28 Commits

Author SHA1 Message Date
Wenzong Fan 07a31ed4d1 python: Fix CVE-2014-7185
Integer overflow in bufferobject.c in Python before 2.7.8 allows
context-dependent attackers to obtain sensitive information from
process memory via a large size and offset in a "buffer" function.

This back-ported patch fixes CVE-2014-7185

(From OE-Core rev: 49ceed974e39ab8ac4be410e5caa5e1ef7a646d9)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-11-20 14:08:10 +00:00
Kai Kang 72964fca1d python-2.7.3:remove BOM insertion code
Backport patch from:
https://hg.python.org/cpython/rev/af46a001d5ec

SysLogHandler converts message to utf8 and adds BOM, supposedly
to conform with RFC5424, but the implementation is broken:
the RFC specifies that the BOM should prefix only unstructured
message part, but current Python implementation puts it in the
middle of structured part, thus confusing RFC-compliant receivers.

(From OE-Core rev: c51caffe5ac0d49844dcbac7967f609d44c20470)

Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-11-04 10:27:11 +00:00
Paul Eggleton f95d3fce42 python: force off_t size to 8 to enable large file support
If DISTRO_FEATURES contains "largefile", force the size of off_t to 8 as
a workaround for having ac_cv_sizeof_off_t=4 on 32-bit systems. In
future we will likely drop the value from the site file, but for now
this is a slightly safer fix.

Fixes [YOCTO #6813].

(From OE-Core rev: a8216030ee6c65531de8fbf3eed878a345a94edc)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-18 16:14:03 +02:00
Christopher Larson adb3d77dd0 python: obey LDFLAGS
(From OE-Core rev: 7191b6b7503a5a17f93bd61283f22d409c5cb17b)

Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-09-22 13:04:22 +01:00
Khem Raj 0670cecb5b python: Fix build on musl
musl has posix_close which conflicts in python
so let's rename it.

(From OE-Core rev: 9de4f6eb07696f618d4762c6eeb34dc9ea3080bd)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-08-15 18:21:48 +01:00
Daniel BORNAZ da75a9aaf0 python: fix _json module arbitrary process memory read vulnerability
http://bugs.python.org/issue21529

Python 2 and 3 are susceptible to arbitrary process memory reading by
a user or adversary due to a bug in the _json module caused by
insufficient bounds checking.

The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.

(From OE-Core rev: 9ec213bf67afbdfdbe25802ec86487bb22aeb2e4)

Signed-off-by: Benjamin Peterson <benjamin@python.org>

Applied to python-native recipe in order to fix the above mentioned
vulnerability.

Upstream-Status: Submitted

Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-25 15:34:01 +01:00
Maxin B. John e34ad1e27b python: Fix CVE-2014-1912
A remote user can send specially crafted data to trigger a buffer overflow
in socket.recvfrom_into() and execute arbitrary code on the target system.
The code will run with the privileges of the target service.

This back-ported patch fixes CVE-2014-1912

(From OE-Core rev: 344049ccfa59ae489c35fe0fb7592f7d34720b51)

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-09 09:53:14 +01:00
Chong Lu b996f22f8b python: fix build error with Readline 6.3
Backport two patches from upstream:

use new readline function types (closes #20374)
Issue #20374: Avoid compiler warnings when compiling readline with libedit.

[YOCTO #6107]

(From OE-Core rev: a6b91ae7dec2edebc0eaea0592c42b1c455ad4d7)

Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-04 11:53:51 +01:00
Maxin B. John bbe9cb7339 python: Backport CVE-2013-1752 fix from upstream
This back ported patch fixes CVE-2013-1752 for smtplib

(From OE-Core rev: 4af111e94edc93657c94de6b584c099571b4cf40)

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Reviewed-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-02-28 14:01:15 +00:00
Khem Raj 6a539a7f73 python_2.7.3.bb: Inherit python-dir
So it can get the correct python directories for python2

(From OE-Core rev: cfc780ec26474a61bd52a8f6a66c7280fa12a075)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-02-02 22:37:39 +00:00
Christopher Larson 1bc64bae2f python, python-native: fix PARALLEL_MAKEINST failure
When using make -j with the 'install' target, it's possible for altbininstall
(which normally creates BINDIR) and libainstall (which doesn't, though it
installs python-config there) to race, resulting in a failure due to
attempting to install python-config into a nonexistent BINDIR. Ensure it also
exists in the libainstall target.

