diff --git a/00153-fix-test_gdb-noise.patch b/00153-fix-test_gdb-noise.patch
deleted file mode 100644
index 227a977e10e14ab73e1313c53321c5f97572e176..0000000000000000000000000000000000000000
--- a/00153-fix-test_gdb-noise.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/Lib/test/test_gdb.py.old 2012-04-11 21:04:01.367073855 -0400
-+++ b/Lib/test/test_gdb.py 2012-04-12 08:52:58.320288761 -0400
-@@ -211,6 +211,10 @@
- # ignore all warnings
- 'warning: ',
- )
-+ ignore_patterns += ('warning: Unable to open',
-+ 'Missing separate debuginfo for',
-+ 'Try: yum --disablerepo=',
-+ 'Undefined set print command')
- for line in errlines:
- if not line:
- continue
diff --git a/00157-uid-gid-overflows.patch b/00157-uid-gid-overflows.patch
deleted file mode 100644
index a31c98af6677667768c04df03e2330c9c7fab10a..0000000000000000000000000000000000000000
--- a/00157-uid-gid-overflows.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-diff -up Python-2.7.3/Lib/test/test_os.py.uid-gid-overflows Python-2.7.3/Lib/test/test_os.py
---- Python-2.7.3/Lib/test/test_os.py.uid-gid-overflows 2012-04-09 19:07:32.000000000 -0400
-+++ Python-2.7.3/Lib/test/test_os.py 2012-06-26 14:51:36.000817929 -0400
-@@ -677,30 +677,36 @@ if sys.platform != 'win32':
- def test_setuid(self):
- if os.getuid() != 0:
- self.assertRaises(os.error, os.setuid, 0)
-+ self.assertRaises(TypeError, os.setuid, 'not an int')
- self.assertRaises(OverflowError, os.setuid, 1<<32)
-
- @unittest.skipUnless(hasattr(os, 'setgid'), 'test needs os.setgid()')
- def test_setgid(self):
- if os.getuid() != 0:
- self.assertRaises(os.error, os.setgid, 0)
-+ self.assertRaises(TypeError, os.setgid, 'not an int')
- self.assertRaises(OverflowError, os.setgid, 1<<32)
-
- @unittest.skipUnless(hasattr(os, 'seteuid'), 'test needs os.seteuid()')
- def test_seteuid(self):
- if os.getuid() != 0:
- self.assertRaises(os.error, os.seteuid, 0)
-+ self.assertRaises(TypeError, os.seteuid, 'not an int')
- self.assertRaises(OverflowError, os.seteuid, 1<<32)
-
- @unittest.skipUnless(hasattr(os, 'setegid'), 'test needs os.setegid()')
- def test_setegid(self):
- if os.getuid() != 0:
- self.assertRaises(os.error, os.setegid, 0)
-+ self.assertRaises(TypeError, os.setegid, 'not an int')
- self.assertRaises(OverflowError, os.setegid, 1<<32)
-
- @unittest.skipUnless(hasattr(os, 'setreuid'), 'test needs os.setreuid()')
- def test_setreuid(self):
- if os.getuid() != 0:
- self.assertRaises(os.error, os.setreuid, 0, 0)
-+ self.assertRaises(TypeError, os.setreuid, 'not an int', 0)
-+ self.assertRaises(TypeError, os.setreuid, 0, 'not an int')
- self.assertRaises(OverflowError, os.setreuid, 1<<32, 0)
- self.assertRaises(OverflowError, os.setreuid, 0, 1<<32)
-
-@@ -715,6 +721,8 @@ if sys.platform != 'win32':
- def test_setregid(self):
- if os.getuid() != 0:
- self.assertRaises(os.error, os.setregid, 0, 0)
-+ self.assertRaises(TypeError, os.setregid, 'not an int', 0)
-+ self.assertRaises(TypeError, os.setregid, 0, 'not an int')
- self.assertRaises(OverflowError, os.setregid, 1<<32, 0)
- self.assertRaises(OverflowError, os.setregid, 0, 1<<32)
-
diff --git a/00168-distutils-cflags.patch b/00168-distutils-cflags.patch
deleted file mode 100644
index 0c4a8df34a5f47af26b23ebde53d9d5ee0435ead..0000000000000000000000000000000000000000
--- a/00168-distutils-cflags.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up Python-2.6.6/Lib/distutils/sysconfig.py.distutils-cflags Python-2.6.6/Lib/distutils/sysconfig.py
---- Python-2.6.6/Lib/distutils/sysconfig.py.distutils-cflags 2011-08-12 17:18:17.833091153 -0400
-+++ Python-2.6.6/Lib/distutils/sysconfig.py 2011-08-12 17:18:27.449106938 -0400
-@@ -187,7 +187,7 @@ def customize_compiler(compiler):
- if 'LDFLAGS' in os.environ:
- ldshared = ldshared + ' ' + os.environ['LDFLAGS']
- if 'CFLAGS' in os.environ:
-- cflags = opt + ' ' + os.environ['CFLAGS']
-+ cflags = cflags + ' ' + os.environ['CFLAGS']
