diff options
Diffstat (limited to 'poky/meta/recipes-devtools/python/python3')
5 files changed, 173 insertions, 12 deletions
diff --git a/poky/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/poky/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch new file mode 100644 index 000000000..319e7ed07 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch @@ -0,0 +1,132 @@ +From 90d56127ae15b1e452755e62c77dc475dedf7161 Mon Sep 17 00:00:00 2001 +From: jpic <jpic@users.noreply.github.com> +Date: Wed, 17 Jul 2019 23:54:25 +0200 +Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079) + +Before: + + >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses + (Address(display_name='', username='a', domain='malicious.org'),) + + >>> parseaddr('a@malicious.org@important.com') + ('', 'a@malicious.org') + + After: + + >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses + (Address(display_name='', username='', domain=''),) + + >>> parseaddr('a@malicious.org@important.com') + ('', 'a@') + +https://bugs.python.org/issue34155 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9] + +CVE: CVE-2019-16056 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + Lib/email/_header_value_parser.py | 2 ++ + Lib/email/_parseaddr.py | 11 ++++++++++- + Lib/test/test_email/test__header_value_parser.py | 10 ++++++++++ + Lib/test/test_email/test_email.py | 14 ++++++++++++++ + .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 + + 5 files changed, 37 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst + +diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py +index fc00b4a098..bbc026ec71 100644 +--- a/Lib/email/_header_value_parser.py ++++ b/Lib/email/_header_value_parser.py +@@ -1582,6 +1582,8 @@ def get_domain(value): + token, value = get_dot_atom(value) + except errors.HeaderParseError: + token, value = get_atom(value) ++ if value and value[0] == '@': ++ raise errors.HeaderParseError('Invalid Domain') + if leader is not None: + token[:0] = [leader] + domain.append(token) +diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py +index cdfa3729ad..41ff6f8c00 100644 +--- a/Lib/email/_parseaddr.py ++++ b/Lib/email/_parseaddr.py +@@ -379,7 +379,12 @@ class AddrlistClass: + aslist.append('@') + self.pos += 1 + self.gotonext() +- return EMPTYSTRING.join(aslist) + self.getdomain() ++ domain = self.getdomain() ++ if not domain: ++ # Invalid domain, return an empty address instead of returning a ++ # local part to denote failed parsing. ++ return EMPTYSTRING ++ return EMPTYSTRING.join(aslist) + domain + + def getdomain(self): + """Get the complete domain name from an address.""" +@@ -394,6 +399,10 @@ class AddrlistClass: + elif self.field[self.pos] == '.': + self.pos += 1 + sdlist.append('.') ++ elif self.field[self.pos] == '@': ++ # bpo-34155: Don't parse domains with two `@` like ++ # `a@malicious.org@important.com`. ++ return EMPTYSTRING + elif self.field[self.pos] in self.atomends: + break + else: +diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py +index 693487bc96..7dc4de1b7b 100644 +--- a/Lib/test/test_email/test__header_value_parser.py ++++ b/Lib/test/test_email/test__header_value_parser.py +@@ -1438,6 +1438,16 @@ class TestParser(TestParserMixin, TestEmailBase): + self.assertEqual(addr_spec.domain, 'example.com') + self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com') + ++ def test_get_addr_spec_multiple_domains(self): ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a.star@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@172.17.0.1@example.com') ++ + # get_obs_route + + def test_get_obs_route_simple(self): +diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py +index c29cc56203..aa775881c5 100644 +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py +@@ -3041,6 +3041,20 @@ class TestMiscellaneous(TestEmailBase): + self.assertEqual(utils.parseaddr('<>'), ('', '')) + self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '') + ++ def test_parseaddr_multiple_domains(self): ++ self.assertEqual( ++ utils.parseaddr('a@b@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@b.c@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@172.17.0.1@c'), ++ ('', '') ++ ) ++ + def test_noquote_dump(self): + self.assertEqual( + utils.formataddr(('A Silly Person', 'person@dom.ain')), +diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +new file mode 100644 +index 0000000000..50292e29ed +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +@@ -0,0 +1 @@ ++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic. diff --git a/poky/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/poky/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch index 1741f5753..1709011be 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch @@ -1,4 +1,4 @@ -From 17796e353acf08acd604610f34840a4a9d2f4b54 Mon Sep 17 00:00:00 2001 +From eff903c600f4c40f5753e95ab1557126fc6e0c9c Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Thu, 31 Jan 2019 16:46:30 +0100 Subject: [PATCH] distutils/sysconfig: append @@ -15,10 +15,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 2 files changed, 4 insertions(+) diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py -index e07a6c8..6b8c129 100644 +index 0a034ee..3dfd0a3 100644 --- a/Lib/distutils/sysconfig.py +++ b/Lib/distutils/sysconfig.py -@@ -421,6 +421,8 @@ def _init_posix(): +@@ -439,6 +439,8 @@ def _init_posix(): platform=sys.platform, multiarch=getattr(sys.implementation, '_multiarch', ''), )) @@ -28,10 +28,10 @@ index e07a6c8..6b8c129 100644 build_time_vars = _temp.build_time_vars global _config_vars diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py -index 9ee4d31..e586abd 100644 +index 87fa5e6..756a41c 100644 --- a/Lib/sysconfig.py +++ b/Lib/sysconfig.py -@@ -412,6 +412,8 @@ def _init_posix(vars): +@@ -419,6 +419,8 @@ def _init_posix(vars): """Initialize the module as appropriate for POSIX systems.""" # _sysconfigdata is generated at build time, see _generate_posix_vars() name = _get_sysconfigdata_name() diff --git a/poky/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch b/poky/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch index a0ed7cc83..a146c747f 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch @@ -1,4 +1,4 @@ -From ffe7797637f08cd6ee4c82e2d67462c5e194d30a Mon Sep 17 00:00:00 2001 +From 5ce3ac59531828ff682646fbba59b2126b28a8aa Mon Sep 17 00:00:00 2001 From: Jaewon Lee <jaewon.lee@xilinx.com> Date: Thu, 25 Apr 2019 15:34:26 -0700 Subject: [PATCH] main.c: if OEPYTHON3HOME is set use instead of PYTHONHOME @@ -12,15 +12,16 @@ to set a different path for python3 Signed-off-by: Jaewon Lee <jaewon.lee@xilinx.com> Upstream-Status: Inappropriate [OE specific configuration] + --- Modules/main.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/Modules/main.c b/Modules/main.c -index a745381..b553e30 100644 +index acc59c6..407085a 100644 --- a/Modules/main.c +++ b/Modules/main.c -@@ -1855,10 +1855,19 @@ config_init_home(_PyCoreConfig *config) +@@ -1834,10 +1834,19 @@ config_init_home(_PyCoreConfig *config) } return _Py_INIT_OK(); } @@ -44,6 +45,3 @@ index a745381..b553e30 100644 } config->home = home; return _Py_INIT_OK(); --- -2.7.4 - diff --git a/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch new file mode 100644 index 000000000..c15295c03 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch @@ -0,0 +1,31 @@ +From e3b59cb9658e1d3efa3535840939a0fa92a70a5a Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex.kanavin@gmail.com> +Date: Mon, 7 Oct 2019 13:22:14 +0200 +Subject: [PATCH] setup.py: do not report missing dependencies for disabled + modules + +Reporting those missing dependencies is misleading as the modules would not +have been built anyway. This particularly matters in oe-core's automated +build completeness checker which relies on the report. + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> +--- + setup.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/setup.py b/setup.py +index 4b53668..0097643 100644 +--- a/setup.py ++++ b/setup.py +@@ -365,6 +365,10 @@ class PyBuildExt(build_ext): + print("%-*s %-*s %-*s" % (longest, e, longest, f, + longest, g)) + ++ # There is no need to report missing module dependencies, ++ # if the modules have been disabled in the first place. ++ missing = list(set(missing) - set(sysconf_dis)) ++ + if missing: + print() + print("Python build finished successfully!") diff --git a/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch index 0bafec73c..d49604ba4 100644 --- a/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch +++ b/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch @@ -1,4 +1,4 @@ -From 6229502e5ae6cbb22240594f002638e9ef78f831 Mon Sep 17 00:00:00 2001 +From a274ba778838824efcacaba57c415b7262f779ec Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Tue, 14 May 2013 15:00:26 -0700 Subject: [PATCH] python3: Add target and native recipes |