From 6eb88b178404d837b4ff02920550faaacb5cd92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
Date: Fri, 20 Oct 2017 20:31:31 +0200
Subject: [PATCH] Update to 5.9 (#1504427)
---
 .gitignore | 2 +
 009-raise-an-error-when-STARTTLS-fails.patch | 35 ----
 ...TTP-header-injections-in-http.client.patch | 163 ------------------
 011-no-faulthandler.patch | 65 +++++--
 pypy3.spec | 50 +++---
 sources | 2 +-
 6 files changed, 79 insertions(+), 238 deletions(-)
 delete mode 100644 009-raise-an-error-when-STARTTLS-fails.patch
 delete mode 100644 010-disabled-HTTP-header-injections-in-http.client.patch
diff --git a/.gitignore b/.gitignore
index 3fcf7b6..602e7b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 /pypy3-2.4.0-src.tar.bz2
 /pypy3.3-v5.2.0-alpha1-src.tar.bz2
 /pypy3.3-v5.5.0-alpha-src.tar.bz2
+/pypy3-v5.7.0-src.tar.bz2
+/pypy3-v5.9.0-src.tar.bz2
diff --git a/009-raise-an-error-when-STARTTLS-fails.patch b/009-raise-an-error-when-STARTTLS-fails.patch
deleted file mode 100644
index 58ceb01..0000000
--- a/009-raise-an-error-when-STARTTLS-fails.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4c0f6a6fe6c71009ab4a6b3716e70af021e04904 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
-Date: Sat, 2 Jul 2016 20:18:12 +0200
-Subject: [PATCH] Raise an error when STARTTLS fails
-
-CVE-2016-0772 python: smtplib StartTLS stripping attack
-rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
-rhbz#1351680: https://bugzilla.redhat.com/show_bug.cgi?id=1351680
-
-Based on an upstream change by Benjamin Peterson
-- in changeset 101887:d590114c2394 3.4
-- https://hg.python.org/cpython/rev/d590114c2394
----
- lib-python/3/smtplib.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib-python/3/smtplib.py b/lib-python/3/smtplib.py
-index 57f181b..5656cc6 100755
---- a/lib-python/3/smtplib.py
-+++ b/lib-python/3/smtplib.py
-@@ -680,6 +680,11 @@ class SMTP:
- self.ehlo_resp = None
- self.esmtp_features = {}
- self.does_esmtp = 0
-+ else:
-+ # RFC 3207:
-+ # 501 Syntax error (no parameters allowed)
-+ # 454 TLS not available due to temporary reason
-+ raise SMTPResponseException(resp, reply)
- return (resp, reply)
-
- def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
----
-2.9.0
-
diff --git a/010-disabled-HTTP-header-injections-in-http.client.patch b/010-disabled-HTTP-header-injections-in-http.client.patch
deleted file mode 100644
index bed386c..0000000
--- a/010-disabled-HTTP-header-injections-in-http.client.patch
+++ /dev/null
@@ -1,163 +0,0 @@ -From 9a8db191cf8a3557a24e91081bf434d581b98c5a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= -Date: Sat, 2 Jul 2016 20:20:58 +0200 -Subject: [PATCH] Disabled HTTP header injections in http.client. - -CVE-2016-5699 python: http protocol steam injection attack -rhbz#1303699: https://bugzilla.redhat.com/show_bug.cgi?id=1303699 -rhbz#1351687: https://bugzilla.redhat.com/show_bug.cgi?id=1351687 - -Based on an upstream change by Demian Brecht and Serhiy Storchaka -- in changeset 94952:bf3e1c9b80e9 3.4 -- https://hg.python.org/cpython/rev/bf3e1c9b80e9 ---- - lib-python/3/http/client.py | 37 +++++++++++++++++++++++++ - lib-python/3/test/test_httplib.py | 57 +++++++++++++++++++++++++++++++++++++++ - 2 files changed, 94 insertions(+) - -diff --git a/lib-python/3/http/client.py b/lib-python/3/http/client.py -index e05c84d..476d6c8 100644 ---- a/lib-python/3/http/client.py -+++ b/lib-python/3/http/client.py -@@ -70,6 +70,7 @@ import email.parser - import email.message - import io - import os -+import re - import socket - import collections - from urllib.parse import urlsplit -@@ -217,6 +218,34 @@ _MAXLINE = 65536 - _MAXHEADERS = 100 - - -+# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2) -+# -+# VCHAR = %x21-7E -+# obs-text = %x80-FF -+# header-field = field-name ":" OWS field-value OWS -+# field-name = token -+# field-value = *( field-content / obs-fold ) -+# field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] -+# field-vchar = VCHAR / obs-text -+# -+# obs-fold = CRLF 1*( SP / HTAB ) -+# ; obsolete line folding -+# ; see Section 3.2.4 -+ -+# token = 1*tchar -+# -+# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" -+# / "+" / "-" / "." 
/ "^" / "_" / "`" / "|" / "~" -+# / DIGIT / ALPHA -+# ; any VCHAR, except delimiters -+# -+# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1 -+ -+# the patterns for both name and value are more leniant than RFC -+# definitions to allow for backwards compatibility -+_is_legal_header_name = re.compile(b'^[^:\s][^:\r\n]*$').match -+_is_illegal_header_value = re.compile(b'\n(?![ \t])|\r(?![ \t\n])').search -+ - class HTTPMessage(email.message.Message): - # XXX The only usage of this method is in - # http.server.CGIHTTPRequestHandler. Maybe move the code there so -@@ -1035,12 +1064,20 @@ class HTTPConnection: - - if hasattr(header, 'encode'): - header = header.encode('ascii') -+ -+ if not _is_legal_header_name(header): -+ raise ValueError('Invalid header name %r' % (header,)) -+ - values = list(values) - for i, one_value in enumerate(values): - if hasattr(one_value, 'encode'): - values[i] = one_value.encode('latin-1') - elif isinstance(one_value, int): - values[i] = str(one_value).encode('ascii') -+ -+ if _is_illegal_header_value(values[i]): -+ raise ValueError('Invalid header value %r' % (values[i],)) -+ - value = b'\r\n\t'.join(values) - header = header + b': ' + value - self._output(header) -diff --git a/lib-python/3/test/test_httplib.py b/lib-python/3/test/test_httplib.py -index c8ded92..fd71bea 100644 ---- a/lib-python/3/test/test_httplib.py -+++ b/lib-python/3/test/test_httplib.py -@@ -134,6 +134,33 @@ class HeaderTests(TestCase): - conn.putheader('Content-length', 42) - self.assertIn(b'Content-length: 42', conn._buffer) - -+ conn.putheader('Foo', ' bar ') -+ self.assertIn(b'Foo: bar ', conn._buffer) -+ conn.putheader('Bar', '\tbaz\t') -+ self.assertIn(b'Bar: \tbaz\t', conn._buffer) -+ conn.putheader('Authorization', 'Bearer mytoken') -+ self.assertIn(b'Authorization: Bearer mytoken', conn._buffer) -+ conn.putheader('IterHeader', 'IterA', 'IterB') -+ self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer) -+ conn.putheader('LatinHeader', 
b'\xFF') -+ self.assertIn(b'LatinHeader: \xFF', conn._buffer) -+ conn.putheader('Utf8Header', b'\xc3\x80') -+ self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer) -+ conn.putheader('C1-Control', b'next\x85line') -+ self.assertIn(b'C1-Control: next\x85line', conn._buffer) -+ conn.putheader('Embedded-Fold-Space', 'is\r\n allowed') -+ self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer) -+ conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed') -+ self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer) -+ conn.putheader('Key Space', 'value') -+ self.assertIn(b'Key Space: value', conn._buffer) -+ conn.putheader('KeySpace ', 'value') -+ self.assertIn(b'KeySpace : value', conn._buffer) -+ conn.putheader(b'Nonbreak\xa0Space', 'value') -+ self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer) -+ conn.putheader(b'\xa0NonbreakSpace', 'value') -+ self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer) -+ - def test_ipv6host_header(self): - # Default host header on IPv6 transaction should wrapped by [] if - # its actual IPv6 address -@@ -153,6 +180,36 @@ class HeaderTests(TestCase): - conn.request('GET', '/foo') - self.assertTrue(sock.data.startswith(expected)) - -+ def test_invalid_headers(self): -+ conn = client.HTTPConnection('example.com') -+ conn.sock = FakeSocket('') -+ conn.putrequest('GET', '/') -+ -+ # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no -+ # longer allowed in header names -+ cases = ( -+ (b'Invalid\r\nName', b'ValidValue'), -+ (b'Invalid\rName', b'ValidValue'), -+ (b'Invalid\nName', b'ValidValue'), -+ (b'\r\nInvalidName', b'ValidValue'), -+ (b'\rInvalidName', b'ValidValue'), -+ (b'\nInvalidName', b'ValidValue'), -+ (b' InvalidName', b'ValidValue'), -+ (b'\tInvalidName', b'ValidValue'), -+ (b'Invalid:Name', b'ValidValue'), -+ (b':InvalidName', b'ValidValue'), -+ (b'ValidName', b'Invalid\r\nValue'), -+ (b'ValidName', b'Invalid\rValue'), -+ (b'ValidName', b'Invalid\nValue'), -+ (b'ValidName', 
b'InvalidValue\r\n'), -+ (b'ValidName', b'InvalidValue\r'), -+ (b'ValidName', b'InvalidValue\n'), -+ ) -+ for name, value in cases: -+ with self.subTest((name, value)): -+ with self.assertRaisesRegex(ValueError, 'Invalid header'): -+ conn.putheader(name, value) -+ - - class BasicTest(TestCase): - def test_status_lines(self): --- -2.9.0 - diff --git a/011-no-faulthandler.patch b/011-no-faulthandler.patch index f0154eb..f96d232 100644 --- a/011-no-faulthandler.patch +++ b/011-no-faulthandler.patch 
@@ -1,30 +1,37 @@ -diff --git pypy3-v5.5.0-src/lib-python/3/test/regrtest.py pypy3-v5.5.0-src/lib-python/3/test/regrtest.py-new -index 8d18a9297a..e99322ebe1 100755 ---- pypy3-v5.5.0-src/lib-python/3/test/regrtest.py -+++ pypy3-v5.5.0-src/lib-python/3/test/regrtest.py-new -@@ -169,7 +169,6 @@ option '-uall,-gui'. - import importlib +commit ea4d6a12548eea7ce0424feea13a499fb7085e96 +Author: rpm-build +Date: Wed Mar 29 04:31:55 2017 +0200 + + 011-no-faulthandler.patch + +diff --git a/lib-python/3/test/regrtest.py b/lib-python/3/test/regrtest.py +index c1d85f6..3d3072c 100755 +--- a/lib-python/3/test/regrtest.py ++++ b/lib-python/3/test/regrtest.py +@@ -124,7 +124,6 @@ import importlib + import argparse import builtins -import faulthandler - import getopt import io import json -@@ -197,6 +196,10 @@ try: - import multiprocessing.process + import locale +@@ -152,7 +151,10 @@ try: + import _multiprocessing, multiprocessing.process except ImportError: multiprocessing = None +- +try: + import faulthandler +except ImportError: + faulthandler = None - # Some times __path__ and __file__ are not absolute (e.g. while running from -@@ -283,17 +286,18 @@ def main(tests=None, testdir=None, verbose=0, quiet=False, + # Lib/) and, if we change the CWD to run the tests in a temporary dir, some +@@ -486,17 +488,18 @@ def main(tests=None, **kwargs): + directly to set the values that would normally be set by flags on the command line. """ - - # Display the Python traceback on fatal errors (e.g. segfault) - faulthandler.enable(all_threads=True) - 
@@ -51,3 +58,37 @@ index 8d18a9297a..e99322ebe1 100755 replace_stdout() +diff --git a/lib-python/3/test/support/__init__.py b/lib-python/3/test/support/__init__.py +index 5d7f308..4424637 100644 +--- a/lib-python/3/test/support/__init__.py ++++ b/lib-python/3/test/support/__init__.py +@@ -6,7 +6,6 @@ if __name__ != 'test.support': + import collections.abc + import contextlib + import errno +-import faulthandler + import fnmatch + import functools + import gc +@@ -65,6 +64,11 @@ try: + except ImportError: + resource = None + ++try: ++ import faulthandler ++except ImportError: ++ faulthandler = None ++ + __all__ = [ + # globals + "PIPE_MAX_SIZE", "verbose", "max_memuse", "use_resources", "failfast", +@@ -2060,7 +2064,8 @@ def start_threads(threads, unlock=None): + finally: + started = [t for t in started if t.isAlive()] + if started: +- faulthandler.dump_traceback(sys.stdout) ++ if faulthandler is not None: ++ faulthandler.dump_traceback(sys.stdout) + raise AssertionError('Unable to join %d threads' % len(started)) + + @contextlib.contextmanager diff --git a/pypy3.spec b/pypy3.spec index f878bb2..9e9d37a 100644 --- a/pypy3.spec +++ b/pypy3.spec @@ -1,6 +1,7 @@ Name: pypy3 -Version: 5.5.0 -Release: 6%{?dist} +Version: 5.9.0 +%global pyversion 3.5 +Release: 1%{?dist} Summary: Python 3 implementation with a Just-In-Time compiler # LGPL and another free license we'd need to ask spot about are present in some @@ -131,7 +132,7 @@ ExcludeArch: aarch64 %(echo '%{__os_install_post}' | sed -e 's!/usr/lib[^[:space:]]*/brp-python-bytecompile[[:space:]].*$!!g') # Source and patches: -Source0: https://bitbucket.org/pypy/pypy/downloads/pypy3.3-v%{version}-alpha-src.tar.bz2 +Source0: https://bitbucket.org/pypy/pypy/downloads/pypy3-v%{version}-src.tar.bz2 # Supply various useful RPM macros for building python modules against pypy: # __pypy, pypy_sitelib, pypy_sitearch 
@@ -141,36 +142,21 @@ Source2: macros.pypy3 # set to indicate progress. # This obscures useful messages, and may waste CPU cycles, so suppress it, and # merely render dots: -Patch0: 001-nevertty.patch +Patch1: 001-nevertty.patch # Patch pypy.translator.platform so that stdout from "make" etc gets logged, # rather than just stderr, so that the command-line invocations of the compiler # and linker are captured: -Patch1: 006-always-log-stdout.patch +Patch6: 006-always-log-stdout.patch # Disable the printing of a quote from IRC on startup (these are stored in # ROT13 form in lib_pypy/_pypy_irc_topic.py). Some are cute, but some could # cause confusion for end-users (and many are in-jokes within the PyPy # community that won't make sense outside of it). [Sorry to be a killjoy] -Patch2: 007-remove-startup-message.patch - - -# CVE-2016-0772 python: smtplib StartTLS stripping attack -# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 -# rhbz#1351680: https://bugzilla.redhat.com/show_bug.cgi?id=1351680 -# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394 -# Raise an error when STARTTLS fails -Patch4: 009-raise-an-error-when-STARTTLS-fails.patch - -# CVE-2016-5699 python: http protocol steam injection attack -# rhbz#1303699: https://bugzilla.redhat.com/show_bug.cgi?id=1303699 -# rhbz#1351687: https://bugzilla.redhat.com/show_bug.cgi?id=1351687 -# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9 -# Disabled HTTP header injections in http.client -Patch5: 010-disabled-HTTP-header-injections-in-http.client.patch +Patch7: 007-remove-startup-message.patch # It seems ppc64 has no faulthandler -Patch6: 011-no-faulthandler.patch +Patch11: 011-no-faulthandler.patch # Build-time requirements: 
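Review bot: Dropping the `Patch4` (CVE-2016-0772) and `Patch5` (CVE-2016-5699) entries in this hunk leaves nothing in the spec that records the 5.9.0 tarball as already carrying those fixes; the changelog entry only says "Remove merged patches". I would keep a short comment where the entries were, for example `# CVE-2016-0772 / CVE-2016-5699: fixed in the upstream 5.9.0 sources, 009 and 010 dropped`, after checking the unpacked `lib-python/3/smtplib.py` and `lib-python/3/http/client.py` for the `SMTPResponseException` raise on a failed STARTTLS and the header name/value validation in `putheader`. The renumbering to `Patch1`, `Patch6`, `Patch7` and `Patch11` also depends on the `%prep` section, which none of the visible hunks touch; if it applies patches by number with `%patchN`, those lines need the new numbers or a patch will be skipped.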
@@ -186,12 +172,14 @@ Patch6: 011-no-faulthandler.patch %if 0%{use_self_when_building} # pypy3 can only be build with pypy2 BuildRequires: pypy +# no pypy-pycparser available ATM %global bootstrap_python_interp pypy %else # pypy3 can only be build with python2 BuildRequires: python2-devel +BuildRequires: python-pycparser %global bootstrap_python_interp python %endif @@ -523,8 +511,9 @@ find \ mkdir -p %{buildroot}/%{pypyprefix}/site-packages -ln -s %{pypyprefix}/bin/pypy3.3 %{buildroot}/%{_bindir}/pypy3.3 -ln -s pypy3.3 %{buildroot}/%{_bindir}/pypy3 +ln -s ./pypy3 %{buildroot}%{pypyprefix}/bin/pypy%{pyversion} +ln -s %{pypyprefix}/bin/pypy%{pyversion} %{buildroot}%{_bindir}/pypy%{pyversion} +ln -s pypy%{pyversion} %{buildroot}%{_bindir}/pypy3 # pypy uses .pyc files by default (--objspace-usepycfiles), but has a slightly # different bytecode format to CPython. It doesn't use .pyo files: the -O flag @@ -790,10 +779,10 @@ CheckPyPy() { #pypy/goal/pypy pypy/test_all.py --resultlog=pypyjit_new.log %if %{run_selftests} -CheckPyPy pypy-c +CheckPyPy %{name}-c %if 0%{with_stackless} -CheckPyPy pypy3-stackless +CheckPyPy %{name}-stackless %endif %endif # run_selftests @@ -821,7 +810,7 @@ CheckPyPy pypy3-stackless %license LICENSE %doc README.rst %{_bindir}/pypy3 -%{_bindir}/pypy3.3 +%{_bindir}/pypy%{pyversion} %{pypyprefix}/bin/ %exclude %{_libdir}/%{name}-%{version}.tar.bz2 @@ -840,6 +829,13 @@ CheckPyPy pypy3-stackless %changelog +* Fri Oct 20 2017 Miro HronĨok - 5.9.0-1 +- Update to 5.9 (#1504427) +- Remove merged patches +- Reindex the patches to match the filenames +- Rebase the faulthandler Patch11 +- BR python-pycparser + * Thu Aug 03 2017 Fedora Release Engineering - 5.5.0-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index 5155d51..728ee37 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-536008fd7b17af8878915393fc1ecfc3 pypy3.3-v5.5.0-alpha-src.tar.bz2
+SHA512 (pypy3-v5.9.0-src.tar.bz2) = 3d5384d644fdd1bc8b95f5747dbd1771ae06eb2cfc7b57be359b8bf40177676afd097620d0cb9d9000c40d8cce075cfa6bfd92de987d3dd927c04d7d595dc5bd