Commit Graph

15 Commits

Author SHA1 Message Date
Adam Duskett
9e12fb0ebe package/python3: security bump to version 3.7.4
Fixes the following security issues:

- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
  additional text after the address and only quad-dotted notation without
  trailing whitespaces.  Some inet_aton() implementations ignore whitespace
  and all data after whitespace, e.g.  ‘127.0.0.1 whatever’.

- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
  and local_file:// URL schemes in URLopener().open() and
  URLopener().retrieve() of urllib.request.

- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
  whitespace or control characters through into the underlying http client
  request.  Such potentially malicious header injection URLs now cause an
  http.client.InvalidURL exception to be raised.

- bpo-33529: Prevent fold function used in email header encoding from
  entering infinite loop when there are too many non-ASCII characters in a
  header.

- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
  if the PATH environment variable is not set.  Remove also the current
  directory from posixpath.defpath.  On Unix, shutil.which() and the
  subprocess module no longer search the executable in the current directory
  if the PATH environment variable is not set.

Also remove the following upstreamed patches:
  - 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
  - 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

(cherry picked from commit 906ed044aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:39:38 +02:00
Adam Duskett
3df4ea4694 package/python3: fix hash for license file
The year was updated.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf6615d801)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 15:53:08 +02:00
Adam Duskett
0012baabfc package/python3: security bump version to 3.7.3
Also remove upstream patch 0033.

Fixes the following security issues:

- bpo-36216: Changes urlsplit() to raise ValueError when the URL contains
  characters that decompose under IDNA encoding (NFKC-normalization) into
  characters that affect how the URL is parsed.

- bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module.  The
  cert parser did not handle CRL distribution points with empty DP or URI
  correctly.  A malicious or buggy certificate can result into segfault.
  Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of
  Cisco.

- bpo-35121: Don’t send cookies of domain A without Domain attribute to
  domain B when domain A is a suffix match of domain B while using a
  cookiejar with http.cookiejar.DefaultCookiePolicy policy.  Patch by
  Karthikeyan Singaravelan.

For more details, see the changelog:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-3-final

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6afc83b60f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 15:51:47 +02:00
Asaf Kahlon
1c7d476727 package/python3: bump to version 3.7.2
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-27 17:14:28 +01:00
Asaf Kahlon
658ebd8d23 python3: bump to version 3.7.1
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-28 08:11:32 +01:00
Adam Duskett
6e7e733f3b python3: bump to 3.7.0
Other changes include:

 - Refreshing all necessary patches for 3.7.0

 - Add a hash for the license file.

 - Python no longer has its own internal libffi, as such, host-libffi
   is now required to build host-python3, and is added as a
   dependency.

 - Drop PYTHON3_LIBTOOL_PATCH = NO, since there is no longer any
   internal libffi copy that was causing the libtool patching process
   to fail.

 - A new core module "uuid" is now added in the Config.in file, and
   relies on util-linux's uuid library.

 - Also, a new patch: 0030-Fix-cross-compiling-the-uuid-module.patch
   is required to fix compiling the uuid module, because the include
   directory search path for uuid.h is hardcoded to /usr/include/uuid,
   which causes an "unsafe for cross-compilation" error during
   compiling if the host pc has uuid headers installed.

 - 0031-Add-an-option-to-disable-uuid-module.patch is added to allow
   disabling the Python3 UUID module, so that when
   BR2_PACKAGE_PYTHON3_UUID is disabled but the UUID library is
   present, the uuid Python module is not built, as expected.

 - 0032-fix-building-on-older-distributions.patch is added to change
   os.replace by os.rename in the update_file.py script to fix
   building on older Linux distributions that have older versions of
   python that don't include os.replace.

   os.rename acts in the same way as os.replace, but is cross-platform
   compatible. Because Buildroot is guaranteed to be built in a POSIX
   environment, it is safe to change replace to rename.

Tested on CentOS6 and Fedora28, All test results passed:
             br-arm-full [1/6]: OK
  br-arm-cortex-a9-glibc [2/6]: OK
   br-arm-cortex-m4-full [3/6]: SKIPPED
          br-x86-64-musl [4/6]: OK
      br-arm-full-static [5/6]: SKIPPED
armv5-ctng-linux-gnueabi [6/6]: OK
6 builds, 2 skipped, 0 build failed, 0 legal-info failed

Signed-off-by: Adam Duskett <aduskett@gmail.com>
[Thomas:
 - remove PYTHON3_LIBTOOL_PATCH = NO
 - improve the solution in patch 0030-Fix-cross-compiling-the-uuid-module
 - add patch 0031-Add-an-option-to-disable-uuid-module]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-08-18 11:17:07 +02:00
Thomas Petazzoni
e2c03d54bb Revert "python3: bump to 2.6.4"
This reverts commit 233202597d, which
causes a lot of build failures. Part of the Python build process tries
to use os.replace(), which is only available since Python 3.3. It
should work if the host-python being built was used, but unfortunately
the system Python ends up being used, causing the build failure.

