Diffstat (limited to 'meta/recipes-devtools/python')
-rw-r--r--meta/recipes-devtools/python/python-setuptools.inc2
-rw-r--r--meta/recipes-devtools/python/python3-jinja2_2.11.3.bb (renamed from meta/recipes-devtools/python/python3-jinja2_2.11.2.bb)5
-rw-r--r--meta/recipes-devtools/python/python3-magic_0.4.15.bb7
-rw-r--r--meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch48
-rw-r--r--meta/recipes-devtools/python/python3-pip_20.0.2.bb1
-rw-r--r--meta/recipes-devtools/python/python3-pygobject_3.34.0.bb2
-rw-r--r--meta/recipes-devtools/python/python3-scons_3.1.2.bb1
-rw-r--r--meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch29
-rw-r--r--meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch42
-rw-r--r--meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch248
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch33
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch24
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2019-20907.patch44
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-14422.patch77
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-26116.patch104
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-27619.patch70
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2023-24329.patch80
-rw-r--r--meta/recipes-devtools/python/python3/makerace.patch23
-rw-r--r--meta/recipes-devtools/python/python3/python3-manifest.json4
-rw-r--r--meta/recipes-devtools/python/python3_3.8.18.bb (renamed from meta/recipes-devtools/python/python3_3.8.2.bb)28
20 files changed, 284 insertions, 588 deletions
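--- a/meta/recipes-devtools/python/python-setuptools.inc
+++ b/meta/recipes-devtools/python/python-setuptools.inc
@@ -8,6 +8,8 @@ PYPI_PACKAGE_EXT = "zip"
 
 inherit pypi
 
+SRC_URI += " file://CVE-2022-40897.patch "
+
 SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
 
 SRC_URI[md5sum] = "0c956eea142af9c2b02d72e3c042af30"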
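Review bot: `SRC_URI += " file://CVE-2022-40897.patch "` pads the value with a space on both sides, which `+=` already supplies; the `SRC_URI_append_class-native` line below needs its leading space only because `_append` does not insert one. Writing the new line as `SRC_URI += "file://CVE-2022-40897.patch"` keeps the two operators' spacing conventions from being confused by the next reader.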
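--- a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
+++ b/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb
@@ -1,12 +1,15 @@
 DESCRIPTION = "Python Jinja2: A small but fast and easy to use stand-alone template engine written in pure python."
+HOMEPAGE = "https://pypi.org/project/Jinja2/"
 
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
 
-SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0"
+SRC_URI[sha256sum] = "a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
 
 PYPI_PACKAGE = "Jinja2"
 
+CVE_PRODUCT = "jinja2 jinja"
+
 CLEANBROKEN = "1"
 
 inherit pypi setuptools3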
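--- a/meta/recipes-devtools/python/python3-magic_0.4.15.bb
+++ b/meta/recipes-devtools/python/python3-magic_0.4.15.bb
@@ -14,6 +14,11 @@ inherit pypi setuptools3
 SRC_URI[md5sum] = "e384c95a47218f66c6501cd6dd45ff59"
 SRC_URI[sha256sum] = "f3765c0f582d2dfc72c15f3b5a82aecfae9498bd29ca840d72f37d7bd38bfcd5"
 
-RDEPENDS_${PN} += "file"
+DEPENDS_append_class-native = " file-replacement-native"
+
+RDEPENDS_${PN} += "file \
+ ${PYTHON_PN}-ctypes \
+ ${PYTHON_PN}-io \
+ ${PYTHON_PN}-shell"
 
 BBCLASSEXTEND = "native"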
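--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
+From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 09:52:43 +0530
+Subject: [PATCH] CVE-2021-3572
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
+CVE: CVE-2021-3572
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ news/9827.bugfix.rst | 3 +++
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 news/9827.bugfix.rst
+
+diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
+new file mode 100644
+index 0000000..e0d27c3
+--- /dev/null
++++ b/news/9827.bugfix.rst
+@@ -0,0 +1,3 @@
++**SECURITY**: Stop splitting on unicode separators in git references,
++which could be maliciously used to install a different revision on the
++repository.
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..1b895f6 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+ output = cls.run_command(['show-ref', rev], cwd=dest,
+ show_stdout=False, on_returncode='ignore')
+ refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+ try:
+- sha, ref = line.split()
++ ref_sha, ref_name = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
+--
+2.25.1
+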
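Review bot: The new `ref_sha, ref_name = line.split(" ", maxsplit=2)` line renames the two values the loop unpacks, but the statement that stores them into `refs` lies past the end of this hunk, and the patch's own stat (`src/pip/_internal/vcs/git.py | 10 ++++++++--`, i.e. eight insertions and two deletions, all of which are visible here) shows no second hunk touching git.py. If that later statement is still the original `refs[ref] = sha`, as the stat implies, the first non-empty show-ref line now raises NameError instead of being recorded. The upstream commit named in Upstream-Status changes that line as well, so the backport needs the matching hunk, `refs[ref_name] = ref_sha`. The enclosing method continues outside the hunk.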
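--- a/meta/recipes-devtools/python/python3-pip_20.0.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_20.0.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e"
 
 DEPENDS += "python3 python3-setuptools-native"
 
+SRC_URI = "file://CVE-2021-3572.patch "
 SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86"
 SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"
 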
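Review bot: `SRC_URI = "file://CVE-2021-3572.patch "` is a plain assignment, so it only keeps the PyPI tarball URL if `inherit pypi` (not in this hunk) is processed after this line; written as `SRC_URI += "file://CVE-2021-3572.patch"` it is independent of statement order and matches the `+=` form this same commit uses in python-setuptools.inc. The trailing space inside the quotes is harmless but serves no purpose.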
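--- a/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
+++ b/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
@@ -1,4 +1,6 @@
 SUMMARY = "Python GObject bindings"
+HOMEPAGE = "https://gitlab.gnome.org/GNOME/pygobject"
+DESCRIPTION = "PyGObject is a Python package which provides bindings for GObject based libraries such as GTK, GStreamer, WebKitGTK, GLib, GIO and many more."
 SECTION = "devel/python"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"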
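--- a/meta/recipes-devtools/python/python3-scons_3.1.2.bb
+++ b/meta/recipes-devtools/python/python3-scons_3.1.2.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Software Construction tool (make/autotools replacement)"
+HOMEPAGE = "https://github.com/SCons/scons"
 SECTION = "devel/python"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE-python3-scons-${PV};md5=e14e1b33428df24a40a782ae142785d0"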
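--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch
@@ -0,0 +1,29 @@
+From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Fri, 4 Nov 2022 13:47:53 -0400
+Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes
+ #3659.
+
+CVE: CVE-2022-40897
+Upstream-Status: Backport [
+Upstream : https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Import from Ubuntu: http://archive.ubuntu.com/ubuntu/pool/main/s/setuptools/setuptools_45.2.0-1ubuntu0.1.debian.tar.xz
+]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ setuptools/package_index.py | 2 +-
+ setuptools/tests/test_packageindex.py | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- setuptools-45.2.0.orig/setuptools/package_index.py
++++ setuptools-45.2.0/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+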
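Review bot: The patch's stat block lists `setuptools/tests/test_packageindex.py | 1 -` and `2 files changed, 1 insertion(+), 2 deletions(-)`, but the body carries only the package_index.py hunk (one insertion, one deletion), so either the test-file hunk was lost when importing from the Ubuntu source or the stat should be reduced to what is actually applied; as written a reader cannot tell which. `Upstream-Status: Backport [` is also spread over four lines; keeping it as the single line `Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be]` and putting the Ubuntu URL on its own line is the usual form and is easier for tooling that reads the field line by line.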
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
index c4fae09a5b..4ac0e140cc 100644
--- a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
+++ b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
@@ -14,17 +14,21 @@ Upstream-Status: Submitted [https://github.com/python/cpython/pull/13196]
14Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io> 14Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io>
15 15
16%% original patch: 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch 16%% original patch: 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
17
18Updated to apply after dea270a2a80214de22afadaaca2043d0d782eb7d
19
20Signed-off-by: Tim Orling <tim.orling@konsulko.com>
17--- 21---
18 configure.ac | 175 +++++++-------------------------------------------- 22 configure.ac | 175 +++++++--------------------------------------------
19 1 file changed, 21 insertions(+), 154 deletions(-) 23 1 file changed, 21 insertions(+), 154 deletions(-)
20 24
21diff --git a/configure.ac b/configure.ac 25diff --git a/configure.ac b/configure.ac
22index ede710e..bc81b0b 100644 26index de83332dd3..16b02d0798 100644
23--- a/configure.ac 27--- a/configure.ac
24+++ b/configure.ac 28+++ b/configure.ac
25@@ -710,160 +710,27 @@ fi 29@@ -719,160 +719,27 @@ then
26 MULTIARCH=$($CC --print-multiarch 2>/dev/null) 30 fi
27 AC_SUBST(MULTIARCH) 31
28 32
29-AC_MSG_CHECKING([for the platform triplet based on compiler characteristics]) 33-AC_MSG_CHECKING([for the platform triplet based on compiler characteristics])
30-cat >> conftest.c <<EOF 34-cat >> conftest.c <<EOF
@@ -185,25 +189,25 @@ index ede710e..bc81b0b 100644
185+## Need to handle macos, vxworks and hurd special (?) :-/ 189+## Need to handle macos, vxworks and hurd special (?) :-/
186+case ${target_os} in 190+case ${target_os} in
187+ darwin*) 191+ darwin*)
188+ PLATFORM_TRIPLET=darwin 192+ PLATFORM_TRIPLET=darwin
189+ ;; 193+ ;;
190+ hurd*) 194+ hurd*)
191+ PLATFORM_TRIPLET=i386-gnu 195+ PLATFORM_TRIPLET=i386-gnu
192+ ;; 196+ ;;
193+ vxworks*) 197+ vxworks*)
194+ PLATFORM_TRIPLET=vxworks 198+ PLATFORM_TRIPLET=vxworks
195+ ;; 199+ ;;
196+ *) 200+ *)
197+ if test "${target_cpu}" != "i686"; then 201+ if test "${target_cpu}" != "i686"; then
198+ PLATFORM_TRIPLET=${target_cpu}-${target_os} 202+ PLATFORM_TRIPLET=${target_cpu}-${target_os}
199+ else 203+ else
200+ PLATFORM_TRIPLET=i386-${target_os} 204+ PLATFORM_TRIPLET=i386-${target_os}
201+ fi 205+ fi
202+ ;; 206+ ;;
203+esac 207+esac
204 208
205 if test x$PLATFORM_TRIPLET != x && test x$MULTIARCH != x; then 209 if test x$PLATFORM_TRIPLET != xdarwin; then
206 if test x$PLATFORM_TRIPLET != x$MULTIARCH; then 210 MULTIARCH=$($CC --print-multiarch 2>/dev/null)
207-- 211--
2082.24.1 2122.32.0
209 213
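--- a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Thu, 2 Apr 2020 02:52:20 +0200
-Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
- (GH-18284)
-
-Upstream-Status: Backport
-(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
-
-CVE: CVE-2020-8492
-
-The AbstractBasicAuthHandler class of the urllib.request module uses
-an inefficient regular expression which can be exploited by an
-attacker to cause a denial of service. Fix the regex to prevent the
-catastrophic backtracking. Vulnerability reported by Ben Caller
-and Matt Schwager.
-
-AbstractBasicAuthHandler of urllib.request now parses all
-WWW-Authenticate HTTP headers and accepts multiple challenges per
-header: use the realm of the first Basic challenge.
-
-Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
----
- Lib/test/test_urllib2.py | 90 ++++++++++++-------
- Lib/urllib/request.py | 69 ++++++++++----
- .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 +
- .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++
- 4 files changed, 115 insertions(+), 52 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
- create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 8abedaac98..e69ac3e213 100644
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
- bypass = {'exclude_simple': True, 'exceptions': []}
- self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
-
-- def test_basic_auth(self, quote_char='"'):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
-- (quote_char, realm, quote_char))
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
--
-- def test_basic_auth_with_single_quoted_realm(self):
-- self.test_basic_auth(quote_char="'")
--
-- def test_basic_auth_with_unquoted_realm(self):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- with self.assertWarns(UserWarning):
-+ def check_basic_auth(self, headers, realm):
-+ with self.subTest(realm=realm, headers=headers):
-+ opener = OpenerDirector()
-+ password_manager = MockPasswordManager()
-+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-+ body = '\r\n'.join(headers) + '\r\n\r\n'
-+ http_handler = MockHTTPHandler(401, body)
-+ opener.add_handler(auth_handler)
-+ opener.add_handler(http_handler)
- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
-+ realm, http_handler, password_manager,
-+ "http://acme.example.com/protected",
-+ "http://acme.example.com/protected")
-+
-+ def test_basic_auth(self):
-+ realm = "realm2@example.com"
-+ realm2 = "realm2@example.com"
-+ basic = f'Basic realm="{realm}"'
-+ basic2 = f'Basic realm="{realm2}"'
-+ other_no_realm = 'Otherscheme xxx'
-+ digest = (f'Digest realm="{realm2}", '
-+ f'qop="auth, auth-int", '
-+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
-+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
-+ for realm_str in (
-+ # test "quote" and 'quote'
-+ f'Basic realm="{realm}"',
-+ f"Basic realm='{realm}'",
-+
-+ # charset is ignored
-+ f'Basic realm="{realm}", charset="UTF-8"',
-+
-+ # Multiple challenges per header
-+ f'{basic}, {basic2}',
-+ f'{basic}, {other_no_realm}',
-+ f'{other_no_realm}, {basic}',
-+ f'{basic}, {digest}',
-+ f'{digest}, {basic}',
-+ ):
-+ headers = [f'WWW-Authenticate: {realm_str}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # no quote: expect a warning
-+ with support.check_warnings(("Basic Auth Realm was unquoted",
-+ UserWarning)):
-+ headers = [f'WWW-Authenticate: Basic realm={realm}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # Multiple headers: one challenge per header.
-+ # Use the first Basic realm.
-+ for challenges in (
-+ [basic, basic2],
-+ [basic, digest],
-+ [digest, basic],
-+ ):
-+ headers = [f'WWW-Authenticate: {challenge}'
-+ for challenge in challenges]
-+ self.check_basic_auth(headers, realm)
-
- def test_proxy_basic_auth(self):
- opener = OpenerDirector()
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 7fe50535da..2a3d71554f 100644
---- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
-
- # allow for double- and single-quoted realm values
- # (single quotes are a violation of the RFC, but appear in the wild)
-- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-- 'realm=(["\']?)([^"\']*)\\2', re.I)
-+ rx = re.compile('(?:^|,)' # start of the string or ','
-+ '[ \t]*' # optional whitespaces
-+ '([^ \t]+)' # scheme like "Basic"
-+ '[ \t]+' # mandatory whitespaces
-+ # realm=xxx
-+ # realm='xxx'
-+ # realm="xxx"
-+ 'realm=(["\']?)([^"\']*)\\2',
-+ re.I)
-
- # XXX could pre-emptively send auth info already accepted (RFC 2617,
- # end of section 2, and section 1.2 immediately after "credentials"
-@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
- self.passwd = password_mgr
- self.add_password = self.passwd.add_password
-
-+ def _parse_realm(self, header):
-+ # parse WWW-Authenticate header: accept multiple challenges per header
-+ found_challenge = False
-+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
-+ scheme, quote, realm = mo.groups()
-+ if quote not in ['"', "'"]:
-+ warnings.warn("Basic Auth Realm was unquoted",
-+ UserWarning, 3)
-+
-+ yield (scheme, realm)
-+
-+ found_challenge = True
-+
-+ if not found_challenge:
-+ if header:
-+ scheme = header.split()[0]
-+ else:
-+ scheme = ''
-+ yield (scheme, None)
-+
- def http_error_auth_reqed(self, authreq, host, req, headers):
- # host may be an authority (without userinfo) or a URL with an
- # authority
-- # XXX could be multiple headers
-- authreq = headers.get(authreq, None)
-+ headers = headers.get_all(authreq)
-+ if not headers:
-+ # no header found
-+ return
-
-- if authreq:
-- scheme = authreq.split()[0]
-- if scheme.lower() != 'basic':
-- raise ValueError("AbstractBasicAuthHandler does not"
-- " support the following scheme: '%s'" %
-- scheme)
-- else:
-- mo = AbstractBasicAuthHandler.rx.search(authreq)
-- if mo:
-- scheme, quote, realm = mo.groups()
-- if quote not in ['"',"'"]:
-- warnings.warn("Basic Auth Realm was unquoted",
-- UserWarning, 2)
-- if scheme.lower() == 'basic':
-- return self.retry_http_basic_auth(host, req, realm)
-+ unsupported = None
-+ for header in headers:
-+ for scheme, realm in self._parse_realm(header):
-+ if scheme.lower() != 'basic':
-+ unsupported = scheme
-+ continue
-+
-+ if realm is not None:
-+ # Use the first matching Basic challenge.
-+ # Ignore following challenges even if they use the Basic
-+ # scheme.
-+ return self.retry_http_basic_auth(host, req, realm)
-+
-+ if unsupported is not None:
-+ raise ValueError("AbstractBasicAuthHandler does not "
-+ "support the following scheme: %r"
-+ % (scheme,))
-
- def retry_http_basic_auth(self, host, req, realm):
- user, pw = self.passwd.find_user_password(realm, host)
-diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-new file mode 100644
-index 0000000000..be80ce79d9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-@@ -0,0 +1,3 @@
-+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
-+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
-+per header: use the realm of the first Basic challenge.
-diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-new file mode 100644
-index 0000000000..9f2800581c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-@@ -0,0 +1,5 @@
-+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
-+:mod:`urllib.request` module uses an inefficient regular expression which can
-+be exploited by an attacker to cause a denial of service. Fix the regex to
-+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
-+and Matt Schwager.
---
-2.24.1
-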
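--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
@@ -0,0 +1,33 @@
+From 7a2bddfa437be633bb6945d0e6b7d6f27da870ad Mon Sep 17 00:00:00 2001
+From: Tim Orling <timothy.t.orling@intel.com>
+Date: Fri, 18 Jun 2021 11:56:50 -0700
+Subject: [PATCH] test_ctypes.test_find: skip without tools-sdk
+
+These tests need full packagegroup-core-buildessential, the
+easiest way to dynamically check for that is looking for
+'tools-sdk' in IMAGE_FEATURES.
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ Lib/ctypes/test/test_find.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Lib/ctypes/test/test_find.py b/Lib/ctypes/test/test_find.py
+index 92ac184..0d009d1 100644
+--- a/Lib/ctypes/test/test_find.py
++++ b/Lib/ctypes/test/test_find.py
+@@ -112,10 +112,12 @@ class FindLibraryLinux(unittest.TestCase):
+ # LD_LIBRARY_PATH)
+ self.assertEqual(find_library(libname), 'lib%s.so' % libname)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_gcc(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None):
+ self.assertNotEqual(find_library('c'), None)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_ld(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None), \
+ unittest.mock.patch("ctypes.util._findLib_gcc", lambda *args: None):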
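Review bot: The commit message describes a dynamic check for tools-sdk, but both added decorators are an unconditional `@unittest.skip(...)`, so `test_find_library_with_gcc` and `test_find_library_with_ld` are never exercised even on an image that ships the toolchain. Keying the skip on the tool each test needs would retain the coverage where it is possible, e.g. `@unittest.skipUnless(shutil.which("gcc"), "Needs IMAGE_FEATURES += \"tools-sdk\"")` for the gcc test and `shutil.which("ld")` for the ld test, which requires an `import shutil` at the top of test_find.py. The class continues outside the hunk.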
diff --git a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c480..f9d2eadc11 100644
--- a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -1,6 +1,6 @@
1From b94995e0c694ec9561efec0d1a59b323340e6105 Mon Sep 17 00:00:00 2001 1From e11787d373baa6d7b0e0d94aff8ccd373203bfb1 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <mingli.yu@windriver.com> 2From: Tim Orling <ticotimo@gmail.com>
3Date: Mon, 5 Aug 2019 15:57:39 +0800 3Date: Wed, 16 Jun 2021 07:49:52 -0700
4Subject: [PATCH] test_locale.py: correct the test output format 4Subject: [PATCH] test_locale.py: correct the test output format
5 5
6Before this patch: 6Before this patch:
@@ -24,23 +24,25 @@ Before this patch:
24Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132] 24Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
25 25
26Signed-off-by: Mingli Yu <mingli.yu@windriver.com> 26Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
27
28
29Refresh patch for upstream changes in 3.8.9
30
31Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
27--- 32---
28 Lib/test/test_locale.py | 2 +- 33 Lib/test/test_locale.py | 2 +-
29 1 file changed, 1 insertion(+), 1 deletion(-) 34 1 file changed, 1 insertion(+), 1 deletion(-)
30 35
31diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py 36diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
32index e2c2178..558d63c 100644 37index 39091c0..5050f3d 100644
33--- a/Lib/test/test_locale.py 38--- a/Lib/test/test_locale.py
34+++ b/Lib/test/test_locale.py 39+++ b/Lib/test/test_locale.py
35@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase): 40@@ -563,7 +563,7 @@ class TestMiscellaneous(unittest.TestCase):
36 self.skipTest('test needs Turkish locale') 41 self.skipTest('test needs Turkish locale')
37 loc = locale.getlocale(locale.LC_CTYPE) 42 loc = locale.getlocale(locale.LC_CTYPE)
38 if verbose: 43 if verbose:
39- print('testing with %a' % (loc,), end=' ', flush=True) 44- print('testing with %a' % (loc,), end=' ', flush=True)
40+ print('testing with %a...' % (loc,), end=' ', flush=True) 45+ print('testing with %a...' % (loc,), end=' ', flush=True)
41 locale.setlocale(locale.LC_CTYPE, loc) 46 try:
42 self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE)) 47 locale.setlocale(locale.LC_CTYPE, loc)
43 48 except locale.Error as exc:
44--
452.7.4
46
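--- a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a06a6bf4e67a50561f6d6fb33534df1d3035ea34 Mon Sep 17 00:00:00 2001
-From: Rishi <rishi_devan@mail.com>
-Date: Wed, 15 Jul 2020 13:51:00 +0200
-Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
- (GH-21454)
-
-Avoid infinite loop when reading specially crafted TAR files using the tarfile module
-(CVE-2019-20907).
-(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
-
-Co-authored-by: Rishi <rishi_devan@mail.com>
-
-Removed testing 'recursion.tar' tar file due to binary data
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559]
-CVE: CVE-2019-20907
-Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
----
- Lib/tarfile.py | 2 ++
- .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
- 4 files changed, 10 insertions(+)
- create mode 100644 Lib/test/recursion.tar
- create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index d31b9cbb51d65..7a69e1b1aa544 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1241,6 +1241,8 @@ def _proc_pax(self, tarfile):
-
- length, keyword = match.groups()
- length = int(length)
-+ if length == 0:
-+ raise InvalidHeaderError("invalid header")
- value = buf[match.end(2) + 1:match.start(1) + length - 1]
-
- # Normally, we could just use "utf-8" as the encoding and "strict"
-diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-new file mode 100644
-index 0000000000000..ad26676f8b856
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-@@ -0,0 +1 @@
-+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).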
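--- a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 29 Jun 2020 11:12:50 -0700
-Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
- IPv6Interface (GH-21033)
-
-The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation
-(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
-
-Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5]
-CVE: CVE-2020-14422
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- Lib/ipaddress.py | 4 ++--
- Lib/test/test_ipaddress.py | 12 ++++++++++++
- .../2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
- 3 files changed, 15 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 873c7644081af..a3a04f7f4b309 100644
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1370,7 +1370,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-@@ -2017,7 +2017,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index de77111705b69..2eba740e5e7a4 100644
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -2053,6 +2053,18 @@ def testsixtofour(self):
- sixtofouraddr.sixtofour)
- self.assertFalse(bad_addr.sixtofour)
-
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV4HashIsNotConstant(self):
-+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
-+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
-+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
-+
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV6HashIsNotConstant(self):
-+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
-+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
-+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
-+
-
- if __name__ == '__main__':
- unittest.main()
-diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-new file mode 100644
-index 0000000000000..1380b31fbe9f4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-@@ -0,0 +1 @@
-+The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).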
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
deleted file mode 100644
index c019db2a76..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
+++ /dev/null
@@ -1,104 +0,0 @@
1From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001
2From: "Miss Islington (bot)"
3 <31488909+miss-islington@users.noreply.github.com>
4Date: Sat, 18 Jul 2020 13:39:12 -0700
5Subject: [PATCH] bpo-39603: Prevent header injection in http methods
6 (GH-18485)
7
8reject control chars in http method in http.client.putrequest to prevent http header injection
9(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
10
11Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
12
13Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf]
14CVE: CVE-2020-26116
15Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
16
17---
18 Lib/http/client.py | 15 +++++++++++++
19 Lib/test/test_httplib.py | 22 +++++++++++++++++++
20 .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
21 3 files changed, 39 insertions(+)
22 create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
23
24diff --git a/Lib/http/client.py b/Lib/http/client.py
25index 019380a720318..c2ad0471bfee5 100644
26--- a/Lib/http/client.py
27+++ b/Lib/http/client.py
28@@ -147,6 +147,10 @@
29 # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
30 # We are more lenient for assumed real world compatibility purposes.
31
32+# These characters are not allowed within HTTP method names
33+# to prevent http header injection.
34+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
35+
36 # We always set the Content-Length header for these methods because some
37 # servers will otherwise respond with a 411
38 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
39@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
40 else:
41 raise CannotSendRequest(self.__state)
42
43+ self._validate_method(method)
44+
45 # Save the method for use later in the response phase
46 self._method = method
47
48@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
49 # ASCII also helps prevent CVE-2019-9740.
50 return request.encode('ascii')
51
52+ def _validate_method(self, method):
53+ """Validate a method name for putrequest."""
54+ # prevent http header injection
55+ match = _contains_disallowed_method_pchar_re.search(method)
56+ if match:
57+ raise ValueError(
58+ f"method can't contain control characters. {method!r} "
59+ f"(found at least {match.group()!r})")
60+
61 def _validate_path(self, url):
62 """Validate a url for putrequest."""
63 # Prevent CVE-2019-9740.
64diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
65index 8f0e27a1fb836..5a5fcecbc9c15 100644
66--- a/Lib/test/test_httplib.py
67+++ b/Lib/test/test_httplib.py
68@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
69 self.assertEqual(lines[3], "header: Second: val2")
70
71
72+class HttpMethodTests(TestCase):
73+ def test_invalid_method_names(self):
74+ methods = (
75+ 'GET\r',
76+ 'POST\n',
77+ 'PUT\n\r',
78+ 'POST\nValue',
79+ 'POST\nHOST:abc',
80+ 'GET\nrHost:abc\n',
81+ 'POST\rRemainder:\r',
82+ 'GET\rHOST:\n',
83+ '\nPUT'
84+ )
85+
86+ for method in methods:
87+ with self.assertRaisesRegex(
88+ ValueError, "method can't contain control characters"):
89+ conn = client.HTTPConnection('example.com')
90+ conn.sock = FakeSocket(None)
91+ conn.request(method=method, url="/")
92+
93+
94 class TransferEncodingTest(TestCase):
95 expected_body = b"It's just a flesh wound"
96
97diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
98new file mode 100644
99index 0000000000000..990affc3edd9d
100--- /dev/null
101+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
102@@ -0,0 +1,2 @@
103+Prevent http header injection by rejecting control characters in
104+http.client.putrequest(...).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
deleted file mode 100644
index bafa1cb999..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
+++ /dev/null
@@ -1,70 +0,0 @@
1From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001
2From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
3Date: Tue, 6 Oct 2020 05:38:54 -0700
4Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
5 in the CJK codec tests (GH-22566) (GH-22577)
6
7(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
8
9Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
10
11Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
12
13Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33]
14CVE: CVE-2020-27619
15Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
16---
17 Lib/test/multibytecodec_support.py | 22 +++++++------------
18 .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 +
19 2 files changed, 9 insertions(+), 14 deletions(-)
20 create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
21
22diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
23index cca8af67d6d1d..f76c0153f5ecf 100644
24--- a/Lib/test/multibytecodec_support.py
25+++ b/Lib/test/multibytecodec_support.py
26@@ -305,29 +305,23 @@ def test_mapping_file(self):
27 self._test_mapping_file_plain()
28
29 def _test_mapping_file_plain(self):
30- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
31+ def unichrs(s):
32+ return ''.join(chr(int(x, 16)) for x in s.split('+'))
33+
34 urt_wa = {}
35
36 with self.open_mapping_file() as f:
37 for line in f:
38 if not line:
39 break
40- data = line.split('#')[0].strip().split()
41+ data = line.split('#')[0].split()
42 if len(data) != 2:
43 continue
44
45- csetval = eval(data[0])
46- if csetval <= 0x7F:
47- csetch = bytes([csetval & 0xff])
48- elif csetval >= 0x1000000:
49- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
50- ((csetval >> 8) & 0xff), (csetval & 0xff)])
51- elif csetval >= 0x10000:
52- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
53- (csetval & 0xff)])
54- elif csetval >= 0x100:
55- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
56- else:
57+ if data[0][:2] != '0x':
58+ self.fail(f"Invalid line: {line!r}")
59+ csetch = bytes.fromhex(data[0][2:])
60+ if len(csetch) == 1 and 0x80 <= csetch[0]:
61 continue
62
63 unich = unichrs(data[1])
64diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
65new file mode 100644
66index 0000000000000..4f9782f1c85af
67--- /dev/null
68+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
69@@ -0,0 +1 @@
70+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
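--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
+CVE: CVE-2023-24329
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ Lib/test/test_urlparse.py | 18 ++++++++++++++++++
+ Lib/urllib/parse.py | 2 +-
+ ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0ad3bf1..e1aa913 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
+ with self.assertRaises(ValueError):
+ p.port
+
++ def test_attributes_bad_scheme(self):
++ """Check handling of invalid schemes."""
++ for bytes in (False, True):
++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++ for scheme in (".", "+", "-", "0", "http&", "६http"):
++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++ url = scheme + "://www.example.net"
++ if bytes:
++ if url.isascii():
++ url = url.encode("ascii")
++ else:
++ continue
++ p = parse(url)
++ if bytes:
++ self.assertEqual(p.scheme, b"")
++ else:
++ self.assertEqual(p.scheme, "")
++
+ def test_attributes_without_netloc(self):
+ # This example is straight from RFC 3261. It looks like it
+ # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 979e6d2..2e7a3e2 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ clear_cache()
+ netloc = query = fragment = ''
+ i = url.find(':')
+- if i > 0:
++ if i > 0 and url[0].isascii() and url[0].isalpha():
+ if url[:i] == 'http': # optimize the common case
+ url = url[i+1:]
+ if url[:2] == '//':
+diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 0000000..0a06e7c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+--
+2.25.1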
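Review bot: The `CVE: CVE-2023-24329` tag in the patch header does not match the code change: the only behavioural hunk, in urlsplit(), tightens the scheme check to `if i > 0 and url[0].isascii() and url[0].isalpha():`, and nothing here strips leading whitespace, so a URL such as `" https://example.net"` is parsed exactly as before. As I recall it, CVE-2023-24329 is the blocklist bypass through leading blank characters, which upstream fixed separately by stripping C0 control and space characters in urlsplit (gh-102153); the patch itself is gh-99418 and its own NEWS entry is filed under Library, not Security. Please confirm that Lib/urllib/parse.py in the 3.8.18 tarball already contains that stripping before keeping the tag, because otherwise cve-check will report the CVE as patched while the bypass remains. If the tarball does contain it, this backport is still useful hardening but the header should say so, e.g. a line under the CVE tag such as `Related hardening (gh-99418); the leading-whitespace fix for this CVE is gh-102153, present in 3.8.18`.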
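--- /dev/null
+++ b/meta/recipes-devtools/python/python3/makerace.patch
@@ -0,0 +1,23 @@
+libainstall installs python-config.py but the .pyc cache files are generated
+by the libinstall target. This means some builds may not generate the pyc files
+for python-config.py depending on the order things happen in. This means builds
+are not always reproducible.
+
+Add a dependency to avoid the race.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: Python-3.8.11/Makefile.pre.in
+===================================================================
+--- Python-3.8.11.orig/Makefile.pre.in
++++ Python-3.8.11/Makefile.pre.in
+@@ -1415,7 +1415,7 @@ LIBSUBDIRS= tkinter tkinter/test tkinter
+ unittest unittest/test unittest/test/testmock \
+ venv venv/scripts venv/scripts/common venv/scripts/posix \
+ curses pydoc_data
+-libinstall: build_all $(srcdir)/Modules/xxmodule.c
++libinstall: build_all $(srcdir)/Modules/xxmodule.c libainstall
+ @for i in $(SCRIPTDIR) $(LIBDEST); \
+ do \
+ if test ! -d $(DESTDIR)$$i; then \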
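--- a/meta/recipes-devtools/python/python3/python3-manifest.json
+++ b/meta/recipes-devtools/python/python3/python3-manifest.json
@@ -531,7 +531,9 @@
  "rdepends": [
  "core"
  ],
- "files": [],
+ "files": [
+ "${libdir}/python${PYTHON_MAJMIN}/distutils/command/wininst-*.exe"
+ ],
  "cached": []
  },
  "distutils": {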
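--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.18.bb
@@ -1,9 +1,10 @@
 SUMMARY = "The Python Programming Language"
 HOMEPAGE = "http://www.python.org"
-LICENSE = "PSFv2"
+DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively."
+LICENSE = "PSF-2.0 & BSD-0-Clause"
 SECTION = "devel/python"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=07fc4b9a9c0c0e48050ed38a5e72552b"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
  file://run-ptest \
@@ -32,11 +33,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
  file://0001-configure.ac-fix-LIBPL.patch \
  file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
  file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
- file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
- file://CVE-2019-20907.patch \
- file://CVE-2020-14422.patch \
- file://CVE-2020-26116.patch \
- file://CVE-2020-27619.patch \
+ file://makerace.patch \
+ file://CVE-2023-24329.patch \
 "
 
 SRC_URI_append_class-native = " \
@@ -45,8 +43,8 @@ SRC_URI_append_class-native = " \
  file://0001-Don-t-search-system-for-headers-libraries.patch \
 "
 
-SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"
-SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"
+SRC_URI[md5sum] = "5ea6267ea00513fc31d3746feb35842d"
+SRC_URI[sha256sum] = "3ffb71cd349a326ba7b2fadc7e7df86ba577dd9c4917e52a8401adbda7405e3f"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -59,7 +57,12 @@ CVE_CHECK_WHITELIST += "CVE-2007-4559"
 CVE_CHECK_WHITELIST += "CVE-2019-18348"
 
 # This is windows only issue.
-CVE_CHECK_WHITELIST += "CVE-2020-15523"
+CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
+# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+# The module will be removed in the future and flaws documented.
+CVE_CHECK_WHITELIST += "CVE-2015-20107"
+# Not an issue, in fact expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2023-36632"
 
 PYTHON_MAJMIN = "3.8"
 
@@ -76,7 +79,7 @@ ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config
 ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
 
 
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2"
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive"
 DEPENDS_append_class-target = " python3-native"
 DEPENDS_append_class-nativesdk = " python3-native"
 
@@ -335,6 +338,7 @@ PACKAGES =+ "libpython3 libpython3-staticdev"
 FILES_libpython3 = "${libdir}/libpython*.so.*"
 FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a"
 INSANE_SKIP_${PN}-dev += "dev-elf"
+INSANE_SKIP_${PN}-ptest += "dev-deps"
 
 # catch all the rest (unsorted)
 PACKAGES += "${PN}-misc"
@@ -350,7 +354,7 @@ FILES_${PN}-man = "${datadir}/man"
 # See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
 RDEPENDS_libpython3_append_libc-glibc = " libgcc"
 RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig"
-RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed"
+RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed"
 RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
 RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
 RDEPENDS_${PN}-dev = ""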
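Review bot: The justification added for whitelisting CVE-2015-20107 (`# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.`) looks stale for a 3.8.18 tarball: as far as I recall, upstream backported a mitigation to the 3.8 security branch (gh-68966, mailcap refusing to run commands containing unsafe characters) several releases before 3.8.18, so the module is no longer simply unfixed. Please check Lib/mailcap.py in the tarball for that guard; if it is present and cve-check still flags the CVE only because the NVD record carries no fixed-version bound, keep the whitelist but reword the comment to `# Mitigated upstream in 3.8.x (gh-68966); NVD has no fixed version, so cve-check still matches it.` so the next bump does not inherit a wrong rationale. The other two additions in this hunk, CVE-2022-26488 under the Windows-only comment and CVE-2023-36632 as expected behaviour, look correct.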