author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-11-04 21:55:29 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-11-04 21:56:09 +0300 |
commit | 64c979e88e6d0917b6fe45e52e381affec150afd (patch) | |
tree | a0e35da2075116b2d1d43813cc3f7f57f99d843a /poky/meta/recipes-devtools/python | |
parent | 868407c65d79e82e83c37f7c32bef9a2e2bc4cd5 (diff) | |
download | openbmc-64c979e88e6d0917b6fe45e52e381affec150afd.tar.xz |
poky: subtree update:52a625582e..7035b4b21e
Adrian Bunk (9):
squashfs-tools: Upgrade to 4.4
screen: Upgrade 4.6.2 -> 4.7.0
stress-ng: Upgrade 0.10.00 -> 0.10.08
nspr: Upgrade 4.21 -> 4.23
gcc: Remove stale gcc 8 patchfile
gnu-efi: Upgrade 3.0.9 -> 3.0.10
python3-numpy: Stop shipping manual config files
coreutils: Move stdbuf into an own package coreutils-stdbuf
gnu-efi: Upgrade 3.0.10 -> 3.0.11
Alessio Igor Bogani (1):
systemtap: support usrmerge
Alexander Hirsch (1):
libksba: Fix license specification
Alexander Kanavin (6):
gcr: update to 3.34.0
btrfs-tools: update to 5.3
libmodulemd-v1: update to 1.8.16
selftest: skip virgl test on centos 7 entirely
nfs-utils: do not depend on bash unnecessarily
selftest: add a test for gpl3-free images
Alistair Francis (4):
opensbi: Bump from 0.4 to 0.5
u-boot: Bump from 2019.07 to 2019.10
qemuriscv64: Build smode U-Boot
libsdl2: Fix build failure when using mesa 19.2.1
Andreas Müller (4):
adwaita-icon-theme: upgrade 3.32.0 -> 3.34.0
gsettings-desktop-schemas: upgrade 3.32.0 -> 3.34.0
IMAGE_LINGUAS_COMPLEMENTARY: auto-add language packages other than locales
libical: add PACKAGECONFIG glib and enable it by default
André Draszik (10):
testimage.bbclass: support hardware-controlled targets
testimage.bbclass: enable ssh agent forwarding
oeqa/runtime/df: don't fail on long device names
oeqa/core/decorator: add skipIfFeature
oeqa/runtime/opkg: skip install on read-only-rootfs
oeqa/runtime/systemd: skip unit enable/disable on read-only-rootfs
ruby: update to v2.6.4
ruby: some ptest fixes
oeqa/runtime/context.py: ignore more files when loading controllers
connman: mark connman-wait-online as SYSTEMD_PACKAGE
Bruce Ashfield (6):
linux-yocto/4.19: update to v4.19.78
linux-yocto/5.2: update to v5.2.20
perf: fix v5.4+ builds
perf: create directories before copying single files
perf: add 'cap' PACKAGECONFIG
perf: drop 'include' copy
Carlos Rafael Giani (12):
gstreamer1.0: upgrade to version 1.16.1
gstreamer1.0-plugins-base: upgrade to version 1.16.1
gstreamer1.0-plugins-good: upgrade to version 1.16.1
gstreamer1.0-plugins-bad: upgrade to version 1.16.1
gstreamer1.0-plugins-ugly: upgrade to version 1.16.1
gstreamer1.0-libav: upgrade to version 1.16.1
gstreamer1.0-vaapi: upgrade to version 1.16.1
gstreamer1.0-omx: upgrade to version 1.16.1
gstreamer1.0-python: upgrade to version 1.16.1
gstreamer1.0-rtsp-server: upgrade to version 1.16.1
gst-validate: upgrade to version 1.16.1
gstreamer: Change SRC_URI to use HTTPS access instead of HTTP
Changqing Li (4):
qemu: Fix CVE-2019-12068
python: Fix CVE-2019-10160
sudo: fix CVE-2019-14287
mdadm: fix do_package failed when changed local.conf but not cleaned
Chee Yang Lee (2):
wic/help: change 'wic write' help description
wic/engine: use 'linux-swap' for swap file system
Chen Qi (3):
go: fix CVE-2019-16276
python3: fix CVE-2019-16935
python: fix CVE-2019-16935
Chris Laplante via bitbake-devel (2):
bitbake: bitbake: contrib/vim: initial commit, with unmodified code from indent/python.vim
bitbake: bitbake: contrib/vim: Modify Python indentation to work with 'python do_task {'
Christopher Larson (2):
bitbake: fetch2/git: fetch shallow revs when needed
bitbake: tests/fetch: add test for fetching shallow revs
Dan Callaghan (1):
elfutils: add PACKAGECONFIG for compression algorithms
Douglas Royds via Openembedded-core (1):
icecc: Export ICECC_CC and friends via wrapper-script
Eduardo Abinader (1):
devtool: add ssh key option to deploy-target param
Eugene Smirnov (1):
wic/rawcopy: Support files in sub-directories
Ferry Toth (1):
sudo: Fix fetching sources
Frazer Leslie Clews (2):
makedevs: fix format strings in makedevs.c in print statements
makedevs: fix invalidScanfFormatWidth to prevent overflowing usr_buf
George McCollister (1):
openssl: make OPENSSL_ENGINES match install path
Haiqing Bai (1):
unfs3: fixed the issue that unfsd consumes 100% CPU
He Zhe (1):
ltp: Fix overcommit_memory failure
Hongxu Jia (1):
openssh: fix CVE-2019-16905
Joe Slater (2):
libtiff: fix CVE-2019-17546
libxslt: fix CVE-2019-18197
Kai Kang (1):
bind: fix CVE-2019-6471 and CVE-2018-5743
Liwei Song (1):
util-linux: fix PKNAME name is NULL when use lsblk [LIN1019-2963]
Mattias Hansson (1):
base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot
Max Tomago (1):
python-native: Remove debug.patch
Maxime Roussin-Bélanger (2):
meta: update and add missing homepage/bugtracker links
meta: add missing description in recipes-gnome
Michael Ho (1):
cmake.bbclass: add HOSTTOOLS_DIR to CMAKE_FIND_ROOT_PATH
Mike Crowe (2):
kernel-fitimage: Cope with non-standard kernel deploy subdirectory
kernel-devicetree: Cope with non-standard kernel deploy subdirectory
Mikko Rapeli (1):
systemd.bbclass: enable all services specified in ${SYSTEMD_SERVICE}
Nicola Lunghi (1):
ofono: tidy up the recipe
Ola x Nilsson (10):
oeqa/selftest/recipetool: Use with to control file handle lifetime
oe.types.path: Use with to control file handle lifetime
lib/oe/packagedata: Use with to control file handle lifetime
lib/oe/package_manager: Use with to control file handle lifetime
report-error.bbclass: Use with to control file handle lifetime
package.bbclass: Use with to manage file handle lifetimes
devtool-source.bbclass: Use with to manage file handle lifetime
libc-package.bbclass: Use with to manage filehandle in do_spit_gconvs
bitbake: bitbake: prserv/serv: Use with while reading pidfile
bitbake: bitbake: ConfHandler: Use with to manage filehandle lifetime
Oleksandr Kravchuk (4):
ell: update to 0.23
ell: update to 0.25
ell: update to 0.26
ofono: update to 1.31
Ricardo Ribalda Delgado (1):
i2c-tools: Add missing RDEPEND
Richard Leitner (1):
kernel-fitimage: introduce FIT_SIGN_ALG
Richard Purdie (4):
tinderclient: Drop obsolete class
meson: Backport fix to assist meta-oe breakage
nfs-utils: Improve handling when no exported filesystems
qemu: Avoid potential build configuration contamination
Robert Yang (1):
bluez5: Fix for --enable-btpclient
Ross Burton (29):
sanity: check the format of SDK_VENDOR
file: explicitly disable seccomp
python3: -dev should depend on distutils
gawk: add PACKAGECONFIG for readline
python3: alternative name is python3-config not python-config
python3: ensure that all forms of python3-config are in python3-dev
oeqa/selftest: use specialist assert* methods
bluez5: refresh upstreamed patches
xorgproto: fix summary
libx11: upgrade to 1.6.9
xorgproto: upgrade to 2019.2
llvm: add missing Upstream-Status tags
buildhistory-analysis: filter out -src changes by default
squashfs-tools: remove redundant source checksums
squashfs-tools: clean up compile/install tasks
wpa-supplicant: fix CVE-2019-16275
gcr: remove intltool-native
elfutils: disable bzip
cve-check: ensure all known CVEs are in the report
git: some tools are no longer perl, so move to main recipe
git: cleanup man install
qemu-helper-native: add missing option to getopt() call
qemu-helper-native: showing help shouldn't be an error
qemu-helper-native: pass compiler flags
oeqa/selftest: add test for oe-run-native
cve-check: failure to parse versions should be more visible
gst-examples: rename so PV is in filename
sanity: check for more bits of Python
recipeutils-test: use a small dependency in the dummy recipe
Sai Hari Chandana Kalluri (1):
devtool: Add --remove-work option for devtool reset command
Scott Rifenbark (9):
ref-manual: First pass of 2.8 migration changes (WIP)
poky.ent: Updated the release date to October 2019
dev-manual: Added info to "Selecting an Initialization Manager"
ref-manual: 2nd pass 3.0 migration
documentation: Changed "2.8" to "3.0".
ref-manual: Removed deprecated link to ref-classes-bluetooth
ref-manual, dev-manual: Clean up of a commit
ref-manual: Updated the BUSYBOX_SPLIT_SUID variable.
ref-manual, dev-manual: Added CMake toolchain files.
Stefan Agner (1):
uninative: check .done file instead of tarball
Tom Benn (1):
dbus: update dbus-1.init to reflect new PID file
Trevor Gamblin (5):
aspell: upgrade from 0.60.7 to 0.60.8
binutils: fix CVE-2019-17450
binutils: fix CVE-2019-17451
ncurses: fix CVE-2019-17594, CVE-2019-17595
libgcrypt: upgrade 1.8.4 -> 1.8.5
Trevor Woerner (1):
libcap-ng: undefined reference to `pthread_atfork'
Wenlin Kang (1):
sysstat: fix CVE-2019-16167
Yann Dirson (1):
mesa: fix meson configure fix when 'dri' is excluded from PACKAGECONFIG
Yeoh Ee Peng (1):
scripts/oe-pkgdata-util: Enable list-pkgs to print ordered packages
Yi Zhao (2):
libsdl2: fix CVE-2019-13616
libgcrypt: fix CVE-2019-12904
Zang Ruochen (6):
bison: upgrade 3.4.1 -> 3.4.2
e2fsprogs: upgrade 1.45.3 -> 1.45.4
libxvmc: upgrade 1.0.11 -> 1.0.12
python3-pip: upgrade 19.2.3 -> 19.3.1
python-setuptools: upgrade 41.2.0 -> 41.4.0
libcap-ng: upgrade 0.7.9 -> 0.7.10
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Change-Id: I50bc42f74dffdc406ffc0dea034e41462fe6e06b
Diffstat (limited to 'poky/meta/recipes-devtools/python')
12 files changed, 289 insertions, 44 deletions
diff --git a/poky/meta/recipes-devtools/python/python-native/debug.patch b/poky/meta/recipes-devtools/python/python-native/debug.patch deleted file mode 100644 index 3617882640..0000000000 --- a/poky/meta/recipes-devtools/python/python-native/debug.patch +++ /dev/null @@ -1,32 +0,0 @@ -Upstream-Status: Pending - -Index: Python-2.7.12/Lib/distutils/unixccompiler.py -=================================================================== ---- Python-2.7.12.orig/Lib/distutils/unixccompiler.py -+++ Python-2.7.12/Lib/distutils/unixccompiler.py -@@ -278,6 +278,8 @@ class UnixCCompiler(CCompiler): - - - -+ print "Looking in %s for %s" % (lib, dirs) -+ - for dir in dirs: - shared = os.path.join(dir, shared_f) - dylib = os.path.join(dir, dylib_f) -@@ -298,12 +300,16 @@ class UnixCCompiler(CCompiler): - # assuming that *all* Unix C compilers do. And of course I'm - # ignoring even GCC's "-static" option. So sue me. - if os.path.exists(dylib): -+ print "Found %s" % (dylib) - return dylib - elif os.path.exists(xcode_stub): -+ print "Found %s" % (xcode_stub) - return xcode_stub - elif os.path.exists(shared): -+ print "Found %s" % (shared) - return shared - elif os.path.exists(static): -+ print "Found %s" % (static) - return static - - # Oops, didn't find it in *any* of 'dirs' diff --git a/poky/meta/recipes-devtools/python/python-native_2.7.16.bb b/poky/meta/recipes-devtools/python/python-native_2.7.16.bb index b7442800d9..90103af8be 100644 --- a/poky/meta/recipes-devtools/python/python-native_2.7.16.bb +++ b/poky/meta/recipes-devtools/python/python-native_2.7.16.bb @@ -7,7 +7,6 @@ SRC_URI += "\ file://10-distutils-fix-swig-parameter.patch \ file://11-distutils-never-modify-shebang-line.patch \ file://0001-distutils-set-the-prefix-to-be-inside-staging-direct.patch \ - file://debug.patch \ file://unixccompiler.patch \ file://nohostlibs.patch \ file://multilib.patch \ 
diff --git a/poky/meta/recipes-devtools/python/python-setuptools.inc b/poky/meta/recipes-devtools/python/python-setuptools.inc index 322197eed8..027e259be8 100644 --- a/poky/meta/recipes-devtools/python/python-setuptools.inc +++ b/poky/meta/recipes-devtools/python/python-setuptools.inc @@ -10,8 +10,8 @@ inherit pypi SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch" -SRC_URI[md5sum] = "a3470ce184da33f0fa6c9f44f6221bc0" -SRC_URI[sha256sum] = "66b86bbae7cc7ac2e867f52dc08a6bd064d938bac59dfec71b9b565dd36d6012" +SRC_URI[md5sum] = "89a592d733b31e180a4b6ad760c0685a" +SRC_URI[sha256sum] = "7eae782ccf36b790c21bde7d86a4f303a441cd77036b25c559a602cf5186ce4d" DEPENDS += "${PYTHON_PN}" diff --git a/poky/meta/recipes-devtools/python/python-setuptools_41.2.0.bb b/poky/meta/recipes-devtools/python/python-setuptools_41.4.0.bb index cf9440495b..cf9440495b 100644 --- a/poky/meta/recipes-devtools/python/python-setuptools_41.2.0.bb +++ b/poky/meta/recipes-devtools/python/python-setuptools_41.4.0.bb diff --git a/poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch new file mode 100644 index 0000000000..3025cf7bc8 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch 
@@ -0,0 +1,101 @@ +From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001 +From: Dong-hee Na <donghee.na92@gmail.com> +Date: Tue, 1 Oct 2019 19:58:01 +0900 +Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer + (GH-16447) + +Escape the server title of DocXMLRPCServer.DocXMLRPCServer +when rendering the document page as HTML. + +CVE: CVE-2019-16935 + +Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + Lib/DocXMLRPCServer.py | 13 +++++++++++- + Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++ + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py +index 4064ec2e48..90b037dd35 100644 +--- a/Lib/DocXMLRPCServer.py ++++ b/Lib/DocXMLRPCServer.py +@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer, + CGIXMLRPCRequestHandler, + resolve_dotted_attribute) + ++ ++def _html_escape_quote(s): ++ s = s.replace("&", "&") # Must be done first! ++ s = s.replace("<", "<") ++ s = s.replace(">", ">") ++ s = s.replace('"', """) ++ s = s.replace('\'', "'") ++ return s ++ ++ + class ServerHTMLDoc(pydoc.HTMLDoc): + """Class used to generate pydoc HTML document for a server""" + +@@ -210,7 +220,8 @@ class XMLRPCDocGenerator: + methods + ) + +- return documenter.page(self.server_title, documentation) ++ title = _html_escape_quote(self.server_title) ++ return documenter.page(title, documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. 
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index 4dff4159e2..c45b892b8b 100644 +--- a/Lib/test/test_docxmlrpc.py ++++ b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from DocXMLRPCServer import DocXMLRPCServer + import httplib ++import re + import sys + from test import test_support + threading = test_support.import_module('threading') +@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): + self.assertIn("""Try self.<strong>add</strong>, too.""", + response.read()) + ++ def test_server_title_escape(self): ++ """Test that the server title and documentation ++ are escaped for HTML. ++ """ ++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', ++ title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', ++ documentation) ++ ++ + def test_main(): + test_support.run_unittest(DocXMLRPCHTTPGETServer) + +diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +new file mode 100644 +index 0000000000..8f02baed9e +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +@@ -0,0 +1,3 @@ ++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer` ++when rendering the document page as HTML. ++(Contributed by Dong-hee Na in :issue:`38243`.) +-- +2.17.1 + 
diff --git a/poky/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/poky/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch new file mode 100644 index 0000000000..1b6cb8cf3e --- /dev/null +++ b/poky/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch 
@@ -0,0 +1,81 @@ +From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 10 Oct 2019 16:32:19 +0800 +Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in + urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames + +Upstream-Status: Backport + +https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259 +https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7 + +CVE: CVE-2019-10160 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + Lib/test/test_urlparse.py | 19 +++++++++++++------ + Lib/urlparse.py | 14 +++++++++----- + 2 files changed, 22 insertions(+), 11 deletions(-) + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 1830d0b..857ed96 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase): + self.assertIn(u'\u2100', denorm_chars) + self.assertIn(u'\uFF03', denorm_chars) + ++ # bpo-36742: Verify port separators are ignored when they ++ # existed prior to decomposition ++ urlparse.urlsplit(u'http://\u30d5\u309a:80') ++ with self.assertRaises(ValueError): ++ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380') ++ + for scheme in [u"http", u"https", u"ftp"]: +- for c in denorm_chars: +- url = u"{}://netloc{}false.netloc/path".format(scheme, c) +- if test_support.verbose: +- print "Checking %r" % url +- with self.assertRaises(ValueError): +- urlparse.urlsplit(url) ++ for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]: ++ for c in denorm_chars: ++ url = u"{}://{}/path".format(scheme, netloc.format(c)) ++ if test_support.verbose: ++ print "Checking %r" % url ++ with self.assertRaises(ValueError): ++ urlparse.urlsplit(url) + + def test_main(): + test_support.run_unittest(UrlParseTestCase) +diff --git a/Lib/urlparse.py b/Lib/urlparse.py +index 
54eda08..e34b368 100644 +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -171,14 +171,18 @@ def _checknetloc(netloc): + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check + import unicodedata +- netloc2 = unicodedata.normalize('NFKC', netloc) +- if netloc == netloc2: ++ n = netloc.replace(u'@', u'') # ignore characters already included ++ n = n.replace(u':', u'') # but not the surrounding text ++ n = n.replace(u'#', u'') ++ n = n.replace(u'?', u'') ++ ++ netloc2 = unicodedata.normalize('NFKC', n) ++ if n == netloc2: + return +- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay + for c in '/?#@:': + if c in netloc2: +- raise ValueError("netloc '" + netloc2 + "' contains invalid " + +- "characters under NFKC normalization") ++ raise ValueError(u"netloc '" + netloc + u"' contains invalid " + ++ u"characters under NFKC normalization") + + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: +-- +2.7.4 + diff --git a/poky/meta/recipes-devtools/python/python3-pip_19.2.3.bb b/poky/meta/recipes-devtools/python/python3-pip_19.3.1.bb index 019e327e0c..d27e6fce5c 100644 --- a/poky/meta/recipes-devtools/python/python3-pip_19.2.3.bb +++ b/poky/meta/recipes-devtools/python/python3-pip_19.3.1.bb @@ -6,8 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e" DEPENDS += "python3 python3-setuptools-native" -SRC_URI[md5sum] = "f417444c66a0db1a82c8d9d2283a2f95" -SRC_URI[sha256sum] = "e7a31f147974362e6c82d84b91c7f2bdf57e4d3163d3d454e6c3e71944d67135" +SRC_URI[md5sum] = "1aaaf90fbafc50e7ba1e66ffceb00960" +SRC_URI[sha256sum] = "21207d76c1031e517668898a6b46a9fb1501c7a4710ef5dfd6a40ad9e6757ea7" inherit pypi distutils3 diff --git a/poky/meta/recipes-devtools/python/python3-setuptools_41.2.0.bb b/poky/meta/recipes-devtools/python/python3-setuptools_41.4.0.bb index 0dc1ed8622..0dc1ed8622 100644 
--- a/poky/meta/recipes-devtools/python/python3-setuptools_41.2.0.bb +++ b/poky/meta/recipes-devtools/python/python3-setuptools_41.4.0.bb diff --git a/poky/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch b/poky/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch new file mode 100644 index 0000000000..1a4c932070 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch 
@@ -0,0 +1,86 @@ +From c25abd43e8877b4a7098f79eaacb248710731c2b Mon Sep 17 00:00:00 2001 +From: Dong-hee Na <donghee.na92@gmail.com> +Date: Sat, 28 Sep 2019 04:59:37 +0900 +Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) + +Escape the server title of xmlrpc.server.DocXMLRPCServer +when rendering the document page as HTML. + +CVE: CVE-2019-16935 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++ + Lib/xmlrpc/server.py | 3 ++- + .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst + +diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py +index f077f05f5b..38215659b6 100644 +--- a/Lib/test/test_docxmlrpc.py ++++ b/Lib/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from xmlrpc.server import DocXMLRPCServer + import http.client ++import re + import sys + import threading + from test import support +@@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): + b'method_annotation</strong></a>(x: bytes)</dt></dl>'), + response.read()) + ++ def test_server_title_escape(self): ++ # bpo-38243: Ensure that the server title and documentation ++ # are escaped for HTML. 
++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', documentation) ++ + + if __name__ == '__main__': + unittest.main() +diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py +index f1c467eb1b..32aba4df4c 100644 +--- a/Lib/xmlrpc/server.py ++++ b/Lib/xmlrpc/server.py +@@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode + from http.server import BaseHTTPRequestHandler + from functools import partial + from inspect import signature ++import html + import http.server + import socketserver + import sys +@@ -894,7 +895,7 @@ class XMLRPCDocGenerator: + methods + ) + +- return documenter.page(self.server_title, documentation) ++ return documenter.page(html.escape(self.server_title), documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. +diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +new file mode 100644 +index 0000000000..98d7be1295 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst +@@ -0,0 +1,3 @@ ++Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer` ++when rendering the document page as HTML. ++(Contributed by Dong-hee Na in :issue:`38243`.) +-- +2.17.1 + 
diff --git a/poky/meta/recipes-devtools/python/python3/python3-manifest.json b/poky/meta/recipes-devtools/python/python3/python3-manifest.json index 1ad85a9ff3..dba92b0e39 100644 --- a/poky/meta/recipes-devtools/python/python3/python3-manifest.json +++ b/poky/meta/recipes-devtools/python/python3/python3-manifest.json @@ -210,7 +210,10 @@ "summary": "Python interpreter and core modules", "rdepends": [], "files": [ - "${bindir}/python*[!-config]", + "${bindir}/python3", + "${bindir}/python${PYTHON_MAJMIN}", + "${bindir}/python${PYTHON_MAJMIN}.real", + "${bindir}/python${PYTHON_BINABI}", "${includedir}/python${PYTHON_BINABI}/pyconfig*.h", "${prefix}/lib/python${PYTHON_MAJMIN}/config*/*[!.a]", "${libdir}/python${PYTHON_MAJMIN}/UserDict.py", @@ -487,7 +490,7 @@ "files": [ "${base_libdir}/*.a", "${base_libdir}/*.o", - "${bindir}/python*-config", + "${bindir}/python*-config*", "${datadir}/aclocal", "${datadir}/pkgconfig", "${includedir}", @@ -498,7 +501,8 @@ "${libdir}/pkgconfig" ], "rdepends": [ - "core" + "core", + "distutils" ], "summary": "Python development package" }, diff --git a/poky/meta/recipes-devtools/python/python3_3.7.4.bb b/poky/meta/recipes-devtools/python/python3_3.7.4.bb index c8b63fee9d..dd61c0aa45 100644 --- a/poky/meta/recipes-devtools/python/python3_3.7.4.bb +++ b/poky/meta/recipes-devtools/python/python3_3.7.4.bb @@ -30,6 +30,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_locale.py-correct-the-test-output-format.patch \ file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \ file://0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ + file://0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch \ " SRC_URI_append_class-native = " \ 
@@ -59,9 +60,9 @@ inherit autotools pkgconfig qemu ptest multilib_header update-alternatives MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}" -ALTERNATIVE_${PN}-dev = "python-config" -ALTERNATIVE_LINK_NAME[python-config] = "${bindir}/python${PYTHON_BINABI}-config" -ALTERNATIVE_TARGET[python-config] = "${bindir}/python${PYTHON_BINABI}-config-${MULTILIB_SUFFIX}" +ALTERNATIVE_${PN}-dev = "python3-config" +ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_BINABI}-config" +ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_BINABI}-config-${MULTILIB_SUFFIX}" DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2" @@ -303,11 +304,14 @@ do_create_manifest[depends] += "${PN}:do_prepare_recipe_sysroot" do_create_manifest[depends] += "${PN}:do_patch" # manual dependency additions -RPROVIDES_${PN}-modules = "${PN}" RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules" RRECOMMENDS_${PN}-crypt_append_class-target = " openssl ca-certificates" RRECOMMENDS_${PN}-crypt_append_class-nativesdk = " openssl ca-certificates" +# For historical reasons PN is empty and provided by python3-modules +FILES_${PN} = "" +RPROVIDES_${PN}-modules = "${PN}" + FILES_${PN}-pydoc += "${bindir}/pydoc${PYTHON_MAJMIN} ${bindir}/pydoc3" FILES_${PN}-idle += "${bindir}/idle3 ${bindir}/idle${PYTHON_MAJMIN}" diff --git a/poky/meta/recipes-devtools/python/python_2.7.16.bb b/poky/meta/recipes-devtools/python/python_2.7.16.bb index aec877825e..625c5312a6 100644 --- a/poky/meta/recipes-devtools/python/python_2.7.16.bb +++ b/poky/meta/recipes-devtools/python/python_2.7.16.bb 
@@ -31,6 +31,8 @@ SRC_URI += " \ file://float-endian.patch \ file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ + file://bpo-36742-cve-2019-10160.patch \ + file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \ " S = "${WORKDIR}/Python-${PV}" |
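Review bot: The deleted python-native/debug.patch only injected unconditional `print` statements into `Lib/distutils/unixccompiler.py` (`print "Looking in %s for %s" % (lib, dirs)` and a `print "Found %s"` on each hit) and was tagged `Upstream-Status: Pending`, so removing it from SRC_URI is right; the one thing to confirm before merging is that `file://unixccompiler.patch`, which follows it in the SRC_URI list and patches the same file, still applies cleanly with the debug hunks gone, since its context lines may have been generated against the debug-patched source.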
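Review bot: For the python-setuptools.inc (41.2.0 -> 41.4.0) and python3-pip (19.2.3 -> 19.3.1) bumps, the updated `SRC_URI[sha256sum]` is the only check standing between the pypi fetcher and a substituted sdist, and the shortlog entries for these upgrades do not say where the new digests came from; the commit should record that they were compared against the hashes PyPI publishes for those releases rather than computed from whatever was downloaded. The accompanying `SRC_URI[md5sum]` lines add nothing once a sha256 is present and could be dropped the next time these recipes are touched.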
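Review bot: As this page renders the 2.7 bpo-38243 patch, every replacement in the new `_html_escape_quote` helper maps a character to itself (`s = s.replace("&", "&")`, `s = s.replace("<", "<")`, and so on), which would make the function a no-op and leave CVE-2019-16935 unfixed for the `server_title` handed to `documenter.page`; the upstream commit it backports substitutes the HTML entities (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#x27;`). The test's expected strings (`<title>Python: test_title<script></title>`) show the same collapse, so this is almost certainly entity decoding by the page rather than the patch file itself, but the file in the tree should be checked byte for byte before this is relied on.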
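Review bot: The bpo-36742 patch carries two upstream fixes in one file (its Subject line runs the original `urlsplit()` fix and the "Corrects fix to handle decomposition in usernames" follow-up together), and the second `Upstream-Status` URL ends in a GitHub `#diff-b577545d73dd0cdb2c337a4c5f89e1d7` fragment, which is a browser UI anchor that resolves nowhere else; list both commit hashes in the `Upstream-Status: Backport [...]` bracket form the other patches in this change use and drop the fragment. In the `_checknetloc` hunk, the removed `_, _, netloc = netloc.rpartition('@')` line is what made the earlier fix incomplete: anything left of `@` was never normalized, which is exactly the case the new `u"n{}user@netloc"` test netloc exercises, so a comment saying why the userinfo is now included would help the next reader. The reworded error now echoes the raw `netloc` instead of `netloc2`, so the message no longer shows the normalized form that triggered the rejection; consider including both. Finally, the file is named `bpo-36742-cve-2019-10160.patch` while its sibling in the same SRC_URI hunk follows the `0001-...` git-format-patch convention; pick one.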
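Review bot: In the python3 bpo-38243 backport, `html.escape(self.server_title)` in `XMLRPCDocGenerator.generate_html_documentation` escapes quotes too (the default `quote=True`), so the 3.7 fix is at least as strict as the 2.7 variant's hand-rolled helper; as with that patch, the expected `<title>Python: test_title<script></title>` reads as unescaped on this page and the patch file should be checked for the entity forms. Note that this hunk escapes only the title argument: `server_documentation` still reaches the output through the existing `docserver` markup, which is why `test_server_title_escape` can assert on `<p><tt>test_documentation<script></tt></p>` without any change to that path in this diff. A one-line comment in the test saying so would make the coverage clear.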
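Review bot: In python3-manifest.json the `core` file list replaces the `${bindir}/python*[!-config]` glob with four explicit entries, which is clearer, but `${bindir}/python${PYTHON_MAJMIN}.real` is listed and nothing in this diff shows what installs it; confirm the recipe's do_install still produces that file or the manifest check will flag it. The `-dev` glob `${bindir}/python*-config*` now also captures the `python${PYTHON_BINABI}-config-${MULTILIB_SUFFIX}` target of the renamed `python3-config` alternative in python3_3.7.4.bb, which is presumably the intent; a short comment next to `ALTERNATIVE_${PN}-dev = "python3-config"` tying the two together would help. In the same recipe, `FILES_${PN} = ""` together with the moved `RPROVIDES_${PN}-modules = "${PN}"` now comes with a comment explaining the empty main package, which is welcome since the manifest-driven packaging is otherwise hard to follow.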