Larry Hastings added the comment:
New changeset 71572bbe82aa0836c036d44d41c8269ba6a321be by larryhastings (Victor
Stinner) in branch '3.4':
[3.4] bpo-29591, bpo-30694: Upgrade Modules/expat to libexpat 2.2.1 (#2164)
(#2203)
https://github.com/python/cpython/commit
Larry Hastings added the comment:
Okay. Closing this bug, because all the branches that are being upgraded to
expat 2.2.*0* have already gotten their upgrades. Job done.
The discussions for PRs 2203 and 2204 should move to Issue #30694, which is for
the upgrade to expat 2.2.*1
Larry Hastings added the comment:
Please instead choose to use bpo-30694 for the upgrades of 3.3 and 3.4 to expat
2.2.1. I guess there are historical reasons why the PRs are here, but bpo
stands as a historical record; let's not confuse posterity by upgrading to
2.2.1 using a bpo issue
Larry Hastings added the comment:
New changeset f7344798e57da6b9c4ed9372e8eaecde80989c86 by larryhastings (Serhiy
Storchaka) in branch '3.4':
[3.4] [3.5] bpo-27945: Fixed various segfaults with dict. (GH-1657) (GH-1678)
(#2248)
https://github.com/python/cpython/commit
Larry Hastings added the comment:
Yes, and thank you for submitting the PR to backport it to 3.4!
(And thank you for backporting it to 3.3, too!)
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
I don't quite understand what's happening on this issue. I see that master,
3.6, 3.6, and 2.7 have been upgraded to expat 2.2.0. This issue was created to
upgrade CPython to 2.2.0. But the PR against 3.3 and 3.4 upgrade expat to
2.2.1?!
I'm not against
Larry Hastings added the comment:
Will this be backported to 3.3 or 3.6? I don't see a PR or checkin for either
of those versions on this issue, and both those versions are open for security
fixes.
--
nosy: +larry
___
Python tracker <
Larry Hastings added the comment:
Python 3.4 no longer accepts bug fixes; it is in "security fixes only" mode.
Since this is not a security fix, it will not be accepted into Python 3.4.
If this bug affects other versions of Python, please file a new bug. Although,
unless you
Larry Hastings added the comment:
New changeset fe82c46327effc124ff166e1fa1e611579e1176b by larryhastings (Serhiy
Storchaka) in branch '3.4':
[security][3.4] bpo-30730: Prevent environment variables injection in
subprocess on Windows. (GH-2325) (#2362)
https://github.com/python/cpython/commit
Larry Hastings added the comment:
(never-mind, 3.6.1 still permits this, but I see that it's been fixed in trunk)
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
It seems that os.execve() still permits this, even on Windows. Shouldn't we
solve it there too? (Thanks to Steve Dower for realizing this.)
--
import os
cmdline=["/usr/bin/printenv"]
env={'a=b': 'c'}
os.execve(cmdline[0], cmdline, env)
# this pr
Larry Hastings added the comment:
Serhiy, I don't see where you got a full review of this change. Eryksun
reviewed the code and asked for changes; you made the changes he asked for but
didn't get any further review. Nor did you get a full review / "looks good to
me" fr
Larry Hastings added the comment:
"Special cases aren't special enough to break the rules." I want the error
message to mirror the API, which it currently does. If we swapped them, the
error message would now contradict the API. So no, I don't support swapping
"src" an
Larry Hastings added the comment:
I don't know how to fix it. "make clinic" needs to be run in-tree anyway as
it's modifying the C source code in place.
Can you suggest a patch?
--
___
Python tracker <rep...@bugs.pyth
Larry Hastings added the comment:
What's to decide? If the new behavior is also broken, we should fix it. I'd
like a fix in the next 3.5.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
Why is this still open? GPS: didn't your checkin last June fix this?
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
Let's make it a release blocker for now.
--
priority: normal -> release blocker
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.or
Changes by Larry Hastings <la...@hastings.org>:
--
nosy: -larry
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29924>
___
__
Larry Hastings added the comment:
This is not an Argument Clinic issue.
