[meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=8bit, Size: 4771 bytes --]

For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
---
 recipes-devtools/python/python.inc            |  1 +
 .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"

 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+           file://CVE-2019-9674.patch \
            "

 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+    Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[akuster]

On 2/16/21 7:23 AM, Rahul Taya wrote:
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>

Please add your signoff in the applying patches. see below for example.

Does this affect master or Gatesgarth?  What may avoid such questions is
by  adding  something like "Affects: < {version}" will convey that info.

Thanks for the patch.

-armin
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz]
> +CVE: CVE-2019-9674
> +Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>  <<<<----- somewhere in this area

I tend to do mine just after "cve:"

- armin

> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression failed.
> ++Such as allowable characters in the directory entries, length of the file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or killing the
> ++decompression process may result in incomplete decompression of the archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 5886 bytes --]

On Thu, Feb 18, 2021 at 07:19:53AM -0800, akuster wrote:
> 
> 
> On 2/16/21 7:23 AM, Rahul Taya wrote:
> > For python and python-native added patch to fix
> > CVE-2019-9674
> >
> > Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> 
> Please add your signoff in the applying patches. see below for example.
> 
> Does this affect master or Gatesgarth?  What may avoid such questions is
> by  adding  something like "Affects: < {version}" will convey that info.

python in meta-python2 is identical in dunfell/gatesgarth/master
branches, so it has to affect all of them.

> -armin
> > ---
> >  recipes-devtools/python/python.inc            |  1 +
> >  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
> >  2 files changed, 84 insertions(+)
> >  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
> >
> > diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
> > index a4ba0c5..787f23e 100644
> > --- a/recipes-devtools/python/python.inc
> > +++ b/recipes-devtools/python/python.inc
> > @@ -8,6 +8,7 @@ INC_PR = "r1"
> >  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
> >
> >  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> > +           file://CVE-2019-9674.patch \
> >             "
> >
> >  SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> > diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
> > new file mode 100644
> > index 0000000..647d9da
> > --- /dev/null
> > +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> > @@ -0,0 +1,83 @@
> > +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> > +From: JunWei Song <sungboss2004@gmail.com>
> > +Date: Wed, 11 Sep 2019 23:04:12 +0800
> > +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> > + (#13378)
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +* bpo-36260: Add pitfalls to zipfile module documentation
> > +
> > +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
> > +This gave us the idea of documentation improvement.
> > +
> > +So, we moved a little bit forward :P
> > +And the doc patch can be found (pr).
> > +
> > +* fix trailing whitespace
> > +
> > +* 📜🤖 Added by blurb_it.
> > +
> > +* Reformat text for consistency.
> > +
> > +Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz]
> > +CVE: CVE-2019-9674
> > +Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> > +Comment: From the original patch skipped changes for file
> > +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> > +as this file is not present in our source code.
> 
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>  <<<<----- somewhere in this area
> 
> I tend to do mine just after "cve:"
> 
> - armin
> 
> > +---
> > + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> > + 1 files changed, 41 insertions(+)
> > +
> > +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> > +index b421ea5..2e0a91d 100644
> > +--- a/Doc/library/zipfile.rst
> > ++++ b/Doc/library/zipfile.rst
> > +@@ -574,4 +574,45 @@ Instances have the following attributes:
> > +
> > +    Size of the uncompressed file.
> > +
> > ++Decompression pitfalls
> > ++----------------------
> > ++
> > ++The extraction in zipfile module might fail due to some pitfalls listed below.
> > ++
> > ++From file itself
> > ++~~~~~~~~~~~~~~~~
> > ++
> > ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
> > ++unsupported compression method / decryption.
> > ++
> > ++File System limitations
> > ++~~~~~~~~~~~~~~~~~~~~~~~
> > ++
> > ++Exceeding limitations on different file systems can cause decompression failed.
> > ++Such as allowable characters in the directory entries, length of the file name,
> > ++length of the pathname, size of a single file, and number of files, etc.
> > ++
> > ++Resources limitations
> > ++~~~~~~~~~~~~~~~~~~~~~
> > ++
> > ++The lack of memory or disk volume would lead to decompression
> > ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> > ++apply to zipfile library that can cause disk volume exhaustion.
> > ++
> > ++Interruption
> > ++~~~~~~~~~~~~
> > ++
> > ++Interruption during the decompression, such as pressing control-C or killing the
> > ++decompression process may result in incomplete decompression of the archive.
> > ++
> > ++Default behaviors of extraction
> > ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ++
> > ++Not knowing the default extraction behaviors
> > ++can cause unexpected decompression results.
> > ++For example, when extracting the same archive twice,
> > ++it overwrites files without asking.
> > ++
> > ++
> > ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> > + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> > --
> > 2.17.1
> >
> > This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
> >
> > 
> >
> 
> 

> 
> 
> 


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 201 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 5400 bytes --]

"git am" doesn't like those emoticons in the .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick it from
there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:

> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> 
>
>

[-- Attachment #2: Type: text/html, Size: 6736 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Attachment #1: Type: text/plain, Size: 8586 bytes --]

Hi Martin,

I removed the emoticons and uploaded the patch to my git repo pls access below link:

https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch


Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org>; Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

"git am" doesn't like those emoticons in the .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick it from there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
---
 recipes-devtools/python/python.inc            |  1 +
 .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"

 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061864315%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=M6wXm5CcCKV9DNpCZFzn54Uls82AIl5ds1lDgCBTY38%3D&reserved=0> \
+           file://CVE-2019-9674.patch \
            "

 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com<mailto:sungboss2004@gmail.com>>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061864315%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=d19urO6APEkZb6B9c7il0Slws2rhMYaFV0%2FYnzXlKXU%3D&reserved=0>]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061874305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=JwYkrj1hGsI2pQRU97lSDqHkKQIBVzFaTUIopntVqvo%3D&reserved=0>
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+    Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061874305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3hnU5mbEKRK4MYciikYhtHIM3Jf0QuIDPCJrG6Nih74%3D&reserved=0>
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061884298%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dpnrbk2pB1TxzEQEoEE8nKQuGWDxLr812e9%2FYBwYfHE%3D&reserved=0>
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.



This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 13510 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 9996 bytes --]

Hi,

normally you should fork meta-python2 and send a link to meta-python2
change I can cherry-pick, not the blob in otherwise empty repo.

But as I've said in previous reply, I've already manually applied your
change in meta-python2 master-next where it's now failing:

ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:

Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).


The context lines in the patches can be updated with devtool:

    devtool modify python-native
    devtool finish --force-patch-refresh python-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates
that patches do not apply cleanly. [patch-fuzz]


so I'll fix this as well, but next time please better test your
changes (nghttp2 patch also didn't apply, see my reply there, not sure
if you have fixed that in v2)


Regards,




On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> wrote:

> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo pls access
> below link:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it
> from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061864315%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=M6wXm5CcCKV9DNpCZFzn54Uls82AIl5ds1lDgCBTY38%3D&reserved=0>
> \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061864315%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=d19urO6APEkZb6B9c7il0Slws2rhMYaFV0%2FYnzXlKXU%3D&reserved=0>
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061874305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=JwYkrj1hGsI2pQRU97lSDqHkKQIBVzFaTUIopntVqvo%3D&reserved=0>
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061874305%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=3hnU5mbEKRK4MYciikYhtHIM3Jf0QuIDPCJrG6Nih74%3D&reserved=0>
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7Cbba977d6d9fe44e3c15d08d8d43295c6%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637492661061884298%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dpnrbk2pB1TxzEQEoEE8nKQuGWDxLr812e9%2FYBwYfHE%3D&reserved=0>
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> 
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>

[-- Attachment #2: Type: text/html, Size: 14118 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Attachment #1: Type: text/plain, Size: 11384 bytes --]

Hi Martin,

I have tested my changes before sending to you or ML i don’t know why it is failing now at your side.

Thanks and Regards,
Rahul

Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Martin Jansa <martin.jansa@gmail.com>
Sent: Thursday, February 25, 2021 8:25:50 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi,

normally you should fork meta-python2 and send a link to meta-python2 change I can cherry-pick, not the blob in otherwise empty repo.

But as I've said in previous reply, I've already manually applied your change in meta-python2 master-next where it's now failing:


ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:

Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).


The context lines in the patches can be updated with devtool:

    devtool modify python-native
    devtool finish --force-patch-refresh python-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]


so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)


Regards,



On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I removed the emoticons and uploaded the patch to my git repo pls access below link:

https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748074264%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qndZUNjt2mXpJv6EukwdQCDEYFZkSUbV38AP%2FQrcG30%3D&reserved=0>


Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>; Khem Raj <raj.khem@gmail.com<mailto:raj.khem@gmail.com>>; Nisha Parrakat <Nisha.Parrakat@kpit.com<mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com<mailto:Harpritkaur.Bhandari@kpit.com>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

"git am" doesn't like those emoticons in the .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick it from there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
---
 recipes-devtools/python/python.inc            |  1 +
 .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"

 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748084260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=kHGRcUbtYiE80jPSXSA1OrX6EcDTe2PP0bpSBRFyDyo%3D&reserved=0> \
+           file://CVE-2019-9674.patch \
            "

 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com<mailto:sungboss2004@gmail.com>>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748084260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=hDH63L6ISEUTBzc6FJzKsTnt74tsvDdAUijNSsrrT54%3D&reserved=0>]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748094253%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QM0y6ILLU8vDIBdLMC2vxuuJxStiYC4M7ZKUIzvh2NM%3D&reserved=0>
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+    Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748104250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=82Tp%2Fa2aYAafpAETzBuxKqwKZjKo1kqGrfMLqqm3luo%3D&reserved=0>
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748104250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=VxtIgbD8ZIPw1x23s5QxHEeE51CEvglHimXAY6PytiQ%3D&reserved=0>
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.



This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 18539 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 12024 bytes --]

Hi Rahul,

you probably don't have patch-fuzz in ERROR_QA and overlooked the warning
generated by this QA check which is by default only in WARN_QA.

Or you weren't testing it with master branch as the subject says it's for
dunfell, but it the python version is the same in master and dunfell, so
the warning should be triggered in both.

