diff options
Diffstat (limited to 'dev-python')
-rw-r--r-- | dev-python/Manifest.gz | bin | 260391 -> 260389 bytes | |||
-rw-r--r-- | dev-python/future/Manifest | 3 | ||||
-rw-r--r-- | dev-python/future/files/future-0.18.2-cve-2022-40899.patch | 52 | ||||
-rw-r--r-- | dev-python/future/future-0.18.2-r3.ebuild (renamed from dev-python/future/future-0.18.2-r2.ebuild) | 11 | ||||
-rw-r--r-- | dev-python/pipenv/Manifest | 2 | ||||
-rw-r--r-- | dev-python/pipenv/pipenv-2022.11.30.ebuild | 111 |
6 files changed, 176 insertions, 3 deletions
diff --git a/dev-python/Manifest.gz b/dev-python/Manifest.gz Binary files differindex 5d65da215030..81cbb7d2fdd3 100644 --- a/dev-python/Manifest.gz +++ b/dev-python/Manifest.gz diff --git a/dev-python/future/Manifest b/dev-python/future/Manifest index 5dced2f17c48..da0426ba4f36 100644 --- a/dev-python/future/Manifest +++ b/dev-python/future/Manifest @@ -1,7 +1,8 @@ +AUX future-0.18.2-cve-2022-40899.patch 2057 BLAKE2B 3ceaac51709be84a594474a35b8cb688c7e4382c7e625f328aa891c7f788efffba093daeff6551567425e7b9b2d1a4a5ed70df99dd5a6d0666bbc9915f72972f SHA512 7bd6743680ed69326eefd61ae517ebacebe2b175879367a66a1fa9729f75f77e2c632c3c50f64be197e71d09446a4ad01b733b15dc3508466ebd0cf06d7b6734 AUX future-0.18.2-py3.10.patch 850 BLAKE2B 79c51778686c03a0b2fa6ed084b38039d9e5c14312cbf534da51a9da66e8fb50f0b619912414439f9975db43d5686e80150e82642d64963d16384fce339a09d4 SHA512 438e7092c4e9ece575e1d4cb341e52e45d6506fed348511266b7a583731516ad5e5eac43bc8b81ff7a24e29a8495612f5bbcb0984f6e428dee2b7dcfbf241ae2 AUX future-0.18.2-py39-fileurl.patch 1005 BLAKE2B 9446c90649e5c06c1d603041c07e81ca96ea982fcf6ac9d7aaf48141015574ca2f81bd4da02c994e41ce96ef2e37290ae45f4ec70e332632e7086d08ce2feca0 SHA512 7d469a212b36828d20f65964aa52db30ab2c82f92b4411d39de054ba6ea7b7860413609b426f3f30dcc715be517e25e99f2b8afc05cc629c9a8e149fee2421b4 AUX future-0.18.2-py39.patch 2789 BLAKE2B db6c0cb0a030d166f01b95721e560d346f8a80ec63f81c58e5fca663f975b8f8f771d169742a421c34c08b0de01069bb5455b5fafdab440af6e73746df0bb24c SHA512 7bb140d526d2e728d5a988898977e8bf87934f68c42a38f97717b3e5fc040ddc736cdb2b366a8dbbb95c857bffee9f448ff1883dff9c61cb46582d3a01aad65f AUX future-0.18.2-tests.patch 11773 BLAKE2B e2b9321ab2a04e4567c312beaccd23886c87f8b78c1de5d480205181a68b77d8c8b1582a57f43e510d5cd3ecc54252bb85130fe6d7e82756c9f1db11263fdf7b SHA512 d884d6b4e320a6e2aeca2c0c46576d9b0fd0d31aaa6f8f9a79f2007ecbc949f1393aa0b9254f0c51616ca4e8d3fb3f11d828879e4e8c01549acd4ecf04e2cf68 DIST future-0.18.2.tar.gz 829220 BLAKE2B 68574b589bf54aa8dacbd162a54885589faa32829ccf212f50de5bf036ebd8b9aba0c13e63e80d34e507cc0dae4d8d3d47fea33433b17d2c2e6dbf6c37f66d8f SHA512 91c025f7d94bcdf93df838fab67053165a414fc84e8496f92ecbb910dd55f6b6af5e360bbd051444066880c5a6877e75157bd95e150ead46e5c605930dfc50f2 -EBUILD future-0.18.2-r2.ebuild 1144 BLAKE2B 7d7adc1e620acaa1c194eb0aad0e647aa80a8a23e8611a6fc777e548d6a8fbcd9294e255564a11a6f1dc2b1e6d2045707494ee97d493d5f31f3b9a29764984ad SHA512 38bd9df88bc0545daac2649effa4db53dd33d1c6d1d83811644fad550ac199472496c5e98dd6040e2d6f0684ef5f9e1af571bc20f18ca15e62f87ff0fba4fffc +EBUILD future-0.18.2-r3.ebuild 1274 BLAKE2B 57a0354a45b53c29d40d10d1a91104d15a175ab771c581273adc978f36ccbe02cff3ab89b2f2e6e374f820c25f7bcf3b63f1095f4cacab6e0ffc32e17f80e91a SHA512 