* [PATCH] python3: Upgrade 3.12.5 -> 3.12.6
@ 2024-09-12  6:44 dchellam
From: dchellam @ 2024-09-12  6:44 UTC (permalink / raw)
  To: openembedded-core

From: Divya Chellam <divya.chellam@windriver.com>

Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232
and other bug fixes.

Removed the below patches, as the fix is included in the 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. 0001-test_readline-skip-limited-history-test.patch

Release Notes:
https://www.python.org/downloads/release/python-3126/

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 ...t_readline-skip-limited-history-test.patch |  41 ----
 .../python/python3/CVE-2024-7592.patch        | 231 ------------------
 .../{python3_3.12.5.bb => python3_3.12.6.bb}  |   4 +-
 3 files changed, 1 insertion(+), 275 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch
 rename meta/recipes-devtools/python/{python3_3.12.5.bb => python3_3.12.6.bb} (99%)

diff --git a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch b/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
deleted file mode 100644
index 50a4609f7a..0000000000
--- a/meta/recipes-devtools/python/python3/0001-test_readline-skip-limited-history-test.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From d9d916d5ea946c945323679d1709de1b87029b96 Mon Sep 17 00:00:00 2001
-From: Trevor Gamblin <tgamblin@baylibre.com>
-Date: Tue, 13 Aug 2024 11:07:05 -0400
-Subject: [PATCH] test_readline: skip limited history test
-
-This test was added recently and is failing on the ptest image when
-using the default PACKAGECONFIG settings (i.e. with editline instead of
-readline).. Disable it until the proper fix is determined.
-
-A bug has been opened upstream: https://github.com/python/cpython/issues/123018
-
-Upstream-Status: Inappropriate [OE-specific]
-
-Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
----
- Lib/test/test_readline.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/Lib/test/test_readline.py b/Lib/test/test_readline.py
-index 91fd7dd13f9..d81f9bf8eed 100644
---- a/Lib/test/test_readline.py
-+++ b/Lib/test/test_readline.py
-@@ -132,6 +132,7 @@ def test_nonascii_history(self):
-         self.assertEqual(readline.get_history_item(1), "entrée 1")
-         self.assertEqual(readline.get_history_item(2), "entrée 22")
- 
-+    @unittest.skip("Skipping problematic test")
-     def test_write_read_limited_history(self):
-         previous_length = readline.get_history_length()
-         self.addCleanup(readline.set_history_length, previous_length)
-@@ -349,6 +350,7 @@ def test_history_size(self):
-             self.assertEqual(len(lines), history_size)
-             self.assertEqual(lines[-1].strip(), b"last input")
- 
-+    @unittest.skip("Skipping problematic test")
-     def test_write_read_limited_history(self):
-         previous_length = readline.get_history_length()
-         self.addCleanup(readline.set_history_length, previous_length)
--- 
-2.39.2
-
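Review bot: dropping this file needs a ptest run with the default PACKAGECONFIG before it can go in, because it is not a fix that 3.12.6 could have absorbed: its own header reads `Upstream-Status: Inappropriate [OE-specific]`, and what it does is skip `test_write_read_limited_history`, which fails when editline is used instead of readline, with the upstream bug tracked at https://github.com/python/cpython/issues/123018. Unless that issue is resolved in 3.12.6, the cover letter's "the fix is included in 3.12.6" does not apply here; keep the patch (rebased if the hunk offsets moved) and, if it really is obsolete, name the upstream change that made it so in the commit message.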
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
deleted file mode 100644
index 7fd74abed3..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Fri, 16 Aug 2024 19:13:37 +0300
-Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies
- with backslashes
-
-This fixes CVE-2024-7592.
-
-CVE: CVE-2024-7592
-Upstream-Status: Backport [https://github.com/python/cpython/pull/123075]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
----
- Lib/http/cookies.py                           | 34 ++++-------------
- Lib/test/test_http_cookies.py                 | 38 +++++++++++++++++++
- ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |  1 +
- 3 files changed, 47 insertions(+), 26 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 351faf428a20cd..11a67e8a2e008b 100644
---- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,8 +184,12 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
- 
- 
--_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
--_QuotePatt = re.compile(r"[\\].")
-+_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))')
-+def _unquote_replace(m):
-+    if m[1]:
-+        return chr(int(m[1], 8))
-+    else:
-+        return m[2]
- 
- def _unquote(str):
-     # If there aren't any doublequotes,
-@@ -205,30 +209,8 @@ def _unquote(str):
-     #    \012 --> \n
-     #    \"   --> "
-     #
--    i = 0
--    n = len(str)
--    res = []
--    while 0 <= i < n:
--        o_match = _OctalPatt.search(str, i)
--        q_match = _QuotePatt.search(str, i)
--        if not o_match and not q_match:              # Neither matched
--            res.append(str[i:])
--            break
--        # else:
--        j = k = -1
--        if o_match:
--            j = o_match.start(0)
--        if q_match:
--            k = q_match.start(0)
--        if q_match and (not o_match or k < j):     # QuotePatt matched
--            res.append(str[i:k])
--            res.append(str[k+1])
--            i = k + 2
--        else:                                      # OctalPatt matched
--            res.append(str[i:j])
--            res.append(chr(int(str[j+1:j+4], 8)))
--            i = j + 4
--    return _nulljoin(res)
-+
-+    return _unquote_re.sub(_unquote_replace, str)
- 
- # The _getdate() routine is used to set the expiration time in the cookie's HTTP
- # header.  By default, _getdate() returns the current time in the appropriate
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index 925c8697f60de6..13b526d49b0856 100644
---- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -5,6 +5,7 @@
- import doctest
- from http import cookies
- import pickle
-+from test import support
- 
- 
- class CookieTests(unittest.TestCase):
-@@ -58,6 +59,43 @@ def test_basic(self):
-             for k, v in sorted(case['dict'].items()):
-                 self.assertEqual(C[k].value, v)
- 
-+    def test_unquote(self):
-+        cases = [
-+            (r'a="b=\""', 'b="'),
-+            (r'a="b=\\"', 'b=\\'),
-+            (r'a="b=\="', 'b=\\='),
-+            (r'a="b=\n"', 'b=\\n'),
-+            (r'a="b=\042"', 'b="'),
-+            (r'a="b=\134"', 'b=\\'),
-+            (r'a="b=\377"', 'b=\xff'),
-+            (r'a="b=\400"', 'b=\\400'),
-+            (r'a="b=\42"', 'b=\\42'),
-+            (r'a="b=\\042"', 'b=\\042'),
-+            (r'a="b=\\134"', 'b=\\134'),
-+            (r'a="b=\\\""', 'b=\\"'),
-+            (r'a="b=\\\042"', 'b=\\"'),
-+            (r'a="b=\134\""', 'b=\\"'),
-+            (r'a="b=\134\042"', 'b=\\"'),
-+        ]
-+        for encoded, decoded in cases:
-+            with self.subTest(encoded):
-+                C = cookies.SimpleCookie()
-+                C.load(encoded)
-+                self.assertEqual(C['a'].value, decoded)
-+
-+    @support.requires_resource('cpu')
-+    def test_unquote_large(self):
-+        n = 10**6
-+        for encoded in r'\\', r'\134':
-+            with self.subTest(encoded):
-+                data = 'a="b=' + encoded*n + ';"'
-+                C = cookies.SimpleCookie()
-+                C.load(data)
-+                value = C['a'].value
-+                self.assertEqual(value[:3], 'b=\\')
-+                self.assertEqual(value[-2:], '\\;')
-+                self.assertEqual(len(value), n + 3)
-+
-     def test_load(self):
-         C = cookies.SimpleCookie()
-         C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
-diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-new file mode 100644
-index 00000000000000..158b938a65a2d4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-@@ -0,0 +1 @@
-+Fix quadratic complexity in parsing cookies with backslashes.
-
-From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Fri, 16 Aug 2024 19:38:20 +0300
-Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping.
-
----
- Lib/http/cookies.py           | 2 +-
- Lib/test/test_http_cookies.py | 8 ++++----
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 11a67e8a2e008b..464abeb0fb253a 100644
---- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,7 +184,7 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
- 
- 
--_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))')
-+_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')
- def _unquote_replace(m):
-     if m[1]:
-         return chr(int(m[1], 8))
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index 13b526d49b0856..8879902a6e2f41 100644
---- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -63,13 +63,13 @@ def test_unquote(self):
-         cases = [
-             (r'a="b=\""', 'b="'),
-             (r'a="b=\\"', 'b=\\'),
--            (r'a="b=\="', 'b=\\='),
--            (r'a="b=\n"', 'b=\\n'),
-+            (r'a="b=\="', 'b=='),
-+            (r'a="b=\n"', 'b=n'),
-             (r'a="b=\042"', 'b="'),
-             (r'a="b=\134"', 'b=\\'),
-             (r'a="b=\377"', 'b=\xff'),
--            (r'a="b=\400"', 'b=\\400'),
--            (r'a="b=\42"', 'b=\\42'),
-+            (r'a="b=\400"', 'b=400'),
-+            (r'a="b=\42"', 'b=42'),
-             (r'a="b=\\042"', 'b=\\042'),
-             (r'a="b=\\134"', 'b=\\134'),
-             (r'a="b=\\\""', 'b=\\"'),
-
-From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Sat, 17 Aug 2024 12:40:11 +0300
-Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object.
-
----
- Lib/http/cookies.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index 464abeb0fb253a..6b9ed24ad8ec78 100644
---- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -184,7 +184,8 @@ def _quote(str):
-         return '"' + str.translate(_Translator) + '"'
- 
- 
--_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')
-+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
-+
- def _unquote_replace(m):
-     if m[1]:
-         return chr(int(m[1], 8))
-@@ -209,8 +210,7 @@ def _unquote(str):
-     #    \012 --> \n
-     #    \"   --> "
-     #
--
--    return _unquote_re.sub(_unquote_replace, str)
-+    return _unquote_sub(_unquote_replace, str)
- 
- # The _getdate() routine is used to set the expiration time in the cookie's HTTP
- # header.  By default, _getdate() returns the current time in the appropriate
-
-From 8256ed2228137c87d4b20747db84a9cdf0fa1d34 Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Sat, 17 Aug 2024 13:08:20 +0300
-Subject: [PATCH 4/4] Add a reference to the module in NEWS.
-
----
- .../next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-index 158b938a65a2d4..6a234561fe31a3 100644
---- a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
-@@ -1 +1 @@
--Fix quadratic complexity in parsing cookies with backslashes.
-+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
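Review bot: removing this backport is justified only if the final state of the four-part series is what 3.12.6 ships, so the commit message should cite the upstream commit or the 3.12.6 changelog entry for gh-123067 rather than the CVE id alone. Note that patch 2/4 widened the regex from `(["\\])` to `(.)` (so `\=` unquotes to `=` and `\400` to `400`, per the updated test cases) and patch 3/4 renamed `_unquote_re` to `_unquote_sub`; checking that `Lib/http/cookies.py` in the 3.12.6 tarball contains `_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub` confirms that cookie-value unquoting behaves the same after the upgrade as with the backport applied.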
diff --git a/meta/recipes-devtools/python/python3_3.12.5.bb b/meta/recipes-devtools/python/python3_3.12.6.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.12.5.bb
rename to meta/recipes-devtools/python/python3_3.12.6.bb
index 29b02ef510..8c938554ed 100644
--- a/meta/recipes-devtools/python/python3_3.12.5.bb
+++ b/meta/recipes-devtools/python/python3_3.12.6.bb
@@ -33,15 +33,13 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
 	   file://0001-test_deadlock-skip-problematic-test.patch \
 	   file://0001-test_active_children-skip-problematic-test.patch \
-           file://0001-test_readline-skip-limited-history-test.patch \
-           file://CVE-2024-7592.patch \
            "
 
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
            "
 
-SRC_URI[sha256sum] = "fa8a2e12c5e620b09f53e65bcd87550d2e5a1e2e04bf8ba991dcc55113876397"
+SRC_URI[sha256sum] = "1999658298cf2fb837dffed8ff3c033ef0c98ef20cf73c5d5f66bed5ab89697c"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
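Review bot: the `-           file://0001-test_readline-skip-limited-history-test.patch \` removal should be reverted in this hunk, since that file is an OE-specific test skip rather than an upstream fix (see its deleted header above), leaving only the `CVE-2024-7592.patch` drop and the checksum bump. The commit message should also say how the new `SRC_URI[sha256sum]` was verified, for example against the signed release tarball linked from https://www.python.org/downloads/release/python-3126/, as the checksum line is the one part of this hunk a reviewer cannot verify by reading. Minor: the two `file://0001-test_*-skip-problematic-test.patch` context lines are tab-indented while the rest of `SRC_URI` uses spaces.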
-- 
2.40.0


* Re: [OE-core] [PATCH] python3: Upgrade 3.12.5 -> 3.12.6
From: Richard Purdie @ 2024-09-12 15:22 UTC (permalink / raw)
  To: Divya.Chellam, openembedded-core

On Thu, 2024-09-12 at 06:44 +0000, dchellam via lists.openembedded.org wrote:
> From: Divya Chellam <divya.chellam@windriver.com>
> 
> Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232
> and other bug fixes.
> 
> Removed the below patches, as the fix is included in the 3.12.6 upgrade:
> 1. CVE-2024-7592.patch
> 2. 0001-test_readline-skip-limited-history-test.patch
> 
> Release Notes:
> https://www.python.org/downloads/release/python-3126/
> 
> Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
> ---


Unfortunately "0001-test_readline-skip-limited-history-test.patch" is still needed as it failed in testing:

https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6985/steps/12/logs/stdio

Could you rebase that patch and resend with it included please?

Thanks,

Richard



* Re: [OE-core] [PATCH] python3: Upgrade 3.12.5 -> 3.12.6
From: Ross Burton @ 2024-09-12 17:43 UTC (permalink / raw)
  To: Divya.Chellam@windriver.com; +Cc: openembedded-core@lists.openembedded.org

Hi Divya,

> On 12 Sep 2024, at 16:22, Richard Purdie via lists.openembedded.org <richard.purdie=linuxfoundation.org@lists.openembedded.org> wrote:
> Unfortunately "0001-test_readline-skip-limited-history-test.patch" is still needed as it failed in testing:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6985/steps/12/logs/stdio
> 
> Could you rebase that patch and resend with it included please?

We’d really like this to be part of the next release which is scheduled to be built asap (like, Monday), so sending this revised patch promptly would be _much_ appreciated.

Cheers,
Ross


* Re: [OE-core] [PATCH] python3: Upgrade 3.12.5 -> 3.12.6
From: Richard Purdie @ 2024-09-12 21:26 UTC (permalink / raw)
  To: ross.burton, Divya.Chellam@windriver.com; +Cc: openembedded-core

On Thu, 2024-09-12 at 17:43 +0000, Ross Burton via
lists.openembedded.org wrote:
> Hi Divya,
> 
> > On 12 Sep 2024, at 16:22, Richard Purdie via lists.openembedded.org
> > <richard.purdie=linuxfoundation.org@lists.openembedded.org> wrote:
> > Unfortunately "0001-test_readline-skip-limited-history-test.patch"
> > is still needed as it failed in testing:
> > 
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/81/builds/6985/steps/12/logs/stdio
> > 
> > Could you rebase that patch and resend with it included please?
> 
> We’d really like this to be part of the next release which is
> scheduled to be built asap (like, Monday), so sending this revised
> patch promptly would be _much_ appreciated.

As I'm worried about time pressures, I've tried refreshing that patch
in master-next and am retesting...

Cheers,

Richard


