Release Date: Feb. 19, 2021 Note: The release you're looking at is Python 3.8.8, a bugfix release for the legacy 3.8 series. Python 3.9 is now the latest feature release series of Python 3.
Notable changes in Python 3.8.8 Earlier Python versions allowed using both ; and & as query parameter separators in urllib.parse.parse_qs() and urllib.parse.parse_qsl(). Due to security concerns, and to conform with newer W3C recommendations, this has been changed to allow only a single separator key, with & as the default. This change also affects cgi.parse() and cgi.parse_multipart() as they use the affected functions internally. For more details, please see their respective documentation. (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in bpo-42967.) License-Update: update copyright years Drop patches fixed in 3.8.8: - CVE-2021-3177 Fixes: CVE: CVE-2021-3426 CVE: CVE-2021-23336 References: https://www.python.org/downloads/release/python-388/ https://docs.python.org/release/3.8.8/whatsnew/changelog.html#changelog https://docs.python.org/3/whatsnew/3.8.html#notable-changes-in-python-3-8-8 https://nvd.nist.gov/vuln/detail/CVE-2021-3177 https://nvd.nist.gov/vuln/detail/CVE-2021-3426 Signed-off-by: Tim Orling <timothy.t.orl...@intel.com> --- .../python/python3/CVE-2021-3177.patch | 191 ------------------ .../{python3_3.8.7.bb => python3_3.8.8.bb} | 7 +- 2 files changed, 3 insertions(+), 195 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch rename meta/recipes-devtools/python/{python3_3.8.7.bb => python3_3.8.8.bb} (98%) diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch deleted file mode 100644 index 43d678db467..00000000000 --- a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch +++ /dev/null @@ -1,191 +0,0 @@ -From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-isling...@users.noreply.github.com> -Date: Mon, 18 Jan 2021 13:28:52 -0800 -Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode - formatting in ctypes param reprs. (GH-24248) - -(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) - -Co-authored-by: Benjamin Peterson <benja...@python.org> - -Co-authored-by: Benjamin Peterson <benja...@python.org> - -CVE: CVE-2021-3177 -Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f] -Signed-off-by: Anuj Mittal <anuj.mit...@intel.com> ---- - Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ - .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + - Modules/_ctypes/callproc.c | 51 +++++++------------ - 3 files changed, 64 insertions(+), 32 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst - -diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py -index e4c25fd880cef..531894fdec838 100644 ---- a/Lib/ctypes/test/test_parameters.py -+++ b/Lib/ctypes/test/test_parameters.py -@@ -201,6 +201,49 @@ def __dict__(self): - with self.assertRaises(ZeroDivisionError): - WorseStruct().__setstate__({}, b'foo') - -+ def test_parameter_repr(self): -+ from ctypes import ( -+ c_bool, -+ c_char, -+ c_wchar, -+ c_byte, -+ c_ubyte, -+ c_short, -+ c_ushort, -+ c_int, -+ c_uint, -+ c_long, -+ c_ulong, -+ c_longlong, -+ c_ulonglong, -+ c_float, -+ c_double, -+ c_longdouble, -+ c_char_p, -+ c_wchar_p, -+ c_void_p, -+ ) -+ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$") -+ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") -+ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") -+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") -+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") -+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") -+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") -+ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") -+ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") -+ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") -+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") -+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") -+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") -+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") -+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") -+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") -+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") -+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") -+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") -+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") -+ - ################################################################ - - if __name__ == '__main__': -diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -new file mode 100644 -index 0000000000000..7df65a156feab ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -@@ -0,0 +1,2 @@ -+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and -+:class:`ctypes.c_longdouble` values. -diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index a9b8675cd951b..de75918d49f37 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) - static PyObject * - PyCArg_repr(PyCArgObject *self) - { -- char buffer[256]; - switch(self->tag) { - case 'b': - case 'B': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.b); -- break; - case 'h': - case 'H': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.h); -- break; - case 'i': - case 'I': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.i); -- break; - case 'l': - case 'L': -- sprintf(buffer, "<cparam '%c' (%ld)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", - self->tag, self->value.l); -- break; - - case 'q': - case 'Q': -- sprintf(buffer, --#ifdef MS_WIN32 -- "<cparam '%c' (%I64d)>", --#else -- "<cparam '%c' (%lld)>", --#endif -+ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", - self->tag, self->value.q); -- break; - case 'd': -- sprintf(buffer, "<cparam '%c' (%f)>", -- self->tag, self->value.d); -- break; -- case 'f': -- sprintf(buffer, "<cparam '%c' (%f)>", -- self->tag, self->value.f); -- break; -- -+ case 'f': { -+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); -+ if (f == NULL) { -+ return NULL; -+ } -+ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); -+ Py_DECREF(f); -+ return result; -+ } - case 'c': - if (is_literal_char((unsigned char)self->value.c)) { -- sprintf(buffer, "<cparam '%c' ('%c')>", -+ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", - self->tag, self->value.c); - } - else { -- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", -+ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", - self->tag, (unsigned char)self->value.c); - } -- break; - - /* Hm, are these 'z' and 'Z' codes useful at all? - Shouldn't they be replaced by the functionality of c_string -@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) - case 'z': - case 'Z': - case 'P': -- sprintf(buffer, "<cparam '%c' (%p)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%p)>", - self->tag, self->value.p); - break; - - default: - if (is_literal_char((unsigned char)self->tag)) { -- sprintf(buffer, "<cparam '%c' at %p>", -+ return PyUnicode_FromFormat("<cparam '%c' at %p>", - (unsigned char)self->tag, (void *)self); - } - else { -- sprintf(buffer, "<cparam 0x%02x at %p>", -+ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", - (unsigned char)self->tag, (void *)self); - } -- break; - } -- return PyUnicode_FromString(buffer); - } - - static PyMemberDef PyCArgType_members[] = { - diff --git a/meta/recipes-devtools/python/python3_3.8.7.bb b/meta/recipes-devtools/python/python3_3.8.8.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.8.7.bb rename to meta/recipes-devtools/python/python3_3.8.8.bb index 11a69ea808a..d77c7d87fb7 100644 --- a/meta/recipes-devtools/python/python3_3.8.7.bb +++ b/meta/recipes-devtools/python/python3_3.8.8.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly LICENSE = "PSF-2.0 & BSD-0-Clause" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=33223c9ef60c31e3f0e866cb09b65e83" +LIC_FILES_CHKSUM = "file://LICENSE;md5=c22d2438294c784731bf9dd224a467b7" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-configure.ac-fix-LIBPL.patch \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ - file://CVE-2021-3177.patch \ " SRC_URI_append_class-native = " \ @@ -42,8 +41,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "60fe018fffc7f33818e6c340d29e2db9" -SRC_URI[sha256sum] = "ddcc1df16bb5b87aa42ec5d20a5b902f2d088caa269b28e01590f97a798ec50a" +SRC_URI[md5sum] = "23e6b769857233c1ac07b6be7442eff4" +SRC_URI[sha256sum] = "7c664249ff77e443d6ea0e4cf0e587eae918ca3c48d081d1915fe2a1f1bcc5cc" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#153147): https://lists.openembedded.org/g/openembedded-core/message/153147 Mute This Topic: https://lists.openembedded.org/mt/83693625/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
