"git am" doesn't like those emoticons in the .patch file.

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

Either drop them or upload it to some git repo so I can cherry-pick it from
there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <[email protected]> wrote:

> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <[email protected]>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
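Review bot: the `+           file://CVE-2019-9674.patch \` line lands in python.inc, which is shared by the python and python-native recipes, so the patch will be applied to both as the commit message intends; note however that the `@@ -8,6 +8,7 @@ INC_PR = "r1"` context and the `Python-${PV}.tar.xz` SRC_URI identify this as the Python 2 recipe, while the backport header in the new patch file cites an Ubuntu python3.5 source tarball, so it is worth confirming that the Doc/library/zipfile.rst hunk at line 574 applies cleanly to the Python 2 tree (a `bitbake -c patch python` run would show this) rather than only to the 3.5 docs it was taken from.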
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <[email protected]>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
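Review bot: the `* 📜🤖 Added by blurb_it.` line in the embedded commit message, combined with `Content-Transfer-Encoding: 8bit`, is what breaks `git am` for the series ("cannot convert from 8bit to UTF-8"); drop that blurb line or keep the message ASCII so the patch can be applied directly. Two smaller points: `Upstream-Status: Backport[` with the URL split across lines should be written on one line as `Upstream-Status: Backport [<url>]`, which is what the OE patch-status checks expect, and since the `From 3ba51d587f6897a45301ce9126300c14fcd4eba2` line already gives the upstream CPython commit, pointing `Link:` at that commit rather than at the Ubuntu debian.tar.xz would make the provenance easier to verify.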
> --
> 2.17.1
>
View/Reply Online (#89587): https://lists.openembedded.org/g/openembedded-devel/message/89587