diff options
Diffstat (limited to 'meta/recipes-devtools/python/python3')
6 files changed, 1044 insertions, 249 deletions
diff --git a/meta/recipes-devtools/python/python3/020-dont-compile-python-files.patch b/meta/recipes-devtools/python/python3/020-dont-compile-python-files.patch deleted file mode 100644 index 819ba69eda..0000000000 --- a/meta/recipes-devtools/python/python3/020-dont-compile-python-files.patch +++ /dev/null @@ -1,48 +0,0 @@ -Dont cross compile site packages - --Khem - -Upstream-Status: Inappropriate[Embedded-Specific] - ---- - Makefile.pre.in | 16 ---------------- - 1 file changed, 16 deletions(-) - -Index: Python-3.5.0/Makefile.pre.in -=================================================================== ---- Python-3.5.0.orig/Makefile.pre.in -+++ Python-3.5.0/Makefile.pre.in -@@ -1262,33 +1262,6 @@ libinstall: build_all $(srcdir)/Lib/$(PL - $(INSTALL_DATA) $(srcdir)/Modules/xxmodule.c \ - $(DESTDIR)$(LIBDEST)/distutils/tests ; \ - fi -- -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ -- $(PYTHON_FOR_BUILD) -Wi $(DESTDIR)$(LIBDEST)/compileall.py \ -- -d $(LIBDEST) -f \ -- -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \ -- $(DESTDIR)$(LIBDEST) -- -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ -- $(PYTHON_FOR_BUILD) -Wi -O $(DESTDIR)$(LIBDEST)/compileall.py \ -- -d $(LIBDEST) -f \ -- -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \ -- $(DESTDIR)$(LIBDEST) -- -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ -- $(PYTHON_FOR_BUILD) -Wi -OO $(DESTDIR)$(LIBDEST)/compileall.py \ -- -d $(LIBDEST) -f \ -- -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \ -- $(DESTDIR)$(LIBDEST) -- -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ -- $(PYTHON_FOR_BUILD) -Wi $(DESTDIR)$(LIBDEST)/compileall.py \ -- -d $(LIBDEST)/site-packages -f \ -- -x badsyntax $(DESTDIR)$(LIBDEST)/site-packages -- -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ -- $(PYTHON_FOR_BUILD) -Wi -O $(DESTDIR)$(LIBDEST)/compileall.py \ -- -d $(LIBDEST)/site-packages -f \ -- -x badsyntax $(DESTDIR)$(LIBDEST)/site-packages -- -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ -- $(PYTHON_FOR_BUILD) -Wi -OO $(DESTDIR)$(LIBDEST)/compileall.py \ -- -d $(LIBDEST)/site-packages -f \ -- -x badsyntax $(DESTDIR)$(LIBDEST)/site-packages - -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ - $(PYTHON_FOR_BUILD) -m lib2to3.pgen2.driver $(DESTDIR)$(LIBDEST)/lib2to3/Grammar.txt - -PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \ diff --git a/meta/recipes-devtools/python/python3/CVE-2016-5636.patch b/meta/recipes-devtools/python/python3/CVE-2016-5636.patch deleted file mode 100644 index 0d494d20f4..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2016-5636.patch +++ /dev/null @@ -1,44 +0,0 @@ - -# HG changeset patch -# User Benjamin Peterson <benjamin@python.org> -# Date 1453357506 28800 -# Node ID 10dad6da1b28ea4af78ad9529e469fdbf4ebbc8f -# Parent a3ac2cd93db9d5336dfd7b5b27efde2c568d8794# Parent 01ddd608b85c85952537d95a43bbabf4fb655057 -merge 3.4 (#26171) - -Upstream-Status: Backport -CVE: CVE-2016-5636 - -https://hg.python.org/cpython/raw-rev/10dad6da1b28 -Signed-off-by: Armin Kuster <akuster@mvista.com> - -Index: Python-3.5.1/Misc/NEWS -=================================================================== ---- Python-3.5.1.orig/Misc/NEWS -+++ Python-3.5.1/Misc/NEWS -@@ -91,6 +91,9 @@ Core and Builtins - Python.h header to fix a compilation error with OpenMP. PyThreadState_GET() - becomes an alias to PyThreadState_Get() to avoid ABI incompatibilies. - -+- Issue #26171: Fix possible integer overflow and heap corruption in -+ zipimporter.get_data(). -+ - Library - ------- - -Index: Python-3.5.1/Modules/zipimport.c -=================================================================== ---- Python-3.5.1.orig/Modules/zipimport.c -+++ Python-3.5.1/Modules/zipimport.c -@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *to - } - file_offset += l; /* Start of file data */ - -+ if (data_size > LONG_MAX - 