- ldshared = ldshared + ' ' + os.environ['CFLAGS']
- if 'CPPFLAGS' in os.environ:
- cpp = cpp + ' ' + os.environ['CPPFLAGS']
diff --git a/00189-use-rpm-wheels.patch b/00189-use-rpm-wheels.patch
index 76a132400fc0efd41d873eefdf2277c0f89311de..4c524972a0c97e78964ff879a8634cfcdfe89e91 100644
--- a/00189-use-rpm-wheels.patch
+++ b/00189-use-rpm-wheels.patch
@@ -18,10 +18,10 @@ index 5021ebf..1903cc0 100644 __all__ = ["version", "bootstrap"] --_SETUPTOOLS_VERSION = "40.6.2" +-_SETUPTOOLS_VERSION = "41.2.0" +_WHEEL_DIR = "/usr/share/python-wheels/" --_PIP_VERSION = "18.1" +-_PIP_VERSION = "19.2.3" +def _get_most_recent_wheel_version(pkg): + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) + suffix = "-py2.py3-none-any.whl"
diff --git a/0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch b/0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch
deleted file mode 100644
index b941ed9fc10db7a8e7220d39c31b4084384a4555..0000000000000000000000000000000000000000
--- a/0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 69b4a17f342146d6b7a73975a37678db9916aa75 Mon Sep 17 00:00:00 2001
-From: "Gao, Xiang"
-Date: Thu, 28 Feb 2019 08:18:48 -0500
-Subject: [PATCH 342/362] bpo-36126: Fix ref count leakage in structseq_repr.
- (GH-12035)
-
----
- Objects/structseq.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Objects/structseq.c b/Objects/structseq.c
-index 3e45840..aee9528 100644
---- a/Objects/structseq.c
-+++ b/Objects/structseq.c
-@@ -266,6 +266,7 @@ structseq_repr(PyStructSequence *obj)
-
- val = PyTuple_GetItem(tup, i);
- if (cname == NULL || val == NULL) {
-+ Py_DECREF(tup);
- return NULL;
- }
- repr = PyObject_Repr(val);
---
-1.8.3.1
-
diff --git a/0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch b/0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch
deleted file mode 100644
index 0c6186724b468dd61f626693c1cb715e45a2499d..0000000000000000000000000000000000000000
--- a/0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 710dcfd2f4bee034894a39026388f9c21ea976f1 Mon Sep 17 00:00:00 2001
-From: stratakis
-Date: Mon, 4 Mar 2019 16:40:25 +0100
-Subject: [PATCH 349/362] [2.7] bpo-13096: Fix memory leak in ctypes POINTER
- handling of large values (GH-12100)
-
----
- Misc/NEWS.d/next/Library/2019-03-04-16-13-01.bpo-13096.SGPt_n.rst | 1 +
- Modules/_ctypes/callproc.c | 1 +
- 2 files changed, 2 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Library/2019-03-04-16-13-01.bpo-13096.SGPt_n.rst
-
-diff --git a/Misc/NEWS.d/next/Library/2019-03-04-16-13-01.bpo-13096.SGPt_n.rst b/Misc/NEWS.d/next/Library/2019-03-04-16-13-01.bpo-13096.SGPt_n.rst
-new file mode 100644
-index 0000000..2bf49c8
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2019-03-04-16-13-01.bpo-13096.SGPt_n.rst
-@@ -0,0 +1 @@
-+Fix memory leak in ctypes POINTER handling of large values.
-diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
-index 2097342..defcde1 100644
---- a/Modules/_ctypes/callproc.c
-+++ b/Modules/_ctypes/callproc.c
-@@ -1831,6 +1831,7 @@ POINTER(PyObject *self, PyObject *cls)
- "s(O){}",
- buf,
- &PyCPointer_Type);
-+ PyMem_Free(buf);
- if (result == NULL)
- return result;
- key = PyLong_FromVoidPtr(result);
---
-1.8.3.1
-
diff --git a/0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch b/0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch
deleted file mode 100644
index 9cf26b7f1f659f3e5ef55170cc51a6f26862856e..0000000000000000000000000000000000000000
--- a/0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 84b5ac9ba6fd71ba9d0ef98e2a166a35189b263f Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 4 Mar 2019 18:10:45 +0100
-Subject: [PATCH 350/362] [2.7] bpo-36179: Fix ref leaks in _hashopenssl
- (GH-12158) (GH-12166)
-
-Fix two unlikely reference leaks in _hashopenssl. The leaks only occur in
-out-of-memory cases. Thanks to Charalampos Stratakis.
-
-Signed-off-by: Christian Heimes
-
-https://bugs.python.org/issue36179.