(From OE-Core rev: 54da47f3ddc1c009594744793060ffd09db3ad11)

Signed-off-by: Christopher Larson <kergoth@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-03 17:45:53 +00:00
Yue Tao 68d40e29a7 python: do not replace ccache in the middle of a path
Python recipe did a sed s/ccache/$(CCACHE) on the Makefile, which
replaces all "ccache" including ones that consist of a full path.
This leads to a build error when building in a project path with
"ccache" in its name. Fix it by only replacing "ccache " with
"$(CCACHE) ".

(From OE-Core rev: 1181112cf65bc0186807fc59399c5dddcb9f9449)

Signed-off-by: Lei Liu <lei.liu2@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-03 17:45:51 +00:00
Zhangle Yang e45d7355f1 python: Fix ptest not working problems
The run-ptest contained in python uses a Makefile. The path of the
Makefile is changed to ${libdir}/python/ptest in do_install_ptest.
However, the directory is wrong when the project is configured with
"--enable-multilib=lib32"

In addition, do_install_ptest is defined before "inherit ptest", so
it is overridden by the one in ptest.bbclass. do_install_ptest is
moved down.

(From OE-Core rev: 0eb947454e1c92467283e6f1adeca67c7c57698b)

Signed-off-by: Zhangle Yang <zhangle.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-11-18 17:19:10 +00:00
Richard Purdie 0c7b734f96 python: Ensure build completes before install
At the start of install, python swizzles the makefiles around, leading
to chunks of do_compile running again. These race against the install
target, leading to errors if pieces are being recompiled whilst others
are being installed.

For now, work around this by running the compile target with the new
makefile, then running install ensuring a parallel make race doesn't
happen.

(From OE-Core rev: 72938a8631cfe5be5ac88ad67f2db595e2487e86)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-10-07 09:37:32 +01:00
Saul Wold 36fcb616b0 python: Backport 2 CVE from upstream
These are back ports of 2 patches from upstream to address
CVE-2011-4944
CVE-2013-4238

(From OE-Core rev: 4606eab53e8eff57d6369ea20a5ea63916ea3ea7)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-08-30 18:06:32 +01:00
Tudor Florea de52f892db python: Add ptest
Install python test suite and run it as ptest
(From OE-Core rev: a768047cb8fc00ecf13f4db08117c348a9312c47)

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-24 11:35:34 +01:00
Richard Purdie c281cd149b python: Add nativesdk wrapper to handle terminfo
Currently if you build nativesdk-python, install it and try and run it,
you see it search in the default nativesdk path for terminfo files
when the readline module is used.

If terminfo files cannot be found, or if the ones found are incorrect,
the system may emit control characters which confuse commandline
processing.

This patch sets the TERMINFO_DIRS variable to ensure the correct locations
are searched for terminfo files, starting with the nativesdk terminfo files
and falling back to the host system's.

(From OE-Core rev: 682861166f39fbdcd0c9b923139faab2d40362cf)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-06-18 17:33:14 +01:00
Khem Raj 8d3397b2f1 python: -Wformat is needed by gcc 4.8
This fixes errors in packages using python (built with gcc 4.8)

|
/home/jenkins/oe/shr-core-branches/shr-core/tmp-eglibc/sysroots/qemuarm/usr/include/python2.7/modsupport.h:27:1:
error: 'PyArg_ParseTuple' is an unrecognized format function type
[-Werror=format=]
|  PyAPI_FUNC(int) PyArg_ParseTuple(PyObject *, const char *, ...)
Py_FORMAT_PARSETUPLE(PyArg_ParseTuple, 2, 3);
|  ^
| cc1: all warnings being treated as errors
| cc1: all warnings being treated as errors

(From OE-Core rev: 5745a482a85c064a1eec960aff104cf8ce588e30)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-06-14 12:44:37 +01:00
Robert Yang 2f7c588c5a python: remove the default optimization
We had hard coded python-native and python's default optimization to 1,
which made the "assert" statement not work, and removed the "-O/-OO"
(optimization options), the target python had a "-N" option to disable
the default optimization, but the native python didn't.

I think that we can set the environment variable PYTHONOPTIMIZE or use
"python -O" if we need to optimize, but I'm not sure whether we need to
set it by default, it would confuse the user or cause/hide unexpected
problems if the "assert" doesn't work.

