python3: update 3.11.0 -> 3.11.1

Drop 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch: the patch has been rejected upstream (see the bug), and does quite a bit more than just fix the mips softfloat problem. If the problem still exists, then the fix needs to be re-done, and re-submitted. The other two patches have been merged upstream. License-Update: http->https (From OE-Core rev: 9b6e8c173162798428cf8627b596ca81cd8ab855) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2022-12-28 08:37:00 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-28 23:59:55 +0000
commit: 715a25b1f137d392d6de7c0101de64adf823a0eb (patch)
tree: 75f26ed2ed2c044d37b3e6b9e6560d57f67429c6 /meta/recipes-devtools/python/python3/cve-2022-37460.patch
parent: e20cf2149078ecf15ebe1402bf89b15c0c53a04b (diff)
download: poky-715a25b1f137d392d6de7c0101de64adf823a0eb.tar.gz
1 files changed, 0 insertions, 95 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2022-37460.patch b/meta/recipes-devtools/python/python3/cve-2022-37460.patch
deleted file mode 100644
index 12177684fd..0000000000
--- a/meta/recipes-devtools/python/python3/cve-2022-37460.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 94582bb643f98bc58b1ff206d1d2a56f97c3a7e5 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Wed, 28 Sep 2022 16:46:11 -0700
-Subject: [PATCH] gh-97612: Fix shell injection in get-remote-certificate.py
- (GH-97613)
-Fix a shell code injection vulnerability in the
-get-remote-certificate.py example script. The script no longer uses a
-shell to run "openssl" commands. Issue reported and initial fix by
-Caleb Shortt.
-Remove the Windows code path to send "quit" on stdin to the "openssl
-s_client" command: use DEVNULL on all platforms instead.
-Co-authored-by: Caleb Shortt <caleb@rgauge.com>
-(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
-Co-authored-by: Victor Stinner <vstinner@python.org>
---
-CVE: CVE-2022-37460
-Upstream-Status: Backport [https://github.com/python/cpython.git]
-                          [commit 94582bb643... unmodified]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
- ...2-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst |  3 +++
- Tools/scripts/get-remote-certificate.py       | 25 ++++++-------------
- 2 files changed, 10 insertions(+), 18 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
-diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
-new file mode 100644
-index 0000000000..2f113492d4
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
-@@ -0,0 +1,3 @@
-+Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
-+example script. The script no longer uses a shell to run ``openssl`` commands.
-+Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
-diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
-index 38901286e1..68272fca83 100755
--- a/Tools/scripts/get-remote-certificate.py
-+++ b/Tools/scripts/get-remote-certificate.py
-@@ -15,8 +15,8 @@
- def fetch_server_certificate (host, port):
- 
-     def subproc(cmd):
-        from subprocess import Popen, PIPE, STDOUT
-        proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
-+        from subprocess import Popen, PIPE, STDOUT, DEVNULL
-+        proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
-         status = proc.wait()
-         output = proc.stdout.read()
-         return status, output
-@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
-                 fp.write(m.group(1) + b"\n")
-             try:
-                 tn2 = (outfile or tempfile.mktemp())
-                status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
-                                         (tn, tn2))
-+                cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
-+                status, output = subproc(cmd)
-                 if status != 0:
-                     raise RuntimeError('OpenSSL x509 failed with status %s and '
-                                        'output: %r' % (status, output))
-@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
-             finally:
-                 os.unlink(tn)
- 
-    if sys.platform.startswith("win"):
-        tfile = tempfile.mktemp()
-        with open(tfile, "w") as fp:
-            fp.write("quit\n")
-        try:
-            status, output = subproc(
-                'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
-                (host, port, tfile))
-        finally:
-            os.unlink(tfile)
-    else:
-        status, output = subproc(
