* [OE-core][dunfell 00/14] Patch review
@ 2021-06-28 15:05 Steve Sakoman
2021-06-28 15:05 ` [OE-core][dunfell 01/14] uninative: Upgrade to 3.2 (gcc11 support) Steve Sakoman
` (14 more replies)
0 siblings, 15 replies; 17+ messages in thread
From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2291
The following changes since commit ac8181d9b9ad8360f7dba03aba8b00f008c6ebb4:
Revert "python3: fix CVE-2021-23336" (2021-06-19 13:11:58 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jasper Orschulko (3):
expat: fix CVE-2013-0340
libxml2: Fix CVE-2021-3518
libx11: Fix CVE-2021-31535
Michael Halstead (1):
uninative: Upgrade to 3.2 (gcc11 support)
Tim Orling (10):
python3: upgrade 3.8.2 -> 3.8.3
python3: upgrade 3.8.3 -> 3.8.4
python3: upgrade 3.8.4 -> 3.8.5
python3: upgrade 3.8.5 -> 3.8.6
python3: upgrade 3.8.6 -> 3.8.7
python3: upgrade 3.8.7 -> 3.8.8
powertop: fix aclocal error too many loops
python3: upgrade 3.8.8 -> 3.8.9
python3: upgrade 3.8.9 -> 3.8.10
python3-ptest: add newly discovered missing rdeps
meta/conf/distro/include/yocto-uninative.inc | 8 +-
.../expat/expat/CVE-2013-0340.patch | 1758 +++++++++++++++++
.../expat/expat/libtool-tag.patch | 41 +-
meta/recipes-core/expat/expat_2.2.9.bb | 12 +-
.../libxml/libxml2/CVE-2021-3518.patch | 112 ++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ---
...le.py-correct-the-test-output-format.patch | 24 +-
.../python/python3/CVE-2019-20907.patch | 44 -
.../python/python3/CVE-2020-14422.patch | 77 -
.../python/python3/CVE-2020-26116.patch | 104 -
.../python/python3/CVE-2020-27619.patch | 70 -
.../python/python3/CVE-2021-3177.patch | 191 --
.../{python3_3.8.2.bb => python3_3.8.10.bb} | 19 +-
.../xorg-lib/libx11/CVE-2021-31535.patch | 333 ++++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 +
...2-configure.ac-ax_add_fortify_source.patch | 70 +
...003-configure-Use-AX_REQUIRE_DEFINED.patch | 29 +
meta/recipes-kernel/powertop/powertop_2.10.bb | 8 +-
19 files changed, 2357 insertions(+), 793 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.10.bb} (95%)
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
create mode 100644 meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
create mode 100644 meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
--
2.25.1
^ permalink raw reply [flat|nested] 17+ messages in thread* [OE-core][dunfell 01/14] uninative: Upgrade to 3.2 (gcc11 support) 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 02/14] expat: fix CVE-2013-0340 Steve Sakoman ` (13 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Michael Halstead <mhalstead@linuxfoundation.org> This upgrade builds unnative with gcc11 allowing it to work with newer distros using gcc 11. Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a1c7b71c109ca68931d098f4149ab8284d56108e) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/conf/distro/include/yocto-uninative.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 05b79d14c3..740cca0ecf 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc @@ -8,7 +8,7 @@ UNINATIVE_MAXGLIBCVERSION = "2.33" -UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.1/" -UNINATIVE_CHECKSUM[aarch64] ?= "7fa12b9fe7a95934cc09beb0e8a25ff97179ef3105116015d32548eadd27b024" -UNINATIVE_CHECKSUM[i686] ?= "bbfcdd48336800b5af97e294918c6586a0a8fa903f127f813b0bd5110de8c55c" -UNINATIVE_CHECKSUM[x86_64] ?= "5d0611df544edff6428cef7d871257a91aa6ba1bd92f5365a2df8deb54b6b31e" +UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.2/" +UNINATIVE_CHECKSUM[aarch64] ?= "4f0872cdca2775b637a8a99815ca5c8dd42146abe903a24a50ee0448358c764b" +UNINATIVE_CHECKSUM[i686] ?= "e2eeab92e67263db37d9bb6d4c58579abd1f47ff4cded3171bde572fece124b2" +UNINATIVE_CHECKSUM[x86_64] ?= "3ee8c7d55e2d4c7ae3887cddb97219f97b94efddfeee2e24923c0cb0e8ce84c6" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 02/14] expat: fix CVE-2013-0340 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 01/14] uninative: Upgrade to 3.2 (gcc11 support) Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 03/14] libxml2: Fix CVE-2021-3518 Steve Sakoman ` (12 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Jasper Orschulko <jasper@fancydomain.eu> expat < 4.0 is vulnerable to billion laughs attacks (see [https://github.com/libexpat/libexpat/issues/34]). This patch backports the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8 and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream. Additionally, the SRC_URI had to be adjusted due to renaming of the source archive Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../expat/expat/CVE-2013-0340.patch | 1758 +++++++++++++++++ .../expat/expat/libtool-tag.patch | 41 +- meta/recipes-core/expat/expat_2.2.9.bb | 12 +- 3 files changed, 1782 insertions(+), 29 deletions(-) create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch new file mode 100644 index 0000000000..1ab4d06508 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch @@ -0,0 +1,1758 @@ +From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Mon, 19 Apr 2021 21:42:51 +0200 +Subject: [PATCH] expat: Backport fix for CVE-2013-0340 + +Issue: https://github.com/libexpat/libexpat/issues/34 + +This patch cherry-picks the following commits from upstream release +2.4.0 onto 2.2.9: + +- b1d039607d3d8a042bf0466bfcc1c0f104e353c8 +- 60959f2b491876199879d97c8ed956eabb0c2e73 + +Upstream-Status: Backport +CVE: CVE-2013-0340 +Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> +--- + lib/expat.h | 21 +- + lib/internal.h | 30 + + lib/libexpat.def | 3 + + lib/libexpatw.def | 3 + + lib/xmlparse.c | 1147 +++++++++++++++++++++++++++++++++++++-- + 5 files changed, 1143 insertions(+), 61 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index 48a6e2a3..0fb70d9d 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -115,7 +115,9 @@ enum XML_Error { + XML_ERROR_RESERVED_PREFIX_XMLNS, + XML_ERROR_RESERVED_NAMESPACE_URI, + /* Added in 2.2.1. */ +- XML_ERROR_INVALID_ARGUMENT ++ XML_ERROR_INVALID_ARGUMENT, ++ /* Added in 2.4.0. */ ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH + }; + + enum XML_Content_Type { +@@ -997,7 +999,10 @@ enum XML_FeatureEnum { + XML_FEATURE_SIZEOF_XML_LCHAR, + XML_FEATURE_NS, + XML_FEATURE_LARGE_SIZE, +- XML_FEATURE_ATTR_INFO ++ XML_FEATURE_ATTR_INFO, ++ /* Added in Expat 2.4.0. */ ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT + /* Additional features must be added to the end of this enum. */ + }; + +@@ -1010,6 +1015,18 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + ++#ifdef XML_DTD ++/* Added in Expat 2.4.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++ XML_Parser parser, float maximumAmplificationFactor); ++ ++/* Added in Expat 2.4.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetBillionLaughsAttackProtectionActivationThreshold( ++ XML_Parser parser, unsigned long long activationThresholdBytes); ++#endif ++ + /* Expat follows the semantic versioning convention. + See http://semver.org. + */ +diff --git a/lib/internal.h b/lib/internal.h +index 60913dab..d8b31fa2 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -101,10 +101,40 @@ + # endif + #endif + ++#include <limits.h> // ULONG_MAX ++ ++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO) ++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u" ++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d" ++# else ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#else ++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu" ++# if ! defined(ULONG_MAX) ++# error Compiler did not define ULONG_MAX for us ++# elif ULONG_MAX == 18446744073709551615u // 2^64-1 ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld" ++# else ++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d" ++# endif ++#endif ++ + #ifndef UNUSED_P + # define UNUSED_P(p) (void)p + #endif + ++/* NOTE BEGIN If you ever patch these defaults to greater values ++ for non-attack XML payload in your environment, ++ please file a bug report with libexpat. Thank you! ++*/ ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \ ++ 100.0f ++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \ ++ 8388608 // 8 MiB, 2^23 ++/* NOTE END */ ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/lib/libexpat.def b/lib/libexpat.def +index 16faf595..5aefa6df 100644 +--- a/lib/libexpat.def ++++ b/lib/libexpat.def +@@ -76,3 +76,6 @@ EXPORTS + XML_SetHashSalt @67 + ; added with version 2.2.5 + _INTERNAL_trim_to_complete_utf8_characters @68 ++; added with version 2.4.0 ++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 ++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 +diff --git a/lib/libexpatw.def b/lib/libexpatw.def +index 16faf595..5aefa6df 100644 +--- a/lib/libexpatw.def ++++ b/lib/libexpatw.def +@@ -76,3 +76,6 @@ EXPORTS + XML_SetHashSalt @67 + ; added with version 2.2.5 + _INTERNAL_trim_to_complete_utf8_characters @68 ++; added with version 2.4.0 ++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 ++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 3aaf35b9..6790bc28 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -47,6 +47,8 @@ + #include <limits.h> /* UINT_MAX */ + #include <stdio.h> /* fprintf */ + #include <stdlib.h> /* getenv, rand_s */ ++#include <stdint.h> /* uintptr_t */ ++#include <math.h> /* isnan */ + + #ifdef _WIN32 + # define getpid GetCurrentProcessId +@@ -373,6 +375,31 @@ typedef struct open_internal_entity { + XML_Bool betweenDecl; /* WFC: PE Between Declarations */ + } OPEN_INTERNAL_ENTITY; + ++enum XML_Account { ++ XML_ACCOUNT_DIRECT, /* bytes directly passed to the Expat parser */ ++ XML_ACCOUNT_ENTITY_EXPANSION, /* intermediate bytes produced during entity ++ expansion */ ++ XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */ ++}; ++ ++#ifdef XML_DTD ++typedef unsigned long long XmlBigCount; ++typedef struct accounting { ++ XmlBigCount countBytesDirect; ++ XmlBigCount countBytesIndirect; ++ int debugLevel; ++ float maximumAmplificationFactor; // >=1.0 ++ unsigned long long activationThresholdBytes; ++} ACCOUNTING; ++ ++typedef struct entity_stats { ++ unsigned int countEverOpened; ++ unsigned int currentDepth; ++ unsigned int maximumDepthSeen; ++ int debugLevel; ++} ENTITY_STATS; ++#endif /* XML_DTD */ ++ + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start, + const char *end, const char **endPtr); + +@@ -403,16 +430,18 @@ static enum XML_Error initializeEncoding(XML_Parser parser); + static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc, + const char *s, const char *end, int tok, + const char *next, const char **nextPtr, +- XML_Bool haveMore, XML_Bool allowClosingDoctype); ++ XML_Bool haveMore, XML_Bool allowClosingDoctype, ++ enum XML_Account account); + static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity, + XML_Bool betweenDecl); + static enum XML_Error doContent(XML_Parser parser, int startTagLevel, + const ENCODING *enc, const char *start, + const char *end, const char **endPtr, +- XML_Bool haveMore); ++ XML_Bool haveMore, enum XML_Account account); + static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *, + const char **startPtr, const char *end, +- const char **nextPtr, XML_Bool haveMore); ++ const char **nextPtr, XML_Bool haveMore, ++ enum XML_Account account); + #ifdef XML_DTD + static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *, + const char **startPtr, const char *end, +@@ -422,7 +451,8 @@ static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *, + static void freeBindings(XML_Parser parser, BINDING *bindings); + static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *, + const char *s, TAG_NAME *tagNamePtr, +- BINDING **bindingsPtr); ++ BINDING **bindingsPtr, ++ enum XML_Account account); + static enum XML_Error addBinding(XML_Parser parser, PREFIX *prefix, + const ATTRIBUTE_ID *attId, const XML_Char *uri, + BINDING **bindingsPtr); +@@ -431,15 +461,18 @@ static int defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *, XML_Bool isCdata, + XML_Parser parser); + static enum XML_Error storeAttributeValue(XML_Parser parser, const ENCODING *, + XML_Bool isCdata, const char *, +- const char *, STRING_POOL *); ++ const char *, STRING_POOL *, ++ enum XML_Account account); + static enum XML_Error appendAttributeValue(XML_Parser parser, const ENCODING *, + XML_Bool isCdata, const char *, +- const char *, STRING_POOL *); ++ const char *, STRING_POOL *, ++ enum XML_Account account); + static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end); + static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *); + static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc, +- const char *start, const char *end); ++ const char *start, const char *end, ++ enum XML_Account account); + static int reportProcessingInstruction(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end); + static int reportComment(XML_Parser parser, const ENCODING *enc, +@@ -503,6 +536,35 @@ static XML_Parser parserCreate(const XML_Char *encodingName, + + static void parserInit(XML_Parser parser, const XML_Char *encodingName); + ++#ifdef XML_DTD ++static float accountingGetCurrentAmplification(XML_Parser rootParser); ++static void accountingReportStats(XML_Parser originParser, const char *epilog); ++static void accountingOnAbort(XML_Parser originParser); ++static void accountingReportDiff(XML_Parser rootParser, ++ unsigned int levelsAwayFromRootParser, ++ const char *before, const char *after, ++ ptrdiff_t bytesMore, int source_line, ++ enum XML_Account account); ++static XML_Bool accountingDiffTolerated(XML_Parser originParser, int tok, ++ const char *before, const char *after, ++ int source_line, ++ enum XML_Account account); ++ ++static void entityTrackingReportStats(XML_Parser parser, ENTITY *entity, ++ const char *action, int sourceLine); ++static void entityTrackingOnOpen(XML_Parser parser, ENTITY *entity, ++ int sourceLine); ++static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity, ++ int sourceLine); ++ ++static XML_Parser getRootParserOf(XML_Parser parser, ++ unsigned int *outLevelDiff); ++static const char *unsignedCharToPrintable(unsigned char c); ++#endif /* XML_DTD */ ++ ++static unsigned long getDebugLevel(const char *variableName, ++ unsigned long defaultDebugLevel); ++ + #define poolStart(pool) ((pool)->start) + #define poolEnd(pool) ((pool)->ptr) + #define poolLength(pool) ((pool)->ptr - (pool)->start) +@@ -616,6 +678,10 @@ struct XML_ParserStruct { + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif + unsigned long m_hash_secret_salt; ++#ifdef XML_DTD ++ ACCOUNTING m_accounting; ++ ENTITY_STATS m_entity_stats; ++#endif + }; + + #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s))) +@@ -1055,6 +1121,18 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER; + #endif + parser->m_hash_secret_salt = 0; ++ ++#ifdef XML_DTD ++ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); ++ parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u); ++ parser->m_accounting.maximumAmplificationFactor ++ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT; ++ parser->m_accounting.activationThresholdBytes ++ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT; ++ ++ memset(&parser->m_entity_stats, 0, sizeof(ENTITY_STATS)); ++ parser->m_entity_stats.debugLevel = getDebugLevel("EXPAT_ENTITY_DEBUG", 0u); ++#endif + } + + /* moves list of bindings to m_freeBindingList */ +@@ -2318,6 +2396,10 @@ XML_ErrorString(enum XML_Error code) { + /* Added in 2.2.5. */ + case XML_ERROR_INVALID_ARGUMENT: /* Constant added in 2.2.1, already */ + return XML_L("invalid argument"); ++ /* Added in 2.4.0. */ ++ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH: ++ return XML_L( ++ "limit on input amplification factor (from DTD and entities) breached"); + } + return NULL; + } +@@ -2354,41 +2436,75 @@ XML_ExpatVersionInfo(void) { + + const