1) { -+ fclose(fp); -+ PyErr_NoMemory(); -+ return NULL; -+ } - bytes_size = compress == 0 ? data_size : data_size + 1; - if (bytes_size == 0) - bytes_size++; diff --git a/meta/recipes-devtools/python/python3/python-3.3-multilib.patch b/meta/recipes-devtools/python/python3/python-3.3-multilib.patch index 056e8e7631..08c4403cbf 100644 --- a/meta/recipes-devtools/python/python3/python-3.3-multilib.patch +++ b/meta/recipes-devtools/python/python3/python-3.3-multilib.patch @@ -1,16 +1,34 @@ -Upstream-Status: Pending - -get the sys.lib from python itself and do not use hardcoded value of 'lib' +From 51fe6f22d0ba113674fb358bd11d75fe659bd26e Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 14 May 2013 15:00:26 -0700 +Subject: [PATCH 01/13] get the sys.lib from python itself and do not use + hardcoded value of 'lib' 02/2015 Rebased for 3.4.2 +Upstream-Status: Pending Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> -Index: Python-3.5.2/Include/pythonrun.h -=================================================================== ---- Python-3.5.2.orig/Include/pythonrun.h -+++ Python-3.5.2/Include/pythonrun.h +--- + Include/pythonrun.h | 3 +++ + Lib/distutils/command/install.py | 4 +++- + Lib/pydoc.py | 2 +- + Lib/site.py | 4 ++-- + Lib/sysconfig.py | 18 +++++++++--------- + Lib/trace.py | 4 ++-- + Makefile.pre.in | 7 +++++-- + Modules/getpath.c | 10 +++++++++- + Python/getplatform.c | 20 ++++++++++++++++++++ + Python/sysmodule.c | 4 ++++ + configure.ac | 35 +++++++++++++++++++++++++++++++++++ + setup.py | 9 ++++----- + 12 files changed, 97 insertions(+), 23 deletions(-) + +diff --git a/Include/pythonrun.h b/Include/pythonrun.h +index 9c2e813..2f79cb6 100644 +--- a/Include/pythonrun.h ++++ b/Include/pythonrun.h @@ -23,6 +23,9 @@ typedef struct { } PyCompilerFlags; #endif @@ -21,10 +39,10 @@ Index: Python-3.5.2/Include/pythonrun.h #ifndef Py_LIMITED_API PyAPI_FUNC(int) PyRun_SimpleStringFlags(const char *, PyCompilerFlags *); PyAPI_FUNC(int) PyRun_AnyFileFlags(FILE *, const char *, PyCompilerFlags *); -Index: Python-3.5.2/Lib/distutils/command/install.py -=================================================================== ---- Python-3.5.2.orig/Lib/distutils/command/install.py -+++ Python-3.5.2/Lib/distutils/command/install.py +diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py +index 67db007..b46b45b 100644 +--- a/Lib/distutils/command/install.py ++++ b/Lib/distutils/command/install.py @@ -19,6 +19,8 @@ from site import USER_BASE from site import USER_SITE HAS_USER_SITE = True @@ -43,10 +61,10 @@ Index: Python-3.5.2/Lib/distutils/command/install.py 'headers': '$base/include/python$py_version_short$abiflags/$dist_name', 'scripts': '$base/bin', 'data' : '$base', -Index: Python-3.5.2/Lib/pydoc.py -=================================================================== ---- Python-3.5.2.orig/Lib/pydoc.py -+++ Python-3.5.2/Lib/pydoc.py +diff --git a/Lib/pydoc.py b/Lib/pydoc.py +index 3ca08c9..6528730 100755 +--- a/Lib/pydoc.py ++++ b/Lib/pydoc.py @@ -384,7 +384,7 @@ class Doc: docmodule = docclass = docroutine = docother = docproperty = docdata = fail @@ -56,10 +74,75 @@ Index: Python-3.5.2/Lib/pydoc.py "python%d.%d" % sys.version_info[:2])): """Return the location of module docs or None""" -Index: Python-3.5.2/Lib/trace.py -=================================================================== ---- Python-3.5.2.orig/Lib/trace.py -+++ Python-3.5.2/Lib/trace.py +diff --git a/Lib/site.py b/Lib/site.py +index 3f78ef5..511931e 100644 +--- a/Lib/site.py ++++ b/Lib/site.py +@@ -303,12 +303,12 @@ def getsitepackages(prefixes=None): + seen.add(prefix) + + if os.sep == '/': +- sitepackages.append(os.path.join(prefix, "lib", ++ sitepackages.append(os.path.join(prefix, sys.lib, + "python" + sys.version[:3], + "site-packages")) + else: + sitepackages.append(prefix) +- sitepackages.append(os.path.join(prefix, "lib", "site-packages")) ++ sitepackages.append(os.path.join(prefix, sys.lib, "site-packages")) + if sys.platform == "darwin": + # for