On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:

> Hi Martin,
>
> I have tested my changes before sending to you or ML i don’t know why it
> is failing now at your side.
>
> Thanks and Regards,
> Rahul
>
> Get Outlook for iOS <https://aka.ms/o0ukef>
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link to meta-python2
> change I can cherry-pick, not the blob in otherwise empty repo.
>
> But as I've said in previous reply, I've already manually applied your
> change in meta-python2 master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify python-native
>     devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
>
> so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
>
> Regards,
>
>
>
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo pls access
> below link:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748074264%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qndZUNjt2mXpJv6EukwdQCDEYFZkSUbV38AP%2FQrcG30%3D&reserved=0>
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it
> from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748084260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=kHGRcUbtYiE80jPSXSA1OrX6EcDTe2PP0bpSBRFyDyo%3D&reserved=0>
> \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748084260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=hDH63L6ISEUTBzc6FJzKsTnt74tsvDdAUijNSsrrT54%3D&reserved=0>
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748094253%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QM0y6ILLU8vDIBdLMC2vxuuJxStiYC4M7ZKUIzvh2NM%3D&reserved=0>
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748104250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=82Tp%2Fa2aYAafpAETzBuxKqwKZjKo1kqGrfMLqqm3luo%3D&reserved=0>
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C041bfdaed11b41468d7508d8d99d7992%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498617748104250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=VxtIgbD8ZIPw1x23s5QxHEeE51CEvglHimXAY6PytiQ%3D&reserved=0>
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> 
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>

[-- Attachment #2: Type: text/html, Size: 17419 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Attachment #1.1: Type: text/plain, Size: 13556 bytes --]

Hi Martin,

Yes i think you are right it can be possible that i overlooked or missed the warning.

Can you please tell me what i should do if a fuzz is detected while applying patch or i see some warning message ?


For nghttp patch please check attached screenshot this is the last message that i saw.
Can you tell me what next to do for that patch ?

Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com>
Sent: Thursday, February 25, 2021 10:33 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi Rahul,

you probably don't have patch-fuzz in ERROR_QA and overlooked the warning generated by this QA check which is by default only in WARN_QA.

Or you weren't testing it with master branch as the subject says it's for dunfell, but it the python version is the same in master and dunfell, so the warning should be triggered in both.

On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I have tested my changes before sending to you or ML i don’t know why it is failing now at your side.

Thanks and Regards,
Rahul

Get Outlook for iOS<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137102812%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=jTo9bMC2ioJ6cvgSOSvusesF5ocgD0Tp60TzTbUUXng%3D&reserved=0>
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 25, 2021 8:25:50 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi,

normally you should fork meta-python2 and send a link to meta-python2 change I can cherry-pick, not the blob in otherwise empty repo.

But as I've said in previous reply, I've already manually applied your change in meta-python2 master-next where it's now failing:


ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:

Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).


The context lines in the patches can be updated with devtool:

    devtool modify python-native
    devtool finish --force-patch-refresh python-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]


so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)


Regards,



On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I removed the emoticons and uploaded the patch to my git repo pls access below link:

https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137112808%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=EvHk3r1U8hghpCjnNQMuDMq7a1RQbu7IzQuUj6Ot5XY%3D&reserved=0>


Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>; Khem Raj <raj.khem@gmail.com<mailto:raj.khem@gmail.com>>; Nisha Parrakat <Nisha.Parrakat@kpit.com<mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com<mailto:Harpritkaur.Bhandari@kpit.com>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

"git am" doesn't like those emoticons in the .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick it from there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
---
 recipes-devtools/python/python.inc            |  1 +
 .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"

 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137112808%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=X%2BIj5Dzl7SPlyu%2FNw3WtSDFGKkwjJBa3yWqDYoj2dkM%3D&reserved=0> \
+           file://CVE-2019-9674.patch \
            "

 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com<mailto:sungboss2004@gmail.com>>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137122804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=I%2Bn%2FmGzNXMzBNmO7jxk3tRPASv6%2FE9OX9ypn8rxg5Zg%3D&reserved=0>]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137122804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=I%2Bn%2FmGzNXMzBNmO7jxk3tRPASv6%2FE9OX9ypn8rxg5Zg%3D&reserved=0>
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+    Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137132799%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=blZrwG834kAkxilemNsTQY3HDXP4RLbgN9e8SpVHON4%3D&reserved=0>
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137142788%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=EQe2u3Z%2FadRwhYjv6q5Y2ENne2EMG47gsAPp61OSxaQ%3D&reserved=0>
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.



This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #1.2: Type: text/html, Size: 23602 bytes --]

[-- Attachment #2: Screenshot from 2021-03-01 19-51-17.png --]
[-- Type: image/png, Size: 73992 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 14341 bytes --]

> Can you please tell me what i should do if a fuzz is detected while
applying patch or i see some warning message ?

The QA warning/error message about patch-fuzz shows you how to easily
resolve the fuzz with devtool.

If it doesn't apply at all (like that nghttp2 patch), then you need to
apply it manually by resolving all conflicts and then refresh the patch
file (I usually create a git repo in ${S} if it isn't there already from
SRC_URI, then manually apply the failing patch and then git format-patch
it).

On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:

> Hi Martin,
>
> Yes i think you are right it can be possible that i overlooked or missed
> the warning.
>
> Can you please tell me what i should do if a fuzz is detected while
> applying patch or i see some warning message ?
>
>
> For nghttp patch please check attached screenshot this is the last message
> that i saw.
> Can you tell me what next to do for that patch ?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 10:33 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi Rahul,
>
> you probably don't have patch-fuzz in ERROR_QA and overlooked the warning
> generated by this QA check which is by default only in WARN_QA.
>
> Or you weren't testing it with master branch as the subject says it's for
> dunfell, but it the python version is the same in master and dunfell, so
> the warning should be triggered in both.
>
> On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I have tested my changes before sending to you or ML i don’t know why it
> is failing now at your side.
>
> Thanks and Regards,
> Rahul
>
> Get Outlook for iOS
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137102812%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=jTo9bMC2ioJ6cvgSOSvusesF5ocgD0Tp60TzTbUUXng%3D&reserved=0>
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link to meta-python2
> change I can cherry-pick, not the blob in otherwise empty repo.
>
> But as I've said in previous reply, I've already manually applied your
> change in meta-python2 master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify python-native
>     devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
>
> so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
>
> Regards,
>
>
>
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo pls access
> below link:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137112808%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=EvHk3r1U8hghpCjnNQMuDMq7a1RQbu7IzQuUj6Ot5XY%3D&reserved=0>
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it
> from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137112808%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=X%2BIj5Dzl7SPlyu%2FNw3WtSDFGKkwjJBa3yWqDYoj2dkM%3D&reserved=0>
> \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137122804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=I%2Bn%2FmGzNXMzBNmO7jxk3tRPASv6%2FE9OX9ypn8rxg5Zg%3D&reserved=0>
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137122804%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=I%2Bn%2FmGzNXMzBNmO7jxk3tRPASv6%2FE9OX9ypn8rxg5Zg%3D&reserved=0>
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137132799%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=blZrwG834kAkxilemNsTQY3HDXP4RLbgN9e8SpVHON4%3D&reserved=0>
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C94256351f1fb463d886a08d8d9af44b8%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637498694137142788%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=EQe2u3Z%2FadRwhYjv6q5Y2ENne2EMG47gsAPp61OSxaQ%3D&reserved=0>
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> 
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>

[-- Attachment #2: Type: text/html, Size: 22819 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Attachment #1: Type: text/plain, Size: 15791 bytes --]

Hi Martin,

Firstlty i run : devtool modify python

this command applied all the patches in the source code.
After this when i run :

         devtool finish --force-patch-refresh <recipe> <layer_path>

where recipe = python and layer path = /workspace/sources/python

i'm getting message:  workspace/sources/python appears to be in the middle of 'git am' or 'git apply' - please resolve this first

Can you please help why i'm getting this and how to resolve it ?

Thanks and Regards,
Rahul Taya
________________________________
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> on behalf of Martin Jansa via lists.openembedded.org <Martin.Jansa=gmail.com@lists.openembedded.org>
Sent: Monday, March 1, 2021 8:16 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

> Can you please tell me what i should do if a fuzz is detected while applying patch or i see some warning message ?

The QA warning/error message about patch-fuzz shows you how to easily resolve the fuzz with devtool.

If it doesn't apply at all (like that nghttp2 patch), then you need to apply it manually by resolving all conflicts and then refresh the patch file (I usually create a git repo in ${S} if it isn't there already from SRC_URI, then manually apply the failing patch and then git format-patch it).

On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

Yes i think you are right it can be possible that i overlooked or missed the warning.

Can you please tell me what i should do if a fuzz is detected while applying patch or i see some warning message ?


For nghttp patch please check attached screenshot this is the last message that i saw.
Can you tell me what next to do for that patch ?

Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 25, 2021 10:33 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi Rahul,

you probably don't have patch-fuzz in ERROR_QA and overlooked the warning generated by this QA check which is by default only in WARN_QA.

Or you weren't testing it with master branch as the subject says it's for dunfell, but it the python version is the same in master and dunfell, so the warning should be triggered in both.

On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I have tested my changes before sending to you or ML i don’t know why it is failing now at your side.

Thanks and Regards,
Rahul

Get Outlook for iOS<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036671086%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=MPfsBf%2BvF%2FG5A8BqZRhXa7VxYOwvA7oSWokj4l%2BnBQs%3D&reserved=0>
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 25, 2021 8:25:50 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi,

normally you should fork meta-python2 and send a link to meta-python2 change I can cherry-pick, not the blob in otherwise empty repo.

But as I've said in previous reply, I've already manually applied your change in meta-python2 master-next where it's now failing:


ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:

Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).


