[gentoo-commits] repo/gentoo:master commit in: dev-python/py/files/, dev-python/py/
commit: cda06314562b96bc09f2b423e449d6dc134a Author: Michał Górny gentoo org> AuthorDate: Sat Dec 12 08:41:56 2020 + Commit: Michał Górny gentoo org> CommitDate: Sat Dec 12 09:09:38 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cda06314 dev-python/py: Backport CVE-2020-29651 fix Closes: https://bugs.gentoo.org/759547 Signed-off-by: Michał Górny gentoo.org> dev-python/py/files/py-1.9.0-cve-2020-29651.patch | 31 ++ .../py/{py-1.9.0-r1.ebuild => py-1.9.0-r2.ebuild} | 4 +++ 2 files changed, 35 insertions(+)
diff --git a/dev-python/py/files/py-1.9.0-cve-2020-29651.patch b/dev-python/py/files/py-1.9.0-cve-2020-29651.patch
new file mode 100644
index 000..af89fb14808
--- /dev/null
+++ b/dev-python/py/files/py-1.9.0-cve-2020-29651.patch
@@ -0,0 +1,31 @@
+From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001
+From: Ran Benita
+Date: Fri, 4 Sep 2020 13:57:26 +0300
+Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame
+ functionality
+
+The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
+to catastrophic backtracing given a string like `"1" * 5000`.
+
+SVN blame output seems to always have at least one space between the
+revision number and the user name, so the ambiguity can be fixed by
+changing the `*` to `+`.
+
+Fixes #256.
+---
+ py/_path/svnwc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py
+index 3138dd85..b5b9d8d5 100644
+--- a/py/_path/svnwc.py b/py/_path/svnwc.py
+@@ -396,7 +396,7 @@ def makecmdoptions(self):
+ def __str__(self):
+ return "" %(self.username,)
+
+-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
++rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
+
+ class SvnWCCommandPath(common.PathBase):
+ """ path implementation offering access/modification to svn working copies.
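Review bot: The new `rex_blame` assignment carries no comment saying why the separator after the revision must be `\s+`, so a later edit could relax it back to `\s*` and reintroduce the ambiguous `\d+\s*\S+` split that the patch description names as the cause of the backtracking. I would add above the assignment `# \s+ (not \s*) after the revision keeps \d+ and \S+ from overlapping (CVE-2020-29651)`. The backported patch touches only py/_path/svnwc.py and adds no regression test, so a time-bounded test on the `"1" * 5000` input from the description would be worth carrying alongside it. A blame line with no whitespace between revision and author no longer matches; how the caller treats a failed match is outside the hunk and should be confirmed.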
diff --git a/dev-python/py/py-1.9.0-r1.ebuild b/dev-python/py/py-1.9.0-r2.ebuild similarity index 88% rename from dev-python/py/py-1.9.0-r1.ebuild rename to dev-python/py/py-1.9.0-r2.ebuild index 78e1479659e..c7102745bc3 100644 --- a/dev-python/py/py-1.9.0-r1.ebuild +++ b/dev-python/py/py-1.9.0-r2.ebuild @@ -14,6 +14,8 @@ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" LICENSE="MIT" SLOT="0" KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# This package is unmaintained and keeps being broken periodically. +RESTRICT=test BDEPEND=" dev-python/setuptools_scm[${PYTHON_USEDEP}]" @@ -21,6 +23,8 @@ BDEPEND=" PATCHES=( "${FILESDIR}"/${PN}-1.5.2-skip-apiwarn-pytest31.patch "${FILESDIR}"/${PN}-1.8.0-pytest-4.patch + # https://bugs.gentoo.org/759547 + "${FILESDIR}"/${P}-cve-2020-29651.patch ) distutils_enable_sphinx doc
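Review bot: The `RESTRICT=test` added in the first hunk is unrelated to the CVE backport and is not mentioned in the commit message, which makes the security fix harder to audit or cherry-pick on its own. With tests restricted, the build never exercises the patched `rex_blame` pattern, so a misapplied or dropped patch would presumably go unnoticed at build time. I would put the restriction in its own commit, or at least name it in the message and make the comment traceable, e.g. `# Tests restricted: upstream unmaintained (bug: PLACEHOLDER)`.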
[gentoo-commits] repo/gentoo:master commit in: dev-python/py/files/, dev-python/py/
commit: 7e8c85ded5c63f4fc99a844e64dd8abe0acbe9f4 Author: Michał Górny gentoo org> AuthorDate: Thu Jul 30 13:37:32 2020 + Commit: Michał Górny gentoo org> CommitDate: Thu Jul 30 14:30:55 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e8c85de dev-python/py: Bump to 1.9.0 Signed-off-by: Michał Górny gentoo.org> dev-python/py/Manifest | 1 + dev-python/py/files/py-1.8.0-pytest-4.patch | 25 - dev-python/py/py-1.9.0.ebuild | 42 + 3 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/dev-python/py/Manifest b/dev-python/py/Manifest
index cad811a5f15..8fb96c6c11f 100644
--- a/dev-python/py/Manifest
+++ b/dev-python/py/Manifest
@@ -1 +1,2 @@
 DIST py-1.8.0.tar.gz 205096 BLAKE2B e08554fc3e0bae2e2d4515f075991707af29aa5c39e1387e8f8a7dab25e78c7340d389c79936ddea27b1fb0438ebdee8b5e218bbb48c62089d7fb656b1b6dbe8 SHA512 37b9a66229b834a034d9ba6769a46addf098380b494c1eb863607a52d00b7ec5b9157dd7ac6ffc52535a05006648c775c78716d7f85cf44966065b225be6e95b
+DIST py-1.9.0.tar.gz 210098 BLAKE2B d7f9b22ebaedd12534198912c1fa0be80f42e97751701442e060e1c244b06ab82239fe78a3cc7119fa4df5d87ecfd97bfb2568744693d3ffe9824ae1d73e59f9 SHA512 965b2adfe1b13177629ccfcdf6d0a13460683ca7a01d585163deb1af15d926fc86680d9e51660f6cbb8569f822a4d54ce281c029e363d244ddf67e33b102ad0a
diff --git a/dev-python/py/files/py-1.8.0-pytest-4.patch b/dev-python/py/files/py-1.8.0-pytest-4.patch
index d9d5cfa5b65..7d4de73ba77 100644
--- a/dev-python/py/files/py-1.8.0-pytest-4.patch
+++ b/dev-python/py/files/py-1.8.0-pytest-4.patch
@@ -38,31 +38,6 @@
Signed-off-by: Stanislav Levin testing/root/test_std.py | 3 ++- 17 files changed, 100 insertions(+), 82 deletions(-) -diff --git a/doc/faq.txt b/doc/faq.txt -index 52cb4b3f..cac83b2c 100644 a/doc/faq.txt -+++ b/doc/faq.txt -@@ -98,20 +98,6 @@ in a managed class/module/function scope. - .. _`xUnit style setup`: test/xunit_setup.html - .. _`pytest_nose`: test/plugin/nose.html - --.. _`why pytest_pyfuncarg__ methods?`: -- --Why the ``pytest_funcarg__*`` name for funcarg factories? - -- --When experimenting with funcargs an explicit registration mechanism --was considered. But lacking a good use case for this indirection and --flexibility we decided to go for `Convention over Configuration`_ and --allow to directly specify the factory. Besides removing the need --for an indirection it allows to "grep" for ``pytest_funcarg__MYARG`` --and will safely find all factory functions for the ``MYARG`` function --argument. It helps to alleviate the de-coupling of function --argument usage and creation. -- - .. _`Convention over Configuration`: http://en.wikipedia.org/wiki/Convention_over_Configuration - - Can I yield multiple values from a factory function? diff --git a/testing/code/test_assertion.py b/testing/code/test_assertion.py index e2a7f903..4cb39fe2 100644 --- a/testing/code/test_assertion.py diff --git a/dev-python/py/py-1.9.0.ebuild b/dev-python/py/py-1.9.0.ebuild new file mode 100644 index 000..958ce68bf62 --- /dev/null +++ b/dev-python/py/py-1.9.0.ebuild 
@@ -0,0 +1,42 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python2_7 python3_{6..9} pypy3 )
+
+inherit distutils-r1
+
+DESCRIPTION="library with cross-python path, ini-parsing, io, code, log facilities"
+HOMEPAGE="https://pylib.readthedocs.io/en/latest/ https://pypi.org/project/py/;
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+
+BDEPEND="
+ dev-python/setuptools_scm[${PYTHON_USEDEP}]"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.5.2-skip-apiwarn-pytest31.patch
+ "${FILESDIR}"/${PN}-1.8.0-pytest-4.patch
+)
+
+distutils_enable_sphinx doc
+distutils_enable_tests pytest
+
+src_prepare() {
+ # broken on py3.8, don't seem important
+ sed -i -e 's:test_syntaxerror_rerepresentation:_&:' \
+ -e 's:test_comments:_&:' \
+ testing/code/test_source.py || die
+ # broken on py3.9, this package is just dead
+ sed -i -e 's:test_getfslineno:_&:' \
+ testing/code/test_source.py || die
+
+ distutils-r1_src_prepare
+
+ # broken, and relying on exact assertion strings
+ rm testing/code/test_assertion.py || die
+}
[gentoo-commits] repo/gentoo:master commit in: dev-python/py/files/, dev-python/py/
commit: cdf4918d154aa61d1323245c173cc7c08a5d1327 Author: Thomas Deutschmann gentoo org> AuthorDate: Wed Apr 18 13:17:51 2018 + Commit: Thomas Deutschmann gentoo org> CommitDate: Wed Apr 18 13:22:02 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdf4918d dev-python/py: Fix tests Closes: https://bugs.gentoo.org/642440 Package-Manager: Portage-2.3.30, Repoman-2.3.9 .../py/files/py-1.4.34-skip-broken-pytest3.patch | 116 + dev-python/py/py-1.4.34.ebuild | 2 + 2 files changed, 118 insertions(+) diff --git a/dev-python/py/files/py-1.4.34-skip-broken-pytest3.patch b/dev-python/py/files/py-1.4.34-skip-broken-pytest3.patch new file mode 100644 index 000..67b1f4eb95a --- /dev/null +++ b/dev-python/py/files/py-1.4.34-skip-broken-pytest3.patch 
@@ -0,0 +1,116 @@ +Backport of https://github.com/pytest-dev/py/commit/3305183b964bded36f9cd43976d22524f6ae15b2 + +--- a/testing/code/test_assertion.py b/testing/code/test_assertion.py +@@ -141,7 +141,10 @@ def test_assert_implicit_multiline(): + e = exvalue() + assert str(e).find('assert [1, 2, 3] !=') != -1 + +- ++@py.test.mark.xfail(py.test.__version__[0] != "2", ++reason="broken on modern pytest", ++run=False ++) + def test_assert_with_brokenrepr_arg(): + class BrokenRepr: + def __repr__(self): 0 / 0 +@@ -278,7 +281,10 @@ def test_assert_raise_alias(testdir): + ]) + + +-@pytest.mark.skipif("sys.version_info < (2,5)") ++@py.test.mark.xfail(py.test.__version__[0] != "2", ++reason="broken on modern pytest", ++run=False) ++@py.test.mark.skipif("sys.version_info < (2,5)") + def test_assert_raise_subclass(): + class SomeEx(AssertionError): + def __init__(self, *args): +--- a/testing/code/test_excinfo.py b/testing/code/test_excinfo.py +@@ -16,6 +16,13 @@ else: + + import pytest + pytest_version_info = tuple(map(int, pytest.__version__.split(".")[:3])) ++ ++broken_on_modern_pytest = pytest.mark.xfail( ++pytest_version_info[0] != 2, ++reason="this test hasn't been fixed after moving py.code into pytest", ++run=False ++) ++ + + class TWMock: + def __init__(self): +@@ -355,6 +362,7 @@ class TestFormattedExcinfo: + assert lines[0] == "| def f(x):" + assert lines[1] == "pass" + ++@broken_on_modern_pytest + def test_repr_source_excinfo(self): + """ check if indentation is right """ + pr = FormattedExcinfo() +@@ -657,6 +665,7 @@ raise ValueError() + assert p._makepath(__file__) == __file__ + reprtb = p.repr_traceback(excinfo) + ++@broken_on_modern_pytest + def test_repr_excinfo_addouterr(self, importasmod): + mod = importasmod(""" + def entry(): +@@ -699,6 +708,7 @@ raise ValueError() + assert reprtb.extraline == "!!! 
Recursion detected (same locals & position)" + assert str(reprtb) + ++@broken_on_modern_pytest + def test_tb_entry_AssertionError(self, importasmod): + # probably this test is a bit redundant + # as py/magic/testing/test_assertion.py +@@ -742,6 +752,7 @@ raise ValueError() + x = py.builtin._totext(MyRepr()) + assert x == py.builtin._totext("я", "utf-8") + ++@broken_on_modern_pytest + def test_toterminal_long(self, importasmod): + mod = importasmod(""" + def g(x): +@@ -768,6 +779,7 @@ raise ValueError() + assert tw.lines[9] == "" + assert tw.lines[10].endswith("mod.py:3: ValueError") + ++@broken_on_modern_pytest + def test_toterminal_long_missing_source(self, importasmod, tmpdir): + mod = importasmod(""" + def g(x): +@@ -793,6 +805,7 @@ raise ValueError() + assert tw.lines[7] == "" + assert tw.lines[8].endswith("mod.py:3: ValueError") + ++@broken_on_modern_pytest + def test_toterminal_long_incomplete_source(self, importasmod, tmpdir): + mod = importasmod(""" + def g(x): +@@ -818,6 +831,7 @@ raise ValueError() + assert tw.lines[7] == "" + assert tw.lines[8].endswith("mod.py:3: ValueError") + ++@broken_on_modern_pytest + def test_toterminal_long_filenames(self, importasmod): + mod = importasmod(""" + def f(): +@@ -863,6 +877,7 @@ raise ValueError() + assert tw.stringio.getvalue() + + ++@broken_on_modern_pytest + def test_native_style(self): + excinfo = self.excinfo_from_exec(""" + assert 0 +@@ -877,6 +892,7 @@ raise ValueError() + if py.std.sys.version_info >= (2, 5): + assert s.count('assert 0') == 2 + ++@broken_on_modern_pytest + def test_traceback_repr_style(self, importasmod): + mod = importasmod(""" + def f(): diff --git a/dev-python/py/py-1.4.34.ebuild b/dev-python/py/py-1.4.34.ebuild index
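Review bot: The two xfail markers added to testing/code/test_assertion.py test `py.test.__version__[0] != "2"`, which looks only at the first character of the version string, so any major version beginning with the digit 2 would be treated as pytest 2. The same patch already parses the version in testing/code/test_excinfo.py (`pytest_version_info[0] != 2`); using the same form here, e.g. `int(py.test.__version__.split(".")[0]) != 2`, would keep the two files consistent. Because every marker sets `run=False`, these tests are never executed on newer pytest, so a later upstream fix will not show up as an unexpected pass.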