framework builds *only* we add the standard Apple + # locations. +diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py +index 9c34be0..3d1181a 100644 +--- a/Lib/sysconfig.py ++++ b/Lib/sysconfig.py +@@ -20,10 +20,10 @@ __all__ = [ + + _INSTALL_SCHEMES = { + 'posix_prefix': { +- 'stdlib': '{installed_base}/lib/python{py_version_short}', +- 'platstdlib': '{platbase}/lib/python{py_version_short}', ++ 'stdlib': '{installed_base}/'+sys.lib+'/python{py_version_short}', ++ 'platstdlib': '{platbase}/'+sys.lib+'/python{py_version_short}', + 'purelib': '{base}/lib/python{py_version_short}/site-packages', +- 'platlib': '{platbase}/lib/python{py_version_short}/site-packages', ++ 'platlib': '{platbase}/'+sys.lib+'/python{py_version_short}/site-packages', + 'include': + '{installed_base}/include/python{py_version_short}{abiflags}', + 'platinclude': +@@ -32,10 +32,10 @@ _INSTALL_SCHEMES = { + 'data': '{base}', + }, + 'posix_home': { +- 'stdlib': '{installed_base}/lib/python', +- 'platstdlib': '{base}/lib/python', ++ 'stdlib': '{installed_base}/'+sys.lib+'/python', ++ 'platstdlib': '{base}/'+sys.lib+'/python', + 'purelib': '{base}/lib/python', +- 'platlib': '{base}/lib/python', ++ 'platlib': '{base}/'+sys.lib+'/python', + 'include': '{installed_base}/include/python', + 'platinclude': '{installed_base}/include/python', + 'scripts': '{base}/bin', +@@ -61,10 +61,10 @@ _INSTALL_SCHEMES = { + 'data': '{userbase}', + }, + 'posix_user': { +- 'stdlib': '{userbase}/lib/python{py_version_short}', +- 'platstdlib': '{userbase}/lib/python{py_version_short}', ++ 'stdlib': '{userbase}/'+sys.lib+'/python{py_version_short}', ++ 'platstdlib': '{userbase}/'+sys.lib+'/python{py_version_short}', + 'purelib': '{userbase}/lib/python{py_version_short}/site-packages', +- 'platlib': '{userbase}/lib/python{py_version_short}/site-packages', ++ 'platlib': '{userbase}/'+sys.lib+'/python{py_version_short}/site-packages', + 'include': '{userbase}/include/python{py_version_short}', + 'scripts': '{userbase}/bin', + 'data': '{userbase}', +diff --git a/Lib/trace.py b/Lib/trace.py +index f108266..7fd83f2 100755 +--- a/Lib/trace.py ++++ b/Lib/trace.py @@ -749,10 +749,10 @@ def main(argv=None): # should I also call expanduser? (after all, could use $HOME) @@ -73,11 +156,11 @@ Index: Python-3.5.2/Lib/trace.py "python" + sys.version[:3])) s = os.path.normpath(s) ignore_dirs.append(s) -Index: Python-3.5.2/Makefile.pre.in -=================================================================== ---- Python-3.5.2.orig/Makefile.pre.in -+++ Python-3.5.2/Makefile.pre.in -@@ -106,6 +106,8 @@ PY_CORE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 109f402..61a41e2 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -106,6 +106,8 @@ PY_CORE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFORSHARE # Machine-dependent subdirectories MACHDEP= @MACHDEP@ @@ -95,7 +178,7 @@ Index: Python-3.5.2/Makefile.pre.in ABIFLAGS= @ABIFLAGS@ # Detailed destination directories -@@ -755,6 +757,7 @@ Modules/getpath.o: $(srcdir)/Modules/get +@@ -755,6 +757,7 @@ Modules/getpath.o: $(srcdir)/Modules/getpath.c Makefile -DEXEC_PREFIX='"$(exec_prefix)"' \ -DVERSION='"$(VERSION)"' \ -DVPATH='"$(VPATH)"' \ @@ -103,7 +186,7 @@ Index: Python-3.5.2/Makefile.pre.in -o $@ $(srcdir)/Modules/getpath.c Programs/python.o: $(srcdir)/Programs/python.c -@@ -835,7 +838,7 @@ $(OPCODE_H): $(srcdir)/Lib/opcode.py $(O +@@ -835,7 +838,7 @@ $(OPCODE_H): $(srcdir)/Lib/opcode.py $(OPCODE_H_SCRIPT) Python/compile.o Python/symtable.o Python/ast.o: $(GRAMMAR_H) $(AST_H) Python/getplatform.o: $(srcdir)/Python/getplatform.c @@ -112,10 +195,10 @@ Index: Python-3.5.2/Makefile.pre.in Python/importdl.o: $(srcdir)/Python/importdl.c $(CC) -c $(PY_CORE_CFLAGS) -I$(DLINCLDIR) -o $@ $(srcdir)/Python/importdl.c -Index: Python-3.5.2/Modules/getpath.c -=================================================================== ---- Python-3.5.2.orig/Modules/getpath.c -+++ Python-3.5.2/Modules/getpath.c +diff --git a/Modules/getpath.c b/Modules/getpath.c +index 18deb60..a01c3f8 100644 +--- a/Modules/getpath.c ++++ b/Modules/getpath.c @@ -105,6 +105,13 @@ #error "PREFIX, EXEC_PREFIX, VERSION, and VPATH must be constant defined" #endif @@ -138,10 +221,19 @@ Index: Python-3.5.2/Modules/getpath.c /* Get file status. Encode the path to the locale encoding. */ -Index: Python-3.5.2/Python/getplatform.c -=================================================================== ---- Python-3.5.2.orig/Python/getplatform.c -+++ Python-3.5.2/Python/getplatform.c +@@ -494,7 +502,7 @@ calculate_path(void) + _pythonpath = Py_DecodeLocale(PYTHONPATH, NULL); + _prefix = Py_DecodeLocale(PREFIX, NULL); + _exec_prefix = Py_DecodeLocale(EXEC_PREFIX, NULL); +- lib_python = Py_DecodeLocale("lib/python" VERSION, NULL); ++ lib_python = Py_DecodeLocale(LIB_PYTHON, NULL); + + if (!_pythonpath || !_prefix || !_exec_prefix || !lib_python) { + Py_FatalError( +diff --git a/Python/getplatform.c b/Python/getplatform.c +index 6899140..66a49c6 100644 +--- a/Python/getplatform.c ++++ b/Python/getplatform.c @@ -10,3 +10,23 @@ Py_GetPlatform(void) { return PLATFORM; @@ -166,10 +258,10 @@ Index: Python-3.5.2/Python/getplatform.c +{ + return LIB; +} -Index: Python-3.5.2/Python/sysmodule.c -=================================================================== ---- Python-3.5.2.orig/Python/sysmodule.c -+++ Python-3.5.2/Python/sysmodule.c +diff --git a/Python/sysmodule.c b/Python/sysmodule.c +index 8d7e05a..d9dee0f 100644 +--- a/Python/sysmodule.c ++++ b/Python/sysmodule.c @@ -1790,6 +1790,10 @@ _PySys_Init(void) PyUnicode_FromString(Py_GetCopyright())); SET_SYS_FROM_STRING("platform", @@ -181,94 +273,11 @@ Index: Python-3.5.2/Python/sysmodule.c SET_SYS_FROM_STRING("executable", PyUnicode_FromWideChar( Py_GetProgramFullPath(), -1)); -Index: Python-3.5.2/setup.py -=================================================================== ---- Python-3.5.2.orig/setup.py -+++ Python-3.5.2/setup.py -@@ -492,7 +492,7 @@ class PyBuildExt(build_ext): - # directories (i.e. '.' and 'Include') must be first. See issue - # 10520. - if not cross_compiling: -- add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib') -+ add_dir_to_list(self.compiler.library_dirs, os.path.join('/usr/local', sys.lib)) - add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') - # only change this for cross builds for 3.3, issues on Mageia - if cross_compiling: -@@ -550,8 +550,7 @@ class PyBuildExt(build_ext): - # be assumed that no additional -I,-L directives are needed. - if not cross_compiling: - lib_dirs = self.compiler.library_dirs + [ -- '/lib64', '/usr/lib64', -- '/lib', '/usr/lib', -+ '/' + sys.lib, '/usr/' + sys.lib, - ] - inc_dirs = self.compiler.include_dirs + ['/usr/include'] - else: -@@ -743,11 +742,11 @@ class PyBuildExt(build_ext): - elif curses_library: - readline_libs.append(curses_library) - elif self.compiler.find_library_file(lib_dirs + -- ['/usr/lib/termcap'], -+ ['/usr/'+sys.lib+'/termcap'], - 'termcap'): - readline_libs.append('termcap') - exts.append( Extension('readline', ['readline.c'], -- library_dirs=['/usr/lib/termcap'], -+ library_dirs=['/usr/'+sys.lib+'/termcap'], - extra_link_args=readline_extra_link_args, - libraries=readline_libs) ) - else: -Index: Python-3.5.2/Lib/sysconfig.py -=================================================================== ---- Python-3.5.2.orig/Lib/sysconfig.py -+++ Python-3.5.2/Lib/sysconfig.py -@@ -20,10 +20,10 @@ __all__ = [ - - _INSTALL_SCHEMES = { - 'posix_prefix': { -- 'stdlib': '{installed_base}/lib/python{py_version_short}', -- 'platstdlib': '{platbase}/lib/python{py_version_short}', -+ 'stdlib': '{installed_base}/'+sys.lib+'/python{py_version_short}', -+ 'platstdlib': '{platbase}/'+sys.lib+'/python{py_version_short}', - 'purelib': '{base}/lib/python{py_version_short}/site-packages', -- 'platlib': '{platbase}/lib/python{py_version_short}/site-packages', -+ 'platlib': '{platbase}/'+sys.lib+'/python{py_version_short}/site-packages', - 'include': - '{installed_base}/include/python{py_version_short}{abiflags}', - 