The context lines in the patches can be updated with devtool:

    devtool modify python-native
    devtool finish --force-patch-refresh python-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]


so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)


Regards,



On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I removed the emoticons and uploaded the patch to my git repo pls access below link:

https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036681079%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=F8%2BYLk6kzSGFI0Un8Tk3C8pQXhgpbleUkcDhLkhUBRI%3D&reserved=0>


Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>; Khem Raj <raj.khem@gmail.com<mailto:raj.khem@gmail.com>>; Nisha Parrakat <Nisha.Parrakat@kpit.com<mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com<mailto:Harpritkaur.Bhandari@kpit.com>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

"git am" doesn't like those emoticons in the .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick it from there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
---
 recipes-devtools/python/python.inc            |  1 +
 .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"

 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036681079%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Agwev%2FNAmBIVpMFGVO43e9fodCQDP51na6X9vRcF220%3D&reserved=0> \
+           file://CVE-2019-9674.patch \
            "

 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com<mailto:sungboss2004@gmail.com>>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036691075%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xTmtwvOtDUoFvuP9MyBRE5Majy%2BcqtsU5qhT83ruVuU%3D&reserved=0>]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=USaFhHgPBdg4QgGHYpo9FRhLyBt2Rv3pPeOhkVYyhRo%3D&reserved=0>
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+    Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cpU3nEPoLWqOsKeDGTeSDXmMgYhKbgh96viKBG%2F%2BD1A%3D&reserved=0>
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036711063%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6r6U9Vm9nwtHzdnNnsBEmGw7tAIAot5uWkop%2FbEuKMg%3D&reserved=0>
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.



This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 29153 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 16381 bytes --]

Did you run "devtool modify python" twice? If the first call failed to
apply patches you need to go into workspace/sources/python and finish
applying it manually.

But as said in previous e-mails I've already updated your python patch to
apply cleanly (and it's in meta-python2/master-next), so I'm not sure what
you're trying to do now.

On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:

> Hi Martin,
>
> Firstlty i run : *devtool modify python*
>
> this command applied all the patches in the source code.
> After this when i run :
>
>          devtool finish --force-patch-refresh <recipe> <layer_path>
>
> where recipe = python and layer path = /workspace/sources/python
>
> i'm getting message:  *workspace/sources/python appears to be in the
> middle of 'git am' or 'git apply' - please resolve this first*
>
> Can you please help why i'm getting this and how to resolve it ?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* openembedded-devel@lists.openembedded.org <
> openembedded-devel@lists.openembedded.org> on behalf of Martin Jansa via
> lists.openembedded.org <Martin.Jansa=gmail.com@lists.openembedded.org>
> *Sent:* Monday, March 1, 2021 8:16 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> > Can you please tell me what i should do if a fuzz is detected while
> applying patch or i see some warning message ?
>
> The QA warning/error message about patch-fuzz shows you how to easily
> resolve the fuzz with devtool.
>
> If it doesn't apply at all (like that nghttp2 patch), then you need to
> apply it manually by resolving all conflicts and then refresh the patch
> file (I usually create a git repo in ${S} if it isn't there already from
> SRC_URI, then manually apply the failing patch and then git format-patch
> it).
>
> On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> Yes i think you are right it can be possible that i overlooked or missed
> the warning.
>
> Can you please tell me what i should do if a fuzz is detected while
> applying patch or i see some warning message ?
>
>
> For nghttp patch please check attached screenshot this is the last message
> that i saw.
> Can you tell me what next to do for that patch ?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 10:33 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi Rahul,
>
> you probably don't have patch-fuzz in ERROR_QA and overlooked the warning
> generated by this QA check which is by default only in WARN_QA.
>
> Or you weren't testing it with master branch as the subject says it's for
> dunfell, but it the python version is the same in master and dunfell, so
> the warning should be triggered in both.
>
> On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I have tested my changes before sending to you or ML i don’t know why it
> is failing now at your side.
>
> Thanks and Regards,
> Rahul
>
> Get Outlook for iOS
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036671086%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=MPfsBf%2BvF%2FG5A8BqZRhXa7VxYOwvA7oSWokj4l%2BnBQs%3D&reserved=0>
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link to meta-python2
> change I can cherry-pick, not the blob in otherwise empty repo.
>
> But as I've said in previous reply, I've already manually applied your
> change in meta-python2 master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify python-native
>     devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
>
> so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
>
> Regards,
>
>
>
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo pls access
> below link:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036681079%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=F8%2BYLk6kzSGFI0Un8Tk3C8pQXhgpbleUkcDhLkhUBRI%3D&reserved=0>
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it
> from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036681079%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Agwev%2FNAmBIVpMFGVO43e9fodCQDP51na6X9vRcF220%3D&reserved=0>
> \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036691075%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xTmtwvOtDUoFvuP9MyBRE5Majy%2BcqtsU5qhT83ruVuU%3D&reserved=0>
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=USaFhHgPBdg4QgGHYpo9FRhLyBt2Rv3pPeOhkVYyhRo%3D&reserved=0>
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cpU3nEPoLWqOsKeDGTeSDXmMgYhKbgh96viKBG%2F%2BD1A%3D&reserved=0>
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036711063%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6r6U9Vm9nwtHzdnNnsBEmGw7tAIAot5uWkop%2FbEuKMg%3D&reserved=0>
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
>
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>

[-- Attachment #2: Type: text/html, Size: 28031 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 19314 bytes --]

On Wed, Mar 3, 2021 at 4:26 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:

> Hi Martin,
>
> No i run devtool modify python only once and it applies the patch in
> source file.
>

Then you had to run "git am" manually in this directory and never finish?
you need to finish it or all git am --abort when you give up.

What i’ m not getting is how i generate a patch after this.
>  By taking git diff b/w the original source file and the patched file or
> what?
>

either "git format-patch" when you have applied the patch manually or
"devtool finish --force-patch-refresh ..." will call "git format-patch" for
you when devtool was able to apply the patch with just a fuzz.

Anyway you're still expected to review the changes in regenerated patch to
confirm that it still does what it was supposed to do.

Yes martin you applied my patch in master-next which is also required for
> dunfell.As i have other patches too i.e CVE-2019-20907 for python that i
> have sent and nghttp2 patch that’s why i thought to fix their warnings
> also using devtool and then send to you for applying.
>

I've already applied CVE-2019-20907 as well and fixed the patch-fuzz there,
will push it to master-next as well. I'll push it to gatesgarth-next and
dunfell-next as well.

And for nghttp2 patch I've sent the fix as well, see:
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0
which I've sent when your version of the patch was in dunfell-next, see:
https://lists.openembedded.org/g/openembedded-devel/message/89628

+oe-devel ML

*From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Wednesday, March 3, 2021 8:03:12 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel@lists.openembedded.org <
> openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Did you run "devtool modify python" twice? If the first call failed to
> apply patches you need to go into workspace/sources/python and finish
> applying it manually.
>
> But as said in previous e-mails I've already updated your python patch to
> apply cleanly (and it's in meta-python2/master-next), so I'm not sure what
> you're trying to do now.
>
> On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> Firstlty i run : *devtool modify python*
>
> this command applied all the patches in the source code.
> After this when i run :
>
>          devtool finish --force-patch-refresh <recipe> <layer_path>
>
> where recipe = python and layer path = /workspace/sources/python
>
> i'm getting message:  *workspace/sources/python appears to be in the
> middle of 'git am' or 'git apply' - please resolve this first*
>
> Can you please help why i'm getting this and how to resolve it ?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* openembedded-devel@lists.openembedded.org <
> openembedded-devel@lists.openembedded.org> on behalf of Martin Jansa via
> lists.openembedded.org
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.openembedded.org%2F&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090869534%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=JCevxk14rWrYeYG6NMjCKbEc%2FGV%2FAPjF%2FsyKHGa0vcw%3D&reserved=0>
> <Martin.Jansa=gmail.com@lists.openembedded.org>
> *Sent:* Monday, March 1, 2021 8:16 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> > Can you please tell me what i should do if a fuzz is detected while
> applying patch or i see some warning message ?
>
> The QA warning/error message about patch-fuzz shows you how to easily
> resolve the fuzz with devtool.
>
> If it doesn't apply at all (like that nghttp2 patch), then you need to
> apply it manually by resolving all conflicts and then refresh the patch
> file (I usually create a git repo in ${S} if it isn't there already from
> SRC_URI, then manually apply the failing patch and then git format-patch
> it).
>
> On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> Yes i think you are right it can be possible that i overlooked or missed
> the warning.
>
> Can you please tell me what i should do if a fuzz is detected while
> applying patch or i see some warning message ?
>
>
> For nghttp patch please check attached screenshot this is the last message
> that i saw.
> Can you tell me what next to do for that patch ?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 10:33 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi Rahul,
>
> you probably don't have patch-fuzz in ERROR_QA and overlooked the warning
> generated by this QA check which is by default only in WARN_QA.
>
> Or you weren't testing it with master branch as the subject says it's for
> dunfell, but it the python version is the same in master and dunfell, so
> the warning should be triggered in both.
>
> On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I have tested my changes before sending to you or ML i don’t know why it
> is failing now at your side.
>
> Thanks and Regards,
> Rahul
>
> Get Outlook for iOS
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090879514%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=8qwZgjGzXSFBpHQtW9NXg8Z2ndlebOn7CGMbUvCco9Y%3D&reserved=0>
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link to meta-python2
> change I can cherry-pick, not the blob in otherwise empty repo.
>
> But as I've said in previous reply, I've already manually applied your
> change in meta-python2 master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify python-native
>     devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
>
> so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
>
> Regards,
>
>
>
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo pls access
> below link:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090879514%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=eWAfxq3RnC58UC2fOdvLq%2BZ%2BdEqMY2jC4UC7QLVd7ow%3D&reserved=0>
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it
> from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090889508%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=a78O00g99NZRFABWXJxxEnYi0XNXth%2Bz%2FKSkSQHXWWg%3D&reserved=0>
> \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090889508%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=8WNO3k087HhZTbusKgNIz90vEXsLPFvvWYPAhBOZia0%3D&reserved=0>
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090899497%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=KVUivnPgsPMCcdqJYV2Zz4Xv1jdVaPvVoFNQtFl7RoQ%3D&reserved=0>
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090909491%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=yjgmXUObjQ3krrxYAcJ3351kmYUXBrDqWalvmaY4wxY%3D&reserved=0>
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C9193c43cbc274d86d5dc08d8de514df0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503788090909491%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=r%2FAlrrXc2JKLe%2Bj0WIXXq6NlwAjpkxpy5h6sYO3v%2FCg%3D&reserved=0>
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
>
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>

[-- Attachment #2: Type: text/html, Size: 33530 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Attachment #1: Type: text/plain, Size: 22115 bytes --]

Hi Martin,

Is there any update for nghttp2 CVE-2020-11080  fix that you have sent earlier ?
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614843758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qNySlF2ouK6IiAvo2J68imnOZRB66RjwjCGhTYCoAnw%3D&reserved=0>

I think it's still not merged.

Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com>
Sent: Wednesday, March 3, 2021 9:22 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

On Wed, Mar 3, 2021 at 4:26 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

No i run devtool modify python only once and it applies the patch in source file.

Then you had to run "git am" manually in this directory and never finish? you need to finish it or all git am --abort when you give up.

What i’ m not getting is how i generate a patch after this.
 By taking git diff b/w the original source file and the patched file or what?

either "git format-patch" when you have applied the patch manually or "devtool finish --force-patch-refresh ..." will call "git format-patch" for you when devtool was able to apply the patch with just a fuzz.

Anyway you're still expected to review the changes in regenerated patch to confirm that it still does what it was supposed to do.

Yes martin you applied my patch in master-next which is also required for dunfell.As i have other patches too i.e CVE-2019-20907 for python that i have sent and nghttp2 patch that’s why i thought to fix their warnings also using devtool and then send to you for applying.

I've already applied CVE-2019-20907 as well and fixed the patch-fuzz there, will push it to master-next as well. I'll push it to gatesgarth-next and dunfell-next as well.

And for nghttp2 patch I've sent the fix as well, see:
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614843758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qNySlF2ouK6IiAvo2J68imnOZRB66RjwjCGhTYCoAnw%3D&reserved=0>
which I've sent when your version of the patch was in dunfell-next, see:
https://lists.openembedded.org/g/openembedded-devel/message/89628<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fg%2Fopenembedded-devel%2Fmessage%2F89628&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614843758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dUbJ%2BoCGl7NtsJPluCH7LXWPAvlNWajSyDjZeXC3gjA%3D&reserved=0>

+oe-devel ML

From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Wednesday, March 3, 2021 8:03:12 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org> <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Did you run "devtool modify python" twice? If the first call failed to apply patches you need to go into workspace/sources/python and finish applying it manually.

But as said in previous e-mails I've already updated your python patch to apply cleanly (and it's in meta-python2/master-next), so I'm not sure what you're trying to do now.

On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

Firstlty i run : devtool modify python

this command applied all the patches in the source code.
After this when i run :

         devtool finish --force-patch-refresh <recipe> <layer_path>

where recipe = python and layer path = /workspace/sources/python

i'm getting message:  workspace/sources/python appears to be in the middle of 'git am' or 'git apply' - please resolve this first

Can you please help why i'm getting this and how to resolve it ?

Thanks and Regards,
Rahul Taya
________________________________
From: openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org> <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>> on behalf of Martin Jansa via lists.openembedded.org<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.openembedded.org%2F&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614853753%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fvYJtvQvNCvjys3z0icl%2Bg5BNhax0egcZWkemoHy1To%3D&reserved=0> <Martin.Jansa=gmail.com@lists.openembedded.org<mailto:gmail.com@lists.openembedded.org>>
Sent: Monday, March 1, 2021 8:16 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

> Can you please tell me what i should do if a fuzz is detected while applying patch or i see some warning message ?

The QA warning/error message about patch-fuzz shows you how to easily resolve the fuzz with devtool.

If it doesn't apply at all (like that nghttp2 patch), then you need to apply it manually by resolving all conflicts and then refresh the patch file (I usually create a git repo in ${S} if it isn't there already from SRC_URI, then manually apply the failing patch and then git format-patch it).

On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

Yes i think you are right it can be possible that i overlooked or missed the warning.

Can you please tell me what i should do if a fuzz is detected while applying patch or i see some warning message ?


For nghttp patch please check attached screenshot this is the last message that i saw.
Can you tell me what next to do for that patch ?

Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 25, 2021 10:33 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi Rahul,

you probably don't have patch-fuzz in ERROR_QA and overlooked the warning generated by this QA check which is by default only in WARN_QA.

Or you weren't testing it with master branch as the subject says it's for dunfell, but it the python version is the same in master and dunfell, so the warning should be triggered in both.

On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I have tested my changes before sending to you or ML i don’t know why it is failing now at your side.

Thanks and Regards,
Rahul

Get Outlook for iOS<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614853753%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=923piAM9LEXp054cWFKRMfu3HGdFb9RX5UVcchwZJWk%3D&reserved=0>
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 25, 2021 8:25:50 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

Hi,

normally you should fork meta-python2 and send a link to meta-python2 change I can cherry-pick, not the blob in otherwise empty repo.

But as I've said in previous reply, I've already manually applied your change in meta-python2 master-next where it's now failing:


ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:

Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).


The context lines in the patches can be updated with devtool:

    devtool modify python-native
    devtool finish --force-patch-refresh python-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]


so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)


Regards,



On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
Hi Martin,

I removed the emoticons and uploaded the patch to my git repo pls access below link:

https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614863746%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=CC%2BRWYUzuXwF6IuPmgo%2BBNYSam6ki%2BKf3opXGs4jpBw%3D&reserved=0>


Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <martin.jansa@gmail.com<mailto:martin.jansa@gmail.com>>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
Cc: openembedded-devel <openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>>; Khem Raj <raj.khem@gmail.com<mailto:raj.khem@gmail.com>>; Nisha Parrakat <Nisha.Parrakat@kpit.com<mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com<mailto:Harpritkaur.Bhandari@kpit.com>>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

"git am" doesn't like those emoticons in the .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick it from there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>> wrote:
For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com<mailto:Rahul.Taya@kpit.com>>
---
 recipes-devtools/python/python.inc            |  1 +
 .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"

 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614873740%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fZ5XDPu0Tyw92t%2FlJ1ilsBn76Fi4BUGsHy5upFtw20c%3D&reserved=0> \
+           file://CVE-2019-9674.patch \
            "

 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com<mailto:sungboss2004@gmail.com>>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614873740%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=TMC75PnOu04fyODBF8KdtXjUhmR0YfU4ncWRWTRiLQg%3D&reserved=0>]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614883733%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=anqhyt5ynucB%2FlVaUnLA6RWrl0GKlz3u34kqk4ZUlXE%3D&reserved=0>
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+    Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614893728%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=47O05DRkPnU6CjbSKXWLQuM%2BO4%2B2Q%2FwKFrdzmpqB%2FF0%3D&reserved=0>
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614893728%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=E9aClMux7AXNYYe36EdbrksrvWp57TbGEpeo%2BJefZBM%3D&reserved=0>
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.



This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 41642 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[akuster]

On 3/16/21 12:25 AM, Rahul Taya wrote:
> Hi Martin,
>
> Is there any update for nghttp2 CVE-2020-11080  fix that you have sent
> earlier ?
> https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614843758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qNySlF2ouK6IiAvo2J68imnOZRB66RjwjCGhTYCoAnw%3D&reserved=0>
>
> I think it's still not merged.