[YOCTO #4427]

(From OE-Core rev: 165ed464bbb9bf985dde9d8c15d000809901fff6)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-05-10 11:43:12 +01:00
Koen Kooi 683abbce58 python: fix on-target use of distutils/setuptools by removing references to buildpaths
Running 'python setup.py build' would fail due to the python Makefile having

CC=             i586-angstrom-linux-gcc  -m32    -march=core2 -msse3 -mtune=generic -mfpmath=sse --sysroot=/home/koen/v2012.12/build/tmp-angstrom_v2012_12-eglibc/sysroots/fri2
CXX=            i586-angstrom-linux-g++  -m32    -march=core2 -msse3 -mtune=generic -mfpmath=sse --sysroot=/home/koen/v2012.12/build/tmp-angstrom_v2012_12-eglibc/sysroots/fri2
'--with-libtool-sysroot=/home/koen/v2012.12/build/tmp-angstrom_v2012_12-eglibc/sysroots/fri2'

And more

Multiple users have reported this problem:

http://hipstercircuits.com/?p=499
http://www.gigamegablog.com/2012/09/09/beaglebone-coding-101-spi-output/

(From OE-Core rev: 5704dfa690a625abcface432cf5f9c9bc3ee8abd)

Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-19 11:54:22 +00:00
yanjun.zhu 96d0ef130d Python: Fix for CVE-2012-2135
Reference: http://bugs.python.org/issue14579

The utf-16 decoder in Python 3.1 through 3.3 does not update the
aligned_end variable after calling the unicode_decode_call_errorhandler
function, which allows remote attackers to obtain sensitive information
(process memory) or cause a denial of service (memory corruption and crash)
via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135

[YOCTO #3450]

(From OE-Core rev: f60d3efe93323b7056a9400a483e625a3fed4491)

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-04 09:58:17 +00:00
Richard Purdie 89bc43e1b2 python: Resolve intermediate staging issues
It's bad practice to poke into the sysroot without knowledge of sstate.

This adds a patch to python allowing us to account for cross compiling
and allow it to find the Makefile/pyconfig.h files without needing them
in the sysroot for do_compile/do_install to complete.

Tested on two architectures and compared with buildhistory with no
significant delta.

(From OE-Core rev: 16da4f75a75dc8020803df9ea73a2a7ead88cc5a)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-11-18 16:42:07 +00:00
Robert Yang aea2d8c02c recipes-devtools: replace virtclass-native(sdk) with class-native(sdk)
The overrides virtclass-native and virtclass-nativesdk are deprecated,
which should be replaced by class-native and class-nativesdk.

[YOCTO #3297]

(From OE-Core rev: bb67ddeb2eed3e25c626a279ef53a7e8c7bfe6f2)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-11-02 16:18:29 +00:00
Richard Purdie ad23395cd1 nativesdk: Switch to using nativesdk as a prefix, not a suffix
As discussed on the mailing lists, using a suffix to package names is
hard and has led to many recipes having to do PKGSUFFIX games. It's
looking extremely hard to scale nativesdk much further without hacking
many recipes.

By comparison, using a prefix, like multilib does, works much better and
doesn't involve "hacking" as many recipes. This change converts nativesdk
to use a prefix using the existing multilib infrastructure.

(From OE-Core rev: 81813c0e322dc04ce4b069117188d8a54dfddb8c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-09-02 05:52:06 -07:00
Jackie Huang 77625e728b python: Fix to support the python module _bsddb built with db 5.3
_bsddb module in python 2.7 could be built only with db version
between 4.1 and 4.7. A patch was added to avoid build warning
about this for [YOCTO #1937] but did not actually fix it.

This patch enables the _bsddb module to be built with db 5.3, and removes
--disable-statistics from the DB5_CONFIG to fix segmentation fault
when using _bsddb module in python.

[YOCTO #2749]

(From OE-Core rev: 11267f8a1ccf65142988b095351a84b0fa0fcbcf)

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-08-06 15:18:47 +01:00
Morgan Little 75b7c51fed python: Update for python-native changes
Add pythonnative onto the list of inherits and update the paths to the binaries
referenced in the recipe to the new paths.

(From OE-Core rev: 284a65d55f0ffad0f4f7f32d72da0f9410578643)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-07-22 11:42:20 +01:00
Richard Purdie a09d55fbfd python: Fix python-nativesdk variable contamination issue
Without this, python-nativesdk-crypt can depend on openssl which is incorrect.

(From OE-Core rev: 5740696c81a9143504c1cb93e94c54add27896e4)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-07-17 10:53:57 +01:00
Nitin A Kamble 7b08f6a9a1 python: upgrade from 2.7.2 to 2.7.3
bin/python2 link is provided by the python install process,
so no need to create it.

rebase these patches to the newer code:
 fix_for_using_different_libdir.patch
 04-default-is-optimized.patch
remove this patch as it is upstream now:
 sys_platform_is_now_always_linux2.patch

Change default python version to 2.7.3 in the distro config

(From OE-Core rev: 5d92a95ea9b480235b7c9ca5949a681376eba725)

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-05-03 15:48:04 +01:00