At least one of the following DISTRO_FEATURES needs to be present: X11
or Wayland. The recipe now work with pure Wayland.
Signed-off-by: Marine Vovard <m.vovard@phytec.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidator and URLValidator are subject to a potential ReDoS
(regular expression denial of service) attack via a very large
number of domain name labels of emails and URLs.
Since, there is no ptest available for python3-django so have not
tested the patch changes at runtime.
References:
https://github.com/advisories/GHSA-jh3w-4vvf-mjgr454f2fb934
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
According to the setup.py of v4.0.0 [1] the following runtime
dependencies are currently missing. Add them.
* packaging
* setuptools
* typing_extensions
While at it, also reorder the list alphabetically.
[1] https://github.com/hardbyte/python-can/blob/4.0.0/setup.py
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.19 and 3.2.20 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 3.2.19..3.2.20 shows:
19bc11f636 (tag: 3.2.20) [3.2.x] Bumped version for 3.2.20 release.
454f2fb934 [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
07cc014cb3 [3.2.x] Added stub release notes for 3.2.20.
e1bbbbe6ac [3.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
47ef12e69c [3.2.x] Added CVE-2023-31047 to security archive.
15f90ebff3 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.20/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gcc-11 has metadata line "-: 0:Source is newer than graph" which throws an
error.
Backported from gcovr 5.2, as kirkstone release uses gcc-11.
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Modified the CVE-2023-23934.patch to fix the patch-fuzz.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
sqlparse is a non-validating SQL parser module for Python. In affected
versions the SQL parser contains a regular expression that is vulnerable
to ReDoS (Regular Expression Denial of Service). This issue was introduced
by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS).
This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users
are advised to upgrade. There are no known workarounds for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1,
it was possible to bypass validation when using one form field to
upload multiple files. This multiple upload has never been supported
by forms.FileField or forms.ImageField (only the last uploaded file was
validated). However, Django's "Uploading multiple files" documentation
suggested otherwise.
Since, there is no ptest available for python3-django so have not tested
the patch changes at runtime.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A flaw was found in all released versions of m2crypto, where they are
vulnerable to Bleichenbacher timing attacks in the RSA decryption API
via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest
threat from this vulnerability is to confidentiality.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Django 4.2* is designated as a long-term support release. It will receive
security updates for at least three years after its release (From April-2023
to April-2026).
The delta between 4.0.2 and 4.2.1 contain numerous CVEs and other
bugfixes.
Changelog: https://docs.djangoproject.com/en/dev/releases/4.2.1/
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a comprehensive WSGI web application library. Prior to
version 2.2.3, Werkzeug's multipart form data parser will parse an
unlimited number of parts, including file parts. Parts can be a
small amount of bytes, but each requires CPU time to parse and may
use more memory as Python data. If a request can be made to an
endpoint that accesses `request.data`, `request.form`, `request.files`,
or `request.get_data(parse_form_data=False)`, it can cause unexpectedly
high resource usage. This allows an attacker to cause a denial of
service by sending crafted multipart data to an endpoint that will
parse it. The amount of CPU time required can block worker processes
from handling legitimate requests. The amount of RAM required can
trigger an out of memory kill of the process. Unlimited file parts
can use up memory and file handles. If many concurrent requests are
sent continuously, this can exhaust or kill all available workers.
