commit: 215857178d642e1d21d3d6deab0fad7c8797fc55 Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Sun Feb 26 19:58:41 2023 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Sun Feb 26 20:11:14 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21585717
dev-lang/python: Backport CVE-2023-24329 fix to 3.10.10_p2 Bug: https://bugs.gentoo.org/897958 Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.10.10_p2.ebuild | 486 +++++++++++++++++++++++++++++++ 2 files changed, 487 insertions(+) diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest index d61d1c902a0b..134c93377990 100644 --- a/dev-lang/python/Manifest +++ b/dev-lang/python/Manifest @@ -18,6 +18,7 @@ DIST Python-3.9.16.tar.xz 19738796 BLAKE2B 70dedeb70d9d8f27e4f6db5106623e087c61d DIST Python-3.9.16.tar.xz.asc 833 BLAKE2B 416b4a4be06e101c5971c12a6f21229c425bcabaea58487e0d1b24d6dea318c58806ee43892fc704df8252670451bd6a4a2610c25672d3983ddb081fed34b92d SHA512 468959c36a3ec6136f57a39475fff4745a25be0cb5d3d58cf3e5faf0b9ce2d2a8b89f1f9fea1479c4c6ad12ac49e97c1cfd4291c978bb3d30df5a582ec315210 DIST python-gentoo-patches-2.7.18_p16.tar.xz 35448 BLAKE2B 0139c0944f62f9cdd236f6a8557e0ed19704c7d72869af1cb7d8bd3e646a746cd4a0201e1b44232a5e78ef49f254db20b0d0271bf744fbfd4fe0f1e99b8f3e6c SHA512 810be590d0e06fab4b2165e6852ca49662f09dcd7e20b47a29f613ad7653252c8dfac3f0eb228d77c8a914efa7c08788b2fbd552a4b47504f5fd0ec17450c48f DIST python-gentoo-patches-3.10.10_p1.tar.xz 12836 BLAKE2B 2a146138e4c34b35e7a3e79215ca03afb97c61b52fe68fe6b930aad2af748925c46b1faec9b38ec1b6be11c19b2e9ebecfa2acd86486a01babbe695fe305a284 SHA512 4821b0ba9731d5868dce31d6f51b6fa429331f49b1d07f1425d9561fb57b47719ef91ede9af33beb2d96d9824b755ba9d3fec867bbcc3462507c315153db57d2 +DIST python-gentoo-patches-3.10.10_p2.tar.xz 13992 BLAKE2B e18e708888dd28c8f238d4897aff79483a679396a168d8b5ff4f5e8c7f09cec5f1b13aeb327d3dc3e2149c2117c25da050987f1f1c3322b56c87245ba2d0b54d SHA512 14bc218a2f3c64ef9f42682fd1364208bcaa74f787dee39bd9566e40764c260a65fd42961be47a6e6c6227091cb2fef83e1d689302448647560689e20e07efe0 DIST python-gentoo-patches-3.10.9.tar.xz 12216 BLAKE2B ced4f951089c51ddaab6c62ade9d2c84f69e7e1baf2acf5247559534c7d0fb0e88dca1222f5bd2209b4e61f5aca17279b8054f269535dbc10de0786c2c5779f5 SHA512 2d01f0f3831beeba004517bb82f7d616f25f08e5c755409ecff79cd68e0a619b5bf6802fffd0e5f7f39f1d9d93e65b018b91cdeb337a5e47f1651f36bea0e96e DIST python-gentoo-patches-3.11.1.tar.xz 7076 BLAKE2B 3ec45f7529d34eabc9d9ba7fa7f8dd51d8754d9758a605b61857a9fd80386a0357837c925263ad7b0e207ff916944b94cc0e03c0f59921f839d5e51d92f0e47e SHA512 4253dbfa057a91db584b92550e2d39d87986f33041233bc400dd0254cbd95415b33fc47b0fe997bb84192c755bc16d3d31941bba4c216ee4d65facf0b48c7862 DIST python-gentoo-patches-3.11.2_p1.tar.xz 7788 BLAKE2B 9652c46cd323958a43e26fd6b0afdd8f214953db59d9acf133366f7576502578c10e0a80ca13a9d768442d79c71dd6d095d73ef2bbbd1f79ef269a9ee20fc4b8 SHA512 7c5794e582d8ea5f99acb9ccf87c7e1f45a6557d0eb95de2b8c0cd7831f22e53eef0f03f32ca37568d1742024be127f0219463351f5b604f258c8a9985f89ea9 diff --git a/dev-lang/python/python-3.10.10_p2.ebuild b/dev-lang/python/python-3.10.10_p2.ebuild new file mode 100644 index 000000000000..76282abcecd0 --- /dev/null +++ b/dev-lang/python/python-3.10.10_p2.ebuild @@ -0,0 +1,486 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" +WANT_LIBTOOL="none" + +inherit autotools check-reqs flag-o-matic multiprocessing pax-utils +inherit prefix python-utils-r1 