These patches address issue:
CVE-2019-9948: Unnecessary URL scheme exists to allow local_file://
reading file in urllib
Link to Python issue:
https://bugs.python.org/issue35907
Issue 35907 is still currently open, waiting for a decision for
Python 3.5; these patches for Python 2.7 and 3.7 have been merged.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
These patches address issues:
CVE-2019-9740: Python urllib CRLF injection vulnerability
CVE-2019-9947: Header Injection in urllib
Links to Python issues:
https://bugs.python.org/issue36276 (resolved duplicated of 30458)
https://bugs.python.org/issue35906 (resolved duplicated of 30458)
https://bugs.python.org/issue30458
Issue 30458 is still currently open, waiting for a decision for
Python 3.5; these patches for Python 2.7 and 3.7 have been merged.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
These patches address issue:
CVE-2019-9636: urlsplit does not handle NFKC normalization
Link to Python issue:
https://bugs.python.org/issue36216
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Fixes: https://github.com/openwrt/packages/issues/8399
These 2 patches cause some breakage for other packages.
For now, we drop them and wait for upstream to finalize a fix.
We can live with deprecated SSL APIs for a while. No need to hurry, since
this doesn't seem to help.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This patch addresses issue:
[ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service
Link to Python issue:
https://bugs.python.org/issue35746
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
python3's lib2to3 would fail in silence if python3 and its packages are installed as compiled .pyc files. Root cause is, in Lib/lib2to3/refactor.py, the function get_all_fix_names only searches '.py' fix names.
Signed-off-by: Nj Hsiong <nj.hsiong@gmail.com>
This change bumps Python3 version to 3.7.1.
Patch `002-fix-implicit-dh-free-declaration.patch` is now included in
upstream.
This also fixes CVE-2018-1061.
https://www.cvedetails.com/cve/CVE-2018-1061/
Compile & run-tested on x86.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
No idea how this creeped up. Probably OpenSSL been has updated recently.
Will send this patch upstream as well, but in the meantime we should fix
the Python3 build.
Build error seems to be:
```
<openwrt>/build_dir/target-i386_pentium4_musl/Python-3.7.0/Modules/_ssl.c:4000:5: error: implicit declaration of function 'DH_free'; did you mean 'lh_free'? [-Werror=implicit-function-declaration]
DH_free(dh);
^~~~~~~
lh_free
cc1: some warnings being treated as errors
Python build finished successfully!
The necessary bits to build these optional modules were not found:
_tkinter _uuid nis
To find the necessary bits, look in setup.py in detect_modules() for the module's name.
The following modules found by detect_modules() in setup.py, have been
built by the Makefile instead, as configured by the Setup files:
_abc atexit pwd
time zlib
Failed to build these modules:
_ssl
Makefile:618: recipe for target 'sharedmods' failed
```
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The Modules/getbuildinfo.c allows the use of DATE and TIME
macros to be defined via CFLAGS.
These vars, control the build date & time when the
interpreter is opened, and can be read via the
`platform._sys_version()` function.
So, a conversion from SOURCE_DATE_EPOCH to DATE & TIME
is required at build-time.
This is especially needed for `platform._sys_version()`
to work.
The installation of pip seems to rely on this.
The logic has been adapted from:
https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal#Makefile
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Re-worked patch `003-do-not-run-distutils-tests.patch`
to reduce patch-size.
Removed `011-fix-ncursesw-definition-colisions.patch`
it is fixed upstream.
Refreshed with `make package/python3/refresh`
Resetting PKG_RELEASE to 1.
This variable was never used for pip3 & setuptools, since
VERSION is specified in the package definitions.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
See:
https://github.com/openwrt/packages/issues/5278
This should make Python & Python3 packages reproducible
when building.
In my local tests, I got the same sha256 for a sample
.pyc file, so likely this is the solution that should address
this.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
If there is only Python bytecodes, then
the __init__.py script will be concatenated, and
the __init__.pyc as well.
This is becase this bit `path = os.path.join(path, '__init__'+extension)`
is iterated twice.
This is a bug in Python3, also because we ship bytecodes
instead of source code [ with Python & Python3 ].
Python is not affected.
Reported-by: Mirko Vogt <mirko@nanl.de>
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
I admit this may be be a bit aggressive, but the lang
folder is getting cluttered/filled up with Python, PHP, Perl,
Ruby, etc. packages.
Makes sense to try to group them into per-lang folders.
I took the Pythons.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>