On Thu, Feb 18, 2021 at 07:19:53AM -0800, akuster wrote:
> On 2/16/21 7:23 AM, Rahul Taya wrote:
> > For python and python-native added patch to fix
> > CVE-2019-9674
> >
> > Signed-off-by: Rahul Taya <rahul.t...@kpit.com>
>
> Please add your signoff in the applying patches. see below for example.
>
> Does this affect master or Gatesgarth? What may avoid such questions is
> by adding something like "Affects: < {version}" will convey that info.
python in meta-python2 is identical in dunfell/gatesgarth/master branches, so it has to affect all of them. > -armin > > --- > > recipes-devtools/python/python.inc | 1 + > > .../python/python/CVE-2019-9674.patch | 83 +++++++++++++++++++ > > 2 files changed, 84 insertions(+) > > create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch > > > > diff --git a/recipes-devtools/python/python.inc > > b/recipes-devtools/python/python.inc > > index a4ba0c5..787f23e 100644 > > --- a/recipes-devtools/python/python.inc > > +++ b/recipes-devtools/python/python.inc > > @@ -8,6 +8,7 @@ INC_PR = "r1" > > LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642" > > > > SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > > + file://CVE-2019-9674.patch \ > > " > > > > SRC_URI[sha256sum] = > > "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43" > > diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch > > b/recipes-devtools/python/python/CVE-2019-9674.patch > > new file mode 100644 > > index 0000000..647d9da > > --- /dev/null > > +++ b/recipes-devtools/python/python/CVE-2019-9674.patch 
> > @@ -0,0 +1,83 @@ > > +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001 > > +From: JunWei Song <sungboss2...@gmail.com> > > +Date: Wed, 11 Sep 2019 23:04:12 +0800 > > +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation > > + (#13378) > > +MIME-Version: 1.0 > > +Content-Type: text/plain; charset=UTF-8 > > +Content-Transfer-Encoding: 8bit > > + > > +* bpo-36260: Add pitfalls to zipfile module documentation > > + > > +We saw vulnerability warning description (including zip bomb) in > > Doc/library/xml.rst file. > > +This gave us the idea of documentation improvement. > > + > > +So, we moved a little bit forward :P > > +And the doc patch can be found (pr). > > + > > +* fix trailing whitespace > > + > > +* 📜🤖 Added by blurb_it. > > + > > +* Reformat text for consistency. > > + > > +Upstream-Status: > > Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz] > > +CVE: CVE-2019-9674 > > +Link: > > http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz > > +Comment: From the original patch skipped changes for file > > +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst > > +as this file is not present in our source code. 
> > Signed-off-by: Rahul Taya <rahul.t...@kpit.com> <<<<----- somewhere in this > area > > I tend to do mine just after "cve:" > > - armin > > > +--- > > + Doc/library/zipfile.rst | 41 +++++++++++++++++++ > > + 1 files changed, 41 insertions(+) > > + > > +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst > > +index b421ea5..2e0a91d 100644 > > +--- a/Doc/library/zipfile.rst > > ++++ b/Doc/library/zipfile.rst > > +@@ -574,4 +574,45 @@ Instances have the following attributes: > > + > > + Size of the uncompressed file. > > + > > ++Decompression pitfalls > > ++---------------------- > > ++ > > ++The extraction in zipfile module might fail due to some pitfalls listed > > below. > > ++ > > ++From file itself > > ++~~~~~~~~~~~~~~~~ > > ++ > > ++Decompression may fail due to incorrect password / CRC checksum / ZIP > > format or > > ++unsupported compression method / decryption. > > ++ > > ++File System limitations > > ++~~~~~~~~~~~~~~~~~~~~~~~ > > ++ > > ++Exceeding limitations on different file systems can cause decompression > > failed. > > ++Such as allowable characters in the directory entries, length of the file > > name, > > ++length of the pathname, size of a single file, and number of files, etc. > > ++ > > ++Resources limitations > > ++~~~~~~~~~~~~~~~~~~~~~ > > ++ > > ++The lack of memory or disk volume would lead to decompression > > ++failed. For example, decompression bombs (aka `ZIP bomb`_) > > ++apply to zipfile library that can cause disk volume exhaustion. > > ++ > > ++Interruption > > ++~~~~~~~~~~~~ > > ++ > > ++Interruption during the decompression, such as pressing control-C or > > killing the > > ++decompression process may result in incomplete decompression of the > > archive. > > ++ > > ++Default behaviors of extraction > > ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > ++ > > ++Not knowing the default extraction behaviors > > ++can cause unexpected decompression results. 
> > ++For example, when extracting the same archive twice, > > ++it overwrites files without asking. > > ++ > > ++ > > ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb > > + .. _PKZIP Application Note: > > https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT > > -- > > 2.17.1
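Review bot: the SRC_URI hunk in recipes-devtools/python/python.inc adds file://CVE-2019-9674.patch, but neither that hunk nor the commit message says that the backport is documentation-only (the patch touches only Doc/library/zipfile.rst and adds a "Decompression pitfalls" section, no change to Lib/zipfile.py); state that explicitly in the commit message so that nobody reading the CVE list for meta-python2 assumes a runtime hardening of zipfile was applied. Since python.inc is identical in dunfell, gatesgarth and master, as the reply notes, the same SRC_URI line is needed on all three branches.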
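Review bot: the header of the new file recipes-devtools/python/python/CVE-2019-9674.patch is missing the submitter's Signed-off-by line that was requested; add it directly after the "+CVE: CVE-2019-9674" line. The "+Upstream-Status:" tag is written as "Backport[URL]" with no space, whereas the OE convention is "Upstream-Status: Backport [URL]", and the same Ubuntu debian tarball URL is repeated verbatim in the "+Link:" line; since the upstream CPython commit 3ba51d587f6897a45301ce9126300c14fcd4eba2 is already named in the "+From:" line, pointing Link: at that commit would make provenance clearer than the distro tarball. Finally, this is a Python 3 doc change being carried into the Python 2 recipe, so confirm that the inner hunk "+@@ -574,4 +574,45 @@" applies without fuzz to the 2.7 Doc/library/zipfile.rst and that the trailing context line "+ .. _PKZIP Application Note:" still matches there.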
View/Reply Online (#89588): https://lists.openembedded.org/g/openembedded-devel/message/89588