Openembedded Core Discussions
* [warrior][PATCH] python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652
@ 2020-01-17 17:04 Adrian Bunk
From: Adrian Bunk @ 2020-01-17 17:04 UTC
  To: openembedded-core

One Windows-only CVE that cannot be fixed, and two CVEs
where upstream agreement is that they are not vulnerabilities.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/python/python.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index b093ea6f09..5d280dc63b 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -19,6 +19,16 @@ UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>2(\.\d+)+).tar"
 
 CVE_PRODUCT = "python"
 
+# Upstream agreement is that these are not security issues:
+# https://bugs.python.org/issue32367
+CVE_CHECK_WHITELIST += "CVE-2017-17522"
+# https://bugs.python.org/issue32056
+CVE_CHECK_WHITELIST += "CVE-2017-18207"
+
+# Windows-only, "It was determined that this is a longtime behavior
+# of Python that cannot really be altered at this point."
+CVE_CHECK_WHITELIST += "CVE-2015-5652"
+
 PYTHON_MAJMIN = "2.7"
 
 inherit autotools pkgconfig
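Review bot: the CVE-2015-5652 entry quotes an upstream statement but, unlike the two entries above it, carries no bug URL, so a later reader cannot check where the quote or the "Windows-only" assessment comes from; add the bugs.python.org reference next to the comment, the way the CVE-2017-17522 and CVE-2017-18207 entries do. Whitelisting a Windows-only issue is reasonable for a recipe that only builds Linux targets, but the reference is what lets the next maintainer re-check that the upstream position has not changed.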
-- 
2.17.1

* [warrior][PATCH] python/python3: Whitelist CVE-2019-18348
From: Adrian Bunk @ 2020-01-17 17:04 UTC
  To: openembedded-core

This is not exploitable when glibc has CVE-2016-10739 fixed,
which is fixed in the upstream version since warrior.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/python/python.inc       | 3 +++
 meta/recipes-devtools/python/python3_3.7.5.bb | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 5d280dc63b..a2424a67bf 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -29,6 +29,9 @@ CVE_CHECK_WHITELIST += "CVE-2017-18207"
 # of Python that cannot really be altered at this point."
 CVE_CHECK_WHITELIST += "CVE-2015-5652"
 
+# This is not exploitable when glibc has CVE-2016-10739 fixed.
+CVE_CHECK_WHITELIST += "CVE-2019-18348"
+
 PYTHON_MAJMIN = "2.7"
 
 inherit autotools pkgconfig
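Review bot: the whitelist is unconditional, but its justification is not: the comment and the commit message say CVE-2019-18348 is not exploitable only because the glibc in warrior carries the fix for CVE-2016-10739. A build against a different C library would carry the whitelist without that precondition holding, and cve-check would then report nothing. Consider scoping the entry with the libc override that the libgcc patch in this series already uses, e.g. `CVE_CHECK_WHITELIST_append_libc-glibc = " CVE-2019-18348"`, or at least state in the comment that the whitelist assumes glibc.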
diff --git a/meta/recipes-devtools/python/python3_3.7.5.bb b/meta/recipes-devtools/python/python3_3.7.5.bb
index c560c4a29d..c90054d45a 100644
--- a/meta/recipes-devtools/python/python3_3.7.5.bb
+++ b/meta/recipes-devtools/python/python3_3.7.5.bb
@@ -46,6 +46,9 @@ UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
 
 CVE_PRODUCT = "python"
 
+# This is not exploitable when glibc has CVE-2016-10739 fixed.
+CVE_CHECK_WHITELIST += "CVE-2019-18348"
+
 PYTHON_MAJMIN = "3.7"
 PYTHON_BINABI = "${PYTHON_MAJMIN}m"
 
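Review bot: this hunk duplicates the python.inc change verbatim (same comment, same unconditional whitelist), so the same libc caveat applies here, and any later change to the guard or the wording has to be made in both files. A short note in the comment that the rationale is shared with python.inc would help keep the two in sync.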
-- 
2.17.1

* [warrior][PATCH] python3: Upgrade 3.7.5 -> 3.7.6
From: Adrian Bunk @ 2020-01-17 17:04 UTC
  To: openembedded-core

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../python/{python3_3.7.5.bb => python3_3.7.6.bb}             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3_3.7.5.bb => python3_3.7.6.bb} (98%)

diff --git a/meta/recipes-devtools/python/python3_3.7.5.bb b/meta/recipes-devtools/python/python3_3.7.6.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.7.5.bb
rename to meta/recipes-devtools/python/python3_3.7.6.bb
index c90054d45a..7a569f9ca7 100644
--- a/meta/recipes-devtools/python/python3_3.7.5.bb
+++ b/meta/recipes-devtools/python/python3_3.7.6.bb
@@ -38,8 +38,8 @@ SRC_URI_append_class-nativesdk = " \
            file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
            "
 
-SRC_URI[md5sum] = "08ed8030b1183107c48f2092e79a87e2"
-SRC_URI[sha256sum] = "e85a76ea9f3d6c485ec1780fca4e500725a4a7bbc63c78ebc44170de9b619d94"
+SRC_URI[md5sum] = "c08fbee72ad5c2c95b0f4e44bf6fd72c"
+SRC_URI[sha256sum] = "55a2cce72049f0794e9a11a84862e9039af9183603b78bc60d89539f82cf533f"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
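Review bot: the commit message is empty, so there is no record of where the new md5sum and sha256sum values came from; the sha256sum line is what the fetcher verifies, so for a version bump the message should say the checksums were taken from (or checked against) the upstream release rather than copied from an intermediate source. The context also shows a local patch in SRC_URI; a sentence confirming it still applies cleanly to 3.7.6 would save the reviewer a rebuild.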
-- 
2.17.1

* [warrior][PATCH] python3: RDEPEND on libgcc
From: Adrian Bunk @ 2020-01-17 17:04 UTC
  To: openembedded-core

From: Joshua Watt <jpewhacker@gmail.com>

Python uses features of glibc that require it to dynamically load (i.e.
dlopen()) libgcc_s at runtime. However, since this isn't a link time
dependency, it doesn't get picked up automatically by bitbake, so
manually add it to RDEPENDS.

There is an outstanding bug in Python to make it explicitly link against
libgcc at link time which would remove the need for this. See:
https://bugs.python.org/issue37395

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
[ merged the fix to make it glibc only ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
---
 meta/recipes-devtools/python/python3_3.7.6.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.7.6.bb b/meta/recipes-devtools/python/python3_3.7.6.bb
index 7a569f9ca7..3efd3bcac8 100644
--- a/meta/recipes-devtools/python/python3_3.7.6.bb
+++ b/meta/recipes-devtools/python/python3_3.7.6.bb
@@ -308,6 +308,8 @@ FILES_${PN}-misc = "${libdir}/python${PYTHON_MAJMIN} ${libdir}/python${PYTHON_MA
 PACKAGES += "${PN}-man"
 FILES_${PN}-man = "${datadir}/man"
 
+# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
+RDEPENDS_libpython3_append_libc-glibc = " libgcc"
 RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed"
 RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
 RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
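Review bot: the new libpython3 dependency is restricted to glibc via `_append_libc-glibc`, matching the "[ merged the fix to make it glibc only ]" note in the sign-off block, but the adjacent `RDEPENDS_${PN}-ptest` line in the context still lists libgcc unconditionally, so the two dependencies now follow different rules. If the ptest dependency is needed regardless of libc, a one-line comment saying so would pre-empt the question; otherwise it should get the same override. The comment also cites issue18748, which the commit message never mentions; a few words on what it covers would make the comment self-explanatory.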
-- 
2.17.1

* ✗ patchtest: failure for python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652 (rev4)
From: Patchwork @ 2020-01-17 17:34 UTC
  To: Adrian Bunk; +Cc: openembedded-core

== Series Details ==

Series: python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652 (rev4)
Revision: 4
URL   : https://patchwork.openembedded.org/series/21468/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  warrior (currently at 279c4da2e5)

If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

* ✗ patchtest: failure for python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652 (rev6)
From: Patchwork @ 2020-01-17 17:34 UTC
  To: Adrian Bunk; +Cc: openembedded-core

== Series Details ==

Series: python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652 (rev6)
Revision: 6
URL   : https://patchwork.openembedded.org/series/21468/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  warrior (currently at 279c4da2e5)

If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