Version 2.2.3 contains a patch for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ptest results:
====== 3600 passed, 324 skipped, 2 xfailed, 1 xpassed in 74.41s (0:01:14) ======
for qemux86-64 with 2 GB RAM which is the same as seen on master.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
License-Updated: copyright year updated to 2023
Changelog:
==========
Fixed null pointer dereference crash with malformed font #6846
Return from ImagingFill early if image has a zero dimension #6842
Reversed deprecations for Image constants, except for duplicate Resampling attributes #6830
Improve exception traceback readability #6836
Do not attempt to read IFD1 if absent #6840
Fixed writing int as ASCII tag #6800
If available, use wl-paste or xclip for grabclipboard() on Linux #6783
Added signed option when saving JPEG2000 images #6709
Patch OpenJPEG to include ARM64 fix#6718
Added support for I;16 modes in putdata() #6825
Added conversion from RGBa to RGB #6708
Added DDS support for uncompressed L and LA images #6820
Added LightSource tag values to ExifTags #6749
Fixed PyAccess after changing ICO size #6821
Do not use EXIF from info when saving PNG images #6819
Fixed saving EXIF data to MPO #6817
Added Exif hide_offsets() #6762
Only compare to previous frame when checking for duplicate GIF frames while saving #6787
Always initialize all plugins in registered_extensions() #6811
Ignore non-opaque WebP background when saving as GIF #6792
Only set tile in ImageFile __setstate__ #6793
When reading BLP, do not trust JPEG decoder to determine image is CMYK #6767
Added IFD enum to ExifTags #6748
Fixed bug combining GIF frame durations #6779
Support saving JPEG comments #6774
Added getxmp() to WebPImagePlugin #6758
Added "exact" option when saving WebP #6747
Use fractional coordinates when drawing text #6722
Fixed writing int as BYTE tag #6740
Added MP Format Version when saving MPO #6735
Added Interop to ExifTags #6724
CVE-2007-4559 patch when building on Windows #6704
Fix compiler warning: accessing 64 bytes in a region of size 48 #6714
Use verbose flag for pip install #6713
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b73867b9d7)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
=========
Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]
Initialize libtiff buffer when saving #6699 [radarhere]
Inline fname2char to fix memory leak #6329 [nulano]
Fix memory leaks related to text features #6330 [nulano]
Use double quotes for version check on old CPython on Windows #6695 [hugovk]
Remove backup implementation of Round for Windows platforms #6693 [cgohlke]
Fixed set_variation_by_name offset #6445 [radarhere]
Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]
Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]
Added ExifTags enums #6630 [radarhere]
Do not modify previous frame when calculating delta in PNG #6683 [radarhere]
Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]
Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]
Added GPS TIFF tag info #6661 [radarhere]
Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]
Do not attempt normalization if mode is already normal #6644 [radarhere]
Fixed seeking to an L frame in a GIF #6576 [radarhere]
Consider all frames when selecting mode for PNG save_all #6610 [radarhere]
Don't reassign crc on ChunkStream close#6627 [wiredfool, radarhere]
Raise a warning if NumPy failed to raise an error during conversion #6594 [radarhere]
Show all frames in ImageShow #6611 [radarhere]
Allow FLI palette chunk to not be first #6626 [radarhere]
If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [radarhere]
Round box position to integer when pasting embedded color #6517 [radarhere, nulano]
Removed EXIF prefix when saving WebP #6582 [radarhere]
Pad IM palette to 768 bytes when saving #6579 [radarhere]
Added DDS BC6H reading #6449 [ShadelessFox, REDxEYE, radarhere]
Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [JayWiz, radarhere]
Raise an error when allocating translucent color to RGB palette #6654 [jsbueno, radarhere]
Added reading of TIFF child images #6569 [radarhere]
Improved ImageOps palette handling #6596 [PososikTeam, radarhere]
Defer parsing of palette into colors #6567 [radarhere]
Apply transparency to P images in ImageTk.PhotoImage #6559 [radarhere]
Use rounding in ImageOps contain() and pad() #6522 [bibinhashley, radarhere]
Fixed GIF remapping to palette with duplicate entries #6548 [radarhere]
Allow remap_palette() to return an image with less than 256 palette entries #6543 [radarhere]