-(cherry picked from commit b7bc283ab6a23ee98784400ebffe7fe410232a2e)
-
-Co-authored-by: Christian Heimes
-
-
-
-https://bugs.python.org/issue36179
----
- .../next/Library/2019-03-04-10-42-46.bpo-36179.jEyuI-.rst | 2 ++
- Modules/_hashopenssl.c | 14 ++++++++------
- 2 files changed, 10 insertions(+), 6 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2019-03-04-10-42-46.bpo-36179.jEyuI-.rst
-
-diff --git a/Misc/NEWS.d/next/Library/2019-03-04-10-42-46.bpo-36179.jEyuI-.rst b/Misc/NEWS.d/next/Library/2019-03-04-10-42-46.bpo-36179.jEyuI-.rst
-new file mode 100644
-index 0000000..61a9877
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2019-03-04-10-42-46.bpo-36179.jEyuI-.rst
-@@ -0,0 +1,2 @@
-+Fix two unlikely reference leaks in _hashopenssl. The leaks only occur in
-+out-of-memory cases.
-diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
-index de69f6f..78445eb 100644
---- a/Modules/_hashopenssl.c
-+++ b/Modules/_hashopenssl.c
-@@ -133,12 +133,6 @@ newEVPobject(PyObject *name)
- if (retval == NULL)
- return NULL;
-
-- retval->ctx = EVP_MD_CTX_new();
-- if (retval->ctx == NULL) {
-- PyErr_NoMemory();
-- return NULL;
-- }
--
- /* save the name for .name to return */
- Py_INCREF(name);
- retval->name = name;
-@@ -146,6 +140,13 @@ newEVPobject(PyObject *name)
- retval->lock = NULL;
- #endif
-
-+ retval->ctx = EVP_MD_CTX_new();
-+ if (retval->ctx == NULL) {
-+ Py_DECREF(retval);
-+ PyErr_NoMemory();
-+ return NULL;
-+ }
-+
- return retval;
- }
-
-@@ -205,6 +206,7 @@ EVP_copy(EVPobject *self, PyObject *unused)
- return NULL;
-
- if (!locked_EVP_MD_CTX_copy(newobj->ctx, self)) {
-+ Py_DECREF(newobj);
- return _setException(PyExc_ValueError);
- }
- return (PyObject *)newobj;
---
-1.8.3.1
-
diff --git a/0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch b/0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch
deleted file mode 100644
index 505772b5b81f6ad55435e03945086df27bf70acf..0000000000000000000000000000000000000000
--- a/0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d9bf7f4198871132714cfe7d702baaa02206e9f1 Mon Sep 17 00:00:00 2001
-From: "T. Wouters"
-Date: Mon, 4 Mar 2019 10:52:07 -0800
-Subject: [PATCH 351/362] [2.7] bpo-36149 Fix potential use of uninitialized
- memory in cPickle (#12105)
-
-Fix off-by-one bug in cPickle that caused it to use uninitialised memory on truncated pickles read from FILE*s.
----
- .../2019-02-28-13-52-18.bpo-36149.GJdnh4.rst | 2 ++
- Modules/cPickle.c | 13 ++++++++-----
- 2 files changed, 10 insertions(+), 5 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
-
-diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst b/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
-new file mode 100644
-index 0000000..672db6c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
-@@ -0,0 +1,2 @@
-+Fix use of uninitialized memory in cPickle when reading a truncated pickle
-+from a file object.
-diff --git a/Modules/cPickle.c b/Modules/cPickle.c
-index 914ebb3..f7c6fec 100644
---- a/Modules/cPickle.c
-+++ b/Modules/cPickle.c
-@@ -586,12 +586,15 @@ readline_file(Unpicklerobject *self, char **s)
- while (1) {
- Py_ssize_t bigger;
- char *newbuf;
-- for (; i < (self->buf_size - 1); i++) {
-- if (feof(self->fp) ||
-- (self->buf[i] = getc(self->fp)) == '\n') {
-- self->buf[i + 1] = '\0';
-+ while (i < (self->buf_size - 1)) {
-+ int newchar = getc(self->fp);
-+ if (newchar != EOF) {
-+ self->buf[i++] = newchar;
-+ }
-+ if (newchar == EOF || newchar == '\n') {
-+ self->buf[i] = '\0';
- *s = self->buf;
-- return i + 1;
-+ return i;
- }
- }
- if (self->buf_size > (PY_SSIZE_T_MAX >> 1)) {
---
-1.8.3.1
-
diff --git a/0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch b/0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch
deleted file mode 100644
index d7a83a60cc46dbc8b2cce9dbb12d3f3217deac0c..0000000000000000000000000000000000000000
--- a/0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From b2aefd77e1da438aed649d018d6aa504ec35eac8 Mon Sep 17 00:00:00 2001
-From: stratakis
-Date: Wed, 6 Mar 2019 15:11:56 +0100
-Subject: [PATCH 353/362] [2.7] bpo-36186: Fix
- linuxaudiodev.linux_audio_device() error handling (GH-12163)
-
-Fix linuxaudiodev.linux_audio_device() error handling:
-close the internal file descriptor if it fails to open the device.