toolchain-funcs verify-sig + +MY_PV=${PV/_rc/rc} +MY_P="Python-${MY_PV%_p*}" +PYVER=$(ver_cut 1-2) +PATCHSET="python-gentoo-patches-${MY_PV}" + +DESCRIPTION="An interpreted, interactive, object-oriented programming language" +HOMEPAGE=" + https://www.python.org/ + https://github.com/python/cpython/ +" +SRC_URI=" + https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz + https://dev.gentoo.org/~mgorny/dist/python/${PATCHSET}.tar.xz + verify-sig? ( + https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz.asc + ) +" +S="${WORKDIR}/${MY_P}" + +LICENSE="PSF-2" +SLOT="${PYVER}" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE=" + bluetooth build +ensurepip examples gdbm hardened libedit lto + +ncurses pgo +readline +sqlite +ssl test tk valgrind +xml +" +RESTRICT="!test? ( test )" + +# Do not add a dependency on dev-lang/python to this ebuild. +# If you need to apply a patch which requires python for bootstrapping, please +# run the bootstrap code on your dev box and include the results in the +# patchset. See bug 447752. + +RDEPEND=" + app-arch/bzip2:= + app-arch/xz-utils:= + dev-lang/python-exec[python_targets_python3_10(-)] + dev-libs/libffi:= + dev-python/gentoo-common + sys-apps/util-linux:= + >=sys-libs/zlib-1.1.3:= + virtual/libcrypt:= + virtual/libintl + ensurepip? ( dev-python/ensurepip-wheels ) + gdbm? ( sys-libs/gdbm:=[berkdb] ) + ncurses? ( >=sys-libs/ncurses-5.2:= ) + readline? ( + !libedit? ( >=sys-libs/readline-4.1:= ) + libedit? ( dev-libs/libedit:= ) + ) + sqlite? ( >=dev-db/sqlite-3.3.8:3= ) + ssl? ( >=dev-libs/openssl-1.1.1:= ) + tk? ( + >=dev-lang/tcl-8.0:= + >=dev-lang/tk-8.0:= + dev-tcltk/blt:= + dev-tcltk/tix + ) + xml? ( >=dev-libs/expat-2.1:= ) + !!<sys-apps/sandbox-2.21 +" +# bluetooth requires headers from bluez +DEPEND=" + ${RDEPEND} + bluetooth? ( net-wireless/bluez ) + valgrind? ( dev-util/valgrind ) + test? ( app-arch/xz-utils[extra-filters(+)] ) +" +# autoconf-archive needed to eautoreconf +BDEPEND=" + sys-devel/autoconf-archive + app-alternatives/awk + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-python ) +" +RDEPEND+=" + !build? ( app-misc/mime-types ) +" + +VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc + +# large file tests involve a 2.5G file being copied (duplicated) +CHECKREQS_DISK_BUILD=5500M + +QA_PKGCONFIG_VERSION=${PYVER} + +pkg_pretend() { + use test && check-reqs_pkg_pretend +} + +pkg_setup() { + use test && check-reqs_pkg_setup +} + +src_unpack() { + if use verify-sig; then + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc} + fi + default +} + +src_prepare() { + # Ensure that internal copies of expat and libffi are not used. + rm -r Modules/expat || die + rm -r Modules/_ctypes/libffi* || die + + local PATCHES=( + "${WORKDIR}/${PATCHSET}" + ) + + default + + # https://bugs.gentoo.org/850151 + sed -i -e "s:@@GENTOO_LIBDIR@@:$(get_libdir):g" setup.py || die + + # force the correct number of jobs + # https://bugs.gentoo.org/737660 + local jobs=$(makeopts_jobs) + sed -i -e "s:-j0:-j${jobs}:" Makefile.pre.in || die + sed -i -e "/self\.parallel/s:True:${jobs}:" setup.py || die + + eautoreconf +} + +src_configure() { + # disable automagic bluetooth headers detection + if ! use bluetooth; then + local -x ac_cv_header_bluetooth_bluetooth_h=no + fi + local disable + use gdbm || disable+=" gdbm" + use ncurses || disable+=" _curses _curses_panel" + use readline || disable+=" readline" + use