Hi Tim,

Have sent the patch to backport the CVE fix on python3-mako 1.1.6 version.

Best Regards,
Narpat
From: Tim Orling <[email protected]>
Sent: 03 November 2022 04:11
To: Mali, Narpat <[email protected]>
Cc: Alexander Kanavin <[email protected]>; G Pillai, Hari <[email protected]>; Luca Ceresoli <[email protected]>; Polampalli, Archana <[email protected]>; [email protected]
Subject: Re: [OE-core][kirkstone][PATCH 1/1] python3-mako: upgrade 1.1.6 -> 1.2.0

On Wed, Nov 2, 2022 at 8:21 AM Narpat Mali <[email protected]> wrote:
> Hi Tim,
>
> Actually, our product is based on the "kirkstone" branch, in which the current version of python3-mako is 1.1.6.
> CVE-2022-40023 has been fixed in python3-mako 1.2.2, and this is the patch available on GitHub:
> https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
>
> In the master branch python3-mako has already been upgraded to 1.2.2. We want the CVE-2022-40023 fix to be available on the kirkstone branch, so I have sent patch requests to upgrade python3-mako from 1.1.6 -> 1.2.0, 1.2.0 -> 1.2.1, and 1.2.1 -> 1.2.2.

It is the 1.1.6 to 1.2.0 upgrade that adds new "changes". So either you make a strong case that the changes do not break ABI or you backport a fix for the CVEs.

> Have also found that version 1.2.2 doesn't include any new feature, as below.
>
> 1.2.2
> Released: Mon Aug 29 2022
>
> bug
> * [bug] [lexer] Fixed issue in lexer where the regexp used to match tags would not correctly interpret quoted sections individually. While this parsing issue still produced the same expected tag structure later on, the mis-handling of quoted sections was also subject to a regexp crash if a tag had a large number of quotes within its quoted sections. Credit to Sebastian Chnelik for locating the issue. As Mako templates inherently render and directly invoke arbitrary Python code from the template source, it is never appropriate to create templates that contain untrusted input.
>   References: #366 (https://github.com/sqlalchemy/mako/issues/366)
>
> Shall I just backport this CVE-2022-40023 fix given in version 1.2.2 onto python3-mako 1.1.6, or what shall I do in this case?
>
> Best Regards,
> Narpat
>
> From: Tim Orling <[email protected]>
> Sent: Tuesday, November 1, 2022 8:47:47 PM
> To: Mali, Narpat <[email protected]>
> Cc: [email protected]; Polampalli, Archana <[email protected]>; G Pillai, Hari <[email protected]>; Alexander Kanavin <[email protected]>; Luca Ceresoli <[email protected]>
> Subject: Re: [OE-core][kirkstone][PATCH 1/1] python3-mako: upgrade 1.1.6 -> 1.2.0
>
> This would break stable policy as it includes new features:
> https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.0
>
> 1.2.0
> Released: Thu Mar 10 2022
>
> changed
> * [changed] [py3k] Corrected "universal wheel" directive in setup.cfg so that building a wheel does not target Python 2.
>   References: #351 (https://github.com/sqlalchemy/mako/issues/351)
> * [changed] [py3k] The bytestring_passthrough template argument is removed, as this flag only applied to Python 2.
> * [changed] [py3k] With the removal of Python 2's cStringIO, Mako now uses its own internal FastEncodingBuffer exclusively.
> * [changed] [py3k] Removed disable_unicode flag, that's no longer used in Python 3.
> * [changed] Refactored test utilities into mako.testing module. Removed unittest.TestCase dependency in favor of pytest.
>   References: #349 (https://github.com/sqlalchemy/mako/issues/349)
> * [changed] [setup] Replaced the use of pkg_resources with the importlib library. For Python < 3.8 the library importlib_metadata is used.
> * [changed] [py3k] Removed support for Python 2 and Python 3.6. Mako now requires Python >= 3.7.
>
> bug
> * [bug] [py3k] Mako now performs exception chaining using raise from, correctly identifying underlying exception conditions when it raises its own exceptions. Pull request courtesy Ram Rachum.
>
> On Thu, Oct 27, 2022 at 1:38 AM Narpat Mali <[email protected]> wrote:
>> License-Update: copyright years
>>
>> Signed-off-by: Alexander Kanavin <[email protected]>
>> Signed-off-by: Luca Ceresoli <[email protected]>
>>
>> Upstream master commit: https://git.openembedded.org/openembedded-core/commit/?id=f273900e846b8ac416c9d579db32a08c2f34141e
Signed-off-by: Narpat Mali <[email protected]<mailto:[email protected]>> --- .../python/{python3-mako_1.1.6.bb<https://urldefense.com/v3/__http:/python3-mako_1.1.6.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABqRMx25E$> => python3-mako_1.2.0.bb<https://urldefense.com/v3/__http:/python3-mako_1.2.0.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABtTOsCS_$>} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3-mako_1.1.6.bb<https://urldefense.com/v3/__http:/python3-mako_1.1.6.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABqRMx25E$> => python3-mako_1.2.0.bb<https://urldefense.com/v3/__http:/python3-mako_1.2.0.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABtTOsCS_$>} (59%) diff --git a/meta/recipes-devtools/python/python3-mako_1.1.6.bb<https://urldefense.com/v3/__http:/python3-mako_1.1.6.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABqRMx25E$> b/meta/recipes-devtools/python/python3-mako_1.2.0.bb<https://urldefense.com/v3/__http:/python3-mako_1.2.0.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABtTOsCS_$> similarity index 59% rename from meta/recipes-devtools/python/python3-mako_1.1.6.bb<https://urldefense.com/v3/__http:/python3-mako_1.1.6.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABqRMx25E$> rename to meta/recipes-devtools/python/python3-mako_1.2.0.bb<https://urldefense.com/v3/__http:/python3-mako_1.2.0.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABtTOsCS_$> index 71e5d96ba1..11e5f326bd 100644 
--- a/meta/recipes-devtools/python/python3-mako_1.1.6.bb<https://urldefense.com/v3/__http:/python3-mako_1.1.6.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABqRMx25E$> +++ b/meta/recipes-devtools/python/python3-mako_1.2.0.bb<https://urldefense.com/v3/__http:/python3-mako_1.2.0.bb__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABtTOsCS_$> @@ -2,16 +2,18 @@ SUMMARY = "Templating library for Python" HOMEPAGE = "http://www.makotemplates.org/<https://urldefense.com/v3/__http:/www.makotemplates.org/__;!!AjveYdw8EvQ!dSMZxnosWE-wgFxB5aSur9eKyaZ5bLKErqH3phODyQ_jGnDIa09o0b7fl0FewZr1UlMEFq79SSZABgBvHIC8$>" SECTION = "devel/python" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b32291f107a8f1ea94c4a41e00a6a18d" PYPI_PACKAGE = "Mako" inherit pypi python_setuptools_build_meta -SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2" +SRC_URI[sha256sum] = "9a7c7e922b87db3686210cf49d5d767033a41d4010b284e747682c92bddd8b39" RDEPENDS:${PN} = "${PYTHON_PN}-html \ + ${PYTHON_PN}-markupsafe \ ${PYTHON_PN}-netclient \ + ${PYTHON_PN}-pygments \ ${PYTHON_PN}-threading \ " -- 2.34.1
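Review bot: this hunk is a feature upgrade (1.1.6 -> 1.2.0), not a CVE fix, so on kirkstone it runs into the stable-branch policy Tim cites above: the 1.2.0 changelog quoted in the thread removes the bytestring_passthrough and disable_unicode template arguments and drops Python 3.6, none of which is needed for CVE-2022-40023, whose fix the thread places in 1.2.2. Carry that upstream lexer change as a patch against the existing python3-mako_1.1.6.bb instead. If a bump is still proposed, the two new runtime dependencies `+ ${PYTHON_PN}-markupsafe \` and `+ ${PYTHON_PN}-pygments \` are explained neither by the commit message nor by the 1.2.0 changelog, so the commit message should say why 1.2.0 needs them at runtime; the LIC_FILES_CHKSUM update is already covered by the "License-Update: copyright years" line.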
View/Reply Online (#173076): https://lists.openembedded.org/g/openembedded-core/message/173076
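The backport route Tim asks for, shown as an added illustration rather than the patch Narpat actually submitted: the kirkstone recipe stays at 1.1.6 and carries the upstream fix as a patch whose header names the CVE, so OE's cve-check records CVE-2022-40023 as patched for this recipe. The patch file name, the hunk line numbers, the upstream author/date placeholders and the patch description are assumptions; the mako/lexer.py hunk itself must be copied from the upstream commit linked in the thread.

```diff
diff --git a/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch b/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch
new file mode 100644
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch
@@ -0,0 +1,15 @@
+From 925760291d6efec64fda6e9dd1fd9cfbd5be068c Mon Sep 17 00:00:00 2001
+From: <upstream author, copied from the commit>
+Date: <upstream date, copied from the commit>
+Subject: [PATCH] lexer: interpret quoted sections of a tag individually
+
+Fixes a regexp crash in the tag-matching lexer when a tag contains a
+large number of quotes within its quoted sections (CVE-2022-40023).
+
+Upstream-Status: Backport [https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c]
+CVE: CVE-2022-40023
+Signed-off-by: Narpat Mali <[email protected]>
+---
+ mako/lexer.py | <diffstat copied from the upstream commit>
+
+<the mako/lexer.py hunk, copied verbatim from the upstream commit, goes here>
diff --git a/meta/recipes-devtools/python/python3-mako_1.1.6.bb b/meta/recipes-devtools/python/python3-mako_1.1.6.bb
--- a/meta/recipes-devtools/python/python3-mako_1.1.6.bb
+++ b/meta/recipes-devtools/python/python3-mako_1.1.6.bb
@@ -9,6 +9,8 @@ PYPI_PACKAGE = "Mako"
 
 inherit pypi python_setuptools_build_meta
 
+SRC_URI += "file://CVE-2022-40023.patch"
+
 SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2"
 
 RDEPENDS:${PN} = "${PYTHON_PN}-html \
```

The version, license checksum, sha256sum and RDEPENDS of the 1.1.6 recipe are left untouched, which is what keeps the change within stable policy.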
