On Tue, Dec 13, 2022 at 12:41:40PM -0500, Kurt Mosiejczuk wrote: > https://docs.python.org/release/3.9.16/whatsnew/changelog.html#python-3-9-16-final
> This is an update for Python 3.9.16 > I've tested it on amd64 and sparc64 > (You can't see it in the diff, but I've left REVISION-tkinter=0 for -stable > purposes) > I dropped the sha3 patch since upstream has integrated it. > ok? This takes into account the changes suggested in the 3.10 thread and the needed change for CHANGES.OpenBSD. ok? --Kurt
Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/python/3.9/Makefile,v
retrieving revision 1.38
diff -u -p -r1.38 Makefile
--- Makefile 6 Dec 2022 15:55:58 -0000 1.38
+++ Makefile 16 Dec 2022 00:09:08 -0000
@@ -3,16 +3,11 @@
 # requirement of the PSF license, if it constitutes a change to
 # Python itself.
-FULL_VERSION = 3.9.15
+FULL_VERSION = 3.9.16
 SHARED_LIBS = python3.9 0.0
 VERSION_SPEC = >=3.9,<3.10
 PORTROACH = limit:^3\.9
-REVISION-main = 4
-REVISION-idle = 0
-# -tkinter in 7.2-stable must be kept a higher version than 7.1-stable
-# due to dep changes (Tcl/Tk 8.5 -> 8.6); 7.2-current must be kept at same
-# or higher version than 7.2-stable.
-REVISION-tkinter = 0
+REVISION = 0
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/lang/python/3.9/distinfo,v
retrieving revision 1.12
diff -u -p -r1.12 distinfo
--- distinfo 14 Oct 2022 15:12:13 -0000 1.12
+++ distinfo 16 Dec 2022 00:09:08 -0000
@@ -1,2 +1,2 @@
-SHA256 (Python-3.9.15.tgz) = SNHMsp1fuvH7j5EicdCfdFDkJtTf6Vl472qq2nDs5Ng=
-SIZE (Python-3.9.15.tgz) = 26334056
+SHA256 (Python-3.9.16.tgz) = GtU56dvStC33FLaXJuBpO8a50tLI6RwuQyBAJmBRQMU=
+SIZE (Python-3.9.16.tgz) = 26333525
Index: files/CHANGES.OpenBSD
===================================================================
RCS file: /cvs/ports/lang/python/3.9/files/CHANGES.OpenBSD,v
retrieving revision 1.13
diff -u -p -r1.13 CHANGES.OpenBSD
--- files/CHANGES.OpenBSD 5 Nov 2022 20:46:24 -0000 1.13
+++ files/CHANGES.OpenBSD 16 Dec 2022 00:09:08 -0000
@@ -19,8 +19,5 @@ compiler as passed to ports builds is /u 6. Use closefrom(2) instead of looping through all the file descriptors and calling close(2) on them. -7. Fix broken keccak implementation by pulling in the applicable part - of the fix of CVE-2022-37454. - These changes are available in the OpenBSD CVS repository <http://www.openbsd.org/anoncvs.html> in ports/lang/python/3.9. Index: patches/patch-Modules__sha3_kcp_KeccakSponge_inc =================================================================== RCS file: patches/patch-Modules__sha3_kcp_KeccakSponge_inc diff -N patches/patch-Modules__sha3_kcp_KeccakSponge_inc --- patches/patch-Modules__sha3_kcp_KeccakSponge_inc 21 Oct 2022 16:04:47 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,52 +0,0 @@
-SHA-3 buffer overflows (CVE-2022-37454)
-https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
-https://github.com/python/cpython/pull/98519
-
-Index: Modules/_sha3/kcp/KeccakSponge.inc
---- Modules/_sha3/kcp/KeccakSponge.inc.orig
-+++ Modules/_sha3/kcp/KeccakSponge.inc
-@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsig
- i = 0;
- curData = data;
- while(i < dataByteLen) {
-- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
-+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
- #ifdef SnP_FastLoop_Absorb
- /* processing full blocks first */
- 
-@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsig
- }
- else {
- /* normal lane: using the message queue */
--
-- partialBlock = (unsigned int)(dataByteLen - i);
-- if (partialBlock+instance->byteIOIndex > rateInBytes)
-+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
- partialBlock = rateInBytes-instance->byteIOIndex;
-+ else
-+ partialBlock = (unsigned int)(dataByteLen - i);
- #ifdef KeccakReference
- displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
- #endif
-@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned c
- i = 0;
- curData = data;
- while(i < dataByteLen) {
-- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
-+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
- for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
- SnP_Permute(instance->state);
- SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
-@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned c
- SnP_Permute(instance->state);
- instance->byteIOIndex = 0;
- }
-- partialBlock = (unsigned int)(dataByteLen - i);
-- if (partialBlock+instance->byteIOIndex > rateInBytes)
-+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
- partialBlock = rateInBytes-instance->byteIOIndex;
-+ else
-+ partialBlock = (unsigned int)(dataByteLen - i);
- i += partialBlock;
- 
- SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);