python3: upgrade 3.10.8 -> 3.10.9

Security and bug fixes. Drop patch for CVE-2022-42919 and CVE-2022-37454 which were merged in 3.10.9 Fixes: * CVE-2022-45061 (gh-98433) https://nvd.nist.gov/vuln/detail/CVE-2022-45061 List of changes: https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-9-final (From OE-Core rev: f98b9c71686eb5ce5115ee73155a7d0389831ef0) Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Florin Diaconescu <florin.diaconescu009@gmail.com> 2022-12-15 13:42:55 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-23 23:05:50 +0000
commit: c4bbc6d9c5077b26d6d8e48aa47927b3cbb023e0 (patch)
tree: e190ceacf38ca9832ad31da8e5c9075231d7e8ca /meta/recipes-devtools/python
parent: f7133e57f8688697fdb305b5e92a4c63ccc423a6 (diff)
download: poky-c4bbc6d9c5077b26d6d8e48aa47927b3cbb023e0.tar.gz
3 files changed, 1 insertions, 180 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
deleted file mode 100644
index 6040724dae..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 87ef80926ea0ec960a220af89d8ff4db99417b03 Mon Sep 17 00:00:00 2001
-From: Vivek Kumbhar <vkumbhar@mvista.com>
-Date: Thu, 24 Nov 2022 17:44:18 +0530
-Subject: [PATCH] CVE-2022-42919
-Upstream-Status: Backport [https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2]
-CVE: CVE-2022-42919
-Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
-[3.10] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (GH-98503)
-Linux abstract sockets are insecure as they lack any form of filesystem
-permissions so their use allows anyone on the system to inject code into
-the process.
-This removes the default preference for abstract sockets in
-multiprocessing introduced in Python 3.9+ via
-https://github.com/python/cpython/pull/18866 while fixing
-https://github.com/python/cpython/issues/84031.
-Explicit use of an abstract socket by a user now generates a
-RuntimeWarning.  If we choose to keep this warning, it should be
-backported to the 3.7 and 3.8 branches.
-(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
---
- Lib/multiprocessing/connection.py                 |  5 -----
- .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
- 2 files changed, 15 insertions(+), 5 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
-diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
-index 510e4b5..8e2facf 100644
--- a/Lib/multiprocessing/connection.py
-+++ b/Lib/multiprocessing/connection.py
-@@ -73,11 +73,6 @@ def arbitrary_address(family):
-     if family == 'AF_INET':
-         return ('localhost', 0)
-     elif family == 'AF_UNIX':
-        # Prefer abstract sockets if possible to avoid problems with the address
-        # size.  When coding portable applications, some implementations have
-        # sun_path as short as 92 bytes in the sockaddr_un struct.
-        if util.abstract_sockets_supported:
-            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
-         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
-     elif family == 'AF_PIPE':
-         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
-diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
-new file mode 100644
-index 0000000..02d95b5
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
-@@ -0,0 +1,15 @@
-+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
-+unix domain sockets for communication with the *forkserver* process instead of
-+the Linux abstract socket namespace.  Only code that chooses to use the
-+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
-+
-+Abstract sockets have no permissions and could allow any user on the system in
-+the same `network namespace
-+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
-+whole system) to inject code into the multiprocessing *forkserver* process.
-+This was a potential privilege escalation. Filesystem based socket permissions
-+restrict this to the *forkserver* process user as was the default in Python 3.8
-+and earlier.
-+
-+This prevents Linux `CVE-2022-42919
-+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
-- 
-2.25.1
diff --git a/meta/recipes-devtools/python/python3/cve-2022-37454.patch b/meta/recipes-devtools/python/python3/cve-2022-37454.patch
deleted file mode 100644
index c019151a64..0000000000
--- a/meta/recipes-devtools/python/python3/cve-2022-37454.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 1f66b714c5f2fef80ec5389456ac31756dbfff0e Mon Sep 17 00:00:00 2001
-From: Theo Buehler <botovq@users.noreply.github.com>
-Date: Fri, 21 Oct 2022 21:26:01 +0200
-Subject: [PATCH] gh-98517: Fix buffer overflows in _sha3 module (#98519)
-This is a port of the applicable part of XKCP's fix [1] for
-CVE-2022-37454 and avoids the segmentation fault and the infinite
-loop in the test cases published in [2].