I took the v2 and its in dunfell-next.
-armin
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------------------------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Wednesday, March 3, 2021 9:22 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>; Nisha Parrakat
> <Nisha.Parrakat@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>  
> On Wed, Mar 3, 2021 at 4:26 PM Rahul Taya <Rahul.Taya@kpit.com
> <mailto:Rahul.Taya@kpit.com>> wrote:
>
>     Hi Martin,
>
>     No i run devtool modify python only once and it applies the patch
>     in source file.
>
>
> Then you had to run "git am" manually in this directory and never
> finish? you need to finish it or all git am --abort when you give up.
>
>     What i’ m not getting is how i generate a patch after this.
>      By taking git diff b/w the original source file and the patched
>     file or what?
>
>
> either "git format-patch" when you have applied the patch manually or
> "devtool finish --force-patch-refresh ..." will call "git
> format-patch" for you when devtool was able to apply the patch with
> just a fuzz.
>
> Anyway you're still expected to review the changes in regenerated
> patch to confirm that it still does what it was supposed to do.
>
>     Yes martin you applied my patch in master-next which is also
>     required for dunfell.As i have other patches too i.e
>     CVE-2019-20907 for python that i have sent and nghttp2 patch
>     that’s why i thought to fix their warnings also using devtool and
>     then send to you for applying.
>
>
> I've already applied CVE-2019-20907 as well and fixed the patch-fuzz
> there, will push it to master-next as well. I'll push it to
> gatesgarth-next and dunfell-next as well.
>
> And for nghttp2 patch I've sent the fix as well, see:
> https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614843758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=qNySlF2ouK6IiAvo2J68imnOZRB66RjwjCGhTYCoAnw%3D&reserved=0>
> which I've sent when your version of the patch was in dunfell-next, see:
> https://lists.openembedded.org/g/openembedded-devel/message/89628
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fg%2Fopenembedded-devel%2Fmessage%2F89628&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614843758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=dUbJ%2BoCGl7NtsJPluCH7LXWPAvlNWajSyDjZeXC3gjA%3D&reserved=0> 
>
> +oe-devel ML
>
>     *From:* Martin Jansa <martin.jansa@gmail.com
>     <mailto:martin.jansa@gmail.com>>
>     *Sent:* Wednesday, March 3, 2021 8:03:12 PM
>     *To:* Rahul Taya <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>>
>     *Cc:* openembedded-devel@lists.openembedded.org
>     <mailto:openembedded-devel@lists.openembedded.org>
>     <openembedded-devel@lists.openembedded.org
>     <mailto:openembedded-devel@lists.openembedded.org>>
>     *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix
>     for CVE-2019-9674
>      
>     Did you run "devtool modify python" twice? If the first call
>     failed to apply patches you need to go
>     into workspace/sources/python and finish applying it manually.
>
>     But as said in previous e-mails I've already updated your python
>     patch to apply cleanly (and it's in meta-python2/master-next), so
>     I'm not sure what you're trying to do now.
>
>     On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <Rahul.Taya@kpit.com
>     <mailto:Rahul.Taya@kpit.com>> wrote:
>
>         Hi Martin,
>
>         Firstlty i run : *devtool modify python*
>
>         this command applied all the patches in the source code.
>         After this when i run :
>
>                  devtool finish --force-patch-refresh <recipe> <layer_path>
>
>         where recipe = python and layer path = /workspace/sources/python
>
>         i'm getting message:  *workspace/sources/python appears to be
>         in the middle of 'git am' or 'git apply' - please resolve this
>         first*
>         *
>         *
>         Can you please help why i'm getting this and how to resolve it ?
>
>         Thanks and Regards,
>         Rahul Taya
>         ------------------------------------------------------------------------
>         *From:* openembedded-devel@lists.openembedded.org
>         <mailto:openembedded-devel@lists.openembedded.org>
>         <openembedded-devel@lists.openembedded.org
>         <mailto:openembedded-devel@lists.openembedded.org>> on behalf
>         of Martin Jansa via lists.openembedded.org
>         <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.openembedded.org%2F&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614853753%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fvYJtvQvNCvjys3z0icl%2Bg5BNhax0egcZWkemoHy1To%3D&reserved=0>
>         <Martin.Jansa=gmail.com@lists.openembedded.org
>         <mailto:gmail.com@lists.openembedded.org>>
>         *Sent:* Monday, March 1, 2021 8:16 PM
>         *To:* Rahul Taya <Rahul.Taya@kpit.com
>         <mailto:Rahul.Taya@kpit.com>>
>         *Cc:* openembedded-devel
>         <openembedded-devel@lists.openembedded.org
>         <mailto:openembedded-devel@lists.openembedded.org>>
>         *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add
>         fix for CVE-2019-9674
>          
>         > Can you please tell me what i should do if a fuzz is
>         detected while applying patch or i see some warning message ?
>
>         The QA warning/error message about patch-fuzz shows you how to
>         easily resolve the fuzz with devtool.
>
>         If it doesn't apply at all (like that nghttp2 patch), then you
>         need to apply it manually by resolving all conflicts and then
>         refresh the patch file (I usually create a git repo in ${S} if
>         it isn't there already from SRC_URI, then manually apply the
>         failing patch and then git format-patch it).
>
>         On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com
>         <mailto:Rahul.Taya@kpit.com>> wrote:
>
>             Hi Martin,
>
>             Yes i think you are right it can be possible that i
>             overlooked or missed the warning.
>
>             Can you please tell me what i should do if a fuzz is
>             detected while applying patch or i see some warning message ?
>
>
>             For nghttp patch please check attached screenshot this is
>             the last message that i saw.
>             Can you tell me what next to do for that patch ?
>
>             Thanks and Regards,
>             Rahul Taya
>             ------------------------------------------------------------------------
>             *From:* Martin Jansa <martin.jansa@gmail.com
>             <mailto:martin.jansa@gmail.com>>
>             *Sent:* Thursday, February 25, 2021 10:33 PM
>             *To:* Rahul Taya <Rahul.Taya@kpit.com
>             <mailto:Rahul.Taya@kpit.com>>
>             *Cc:* openembedded-devel
>             <openembedded-devel@lists.openembedded.org
>             <mailto:openembedded-devel@lists.openembedded.org>>
>             *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python:
>             Add fix for CVE-2019-9674
>              
>             Hi Rahul,
>
>             you probably don't have patch-fuzz in ERROR_QA and
>             overlooked the warning generated by this QA check which is
>             by default only in WARN_QA.
>
>             Or you weren't testing it with master branch as the
>             subject says it's for dunfell, but it the python version
>             is the same in master and dunfell, so the warning should
>             be triggered in both.
>
>             On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya
>             <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>> wrote:
>
>                 Hi Martin,
>
>                 I have tested my changes before sending to you or ML i
>                 don’t know why it is failing now at your side.
>
>                 Thanks and Regards,
>                 Rahul
>
>                 Get Outlook for iOS
>                 <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614853753%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=923piAM9LEXp054cWFKRMfu3HGdFb9RX5UVcchwZJWk%3D&reserved=0>
>                 ------------------------------------------------------------------------
>                 *From:* Martin Jansa <martin.jansa@gmail.com
>                 <mailto:martin.jansa@gmail.com>>
>                 *Sent:* Thursday, February 25, 2021 8:25:50 PM
>                 *To:* Rahul Taya <Rahul.Taya@kpit.com
>                 <mailto:Rahul.Taya@kpit.com>>
>                 *Cc:* openembedded-devel
>                 <openembedded-devel@lists.openembedded.org
>                 <mailto:openembedded-devel@lists.openembedded.org>>
>                 *Subject:* Re: [oe] [meta-python2][dunfell][PATCH]
>                 python: Add fix for CVE-2019-9674
>                  
>                 Hi,
>
>                 normally you should fork meta-python2 and send a link
>                 to meta-python2 change I can cherry-pick, not the blob
>                 in otherwise empty repo.
>
>                 But as I've said in previous reply, I've already
>                 manually applied your change in meta-python2
>                 master-next where it's now failing:
>
>                 ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
>                 Applying patch CVE-2019-9674.patch
>                 patching file Doc/library/zipfile.rst
>                 Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
>                 The context lines in the patches can be updated with devtool:
>
>                     devtool modify python-native
>                     devtool finish --force-patch-refresh python-native <layer_path>
>
>                 Don't forget to review changes done by devtool!
>
>                 ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
>                 so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
>                 Regards,
>
>
>
>
>                 On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya
>                 <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>> wrote:
>
>                     Hi Martin,
>
>                     I removed the emoticons and uploaded the patch to
>                     my git repo pls access below link:
>
>                     https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
>                     <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614863746%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=CC%2BRWYUzuXwF6IuPmgo%2BBNYSam6ki%2BKf3opXGs4jpBw%3D&reserved=0>
>
>
>                     Thanks and Regards,
>                     Rahul Taya
>                     ------------------------------------------------------------------------
>                     *From:* Martin Jansa <martin.jansa@gmail.com
>                     <mailto:martin.jansa@gmail.com>>
>                     *Sent:* Thursday, February 18, 2021 10:58 PM
>                     *To:* Rahul Taya <Rahul.Taya@kpit.com
>                     <mailto:Rahul.Taya@kpit.com>>
>                     *Cc:* openembedded-devel
>                     <openembedded-devel@lists.openembedded.org
>                     <mailto:openembedded-devel@lists.openembedded.org>>;
>                     Khem Raj <raj.khem@gmail.com
>                     <mailto:raj.khem@gmail.com>>; Nisha Parrakat
>                     <Nisha.Parrakat@kpit.com
>                     <mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur
>                     Bhandari <Harpritkaur.Bhandari@kpit.com
>                     <mailto:Harpritkaur.Bhandari@kpit.com>>
>                     *Subject:* Re: [oe] [meta-python2][dunfell][PATCH]
>                     python: Add fix for CVE-2019-9674
>                      
>                     "git am" doesn't like those emoticons in the
>                     .patch file..
>
>                     git am ~/py2/cur/16136689*
>                     error: cannot convert from 8bit to UTF-8
>                     fatal: could not parse patch
>
>                     either drop them or upload it to some git repo so
>                     I can cherry-pick it from there.
>
>                     On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya
>                     <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>>
>                     wrote:
>
>                         For python and python-native added patch to fix
>                         CVE-2019-9674
>
>                         Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com
>                         <mailto:Rahul.Taya@kpit.com>>
>                         ---
>                          recipes-devtools/python/python.inc           
>                         |  1 +
>                          .../python/python/CVE-2019-9674.patch       
>                          | 83 +++++++++++++++++++
>                          2 files changed, 84 insertions(+)
>                          create mode 100644
>                         recipes-devtools/python/python/CVE-2019-9674.patch
>
