commit: b5a326329d0121f8a618e73feb3fe1dfb31f9e1f Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Mon Feb 15 23:44:52 2021 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Tue Feb 16 00:12:52 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5a32632
dev-lang/python: Backport CVE-2021-23336 fix to 3.8 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.8.7_p2.ebuild | 337 +++++++++++++++++++++++++++++++++ 2 files changed, 338 insertions(+) diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest index d8f1cadb971..7fd9dcf150a 100644 --- a/dev-lang/python/Manifest +++ b/dev-lang/python/Manifest @@ -26,6 +26,7 @@ DIST python-gentoo-patches-3.7.9-r1.tar.xz 15664 BLAKE2B 271b95a52f4ba83c1aee6f6 DIST python-gentoo-patches-3.7.9-r2.tar.xz 17068 BLAKE2B 2cb838e6ab2f76b5d08df42a1187f3cdeaf3e26d845307ddb6f492eb46cfb14da26f7ceaca7ca09a5304ba717006d182cb632a0927029419064673e58a06d232 SHA512 fd9bdc0ed989ff9ca5f343d2fd04a9e7f4c078e434b03288b19797dab71006d89d601cf91d651a1dbb8cc6c66e829c977cec98e971b30c5f5cc29a751dc34d50 DIST python-gentoo-patches-3.8.6-r1.tar.xz 15880 BLAKE2B 9a08cd23af56bcc2ed0dffe4850698be6e0bcf7c44d3eafeb250e328a93833dc3e9ce084f1be89450d1e123cd72d81c6271edfe34046d1bab3d7c10a98d0d9c5 SHA512 83474915cab0928d1d2f4229832bef7c093b2943770fa900a7445bfaa633544f50791aa8b4bc4191662af56feef166814d98eb6fad2c0a0eb9db1f8f4806e689 DIST python-gentoo-patches-3.8.7-r1.tar.xz 12572 BLAKE2B 7658ae56993674a7f57cb2b6d9f23e9d01fa75f00edcc67dc3474bba0361373555c44d47c155cf9ffcbd8551ff2ae56bc22a25bef1bf6b3efed7314b2824d777 SHA512 76d0e4d18fbeedc28430a3dd1656cfafdfefdae28978baddd3e0102d0fce83be173b58da74203fc6a90cf50c63fa612f0b78e65bc59a41dce4739eead398d352 +DIST python-gentoo-patches-3.8.7_p2.tar.xz 17708 BLAKE2B 495a24e0496be246d2beddfaaa8886049197ca5973dadccfcd26b3b2237e4b06b85f0e4d418db411d055ca3d0c1173e03dd5a62e29f64c133e8da6261b17c99b SHA512 c06f2fc1fe48be010e8230ac3d474b9c8386bba8f762dbe35d128ad63eaa1a4c2a5a991ec6044564331d0dec4f248a71e37959ebe666b0693d6ed41f460a67f7 DIST python-gentoo-patches-3.9.0-r1.tar.xz 13728 BLAKE2B 50e85194c6bafefb8a0ddc4c9dea39227fc2c170db37ab44fa1e068340fa2fc5a59489f50431f0792024df551fc54a20de594579b57717c89fa134b3f000bb6d SHA512 a38c2800e3a0740af79f75f4120c925c7a891aa1f14a71ab56ad97fbabca3573c571140da3f34050bd9f97bd854a704453a910fa6883162196e6d1335a965b61 DIST python-gentoo-patches-3.9.1-r1.tar.xz 10464 BLAKE2B d69ce207020b7a34eb45c149ce88001167704763fbc373a8d5aff48a1d6337774dfb6c75d477442516b8dceb87b116e6d8cf3231334ced9b03aa970aa0d2e8e1 SHA512 72b1e37b1ceac9a0e95aa63a7dd404c69f60ae7a8aac472b8c17100c873a4d28d3291231643862c9d1cfaf990040f8e780590274314047adee199c159d745369 DIST python-gentoo-patches-3.9.1_p2.tar.xz 15556 BLAKE2B 5e265ef8edee70694d73c6df6eb908a747be34e1e89b900d2470d41e7e043d179408bc643a52ade6e54e61a210ee8850d02a2cb452a9336f3973345c1d027158 SHA512 eabfd304b39975258705f5e9b238f709196ce0cbd3803f157dc77d864631a3eea380084a3a4de180e3ba7e92239608ae369e810f8066c0f1ff9fa251bbc1816c diff --git a/dev-lang/python/python-3.8.7_p2.ebuild b/dev-lang/python/python-3.8.7_p2.ebuild new file mode 100644 index 00000000000..71bd7c3f061 --- /dev/null +++ b/dev-lang/python/python-3.8.7_p2.ebuild @@ -0,0 +1,337 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" +WANT_LIBTOOL="none" + +inherit autotools