----
- Misc/NEWS.d/next/Library/2019-03-04-16-39-16.bpo-36186.Hqw1A_.rst | 1 +
- Modules/linuxaudiodev.c | 2 ++
- 2 files changed, 3 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Library/2019-03-04-16-39-16.bpo-36186.Hqw1A_.rst
-
-diff --git a/Misc/NEWS.d/next/Library/2019-03-04-16-39-16.bpo-36186.Hqw1A_.rst b/Misc/NEWS.d/next/Library/2019-03-04-16-39-16.bpo-36186.Hqw1A_.rst
-new file mode 100644
-index 0000000..a14d155
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2019-03-04-16-39-16.bpo-36186.Hqw1A_.rst
-@@ -0,0 +1 @@
-+Fix linuxaudiodev.linux_audio_device() error handling: close the internal file descriptor if it fails to open the device.
-diff --git a/Modules/linuxaudiodev.c b/Modules/linuxaudiodev.c
-index 7fe20ae..f5135d9 100644
---- a/Modules/linuxaudiodev.c
-+++ b/Modules/linuxaudiodev.c
-@@ -126,10 +126,12 @@ newladobject(PyObject *arg)
- }
- if (imode == O_WRONLY && ioctl(fd, SNDCTL_DSP_NONBLOCK, NULL) == -1) {
- PyErr_SetFromErrnoWithFilename(LinuxAudioError, basedev);
-+ close(fd);
- return NULL;
- }
- if (ioctl(fd, SNDCTL_DSP_GETFMTS, &afmts) == -1) {
- PyErr_SetFromErrnoWithFilename(LinuxAudioError, basedev);
-+ close(fd);
- return NULL;
- }
- /* Create and initialize the object */
---
-1.8.3.1
-
diff --git a/0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch b/0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch
deleted file mode 100644
index 9a9f15fa383ef6a2b3fe4a757810d4d90f8d5efb..0000000000000000000000000000000000000000
--- a/0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 098b139816f379271b8d4de2561b5805dd47d229 Mon Sep 17 00:00:00 2001
-From: stratakis
-Date: Wed, 6 Mar 2019 15:14:06 +0100
-Subject: [PATCH 354/362] bpo-36147: Fix a memory leak in ctypes s_get()
- (GH-12102)
-
-The s_get() function leaks the result variable on low memory.
-Partially backport commit 19b52545df898ec911c44e29f75badb902924c0
-to fix it.
----
- Modules/_ctypes/cfield.c | 26 +++++++++-----------------
- 1 file changed, 9 insertions(+), 17 deletions(-)
-
-diff --git a/Modules/_ctypes/cfield.c b/Modules/_ctypes/cfield.c
-index 46f041b..1b495fc 100644
---- a/Modules/_ctypes/cfield.c
-+++ b/Modules/_ctypes/cfield.c
-@@ -1291,24 +1291,16 @@ U_set(void *ptr, PyObject *value, Py_ssize_t length)
- static PyObject *
- s_get(void *ptr, Py_ssize_t size)
- {
-- PyObject *result;
-- size_t slen;
-+ Py_ssize_t i;
-+ char *p;
-
-- result = PyString_FromString((char *)ptr);
-- if (!result)
-- return NULL;
-- /* chop off at the first NUL character, if any.
-- * On error, result will be deallocated and set to NULL.
