diff options
Diffstat (limited to 'meta-python')
32 files changed, 426 insertions, 30 deletions
diff --git a/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb b/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb index e235682cf4..7910fcd18a 100644 --- a/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb +++ b/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=76699830db7fa9e897f6a1ad05f98ec8" DEPENDS = "python3-twisted python3-six python3-vcversioner python3-six-native python3-vcversioner-native" -SRC_URI = "git://github.com/MostAwesomeDude/txWS.git" +SRC_URI = "git://github.com/MostAwesomeDude/txWS.git;branch=master;protocol=https" SRCREV= "88cf6d9b9b685ffa1720644bd53c742afb10a414" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/gyp/gyp_git.bb b/meta-python/recipes-devtools/gyp/gyp_git.bb index d668d1ca10..bc7ae89a85 100644 --- a/meta-python/recipes-devtools/gyp/gyp_git.bb +++ b/meta-python/recipes-devtools/gyp/gyp_git.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=ab828cb8ce4c62ee82945a11247b6bbd" SECTION = "devel" -SRC_URI = "git://chromium.googlesource.com/external/gyp;protocol=https" +SRC_URI = "git://chromium.googlesource.com/external/gyp;protocol=https;branch=master" SRCREV = "caa60026e223fc501e8b337fd5086ece4028b1c6" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb b/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb index 5048e5bec9..bc3315f751 100644 --- a/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb +++ b/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=561205fdabc3ec52cae2d30815b8ade7" -SRC_URI = "git://github.com/berkerpeksag/astor.git \ +SRC_URI = "git://github.com/berkerpeksag/astor.git;branch=master;protocol=https \ file://0001-rtrip.py-convert-to-python3.patch \ " SRCREV ?= "c7553c79f9222e20783fe9bd8a553f932e918072" diff --git a/meta-python/recipes-devtools/python/python3-cvxopt_1.2.6.bb b/meta-python/recipes-devtools/python/python3-cvxopt_1.2.6.bb index 360df6a3ef..8032b59a43 100644 --- a/meta-python/recipes-devtools/python/python3-cvxopt_1.2.6.bb +++ b/meta-python/recipes-devtools/python/python3-cvxopt_1.2.6.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://cvxopt.org" LICENSE = "GPL-3.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=ba1a8a73d8ebea5c47a1173aaf476ddd" -SRC_URI = "git://github.com/cvxopt/cvxopt;protocol=https" +SRC_URI = "git://github.com/cvxopt/cvxopt;protocol=https;branch=master" SRCREV = "60fdb838e0bb2d8f32ba51129552c83b55acd2a7" diff --git a/meta-python/recipes-devtools/python/python3-dbussy_1.3.bb b/meta-python/recipes-devtools/python/python3-dbussy_1.3.bb index 08f5e940fe..029cc0eda8 100644 --- a/meta-python/recipes-devtools/python/python3-dbussy_1.3.bb +++ b/meta-python/recipes-devtools/python/python3-dbussy_1.3.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/ldo/dbussy" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" -SRC_URI = "git://github.com/ldo/dbussy.git" +SRC_URI = "git://github.com/ldo/dbussy.git;branch=master;protocol=https" SRCREV = "37ede4242b48def73ada46c2747a4c5cae6abf45" diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.22.bb b/meta-python/recipes-devtools/python/python3-django_2.2.22.bb deleted file mode 100644 index a0b8840259..0000000000 --- a/meta-python/recipes-devtools/python/python3-django_2.2.22.bb +++ /dev/null @@ -1,9 +0,0 @@ -require python-django.inc -inherit setuptools3 - -SRC_URI[md5sum] = "dca447b605dcabd924ac7ba17680cf73" -SRC_URI[sha256sum] = "db2214db1c99017cbd971e58824e6f424375154fe358afc30e976f5b99fc6060" - -RDEPENDS_${PN} += "\ - ${PYTHON_PN}-sqlparse \ -" diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.27.bb b/meta-python/recipes-devtools/python/python3-django_2.2.27.bb new file mode 100644 index 0000000000..7a50a69288 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django_2.2.27.bb @@ -0,0 +1,9 @@ +require python-django.inc +inherit setuptools3 + +SRC_URI[md5sum] = "4af3aeed9e515ccde107ae6a9804c31f" +SRC_URI[sha256sum] = "1ee37046b0bf2b61e83b3a01d067323516ec3b6f2b17cd49b1326dd4ba9dc913" + +RDEPENDS_${PN} += "\ + ${PYTHON_PN}-sqlparse \ +" diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.2.bb b/meta-python/recipes-devtools/python/python3-django_3.2.12.bb index 7deac2ca9b..ee71f953bb 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.2.