906ed044aa
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
54 lines
2.1 KiB
Diff
54 lines
2.1 KiB
Diff
From 21f787cb9bf0c1440981262f03bc881c5b77c0d8 Mon Sep 17 00:00:00 2001
|
|
From: Matt Weber <matthew.weber@rockwellcollins.com>
|
|
Date: Fri, 6 Oct 2017 09:54:15 -0500
|
|
Subject: [PATCH] python-config.sh: don't reassign ${prefix}
|
|
|
|
When prefix is set to a path like /usr during crossbuild
|
|
the sed operations end up executing twice, once for the prefix
|
|
reassignment and another for includedir if it is set as a string
|
|
including the ${prefix} variable. This results in an issue
|
|
when the build directory is under /usr.
|
|
|
|
This patch updates the remaining location which uses the prefix
|
|
variable to also sed and update to use the real path.
|
|
|
|
Upstream bug report:
|
|
https://bugs.python.org/issue31713
|
|
|
|
Buildroot bug:
|
|
https://bugs.busybox.net/show_bug.cgi?id=10361
|
|
|
|
Fixes failures like the following:
|
|
dbus-python-1.2.4 | NOK | http://autobuild.buildroot.net/results/758858efa97b6273c1b470513f5492258a6d8853
|
|
|
|
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
|
|
---
|
|
Misc/python-config.sh.in | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Misc/python-config.sh.in b/Misc/python-config.sh.in
|
|
index 9e259c0..8b249d9 100644
|
|
--- a/Misc/python-config.sh.in
|
|
+++ b/Misc/python-config.sh.in
|
|
@@ -31,7 +31,7 @@ prefix_real=$(installed_prefix "$0")
|
|
# locations. Keep prefix & exec_prefix using their original values in case
|
|
# they are referenced in other configure variables, to prevent double
|
|
# substitution, issue #22140.
|
|
-prefix=$(echo "$prefix_build" | sed "s#^$prefix_build#$prefix_real#")
|
|
+prefix=$prefix_build
|
|
exec_prefix=$(echo "$exec_prefix_build" | sed "s#^$exec_prefix_build#$prefix_real#")
|
|
exec_prefix_real=${prefix_real}
|
|
includedir=$(echo "@includedir@" | sed "s#^$prefix_build#$prefix_real#")
|
|
@@ -48,7 +48,7 @@ LINKFORSHARED="@LINKFORSHARED@"
|
|
OPT="@OPT@"
|
|
PY_ENABLE_SHARED="@PY_ENABLE_SHARED@"
|
|
LDVERSION="@LDVERSION@"
|
|
-LIBDEST=${prefix_real}/lib/python${VERSION}
|
|
+LIBDEST=$( echo "${prefix}/lib/python${VERSION}" | sed "s#^$prefix_build#$prefix_real#")
|
|
LIBPL=$(echo "@LIBPL@" | sed "s#^$prefix_build#$prefix_real#")
|
|
SO="@EXT_SUFFIX@"
|
|
PYTHONFRAMEWORK="@PYTHONFRAMEWORK@"
|
|
--
|
|
2.14.3
|
|
|