Fixes:

  http://autobuild.buildroot.net/results/ed95a7ded6bd6c17bd0820b3a96862487b71eb2b/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-02-05 07:08:42 +01:00
Adam Duskett
233202597d python3: bump to 2.6.4
Also update necessary patches.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-03 08:26:16 +01:00
Bernd Kuhls
e877fb4fe2 package/python3: bump version to 3.6.3
Changed _SITE to https.

Release notes:
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-3-final

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-10-15 15:52:18 +02:00
Andrey Smirnov
6e6e8d37b5 package/python3: bump to 3.6.2
Bump Python3 version to 3.6.2.

Patches dropped:

"Support PGEN_FOR_BUILD and FREEZE_IMPORTLIB_FOR_BUILD"

Rationale: With commit 9d02f562961efd12d3c8317a10916db7f77330cc, code
generation step of building CPython now became explicit (instead of
always performed as a part of 'make' invocation) and more granular. We
no longer need to use Parser/pgen at all and tricking the build system
into using different Programs/_freeze_importlib can be done as a part
of recipe.

Additional info about the build change can be found at
https://bugs.python.org/issue23404

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-20 19:53:42 +02:00
Ricardo Martincoski
9576defc4b package: remove empty line at end of file
Occurrences were searched using [1]:
check-package --include-only EmptyLastLine $(find * -type f)
and manually removed.

[1] http://patchwork.ozlabs.org/patch/729666/

Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-06 22:40:07 +02:00
Andrey Smirnov
d2afa01f76 python3: Bump version to 3.6.1
Update all appropriate version numbers as well as SHAs and MD5s as well
as rebasing BR's patches on top of 3.6.1 codebase (new github repo
tree, v3.6.1 tag was used). Note that patch:

   [PATCH] Change the install location of _sysconfigdata.py

was dropped due to the fact that build system now adds platform
specific suffix to sysconfigdata's name, so each platform's file
should have a unique name and distutils now allows to specify which
sysconfigdata is used via _PYTHON_SYSCONFIGDATA_NAME

see:

    c4b53afce4
    92dec548ff

and patches:

    [PATCH] distutils/sysconfig: use sysconfigdata
    [PATCH] setup.py: do not add invalid header locations
    [PATCH] Do not harcode invalid path to ncursesw headers

was dropped since it looks like it made its way upstream, see:

    409482251b
    1351c31aa9
    e13c3201fb

respectively.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-03-25 15:18:49 +01:00
Bernd Kuhls
aa34198824 package/python3: bump to version 3.5.2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-06-29 22:10:39 +02:00
Thomas Petazzoni
476f5fc8f6 python3: bump to 3.5.1
The major changes in terms of Buildroot packaging are:

 - Due to PEP488, Python no longer generates .pyc (unoptimized) and
   .pyo (optimized) byte-code files. Instead, it generates <foo>.pyc,
   <foo>.opt-1.pyc and <foo>.opt-2.pyc. Therefore, we removed the
   --disable-pyo-build option and kept only the --disable-pyc-build
   option, which completely disables building all .pyc files. In
   addition, since the optimized .opt-X.pyc files don't work if the
   corresponding un-optimized .pyc file is not present, we are for the
   moment unconditionally removing the optimized ones (keeping both
   the unoptimized and optimized ones doubles the required filesystem
   size!). So basically we preserve the behavior we had before this
   commit:

     BR2_PACKAGE_PYTHON3_PY_ONLY -> only *.py
     BR2_PACKAGE_PYTHON3_PYC_ONLY -> only non-optimized *.pyc
     BR2_PACKAGE_PYTHON3_PY_PYC -> both the *.py and non-optimized *.pyc

   To achieve this, the TARGET_FINALIZE_HOOKS are reworked:

    PYTHON3_REMOVE_PY_FILES is responsible for removing *.py files in
    the BR2_PACKAGE_PYTHON3_PYC_ONLY case.

    PYTHON3_REMOVE_PYC_FILES is responsible for removing *.pyc files
    in the BR2_PACKAGE_PYTHON3_PY_ONLY case.

    PYTHON3_REMOVE_OPTIMIZED_PYC_FILES is responsible for removing the
    optimized *.opt-1.pyc and *.opt-2.pyc files, which is done
    unconditionally.

 - The PEP3147 disabling patch had to be significantly reworked due to
   the code having changed heavily. The code was moved into a
   _bootstrap_external.py, which is a "frozen" Python module, i.e. a
   module generated into a .h file at compile time using the
   _freeze_importlib program.

 - Due to the above, we now need to regenerate importlib.h at build
   time. Unfortunately, for the target Python _freeze_importlib is
   built for the target, so we can't run it on the build machine. To
   fix this, we copy the _freeze_importlib program from the
   host-python in $(HOST_DIR), and then patch the target python to use
   it. Since the same solution can be used for 'pgen', we do it, and
   avoid having to touch the graminit.{c,h} files.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-05-17 22:46:17 +02:00
Thomas Petazzoni
a692a251d4 python3: add hash file
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-04-28 00:26:47 +02:00