-- */
-- slen = strlen(PyString_AS_STRING(result));
-- size = min(size, (Py_ssize_t)slen);
-- if (result->ob_refcnt == 1) {
-- /* shorten the result */
-- _PyString_Resize(&result, size);
-- return result;
-- } else
-- /* cannot shorten the result */
-- return PyString_FromStringAndSize(ptr, size);
-+ p = (char *)ptr;
-+ for (i = 0; i < size; ++i) {
-+ if (*p++ == '\0')
-+ break;
-+ }
-+
-+ return PyBytes_FromStringAndSize((char *)ptr, (Py_ssize_t)i);
- }
-
- static PyObject *
---
-1.8.3.1
-
diff --git a/0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch b/0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch
deleted file mode 100644
index a462c7b9a14165bfc2de495ecc4f79eb43396d93..0000000000000000000000000000000000000000
--- a/0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From b19943ec97b80db97dd93ed714615f757cc12ad3 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Thu, 7 Mar 2019 10:49:15 -0800
-Subject: [PATCH 357/362] bpo-36140: Fix an incorrect check in
- msidb_getsummaryinformation() (GH-12074)
-
-(cherry picked from commit bf94cc7b496a379e1f604aa2e4080bb70ca4020e)
-
-Co-authored-by: Zackery Spytz
----
- PC/_msi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/PC/_msi.c b/PC/_msi.c
-index 4000f00..3c46d83 100644
---- a/PC/_msi.c
-+++ b/PC/_msi.c
-@@ -894,7 +894,7 @@ msidb_getsummaryinformation(msiobj *db, PyObject *args)
- return msierror(status);
-
- oresult = PyObject_NEW(struct msiobj, &summary_Type);
-- if (!result) {
-+ if (!oresult) {
- MsiCloseHandle(result);
- return NULL;
- }
---
-1.8.3.1
-
diff --git a/0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch b/0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch
deleted file mode 100644
index 6cf029010c49fad449c50c08ef3076077279fe69..0000000000000000000000000000000000000000
--- a/0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 498468d9c3f53d9cfdd79cf1dc83251316d6d3df Mon Sep 17 00:00:00 2001
-From: Terry Jan Reedy
-Date: Thu, 7 Mar 2019 22:16:07 -0500
-Subject: [PATCH 358/362] [2.7] IDLE: Fix typo in keybindingDialog.py (GH-2322)
- (GH-12231)
-
-Cherry picked by hand from a0e911b
----
- Lib/idlelib/keybindingDialog.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Lib/idlelib/keybindingDialog.py b/Lib/idlelib/keybindingDialog.py
-index 755f1af..9713c79 100644
---- a/Lib/idlelib/keybindingDialog.py
-+++ b/Lib/idlelib/keybindingDialog.py
-@@ -182,7 +182,7 @@ class GetKeysDialog(Toplevel):
-
- def LoadFinalKeyList(self):
- #these tuples are also available for use in validity checks
-- self.functionKeys=('F1','F2','F2','F4','F5','F6','F7','F8','F9',
-+ self.functionKeys=('F1','F2','F3','F4','F5','F6','F7','F8','F9',
- 'F10','F11','F12')
- self.alphanumKeys=tuple(string.ascii_lowercase+string.digits)
- self.punctuationKeys=tuple('~!@#%^&*()_-+={}[]|;:,.<>/?')
---
-1.8.3.1
-
diff --git a/CVE-2018-20852.patch b/CVE-2018-20852.patch
deleted file mode 100644
index bbcc2c8e9dc8844c5596792937f2c7d99506f783..0000000000000000000000000000000000000000
--- a/CVE-2018-20852.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-diff -uNrp a/Lib/cookielib.py b/Lib/cookielib.py
---- a/Lib/cookielib.py 2019-12-21 16:06:12.476000000 +0800
-+++ b/Lib/cookielib.py 2019-12-21 16:09:31.556000000 +0800
-@@ -1139,6 +1139,12 @@ class DefaultCookiePolicy(CookiePolicy):
- req_host, erhn = eff_request_host(request)
- domain = cookie.domain
-
-+ if domain and not domain.startswith("."):
-+ dotdomain = "." + domain
-+ else:
-+ dotdomain = domain
-+
-+
- # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
- if (cookie.version == 0 and
- (self.strict_ns_domain & self.DomainStrictNonDomain) and
-@@ -1151,7 +1157,7 @@ class DefaultCookiePolicy(CookiePolicy):
- _debug(" effective request-host name %s does not domain-match "
- "RFC 2965 cookie domain %s", erhn, domain)
- return False
-- if cookie.version == 0 and not ("."+erhn).endswith(domain):
-+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
- _debug(" request-host %s does not match Netscape cookie domain "
- "%s", req_host, domain)
- return False
-@@ -1165,7 +1171,11 @@ class DefaultCookiePolicy(CookiePolicy):
- req_host = "."+req_host
- if not erhn.startswith("."):
- erhn = "."+erhn
-- if not (req_host.endswith(domain) or erhn.endswith(domain)):
-+ if domain and not domain.startswith("."):
-+ dotdomain = "." + domain
-+ else:
-+ dotdomain = domain
-+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
- #_debug(" request domain %s does not match cookie domain %s",
- # req_host, domain)
- return False
-diff -uNrp a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
---- a/Lib/test/test_cookielib.py 2019-12-21 16:06:12.640000000 +0800
