From b7b11d7e94e316632fcc8ec49831e7b372cc055a Mon Sep 17 00:00:00 2001 From: Bernd Kuhls <bernd.kuhls@t-online.de> Date: Thu, 8 Jun 2023 18:53:05 +0200 Subject: [PATCH] package/python3: security bump version to 3.11.4 Rebased two patches. Changelog: https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4 Fixes the following security problems: - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329. Patch by Illia Volochii. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- .../0012-Add-an-option-to-disable-lib2to3.patch | 8 +++++--- ...4-Add-an-option-to-disable-the-tk-module.patch | 15 +++++++++------ package/python3/python3.hash | 2 +- package/python3/python3.mk | 2 +- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/package/python3/0012-Add-an-option-to-disable-lib2to3.patch b/package/python3/0012-Add-an-option-to-disable-lib2to3.patch index 0085d5a63f..228b86a90b 100644 --- a/package/python3/0012-Add-an-option-to-disable-lib2to3.patch +++ b/package/python3/0012-Add-an-option-to-disable-lib2to3.patch @@ -12,6 +12,8 @@ Signed-off-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com> [ Adam Duskett: ported to Python 3.10.0 ] Signed-off-by: Adam Duskett <aduskett@gmail.com> +[ Bernd Kuhls: ported to Python 3.11.4] +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> --- Makefile.pre.in | 17 ++++++++++++----- configure.ac | 6 ++++++ 
@@ -48,9 +50,9 @@ index 403380e181..f5d0573067 100644 - lib2to3/tests/data \ - lib2to3/tests/data/fixers \ - lib2to3/tests/data/fixers/myfixes \ - test test/audiodata \ - test/capath test/cjkencodings \ - test/data test/decimaltestdata \ + test \ + test/audiodata \ + test/capath \ @@ -2013,6 +2010,14 @@ ifeq (@PYDOC@,yes) LIBSUBDIRS += pydoc_data endif diff --git a/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch b/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch index 04f7e34435..b89e1d27bc 100644 --- a/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch +++ b/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch @@ -9,6 +9,8 @@ Signed-off-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com> [ Adam Duskett: ported to Python 3.10.0 ] Signed-off-by: Adam Duskett <aduskett@gmail.com> +[ Bernd Kuhls: ported to Python 3.11.4] +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> --- Makefile.pre.in | 10 +++++++--- configure.ac | 9 +++++++++ @@ -26,14 +28,15 @@ index 9f4cdf14cf..4f83911200 100644 tomllib \ turtledemo \ unittest \ -@@ -2001,8 +2000,6 @@ TESTSUBDIRS= ctypes/test \ - test/tracedmodules \ - test/xmltestdata test/xmltestdata/c14n-20 \ +@@ -2038,9 +2038,6 @@ + test/xmltestdata \ + test/xmltestdata/c14n-20 \ test/ziptestdata \ -- tkinter/test tkinter/test/test_tkinter \ +- tkinter/test \ +- tkinter/test/test_tkinter \ - tkinter/test/test_ttk \ - unittest/test unittest/test/testmock - + unittest/test \ + unittest/test/testmock ifeq (@PYDOC@,yes) @@ -2021,6 +2018,13 @@ ifeq (@SQLITE3@,yes) LIBSUBDIRS += sqlite3 diff --git a/package/python3/python3.hash b/package/python3/python3.hash index b04ee7fa2c..6c43e01a44 100644 --- a/package/python3/python3.hash +++ b/package/python3/python3.hash 
@@ -1,3 +1,3 @@
 # Locally computed
-sha256 8a5db99c961a7ecf27c75956189c9602c968751f11dbeae2b900dbff1c085b5e Python-3.11.3.tar.xz
+sha256 2f0e409df2ab57aa9fc4cbddfb976af44e4e55bf6f619eee6bc5c2297264a7f6 Python-3.11.4.tar.xz
 sha256 3b2f81fe21d181c499c59a256c8e1968455d6689d269aa85373bfb6af41da3bf LICENSE
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index ece5cad93e..bdb7cfd22f 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 PYTHON3_VERSION_MAJOR = 3.11
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).3
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).4
 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
 PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
 PYTHON3_LICENSE = Python-2.0, others
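Review bot: The replaced sha256 in the python3.hash hunk is still documented only by `# Locally computed`, which does not say what the tarball was checked against before it was hashed. This hash is the integrity pin for the archive fetched from PYTHON3_SITE, so on a security bump it would help to record the upstream reference that was verified, for example a comment such as `# Verified against the upstream release signature, sha256 locally computed`. The existing comment is unchanged context in this hunk, so this is a suggested addition rather than a problem the commit introduces.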