0012baabfc
Also remove upstream patch 0033.
Fixes the following security issues:
- bpo-36216: Changes urlsplit() to raise ValueError when the URL contains
characters that decompose under IDNA encoding (NFKC-normalization) into
characters that affect how the URL is parsed.
- bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The
cert parser did not handle CRL distribution points with empty DP or URI
correctly. A malicious or buggy certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of
Cisco.
- bpo-35121: Don’t send cookies of domain A without Domain attribute to
domain B when domain A is a suffix match of domain B while using a
cookiejar with http.cookiejar.DefaultCookiePolicy policy. Patch by
Karthikeyan Singaravelan.
For more details, see the changelog:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-3-final
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6afc83b60f
)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
110 lines
4.0 KiB
Diff
110 lines
4.0 KiB
Diff
From 2c2afc80831c518e5daf3df6c9e4c4ac0a7be001 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Date: Wed, 22 Feb 2017 16:33:22 -0800
|
|
Subject: [PATCH] Add infrastructure to disable the build of certain extensions
|
|
|
|
Some of the extensions part of the Python core have dependencies on
|
|
external libraries (sqlite, tk, etc.) or are relatively big and not
|
|
necessarly always useful (CJK codecs for example). By extensions, we
|
|
mean part of Python modules that are written in C and therefore
|
|
compiled to binary code.
|
|
|
|
Therefore, we introduce a small infrastructure that allows to disable
|
|
some of those extensions. This can be done inside the configure.ac by
|
|
adding values to the DISABLED_EXTENSIONS variable (which is a
|
|
word-separated list of extensions).
|
|
|
|
The implementation works as follow :
|
|
|
|
* configure.ac defines a DISABLED_EXTENSIONS variable, which is
|
|
substituted (so that when Makefile.pre is generated from
|
|
Makefile.pre.in, the value of the variable is substituted). For
|
|
now, this DISABLED_EXTENSIONS variable is empty, later patches will
|
|
use it.
|
|
|
|
* Makefile.pre.in passes the DISABLED_EXTENSIONS value down to the
|
|
variables passed in the environment when calling the setup.py
|
|
script that actually builds and installs those extensions.
|
|
|
|
* setup.py is modified so that the existing "disabled_module_list" is
|
|
filled with those pre-disabled extensions listed in
|
|
DISABLED_EXTENSIONS.
|
|
|
|
Patch ported to python2.7 by Maxime Ripard <ripard@archos.com>, and
|
|
then extended by Thomas Petazzoni
|
|
<thomas.petazzoni@free-electrons.com>.
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
[ Andrey Smirnov: ported to Python 3.6 ]
|
|
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
|
|
---
|
|
Makefile.pre.in | 6 +++++-
|
|
configure.ac | 2 ++
|
|
setup.py | 6 +++++-
|
|
3 files changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Makefile.pre.in b/Makefile.pre.in
|
|
index b38bd79121..4ce917ab8d 100644
|
|
--- a/Makefile.pre.in
|
|
+++ b/Makefile.pre.in
|
|
@@ -204,6 +204,8 @@ FILEMODE= 644
|
|
# configure script arguments
|
|
CONFIG_ARGS= @CONFIG_ARGS@
|
|
|
|
+# disabled extensions
|
|
+DISABLED_EXTENSIONS= @DISABLED_EXTENSIONS@
|
|
|
|
# Subdirectories with code
|
|
SRCDIRS= @SRCDIRS@
|
|
@@ -617,6 +619,7 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o
|
|
esac; \
|
|
echo "$(RUNSHARED) CC='$(CC)' LDSHARED='$(BLDSHARED)' OPT='$(OPT)' \
|
|
_TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \
|
|
+ DISABLED_EXTENSIONS="$(DISABLED_EXTENSIONS)" \
|
|
$(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build"; \
|
|
$(RUNSHARED) CC='$(CC)' LDSHARED='$(BLDSHARED)' OPT='$(OPT)' \
|
|
_TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \
|
|
@@ -1526,7 +1529,8 @@ libainstall: @DEF_MAKE_RULE@ python-config
|
|
# Install the dynamically loadable modules
|
|
# This goes into $(exec_prefix)
|
|
sharedinstall: sharedmods
|
|
- $(RUNSHARED) $(PYTHON_FOR_BUILD) $(srcdir)/setup.py install \
|
|
+ $(RUNSHARED) DISABLED_EXTENSIONS="$(DISABLED_EXTENSIONS)" \
|
|
+ $(PYTHON_FOR_BUILD) $(srcdir)/setup.py install \
|
|
--prefix=$(prefix) \
|
|
--install-scripts=$(BINDIR) \
|
|
--install-platlib=$(DESTSHARED) \
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 5f87c4db5a..d5ee2aedfb 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -2966,6 +2966,8 @@ LIBS="$withval $LIBS"
|
|
|
|
PKG_PROG_PKG_CONFIG
|
|
|
|
+AC_SUBST(DISABLED_EXTENSIONS)
|
|
+
|
|
# Check for use of the system expat library
|
|
AC_MSG_CHECKING(for --with-system-expat)
|
|
AC_ARG_WITH(system_expat,
|
|
diff --git a/setup.py b/setup.py
|
|
index fe477974bd..86643ae8bf 100644
|
|
--- a/setup.py
|
|
+++ b/setup.py
|
|
@@ -48,7 +48,11 @@ host_platform = get_platform()
|
|
COMPILED_WITH_PYDEBUG = ('--with-pydebug' in sysconfig.get_config_var("CONFIG_ARGS"))
|
|
|
|
# This global variable is used to hold the list of modules to be disabled.
|
|
-disabled_module_list = []
|
|
+try:
|
|
+ disabled_module_list = sysconfig.get_config_var("DISABLED_EXTENSIONS").split(" ")
|
|
+except KeyError:
|
|
+ disabled_module_list = list()
|
|
+
|
|
|
|
def add_dir_to_list(dirlist, dir):
|
|
"""Add the directory 'dir' to the list 'dirlist' (after any relative
|
|
--
|
|
2.13.5
|
|
|