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.12.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d" +SRC_URI[sha256sum] = "9772e6935703e59e993960832d66a614cf0233a1c5123bc6224ecc6ad69e41e2" RDEPENDS_${PN} += "\ ${PYTHON_PN}-sqlparse \ diff --git a/meta-python/recipes-devtools/python/python3-dt-schema_git.bb b/meta-python/recipes-devtools/python/python3-dt-schema_git.bb index 06a9012ca4..d14b7de62a 100644 --- a/meta-python/recipes-devtools/python/python3-dt-schema_git.bb +++ b/meta-python/recipes-devtools/python/python3-dt-schema_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://setup.py;beginline=2;endline=3;md5=c795d4924c5f739424 inherit setuptools3 -SRC_URI = "git://github.com/robherring/dt-schema.git" +SRC_URI = "git://github.com/robherring/dt-schema.git;branch=master;protocol=https" SRCREV = "5009e47c1c76e48871f5988e08dad61f3c91196b" PV = "0.1+git${SRCPV}" diff --git a/meta-python/recipes-devtools/python/python3-feedformatter_0.4.bb b/meta-python/recipes-devtools/python/python3-feedformatter_0.4.bb index 81c5fde132..a87cde4997 100644 --- a/meta-python/recipes-devtools/python/python3-feedformatter_0.4.bb +++ b/meta-python/recipes-devtools/python/python3-feedformatter_0.4.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=258e3f39e2383fbd011035d04311008d" -SRC_URI = "git://github.com/marianoguerra/feedformatter.git" +SRC_URI = "git://github.com/marianoguerra/feedformatter.git;branch=master;protocol=https" SRCREV = "7391193c83e10420b5a2d8ef846d23fc368c6d85" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb b/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb index 4293a63c1e..a124dd9f5b 100644 --- a/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb +++ b/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=366e2fd3c9714f162d3663b6f97cfe41" -SRC_URI = "git://github.com/keras-team/keras-applications.git" +SRC_URI = "git://github.com/keras-team/keras-applications.git;branch=master;protocol=https" SRCREV ?= "3b180cb10eda683dda7913ecee2e6487288d292d" diff --git a/meta-python/recipes-devtools/python/python3-lxml_4.6.3.bb b/meta-python/recipes-devtools/python/python3-lxml_4.6.5.bb index cefe1ba340..d03715cd4c 100644 --- a/meta-python/recipes-devtools/python/python3-lxml_4.6.3.bb +++ b/meta-python/recipes-devtools/python/python3-lxml_4.6.5.bb @@ -18,7 +18,7 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" -SRC_URI[sha256sum] = "39b78571b3b30645ac77b95f7c69d1bffc4cf8c3b157c435a34da72e78c82468" +SRC_URI[sha256sum] = "6e84edecc3a82f90d44ddee2ee2a2630d4994b8471816e226d2b771cda7ac4ca" inherit pypi setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-monotonic_1.6.bb b/meta-python/recipes-devtools/python/python3-monotonic_1.6.bb index 080c41e38b..aacc32a6d6 100644 --- a/meta-python/recipes-devtools/python/python3-monotonic_1.6.bb +++ b/meta-python/recipes-devtools/python/python3-monotonic_1.6.bb @@ -6,7 +6,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=d2794c0df5b907fdace235a619d80314" SRCREV = "80681f6604e136e513550342f977edb98f5fc5ad" -SRC_URI = "git://github.com/atdt/monotonic.git" +SRC_URI = "git://github.com/atdt/monotonic.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-ntplib_0.3.4.bb b/meta-python/recipes-devtools/python/python3-ntplib_0.3.4.bb index ae4c10f381..4c65377d94 100644 --- a/meta-python/recipes-devtools/python/python3-ntplib_0.3.4.bb +++ b/meta-python/recipes-devtools/python/python3-ntplib_0.3.4.bb @@ -3,7 +3,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://ntplib.py;beginline=1;endline=23;md5=afa07338a9595257e94c205c3e72224d" -SRC_URI = "git://github.com/cf-natali/ntplib.git" +SRC_URI = "git://github.com/cf-natali/ntplib.git;branch=master;protocol=https" SRCREV ?