From patchwork Tue Feb 23 13:50:31 2021
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1443496
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Tue, 23 Feb 2021 14:50:31 +0100
Message-Id: <20210223135031.23198-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/python3: security bump to version 3.9.2
Cc: Thomas Petazzoni, Benjamin Peterson, Asaf Kahlon

Fixes the following security issue:

- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
  query args separator
  https://bugs.python.org/issue42967

And fixes a number of issues. For details, see the changelog:

https://docs.python.org/release/3.9.2/whatsnew/changelog.html

Drop the now upstreamed security patch and update the license hash for a
change of copyright year:

-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;

Signed-off-by: Peter Korsgaard
---
 ...-Replace-snprintf-with-Python-unicod.patch | 190 ------------------
 package/python3/python3.hash                  |   8 +-
 package/python3/python3.mk                    |   5 +-
 3 files changed, 5 insertions(+), 198 deletions(-)
 delete mode 100644 package/python3/0035-closes-bpo-42938-Replace-snprintf-with-Python-unicod.patch
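As an added illustration of the CVE-2021-23336 behaviour change named in the commit message (example code written here, not part of the Buildroot patch or of CPython): on a fixed interpreter `parse_qsl()` splits only on `&` and takes an explicit `separator` argument, so a deployment can confirm it is running a fixed Python before relying on it. The names `split_query` and `semicolon_is_separator` and the sample query string are assumptions made for this example.

```python
"""Check whether the running interpreter carries the CVE-2021-23336 fix.

Before the fix, urllib.parse.parse_qs()/parse_qsl() split query strings on
both '&' and ';'. A cache keying on '&'-separated parameters therefore saw a
different parameter set than the application did. Python 3.9.2 splits on '&'
only and exposes an explicit `separator` argument.
"""
from urllib.parse import parse_qsl

# Constructed sample mixing both separator characters (not from the page).
SAMPLE_QUERY = "a=1;b=2&c=3"


def split_query(query, separator="&"):
    """Parse a query string with exactly one, explicitly chosen separator.

    Raises RuntimeError on an interpreter that predates the fix, where
    parse_qsl() has no `separator` argument and would silently split on ';'.
    """
    try:
        return parse_qsl(query, keep_blank_values=True, separator=separator)
    except TypeError:
        raise RuntimeError(
            "urllib.parse.parse_qsl() has no separator argument: "
            "this interpreter predates the CVE-2021-23336 fix"
        )


def semicolon_is_separator():
    """True if ';' still splits pairs (pre-fix behaviour), False when fixed."""
    return parse_qsl("a=1;b=2") == [("a", "1"), ("b", "2")]


if __name__ == "__main__":
    print("fixed interpreter:", not semicolon_is_separator())
    print("default '&' split:", split_query(SAMPLE_QUERY))
    print("explicit ';' split:", split_query(SAMPLE_QUERY, ";"))
```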
diff --git a/package/python3/0035-closes-bpo-42938-Replace-snprintf-with-Python-unicod.patch b/package/python3/0035-closes-bpo-42938-Replace-snprintf-with-Python-unicod.patch deleted file mode 100644 index 5f20265a23..0000000000 --- a/package/python3/0035-closes-bpo-42938-Replace-snprintf-with-Python-unicod.patch +++ /dev/null 
@@ -1,190 +0,0 @@ -From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 18 Jan 2021 13:29:31 -0800 -Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode - formatting in ctypes param reprs. (GH-24247) - -(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) - -Co-authored-by: Benjamin Peterson - -Co-authored-by: Benjamin Peterson -Signed-off-by: Peter Korsgaard ---- - Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ - .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + - Modules/_ctypes/callproc.c | 51 +++++++------------ - 3 files changed, 64 insertions(+), 32 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst - -diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py -index e4c25fd880..531894fdec 100644 ---- a/Lib/ctypes/test/test_parameters.py -+++ b/Lib/ctypes/test/test_parameters.py -@@ -201,6 +201,49 @@ class SimpleTypesTestCase(unittest.TestCase): - with self.assertRaises(ZeroDivisionError): - WorseStruct().__setstate__({}, b'foo') - -+ def test_parameter_repr(self): -+ from ctypes import ( -+ c_bool, -+ c_char, -+ c_wchar, -+ c_byte, -+ c_ubyte, -+ c_short, -+ c_ushort, -+ c_int, -+ c_uint, -+ c_long, -+ c_ulong, -+ c_longlong, -+ c_ulonglong, -+ c_float, -+ c_double, -+ c_longdouble, -+ c_char_p, -+ c_wchar_p, -+ c_void_p, -+ ) -+ self.assertRegex(repr(c_bool.from_param(True)), r"^$") -+ self.assertEqual(repr(c_char.from_param(97)), "") -+ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") -+ self.assertEqual(repr(c_byte.from_param(98)), "") -+ self.assertEqual(repr(c_ubyte.from_param(98)), "") -+ self.assertEqual(repr(c_short.from_param(511)), "") -+ self.assertEqual(repr(c_ushort.from_param(511)), "") -+ self.assertRegex(repr(c_int.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") -+ 
self.assertRegex(repr(c_long.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") -+ self.assertEqual(repr(c_float.from_param(1.5)), "") -+ self.assertEqual(repr(c_double.from_param(1.5)), "") -+ self.assertEqual(repr(c_double.from_param(1e300)), "") -+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") -+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") -+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") -+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") -+ - ################################################################ - - if __name__ == '__main__': -diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -new file mode 100644 -index 0000000000..7df65a156f ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -@@ -0,0 +1,2 @@ -+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and -+:class:`ctypes.c_longdouble` values. 
-diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index b0a36a3024..f2506de544 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -489,58 +489,47 @@ is_literal_char(unsigned char c) - static PyObject * - PyCArg_repr(PyCArgObject *self) - { -- char buffer[256]; - switch(self->tag) { - case 'b': - case 'B': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.b); -- break; - case 'h': - case 'H': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.h); -- break; - case 'i': - case 'I': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.i); -- break; - case 'l': - case 'L': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.l); -- break; - - case 'q': - case 'Q': -- sprintf(buffer, --#ifdef MS_WIN32 -- "", --#else -- "", --#endif -+ return PyUnicode_FromFormat("", - self->tag, self->value.q); -- break; - case 'd': -- sprintf(buffer, "", -- self->tag, self->value.d); -- break; -- case 'f': -- sprintf(buffer, "", -- self->tag, self->value.f); -- break; -- -+ case 'f': { -+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); -+ if (f == NULL) { -+ return NULL; -+ } -+ PyObject *result = PyUnicode_FromFormat("", self->tag, f); -+ Py_DECREF(f); -+ return result; -+ } - case 'c': - if (is_literal_char((unsigned char)self->value.c)) { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.c); - } - else { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, (unsigned char)self->value.c); - } -- break; - - /* Hm, are these 'z' and 'Z' codes useful at all? 
- Shouldn't they be replaced by the functionality of c_string -@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self) - case 'z': - case 'Z': - case 'P': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.p); - break; - - default: - if (is_literal_char((unsigned char)self->tag)) { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - (unsigned char)self->tag, (void *)self); - } - else { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - (unsigned char)self->tag, (void *)self); - } -- break; - } -- return PyUnicode_FromString(buffer); - } - - static PyMemberDef PyCArgType_members[] = { --- -2.20.1 - diff --git a/package/python3/python3.hash b/package/python3/python3.hash index 2165daffcc..753973721b 100644 --- a/package/python3/python3.hash +++ b/package/python3/python3.hash @@ -1,5 +1,5 @@ -# From https://www.python.org/downloads/release/python-391/ -md5 61981498e75ac8f00adcb908281fadb6 Python-3.9.1.tar.xz +# From https://www.python.org/downloads/release/python-392/ +md5 f0dc9000312abeb16de4eccce9a870ab Python-3.9.2.tar.xz # Locally computed -sha256 991c3f8ac97992f3d308fefeb03a64db462574eadbff34ce8bc5bb583d9903ff Python-3.9.1.tar.xz -sha256 1dceef1677a39befa8bf0285ab2db441ba117520bb2de839547ace006a17750d LICENSE +sha256 3c2034c54f811448f516668dce09d24008a0716c3a794dd8639b5388cbde247d Python-3.9.2.tar.xz +sha256 599826df92bfdcd2702eac691072498bb096c55af04ee984cf90f70ed77b5a70 LICENSE diff --git a/package/python3/python3.mk b/package/python3/python3.mk index e85e704626..63d6c3f535 100644 --- a/package/python3/python3.mk +++ b/package/python3/python3.mk 
@@ -5,15 +5,12 @@ ################################################################################ PYTHON3_VERSION_MAJOR = 3.9 -PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).1 +PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).2 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION) PYTHON3_LICENSE = Python-2.0, others PYTHON3_LICENSE_FILES = LICENSE -# 0035-closes-bpo-42938-Replace-snprintf-with-Python-unicod.patch -PYTHON3_IGNORE_CVES += CVE-2021-3177 - # This host Python is installed in $(HOST_DIR), as it is needed when # cross-compiling third-party Python modules.
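Review bot: the commit message says the dropped patch is "now upstreamed" but does not name the issue it closed; the deleted file 0035-closes-bpo-42938-Replace-snprintf-with-Python-unicod.patch records bpo-42938 and the upstream commit `916610ef90a0d0761f08747f7b0905541f0977c7` it was cherry-picked from, and the python3.mk hunk ties it to CVE-2021-3177. Name bpo-42938 and CVE-2021-3177 in the commit message alongside CVE-2021-23336, and confirm against the 3.9.2 changelog that bpo-42938 is included before merging, so the deletion is visibly a replacement of the local fix rather than a loss of it.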
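Review bot: the LICENSE sha256 in the python3.hash hunk changes from `1dceef16...` to `599826df...` with only the quoted copyright-year lines as justification; say in the commit message that the old and new LICENSE files were diffed and that the year line was the sole change, because a hash bump on its own cannot distinguish a year update from a change to the license terms. The tarball md5 is copied from the python.org release page while the sha256 is locally computed, as the file's comments state; keeping both preserves the one upstream-published value a reviewer can cross-check.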
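Review bot: removing `PYTHON3_IGNORE_CVES += CVE-2021-3177` together with its `# 0035-...patch` comment is the right follow-up to deleting the local patch, since the ignore entry existed only because the fix was carried out of tree and the 3.9.2 version string now lets the CVE matching identify the package as fixed on its own. Check that no other `IGNORE_CVES` entry in package/python3 refers to a local patch that this bump also makes stale, so that the version bump and the ignore list stay in step.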