8dc72d2e520ac0d322cb5a8d85506c804a64d9e51ef945e3cf4279e63600c23abbc5cb0204bf88fc8b229fa76088a627a355a0e932e232f830a20a03a84d6d94 MISC metadata.xml 402 BLAKE2B 84957a57a39c658794b57e41e2e683d826a6e5b7e1006f0430034a29b82d12f2983b021c63e9d519fe6ea21a90f30822b5561001c7e9283ea770fedb1d40ad9c SHA512 e1a2dfb08304d2cd0751dbde1e1410be0805493bf7624db17b3631dc10051fb443758a0c750ced2846a2769a3d33da752002ad7e92f95d88b4060f7a8be995bd diff --git a/dev-python/future/files/future-0.18.2-cve-2022-40899.patch b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch new file mode 100644 index 000000000000..c7341e0d6fdb --- /dev/null +++ b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch @@ -0,0 +1,52 @@ +From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001 +From: Will Shanks <wshaos@posteo.net> +Date: Fri, 23 Dec 2022 13:38:26 -0500 +Subject: [PATCH] Backport fix for bpo-38804 + +The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular +expression denial of service (REDoS). The regex contained multiple +overlapping \s* capture groups. A long sequence of spaces can trigger +bad performance. + +See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ +--- + src/future/backports/http/cookiejar.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py +index af3ef415..0ad80a02 100644 +--- a/src/future/backports/http/cookiejar.py ++++ b/src/future/backports/http/cookiejar.py +@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz): + (?::(\d\d))? # optional seconds + )? # optional clock + \s* +- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone ++ (?: ++ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone ++ \s* ++ )? ++ (?: ++ \(\w+\) # ASCII representation of timezone in parens. + \s* +- (?:\(\w+\))? # ASCII representation of timezone in parens. +- \s*$""", re.X | re.ASCII) ++ )?$""", re.X | re.ASCII) + def http2time(text): + """Returns time in seconds since epoch of time represented by a string. + +@@ -298,9 +302,11 @@ def http2time(text): + (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional) + )? # optional clock + \s* +- ([-+]?\d\d?:?(:?\d\d)? +- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT) +- \s*$""", re.X | re. ASCII) ++ (?: ++ ([-+]?\d\d?:?(:?\d\d)? ++ |Z|z) # timezone (Z is "zero meridian", i.e. GMT) ++ \s* ++ )?$""", re.X | re. ASCII) + def iso2time(text): + """ + As for http2time, but parses the ISO 8601 formats: diff --git a/dev-python/future/future-0.18.2-r2.ebuild b/dev-python/future/future-0.18.2-r3.ebuild index 1558c0ea92ce..a05bf7f207d5 100644 --- a/dev-python/future/future-0.18.2-r2.ebuild +++ b/dev-python/future/future-0.18.2-r3.ebuild @@ -5,10 +5,15 @@ EAPI=8 DISTUTILS_USE_PEP517=setuptools PYTHON_COMPAT=( python3_{8..11} pypy3 ) + inherit distutils-r1 DESCRIPTION="Easy, clean, reliable Python 2/3 compatibility" -HOMEPAGE="https://python-future.org/" +HOMEPAGE=" + https://python-future.org/ + https://github.com/PythonCharmers/python-future/ + https://pypi.org/project/future/ +" SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz" LICENSE="MIT" @@ -20,7 +25,8 @@ BDEPEND=" $(python_gen_cond_dep ' dev-python/numpy[${PYTHON_USEDEP}] ' 'python*') - )" + ) +" distutils_enable_tests pytest distutils_enable_sphinx docs dev-python/sphinx-bootstrap-theme @@ -30,6 +36,7 @@ PATCHES=( "${FILESDIR}"/${P}-py39.patch "${FILESDIR}"/${P}-py39-fileurl.patch "${FILESDIR}"/${P}-py3.10.patch + "${FILESDIR}"/${P}-cve-2022-40899.patch ) EPYTEST_DESELECT=( diff --git a/dev-python/pipenv/Manifest b/dev-python/pipenv/Manifest index a6d14db2a3e3..af3ae87705ea 100644 --- a/dev-python/pipenv/Manifest +++ b/dev-python/pipenv/Manifest @@ -1,4 +1,6 @@ AUX pipenv-2022.9.24-inject-site-packages.patch 1155 BLAKE2B 61f296dd1f8168b86f17a55359c75febfc02807dd97c750217b46bd017b7bf73cf6fde0fcd2afa95908bd3e1cd7b50f626459f1a19f47b1c34ecdbea39fcfb7c SHA512 3a26ce6217fbf86eda1bb8266928dffe5fc1a55e4f7b66d0ade5ea31deff9cb68427f424995e4c8d402737e90ca9358a3a00364a4167667fae9a4bd018100ebc +DIST pipenv-2022.11.30.gh.tar.gz 11120234 BLAKE2B 3d33475932a59dfb862869becb792aea420b8c9fffd9179866dc01eb5e0b2ba77a23c5de8be5570f9ed2e46f098bc000173d74766d42953f93ab2439c20d7f2c SHA512 a44409d41196388b05f2b9620b9d0f45f4af7f244f8243143278b62560e54063574670356e141e07807b56b1181ad27f701f84b91bc045bf47b5701455b36c66 DIST pipenv-2022.9.24.gh.tar.gz 11543711 BLAKE2B e875068383c8ca55864bfcb53288ae9a02adc578c09ad7392bf50a7ebe07e2eb5944bc225cfefad2ca8265d8dcbb17af96b34e8c0fd51a709921148207021f2b SHA512 d29a728d914d8c762469fd2d72de7be41050165b4587c3304ebc03235a1946967f78473651e1834e5a69a35395d0cf9087e1515fd746450057774fc22e61e092 +EBUILD pipenv-2022.11.30.ebuild 4298 BLAKE2B 48765d4f94f1e22aaaaf15abbe3bc0258a76b7b0dff137debe44a714c699462cff9e55ce7f4086650745519d1bb918aca5a56829860718c1c261eddf02859df5 SHA512 52606570f856b91dd5fd900f97ee842f143af4008cf79def3297fb2229f72eb99de5939a822fd13fd436d352b5d71506c3890ec913e955964468f02353fce0f6 EBUILD pipenv-2022.9.24-r1.ebuild 3137 BLAKE2B 5beb68c4ca7aad9d8d8c5f17dc09b7e8078a26357618c5fd7044b0107b77c5adf1983592ddeac79b98224f0cdc5ad3a39123e155a354fe1d57c264681a8b36bb SHA512 500e4bd9b9c5ff6359fd46c99a3c635827bc1ff7e6d0e4de19aa3ca62b4b92d260b9c04a3bb187ac158c1c322b361974ed7a237ddae055a995d08b1debed967c MISC metadata.xml 643 BLAKE2B ff3557d9ae32b553c85455436683e2ca94bc16c6ec7c6d2ceb1113a69dc841b9ac2f0e4b96eec4c6c84ca899ad6a99b0747d7bf3f9289110a8bbdfb80f2cb2eb SHA512 7a611950572c2d700fb1680e0aa307069d80d992528144da781eca9f1fee729defa6f8b28382ddd8f66e58c5f68de9a17815989a4a39473bbf830a7be42ea282 diff --git a/dev-python/pipenv/pipenv-2022.11.30.ebuild b/dev-python/pipenv/pipenv-2022.11.30.ebuild new file mode 100644 index 000000000000..a398ffb770a3 --- /dev/null +++ b/dev-python/pipenv/pipenv-2022.11.30.ebuild @@ -0,0 +1,111 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DISTUTILS_USE_PEP517=setuptools +PYTHON_COMPAT=( python3_{8..11} ) + +inherit distutils-r1 multiprocessing + +MY_PV=${PV/_beta/b} +DESCRIPTION="Python Development Workflow for Humans" +HOMEPAGE="https://github.com/pypa/pipenv https://pypi.org/project/pipenv/" +SRC_URI="https://github.com/pypa/pipenv/archive/v${MY_PV}.tar.gz -> ${P}.gh.tar.gz" +S="${WORKDIR}"/${PN}-${MY_PV} + +LICENSE="MIT" +SLOT="0" +KEYWORDS="~amd64 ~riscv ~x86" + +PATCHES=( + "${FILESDIR}/pipenv-2022.9.24-inject-site-packages.patch" +) + +RDEPEND=" + dev-python/attrs[${PYTHON_USEDEP}] + >=dev-python/cerberus-1.3.2[${PYTHON_USEDEP}] + dev-python/click[${PYTHON_USEDEP}] + >=dev-python/colorama-0.4.4[${PYTHON_USEDEP}] + >=dev-python/markupsafe-2.0.1[${PYTHON_USEDEP}] + >=dev-python/pexpect-4.8.0[${PYTHON_USEDEP}] + >=dev-python/ptyprocess-0.7.0[${PYTHON_USEDEP}] + dev-python/pyparsing[${PYTHON_USEDEP}] + >=dev-python/python-dateutil-2.8.2[${PYTHON_USEDEP}] + >=dev-python/python-dotenv-0.21.0[${PYTHON_USEDEP}] + >=dev-python/virtualenv-20.0.35[${PYTHON_USEDEP}] + dev-python/virtualenv-clone[${PYTHON_USEDEP}] + >=dev-python/requests-2.26.0[${PYTHON_USEDEP}] + dev-python/ruamel-yaml[${PYTHON_USEDEP}] + dev-python/tomlkit[${PYTHON_USEDEP}] +" + +BDEPEND=" + ${RDEPEND} + test? ( + dev-python/flaky[${PYTHON_USEDEP}] + dev-python/mock[${PYTHON_USEDEP}] + dev-python/pytz[${PYTHON_USEDEP}] + ) +" + +distutils_enable_tests