--
components: +Interpreter Core -Argument Clinic
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +617
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29683>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +619
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28598>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: -588
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29568>
___
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: -601
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24037>
___
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: -593
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29703>
___
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: -578
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27593>
___
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: -583
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue9303>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: -580
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28682>
___
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +622
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26121>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +625
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue7769>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +626
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29645>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +624
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28893>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +621
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29438>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +618
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29576>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +620
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29602>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +616
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29714>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +612
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29532>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +609
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26915>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +623
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29800>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +608
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28518>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +610
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29534>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +604
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28298>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +605
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28692>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +614
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29684>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +615
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29546>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +601
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24037>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +602
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20087>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +613
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29607>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +607
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29347>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +596
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29742>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +603
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25008>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +600
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28929>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +611
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29579>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +598
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28963>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +606
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22807>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +595
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29615>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +597
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29110>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +594
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29623>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +599
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29619>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +585
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29723>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +589
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29695>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +593
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29703>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +591
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29271>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +590
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29139>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +584
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29463>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +592
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29704>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +580
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28682>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +578
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27593>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +587
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28231>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +577
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8256>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +588
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29568>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +582
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28856>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +581
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29376>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +579
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29572>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +583
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue9303>
___
_
Changes by Larry Hastings <la...@hastings.org>:
--
pull_requests: +586
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28624>
___
_
Larry Hastings added the comment:
I've accepted PR 224. I don't plan an emergency release of 3.4 to get this
change out into the world. Unless there's any other business, we can now close
this issue.
--
resolution: -> fixed
stage: commit review -> resolved
status: open ->
Larry Hastings added the comment:
Sorry about that! It's almost like manually updating Misc/NEWS is a bad design
:(
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
I don't think we should update it in 3.5. That sounds destabilizing.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Changes by Larry Hastings <la...@hastings.org>:
--
nosy: -larry
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue28339>
___
__
Larry Hastings added the comment:
Releasing 3.5.3 even though technically this is an open release blocker. IIUC
the fix is checked in, and fixed the issue for OS X. We don't know whether or
not it is also fixed on OpenBSD, because we don't know anybody running OpenBSD,
and nobody contacted
Larry Hastings added the comment:
If it "has a small attack surface" and affects "a very small number of
applications", I don't think it's a release blocker. Demoting to "high"
priority, which will permit me to release 3.5.3.
--
pri
Larry Hastings added the comment:
I'll make you a deal. If you check this in in the next 3 hours, I'll
cherry-pick it for 3.5.3. Otherwise I don't want to hold up the release. To
be honest I'm not sure why it's marked as "release blocker" if it's "
Larry Hastings added the comment:
Could one of you recent tagees (Terry, Zach) review the patch? Hoping to tag
3.5.3 final in less than 48 hours, and I want to cherry-pick the fix for
this...!
--
___
Python tracker <rep...@bugs.python.org>
Larry Hastings added the comment:
Hoping to tag in less than 48 hours...!
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
Ping. Hoping to resolve this in time for 3.5.3, which I tag in about four days.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
Well, clearly I'm not qualified to review the patch. Could someone please
review it? I want to cherry-pick the fix for this issue for 3.5.3 final, which
I tag in about four days.
--
___
Python tracker <
Larry Hastings added the comment:
FYI I'm keeping an eye on this for possible cherry-picking into 3.5.3 final,
depending on the resolution. Reverting 030e100f048a works for me, assuming
that's a reasonable solution.
--
___
Python tracker <
Larry Hastings added the comment:
I don't understand the fix. Does this really prevent the injection?
I would fix it this way:
if tixlib is not None and os.path.exists(tixlib):
--
___
Python tracker <rep...@bugs.python.org>
Larry Hastings added the comment:
I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago. Do you think the CVEs are
bad enough to warrant cherry-picking this? A quick google suggests they were
all low severity:
http://www.openwall.com/lists/oss-security/2016/12/05/21
I'm inclined to not cherry
Larry Hastings added the comment:
Mr. Nasby, as long as you're in a test-reproducing mood, would you mind
downloading the source to 3.5.3rc1 and confirming that it builds correctly for
you? I'd appreciate it! (Not that I don't trust Ned et al, but independent
confirmation always helps
Larry Hastings added the comment:
This code hasn't changed in years. So while I believe it's a security bug and
should be fixed, I don't know if I agree it's a bad enough security bug to stop
Python 3.5.3rc1, which is literally in the middle of the release process.
I'm guessing
Larry Hastings added the comment:
I'm making an executive decision to not hold up the 3.5.3rc1 release for
OpenBSD. Hopefully the OpenBSD folks can make sure it works for them before
3.5.3 final ships in two weeks.
--
___
Python tracker <
Larry Hastings added the comment:
Can this be marked closed now?
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29057>
___
___
Changes by Larry Hastings <la...@hastings.org>:
--
nosy: +larry
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29006>
___
__
Larry Hastings added the comment:
If this is fixed, can we close this issue? This release blocker is one of two
issues blocking 3.5.3 rc1.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
This is currently blocking the release of 3.5.3 rc1.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
Since this is the first time anybody has needed it, I suggest the latter.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
I don't want this change committed to CPython, you can do what you need with a
converter so do that.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
Larry Hastings added the comment:
Sorry, Argument Clinic doesn't support automatic tuple unpacking for arguments.
It was almost never used, I don't think it was ever a good idea, and it would
have made an already-too-complicated program even more complicated-er