>                         diff --git
>                         a/recipes-devtools/python/python.inc
>                         b/recipes-devtools/python/python.inc
>                         index a4ba0c5..787f23e 100644
>                         --- a/recipes-devtools/python/python.inc
>                         +++ b/recipes-devtools/python/python.inc
>                         @@ -8,6 +8,7 @@ INC_PR = "r1"
>                          LIC_FILES_CHKSUM =
>                         "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>                          SRC_URI =
>                         "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
>                         <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614873740%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fZ5XDPu0Tyw92t%2FlJ1ilsBn76Fi4BUGsHy5upFtw20c%3D&reserved=0>
>                         \
>                         +           file://CVE-2019-9674.patch \
>                                     "
>
>                          SRC_URI[sha256sum] =
>                         "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
>                         diff --git
>                         a/recipes-devtools/python/python/CVE-2019-9674.patch
>                         b/recipes-devtools/python/python/CVE-2019-9674.patch
>                         new file mode 100644
>                         index 0000000..647d9da
>                         --- /dev/null
>                         +++
>                         b/recipes-devtools/python/python/CVE-2019-9674.patch
>                         @@ -0,0 +1,83 @@
>                         +From 3ba51d587f6897a45301ce9126300c14fcd4eba2
>                         Mon Sep 17 00:00:00 2001
>                         +From: JunWei Song <sungboss2004@gmail.com
>                         <mailto:sungboss2004@gmail.com>>
>                         +Date: Wed, 11 Sep 2019 23:04:12 +0800
>                         +Subject: [PATCH] bpo-36260: Add pitfalls to
>                         zipfile module documentation
>                         + (#13378)
>                         +MIME-Version: 1.0
>                         +Content-Type: text/plain; charset=UTF-8
>                         +Content-Transfer-Encoding: 8bit
>                         +
>                         +* bpo-36260: Add pitfalls to zipfile module
>                         documentation
>                         +
>                         +We saw vulnerability warning description
>                         (including zip bomb) in Doc/library/xml.rst file.
>                         +This gave us the idea of documentation
>                         improvement.
>                         +
>                         +So, we moved a little bit forward :P
>                         +And the doc patch can be found (pr).
>                         +
>                         +* fix trailing whitespace
>                         +
>                         +* 📜🤖 Added by blurb_it.
>                         +
>                         +* Reformat text for consistency.
>                         +
>                         +Upstream-Status:
>                         Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
>                         <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614873740%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=TMC75PnOu04fyODBF8KdtXjUhmR0YfU4ncWRWTRiLQg%3D&reserved=0>]
>                         +CVE: CVE-2019-9674
>                         +Link:
>                         http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
>                         <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614883733%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=anqhyt5ynucB%2FlVaUnLA6RWrl0GKlz3u34kqk4ZUlXE%3D&reserved=0>
>                         +Comment: From the original patch skipped
>                         changes for file
>                         +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
>                         +as this file is not present in our source code.
>                         +---
>                         + Doc/library/zipfile.rst                     
>                          | 41 +++++++++++++++++++
>                         + 1 files changed, 41 insertions(+)
>                         +
>                         +diff --git a/Doc/library/zipfile.rst
>                         b/Doc/library/zipfile.rst
>                         +index b421ea5..2e0a91d 100644
>                         +--- a/Doc/library/zipfile.rst
>                         ++++ b/Doc/library/zipfile.rst
>                         +@@ -574,4 +574,45 @@ Instances have the
>                         following attributes:
>                         +
>                         +    Size of the uncompressed file.
>                         +
>                         ++Decompression pitfalls
>                         ++----------------------
>                         ++
>                         ++The extraction in zipfile module might fail
>                         due to some pitfalls listed below.
>                         ++
>                         ++From file itself
>                         ++~~~~~~~~~~~~~~~~
>                         ++
>                         ++Decompression may fail due to incorrect
>                         password / CRC checksum / ZIP format or
>                         ++unsupported compression method / decryption.
>                         ++
>                         ++File System limitations
>                         ++~~~~~~~~~~~~~~~~~~~~~~~
>                         ++
>                         ++Exceeding limitations on different file
>                         systems can cause decompression failed.
>                         ++Such as allowable characters in the
>                         directory entries, length of the file name,
>                         ++length of the pathname, size of a single
>                         file, and number of files, etc.
>                         ++
>                         ++Resources limitations
>                         ++~~~~~~~~~~~~~~~~~~~~~
>                         ++
>                         ++The lack of memory or disk volume would lead
>                         to decompression
>                         ++failed. For example, decompression bombs
>                         (aka `ZIP bomb`_)
>                         ++apply to zipfile library that can cause disk
>                         volume exhaustion.
>                         ++
>                         ++Interruption
>                         ++~~~~~~~~~~~~
>                         ++
>                         ++Interruption during the decompression, such
>                         as pressing control-C or killing the
>                         ++decompression process may result in
>                         incomplete decompression of the archive.
>                         ++
>                         ++Default behaviors of extraction
>                         ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>                         ++
>                         ++Not knowing the default extraction behaviors
>                         ++can cause unexpected decompression results.
>                         ++For example, when extracting the same
>                         archive twice,
>                         ++it overwrites files without asking.
>                         ++
>                         ++
>                         ++.. _ZIP bomb:
>                         https://en.wikipedia.org/wiki/Zip_bomb
>                         <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614893728%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=47O05DRkPnU6CjbSKXWLQuM%2BO4%2B2Q%2FwKFrdzmpqB%2FF0%3D&reserved=0>
>                         + .. _PKZIP Application Note:
>                         https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
>                         <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C10953aac03c94ff4821808d8de5c5d97%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637503835614893728%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=E9aClMux7AXNYYe36EdbrksrvWp57TbGEpeo%2BJefZBM%3D&reserved=0>
>                         --
>                         2.17.1
>
>                         This message contains information that may be
>                         privileged or confidential and is the property
>                         of the KPIT Technologies Ltd. It is intended
>                         only for the person to whom it is addressed.
>                         If you are not the intended recipient, you are
>                         not authorized to read, print, retain copy,
>                         disseminate, distribute, or use this message
>                         or any part thereof. If you receive this
>                         message in error, please notify the sender
>                         immediately and delete all copies of this
>                         message. KPIT Technologies Ltd. does not
>                         accept any liability for virus infected mails.
>
>
>
>                     This message contains information that may be
>                     privileged or confidential and is the property of
>                     the KPIT Technologies Ltd. It is intended only for
>                     the person to whom it is addressed. If you are not
>                     the intended recipient, you are not authorized to
>                     read, print, retain copy, disseminate, distribute,
>                     or use this message or any part thereof. If you
>                     receive this message in error, please notify the
>                     sender immediately and delete all copies of this
>                     message. KPIT Technologies Ltd. does not accept
>                     any liability for virus infected mails.
>
>                 This message contains information that may be
>                 privileged or confidential and is the property of the
>                 KPIT Technologies Ltd. It is intended only for the
>                 person to whom it is addressed. If you are not the
>                 intended recipient, you are not authorized to read,
>                 print, retain copy, disseminate, distribute, or use
>                 this message or any part thereof. If you receive this
>                 message in error, please notify the sender immediately
>                 and delete all copies of this message. KPIT
>                 Technologies Ltd. does not accept any liability for
>                 virus infected mails.
>
>             This message contains information that may be privileged
>             or confidential and is the property of the KPIT
>             Technologies Ltd. It is intended only for the person to
>             whom it is addressed. If you are not the intended
>             recipient, you are not authorized to read, print, retain
>             copy, disseminate, distribute, or use this message or any
>             part thereof. If you receive this message in error, please
>             notify the sender immediately and delete all copies of
>             this message. KPIT Technologies Ltd. does not accept any
>             liability for virus infected mails.
>
>         This message contains information that may be privileged or
>         confidential and is the property of the KPIT Technologies Ltd.
>         It is intended only for the person to whom it is addressed. If
>         you are not the intended recipient, you are not authorized to
>         read, print, retain copy, disseminate, distribute, or use this
>         message or any part thereof. If you receive this message in
>         error, please notify the sender immediately and delete all
>         copies of this message. KPIT Technologies Ltd. does not accept
>         any liability for virus infected mails.
>
>     This message contains information that may be privileged or
>     confidential and is the property of the KPIT Technologies Ltd. It
>     is intended only for the person to whom it is addressed. If you
>     are not the intended recipient, you are not authorized to read,
>     print, retain copy, disseminate, distribute, or use this message
>     or any part thereof. If you receive this message in error, please
>     notify the sender immediately and delete all copies of this
>     message. KPIT Technologies Ltd. does not accept any liability for
>     virus infected mails.
>
> This message contains information that may be privileged or
> confidential and is the property of the KPIT Technologies Ltd. It is
> intended only for the person to whom it is addressed. If you are not
> the intended recipient, you are not authorized to read, print, retain
> copy, disseminate, distribute, or use this message or any part
> thereof. If you receive this message in error, please notify the
> sender immediately and delete all copies of this message. KPIT
> Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Rahul Taya]

