1 @@
70	+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.


diff --git a/meta/recipes-devtools/python/python3_3.8.6.bb b/meta/recipes-devtools/python/python3_3.8.7.bb index bf33fce891..11a69ea808 100644 --- a/meta/recipes-devtools/python/python3_3.8.6.bb +++ b/meta/recipes-devtools/python/python3_3.8.7.bb
@@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
33	file://0001-configure.ac-fix-LIBPL.patch \	33	file://0001-configure.ac-fix-LIBPL.patch \
34	file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \	34	file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
35	file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \	35	file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
36	file://CVE-2020-27619.patch \
37	file://CVE-2021-3177.patch \	36	file://CVE-2021-3177.patch \
38	"	37	"
39		38
@@ -43,8 +42,8 @@ SRC_URI_append_class-native = " \
43	file://0001-Don-t-search-system-for-headers-libraries.patch \	42	file://0001-Don-t-search-system-for-headers-libraries.patch \
44	"	43	"
45		44
46	SRC_URI[md5sum] = "69e73c49eeb1a853cefd26d18c9d069d"	45	SRC_URI[md5sum] = "60fe018fffc7f33818e6c340d29e2db9"
47	SRC_URI[sha256sum] = "a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a"	46	SRC_URI[sha256sum] = "ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a"
48		47
49	# exclude pre-releases for both python 2.x and 3.x	48	# exclude pre-releases for both python 2.x and 3.x
50	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	49	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"