'platinclude': -@@ -32,10 +32,10 @@ _INSTALL_SCHEMES = { - 'data': '{base}', - }, - 'posix_home': { -- 'stdlib': '{installed_base}/lib/python', -- 'platstdlib': '{base}/lib/python', -+ 'stdlib': '{installed_base}/'+sys.lib+'/python', -+ 'platstdlib': '{base}/'+sys.lib+'/python', - 'purelib': '{base}/lib/python', -- 'platlib': '{base}/lib/python', -+ 'platlib': '{base}/'+sys.lib+'/python', - 'include': '{installed_base}/include/python', - 'platinclude': '{installed_base}/include/python', - 'scripts': '{base}/bin', -@@ -61,10 +61,10 @@ _INSTALL_SCHEMES = { - 'data': '{userbase}', - }, - 'posix_user': { -- 'stdlib': '{userbase}/lib/python{py_version_short}', -- 'platstdlib': '{userbase}/lib/python{py_version_short}', -+ 'stdlib': '{userbase}/'+sys.lib+'/python{py_version_short}', -+ 'platstdlib': '{userbase}/'+sys.lib+'/python{py_version_short}', - 'purelib': '{userbase}/lib/python{py_version_short}/site-packages', -- 'platlib': '{userbase}/lib/python{py_version_short}/site-packages', -+ 'platlib': '{userbase}/'+sys.lib+'/python{py_version_short}/site-packages', - 'include': '{userbase}/include/python{py_version_short}', - 'scripts': '{userbase}/bin', - 'data': '{userbase}', -Index: Python-3.5.2/configure.ac -=================================================================== ---- Python-3.5.2.orig/configure.ac -+++ Python-3.5.2/configure.ac -@@ -876,6 +876,41 @@ PLATDIR=plat-$MACHDEP +diff --git a/configure.ac b/configure.ac +index 707324d..e8d59a3 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -883,6 +883,41 @@ PLATDIR=plat-$MACHDEP AC_SUBST(PLATDIR) AC_SUBST(PLATFORM_TRIPLET) @@ -310,3 +319,43 @@ Index: Python-3.5.2/configure.ac AC_MSG_CHECKING([for -Wl,--no-as-needed]) save_LDFLAGS="$LDFLAGS" +diff --git a/setup.py b/setup.py +index 6d26deb..7b14215 100644 +--- a/setup.py ++++ b/setup.py +@@ -495,7 +495,7 @@ class PyBuildExt(build_ext): + # directories (i.e. '.' and 'Include') must be first. See issue + # 10520. + if not cross_compiling: +- add_dir_to_list(self.compiler.library_dirs, '/usr/local/lib') ++ add_dir_to_list(self.compiler.library_dirs, os.path.join('/usr/local', sys.lib)) + add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') + # only change this for cross builds for 3.3, issues on Mageia + if cross_compiling: +@@ -553,8 +553,7 @@ class PyBuildExt(build_ext): + # be assumed that no additional -I,-L directives are needed. + if not cross_compiling: + lib_dirs = self.compiler.library_dirs + [ +- '/lib64', '/usr/lib64', +- '/lib', '/usr/lib', ++ '/' + sys.lib, '/usr/' + sys.lib, + ] + inc_dirs = self.compiler.include_dirs + ['/usr/include'] + else: +@@ -746,11 +745,11 @@ class PyBuildExt(build_ext): + elif curses_library: + readline_libs.append(curses_library) + elif self.compiler.find_library_file(lib_dirs + +- ['/usr/lib/termcap'], ++ ['/usr/'+sys.lib+'/termcap'], + 'termcap'): + readline_libs.append('termcap') + exts.append( Extension('readline', ['readline.c'], +- library_dirs=['/usr/lib/termcap'], ++ library_dirs=['/usr/'+sys.lib+'/termcap'], + extra_link_args=readline_extra_link_args, + libraries=readline_libs) ) + else: +-- +2.11.0 + diff --git a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch new file mode 100644 index 0000000000..ab1b7230ea --- /dev/null +++ b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch @@ -0,0 +1,148 @@ +From aab3e8c432b90508ac14755128f5a687be2fdf43 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <Mingli.Yu@windriver.com> +Date: Thu, 22 Sep 2016 16:39:49 +0800 +Subject: [PATCH] python3: fix CVE-2016-1000110 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which +indicates that the script is in CGI mode. + +Issue #27568 Reported and patch contributed by RĂ©mi Rampin. [#27568] + +Backport patch from https://hg.python.org/cpython/rev/a0ac52ed8f79 + +Upstream-Status: Backport +CVE: CVE-2016-1000110 +Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> +--- + Doc/howto/urllib2.rst | 5 +++++ + Doc/library/urllib.request.rst | 17 ++++++++++++++++- + Lib/test/test_urllib.py | 14 +++++++++++++- + Lib/urllib/request.py | 6 ++++++ + Misc/NEWS | 4 ++++ + 5 files changed, 44 insertions(+), 2 deletions(-) + +diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst +index 24a4156..d2c7991 100644 +--- a/Doc/howto/urllib2.rst ++++ b/Doc/howto/urllib2.rst +@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: :: + through a proxy. However, this can be enabled by extending urllib.request as + shown in the recipe [#]_. + ++.. note:: ++ ++ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see ++ the documentation on :func:`~urllib.request.getproxies`. ++ + + Sockets and Layers + ================== +diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst +index 1338906..1291aeb 100644 +--- a/Doc/library/urllib.request.rst ++++ b/Doc/library/urllib.request.rst +@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions: + If both lowercase and uppercase environment variables exist (and disagree), + lowercase is preferred. + ++ .. note:: ++ ++ If the environment variable ``REQUEST_METHOD`` is set, which usually ++ indicates your script is running in a CGI environment, the environment ++ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is ++ because that variable can be injected by a client using the "Proxy:" HTTP ++ header. If you need to use an HTTP proxy in a CGI environment, either use ++ ``ProxyHandler`` explicitly, or make sure the variable name is in ++ lowercase (or at least the ``_proxy`` suffix). ++ + + The following classes are provided: + +@@ -280,6 +290,11 @@ The following classes are provided: + list of hostname suffixes, optionally with ``:port`` appended, for example + ``cern.ch,ncsa.uiuc.edu,some.host:8080``. + ++ .. note:: ++ ++ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; ++ see the documentation on :func:`~urllib.request.getproxies`. ++ + + .. class:: HTTPPasswordMgr() + +@@ -1138,7 +1153,7 @@ the returned bytes object to string once it determines or guesses + the appropriate encoding. + + The following W3C document, https://www.w3.org/International/O-charset\ , lists +-the various ways in which a (X)HTML or a XML document could have specified its ++the various ways in which an (X)HTML or an XML document could have specified its + encoding information. + + As the python.org website uses *utf-8* encoding as specified in its meta tag, we +diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py +index 5d05f8d..247598a 100644 +--- a/Lib/test/test_urllib.py ++++ b/Lib/test/test_urllib.py +@@ -1,4 +1,4 @@ +-"""Regresssion tests for what was in Python 2's "urllib" module""" ++"""Regression tests for what was in Python 2's "urllib" module""" + + import urllib.parse + import urllib.request +@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase): + self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888')) + self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234')) + ++ def test_proxy_cgi_ignore(self): ++ try: ++ self.env.set('HTTP_PROXY', 'http://somewhere:3128') ++ proxies = urllib.request.getproxies_environment() ++ self.assertEqual('http://somewhere:3128', proxies['http']) ++ self.env.set('REQUEST_METHOD', 'GET') ++ proxies = urllib.request.getproxies_environment() ++ self.assertNotIn('http', proxies) ++ finally: ++ self.env.unset('REQUEST_METHOD') ++ self.env.unset('HTTP_PROXY') ++ + def test_proxy_bypass_environment_host_match(self): + bypass = urllib.request.proxy_bypass_environment + self.env.set('NO_PROXY', +diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py +index 1731fe3..3be327d 100644 +--- a/Lib/urllib/request.py ++++ b/Lib/urllib/request.py +@@ -2412,6 +2412,12 @@ def getproxies_environment(): + name = name.lower() + if value and name[-6:] == '_proxy': + proxies[name[:-6]] = value ++ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY ++ # (non-all-lowercase) as it may be set from the web server by a "Proxy:" ++ # header from the client ++ # If "proxy" is lowercase, it will still be used thanks to