[-- Attachment #1: Type: text/plain, Size: 35145 bytes --]

Hi Akuster,

Thanks for the update appreciate your help.

I think these 2 CVE patches are also required for Zeus branch.

Can you please apply it there also as i have mentioned in the patch that it affects
version < 1.41.0.

Thanks and Regards,
Rahul Taya
________________________________
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> on behalf of akuster via lists.openembedded.org <akuster808=gmail.com@lists.openembedded.org>
Sent: Wednesday, March 17, 2021 10:13 AM
To: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674





On 3/16/21 12:25 AM, Rahul Taya wrote:
> Hi Martin,
>
> Is there any update for nghttp2 CVE-2020-11080  fix that you have sent
> earlier ?
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195938437%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=ObeDQ1%2BH7hZU4D4TW4z5aRH%2FrLG1YXzKWpgMl2lqKA8%3D&amp;reserved=0
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195938437%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=ObeDQ1%2BH7hZU4D4TW4z5aRH%2FrLG1YXzKWpgMl2lqKA8%3D&amp;reserved=0>
>
> I think it's still not merged.

I took the v2 and its in dunfell-next.
-armin
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------------------------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Wednesday, March 3, 2021 9:22 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>; Nisha Parrakat
> <Nisha.Parrakat@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> On Wed, Mar 3, 2021 at 4:26 PM Rahul Taya <Rahul.Taya@kpit.com
> <mailto:Rahul.Taya@kpit.com>> wrote:
>
>     Hi Martin,
>
>     No i run devtool modify python only once and it applies the patch
>     in source file.
>
>
> Then you had to run "git am" manually in this directory and never
> finish? you need to finish it or all git am --abort when you give up.
>
>     What i’ m not getting is how i generate a patch after this.
>      By taking git diff b/w the original source file and the patched
>     file or what?
>
>
> either "git format-patch" when you have applied the patch manually or
> "devtool finish --force-patch-refresh ..." will call "git
> format-patch" for you when devtool was able to apply the patch with
> just a fuzz.
>
> Anyway you're still expected to review the changes in regenerated
> patch to confirm that it still does what it was supposed to do.
>
>     Yes martin you applied my patch in master-next which is also
>     required for dunfell.As i have other patches too i.e
>     CVE-2019-20907 for python that i have sent and nghttp2 patch
>     that’s why i thought to fix their warnings also using devtool and
>     then send to you for applying.
>
>
> I've already applied CVE-2019-20907 as well and fixed the patch-fuzz
> there, will push it to master-next as well. I'll push it to
> gatesgarth-next and dunfell-next as well.
>
> And for nghttp2 patch I've sent the fix as well, see:
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=xsbSFmazK%2B%2BE0wQMCLWSnsuhksSbQ%2FoAuaNHQlmU%2Bms%3D&amp;reserved=0
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.openembedded.org%2Fmeta-openembedded-contrib%2Fcommit%2F%3Fh%3Djansa%2Fdunfell%26id%3D3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=xsbSFmazK%2B%2BE0wQMCLWSnsuhksSbQ%2FoAuaNHQlmU%2Bms%3D&amp;reserved=0>
> which I've sent when your version of the patch was in dunfell-next, see:
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fg%2Fopenembedded-devel%2Fmessage%2F89628&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=QGhAlgm69bEyO0FPNPfpIDF25P%2F1igZNBXCvTF6oevY%3D&amp;reserved=0
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fg%2Fopenembedded-devel%2Fmessage%2F89628&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=QGhAlgm69bEyO0FPNPfpIDF25P%2F1igZNBXCvTF6oevY%3D&amp;reserved=0>
>
> +oe-devel ML
>
>     *From:* Martin Jansa <martin.jansa@gmail.com
>     <mailto:martin.jansa@gmail.com>>
>     *Sent:* Wednesday, March 3, 2021 8:03:12 PM
>     *To:* Rahul Taya <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>>
>     *Cc:* openembedded-devel@lists.openembedded.org
>     <mailto:openembedded-devel@lists.openembedded.org>
>     <openembedded-devel@lists.openembedded.org
>     <mailto:openembedded-devel@lists.openembedded.org>>
>     *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix
>     for CVE-2019-9674
>
>     Did you run "devtool modify python" twice? If the first call
>     failed to apply patches you need to go
>     into workspace/sources/python and finish applying it manually.
>
>     But as said in previous e-mails I've already updated your python
>     patch to apply cleanly (and it's in meta-python2/master-next), so
>     I'm not sure what you're trying to do now.
>
>     On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <Rahul.Taya@kpit.com
>     <mailto:Rahul.Taya@kpit.com>> wrote:
>
>         Hi Martin,
>
>         Firstlty i run : *devtool modify python*
>
>         this command applied all the patches in the source code.
>         After this when i run :
>
>                  devtool finish --force-patch-refresh <recipe> <layer_path>
>
>         where recipe = python and layer path = /workspace/sources/python
>
>         i'm getting message:  *workspace/sources/python appears to be
>         in the middle of 'git am' or 'git apply' - please resolve this
>         first*
>         *
>         *
>         Can you please help why i'm getting this and how to resolve it ?
>
>         Thanks and Regards,
>         Rahul Taya
>         ------------------------------------------------------------------------
>         *From:* openembedded-devel@lists.openembedded.org
>         <mailto:openembedded-devel@lists.openembedded.org>
>         <openembedded-devel@lists.openembedded.org
>         <mailto:openembedded-devel@lists.openembedded.org>> on behalf
>         of Martin Jansa via lists.openembedded.org
>         <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.openembedded.org%2F&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=fYx5J2wpRfE6LeqzbnrNkLZ4sL3KSM7W3FXni%2FDtTC0%3D&amp;reserved=0>
>         <Martin.Jansa=gmail.com@lists.openembedded.org
>         <mailto:gmail.com@lists.openembedded.org>>
>         *Sent:* Monday, March 1, 2021 8:16 PM
>         *To:* Rahul Taya <Rahul.Taya@kpit.com
>         <mailto:Rahul.Taya@kpit.com>>
>         *Cc:* openembedded-devel
>         <openembedded-devel@lists.openembedded.org
>         <mailto:openembedded-devel@lists.openembedded.org>>
>         *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add
>         fix for CVE-2019-9674
>
>         > Can you please tell me what i should do if a fuzz is
>         detected while applying patch or i see some warning message ?
>
>         The QA warning/error message about patch-fuzz shows you how to
>         easily resolve the fuzz with devtool.
>
>         If it doesn't apply at all (like that nghttp2 patch), then you
>         need to apply it manually by resolving all conflicts and then
>         refresh the patch file (I usually create a git repo in ${S} if
>         it isn't there already from SRC_URI, then manually apply the
>         failing patch and then git format-patch it).
>
>         On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com
>         <mailto:Rahul.Taya@kpit.com>> wrote:
>
>             Hi Martin,
>
>             Yes i think you are right it can be possible that i
>             overlooked or missed the warning.
>
>             Can you please tell me what i should do if a fuzz is
>             detected while applying patch or i see some warning message ?
>
>
>             For nghttp patch please check attached screenshot this is
>             the last message that i saw.
>             Can you tell me what next to do for that patch ?
>
>             Thanks and Regards,
>             Rahul Taya
>             ------------------------------------------------------------------------
>             *From:* Martin Jansa <martin.jansa@gmail.com
>             <mailto:martin.jansa@gmail.com>>
>             *Sent:* Thursday, February 25, 2021 10:33 PM
>             *To:* Rahul Taya <Rahul.Taya@kpit.com
>             <mailto:Rahul.Taya@kpit.com>>
>             *Cc:* openembedded-devel
>             <openembedded-devel@lists.openembedded.org
>             <mailto:openembedded-devel@lists.openembedded.org>>
>             *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python:
>             Add fix for CVE-2019-9674
>
>             Hi Rahul,
>
>             you probably don't have patch-fuzz in ERROR_QA and
>             overlooked the warning generated by this QA check which is
>             by default only in WARN_QA.
>
>             Or you weren't testing it with master branch as the
>             subject says it's for dunfell, but it the python version
>             is the same in master and dunfell, so the warning should
>             be triggered in both.
>
>             On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya
>             <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>> wrote:
>
>                 Hi Martin,
>
>                 I have tested my changes before sending to you or ML i
>                 don’t know why it is failing now at your side.
>
>                 Thanks and Regards,
>                 Rahul
>
>                 Get Outlook for iOS
>                 <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=K8y18HmJbO47jEv4XNH932mE%2B0QyT7wt1oH%2BbcZ7dmc%3D&amp;reserved=0>
>                 ------------------------------------------------------------------------
>                 *From:* Martin Jansa <martin.jansa@gmail.com
>                 <mailto:martin.jansa@gmail.com>>
>                 *Sent:* Thursday, February 25, 2021 8:25:50 PM
>                 *To:* Rahul Taya <Rahul.Taya@kpit.com
>                 <mailto:Rahul.Taya@kpit.com>>
>                 *Cc:* openembedded-devel
>                 <openembedded-devel@lists.openembedded.org
>                 <mailto:openembedded-devel@lists.openembedded.org>>
>                 *Subject:* Re: [oe] [meta-python2][dunfell][PATCH]
>                 python: Add fix for CVE-2019-9674
>
>                 Hi,
>
>                 normally you should fork meta-python2 and send a link
>                 to meta-python2 change I can cherry-pick, not the blob
>                 in otherwise empty repo.
>
>                 But as I've said in previous reply, I've already
>                 manually applied your change in meta-python2
>                 master-next where it's now failing:
>
>                 ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
>                 Applying patch CVE-2019-9674.patch
>                 patching file Doc/library/zipfile.rst
>                 Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
>                 The context lines in the patches can be updated with devtool:
>
>                     devtool modify python-native
>                     devtool finish --force-patch-refresh python-native <layer_path>
>
>                 Don't forget to review changes done by devtool!
>
>                 ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
>                 so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
>                 Regards,
>
>
>
>
>                 On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya
>                 <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>> wrote:
>
>                     Hi Martin,
>
>                     I removed the emoticons and uploaded the patch to
>                     my git repo pls access below link:
>
>                     https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195948434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=TvrhfQwvCCDTHu8%2BNvwUFBmVE%2B3wUDm3pvrtk%2FWrWwM%3D&amp;reserved=0
>                     <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FRahult9%2Fupstream_patch%2Fblob%2Fmain%2FCVE-2019-9674.patch&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=4tGGvUZsd4qTLg4%2BgJPEZnJ861DfmBW0xFMQSLvQ7S8%3D&amp;reserved=0>
>
>
>                     Thanks and Regards,
>                     Rahul Taya
>                     ------------------------------------------------------------------------
>                     *From:* Martin Jansa <martin.jansa@gmail.com
>                     <mailto:martin.jansa@gmail.com>>
>                     *Sent:* Thursday, February 18, 2021 10:58 PM
>                     *To:* Rahul Taya <Rahul.Taya@kpit.com
>                     <mailto:Rahul.Taya@kpit.com>>
>                     *Cc:* openembedded-devel
>                     <openembedded-devel@lists.openembedded.org
>                     <mailto:openembedded-devel@lists.openembedded.org>>;
>                     Khem Raj <raj.khem@gmail.com
>                     <mailto:raj.khem@gmail.com>>; Nisha Parrakat
>                     <Nisha.Parrakat@kpit.com
>                     <mailto:Nisha.Parrakat@kpit.com>>; Harpritkaur
>                     Bhandari <Harpritkaur.Bhandari@kpit.com
>                     <mailto:Harpritkaur.Bhandari@kpit.com>>
>                     *Subject:* Re: [oe] [meta-python2][dunfell][PATCH]
>                     python: Add fix for CVE-2019-9674
>
>                     "git am" doesn't like those emoticons in the
>                     .patch file..
>
>                     git am ~/py2/cur/16136689*
>                     error: cannot convert from 8bit to UTF-8
>                     fatal: could not parse patch
>
>                     either drop them or upload it to some git repo so
>                     I can cherry-pick it from there.
>
>                     On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya
>                     <Rahul.Taya@kpit.com <mailto:Rahul.Taya@kpit.com>>
>                     wrote:
>
>                         For python and python-native added patch to fix
>                         CVE-2019-9674
>
>                         Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com
>                         <mailto:Rahul.Taya@kpit.com>>
>                         ---
>                          recipes-devtools/python/python.inc
>                         |  1 +
>                          .../python/python/CVE-2019-9674.patch
>                          | 83 +++++++++++++++++++
>                          2 files changed, 84 insertions(+)
>                          create mode 100644
>                         recipes-devtools/python/python/CVE-2019-9674.patch