-+++ b/Lib/test/test_cookielib.py 2019-12-21 16:11:53.888000000 +0800
-@@ -368,6 +368,7 @@ class CookieTests(TestCase):
- ("http://foo.bar.com/", ".foo.bar.com", True),
- ("http://foo.bar.com/", "foo.bar.com", True),
- ("http://foo.bar.com/", ".bar.com", True),
-+ ("http://foo.bar.com/", "bar.com", True),
- ("http://foo.bar.com/", "com", True),
- ("http://foo.com/", "rhubarb.foo.com", False),
- ("http://foo.com/", ".foo.com", True),
-@@ -378,6 +379,8 @@ class CookieTests(TestCase):
- ("http://foo/", "foo", True),
- ("http://foo/", "foo.local", True),
- ("http://foo/", ".local", True),
-+ ("http://barfoo.com", ".foo.com", False),
-+ ("http://barfoo.com", "foo.com", False),
- ]:
- request = urllib2.Request(url)
- r = pol.domain_return_ok(domain, request)
-@@ -938,6 +941,34 @@ class CookieTests(TestCase):
- c.add_cookie_header(req)
- self.assertFalse(req.has_header("Cookie"))
-
-+ c.clear()
-+
-+ pol.set_blocked_domains([])
-+ req = Request("http://acme.com/")
-+ res = FakeResponse(headers, "http://acme.com/")
-+ cookies = c.make_cookies(res, req)
-+ c.extract_cookies(res, req)
-+ self.assertEqual(len(c), 1)
-+
-+ req = Request("http://acme.com/")
-+ c.add_cookie_header(req)
-+ self.assertTrue(req.has_header("Cookie"))
-+
-+ req = Request("http://badacme.com/")
-+ c.add_cookie_header(req)
-+ self.assertFalse(pol.return_ok(cookies[0], req))
-+ self.assertFalse(req.has_header("Cookie"))
-+
-+ p = pol.set_blocked_domains(["acme.com"])
-+ req = Request("http://acme.com/")
-+ c.add_cookie_header(req)
-+ self.assertFalse(req.has_header("Cookie"))
-+
-+ req = Request("http://badacme.com/")
-+ c.add_cookie_header(req)
-+ self.assertFalse(req.has_header("Cookie"))
-+
-+
- def test_secure(self):
- from cookielib import CookieJar, DefaultCookiePolicy
-
-diff -uNrp a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
---- a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst 1970-01-01 08:00:00.000000000 +0800
-+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst 2019-12-21 16:12:17.416000000 +0800
-@@ -0,0 +1,4 @@
-+Don't send cookies of domain A without Domain attribute to domain B when
-+domain A is a suffix match of domain B while using a cookiejar with
-+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
-+Singaravelan.
diff --git a/CVE-2019-10160-1.patch b/CVE-2019-10160-1.patch
deleted file mode 100644
index 865f709c4f1da9f0cd1fdb41b5310186778c6d76..0000000000000000000000000000000000000000
--- a/CVE-2019-10160-1.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-diff -uNrp a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
---- a/Lib/test/test_urlparse.py 2019-12-21 15:41:32.172000000 +0800
-+++ b/Lib/test/test_urlparse.py 2019-12-21 15:44:28.316000000 +0800
-@@ -641,6 +641,12 @@ class UrlParseTestCase(unittest.TestCase
- self.assertIn(u'\u2100', denorm_chars)
- self.assertIn(u'\uFF03', denorm_chars)
-
-+ # bpo-36742: Verify port separators are ignored when they
-+ # existed prior to decomposition
-+ urlparse.urlsplit(u'http://\u30d5\u309a:80')
-+ with self.assertRaises(ValueError):
-+ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
-+
- for scheme in [u"http", u"https", u"ftp"]:
- for c in denorm_chars:
- url = u"{}://netloc{}false.netloc/path".format(scheme, c)
-diff -uNrp a/Lib/urlparse.py b/Lib/urlparse.py
---- a/Lib/urlparse.py 2019-12-21 15:41:32.080000000 +0800
-+++ b/Lib/urlparse.py 2019-12-21 15:46:11.480000000 +0800
-@@ -171,13 +171,17 @@ def _checknetloc(netloc):
- # looking for characters like \u2100 that expand to 'a/c'
- # IDNA uses NFKC equivalence, so normalize for this check
- import unicodedata
-- netloc2 = unicodedata.normalize('NFKC', netloc)
-- if netloc == netloc2:
-+ n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
-+ n = n.replace(':', '') # ignore characters already included
-+ n = n.replace('#', '') # but not the surrounding text
-+ n = n.replace('?', '')
-+ netloc2 = unicodedata.normalize('NFKC', n)
-+ if n == netloc2:
- return
- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
- for c in '/?#@:':
- if c in netloc2:
-- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+ raise ValueError("netloc '" + netloc + "' contains invalid " +
- "characters under NFKC normalization")
-
- def urlsplit(url, scheme='', allow_fragments=True):
-diff -uNrp a/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst b/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst
---- a/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst 1970-01-01 08:00:00.000000000 +0800
-+++ b/Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst 2019-12-21 15:53:31.188000000 +0800
-@@ -0,0 +1 @@
-+Fixes mishandling of pre-normalization characters in urlsplit().
