If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment variables.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-6075
Upstream-patch:
892747b4cf
(From OE-Core rev: 9a7f33d85355ffbe382aa175c04c64541e77b441)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Drop upstreamed patch and refresh remaining patches.
Release information:
* https://www.python.org/downloads/release/python-31019/
* The release you're looking at is Python 3.10.19, a security bugfix
release for the legacy 3.10 series.
Handles CVE-2025-59375, CVE-2025-47273 and CVE-2024-6345.
(From OE-Core rev: 9b3dbd691f6ebdbdfe88cef3d3a676ddd1399c63)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194
(From OE-Core rev: 4ae9daf3d05530952a8b002257dd9afda2e077e4)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Drop upstreamed patch and refresh remaining patches.
* https://www.python.org/downloads/release/python-31017/
Security content in this release
* gh-131809: Upgrade vendored expat to 2.7.1
* gh-80222: Folding of quoted string in display_name violates RFC
* gh-121284: Invalid RFC 2047 address header after refolding with
email.policy.default
* gh-131261: Update libexpat to 2.7.0
* gh-105704: CVE-2025-0938 urlparse does not flag hostname containing
[ or ] as incorrect
* gh-119511: OOM vulnerability in the imaplib module
* https://www.python.org/downloads/release/python-31018/
Security content in this release
* gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
[CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
tarfile extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
* gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
non-“strict” error handler.
* gh-128840: Short-circuit the processing of long IPv6 addresses early
in ipaddress to prevent excessive memory consumption and a minor
denial-of-service.
gh-133767 got meawhile CVE-2025-4516 assigned.
(From OE-Core rev: 838a8b5ca148dfa6c6c2c76f1705d1e358a31648)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit mentioned in NDV CVE report
b8b4b713c5
which is on 3.10 branch.
(From OE-Core rev: 70036b4ea0ab968adab82fc632bb967f95203de2)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Handles CVE-2024-50602, CVE-2024-11168 and CVE-2024-9287.
(From OE-Core rev: 5a611fbbdb3e373d379f922ffc5606ff70279831)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream-Status: Backport from b2f11ca766
Upstream-Status: Backport from 743acbe872
(From OE-Core rev: 3e5697687c8fb0aa6312773b233442b8df974feb)
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
[YOCTO #14933]
test_storlines is yet another Python ptest that fails intermittently on
the Yocto AB, so disable it during ptests for now.
(From OE-Core rev: b71d5ec10f8e64fc6102c66dfc36151f2b0b3c86)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d7b9f8157e6214a83b5495e8a32e11540ae65ff8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Wes Tarro <wes.tarro@azuresummit.com> noticed a missing comma in a
preplace() call, add it.
That said, calling replace() with one argument results in a TypeError,
so this is obviously dead code.
(From OE-Core rev: 3a79a210665efae1af6d68e9e923a739c82d800e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9b2e2c8d809e7ca34451ec9702b029a00dfb410b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Security and bug fixes.
Drop patch for CVE-2022-42919 and CVE-2022-37454 which were merged in 3.10.9
Fixes:
* CVE-2022-45061 (gh-98433)
https://nvd.nist.gov/vuln/detail/CVE-2022-45061
List of changes:
https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-9-final
(From OE-Core rev: f98b9c71686eb5ce5115ee73155a7d0389831ef0)
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes CVE-2022-37460. Also add patch to fix CVE-2022-37454.
(From OE-Core rev: b446dd69b79783ea232514e1c5212595ec28e553)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Check if the module object has attribute '__file__' to fix and
avoid errors like:
AttributeError: module '_abc' has no attribute '__file__'. Did you mean: '__name__'?
(From OE-Core rev: 1684457df9fb7029a276df4438c8fc4a17e3e1e9)
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 8acce12c1a4cf37ac312c92d62a6ae93a349dddf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds a backport patch that fixes a problem in subinterpreters related
to the garbagecollector. Without the patch, there are random segfaults in
several Kodi addons that use python3-sqlite3. Presumably there are real world
issues in other programs as well.
(From OE-Core rev: 39d57ef7e341a048b94bc5dd9c29d58f57e06f19)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The native path may be too big, leading to shebang
overflow. Just use the #!/usr/bin/env python3.