-[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
-[2]: https://mouha.be/sha-3-buffer-overflow/
-Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
---
-Patch applied without modification.
-CVE: CVE-2022-37454
-Upstream-Status: Backport [github.com/cpython/cpython.git 0e4e058602d...]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
- Lib/test/test_hashlib.py                          |  9 +++++++++
- .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst |  1 +
- Modules/_sha3/kcp/KeccakSponge.inc                | 15 ++++++++-------
- 3 files changed, 18 insertions(+), 7 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
-diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
-index ea31f8b..65330e1 100644
--- a/Lib/test/test_hashlib.py
-+++ b/Lib/test/test_hashlib.py
-@@ -491,6 +491,15 @@ class HashLibTestCase(unittest.TestCase):
-     def test_case_md5_uintmax(self, size):
-         self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
- 
-+    @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
-+    @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
-+    def test_sha3_update_overflow(self, size):
-+        """Regression test for gh-98517 CVE-2022-37454."""
-+        h = hashlib.sha3_224()
-+        h.update(b'\x01')
-+        h.update(b'\x01'*0xffff_ffff)
-+        self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
-+
-     # use the three examples from Federal Information Processing Standards
-     # Publication 180-1, Secure Hash Standard,  1995 April 17
-     # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
-diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
-new file mode 100644
-index 0000000..2d23a6a
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
-@@ -0,0 +1 @@
-+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
-diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
-index e10739d..cf92e4d 100644
--- a/Modules/_sha3/kcp/KeccakSponge.inc
-+++ b/Modules/_sha3/kcp/KeccakSponge.inc
-@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
-     i = 0;
-     curData = data;
-     while(i < dataByteLen) {
-        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
-+        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
- #ifdef SnP_FastLoop_Absorb
-             /* processing full blocks first */
- 
-@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
-         }
-         else {
-             /* normal lane: using the message queue */
-
-            partialBlock = (unsigned int)(dataByteLen - i);
-            if (partialBlock+instance->byteIOIndex > rateInBytes)
-+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
-                 partialBlock = rateInBytes-instance->byteIOIndex;
-+            else
-+                partialBlock = (unsigned int)(dataByteLen - i);
-             #ifdef KeccakReference
-             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
-             #endif
-@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
-     i = 0;
-     curData = data;
-     while(i < dataByteLen) {
-        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
-+        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
-             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
-                 SnP_Permute(instance->state);
-                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
-@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
-                 SnP_Permute(instance->state);
-                 instance->byteIOIndex = 0;
-             }
-            partialBlock = (unsigned int)(dataByteLen - i);
-            if (partialBlock+instance->byteIOIndex > rateInBytes)
-+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
-                 partialBlock = rateInBytes-instance->byteIOIndex;
-+            else
-+                partialBlock = (unsigned int)(dataByteLen - i);
-             i += partialBlock;
- 
-             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
-- 
-2.32.0
diff --git a/meta/recipes-devtools/python/python3_3.10.8.bb b/meta/recipes-devtools/python/python3_3.10.9.bb
index 8963ce6dd2..d6b7a618c1 100644
--- a/meta/recipes-devtools/python/python3_3.10.8.bb
+++ b/meta/recipes-devtools/python/python3_3.10.9.bb
@@ -35,7 +35,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
           file://deterministic_imports.patch \
           file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
-           file://CVE-2022-42919.patch \
           "
 SRC_URI:append:class-native = " \
@@ -44,7 +43,7 @@ SRC_URI:append:class-native = " \
           file://12-distutils-prefix-is-inside-staging-area.patch \
           file://0001-Don-t-search-system-for-headers-libraries.patch \
           "
-SRC_URI[sha256sum] = "6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3"
+SRC_URI[sha256sum] = "5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
author	Florin Diaconescu <florin.diaconescu009@gmail.com>	2022-12-15 13:42:55 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-23 23:05:50 +0000
commit	c4bbc6d9c5077b26d6d8e48aa47927b3cbb023e0 (patch)
tree	e190ceacf38ca9832ad31da8e5c9075231d7e8ca /meta/recipes-devtools/python
parent	f7133e57f8688697fdb305b5e92a4c63ccc423a6 (diff)
download	poky-c4bbc6d9c5077b26d6d8e48aa47927b3cbb023e0.tar.gz

diff --git a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch deleted file mode 100644 index 6040724dae..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch +++ /dev/null
@@ -1,70 +0,0 @@
1	From 87ef80926ea0ec960a220af89d8ff4db99417b03 Mon Sep 17 00:00:00 2001
2	From: Vivek Kumbhar <vkumbhar@mvista.com>
3	Date: Thu, 24 Nov 2022 17:44:18 +0530
4	Subject: [PATCH] CVE-2022-42919
5
6	Upstream-Status: Backport [https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2]
7	CVE: CVE-2022-42919
8	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
9
10	[3.10] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (GH-98503)
11
12	Linux abstract sockets are insecure as they lack any form of filesystem
13	permissions so their use allows anyone on the system to inject code into
14	the process.