diff --git a/CVE-2019-10160-2.patch b/CVE-2019-10160-2.patch
deleted file mode 100644
index f4e8ca7b0d7370ac3aad6d4ce7eb5f18288d9d2b..0000000000000000000000000000000000000000
--- a/CVE-2019-10160-2.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-diff -uNrp a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
---- a/Lib/test/test_urlparse.py 2019-12-21 15:54:46.576000000 +0800
-+++ b/Lib/test/test_urlparse.py 2019-12-21 15:56:22.440000000 +0800
-@@ -648,11 +648,13 @@ class UrlParseTestCase(unittest.TestCase
- urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
-
- for scheme in [u"http", u"https", u"ftp"]:
-- for c in denorm_chars:
-- url = u"{}://netloc{}false.netloc/path".format(scheme, c)
-- print "Checking %r" % url
-- with self.assertRaises(ValueError):
-- urlparse.urlsplit(url)
-+ for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
-+ for c in denorm_chars:
-+ url = u"{}://{}/path".format(scheme, netloc.format(c))
-+ if test_support.verbose:
-+ print "Checking %r" % url
-+ with self.assertRaises(ValueError):
-+ urlparse.urlsplit(url)
-
- def test_main():
- test_support.run_unittest(UrlParseTestCase)
-diff -uNrp a/Lib/urlparse.py b/Lib/urlparse.py
---- a/Lib/urlparse.py 2019-12-21 15:54:46.344000000 +0800
-+++ b/Lib/urlparse.py 2019-12-21 15:57:41.260000000 +0800
-@@ -171,18 +171,18 @@ def _checknetloc(netloc):
- # looking for characters like \u2100 that expand to 'a/c'
- # IDNA uses NFKC equivalence, so normalize for this check
- import unicodedata
-- n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
-- n = n.replace(':', '') # ignore characters already included
-- n = n.replace('#', '') # but not the surrounding text
-- n = n.replace('?', '')
-+ n = netloc.replace(u'@', u'') # ignore characters already included
-+ n = n.replace(u':', u'') # but not the surrounding text
-+ n = n.replace(u'#', u'')
-+ n = n.replace(u'?', u'')
- netloc2 = unicodedata.normalize('NFKC', n)
- if n == netloc2:
- return
- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
- for c in '/?#@:':
- if c in netloc2:
-- raise ValueError("netloc '" + netloc + "' contains invalid " +
-- "characters under NFKC normalization")
-+ raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
-+ u"characters under NFKC normalization")
-
- def urlsplit(url, scheme='', allow_fragments=True):
- """Parse a URL into 5 components:
diff --git a/CVE-2019-10160-3.patch b/CVE-2019-10160-3.patch
deleted file mode 100644
index 78bfd3eb6041e4f82862a47a4d6c0b8c3c5bf8e2..0000000000000000000000000000000000000000
--- a/CVE-2019-10160-3.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -uNrp a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
---- a/Lib/test/test_urlparse.py 2019-12-21 15:58:00.556000000 +0800
-+++ b/Lib/test/test_urlparse.py 2019-12-21 15:59:11.456000000 +0800
-@@ -656,6 +656,15 @@ class UrlParseTestCase(unittest.TestCase
- with self.assertRaises(ValueError):
- urlparse.urlsplit(url)
-
-+ # check error message: invalid netloc must be formated with repr()
-+ # to get an ASCII error message
-+ with self.assertRaises(ValueError) as cm:
-+ urlparse.urlsplit(u'http://example.com\uFF03@bing.com')
-+ self.assertEqual(str(cm.exception),
-+ "netloc u'example.com\\uff03@bing.com' contains invalid characters "
-+ "under NFKC normalization")
-+ self.assertIsInstance(cm.exception.args[0], str)
-+
- def test_main():
- test_support.run_unittest(UrlParseTestCase)
-
-diff -uNrp a/Lib/urlparse.py b/Lib/urlparse.py
---- a/Lib/urlparse.py 2019-12-21 15:58:00.480000000 +0800
-+++ b/Lib/urlparse.py 2019-12-21 15:59:55.128000000 +0800
-@@ -181,8 +181,9 @@ def _checknetloc(netloc):
- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
- for c in '/?#@:':
- if c in netloc2:
-- raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
-- u"characters under NFKC normalization")
-+ raise ValueError("netloc %r contains invalid characters "
-+ "under NFKC normalization"
-+ % netloc)
-
- def urlsplit(url, scheme='', allow_fragments=True):
- """Parse a URL into 5 components:
-diff -uNrp a/Misc/NEWS.d/next/Library/2019-06-10-12-02-45.bpo-36742.UEdHXJ.rst b/Misc/NEWS.d/next/Library/2019-06-10-12-02-45.bpo-36742.UEdHXJ.rst
---- a/Misc/NEWS.d/next/Library/2019-06-10-12-02-45.bpo-36742.UEdHXJ.rst 1970-01-01 08:00:00.000000000 +0800
-+++ b/Misc/NEWS.d/next/Library/2019-06-10-12-02-45.bpo-36742.UEdHXJ.rst 2019-12-21 16:00:40.480000000 +0800
-@@ -0,0 +1,3 @@
-+:func:`urlparse.urlsplit` error message for invalid ``netloc`` according to
-+NFKC normalization is now a :class:`str` string, rather than a
-+:class:`unicode` string, to prevent error when displaying the error.
