Bug#931044: installing python3.4 fails
Hi, Since the bug report was indicating that the issue was fixed in 3.4.2-1+deb8u4, I've tried to apply upgrades and it seems to have upgraded successfully. So the fix seems to work for me! signature.asc Description: OpenPGP digital signature
Bug#931044: installing python3.4 fails
Package: python3.4
Version: 3.4.2-1+deb8u3
Followup-For: Bug #931044
The following fix could be applied to the faulty Python standard library file
ultimately used by the /var/lib/dpkg/info/python3.4.postinst script:
--- /usr/lib/python3.4/http/client.py 2019-06-25 14:41:35.0 +0200
+++ /usr/lib/python3.4/http/client.py 2019-06-25 14:41:55.0 +0200
@@ -1011,8 +1011,9 @@
# Prevent CVE-2019-9740.
match = _contains_disallowed_url_pchar_re.search(url)
if match:
-raise InvalidURL(f"URL can't contain control characters. {url!r} "
- f"(found at least {match.group()!r})")
+raise InvalidURL("URL can't contain control characters. {url!r} "
+ "(found at least {group!r})"
+ .format(url=url, group=match.group()))
request = '%s %s %s' % (method, url, self._http_vsn_str)
# Non-ASCII characters should have been eliminated earlier
Sorry to provide this patch inline, but I am using the textual bug reporting
interface! I imagine that this regression has occurred because someone has
applied the noted vulnerability countermeasure without backporting it to the
syntax understood by Python 3.5 or earlier.
I hope this helps others experiencing the same problem.
Paul
-- System Information:
Debian Release: 8.11
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-9-586
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=en_GB.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3.4 depends on:
ii libpython3.4-stdlib 3.4.2-1+deb8u3
ii mime-support 3.58
ii python3.4-minimal3.4.2-1+deb8u3
python3.4 recommends no packages.
Versions of packages python3.4 suggests:
ii binutils2.25-5+deb8u1
pn python3.4-doc
pn python3.4-venv
-- no debconf information
Bug#931044: installing python3.4 fails
Re: Andreas Bießmann 2019-06-25 <[email protected]> > Setting up python3.4 (3.4.2-1+deb8u3) ... > File "/usr/lib/python3.4/http/client.py", line 1014 > raise InvalidURL(f"URL can't contain control characters. {url!r} " > ^ > SyntaxError: invalid syntax Looks like the fix for this: * CVE-2019-9740, CVE-2019-9947 Issue #30458: Disallow control chars in http URLs in urllib.urlopen. Roberto? Christoph
Bug#931044: installing python3.4 fails
Package: python3.4
Version: 3.4.2-1+deb8u3
When I try to upgrade my packages it fails due to f-string in python3.4
code:
% LANG=C sudo apt full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up python3.4 (3.4.2-1+deb8u3) ...
File "/usr/lib/python3.4/http/client.py", line 1014
raise InvalidURL(f"URL can't contain control characters. {url!r} "
^
SyntaxError: invalid syntax
dpkg: error processing package python3.4 (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
python3.4
E: Sub-process /usr/bin/dpkg returned an error code (1)
LANG=C sudo apt full-upgrade 5,37s user 1,38s system 83% cpu 8,085 total
% cat /etc/debian_version
8.11
I suggest to replace the f-string to one of the two supported mechanism
in < python3.6.
I think the surroundings (libc, kernel, ...) are unimportant here.
kind regards,
Andreas Bießmann