= "aea7925c26152024ca8cf207e77f403f8127727a" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch new file mode 100644 index 0000000000..4c4f3d51f5 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch @@ -0,0 +1,77 @@ +From c48271ab354db49cdbd740bc45e13be4f0f7993c Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Mon, 6 Dec 2021 22:25:14 +1100 +Subject: [PATCH] Handle case where path count is zero + +CVE: CVE-2022-22816 + +Upstream-Status: Backport +(https://github.com/python-pillow/Pillow/pull/5920/commits/c48271ab354db49cdbd740bc45e13be4f0f7993c) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> + +--- + Tests/test_imagepath.py | 1 + + src/path.c | 33 +++++++++++++++++++-------------- + 2 files changed, 20 insertions(+), 14 deletions(-) + +diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py +index cd850bb1..b18271cc 100644 +--- a/Tests/test_imagepath.py ++++ b/Tests/test_imagepath.py +@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates(): + [ + ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)), + ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)), ++ (0, (0.0, 0.0, 0.0, 0.0)), + (1, (0.0, 0.0, 0.0, 0.0)), + ], + ) +diff --git a/src/path.c b/src/path.c +index 64c767cb..dea274ee 100644 +--- a/src/path.c ++++ b/src/path.c +@@ -327,21 +327,26 @@ path_getbbox(PyPathObject *self, PyObject *args) { + + xy = self->xy; + +- x0 = x1 = xy[0]; +- y0 = y1 = xy[1]; ++ if (self->count == 0) { ++ x0 = x1 = 0; ++ y0 = y1 = 0; ++ } else { ++ x0 = x1 = xy[0]; ++ y0 = y1 = xy[1]; + +- for (i = 1; i < self->count; i++) { +- if (xy[i + i] < x0) { +- x0 = xy[i + i]; +- } +- if (xy[i + i] > x1) { +- x1 = xy[i + i]; +- } +- if (xy[i + i + 1] < y0) { +- y0 = xy[i + i + 1]; +- } +- if (xy[i + i + 1] > y1) { +- y1 = xy[i + i + 1]; ++ for (i = 1; i < self->count; i++) { ++ if (xy[i + i] < x0) { ++ x0 = xy[i + i]; ++ } ++ if (xy[i + i] > x1) { ++ x1 = xy[i + i]; ++ } ++ if (xy[i + i + 1] < y0) { ++ y0 = xy[i + i + 1]; ++ } ++ if (xy[i + i + 1] > y1) { ++ y1 = xy[i + i + 1]; ++ } + } + } + +-- +2.33.0 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Initialize-coordinates-to-zero.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Initialize-coordinates-to-zero.patch new file mode 100644 index 0000000000..758531f678 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Initialize-coordinates-to-zero.patch @@ -0,0 +1,45 @@ +From 1e092419b6806495c683043ab3feb6ce264f3b9c Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Mon, 6 Dec 2021 22:24:19 +1100 +Subject: [PATCH] Initialize coordinates to zero + +CVE: CVE-2022-22815 + +Upstream-Status: Backport +(https://github.com/python-pillow/Pillow/pull/5920/commits/1e092419b6806495c683043ab3feb6ce264f3b9c) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> + +--- + Tests/test_imagepath.py | 1 + + src/path.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py +index 0835fdb4..cd850bb1 100644 +--- a/Tests/test_imagepath.py ++++ b/Tests/test_imagepath.py +@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates(): + [ + ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)), + ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)), ++ (1, (0.0, 0.0, 0.0, 0.0)), + ], + ) + def test_getbbox(coords, expected): +diff --git a/src/path.c b/src/path.c +index 4764c58a..64c767cb 100644 +--- a/src/path.c ++++ b/src/path.c +@@ -57,7 +57,7 @@ alloc_array(Py_ssize_t count) { + if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1) { + return ImagingError_MemoryError(); + } +- xy = malloc(2 * count * sizeof(double) + 1); ++ xy = calloc(2 * count * sizeof(double) + 1, sizeof(double)); + if (!xy) { + ImagingError_MemoryError(); + } +-- +2.33.0 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Limit-sprintf-modes-to-10-characters.