the next block ++ if 'REQUEST_METHOD' in os.environ: ++ proxies.pop('http', None) + for name, value in os.environ.items(): + if name[-6:] == '_proxy': + name = name.lower() +diff --git a/Misc/NEWS b/Misc/NEWS +index 4ad2551..2fcc95b 100644 +--- a/Misc/NEWS ++++ b/Misc/NEWS +@@ -329,6 +329,10 @@ Library + - Issue #26644: Raise ValueError rather than SystemError when a negative + length is passed to SSLSocket.recv() or read(). + ++- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the ++ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates ++ that the script is in CGI mode. ++ + - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes + instead of up to 1024. + +-- +2.8.1 + diff --git a/meta/recipes-devtools/python/python3/upstream-random-fixes.patch b/meta/recipes-devtools/python/python3/upstream-random-fixes.patch new file mode 100644 index 0000000000..0d9152ccd7 --- /dev/null +++ b/meta/recipes-devtools/python/python3/upstream-random-fixes.patch @@ -0,0 +1,721 @@ +This patch updates random.c to match upstream python's code at revision +8125d9a8152b. This addresses various issues around problems with glibc 2.24 +and 2.25 such that python would fail to start with: + +[rpurdie@centos7 ~]$ /tmp/t2/sysroots/x86_64-pokysdk-linux/usr/bin/python3 +Fatal Python error: getentropy() failed +Aborted + +(taken from our buildtools-tarball also breaks eSDK) + +Upstream-Status: Backport + +# HG changeset patch +# User Victor Stinner <victor.stinner@gmail.com> +# Date 1483957133 -3600 +# Node ID 8125d9a8152b79e712cb09c7094b9129b9bcea86 +# Parent 337461574c90281630751b6095c4e1baf380cf7d +Issue #29157: Prefer getrandom() over getentropy() + +Copy and then adapt Python/random.c from default branch. Difference between 3.5 +and default branches: + +* Python 3.5 only uses getrandom() in non-blocking mode: flags=GRND_NONBLOCK +* If getrandom() fails with EAGAIN: py_getrandom() immediately fails and + remembers that getrandom() doesn't work. +* Python 3.5 has no _PyOS_URandomNonblock() function: _PyOS_URandom() + works in non-blocking mode on Python 3.5 + +RP 2017/1/22 + +Index: Python-3.5.2/Python/random.c +=================================================================== +--- Python-3.5.2.orig/Python/random.c ++++ Python-3.5.2/Python/random.c +@@ -1,6 +1,9 @@ + #include "Python.h" + #ifdef MS_WINDOWS + # include <windows.h> ++/* All sample MSDN wincrypt programs include the header below. It is at least ++ * required with Min GW. */ ++# include <wincrypt.h> + #else + # include <fcntl.h> + # ifdef HAVE_SYS_STAT_H +@@ -36,10 +39,9 @@ win32_urandom_init(int raise) + return 0; + + error: +- if (raise) ++ if (raise) { + PyErr_SetFromWindowsErr(0); +- else +- Py_FatalError("Failed to initialize Windows random API (CryptoGen)"); ++ } + return -1; + } + +@@ -52,8 +54,9 @@ win32_urandom(unsigned char *buffer, Py_ + + if (hCryptProv == 0) + { +- if (win32_urandom_init(raise) == -1) ++ if (win32_urandom_init(raise) == -1) { + return -1; ++ } + } + + while (size > 0) +@@ -62,11 +65,9 @@ win32_urandom(unsigned char *buffer, Py_ + if (!CryptGenRandom(hCryptProv, (DWORD)chunk, buffer)) + { + /* CryptGenRandom() failed */ +- if (raise) ++ if (raise) { + PyErr_SetFromWindowsErr(0); +- else +- Py_FatalError("Failed to initialized the randomized hash " +- "secret using CryptoGen)"); ++ } + return -1; + } + buffer += chunk; +@@ -75,55 +76,29 @@ win32_urandom(unsigned char *buffer, Py_ + return 0; + } + +-/* Issue #25003: Don't use getentropy() on Solaris (available since +- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */ +-#elif defined(HAVE_GETENTROPY) && !defined(sun) +-#define PY_GETENTROPY 1 +- +-/* Fill buffer with size pseudo-random bytes generated by getentropy(). +- Return 0 on success, or raise an exception and return -1 on error. +- +- If fatal is nonzero, call Py_FatalError() instead of raising an exception +- on error. */ +-static int +-py_getentropy(unsigned char *buffer, Py_ssize_t size, int fatal) +-{ +- while (size > 0) { +- Py_ssize_t