XML_Feature *XMLCALL + XML_GetFeatureList(void) { +- static const XML_Feature features[] +- = {{XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"), +- sizeof(XML_Char)}, +- {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"), +- sizeof(XML_LChar)}, ++ static const XML_Feature features[] = { ++ {XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"), ++ sizeof(XML_Char)}, ++ {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"), ++ sizeof(XML_LChar)}, + #ifdef XML_UNICODE +- {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0}, ++ {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0}, + #endif + #ifdef XML_UNICODE_WCHAR_T +- {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0}, ++ {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0}, + #endif + #ifdef XML_DTD +- {XML_FEATURE_DTD, XML_L("XML_DTD"), 0}, ++ {XML_FEATURE_DTD, XML_L("XML_DTD"), 0}, + #endif + #ifdef XML_CONTEXT_BYTES +- {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"), +- XML_CONTEXT_BYTES}, ++ {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"), ++ XML_CONTEXT_BYTES}, + #endif + #ifdef XML_MIN_SIZE +- {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0}, ++ {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0}, + #endif + #ifdef XML_NS +- {XML_FEATURE_NS, XML_L("XML_NS"), 0}, ++ {XML_FEATURE_NS, XML_L("XML_NS"), 0}, + #endif + #ifdef XML_LARGE_SIZE +- {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0}, ++ {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0}, + #endif + #ifdef XML_ATTR_INFO +- {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, ++ {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, + #endif +- {XML_FEATURE_END, NULL, 0}}; ++#ifdef XML_DTD ++ /* Added in Expat 2.4.0. */ ++ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, ++ XML_L("XML_BLAP_MAX_AMP"), ++ (long int) ++ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT}, ++ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT, ++ XML_L("XML_BLAP_ACT_THRES"), ++ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT}, ++#endif ++ {XML_FEATURE_END, NULL, 0}}; + + return features; + } + ++#ifdef XML_DTD ++XML_Bool XMLCALL ++XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++ XML_Parser parser, float maximumAmplificationFactor) { ++ if ((parser == NULL) || (parser->m_parentParser != NULL) ++ || isnan(maximumAmplificationFactor) ++ || (maximumAmplificationFactor < 1.0f)) { ++ return XML_FALSE; ++ } ++ parser->m_accounting.maximumAmplificationFactor = maximumAmplificationFactor; ++ return XML_TRUE; ++} ++ ++XML_Bool XMLCALL ++XML_SetBillionLaughsAttackProtectionActivationThreshold( ++ XML_Parser parser, unsigned long long activationThresholdBytes) { ++ if ((parser == NULL) || (parser->m_parentParser != NULL)) { ++ return XML_FALSE; ++ } ++ parser->m_accounting.activationThresholdBytes = activationThresholdBytes; ++ return XML_TRUE; ++} ++#endif /* XML_DTD */ ++ + /* Initially tag->rawName always points into the parse buffer; + for those TAG instances opened while the current parse buffer was + processed, and not yet closed, we need to store tag->rawName in a more +@@ -2441,9 +2557,9 @@ storeRawNames(XML_Parser parser) { + static enum XML_Error PTRCALL + contentProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { +- enum XML_Error result +- = doContent(parser, 0, parser->m_encoding, start, end, endPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer); ++ enum XML_Error result = doContent( ++ parser, 0, parser->m_encoding, start, end, endPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT); + if (result == XML_ERROR_NONE) { + if (! storeRawNames(parser)) + return XML_ERROR_NO_MEMORY; +@@ -2468,6 +2584,14 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start, + int tok = XmlContentTok(parser->m_encoding, start, end, &next); + switch (tok) { + case XML_TOK_BOM: ++#ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, start, next, __LINE__, ++ XML_ACCOUNT_DIRECT)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++#endif /* XML_DTD */ ++ + /* If we are at the end of the buffer, this would cause the next stage, + i.e. externalEntityInitProcessor3, to pass control directly to + doContent (by detecting XML_TOK_NONE) without processing any xml text +@@ -2505,6 +2629,10 @@ externalEntityInitProcessor3(XML_Parser parser, const char *start, + const char *next = start; /* XmlContentTok doesn't always set the last arg */ + parser->m_eventPtr = start; + tok = XmlContentTok(parser->m_encoding, start, end, &next); ++ /* Note: These bytes are accounted later in: ++ - processXmlDecl ++ - externalEntityContentProcessor ++ */ + parser->m_eventEndPtr = next; + + switch (tok) { +@@ -2546,7 +2674,8 @@ externalEntityContentProcessor(XML_Parser parser, const char *start, + const char *end, const char **endPtr) { + enum XML_Error result + = doContent(parser, 1, parser->m_encoding, start, end, endPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_ENTITY_EXPANSION); + if (result == XML_ERROR_NONE) { + if (! storeRawNames(parser)) + return XML_ERROR_NO_MEMORY; +@@ -2557,7 +2686,7 @@ externalEntityContentProcessor(XML_Parser parser, const char *start, + static enum XML_Error + doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + const char *s, const char *end, const char **nextPtr, +- XML_Bool haveMore) { ++ XML_Bool haveMore, enum XML_Account account) { + /* save one level of indirection */ + DTD *const dtd = parser->m_dtd; + +@@ -2575,6 +2704,17 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + for (;;) { + const char *next = s; /* XmlContentTok doesn't always set the last arg */ + int tok = XmlContentTok(enc, s, end, &next); ++#ifdef XML_DTD ++ const char *accountAfter ++ = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR)) ++ ? (haveMore ? s /* i.e. 0 bytes */ : end) ++ : next; ++ if (! accountingDiffTolerated(parser, tok, s, accountAfter, __LINE__, ++ account)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++#endif + *eventEndPP = next; + switch (tok) { + case XML_TOK_TRAILING_CR: +@@ -2630,6 +2770,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { ++#ifdef XML_DTD ++ /* NOTE: We are replacing 4-6 characters original input for 1 character ++ * so there is no amplification and hence recording without ++ * protection. */ ++ accountingDiffTolerated(parser, tok, (char *)&ch, ++ ((char *)&ch) + sizeof(XML_Char), __LINE__, ++ XML_ACCOUNT_ENTITY_EXPANSION); ++#endif /* XML_DTD */ + if (parser->m_characterDataHandler) + parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1); + else if (parser->m_defaultHandler) +@@ -2748,7 +2896,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + } + tag->name.str = (XML_Char *)tag->buf; + *toPtr = XML_T('\0'); +- result = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings)); ++ result ++ = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings), account); + if (result) + return result; + if (parser->m_startElementHandler) +@@ -2772,7 +2921,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + if (! name.str) + return XML_ERROR_NO_MEMORY; + poolFinish(&parser->m_tempPool); +- result = storeAtts(parser, enc, s, &name, &bindings); ++ result = storeAtts(parser, enc, s, &name, &bindings, ++ XML_ACCOUNT_NONE /* token spans whole start tag */); + if (result != XML_ERROR_NONE) { + freeBindings(parser, bindings); + return result; +@@ -2907,7 +3057,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + /* END disabled code */ + else if (parser->m_defaultHandler) + reportDefault(parser, enc, s, next); +- result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore); ++ result ++ = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account); + if (result != XML_ERROR_NONE) + return result; + else if (! next) { +@@ -3036,7 +3187,8 @@ freeBindings(XML_Parser parser, BINDING *bindings) { + */ + static enum XML_Error + storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, +- TAG_NAME *tagNamePtr, BINDING **bindingsPtr) { ++ TAG_NAME *tagNamePtr, BINDING **bindingsPtr, ++ enum XML_Account account) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + ELEMENT_TYPE *elementType; + int nDefaultAtts; +@@ -3146,7 +3298,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr, + /* normalize the attribute value */ + result = storeAttributeValue( + parser, enc, isCdata, parser->m_atts[i].valuePtr, +- parser->m_atts[i].valueEnd, &parser->m_tempPool); ++ parser->m_atts[i].valueEnd, &parser->m_tempPool, account); + if (result) + return result; + appAtts[attIndex] = poolStart(&parser->m_tempPool); +@@ -3535,9 +3687,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, + static enum XML_Error PTRCALL + cdataSectionProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { +- enum XML_Error result +- = doCdataSection(parser, parser->m_encoding, &start, end, endPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer); ++ enum XML_Error result = doCdataSection( ++ parser, parser->m_encoding, &start, end, endPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT); + if (result != XML_ERROR_NONE) + return result; + if (start) { +@@ -3557,7 +3709,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end, + */ + static enum XML_Error + doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, +- const char *end, const char **nextPtr, XML_Bool haveMore) { ++ const char *end, const char **nextPtr, XML_Bool haveMore, ++ enum XML_Account account) { + const char *s = *startPtr; + const char **eventPP; + const char **eventEndPP; +@@ -3575,6 +3728,14 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + for (;;) { + const char *next; + int tok = XmlCdataSectionTok(enc, s, end, &next); ++#ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++#else ++ UNUSED_P(account); ++#endif + *eventEndPP = next; + switch (tok) { + case XML_TOK_CDATA_SECT_CLOSE: +@@ -3719,6 +3880,13 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + *eventPP = s; + *startPtr = NULL; + tok = XmlIgnoreSectionTok(enc, s, end, &next); ++# ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, ++ XML_ACCOUNT_DIRECT)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++# endif + *eventEndPP = next; + switch (tok) { + case XML_TOK_IGNORE_SECT: +@@ -3803,6 +3971,15 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s, + const char *versionend; + const XML_Char *storedversion = NULL; + int standalone = -1; ++ ++#ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__, ++ XML_ACCOUNT_DIRECT)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++#endif ++ + if (! (parser->m_ns ? XmlParseXmlDeclNS : XmlParseXmlDecl)( + isGeneralTextEntity, parser->m_encoding, s, next, &parser->m_eventPtr, + &version, &versionend, &encodingName, &newEncoding, &standalone)) { +@@ -3952,6 +4129,10 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + + for (;;) { + tok = XmlPrologTok(parser->m_encoding, start, end, &next); ++ /* Note: Except for XML_TOK_BOM below, these bytes are accounted later in: ++ - storeEntityValue ++ - processXmlDecl ++ */ + parser->m_eventEndPtr = next; + if (tok <= 0) { + if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) { +@@ -3970,7 +4151,8 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + break; + } + /* found end of entity value - can store it now */ +- return storeEntityValue(parser, parser->m_encoding, s, end); ++ return storeEntityValue(parser, parser->m_encoding, s, end, ++ XML_ACCOUNT_DIRECT); + } else if (tok == XML_TOK_XML_DECL) { + enum XML_Error result; + result = processXmlDecl(parser, 0, start, next); +@@ -3997,6 +4179,14 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + */ + else if (tok == XML_TOK_BOM && next == end + && ! parser->m_parsingStatus.finalBuffer) { ++# ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, ++ XML_ACCOUNT_DIRECT)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++# endif ++ + *nextPtr = next; + return XML_ERROR_NONE; + } +@@ -4039,16 +4229,24 @@ externalParEntProcessor(XML_Parser parser, const char *s, const char *end, + } + /* This would cause the next stage, i.e. doProlog to be passed XML_TOK_BOM. + However, when parsing an external subset, doProlog will not accept a BOM +- as valid, and report a syntax error, so we have to skip the BOM ++ as valid, and report a syntax error, so we have to skip the BOM, and ++ account for the BOM bytes. + */ + else if (tok == XML_TOK_BOM) { ++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, ++ XML_ACCOUNT_DIRECT)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++ + s = next; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + } + + parser->m_processor = prologProcessor; + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE); ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE, ++ XML_ACCOUNT_DIRECT); + } + + static enum XML_Error PTRCALL +@@ -4061,6 +4259,9 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end, + + for (;;) { + tok = XmlPrologTok(enc, start, end, &next); ++ /* Note: These bytes are accounted later in: ++ - storeEntityValue ++ */ + if (tok <= 0) { + if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) { + *nextPtr = s; +@@ -4078,7 +4279,7 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end, + break; + } + /* found end of entity value - can store it now */ +- return storeEntityValue(parser, enc, s, end); ++ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT); + } + start = next; + } +@@ -4092,13 +4293,14 @@ prologProcessor(XML_Parser parser, const char *s, const char *end, + const char *next = s; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE); ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE, ++ XML_ACCOUNT_DIRECT); + } + + static enum XML_Error + doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + int tok, const char *next, const char **nextPtr, XML_Bool haveMore, +- XML_Bool allowClosingDoctype) { ++ XML_Bool allowClosingDoctype, enum XML_Account account) { + #ifdef XML_DTD + static const XML_Char externalSubsetName[] = {ASCII_HASH, '\0'}; + #endif /* XML_DTD */ +@@ -4125,6 +4327,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + static const XML_Char enumValueSep[] = {ASCII_PIPE, '\0'}; + static const XML_Char enumValueStart[] = {ASCII_LPAREN, '\0'}; + ++#ifndef XML_DTD ++ UNUSED_P(account); ++#endif ++ + /* save one level of indirection */ + DTD *const dtd = parser->m_dtd; + +@@ -4189,6 +4395,19 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + } + role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc); ++#ifdef XML_DTD ++ switch (role) { ++ case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor ++ case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl ++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl ++ break; ++ default: ++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++ } ++#endif + switch (role) { + case XML_ROLE_XML_DECL: { + enum XML_Error result = processXmlDecl(parser, 0, s, next); +@@ -4464,7 +4683,8 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + const XML_Char *attVal; + enum XML_Error result = storeAttributeValue( + parser, enc, parser->m_declAttributeIsCdata, +- s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool); ++ s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool, ++ XML_ACCOUNT_NONE); + if (result) + return result; + attVal = poolStart(&dtd->pool); +@@ -4497,8 +4717,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + break; + case XML_ROLE_ENTITY_VALUE: + if (dtd->keepProcessing) { +- enum XML_Error result = storeEntityValue( +- parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar); ++ enum XML_Error result ++ = storeEntityValue(parser, enc, s + enc->minBytesPerChar, ++ next - enc->minBytesPerChar, XML_ACCOUNT_NONE); + if (parser->m_declEntity) { + parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool); + parser->m_declEntity->textLen +@@ -4888,12 +5109,15 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + if (parser->m_externalEntityRefHandler) { + dtd->paramEntityRead = XML_FALSE; + entity->open = XML_TRUE; ++ entityTrackingOnOpen(parser, entity, __LINE__); + if (! parser->m_externalEntityRefHandler( + parser->m_externalEntityRefHandlerArg, 0, entity->base, + entity->systemId, entity->publicId)) { ++ entityTrackingOnClose(parser, entity, __LINE__); + entity->open = XML_FALSE; + return XML_ERROR_EXTERNAL_ENTITY_HANDLING; + } ++ entityTrackingOnClose(parser, entity, __LINE__); + entity->open = XML_FALSE; + handleDefault = XML_FALSE; + if (! dtd->paramEntityRead) { +@@ -5091,6 +5315,13 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end, + for (;;) { + const char *next = NULL; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); ++#ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, ++ XML_ACCOUNT_DIRECT)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++#endif + parser->m_eventEndPtr = next; + switch (tok) { + /* report partial linebreak - it might be the last token */ +@@ -5164,6 +5395,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + return XML_ERROR_NO_MEMORY; + } + entity->open = XML_TRUE; ++#ifdef XML_DTD ++ entityTrackingOnOpen(parser, entity, __LINE__); ++#endif + entity->processed = 0; + openEntity->next = parser->m_openInternalEntities; + parser->m_openInternalEntities = openEntity; +@@ -5182,17 +5416,22 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + int tok + = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, +- tok, next, &next, XML_FALSE, XML_FALSE); ++ tok, next, &next, XML_FALSE, XML_FALSE, ++ XML_ACCOUNT_ENTITY_EXPANSION); + } else + #endif /* XML_DTD */ + result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding, +- textStart, textEnd, &next, XML_FALSE); ++ textStart, textEnd, &next, XML_FALSE, ++ XML_ACCOUNT_ENTITY_EXPANSION); + + if (result == XML_ERROR_NONE) { + if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) { + entity->processed = (int)(next - textStart); + parser->m_processor = internalEntityProcessor; + } else { ++#ifdef XML_DTD ++ entityTrackingOnClose(parser, entity, __LINE__); ++#endif /* XML_DTD */ + entity->open = XML_FALSE; + parser->m_openInternalEntities = openEntity->next; + /* put openEntity back in list of free instances */ +@@ -5225,12 +5464,13 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + int tok + = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, +- tok, next, &next, XML_FALSE, XML_TRUE); ++ tok, next, &next, XML_FALSE, XML_TRUE, ++ XML_ACCOUNT_ENTITY_EXPANSION); + } else + #endif /* XML_DTD */ + result = doContent(parser, openEntity->startTagLevel, + parser->m_internalEncoding, textStart, textEnd, &next, +- XML_FALSE); ++ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION); + + if (result != XML_ERROR_NONE) + return result; +@@ -5239,6 +5479,9 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + entity->processed = (int)(next - (char *)entity->textPtr); + return result; + } else { ++#ifdef XML_DTD ++ entityTrackingOnClose(parser, entity, __LINE__); ++#endif + entity->open = XML_FALSE; + parser->m_openInternalEntities = openEntity->next; + /* put openEntity back in list of free instances */ +@@ -5252,7 +5495,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + parser->m_processor = prologProcessor; + tok = XmlPrologTok(parser->m_encoding, s, end, &next); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE); ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE, ++ XML_ACCOUNT_DIRECT); + } else + #endif /* XML_DTD */ + { +@@ -5260,7 +5504,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + /* see externalEntityContentProcessor vs contentProcessor */ + return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, + s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer); ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); + } + } + +@@ -5275,9 +5520,10 @@ errorProcessor(XML_Parser parser, const char *s, const char *end, + + static enum XML_Error + storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, +- const char *ptr, const char *end, STRING_POOL *pool) { ++ const char *ptr, const char *end, STRING_POOL *pool, ++ enum XML_Account account) { + enum XML_Error result +- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool); ++ = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account); + if (result) + return result; + if (! isCdata && poolLength(pool) && poolLastChar(pool) == 0x20) +@@ -5289,11 +5535,22 @@ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + + static enum XML_Error + appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, +- const char *ptr, const char *end, STRING_POOL *pool) { ++ const char *ptr, const char *end, STRING_POOL *pool, ++ enum XML_Account account) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ ++#ifndef XML_DTD ++ UNUSED_P(account); ++#endif ++ + for (;;) { + const char *next; + int tok = XmlAttributeValueTok(enc, ptr, end, &next); ++#ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) { ++ accountingOnAbort(parser); ++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ } ++#endif + switch (tok) { + case XML_TOK_NONE: + return XML_ERROR_NONE; +@@ -5353,6 +5610,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { ++#ifdef XML_DTD ++ /* NOTE: We are replacing 4-6 characters original input for 1 character ++ * so there is no amplification and hence recording without ++ * protection. */ ++ accountingDiffTolerated(parser, tok, (char *)&ch, ++ ((char *)&ch) + sizeof(XML_Char), __LINE__, ++ XML_ACCOUNT_ENTITY_EXPANSION); ++#endif /* XML_DTD */ + if (! poolAppendChar(pool, ch)) + return XML_ERROR_NO_MEMORY; + break; +@@ -5430,9 +5695,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + enum XML_Error result; + const XML_Char *textEnd = entity->textPtr + entity->textLen; + entity->open = XML_TRUE; ++#ifdef XML_DTD ++ entityTrackingOnOpen(parser, entity, __LINE__); ++#endif + result = appendAttributeValue(parser, parser->m_internalEncoding, +- isCdata, (char *)entity->textPtr, +- (char *)textEnd, pool); ++ isCdata, (const char *)entity->textPtr, ++ (const char *)textEnd, pool, ++ XML_ACCOUNT_ENTITY_EXPANSION); ++#ifdef XML_DTD ++ entityTrackingOnClose(parser, entity, __LINE__); ++#endif + entity->open = XML_FALSE; + if (result) + return result; +@@ -5462,13 +5734,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + + static enum XML_Error + storeEntityValue(XML_Parser parser, const ENCODING *enc, +- const char *entityTextPtr, const char *entityTextEnd) { ++ const char *entityTextPtr, const char *entityTextEnd, ++ enum XML_Account account) { + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + STRING_POOL *pool = &(dtd->entityValuePool); + enum XML_Error result = XML_ERROR_NONE; + #ifdef XML_DTD + int oldInEntityValue = parser->m_prologState.inEntityValue; + parser->m_prologState.inEntityValue = 1; ++#else ++ UNUSED_P(account); + #endif /* XML_DTD */ + /* never return Null for the value argument in EntityDeclHandler, + since this would indicate an external entity; therefore we +@@ -5481,6 +5756,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + for (;;) { + const char *next; + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); ++ ++#ifdef XML_DTD ++ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__, ++ account)) { ++ accountingOnAbort(parser); ++ result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH; ++ goto endEntityValue; ++ } ++#endif ++ + switch (tok) { + case XML_TOK_PARAM_ENTITY_REF: + #ifdef XML_DTD +@@ -5516,13 +5801,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + if (parser->m_externalEntityRefHandler) { + dtd->paramEntityRead = XML_FALSE; + entity->open = XML_TRUE; ++ entityTrackingOnOpen(parser, entity, __LINE__); + if (! parser->m_externalEntityRefHandler( + parser->m_externalEntityRefHandlerArg, 0, entity->base, + entity->systemId, entity->publicId)) { ++ entityTrackingOnClose(parser, entity, __LINE__); + entity->open = XML_FALSE; + result = XML_ERROR_EXTERNAL_ENTITY_HANDLING; + goto endEntityValue; + } ++ entityTrackingOnClose(parser, entity, __LINE__); + entity->open = XML_FALSE; + if (! dtd->paramEntityRead) + dtd->keepProcessing = dtd->standalone; +@@ -5530,9 +5818,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + dtd->keepProcessing = dtd->standalone; + } else { + entity->open = XML_TRUE; ++ entityTrackingOnOpen(parser, entity, __LINE__); + result = storeEntityValue( +- parser, parser->m_internalEncoding, (char *)entity->textPtr, +- (char *)(entity->textPtr + entity->textLen)); ++ parser, parser->m_internalEncoding, (const char *)entity->textPtr, ++ (const char *)(entity->textPtr + entity->textLen), ++ XML_ACCOUNT_ENTITY_EXPANSION); ++ entityTrackingOnClose(parser, entity, __LINE__); + entity->open = XML_FALSE; + if (result) + goto endEntityValue; +@@ -6893,3 +7184,741 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + memcpy(result, s, charsRequired * sizeof(XML_Char)); + return result; + } ++ ++#ifdef XML_DTD ++ ++static float ++accountingGetCurrentAmplification(XML_Parser rootParser) { ++ const XmlBigCount countBytesOutput ++ = rootParser->m_accounting.countBytesDirect ++ + rootParser->m_accounting.countBytesIndirect; ++ const float amplificationFactor ++ = rootParser->m_accounting.countBytesDirect ++ ? (countBytesOutput ++ / (float)(rootParser->m_accounting.countBytesDirect)) ++ : 1.0f; ++ assert(! rootParser->m_parentParser); ++ return amplificationFactor; ++} ++ ++static void ++accountingReportStats(XML_Parser originParser, const char *epilog) { ++ const XML_Parser rootParser = getRootParserOf(originParser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ if (rootParser->m_accounting.debugLevel < 1) { ++ return; ++ } ++ ++ const float amplificationFactor ++ = accountingGetCurrentAmplification(rootParser); ++ fprintf(stderr, ++ "expat: Accounting(%p): Direct " EXPAT_FMT_ULL( ++ "10") ", indirect " EXPAT_FMT_ULL("10") ", amplification %8.2f%s", ++ (void *)rootParser, rootParser->m_accounting.countBytesDirect, ++ rootParser->m_accounting.countBytesIndirect, ++ (double)amplificationFactor, epilog); ++} ++ ++static void ++accountingOnAbort(XML_Parser originParser) { ++ accountingReportStats(originParser, " ABORTING\n"); ++} ++ ++static void ++accountingReportDiff(XML_Parser rootParser, ++ unsigned int levelsAwayFromRootParser, const char *before, ++ const char *after, ptrdiff_t bytesMore, int source_line, ++ enum XML_Account account) { ++ assert(! rootParser->m_parentParser); ++ ++ fprintf(stderr, ++ " (+" EXPAT_FMT_PTRDIFF_T("6") " bytes %s|%d, xmlparse.c:%d) %*s\"", ++ bytesMore, (account == XML_ACCOUNT_DIRECT) ? "DIR" : "EXP", ++ levelsAwayFromRootParser, source_line, 10, ""); ++ ++ const char ellipis[] = "[..]"; ++ const size_t ellipsisLength = sizeof(ellipis) /* because compile-time */ - 1; ++ const unsigned int contextLength = 10; ++ ++ /* Note: Performance is of no concern here */ ++ const char *walker = before; ++ if ((rootParser->m_accounting.debugLevel >= 3) ++ || (after - before) ++ <= (ptrdiff_t)(contextLength + ellipsisLength + contextLength)) { ++ for (; walker < after; walker++) { ++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0])); ++ } ++ } else { ++ for (; walker < before + contextLength; walker++) { ++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0])); ++ } ++ fprintf(stderr, ellipis); ++ walker = after - contextLength; ++ for (; walker < after; walker++) { ++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0])); ++ } ++ } ++ fprintf(stderr, "\"\n"); ++} ++ ++static XML_Bool ++accountingDiffTolerated(XML_Parser originParser, int tok, const char *before, ++ const char *after, int source_line, ++ enum XML_Account account) { ++ /* Note: We need to check the token type *first* to be sure that ++ * we can even access variable <after>, safely. ++ * E.g. for XML_TOK_NONE <after> may hold an invalid pointer. */ ++ switch (tok) { ++ case XML_TOK_INVALID: ++ case XML_TOK_PARTIAL: ++ case XML_TOK_PARTIAL_CHAR: ++ case XML_TOK_NONE: ++ return XML_TRUE; ++ } ++ ++ if (account == XML_ACCOUNT_NONE) ++ return XML_TRUE; /* because these bytes have been accounted for, already */ ++ ++ unsigned int levelsAwayFromRootParser; ++ const XML_Parser rootParser ++ = getRootParserOf(originParser, &levelsAwayFromRootParser); ++ assert(! rootParser->m_parentParser); ++ ++ const int isDirect ++ = (account == XML_ACCOUNT_DIRECT) && (originParser == rootParser); ++ const ptrdiff_t bytesMore = after - before; ++ ++ XmlBigCount *const additionTarget ++ = isDirect ? &rootParser->m_accounting.countBytesDirect ++ : &rootParser->m_accounting.countBytesIndirect; ++ ++ /* Detect and avoid integer overflow */ ++ if (*additionTarget > (XmlBigCount)(-1) - (XmlBigCount)bytesMore) ++ return XML_FALSE; ++ *additionTarget += bytesMore; ++ ++ const XmlBigCount countBytesOutput ++ = rootParser->m_accounting.countBytesDirect ++ + rootParser->m_accounting.countBytesIndirect; ++ const float amplificationFactor ++ = accountingGetCurrentAmplification(rootParser); ++ const XML_Bool tolerated ++ = (countBytesOutput < rootParser->m_accounting.activationThresholdBytes) ++ || (amplificationFactor ++ <= rootParser->m_accounting.maximumAmplificationFactor); ++ ++ if (rootParser->m_accounting.debugLevel >= 2) { ++ accountingReportStats(rootParser, ""); ++ accountingReportDiff(rootParser, levelsAwayFromRootParser, before, after, ++ bytesMore, source_line, account); ++ } ++ ++ return tolerated; ++} ++ ++static void ++entityTrackingReportStats(XML_Parser rootParser, ENTITY *entity, ++ const char *action, int sourceLine) { ++ assert(! rootParser->m_parentParser); ++ if (rootParser->m_entity_stats.debugLevel < 1) ++ return; ++ ++# if defined(XML_UNICODE) ++ const char *const entityName = "[..]"; ++# else ++ const char *const entityName = entity->name; ++# endif ++ ++ fprintf( ++ stderr, ++ "expat: Entities(%p): Count %9d, depth %2d/%2d %*s%s%s; %s length %d (xmlparse.c:%d)\n", ++ (void *)rootParser, rootParser->m_entity_stats.countEverOpened, ++ rootParser->m_entity_stats.currentDepth, ++ rootParser->m_entity_stats.maximumDepthSeen, ++ (rootParser->m_entity_stats.currentDepth - 1) * 2, "", ++ entity->is_param ? "%" : "&", entityName, action, entity->textLen, ++ sourceLine); ++} ++ ++static void ++entityTrackingOnOpen(XML_Parser originParser, ENTITY *entity, int sourceLine) { ++ const XML_Parser rootParser = getRootParserOf(originParser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ rootParser->m_entity_stats.countEverOpened++; ++ rootParser->m_entity_stats.currentDepth++; ++ if (rootParser->m_entity_stats.currentDepth ++ > rootParser->m_entity_stats.maximumDepthSeen) { ++ rootParser->m_entity_stats.maximumDepthSeen++; ++ } ++ ++ entityTrackingReportStats(rootParser, entity, "OPEN ", sourceLine); ++} ++ ++static void ++entityTrackingOnClose(XML_Parser originParser, ENTITY *entity, int sourceLine) { ++ const XML_Parser rootParser = getRootParserOf(originParser, NULL); ++ assert(! rootParser->m_parentParser); ++ ++ entityTrackingReportStats(rootParser, entity, "CLOSE", sourceLine); ++ rootParser->m_entity_stats.currentDepth--; ++} ++ ++static XML_Parser ++getRootParserOf(XML_Parser parser, unsigned int *outLevelDiff) { ++ XML_Parser rootParser = parser; ++ unsigned int stepsTakenUpwards = 0; ++ while (rootParser->m_parentParser) { ++ rootParser = rootParser->m_parentParser; ++ stepsTakenUpwards++; ++ } ++ assert(! rootParser->m_parentParser); ++ if (outLevelDiff != NULL) { ++ *outLevelDiff = stepsTakenUpwards; ++ } ++ return rootParser; ++} ++ ++static const char * ++unsignedCharToPrintable(unsigned char c) { ++ switch (c) { ++ case 0: ++ return "\\0"; ++ case 1: ++ return "\\x1"; ++ case 2: ++ return "\\x2"; ++ case 3: ++ return "\\x3"; ++ case 4: ++ return "\\x4"; ++ case 5: ++ return "\\x5"; ++ case 6: ++ return "\\x6"; ++ case 7: ++ return "\\x7"; ++ case 8: ++ return "\\x8"; ++ case 9: ++ return "\\t"; ++ case 10: ++ return "\\n"; ++ case 11: ++ return "\\xB"; ++ case 12: ++ return "\\xC"; ++ case 13: ++ return "\\r"; ++ case 14: ++ return "\\xE"; ++ case 15: ++ return "\\xF"; ++ case 16: ++ return "\\x10"; ++ case 17: ++ return "\\x11"; ++ case 18: ++ return "\\x12"; ++ case 19: ++ return "\\x13"; ++ case 20: ++ return "\\x14"; ++ case 21: ++ return "\\x15"; ++ case 22: ++ return "\\x16"; ++ case 23: ++ return "\\x17"; ++ case 24: ++ return "\\x18"; ++ case 25: ++ return "\\x19"; ++ case 26: ++ return "\\x1A"; ++ case 27: ++ return "\\x1B"; ++ case 28: ++ return "\\x1C"; ++ case 29: ++ return "\\x1D"; ++ case 30: ++ return "\\x1E"; ++ case 31: ++ return "\\x1F"; ++ case 32: ++ return " "; ++ case 33: ++ return "!"; ++ case 34: ++ return "\\\""; ++ case 35: ++ return "#"; ++ case 36: ++ return "$"; ++ case 37: ++ return "%"; ++ case 38: ++ return "&"; ++ case 39: ++ return "'"; ++ case 40: ++ return "("; ++ case 41: ++ return ")"; ++ case 42: ++ return "*"; ++ case 43: ++ return "+"; ++ case 44: ++ return ","; ++ case 45: ++ return "-"; ++ case 46: ++ return "."; ++ case 47: ++ return "/"; ++ case 48: ++ return "0"; ++ case 49: ++ return "1"; ++ case 50: ++ return "2"; ++ case 51: ++ return "3"; ++ case 52: ++ return "4"; ++ case 53: ++ return "5"; ++ case 54: ++ return "6"; ++ case 55: ++ return "7"; ++ case 56: ++ return "8"; ++ case 57: ++ return "9"; ++ case 58: ++ return ":"; ++ case 59: ++ return ";"; ++ case 60: ++ return "<"; ++ case 61: ++ return "="; ++ case 62: ++ return ">"; ++ case 63: ++ return "?"; ++ case 64: ++ return "@"; ++ case 65: ++ return "A"; ++ case 66: ++ return "B"; ++ case 67: ++ return "C"; ++ case 68: ++ return "D"; ++ case 69: ++ return "E"; ++ case 70: ++ return "F"; ++ case 71: ++ return "G"; ++ case 72: ++ return "H"; ++ case 73: ++ return "I"; ++ case 74: ++ return "J"; ++ case 75: ++ return "K"; ++ case 76: ++ return "L"; ++ case 77: ++ return "M"; ++ case 78: ++ return "N"; ++ case 79: ++ return "O"; ++ case 80: ++ return "P"; ++ case 81: ++ return "Q"; ++ case 82: ++ return "R"; ++ case 83: ++ return "S"; ++ case 84: ++ return "T"; ++ case 85: ++ return "U"; ++ case 86: ++ return "V"; ++ case 87: ++ return "W"; ++ case 88: ++ return "X"; ++ case 89: ++ return "Y"; ++ case 90: ++ return "Z"; ++ case 91: ++ return "["; ++ case 92: ++ return "\\\\"; ++ case 93: ++ return "]"; ++ case 94: ++ return "^"; ++ case 95: ++ return "_"; ++ case 96: ++ return "`"; ++ case 97: ++ return "a"; ++ case 98: ++ return "b"; ++ case 99: ++ return "c"; ++ case 100: ++ return "d"; ++ case 101: ++ return "e"; ++ case 102: ++ return "f"; ++ case 103: ++ return "g"; ++ case 104: ++ return "h"; ++ case 105: ++ return "i"; ++ case 106: ++ return "j"; ++ case 107: ++ return "k"; ++ case 108: ++ return "l"; ++ case 109: ++ return "m"; ++ case 110: ++ return "n"; ++ case 111: ++ return "o"; ++ case 112: ++ return "p"; ++ case 113: ++ return "q"; ++ case 114: ++ return "r"; ++ case 115: ++ return "s"; ++ case 116: ++ return "t"; ++ case 117: ++ return "u"; ++ case 118: ++ return "v"; ++ case 119: ++ return "w"; ++ case 120: ++ return "x"; ++ case 121: ++ return "y"; ++ case 122: ++ return "z"; ++ case 123: ++ return "{"; ++ case 124: ++ return "|"; ++ case 125: ++ return "}"; ++ case 126: ++ return "~"; ++ case 127: ++ return "\\x7F"; ++ case 128: ++ return "\\x80"; ++ case 129: ++ return "\\x81"; ++ case 130: ++ return "\\x82"; ++ case 131: ++ return "\\x83"; ++ case 132: ++ return "\\x84"; ++ case 133: ++ return "\\x85"; ++ case 134: ++ return "\\x86"; ++ case 135: ++ return "\\x87"; ++ case 136: ++ return "\\x88"; ++ case 137: ++ return "\\x89"; ++ case 138: ++ return "\\x8A"; ++ case 139: ++ return "\\x8B"; ++ case 140: ++ return "\\x8C"; ++ case 141: ++ return "\\x8D"; ++ case 142: ++ return "\\x8E"; ++ case 143: ++ return "\\x8F"; ++ case 144: ++ return "\\x90"; ++ case 145: ++ return "\\x91"; ++ case 146: ++ return "\\x92"; ++ case 147: ++ return "\\x93"; ++ case 148: ++ return "\\x94"; ++ case 149: ++ return "\\x95"; ++ case 150: ++ return "\\x96"; ++ case 151: ++ return "\\x97"; ++ case 152: ++ return "\\x98"; ++ case 153: ++ return "\\x99"; ++ case 154: ++ return "\\x9A"; ++ case 155: ++ return "\\x9B"; ++ case 156: ++ return "\\x9C"; ++ case 157: ++ return "\\x9D"; ++ case 158: ++ return "\\x9E"; ++ case 159: ++ return "\\x9F"; ++ case 160: ++ return "\\xA0"; ++ case 161: ++ return "\\xA1"; ++ case 162: ++ return "\\xA2"; ++ case 163: ++ return "\\xA3"; ++ case 164: ++ return "\\xA4"; ++ case 165: ++ return "\\xA5"; ++ case 166: ++ return "\\xA6"; ++ case 167: ++ return "\\xA7"; ++ case 168: ++ return "\\xA8"; ++ case 169: ++ return "\\xA9"; ++ case 170: ++ return "\\xAA"; ++ case 171: ++ return "\\xAB"; ++ case 172: ++ return "\\xAC"; ++ case 173: ++ return "\\xAD"; ++ case 174: ++ return "\\xAE"; ++ case 175: ++ return "\\xAF"; ++ case 176: ++ return "\\xB0"; ++ case 177: ++ return "\\xB1"; ++ case 178: ++ return "\\xB2"; ++ case 179: ++ return "\\xB3"; ++ case 180: ++ return "\\xB4"; ++ case 181: ++ return "\\xB5"; ++ case 182: ++ return "\\xB6"; ++ case 183: ++ return "\\xB7"; ++ case 184: ++ return "\\xB8"; ++ case 185: ++ return "\\xB9"; ++ case 186: ++ return "\\xBA"; ++ case 187: ++ return "\\xBB"; ++ case 188: ++ return "\\xBC"; ++ case 189: ++ return "\\xBD"; ++ case 190: ++ return "\\xBE"; ++ case 191: ++ return "\\xBF"; ++ case 192: ++ return "\\xC0"; ++ case 193: ++ return "\\xC1"; ++ case 194: ++ return "\\xC2"; ++ case 195: ++ return "\\xC3"; ++ case 196: ++ return "\\xC4"; ++ case 197: ++ return "\\xC5"; ++ case 198: ++ return "\\xC6"; ++ case 199: ++ return "\\xC7"; ++ case 200: ++ return "\\xC8"; ++ case 201: ++ return "\\xC9"; ++ case 202: ++ return "\\xCA"; ++ case 203: ++ return "\\xCB"; ++ case 204: ++ return "\\xCC"; ++ case 205: ++ return "\\xCD"; ++ case 206: ++ return "\\xCE"; ++ case 207: ++ return "\\xCF"; ++ case 208: ++ return "\\xD0"; ++ case 209: ++ return "\\xD1"; ++ case 210: ++ return "\\xD2"; ++ case 211: ++ return "\\xD3"; ++ case 212: ++ return "\\xD4"; ++ case 213: ++ return "\\xD5"; ++ case 214: ++ return "\\xD6"; ++ case 215: ++ return "\\xD7"; ++ case 216: ++ return "\\xD8"; ++ case 217: ++ return "\\xD9"; ++ case 218: ++ return "\\xDA"; ++ case 219: ++ return "\\xDB"; ++ case 220: ++ return "\\xDC"; ++ case 221: ++ return "\\xDD"; ++ case 222: ++ return "\\xDE"; ++ case 223: ++ return "\\xDF"; ++ case 224: ++ return "\\xE0"; ++ case 225: ++ return "\\xE1"; ++ case 226: ++ return "\\xE2"; ++ case 227: ++ return "\\xE3"; ++ case 228: ++ return "\\xE4"; ++ case 229: ++ return "\\xE5"; ++ case 230: ++ return "\\xE6"; ++ case 231: ++ return "\\xE7"; ++ case 232: ++ return "\\xE8"; ++ case 233: ++ return "\\xE9"; ++ case 234: ++ return "\\xEA"; ++ case 235: ++ return "\\xEB"; ++ case 236: ++ return "\\xEC"; ++ case 237: ++ return "\\xED"; ++ case 238: ++ return "\\xEE"; ++ case 239: ++ return "\\xEF"; ++ case 240: ++ return "\\xF0"; ++ case 241: ++ return "\\xF1"; ++ case 242: ++ return "\\xF2"; ++ case 243: ++ return "\\xF3"; ++ case 244: ++ return "\\xF4"; ++ case 245: ++ return "\\xF5"; ++ case 246: ++ return "\\xF6"; ++ case 247: ++ return "\\xF7"; ++ case 248: ++ return "\\xF8"; ++ case 249: ++ return "\\xF9"; ++ case 250: ++ return "\\xFA"; ++ case 251: ++ return "\\xFB"; ++ case 252: ++ return "\\xFC"; ++ case 253: ++ return "\\xFD"; ++ case 254: ++ return "\\xFE"; ++ case 255: ++ return "\\xFF"; ++ default: ++ assert(0); /* never gets here */ ++ return "dead code"; ++ } ++ assert(0); /* never gets here */ ++} ++ ++#endif /* XML_DTD */ ++ ++static unsigned long ++getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) { ++ const char *const valueOrNull = getenv(variableName); ++ if (valueOrNull == NULL) { ++ return defaultDebugLevel; ++ } ++ const char *const value = valueOrNull; ++ ++ errno = 0; ++ char *afterValue = (char *)value; ++ unsigned long debugLevel = strtoul(value, &afterValue, 10); ++ if ((errno != 0) || (afterValue[0] != '\0')) { ++ errno = 0; ++ return defaultDebugLevel; ++ } ++ ++ return debugLevel; ++} +-- +2.32.0 + diff --git a/meta/recipes-core/expat/expat/libtool-tag.patch b/meta/recipes-core/expat/expat/libtool-tag.patch index 0a0aed23e5..c59ccbbede 100644 --- a/meta/recipes-core/expat/expat/libtool-tag.patch +++ b/meta/recipes-core/expat/expat/libtool-tag.patch @@ -1,30 +1,27 @@ -From 10342e6b600858b091bc7771e454d9e06af06410 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Thu, 2 Nov 2017 18:20:57 +0800 +From da433dbe79f2d4d5d7d79869c669594c99c5de9c Mon Sep 17 00:00:00 2001 +From: Jasper Orschulko <jasper@fancydomain.eu> +Date: Wed, 16 Jun 2021 19:00:30 +0200 Subject: [PATCH] Add CC tag to build -Add CC tag to build - Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> -Signed-off-by: Dengke Du <dengke.du@windriver.com> +Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> --- - Makefile.in | 2 +- + Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/Makefile.in b/Makefile.in -index 9560a95..d444bd6 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -319,7 +319,7 @@ LIBCURRENT = @LIBCURRENT@ - LIBOBJS = @LIBOBJS@ - LIBREVISION = @LIBREVISION@ - LIBS = @LIBS@ --LIBTOOL = @LIBTOOL@ -+LIBTOOL = @LIBTOOL@ --tag CC - LIPO = @LIPO@ - LN_S = @LN_S@ - LTLIBOBJS = @LTLIBOBJS@ +diff --git a/Makefile.am b/Makefile.am +index 5e1d37dd..f7a6dece 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -36,7 +36,7 @@ AUTOMAKE_OPTIONS = \ + subdir-objects + + ACLOCAL_AMFLAGS = -I m4 +-LIBTOOLFLAGS = --verbose ++LIBTOOLFLAGS = --verbose --tag=CC + + SUBDIRS = lib # lib goes first to build first + if WITH_EXAMPLES -- -2.7.4 +2.32.0 diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb index 174bf4be1f..cd38df91d9 100644 --- a/meta/recipes-core/expat/expat_2.2.9.bb +++ b/meta/recipes-core/expat/expat_2.2.9.bb @@ -6,18 +6,16 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79" -SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \ +SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https \ + file://CVE-2013-0340.patch \ file://libtool-tag.patch \ - " + " -SRC_URI[md5sum] = "875a2c2ff3e8eb9e5a5cd62db2033ab5" -SRC_URI[sha256sum] = "f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237" +SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" inherit autotools lib_package -do_configure_prepend () { - rm -f ${S}/conftools/libtool.m4 -} +S = "${WORKDIR}/git/expat" BBCLASSEXTEND = "native nativesdk" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 03/14] libxml2: Fix CVE-2021-3518 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 01/14] uninative: Upgrade to 3.2 (gcc11 support) Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 02/14] expat: fix CVE-2013-0340 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 04/14] libx11: Fix CVE-2021-31535 Steve Sakoman ` (11 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Jasper Orschulko <jasper@fancydomain.eu> There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243] Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../libxml/libxml2/CVE-2021-3518.patch | 112 ++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 + 2 files changed, 113 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch new file mode 100644 index 0000000000..40d3debea1 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch @@ -0,0 +1,112 @@ +From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 10 Jun 2020 16:34:52 +0200 +Subject: [PATCH 1/2] Don't recurse into xi:include children in + xmlXIncludeDoProcess + +Otherwise, nested xi:include nodes might result in a use-after-free +if XML_PARSE_NOXINCNODE is specified. + +Found with libFuzzer and ASan. + +Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243] + +The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified, +as to avoid unnecessary modifications to fallback files. + +CVE: CVE-2021-3518 +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com> +--- + xinclude.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index ba850fa5..f260c1a7 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + * First phase: lookup the elements in the document + */ + cur = tree; +- if (xmlXIncludeTestNode(ctxt, cur) == 1) +- xmlXIncludePreProcessNode(ctxt, cur); + while ((cur != NULL) && (cur != tree->parent)) { + /* TODO: need to work on entities -> stack */ +- if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { +- cur = cur->children; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); +- } else if (cur->next != NULL) { ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) { ++ xmlXIncludePreProcessNode(ctxt, cur); ++ } else if ((cur->children != NULL) && ++ (cur->children->type != XML_ENTITY_DECL) && ++ (cur->children->type != XML_XINCLUDE_START) && ++ (cur->children->type != XML_XINCLUDE_END)) { ++ cur = cur->children; ++ continue; ++ } ++ if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + } else { + if (cur == tree) + break; +@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + break; /* do */ + if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + break; /* do */ + } + } while (cur != NULL); +-- +2.32.0 + + +From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Thu, 22 Apr 2021 19:26:28 +0200 +Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd` + +The --dropdtd option can leave dangling pointers in entity reference +nodes. Make sure to skip these nodes when processing XIncludes. + +This also avoids scanning entity declarations and even modifying +them inadvertently during XInclude processing. + +Move from a block list to an allow list approach to avoid descending +into other node types that can't contain elements. + +Fixes #237. +Upstream-Status: Backport +CVE: CVE-2021-3518 +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com> +--- + xinclude.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index f260c1a7..d7648529 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + if (xmlXIncludeTestNode(ctxt, cur) == 1) { + xmlXIncludePreProcessNode(ctxt, cur); + } else if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { ++ ((cur->type == XML_DOCUMENT_NODE) || ++ (cur->type == XML_ELEMENT_NODE))) { + cur = cur->children; + continue; + } +-- +2.32.0 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index 097613fb28..b5fb3e6315 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -25,6 +25,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://CVE-2020-24977.patch \ file://CVE-2021-3517.patch \ file://CVE-2021-3537.patch \ + file://CVE-2021-3518.patch \ " SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 04/14] libx11: Fix CVE-2021-31535 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (2 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 03/14] libxml2: Fix CVE-2021-3518 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 05/14] python3: upgrade 3.8.2 -> 3.8.3 Steve Sakoman ` (10 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Jasper Orschulko <jasper@fancydomain.eu> https://lists.x.org/archives/xorg-announce/2021-May/003088.html XLookupColor() and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server. Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../xorg-lib/libx11/CVE-2021-31535.patch | 333 ++++++++++++++++++ .../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 + 2 files changed, 334 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch new file mode 100644 index 0000000000..97c4c17a8a --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch @@ -0,0 +1,333 @@ +From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Fri, 19 Feb 2021 15:30:39 +0100 +Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on + the wire + +The X protocol uses CARD16 values to represent the length so +this would overflow. + +CVE-2021-31535 + +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> + +https://lists.x.org/archives/xorg-announce/2021-May/003088.html + +XLookupColor() and other X libraries function lack proper validation +of the length of their string parameters. If those parameters can be +controlled by an external application (for instance a color name that +can be emitted via a terminal control sequence) it can lead to the +emission of extra X protocol requests to the X server. + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605] +CVE: CVE-2021-31535 +Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com> +--- + src/Font.c | 6 ++++-- + src/FontInfo.c | 3 +++ + src/FontNames.c | 3 +++ + src/GetColor.c | 4 ++++ + src/LoadFont.c | 4 ++++ + src/LookupCol.c | 6 ++++-- + src/ParseCol.c | 5 ++++- + src/QuExt.c | 5 +++++ + src/SetFPath.c | 8 +++++++- + src/SetHints.c | 7 +++++++ + src/StNColor.c | 3 +++ + src/StName.c | 7 ++++++- + 12 files changed, 54 insertions(+), 7 deletions(-) + +diff --git a/src/Font.c b/src/Font.c +index 09d2ae91..3f468e4b 100644 +--- a/src/Font.c ++++ b/src/Font.c +@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont( + XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); + #endif + ++ if (strlen(name) >= USHRT_MAX) ++ return NULL; + if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0)) + return font_result; + LockDisplay(dpy); +@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont( + + if (!name) + return 0; +- l = strlen(name); +- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') ++ l = (int) strlen(name); ++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) + return 0; + charset = NULL; + /* next three lines stolen from _XkbGetCharset() */ +diff --git a/src/FontInfo.c b/src/FontInfo.c +index f870e431..51b48e29 100644 +--- a/src/FontInfo.c ++++ b/src/FontInfo.c +@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */ + register xListFontsReq *req; + int j; + ++ if (strlen(pattern) >= USHRT_MAX) ++ return NULL; ++ + LockDisplay(dpy); + GetReq(ListFontsWithInfo, req); + req->maxNames = maxNames; +diff --git a/src/FontNames.c b/src/FontNames.c +index b78792d6..4dac4916 100644 +--- a/src/FontNames.c ++++ b/src/FontNames.c +@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */ + register xListFontsReq *req; + unsigned long rlen = 0; + ++ if (strlen(pattern) >= USHRT_MAX) ++ return NULL; ++ + LockDisplay(dpy); + GetReq(ListFonts, req); + req->maxNames = maxNames; +diff --git a/src/GetColor.c b/src/GetColor.c +index cd0eb9f6..512ac308 100644 +--- a/src/GetColor.c ++++ b/src/GetColor.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include <stdio.h> + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */ + XcmsColor cmsColor_exact; + Status ret; + ++ if (strlen(colorname) >= USHRT_MAX) ++ return (0); ++ + #ifdef XCMS + /* + * Let's Attempt to use Xcms and i18n approach to Parse Color +diff --git a/src/LoadFont.c b/src/LoadFont.c +index f547976b..85735249 100644 +--- a/src/LoadFont.c ++++ b/src/LoadFont.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include "Xlibint.h" + + Font +@@ -38,6 +39,9 @@ XLoadFont ( + Font fid; + register xOpenFontReq *req; + ++ if (strlen(name) >= USHRT_MAX) ++ return (0); ++ + if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid)) + return fid; + +diff --git a/src/LookupCol.c b/src/LookupCol.c +index f7f969f5..cd9b1368 100644 +--- a/src/LookupCol.c ++++ b/src/LookupCol.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include <stdio.h> + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,6 +47,9 @@ XLookupColor ( + XcmsCCC ccc; + XcmsColor cmsColor_exact; + ++ n = (int) strlen (spec); ++ if (n >= USHRT_MAX) ++ return 0; + #ifdef XCMS + /* + * Let's Attempt to use Xcms and i18n approach to Parse Color +@@ -77,8 +81,6 @@ XLookupColor ( + * Xcms and i18n methods failed, so lets pass it to the server + * for parsing. + */ +- +- n = strlen (spec); + LockDisplay(dpy); + GetReq (LookupColor, req); + req->cmap = cmap; +diff --git a/src/ParseCol.c b/src/ParseCol.c +index e997b1b8..180132dd 100644 +--- a/src/ParseCol.c ++++ b/src/ParseCol.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include <stdio.h> + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,7 +47,9 @@ XParseColor ( + XcmsColor cmsColor; + + if (!spec) return(0); +- n = strlen (spec); ++ n = (int) strlen (spec); ++ if (n >= USHRT_MAX) ++ return(0); + if (*spec == '#') { + /* + * RGB +diff --git a/src/QuExt.c b/src/QuExt.c +index 4e230e77..d38a1572 100644 +--- a/src/QuExt.c ++++ b/src/QuExt.c +@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> ++#include <stdbool.h> + #include "Xlibint.h" + + Bool +@@ -40,6 +42,9 @@ XQueryExtension( + xQueryExtensionReply rep; + register xQueryExtensionReq *req; + ++ if (strlen(name) >= USHRT_MAX) ++ return false; ++ + LockDisplay(dpy); + GetReq(QueryExtension, req); + req->nbytes = name ? strlen(name) : 0; +diff --git a/src/SetFPath.c b/src/SetFPath.c +index 60aaef01..3d8c50cb 100644 +--- a/src/SetFPath.c ++++ b/src/SetFPath.c +@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group. + + #ifdef HAVE_CONFIG_H + #include <config.h> ++#include <limits.h> + #endif + #include "Xlibint.h" + +@@ -48,7 +49,12 @@ XSetFontPath ( + GetReq (SetFontPath, req); + req->nFonts = ndirs; + for (i = 0; i < ndirs; i++) { +- n += safestrlen (directories[i]) + 1; ++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1)); ++ if (n >= USHRT_MAX) { ++ UnlockDisplay(dpy); ++ SyncHandle(); ++ return 0; ++ } + } + nbytes = (n + 3) & ~3; + req->length += nbytes >> 2; +diff --git a/src/SetHints.c b/src/SetHints.c +index bc46498a..f3d727ec 100644 +--- a/src/SetHints.c ++++ b/src/SetHints.c +@@ -49,6 +49,7 @@ SOFTWARE. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include <X11/Xlibint.h> + #include <X11/Xutil.h> + #include "Xatomtype.h" +@@ -214,6 +215,8 @@ XSetCommand ( + register char *buf, *bp; + for (i = 0, nbytes = 0; i < argc; i++) { + nbytes += safestrlen(argv[i]) + 1; ++ if (nbytes >= USHRT_MAX) ++ return 1; + } + if ((bp = buf = Xmalloc(nbytes))) { + /* copy arguments into single buffer */ +@@ -256,6 +259,8 @@ XSetStandardProperties ( + + if (name != NULL) XStoreName (dpy, w, name); + ++ if (safestrlen(icon_string) >= USHRT_MAX) ++ return 1; + if (icon_string != NULL) { + XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, + PropModeReplace, +@@ -298,6 +303,8 @@ XSetClassHint( + + len_nm = safestrlen(classhint->res_name); + len_cl = safestrlen(classhint->res_class); ++ if (len_nm + len_cl >= USHRT_MAX) ++ return 1; + if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { + if (len_nm) { + strcpy(s, classhint->res_name); +diff --git a/src/StNColor.c b/src/StNColor.c +index 8b821c3e..ba021958 100644 +--- a/src/StNColor.c ++++ b/src/StNColor.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include <stdio.h> + #include "Xlibint.h" + #include "Xcmsint.h" +@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */ + XcmsColor cmsColor_exact; + XColor scr_def; + ++ if (strlen(name) >= USHRT_MAX) ++ return 0; + #ifdef XCMS + /* + * Let's Attempt to use Xcms approach to Parse Color +diff --git a/src/StName.c b/src/StName.c +index b4048bff..5a632d0c 100644 +--- a/src/StName.c ++++ b/src/StName.c +@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group. + #ifdef HAVE_CONFIG_H + #include <config.h> + #endif ++#include <limits.h> + #include <X11/Xlibint.h> + #include <X11/Xatom.h> + +@@ -36,7 +37,9 @@ XStoreName ( + Window w, + _Xconst char *name) + { +- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, ++ if (strlen(name) >= USHRT_MAX) ++ return 0; ++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */ + 8, PropModeReplace, (_Xconst unsigned char *)name, + name ? strlen(name) : 0); + } +@@ -47,6 +50,8 @@ XSetIconName ( + Window w, + _Xconst char *icon_name) + { ++ if (strlen(icon_name) >= USHRT_MAX) ++ return 0; + return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, + PropModeReplace, (_Xconst unsigned char *)icon_name, + icon_name ? strlen(icon_name) : 0); +-- +2.32.0 + diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index ebd2640743..ff2a6f7265 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb @@ -15,6 +15,7 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \ file://libx11-whitespace.patch \ file://CVE-2020-14344.patch \ file://CVE-2020-14363.patch \ + file://CVE-2021-31535.patch \ " SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 05/14] python3: upgrade 3.8.2 -> 3.8.3 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (3 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 04/14] libx11: Fix CVE-2021-31535 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 06/14] python3: upgrade 3.8.3 -> 3.8.4 Steve Sakoman ` (9 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: May 13, 2020 Note: The release you're looking at is Python 3.8.3, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. Notable changes in Python 3.8.3: The constant values of future flags in the __future__ module are updated in order to prevent collision with compiler flags. Previously PyCF_ALLOW_TOP_LEVEL_AWAIT was clashing with CO_FUTURE_DIVISION. (Contributed by Batuhan Taskaya in bpo-39562) * Drop patch for CVE-2020-3492 fixed since 3.8.1 References: https://nvd.nist.gov/vuln/detail/CVE-2020-8492 https://www.python.org/downloads/release/python-383/ https://docs.python.org/release/3.8.3/whatsnew/changelog.html#changelog Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ------------------ .../{python3_3.8.2.bb => python3_3.8.3.bb} | 5 +- 2 files changed, 2 insertions(+), 251 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.3.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch deleted file mode 100644 index e16b99bcb9..0000000000 --- a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001 -From: Victor Stinner <vstinner@python.org> -Date: Thu, 2 Apr 2020 02:52:20 +0200 -Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler - (GH-18284) - -Upstream-Status: Backport -(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4) - -CVE: CVE-2020-8492 - -The AbstractBasicAuthHandler class of the urllib.request module uses -an inefficient regular expression which can be exploited by an -attacker to cause a denial of service. Fix the regex to prevent the -catastrophic backtracking. Vulnerability reported by Ben Caller -and Matt Schwager. - -AbstractBasicAuthHandler of urllib.request now parses all -WWW-Authenticate HTTP headers and accepts multiple challenges per -header: use the realm of the first Basic challenge. - -Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> -Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> ---- - Lib/test/test_urllib2.py | 90 ++++++++++++------- - Lib/urllib/request.py | 69 ++++++++++---- - .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 + - .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++ - 4 files changed, 115 insertions(+), 52 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst - create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst - -diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py -index 8abedaac98..e69ac3e213 100644 ---- a/Lib/test/test_urllib2.py -+++ b/Lib/test/test_urllib2.py -@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase): - bypass = {'exclude_simple': True, 'exceptions': []} - self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass)) - -- def test_basic_auth(self, quote_char='"'): -- opener = OpenerDirector() -- password_manager = MockPasswordManager() -- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -- realm = "ACME Widget Store" -- http_handler = MockHTTPHandler( -- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' % -- (quote_char, realm, quote_char)) -- opener.add_handler(auth_handler) -- opener.add_handler(http_handler) -- self._test_basic_auth(opener, auth_handler, "Authorization", -- realm, http_handler, password_manager, -- "http://acme.example.com/protected", -- "http://acme.example.com/protected", -- ) -- -- def test_basic_auth_with_single_quoted_realm(self): -- self.test_basic_auth(quote_char="'") -- -- def test_basic_auth_with_unquoted_realm(self): -- opener = OpenerDirector() -- password_manager = MockPasswordManager() -- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -- realm = "ACME Widget Store" -- http_handler = MockHTTPHandler( -- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm) -- opener.add_handler(auth_handler) -- opener.add_handler(http_handler) -- with self.assertWarns(UserWarning): -+ def check_basic_auth(self, headers, realm): -+ with self.subTest(realm=realm, headers=headers): -+ opener = OpenerDirector() -+ password_manager = MockPasswordManager() -+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -+ body = '\r\n'.join(headers) + '\r\n\r\n' -+ http_handler = MockHTTPHandler(401, body) -+ opener.add_handler(auth_handler) -+ opener.add_handler(http_handler) - self._test_basic_auth(opener, auth_handler, "Authorization", -- realm, http_handler, password_manager, -- "http://acme.example.com/protected", -- "http://acme.example.com/protected", -- ) -+ realm, http_handler, password_manager, -+ "http://acme.example.com/protected", -+ "http://acme.example.com/protected") -+ -+ def test_basic_auth(self): -+ realm = "realm2@example.com" -+ realm2 = "realm2@example.com" -+ basic = f'Basic realm="{realm}"' -+ basic2 = f'Basic realm="{realm2}"' -+ other_no_realm = 'Otherscheme xxx' -+ digest = (f'Digest realm="{realm2}", ' -+ f'qop="auth, auth-int", ' -+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' -+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"') -+ for realm_str in ( -+ # test "quote" and 'quote' -+ f'Basic realm="{realm}"', -+ f"Basic realm='{realm}'", -+ -+ # charset is ignored -+ f'Basic realm="{realm}", charset="UTF-8"', -+ -+ # Multiple challenges per header -+ f'{basic}, {basic2}', -+ f'{basic}, {other_no_realm}', -+ f'{other_no_realm}, {basic}', -+ f'{basic}, {digest}', -+ f'{digest}, {basic}', -+ ): -+ headers = [f'WWW-Authenticate: {realm_str}'] -+ self.check_basic_auth(headers, realm) -+ -+ # no quote: expect a warning -+ with support.check_warnings(("Basic Auth Realm was unquoted", -+ UserWarning)): -+ headers = [f'WWW-Authenticate: Basic realm={realm}'] -+ self.check_basic_auth(headers, realm) -+ -+ # Multiple headers: one challenge per header. -+ # Use the first Basic realm. -+ for challenges in ( -+ [basic, basic2], -+ [basic, digest], -+ [digest, basic], -+ ): -+ headers = [f'WWW-Authenticate: {challenge}' -+ for challenge in challenges] -+ self.check_basic_auth(headers, realm) - - def test_proxy_basic_auth(self): - opener = OpenerDirector() -diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py -index 7fe50535da..2a3d71554f 100644 ---- a/Lib/urllib/request.py -+++ b/Lib/urllib/request.py -@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler: - - # allow for double- and single-quoted realm values - # (single quotes are a violation of the RFC, but appear in the wild) -- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' -- 'realm=(["\']?)([^"\']*)\\2', re.I) -+ rx = re.compile('(?:^|,)' # start of the string or ',' -+ '[ \t]*' # optional whitespaces -+ '([^ \t]+)' # scheme like "Basic" -+ '[ \t]+' # mandatory whitespaces -+ # realm=xxx -+ # realm='xxx' -+ # realm="xxx" -+ 'realm=(["\']?)