15
16	This removes the default preference for abstract sockets in
17	multiprocessing introduced in Python 3.9+ via
18	https://github.com/python/cpython/pull/18866 while fixing
19	https://github.com/python/cpython/issues/84031.
20
21	Explicit use of an abstract socket by a user now generates a
22	RuntimeWarning. If we choose to keep this warning, it should be
23	backported to the 3.7 and 3.8 branches.
24	(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
25	---
26	Lib/multiprocessing/connection.py \| 5 -----
27	.../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst \| 15 +++++++++++++++
28	2 files changed, 15 insertions(+), 5 deletions(-)
29	create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
30
31	diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
32	index 510e4b5..8e2facf 100644
33	--- a/Lib/multiprocessing/connection.py
34	+++ b/Lib/multiprocessing/connection.py
35	@@ -73,11 +73,6 @@ def arbitrary_address(family):
36	if family == 'AF_INET':
37	return ('localhost', 0)
38	elif family == 'AF_UNIX':
39	- # Prefer abstract sockets if possible to avoid problems with the address
40	- # size. When coding portable applications, some implementations have
41	- # sun_path as short as 92 bytes in the sockaddr_un struct.
42	- if util.abstract_sockets_supported:
43	- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
44	return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
45	elif family == 'AF_PIPE':
46	return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
47	diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
48	new file mode 100644
49	index 0000000..02d95b5
50	--- /dev/null
51	+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
52	@@ -0,0 +1,15 @@
53	+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
54	+unix domain sockets for communication with the forkserver process instead of
55	+the Linux abstract socket namespace. Only code that chooses to use the
56	+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
57	+
58	+Abstract sockets have no permissions and could allow any user on the system in
59	+the same `network namespace
60	+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
61	+whole system) to inject code into the multiprocessing forkserver process.
62	+This was a potential privilege escalation. Filesystem based socket permissions
63	+restrict this to the forkserver process user as was the default in Python 3.8
64	+and earlier.
65	+
66	+This prevents Linux `CVE-2022-42919
67	+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
68	--
69	2.25.1
70


diff --git a/meta/recipes-devtools/python/python3/cve-2022-37454.patch b/meta/recipes-devtools/python/python3/cve-2022-37454.patch deleted file mode 100644 index c019151a64..0000000000 --- a/meta/recipes-devtools/python/python3/cve-2022-37454.patch +++ /dev/null
@@ -1,108 +0,0 @@
1	From 1f66b714c5f2fef80ec5389456ac31756dbfff0e Mon Sep 17 00:00:00 2001
2	From: Theo Buehler <botovq@users.noreply.github.com>
3	Date: Fri, 21 Oct 2022 21:26:01 +0200
4	Subject: [PATCH] gh-98517: Fix buffer overflows in _sha3 module (#98519)
5
6	This is a port of the applicable part of XKCP's fix [1] for
7	CVE-2022-37454 and avoids the segmentation fault and the infinite
8	loop in the test cases published in [2].