pytest + +# IMPORTANT: The following sed command patches the vendor direcotry +# in the pipenv source. Attempts to simply bump the version of the +# package without checking that it works is likely to fail +# The vendored packages should eventually all be removed +# see: https://bugs.gentoo.org/717666 +src_prepare() { + local pkgName + local jobs=$(makeopts_jobs) + local packages=( attr attrs cerberus click colorama dotenv markupsafe \ + pexpect ptyprocess pyparsing requests urllib3 tomlkit ) + for pkgName in ${packages[@]}; do + find ./ -type f -print0 | \ + xargs --max-procs="${jobs}" --null \ + sed --in-place \ + -e "s/from pipenv.vendor import ${pkgName}/import ${pkgName}/g" \ + -e "s/from pipenv.vendor.${pkgName}\(.*\) import \(\w*\)/from ${pkgName}\1 import \2/g"\ + -e "s/import pipenv.vendor.${pkgName} as ${pkgName}/import ${pkgName}/g" \ + -e "s/from .vendor import ${pkgName}/import ${pkgName}/g" || die "Failed to sed for ${pkgName}" + done + + distutils-r1_src_prepare + + # remove vendored versions + for pkgName in ${packages[@]}; do + find ./pipenv/vendor -regextype posix-extended -regex ".*${pkgName}$" -prune -exec rm -rvf {} + || die + # package names can be foo-bar, their module will be however foo_bar + find ./pipenv/vendor -regextype posix-extended -regex ".*${pkgName/_/-}" -prune -exec rm -rvf {} + || die + done + + find ./pipenv/vendor -regextype posix-extended -regex '.*cached[_-]property.*' -prune -exec rm -rvf {} + || die + + find ./ -type f -print0 | \ + xargs --max-procs="${jobs}" --null \ + sed --in-place \ + -e "s/from pipenv\.vendor import plette, toml, tomlkit, vistir/from pipenv\.vendor import plette, toml, vistir\\nimport tomlkit/g" + + # remove tomlkit from vendoring + for fname in pipenv/utils/toml.py tests/integration/conftest.py; do + sed --in-place -e "s/from pipenv\.vendor import toml, tomlkit/from pipenv\.vendor import toml\\nimport tomlkit/g" $fname || die "Failed sed in $fname" + done + #for fname in "tests/unit/test_vendor.py "; do + # sed --in-place -e "s/from pipenv\.vendor import tomlkit/import tomlkit/g" $fname || die "Failed sed in tomlkit" + #done + # remove python ruaml yaml + sed --in-place -e "s/from pipenv\.vendor\.ruamel\.yaml import YAML/from ruaml\.yaml import YAML/g" pipenv/patched/safety/util.py || die "Failed sed in ruaml-yaml" + sed --in-place -e "s/from pipenv\.vendor\.ruamel\.yaml\.error import MarkedYAMLError/from ruaml\.yaml\.error import MarkedYAMLError/g" pipenv/patched/safety/util.py || die "Failed sed in ruamel-yaml" + + rm -vR pipenv/vendor/ruamel || die "Failed removing ruamel-yaml from vendor" + + for fname in Makefile README.md README.rst ruamel.*.LICENSE vendor.txt; do + rm -v pipenv/vendor/$fname || die "Failed removing pipenv/vendor/$fname" + done + +} + +python_test() { + epytest -m "not cli and not needs_internet" tests/unit/ +} |