([^"\']*)\\2', -+ re.I) - - # XXX could pre-emptively send auth info already accepted (RFC 2617, - # end of section 2, and section 1.2 immediately after "credentials" -@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler: - self.passwd = password_mgr - self.add_password = self.passwd.add_password - -+ def _parse_realm(self, header): -+ # parse WWW-Authenticate header: accept multiple challenges per header -+ found_challenge = False -+ for mo in AbstractBasicAuthHandler.rx.finditer(header): -+ scheme, quote, realm = mo.groups() -+ if quote not in ['"', "'"]: -+ warnings.warn("Basic Auth Realm was unquoted", -+ UserWarning, 3) -+ -+ yield (scheme, realm) -+ -+ found_challenge = True -+ -+ if not found_challenge: -+ if header: -+ scheme = header.split()[0] -+ else: -+ scheme = '' -+ yield (scheme, None) -+ - def http_error_auth_reqed(self, authreq, host, req, headers): - # host may be an authority (without userinfo) or a URL with an - # authority -- # XXX could be multiple headers -- authreq = headers.get(authreq, None) -+ headers = headers.get_all(authreq) -+ if not headers: -+ # no header found -+ return - -- if authreq: -- scheme = authreq.split()[0] -- if scheme.lower() != 'basic': -- raise ValueError("AbstractBasicAuthHandler does not" -- " support the following scheme: '%s'" % -- scheme) -- else: -- mo = AbstractBasicAuthHandler.rx.search(authreq) -- if mo: -- scheme, quote, realm = mo.groups() -- if quote not in ['"',"'"]: -- warnings.warn("Basic Auth Realm was unquoted", -- UserWarning, 2) -- if scheme.lower() == 'basic': -- return self.retry_http_basic_auth(host, req, realm) -+ unsupported = None -+ for header in headers: -+ for scheme, realm in self._parse_realm(header): -+ if scheme.lower() != 'basic': -+ unsupported = scheme -+ continue -+ -+ if realm is not None: -+ # Use the first matching Basic challenge. -+ # Ignore following challenges even if they use the Basic -+ # scheme. -+ return self.retry_http_basic_auth(host, req, realm) -+ -+ if unsupported is not None: -+ raise ValueError("AbstractBasicAuthHandler does not " -+ "support the following scheme: %r" -+ % (scheme,)) - - def retry_http_basic_auth(self, host, req, realm): - user, pw = self.passwd.find_user_password(realm, host) -diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst -new file mode 100644 -index 0000000000..be80ce79d9 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst -@@ -0,0 +1,3 @@ -+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` -+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges -+per header: use the realm of the first Basic challenge. -diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -new file mode 100644 -index 0000000000..9f2800581c ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -@@ -0,0 +1,5 @@ -+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the -+:mod:`urllib.request` module uses an inefficient regular expression which can -+be exploited by an attacker to cause a denial of service. Fix the regex to -+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller -+and Matt Schwager. --- -2.24.1 - diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.3.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.2.bb rename to meta/recipes-devtools/python/python3_3.8.3.bb index 072ce97472..3aa8980e13 100644 --- a/meta/recipes-devtools/python/python3_3.8.2.bb +++ b/meta/recipes-devtools/python/python3_3.8.3.bb @@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-configure.ac-fix-LIBPL.patch \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ - file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \ file://CVE-2019-20907.patch \ file://CVE-2020-14422.patch \ file://CVE-2020-26116.patch \ @@ -47,8 +46,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67" -SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df" +SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78" +SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 06/14] python3: upgrade 3.8.3 -> 3.8.4 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (4 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 05/14] python3: upgrade 3.8.2 -> 3.8.3 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 07/14] python3: upgrade 3.8.4 -> 3.8.5 Steve Sakoman ` (8 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: July 13, 2020 Note: The release you're looking at is Python 3.8.4, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. * Drop patch for CVE-2020-14422 fixed in 3.8.4 * Refresh CVE-2021-23336 patch References: https://nvd.nist.gov/vuln/detail/CVE-2020-14422 https://www.python.org/downloads/release/python-384/ https://docs.python.org/release/3.8.4/whatsnew/changelog.html#changelog Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../python/python3/CVE-2020-14422.patch | 77 ------------------- .../{python3_3.8.3.bb => python3_3.8.4.bb} | 5 +- 2 files changed, 2 insertions(+), 80 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch rename meta/recipes-devtools/python/{python3_3.8.3.bb => python3_3.8.4.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch b/meta/recipes-devtools/python/python3/CVE-2020-14422.patch deleted file mode 100644 index 6889e46da9..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch +++ /dev/null @@ -1,77 +0,0 @@ -From dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 29 Jun 2020 11:12:50 -0700 -Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and - IPv6Interface (GH-21033) - -The __hash__() methods of classes IPv4Interface and IPv6Interface had issue -of generating constant hash values of 32 and 128 respectively causing hash collisions. -The fix uses the hash() function to generate hash values for the objects -instead of XOR operation -(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28) - -Co-authored-by: Ravi Teja P <rvteja92@gmail.com> - -Upstream-Status: Backport [https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5] -CVE: CVE-2020-14422 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> ---- - Lib/ipaddress.py | 4 ++-- - Lib/test/test_ipaddress.py | 12 ++++++++++++ - .../2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 + - 3 files changed, 15 insertions(+), 2 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst - -diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py -index 873c7644081af..a3a04f7f4b309 100644 ---- a/Lib/ipaddress.py -+++ b/Lib/ipaddress.py -@@ -1370,7 +1370,7 @@ def __lt__(self, other): - return False - - def __hash__(self): -- return self._ip ^ self._prefixlen ^ int(self.network.network_address) -+ return hash((self._ip, self._prefixlen, int(self.network.network_address))) - - __reduce__ = _IPAddressBase.__reduce__ - -@@ -2017,7 +2017,7 @@ def __lt__(self, other): - return False - - def __hash__(self): -- return self._ip ^ self._prefixlen ^ int(self.network.network_address) -+ return hash((self._ip, self._prefixlen, int(self.network.network_address))) - - __reduce__ = _IPAddressBase.__reduce__ - -diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py -index de77111705b69..2eba740e5e7a4 100644 ---- a/Lib/test/test_ipaddress.py -+++ b/Lib/test/test_ipaddress.py -@@ -2053,6 +2053,18 @@ def testsixtofour(self): - sixtofouraddr.sixtofour) - self.assertFalse(bad_addr.sixtofour) - -+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface -+ def testV4HashIsNotConstant(self): -+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4") -+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5") -+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__()) -+ -+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface -+ def testV6HashIsNotConstant(self): -+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1") -+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2") -+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__()) -+ - - if __name__ == '__main__': - unittest.main() -diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst -new file mode 100644 -index 0000000000000..1380b31fbe9f4 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst -@@ -0,0 +1 @@ -+The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). diff --git a/meta/recipes-devtools/python/python3_3.8.3.bb b/meta/recipes-devtools/python/python3_3.8.4.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.3.bb rename to meta/recipes-devtools/python/python3_3.8.4.bb index 3aa8980e13..438b3e5504 100644 --- a/meta/recipes-devtools/python/python3_3.8.3.bb +++ b/meta/recipes-devtools/python/python3_3.8.4.bb @@ -34,7 +34,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ file://CVE-2019-20907.patch \ - file://CVE-2020-14422.patch \ file://CVE-2020-26116.patch \ file://CVE-2020-27619.patch \ file://CVE-2021-3177.patch \ @@ -46,8 +45,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78" -SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864" +SRC_URI[md5sum] = "e16df33cd7b58702e57e137f8f5d13e7" +SRC_URI[sha256sum] = "5f41968a95afe9bc12192d7e6861aab31e80a46c46fa59d3d837def6a4cd4d37" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 07/14] python3: upgrade 3.8.4 -> 3.8.5 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (5 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 06/14] python3: upgrade 3.8.3 -> 3.8.4 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 08/14] python3: upgrade 3.8.5 -> 3.8.6 Steve Sakoman ` (7 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: July 20, 2020 Note: The release you're looking at is Python 3.8.5, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. Drop patches fixed in 3.8.5: - CVE-2019-20907 - CVE-2019-26116 References: https://nvd.nist.gov/vuln/detail/CVE-2019-20907 https://nvd.nist.gov/vuln/detail/CVE-2020-26116 https://www.python.org/downloads/release/python-385/ https://docs.python.org/release/3.8.5/whatsnew/changelog.html#changelog Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../python/python3/CVE-2019-20907.patch | 44 -------- .../python/python3/CVE-2020-26116.patch | 104 ------------------ .../{python3_3.8.4.bb => python3_3.8.5.bb} | 6 +- 3 files changed, 2 insertions(+), 152 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch rename meta/recipes-devtools/python/{python3_3.8.4.bb => python3_3.8.5.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch b/meta/recipes-devtools/python/python3/CVE-2019-20907.patch deleted file mode 100644 index a2e72372dd..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch +++ /dev/null @@ -1,44 +0,0 @@ -From a06a6bf4e67a50561f6d6fb33534df1d3035ea34 Mon Sep 17 00:00:00 2001 -From: Rishi <rishi_devan@mail.com> -Date: Wed, 15 Jul 2020 13:51:00 +0200 -Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module - (GH-21454) - -Avoid infinite loop when reading specially crafted TAR files using the tarfile module -(CVE-2019-20907). -(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) - -Co-authored-by: Rishi <rishi_devan@mail.com> - -Removed testing 'recursion.tar' tar file due to binary data - -Upstream-Status: Backport [https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559] -CVE: CVE-2019-20907 -Signed-off-by: Andrej Valek <andrej.valek@siemens.com> ---- - Lib/tarfile.py | 2 ++ - .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + - 4 files changed, 10 insertions(+) - create mode 100644 Lib/test/recursion.tar - create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst - -diff --git a/Lib/tarfile.py b/Lib/tarfile.py -index d31b9cbb51d65..7a69e1b1aa544 100755 ---- a/Lib/tarfile.py -+++ b/Lib/tarfile.py -@@ -1241,6 +1241,8 @@ def _proc_pax(self, tarfile): - - length, keyword = match.groups() - length = int(length) -+ if length == 0: -+ raise InvalidHeaderError("invalid header") - value = buf[match.end(2) + 1:match.start(1) + length - 1] - - # Normally, we could just use "utf-8" as the encoding and "strict" -diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst -new file mode 100644 -index 0000000000000..ad26676f8b856 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst -@@ -0,0 +1 @@ -+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch deleted file mode 100644 index c019db2a76..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Sat, 18 Jul 2020 13:39:12 -0700 -Subject: [PATCH] bpo-39603: Prevent header injection in http methods - (GH-18485) - -reject control chars in http method in http.client.putrequest to prevent http header injection -(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) - -Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com> - -Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf] -CVE: CVE-2020-26116 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> - ---- - Lib/http/client.py | 15 +++++++++++++ - Lib/test/test_httplib.py | 22 +++++++++++++++++++ - .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++ - 3 files changed, 39 insertions(+) - create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst - -diff --git a/Lib/http/client.py b/Lib/http/client.py -index 019380a720318..c2ad0471bfee5 100644 ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -147,6 +147,10 @@ - # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") - # We are more lenient for assumed real world compatibility purposes. - -+# These characters are not allowed within HTTP method names -+# to prevent http header injection. -+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') -+ - # We always set the Content-Length header for these methods because some - # servers will otherwise respond with a 411 - _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} -@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, - else: - raise CannotSendRequest(self.__state) - -+ self._validate_method(method) -+ - # Save the method for use later in the response phase - self._method = method - -@@ -1177,6 +1183,15 @@ def _encode_request(self, request): - # ASCII also helps prevent CVE-2019-9740. - return request.encode('ascii') - -+ def _validate_method(self, method): -+ """Validate a method name for putrequest.""" -+ # prevent http header injection -+ match = _contains_disallowed_method_pchar_re.search(method) -+ if match: -+ raise ValueError( -+ f"method can't contain control characters. {method!r} " -+ f"(found at least {match.group()!r})") -+ - def _validate_path(self, url): - """Validate a url for putrequest.""" - # Prevent CVE-2019-9740. -diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py -index 8f0e27a1fb836..5a5fcecbc9c15 100644 ---- a/Lib/test/test_httplib.py -+++ b/Lib/test/test_httplib.py -@@ -364,6 +364,28 @@ def test_headers_debuglevel(self): - self.assertEqual(lines[3], "header: Second: val2") - - -+class HttpMethodTests(TestCase): -+ def test_invalid_method_names(self): -+ methods = ( -+ 'GET\r', -+ 'POST\n', -+ 'PUT\n\r', -+ 'POST\nValue', -+ 'POST\nHOST:abc', -+ 'GET\nrHost:abc\n', -+ 'POST\rRemainder:\r', -+ 'GET\rHOST:\n', -+ '\nPUT' -+ ) -+ -+ for method in methods: -+ with self.assertRaisesRegex( -+ ValueError, "method can't contain control characters"): -+ conn = client.HTTPConnection('example.com') -+ conn.sock = FakeSocket(None) -+ conn.request(method=method, url="/") -+ -+ - class TransferEncodingTest(TestCase): - expected_body = b"It's just a flesh wound" - -diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst -new file mode 100644 -index 0000000000000..990affc3edd9d ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst -@@ -0,0 +1,2 @@ -+Prevent http header injection by rejecting control characters in -+http.client.putrequest(...). diff --git a/meta/recipes-devtools/python/python3_3.8.4.bb b/meta/recipes-devtools/python/python3_3.8.5.