From 87ecc7cef6fd208bad1d03331d82cd5d877c9007 Mon Sep 17 00:00:00 2001 From: Tim Orling Date: Tue, 11 Oct 2022 11:40:43 -0700 Subject: python3: upgrade 3.8.13 -> 3.8.14 Security and bug fixes. * Drop CVE-2021-28861.patch as it was merged in 3.8.14 release. Fixes: * CVE-2020-10735 https://nvd.nist.gov/vuln/detail/CVE-2020-10735 * CVE-2021-28861 https://nvd.nist.gov/vuln/detail/CVE-2021-28861 * CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032 Python 3.8.14 Release Date: Sept. 6, 2022 This is a security release of Python 3.8 Note: The release you're looking at is Python 3.8.14, a security bugfix release for the legacy 3.8 series. Python 3.10 is now the latest feature release series of Python 3. Security content in this release CVE-2020-10735: converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees to avoid a potential crash of the interpreter. gh-90355: Fix ensurepip environment isolation for the subprocess running pip. gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. (From OE-Core rev: 25fafd35a4698daa0d4abb814a91601e68223128) Signed-off-by: Tim Orling Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- meta/recipes-devtools/python/python3_3.8.14.bb | 366 +++++++++++++++++++++++++ 1 file changed, 366 insertions(+) create mode 100644 meta/recipes-devtools/python/python3_3.8.14.bb (limited to 'meta/recipes-devtools/python/python3_3.8.14.bb') diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb b/meta/recipes-devtools/python/python3_3.8.14.bb new file mode 100644 index 0000000000..035eda9ecd --- /dev/null +++ b/meta/recipes-devtools/python/python3_3.8.14.bb @@ -0,0 +1,366 @@ +SUMMARY = "The Python Programming Language" +HOMEPAGE = "http://www.python.org" +DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively." +LICENSE = "PSF-2.0 & BSD-0-Clause" +SECTION = "devel/python" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=c84eccf626bb6fde43e6ea5e28d8feb5" + +SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ + file://run-ptest \ + file://create_manifest3.py \ + file://get_module_deps3.py \ + file://python3-manifest.json \ + file://check_build_completeness.py \ + file://cgi_py.patch \ + file://0001-Do-not-add-usr-lib-termcap-to-linker-flags-to-avoid-.patch \ + ${@bb.utils.contains('PACKAGECONFIG', 'tk', '', 'file://avoid_warning_about_tkinter.patch', d)} \ + file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \ + file://python-config.patch \ + file://0001-Makefile.pre-use-qemu-wrapper-when-gathering-profile.patch \ + file://0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch \ + file://0001-python3-use-cc_basename-to-replace-CC-for-checking-c.patch \ + file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \ + file://0001-Makefile-fix-Issue36464-parallel-build-race-problem.patch \ + file://0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch \ + file://crosspythonpath.patch \ + file://reformat_sysconfig.py \ + file://0001-Use-FLAG_REF-always-for-interned-strings.patch \ + file://0001-test_locale.py-correct-the-test-output-format.patch \ + file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \ + file://0001-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \ + file://0001-Makefile-do-not-compile-.pyc-in-parallel.patch \ + file://0001-configure.ac-fix-LIBPL.patch \ + file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ + file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ + file://makerace.patch \ + " + +SRC_URI_append_class-native = " \ + file://0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch \ + file://12-distutils-prefix-is-inside-staging-area.patch \ + file://0001-Don-t-search-system-for-headers-libraries.patch \ + " + +SRC_URI[md5sum] = "78710eed185b71f4198d354502ff62c9" +SRC_URI[sha256sum] = "5d77e278271ba803e9909a41a4f3baca006181c93ada682a5e5fe8dc4a24c5f3" + +# exclude pre-releases for both python 2.x and 3.x +UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" + +CVE_PRODUCT = "python" + +# Upstream consider this expected behaviour +CVE_CHECK_WHITELIST += "CVE-2007-4559" +# This is not exploitable when glibc has CVE-2016-10739 fixed. +CVE_CHECK_WHITELIST += "CVE-2019-18348" + +# This is windows only issue. +CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488" +# The mailcap module is insecure by design, so this can't be fixed in a meaningful way. +# The module will be removed in the future and flaws documented. +CVE_CHECK_WHITELIST += "CVE-2015-20107" + +PYTHON_MAJMIN = "3.8" + +S = "${WORKDIR}/Python-${PV}" + +BBCLASSEXTEND = "native nativesdk" + +inherit autotools pkgconfig qemu ptest multilib_header update-alternatives + +MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}" + +ALTERNATIVE_${PN}-dev = "python3-config" +ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config" +ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}" + + +DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive" +DEPENDS_append_class-target = " python3-native" +DEPENDS_append_class-nativesdk = " python3-native" + +EXTRA_OECONF = " --without-ensurepip --enable-shared" +EXTRA_OECONF_append_class-native = " --bindir=${bindir}/${PN}" + +export CROSSPYTHONPATH="${STAGING_LIBDIR_NATIVE}/python${PYTHON_MAJMIN}/lib-dynload/" + +EXTRANATIVEPATH += "python3-native" + +CACHED_CONFIGUREVARS = " \ + ac_cv_file__dev_ptmx=yes \ + ac_cv_file__dev_ptc=no \ + ac_cv_working_tzset=yes \ +" +python() { + # PGO currently causes builds to not be reproducible, so disable it for + # now. See YOCTO #13407 + if bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', True, False, d) and d.getVar('BUILD_REPRODUCIBLE_BINARIES') != '1': + d.setVar('PACKAGECONFIG_PGO', 'pgo') + else: + d.setVar('PACKAGECONFIG_PGO', '') +} + +PACKAGECONFIG_class-target ??= "readline ${PACKAGECONFIG_PGO} gdbm" +PACKAGECONFIG_class-native ??= "readline gdbm" +PACKAGECONFIG_class-nativesdk ??= "readline gdbm" +PACKAGECONFIG[readline] = ",,readline" +# Use profile guided optimisation by running PyBench inside qemu-user +PACKAGECONFIG[pgo] = "--enable-optimizations,,qemu-native" +PACKAGECONFIG[tk] = ",,tk" +PACKAGECONFIG[gdbm] = ",,gdbm" + +do_configure_prepend () { + mkdir -p ${B}/Modules + cat > ${B}/Modules/Setup.local << EOF +*disabled* +${@bb.utils.contains('PACKAGECONFIG', 'gdbm', '', '_gdbm _dbm', d)} +${@bb.utils.contains('PACKAGECONFIG', 'readline', '', 'readline', d)} +EOF +} + +CPPFLAGS_append = " -I${STAGING_INCDIR}/ncursesw -I${STAGING_INCDIR}/uuid" + +EXTRA_OEMAKE = '\ + STAGING_LIBDIR=${STAGING_LIBDIR} \ + STAGING_INCDIR=${STAGING_INCDIR} \ + LIB=${baselib} \ +' + +do_compile_prepend_class-target() { + if ${@bb.utils.contains('PACKAGECONFIG', 'pgo', 'true', 'false', d)}; then + qemu_binary="${@qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}', ['${B}', '${STAGING_DIR_TARGET}/${base_libdir}'])}" + cat >pgo-wrapper <