(From OE-Core rev: 8a86bd88f0b46b0f413b98df20891cb9aa84c271)
Signed-off-by: Paulo Neves <ptsneves@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 84783dee09e48cb930c7cd27944eaf3f03997237)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are two issues inside importlib. Firstly, the modules are accessed in
on disk order. This means behaviour seen on one system might not reproduce
on another and is a real headache.
Secondly, empty directories left behind by previous modules might be looked
at. This has caused a long string of different issues for us.
As a result, patch this to a behaviour which works for us. Upstream discussion
can follow later, this is breaking builds for too many people to leave unpatched.
[YOCTO #14816]
(From OE-Core rev: cdb6879b49d4f6dc2bea8ff064a5b1e62db34781)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5944a38db513e033c3a3e9313267055f7254be7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The setuptools version is now used by default when setuptools is installed,
but it is incompatible with some of python's own tests.
(From OE-Core rev: 8e34686911269e461dc646068f7a4d7c0e5da53f)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c0c1ee33781733d712cd983be460001cd7938014)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This was a long standing problem seen on aarch64 build hosts when
compiling python3 with clang cross compiler. The issue is not seen with
gcc because native glibc headers are still compatible with gcc cross compiler
(From OE-Core rev: 407744b00d702e3133304e1b43064a5634ca02cf)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Ross Burton <ross.burton@arm.com>
Cc: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: copyright years
(From OE-Core rev: d6515a7f58d0405efea21e3be4158681ed9edbe6)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
pthread has been merged into the main libc library
(and was never separate in musl), so separate linking
for it is no longer needed.
I ran the reproducing sequence on qemux86, qemux86_64 and same targets with musl,
and it went fine:
root@qemux86:~# python3
Python 3.10.0 (default, Oct 4 2021, 17:55:55) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import multiprocessing
>>> pool_sema = multiprocessing.BoundedSemaphore(value=1)
>>> pool_sema.acquire()
True
>>> pool_sema.release()
>>>
(From OE-Core rev: 2eabd3b611f4afa5eafa4490b6b0ef7578b742de)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The test suite makes incorrect assumptions about OpenSSL versions post-
3.0, so backport the fix for the test suite.
(From OE-Core rev: 2b5e9cfd2c1914d606725029c59cd50cca3d5511)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Our patched python3-config uses distutils, but that will emit a
DeprecationWarning when imported. This isn't useful when using the
output of python3-config to find include paths.
This isn't a huge problem typically as the warning goes to stderr, but
some build systems read both stdout and stderr.
(From OE-Core rev: e25b8f5af70a094307dc5c0a25f213ae9570f349)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
native and target 0001-Lib-sysconfig.py-use-libdir-values-from-configuratio.patch
replaced by native-only 0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch
which is more reboust against upstream changes, and keeps target code unmodified.
This however necessitated adding 0001-sysconfig.py-use-platlibdir-also-for-purelib.patch
to avoid hardcoding 'lib' on target builds as libdir.
Drop chunk from 0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch as
upstream now uses sysconfig directly inside distutils.
Add 0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch and
0001-multiprocessing-disable-a-failing-test.patch to address ptest failures.
License-Update: copyright years, case corrections.
(From OE-Core rev: 72a75043a946f7db01d3ec04c8889e055f542cca)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes the reformatting of the sysconfigdata to be reproducible in the
sysroot as well as in the package. During this a bug was uncovered in
the way that the data was reformatted where it appears that python
cannot parse a single line of code over 40000 characters. To work around
this, pass a maximum with of "1" to pprint instead of sys.maxsize which
will cause it to wrap as often as possible and should keep it
reproducible.
(From OE-Core rev: 2def2c145c303f27d93ba73876d4c6b214f18166)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a fix for reproducibility issues where pyc files for python-config.py
may not always be generated.
(From OE-Core rev: d1c3a87c48b598b6e5624d0affe8bd89320631bf)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-Makefile-fix-Issue36464-parallel-build-race-problem.patch
removed since it is included in 3.9.6
(From OE-Core rev: 1a12d978f2046fc5d3abc96db3753e378f29ecae)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cpython/Lib/statistics.py contains common statistics functions
"""
Basic statistics module.
