This backports fixes for security issues, including:
* CVE-2020-14422: Hash collisions in IPv4Interface and IPv6Interface
* CVE-2019-20907: Infinite loop in the tarfile module
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This package fails to build with newer setuptools, because setuptools
removed the (deprecated) Features feature in v46.0.0[1].
This adapts a commit[2] to remove the use of this feature. (Changes to
code formatting prevent the original commit/patch to be used.)
[1]: aff64ae89e/CHANGES.rst (v4600)
[2]: 3aac426e35
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This lets the Python build process set _PYTHON_HOST_PLATFORM instead of
forcing an explicit value.
Also:
* Save the target _PYTHON_HOST_PLATFORM value during Build/InstallDev
for use when building target Python packages (in python3-package.mk).
* Use the (mostly) default PYTHON_FOR_BUILD value, instead patch
configure to remove the platform triplet from the sysconfigdata file
name.
* Remove the "CROSS_COMPILE=yes" make variable (there is no indication
that this variable is necessary).
* Force host pip to build packages from source instead of downloading
binary wheels.
Previously, host pip can download universal (platform-independent)
wheels but not platform-specific wheels, because of the custom
_PYTHON_HOST_PLATFORM value. (Packages that do not have universal
wheels would be compiled from source.)
With a correct _PYTHON_HOST_PLATFORM, host pip can install
platform-specific wheels as well. However, the pre-built shared object
(.so) files in these wheels will have the host's platform triplet in
their file names. When target Python packages are built (using the
target's _PYTHON_HOST_PLATFORM), Python will not use these shared
object files.
By forcing host pip to build packages from source, the built shared
object files will not have the platform triplet in their file names.
(Host Python has been patched to remove the platform triplet from file
names.) This allows these packages to be used when building target
Python packages.
(The net effect of this complete change is that platform-dependent
packages will continue to be compiled from source, while
platform-independent packages will now also be compiled from source.)
Fixes https://github.com/openwrt/packages/issues/12680.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
When a Python package is installed from source (i.e. using setup.py)
into a custom location (with --home), setuptools may want to create a
site.py file in the custom location. This file is created based on the
source code of site-patch.py, a file bundled with setuptools.
Because the normal OpenWrt setuptools package does not contain Python
source code, this file is missing and the installation will end with an
error.
This copies site-patch.py to site-patch.py.txt so that it will be
included in python3-setuptools, and patches setuptools to look for this
file.
See https://github.com/openwrt/packages/issues/12223
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
When a Python package is installed from source (i.e. using setup.py)
into a custom location (with --home), setuptools may want to create a
site.py file in the custom location. This file is created based on the
source code of site-patch.py, a file bundled with setuptools.
Because the normal OpenWrt setuptools package does not contain Python
source code, this file is missing and the installation will end with an
error.
This copies site-patch.py to site-patch.py.txt so that it will be
included in python3-setuptools, and patches setuptools to look for this
file.
See https://github.com/openwrt/packages/issues/12223
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 70a7f736c5)
Python will record the values of CC, CXX, AR, and RANLIB (and other
configure options) used during compilation. pip will use these programs
when asked to compile extension modules on the target device.
* If ccache is used during build, CC and CXX will be ccache_cc and
ccache_cxx, respectively, which are not available on-device (#11912).
* If an external toolchain is used during build, the values of these
variables will contain the external toolchain prefix, which may not be
available on target.
* If the normal toolchain is used during build, AR and RANLIB will
contain the toolchain prefix, but the names of ar and ranlib on-device
do not contain the prefix; they are named "ar" and "ranlib".
This changes the values of these variables in Python's files to match
the names available on-device, and without any toolchain prefix.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Python will record the values of CC, CXX, AR, and READELF (and other
configure options) used during compilation. pip will use these programs
when asked to compile extension modules on the target device.
* If ccache is used during build, CC and CXX will be ccache_cc and
ccache_cxx, respectively, which are not available on-device (#11912).
* If an external toolchain is used during build, the values of these
variables will contain the external toolchain prefix, which may not be
available on target.
* If the normal toolchain is used during build, AR and READELF will
contain the toolchain prefix, but the names of ar and readelf
on-device do not contain the prefix; they are named "ar" and
"readelf".
This changes the values of these variables in Python's files to match
the names available on-device, and without any toolchain prefix.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 9f81ab895e)
Package python-idna was updated 2 weeks ago in OpenWrt 19.07.
It causes an issue:
pkg_resources.ContextualVersionConflict: (idna 2.9 (/usr/lib/python3.7/site-packages), Requirement.parse('idna<2.9,>=2.5'), {'requests'})
This is fixed in 2.23.0.
Signed-off-by: Javier Marcet <javier@marcet.info>
(cherry picked from commit d62e8b9f3c)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add commit message]
This backports a patch[1] to fix several request smuggling attacks.
This includes fixes for:
* CVE-2020-10108
* CVE-2020-10109
[1]: 4a7d22e490
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Optionally fixes compilation with uClibc-ng.
Based on the surrounding code, this looks like an oversight.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from 608df65a62)
Adjusted PKG_RELEASE
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This package is required by other packages to run some binaries via
`load_entry_point`.
So, this splits this package away from setuptools.
setuptools is pretty big, akd pkg-resources is also big, but not as big.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit ed0e77f3c3)
Reference to discussion at
c61579b564 (commitcomment-36665837)
Adjusted python PKG_RELEASE items to current situation
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Relevant bits of upstream changelog
New Features
argon2: Support more hashes
scrypt: Now uses python 3.6 stdlib’s hashlib.scrypt() as backend, if present (issue 86).
Bugfixes
Python 3.8 compatibility fixes
passlib.apache.HtpasswdFile: improve compatibility with Apache 2.4's htpasswd
passlib.totp: fix some compatibility issues with older TOTP clients (issue 92)
Fixed error in argon2.parsehash() (issue 97)
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