-            'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
-            (host, port))
-+    cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
-+    status, output = subproc(cmd)
-+
-     if status != 0:
-         raise RuntimeError('OpenSSL connect failed with status %s and '
-                            'output: %r' % (status, output))
-- 
-2.38.1
author	Alexander Kanavin <alex.kanavin@gmail.com>	2022-12-28 08:37:00 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-28 23:59:55 +0000
commit	715a25b1f137d392d6de7c0101de64adf823a0eb (patch)
tree	75f26ed2ed2c044d37b3e6b9e6560d57f67429c6 /meta/recipes-devtools/python/python3/cve-2022-37460.patch
parent	e20cf2149078ecf15ebe1402bf89b15c0c53a04b (diff)
download	poky-715a25b1f137d392d6de7c0101de64adf823a0eb.tar.gz

diff --git a/meta/recipes-devtools/python/python3/cve-2022-37460.patch b/meta/recipes-devtools/python/python3/cve-2022-37460.patch deleted file mode 100644 index 12177684fd..0000000000 --- a/meta/recipes-devtools/python/python3/cve-2022-37460.patch +++ /dev/null
@@ -1,95 +0,0 @@
1	From 94582bb643f98bc58b1ff206d1d2a56f97c3a7e5 Mon Sep 17 00:00:00 2001
2	From: "Miss Islington (bot)"
3	<31488909+miss-islington@users.noreply.github.com>
4	Date: Wed, 28 Sep 2022 16:46:11 -0700
5	Subject: [PATCH] gh-97612: Fix shell injection in get-remote-certificate.py
6	(GH-97613)
7
8	Fix a shell code injection vulnerability in the
9	get-remote-certificate.py example script. The script no longer uses a
10	shell to run "openssl" commands. Issue reported and initial fix by
11	Caleb Shortt.
12
13	Remove the Windows code path to send "quit" on stdin to the "openssl
14	s_client" command: use DEVNULL on all platforms instead.
15
16	Co-authored-by: Caleb Shortt <caleb@rgauge.com>
17	(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
18
19	Co-authored-by: Victor Stinner <vstinner@python.org>
20	---
21	CVE: CVE-2022-37460
22
23	Upstream-Status: Backport [https://github.com/python/cpython.git]
24	[commit 94582bb643... unmodified]
25
26	Signed-off-by: Joe Slater <joe.slater@windriver.com>
27
28	---
29	...2-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst \| 3 +++
30	Tools/scripts/get-remote-certificate.py \| 25 ++++++-------------
31	2 files changed, 10 insertions(+), 18 deletions(-)
32	create mode 100644 Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
33
34	diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
35	new file mode 100644
36	index 0000000000..2f113492d4
37	--- /dev/null
38	+++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
39	@@ -0,0 +1,3 @@
40	+Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
41	+example script. The script no longer uses a shell to run ``openssl`` commands.
42	+Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
43	diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
44	index 38901286e1..68272fca83 100755
45	--- a/Tools/scripts/get-remote-certificate.py
46	+++ b/Tools/scripts/get-remote-certificate.py
47	@@ -15,8 +15,8 @@
48	def fetch_server_certificate (host, port):
49
50	def subproc(cmd):
51	- from subprocess import Popen, PIPE, STDOUT
52	- proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
53	+ from subprocess import Popen, PIPE, STDOUT, DEVNULL
54	+ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
55	status = proc.wait()
56	output = proc.stdout.read()
57	return status, output
58	@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
59	fp.write(m.group(1) + b"\n")
60	try:
61	tn2 = (outfile or tempfile.mktemp())
62	- status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
63	- (tn, tn2))
64	+ cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
65	+ status, output = subproc(cmd)
66	if status != 0:
67	raise RuntimeError('OpenSSL x509 failed with status %s and '
68	'output: %r' % (status, output))
69	@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
70	finally:
71	os.unlink(tn)
72
73	- if sys.platform.startswith("win"):
74	- tfile = tempfile.mktemp()
75	- with open(tfile, "w") as fp:
76	- fp.write("quit\n")
77	- try:
78	- status, output = subproc(
79	- 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
80	- (host, port, tfile))
81	- finally:
82	- os.unlink(tfile)
83	- else:
84	- status, output = subproc(
85	- 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
86	- (host, port))
87	+ cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
88	+ status, output = subproc(cmd)
89	+
90	if status != 0:
91	raise RuntimeError('OpenSSL connect failed with status %s and '
92	'output: %r' % (status, output))
93	--
94	2.38.1
95