This module provides functions for calculating statistics of data, including
averages, variance, and standard deviation.
"""
(From OE-Core rev: cf1c49fea90e11bc037025e15e44f705a12385bf)
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The imp module has een deprecated by upstream python, drop its usage
(imp.get_tag) in favor of sys.implementation.cache_tag.
Avoid incorrectly getting dependencies for running script and
multiprocessing module.
Improve logging behavior of the create_manifest task:
- Use indentation.
- Logs on temp directory.
- Use a proper debug flag.
- Standarize syntax.
(From OE-Core rev: a3ac339f5b8549a050308ba94c4ef9093f10e303)
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Skip tests until load issue is fixed,
most commonly seen on the arm64 builder.
[YOCTO #14296]
(From OE-Core rev: 7c67bc2476b784083acbc7a55ecf3627ec8f2b6b)
Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* it was changed from sysconf_dis to mods_disabled in:
https://git.openembedded.org/openembedded-core/diff/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch?id=7347556b18b45c5f9afc2cade565a75c95876914
but unfortunately this doesn't work as mods_disabled set by remove_configured_extensions
can contain only extensions which were disabled, as this list:
self.extensions: ['_struct', 'array', '_contextvars', 'math', 'cmath', 'time', '_datetime', '_zoneinfo', '_random', '_bisect', '_heapq', '_pickle', 'atexit', '_json', '_lsprof', 'unicodedata', '_opcode', '_asyncio', '_abc', '_queue', '_statistics', 'fcntl', 'pwd', 'grp', 'spwd', 'select', 'parser', 'mmap', 'syslog', '_xxsubinterpreters', 'audioop', '_csv', '_posixsubprocess', '_testcapi', '_testinternalcapi', '_testbuffer', '_testimportmultiple', '_testmultiphase', '_xxtestfuzz', '_curses', '_curses_panel', '_crypt', '_socket', '_ssl', '_hashlib', '_sha256', '_sha512', '_md5', '_sha1', '_blake2', '_sha3', '_sqlite3', 'termios', 'resource', 'ossaudiodev', 'nis', 'zlib', 'binascii', '_bz2', '_lzma', 'pyexpat', '_elementtree', '_multibytecodec', '_codecs_kr', '_codecs_jp', '_codecs_cn', '_codecs_tw', '_codecs_hk', '_codecs_iso2022', '_decimal', '_ctypes_test', '_posixshmem', '_multiprocessing', '_uuid', 'xxlimited', '_ctypes']
while PACKAGECONFIG in python3 usually uses this to disable _dbm, _gdbm or runtime modules.
* without this change the do_install will fail (based on check_build_completeness.py log.do_compile) with:
| ERROR: Execution of '/OE/build/oe-core/tmp-glibc/work/x86_64-linux/python3-native/3.9.0-r0/temp/run.do_install.69743' failed with exit code 1:
| The necessary bits to build these optional modules were not found:
| _dbm _gdbm readline
(From OE-Core rev: fa5243693e35e1e0dc3247e2178f181051f68e77)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: ad6b184b5a87b8bcdd5e28f19be841a78f5e51df)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the python3-manifest to match the files installed by the
new version of python3.
- Kept tkinter the way it was although tk isnt part of OE-Core
- Made typing part of python3-core
- Update other packages with new dependencies such as filecmp and dataclasses.
(From OE-Core rev: 5933d7bae8103eaad5b204438704ea04ebc0d291)
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alhe@linux.microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop 0001-Do-not-hardcode-lib-as-location-for-site-packages-an.patch,
0001-configure.ac-fix-LIBPL.patch and 0001-python3-Do-not-hardcode-lib-for-distutils.patch
as they are all replaced by the new --platlibdir option to ./configure
Rename 0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch to
0001-Lib-sysconfig.py-use-libdir-values-from-configuratio.patch
and describe the changes better.
License-Update: documentation now dual license under PSF & BSD
(not relevant for the recipe.
(From OE-Core rev: 7347556b18b45c5f9afc2cade565a75c95876914)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