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Limit-sprintf-modes-to-10-characters.patch new file mode 100644 index 0000000000..a1dd0d29ff --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Limit-sprintf-modes-to-10-characters.patch @@ -0,0 +1,49 @@ +From 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Tue, 15 Jun 2021 15:14:26 +1000 +Subject: [PATCH 1/1] Limit sprintf modes to 10 characters + +Needed to make CVE-2021-34552 fix apply cleanly. + +commit 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97 (unmodified) + +Upstream-Status: Backport +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + src/libImaging/Convert.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c +index 8c7be36a2..1fa74a13b 100644 +--- a/src/libImaging/Convert.c ++++ b/src/libImaging/Convert.c +@@ -1594,9 +1594,8 @@ convert( + #ifdef notdef + return (Imaging)ImagingError_ValueError("conversion not supported"); + #else +- static char buf[256]; +- /* FIXME: may overflow if mode is too large */ +- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode); ++ static char buf[100]; ++ sprintf(buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode); + return (Imaging)ImagingError_ValueError(buf); + #endif + } +@@ -1645,11 +1644,10 @@ ImagingConvertTransparent(Imaging imIn, const char *mode, int r, int g, int b) { + } + #else + { +- static char buf[256]; +- /* FIXME: may overflow if mode is too large */ ++ static char buf[100]; + sprintf( + buf, +- "conversion from %s to %s not supported in convert_transparent", ++ "conversion from %.10s to %.10s not supported in convert_transparent", + imIn->mode, + mode); + return (Imaging)ImagingError_ValueError(buf); +-- +2.29.2 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch new file mode 100644 index 0000000000..91e16f5415 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Raise-ValueError-if-color-specifier-is-too-long.patch @@ -0,0 +1,49 @@ +From 9e08eb8f78fdfd2f476e1b20b7cf38683754866b Mon Sep 17 00:00:00 2001 +From: Hugo van Kemenade <hugovk@users.noreply.github.com> +Date: Mon, 23 Aug 2021 19:10:49 +0300 +Subject: [PATCH] Raise ValueError if color specifier is too long + +CVE: CVE-2021-23437 + +Upstream-Status: Backport +(https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> +--- + Tests/test_imagecolor.py | 9 +++++++++ + src/PIL/ImageColor.py | 2 ++ + 2 files changed, 11 insertions(+) + +diff --git a/Tests/test_imagecolor.py b/Tests/test_imagecolor.py +index b5d69379..dbe8b9e9 100644 +--- a/Tests/test_imagecolor.py ++++ b/Tests/test_imagecolor.py +@@ -191,3 +191,12 @@ def test_rounding_errors(): + assert (255, 255) == ImageColor.getcolor("white", "LA") + assert (163, 33) == ImageColor.getcolor("rgba(0, 255, 115, 33)", "LA") + Image.new("LA", (1, 1), "white") ++ ++ ++def test_color_too_long(): ++ # Arrange ++ color_too_long = "hsl(" + "1" * 100 + ")" ++ ++ # Act / Assert ++ with pytest.raises(ValueError): ++ ImageColor.getrgb(color_too_long) +diff --git a/src/PIL/ImageColor.py b/src/PIL/ImageColor.py +index 51df4404..25f92f2c 100644 +--- a/src/PIL/ImageColor.py ++++ b/src/PIL/ImageColor.py +@@ -32,6 +32,8 @@ def getrgb(color): + :param color: A color string + :return: ``(red, green, blue[, alpha])`` + """ ++ if len(color) > 100: ++ raise ValueError("color specifier is too long") + color = color.lower() + + rgb = colormap.get(color, None) +-- +2.33.0 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Restrict-builtins-for-ImageMath.eval.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Restrict-builtins-for-ImageMath.eval.patch new file mode 100644 index 0000000000..4c266cc418 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Restrict-builtins-for-ImageMath.eval.patch @@ -0,0 +1,60 @@ +From 8531b01d6cdf0b70f256f93092caa2a5d91afc11 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sun, 2 Jan 2022 17:23:49 +1100 +Subject: [PATCH] Restrict builtins for ImageMath.eval + +CVE: CVE-2022-22817 + +Upstream-Status: Backport +(https://github.com/python-pillow/Pillow/pull/5923/commits/8531b01d6cdf0b70f256f93092caa2a5d91afc11) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> + +--- + Tests/test_imagemath.py | 7 +++++++ + src/PIL/ImageMath.py | 7 ++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index e7afd1ab..25811aa8 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -1,3 +1,5 @@ ++import pytest ++ + from PIL import Image, ImageMath + + +@@ -50,6 +52,11 @@ def test_ops(): + assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0" + + ++def test_prevent_exec(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("exec('pass')") ++ ++ + def test_logical(): + assert pixel(ImageMath.eval("not A", images)) == 0 + assert pixel(ImageMath.eval("A and B", images)) == "L 2" +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 7f9c88e1..06bea800 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -246,7 +246,12 @@ def eval(expression, _dict={}, **kw): + if hasattr(v, "im"): + args[k] = _Operand(v) + +- out = builtins.eval(expression, args) ++ code = compile(expression, "<string>", "eval") ++ for name in code.co_names: ++ if name not in args and name != "abs": ++ raise ValueError(f"'{name}' not allowed") ++ ++ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args) + try: + return out.im + except AttributeError: +-- +2.33.0 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Use-snprintf-instead-of-sprintf.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000000..fc0337f137 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,43 @@ +From 518ee3722a99d7f7d890db82a20bd81c1c0327fb Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Wed, 30 Jun 2021 23:47:10 +1000 +Subject: [PATCH 1/1] Use snprintf instead of sprintf + +Fix CVE-2021-34552. + +commit 518ee3722a99d7f7d890db82a20bd81c1c0327fb (unmodified) + +Upstream-Status: Backport +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + src/libImaging/Convert.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c +index 1fa74a13b..9012cfcd7 100644 +--- a/src/libImaging/Convert.c ++++ b/src/libImaging/Convert.c +@@ -1595,7 +1595,7 @@ convert( + return (Imaging)ImagingError_ValueError("conversion not supported"); + #else + static char buf[100]; +- sprintf(buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode); ++ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode); + return (Imaging)ImagingError_ValueError(buf); + #endif + } +@@ -1645,8 +1645,9 @@ ImagingConvertTransparent(Imaging imIn, const char *mode, int r, int g, int b) { + #else + { + static char buf[100]; +- sprintf( ++ snprintf( + buf, ++ 100, + "conversion from %.10s to %.10s not supported in convert_transparent", + imIn->mode, + mode); +-- +2.29.2 + diff --git a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb index 3241230d13..4393d9356d 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_8.2.0.bb @@ -5,9 +5,15 @@ HOMEPAGE = "https://pillow.readthedocs.io" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=0337b116233da4616ae9fdb130bf6f1a" -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x \ +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=8.2.x;protocol=https \ file://0001-support-cross-compiling.patch \ file://0001-explicitly-set-compile-options.patch \ + file://0001-Limit-sprintf-modes-to-10-characters.patch \ + file://0001-Use-snprintf-instead-of-sprintf.patch \ + file://0001-Raise-ValueError-if-color-specifier-is-too-long.patch \ + file://0001-Initialize-coordinates-to-zero.patch \ + file://0001-Handle-case-where-path-count-is-zero.patch \ + file://0001-Restrict-builtins-for-ImageMath.eval.patch \ " SRCREV ?= "e0e353c0ef7516979a9aedce3792596649ce4433" diff --git a/meta-python/recipes-devtools/python/python3-pybind11-json_0.2.6.bb b/meta-python/recipes-devtools/python/python3-pybind11-json_0.2.6.bb index c56c70ad37..ec8aef9f54 100644 --- a/meta-python/recipes-devtools/python/python3-pybind11-json_0.2.6.bb +++ b/meta-python/recipes-devtools/python/python3-pybind11-json_0.2.6.bb @@ -3,7 +3,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=0e25ff0ec476d06d366439e1120cce98" SRCREV = "d1d00888bc0eb7c50dde6cff1a5eb4586e620b65" -SRC_URI = "git://github.com/pybind/pybind11_json" +SRC_URI = "git://github.com/pybind/pybind11_json;branch=master;protocol=https" DEPENDS += "nlohmann-json python3-pybind11" diff --git a/meta-python/recipes-devtools/python/python3-pybind11_2.6.2.bb b/meta-python/recipes-devtools/python/python3-pybind11_2.6.2.bb index bd16a6d0dc..c270983d18 100644 --- a/meta-python/recipes-devtools/python/python3-pybind11_2.6.2.bb +++ b/meta-python/recipes-devtools/python/python3-pybind11_2.6.2.