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.4.bb rename to meta/recipes-devtools/python/python3_3.8.5.bb index 438b3e5504..21b6be58f7 100644 --- a/meta/recipes-devtools/python/python3_3.8.4.bb +++ b/meta/recipes-devtools/python/python3_3.8.5.bb @@ -33,8 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-configure.ac-fix-LIBPL.patch \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ - file://CVE-2019-20907.patch \ - file://CVE-2020-26116.patch \ file://CVE-2020-27619.patch \ file://CVE-2021-3177.patch \ " @@ -45,8 +43,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "e16df33cd7b58702e57e137f8f5d13e7" -SRC_URI[sha256sum] = "5f41968a95afe9bc12192d7e6861aab31e80a46c46fa59d3d837def6a4cd4d37" +SRC_URI[md5sum] = "35b5a3d0254c1c59be9736373d429db7" +SRC_URI[sha256sum] = "e3003ed57db17e617acb382b0cade29a248c6026b1bd8aad1f976e9af66a83b0" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 08/14] python3: upgrade 3.8.5 -> 3.8.6 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (6 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 07/14] python3: upgrade 3.8.4 -> 3.8.5 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 09/14] python3: upgrade 3.8.6 -> 3.8.7 Steve Sakoman ` (6 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: Sept. 24, 2020 Note: The release you're looking at is Python 3.8.6, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. References: https://www.python.org/downloads/release/python-386/ https://docs.python.org/release/3.8.6/whatsnew/changelog.html#changelog License-Update: PSFv2 -> PSF-2.0 and BSD-0-Clause Starting with Python 3.8.6, examples, recipes, and other code in the documentation are dual licensed under the PSF License Version 2 and the Zero-Clause BSD license. Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../python/{python3_3.8.5.bb => python3_3.8.6.bb} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename meta/recipes-devtools/python/{python3_3.8.5.bb => python3_3.8.6.bb} (98%) diff --git a/meta/recipes-devtools/python/python3_3.8.5.bb b/meta/recipes-devtools/python/python3_3.8.6.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.5.bb rename to meta/recipes-devtools/python/python3_3.8.6.bb index 21b6be58f7..bf33fce891 100644 --- a/meta/recipes-devtools/python/python3_3.8.5.bb +++ b/meta/recipes-devtools/python/python3_3.8.6.bb @@ -1,10 +1,10 @@ SUMMARY = "The Python Programming Language" HOMEPAGE = "http://www.python.org" DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively." -LICENSE = "PSFv2" +LICENSE = "PSF-2.0 & BSD-0-Clause" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642" +LIC_FILES_CHKSUM = "file://LICENSE;md5=33223c9ef60c31e3f0e866cb09b65e83" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -43,8 +43,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "35b5a3d0254c1c59be9736373d429db7" -SRC_URI[sha256sum] = "e3003ed57db17e617acb382b0cade29a248c6026b1bd8aad1f976e9af66a83b0" +SRC_URI[md5sum] = "69e73c49eeb1a853cefd26d18c9d069d" +SRC_URI[sha256sum] = "a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 09/14] python3: upgrade 3.8.6 -> 3.8.7 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (7 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 08/14] python3: upgrade 3.8.5 -> 3.8.6 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 10/14] python3: upgrade 3.8.7 -> 3.8.8 Steve Sakoman ` (5 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: Dec. 21, 2020 Note: The release you're looking at is Python 3.8.7, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. * Drop patch for CVE-2020-27619 fixed in 3.8.7 References: https://nvd.nist.gov/vuln/detail/CVE-2020-27619 https://www.python.org/downloads/release/python-387/ https://docs.python.org/release/3.8.7/whatsnew/changelog.html Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../python/python3/CVE-2020-27619.patch | 70 ------------------- .../{python3_3.8.6.bb => python3_3.8.7.bb} | 5 +- 2 files changed, 2 insertions(+), 73 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch rename meta/recipes-devtools/python/{python3_3.8.6.bb => python3_3.8.7.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch deleted file mode 100644 index bafa1cb999..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001 -From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com> -Date: Tue, 6 Oct 2020 05:38:54 -0700 -Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP - in the CJK codec tests (GH-22566) (GH-22577) - -(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8) - -Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> - -Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> - -Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33] -CVE: CVE-2020-27619 -Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> ---- - Lib/test/multibytecodec_support.py | 22 +++++++------------ - .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 + - 2 files changed, 9 insertions(+), 14 deletions(-) - create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst - -diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py -index cca8af67d6d1d..f76c0153f5ecf 100644 ---- a/Lib/test/multibytecodec_support.py -+++ b/Lib/test/multibytecodec_support.py -@@ -305,29 +305,23 @@ def test_mapping_file(self): - self._test_mapping_file_plain() - - def _test_mapping_file_plain(self): -- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+')))) -+ def unichrs(s): -+ return ''.join(chr(int(x, 16)) for x in s.split('+')) -+ - urt_wa = {} - - with self.open_mapping_file() as f: - for line in f: - if not line: - break -- data = line.split('#')[0].strip().split() -+ data = line.split('#')[0].split() - if len(data) != 2: - continue - -- csetval = eval(data[0]) -- if csetval <= 0x7F: -- csetch = bytes([csetval & 0xff]) -- elif csetval >= 0x1000000: -- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff), -- ((csetval >> 8) & 0xff), (csetval & 0xff)]) -- elif csetval >= 0x10000: -- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff), -- (csetval & 0xff)]) -- elif csetval >= 0x100: -- csetch = bytes([(csetval >> 8), (csetval & 0xff)]) -- else: -+ if data[0][:2] != '0x': -+ self.fail(f"Invalid line: {line!r}") -+ csetch = bytes.fromhex(data[0][2:]) -+ if len(csetch) == 1 and 0x80 <= csetch[0]: - continue - - unich = unichrs(data[1]) -diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst -new file mode 100644 -index 0000000000000..4f9782f1c85af ---- /dev/null -+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst -@@ -0,0 +1 @@ -+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP. diff --git a/meta/recipes-devtools/python/python3_3.8.6.bb b/meta/recipes-devtools/python/python3_3.8.7.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.6.bb rename to meta/recipes-devtools/python/python3_3.8.7.bb index bf33fce891..11a69ea808 100644 --- a/meta/recipes-devtools/python/python3_3.8.6.bb +++ b/meta/recipes-devtools/python/python3_3.8.7.bb @@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-configure.ac-fix-LIBPL.patch \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ - file://CVE-2020-27619.patch \ file://CVE-2021-3177.patch \ " @@ -43,8 +42,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "69e73c49eeb1a853cefd26d18c9d069d" -SRC_URI[sha256sum] = "a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a" +SRC_URI[md5sum] = "60fe018fffc7f33818e6c340d29e2db9" +SRC_URI[sha256sum] = "ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 10/14] python3: upgrade 3.8.7 -> 3.8.8 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (8 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 09/14] python3: upgrade 3.8.6 -> 3.8.7 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 11/14] powertop: fix aclocal error too many loops Steve Sakoman ` (4 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: Feb. 19, 2021 Note: The release you're looking at is Python 3.8.8, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. Notable changes in Python 3.8.8 Earlier Python versions allowed using both ; and & as query parameter separators in urllib.parse.parse_qs() and urllib.parse.parse_qsl(). Due to security concerns, and to conform with newer W3C recommendations, this has been changed to allow only a single separator key, with & as the default. This change also affects cgi.parse() and cgi.parse_multipart() as they use the affected functions internally. For more details, please see their respective documentation. (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in bpo-42967.) License-Update: update copyright years Drop patches fixed in 3.8.8: - CVE-2021-3177 Fixes: CVE: CVE-2021-3426 CVE: CVE-2021-23336 References: https://www.python.org/downloads/release/python-388/ https://docs.python.org/release/3.8.8/whatsnew/changelog.html#changelog https://docs.python.org/3/whatsnew/3.8.html#notable-changes-in-python-3-8-8 https://nvd.nist.gov/vuln/detail/CVE-2021-3177 https://nvd.nist.gov/vuln/detail/CVE-2021-3426 Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../python/python3/CVE-2021-3177.patch | 191 ------------------ .../{python3_3.8.7.bb => python3_3.8.8.bb} | 7 +- 2 files changed, 3 insertions(+), 195 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch rename meta/recipes-devtools/python/{python3_3.8.7.bb => python3_3.8.8.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch deleted file mode 100644 index 43d678db46..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch +++ /dev/null @@ -1,191 +0,0 @@ -From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 18 Jan 2021 13:28:52 -0800 -Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode - formatting in ctypes param reprs. (GH-24248) - -(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) - -Co-authored-by: Benjamin Peterson <benjamin@python.org> - -Co-authored-by: Benjamin Peterson <benjamin@python.org> - -CVE: CVE-2021-3177 -Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f] -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> ---- - Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ - .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + - Modules/_ctypes/callproc.c | 51 +++++++------------ - 3 files changed, 64 insertions(+), 32 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst - -diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py -index e4c25fd880cef..531894fdec838 100644 ---- a/Lib/ctypes/test/test_parameters.py -+++ b/Lib/ctypes/test/test_parameters.py -@@ -201,6 +201,49 @@ def __dict__(self): - with self.assertRaises(ZeroDivisionError): - WorseStruct().__setstate__({}, b'foo') - -+ def test_parameter_repr(self): -+ from ctypes import ( -+ c_bool, -+ c_char, -+ c_wchar, -+ c_byte, -+ c_ubyte, -+ c_short, -+ c_ushort, -+ c_int, -+ c_uint, -+ c_long, -+ c_ulong, -+ c_longlong, -+ c_ulonglong, -+ c_float, -+ c_double, -+ c_longdouble, -+ c_char_p, -+ c_wchar_p, -+ c_void_p, -+ ) -+ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$") -+ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") -+ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") -+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") -+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") -+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") -+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") -+ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") -+ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") -+ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") -+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") -+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") -+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") -+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") -+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") -+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") -+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") -+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") -+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") -+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") -+ - ################################################################ - - if __name__ == '__main__': -diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -new file mode 100644 -index 0000000000000..7df65a156feab ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -@@ -0,0 +1,2 @@ -+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and -+:class:`ctypes.c_longdouble` values. -diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index a9b8675cd951b..de75918d49f37 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) - static PyObject * - PyCArg_repr(PyCArgObject *self) - { -- char buffer[256]; - switch(self->tag) { - case 'b': - case 'B': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.b); -- break; - case 'h': - case 'H': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.h); -- break; - case 'i': - case 'I': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.i); -- break; - case 'l': - case 'L': -- sprintf(buffer, "<cparam '%c' (%ld)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", - self->tag, self->value.l); -- break; - - case 'q': - case 'Q': -- sprintf(buffer, --#ifdef MS_WIN32 -- "<cparam '%c' (%I64d)>", --#else -- "<cparam '%c' (%lld)>", --#endif -+ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", - self->tag, self->value.q); -- break; - case 'd': -- sprintf(buffer, "<cparam '%c' (%f)>", -- self->tag, self->value.d); -- break; -- case 'f': -- sprintf(buffer, "<cparam '%c' (%f)>", -- self->tag, self->value.f); -- break; -- -+ case 'f': { -+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); -+ if (f == NULL) { -+ return NULL; -+ } -+ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); -+ Py_DECREF(f); -+ return result; -+ } - case 'c': - if (is_literal_char((unsigned char)self->value.c)) { -- sprintf(buffer, "<cparam '%c' ('%c')>", -+ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", - self->tag, self->value.c); - } - else { -- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", -+ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", - self->tag, (unsigned char)self->value.c); - } -- break; - - /* Hm, are these 'z' and 'Z' codes useful at all? - Shouldn't they be replaced by the functionality of c_string -@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) - case 'z': - case 'Z': - case 'P': -- sprintf(buffer, "<cparam '%c' (%p)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%p)>", - self->tag, self->value.p); - break; - - default: - if (is_literal_char((unsigned char)self->tag)) { -- sprintf(buffer, "<cparam '%c' at %p>", -+ return PyUnicode_FromFormat("<cparam '%c' at %p>", - (unsigned char)self->tag, (void *)self); - } - else { -- sprintf(buffer, "<cparam 0x%02x at %p>", -+ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", - (unsigned char)self->tag, (void *)self); - } -- break; - } -- return PyUnicode_FromString(buffer); - } - - static PyMemberDef PyCArgType_members[] = { - diff --git a/meta/recipes-devtools/python/python3_3.8.7.bb b/meta/recipes-devtools/python/python3_3.8.8.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.7.bb rename to meta/recipes-devtools/python/python3_3.8.8.bb index 11a69ea808..d77c7d87fb 100644 --- a/meta/recipes-devtools/python/python3_3.8.7.bb +++ b/meta/recipes-devtools/python/python3_3.8.8.