* [PATCH 01/13] python: update to 2.7.17
@ 2019-11-18 13:07 Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 02/13] runqemu: add options that enable virgl with the SDL frontend Alexander Kanavin
                   ` (14 more replies)
  0 siblings, 15 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC
  To: openembedded-core

Drop backports, rebase a couple of patches.

This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.

Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 ...-fix-one-do_populate_sysroot-warning.patch |  25 +-
 ...tive_2.7.16.bb => python-native_2.7.17.bb} |   2 +-
 meta/recipes-devtools/python/python.inc       |  10 +-
 ...nt-parse-domains-containing-GH-13079.patch |  90 --------
 ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 --------
 ...Resolve-intermediate-staging-issues.patch} |  53 +++--
 .../python/python/CVE-2018-20852.patch        | 123 ----------
 .../python/python/CVE-2019-9740.patch         | 216 ------------------
 .../python/bpo-35907-cve-2019-9948-fix.patch  |  55 -----
 .../python/bpo-35907-cve-2019-9948.patch      |  55 -----
 .../python/bpo-36216-cve-2019-9636-fix.patch  |  28 ---
 .../python/bpo-36216-cve-2019-9636.patch      | 111 ---------
 .../python/bpo-36742-cve-2019-10160.patch     |  81 -------
 .../{python_2.7.16.bb => python_2.7.17.bb}    |   3 -
 14 files changed, 49 insertions(+), 904 deletions(-)
 rename meta/recipes-devtools/python/{python-native_2.7.16.bb => python-native_2.7.17.bb} (97%)
 delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
 delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
 rename meta/recipes-devtools/python/python/{builddir.patch => 0001-python-Resolve-intermediate-staging-issues.patch} (58%)
 delete mode 100644 meta/recipes-devtools/python/python/CVE-2018-20852.patch
 delete mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
 rename meta/recipes-devtools/python/{python_2.7.16.bb => python_2.7.17.bb} (97%)

diff --git a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
index 989818927d4..707ee596fa4 100644
--- a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
+++ b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
@@ -1,4 +1,4 @@
-From 12292444e1b3662b994bc223d92b8338fb0895ff Mon Sep 17 00:00:00 2001
+From 6cbb7529cf7ff0da3ca649fb3486facd9620d625 Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Thu, 25 Oct 2018 07:32:14 +0000
 Subject: [PATCH] python-native: fix one do_populate_sysroot warning
@@ -17,23 +17,24 @@ when do_populate_sysroot. use append to fix it.
 Upstream-Status: Inappropriate [oe-specific]
 
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
 ---
  setup.py | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/setup.py b/setup.py
-index 7bf13ed..6c0f29b 100644
+index a2c8127..22f9e23 100644
 --- a/setup.py
 +++ b/setup.py
-@@ -40,7 +40,7 @@ def add_dir_to_list(dirlist, dir):
-     1) 'dir' is not already in 'dirlist'
-     2) 'dir' actually exists, and is a directory."""
-     if dir is not None and os.path.isdir(dir) and dir not in dirlist:
--        dirlist.insert(0, dir)
-+        dirlist.append(dir)
-
- def macosx_sdk_root():
-     """
+@@ -47,7 +47,7 @@ def add_dir_to_list(dirlist, dir):
+         else:
+             dir_exists = os.path.isdir(dir)
+         if dir_exists:
+-            dirlist.insert(0, dir)
++            dirlist.append(dir)
+ 
+ MACOS_SDK_ROOT = None
+ 
 -- 
-2.18.0
+2.17.1
 
diff --git a/meta/recipes-devtools/python/python-native_2.7.16.bb b/meta/recipes-devtools/python/python-native_2.7.17.bb
similarity index 97%
rename from meta/recipes-devtools/python/python-native_2.7.16.bb
rename to meta/recipes-devtools/python/python-native_2.7.17.bb
index 90103af8be5..936810d9806 100644
--- a/meta/recipes-devtools/python/python-native_2.7.16.bb
+++ b/meta/recipes-devtools/python/python-native_2.7.17.bb
@@ -11,7 +11,7 @@ SRC_URI += "\
             file://nohostlibs.patch \
             file://multilib.patch \
             file://add-md5module-support.patch \
-            file://builddir.patch \
+            file://0001-python-Resolve-intermediate-staging-issues.patch \
             file://parallel-makeinst-create-bindir.patch \
             file://revert_use_of_sysconfigdata.patch \
             file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \
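Review bot: check that no other recipe or bbappend still lists `file://builddir.patch` after this SRC_URI rename. The diffstat shows python_2.7.17.bb with deletions only, so any leftover reference to the old name would not be updated by this series and would fail the fetch of the local file.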
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 1462b779e93..a630c26e898 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -8,16 +8,10 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
-           file://bpo-35907-cve-2019-9948.patch \
-           file://bpo-35907-cve-2019-9948-fix.patch \
-           file://bpo-36216-cve-2019-9636.patch \
-           file://bpo-36216-cve-2019-9636-fix.patch \
-           file://CVE-2019-9740.patch \
-           file://CVE-2018-20852.patch \
            "
 
-SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
-SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7"
+SRC_URI[md5sum] = "b3b6d2c92f42a60667814358ab9f0cfd"
+SRC_URI[sha256sum] = "4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41"
 
 # python recipe is actually python 2.x
 # also, exclude pre-releases for both python 2.x and 3.x
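Review bot: the six SRC_URI entries removed here are the backports for CVE-2019-9948, CVE-2019-9636, CVE-2019-9740 and CVE-2018-20852, yet the commit message only says "Drop backports". Please list the CVE IDs that 2.7.17 now covers so the removal can be audited against the release notes. Separately, the unchanged `SRC_URI = "http://www.python.org/ftp/python/...` line still fetches over plain HTTP; the sha256sum protects integrity, but switching to https while the checksums are being touched is cheap.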
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
deleted file mode 100644
index 5415472a358..00000000000
--- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
-Date: Sat, 14 Sep 2019 13:26:38 -0400
-Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
- (GH-16006)
-
-This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
-
-(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
-
-Excludes changes to Lib/email/_header_value_parser.py, which did not
-exist in 2.7.
-
-Co-authored-by: jpic <jpic@users.noreply.github.com>
-
-https://bugs.python.org/issue34155
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
-
-CVE: CVE-2019-16056
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Lib/email/_parseaddr.py                            | 11 ++++++++++-
- Lib/email/test/test_email.py                       | 14 ++++++++++++++
- .../2019-05-04-13-33-37.bpo-34155.MJll68.rst       |  1 +
- 3 files changed, 25 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-
-diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
-index 690db2c22d..dc49d2e45a 100644
---- a/Lib/email/_parseaddr.py
-+++ b/Lib/email/_parseaddr.py
-@@ -336,7 +336,12 @@ class AddrlistClass:
-         aslist.append('@')
-         self.pos += 1
-         self.gotonext()
--        return EMPTYSTRING.join(aslist) + self.getdomain()
-+        domain = self.getdomain()
-+        if not domain:
-+            # Invalid domain, return an empty address instead of returning a
-+            # local part to denote failed parsing.
-+            return EMPTYSTRING
-+        return EMPTYSTRING.join(aslist) + domain
- 
-     def getdomain(self):
-         """Get the complete domain name from an address."""
-@@ -351,6 +356,10 @@ class AddrlistClass:
-             elif self.field[self.pos] == '.':
-                 self.pos += 1
-                 sdlist.append('.')
-+            elif self.field[self.pos] == '@':
-+                # bpo-34155: Don't parse domains with two `@` like
-+                # `a@malicious.org@important.com`.
-+                return EMPTYSTRING
-             elif self.field[self.pos] in self.atomends:
-                 break
-             else:
-diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
-index 4b4dee3d34..2efe44ac5a 100644
---- a/Lib/email/test/test_email.py
-+++ b/Lib/email/test/test_email.py
-@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
-         self.assertEqual(Utils.parseaddr('<>'), ('', ''))
-         self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
- 
-+    def test_parseaddr_multiple_domains(self):
-+        self.assertEqual(
-+            Utils.parseaddr('a@b@c'),
-+            ('', '')
-+        )
-+        self.assertEqual(
-+            Utils.parseaddr('a@b.c@c'),
-+            ('', '')
-+        )
-+        self.assertEqual(
-+            Utils.parseaddr('a@172.17.0.1@c'),
-+            ('', '')
-+        )
-+
-     def test_noquote_dump(self):
-         self.assertEqual(
-             Utils.formataddr(('A Silly Person', 'person@dom.ain')),
-diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-new file mode 100644
-index 0000000000..50292e29ed
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-@@ -0,0 +1 @@
-+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
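Review bot: deleting this file drops the `CVE: CVE-2019-16056` tag carried by the backport, so the removal is only correct if the 2.7.17 tarball already has the `getdomain()` branch that returns an empty string on a second `@`. Please confirm that and note it in the commit message. The deleted test gives a quick check on the built interpreter: `Utils.parseaddr('a@b@c')` should return `('', '')`.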
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
deleted file mode 100644
index 3025cf7bc8f..00000000000
--- a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
-From: Dong-hee Na <donghee.na92@gmail.com>
-Date: Tue, 1 Oct 2019 19:58:01 +0900
-Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
- (GH-16447)
-
-Escape the server title of DocXMLRPCServer.DocXMLRPCServer
-when rendering the document page as HTML.
-
-CVE: CVE-2019-16935
-
-Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Lib/DocXMLRPCServer.py                        | 13 +++++++++++-
- Lib/test/test_docxmlrpc.py                    | 20 +++++++++++++++++++
- .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst  |  3 +++
- 3 files changed, 35 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-
-diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
-index 4064ec2e48..90b037dd35 100644
---- a/Lib/DocXMLRPCServer.py
-+++ b/Lib/DocXMLRPCServer.py
-@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
-             CGIXMLRPCRequestHandler,
-             resolve_dotted_attribute)
- 
-+
-+def _html_escape_quote(s):
-+    s = s.replace("&", "&amp;") # Must be done first!
-+    s = s.replace("<", "&lt;")
-+    s = s.replace(">", "&gt;")
-+    s = s.replace('"', "&quot;")
-+    s = s.replace('\'', "&#x27;")
-+    return s
-+
-+
- class ServerHTMLDoc(pydoc.HTMLDoc):
-     """Class used to generate pydoc HTML document for a server"""
- 
-@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
-                                 methods
-                             )
- 
--        return documenter.page(self.server_title, documentation)
-+        title = _html_escape_quote(self.server_title)
-+        return documenter.page(title, documentation)
- 
- class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
-     """XML-RPC and documentation request handler class.
-diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
-index 4dff4159e2..c45b892b8b 100644
---- a/Lib/test/test_docxmlrpc.py
-+++ b/Lib/test/test_docxmlrpc.py
-@@ -1,5 +1,6 @@
- from DocXMLRPCServer import DocXMLRPCServer
- import httplib
-+import re
- import sys
- from test import test_support
- threading = test_support.import_module('threading')
-@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
-         self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
-                       response.read())
- 
-+    def test_server_title_escape(self):
-+        """Test that the server title and documentation
-+        are escaped for HTML.
-+        """
-+        self.serv.set_server_title('test_title<script>')
-+        self.serv.set_server_documentation('test_documentation<script>')
-+        self.assertEqual('test_title<script>', self.serv.server_title)
-+        self.assertEqual('test_documentation<script>',
-+                self.serv.server_documentation)
-+
-+        generated = self.serv.generate_html_documentation()
-+        title = re.search(r'<title>(.+?)</title>', generated).group()
-+        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
-+        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
-+                title)
-+        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
-+                documentation)
-+
-+
- def test_main():
-     test_support.run_unittest(DocXMLRPCHTTPGETServer)
- 
-diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-new file mode 100644
-index 0000000000..8f02baed9e
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-@@ -0,0 +1,3 @@
-+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
-+when rendering the document page as HTML.
-+(Contributed by Dong-hee Na in :issue:`38243`.)
--- 
-2.17.1
-
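Review bot: the `Upstream-Status` line of this backport points at a commit inside pull request 16447 rather than at a commit on a release branch, so the header alone does not show that the fix is part of 2.7.17. Before dropping the file, confirm that the 2.7.17 `Lib/DocXMLRPCServer.py` passes `self.server_title` through `_html_escape_quote` ahead of `documenter.page(...)`; otherwise the CVE-2019-16935 fix is lost without any visible failure.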
diff --git a/meta/recipes-devtools/python/python/builddir.patch b/meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
similarity index 58%
rename from meta/recipes-devtools/python/python/builddir.patch
rename to meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
index ad629a022e9..2ff2ccc43dc 100644
--- a/meta/recipes-devtools/python/python/builddir.patch
+++ b/meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
@@ -1,5 +1,10 @@
-When cross compiling python, we used to need to install the Makefile, pyconfig.h 
-and the python library to their final location before being able to compile the 
+From 77bcb3238b2853d511714544e0f84a37be6c79bf Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Wed, 14 Nov 2012 14:31:24 +0000
+Subject: [PATCH] python: Resolve intermediate staging issues
+
+When cross compiling python, we used to need to install the Makefile, pyconfig.h
+and the python library to their final location before being able to compile the
 rest of python. This change allows us to point python at its own source when
 building, avoiding a variety of sysroot staging issues and simplifying the main
 python recipe.
@@ -7,10 +12,29 @@ python recipe.
 Upstream-Status: Inappropriate
 RP 2012/11/13
 
-Index: Python-2.7.9/Lib/sysconfig.py
-===================================================================
---- Python-2.7.9.orig/Lib/sysconfig.py
-+++ Python-2.7.9/Lib/sysconfig.py
+---
+ Lib/distutils/sysconfig.py | 3 +++
+ Lib/sysconfig.py           | 5 ++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py
+index 2f4b8ca..15bceb5 100644
+--- a/Lib/distutils/sysconfig.py
++++ b/Lib/distutils/sysconfig.py
+@@ -31,6 +31,9 @@ else:
+     # sys.executable can be empty if argv[0] has been changed and Python is
+     # unable to retrieve the real program name
+     project_base = os.getcwd()
++_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)
++if _PYTHONBUILDDIR:
++    project_base = _PYTHONBUILDDIR
+ if os.name == "nt" and "pcbuild" in project_base[-8:].lower():
+     project_base = os.path.abspath(os.path.join(project_base, os.path.pardir))
+ # PC/VS7.1
+diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
+index 9c8350d..bddbe2e 100644
+--- a/Lib/sysconfig.py
++++ b/Lib/sysconfig.py
 @@ -93,6 +93,7 @@ _PREFIX = os.path.normpath(sys.prefix)
  _EXEC_PREFIX = os.path.normpath(sys.exec_prefix)
  _CONFIG_VARS = None
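Review bot: `Upstream-Status: Inappropriate` in the refreshed header has no bracketed reason, and the only attribution is `RP 2012/11/13` rather than a Signed-off-by line. Now that the file has gained a From/Date/Subject header, use `Upstream-Status: Inappropriate [oe-specific]`, the form the python-native patch in this series already uses, and add a `Signed-off-by:` for the author so the patch header is complete.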
@@ -30,17 +54,6 @@ Index: Python-2.7.9/Lib/sysconfig.py
      _PROJECT_BASE = os.path.dirname(_safe_realpath(sys.executable))
  else:
      # sys.executable can be empty if argv[0] has been changed and Python is
-Index: Python-2.7.9/Lib/distutils/sysconfig.py
-===================================================================
---- Python-2.7.9.orig/Lib/distutils/sysconfig.py
-+++ Python-2.7.9/Lib/distutils/sysconfig.py
-@@ -26,6 +26,9 @@ EXEC_PREFIX = os.path.normpath(sys.exec_
- # live in project/PCBuild9.  If we're dealing with an x64 Windows build,
- # it'll live in project/PCbuild/amd64.
- project_base = os.path.dirname(os.path.abspath(sys.executable))
-+_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)
-+if _PYTHONBUILDDIR:
-+    project_base = _PYTHONBUILDDIR
- if os.name == "nt" and "pcbuild" in project_base[-8:].lower():
-     project_base = os.path.abspath(os.path.join(project_base, os.path.pardir))
- # PC/VS7.1
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/python/python/CVE-2018-20852.patch b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
deleted file mode 100644
index 23c784a2105..00000000000
--- a/meta/recipes-devtools/python/python/CVE-2018-20852.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001
-From: Xtreak <tir.karthi@gmail.com>
-Date: Sat, 15 Jun 2019 20:59:43 +0530
-Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
- validation (GH-10258) (GH-13426)
-
-This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
-
-
-https://bugs.python.org/issue35121
-CVE: CVE-2018-20852
-Upstream-Status: Backport [https://github.com/python/cpython/pull/13426]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/cookielib.py                              | 13 ++++++--
- Lib/test/test_cookielib.py                    | 30 +++++++++++++++++++
- .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst  |  4 +++
- 3 files changed, 45 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
-
-diff --git a/Lib/cookielib.py b/Lib/cookielib.py
-index 2dd7c48728e0..0b471a42f296 100644
---- a/Lib/cookielib.py
-+++ b/Lib/cookielib.py
-@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request):
-         req_host, erhn = eff_request_host(request)
-         domain = cookie.domain
- 
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+
-         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
-         if (cookie.version == 0 and
-             (self.strict_ns_domain & self.DomainStrictNonDomain) and
-@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request):
-             _debug("   effective request-host name %s does not domain-match "
-                    "RFC 2965 cookie domain %s", erhn, domain)
-             return False
--        if cookie.version == 0 and not ("."+erhn).endswith(domain):
-+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
-             _debug("   request-host %s does not match Netscape cookie domain "
-                    "%s", req_host, domain)
-             return False
-@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request):
-             req_host = "."+req_host
-         if not erhn.startswith("."):
-             erhn = "."+erhn
--        if not (req_host.endswith(domain) or erhn.endswith(domain)):
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
-             #_debug("   request domain %s does not match cookie domain %s",
-             #       req_host, domain)
-             return False
-diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
-index f2dd9727d137..7f7ff614d61d 100644
---- a/Lib/test/test_cookielib.py
-+++ b/Lib/test/test_cookielib.py
-@@ -368,6 +368,7 @@ def test_domain_return_ok(self):
-             ("http://foo.bar.com/", ".foo.bar.com", True),
-             ("http://foo.bar.com/", "foo.bar.com", True),
-             ("http://foo.bar.com/", ".bar.com", True),
-+            ("http://foo.bar.com/", "bar.com", True),
-             ("http://foo.bar.com/", "com", True),
-             ("http://foo.com/", "rhubarb.foo.com", False),
-             ("http://foo.com/", ".foo.com", True),
-@@ -378,6 +379,8 @@ def test_domain_return_ok(self):
-             ("http://foo/", "foo", True),
-             ("http://foo/", "foo.local", True),
-             ("http://foo/", ".local", True),
-+            ("http://barfoo.com", ".foo.com", False),
-+            ("http://barfoo.com", "foo.com", False),
-             ]:
-             request = urllib2.Request(url)
-             r = pol.domain_return_ok(domain, request)
-@@ -938,6 +941,33 @@ def test_domain_block(self):
-         c.add_cookie_header(req)
-         self.assertFalse(req.has_header("Cookie"))
- 
-+        c.clear()
-+
-+        pol.set_blocked_domains([])
-+        req = Request("http://acme.com/")
-+        res = FakeResponse(headers, "http://acme.com/")
-+        cookies = c.make_cookies(res, req)
-+        c.extract_cookies(res, req)
-+        self.assertEqual(len(c), 1)
-+
-+        req = Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertTrue(req.has_header("Cookie"))
-+
-+        req = Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(pol.return_ok(cookies[0], req))
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        p = pol.set_blocked_domains(["acme.com"])
-+        req = Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        req = Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-     def test_secure(self):
-         from cookielib import CookieJar, DefaultCookiePolicy
- 
-diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
-new file mode 100644
-index 000000000000..77251806163b
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
-@@ -0,0 +1,4 @@
-+Don't send cookies of domain A without Domain attribute to domain B when
-+domain A is a suffix match of domain B while using a cookiejar with
-+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
-+Singaravelan.
diff --git a/meta/recipes-devtools/python/python/CVE-2019-9740.patch b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
deleted file mode 100644
index 95f43e0387d..00000000000
--- a/meta/recipes-devtools/python/python/CVE-2019-9740.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From bb8071a4cae5ab3fe321481dd3d73662ffb26052 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <victor.stinner@gmail.com>
-Date: Tue, 21 May 2019 15:12:33 +0200
-Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
- (GH-13154) (GH-13315)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Disallow control chars in http URLs in urllib2.urlopen.  This
-addresses a potential security problem for applications that do not
-sanity check their URLs where http request headers could be injected.
-
-Disable https related urllib tests on a build without ssl (GH-13032)
-These tests require an SSL enabled build. Skip these tests when
-python is built without SSL to fix test failures.
-
-Use httplib.InvalidURL instead of ValueError as the new error case's
-exception. (GH-13044)
-
-Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
-
-(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
-
-Notes on backport to Python 2.7:
-
-* test_urllib tests urllib.urlopen() which quotes the URL and so is
-  not vulerable to HTTP Header Injection.
-* Add tests to test_urllib2 on urllib2.urlopen().
-* Reject non-ASCII characters: range 0x80-0xff.
-
-Upstream-Status: Backport
-CVE: CVE-2019-9740
-CVE: CVE-2019-9947
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/httplib.py                                | 16 ++++++
- Lib/test/test_urllib.py                       | 25 +++++++++
- Lib/test/test_urllib2.py                      | 51 ++++++++++++++++++-
- Lib/test/test_xmlrpc.py                       |  8 ++-
- .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
- 5 files changed, 99 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-
-diff --git a/Lib/httplib.py b/Lib/httplib.py
-index 60a8fb4e355f..1b41c346e090 100644
---- a/Lib/httplib.py
-+++ b/Lib/httplib.py
-@@ -247,6 +247,16 @@
- _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
- _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
- 
-+# These characters are not allowed within HTTP URL paths.
-+#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
-+#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
-+# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
-+# Restrict non-ASCII characters above \x7f (0x80-0xff).
-+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
-+# Arguably only these _should_ allowed:
-+#  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
-+# We are more lenient for assumed real world compatibility purposes.
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -927,6 +937,12 @@ def putrequest(self, method, url, skip_host=0, skip_accept_encoding=0):
-         self._method = method
-         if not url:
-             url = '/'
-+        # Prevent CVE-2019-9740.
-+        match = _contains_disallowed_url_pchar_re.search(url)
-+        if match:
-+            raise InvalidURL("URL can't contain control characters. %r "
-+                             "(found at least %r)"
-+                             % (url, match.group()))
-         hdr = '%s %s %s' % (method, url, self._http_vsn_str)
- 
-         self._output(hdr)
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index 1ce9201c0693..d7778d4194f3 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -257,6 +257,31 @@ def test_url_fragment(self):
-         finally:
-             self.unfakehttp()
- 
-+    def test_url_with_control_char_rejected(self):
-+        for char_no in range(0, 0x21) + range(0x7f, 0x100):
-+            char = chr(char_no)
-+            schemeless_url = "//localhost:7777/test%s/" % char
-+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+            try:
-+                # urllib quotes the URL so there is no injection.
-+                resp = urllib.urlopen("http:" + schemeless_url)
-+                self.assertNotIn(char, resp.geturl())
-+            finally:
-+                self.unfakehttp()
-+
-+    def test_url_with_newline_header_injection_rejected(self):
-+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
-+        schemeless_url = "//" + host + ":8080/test/?test=a"
-+        try:
-+            # urllib quotes the URL so there is no injection.
-+            resp = urllib.urlopen("http:" + schemeless_url)
-+            self.assertNotIn(' ', resp.geturl())
-+            self.assertNotIn('\r', resp.geturl())
-+            self.assertNotIn('\n', resp.geturl())
-+        finally:
-+            self.unfakehttp()
-+
-     def test_read_bogus(self):
-         # urlopen() should raise IOError for many error codes.
-         self.fakehttp('''HTTP/1.1 401 Authentication Required
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 6d24d5ddf83c..9531818e16b2 100644
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -15,6 +15,9 @@
- except ImportError:
-     ssl = None
- 
-+from test.test_urllib import FakeHTTPMixin
-+
-+
- # XXX
- # Request
- # CacheFTPHandler (hard to write)
-@@ -1262,7 +1265,7 @@ def _test_basic_auth(self, opener, auth_handler, auth_header,
-         self.assertEqual(len(http_handler.requests), 1)
-         self.assertFalse(http_handler.requests[0].has_header(auth_header))
- 
--class MiscTests(unittest.TestCase):
-+class MiscTests(unittest.TestCase, FakeHTTPMixin):
- 
-     def test_build_opener(self):
-         class MyHTTPHandler(urllib2.HTTPHandler): pass
-@@ -1317,6 +1320,52 @@ def test_unsupported_algorithm(self):
-             "Unsupported digest authentication algorithm 'invalid'"
-         )
- 
-+    @unittest.skipUnless(ssl, "ssl module required")
-+    def test_url_with_control_char_rejected(self):
-+        for char_no in range(0, 0x21) + range(0x7f, 0x100):
-+            char = chr(char_no)
-+            schemeless_url = "//localhost:7777/test%s/" % char
-+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+            try:
-+                # We explicitly test urllib.request.urlopen() instead of the top
-+                # level 'def urlopen()' function defined in this... (quite ugly)
-+                # test suite.  They use different url opening codepaths.  Plain
-+                # urlopen uses FancyURLOpener which goes via a codepath that
-+                # calls urllib.parse.quote() on the URL which makes all of the
-+                # above attempts at injection within the url _path_ safe.
-+                escaped_char_repr = repr(char).replace('\\', r'\\')
-+                InvalidURL = httplib.InvalidURL
-+                with self.assertRaisesRegexp(
-+                    InvalidURL, "contain control.*" + escaped_char_repr):
-+                    urllib2.urlopen("http:" + schemeless_url)
-+                with self.assertRaisesRegexp(
-+                    InvalidURL, "contain control.*" + escaped_char_repr):
-+                    urllib2.urlopen("https:" + schemeless_url)
-+            finally:
-+                self.unfakehttp()
-+
-+    @unittest.skipUnless(ssl, "ssl module required")
-+    def test_url_with_newline_header_injection_rejected(self):
-+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
-+        schemeless_url = "//" + host + ":8080/test/?test=a"
-+        try:
-+            # We explicitly test urllib2.urlopen() instead of the top
-+            # level 'def urlopen()' function defined in this... (quite ugly)
-+            # test suite.  They use different url opening codepaths.  Plain
-+            # urlopen uses FancyURLOpener which goes via a codepath that
-+            # calls urllib.parse.quote() on the URL which makes all of the
-+            # above attempts at injection within the url _path_ safe.
-+            InvalidURL = httplib.InvalidURL
-+            with self.assertRaisesRegexp(
-+                InvalidURL, r"contain control.*\\r.*(found at least . .)"):
-+                urllib2.urlopen("http:" + schemeless_url)
-+            with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
-+                urllib2.urlopen("https:" + schemeless_url)
-+        finally:
-+            self.unfakehttp()
-+
-+
- 
- class RequestTests(unittest.TestCase):
- 
-diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
-index 36b3be67fd6b..90ccb30716ff 100644
---- a/Lib/test/test_xmlrpc.py
-+++ b/Lib/test/test_xmlrpc.py
-@@ -659,7 +659,13 @@ def test_dotted_attribute(self):
-     def test_partial_post(self):
-         # Check that a partial POST doesn't make the server loop: issue #14001.
-         conn = httplib.HTTPConnection(ADDR, PORT)
--        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
-+        conn.send('POST /RPC2 HTTP/1.0\r\n'
-+                  'Content-Length: 100\r\n\r\n'
-+                  'bye HTTP/1.1\r\n'
-+                  'Host: %s:%s\r\n'
-+                  'Accept-Encoding: identity\r\n'
-+                  'Content-Length: 0\r\n\r\n'
-+                  % (ADDR, PORT))
-         conn.close()
- 
- class SimpleServerEncodingTestCase(BaseServerTestCase):
-diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-new file mode 100644
-index 000000000000..47cb899df1af
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-@@ -0,0 +1 @@
-+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request.  Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
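Review bot: The commit message should name CVE-2019-9740 as fixed in 2.7.17, because the patch deleted here (see the NEWS entry on its last removed line, and the removed test_url_with_control_char_rejected and test_url_with_newline_header_injection_rejected tests) is the recipe's only record that the header-injection issue is handled. Listing the CVE IDs of every dropped backport lets the removal be checked against CVE tracking without rereading each deleted file.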
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
deleted file mode 100644
index b2672370186..00000000000
--- a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
-From: Sihoon Lee <push0ebp@gmail.com>
-Date: Fri, 17 May 2019 02:41:06 +0900
-Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
- assertRasies in DummyURLopener test, and simplify mitigation
-
-Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
-
-CVE: CVE-2019-9948
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Lib/test/test_urllib.py | 11 +++--------
- Lib/urllib.py           |  4 ++--
- 2 files changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index e5f210e62a18..1e23dfb0bb16 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
-         class DummyURLopener(urllib.URLopener):
-             def open_local_file(self, url):
-                 return url
--        self.assertEqual(DummyURLopener().open(
--            'local-file://example'), '//example')
--        self.assertEqual(DummyURLopener().open(
--            'local_file://example'), '//example')
--        self.assertRaises(IOError, urllib.urlopen,
--            'local-file://example')
--        self.assertRaises(IOError, urllib.urlopen,
--            'local_file://example')
-+        for url in ('local_file://example', 'local-file://example'):
-+            self.assertRaises(IOError, DummyURLopener().open, url)
-+            self.assertRaises(IOError, urllib.urlopen, url)
- 
- # Just commented them out.
- # Can't really tell why keep failing in windows and sparc.
-diff --git a/Lib/urllib.py b/Lib/urllib.py
-index a24e9a5c68fb..39b834054e9e 100644
---- a/Lib/urllib.py
-+++ b/Lib/urllib.py
-@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
-         name = 'open_' + urltype
-         self.type = urltype
-         name = name.replace('-', '_')
--        
-+
-         # bpo-35907: # disallow the file reading with the type not allowed
-         if not hasattr(self, name) or \
--            (self == _urlopener and name == 'open_local_file'):
-+            getattr(self, name) == self.open_local_file:
-             if proxy:
-                 return self.open_unknown_proxy(proxy, fullurl, data)
-             else:
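Review bot: The header of the removed file says "Upstream-Status: Submitted https://github.com/python/cpython/pull/11842", not Backport, so dropping it needs an explicit confirmation that 2.7.17 carries an equivalent fix for CVE-2019-9948. The same applies to bpo-35907-cve-2019-9948.patch, which has the same status line. Please state in the commit message that the open_local_file restriction in URLopener.open() is present in the new release, or keep both patches if it is not.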
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
deleted file mode 100644
index f4c225d2fcf..00000000000
--- a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
-From: push0ebp <push0ebp@shl-MacBook-Pro.local>
-Date: Thu, 14 Feb 2019 02:05:46 +0900
-Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
- URL scheme in urllib
-
-Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
-
-CVE: CVE-2019-9948
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Lib/test/test_urllib.py | 12 ++++++++++++
- Lib/urllib.py           |  5 ++++-
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index 1ce9201c0693..e5f210e62a18 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -1023,6 +1023,18 @@ def open_spam(self, url):
-             "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
-             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
- 
-+    def test_local_file_open(self):
-+        class DummyURLopener(urllib.URLopener):
-+            def open_local_file(self, url):
-+                return url
-+        self.assertEqual(DummyURLopener().open(
-+            'local-file://example'), '//example')
-+        self.assertEqual(DummyURLopener().open(
-+            'local_file://example'), '//example')
-+        self.assertRaises(IOError, urllib.urlopen,
-+            'local-file://example')
-+        self.assertRaises(IOError, urllib.urlopen,
-+            'local_file://example')
- 
- # Just commented them out.
- # Can't really tell why keep failing in windows and sparc.
-diff --git a/Lib/urllib.py b/Lib/urllib.py
-index d85504a5cb7e..a24e9a5c68fb 100644
---- a/Lib/urllib.py
-+++ b/Lib/urllib.py
-@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
-         name = 'open_' + urltype
-         self.type = urltype
-         name = name.replace('-', '_')
--        if not hasattr(self, name):
-+        
-+        # bpo-35907: # disallow the file reading with the type not allowed
-+        if not hasattr(self, name) or \
-+            (self == _urlopener and name == 'open_local_file'):
-             if proxy:
-                 return self.open_unknown_proxy(proxy, fullurl, data)
-             else:
diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
deleted file mode 100644
index 2ce4d2cde7a..00000000000
--- a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 06b5ee585d6e76bdbb4002f642d864d860cbbd2b Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@python.org>
-Date: Tue, 12 Mar 2019 08:23:33 -0700
-Subject: [PATCH] bpo-36216: Only print test messages when verbose
-
-CVE: CVE-2019-9636
- 
-Upstream-Status: Backport https://github.com/python/cpython/pull/12291/commits/06b5ee585d6e76bdbb4002f642d864d860cbbd2b
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Lib/test/test_urlparse.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 73b0228ea8e3..1830d0b28688 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -644,7 +644,8 @@ def test_urlsplit_normalization(self):
-         for scheme in [u"http", u"https", u"ftp"]:
-             for c in denorm_chars:
-                 url = u"{}://netloc{}false.netloc/path".format(scheme, c)
--                print "Checking %r" % url
-+                if test_support.verbose:
-+                    print "Checking %r" % url
-                 with self.assertRaises(ValueError):
-                     urlparse.urlsplit(url)
- 
diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
deleted file mode 100644
index 352b13ba9b5..00000000000
--- a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@python.org>
-Date: Thu, 7 Mar 2019 08:25:22 -0800
-Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
- to separators (GH-12201)
-
-CVE: CVE-2019-9636
-
-Upstream-Status: Backport https://github.com/python/cpython/pull/12216/commits/3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Doc/library/urlparse.rst                      | 20 ++++++++++++++++
- Lib/test/test_urlparse.py                     | 24 +++++++++++++++++++
- Lib/urlparse.py                               | 17 +++++++++++++
- .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
- 4 files changed, 64 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 4e1ded73c266..73b0228ea8e3 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1,4 +1,6 @@
- from test import test_support
-+import sys
-+import unicodedata
- import unittest
- import urlparse
- 
-@@ -624,6 +626,28 @@ def test_portseparator(self):
-         self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
-                 ('http','www.python.org:80','','','',''))
- 
-+    def test_urlsplit_normalization(self):
-+        # Certain characters should never occur in the netloc,
-+        # including under normalization.
-+        # Ensure that ALL of them are detected and cause an error
-+        illegal_chars = u'/:#?@'
-+        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
-+        denorm_chars = [
-+            c for c in map(unichr, range(128, sys.maxunicode))
-+            if (hex_chars & set(unicodedata.decomposition(c).split()))
-+            and c not in illegal_chars
-+        ]
-+        # Sanity check that we found at least one such character
-+        self.assertIn(u'\u2100', denorm_chars)
-+        self.assertIn(u'\uFF03', denorm_chars)
-+
-+        for scheme in [u"http", u"https", u"ftp"]:
-+            for c in denorm_chars:
-+                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
-+                print "Checking %r" % url
-+                with self.assertRaises(ValueError):
-+                    urlparse.urlsplit(url)
-+
- def test_main():
-     test_support.run_unittest(UrlParseTestCase)
- 
-diff --git a/Lib/urlparse.py b/Lib/urlparse.py
-index f7c2b032b097..54eda08651ab 100644
---- a/Lib/urlparse.py
-+++ b/Lib/urlparse.py
-@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
-             delim = min(delim, wdelim)     # use earliest delim position
-     return url[start:delim], url[delim:]   # return (domain, rest)
- 
-+def _checknetloc(netloc):
-+    if not netloc or not isinstance(netloc, unicode):
-+        return
-+    # looking for characters like \u2100 that expand to 'a/c'
-+    # IDNA uses NFKC equivalence, so normalize for this check
-+    import unicodedata
-+    netloc2 = unicodedata.normalize('NFKC', netloc)
-+    if netloc == netloc2:
-+        return
-+    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-+    for c in '/?#@:':
-+        if c in netloc2:
-+            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+                             "characters under NFKC normalization")
-+
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
-     <scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-                 url, fragment = url.split('#', 1)
-             if '?' in url:
-                 url, query = url.split('?', 1)
-+            _checknetloc(netloc)
-             v = SplitResult(scheme, netloc, url, query, fragment)
-             _parse_cache[key] = v
-             return v
-@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-         url, query = url.split('?', 1)
-+    _checknetloc(netloc)
-     v = SplitResult(scheme, netloc, url, query, fragment)
-     _parse_cache[key] = v
-     return v
-diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-new file mode 100644
-index 000000000000..1e1ad92c6feb
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-@@ -0,0 +1,3 @@
-+Changes urlsplit() to raise ValueError when the URL contains characters that
-+decompose under IDNA encoding (NFKC-normalization) into characters that
-+affect how the URL is parsed.
-\ No newline at end of file
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
deleted file mode 100644
index 1b6cb8cf3e6..00000000000
--- a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 10 Oct 2019 16:32:19 +0800
-Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
- urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
-
-Upstream-Status: Backport
-
-https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
-https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
-
-CVE: CVE-2019-10160
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- Lib/test/test_urlparse.py | 19 +++++++++++++------
- Lib/urlparse.py           | 14 +++++++++-----
- 2 files changed, 22 insertions(+), 11 deletions(-)
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 1830d0b..857ed96 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
-         self.assertIn(u'\u2100', denorm_chars)
-         self.assertIn(u'\uFF03', denorm_chars)
- 
-+        # bpo-36742: Verify port separators are ignored when they
-+        # existed prior to decomposition
-+        urlparse.urlsplit(u'http://\u30d5\u309a:80')
-+        with self.assertRaises(ValueError):
-+            urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
-+
-         for scheme in [u"http", u"https", u"ftp"]:
--            for c in denorm_chars:
--                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
--                if test_support.verbose:
--                    print "Checking %r" % url
--                with self.assertRaises(ValueError):
--                    urlparse.urlsplit(url)
-+            for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
-+                for c in denorm_chars:
-+                    url = u"{}://{}/path".format(scheme, netloc.format(c))
-+                    if test_support.verbose:
-+                        print "Checking %r" % url
-+                    with self.assertRaises(ValueError):
-+                        urlparse.urlsplit(url)
- 
- def test_main():
-     test_support.run_unittest(UrlParseTestCase)
-diff --git a/Lib/urlparse.py b/Lib/urlparse.py
-index 54eda08..e34b368 100644
---- a/Lib/urlparse.py
-+++ b/Lib/urlparse.py
-@@ -171,14 +171,18 @@ def _checknetloc(netloc):
-     # looking for characters like \u2100 that expand to 'a/c'
-     # IDNA uses NFKC equivalence, so normalize for this check
-     import unicodedata
--    netloc2 = unicodedata.normalize('NFKC', netloc)
--    if netloc == netloc2:
-+    n = netloc.replace(u'@', u'') # ignore characters already included
-+    n = n.replace(u':', u'')      # but not the surrounding text
-+    n = n.replace(u'#', u'')
-+    n = n.replace(u'?', u'')
-+
-+    netloc2 = unicodedata.normalize('NFKC', n)
-+    if n == netloc2:
-         return
--    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-     for c in '/?#@:':
-         if c in netloc2:
--            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
--                             "characters under NFKC normalization")
-+            raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
-+                             u"characters under NFKC normalization")
- 
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
--- 
-2.7.4
-
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.17.bb
similarity index 97%
rename from meta/recipes-devtools/python/python_2.7.16.bb
rename to meta/recipes-devtools/python/python_2.7.17.bb
index 625c5312a6e..5b856a50977 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.17.bb
@@ -30,9 +30,6 @@ SRC_URI += " \
            file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
            file://float-endian.patch \
            file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
-           file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
-           file://bpo-36742-cve-2019-10160.patch \
-           file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"
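Review bot: Only three SRC_URI entries are removed in this hunk, while the patch deletes more files from python/ (CVE-2019-9740.patch, both bpo-35907 patches and both bpo-36216 patches, among others). Please check that every deleted file is also dropped from whichever SRC_URI lists it, since a leftover file:// entry pointing at a removed patch fails the build.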
-- 
2.17.1




* [PATCH 02/13] runqemu: add options that enable virgl with the SDL frontend
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 03/13] oe-selftest: extend virgl gtk test to also check the SDL option Alexander Kanavin
                   ` (13 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 scripts/runqemu | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index a05facd0db6..5c56c3fe6c1 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -67,9 +67,9 @@ of the following environment variables (in any order):
     nographic - disable video console
     sdl - choose the SDL UI frontend
     gtk - choose the Gtk UI frontend
-    gl - enable virgl-based GL acceleration (also needs gtk option)
-    gl-es - enable virgl-based GL acceleration, using OpenGL ES (also needs gtk option)
-    egl-headless - enable headless EGL output; use vnc or spice to see it
+    gl - enable virgl-based GL acceleration (also needs gtk or sdl options)
+    gl-es - enable virgl-based GL acceleration, using OpenGL ES (also needs gtk or sdl options)
+    egl-headless - enable headless EGL output; use vnc (via publicvnc option) or spice to see it
     serial - enable a serial console on /dev/ttyS0
     serialstdio - enable a serial console on the console (regardless of graphics mode)
     slirp - enable user networking, no root privileges is required
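Review bot: Wording nit on the two changed gl lines: "also needs gtk or sdl options" reads as if both were required; "also needs the gtk or sdl option" is clearer, and matches the singular "publicvnc option" used on the egl-headless line in the same hunk.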
@@ -437,7 +437,12 @@ class BaseConfig(object):
                 self.qemu_opt_script += ' -nographic'
                 self.kernel_cmdline_script += ' console=ttyS0'
             elif arg == 'sdl':
-                self.qemu_opt_script += ' -display sdl'
+                if 'gl' in sys.argv[1:]:
+                    self.qemu_opt_script += ' -vga virtio -display sdl,gl=on'
+                elif 'gl-es' in sys.argv[1:]:
+                    self.qemu_opt_script += ' -vga virtio -display sdl,gl=es'
+                else:
+                    self.qemu_opt_script += ' -display sdl'
             elif arg == 'gtk':
                 if 'gl' in sys.argv[1:]:
                     self.qemu_opt_script += ' -vga virtio -display gtk,gl=on'
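Review bot: The new sdl branch repeats the gtk branch's gl / gl-es selection line for line, differing only in the display name, so the two can drift apart the next time a GL mode is added. Consider working out the suffix once (",gl=on", ",gl=es" or empty) from sys.argv[1:] and sharing it between both branches, with "-vga virtio" added only when the suffix is non-empty.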
-- 
2.17.1




* [PATCH 03/13] oe-selftest: extend virgl gtk test to also check the SDL option
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 02/13] runqemu: add options that enable virgl with the SDL frontend Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 04/13] tiff: update to 4.1.0 Alexander Kanavin
                   ` (12 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 meta/lib/oeqa/selftest/cases/runtime_test.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 4b56e5beca2..ccd2c40aa3f 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -166,9 +166,9 @@ class TestImage(OESelftestTestCase):
         bitbake('core-image-full-cmdline socat')
         bitbake('-c testimage core-image-full-cmdline')
 
-    def test_testimage_virgl_gtk(self):
+    def test_testimage_virgl_gtk_sdl(self):
         """
-        Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk frontend
+        Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
         Expected: 1. Check that virgl kernel driver is loaded and 3d acceleration is enabled
                   2. Check that kmscube demo runs without crashing.
         Product: oe-core
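Review bot: Since the Summary line is being rewritten anyway, fix "host-assisted accelerate OpenGL" to "host-assisted accelerated OpenGL" in the same change.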
@@ -183,18 +183,27 @@ class TestImage(OESelftestTestCase):
             self.skipTest('virgl isn\'t working with Centos 7')
 
         qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
+        sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native')
         features = 'INHERIT += "testimage"\n'
         if 'gtk+' not in qemu_packageconfig:
             features += 'PACKAGECONFIG_append_pn-qemu-system-native = " gtk+"\n'
+        if 'sdl' not in qemu_packageconfig:
+            features += 'PACKAGECONFIG_append_pn-qemu-system-native = " sdl"\n'
         if 'virglrenderer' not in qemu_packageconfig:
             features += 'PACKAGECONFIG_append_pn-qemu-system-native = " virglrenderer"\n'
         if 'glx' not in qemu_packageconfig:
             features += 'PACKAGECONFIG_append_pn-qemu-system-native = " glx"\n'
+        if 'opengl' not in sdl_packageconfig:
+            features += 'PACKAGECONFIG_append_pn-libsdl2-native = " opengl"\n'
         features += 'TEST_SUITES = "ping ssh virgl"\n'
         features += 'IMAGE_FEATURES_append = " ssh-server-dropbear"\n'
         features += 'IMAGE_INSTALL_append = " kmscube"\n'
-        features += 'TEST_RUNQEMUPARAMS = "gtk gl"\n'
-        self.write_config(features)
+        features_gtk = features + 'TEST_RUNQEMUPARAMS = "gtk gl"\n'
+        self.write_config(features_gtk)
+        bitbake('core-image-minimal')
+        bitbake('-c testimage core-image-minimal')
+        features_sdl = features + 'TEST_RUNQEMUPARAMS = "sdl gl"\n'
+        self.write_config(features_sdl)
         bitbake('core-image-minimal')
         bitbake('-c testimage core-image-minimal')
 
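Review bot: The gtk and sdl runs are chained inside one test method, so a failure in the gtk cycle stops the test before "sdl gl" is ever exercised, and the result does not say which frontend broke. Consider looping over ("gtk gl", "sdl gl") with the write_config / bitbake / testimage sequence in the loop body and a message naming the frontend on failure, or splitting this into two test methods. That also removes the duplicated pair of bitbake calls.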
-- 
2.17.1




* [PATCH 04/13] tiff: update to 4.1.0
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 02/13] runqemu: add options that enable virgl with the SDL frontend Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 03/13] oe-selftest: extend virgl gtk test to also check the SDL option Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 05/13] librepo: upgrade 1.10.6 -> 1.11.0 Alexander Kanavin
                   ` (11 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Drop backported patches.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 .../libtiff/tiff/CVE-2019-14973.patch         | 415 ------------------
 .../libtiff/tiff/CVE-2019-17546.patch         | 103 -----
 .../libtiff/tiff/CVE-2019-6128.patch          |  52 ---
 .../libtiff/tiff/CVE-2019-7663.patch          |  77 ----
 .../libtiff/{tiff_4.0.10.bb => tiff_4.1.0.bb} |  10 +-
 5 files changed, 3 insertions(+), 654 deletions(-)
 delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
 rename meta/recipes-multimedia/libtiff/{tiff_4.0.10.bb => tiff_4.1.0.bb} (85%)

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
deleted file mode 100644
index 8345295d07b..00000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
+++ /dev/null
@@ -1,415 +0,0 @@
-From 95ac1e3fcc6b643b5bd100f2ea54faca0a003315 Mon Sep 17 00:00:00 2001
-From: Trevor Gamblin <trevor.gamblin@windriver.com>
-Date: Fri, 20 Sep 2019 09:33:22 -0400
-Subject: [PATCH] libtiff-fix-CVE-2019-14973
-
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c]
-CVE: CVE-2019-14973
-
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
----
- libtiff/tif_aux.c      | 49 +++++++++++++++++++++++++++++++++++++-----
- libtiff/tif_getimage.c |  6 ++----
- libtiff/tif_luv.c      |  8 +------
- libtiff/tif_pixarlog.c |  7 +-----
- libtiff/tif_read.c     | 38 +++++++++-----------------------
- libtiff/tif_strip.c    | 35 ++++--------------------------
- libtiff/tif_tile.c     | 27 +++--------------------
- libtiff/tiffiop.h      |  7 +++++-
- 8 files changed, 71 insertions(+), 106 deletions(-)
-
-diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
-index 4ece162f..33fb8a44 100644
---- a/libtiff/tif_aux.c
-+++ b/libtiff/tif_aux.c
-@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
- 	return bytes;
- }
- 
-+tmsize_t
-+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
-+{
-+    if( first <= 0 || second <= 0 )
-+    {
-+        if( tif != NULL && where != NULL )
-+        {
-+            TIFFErrorExt(tif->tif_clientdata, where,
-+                        "Invalid argument to _TIFFMultiplySSize() in %s", where);
-+        }
-+        return 0;
-+    }
-+
-+    if( first > TIFF_TMSIZE_T_MAX / second )
-+    {
-+        if( tif != NULL && where != NULL )
-+        {
-+            TIFFErrorExt(tif->tif_clientdata, where,
-+                        "Integer overflow in %s", where);
-+        }
-+        return 0;
-+    }
-+    return first * second;
-+}
-+
-+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
-+{
-+    if( val > (uint64)TIFF_TMSIZE_T_MAX )
-+    {
-+        if( tif != NULL && module != NULL )
-+        {
-+            TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+        }
-+        return 0;
-+    }
-+    return (tmsize_t)val;
-+}
-+
- void*
- _TIFFCheckRealloc(TIFF* tif, void* buffer,
- 		  tmsize_t nmemb, tmsize_t elem_size, const char* what)
- {
- 	void* cp = NULL;
--	tmsize_t bytes = nmemb * elem_size;
--
-+        tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
- 	/*
--	 * XXX: Check for integer overflow.
-+	 * Check for integer overflow.
- 	 */
--	if (nmemb && elem_size && bytes / elem_size == nmemb)
--		cp = _TIFFrealloc(buffer, bytes);
-+	if (count != 0)
-+	{
-+		cp = _TIFFrealloc(buffer, count);
-+	}
- 
- 	if (cp == NULL) {
- 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 6a9d5a7c..2106ca21 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 	uint32 leftmost_tw;
- 
- 	tilesize = TIFFTileSize(tif);  
--	bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
-+	bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
- 	if (bufsize == 0) {
--		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
- 		return (0);
- 	}
- 
-@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-         uint16 colorchannels;
- 
- 	stripsize = TIFFStripSize(tif);  
--	bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
-+	bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
- 	if (bufsize == 0) {
--		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
- 		return (0);
- 	}
- 
-diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
-index aa35ea07..46d2dff2 100644
---- a/libtiff/tif_luv.c
-+++ b/libtiff/tif_luv.c
-@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
- 	return (SGILOGDATAFMT_UNKNOWN);
- }
- 
--
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
--        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
--            return 0;
--        return m1 * m2;
-+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
- 
- static int
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index 7438d692..b52a3ee4 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
- 	return guess;
- }
- 
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
--        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
--            return 0;
--        return m1 * m2;
-+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
- 
- static tmsize_t
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index e63810cc..8db39d7a 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -29,9 +29,6 @@
- #include "tiffiop.h"
- #include <stdio.h>
- 
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- int TIFFFillStrip(TIFF* tif, uint32 strip);
- int TIFFFillTile(TIFF* tif, uint32 tile);
- static int TIFFStartStrip(TIFF* tif, uint32 strip);
-@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
- #define THRESHOLD_MULTIPLIER 10
- #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
- 
-+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
-+
- /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
-  * Returns 1 in case of success, 0 otherwise. */
- static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
-@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- 		return ((tmsize_t)(-1));
- 	}
- 	bytecount = td->td_stripbytecount[strip];
--	if ((int64)bytecount <= 0) {
--#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
--		TIFFErrorExt(tif->tif_clientdata, module,
--			     "%I64u: Invalid strip byte count, strip %lu",
--			     (unsigned __int64) bytecount,
--			     (unsigned long) strip);
--#else
--		TIFFErrorExt(tif->tif_clientdata, module,
--			     "%llu: Invalid strip byte count, strip %lu",
--			     (unsigned long long) bytecount,
--			     (unsigned long) strip);
--#endif
--		return ((tmsize_t)(-1));
--	}
--	bytecountm = (tmsize_t)bytecount;
--	if ((uint64)bytecountm!=bytecount) {
--		TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
-+        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
-+	if (bytecountm == 0) {
- 		return ((tmsize_t)(-1));
- 	}
- 	if (size != (tmsize_t)(-1) && size < bytecountm)
-@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- 	{
- 		uint64 bytecount = td->td_stripbytecount[strip];
--		if ((int64)bytecount <= 0) {
-+		if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
- 				"Invalid strip byte count %I64u, strip %lu",
-@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
- 			{
- 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
--				if( (int64)newbytecount >= 0 )
-+				if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- 				{
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 					TIFFWarningExt(tif->tif_clientdata, module,
-@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
- 	bytecount64 = td->td_stripbytecount[tile];
- 	if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
- 		bytecount64 = (uint64)size;
--	bytecountm = (tmsize_t)bytecount64;
--	if ((uint64)bytecountm!=bytecount64)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+	bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
-+        if( bytecountm == 0 ) {
- 		return ((tmsize_t)(-1));
- 	}
- 	return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
-@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- 	{
- 		uint64 bytecount = td->td_stripbytecount[tile];
--		if ((int64)bytecount <= 0) {
-+		if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
- 				"%I64u: Invalid tile byte count, tile %lu",
-@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
- 			{
- 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
--				if( (int64)newbytecount >= 0 )
-+				if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- 				{
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 					TIFFWarningExt(tif->tif_clientdata, module,
-diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
-index 5b76fba5..2366acf0 100644
---- a/libtiff/tif_strip.c
-+++ b/libtiff/tif_strip.c
-@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
- {
- 	static const char module[] = "TIFFVStripSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFVStripSize64(tif,nrows);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+        return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFStripSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFStripSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFScanlineSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFScanlineSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m) {
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFRasterScanlineSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFRasterScanlineSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /* vim: set ts=8 sts=8 sw=8 noet: */
-diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
-index 58fe9354..661cc771 100644
---- a/libtiff/tif_tile.c
-+++ b/libtiff/tif_tile.c
-@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFTileRowSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFTileRowSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
- {
- 	static const char module[] = "TIFFVTileSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFVTileSize64(tif,nrows);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFTileSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFTileSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
-index 186c291f..558484fe 100644
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
- #define	FALSE	0
- #endif
- 
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- typedef struct client_info {
-     struct client_info *next;
-     void *data;
-@@ -258,7 +261,7 @@ struct tiff {
- #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
- #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
- 
--/* Safe multiply which returns zero if there is an integer overflow */
-+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
- #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
- 
- #define TIFFmax(A,B) ((A)>(B)?(A):(B))
-@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
- 
- extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
- extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
-+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
-+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
- extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
- extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
- 
--- 
-2.17.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
deleted file mode 100644
index 04c5410930a..00000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-17546.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-libtiff: fix CVE-2019-17546
-
-Added after 4.0.10 release.
-
-CVE: CVE-2019-17546
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-commit 4bb584a35f87af42d6cf09d15e9ce8909a839145
-Author: Even Rouault <even.rouault@spatialys.com>
-Date:   Thu Aug 15 15:05:28 2019 +0200
-
-    RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index c88b5fa..4da785d 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 	fromskew = (w < imagewidth ? imagewidth - w : 0);
- 	for (row = 0; row < h; row += nrow)
- 	{
-+		uint32 temp;
- 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- 		nrow = (row + rowstoread > h ? h - row : rowstoread);
- 		nrowsub = nrow;
- 		if ((nrowsub%subsamplingver)!=0)
- 			nrowsub+=subsamplingver-nrowsub%subsamplingver;
-+		temp = (row + img->row_offset)%rowsperstrip + nrowsub;
-+		if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+		{
-+			TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
-+			return 0;
-+		}
- 		if (_TIFFReadEncodedStripAndAllocBuffer(tif,
- 		    TIFFComputeStrip(tif,row+img->row_offset, 0),
- 		    (void**)(&buf),
-                     maxstripsize,
--		    ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
-+		    temp * scanline)==(tmsize_t)(-1)
- 		    && (buf == NULL || img->stoponerr))
- 		{
- 			ret = 0;
-@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 	fromskew = (w < imagewidth ? imagewidth - w : 0);
- 	for (row = 0; row < h; row += nrow)
- 	{
-+                uint32 temp;
- 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- 		nrow = (row + rowstoread > h ? h - row : rowstoread);
- 		offset_row = row + img->row_offset;
-+                temp = (row + img->row_offset)%rowsperstrip + nrow;
-+                if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+                {
-+                        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
-+                        return 0;
-+                }
-                 if( buf == NULL )
-                 {
-                     if (_TIFFReadEncodedStripAndAllocBuffer(
-                             tif, TIFFComputeStrip(tif, offset_row, 0),
-                             (void**) &buf, bufsize,
--                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+                            temp * scanline)==(tmsize_t)(-1)
-                         && (buf == NULL || img->stoponerr))
-                     {
-                             ret = 0;
-@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-                     }
-                 }
- 		else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
--		    p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+		    p0, temp * scanline)==(tmsize_t)(-1)
- 		    && img->stoponerr)
- 		{
- 			ret = 0;
-@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 		}
- 		if (colorchannels > 1 
-                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
--                                            p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+                                            p1, temp * scanline) == (tmsize_t)(-1)
- 		    && img->stoponerr)
- 		{
- 			ret = 0;
-@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 		}
- 		if (colorchannels > 1 
-                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
--                                            p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+                                            p2, temp * scanline) == (tmsize_t)(-1)
- 		    && img->stoponerr)
- 		{
- 			ret = 0;
-@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 		if (alpha)
- 		{
- 			if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
--			    pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+			    pa, temp * scanline)==(tmsize_t)(-1)
- 			    && img->stoponerr)
- 			{
- 				ret = 0;
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
deleted file mode 100644
index 6f1fd4d4478..00000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-CVE: CVE-2019-6128
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001
-From: Scott Gayou <github.scott@gmail.com>
-Date: Wed, 23 Jan 2019 15:03:53 -0500
-Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128.
-
-pal2rgb failed to free memory on a few errors. This was reported
-here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
----
- tools/pal2rgb.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index 01d8502ec..9492f1cf1 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -118,12 +118,14 @@ main(int argc, char* argv[])
- 	    shortv != PHOTOMETRIC_PALETTE) {
- 		fprintf(stderr, "%s: Expecting a palette image.\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) {
- 		fprintf(stderr,
- 		    "%s: No colormap (not a valid palette image).\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	bitspersample = 0;
-@@ -131,11 +133,14 @@ main(int argc, char* argv[])
- 	if (bitspersample != 8) {
- 		fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n",
- 		    argv[optind]);
-+		(void) TIFFClose(in);
- 		return (-1);
- 	}
- 	out = TIFFOpen(argv[optind+1], "w");
--	if (out == NULL)
-+	if (out == NULL) {
-+		(void) TIFFClose(in);
- 		return (-2);
-+	}
- 	cpTags(in, out);
- 	TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
- 	TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);
--- 
-2.21.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
deleted file mode 100644
index f244fb2f324..00000000000
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-CVE: CVE-2019-7663
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 10:05:33 +0100
-Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow
-
-fixes bug 2833
----
- tools/tiffcp.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 2f406e2d..f0ee2c02 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	int status = 1;
- 	uint32 imagew = TIFFRasterScanlineSize(in);
- 	uint32 tilew = TIFFTileRowSize(in);
--	int iskew  = imagew - tilew*spp;
-+	int iskew;
- 	tsize_t tilesize = TIFFTileSize(in);
- 	tdata_t tilebuf;
- 	uint8* bufp = (uint8*) buf;
-@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	uint32 row;
- 	uint16 bps = 0, bytes_per_sample;
- 
-+	if (spp > (0x7fffffff / tilew))
-+	{
-+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
-+		return 0;
-+	}
-+	iskew = imagew - tilew*spp;
- 	tilebuf = _TIFFmalloc(tilesize);
- 	if (tilebuf == 0)
- 		return 0;
--- 
-2.20.1
-
-
-From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 21:42:03 +0100
-Subject: [PATCH 2/2] tiffcp.c: use INT_MAX
-
----
- tools/tiffcp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index f0ee2c02..8c81aa4f 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -41,6 +41,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- 
- #include <ctype.h>
- 
-@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	uint32 row;
- 	uint16 bps = 0, bytes_per_sample;
- 
--	if (spp > (0x7fffffff / tilew))
-+	if (spp > (INT_MAX / tilew))
- 	{
- 		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
- 		return 0;
--- 
-2.20.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
similarity index 85%
rename from meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
rename to meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 5c008c53fed..1f92c185131 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -5,13 +5,9 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
 CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
-           file://CVE-2019-6128.patch \
-           file://CVE-2019-7663.patch \
-           file://CVE-2019-14973.patch \
-           file://CVE-2019-17546.patch \
-"
-SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd"
-SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
+          "
+SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
+SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
 
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
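Review bot: In the SRC_URI assignment, dropping the four `file://CVE-…` entries leaves the tarball line ending in a continuation backslash, followed by a line that holds only whitespace and the closing quote. With a single entry left this reads better as one line, `SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"`. The tarball is still fetched over plain http, so the updated `SRC_URI[sha256sum]` is the only integrity control here and should be checked against a value obtained independently of that download. Since this hunk removes the fixes for CVE-2019-6128, CVE-2019-7663, CVE-2019-14973 and CVE-2019-17546, the commit message should state that each is contained in 4.1.0, if it does not already.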
-- 
2.17.1




* [PATCH 05/13] librepo: upgrade 1.10.6 -> 1.11.0
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (2 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 04/13] tiff: update to 4.1.0 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 06/13] btrfs-tools: upgrade 5.3 -> 5.3.1 Alexander Kanavin
                   ` (10 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 .../librepo/{librepo_1.10.6.bb => librepo_1.11.0.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/librepo/{librepo_1.10.6.bb => librepo_1.11.0.bb} (93%)

diff --git a/meta/recipes-devtools/librepo/librepo_1.10.6.bb b/meta/recipes-devtools/librepo/librepo_1.11.0.bb
similarity index 93%
rename from meta/recipes-devtools/librepo/librepo_1.10.6.bb
rename to meta/recipes-devtools/librepo/librepo_1.11.0.bb
index cf4de22c474..30c8a5c55d5 100644
--- a/meta/recipes-devtools/librepo/librepo_1.10.6.bb
+++ b/meta/recipes-devtools/librepo/librepo_1.11.0.bb
@@ -8,7 +8,7 @@ SRC_URI = "git://github.com/rpm-software-management/librepo.git \
            file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \
            "
 
-SRCREV = "2ec349f1c686c1704dc83da6c118035ff57c8dea"
+SRCREV = "497f5eb2293662835bed6bdb0f43521788b2cebe"
 
 S = "${WORKDIR}/git"
 
-- 
2.17.1




* [PATCH 06/13] btrfs-tools: upgrade 5.3 -> 5.3.1
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (3 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 05/13] librepo: upgrade 1.10.6 -> 1.11.0 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 07/13] psmisc: update to 23.3 Alexander Kanavin
                   ` (9 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 .../btrfs-tools/{btrfs-tools_5.3.bb => btrfs-tools_5.3.1.bb}    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/btrfs-tools/{btrfs-tools_5.3.bb => btrfs-tools_5.3.1.bb} (97%)

diff --git a/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.3.bb b/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.3.1.bb
similarity index 97%
rename from meta/recipes-devtools/btrfs-tools/btrfs-tools_5.3.bb
rename to meta/recipes-devtools/btrfs-tools/btrfs-tools_5.3.1.bb
index 12b5c4562dc..a44c0bc87af 100644
--- a/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.3.bb
+++ b/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.3.1.bb
@@ -14,7 +14,7 @@ DEPENDS = "util-linux attr e2fsprogs lzo acl"
 DEPENDS_append_class-target = " udev"
 RDEPENDS_${PN} = "libgcc"
 
-SRCREV = "de7856cee5907938441f765ebab7cc106b7faf70"
+SRCREV = "f82e569b33c3c1cfd4f8f405085ff8d439a0a915"
 SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git \
            file://0001-Add-a-possibility-to-specify-where-python-modules-ar.patch \
            "
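Review bot: The `SRC_URI` context line just below the new SRCREV fetches `git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git` with no `;protocol=https` parameter, so the full SRCREV hash is the only thing tying the build to the intended source. Consider appending `;protocol=https`, as the psmisc recipe in this series does. The commit message has no body, so it would also help to name the upstream tag the new SRCREV corresponds to, letting the hash be checked against 5.3.1.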
-- 
2.17.1




* [PATCH 07/13] psmisc: update to 23.3
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (4 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 06/13] btrfs-tools: upgrade 5.3 -> 5.3.1 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 08/13] libxslt: update to 1.1.34 Alexander Kanavin
                   ` (8 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 ...am-create-src-directory-before-attempting-t.patch | 12 +++++-------
 .../psmisc/{psmisc_23.2.bb => psmisc_23.3.bb}        |  2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)
 rename meta/recipes-extended/psmisc/{psmisc_23.2.bb => psmisc_23.3.bb} (87%)

diff --git a/meta/recipes-extended/psmisc/psmisc/0001-Makefile.am-create-src-directory-before-attempting-t.patch b/meta/recipes-extended/psmisc/psmisc/0001-Makefile.am-create-src-directory-before-attempting-t.patch
index 4d44495fd3f..9451303dd7b 100644
--- a/meta/recipes-extended/psmisc/psmisc/0001-Makefile.am-create-src-directory-before-attempting-t.patch
+++ b/meta/recipes-extended/psmisc/psmisc/0001-Makefile.am-create-src-directory-before-attempting-t.patch
@@ -1,4 +1,4 @@
-From 285877b7761d74736aca2687ed9bef2f78b82c33 Mon Sep 17 00:00:00 2001
+From dac375f640fecd45e6254a8d870ee37ec8f41670 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Thu, 2 Nov 2017 16:21:22 +0200
 Subject: [PATCH] Makefile.am: create src directory before attempting to write
@@ -8,23 +8,21 @@ Otherwise out of tree builds will fail.
 
 Upstream-Status: Pending
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
 ---
  Makefile.am | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile.am b/Makefile.am
-index 9f61ab4..b4ced7f 100644
+index 441ae94..882969d 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -79,7 +79,7 @@ EXTRA_DIST = src/signames.c README.md
+@@ -86,7 +86,7 @@ EXTRA_DIST = src/signames.c README.md misc/git-version-gen
  CLEANFILES = src/signames.h
  
- src/signames.h: src/signames.c Makefile
+ src/signames.h: src/signames.c Makefile src/$(am__dirstamp)
 -		export LC_ALL=C ; \
 +		export LC_ALL=C ; mkdir -p src ; \
  		@CPP@ -dM $< |\
  		tr -s '\t ' ' ' | sort -n -k 3 | sed \
  	's:#define SIG\([A-Z][A-Z]*[0-9]*\) \([0-9][0-9]*\).*$\:{\ \2,"\1" },:p;d' | \
--- 
-2.14.2
-
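Review bot: The refreshed context line `src/signames.h: src/signames.c Makefile src/$(am__dirstamp)` shows that the updated upstream Makefile.am already makes this target depend on the src dirstamp, which may make the carried `mkdir -p src` redundant. Please check whether an out-of-tree build passes without this patch. If it does, drop the patch rather than rebasing it; if not, send it upstream, since the header still says `Upstream-Status: Pending`.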
diff --git a/meta/recipes-extended/psmisc/psmisc_23.2.bb b/meta/recipes-extended/psmisc/psmisc_23.3.bb
similarity index 87%
rename from meta/recipes-extended/psmisc/psmisc_23.2.bb
rename to meta/recipes-extended/psmisc/psmisc_23.3.bb
index 38e0a440587..b3c3c7e5a84 100644
--- a/meta/recipes-extended/psmisc/psmisc_23.2.bb
+++ b/meta/recipes-extended/psmisc/psmisc_23.3.bb
@@ -6,5 +6,5 @@ SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https \
            file://0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch \
 	   file://0001-Makefile.am-create-src-directory-before-attempting-t.patch \
            "
-SRCREV = "44eab9a3a63394eae6b79a7ef0a042f57e0c8a8f"
+SRCREV = "78bde849041e6c914a2a517ebe1255b86dc98772"
 S = "${WORKDIR}/git"
-- 
2.17.1




* [PATCH 08/13] libxslt: update to 1.1.34
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (5 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 07/13] psmisc: update to 23.3 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 09/13] Revert "devtool/standard.py: Not filtering devtool workspace for devtool finish" Alexander Kanavin
                   ` (7 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

Drop backported patches.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 .../0001-Fix-security-framework-bypass.patch  | 124 ------------------
 .../libxslt/files/CVE-2019-13117.patch        |  33 -----
 .../libxslt/files/CVE-2019-13118.patch        |  76 -----------
 .../libxslt/files/CVE-2019-18197.patch        |  33 -----
 .../{libxslt_1.1.33.bb => libxslt_1.1.34.bb}  |  12 +-
 5 files changed, 4 insertions(+), 274 deletions(-)
 delete mode 100644 meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
 delete mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13117.patch
 delete mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13118.patch
 delete mode 100644 meta/recipes-support/libxslt/files/CVE-2019-18197.patch
 rename meta/recipes-support/libxslt/{libxslt_1.1.33.bb => libxslt_1.1.34.bb} (81%)

diff --git a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch b/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
deleted file mode 100644
index 89b647ddbf1..00000000000
--- a/meta/recipes-support/libxslt/files/0001-Fix-security-framework-bypass.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sun, 24 Mar 2019 09:51:39 +0100
-Subject: Fix security framework bypass
-
-xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
-don't check for this condition and allow access. With a specially
-crafted URL, xsltCheckRead could be tricked into returning an error
-because of a supposedly invalid URL that would still be loaded
-succesfully later on.
-
-Fixes #12.
-
-Thanks to Felix Wilhelm for the report.
-
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-Upstream-Status: Backport
-CVE: CVE-2019-11068
----
- libxslt/documents.c | 18 ++++++++++--------
- libxslt/imports.c   |  9 +++++----
- libxslt/transform.c |  9 +++++----
- libxslt/xslt.c      |  9 +++++----
- 4 files changed, 25 insertions(+), 20 deletions(-)
-
-diff --git a/libxslt/documents.c b/libxslt/documents.c
-index 3f3a7312..4aad11bb 100644
---- a/libxslt/documents.c
-+++ b/libxslt/documents.c
-@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
- 	int res;
- 
- 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
--	if (res == 0) {
--	    xsltTransformError(ctxt, NULL, NULL,
--		 "xsltLoadDocument: read rights for %s denied\n",
--			     URI);
-+	if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(ctxt, NULL, NULL,
-+                     "xsltLoadDocument: read rights for %s denied\n",
-+                                 URI);
- 	    return(NULL);
- 	}
-     }
-@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
- 	int res;
- 
- 	res = xsltCheckRead(sec, NULL, URI);
--	if (res == 0) {
--	    xsltTransformError(NULL, NULL, NULL,
--		 "xsltLoadStyleDocument: read rights for %s denied\n",
--			     URI);
-+	if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsltLoadStyleDocument: read rights for %s denied\n",
-+                                 URI);
- 	    return(NULL);
- 	}
-     }
-diff --git a/libxslt/imports.c b/libxslt/imports.c
-index 874870cc..3783b247 100644
---- a/libxslt/imports.c
-+++ b/libxslt/imports.c
-@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
- 	int secres;
- 
- 	secres = xsltCheckRead(sec, NULL, URI);
--	if (secres == 0) {
--	    xsltTransformError(NULL, NULL, NULL,
--		 "xsl:import: read rights for %s denied\n",
--			     URI);
-+	if (secres <= 0) {
-+            if (secres == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsl:import: read rights for %s denied\n",
-+                                 URI);
- 	    goto error;
- 	}
-     }
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 13793914..0636dbd0 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
-      */
-     if (ctxt->sec != NULL) {
- 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
--	if (ret == 0) {
--	    xsltTransformError(ctxt, NULL, inst,
--		 "xsltDocumentElem: write rights for %s denied\n",
--			     filename);
-+	if (ret <= 0) {
-+            if (ret == 0)
-+                xsltTransformError(ctxt, NULL, inst,
-+                     "xsltDocumentElem: write rights for %s denied\n",
-+                                 filename);
- 	    xmlFree(URL);
- 	    xmlFree(filename);
- 	    return;
-diff --git a/libxslt/xslt.c b/libxslt/xslt.c
-index 780a5ad7..a234eb79 100644
---- a/libxslt/xslt.c
-+++ b/libxslt/xslt.c
-@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
- 	int res;
- 
- 	res = xsltCheckRead(sec, NULL, filename);
--	if (res == 0) {
--	    xsltTransformError(NULL, NULL, NULL,
--		 "xsltParseStylesheetFile: read rights for %s denied\n",
--			     filename);
-+	if (res <= 0) {
-+            if (res == 0)
-+                xsltTransformError(NULL, NULL, NULL,
-+                     "xsltParseStylesheetFile: read rights for %s denied\n",
-+                                 filename);
- 	    return(NULL);
- 	}
-     }
--- 
-2.20.1
-
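Review bot: The `CVE: CVE-2019-11068` tag in the header of this removed file is the only place that links `0001-Fix-security-framework-bypass.patch` to a CVE, and the commit message says only "Drop backported patches." Listing the CVE IDs of the removed backports in the commit message, with a statement that 1.1.34 contains the fixes, would keep the removal auditable once these files are gone.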
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
deleted file mode 100644
index ef3f2709f73..00000000000
--- a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 27 Apr 2019 11:19:48 +0200
-Subject: [PATCH] Fix uninitialized read of xsl:number token
-
-Found by OSS-Fuzz.
-
-CVE: CVE-2019-13117
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- libxslt/numbers.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index 89e1f668..75c31eba 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
- 		tokens->tokens[tokens->nTokens].token = val - 1;
- 		ix += len;
- 		val = xmlStringCurrentChar(NULL, format+ix, &len);
--	    }
-+	    } else {
-+                tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
-+                tokens->tokens[tokens->nTokens].width = 1;
-+            }
- 	} else if ( (val == (xmlChar)'A') ||
- 		    (val == (xmlChar)'a') ||
- 		    (val == (xmlChar)'I') ||
--- 
-2.21.0
-
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
deleted file mode 100644
index 595e6c2f336..00000000000
--- a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Jun 2019 13:14:45 +0200
-Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
-
-The character type in xsltFormatNumberConversion was too narrow and
-an invalid character/length combination could be passed to
-xsltNumberFormatDecimal, resulting in an uninitialized read.
-
-Found by OSS-Fuzz.
-
-CVE: CVE-2019-13118
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-
----
- libxslt/numbers.c         | 5 +++--
- tests/docs/bug-222.xml    | 1 +
- tests/general/bug-222.out | 2 ++
- tests/general/bug-222.xsl | 6 ++++++
- 4 files changed, 12 insertions(+), 2 deletions(-)
- create mode 100644 tests/docs/bug-222.xml
- create mode 100644 tests/general/bug-222.out
- create mode 100644 tests/general/bug-222.xsl
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index f1ed8846..20b99d5a 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
-     number = floor((scale * number + 0.5)) / scale;
-     if ((self->grouping != NULL) &&
-         (self->grouping[0] != 0)) {
-+        int gchar;
- 
- 	len = xmlStrlen(self->grouping);
--	pchar = xsltGetUTF8Char(self->grouping, &len);
-+	gchar = xsltGetUTF8Char(self->grouping, &len);
- 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
- 				format_info.integer_digits,
- 				format_info.group,
--				pchar, len);
-+				gchar, len);
-     } else
- 	xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
- 				format_info.integer_digits,
-diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
-new file mode 100644
-index 00000000..69d62f2c
---- /dev/null
-+++ b/tests/docs/bug-222.xml
-@@ -0,0 +1 @@
-+<doc/>
-diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
-new file mode 100644
-index 00000000..e3139698
---- /dev/null
-+++ b/tests/general/bug-222.out
-@@ -0,0 +1,2 @@
-+<?xml version="1.0"?>
-+1⠢0
-diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
-new file mode 100644
-index 00000000..e32dc473
---- /dev/null
-+++ b/tests/general/bug-222.xsl
-@@ -0,0 +1,6 @@
-+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-+  <xsl:decimal-format name="f" grouping-separator="⠢"/>
-+  <xsl:template match="/">
-+    <xsl:value-of select="format-number(10,'#⠢0','f')"/>
-+  </xsl:template>
-+</xsl:stylesheet>
--- 
-2.21.0
-
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch b/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
deleted file mode 100644
index 5f2b620396f..00000000000
--- a/meta/recipes-support/libxslt/files/CVE-2019-18197.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-libxslt: fix CVE-2019-18197
-
-Added after 1.1.33 release.
-
-CVE: CVE-2019-18197
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt.git]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-commit 2232473733b7313d67de8836ea3b29eec6e8e285
-Author: Nick Wellnhofer <wellnhofer@aevum.de>
-Date:   Sat Aug 17 16:51:53 2019 +0200
-
-    Fix dangling pointer in xsltCopyText
-    
-    xsltCopyText didn't reset ctxt->lasttext in some cases which could
-    lead to various memory errors in relation with CDATA sections in input
-    documents.
-    
-    Found by OSS-Fuzz.
-
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 95ebd07..d7ab0b6 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
- 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
- 		return NULL;
- 	}
-+
-+	ctxt->lasttext = NULL;
-     } else {
-         /*
- 	 * normal processing. keep counters to extend the text node
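Review bot: The Upstream-Status line of this deleted backport names only the repository (https://gitlab.gnome.org/GNOME/libxslt.git), not a commit, which makes it the hardest of the dropped CVE patches to trace. The header does identify the fix as commit 2232473733b7313d67de8836ea3b29eec6e8e285 ("Fix dangling pointer in xsltCopyText") and says it was added after the 1.1.33 release. Please confirm that commit is in the 1.1.34 tarball and name it in the commit message, so the `ctxt->lasttext = NULL;` reset is known to be present after the upgrade.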
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.33.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
similarity index 81%
rename from meta/recipes-support/libxslt/libxslt_1.1.33.bb
rename to meta/recipes-support/libxslt/libxslt_1.1.34.bb
index 9f268e7bb03..ad37b5a44a0 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.33.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -9,14 +9,10 @@ SECTION = "libs"
 DEPENDS = "libxml2"
 
 SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
-           file://0001-Fix-security-framework-bypass.patch \
-           file://CVE-2019-13117.patch \
-           file://CVE-2019-13118.patch \
-           file://CVE-2019-18197.patch \
-"
-
-SRC_URI[md5sum] = "b3bd254a03e46d58f8ad1e4559cd2c2f"
-SRC_URI[sha256sum] = "8e36605144409df979cab43d835002f63988f3dc94d5d3537c12796db90e38c8"
+          "
+
+SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
+SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
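Review bot: With the four local patches gone from SRC_URI, nothing in the recipe records that CVE-2019-13117, CVE-2019-13118, CVE-2019-18197 and the security framework bypass are fixed. The commit message should list them as included in 1.1.34. Two smaller points in the same hunk: the tarball is still fetched over plain http:// from xmlsoft.org, so the new sha256sum is the only integrity check on the download and should be taken from a trusted copy of the release. SRC_URI is also now a single entry, so the trailing backslash and the closing quote on its own line can be folded into one line.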
-- 
2.17.1




* [PATCH 09/13] Revert "devtool/standard.py: Not filtering devtool workspace for devtool finish"
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (6 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 08/13] libxslt: update to 1.1.34 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 10/13] mpg123: upgrade 1.25.12 -> 1.25.13 Alexander Kanavin
                   ` (6 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

This reverts commit 41d225f4a37d02e9f79bdbfb79caac8cd3d291ce.

Unfortunately this change broke 'devtool upgrade' functionality,
causing 'devtool finish' to write out an upgraded recipe that no
longer includes the original upstream source in SRC_URI.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 scripts/lib/devtool/standard.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index 8d9c1a30225..1c0cd8ab51b 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -2021,7 +2021,7 @@ def finish(args, config, basepath, workspace):
     remove_work=args.remove_work
     tinfoil = setup_tinfoil(basepath=basepath, tracking=True)
     try:
-        rd = parse_recipe(config, tinfoil, args.recipename, True, False)
+        rd = parse_recipe(config, tinfoil, args.recipename, True)
         if not rd:
             return 1
 
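Review bot: Dropping the fifth argument (`False`) from the parse_recipe() call in finish() gives no hint of what that argument controlled, and the problem that commit 41d225f4a37d02e9f79bdbfb79caac8cd3d291ce set out to fix returns with the revert. Please say in the commit message whether that original problem is tracked anywhere. Consider also a test that runs 'devtool upgrade' followed by 'devtool finish' and checks that the written recipe still has the upstream source in SRC_URI, so a second attempt at the fix cannot silently break it again.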
-- 
2.17.1




* [PATCH 10/13] mpg123: upgrade 1.25.12 -> 1.25.13
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (7 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 09/13] Revert "devtool/standard.py: Not filtering devtool workspace for devtool finish" Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:07 ` [PATCH 11/13] vala: upgrade 0.46.3 -> 0.46.4 Alexander Kanavin
                   ` (5 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

---
 .../mpg123/{mpg123_1.25.12.bb => mpg123_1.25.13.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-multimedia/mpg123/{mpg123_1.25.12.bb => mpg123_1.25.13.bb} (94%)

diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.25.12.bb b/meta/recipes-multimedia/mpg123/mpg123_1.25.13.bb
similarity index 94%
rename from meta/recipes-multimedia/mpg123/mpg123_1.25.12.bb
rename to meta/recipes-multimedia/mpg123/mpg123_1.25.13.bb
index a18b2f44174..125574fcfc9 100644
--- a/meta/recipes-multimedia/mpg123/mpg123_1.25.12.bb
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.25.13.bb
@@ -11,8 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1e86753638d3cf2512528b99079bc4f3"
 
 SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2 \
            file://sdl2.patch"
-SRC_URI[md5sum] = "ddb38254966eb38c77f220d456a1839d"
-SRC_URI[sha256sum] = "1ffec7c9683dfb86ea9040d6a53d6ea819ecdda215df347f79def08f1fe731d1"
+SRC_URI[md5sum] = "294a6c30546504ec3d0deac2b2ea22be"
+SRC_URI[sha256sum] = "90306848359c793fd43b9906e52201df18775742dc3c81c06ab67a806509890a"
 
 inherit autotools pkgconfig
 
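Review bot: The two checksum lines are the whole change, yet the patch carries no description and no Signed-off-by (patchtest reports the latter for 10/13 in this thread). Add the sign-off and a line saying what 1.25.13 brings, in particular whether it contains security fixes, and where the new sha256sum was verified. The md5sum alone should not be relied on for that.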
-- 
2.17.1




* [PATCH 11/13] vala: upgrade 0.46.3 -> 0.46.4
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (8 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 10/13] mpg123: upgrade 1.25.12 -> 1.25.13 Alexander Kanavin
@ 2019-11-18 13:07 ` Alexander Kanavin
  2019-11-18 13:08 ` [PATCH 12/13] systat: upstream version check is working again Alexander Kanavin
                   ` (4 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:07 UTC (permalink / raw)
  To: openembedded-core

---
 meta/recipes-devtools/vala/{vala_0.46.3.bb => vala_0.46.4.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/vala/{vala_0.46.3.bb => vala_0.46.4.bb} (57%)

diff --git a/meta/recipes-devtools/vala/vala_0.46.3.bb b/meta/recipes-devtools/vala/vala_0.46.4.bb
similarity index 57%
rename from meta/recipes-devtools/vala/vala_0.46.3.bb
rename to meta/recipes-devtools/vala/vala_0.46.4.bb
index eda5738c066..c4cd6dd4109 100644
--- a/meta/recipes-devtools/vala/vala_0.46.3.bb
+++ b/meta/recipes-devtools/vala/vala_0.46.4.bb
@@ -4,5 +4,5 @@ SRC_URI += "file://0001-git-version-gen-don-t-append-dirty-if-we-re-not-in-g.pat
            file://0001-vapigen.m4-use-PKG_CONFIG_SYSROOT_DIR.patch \
            "
 
-SRC_URI[md5sum] = "809ddac69b039ef509b61993c848613f"
-SRC_URI[sha256sum] = "e29c2b1f108dc22c91bb501975a77c938aef079ca7875e1fbf41191e22cc57e3"
+SRC_URI[md5sum] = "b79bbaf8929ec8ed35911b3571f5a248"
+SRC_URI[sha256sum] = "4bb9b60fc0230b0db2c8a0e2a80ec29f1c10b43dc78355abba78adedbc2e03a1"
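Review bot: The replaced md5sum and sha256sum lines arrive with an empty message body: no description and no Signed-off-by precede the `---` line, the same gap patchtest reports for 10/13, although its report in this thread does not list 11/13. Please add the sign-off and a short note on what changed between 0.46.3 and 0.46.4, so the checksum change can be tied to a known upstream release.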
-- 
2.17.1




* [PATCH 12/13] systat: upstream version check is working again
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (9 preceding siblings ...)
  2019-11-18 13:07 ` [PATCH 11/13] vala: upgrade 0.46.3 -> 0.46.4 Alexander Kanavin
@ 2019-11-18 13:08 ` Alexander Kanavin
  2019-11-18 13:47   ` Peter Kjellerstedt
  2019-11-18 13:08 ` [PATCH 13/13] man-pages: correct the SRC_URI Alexander Kanavin
                   ` (3 subsequent siblings)
  14 siblings, 1 reply; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:08 UTC (permalink / raw)
  To: openembedded-core

As upstream has released a new stable version,
the exception is no longer needed.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 meta/recipes-extended/sysstat/sysstat.inc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/recipes-extended/sysstat/sysstat.inc b/meta/recipes-extended/sysstat/sysstat.inc
index 62de36b44bf..77cc6f2cf2a 100644
--- a/meta/recipes-extended/sysstat/sysstat.inc
+++ b/meta/recipes-extended/sysstat/sysstat.inc
@@ -10,7 +10,6 @@ SRC_URI = "http://pagesperso-orange.fr/sebastien.godard/${BP}.tar.xz \
           "
 
 UPSTREAM_CHECK_URI = "http://sebastien.godard.pagesperso-orange.fr/download.html"
-UPSTREAM_VERSION_UNKNOWN = "1"
 
 DEPENDS += "base-passwd"
 
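Review bot: Removing UPSTREAM_VERSION_UNKNOWN makes the version check depend entirely on UPSTREAM_CHECK_URI, which in the context line above is a plain http:// page. That page sits on a different host form (sebastien.godard.pagesperso-orange.fr) than the one SRC_URI fetches from (pagesperso-orange.fr/sebastien.godard). Please state in the commit message which version the check now reports, so the claim that it works again can be reproduced.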
-- 
2.17.1




* [PATCH 13/13] man-pages: correct the SRC_URI
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (10 preceding siblings ...)
  2019-11-18 13:08 ` [PATCH 12/13] systat: upstream version check is working again Alexander Kanavin
@ 2019-11-18 13:08 ` Alexander Kanavin
  2019-11-18 13:31 ` ✗ patchtest: failure for "python: update to 2.7.17..." and 12 more Patchwork
                   ` (2 subsequent siblings)
  14 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 13:08 UTC (permalink / raw)
  To: openembedded-core

The homepage: https://www.kernel.org/doc/man-pages/download.html
specifies that the latest tarballs are published one level up
from where we currently take them.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 meta/recipes-extended/man-pages/man-pages_5.01.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/man-pages/man-pages_5.01.bb b/meta/recipes-extended/man-pages/man-pages_5.01.bb
index 28525f4ba7e..ea1249e4396 100644
--- a/meta/recipes-extended/man-pages/man-pages_5.01.bb
+++ b/meta/recipes-extended/man-pages/man-pages_5.01.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://www.kernel.org/pub/linux/docs/man-pages"
 LICENSE = "GPLv2+"
 
 LIC_FILES_CHKSUM = "file://README;md5=794f701617cc03fe50c53257660d8ec4"
-SRC_URI = "${KERNELORG_MIRROR}/linux/docs/${BPN}/Archive/${BP}.tar.gz"
+SRC_URI = "${KERNELORG_MIRROR}/linux/docs/${BPN}/${BP}.tar.gz"
 
 SRC_URI[md5sum] = "38abead776a506109e128ab96bcbbe58"
 SRC_URI[sha256sum] = "070bef794c6826b3fb3965d1a2efdb46c25cb37c06c715987f88a50906cd5b6f"
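Review bot: Only the directory in SRC_URI changes while both checksum lines stay untouched, which is correct only if the tarball one level up is byte-identical to the one under Archive/. Please confirm that a clean fetch from the new path passes the existing sha256sum. It is also worth checking whether 5.01 stays at the top level once a newer release appears, otherwise this URL breaks again at the next upstream release. HOMEPAGE in the hunk header still points at http://www.kernel.org/pub/linux/docs/man-pages rather than the page the commit message cites.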
-- 
2.17.1




* ✗ patchtest: failure for "python: update to 2.7.17..." and 12 more
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (11 preceding siblings ...)
  2019-11-18 13:08 ` [PATCH 13/13] man-pages: correct the SRC_URI Alexander Kanavin
@ 2019-11-18 13:31 ` Patchwork
  2019-11-18 18:13 ` [PATCH 01/13] python: update to 2.7.17 Khem Raj
  2019-11-20 12:56 ` Tom Rini
  14 siblings, 0 replies; 39+ messages in thread
From: Patchwork @ 2019-11-18 13:31 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: openembedded-core

== Series Details ==

Series: "python: update to 2.7.17..." and 12 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/21193/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [10/13] mpg123: upgrade 1.25.12 -> 1.25.13
 Issue             Patch is missing Signed-off-by [test_signed_off_by_presence] 
  Suggested fix    Sign off the patch (either manually or with "git commit --amend -s")



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [PATCH 12/13] systat: upstream version check is working again
  2019-11-18 13:08 ` [PATCH 12/13] systat: upstream version check is working again Alexander Kanavin
@ 2019-11-18 13:47   ` Peter Kjellerstedt
  0 siblings, 0 replies; 39+ messages in thread
From: Peter Kjellerstedt @ 2019-11-18 13:47 UTC (permalink / raw)
  To: Alexander Kanavin, openembedded-core

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org <openembedded-core-
> bounces@lists.openembedded.org> On Behalf Of Alexander Kanavin
> Sent: 18 November 2019 14:08
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH 12/13] systat: upstream version check is working again

systat -> sysstat

//Peter

> 
> As upstream has released a new stable version,
> the exception is no longer needed.
> 
> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> ---
>  meta/recipes-extended/sysstat/sysstat.inc | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/meta/recipes-extended/sysstat/sysstat.inc b/meta/recipes-
> extended/sysstat/sysstat.inc
> index 62de36b44bf..77cc6f2cf2a 100644
> --- a/meta/recipes-extended/sysstat/sysstat.inc
> +++ b/meta/recipes-extended/sysstat/sysstat.inc
> @@ -10,7 +10,6 @@ SRC_URI = "http://pagesperso-
> orange.fr/sebastien.godard/${BP}.tar.xz \
>            "
> 
>  UPSTREAM_CHECK_URI = "http://sebastien.godard.pagesperso-
> orange.fr/download.html"
> -UPSTREAM_VERSION_UNKNOWN = "1"
> 
>  DEPENDS += "base-passwd"
> 
> --
> 2.17.1
> 



* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (12 preceding siblings ...)
  2019-11-18 13:31 ` ✗ patchtest: failure for "python: update to 2.7.17..." and 12 more Patchwork
@ 2019-11-18 18:13 ` Khem Raj
  2019-11-18 21:05   ` Adrian Bunk
  2019-11-20 12:56 ` Tom Rini
  14 siblings, 1 reply; 39+ messages in thread
From: Khem Raj @ 2019-11-18 18:13 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> Drop backports, rebase a couple of patches.
>
> This is the second last release of py 2.x; upstream support ends on
> 1 January 2020, there will be one final 2.x afterwards.
>
> Note that the only thing that still needs python 2.x in oe-core is
> u-boot; when the next u-boot update arrives, we should find out
> where the py3 migration is for that component before merging the
> update.
>

I guess u-boot needs it during the build; in that case, deferring it to the user to
have python2 on the build host could be possible.

> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
> ---
>  ...-fix-one-do_populate_sysroot-warning.patch |  25 +-
>  ...tive_2.7.16.bb => python-native_2.7.17.bb} |   2 +-
>  meta/recipes-devtools/python/python.inc       |  10 +-
>  ...nt-parse-domains-containing-GH-13079.patch |  90 --------
>  ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 --------
>  ...Resolve-intermediate-staging-issues.patch} |  53 +++--
>  .../python/python/CVE-2018-20852.patch        | 123 ----------
>  .../python/python/CVE-2019-9740.patch         | 216 ------------------
>  .../python/bpo-35907-cve-2019-9948-fix.patch  |  55 -----
>  .../python/bpo-35907-cve-2019-9948.patch      |  55 -----
>  .../python/bpo-36216-cve-2019-9636-fix.patch  |  28 ---
>  .../python/bpo-36216-cve-2019-9636.patch      | 111 ---------
>  .../python/bpo-36742-cve-2019-10160.patch     |  81 -------
>  .../{python_2.7.16.bb => python_2.7.17.bb}    |   3 -
>  14 files changed, 49 insertions(+), 904 deletions(-)
>  rename meta/recipes-devtools/python/{python-native_2.7.16.bb => python-native_2.7.17.bb} (97%)
>  delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
>  delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
>  rename meta/recipes-devtools/python/python/{builddir.patch => 0001-python-Resolve-intermediate-staging-issues.patch} (58%)
>  delete mode 100644 meta/recipes-devtools/python/python/CVE-2018-20852.patch
>  delete mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch
>  delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
>  delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
>  delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
>  delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
>  delete mode 100644 meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
>  rename meta/recipes-devtools/python/{python_2.7.16.bb => python_2.7.17.bb} (97%)
>
> diff --git a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
> index 989818927d4..707ee596fa4 100644
> --- a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
> +++ b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
> @@ -1,4 +1,4 @@
> -From 12292444e1b3662b994bc223d92b8338fb0895ff Mon Sep 17 00:00:00 2001
> +From 6cbb7529cf7ff0da3ca649fb3486facd9620d625 Mon Sep 17 00:00:00 2001
>  From: Changqing Li <changqing.li@windriver.com>
>  Date: Thu, 25 Oct 2018 07:32:14 +0000
>  Subject: [PATCH] python-native: fix one do_populate_sysroot warning
> @@ -17,23 +17,24 @@ when do_populate_sysroot. use append to fix it.
>  Upstream-Status: Inappropriate [oe-specific]
>
>  Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +
>  ---
>   setup.py | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
>  diff --git a/setup.py b/setup.py
> -index 7bf13ed..6c0f29b 100644
> +index a2c8127..22f9e23 100644
>  --- a/setup.py
>  +++ b/setup.py
> -@@ -40,7 +40,7 @@ def add_dir_to_list(dirlist, dir):
> -     1) 'dir' is not already in 'dirlist'
> -     2) 'dir' actually exists, and is a directory."""
> -     if dir is not None and os.path.isdir(dir) and dir not in dirlist:
> --        dirlist.insert(0, dir)
> -+        dirlist.append(dir)
> -
> - def macosx_sdk_root():
> -     """
> +@@ -47,7 +47,7 @@ def add_dir_to_list(dirlist, dir):
> +         else:
> +             dir_exists = os.path.isdir(dir)
> +         if dir_exists:
> +-            dirlist.insert(0, dir)
> ++            dirlist.append(dir)
> +
> + MACOS_SDK_ROOT = None
> +
>  --
> -2.18.0
> +2.17.1
>
> diff --git a/meta/recipes-devtools/python/python-native_2.7.16.bb b/meta/recipes-devtools/python/python-native_2.7.17.bb
> similarity index 97%
> rename from meta/recipes-devtools/python/python-native_2.7.16.bb
> rename to meta/recipes-devtools/python/python-native_2.7.17.bb
> index 90103af8be5..936810d9806 100644
> --- a/meta/recipes-devtools/python/python-native_2.7.16.bb
> +++ b/meta/recipes-devtools/python/python-native_2.7.17.bb
> @@ -11,7 +11,7 @@ SRC_URI += "\
>              file://nohostlibs.patch \
>              file://multilib.patch \
>              file://add-md5module-support.patch \
> -            file://builddir.patch \
> +            file://0001-python-Resolve-intermediate-staging-issues.patch \
>              file://parallel-makeinst-create-bindir.patch \
>              file://revert_use_of_sysconfigdata.patch \
>              file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \
> diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
> index 1462b779e93..a630c26e898 100644
> --- a/meta/recipes-devtools/python/python.inc
> +++ b/meta/recipes-devtools/python/python.inc
> @@ -8,16 +8,10 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> -           file://bpo-35907-cve-2019-9948.patch \
> -           file://bpo-35907-cve-2019-9948-fix.patch \
> -           file://bpo-36216-cve-2019-9636.patch \
> -           file://bpo-36216-cve-2019-9636-fix.patch \
> -           file://CVE-2019-9740.patch \
> -           file://CVE-2018-20852.patch \
>             "
>
> -SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
> -SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7"
> +SRC_URI[md5sum] = "b3b6d2c92f42a60667814358ab9f0cfd"
> +SRC_URI[sha256sum] = "4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41"
>
>  # python recipe is actually python 2.x
>  # also, exclude pre-releases for both python 2.x and 3.x
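Review bot: Six backport entries leave SRC_URI in this hunk, covering four CVE identifiers in their file names (CVE-2019-9948, CVE-2019-9636, CVE-2019-9740, CVE-2018-20852), but the commit message only says "Drop backports". Listing the CVEs that 2.7.17 now covers would let someone reading the history confirm that no fix was lost in the upgrade. The tarball is still fetched over http://www.python.org, so the updated sha256sum is what protects the download.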
> diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
> deleted file mode 100644
> index 5415472a358..00000000000
> --- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
> +++ /dev/null
> @@ -1,90 +0,0 @@
> -From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
> -Date: Sat, 14 Sep 2019 13:26:38 -0400
> -Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
> - (GH-16006)
> -
> -This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
> -
> -(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
> -
> -Excludes changes to Lib/email/_header_value_parser.py, which did not
> -exist in 2.7.
> -
> -Co-authored-by: jpic <jpic@users.noreply.github.com>
> -
> -https://bugs.python.org/issue34155
> -
> -Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
> -
> -CVE: CVE-2019-16056
> -
> -Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ----
> - Lib/email/_parseaddr.py                            | 11 ++++++++++-
> - Lib/email/test/test_email.py                       | 14 ++++++++++++++
> - .../2019-05-04-13-33-37.bpo-34155.MJll68.rst       |  1 +
> - 3 files changed, 25 insertions(+), 1 deletion(-)
> - create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
> -
> -diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
> -index 690db2c22d..dc49d2e45a 100644
> ---- a/Lib/email/_parseaddr.py
> -+++ b/Lib/email/_parseaddr.py
> -@@ -336,7 +336,12 @@ class AddrlistClass:
> -         aslist.append('@')
> -         self.pos += 1
> -         self.gotonext()
> --        return EMPTYSTRING.join(aslist) + self.getdomain()
> -+        domain = self.getdomain()
> -+        if not domain:
> -+            # Invalid domain, return an empty address instead of returning a
> -+            # local part to denote failed parsing.
> -+            return EMPTYSTRING
> -+        return EMPTYSTRING.join(aslist) + domain
> -
> -     def getdomain(self):
> -         """Get the complete domain name from an address."""
> -@@ -351,6 +356,10 @@ class AddrlistClass:
> -             elif self.field[self.pos] == '.':
> -                 self.pos += 1
> -                 sdlist.append('.')
> -+            elif self.field[self.pos] == '@':
> -+                # bpo-34155: Don't parse domains with two `@` like
> -+                # `a@malicious.org@important.com`.
> -+                return EMPTYSTRING
> -             elif self.field[self.pos] in self.atomends:
> -                 break
> -             else:
> -diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
> -index 4b4dee3d34..2efe44ac5a 100644
> ---- a/Lib/email/test/test_email.py
> -+++ b/Lib/email/test/test_email.py
> -@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
> -         self.assertEqual(Utils.parseaddr('<>'), ('', ''))
> -         self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
> -
> -+    def test_parseaddr_multiple_domains(self):
> -+        self.assertEqual(
> -+            Utils.parseaddr('a@b@c'),
> -+            ('', '')
> -+        )
> -+        self.assertEqual(
> -+            Utils.parseaddr('a@b.c@c'),
> -+            ('', '')
> -+        )
> -+        self.assertEqual(
> -+            Utils.parseaddr('a@172.17.0.1@c'),
> -+            ('', '')
> -+        )
> -+
> -     def test_noquote_dump(self):
> -         self.assertEqual(
> -             Utils.formataddr(('A Silly Person', 'person@dom.ain')),
> -diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
> -new file mode 100644
> -index 0000000000..50292e29ed
> ---- /dev/null
> -+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
> -@@ -0,0 +1 @@
> -+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
> diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
> deleted file mode 100644
> index 3025cf7bc8f..00000000000
> --- a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
> +++ /dev/null
> @@ -1,101 +0,0 @@
> -From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
> -From: Dong-hee Na <donghee.na92@gmail.com>
> -Date: Tue, 1 Oct 2019 19:58:01 +0900
> -Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
> - (GH-16447)
> -
> -Escape the server title of DocXMLRPCServer.DocXMLRPCServer
> -when rendering the document page as HTML.
> -
> -CVE: CVE-2019-16935
> -
> -Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]
> -
> -Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ----
> - Lib/DocXMLRPCServer.py                        | 13 +++++++++++-
> - Lib/test/test_docxmlrpc.py                    | 20 +++++++++++++++++++
> - .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst  |  3 +++
> - 3 files changed, 35 insertions(+), 1 deletion(-)
> - create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
> -
> -diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
> -index 4064ec2e48..90b037dd35 100644
> ---- a/Lib/DocXMLRPCServer.py
> -+++ b/Lib/DocXMLRPCServer.py
> -@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
> -             CGIXMLRPCRequestHandler,
> -             resolve_dotted_attribute)
> -
> -+
> -+def _html_escape_quote(s):
> -+    s = s.replace("&", "&amp;") # Must be done first!
> -+    s = s.replace("<", "&lt;")
> -+    s = s.replace(">", "&gt;")
> -+    s = s.replace('"', "&quot;")
> -+    s = s.replace('\'', "&#x27;")
> -+    return s
> -+
> -+
> - class ServerHTMLDoc(pydoc.HTMLDoc):
> -     """Class used to generate pydoc HTML document for a server"""
> -
> -@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
> -                                 methods
> -                             )
> -
> --        return documenter.page(self.server_title, documentation)
> -+        title = _html_escape_quote(self.server_title)
> -+        return documenter.page(title, documentation)
> -
> - class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
> -     """XML-RPC and documentation request handler class.
> -diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
> -index 4dff4159e2..c45b892b8b 100644
> ---- a/Lib/test/test_docxmlrpc.py
> -+++ b/Lib/test/test_docxmlrpc.py
> -@@ -1,5 +1,6 @@
> - from DocXMLRPCServer import DocXMLRPCServer
> - import httplib
> -+import re
> - import sys
> - from test import test_support
> - threading = test_support.import_module('threading')
> -@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
> -         self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
> -                       response.read())
> -
> -+    def test_server_title_escape(self):
> -+        """Test that the server title and documentation
> -+        are escaped for HTML.
> -+        """
> -+        self.serv.set_server_title('test_title<script>')
> -+        self.serv.set_server_documentation('test_documentation<script>')
> -+        self.assertEqual('test_title<script>', self.serv.server_title)
> -+        self.assertEqual('test_documentation<script>',
> -+                self.serv.server_documentation)
> -+
> -+        generated = self.serv.generate_html_documentation()
> -+        title = re.search(r'<title>(.+?)</title>', generated).group()
> -+        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
> -+        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
> -+                title)
> -+        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
> -+                documentation)
> -+
> -+
> - def test_main():
> -     test_support.run_unittest(DocXMLRPCHTTPGETServer)
> -
> -diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
> -new file mode 100644
> -index 0000000000..8f02baed9e
> ---- /dev/null
> -+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
> -@@ -0,0 +1,3 @@
> -+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
> -+when rendering the document page as HTML.
> -+(Contributed by Dong-hee Na in :issue:`38243`.)
> ---
> -2.17.1
> -
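Review bot: The backport removed here is tagged `CVE: CVE-2019-16935` in its header, but the commit message for this update says only "Drop backports". Please list the CVE IDs whose patches are dropped (here CVE-2019-16935, the `_html_escape_quote(self.server_title)` change in `Lib/DocXMLRPCServer.py`) and state that 2.7.17 carries each fix, so the removal can be audited from the log without diffing the release tarball.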
> diff --git a/meta/recipes-devtools/python/python/builddir.patch b/meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
> similarity index 58%
> rename from meta/recipes-devtools/python/python/builddir.patch
> rename to meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
> index ad629a022e9..2ff2ccc43dc 100644
> --- a/meta/recipes-devtools/python/python/builddir.patch
> +++ b/meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
> @@ -1,5 +1,10 @@
> -When cross compiling python, we used to need to install the Makefile, pyconfig.h
> -and the python library to their final location before being able to compile the
> +From 77bcb3238b2853d511714544e0f84a37be6c79bf Mon Sep 17 00:00:00 2001
> +From: Richard Purdie <richard.purdie@linuxfoundation.org>
> +Date: Wed, 14 Nov 2012 14:31:24 +0000
> +Subject: [PATCH] python: Resolve intermediate staging issues
> +
> +When cross compiling python, we used to need to install the Makefile, pyconfig.h
> +and the python library to their final location before being able to compile the
>  rest of python. This change allows us to point python at its own source when
>  building, avoiding a variety of sysroot staging issues and simplifying the main
>  python recipe.
> @@ -7,10 +12,29 @@ python recipe.
>  Upstream-Status: Inappropriate
>  RP 2012/11/13
>
> -Index: Python-2.7.9/Lib/sysconfig.py
> -===================================================================
> ---- Python-2.7.9.orig/Lib/sysconfig.py
> -+++ Python-2.7.9/Lib/sysconfig.py
> +---
> + Lib/distutils/sysconfig.py | 3 +++
> + Lib/sysconfig.py           | 5 ++++-
> + 2 files changed, 7 insertions(+), 1 deletion(-)
> +
> +diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py
> +index 2f4b8ca..15bceb5 100644
> +--- a/Lib/distutils/sysconfig.py
> ++++ b/Lib/distutils/sysconfig.py
> +@@ -31,6 +31,9 @@ else:
> +     # sys.executable can be empty if argv[0] has been changed and Python is
> +     # unable to retrieve the real program name
> +     project_base = os.getcwd()
> ++_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)
> ++if _PYTHONBUILDDIR:
> ++    project_base = _PYTHONBUILDDIR
> + if os.name == "nt" and "pcbuild" in project_base[-8:].lower():
> +     project_base = os.path.abspath(os.path.join(project_base, os.path.pardir))
> + # PC/VS7.1
> +diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
> +index 9c8350d..bddbe2e 100644
> +--- a/Lib/sysconfig.py
> ++++ b/Lib/sysconfig.py
>  @@ -93,6 +93,7 @@ _PREFIX = os.path.normpath(sys.prefix)
>   _EXEC_PREFIX = os.path.normpath(sys.exec_prefix)
>   _CONFIG_VARS = None
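Review bot: Now that this patch is converted to `git format-patch` form, the trailer kept as context at the top of this hunk still reads `Upstream-Status: Inappropriate` with no bracketed reason, followed by `RP 2012/11/13` instead of a `Signed-off-by:` line. Suggest adding a reason, for example `Upstream-Status: Inappropriate [OE-specific]` or whatever the real one is, and a proper sign-off for the author named in the new `From:` header. The description could also say that the re-added `Lib/distutils/sysconfig.py` lines read `PYTHONBUILDDIR` from the environment at module level, after the if/else, so the variable overrides `project_base` unconditionally wherever the patched `Lib/` is installed and not only during the build.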
> @@ -30,17 +54,6 @@ Index: Python-2.7.9/Lib/sysconfig.py
>       _PROJECT_BASE = os.path.dirname(_safe_realpath(sys.executable))
>   else:
>       # sys.executable can be empty if argv[0] has been changed and Python is
> -Index: Python-2.7.9/Lib/distutils/sysconfig.py
> -===================================================================
> ---- Python-2.7.9.orig/Lib/distutils/sysconfig.py
> -+++ Python-2.7.9/Lib/distutils/sysconfig.py
> -@@ -26,6 +26,9 @@ EXEC_PREFIX = os.path.normpath(sys.exec_
> - # live in project/PCBuild9.  If we're dealing with an x64 Windows build,
> - # it'll live in project/PCbuild/amd64.
> - project_base = os.path.dirname(os.path.abspath(sys.executable))
> -+_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)
> -+if _PYTHONBUILDDIR:
> -+    project_base = _PYTHONBUILDDIR
> - if os.name == "nt" and "pcbuild" in project_base[-8:].lower():
> -     project_base = os.path.abspath(os.path.join(project_base, os.path.pardir))
> - # PC/VS7.1
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-devtools/python/python/CVE-2018-20852.patch b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
> deleted file mode 100644
> index 23c784a2105..00000000000
> --- a/meta/recipes-devtools/python/python/CVE-2018-20852.patch
> +++ /dev/null
> @@ -1,123 +0,0 @@
> -From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001
> -From: Xtreak <tir.karthi@gmail.com>
> -Date: Sat, 15 Jun 2019 20:59:43 +0530
> -Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
> - validation (GH-10258) (GH-13426)
> -
> -This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
> -
> -
> -https://bugs.python.org/issue35121
> -CVE: CVE-2018-20852
> -Upstream-Status: Backport [https://github.com/python/cpython/pull/13426]
> -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
> ----
> - Lib/cookielib.py                              | 13 ++++++--
> - Lib/test/test_cookielib.py                    | 30 +++++++++++++++++++
> - .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst  |  4 +++
> - 3 files changed, 45 insertions(+), 2 deletions(-)
> - create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
> -
> -diff --git a/Lib/cookielib.py b/Lib/cookielib.py
> -index 2dd7c48728e0..0b471a42f296 100644
> ---- a/Lib/cookielib.py
> -+++ b/Lib/cookielib.py
> -@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request):
> -         req_host, erhn = eff_request_host(request)
> -         domain = cookie.domain
> -
> -+        if domain and not domain.startswith("."):
> -+            dotdomain = "." + domain
> -+        else:
> -+            dotdomain = domain
> -+
> -         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
> -         if (cookie.version == 0 and
> -             (self.strict_ns_domain & self.DomainStrictNonDomain) and
> -@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request):
> -             _debug("   effective request-host name %s does not domain-match "
> -                    "RFC 2965 cookie domain %s", erhn, domain)
> -             return False
> --        if cookie.version == 0 and not ("."+erhn).endswith(domain):
> -+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
> -             _debug("   request-host %s does not match Netscape cookie domain "
> -                    "%s", req_host, domain)
> -             return False
> -@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request):
> -             req_host = "."+req_host
> -         if not erhn.startswith("."):
> -             erhn = "."+erhn
> --        if not (req_host.endswith(domain) or erhn.endswith(domain)):
> -+        if domain and not domain.startswith("."):
> -+            dotdomain = "." + domain
> -+        else:
> -+            dotdomain = domain
> -+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
> -             #_debug("   request domain %s does not match cookie domain %s",
> -             #       req_host, domain)
> -             return False
> -diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
> -index f2dd9727d137..7f7ff614d61d 100644
> ---- a/Lib/test/test_cookielib.py
> -+++ b/Lib/test/test_cookielib.py
> -@@ -368,6 +368,7 @@ def test_domain_return_ok(self):
> -             ("http://foo.bar.com/", ".foo.bar.com", True),
> -             ("http://foo.bar.com/", "foo.bar.com", True),
> -             ("http://foo.bar.com/", ".bar.com", True),
> -+            ("http://foo.bar.com/", "bar.com", True),
> -             ("http://foo.bar.com/", "com", True),
> -             ("http://foo.com/", "rhubarb.foo.com", False),
> -             ("http://foo.com/", ".foo.com", True),
> -@@ -378,6 +379,8 @@ def test_domain_return_ok(self):
> -             ("http://foo/", "foo", True),
> -             ("http://foo/", "foo.local", True),
> -             ("http://foo/", ".local", True),
> -+            ("http://barfoo.com", ".foo.com", False),
> -+            ("http://barfoo.com", "foo.com", False),
> -             ]:
> -             request = urllib2.Request(url)
> -             r = pol.domain_return_ok(domain, request)
> -@@ -938,6 +941,33 @@ def test_domain_block(self):
> -         c.add_cookie_header(req)
> -         self.assertFalse(req.has_header("Cookie"))
> -
> -+        c.clear()
> -+
> -+        pol.set_blocked_domains([])
> -+        req = Request("http://acme.com/")
> -+        res = FakeResponse(headers, "http://acme.com/")
> -+        cookies = c.make_cookies(res, req)
> -+        c.extract_cookies(res, req)
> -+        self.assertEqual(len(c), 1)
> -+
> -+        req = Request("http://acme.com/")
> -+        c.add_cookie_header(req)
> -+        self.assertTrue(req.has_header("Cookie"))
> -+
> -+        req = Request("http://badacme.com/")
> -+        c.add_cookie_header(req)
> -+        self.assertFalse(pol.return_ok(cookies[0], req))
> -+        self.assertFalse(req.has_header("Cookie"))
> -+
> -+        p = pol.set_blocked_domains(["acme.com"])
> -+        req = Request("http://acme.com/")
> -+        c.add_cookie_header(req)
> -+        self.assertFalse(req.has_header("Cookie"))
> -+
> -+        req = Request("http://badacme.com/")
> -+        c.add_cookie_header(req)
> -+        self.assertFalse(req.has_header("Cookie"))
> -+
> -     def test_secure(self):
> -         from cookielib import CookieJar, DefaultCookiePolicy
> -
> -diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
> -new file mode 100644
> -index 000000000000..77251806163b
> ---- /dev/null
> -+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
> -@@ -0,0 +1,4 @@
> -+Don't send cookies of domain A without Domain attribute to domain B when
> -+domain A is a suffix match of domain B while using a cookiejar with
> -+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
> -+Singaravelan.
> diff --git a/meta/recipes-devtools/python/python/CVE-2019-9740.patch b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
> deleted file mode 100644
> index 95f43e0387d..00000000000
> --- a/meta/recipes-devtools/python/python/CVE-2019-9740.patch
> +++ /dev/null
> @@ -1,216 +0,0 @@
> -From bb8071a4cae5ab3fe321481dd3d73662ffb26052 Mon Sep 17 00:00:00 2001
> -From: Victor Stinner <victor.stinner@gmail.com>
> -Date: Tue, 21 May 2019 15:12:33 +0200
> -Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
> - (GH-13154) (GH-13315)
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Disallow control chars in http URLs in urllib2.urlopen.  This
> -addresses a potential security problem for applications that do not
> -sanity check their URLs where http request headers could be injected.
> -
> -Disable https related urllib tests on a build without ssl (GH-13032)
> -These tests require an SSL enabled build. Skip these tests when
> -python is built without SSL to fix test failures.
> -
> -Use httplib.InvalidURL instead of ValueError as the new error case's
> -exception. (GH-13044)
> -
> -Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
> -
> -(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
> -
> -Notes on backport to Python 2.7:
> -
> -* test_urllib tests urllib.urlopen() which quotes the URL and so is
> -  not vulerable to HTTP Header Injection.
> -* Add tests to test_urllib2 on urllib2.urlopen().
> -* Reject non-ASCII characters: range 0x80-0xff.
> -
> -Upstream-Status: Backport
> -CVE: CVE-2019-9740
> -CVE: CVE-2019-9947
> -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
> ----
> - Lib/httplib.py                                | 16 ++++++
> - Lib/test/test_urllib.py                       | 25 +++++++++
> - Lib/test/test_urllib2.py                      | 51 ++++++++++++++++++-
> - Lib/test/test_xmlrpc.py                       |  8 ++-
> - .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
> - 5 files changed, 99 insertions(+), 2 deletions(-)
> - create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
> -
> -diff --git a/Lib/httplib.py b/Lib/httplib.py
> -index 60a8fb4e355f..1b41c346e090 100644
> ---- a/Lib/httplib.py
> -+++ b/Lib/httplib.py
> -@@ -247,6 +247,16 @@
> - _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
> - _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
> -
> -+# These characters are not allowed within HTTP URL paths.
> -+#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
> -+#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
> -+# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
> -+# Restrict non-ASCII characters above \x7f (0x80-0xff).
> -+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
> -+# Arguably only these _should_ allowed:
> -+#  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
> -+# We are more lenient for assumed real world compatibility purposes.
> -+
> - # We always set the Content-Length header for these methods because some
> - # servers will otherwise respond with a 411
> - _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
> -@@ -927,6 +937,12 @@ def putrequest(self, method, url, skip_host=0, skip_accept_encoding=0):
> -         self._method = method
> -         if not url:
> -             url = '/'
> -+        # Prevent CVE-2019-9740.
> -+        match = _contains_disallowed_url_pchar_re.search(url)
> -+        if match:
> -+            raise InvalidURL("URL can't contain control characters. %r "
> -+                             "(found at least %r)"
> -+                             % (url, match.group()))
> -         hdr = '%s %s %s' % (method, url, self._http_vsn_str)
> -
> -         self._output(hdr)
> -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
> -index 1ce9201c0693..d7778d4194f3 100644
> ---- a/Lib/test/test_urllib.py
> -+++ b/Lib/test/test_urllib.py
> -@@ -257,6 +257,31 @@ def test_url_fragment(self):
> -         finally:
> -             self.unfakehttp()
> -
> -+    def test_url_with_control_char_rejected(self):
> -+        for char_no in range(0, 0x21) + range(0x7f, 0x100):
> -+            char = chr(char_no)
> -+            schemeless_url = "//localhost:7777/test%s/" % char
> -+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
> -+            try:
> -+                # urllib quotes the URL so there is no injection.
> -+                resp = urllib.urlopen("http:" + schemeless_url)
> -+                self.assertNotIn(char, resp.geturl())
> -+            finally:
> -+                self.unfakehttp()
> -+
> -+    def test_url_with_newline_header_injection_rejected(self):
> -+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
> -+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
> -+        schemeless_url = "//" + host + ":8080/test/?test=a"
> -+        try:
> -+            # urllib quotes the URL so there is no injection.
> -+            resp = urllib.urlopen("http:" + schemeless_url)
> -+            self.assertNotIn(' ', resp.geturl())
> -+            self.assertNotIn('\r', resp.geturl())
> -+            self.assertNotIn('\n', resp.geturl())
> -+        finally:
> -+            self.unfakehttp()
> -+
> -     def test_read_bogus(self):
> -         # urlopen() should raise IOError for many error codes.
> -         self.fakehttp('''HTTP/1.1 401 Authentication Required
> -diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
> -index 6d24d5ddf83c..9531818e16b2 100644
> ---- a/Lib/test/test_urllib2.py
> -+++ b/Lib/test/test_urllib2.py
> -@@ -15,6 +15,9 @@
> - except ImportError:
> -     ssl = None
> -
> -+from test.test_urllib import FakeHTTPMixin
> -+
> -+
> - # XXX
> - # Request
> - # CacheFTPHandler (hard to write)
> -@@ -1262,7 +1265,7 @@ def _test_basic_auth(self, opener, auth_handler, auth_header,
> -         self.assertEqual(len(http_handler.requests), 1)
> -         self.assertFalse(http_handler.requests[0].has_header(auth_header))
> -
> --class MiscTests(unittest.TestCase):
> -+class MiscTests(unittest.TestCase, FakeHTTPMixin):
> -
> -     def test_build_opener(self):
> -         class MyHTTPHandler(urllib2.HTTPHandler): pass
> -@@ -1317,6 +1320,52 @@ def test_unsupported_algorithm(self):
> -             "Unsupported digest authentication algorithm 'invalid'"
> -         )
> -
> -+    @unittest.skipUnless(ssl, "ssl module required")
> -+    def test_url_with_control_char_rejected(self):
> -+        for char_no in range(0, 0x21) + range(0x7f, 0x100):
> -+            char = chr(char_no)
> -+            schemeless_url = "//localhost:7777/test%s/" % char
> -+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
> -+            try:
> -+                # We explicitly test urllib.request.urlopen() instead of the top
> -+                # level 'def urlopen()' function defined in this... (quite ugly)
> -+                # test suite.  They use different url opening codepaths.  Plain
> -+                # urlopen uses FancyURLOpener which goes via a codepath that
> -+                # calls urllib.parse.quote() on the URL which makes all of the
> -+                # above attempts at injection within the url _path_ safe.
> -+                escaped_char_repr = repr(char).replace('\\', r'\\')
> -+                InvalidURL = httplib.InvalidURL
> -+                with self.assertRaisesRegexp(
> -+                    InvalidURL, "contain control.*" + escaped_char_repr):
> -+                    urllib2.urlopen("http:" + schemeless_url)
> -+                with self.assertRaisesRegexp(
> -+                    InvalidURL, "contain control.*" + escaped_char_repr):
> -+                    urllib2.urlopen("https:" + schemeless_url)
> -+            finally:
> -+                self.unfakehttp()
> -+
> -+    @unittest.skipUnless(ssl, "ssl module required")
> -+    def test_url_with_newline_header_injection_rejected(self):
> -+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
> -+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
> -+        schemeless_url = "//" + host + ":8080/test/?test=a"
> -+        try:
> -+            # We explicitly test urllib2.urlopen() instead of the top
> -+            # level 'def urlopen()' function defined in this... (quite ugly)
> -+            # test suite.  They use different url opening codepaths.  Plain
> -+            # urlopen uses FancyURLOpener which goes via a codepath that
> -+            # calls urllib.parse.quote() on the URL which makes all of the
> -+            # above attempts at injection within the url _path_ safe.
> -+            InvalidURL = httplib.InvalidURL
> -+            with self.assertRaisesRegexp(
> -+                InvalidURL, r"contain control.*\\r.*(found at least . .)"):
> -+                urllib2.urlopen("http:" + schemeless_url)
> -+            with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
> -+                urllib2.urlopen("https:" + schemeless_url)
> -+        finally:
> -+            self.unfakehttp()
> -+
> -+
> -
> - class RequestTests(unittest.TestCase):
> -
> -diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
> -index 36b3be67fd6b..90ccb30716ff 100644
> ---- a/Lib/test/test_xmlrpc.py
> -+++ b/Lib/test/test_xmlrpc.py
> -@@ -659,7 +659,13 @@ def test_dotted_attribute(self):
> -     def test_partial_post(self):
> -         # Check that a partial POST doesn't make the server loop: issue #14001.
> -         conn = httplib.HTTPConnection(ADDR, PORT)
> --        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
> -+        conn.send('POST /RPC2 HTTP/1.0\r\n'
> -+                  'Content-Length: 100\r\n\r\n'
> -+                  'bye HTTP/1.1\r\n'
> -+                  'Host: %s:%s\r\n'
> -+                  'Accept-Encoding: identity\r\n'
> -+                  'Content-Length: 0\r\n\r\n'
> -+                  % (ADDR, PORT))
> -         conn.close()
> -
> - class SimpleServerEncodingTestCase(BaseServerTestCase):
> -diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
> -new file mode 100644
> -index 000000000000..47cb899df1af
> ---- /dev/null
> -+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
> -@@ -0,0 +1 @@
> -+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request.  Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
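Review bot: The patch dropped here carries two tags in its header, `CVE: CVE-2019-9740` and `CVE: CVE-2019-9947`, while the file name mentions only the first. When confirming that 2.7.17 makes this backport redundant, check both IDs, and check that the release's `putrequest()` check in `Lib/httplib.py` covers the same range as the 2.7 variant described in the backport notes ("Reject non-ASCII characters: range 0x80-0xff", i.e. `re.compile('[\x00-\x20\x7f-\xff]')`). A line in the commit message naming both CVEs would record that.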
> diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
> deleted file mode 100644
> index b2672370186..00000000000
> --- a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
> +++ /dev/null
> @@ -1,55 +0,0 @@
> -From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
> -From: Sihoon Lee <push0ebp@gmail.com>
> -Date: Fri, 17 May 2019 02:41:06 +0900
> -Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
> - assertRasies in DummyURLopener test, and simplify mitigation
> -
> -Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
> -
> -CVE: CVE-2019-9948
> -
> -Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> ----
> - Lib/test/test_urllib.py | 11 +++--------
> - Lib/urllib.py           |  4 ++--
> - 2 files changed, 5 insertions(+), 10 deletions(-)
> -
> -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
> -index e5f210e62a18..1e23dfb0bb16 100644
> ---- a/Lib/test/test_urllib.py
> -+++ b/Lib/test/test_urllib.py
> -@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
> -         class DummyURLopener(urllib.URLopener):
> -             def open_local_file(self, url):
> -                 return url
> --        self.assertEqual(DummyURLopener().open(
> --            'local-file://example'), '//example')
> --        self.assertEqual(DummyURLopener().open(
> --            'local_file://example'), '//example')
> --        self.assertRaises(IOError, urllib.urlopen,
> --            'local-file://example')
> --        self.assertRaises(IOError, urllib.urlopen,
> --            'local_file://example')
> -+        for url in ('local_file://example', 'local-file://example'):
> -+            self.assertRaises(IOError, DummyURLopener().open, url)
> -+            self.assertRaises(IOError, urllib.urlopen, url)
> -
> - # Just commented them out.
> - # Can't really tell why keep failing in windows and sparc.
> -diff --git a/Lib/urllib.py b/Lib/urllib.py
> -index a24e9a5c68fb..39b834054e9e 100644
> ---- a/Lib/urllib.py
> -+++ b/Lib/urllib.py
> -@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
> -         name = 'open_' + urltype
> -         self.type = urltype
> -         name = name.replace('-', '_')
> --
> -+
> -         # bpo-35907: # disallow the file reading with the type not allowed
> -         if not hasattr(self, name) or \
> --            (self == _urlopener and name == 'open_local_file'):
> -+            getattr(self, name) == self.open_local_file:
> -             if proxy:
> -                 return self.open_unknown_proxy(proxy, fullurl, data)
> -             else:
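Review bot: Unlike the other dropped patches, this one is marked `Upstream-Status: Submitted https://github.com/python/cpython/pull/11842`, not `Backport`, so what upstream finally merged may not match it. Before dropping it, confirm that `URLopener.open()` in 2.7.17 rejects `local_file://` and `local-file://` for subclasses too, which is what the change to `getattr(self, name) == self.open_local_file` and the `DummyURLopener` test in this patch enforce; the earlier form, `self == _urlopener and name == 'open_local_file'`, only covered the module-level opener. The same applies to the companion `bpo-35907-cve-2019-9948.patch` removed next, which has the same `Submitted` status.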
> diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
> deleted file mode 100644
> index f4c225d2fcf..00000000000
> --- a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
> +++ /dev/null
> @@ -1,55 +0,0 @@
> -From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
> -From: push0ebp <push0ebp@shl-MacBook-Pro.local>
> -Date: Thu, 14 Feb 2019 02:05:46 +0900
> -Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
> - URL scheme in urllib
> -
> -Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
> -
> -CVE: CVE-2019-9948
> -
> -Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> ----
> - Lib/test/test_urllib.py | 12 ++++++++++++
> - Lib/urllib.py           |  5 ++++-
> - 2 files changed, 16 insertions(+), 1 deletion(-)
> -
> -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
> -index 1ce9201c0693..e5f210e62a18 100644
> ---- a/Lib/test/test_urllib.py
> -+++ b/Lib/test/test_urllib.py
> -@@ -1023,6 +1023,18 @@ def open_spam(self, url):
> -             "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
> -             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
> -
> -+    def test_local_file_open(self):
> -+        class DummyURLopener(urllib.URLopener):
> -+            def open_local_file(self, url):
> -+                return url
> -+        self.assertEqual(DummyURLopener().open(
> -+            'local-file://example'), '//example')
> -+        self.assertEqual(DummyURLopener().open(
> -+            'local_file://example'), '//example')
> -+        self.assertRaises(IOError, urllib.urlopen,
> -+            'local-file://example')
> -+        self.assertRaises(IOError, urllib.urlopen,
> -+            'local_file://example')
> -
> - # Just commented them out.
> - # Can't really tell why keep failing in windows and sparc.
> -diff --git a/Lib/urllib.py b/Lib/urllib.py
> -index d85504a5cb7e..a24e9a5c68fb 100644
> ---- a/Lib/urllib.py
> -+++ b/Lib/urllib.py
> -@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
> -         name = 'open_' + urltype
> -         self.type = urltype
> -         name = name.replace('-', '_')
> --        if not hasattr(self, name):
> -+
> -+        # bpo-35907: # disallow the file reading with the type not allowed
> -+        if not hasattr(self, name) or \
> -+            (self == _urlopener and name == 'open_local_file'):
> -             if proxy:
> -                 return self.open_unknown_proxy(proxy, fullurl, data)
> -             else:
> diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
> deleted file mode 100644
> index 2ce4d2cde7a..00000000000
> --- a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -From 06b5ee585d6e76bdbb4002f642d864d860cbbd2b Mon Sep 17 00:00:00 2001
> -From: Steve Dower <steve.dower@python.org>
> -Date: Tue, 12 Mar 2019 08:23:33 -0700
> -Subject: [PATCH] bpo-36216: Only print test messages when verbose
> -
> -CVE: CVE-2019-9636
> -
> -Upstream-Status: Backport https://github.com/python/cpython/pull/12291/commits/06b5ee585d6e76bdbb4002f642d864d860cbbd2b
> -
> -Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> ----
> - Lib/test/test_urlparse.py | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
> -index 73b0228ea8e3..1830d0b28688 100644
> ---- a/Lib/test/test_urlparse.py
> -+++ b/Lib/test/test_urlparse.py
> -@@ -644,7 +644,8 @@ def test_urlsplit_normalization(self):
> -         for scheme in [u"http", u"https", u"ftp"]:
> -             for c in denorm_chars:
> -                 url = u"{}://netloc{}false.netloc/path".format(scheme, c)
> --                print "Checking %r" % url
> -+                if test_support.verbose:
> -+                    print "Checking %r" % url
> -                 with self.assertRaises(ValueError):
> -                     urlparse.urlsplit(url)
> -
> diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
> deleted file mode 100644
> index 352b13ba9b5..00000000000
> --- a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
> +++ /dev/null
> @@ -1,111 +0,0 @@
> -From 3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e Mon Sep 17 00:00:00 2001
> -From: Steve Dower <steve.dower@python.org>
> -Date: Thu, 7 Mar 2019 08:25:22 -0800
> -Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
> - to separators (GH-12201)
> -
> -CVE: CVE-2019-9636
> -
> -Upstream-Status: Backport https://github.com/python/cpython/pull/12216/commits/3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e
> -
> -Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> ----
> - Doc/library/urlparse.rst                      | 20 ++++++++++++++++
> - Lib/test/test_urlparse.py                     | 24 +++++++++++++++++++
> - Lib/urlparse.py                               | 17 +++++++++++++
> - .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
> - 4 files changed, 64 insertions(+)
> - create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
> -
> -diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
> -index 4e1ded73c266..73b0228ea8e3 100644
> ---- a/Lib/test/test_urlparse.py
> -+++ b/Lib/test/test_urlparse.py
> -@@ -1,4 +1,6 @@
> - from test import test_support
> -+import sys
> -+import unicodedata
> - import unittest
> - import urlparse
> -
> -@@ -624,6 +626,28 @@ def test_portseparator(self):
> -         self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
> -                 ('http','www.python.org:80','','','',''))
> -
> -+    def test_urlsplit_normalization(self):
> -+        # Certain characters should never occur in the netloc,
> -+        # including under normalization.
> -+        # Ensure that ALL of them are detected and cause an error
> -+        illegal_chars = u'/:#?@'
> -+        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
> -+        denorm_chars = [
> -+            c for c in map(unichr, range(128, sys.maxunicode))
> -+            if (hex_chars & set(unicodedata.decomposition(c).split()))
> -+            and c not in illegal_chars
> -+        ]
> -+        # Sanity check that we found at least one such character
> -+        self.assertIn(u'\u2100', denorm_chars)
> -+        self.assertIn(u'\uFF03', denorm_chars)
> -+
> -+        for scheme in [u"http", u"https", u"ftp"]:
> -+            for c in denorm_chars:
> -+                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
> -+                print "Checking %r" % url
> -+                with self.assertRaises(ValueError):
> -+                    urlparse.urlsplit(url)
> -+
> - def test_main():
> -     test_support.run_unittest(UrlParseTestCase)
> -
> -diff --git a/Lib/urlparse.py b/Lib/urlparse.py
> -index f7c2b032b097..54eda08651ab 100644
> ---- a/Lib/urlparse.py
> -+++ b/Lib/urlparse.py
> -@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
> -             delim = min(delim, wdelim)     # use earliest delim position
> -     return url[start:delim], url[delim:]   # return (domain, rest)
> -
> -+def _checknetloc(netloc):
> -+    if not netloc or not isinstance(netloc, unicode):
> -+        return
> -+    # looking for characters like \u2100 that expand to 'a/c'
> -+    # IDNA uses NFKC equivalence, so normalize for this check
> -+    import unicodedata
> -+    netloc2 = unicodedata.normalize('NFKC', netloc)
> -+    if netloc == netloc2:
> -+        return
> -+    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
> -+    for c in '/?#@:':
> -+        if c in netloc2:
> -+            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
> -+                             "characters under NFKC normalization")
> -+
> - def urlsplit(url, scheme='', allow_fragments=True):
> -     """Parse a URL into 5 components:
> -     <scheme>://<netloc>/<path>?<query>#<fragment>
> -@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
> -                 url, fragment = url.split('#', 1)
> -             if '?' in url:
> -                 url, query = url.split('?', 1)
> -+            _checknetloc(netloc)
> -             v = SplitResult(scheme, netloc, url, query, fragment)
> -             _parse_cache[key] = v
> -             return v
> -@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
> -         url, fragment = url.split('#', 1)
> -     if '?' in url:
> -         url, query = url.split('?', 1)
> -+    _checknetloc(netloc)
> -     v = SplitResult(scheme, netloc, url, query, fragment)
> -     _parse_cache[key] = v
> -     return v
> -diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
> -new file mode 100644
> -index 000000000000..1e1ad92c6feb
> ---- /dev/null
> -+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
> -@@ -0,0 +1,3 @@
> -+Changes urlsplit() to raise ValueError when the URL contains characters that
> -+decompose under IDNA encoding (NFKC-normalization) into characters that
> -+affect how the URL is parsed.
> -\ No newline at end of file
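
Review bot: the commit message says only "Drop backports", so nothing in the log records that the CVE-2019-9636 fix carried by this file (the _checknetloc() NFKC check added to Lib/urlparse.py) is present in 2.7.17. Please list the CVE IDs being dropped in the commit message and say that each was checked against the 2.7.17 sources, so a later audit can see the fix moved into the tarball rather than being lost with the file.
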
> diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
> deleted file mode 100644
> index 1b6cb8cf3e6..00000000000
> --- a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
> +++ /dev/null
> @@ -1,81 +0,0 @@
> -From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
> -From: Changqing Li <changqing.li@windriver.com>
> -Date: Thu, 10 Oct 2019 16:32:19 +0800
> -Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
> - urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
> -
> -Upstream-Status: Backport
> -
> -https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
> -https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
> -
> -CVE: CVE-2019-10160
> -
> -Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ----
> - Lib/test/test_urlparse.py | 19 +++++++++++++------
> - Lib/urlparse.py           | 14 +++++++++-----
> - 2 files changed, 22 insertions(+), 11 deletions(-)
> -
> -diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
> -index 1830d0b..857ed96 100644
> ---- a/Lib/test/test_urlparse.py
> -+++ b/Lib/test/test_urlparse.py
> -@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
> -         self.assertIn(u'\u2100', denorm_chars)
> -         self.assertIn(u'\uFF03', denorm_chars)
> -
> -+        # bpo-36742: Verify port separators are ignored when they
> -+        # existed prior to decomposition
> -+        urlparse.urlsplit(u'http://\u30d5\u309a:80')
> -+        with self.assertRaises(ValueError):
> -+            urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
> -+
> -         for scheme in [u"http", u"https", u"ftp"]:
> --            for c in denorm_chars:
> --                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
> --                if test_support.verbose:
> --                    print "Checking %r" % url
> --                with self.assertRaises(ValueError):
> --                    urlparse.urlsplit(url)
> -+            for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
> -+                for c in denorm_chars:
> -+                    url = u"{}://{}/path".format(scheme, netloc.format(c))
> -+                    if test_support.verbose:
> -+                        print "Checking %r" % url
> -+                    with self.assertRaises(ValueError):
> -+                        urlparse.urlsplit(url)
> -
> - def test_main():
> -     test_support.run_unittest(UrlParseTestCase)
> -diff --git a/Lib/urlparse.py b/Lib/urlparse.py
> -index 54eda08..e34b368 100644
> ---- a/Lib/urlparse.py
> -+++ b/Lib/urlparse.py
> -@@ -171,14 +171,18 @@ def _checknetloc(netloc):
> -     # looking for characters like \u2100 that expand to 'a/c'
> -     # IDNA uses NFKC equivalence, so normalize for this check
> -     import unicodedata
> --    netloc2 = unicodedata.normalize('NFKC', netloc)
> --    if netloc == netloc2:
> -+    n = netloc.replace(u'@', u'') # ignore characters already included
> -+    n = n.replace(u':', u'')      # but not the surrounding text
> -+    n = n.replace(u'#', u'')
> -+    n = n.replace(u'?', u'')
> -+
> -+    netloc2 = unicodedata.normalize('NFKC', n)
> -+    if n == netloc2:
> -         return
> --    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
> -     for c in '/?#@:':
> -         if c in netloc2:
> --            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
> --                             "characters under NFKC normalization")
> -+            raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
> -+                             u"characters under NFKC normalization")
> -
> - def urlsplit(url, scheme='', allow_fragments=True):
> -     """Parse a URL into 5 components:
> ---
> -2.7.4
> -
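
Review bot: this backport's header cites two upstream commits (98a4dcef... and f61599b0...) folded into one file, and its Lib/urlparse.py hunk rewrites the _checknetloc() body that bpo-36216-cve-2019-9636.patch introduced, so dropping it is only safe if 2.7.17 contains both follow-up commits and not just the original bpo-36216 change. Please confirm that the new tarball's _checknetloc() strips '@', ':', '#' and '?' before the NFKC comparison, as the "+" lines here do, and mention CVE-2019-10160 in the commit message.
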
> diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.17.bb
> similarity index 97%
> rename from meta/recipes-devtools/python/python_2.7.16.bb
> rename to meta/recipes-devtools/python/python_2.7.17.bb
> index 625c5312a6e..5b856a50977 100644
> --- a/meta/recipes-devtools/python/python_2.7.16.bb
> +++ b/meta/recipes-devtools/python/python_2.7.17.bb
> @@ -30,9 +30,6 @@ SRC_URI += " \
>             file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
>             file://float-endian.patch \
>             file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
> -           file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
> -           file://bpo-36742-cve-2019-10160.patch \
> -           file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \
>  "
>
>  S = "${WORKDIR}/Python-${PV}"
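
Review bot: this SRC_URI hunk drops three file:// entries, but bpo-36216-cve-2019-9636.patch, deleted earlier in the same patch, is not among them. Please check that its entry is removed wherever it is listed (the diffstat shows python.inc changing as well), so that no recipe is left pointing at a file that no longer exists.
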
> --
> 2.17.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 18:13 ` [PATCH 01/13] python: update to 2.7.17 Khem Raj
@ 2019-11-18 21:05   ` Adrian Bunk
  2019-11-18 21:39     ` Khem Raj
  0 siblings, 1 reply; 39+ messages in thread
From: Adrian Bunk @ 2019-11-18 21:05 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> <alex.kanavin@gmail.com> wrote:
> >
> > Drop backports, rebase a couple of patches.
> >
> > This is the second last release of py 2.x; upstream support ends on
> > 1 January 2020, there will be one final 2.x afterwards.
> >
> > Note that the only thing that still needs python 2.x in oe-core is
> > u-boot; when the next u-boot update arrives, we should find out
> > where the py3 migration is for that component before merging the
> > update.
> 
> I guess u-boot need it during build, in that case defer it to user to
> have python2 on build host
> could be possible.
>...

That's a non-option since it could mean
"Yocto 3.1 cannot be built on Ubuntu 20.04".

Ubuntu 20.04 might end up still shipping Python2,[1]
but you cannot rely on future distributions shipping it.

cu
Adrian

[1] it is not clear whether the Python2 removal in Ubuntu
    will be finished in time for 20.04


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 21:05   ` Adrian Bunk
@ 2019-11-18 21:39     ` Khem Raj
  2019-11-18 22:06       ` Adrian Bunk
  0 siblings, 1 reply; 39+ messages in thread
From: Khem Raj @ 2019-11-18 21:39 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 1:05 PM Adrian Bunk <bunk@stusta.de> wrote:

> On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> > On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> > <alex.kanavin@gmail.com> wrote:
> > >
> > > Drop backports, rebase a couple of patches.
> > >
> > > This is the second last release of py 2.x; upstream support ends on
> > > 1 January 2020, there will be one final 2.x afterwards.
> > >
> > > Note that the only thing that still needs python 2.x in oe-core is
> > > u-boot; when the next u-boot update arrives, we should find out
> > > where the py3 migration is for that component before merging the
> > > update.
> >
> > I guess u-boot need it during build, in that case defer it to user to
> > have python2 on build host
> > could be possible.
> >...
>
> That's a non-option since it could mean
> "Yocto 3.1 cannot be built on Ubuntu 20.04".
>
> Ubuntu 20.04 might end up still shipping Python2,[1]
> but you cannot rely on future distributions shipping it.
>

And why should OE ship something that’s dropped by its own upstream and
other distributions


> cu
> Adrian
>
> [1] it is not clear whether the Python2 removal in Ubuntu
>     will be finished in time for 20.04
>


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 21:39     ` Khem Raj
@ 2019-11-18 22:06       ` Adrian Bunk
  2019-11-18 22:16         ` Khem Raj
  2019-11-19 11:24         ` Alexander Kanavin
  0 siblings, 2 replies; 39+ messages in thread
From: Adrian Bunk @ 2019-11-18 22:06 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 01:39:48PM -0800, Khem Raj wrote:
> On Mon, Nov 18, 2019 at 1:05 PM Adrian Bunk <bunk@stusta.de> wrote:
> > On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> > > On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> > > <alex.kanavin@gmail.com> wrote:
> > > >
> > > > Drop backports, rebase a couple of patches.
> > > >
> > > > This is the second last release of py 2.x; upstream support ends on
> > > > 1 January 2020, there will be one final 2.x afterwards.
> > > >
> > > > Note that the only thing that still needs python 2.x in oe-core is
> > > > u-boot; when the next u-boot update arrives, we should find out
> > > > where the py3 migration is for that component before merging the
> > > > update.
> > >
> > > I guess u-boot need it during build, in that case defer it to user to
> > > have python2 on build host
> > > could be possible.
> > >...
> >
> > That's a non-option since it could mean
> > "Yocto 3.1 cannot be built on Ubuntu 20.04".
> >
> > Ubuntu 20.04 might end up still shipping Python2,[1]
> > but you cannot rely on future distributions shipping it.
> 
> And why should OE ship something that’s dropped by its own upstream and
> other distributions

All I am saying is that relying on the host Python2 is a non-option.

If any layer needs a native Python2, this has to be shipped either in 
this layer or in a layer it depends on.

cu
Adrian


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 22:06       ` Adrian Bunk
@ 2019-11-18 22:16         ` Khem Raj
  2019-11-18 22:34           ` Ross Burton
  2019-11-18 22:55           ` Adrian Bunk
  2019-11-19 11:24         ` Alexander Kanavin
  1 sibling, 2 replies; 39+ messages in thread
From: Khem Raj @ 2019-11-18 22:16 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 2:06 PM Adrian Bunk <bunk@stusta.de> wrote:

> On Mon, Nov 18, 2019 at 01:39:48PM -0800, Khem Raj wrote:
> > On Mon, Nov 18, 2019 at 1:05 PM Adrian Bunk <bunk@stusta.de> wrote:
> > > On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> > > > On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> > > > <alex.kanavin@gmail.com> wrote:
> > > > >
> > > > > Drop backports, rebase a couple of patches.
> > > > >
> > > > > This is the second last release of py 2.x; upstream support ends on
> > > > > 1 January 2020, there will be one final 2.x afterwards.
> > > > >
> > > > > Note that the only thing that still needs python 2.x in oe-core is
> > > > > u-boot; when the next u-boot update arrives, we should find out
> > > > > where the py3 migration is for that component before merging the
> > > > > update.
> > > >
> > > > I guess u-boot need it during build, in that case defer it to user to
> > > > have python2 on build host
> > > > could be possible.
> > > >...
> > >
> > > That's a non-option since it could mean
> > > "Yocto 3.1 cannot be built on Ubuntu 20.04".
> > >
> > > Ubuntu 20.04 might end up still shipping Python2,[1]
> > > but you cannot rely on future distributions shipping it.
> >
> > And why should OE ship something that’s dropped by its own upstream and
> > other distributions
>
> All I am saying is that relying on the host Python2 is a non-option.
>
> If any layer needs a native Python2, this has to be shipped either in
> this layer or in a layer it depends on.


We should explore disabling python support in uboot if it does not move to
py3 perhaps there is a way like that having a single recipe require py2 is
a bit too much


>
> cu
> Adrian
>


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 22:16         ` Khem Raj
@ 2019-11-18 22:34           ` Ross Burton
  2019-11-18 22:55           ` Adrian Bunk
  1 sibling, 0 replies; 39+ messages in thread
From: Ross Burton @ 2019-11-18 22:34 UTC (permalink / raw)
  To: openembedded-core

On 18/11/2019 22:16, Khem Raj wrote:
> We should explore disabling python support in uboot if it does not move 
> to py3 perhaps there is a way like that having a single recipe require 
> py2 is a bit too much

The next release of u-boot (2020.01) is ported to Python 3.  The current 
release of u-boot needs Python/Swig to build libpyfdt, but as I've never 
used u-boot I don't know if this is actually needed or could be an option.

Ross


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 22:16         ` Khem Raj
  2019-11-18 22:34           ` Ross Burton
@ 2019-11-18 22:55           ` Adrian Bunk
  2019-11-18 23:26             ` Khem Raj
  1 sibling, 1 reply; 39+ messages in thread
From: Adrian Bunk @ 2019-11-18 22:55 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 02:16:30PM -0800, Khem Raj wrote:
> On Mon, Nov 18, 2019 at 2:06 PM Adrian Bunk <bunk@stusta.de> wrote:
> 
> > On Mon, Nov 18, 2019 at 01:39:48PM -0800, Khem Raj wrote:
> > > On Mon, Nov 18, 2019 at 1:05 PM Adrian Bunk <bunk@stusta.de> wrote:
> > > > On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> > > > > On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> > > > > <alex.kanavin@gmail.com> wrote:
> > > > > >
> > > > > > Drop backports, rebase a couple of patches.
> > > > > >
> > > > > > This is the second last release of py 2.x; upstream support ends on
> > > > > > 1 January 2020, there will be one final 2.x afterwards.
> > > > > >
> > > > > > Note that the only thing that still needs python 2.x in oe-core is
> > > > > > u-boot; when the next u-boot update arrives, we should find out
> > > > > > where the py3 migration is for that component before merging the
> > > > > > update.
> > > > >
> > > > > I guess u-boot need it during build, in that case defer it to user to
> > > > > have python2 on build host
> > > > > could be possible.
> > > > >...
> > > >
> > > > That's a non-option since it could mean
> > > > "Yocto 3.1 cannot be built on Ubuntu 20.04".
> > > >
> > > > Ubuntu 20.04 might end up still shipping Python2,[1]
> > > > but you cannot rely on future distributions shipping it.
> > >
> > > And why should OE ship something that’s dropped by its own upstream and
> > > other distributions
> >
> > All I am saying is that relying on the host Python2 is a non-option.
> >
> > If any layer needs a native Python2, this has to be shipped either in
> > this layer or in a layer it depends on.
> 
> 
> We should explore disabling python support in uboot if it does not move to
> py3 perhaps there is a way like that having a single recipe require py2 is
> a bit too much

In u-boot build scripts are using Python2.

But this is being fixed upstream, so realistically in Yocto 3.1
Python2 can move to meta-oe.

cu
Adrian


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 22:55           ` Adrian Bunk
@ 2019-11-18 23:26             ` Khem Raj
  2019-11-19  7:57               ` Tim Orling
  0 siblings, 1 reply; 39+ messages in thread
From: Khem Raj @ 2019-11-18 23:26 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 18, 2019 at 2:55 PM Adrian Bunk <bunk@stusta.de> wrote:
>
> On Mon, Nov 18, 2019 at 02:16:30PM -0800, Khem Raj wrote:
> > On Mon, Nov 18, 2019 at 2:06 PM Adrian Bunk <bunk@stusta.de> wrote:
> >
> > > On Mon, Nov 18, 2019 at 01:39:48PM -0800, Khem Raj wrote:
> > > > On Mon, Nov 18, 2019 at 1:05 PM Adrian Bunk <bunk@stusta.de> wrote:
> > > > > On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> > > > > > On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> > > > > > <alex.kanavin@gmail.com> wrote:
> > > > > > >
> > > > > > > Drop backports, rebase a couple of patches.
> > > > > > >
> > > > > > > This is the second last release of py 2.x; upstream support ends on
> > > > > > > 1 January 2020, there will be one final 2.x afterwards.
> > > > > > >
> > > > > > > Note that the only thing that still needs python 2.x in oe-core is
> > > > > > > u-boot; when the next u-boot update arrives, we should find out
> > > > > > > where the py3 migration is for that component before merging the
> > > > > > > update.
> > > > > >
> > > > > > I guess u-boot need it during build, in that case defer it to user to
> > > > > > have python2 on build host
> > > > > > could be possible.
> > > > > >...
> > > > >
> > > > > That's a non-option since it could mean
> > > > > "Yocto 3.1 cannot be built on Ubuntu 20.04".
> > > > >
> > > > > Ubuntu 20.04 might end up still shipping Python2,[1]
> > > > > but you cannot rely on future distributions shipping it.
> > > >
> > > > And why should OE ship something that’s dropped by its own upstream and
> > > > other distributions
> > >
> > > All I am saying is that relying on the host Python2 is a non-option.
> > >
> > > If any layer needs a native Python2, this has to be shipped either in
> > > this layer or in a layer it depends on.
> >
> >
> > We should explore disabling python support in uboot if it does not move to
> > py3 perhaps there is a way like that having a single recipe require py2 is
> > a bit too much
>
> In u-boot build scripts are using Python2.
>
> But this is being fixed upstream, so realistically in Yocto 3.1
> Python2 can move to meta-oe.

No I do not want it in meta-oe, whoever needs it, should step up to
maintain it and start a new layer
much like meta-qt4

>
> cu
> Adrian


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 23:26             ` Khem Raj
@ 2019-11-19  7:57               ` Tim Orling
  2019-11-19 11:30                 ` Alexander Kanavin
  0 siblings, 1 reply; 39+ messages in thread
From: Tim Orling @ 2019-11-19  7:57 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer, Adrian Bunk

On Mon, Nov 18, 2019 at 3:27 PM Khem Raj <raj.khem@gmail.com> wrote:

> On Mon, Nov 18, 2019 at 2:55 PM Adrian Bunk <bunk@stusta.de> wrote:
> >
> > On Mon, Nov 18, 2019 at 02:16:30PM -0800, Khem Raj wrote:
> > > On Mon, Nov 18, 2019 at 2:06 PM Adrian Bunk <bunk@stusta.de> wrote:
> > >
> > > > On Mon, Nov 18, 2019 at 01:39:48PM -0800, Khem Raj wrote:
> > > > > On Mon, Nov 18, 2019 at 1:05 PM Adrian Bunk <bunk@stusta.de>
> wrote:
> > > > > > On Mon, Nov 18, 2019 at 10:13:05AM -0800, Khem Raj wrote:
> > > > > > > On Mon, Nov 18, 2019 at 5:08 AM Alexander Kanavin
> > > > > > > <alex.kanavin@gmail.com> wrote:
> > > > > > > >
> > > > > > > > Drop backports, rebase a couple of patches.
> > > > > > > >
> > > > > > > > This is the second last release of py 2.x; upstream support
> ends on
> > > > > > > > 1 January 2020, there will be one final 2.x afterwards.
> > > > > > > >
> > > > > > > > Note that the only thing that still needs python 2.x in
> oe-core is
> > > > > > > > u-boot; when the next u-boot update arrives, we should find
> out
> > > > > > > > where the py3 migration is for that component before merging
> the
> > > > > > > > update.
> > > > > > >
> > > > > > > I guess u-boot need it during build, in that case defer it to
> user to
> > > > > > > have python2 on build host
> > > > > > > could be possible.
> > > > > > >...
> > > > > >
> > > > > > That's a non-option since it could mean
> > > > > > "Yocto 3.1 cannot be built on Ubuntu 20.04".
> > > > > >
> > > > > > Ubuntu 20.04 might end up still shipping Python2,[1]
> > > > > > but you cannot rely on future distributions shipping it.
> > > > >
> > > > > And why should OE ship something that’s dropped by its own
> upstream and
> > > > > other distributions
> > > >
> > > > All I am saying is that relying on the host Python2 is a non-option.
> > > >
> > > > If any layer needs a native Python2, this has to be shipped either in
> > > > this layer or in a layer it depends on.
> > >
> > >
> > > We should explore disabling python support in uboot if it does not
> move to
> > > py3 perhaps there is a way like that having a single recipe require
> py2 is
> > > a bit too much
> >
> > In u-boot build scripts are using Python2.
> >
> > But this is being fixed upstream, so realistically in Yocto 3.1
> > Python2 can move to meta-oe.
>
> No I do not want it in meta-oe, whoever needs it, should step up to
> maintain it and start a new layer
> much like meta-qt4
>

I have the beginnings of scripts to generate a meta-python2 layer. Someone
with a vested interest in keeping python2 supported will need to step up to
maintain it. After bitbake and Oe-core moved to python3, my use of python2
has gone to near zero.

I intend to move all python2 recipes from meta-python to the new layer.
meta-python will become python3 only in 3.1 release timeframe. The bb files
and inc files will also be merged, simplifying AUH and devtool usage.

Attempts to send python2 patches to meta-python after that shift will be
nacked.


> >
> > cu
> > Adrian
>


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 22:06       ` Adrian Bunk
  2019-11-18 22:16         ` Khem Raj
@ 2019-11-19 11:24         ` Alexander Kanavin
  1 sibling, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-19 11:24 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Patches and discussions about the oe-core layer

On Mon, 18 Nov 2019 at 23:06, Adrian Bunk <bunk@stusta.de> wrote:

>
> > > That's a non-option since it could mean
> > > "Yocto 3.1 cannot be built on Ubuntu 20.04".
> > >
> > > Ubuntu 20.04 might end up still shipping Python2,[1]
> > > but you cannot rely on future distributions shipping it.
> >
> > And why should OE ship something that’s dropped by its own upstream and
> > other distributions
>
> All I am saying is that relying on the host Python2 is a non-option.
>
> If any layer needs a native Python2, this has to be shipped either in
> this layer or in a layer it depends on.
>

Sadly, not relying on host Python 2 is not possible. Building Python 2
needs a working binary of Python 2. So there is a circular dependency chain
that cannot be broken: host py2 -> native py2 -> target py2 -> self-hosted
packagegroup.

You can remove all three versions of py2, but not any of them individually.

Alex


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19  7:57               ` Tim Orling
@ 2019-11-19 11:30                 ` Alexander Kanavin
  2019-11-19 15:49                   ` Khem Raj
                                     ` (2 more replies)
  0 siblings, 3 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-19 11:30 UTC (permalink / raw)
  To: Tim Orling; +Cc: Adrian Bunk, Patches and discussions about the oe-core layer

On Tue, 19 Nov 2019 at 08:58, Tim Orling <ticotimo@gmail.com> wrote:

>
> I have the beginnings of scripts to generate a meta-python2 layer. Someone
> with a vested interest in keeping python2 supported will need to step up to
> maintain it. After bitbake and Oe-core moved to python3, my use of python2
> has gone to near zero.
>
> I intend to move all python2 recipes from meta-python to the new layer.
> meta-python will become python3 only in 3.1 release timeframe. The bb files
> and inc files will also be merged, simplifying AUH and devtool usage.
>
> Attempts to send python2 patches to meta-python after that shift will be
> nacked.
>

Thanks! There is however a missing part: how close is meta-oe to being
py2-free? Oe-core is very close (u-boot is the last holdout as noted), but
I am not sure that we can simply take out py2, and not have half of meta-oe
fail. For instance (random example) mozjs, a fairly important component,
still pulls it in, together with a few 3rd party libraries:
https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/mozjs/mozjs_60.5.2.bb

It's tempting to force the transition by breaking things, but it also
antagonizes users.

Alex


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19 11:30                 ` Alexander Kanavin
@ 2019-11-19 15:49                   ` Khem Raj
  2019-11-19 16:30                     ` Adrian Bunk
  2019-11-19 22:44                   ` Andreas Müller
  2019-11-30  9:49                   ` Adrian Bunk
  2 siblings, 1 reply; 39+ messages in thread
From: Khem Raj @ 2019-11-19 15:49 UTC (permalink / raw)
  To: Alexander Kanavin
  Cc: Adrian Bunk, Patches and discussions about the oe-core layer

On Tue, Nov 19, 2019 at 3:30 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> On Tue, 19 Nov 2019 at 08:58, Tim Orling <ticotimo@gmail.com> wrote:
>>
>>
>> I have the beginnings of scripts to generate a meta-python2 layer. Someone with a vested interest in keeping python2 supported will need to step up to maintain it. After bitbake and Oe-core moved to python3, my use of python2 has gone to near zero.
>>
>> I intend to move all python2 recipes from meta-python to the new layer. meta-python will become python3 only in 3.1 release timeframe. The bb files and inc files will also be merged, simplifying AUH and devtool usage.
>>
>> Attempts to send python2 patches to meta-python after that shift will be nacked.
>
>
> Thanks! There is however a missing part: how close is meta-oe to being py2-free? Oe-core is very close (u-boot is the last holdout as noted), but I am not sure that we can simply take out py2, and not have half of meta-oe fail. For instance (random example) mozjs, a fairly important component, still pulls it in, together with a few 3rd party libraries: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/mozjs/mozjs_60.5.2.bb
>
> It's tempting to force the transition by breaking things, but it also antagonizes users.
>

It's for how python2 should be organised after it retires and
suggestion is to move it to an independent layer rather than
meta-openembedded repo,
whether layers under meta-openembedded will depend on it is a separate issue

> Alex
>


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19 15:49                   ` Khem Raj
@ 2019-11-19 16:30                     ` Adrian Bunk
  2019-11-19 16:47                       ` Khem Raj
  2019-11-20 11:57                       ` Ross Burton
  0 siblings, 2 replies; 39+ messages in thread
From: Adrian Bunk @ 2019-11-19 16:30 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On Tue, Nov 19, 2019 at 07:49:15AM -0800, Khem Raj wrote:
> On Tue, Nov 19, 2019 at 3:30 AM Alexander Kanavin
> <alex.kanavin@gmail.com> wrote:
> >
> > On Tue, 19 Nov 2019 at 08:58, Tim Orling <ticotimo@gmail.com> wrote:
> >>
> >>
> >> I have the beginnings of scripts to generate a meta-python2 layer. Someone with a vested interest in keeping python2 supported will need to step up to maintain it. After bitbake and Oe-core moved to python3, my use of python2 has gone to near zero.
> >>
> >> I intend to move all python2 recipes from meta-python to the new layer. meta-python will become python3 only in 3.1 release timeframe. The bb files and inc files will also be merged, simplifying AUH and devtool usage.
> >>
> >> Attempts to send python2 patches to meta-python after that shift will be nacked.
> >
> >
> > Thanks! There is however a missing part: how close is meta-oe to being py2-free? Oe-core is very close (u-boot is the last holdout as noted), but I am not sure that we can simply take out py2, and not have half of meta-oe fail. For instance (random example) mozjs, a fairly important component, still pulls it in, together with a few 3rd party libraries: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/mozjs/mozjs_60.5.2.bb
> >
> > It's tempting to force the transition by breaking things, but it also antagonizes users.
> 
> It's for how python2 should be organised after it retires and
> suggestion is to move it to an independent layer rather than
> meta-openembedded repo,
> whether layers under meta-openembedded will depend on it is a separate issue

You want meta-oe to have a LAYERDEPENDS on a new python2 layer that is 
not in meta-openembedded?

cu
Adrian



* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19 16:30                     ` Adrian Bunk
@ 2019-11-19 16:47                       ` Khem Raj
  2019-11-20 11:57                       ` Ross Burton
  1 sibling, 0 replies; 39+ messages in thread
From: Khem Raj @ 2019-11-19 16:47 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: Patches and discussions about the oe-core layer


On Tue, Nov 19, 2019 at 8:30 AM Adrian Bunk <bunk@stusta.de> wrote:

> On Tue, Nov 19, 2019 at 07:49:15AM -0800, Khem Raj wrote:
> > On Tue, Nov 19, 2019 at 3:30 AM Alexander Kanavin
> > <alex.kanavin@gmail.com> wrote:
> > >
> > > On Tue, 19 Nov 2019 at 08:58, Tim Orling <ticotimo@gmail.com> wrote:
> > >>
> > >>
> > >> I have the beginnings of scripts to generate a meta-python2 layer. Someone with a vested interest in keeping python2 supported will need to step up to maintain it. After bitbake and Oe-core moved to python3, my use of python2 has gone to near zero.
> > >>
> > >> I intend to move all python2 recipes from meta-python to the new layer. meta-python will become python3 only in 3.1 release timeframe. The bb files and inc files will also be merged, simplifying AUH and devtool usage.
> > >>
> > >> Attempts to send python2 patches to meta-python after that shift will be nacked.
> > >
> > >
> > > Thanks! There is however a missing part: how close is meta-oe to being py2-free? Oe-core is very close (u-boot is the last holdout as noted), but I am not sure that we can simply take out py2, and not have half of meta-oe fail. For instance (random example) mozjs, a fairly important component, still pulls it in, together with a few 3rd party libraries: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/mozjs/mozjs_60.5.2.bb
> > >
> > > It's tempting to force the transition by breaking things, but it also antagonizes users.
> >
> > It's for how python2 should be organised after it retires and
> > suggestion is to move it to an independent layer rather than
> > meta-openembedded repo,
> > whether layers under meta-openembedded will depend on it is a separate issue
>
> You want meta-oe to have a LAYERDEPENDS on a new python2 layer that is
> not in meta-openembedded?


Ideally no; preferable is that all recipes move to py3, or they are perhaps
blacklisted until someone ports them to py3



>
> cu
> Adrian
>


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19 11:30                 ` Alexander Kanavin
  2019-11-19 15:49                   ` Khem Raj
@ 2019-11-19 22:44                   ` Andreas Müller
  2019-11-30  9:49                   ` Adrian Bunk
  2 siblings, 0 replies; 39+ messages in thread
From: Andreas Müller @ 2019-11-19 22:44 UTC (permalink / raw)
  To: Alexander Kanavin
  Cc: Patches and discussions about the oe-core layer, Adrian Bunk

On Tue, Nov 19, 2019 at 12:31 PM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> On Tue, 19 Nov 2019 at 08:58, Tim Orling <ticotimo@gmail.com> wrote:
>>
>>
>> I have the beginnings of scripts to generate a meta-python2 layer. Someone with a vested interest in keeping python2 supported will need to step up to maintain it. After bitbake and Oe-core moved to python3, my use of python2 has gone to near zero.
>>
>> I intend to move all python2 recipes from meta-python to the new layer. meta-python will become python3 only in 3.1 release timeframe. The bb files and inc files will also be merged, simplifying AUH and devtool usage.
>>
>> Attempts to send python2 patches to meta-python after that shift will be nacked.
>
>
> Thanks! There is however a missing part: how close is meta-oe to being py2-free? Oe-core is very close (u-boot is the last holdout as noted), but I am not sure that we can simply take out py2, and not have half of meta-oe fail. For instance (random example) mozjs, a fairly important component, still pulls it in, together with a few 3rd party libraries: https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/mozjs/mozjs_60.5.2.bb
Will take care of mozjs and interrupt my gnome crusade till it's done.
Tried that months ago and used firefox-esr sources because there the
transition to python3-build is marked as working.

Unfortunately I did not succeed. Started that they rely on VERY old
version of parts of autotools - think it was automake. Need/like
polkit although I will never understand why a privileged process uses
javascript for configuration files...

Cheers

Andreas



* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19 16:30                     ` Adrian Bunk
  2019-11-19 16:47                       ` Khem Raj
@ 2019-11-20 11:57                       ` Ross Burton
  2019-11-25  3:36                         ` Adrian Bunk
  1 sibling, 1 reply; 39+ messages in thread
From: Ross Burton @ 2019-11-20 11:57 UTC (permalink / raw)
  To: openembedded-core

On 19/11/2019 16:30, Adrian Bunk wrote:
> You want meta-oe to have a LAYERDEPENDS on a new python2 layer that is
> not in meta-openembedded?

Would that be a bad thing?  Layers shouldn't care about where they are 
hosted.

My ideal would be that meta-python2 exists with both the python2 recipes 
and all of the py2 parts of meta-python.  Until meta-oe is Py3-only, it 
can either depend on this layer or recipes are blacklisted unless the 
layer is present.

Ross



* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-18 13:07 [PATCH 01/13] python: update to 2.7.17 Alexander Kanavin
                   ` (13 preceding siblings ...)
  2019-11-18 18:13 ` [PATCH 01/13] python: update to 2.7.17 Khem Raj
@ 2019-11-20 12:56 ` Tom Rini
  2019-11-20 13:47   ` Alexander Kanavin
  14 siblings, 1 reply; 39+ messages in thread
From: Tom Rini @ 2019-11-20 12:56 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: openembedded-core


On Mon, Nov 18, 2019 at 02:07:49PM +0100, Alexander Kanavin wrote:

> Drop backports, rebase a couple of patches.
> 
> This is the second last release of py 2.x; upstream support ends on
> 1 January 2020, there will be one final 2.x afterwards.
> 
> Note that the only thing that still needs python 2.x in oe-core is
> u-boot; when the next u-boot update arrives, we should find out
> where the py3 migration is for that component before merging the
> update.
> 
> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>

I would _really_ like to see someone move master to using v2020.01-rc3
or so for U-Boot as that should not have any Python 2 dependencies left.

-- 
Tom


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-20 12:56 ` Tom Rini
@ 2019-11-20 13:47   ` Alexander Kanavin
  2019-11-20 13:50     ` Tom Rini
  0 siblings, 1 reply; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-20 13:47 UTC (permalink / raw)
  To: Tom Rini; +Cc: OE-core


On Wed, 20 Nov 2019 at 13:56, Tom Rini <trini@konsulko.com> wrote:

> I would _really_ like to see someone move master to using v2020.01-rc3
> or so for U-Boot as that should not have any Python 2 dependencies left.
>

rc3 means the final release is very soon, so we'll gladly update to that.

Alex


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-20 13:47   ` Alexander Kanavin
@ 2019-11-20 13:50     ` Tom Rini
  2019-11-20 15:06       ` Alexander Kanavin
  0 siblings, 1 reply; 39+ messages in thread
From: Tom Rini @ 2019-11-20 13:50 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core


On Wed, Nov 20, 2019 at 02:47:19PM +0100, Alexander Kanavin wrote:
> On Wed, 20 Nov 2019 at 13:56, Tom Rini <trini@konsulko.com> wrote:
> 
> > I would _really_ like to see someone move master to using v2020.01-rc3
> > or so for U-Boot as that should not have any Python 2 dependencies left.
> 
> rc3 means the final release is very soon, so we'll gladly update to that.

Well, the release is scheduled for January 6th.  I'd really like to see
more testing in no-python2 environment.  I believe the Fedora folks have
confirmed things are good now but it would be good to see OE do it too,
especially on master and not too close to branching out another release.

-- 
Tom


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-20 13:50     ` Tom Rini
@ 2019-11-20 15:06       ` Alexander Kanavin
  2019-11-20 15:08         ` Tom Rini
  0 siblings, 1 reply; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-20 15:06 UTC (permalink / raw)
  To: Tom Rini; +Cc: OE-core


On Wed, 20 Nov 2019 at 14:50, Tom Rini <trini@konsulko.com> wrote:

> Well, the release is scheduled for January 6th.  I'd really like to see
> more testing in no-python2 environment.  I believe the Fedora folks have
> confirmed things are good now but it would be good to see OE do it too,
> especially on master and not too close to branching out another release.
>

I made a few patches to do that, and can confirm that various flavours of
u-boot recipe build without issues.

If someone else wants to test a py2-less poky with their builds, here it is:
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akanavin/drop-python2

Alex


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-20 15:06       ` Alexander Kanavin
@ 2019-11-20 15:08         ` Tom Rini
  0 siblings, 0 replies; 39+ messages in thread
From: Tom Rini @ 2019-11-20 15:08 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core


On Wed, Nov 20, 2019 at 04:06:44PM +0100, Alexander Kanavin wrote:
> On Wed, 20 Nov 2019 at 14:50, Tom Rini <trini@konsulko.com> wrote:
> 
> > Well, the release is scheduled for January 6th.  I'd really like to see
> > more testing in no-python2 environment.  I believe the Fedora folks have
> > confirmed things are good now but it would be good to see OE do it too,
> > especially on master and not too close to branching out another release.
> >
> 
> I made a few patches to do that, and can confirm that various flavours of
> u-boot recipe build without issues.
> 
> If someone else wants to test a py2-less poky with their builds, here it is:
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akanavin/drop-python2

Thanks!

-- 
Tom


* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-20 11:57                       ` Ross Burton
@ 2019-11-25  3:36                         ` Adrian Bunk
  0 siblings, 0 replies; 39+ messages in thread
From: Adrian Bunk @ 2019-11-25  3:36 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Wed, Nov 20, 2019 at 11:57:47AM +0000, Ross Burton wrote:
> On 19/11/2019 16:30, Adrian Bunk wrote:
> > You want meta-oe to have a LAYERDEPENDS on a new python2 layer that is
> > not in meta-openembedded?
> 
> Would that be a bad thing?  Layers shouldn't care about where they are
> hosted.

Hosting is less of a problem than maintainership and quality.

And when something isn't good enough for inclusion in meta-oe then 
meta-oe shouldn't depend on it.

> My ideal would be that meta-python2 exists with both the python2 recipes and
> all of the py2 parts of meta-python.  Until meta-oe is Py3-only, it can
> either depend on this layer or recipes are blacklisted unless the layer is
> present.

Layer dependencies are not transparent, a dependency means all users 
have to add meta-python2 to bblayers.conf.

> Ross

cu
Adrian



* Re: [PATCH 01/13] python: update to 2.7.17
  2019-11-19 11:30                 ` Alexander Kanavin
  2019-11-19 15:49                   ` Khem Raj
  2019-11-19 22:44                   ` Andreas Müller
@ 2019-11-30  9:49                   ` Adrian Bunk
  2 siblings, 0 replies; 39+ messages in thread
From: Adrian Bunk @ 2019-11-30  9:49 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: Patches and discussions about the oe-core layer

On Tue, Nov 19, 2019 at 12:30:41PM +0100, Alexander Kanavin wrote:
> On Tue, 19 Nov 2019 at 08:58, Tim Orling <ticotimo@gmail.com> wrote:
> 
> > I have the beginnings of scripts to generate a meta-python2 layer. Someone
> > with a vested interest in keeping python2 supported will need to step up to
> > maintain it. After bitbake and Oe-core moved to python3, my use of python2
> > has gone to near zero.
> >
> > I intend to move all python2 recipes from meta-python to the new layer.
> > meta-python will become python3 only in 3.1 release timeframe. The bb files
> > and inc files will also be merged, simplifying AUH and devtool usage.
> >
> > Attempts to send python2 patches to meta-python after that shift will be
> > nacked.
> 
> Thanks! There is however a missing part: how close is meta-oe to being
> py2-free? Oe-core is very close (u-boot is the last holdout as noted), but
> I am not sure that we can simply take out py2, and not have half of meta-oe
> fail. For instance (random example) mozjs, a fairly important component,
> still pulls it in, together with a few 3rd party libraries:
> https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/mozjs/mozjs_60.5.2.bb
> 
> It's tempting to force the transition by breaking things, but it also
> antagonizes users.

The problem is not that half of meta-oe would fail, but the few hard cases.

There might be 1 or 2 recipes where the rational solution would be to 
keep Python 2 in meta-oe for one release until a new upstream of these 
recipes solves the problem.

AFAIK for nodejs the choice for Yocto 3.1 will be between a short-term 
stable that can be built with Python 3 but will become EOL shortly after 
Yocto 3.1 releases, and an LTS release with upstream support for 2 more 
years that needs Python 2.

Python 2 is security supportable without upstream support since many
other distributions have committed to do the same, security supporting
Node.js without upstream support might be impossible.

> Alex

cu
Adrian



* [PATCH 01/13] python: update to 2.7.17
@ 2019-11-18 14:28 Alexander Kanavin
  0 siblings, 0 replies; 39+ messages in thread
From: Alexander Kanavin @ 2019-11-18 14:28 UTC (permalink / raw)
  To: openembedded-core

Drop backports, rebase a couple of patches.

This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.

Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
 ...-fix-one-do_populate_sysroot-warning.patch |  25 +-
 ...tive_2.7.16.bb => python-native_2.7.17.bb} |   2 +-
 meta/recipes-devtools/python/python.inc       |  10 +-
 ...nt-parse-domains-containing-GH-13079.patch |  90 --------
 ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 --------
 ...Resolve-intermediate-staging-issues.patch} |  53 +++--
 .../python/python/CVE-2018-20852.patch        | 123 ----------
 .../python/python/CVE-2019-9740.patch         | 216 ------------------
 .../python/bpo-35907-cve-2019-9948-fix.patch  |  55 -----
 .../python/bpo-35907-cve-2019-9948.patch      |  55 -----
 .../python/bpo-36216-cve-2019-9636-fix.patch  |  28 ---
 .../python/bpo-36216-cve-2019-9636.patch      | 111 ---------
 .../python/bpo-36742-cve-2019-10160.patch     |  81 -------
 .../{python_2.7.16.bb => python_2.7.17.bb}    |   3 -
 14 files changed, 49 insertions(+), 904 deletions(-)
 rename meta/recipes-devtools/python/{python-native_2.7.16.bb => python-native_2.7.17.bb} (97%)
 delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
 delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
 rename meta/recipes-devtools/python/python/{builddir.patch => 0001-python-Resolve-intermediate-staging-issues.patch} (58%)
 delete mode 100644 meta/recipes-devtools/python/python/CVE-2018-20852.patch
 delete mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
 delete mode 100644 meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
 rename meta/recipes-devtools/python/{python_2.7.16.bb => python_2.7.17.bb} (97%)

diff --git a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
index 989818927d4..707ee596fa4 100644
--- a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
+++ b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
@@ -1,4 +1,4 @@
-From 12292444e1b3662b994bc223d92b8338fb0895ff Mon Sep 17 00:00:00 2001
+From 6cbb7529cf7ff0da3ca649fb3486facd9620d625 Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Thu, 25 Oct 2018 07:32:14 +0000
 Subject: [PATCH] python-native: fix one do_populate_sysroot warning
@@ -17,23 +17,24 @@ when do_populate_sysroot. use append to fix it.
 Upstream-Status: Inappropriate [oe-specific]
 
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
 ---
  setup.py | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/setup.py b/setup.py
-index 7bf13ed..6c0f29b 100644
+index a2c8127..22f9e23 100644
 --- a/setup.py
 +++ b/setup.py
-@@ -40,7 +40,7 @@ def add_dir_to_list(dirlist, dir):
-     1) 'dir' is not already in 'dirlist'
-     2) 'dir' actually exists, and is a directory."""
-     if dir is not None and os.path.isdir(dir) and dir not in dirlist:
--        dirlist.insert(0, dir)
-+        dirlist.append(dir)
-
- def macosx_sdk_root():
-     """
+@@ -47,7 +47,7 @@ def add_dir_to_list(dirlist, dir):
+         else:
+             dir_exists = os.path.isdir(dir)
+         if dir_exists:
+-            dirlist.insert(0, dir)
++            dirlist.append(dir)
+ 
+ MACOS_SDK_ROOT = None
+ 
 -- 
-2.18.0
+2.17.1
 
diff --git a/meta/recipes-devtools/python/python-native_2.7.16.bb b/meta/recipes-devtools/python/python-native_2.7.17.bb
similarity index 97%
rename from meta/recipes-devtools/python/python-native_2.7.16.bb
rename to meta/recipes-devtools/python/python-native_2.7.17.bb
index 90103af8be5..936810d9806 100644
--- a/meta/recipes-devtools/python/python-native_2.7.16.bb
+++ b/meta/recipes-devtools/python/python-native_2.7.17.bb
@@ -11,7 +11,7 @@ SRC_URI += "\
             file://nohostlibs.patch \
             file://multilib.patch \
             file://add-md5module-support.patch \
-            file://builddir.patch \
+            file://0001-python-Resolve-intermediate-staging-issues.patch \
             file://parallel-makeinst-create-bindir.patch \
             file://revert_use_of_sysconfigdata.patch \
             file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \
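Review bot: The SRC_URI entry `file://builddir.patch` is replaced by `file://0001-python-Resolve-intermediate-staging-issues.patch`, but the commit message only says "rebase a couple of patches" and never mentions the rename. Name the old and new file in the commit message so that anyone searching the history for builddir.patch can see where it went.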
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 1462b779e93..a630c26e898 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -8,16 +8,10 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
-           file://bpo-35907-cve-2019-9948.patch \
-           file://bpo-35907-cve-2019-9948-fix.patch \
-           file://bpo-36216-cve-2019-9636.patch \
-           file://bpo-36216-cve-2019-9636-fix.patch \
-           file://CVE-2019-9740.patch \
-           file://CVE-2018-20852.patch \
            "
 
-SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
-SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7"
+SRC_URI[md5sum] = "b3b6d2c92f42a60667814358ab9f0cfd"
+SRC_URI[sha256sum] = "4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41"
 
 # python recipe is actually python 2.x
 # also, exclude pre-releases for both python 2.x and 3.x
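Review bot: Six security backports leave SRC_URI in this hunk (the patch and -fix pairs for CVE-2019-9948 and CVE-2019-9636, plus CVE-2019-9740 and CVE-2018-20852), and the commit message covers them only with "Drop backports". List the CVE IDs in the commit message and state that 2.7.17 contains each fix, so the removal can be checked against CVE tracking later. Separately, the unchanged SRC_URI line still fetches the tarball from `http://www.python.org/...`, which leaves the updated `SRC_URI[sha256sum]` as the only integrity check on the download; moving the URL to https would be a reasonable follow-up.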
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
deleted file mode 100644
index 5415472a358..00000000000
--- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
-Date: Sat, 14 Sep 2019 13:26:38 -0400
-Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
- (GH-16006)
-
-This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
-
-(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
-
-Excludes changes to Lib/email/_header_value_parser.py, which did not
-exist in 2.7.
-
-Co-authored-by: jpic <jpic@users.noreply.github.com>
-
-https://bugs.python.org/issue34155
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
-
-CVE: CVE-2019-16056
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Lib/email/_parseaddr.py                            | 11 ++++++++++-
- Lib/email/test/test_email.py                       | 14 ++++++++++++++
- .../2019-05-04-13-33-37.bpo-34155.MJll68.rst       |  1 +
- 3 files changed, 25 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-
-diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
-index 690db2c22d..dc49d2e45a 100644
---- a/Lib/email/_parseaddr.py
-+++ b/Lib/email/_parseaddr.py
-@@ -336,7 +336,12 @@ class AddrlistClass:
-         aslist.append('@')
-         self.pos += 1
-         self.gotonext()
--        return EMPTYSTRING.join(aslist) + self.getdomain()
-+        domain = self.getdomain()
-+        if not domain:
-+            # Invalid domain, return an empty address instead of returning a
-+            # local part to denote failed parsing.
-+            return EMPTYSTRING
-+        return EMPTYSTRING.join(aslist) + domain
- 
-     def getdomain(self):
-         """Get the complete domain name from an address."""
-@@ -351,6 +356,10 @@ class AddrlistClass:
-             elif self.field[self.pos] == '.':
-                 self.pos += 1
-                 sdlist.append('.')
-+            elif self.field[self.pos] == '@':
-+                # bpo-34155: Don't parse domains with two `@` like
-+                # `a@malicious.org@important.com`.
-+                return EMPTYSTRING
-             elif self.field[self.pos] in self.atomends:
-                 break
-             else:
-diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
-index 4b4dee3d34..2efe44ac5a 100644
---- a/Lib/email/test/test_email.py
-+++ b/Lib/email/test/test_email.py
-@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
-         self.assertEqual(Utils.parseaddr('<>'), ('', ''))
-         self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
- 
-+    def test_parseaddr_multiple_domains(self):
-+        self.assertEqual(
-+            Utils.parseaddr('a@b@c'),
-+            ('', '')
-+        )
-+        self.assertEqual(
-+            Utils.parseaddr('a@b.c@c'),
-+            ('', '')
-+        )
-+        self.assertEqual(
-+            Utils.parseaddr('a@172.17.0.1@c'),
-+            ('', '')
-+        )
-+
-     def test_noquote_dump(self):
-         self.assertEqual(
-             Utils.formataddr(('A Silly Person', 'person@dom.ain')),
-diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-new file mode 100644
-index 0000000000..50292e29ed
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-@@ -0,0 +1 @@
-+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
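Review bot: The deleted file is the backport marked `CVE: CVE-2019-16056`, and nothing in the commit message says that 2.7.17 carries this fix. Before merging, confirm that Lib/email/_parseaddr.py in the 2.7.17 tarball has the `elif self.field[self.pos] == '@':` branch returning EMPTYSTRING and that test_parseaddr_multiple_domains is present in its test suite, and record the CVE ID in the commit message.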
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
deleted file mode 100644
index 3025cf7bc8f..00000000000
--- a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
-From: Dong-hee Na <donghee.na92@gmail.com>
-Date: Tue, 1 Oct 2019 19:58:01 +0900
-Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
- (GH-16447)
-
-Escape the server title of DocXMLRPCServer.DocXMLRPCServer
-when rendering the document page as HTML.
-
-CVE: CVE-2019-16935
-
-Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Lib/DocXMLRPCServer.py                        | 13 +++++++++++-
- Lib/test/test_docxmlrpc.py                    | 20 +++++++++++++++++++
- .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst  |  3 +++
- 3 files changed, 35 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-
-diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
-index 4064ec2e48..90b037dd35 100644
---- a/Lib/DocXMLRPCServer.py
-+++ b/Lib/DocXMLRPCServer.py
-@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
-             CGIXMLRPCRequestHandler,
-             resolve_dotted_attribute)
- 
-+
-+def _html_escape_quote(s):
-+    s = s.replace("&", "&amp;") # Must be done first!
-+    s = s.replace("<", "&lt;")
-+    s = s.replace(">", "&gt;")
-+    s = s.replace('"', "&quot;")
-+    s = s.replace('\'', "&#x27;")
-+    return s
-+
-+
- class ServerHTMLDoc(pydoc.HTMLDoc):
-     """Class used to generate pydoc HTML document for a server"""
- 
-@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
-                                 methods
-                             )
- 
--        return documenter.page(self.server_title, documentation)
-+        title = _html_escape_quote(self.server_title)
-+        return documenter.page(title, documentation)
- 
- class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
-     """XML-RPC and documentation request handler class.
-diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
-index 4dff4159e2..c45b892b8b 100644
---- a/Lib/test/test_docxmlrpc.py
-+++ b/Lib/test/test_docxmlrpc.py
-@@ -1,5 +1,6 @@
- from DocXMLRPCServer import DocXMLRPCServer
- import httplib
-+import re
- import sys
- from test import test_support
- threading = test_support.import_module('threading')
-@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
-         self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
-                       response.read())
- 
-+    def test_server_title_escape(self):
-+        """Test that the server title and documentation
-+        are escaped for HTML.
-+        """
-+        self.serv.set_server_title('test_title<script>')
-+        self.serv.set_server_documentation('test_documentation<script>')
-+        self.assertEqual('test_title<script>', self.serv.server_title)
-+        self.assertEqual('test_documentation<script>',
-+                self.serv.server_documentation)
-+
-+        generated = self.serv.generate_html_documentation()
-+        title = re.search(r'<title>(.+?)</title>', generated).group()
-+        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
-+        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
-+                title)
-+        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
-+                documentation)
-+
-+
- def test_main():
-     test_support.run_unittest(DocXMLRPCHTTPGETServer)
- 
-diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-new file mode 100644
-index 0000000000..8f02baed9e
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-@@ -0,0 +1,3 @@
-+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
-+when rendering the document page as HTML.
-+(Contributed by Dong-hee Na in :issue:`38243`.)
--- 
-2.17.1
-
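Review bot: The Upstream-Status line of this removed backport points at a commit inside pull request 16447 rather than at a commit on the 2.7 branch, so the header alone does not show that the CVE-2019-16935 fix shipped in 2.7.17. Check that Lib/DocXMLRPCServer.py in the new tarball passes `_html_escape_quote(self.server_title)` to documenter.page() before dropping the local copy.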
diff --git a/meta/recipes-devtools/python/python/builddir.patch b/meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
similarity index 58%
rename from meta/recipes-devtools/python/python/builddir.patch
rename to meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
index ad629a022e9..2ff2ccc43dc 100644
--- a/meta/recipes-devtools/python/python/builddir.patch
+++ b/meta/recipes-devtools/python/python/0001-python-Resolve-intermediate-staging-issues.patch
@@ -1,5 +1,10 @@
-When cross compiling python, we used to need to install the Makefile, pyconfig.h 
-and the python library to their final location before being able to compile the 
+From 77bcb3238b2853d511714544e0f84a37be6c79bf Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Wed, 14 Nov 2012 14:31:24 +0000
+Subject: [PATCH] python: Resolve intermediate staging issues
+
+When cross compiling python, we used to need to install the Makefile, pyconfig.h
+and the python library to their final location before being able to compile the
 rest of python. This change allows us to point python at its own source when
 building, avoiding a variety of sysroot staging issues and simplifying the main
 python recipe.
@@ -7,10 +12,29 @@ python recipe.
 Upstream-Status: Inappropriate
 RP 2012/11/13
 
-Index: Python-2.7.9/Lib/sysconfig.py
-===================================================================
---- Python-2.7.9.orig/Lib/sysconfig.py
-+++ Python-2.7.9/Lib/sysconfig.py
+---
+ Lib/distutils/sysconfig.py | 3 +++
+ Lib/sysconfig.py           | 5 ++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py
+index 2f4b8ca..15bceb5 100644
+--- a/Lib/distutils/sysconfig.py
++++ b/Lib/distutils/sysconfig.py
+@@ -31,6 +31,9 @@ else:
+     # sys.executable can be empty if argv[0] has been changed and Python is
+     # unable to retrieve the real program name
+     project_base = os.getcwd()
++_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)
++if _PYTHONBUILDDIR:
++    project_base = _PYTHONBUILDDIR
+ if os.name == "nt" and "pcbuild" in project_base[-8:].lower():
+     project_base = os.path.abspath(os.path.join(project_base, os.path.pardir))
+ # PC/VS7.1
+diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
+index 9c8350d..bddbe2e 100644
+--- a/Lib/sysconfig.py
++++ b/Lib/sysconfig.py
 @@ -93,6 +93,7 @@ _PREFIX = os.path.normpath(sys.prefix)
  _EXEC_PREFIX = os.path.normpath(sys.exec_prefix)
  _CONFIG_VARS = None
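Review bot: In the rebased Lib/distutils/sysconfig.py hunk, `_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)` is read unconditionally at import time and then overrides `project_base`, so the patched module honors the variable wherever it is used, not only while the recipe is building. The patch description should state that PYTHONBUILDDIR is expected to be set only by the build and name what sets it. While the header is being regenerated, `Upstream-Status: Inappropriate` should also get a bracketed reason, since the bare status followed by `RP 2012/11/13` does not say why the change cannot go upstream.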
@@ -30,17 +54,6 @@ Index: Python-2.7.9/Lib/sysconfig.py
      _PROJECT_BASE = os.path.dirname(_safe_realpath(sys.executable))
  else:
      # sys.executable can be empty if argv[0] has been changed and Python is
-Index: Python-2.7.9/Lib/distutils/sysconfig.py
-===================================================================
---- Python-2.7.9.orig/Lib/distutils/sysconfig.py
-+++ Python-2.7.9/Lib/distutils/sysconfig.py
-@@ -26,6 +26,9 @@ EXEC_PREFIX = os.path.normpath(sys.exec_
- # live in project/PCBuild9.  If we're dealing with an x64 Windows build,
- # it'll live in project/PCbuild/amd64.
- project_base = os.path.dirname(os.path.abspath(sys.executable))
-+_PYTHONBUILDDIR = os.environ.get("PYTHONBUILDDIR", None)
-+if _PYTHONBUILDDIR:
-+    project_base = _PYTHONBUILDDIR
- if os.name == "nt" and "pcbuild" in project_base[-8:].lower():
-     project_base = os.path.abspath(os.path.join(project_base, os.path.pardir))
- # PC/VS7.1
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/python/python/CVE-2018-20852.patch b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
deleted file mode 100644
index 23c784a2105..00000000000
--- a/meta/recipes-devtools/python/python/CVE-2018-20852.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001
-From: Xtreak <tir.karthi@gmail.com>
-Date: Sat, 15 Jun 2019 20:59:43 +0530
-Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
- validation (GH-10258) (GH-13426)
-
-This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
-
-
-https://bugs.python.org/issue35121
-CVE: CVE-2018-20852
-Upstream-Status: Backport [https://github.com/python/cpython/pull/13426]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/cookielib.py                              | 13 ++++++--
- Lib/test/test_cookielib.py                    | 30 +++++++++++++++++++
- .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst  |  4 +++
- 3 files changed, 45 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
-
-diff --git a/Lib/cookielib.py b/Lib/cookielib.py
-index 2dd7c48728e0..0b471a42f296 100644
---- a/Lib/cookielib.py
-+++ b/Lib/cookielib.py
-@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request):
-         req_host, erhn = eff_request_host(request)
-         domain = cookie.domain
- 
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+
-         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
-         if (cookie.version == 0 and
-             (self.strict_ns_domain & self.DomainStrictNonDomain) and
-@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request):
-             _debug("   effective request-host name %s does not domain-match "
-                    "RFC 2965 cookie domain %s", erhn, domain)
-             return False
--        if cookie.version == 0 and not ("."+erhn).endswith(domain):
-+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
-             _debug("   request-host %s does not match Netscape cookie domain "
-                    "%s", req_host, domain)
-             return False
-@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request):
-             req_host = "."+req_host
-         if not erhn.startswith("."):
-             erhn = "."+erhn
--        if not (req_host.endswith(domain) or erhn.endswith(domain)):
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
-             #_debug("   request domain %s does not match cookie domain %s",
-             #       req_host, domain)
-             return False
-diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
-index f2dd9727d137..7f7ff614d61d 100644
---- a/Lib/test/test_cookielib.py
-+++ b/Lib/test/test_cookielib.py
-@@ -368,6 +368,7 @@ def test_domain_return_ok(self):
-             ("http://foo.bar.com/", ".foo.bar.com", True),
-             ("http://foo.bar.com/", "foo.bar.com", True),
-             ("http://foo.bar.com/", ".bar.com", True),
-+            ("http://foo.bar.com/", "bar.com", True),
-             ("http://foo.bar.com/", "com", True),
-             ("http://foo.com/", "rhubarb.foo.com", False),
-             ("http://foo.com/", ".foo.com", True),
-@@ -378,6 +379,8 @@ def test_domain_return_ok(self):
-             ("http://foo/", "foo", True),
-             ("http://foo/", "foo.local", True),
-             ("http://foo/", ".local", True),
-+            ("http://barfoo.com", ".foo.com", False),
-+            ("http://barfoo.com", "foo.com", False),
-             ]:
-             request = urllib2.Request(url)
-             r = pol.domain_return_ok(domain, request)
-@@ -938,6 +941,33 @@ def test_domain_block(self):
-         c.add_cookie_header(req)
-         self.assertFalse(req.has_header("Cookie"))
- 
-+        c.clear()
-+
-+        pol.set_blocked_domains([])
-+        req = Request("http://acme.com/")
-+        res = FakeResponse(headers, "http://acme.com/")
-+        cookies = c.make_cookies(res, req)
-+        c.extract_cookies(res, req)
-+        self.assertEqual(len(c), 1)
-+
-+        req = Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertTrue(req.has_header("Cookie"))
-+
-+        req = Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(pol.return_ok(cookies[0], req))
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        p = pol.set_blocked_domains(["acme.com"])
-+        req = Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        req = Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-     def test_secure(self):
-         from cookielib import CookieJar, DefaultCookiePolicy
- 
-diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
-new file mode 100644
-index 000000000000..77251806163b
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
-@@ -0,0 +1,4 @@
-+Don't send cookies of domain A without Domain attribute to domain B when
-+domain A is a suffix match of domain B while using a cookiejar with
-+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
-+Singaravelan.
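Review bot: Deleting this file removes the `CVE: CVE-2018-20852` tag it carried, and the commit message's "Drop backports" does not say which fixes were confirmed present in 2.7.17. The backport changed two places in Lib/cookielib.py, `return_ok_domain` and `domain_return_ok`, both switching the suffix test to `dotdomain`. Please confirm both are in the 2.7.17 tarball and list the CVE id in the commit message so the removal can be audited later.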
diff --git a/meta/recipes-devtools/python/python/CVE-2019-9740.patch b/meta/recipes-devtools/python/python/CVE-2019-9740.patch
deleted file mode 100644
index 95f43e0387d..00000000000
--- a/meta/recipes-devtools/python/python/CVE-2019-9740.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From bb8071a4cae5ab3fe321481dd3d73662ffb26052 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <victor.stinner@gmail.com>
-Date: Tue, 21 May 2019 15:12:33 +0200
-Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
- (GH-13154) (GH-13315)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Disallow control chars in http URLs in urllib2.urlopen.  This
-addresses a potential security problem for applications that do not
-sanity check their URLs where http request headers could be injected.
-
-Disable https related urllib tests on a build without ssl (GH-13032)
-These tests require an SSL enabled build. Skip these tests when
-python is built without SSL to fix test failures.
-
-Use httplib.InvalidURL instead of ValueError as the new error case's
-exception. (GH-13044)
-
-Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
-
-(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
-
-Notes on backport to Python 2.7:
-
-* test_urllib tests urllib.urlopen() which quotes the URL and so is
-  not vulerable to HTTP Header Injection.
-* Add tests to test_urllib2 on urllib2.urlopen().
-* Reject non-ASCII characters: range 0x80-0xff.
-
-Upstream-Status: Backport
-CVE: CVE-2019-9740
-CVE: CVE-2019-9947
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/httplib.py                                | 16 ++++++
- Lib/test/test_urllib.py                       | 25 +++++++++
- Lib/test/test_urllib2.py                      | 51 ++++++++++++++++++-
- Lib/test/test_xmlrpc.py                       |  8 ++-
- .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
- 5 files changed, 99 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-
-diff --git a/Lib/httplib.py b/Lib/httplib.py
-index 60a8fb4e355f..1b41c346e090 100644
---- a/Lib/httplib.py
-+++ b/Lib/httplib.py
-@@ -247,6 +247,16 @@
- _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
- _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
- 
-+# These characters are not allowed within HTTP URL paths.
-+#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
-+#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
-+# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
-+# Restrict non-ASCII characters above \x7f (0x80-0xff).
-+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
-+# Arguably only these _should_ allowed:
-+#  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
-+# We are more lenient for assumed real world compatibility purposes.
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -927,6 +937,12 @@ def putrequest(self, method, url, skip_host=0, skip_accept_encoding=0):
-         self._method = method
-         if not url:
-             url = '/'
-+        # Prevent CVE-2019-9740.
-+        match = _contains_disallowed_url_pchar_re.search(url)
-+        if match:
-+            raise InvalidURL("URL can't contain control characters. %r "
-+                             "(found at least %r)"
-+                             % (url, match.group()))
-         hdr = '%s %s %s' % (method, url, self._http_vsn_str)
- 
-         self._output(hdr)
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index 1ce9201c0693..d7778d4194f3 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -257,6 +257,31 @@ def test_url_fragment(self):
-         finally:
-             self.unfakehttp()
- 
-+    def test_url_with_control_char_rejected(self):
-+        for char_no in range(0, 0x21) + range(0x7f, 0x100):
-+            char = chr(char_no)
-+            schemeless_url = "//localhost:7777/test%s/" % char
-+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+            try:
-+                # urllib quotes the URL so there is no injection.
-+                resp = urllib.urlopen("http:" + schemeless_url)
-+                self.assertNotIn(char, resp.geturl())
-+            finally:
-+                self.unfakehttp()
-+
-+    def test_url_with_newline_header_injection_rejected(self):
-+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
-+        schemeless_url = "//" + host + ":8080/test/?test=a"
-+        try:
-+            # urllib quotes the URL so there is no injection.
-+            resp = urllib.urlopen("http:" + schemeless_url)
-+            self.assertNotIn(' ', resp.geturl())
-+            self.assertNotIn('\r', resp.geturl())
-+            self.assertNotIn('\n', resp.geturl())
-+        finally:
-+            self.unfakehttp()
-+
-     def test_read_bogus(self):
-         # urlopen() should raise IOError for many error codes.
-         self.fakehttp('''HTTP/1.1 401 Authentication Required
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 6d24d5ddf83c..9531818e16b2 100644
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -15,6 +15,9 @@
- except ImportError:
-     ssl = None
- 
-+from test.test_urllib import FakeHTTPMixin
-+
-+
- # XXX
- # Request
- # CacheFTPHandler (hard to write)
-@@ -1262,7 +1265,7 @@ def _test_basic_auth(self, opener, auth_handler, auth_header,
-         self.assertEqual(len(http_handler.requests), 1)
-         self.assertFalse(http_handler.requests[0].has_header(auth_header))
- 
--class MiscTests(unittest.TestCase):
-+class MiscTests(unittest.TestCase, FakeHTTPMixin):
- 
-     def test_build_opener(self):
-         class MyHTTPHandler(urllib2.HTTPHandler): pass
-@@ -1317,6 +1320,52 @@ def test_unsupported_algorithm(self):
-             "Unsupported digest authentication algorithm 'invalid'"
-         )
- 
-+    @unittest.skipUnless(ssl, "ssl module required")
-+    def test_url_with_control_char_rejected(self):
-+        for char_no in range(0, 0x21) + range(0x7f, 0x100):
-+            char = chr(char_no)
-+            schemeless_url = "//localhost:7777/test%s/" % char
-+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+            try:
-+                # We explicitly test urllib.request.urlopen() instead of the top
-+                # level 'def urlopen()' function defined in this... (quite ugly)
-+                # test suite.  They use different url opening codepaths.  Plain
-+                # urlopen uses FancyURLOpener which goes via a codepath that
-+                # calls urllib.parse.quote() on the URL which makes all of the
-+                # above attempts at injection within the url _path_ safe.
-+                escaped_char_repr = repr(char).replace('\\', r'\\')
-+                InvalidURL = httplib.InvalidURL
-+                with self.assertRaisesRegexp(
-+                    InvalidURL, "contain control.*" + escaped_char_repr):
-+                    urllib2.urlopen("http:" + schemeless_url)
-+                with self.assertRaisesRegexp(
-+                    InvalidURL, "contain control.*" + escaped_char_repr):
-+                    urllib2.urlopen("https:" + schemeless_url)
-+            finally:
-+                self.unfakehttp()
-+
-+    @unittest.skipUnless(ssl, "ssl module required")
-+    def test_url_with_newline_header_injection_rejected(self):
-+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
-+        schemeless_url = "//" + host + ":8080/test/?test=a"
-+        try:
-+            # We explicitly test urllib2.urlopen() instead of the top
-+            # level 'def urlopen()' function defined in this... (quite ugly)
-+            # test suite.  They use different url opening codepaths.  Plain
-+            # urlopen uses FancyURLOpener which goes via a codepath that
-+            # calls urllib.parse.quote() on the URL which makes all of the
-+            # above attempts at injection within the url _path_ safe.
-+            InvalidURL = httplib.InvalidURL
-+            with self.assertRaisesRegexp(
-+                InvalidURL, r"contain control.*\\r.*(found at least . .)"):
-+                urllib2.urlopen("http:" + schemeless_url)
-+            with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
-+                urllib2.urlopen("https:" + schemeless_url)
-+        finally:
-+            self.unfakehttp()
-+
-+
- 
- class RequestTests(unittest.TestCase):
- 
-diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
-index 36b3be67fd6b..90ccb30716ff 100644
---- a/Lib/test/test_xmlrpc.py
-+++ b/Lib/test/test_xmlrpc.py
-@@ -659,7 +659,13 @@ def test_dotted_attribute(self):
-     def test_partial_post(self):
-         # Check that a partial POST doesn't make the server loop: issue #14001.
-         conn = httplib.HTTPConnection(ADDR, PORT)
--        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
-+        conn.send('POST /RPC2 HTTP/1.0\r\n'
-+                  'Content-Length: 100\r\n\r\n'
-+                  'bye HTTP/1.1\r\n'
-+                  'Host: %s:%s\r\n'
-+                  'Accept-Encoding: identity\r\n'
-+                  'Content-Length: 0\r\n\r\n'
-+                  % (ADDR, PORT))
-         conn.close()
- 
- class SimpleServerEncodingTestCase(BaseServerTestCase):
-diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-new file mode 100644
-index 000000000000..47cb899df1af
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-@@ -0,0 +1 @@
-+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request.  Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
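Review bot: This one file carries two tags, `CVE: CVE-2019-9740` and `CVE: CVE-2019-9947`, so dropping it retires both fixes at once and the commit message should name both. The check to look for in 2.7.17's Lib/httplib.py is the `_contains_disallowed_url_pchar_re.search(url)` test in `putrequest`, including the rejection of 0x80-0xff that the backport notes list as specific to the 2.7 port.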
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
deleted file mode 100644
index b2672370186..00000000000
--- a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
-From: Sihoon Lee <push0ebp@gmail.com>
-Date: Fri, 17 May 2019 02:41:06 +0900
-Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
- assertRasies in DummyURLopener test, and simplify mitigation
-
-Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
-
-CVE: CVE-2019-9948
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Lib/test/test_urllib.py | 11 +++--------
- Lib/urllib.py           |  4 ++--
- 2 files changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index e5f210e62a18..1e23dfb0bb16 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
-         class DummyURLopener(urllib.URLopener):
-             def open_local_file(self, url):
-                 return url
--        self.assertEqual(DummyURLopener().open(
--            'local-file://example'), '//example')
--        self.assertEqual(DummyURLopener().open(
--            'local_file://example'), '//example')
--        self.assertRaises(IOError, urllib.urlopen,
--            'local-file://example')
--        self.assertRaises(IOError, urllib.urlopen,
--            'local_file://example')
-+        for url in ('local_file://example', 'local-file://example'):
-+            self.assertRaises(IOError, DummyURLopener().open, url)
-+            self.assertRaises(IOError, urllib.urlopen, url)
- 
- # Just commented them out.
- # Can't really tell why keep failing in windows and sparc.
-diff --git a/Lib/urllib.py b/Lib/urllib.py
-index a24e9a5c68fb..39b834054e9e 100644
---- a/Lib/urllib.py
-+++ b/Lib/urllib.py
-@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
-         name = 'open_' + urltype
-         self.type = urltype
-         name = name.replace('-', '_')
--        
-+
-         # bpo-35907: # disallow the file reading with the type not allowed
-         if not hasattr(self, name) or \
--            (self == _urlopener and name == 'open_local_file'):
-+            getattr(self, name) == self.open_local_file:
-             if proxy:
-                 return self.open_unknown_proxy(proxy, fullurl, data)
-             else:
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
deleted file mode 100644
index f4c225d2fcf..00000000000
--- a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
-From: push0ebp <push0ebp@shl-MacBook-Pro.local>
-Date: Thu, 14 Feb 2019 02:05:46 +0900
-Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
- URL scheme in urllib
-
-Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
-
-CVE: CVE-2019-9948
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Lib/test/test_urllib.py | 12 ++++++++++++
- Lib/urllib.py           |  5 ++++-
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index 1ce9201c0693..e5f210e62a18 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -1023,6 +1023,18 @@ def open_spam(self, url):
-             "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
-             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
- 
-+    def test_local_file_open(self):
-+        class DummyURLopener(urllib.URLopener):
-+            def open_local_file(self, url):
-+                return url
-+        self.assertEqual(DummyURLopener().open(
-+            'local-file://example'), '//example')
-+        self.assertEqual(DummyURLopener().open(
-+            'local_file://example'), '//example')
-+        self.assertRaises(IOError, urllib.urlopen,
-+            'local-file://example')
-+        self.assertRaises(IOError, urllib.urlopen,
-+            'local_file://example')
- 
- # Just commented them out.
- # Can't really tell why keep failing in windows and sparc.
-diff --git a/Lib/urllib.py b/Lib/urllib.py
-index d85504a5cb7e..a24e9a5c68fb 100644
---- a/Lib/urllib.py
-+++ b/Lib/urllib.py
-@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
-         name = 'open_' + urltype
-         self.type = urltype
-         name = name.replace('-', '_')
--        if not hasattr(self, name):
-+        
-+        # bpo-35907: # disallow the file reading with the type not allowed
-+        if not hasattr(self, name) or \
-+            (self == _urlopener and name == 'open_local_file'):
-             if proxy:
-                 return self.open_unknown_proxy(proxy, fullurl, data)
-             else:
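Review bot: Both bpo-35907 patches are marked `Upstream-Status: Submitted` against pull 11842 rather than Backport, so nothing in these files records that the change was merged or in what form. Before dropping them, check that `URLopener.open` in 2.7.17 rejects `local_file://` and `local-file://` the way the follow-up patch does (`getattr(self, name) == self.open_local_file`), and record the result for CVE-2019-9948 in the commit message.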
diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
deleted file mode 100644
index 2ce4d2cde7a..00000000000
--- a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 06b5ee585d6e76bdbb4002f642d864d860cbbd2b Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@python.org>
-Date: Tue, 12 Mar 2019 08:23:33 -0700
-Subject: [PATCH] bpo-36216: Only print test messages when verbose
-
-CVE: CVE-2019-9636
- 
-Upstream-Status: Backport https://github.com/python/cpython/pull/12291/commits/06b5ee585d6e76bdbb4002f642d864d860cbbd2b
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Lib/test/test_urlparse.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 73b0228ea8e3..1830d0b28688 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -644,7 +644,8 @@ def test_urlsplit_normalization(self):
-         for scheme in [u"http", u"https", u"ftp"]:
-             for c in denorm_chars:
-                 url = u"{}://netloc{}false.netloc/path".format(scheme, c)
--                print "Checking %r" % url
-+                if test_support.verbose:
-+                    print "Checking %r" % url
-                 with self.assertRaises(ValueError):
-                     urlparse.urlsplit(url)
- 
diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
deleted file mode 100644
index 352b13ba9b5..00000000000
--- a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@python.org>
-Date: Thu, 7 Mar 2019 08:25:22 -0800
-Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
- to separators (GH-12201)
-
-CVE: CVE-2019-9636
-
-Upstream-Status: Backport https://github.com/python/cpython/pull/12216/commits/3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- Doc/library/urlparse.rst                      | 20 ++++++++++++++++
- Lib/test/test_urlparse.py                     | 24 +++++++++++++++++++
- Lib/urlparse.py                               | 17 +++++++++++++
- .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
- 4 files changed, 64 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 4e1ded73c266..73b0228ea8e3 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1,4 +1,6 @@
- from test import test_support
-+import sys
-+import unicodedata
- import unittest
- import urlparse
- 
-@@ -624,6 +626,28 @@ def test_portseparator(self):
-         self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
-                 ('http','www.python.org:80','','','',''))
- 
-+    def test_urlsplit_normalization(self):
-+        # Certain characters should never occur in the netloc,
-+        # including under normalization.
-+        # Ensure that ALL of them are detected and cause an error
-+        illegal_chars = u'/:#?@'
-+        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
-+        denorm_chars = [
-+            c for c in map(unichr, range(128, sys.maxunicode))
-+            if (hex_chars & set(unicodedata.decomposition(c).split()))
-+            and c not in illegal_chars
-+        ]
-+        # Sanity check that we found at least one such character
-+        self.assertIn(u'\u2100', denorm_chars)
-+        self.assertIn(u'\uFF03', denorm_chars)
-+
-+        for scheme in [u"http", u"https", u"ftp"]:
-+            for c in denorm_chars:
-+                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
-+                print "Checking %r" % url
-+                with self.assertRaises(ValueError):
-+                    urlparse.urlsplit(url)
-+
- def test_main():
-     test_support.run_unittest(UrlParseTestCase)
- 
-diff --git a/Lib/urlparse.py b/Lib/urlparse.py
-index f7c2b032b097..54eda08651ab 100644
---- a/Lib/urlparse.py
-+++ b/Lib/urlparse.py
-@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
-             delim = min(delim, wdelim)     # use earliest delim position
-     return url[start:delim], url[delim:]   # return (domain, rest)
- 
-+def _checknetloc(netloc):
-+    if not netloc or not isinstance(netloc, unicode):
-+        return
-+    # looking for characters like \u2100 that expand to 'a/c'
-+    # IDNA uses NFKC equivalence, so normalize for this check
-+    import unicodedata
-+    netloc2 = unicodedata.normalize('NFKC', netloc)
-+    if netloc == netloc2:
-+        return
-+    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-+    for c in '/?#@:':
-+        if c in netloc2:
-+            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+                             "characters under NFKC normalization")
-+
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
-     <scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-                 url, fragment = url.split('#', 1)
-             if '?' in url:
-                 url, query = url.split('?', 1)
-+            _checknetloc(netloc)
-             v = SplitResult(scheme, netloc, url, query, fragment)
-             _parse_cache[key] = v
-             return v
-@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-         url, query = url.split('?', 1)
-+    _checknetloc(netloc)
-     v = SplitResult(scheme, netloc, url, query, fragment)
-     _parse_cache[key] = v
-     return v
-diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-new file mode 100644
-index 000000000000..1e1ad92c6feb
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-@@ -0,0 +1,3 @@
-+Changes urlsplit() to raise ValueError when the URL contains characters that
-+decompose under IDNA encoding (NFKC-normalization) into characters that
-+affect how the URL is parsed.
-\ No newline at end of file
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
deleted file mode 100644
index 1b6cb8cf3e6..00000000000
--- a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 10 Oct 2019 16:32:19 +0800
-Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
- urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
-
-Upstream-Status: Backport
-
-https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
-https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
-
-CVE: CVE-2019-10160
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- Lib/test/test_urlparse.py | 19 +++++++++++++------
- Lib/urlparse.py           | 14 +++++++++-----
- 2 files changed, 22 insertions(+), 11 deletions(-)
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 1830d0b..857ed96 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
-         self.assertIn(u'\u2100', denorm_chars)
-         self.assertIn(u'\uFF03', denorm_chars)
- 
-+        # bpo-36742: Verify port separators are ignored when they
-+        # existed prior to decomposition
-+        urlparse.urlsplit(u'http://\u30d5\u309a:80')
-+        with self.assertRaises(ValueError):
-+            urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
-+
-         for scheme in [u"http", u"https", u"ftp"]:
--            for c in denorm_chars:
--                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
--                if test_support.verbose:
--                    print "Checking %r" % url
--                with self.assertRaises(ValueError):
--                    urlparse.urlsplit(url)
-+            for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
-+                for c in denorm_chars:
-+                    url = u"{}://{}/path".format(scheme, netloc.format(c))
-+                    if test_support.verbose:
-+                        print "Checking %r" % url
-+                    with self.assertRaises(ValueError):
-+                        urlparse.urlsplit(url)
- 
- def test_main():
-     test_support.run_unittest(UrlParseTestCase)
-diff --git a/Lib/urlparse.py b/Lib/urlparse.py
-index 54eda08..e34b368 100644
---- a/Lib/urlparse.py
-+++ b/Lib/urlparse.py
-@@ -171,14 +171,18 @@ def _checknetloc(netloc):
-     # looking for characters like \u2100 that expand to 'a/c'
-     # IDNA uses NFKC equivalence, so normalize for this check
-     import unicodedata
--    netloc2 = unicodedata.normalize('NFKC', netloc)
--    if netloc == netloc2:
-+    n = netloc.replace(u'@', u'') # ignore characters already included
-+    n = n.replace(u':', u'')      # but not the surrounding text
-+    n = n.replace(u'#', u'')
-+    n = n.replace(u'?', u'')
-+
-+    netloc2 = unicodedata.normalize('NFKC', n)
-+    if n == netloc2:
-         return
--    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-     for c in '/?#@:':
-         if c in netloc2:
--            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
--                             "characters under NFKC normalization")
-+            raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
-+                             u"characters under NFKC normalization")
- 
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
--- 
-2.7.4
-
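Review bot: The header of this removed backport carries "CVE: CVE-2019-10160" and links to two upstream commits, but the commit message says only "Drop backports". Once the file is deleted, nothing in the tree records which release covers that CVE. Please list the dropped CVE identifiers in the commit message. The Subject line shows this backport combined the original urlsplit() fix with the follow-up "Corrects fix to handle decomposition in usernames", so also confirm that both referenced commits are present in 2.7.17, not just the first.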
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.17.bb
similarity index 97%
rename from meta/recipes-devtools/python/python_2.7.16.bb
rename to meta/recipes-devtools/python/python_2.7.17.bb
index 625c5312a6e..5b856a50977 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.17.bb
@@ -30,9 +30,6 @@ SRC_URI += " \
            file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
            file://float-endian.patch \
            file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
-           file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
-           file://bpo-36742-cve-2019-10160.patch \
-           file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"
-- 
2.17.1