diff --git a/CVE-2019-16056.patch b/CVE-2019-16056.patch
deleted file mode 100644
index 5a841437f3aadb61c09f1c8aa5bb93828169e0c9..0000000000000000000000000000000000000000
--- a/CVE-2019-16056.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-diff -uNrp a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
---- a/Lib/email/_parseaddr.py 2019-12-21 16:01:21.340000000 +0800
-+++ b/Lib/email/_parseaddr.py 2019-12-21 16:03:22.108000000 +0800
-@@ -336,7 +336,12 @@ class AddrlistClass:
- aslist.append('@')
- self.pos += 1
- self.gotonext()
-- return EMPTYSTRING.join(aslist) + self.getdomain()
-+ domain = self.getdomain()
-+ if not domain:
-+ # Invalid domain, return an empty address instead of returning a
-+ # local part to denote failed parsing.
-+ return EMPTYSTRING
-+ return EMPTYSTRING.join(aslist) + domain
-
- def getdomain(self):
- """Get the complete domain name from an address."""
-@@ -351,6 +356,10 @@ class AddrlistClass:
- elif self.field[self.pos] == '.':
- self.pos += 1
- sdlist.append('.')
-+ elif self.field[self.pos] == '@':
-+ # bpo-34155: Don't parse domains with two `@` like
-+ # `a@malicious.org@important.com`.
-+ return EMPTYSTRING
- elif self.field[self.pos] in self.atomends:
- break
- else:
-diff -uNrp a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
---- a/Lib/email/test/test_email.py 2019-12-21 16:01:21.344000000 +0800
-+++ b/Lib/email/test/test_email.py 2019-12-21 16:04:40.564000000 +0800
-@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
- self.assertEqual(Utils.parseaddr('<>'), ('', ''))
- self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
-
-+ def test_parseaddr_multiple_domains(self):
-+ self.assertEqual(
-+ Utils.parseaddr('a@b@c'),
-+ ('', '')
-+ )
-+ self.assertEqual(
-+ Utils.parseaddr('a@b.c@c'),
-+ ('', '')
-+ )
-+ self.assertEqual(
-+ Utils.parseaddr('a@172.17.0.1@c'),
-+ ('', '')
-+ )
-+
- def test_noquote_dump(self):
- self.assertEqual(
- Utils.formataddr(('A Silly Person', 'person@dom.ain')),
-diff -uNrp a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
---- a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst 1970-01-01 08:00:00.000000000 +0800
-+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst 2019-12-21 16:05:05.292000000 +0800
-@@ -0,0 +1 @@
-+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
diff --git a/CVE-2019-16935.patch b/CVE-2019-16935.patch
deleted file mode 100644
index b33f146e19c1f941be0eb8b051cd8b4406002148..0000000000000000000000000000000000000000
--- a/CVE-2019-16935.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-diff -uNrp a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
---- a/Lib/DocXMLRPCServer.py 2019-12-21 16:13:25.240000000 +0800
-+++ b/Lib/DocXMLRPCServer.py 2019-12-21 16:15:24.076000000 +0800
-@@ -20,6 +20,15 @@ from SimpleXMLRPCServer import (SimpleXM
- CGIXMLRPCRequestHandler,
- resolve_dotted_attribute)
-
-+def _html_escape_quote(s):
-+ s = s.replace("&", "&") # Must be done first!
-+ s = s.replace("<", "<")
-+ s = s.replace(">", ">")
-+ s = s.replace('"', """)
-+ s = s.replace('\'', "'")
-+ return s
-+
-+
- class ServerHTMLDoc(pydoc.HTMLDoc):
- """Class used to generate pydoc HTML document for a server"""
-
-@@ -210,7 +219,9 @@ class XMLRPCDocGenerator:
- methods
- )
-
-- return documenter.page(self.server_title, documentation)
-+ title = _html_escape_quote(self.server_title)
-+ return documenter.page(title, documentation)
-+
-
- class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
- """XML-RPC and documentation request handler class.
-diff -uNrp a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
---- a/Lib/test/test_docxmlrpc.py 2019-12-21 16:13:25.340000000 +0800
-+++ b/Lib/test/test_docxmlrpc.py 2019-12-21 16:16:49.828000000 +0800
-@@ -1,5 +1,6 @@
- from DocXMLRPCServer import DocXMLRPCServer
- import httplib
-+import re
- import sys
- from test import test_support
- threading = test_support.import_module('threading')
-@@ -176,6 +177,26 @@ class DocXMLRPCHTTPGETServer(unittest.Te
- self.assertIn("""Try self.add, too.""",
- response.read())
-
-+ def test_server_title_escape(self):
-+ """Test that the server title and documentation
-+ are escaped for HTML.
-+ """
-+ self.serv.set_server_title('test_title