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly LICENSE = "PSF-2.0 & BSD-0-Clause" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=33223c9ef60c31e3f0e866cb09b65e83" +LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-configure.ac-fix-LIBPL.patch \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ - file://CVE-2021-3177.patch \ " SRC_URI_append_class-native = " \ @@ -42,8 +41,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "60fe018fffc7f33818e6c340d29e2db9" -SRC_URI[sha256sum] = "ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a" +SRC_URI[md5sum] = "23e6b769857233c1ac07b6be7442eff4" +SRC_URI[sha256sum] = "7c664249ff77e443d6ea0e4cf0e587eae918ca3c48d081d1915fe2a1f1bcc5cc" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 11/14] powertop: fix aclocal error too many loops 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (9 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 10/14] python3: upgrade 3.8.7 -> 3.8.8 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 12/14] python3: upgrade 3.8.8 -> 3.8.9 Steve Sakoman ` (3 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Backport configure.ac patches to fix aclocal: error: too many loops Adds build dependency on autoconf-archive References: https://bugzilla.redhat.com/show_bug.cgi?id=1826935 Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...2-configure.ac-ax_add_fortify_source.patch | 70 +++++++++++++++++++ ...003-configure-Use-AX_REQUIRE_DEFINED.patch | 29 ++++++++ meta/recipes-kernel/powertop/powertop_2.10.bb | 8 ++- 3 files changed, 104 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch create mode 100644 meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch diff --git a/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch new file mode 100644 index 0000000000..4ccbdbfcd1 --- /dev/null +++ b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch @@ -0,0 +1,70 @@ +From 0d833743954ac1c58773cbf7a78fe0dc8105ae4a Mon Sep 17 00:00:00 2001 +From: Joe Konno <joe.konno@linux.intel.com> +Date: Tue, 11 Feb 2020 14:15:42 -0800 +Subject: [PATCH] configure.ac: ax_add_fortify_source + +Use a maintained autoconf-archive macro to determine whether we need to +add -D_FORTIFY_SOURCE=3D2, or if the underlying OS (or toolchain) has it +baked in. + +Signed-off-by: Joe Konno <joe.konno@intel.com> + +Fixes: + aclocal: error: too many loops + +Upstream-Status: Backport from 2.12 +Signed-off-by: Tim Orling <timothy.t.orling@intel.com> +--- + configure.ac | 2 +- + m4/gcc_fortify_source_cc.m4 | 29 ----------------------------- + 2 files changed, 1 insertion(+), 30 deletions(-) + delete mode 100644 m4/gcc_fortify_source_cc.m4 + +diff --git a/configure.ac b/configure.ac +index d6a15e1..d68369c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -36,7 +36,7 @@ AC_PROG_LIBTOOL + AC_PROG_CC + AC_PROG_INSTALL + AM_PROG_CC_C_O +-GCC_FORTIFY_SOURCE_CC ++AX_ADD_FORTIFY_SOURCE + AX_CXX_COMPILE_STDCXX_11([noext], [mandatory]) + + # Checks for libraries. +diff --git a/m4/gcc_fortify_source_cc.m4 b/m4/gcc_fortify_source_cc.m4 +deleted file mode 100644 +index 1206672..0000000 +--- a/m4/gcc_fortify_source_cc.m4 ++++ /dev/null +@@ -1,29 +0,0 @@ +-dnl GCC_FORTIFY_SOURCE_CC +-dnl checks -D_FORTIFY_SOURCE with the C++ compiler, if it exists then +-dnl updates CXXCPP +-AC_DEFUN([GCC_FORTIFY_SOURCE_CC],[ +- AC_LANG_ASSERT([C++]) +- AS_IF([test "X$CXX" != "X"], [ +- AC_MSG_CHECKING([for FORTIFY_SOURCE support]) +- fs_old_cxxcpp="$CXXCPP" +- fs_old_cxxflags="$CXXFLAGS" +- CXXCPP="$CXXCPP -D_FORTIFY_SOURCE=2" +- CXXFLAGS="$CXXFLAGS -Werror" +- AC_COMPILE_IFELSE([ +- AC_LANG_PROGRAM([[]], [[ +- int main(void) { +- #if !(__GNUC_PREREQ (4, 1) ) +- #error No FORTIFY_SOURCE support +- #endif +- return 0; +- } +- ]], [ +- AC_MSG_RESULT([yes]) +- ], [ +- AC_MSG_RESULT([no]) +- CXXCPP="$fs_old_cxxcpp" +- ]) +- ]) +- CXXFLAGS="$fs_old_cxxflags" +- ]) +-]) diff --git a/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch new file mode 100644 index 0000000000..ac728f4a39 --- /dev/null +++ b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch @@ -0,0 +1,29 @@ +From fbf74492236676e844b021b0dbb45b1ca43a0410 Mon Sep 17 00:00:00 2001 +From: David King <amigadave@amigadave.com> +Date: Thu, 15 Apr 2021 11:45:13 +0100 +Subject: [PATCH] configure: Use AX_REQUIRE_DEFINED + +Require additional macros to be defined early, to avoid an aclocal +"too many loops" error when copying macros. + +Upstream-Status: Backport from tip + +Signed-off-by: Tim Orling <ticotimo@gmail.com> +--- + configure.ac | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/configure.ac b/configure.ac +index d68369c..b90831b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -29,6 +29,9 @@ AM_GNU_GETTEXT([external]) + AM_GNU_GETTEXT_VERSION([0.18.2]) + + m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) ++AX_REQUIRE_DEFINED([AX_ADD_FORTIFY_SOURCE]) ++AX_REQUIRE_DEFINED([AX_CXX_COMPILE_STDCXX]) ++AX_REQUIRE_DEFINED([AX_PTHREAD]) + # Checks for programs. + AC_PROG_CPP + AC_PROG_CXX diff --git a/meta/recipes-kernel/powertop/powertop_2.10.bb b/meta/recipes-kernel/powertop/powertop_2.10.bb index f1b0e92b2b..ffa3b4685c 100644 --- a/meta/recipes-kernel/powertop/powertop_2.10.bb +++ b/meta/recipes-kernel/powertop/powertop_2.10.bb @@ -2,13 +2,15 @@ SUMMARY = "Power usage tool" DESCRIPTION = "Linux tool to diagnose issues with power consumption and power management." HOMEPAGE = "https://01.org/powertop/" BUGTRACKER = "https://app.devzing.com/powertopbugs/bugzilla" -DEPENDS = "ncurses libnl pciutils" +DEPENDS = "ncurses libnl pciutils autoconf-archive" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e" SRC_URI = "git://github.com/fenrus75/powertop;protocol=https \ - file://0001-wakeup_xxx.h-include-limits.h.patch \ -" + file://0001-wakeup_xxx.h-include-limits.h.patch \ + file://0002-configure.ac-ax_add_fortify_source.patch \ + file://0003-configure-Use-AX_REQUIRE_DEFINED.patch \ + " SRCREV = "e8765b5475b22b7a2b6e9e8a031c68a268a0b0b3" S = "${WORKDIR}/git" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 12/14] python3: upgrade 3.8.8 -> 3.8.9 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (10 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 11/14] powertop: fix aclocal error too many loops Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 13/14] python3: upgrade 3.8.9 -> 3.8.10 Steve Sakoman ` (2 subsequent siblings) 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: April 2, 2021 Note: The release you're looking at is Python 3.8.9, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. * Refresh test_local.py patch for upstream changes * Add DEPENDS on autoconf-archive: - bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros. References: https://www.python.org/downloads/release/python-389/ https://docs.python.org/release/3.8.9/whatsnew/changelog.html#python-3-8-9 https://bugs.python.org/issue43617 Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...le.py-correct-the-test-output-format.patch | 24 ++++++++++--------- .../{python3_3.8.8.bb => python3_3.8.9.bb} | 6 ++--- 2 files changed, 16 insertions(+), 14 deletions(-) rename meta/recipes-devtools/python/{python3_3.8.8.bb => python3_3.8.9.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch index 35b7e0c480..f9d2eadc11 100644 --- a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch +++ b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch @@ -1,6 +1,6 @@ -From b94995e0c694ec9561efec0d1a59b323340e6105 Mon Sep 17 00:00:00 2001 -From: Mingli Yu <mingli.yu@windriver.com> -Date: Mon, 5 Aug 2019 15:57:39 +0800 +From e11787d373baa6d7b0e0d94aff8ccd373203bfb1 Mon Sep 17 00:00:00 2001 +From: Tim Orling <ticotimo@gmail.com> +Date: Wed, 16 Jun 2021 07:49:52 -0700 Subject: [PATCH] test_locale.py: correct the test output format Before this patch: @@ -24,23 +24,25 @@ Before this patch: Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132] Signed-off-by: Mingli Yu <mingli.yu@windriver.com> + + +Refresh patch for upstream changes in 3.8.9 + +Signed-off-by: Tim Orling <timothy.t.orling@intel.com> --- Lib/test/test_locale.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py -index e2c2178..558d63c 100644 +index 39091c0..5050f3d 100644 --- a/Lib/test/test_locale.py +++ b/Lib/test/test_locale.py -@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase): +@@ -563,7 +563,7 @@ class TestMiscellaneous(unittest.TestCase): self.skipTest('test needs Turkish locale') loc = locale.getlocale(locale.LC_CTYPE) if verbose: - print('testing with %a' % (loc,), end=' ', flush=True) + print('testing with %a...' % (loc,), end=' ', flush=True) - locale.setlocale(locale.LC_CTYPE, loc) - self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE)) - --- -2.7.4 - + try: + locale.setlocale(locale.LC_CTYPE, loc) + except locale.Error as exc: diff --git a/meta/recipes-devtools/python/python3_3.8.8.bb b/meta/recipes-devtools/python/python3_3.8.9.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.8.bb rename to meta/recipes-devtools/python/python3_3.8.9.bb index d77c7d87fb..13d3b8e5b5 100644 --- a/meta/recipes-devtools/python/python3_3.8.8.bb +++ b/meta/recipes-devtools/python/python3_3.8.9.bb @@ -41,8 +41,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "23e6b769857233c1ac07b6be7442eff4" -SRC_URI[sha256sum] = "7c664249ff77e443d6ea0e4cf0e587eae918ca3c48d081d1915fe2a1f1bcc5cc" +SRC_URI[md5sum] = "51b5bbf2ab447e66d15af4883db1c133" +SRC_URI[sha256sum] = "5e391f3ec45da2954419cab0beaefd8be38895ea5ce33577c3ec14940c4b9572" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" @@ -72,7 +72,7 @@ ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}" -DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2" +DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive" DEPENDS_append_class-target = " python3-native" DEPENDS_append_class-nativesdk = " python3-native" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 13/14] python3: upgrade 3.8.9 -> 3.8.10 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (11 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 12/14] python3: upgrade 3.8.8 -> 3.8.9 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 14/14] python3-ptest: add newly discovered missing rdeps Steve Sakoman 2021-06-29 0:13 ` [dunfell 00/14] Patch review Minjae Kim 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Release Date: May 3, 2021 This is the tenth and final regular maintenance release of Python 3.8 Note: The release you're looking at is Python 3.8.10, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3. FIXME: AssertionError: Failed ptests: {'python3': ['test_record_extensions', 'test_build_ext']} References: https://www.python.org/downloads/release/python-3810/ https://docs.python.org/release/3.8.10/whatsnew/changelog.html Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../python/{python3_3.8.9.bb => python3_3.8.10.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3_3.8.9.bb => python3_3.8.10.bb} (99%) diff --git a/meta/recipes-devtools/python/python3_3.8.9.bb b/meta/recipes-devtools/python/python3_3.8.10.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.8.9.bb rename to meta/recipes-devtools/python/python3_3.8.10.bb index 13d3b8e5b5..91fbc672a1 100644 --- a/meta/recipes-devtools/python/python3_3.8.9.bb +++ b/meta/recipes-devtools/python/python3_3.8.10.bb @@ -41,8 +41,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "51b5bbf2ab447e66d15af4883db1c133" -SRC_URI[sha256sum] = "5e391f3ec45da2954419cab0beaefd8be38895ea5ce33577c3ec14940c4b9572" +SRC_URI[md5sum] = "d9eee4b20155553830a2025e4dcaa7b3" +SRC_URI[sha256sum] = "6af24a66093dd840bcccf371d4044a3027e655cf24591ce26e48022bc79219d9" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* [OE-core][dunfell 14/14] python3-ptest: add newly discovered missing rdeps 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (12 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 13/14] python3: upgrade 3.8.9 -> 3.8.10 Steve Sakoman @ 2021-06-28 15:05 ` Steve Sakoman 2021-06-29 0:13 ` [dunfell 00/14] Patch review Minjae Kim 14 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-28 15:05 UTC (permalink / raw) To: openembedded-core From: Tim Orling <timothy.t.orling@intel.com> Making ptest images based on core-image-minimal uncovered quite a few missing depenendcies from various recipes, here they are. (From OE-Core rev: 2cda6242f2f0f6f9c6bdef72bbb271eab7e5e1f5) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Backport to Python 3.8.10 (only python3 portion of patch) Signed-off-by: Tim Orling <timothy.t.orling@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/python/python3_3.8.10.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/python/python3_3.8.10.bb b/meta/recipes-devtools/python/python3_3.8.10.bb index 91fbc672a1..ae32ccc40e 100644 --- a/meta/recipes-devtools/python/python3_3.8.10.bb +++ b/meta/recipes-devtools/python/python3_3.8.10.bb @@ -331,6 +331,7 @@ PACKAGES =+ "libpython3 libpython3-staticdev" FILES_libpython3 = "${libdir}/libpython*.so.*" FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a" INSANE_SKIP_${PN}-dev += "dev-elf" +INSANE_SKIP_${PN}-ptest += "dev-deps" # catch all the rest (unsorted) PACKAGES += "${PN}-misc" @@ -346,7 +347,7 @@ FILES_${PN}-man = "${datadir}/man" # See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395 RDEPENDS_libpython3_append_libc-glibc = " libgcc" RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig" -RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed" +RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed" RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9" RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}" RDEPENDS_${PN}-dev = "" -- 2.25.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [dunfell 00/14] Patch review 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (13 preceding siblings ...) 2021-06-28 15:05 ` [OE-core][dunfell 14/14] python3-ptest: add newly discovered missing rdeps Steve Sakoman @ 2021-06-29 0:13 ` Minjae Kim 2021-06-29 14:09 ` [OE-core] " Steve Sakoman 14 siblings, 1 reply; 17+ messages in thread From: Minjae Kim @ 2021-06-29 0:13 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 185 bytes --] Hi Steve, How about this patch? I already tested on qemux86-64. https://lists.openembedded.org/g/openembedded-core/message/153284 Do I need more testing? Thanks, Minjae Kim. [-- Attachment #2: Type: text/html, Size: 303 bytes --] ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [OE-core] [dunfell 00/14] Patch review 2021-06-29 0:13 ` [dunfell 00/14] Patch review Minjae Kim @ 2021-06-29 14:09 ` Steve Sakoman 0 siblings, 0 replies; 17+ messages in thread From: Steve Sakoman @ 2021-06-29 14:09 UTC (permalink / raw) To: Minjae Kim; +Cc: Patches and discussions about the oe-core layer On Mon, Jun 28, 2021 at 2:13 PM Minjae Kim <flowergom@gmail.com> wrote: > How about this patch? I already tested on qemux86-64. > https://lists.openembedded.org/g/openembedded-core/message/153284 > Do I need more testing? It will be in the next set of patches. I haven't seen any issues on the autobuilder. Steve ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2021-06-29 14:10 UTC | newest] Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-06-28 15:05 [OE-core][dunfell 00/14] Patch review Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 01/14] uninative: Upgrade to 3.2 (gcc11 support) Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 02/14] expat: fix CVE-2013-0340 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 03/14] libxml2: Fix CVE-2021-3518 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 04/14] libx11: Fix CVE-2021-31535 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 05/14] python3: upgrade 3.8.2 -> 3.8.3 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 06/14] python3: upgrade 3.8.3 -> 3.8.4 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 07/14] python3: upgrade 3.8.4 -> 3.8.5 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 08/14] python3: upgrade 3.8.5 -> 3.8.6 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 09/14] python3: upgrade 3.8.6 -> 3.8.7 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 10/14] python3: upgrade 3.8.7 -> 3.8.8 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 11/14] powertop: fix aclocal error too many loops Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 12/14] python3: upgrade 3.8.8 -> 3.8.9 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 13/14] python3: upgrade 3.8.9 -> 3.8.10 Steve Sakoman 2021-06-28 15:05 ` [OE-core][dunfell 14/14] python3-ptest: add newly discovered missing rdeps Steve Sakoman 2021-06-29 0:13 ` [dunfell 00/14] Patch review Minjae Kim 2021-06-29 14:09 ` [OE-core] " Steve Sakoman
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.