sqlite || disable+=" _sqlite3" + use ssl || export PYTHON_DISABLE_SSL="1" + use tk || disable+=" _tkinter" + use xml || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat. + export PYTHON_DISABLE_MODULES="${disable}" + + if ! use xml; then + ewarn "You have configured Python without XML support." + ewarn "This is NOT a recommended configuration as you" + ewarn "may face problems parsing any XML documents." + fi + + if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then + einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}" + fi + + append-flags -fwrapv + filter-flags -malign-double + + # https://bugs.gentoo.org/700012 + if is-flagq -flto || is-flagq '-flto=*'; then + append-cflags $(test-flags-CC -ffat-lto-objects) + fi + + # Export CXX so it ends up in /usr/lib/python3.X/config/Makefile. + # PKG_CONFIG needed for cross. + tc-export CXX PKG_CONFIG + + local dbmliborder= + if use gdbm; then + dbmliborder+="${dbmliborder:+:}gdbm" + fi + + if use pgo; then + local profile_task_flags=( + -m test + "-j$(makeopts_jobs)" + --pgo-extended + -x test_gdb + -u-network + + # All of these seem to occasionally hang for PGO inconsistently + # They'll even hang here but be fine in src_test sometimes. + # bug #828535 (and related: bug #788022) + -x test_asyncio + -x test_httpservers + -x test_logging + -x test_multiprocessing_fork + -x test_socket + -x test_xmlrpc + ) + + if has_version "app-arch/rpm" ; then + # Avoid sandbox failure (attempts to write to /var/lib/rpm) + profile_task_flags+=( + -x test_distutils + ) + fi + local -x PROFILE_TASK="${profile_task_flags[*]}" + fi + + local myeconfargs=( + # glibc-2.30 removes it; since we can't cleanly force-rebuild + # Python on glibc upgrade, remove it proactively to give + # a chance for users rebuilding python before glibc + ac_cv_header_stropts_h=no + + --enable-shared + --without-static-libpython + --enable-ipv6 + --infodir='${prefix}/share/info' + --mandir='${prefix}/share/man' + --with-computed-gotos + --with-dbmliborder="${dbmliborder}" + --with-libc= + --enable-loadable-sqlite-extensions + --without-ensurepip + --with-system-expat + --with-system-ffi + --with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip + + $(use_with lto) + $(use_enable pgo optimizations) + $(use_with readline readline "$(usex libedit editline readline)") + $(use_with valgrind) + ) + + # disable implicit optimization/debugging flags + local -x OPT= + + if tc-is-cross-compiler ; then + # Hack to workaround get_libdir not being able to handle CBUILD, bug #794181 + local cbuild_libdir=$(unset PKG_CONFIG_PATH ; $(tc-getBUILD_PKG_CONFIG) --keep-system-libs --libs-only-L libffi) + + # pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get + # propagated to sysconfig for built extensions + local -x CFLAGS_NODIST=${CFLAGS_FOR_BUILD} + local -x LDFLAGS_NODIST=${LDFLAGS_FOR_BUILD} + local -x CFLAGS= LDFLAGS= + + # We need to build our own Python on CBUILD first, and feed it in. + # bug #847910 and bug #864911. + local myeconfargs_cbuild=( + "${myeconfargs[@]}" + + --libdir="${cbuild_libdir:2}" + + # Avoid needing to load the right libpython.so. + --disable-shared + + # As minimal as possible for the mini CBUILD Python + # we build just for cross. + --without-lto + --disable-optimizations + ) + + # Point the imminent CHOST build to the Python we just + # built for CBUILD. + export PATH="${WORKDIR}/${P}-${CBUILD}:${PATH}" + + mkdir "${WORKDIR}"/${P}-${CBUILD} || die + pushd "${WORKDIR}"/${P}-${CBUILD} &> /dev/null || die + # We disable _ctypes and _crypt for CBUILD because Python's setup.py can't handle locating + # libdir correctly for cross. + PYTHON_DISABLE_MODULES="${PYTHON_DISABLE_MODULES} _ctypes _crypt" \ + ECONF_SOURCE="${S}" econf_build "${myeconfargs_cbuild[@]}" + + # Avoid as many dependencies as possible for the cross build. + cat >> Makefile <<-EOF || die + MODULE_NIS=disabled + MODULE__DBM=disabled + MODULE__GDBM=disabled + MODULE__DBM=disabled + MODULE__SQLITE3=disabled + MODULE__HASHLIB=disabled + MODULE__SSL=disabled + MODULE__CURSES=disabled + MODULE__CURSES_PANEL=disabled + MODULE_READLINE=disabled + MODULE__TKINTER=disabled + MODULE_PYEXPAT=disabled + MODULE_ZLIB=disabled + EOF + + # Unfortunately, we do have to build this immediately, and + # not in src_compile, because CHOST configure for Python + # will check the existence of the Python it was pointed to + # immediately. + PYTHON_DISABLE_MODULES="${PYTHON_DISABLE_MODULES} _ctypes _crypt" emake + popd &> /dev/null || die + fi + + # pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get + # propagated to sysconfig for built extensions + local -x CFLAGS_NODIST=${CFLAGS} + local -x LDFLAGS_NODIST=${LDFLAGS} + local -x CFLAGS= LDFLAGS= + + # Fix implicit declarations on cross and prefix builds. Bug #674070. + if use ncurses; then + append-cppflags -I"${ESYSROOT}"/usr/include/ncursesw + fi + + hprefixify setup.py + econf "${myeconfargs[@]}" + + if grep -q "#define POSIX_SEMAPHORES_NOT_ENABLED 1" pyconfig.h; then + eerror "configure has detected that the sem_open function is broken." + eerror "Please ensure that /dev/shm is mounted as a tmpfs with mode 1777." + die "Broken sem_open function (bug 496328)" + fi + + # install epython.py as part of stdlib + echo "EPYTHON='python${PYVER}'" > Lib/epython.py || die +} + +src_compile() { + # Ensure sed works as expected + # https://bugs.gentoo.org/594768 + local -x LC_ALL=C + # Prevent using distutils bundled by setuptools. + # https://bugs.gentoo.org/823728 + export SETUPTOOLS_USE_DISTUTILS=stdlib + + # Save PYTHONDONTWRITEBYTECODE so that 'has_version' doesn't + # end up writing bytecode & violating sandbox. + # bug #831897 + local -x _PYTHONDONTWRITEBYTECODE=${PYTHONDONTWRITEBYTECODE} + + if use pgo ; then + # bug 660358 + local -x COLUMNS=80 + local -x PYTHONDONTWRITEBYTECODE= + + addpredict "/usr/lib/python${PYVER}/site-packages" + fi + + # also need to clear the flags explicitly here or they end up + # in _sysconfigdata* + emake CPPFLAGS= CFLAGS= LDFLAGS= + + # Restore saved value from above. + local -x PYTHONDONTWRITEBYTECODE=${_PYTHONDONTWRITEBYTECODE} + + # Work around bug 329499. See also bug 413751 and 457194. + if has_version dev-libs/libffi[pax-kernel]; then + pax-mark E python + else + pax-mark m python + fi +} + +src_test() { + # Tests will not work when cross compiling. + if tc-is-cross-compiler; then + elog "Disabling tests due to crosscompiling." + return + fi + + local test_opts=( + -u-network + -j "$(makeopts_jobs)" + + # fails + -x test_gdb + ) + + if use sparc ; then + # bug #788022 + test_opts+=( + -x test_multiprocessing_fork + -x test_multiprocessing_forkserver + ) + fi + + # workaround docutils breaking tests + cat > Lib/docutils.py <<-EOF || die + raise ImportError("Thou shalt not import!") + EOF + + # bug 660358 + local -x COLUMNS=80 + local -x PYTHONDONTWRITEBYTECODE= + # workaround https://bugs.gentoo.org/775416 + addwrite "/usr/lib/python${PYVER}/site-packages" + + nonfatal emake test EXTRATESTOPTS="${test_opts[*]}" \ + CPPFLAGS= CFLAGS= LDFLAGS= < /dev/tty + local ret=${?