len = Py_MIN(size, 256); +- int res; +- +- if (!fatal) { +- Py_BEGIN_ALLOW_THREADS +- res = getentropy(buffer, len); +- Py_END_ALLOW_THREADS +- +- if (res < 0) { +- PyErr_SetFromErrno(PyExc_OSError); +- return -1; +- } +- } +- else { +- res = getentropy(buffer, len); +- if (res < 0) +- Py_FatalError("getentropy() failed"); +- } +- +- buffer += len; +- size -= len; +- } +- return 0; +-} +- +-#else ++#else /* !MS_WINDOWS */ + + #if defined(HAVE_GETRANDOM) || defined(HAVE_GETRANDOM_SYSCALL) + #define PY_GETRANDOM 1 + ++/* Call getrandom() to get random bytes: ++ ++ - Return 1 on success ++ - Return 0 if getrandom() is not available (failed with ENOSYS or EPERM), ++ or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not ++ initialized yet). ++ - Raise an exception (if raise is non-zero) and return -1 on error: ++ if getrandom() failed with EINTR, raise is non-zero and the Python signal ++ handler raised an exception, or if getrandom() failed with a different ++ error. ++ ++ getrandom() is retried if it failed with EINTR: interrupted by a signal. */ + static int + py_getrandom(void *buffer, Py_ssize_t size, int raise) + { +- /* Is getrandom() supported by the running kernel? +- * Need Linux kernel 3.17 or newer, or Solaris 11.3 or newer */ ++ /* Is getrandom() supported by the running kernel? Set to 0 if getrandom() ++ failed with ENOSYS or EPERM. Need Linux kernel 3.17 or newer, or Solaris ++ 11.3 or newer */ + static int getrandom_works = 1; + + /* getrandom() on Linux will block if called before the kernel has +@@ -132,84 +107,165 @@ py_getrandom(void *buffer, Py_ssize_t si + * see https://bugs.python.org/issue26839. To avoid this, use the + * GRND_NONBLOCK flag. */ + const int flags = GRND_NONBLOCK; +- int n; ++ char *dest; ++ long n; + +- if (!getrandom_works) ++ if (!getrandom_works) { + return 0; ++ } + ++ dest = buffer; + while (0 < size) { + #ifdef sun + /* Issue #26735: On Solaris, getrandom() is limited to returning up +- to 1024 bytes */ ++ to 1024 bytes. Call it multiple times if more bytes are ++ requested. */ + n = Py_MIN(size, 1024); + #else +- n = size; ++ n = Py_MIN(size, LONG_MAX); + #endif + + errno = 0; + #ifdef HAVE_GETRANDOM + if (raise) { + Py_BEGIN_ALLOW_THREADS +- n = getrandom(buffer, n, flags); ++ n = getrandom(dest, n, flags); + Py_END_ALLOW_THREADS + } + else { +- n = getrandom(buffer, n, flags); ++ n = getrandom(dest, n, flags); + } + #else + /* On Linux, use the syscall() function because the GNU libc doesn't +- * expose the Linux getrandom() syscall yet. See: +- * https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */ ++ expose the Linux getrandom() syscall yet. See: ++ https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */ + if (raise) { + Py_BEGIN_ALLOW_THREADS +- n = syscall(SYS_getrandom, buffer, n, flags); ++ n = syscall(SYS_getrandom, dest, n, flags); + Py_END_ALLOW_THREADS + } + else { +- n = syscall(SYS_getrandom, buffer, n, flags); ++ n = syscall(SYS_getrandom, dest, n, flags); + } + #endif + + if (n < 0) { +- if (errno == ENOSYS) { ++ /* ENOSYS: the syscall is not supported by the kernel. ++ EPERM: the syscall is blocked by a security policy (ex: SECCOMP) ++ or something else. */ ++ if (errno == ENOSYS || errno == EPERM) { + getrandom_works = 0; + return 0; + } ++ + if (errno == EAGAIN) { +- /* If we failed with EAGAIN, the entropy pool was +- * uninitialized. In this case, we return failure to fall +- * back to reading from /dev/urandom. +- * +- * Note: In this case the data read will not be random so +- * should not be used for cryptographic purposes. Retaining +- * the existing semantics for practical purposes. */ ++ /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system ++ urandom is not initialiazed yet. In this case, fall back on ++ reading from /dev/urandom. ++ ++ Note: In this case the data read will not be random so ++ should not be used for cryptographic purposes. Retaining ++ the existing semantics for practical purposes. */ + getrandom_works = 0; |