Corrected BMP and TGA palette size when saving #6500 [radarhere]
Do not call load() before draft() in Image.thumbnail #6539 [radarhere]
Copy palette when converting from P to PA #6497 [radarhere]
Allow RGB and RGBA values for PA image putpixel #6504 [radarhere]
Removed support for tkinter in PyPy before Python 3.6 #6551 [nulano]
Do not use CCITTFaxDecode filter if libtiff is not available #6518 [radarhere]
Fallback to not using mmap if buffer is not large enough #6510 [radarhere]
Fixed writing bytes as ASCII tag #6493 [radarhere]
Open 1 bit EPS in mode 1 #6499 [radarhere]
Removed support for tkinter before Python 1.5.2 #6549 [radarhere]
Allow default ImageDraw font to be set #6484 [radarhere, hugovk]
Save 1 mode PDF using CCITTFaxDecode filter #6470 [radarhere]
Added support for RGBA PSD images #6481 [radarhere]
Parse orientation from XMP tag contents #6463 [bigcat88, radarhere]
Added support for reading ATI1/ATI2 (BC4/BC5) DDS images #6457 [REDxEYE, radarhere]
Do not clear GIF tile when checking number of frames #6455 [radarhere]
Support saving multiple MPO frames #6444 [radarhere]
Do not double quote Pillow version for setuptools >= 60 #6450 [radarhere]
Added ABGR BMP mask mode #6436 [radarhere]
Fixed PSDraw rectangle #6429 [radarhere]
Raise ValueError if PNG sRGB chunk is truncated #6431 [radarhere]
Handle missing Python executable in ImageShow on macOS #6416 [bryant1410, radarhere]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4e075c7dc8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
=========
Fixed null check for fribidi_version_info in FriBiDi shim
Added GIF decompression bomb check
Handle PCF fonts files with less than 256 characters
Improved GIF optimize condition
Reverted to array_interface with the release of NumPy 1.23
Pad PCX palette to 768 bytes when saving
Fixed bug with rounding pixels to palette colors
Use gnome-screenshot on Linux if available
Fixed loading L mode BMP RLE8 images
Fixed incorrect operator in ImageCms error
Limit FPX tile size to avoid extending outside image
Added support for decoding plain PPM formats
Added apply_transparency()
Fixed behaviour change from endian fix
Use python3
Allow remapping P images with RGBA palettes
Revert "Skip test_realloc_overflow unless libtiff 4.0.4 or higher"
[pre-commit.ci] pre-commit autoupdate
Only import ImageFont in ImageDraw when necessary
Fixed drawing translucent 1px high polygons
Pad COLORMAP to 768 items when saving TIFF
Fix P -> PA conversion
Once exif data is parsed, do not reload unless it changes
Only try to connect discontiguous corners at the end of edges
Improve transparency handling when saving GIF images
Do not update GIF frame position until local image is found
Netscape GIF extension belongs after the global color table
Only write GIF comments at the beginning of the file
Separate multiple GIF comment blocks with newlines
Always use GIF89a for comments
Ignore compression value from BMP info dictionary when saving as TIFF
If font is file-like object, do not re-read from object to get variant
Raise ValueError when trying to access internal fp after close
Support more affine expression forms in im.point()
Include 'twine check' in 'make sdist'
Ensure that furthest v is set in quantize2
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
tests/test_downloadutils.py::test_stream_response_to_specific_filename
requests_toolbelt/downloadutils/stream.py:161: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
if path and isinstance(getattr(path, 'write', None), collections.Callable):
Upstream-Status: Backport [7188b06330]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
As per CVE reference, version 3.2.1 fixes the CVE-2022-36087 issue. But after upgrading the python3-oauthlib version
to 3.2.1, observed that the vulnerable code lines are still available. The same observations were reported here in github at
https://github.com/oauthlib/oauthlib/issues/837 and found that it was a mistake during 3.2.1 release preparation and due to
which vulnerable code was still existing in 3.2.1 source code.
To fix CVE-2022-36087 issue, we need to upgrade python3-oauthlib to 3.2.2 version and here are the changelog of version 3.2.2
https://github.com/oauthlib/oauthlib/blob/v3.2.2/CHANGELOG.rst
Reference :
https://nvd.nist.gov/vuln/detail/CVE-2022-36087
Upstream fix :
2e40b412c8
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add an upstream patch that's not part of any release yet that addresses
an issue with python 3.10 (related to a missing macro).