flag-o-matic multiprocessing pax-utils \ + python-utils-r1 toolchain-funcs verify-sig + +MY_P="Python-${PV%_p*}" +PYVER=$(ver_cut 1-2) +PATCHSET="python-gentoo-patches-${PV}" + +DESCRIPTION="An interpreted, interactive, object-oriented programming language" +HOMEPAGE="https://www.python.org/"; +SRC_URI="https://www.python.org/ftp/python/${PV%_*}/${MY_P}.tar.xz + https://dev.gentoo.org/~mgorny/dist/python/${PATCHSET}.tar.xz + verify-sig? ( + https://www.python.org/ftp/python/${PV%_*}/${MY_P}.tar.xz.asc + )" +S="${WORKDIR}/${MY_P}" + +LICENSE="PSF-2" +SLOT="${PYVER}" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="bluetooth build examples gdbm hardened ipv6 libressl +ncurses +readline sqlite +ssl test tk wininst +xml" +RESTRICT="!test? ( test )" + +# Do not add a dependency on dev-lang/python to this ebuild. +# If you need to apply a patch which requires python for bootstrapping, please +# run the bootstrap code on your dev box and include the results in the +# patchset. See bug 447752. + +RDEPEND="app-arch/bzip2:= + app-arch/xz-utils:= + dev-libs/libffi:= + sys-apps/util-linux:= + >=sys-libs/zlib-1.1.3:= + virtual/libcrypt:= + virtual/libintl + gdbm? ( sys-libs/gdbm:=[berkdb] ) + ncurses? ( >=sys-libs/ncurses-5.2:= ) + readline? ( >=sys-libs/readline-4.1:= ) + sqlite? ( >=dev-db/sqlite-3.3.8:3= ) + ssl? ( + !libressl? ( dev-libs/openssl:= ) + libressl? ( dev-libs/libressl:= ) + ) + tk? ( + >=dev-lang/tcl-8.0:= + >=dev-lang/tk-8.0:= + dev-tcltk/blt:= + dev-tcltk/tix + ) + xml? ( >=dev-libs/expat-2.1:= )" +# bluetooth requires headers from bluez +DEPEND="${RDEPEND} + bluetooth? ( net-wireless/bluez ) + test? ( app-arch/xz-utils[extra-filters(+)] )" +BDEPEND=" + virtual/pkgconfig + verify-sig? ( app-crypt/openpgp-keys-python ) + !sys-devel/gcc[libffi(-)]" +PDEPEND="app-eselect/eselect-python" +RDEPEND+=" !build? ( app-misc/mime-types )" + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/python.org.asc + +src_unpack() { + if use verify-sig; then + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc} + fi + default +} + +src_prepare() { + # Ensure that internal copies of expat, libffi and zlib are not used. + rm -fr Modules/expat || die + rm -fr Modules/_ctypes/libffi* || die + rm -fr Modules/zlib || die + + local PATCHES=( + "${WORKDIR}/${PATCHSET}" + ) + + default + + sed -i -e "s:@@GENTOO_LIBDIR@@:$(get_libdir):g" \ + setup.py || die "sed failed to replace @@GENTOO_LIBDIR@@" + + # force correct number of jobs + # https://bugs.gentoo.org/737660 + local jobs=$(makeopts_jobs "${MAKEOPTS}" "$(get_nproc)") + sed -i -e "s:-j0:-j${jobs}:" Makefile.pre.in || die + sed -i -e "/self\.parallel/s:True:${jobs}:" setup.py || die + + eautoreconf +} + +src_configure() { + local disable + # disable automagic bluetooth headers detection + use bluetooth || export ac_cv_header_bluetooth_bluetooth_h=no + use gdbm || disable+=" gdbm" + use ncurses || disable+=" _curses _curses_panel" + use readline || disable+=" readline" + use sqlite || disable+=" _sqlite3" + use ssl || export PYTHON_DISABLE_SSL="1" + use tk || disable+=" _tkinter" + use xml || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat. + export PYTHON_DISABLE_MODULES="${disable}" + + if ! use xml; then + ewarn "You have configured Python without XML support." + ewarn "This is NOT a recommended configuration as you" + ewarn "may face problems parsing any XML documents." + fi + + if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then + einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}" + fi + + if [[ "$(gcc-major-version)" -ge 4 ]]; then + append-flags -fwrapv + fi + + filter-flags -malign-double + + # https://bugs.gentoo.org/show_bug.cgi?id=50309 + if is-flagq -O3; then + is-flagq -fstack-protector-all && replace-flags -O3 -O2 + use hardened && replace-flags -O3 -O2 + fi + + # https://bugs.gentoo.org/700012 + if is-flagq -flto || is-flagq '-flto=*'; then + append-cflags $(test-flags-CC -ffat-lto-objects) + fi + + # Export CXX so it ends up in /usr/lib/python3.X/config/Makefile. + tc-export CXX + + # Fix implicit declarations on cross and prefix builds. Bug #674070. + use ncurses && append-cppflags -I"${ESYSROOT}"/usr/include/ncursesw + + local dbmliborder + if use gdbm; then + dbmliborder+="${dbmliborder:+:}gdbm" + fi + + local myeconfargs=( + # glibc-2.30 removes it; since we can't cleanly force-rebuild + # Python on glibc upgrade, remove it proactively to give + # a chance for users rebuilding python before glibc + ac_cv_header_stropts_h=no + + --enable-shared + $(use_enable ipv6) + --infodir='${prefix}/share/info' + --mandir='${prefix}/share/man' + --with-computed-gotos + --with-dbmliborder="${dbmliborder}" + --with-libc= + --enable-loadable-sqlite-extensions + --without-ensurepip + --with-system-expat + --with-system-ffi + ) + + OPT="" econf "${myeconfargs[@]}" + + if grep -q "#define POSIX_SEMAPHORES_NOT_ENABLED 1" pyconfig.h; then + eerror "configure has detected that the sem_open function is broken." + eerror "Please ensure that /dev/shm is mounted as a tmpfs with mode 1777." + die "Broken sem_open function (bug 496328)" + fi +} + +src_compile() { + # Ensure sed works as expected + # https://bugs.gentoo.org/594768 + local -x LC_ALL=C + + emake CPPFLAGS= CFLAGS= LDFLAGS= + + # Work around bug 329499. See also bug 413751 and 457194. + if has_version dev-libs/libffi[pax_kernel]; then + pax-mark E python + else + pax-mark m python + fi +} + +src_test() { + # Tests will not work when cross compiling. + if tc-is-cross-compiler; then + elog "Disabling tests due to crosscompiling." + return + fi + + # Skip failing tests. + local skipped_tests="gdb" + + for test in ${skipped_tests}; do + mv "${S}"/Lib/test/test_${test}.py "${T}" + done + + # bug 660358 + local -x COLUMNS=80 + local -x PYTHONDONTWRITEBYTECODE= + + local jobs=$(makeopts_jobs "${MAKEOPTS}" "$(get_nproc)") + + emake test EXTRATESTOPTS="-u-network -j${jobs}" \ + CPPFLAGS= CFLAGS= LDFLAGS= < /dev/tty + local result=$? + + for test in ${skipped_tests}; do + mv "${T}/test_${test}.py" "${S}"/Lib/test + done + + elog "The following tests have been skipped:" + for test in ${skipped_tests}; do + elog "test_${test}.py" + done + + elog "If you would like to run them, you may:" + elog "cd '${EPREFIX}/usr/lib/python${PYVER}/test'" + elog "and run the tests separately." + + if [[ ${result} -ne 0 ]]; then + die "emake test failed" + fi +} + +src_install() { + local libdir=${ED}/usr/lib/python${PYVER} + + emake DESTDIR="${D}" altinstall + + # Remove static library + rm "${ED}"/usr/$(get_libdir)/libpython*.a || die + + sed \ + -e "s/\(CONFIGURE_LDFLAGS=\).