Diffstat (limited to 'nixpkgs/pkgs/development/interpreters/python/cpython')
4 files changed, 79 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/CVE-2019-20907.patch b/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/CVE-2019-20907.patch new file mode 100644 index 000000000000..cf67ae2b51be --- /dev/null +++ b/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/CVE-2019-20907.patch @@ -0,0 +1,24 @@ +From 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4 Mon Sep 17 00:00:00 2001 +From: Rishi <rishi_devan@mail.com> +Date: Wed, 15 Jul 2020 13:51:00 +0200 +Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module + (GH-21454) + +Avoid infinite loop when reading specially crafted TAR files using the tarfile module +(CVE-2019-20907). +--- + Lib/tarfile.py | 2 ++ + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index e2b60532f6..6769066cab 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1249,6 +1249,8 @@ class TarInfo(object): + + length, keyword = match.groups() + length = int(length) ++ if length == 0: ++ raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + # Normally, we could just use "utf-8" as the encoding and "strict" diff --git a/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix b/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix index 62aae7b22129..2cfaa69a4c8b 100644 --- a/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/nixpkgs/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -90,6 +90,9 @@ let # Backport from CPython 3.8 of a good list of tests to run for PGO. ./profile-task.patch + + # Patch is likely to go away in the next release (if there is any) + ./CVE-2019-20907.patch ] ++ optionals (x11Support && stdenv.isDarwin) [ ./use-correct-tcl-tk-on-darwin.patch ] ++ optionals stdenv.isLinux [ 
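Review bot: The comment added above `./CVE-2019-20907.patch` in the 2.7 patches list says only that the patch is likely to go away, not what it fixes or when it can be dropped. Because this is a security backport (the patch header describes an infinite loop in tarfile on crafted TAR files, bpo-39017), the comment should say so, e.g. `# CVE-2019-20907 (bpo-39017): tarfile infinite loop on crafted archives; drop once a 2.7 release contains the fix`. The `patches` list itself starts and ends outside the hunk.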
diff --git a/nixpkgs/pkgs/development/interpreters/python/cpython/3.8/0001-On-all-posix-systems-not-just-Darwin-set-LDSHARED-if.patch b/nixpkgs/pkgs/development/interpreters/python/cpython/3.8/0001-On-all-posix-systems-not-just-Darwin-set-LDSHARED-if.patch
new file mode 100644
index 000000000000..0c26300d9c06
--- /dev/null
+++ b/nixpkgs/pkgs/development/interpreters/python/cpython/3.8/0001-On-all-posix-systems-not-just-Darwin-set-LDSHARED-if.patch
@@ -0,0 +1,33 @@
+From 1911995b1a1252d80bf2b9651840e185a1a6baf5 Mon Sep 17 00:00:00 2001
+From: Hong Xu <hong@topbug.net>
+Date: Thu, 25 Jul 2019 10:25:55 -0700
+Subject: [PATCH] On all posix systems, not just Darwin, set LDSHARED (if not
+ set) according to CC
+
+This patch is slightly different from https://bugs.python.org/issue24935
+, except that we now handle LDSHARED according to CC on all posix
+systems, not just Darwin or Linux.
+---
+ Lib/distutils/sysconfig.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py
+index 37feae5df7..9fdce6896d 100644
+--- a/Lib/distutils/sysconfig.py
++++ b/Lib/distutils/sysconfig.py
+@@ -199,10 +199,10 @@ def customize_compiler(compiler):
+
+ if 'CC' in os.environ:
+ newcc = os.environ['CC']
+- if (sys.platform == 'darwin'
++ if (os.name == 'posix'
+ and 'LDSHARED' not in os.environ
+ and ldshared.startswith(cc)):
+- # On OS X, if CC is overridden, use that as the default
++ # On POSIX systems, if CC is overridden, use that as the default
+ # command for LDSHARED as well
+ ldshared = newcc + ldshared[len(cc):]
+ cc = newcc
+--
+2.25.1
+
diff --git a/nixpkgs/pkgs/development/interpreters/python/cpython/default.nix b/nixpkgs/pkgs/development/interpreters/python/cpython/default.nix
index 59067276f76e..b25d613eb7f3 100644
--- a/nixpkgs/pkgs/development/interpreters/python/cpython/default.nix
+++ b/nixpkgs/pkgs/development/interpreters/python/cpython/default.nix
@@ -9,6 +9,7 @@ , readline , sqlite , tcl ? null, tk ? null, tix ? null, libX11 ? null, xorgproto ? null, x11Support ? false +, bluez ? null, bluezSupport ? false , zlib , self , configd @@ -45,6 +46,9 @@ assert x11Support -> tcl != null && tk != null && xorgproto != null && libX11 != null; + +assert bluezSupport -> bluez != null; + with stdenv.lib; let @@ -73,6 +77,7 @@ let buildInputs = filter (p: p != null) ([ zlib bzip2 expat lzma libffi gdbm sqlite readline ncurses openssl ] ++ optionals x11Support [ tcl tk libX11 xorgproto ] + ++ optionals (bluezSupport && stdenv.isLinux) [ bluez ] ++ optionals stdenv.isDarwin [ configd ]); hasDistutilsCxxPatch = !(stdenv.cc.isGNU or false); @@ -145,9 +150,14 @@ in with passthru; stdenv.mkDerivation { sha256 = "1h18lnpx539h5lfxyk379dxwr8m2raigcjixkf133l4xy3f4bzi2"; } ) + ] ++ [ + # LDSHARED now uses $CC instead of gcc. Fixes cross-compilation of extension modules. + ./3.8/0001-On-all-posix-systems-not-just-Darwin-set-LDSHARED-if.patch ]; postPatch = '' + substituteInPlace Lib/subprocess.py \ + --replace "'/bin/sh'" "'${bash}/bin/sh'" '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; 
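Review bot: The new `assert bluezSupport -> bluez != null;` and the buildInputs line `++ optionals (bluezSupport && stdenv.isLinux) [ bluez ]` disagree about platform: with `bluezSupport = true` on a non-Linux host the assert passes and bluez is silently left out. If that is intended, a comment on the buildInputs line should say so, e.g. `# bluez is Linux-only; bluezSupport is ignored elsewhere`. Otherwise the assert could carry the platform condition, `assert bluezSupport -> bluez != null && stdenv.isLinux;`. The argument list and the buildInputs expression both extend outside their hunks.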
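Review bot: The postPatch step `substituteInPlace Lib/subprocess.py --replace "'/bin/sh'" "'${bash}/bin/sh'"` never checks that the literal was found, so if a CPython version built from this file spells the shell path differently, the build presumably still succeeds and `shell=True` keeps resolving `/bin/sh` from the ambient system. A guard after the substitution would make that visible, e.g. `grep -qF "${bash}/bin/sh" Lib/subprocess.py || (echo "subprocess.py: /bin/sh not replaced"; exit 1)`. A one-line comment saying why the shell is pinned to the store path would also help the next reader. Whether `bash` is already among the function arguments cannot be seen from these hunks. The same hunk adds `./3.8/0001-On-all-posix-systems-not-just-Darwin-set-LDSHARED-if.patch` without a version condition; if other versions are built from this file, confirm it applies to each.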
@@ -281,6 +291,13 @@ in with passthru; stdenv.mkDerivation { find $out -name "*.py" | ${pythonForBuildInterpreter} -OO -m compileall -q -f -x "lib2to3" -i - '' + optionalString stripBytecode '' find $out -type d -name __pycache__ -print0 | xargs -0 -I {} rm -rf "{}" + '' + '' + # *strip* shebang from libpython gdb script - it should be dual-syntax and + # interpretable by whatever python the gdb in question is using, which may + # not even match the major version of this python. doing this after the + # bytecode compilations for the same reason. + mkdir -p $out/share/gdb + sed '/^#!/d' Tools/gdb/libpython.py > $out/share/gdb/libpython.py ''; preFixup = stdenv.lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) '' @@ -298,6 +315,8 @@ in with passthru; stdenv.mkDerivation { pythonForBuild buildPackages.bash ]; + separateDebugInfo = true; + inherit passthru; enableParallelBuilding = true; |
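Review bot: In the postInstall addition, `sed '/^#!/d' Tools/gdb/libpython.py` deletes every line that starts with `#!`, not only the interpreter line at the top of the file. Anchoring the expression to the first line leaves the rest of the script untouched: `sed '1{/^#!/d}' Tools/gdb/libpython.py > $out/share/gdb/libpython.py`. The enclosing postInstall string begins outside the hunk.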