Diffstat (limited to 'poky/meta/recipes-devtools/python')
12 files changed, 289 insertions, 44 deletions
diff --git a/poky/meta/recipes-devtools/python/python-native/debug.patch b/poky/meta/recipes-devtools/python/python-native/debug.patch deleted file mode 100644 index 361788264..000000000 --- a/poky/meta/recipes-devtools/python/python-native/debug.patch +++ /dev/null @@ -1,32 +0,0 @@ -Upstream-Status: Pending - -Index: Python-2.7.12/Lib/distutils/unixccompiler.py -=================================================================== ---- Python-2.7.12.orig/Lib/distutils/unixccompiler.py -+++ Python-2.7.12/Lib/distutils/unixccompiler.py -@@ -278,6 +278,8 @@ class UnixCCompiler(CCompiler): - - - -+ print "Looking in %s for %s" % (lib, dirs) -+ - for dir in dirs: - shared = os.path.join(dir, shared_f) - dylib = os.path.join(dir, dylib_f) -@@ -298,12 +300,16 @@ class UnixCCompiler(CCompiler): - # assuming that *all* Unix C compilers do. And of course I'm - # ignoring even GCC's "-static" option. So sue me. - if os.path.exists(dylib): -+ print "Found %s" % (dylib) - return dylib - elif os.path.exists(xcode_stub): -+ print "Found %s" % (xcode_stub) - return xcode_stub - elif os.path.exists(shared): -+ print "Found %s" % (shared) - return shared - elif os.path.exists(static): -+ print "Found %s" % (static) - return static - - # Oops, didn't find it in *any* of 'dirs' diff --git a/poky/meta/recipes-devtools/python/python-native_2.7.16.bb b/poky/meta/recipes-devtools/python/python-native_2.7.16.bb index b7442800d..90103af8b 100644 --- a/poky/meta/recipes-devtools/python/python-native_2.7.16.bb +++ b/poky/meta/recipes-devtools/python/python-native_2.7.16.bb @@ -7,7 +7,6 @@ SRC_URI += "\ file://10-distutils-fix-swig-parameter.patch \ file://11-distutils-never-modify-shebang-line.patch \ file://0001-distutils-set-the-prefix-to-be-inside-staging-direct.patch \ - file://debug.patch \ file://unixccompiler.patch \ file://nohostlibs.patch \ file://multilib.patch \ 
diff --git a/poky/meta/recipes-devtools/python/python-setuptools.inc b/poky/meta/recipes-devtools/python/python-setuptools.inc index 322197eed..027e259be 100644 --- a/poky/meta/recipes-devtools/python/python-setuptools.inc +++ b/poky/meta/recipes-devtools/python/python-setuptools.inc @@ -10,8 +10,8 @@ inherit pypi SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch" -SRC_URI[md5sum] = "a3470ce184da33f0fa6c9f44f6221bc0" -SRC_URI[sha256sum] = "66b86bbae7cc7ac2e867f52dc08a6bd064d938bac59dfec71b9b565dd36d6012" +SRC_URI[md5sum] = "89a592d733b31e180a4b6ad760c0685a" +SRC_URI[sha256sum] = "7eae782ccf36b790c21bde7d86a4f303a441cd77036b25c559a602cf5186ce4d" DEPENDS += "${PYTHON_PN}" diff --git a/poky/meta/recipes-devtools/python/python-setuptools_41.2.0.bb b/poky/meta/recipes-devtools/python/python-setuptools_41.4.0.bb index cf9440495..cf9440495 100644 --- a/poky/meta/recipes-devtools/python/python-setuptools_41.2.0.bb +++ b/poky/meta/recipes-devtools/python/python-setuptools_41.4.0.bb diff --git a/poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch new file mode 100644 index 000000000..3025cf7bc --- /dev/null +++ b/poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch 
@@ -0,0 +1,101 @@ +From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001 +From: Dong-hee Na <donghee.na92@gmail.com> +Date: Tue, 1 Oct 2019 19:58:01 +0900 +Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer + (GH-16447) + +Escape the server title of DocXMLRPCServer.DocXMLRPCServer +when rendering the document page as HTML. + +CVE: CVE-2019-16935 + +Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + Lib/DocXMLRPCServer.py | 13 +++++++++++- + Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++ + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py +index 4064ec2e48..90b037dd35 100644 +--- a/Lib/DocXMLRPCServer.py ++++ b/Lib/DocXMLRPCServer.py +@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer, + CGIXMLRPCRequestHandler, + resolve_dotted_attribute) + ++ ++def _html_escape_quote(s): ++ s = s.replace("&", "&") # Must be done first! ++ s = s.replace("<", "<") ++ s = s.replace(">", ">") ++ s = s.replace('"', """) ++ s = s.replace('\'', "'") ++ return s ++ ++ + class ServerHTMLDoc(pydoc.HTMLDoc): + """Class used to generate pydoc HTML document for a server""" + +@@ -210,7 +220,8 @@ class XMLRPCDocGenerator: + methods + ) + +- return documenter.page(self.server_title, documentation) ++ title = _html_escape_quote(self.server_title) ++ return documenter.page(title, documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. 
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index 4dff4159e2..c45b892b8b 100644 +--- a/Lib/test/test_docxmlrpc.py ++++ b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from DocXMLRPCServer import DocXMLRPCServer + import httplib ++import re + import sys + from test import test_support + threading = test_support.import_module('threading') +@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): + self.assertIn("""Try self.<strong>add</strong>, too.""", + response.read()) + ++ def test_server_title_escape(self): ++ """Test that the server title and documentation ++ are escaped for HTML. ++ """ ++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', ++ title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', ++ documentation) ++ ++ + def test_main(): + test_support.run_unittest(DocXMLRPCHTTPGETServer) + +diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +new file mode 100644 +index 0000000000..8f02baed9e +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +@@ -0,0 +1,3 @@ ++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer` ++when rendering the document page as HTML. ++(Contributed by Dong-hee Na in :issue:`38243`.) +-- +2.17.1 + 
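Review bot: As rendered on this page, every replacement in `_html_escape_quote` maps a character to itself (for example `s.replace("<", "<")`), and `test_server_title_escape` expects `<script>` to appear unchanged inside `<title>`, which read literally would mean the title is not escaped at all. This is most likely the page decoding HTML entities on display rather than a fault in the patch. The patch file on disk should still be checked for the entity forms, e.g. `s = s.replace("<", "&lt;")` and an expected title of `'<title>Python: test_title&lt;script&gt;</title>'`. The same check applies to the expected strings in the python3 `0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch` test later in this commit.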
diff --git a/poky/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/poky/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
new file mode 100644
index 000000000..1b6cb8cf3
--- /dev/null
+++ b/poky/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
@@ -0,0 +1,81 @@ +From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 10 Oct 2019 16:32:19 +0800 +Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in + urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames + +Upstream-Status: Backport + +https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259 +https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7 + +CVE: CVE-2019-10160 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + Lib/test/test_urlparse.py | 19 +++++++++++++------ + Lib/urlparse.py | 14 +++++++++----- + 2 files changed, 22 insertions(+), 11 deletions(-) + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 1830d0b..857ed96 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase): + self.assertIn(u'\u2100', denorm_chars) + self.assertIn(u'\uFF03', denorm_chars) + ++ # bpo-36742: Verify port separators are ignored when they ++ # existed prior to decomposition ++ urlparse.urlsplit(u'http://\u30d5\u309a:80') ++ with self.assertRaises(ValueError): ++ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380') ++ + for scheme in [u"http", u"https", u"ftp"]: +- for c in denorm_chars: +- url = u"{}://netloc{}false.netloc/path".format(scheme, c) +- if test_support.verbose: +- print "Checking %r" % url +- with self.assertRaises(ValueError): +- urlparse.urlsplit(url) ++ for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]: ++ for c in denorm_chars: ++ url = u"{}://{}/path".format(scheme, netloc.format(c)) ++ if test_support.verbose: ++ print "Checking %r" % url ++ with self.assertRaises(ValueError): ++ urlparse.urlsplit(url) + + def test_main(): + test_support.run_unittest(UrlParseTestCase) +diff --git a/Lib/urlparse.py b/Lib/urlparse.py +index 
54eda08..e34b368 100644 +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -171,14 +171,18 @@ def _checknetloc(netloc): + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check + import unicodedata +- netloc2 = unicodedata.normalize('NFKC', netloc) +- if netloc == netloc2: ++ n = netloc.replace(u'@', u'') # ignore characters already included ++ n = n.replace(u':', u'') # but not the surrounding text ++ n = n.replace(u'#', u'') ++ n = n.replace(u'?', u'') ++ ++ netloc2 = unicodedata.normalize('NFKC', n) ++ if n == netloc2: + return +- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay + for c in '/?#@:': + if c in netloc2: +- raise ValueError("netloc '" + netloc2 + "' contains invalid " + +- "characters under NFKC normalization") ++ raise ValueError(u"netloc '" + netloc + u"' contains invalid " + ++ u"characters under NFKC normalization") + + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: +-- +2.7.4 + diff --git a/poky/meta/recipes-devtools/python/python3-pip_19.2.3.bb b/poky/meta/recipes-devtools/python/python3-pip_19.3.1.bb index 019e327e0..d27e6fce5 100644 --- a/poky/meta/recipes-devtools/python/python3-pip_19.2.3.bb +++ b/poky/meta/recipes-devtools/python/python3-pip_19.3.1.bb @@ -6,8 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e" DEPENDS += "python3 python3-setuptools-native" -SRC_URI[md5sum] = "f417444c66a0db1a82c8d9d2283a2f95" -SRC_URI[sha256sum] = "e7a31f147974362e6c82d84b91c7f2bdf57e4d3163d3d454e6c3e71944d67135" +SRC_URI[md5sum] = "1aaaf90fbafc50e7ba1e66ffceb00960" +SRC_URI[sha256sum] = "21207d76c1031e517668898a6b46a9fb1501c7a4710ef5dfd6a40ad9e6757ea7" inherit pypi distutils3 diff --git a/poky/meta/recipes-devtools/python/python3-setuptools_41.2.0.bb b/poky/meta/recipes-devtools/python/python3-setuptools_41.4.0.bb index 0dc1ed862..0dc1ed862 100644 
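Review bot: The `ValueError` raised at the end of `_checknetloc` embeds the caller's original `netloc`, userinfo included, so a caller that logs the exception text can record a `user:password@` prefix from the URL. As this is a backport the code is best kept identical to upstream, but the caveat deserves a comment beside the raise, for example `# message echoes the raw netloc, userinfo included; callers should not log it verbatim`. The comment on the four `replace` calls could also state their purpose more directly: `# strip delimiters already present so only ones introduced by NFKC normalization are rejected`. `_checknetloc` begins before this hunk, so the start of the function is not visible here.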
--- a/poky/meta/recipes-devtools/python/python3-setuptools_41.2.0.bb +++ b/poky/meta/recipes-devtools/python/python3-setuptools_41.4.0.bb diff --git a/poky/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch b/poky/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch new file mode 100644 index 000000000..1a4c93207 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch 
@@ -0,0 +1,86 @@ +From c25abd43e8877b4a7098f79eaacb248710731c2b Mon Sep 17 00:00:00 2001 +From: Dong-hee Na <donghee.na92@gmail.com> +Date: Sat, 28 Sep 2019 04:59:37 +0900 +Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) + +Escape the server title of xmlrpc.server.DocXMLRPCServer +when rendering the document page as HTML. + +CVE: CVE-2019-16935 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++ + Lib/xmlrpc/server.py | 3 ++- + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index f077f05f5b..38215659b6 100644 +--- a/Lib/test/test_docxmlrpc.py ++++ b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from xmlrpc.server import DocXMLRPCServer + import http.client ++import re + import sys + import threading + from test import support +@@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): + b'method_annotation</strong></a>(x: bytes)</dt></dl>'), + response.read()) + ++ def test_server_title_escape(self): ++ # bpo-38243: Ensure that the server title and documentation ++ # are escaped for HTML. 
++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', documentation) ++ + + if __name__ == '__main__': + unittest.main() +diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py +index f1c467eb1b..32aba4df4c 100644 +--- a/Lib/xmlrpc/server.py ++++ b/Lib/xmlrpc/server.py +@@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode + from http.server import BaseHTTPRequestHandler + from functools import partial + from inspect import signature ++import html + import http.server + import socketserver + import sys +@@ -894,7 +895,7 @@ class XMLRPCDocGenerator: + methods + ) + +- return documenter.page(self.server_title, documentation) ++ return documenter.page(html.escape(self.server_title), documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. +diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +new file mode 100644 +index 0000000000..98d7be1295 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +@@ -0,0 +1,3 @@ ++Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` ++when rendering the document page as HTML. ++(Contributed by Dong-hee Na in :issue:`38243`.) +-- +2.17.1 + 
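Review bot: In `test_server_title_escape`, both `re.search(...).group()` calls raise `AttributeError` when the pattern is absent from the generated page. A regression that drops the `<title>` or `<p><tt>` element would then surface as an error rather than a readable assertion failure. Binding the match first keeps the failure legible: `m = re.search(r'<title>(.+?)</title>', generated)`, then `self.assertIsNotNone(m)`, then compare `m.group()`. The test body in the 2.7 patch earlier in this commit has the same shape and would benefit from the same change.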
diff --git a/poky/meta/recipes-devtools/python/python3/python3-manifest.json b/poky/meta/recipes-devtools/python/python3/python3-manifest.json index 1ad85a9ff..dba92b0e3 100644 --- a/poky/meta/recipes-devtools/python/python3/python3-manifest.json +++ b/poky/meta/recipes-devtools/python/python3/python3-manifest.json @@ -210,7 +210,10 @@ "summary": "Python interpreter and core modules", "rdepends": [], "files": [ - "${bindir}/python*[!-config]", + "${bindir}/python3", + "${bindir}/python${PYTHON_MAJMIN}", + "${bindir}/python${PYTHON_MAJMIN}.real", + "${bindir}/python${PYTHON_BINABI}", "${includedir}/python${PYTHON_BINABI}/pyconfig*.h", "${prefix}/lib/python${PYTHON_MAJMIN}/config*/*[!.a]", "${libdir}/python${PYTHON_MAJMIN}/UserDict.py", @@ -487,7 +490,7 @@ "files": [ "${base_libdir}/*.a", "${base_libdir}/*.o", - "${bindir}/python*-config", + "${bindir}/python*-config*", "${datadir}/aclocal", "${datadir}/pkgconfig", "${includedir}", @@ -498,7 +501,8 @@ "${libdir}/pkgconfig" ], "rdepends": [ - "core" + "core", + "distutils" ], "summary": "Python development package" }, diff --git a/poky/meta/recipes-devtools/python/python3_3.7.4.bb b/poky/meta/recipes-devtools/python/python3_3.7.4.bb index c8b63fee9..dd61c0aa4 100644 --- a/poky/meta/recipes-devtools/python/python3_3.7.4.bb +++ b/poky/meta/recipes-devtools/python/python3_3.7.4.bb @@ -30,6 +30,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_locale.py-correct-the-test-output-format.patch \ file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \ file://0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ + file://0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch \ " SRC_URI_append_class-native = " \ 
@@ -59,9 +60,9 @@ inherit autotools pkgconfig qemu ptest multilib_header update-alternatives MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}" -ALTERNATIVE_${PN}-dev = "python-config" -ALTERNATIVE_LINK_NAME[python-config] = "${bindir}/python${PYTHON_BINABI}-config" -ALTERNATIVE_TARGET[python-config] = "${bindir}/python${PYTHON_BINABI}-config-${MULTILIB_SUFFIX}" +ALTERNATIVE_${PN}-dev = "python3-config" +ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_BINABI}-config" +ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_BINABI}-config-${MULTILIB_SUFFIX}" DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2" @@ -303,11 +304,14 @@ do_create_manifest[depends] += "${PN}:do_prepare_recipe_sysroot" do_create_manifest[depends] += "${PN}:do_patch" # manual dependency additions -RPROVIDES_${PN}-modules = "${PN}" RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules" RRECOMMENDS_${PN}-crypt_append_class-target = " openssl ca-certificates" RRECOMMENDS_${PN}-crypt_append_class-nativesdk = " openssl ca-certificates" +# For historical reasons PN is empty and provided by python3-modules +FILES_${PN} = "" +RPROVIDES_${PN}-modules = "${PN}" + FILES_${PN}-pydoc += "${bindir}/pydoc${PYTHON_MAJMIN} ${bindir}/pydoc3" FILES_${PN}-idle += "${bindir}/idle3 ${bindir}/idle${PYTHON_MAJMIN}" diff --git a/poky/meta/recipes-devtools/python/python_2.7.16.bb b/poky/meta/recipes-devtools/python/python_2.7.16.bb index aec877825..625c5312a 100644 --- a/poky/meta/recipes-devtools/python/python_2.7.16.bb +++ b/poky/meta/recipes-devtools/python/python_2.7.16.bb 
@@ -31,6 +31,8 @@ SRC_URI += " \ file://float-endian.patch \ file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ + file://bpo-36742-cve-2019-10160.patch \ + file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \ " S = "${WORKDIR}/Python-${PV}" |
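Review bot: The two CVE backports are added only to this target recipe's `SRC_URI`. `python-native_2.7.16.bb`, which this commit also edits, keeps its own `SRC_URI +=` list and gains neither `file://bpo-36742-cve-2019-10160.patch` nor `file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch`. Whether the native recipe picks them up from a shared include is not visible in this diff. It is worth confirming that the build-host interpreter is covered, or stating in the commit message that it is deliberately left out. If it is not covered, adding the same two `file://` lines to the native recipe would keep host and target interpreters at the same patch level.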