*/\1/" \ + -e "s/\(PY_LDFLAGS=\).*/\1/" \ + -i "${libdir}/config-${PYVER}"*/Makefile || die "sed failed" + + # Fix collisions between different slots of Python. + rm "${ED}/usr/$(get_libdir)/libpython3.so" || die + + # Cheap hack to get version with ABIFLAGS + local abiver=$(cd "${ED}/usr/include"; echo python*) + if [[ ${abiver} != python${PYVER} ]]; then + # Replace python3.X with a symlink to python3.Xm + rm "${ED}/usr/bin/python${PYVER}" || die + dosym "${abiver}" "/usr/bin/python${PYVER}" + # Create python3.X-config symlink + dosym "${abiver}-config" "/usr/bin/python${PYVER}-config" + # Create python-3.5m.pc symlink + dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc" + fi + + # python seems to get rebuilt in src_install (bug 569908) + # Work around it for now. + if has_version dev-libs/libffi[pax_kernel]; then + pax-mark E "${ED}/usr/bin/${abiver}" + else + pax-mark m "${ED}/usr/bin/${abiver}" + fi + + use sqlite || rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die + use tk || rm -r "${ED}/usr/bin/idle${PYVER}" "${libdir}/"{idlelib,tkinter,test/test_tk*} || die + + use wininst || rm "${libdir}/distutils/command/"wininst-*.exe || die + + dodoc Misc/{ACKS,HISTORY,NEWS} + + if use examples; then + docinto examples + find Tools -name __pycache__ -exec rm -fr {} + || die + dodoc -r Tools + fi + insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510 + local libname=$(printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' | \ + emake --no-print-directory -s -f - 2>/dev/null) + newins "${S}"/Tools/gdb/libpython.py "${libname}"-gdb.py + + newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER} + newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER} + sed \ + -e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \ + -e "s:@PYDOC@:pydoc${PYVER}:" \ + -i "${ED}/etc/conf.d/pydoc-${PYVER}" \ + "${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed" + + local -x EPYTHON=python${PYVER} + # if not using a cross-compiler, use the fresh binary + if ! tc-is-cross-compiler; then + local -x PYTHON=./python + local -x LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${PWD} + else + local -x PYTHON=${EPREFIX}/usr/bin/${EPYTHON} + fi + + echo "EPYTHON='${EPYTHON}'" > epython.py || die + python_domodule epython.py + + # python-exec wrapping support + local pymajor=${PYVER%.*} + local scriptdir=${D}$(python_get_scriptdir) + mkdir -p "${scriptdir}" || die + # python and pythonX + ln -s "../../../bin/${abiver}" \ + "${scriptdir}/python${pymajor}" || die + ln -s "python${pymajor}" "${scriptdir}/python" || die + # python-config and pythonX-config + # note: we need to create a wrapper rather than symlinking it due + # to some random dirname(argv[0]) magic performed by python-config + cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die + #!/bin/sh + exec "${abiver}-config" "\${@}" + EOF + chmod +x "${scriptdir}/python${pymajor}-config" || die + ln -s "python${pymajor}-config" \ + "${scriptdir}/python-config" || die + # 2to3, pydoc + ln -s "../../../bin/2to3-${PYVER}" \ + "${scriptdir}/2to3" || die + ln -s "../../../bin/pydoc${PYVER}" \ + "${scriptdir}/pydoc" || die + # idle + if use tk; then + ln -s "../../../bin/idle${PYVER}" \ + "${scriptdir}/idle" || die + fi +}