9
10	[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
11	[2]: https://mouha.be/sha-3-buffer-overflow/
12
13	Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
14	---
15
16	Patch applied without modification.
17
18	CVE: CVE-2022-37454
19
20	Upstream-Status: Backport [github.com/cpython/cpython.git 0e4e058602d...]
21
22	Signed-off-by: Joe Slater <joe.slater@windriver.com>
23	---
24	Lib/test/test_hashlib.py \| 9 +++++++++
25	.../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst \| 1 +
26	Modules/_sha3/kcp/KeccakSponge.inc \| 15 ++++++++-------
27	3 files changed, 18 insertions(+), 7 deletions(-)
28	create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
29
30	diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
31	index ea31f8b..65330e1 100644
32	--- a/Lib/test/test_hashlib.py
33	+++ b/Lib/test/test_hashlib.py
34	@@ -491,6 +491,15 @@ class HashLibTestCase(unittest.TestCase):
35	def test_case_md5_uintmax(self, size):
36	self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
37
38	+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
39	+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
40	+ def test_sha3_update_overflow(self, size):
41	+ """Regression test for gh-98517 CVE-2022-37454."""
42	+ h = hashlib.sha3_224()
43	+ h.update(b'\x01')
44	+ h.update(b'\x01'*0xffff_ffff)
45	+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
46	+
47	# use the three examples from Federal Information Processing Standards
48	# Publication 180-1, Secure Hash Standard, 1995 April 17
49	# http://www.itl.nist.gov/div897/pubs/fip180-1.htm
50	diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
51	new file mode 100644
52	index 0000000..2d23a6a
53	--- /dev/null
54	+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
55	@@ -0,0 +1 @@
56	+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
57	diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
58	index e10739d..cf92e4d 100644
59	--- a/Modules/_sha3/kcp/KeccakSponge.inc
60	+++ b/Modules/_sha3/kcp/KeccakSponge.inc
61	@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance instance, const unsigned char data, size_t dat
62	i = 0;
63	curData = data;
64	while(i < dataByteLen) {
65	- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
66	+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
67	#ifdef SnP_FastLoop_Absorb
68	/* processing full blocks first */
69
70	@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance instance, const unsigned char data, size_t dat
71	}
72	else {
73	/* normal lane: using the message queue */
74	-
75	- partialBlock = (unsigned int)(dataByteLen - i);
76	- if (partialBlock+instance->byteIOIndex > rateInBytes)
77	+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
78	partialBlock = rateInBytes-instance->byteIOIndex;
79	+ else
80	+ partialBlock = (unsigned int)(dataByteLen - i);
81	#ifdef KeccakReference
82	displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
83	#endif
84	@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance instance, unsigned char data, size_t dataByte
85	i = 0;
86	curData = data;
87	while(i < dataByteLen) {
88	- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
89	+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
90	for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
91	SnP_Permute(instance->state);
92	SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
93	@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance instance, unsigned char data, size_t dataByte
94	SnP_Permute(instance->state);
95	instance->byteIOIndex = 0;
96	}
97	- partialBlock = (unsigned int)(dataByteLen - i);
98	- if (partialBlock+instance->byteIOIndex > rateInBytes)
99	+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
100	partialBlock = rateInBytes-instance->byteIOIndex;
101	+ else
102	+ partialBlock = (unsigned int)(dataByteLen - i);
103	i += partialBlock;
104
105	SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
106	--
107	2.32.0
108


diff --git a/meta/recipes-devtools/python/python3_3.10.8.bb b/meta/recipes-devtools/python/python3_3.10.9.bb index 8963ce6dd2..d6b7a618c1 100644 --- a/meta/recipes-devtools/python/python3_3.10.8.bb +++ b/meta/recipes-devtools/python/python3_3.10.9.bb
@@ -35,7 +35,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
35	file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \	35	file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
36	file://deterministic_imports.patch \	36	file://deterministic_imports.patch \
37	file://0001-Avoid-shebang-overflow-on-python-config.py.patch \	37	file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
38	file://CVE-2022-42919.patch \
39	"	38	"
40		39
41	SRC_URI:append:class-native = " \	40	SRC_URI:append:class-native = " \
@@ -44,7 +43,7 @@ SRC_URI:append:class-native = " \
44	file://12-distutils-prefix-is-inside-staging-area.patch \	43	file://12-distutils-prefix-is-inside-staging-area.patch \
45	file://0001-Don-t-search-system-for-headers-libraries.patch \	44	file://0001-Don-t-search-system-for-headers-libraries.patch \
46	"	45	"
47	SRC_URI[sha256sum] = "6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3"	46	SRC_URI[sha256sum] = "5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83"
48		47
49	# exclude pre-releases for both python 2.x and 3.x	48	# exclude pre-releases for both python 2.x and 3.x
50	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	49	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"