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=774f65abd8a7fe3124be2cdf766cd06f" DEPENDS = "boost" -SRC_URI = "git://github.com/pybind/pybind11.git \ +SRC_URI = "git://github.com/pybind/pybind11.git;branch=master;protocol=https \ file://0001-Do-not-strip-binaries.patch \ file://0001-Do-not-check-pointer-size-when-cross-compiling.patch \ " diff --git a/meta-python/recipes-devtools/python/python3-pydbus-manager_git.bb b/meta-python/recipes-devtools/python/python3-pydbus-manager_git.bb index ae9e42160f..7f53a90e30 100644 --- a/meta-python/recipes-devtools/python/python3-pydbus-manager_git.bb +++ b/meta-python/recipes-devtools/python/python3-pydbus-manager_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fd5bb1dae91ba145745db55870be6a7" inherit setuptools3 -SRC_URI = "git://github.com/seebz/pydbus-manager.git" +SRC_URI = "git://github.com/seebz/pydbus-manager.git;branch=master;protocol=https" SRCREV = "6b576b969cbda50521dca62a7df929167207f9fc" PV = "git${SRCPV}" diff --git a/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb index 049c3c3cf7..d5e0873d4e 100644 --- a/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb +++ b/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb @@ -4,7 +4,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382" RDEPENDS_${PN} += "\ ${PYTHON_PN}-ctypes \ + ${PYTHON_PN}-fcntl \ ${PYTHON_PN}-io \ + ${PYTHON_PN}-logging \ ${PYTHON_PN}-misc \ ${PYTHON_PN}-shell \ ${PYTHON_PN}-smtpd \ diff --git a/meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch b/meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch new file mode 100644 index 0000000000..735530a8f4 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch @@ -0,0 +1,64 @@ +From 8238a9e450ed1524e40cb3a8b0b3c00606903aeb Mon Sep 17 00:00:00 2001 +From: Andi Albrecht <albrecht.andi@gmail.com> +Date: Tue, 7 Sep 2021 12:27:28 +0200 +Subject: [PATCH] Optimize regular expression for identifying line breaks in + comments. + +CVE: CVE-2021-32839 + +Upstream-Status: Backport +(https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> +--- + sqlparse/filters/others.py | 5 ++++- + tests/test_format.py | 17 +++++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/sqlparse/filters/others.py b/sqlparse/filters/others.py +index e0e1ca1..6905f2d 100644 +--- a/sqlparse/filters/others.py ++++ b/sqlparse/filters/others.py +@@ -22,7 +22,10 @@ class StripCommentsFilter: + def _get_insert_token(token): + """Returns either a whitespace or the line breaks from token.""" + # See issue484 why line breaks should be preserved. +- m = re.search(r'((\r\n|\r|\n)+) *$', token.value) ++ # Note: The actual value for a line break is replaced by \n ++ # in SerializerUnicode which will be executed in the ++ # postprocessing state. ++ m = re.search(r'((\r|\n)+) *$', token.value) + if m is not None: + return sql.Token(T.Whitespace.Newline, m.groups()[0]) + else: +diff --git a/tests/test_format.py b/tests/test_format.py +index 7117d9d..70bb805 100644 +--- a/tests/test_format.py ++++ b/tests/test_format.py +@@ -84,6 +84,23 @@ class TestFormat: + res = sqlparse.format(sql, strip_comments=True) + assert res == 'select (select 2)' + ++ def test_strip_comments_preserves_linebreak(self): ++ sql = 'select * -- a comment\r\nfrom foo' ++ res = sqlparse.format(sql, strip_comments=True) ++ assert res == 'select *\nfrom foo' ++ sql = 'select * -- a comment\nfrom foo' ++ res = sqlparse.format(sql, strip_comments=True) ++ assert res == 'select *\nfrom foo' ++ sql = 'select * -- a comment\rfrom foo' ++ res = sqlparse.format(sql, strip_comments=True) ++ assert res == 'select *\nfrom foo' ++ sql = 'select * -- a comment\r\n\r\nfrom foo' ++ res = sqlparse.format(sql, strip_comments=True) ++ assert res == 'select *\n\nfrom foo' ++ sql = 'select * -- a comment\n\nfrom foo' ++ res = sqlparse.format(sql, strip_comments=True) ++ assert res == 'select *\n\nfrom foo' ++ + def test_strip_ws(self): + f = lambda sql: sqlparse.format(sql, strip_whitespace=True) + s = 'select\n* from foo\n\twhere ( 1 = 2 )\n' +-- +2.31.1 + diff --git a/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb b/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb index c8a64c1095..aeb9c23505 100644 --- a/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb +++ b/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb @@ -5,6 +5,7 @@ LICENSE = "BSD" LIC_FILES_CHKSUM = "file://LICENSE;md5=2b136f573f5386001ea3b7b9016222fc" SRC_URI += "file://0001-sqlparse-change-shebang-to-python3.patch \ + file://0001-Optimize-regular-expression-for-identifying-line-bre.patch \ file://run-ptest \ " diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.26.4.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.26.5.bb index 0a31fb1e2d..f2fb33c6dd 100644 --- a/meta-python/recipes-devtools/python/python3-urllib3_1.26.4.bb +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.26.5.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c2823cb995439c984fd62a973d79815c" -SRC_URI[sha256sum] = "e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" +SRC_URI[sha256sum] = "a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" inherit pypi setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-xlrd_2.0.1.bb b/meta-python/recipes-devtools/python/python3-xlrd_2.0.1.bb index 8587ea8f33..92becc3eba 100644 --- a/meta-python/recipes-devtools/python/python3-xlrd_2.0.1.bb +++ b/meta-python/recipes-devtools/python/python3-xlrd_2.0.1.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=00ea1e843a43c20d9b63a8112239b0d1" SRC_URI[sha256sum] = "f72f148f54442c6b056bf931dbc34f986fd0c3b0b6b5a58d013c9aef274d0c88" -SRC_URI = "git://github.com/python-excel/xlrd.git \ +SRC_URI = "git://github.com/python-excel/xlrd.git;branch=master;protocol=https \ file://run-ptest \ " SRCREV = "b8d573e11ec149da695d695c81a156232b89a949" diff --git a/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb b/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb index 2b5b253b5d..52ae91484a 100644 --- a/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb +++ b/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "9b5ad2d5b5df159963e1c6c24523e1dfe1f71435" -SRC_URI = "git://github.com/rhinstaller/blivet;branch=3.1-release \ +SRC_URI = "git://github.com/rhinstaller/blivet;branch=3.1-release;protocol=https \ file://0001-comment-out-selinux.patch \ file://0002-run_program-support-timeout.patch \ file://0003-support-infinit-timeout.patch \ diff --git a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb index 92402bee56..809d09e3ad 100644 --- a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb +++ b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "67ec0b7a0e065ba24ab87963409bfb21b2aac6dd" -SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master \ +SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master;protocol=https \ file://0001-Fix-return-type-of-BlivetUtils.get_disks-1658893.patch \ " diff --git a/meta-python/recipes-extended/python-cson/python3-cson_git.bb b/meta-python/recipes-extended/python-cson/python3-cson_git.bb index 5c74c7a307..4d234d311d 100644 --- a/meta-python/recipes-extended/python-cson/python3-cson_git.bb +++ b/meta-python/recipes-extended/python-cson/python3-cson_git.bb @@ -8,7 +8,7 @@ SECTION = "devel/python" LIC_FILES_CHKSUM = "file://LICENSE;md5=7709d2635e63ab96973055a23c2a4cac" SRCREV = "f3f2898c44bb16b951d3e9f2fbf6d1c4158edda2" -SRC_URI = "git://github.com/gt3389b/python-cson.git" +SRC_URI = "git://github.com/gt3389b/python-cson.git;branch=master;protocol=https" S = "${WORKDIR}/git" |