>
>                         diff --git
>                         a/recipes-devtools/python/python.inc
>                         b/recipes-devtools/python/python.inc
>                         index a4ba0c5..787f23e 100644
>                         --- a/recipes-devtools/python/python.inc
>                         +++ b/recipes-devtools/python/python.inc
>                         @@ -8,6 +8,7 @@ INC_PR = "r1"
>                          LIC_FILES_CHKSUM =
>                         "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>                          SRC_URI =
>                         "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=YgvZGm4S04pyLBIJ1uWZUBOFfwjncvYCBQqtxcpb%2Ffk%3D&amp;reserved=0{PV}/Python-${PV}.tar.xz
>                         <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=o8CLLBE3r1qCYvQCa0UnT%2F0YyrWtA%2FJTrF9qc4SI1C8%3D&amp;reserved=0>
>                         \
>                         +           file://CVE-2019-9674.patch \
>                                     "
>
>                          SRC_URI[sha256sum] =
>                         "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
>                         diff --git
>                         a/recipes-devtools/python/python/CVE-2019-9674.patch
>                         b/recipes-devtools/python/python/CVE-2019-9674.patch
>                         new file mode 100644
>                         index 0000000..647d9da
>                         --- /dev/null
>                         +++
>                         b/recipes-devtools/python/python/CVE-2019-9674.patch
>                         @@ -0,0 +1,83 @@
>                         +From 3ba51d587f6897a45301ce9126300c14fcd4eba2
>                         Mon Sep 17 00:00:00 2001
>                         +From: JunWei Song <sungboss2004@gmail.com
>                         <mailto:sungboss2004@gmail.com>>
>                         +Date: Wed, 11 Sep 2019 23:04:12 +0800
>                         +Subject: [PATCH] bpo-36260: Add pitfalls to
>                         zipfile module documentation
>                         + (#13378)
>                         +MIME-Version: 1.0
>                         +Content-Type: text/plain; charset=UTF-8
>                         +Content-Transfer-Encoding: 8bit
>                         +
>                         +* bpo-36260: Add pitfalls to zipfile module
>                         documentation
>                         +
>                         +We saw vulnerability warning description
>                         (including zip bomb) in Doc/library/xml.rst file.
>                         +This gave us the idea of documentation
>                         improvement.
>                         +
>                         +So, we moved a little bit forward :P
>                         +And the doc patch can be found (pr).
>                         +
>                         +* fix trailing whitespace
>                         +
>                         +* 📜🤖 Added by blurb_it.
>                         +
>                         +* Reformat text for consistency.
>                         +
>                         +Upstream-Status:
>                         Backport[https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&amp;reserved=0
>                         <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&amp;reserved=0>]
>                         +CVE: CVE-2019-9674
>                         +Link:
>                         https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&amp;reserved=0
>                         <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&amp;reserved=0>
>                         +Comment: From the original patch skipped
>                         changes for file
>                         +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
>                         +as this file is not present in our source code.
>                         +---
>                         + Doc/library/zipfile.rst
>                          | 41 +++++++++++++++++++
>                         + 1 files changed, 41 insertions(+)
>                         +
>                         +diff --git a/Doc/library/zipfile.rst
>                         b/Doc/library/zipfile.rst
>                         +index b421ea5..2e0a91d 100644
>                         +--- a/Doc/library/zipfile.rst
>                         ++++ b/Doc/library/zipfile.rst
>                         +@@ -574,4 +574,45 @@ Instances have the
>                         following attributes:
>                         +
>                         +    Size of the uncompressed file.
>                         +
>                         ++Decompression pitfalls
>                         ++----------------------
>                         ++
>                         ++The extraction in zipfile module might fail
>                         due to some pitfalls listed below.
>                         ++
>                         ++From file itself
>                         ++~~~~~~~~~~~~~~~~
>                         ++
>                         ++Decompression may fail due to incorrect
>                         password / CRC checksum / ZIP format or
>                         ++unsupported compression method / decryption.
>                         ++
>                         ++File System limitations
>                         ++~~~~~~~~~~~~~~~~~~~~~~~
>                         ++
>                         ++Exceeding limitations on different file
>                         systems can cause decompression failed.
>                         ++Such as allowable characters in the
>                         directory entries, length of the file name,
>                         ++length of the pathname, size of a single
>                         file, and number of files, etc.
>                         ++
>                         ++Resources limitations
>                         ++~~~~~~~~~~~~~~~~~~~~~
>                         ++
>                         ++The lack of memory or disk volume would lead
>                         to decompression
>                         ++failed. For example, decompression bombs
>                         (aka `ZIP bomb`_)
>                         ++apply to zipfile library that can cause disk
>                         volume exhaustion.
>                         ++
>                         ++Interruption
>                         ++~~~~~~~~~~~~
>                         ++
>                         ++Interruption during the decompression, such
>                         as pressing control-C or killing the
>                         ++decompression process may result in
>                         incomplete decompression of the archive.
>                         ++
>                         ++Default behaviors of extraction
>                         ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>                         ++
>                         ++Not knowing the default extraction behaviors
>                         ++can cause unexpected decompression results.
>                         ++For example, when extracting the same
>                         archive twice,
>                         ++it overwrites files without asking.
>                         ++
>                         ++
>                         ++.. _ZIP bomb:
>                         https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=NincL7zuqCKvA8QsLsyaaOZnhMw38Rd%2FEuy4gs7A7y0%3D&amp;reserved=0
>                         <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=NincL7zuqCKvA8QsLsyaaOZnhMw38Rd%2FEuy4gs7A7y0%3D&amp;reserved=0>
>                         + .. _PKZIP Application Note:
>                         https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=60Az8NdjIo%2F9gbQMWhnSgHZE9WtnAfcCmo0d25HexUc%3D&amp;reserved=0
>                         <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&amp;data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=60Az8NdjIo%2F9gbQMWhnSgHZE9WtnAfcCmo0d25HexUc%3D&amp;reserved=0>
>                         --
>                         2.17.1
>
>                         This message contains information that may be
>                         privileged or confidential and is the property
>                         of the KPIT Technologies Ltd. It is intended
>                         only for the person to whom it is addressed.
>                         If you are not the intended recipient, you are
>                         not authorized to read, print, retain copy,
>                         disseminate, distribute, or use this message
>                         or any part thereof. If you receive this
>                         message in error, please notify the sender
>                         immediately and delete all copies of this
>                         message. KPIT Technologies Ltd. does not
>                         accept any liability for virus infected mails.
>
>
>
>                     This message contains information that may be
>                     privileged or confidential and is the property of
>                     the KPIT Technologies Ltd. It is intended only for
>                     the person to whom it is addressed. If you are not
>                     the intended recipient, you are not authorized to
>                     read, print, retain copy, disseminate, distribute,
>                     or use this message or any part thereof. If you
>                     receive this message in error, please notify the
>                     sender immediately and delete all copies of this
>                     message. KPIT Technologies Ltd. does not accept
>                     any liability for virus infected mails.
>
>                 This message contains information that may be
>                 privileged or confidential and is the property of the
>                 KPIT Technologies Ltd. It is intended only for the
>                 person to whom it is addressed. If you are not the
>                 intended recipient, you are not authorized to read,
>                 print, retain copy, disseminate, distribute, or use
>                 this message or any part thereof. If you receive this
>                 message in error, please notify the sender immediately
>                 and delete all copies of this message. KPIT
>                 Technologies Ltd. does not accept any liability for
>                 virus infected mails.
>
>             This message contains information that may be privileged
>             or confidential and is the property of the KPIT
>             Technologies Ltd. It is intended only for the person to
>             whom it is addressed. If you are not the intended
>             recipient, you are not authorized to read, print, retain
>             copy, disseminate, distribute, or use this message or any
>             part thereof. If you receive this message in error, please
>             notify the sender immediately and delete all copies of
>             this message. KPIT Technologies Ltd. does not accept any
>             liability for virus infected mails.
>
>         This message contains information that may be privileged or
>         confidential and is the property of the KPIT Technologies Ltd.
>         It is intended only for the person to whom it is addressed. If
>         you are not the intended recipient, you are not authorized to
>         read, print, retain copy, disseminate, distribute, or use this
>         message or any part thereof. If you receive this message in
>         error, please notify the sender immediately and delete all
>         copies of this message. KPIT Technologies Ltd. does not accept
>         any liability for virus infected mails.
>
>     This message contains information that may be privileged or
>     confidential and is the property of the KPIT Technologies Ltd. It
>     is intended only for the person to whom it is addressed. If you
>     are not the intended recipient, you are not authorized to read,
>     print, retain copy, disseminate, distribute, or use this message
>     or any part thereof. If you receive this message in error, please
>     notify the sender immediately and delete all copies of this
>     message. KPIT Technologies Ltd. does not accept any liability for
>     virus infected mails.
>
> This message contains information that may be privileged or
> confidential and is the property of the KPIT Technologies Ltd. It is
> intended only for the person to whom it is addressed. If you are not
> the intended recipient, you are not authorized to read, print, retain
> copy, disseminate, distribute, or use this message or any part
> thereof. If you receive this message in error, please notify the
> sender immediately and delete all copies of this message. KPIT
> Technologies Ltd. does not accept any liability for virus infected mails.
>
>
>

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 86317 bytes --]

Re: Private: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 1030 bytes --]

Hi,

you patch has:
Content-Type: text/plain; charset=8bit
Content-Transfer-Encoding: quoted-printable

and git am doesn't handle it

$ git am python2/cur/1614253357.R13620585686638879435.jama\:2\,RS
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

if I manually change it to
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

like most other patches have, then it works, that's why I've asked you to
fix your e-mail client/server or git push it somewhere so I can just
cherry-pick from there.

Anyway I've manually applied it to master-next with Backport URL
http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
replaced with:
https://github.com/python/cpython/commit/3ba51d587f6897a45301ce9126300c14fcd4eba2

Adding oe-devel ML.

Regards,

On Thu, Feb 25, 2021 at 8:36 AM <Rahult9@kpit.com> wrote:

> Hi Martin,
>
> So do you need this patch in UTF-8 format ?
>
> Thanks,
> Rahul Taya

[-- Attachment #2: Type: text/html, Size: 1780 bytes --]

Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674

[Anuj Mittal]

On Tue, 2021-02-16 at 20:53 +0530, Rahul Taya wrote:
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status:
> Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> ]

It looks like this is just a documentation change that is changing a
file that I don't think we package. Is this something that we should
care about?

Thanks,

Anuj