Link: https://github.com/pybluez/pybluez/issues/426
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In order to fix the dependency issue on PIL module, python3-pillow is required.
Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4e70a1960)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There are packages missing in RDEPENDS needed to run speedtest-cli. Add
them and use += for the assignment as we don't know what inherited
classes may have added.
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3413265185)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
sip/cpp/sip_corewxWindow.cpp requires gdk/gdkx.h which wont be built
when gtk is built without x11, therefore require x11 when building this
recipe, if gdkx.h is removed form includes then it fails
../../../../sip/cpp/sip_corewxWindow.cpp:56:16: error: unknown type name 'XID'
static XID GetXWindow(const wxWindow* wxwin) {
^
../../../../sip/cpp/sip_corewxWindow.cpp:59:28: error: use of undeclared identifier 'GDK_WINDOW_XID'
return GDK_WINDOW_XID(gtk_widget_get_window((wxwin)->m_wxwindow));
^
../../../../sip/cpp/sip_corewxWindow.cpp:64:28: error: use of undeclared identifier 'GDK_WINDOW_XID'
return GDK_WINDOW_XID(gtk_widget_get_window((wxwin)->m_widget));
^
so it is using it and will need some work to get it going without x11
until then disable building it on non-x11 distros
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Robert Yang <liezhi.yang@windriver.com>
(cherry picked from commit e347168b10)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
==========
Fixed an error in the Qt brain when building instance_attrs.
Fixed a crash in the gi brain.
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 890bf7dffe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
changelog:
-Bug Fixes
Fixed value for ansi.Bg.YELLOW.
Fixed unit tests for ansi.allow_style.
-Enhancements
async_alert() raises a RuntimeError if called from the main thread.
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <tvgamblin@gmail.com>
Upgrade to release 3.15.0:
- Allow passing a dict to fields.Nested
- Address distutils deprecation warning in Python 3.10
- Add py310 to black target-version
- Drop support for Python 3.6
- Use postponed evaluation of annotations
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <tvgamblin@gmail.com>
Upgrade to release 8.14.0:
- C implementation: allow partial decoding of truncated data
- Python implementation: allow partial decoding of truncated data
- fix segmentation faults on CI
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <tvgamblin@gmail.com>
Backport patch from upstream for python3-blivetgui to use symbolic
list-add and edit- icons that Adwaita dropped old ones.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <tvgamblin@gmail.com>
License-Update: type of file changed
"ASCII text, with CRLF line terminators" -> "ASCII text"
changelog:
===============================================================================
Bug fixes:
-Mitigated the coveralls HTTP status 422 by pinning coveralls-python to <3.0.0 .
-Fixed issues raised by new Pylint 2.9 and 2.10.
-Fixed a dependency error that caused importlib-metadata to be installed on
Python 3.8, while it is included in the Python base.
-Disabled new Pylint issue 'consider-using-f-string', since f-strings were
introduced only in Python 3.6.
-Fixed install error of wrapt 1.13.0 on Python 2.7 on Windows due to lack of
MS Visual C++ 9.0 on GitHub Actions, by pinning it to <1.13.
-Fixed potential issue with Sphinx/docutils versions on Python 2.7.
-Fixed error when installing virtualenv in install test on Python 2.7.
-Fixed that the added setup.py commands (test, leaktest, installtest) were not
displayed. They are now displayed at verbosity level 1 (using '-v').
Enhancements:
-Enhanced test matrix on GitHub Actions to always include Python 2.7 and
Python 3.4 on Ubuntu and Windows, and Python 2.7 and Python 3.5 on macOS.
-Support for Python 3.10: Added Python 3.10 in GitHub Actions tests, and in
package metadata.
Cleanup:
-Removed old tools that were needed for travis and Appveyor but no longer on
GitHub Actions: remove_duplicate_setuptools.py, retry.bat
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <tvgamblin@gmail.com>