} + + rm Lib/docutils.py || die + + [[ ${ret} -eq 0 ]] || die "emake test failed" +} + +src_install() { + local libdir=${ED}/usr/lib/python${PYVER} + + emake DESTDIR="${D}" altinstall + + # Fix collisions between different slots of Python. + rm "${ED}/usr/$(get_libdir)/libpython3.so" || die + + # Cheap hack to get version with ABIFLAGS + local abiver=$(cd "${ED}/usr/include"; echo python*) + if [[ ${abiver} != python${PYVER} ]]; then + # Replace python3.X with a symlink to python3.Xm + rm "${ED}/usr/bin/python${PYVER}" || die + dosym "${abiver}" "/usr/bin/python${PYVER}" + # Create python3.X-config symlink + dosym "${abiver}-config" "/usr/bin/python${PYVER}-config" + # Create python-3.5m.pc symlink + dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc" + fi + + # python seems to get rebuilt in src_install (bug 569908) + # Work around it for now. + if has_version dev-libs/libffi[pax-kernel]; then + pax-mark E "${ED}/usr/bin/${abiver}" + else + pax-mark m "${ED}/usr/bin/${abiver}" + fi + + rm -r "${libdir}"/ensurepip/_bundled || die + if ! use ensurepip; then + rm -r "${libdir}"/ensurepip || die + fi + if ! use sqlite; then + rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die + fi + if ! use tk; then + rm -r "${ED}/usr/bin/idle${PYVER}" || die + rm -r "${libdir}/"{idlelib,tkinter,test/test_tk*} || die + fi + + ln -s ../python/EXTERNALLY-MANAGED "${libdir}/EXTERNALLY-MANAGED" || die + + dodoc Misc/{ACKS,HISTORY,NEWS} + + if use examples; then + docinto examples + find Tools -name __pycache__ -exec rm -fr {} + || die + dodoc -r Tools + fi + insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510 + local libname=$( + printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' | + emake --no-print-directory -s -f - 2>/dev/null + ) + newins Tools/gdb/libpython.py "${libname}"-gdb.py + + newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER} + newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER} + sed \ + -e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \ + -e "s:@PYDOC@:pydoc${PYVER}:" \ + -i "${ED}/etc/conf.d/pydoc-${PYVER}" \ + "${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed" + + # python-exec wrapping support + local pymajor=${PYVER%.*} + local EPYTHON=python${PYVER} + local scriptdir=${D}$(python_get_scriptdir) + mkdir -p "${scriptdir}" || die + # python and pythonX + ln -s "../../../bin/${abiver}" "${scriptdir}/python${pymajor}" || die + ln -s "python${pymajor}" "${scriptdir}/python" || die + # python-config and pythonX-config + # note: we need to create a wrapper rather than symlinking it due + # to some random dirname(argv[0]) magic performed by python-config + cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die + #!/bin/sh + exec "${abiver}-config" "\${@}" + EOF + chmod +x "${scriptdir}/python${pymajor}-config" || die + ln -s "python${pymajor}-config" "${scriptdir}/python-config" || die + # 2to3, pydoc + ln -s "../../../bin/2to3-${PYVER}" "${scriptdir}/2to3" || die + ln -s "../../../bin/pydoc${PYVER}" "${scriptdir}/pydoc" || die + # idle + if use tk; then + ln -s "../../../bin/idle${PYVER}" "${scriptdir}/idle" || die + fi +}
