From 1cf3f23200484257eaf7d863e323e7e9aee98d2b Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sat, 24 Dec 2022 08:01:36 +0000
Subject: gentoo auto-resync : 24:12:2022 - 08:01:36
---
 dev-python/future/Manifest | 3 +-
 .../files/future-0.18.2-cve-2022-40899.patch | 52 ++++++++++++++++++++++
 dev-python/future/future-0.18.2-r2.ebuild | 40 -----------------
 dev-python/future/future-0.18.2-r3.ebuild | 47 +++++++++++++++++++
 4 files changed, 101 insertions(+), 41 deletions(-)
 create mode 100644 dev-python/future/files/future-0.18.2-cve-2022-40899.patch
 delete mode 100644 dev-python/future/future-0.18.2-r2.ebuild
 create mode 100644 dev-python/future/future-0.18.2-r3.ebuild
(limited to 'dev-python/future')
diff --git a/dev-python/future/Manifest b/dev-python/future/Manifest
index 5dced2f17c48..da0426ba4f36 100644
--- a/dev-python/future/Manifest
+++ b/dev-python/future/Manifest
@@ -1,7 +1,8 @@ +AUX future-0.18.2-cve-2022-40899.patch 2057 BLAKE2B 3ceaac51709be84a594474a35b8cb688c7e4382c7e625f328aa891c7f788efffba093daeff6551567425e7b9b2d1a4a5ed70df99dd5a6d0666bbc9915f72972f SHA512 7bd6743680ed69326eefd61ae517ebacebe2b175879367a66a1fa9729f75f77e2c632c3c50f64be197e71d09446a4ad01b733b15dc3508466ebd0cf06d7b6734 AUX future-0.18.2-py3.10.patch 850 BLAKE2B 79c51778686c03a0b2fa6ed084b38039d9e5c14312cbf534da51a9da66e8fb50f0b619912414439f9975db43d5686e80150e82642d64963d16384fce339a09d4 SHA512 438e7092c4e9ece575e1d4cb341e52e45d6506fed348511266b7a583731516ad5e5eac43bc8b81ff7a24e29a8495612f5bbcb0984f6e428dee2b7dcfbf241ae2 AUX future-0.18.2-py39-fileurl.patch 1005 BLAKE2B 9446c90649e5c06c1d603041c07e81ca96ea982fcf6ac9d7aaf48141015574ca2f81bd4da02c994e41ce96ef2e37290ae45f4ec70e332632e7086d08ce2feca0 SHA512 7d469a212b36828d20f65964aa52db30ab2c82f92b4411d39de054ba6ea7b7860413609b426f3f30dcc715be517e25e99f2b8afc05cc629c9a8e149fee2421b4 AUX future-0.18.2-py39.patch 2789 BLAKE2B db6c0cb0a030d166f01b95721e560d346f8a80ec63f81c58e5fca663f975b8f8f771d169742a421c34c08b0de01069bb5455b5fafdab440af6e73746df0bb24c SHA512 7bb140d526d2e728d5a988898977e8bf87934f68c42a38f97717b3e5fc040ddc736cdb2b366a8dbbb95c857bffee9f448ff1883dff9c61cb46582d3a01aad65f AUX future-0.18.2-tests.patch 11773 BLAKE2B e2b9321ab2a04e4567c312beaccd23886c87f8b78c1de5d480205181a68b77d8c8b1582a57f43e510d5cd3ecc54252bb85130fe6d7e82756c9f1db11263fdf7b SHA512 d884d6b4e320a6e2aeca2c0c46576d9b0fd0d31aaa6f8f9a79f2007ecbc949f1393aa0b9254f0c51616ca4e8d3fb3f11d828879e4e8c01549acd4ecf04e2cf68 DIST future-0.18.2.tar.gz 829220 BLAKE2B 68574b589bf54aa8dacbd162a54885589faa32829ccf212f50de5bf036ebd8b9aba0c13e63e80d34e507cc0dae4d8d3d47fea33433b17d2c2e6dbf6c37f66d8f SHA512 91c025f7d94bcdf93df838fab67053165a414fc84e8496f92ecbb910dd55f6b6af5e360bbd051444066880c5a6877e75157bd95e150ead46e5c605930dfc50f2 -EBUILD future-0.18.2-r2.ebuild 1144 BLAKE2B 
7d7adc1e620acaa1c194eb0aad0e647aa80a8a23e8611a6fc777e548d6a8fbcd9294e255564a11a6f1dc2b1e6d2045707494ee97d493d5f31f3b9a29764984ad SHA512 38bd9df88bc0545daac2649effa4db53dd33d1c6d1d83811644fad550ac199472496c5e98dd6040e2d6f0684ef5f9e1af571bc20f18ca15e62f87ff0fba4fffc +EBUILD future-0.18.2-r3.ebuild 1274 BLAKE2B 57a0354a45b53c29d40d10d1a91104d15a175ab771c581273adc978f36ccbe02cff3ab89b2f2e6e374f820c25f7bcf3b63f1095f4cacab6e0ffc32e17f80e91a SHA512 8dc72d2e520ac0d322cb5a8d85506c804a64d9e51ef945e3cf4279e63600c23abbc5cb0204bf88fc8b229fa76088a627a355a0e932e232f830a20a03a84d6d94 MISC metadata.xml 402 BLAKE2B 84957a57a39c658794b57e41e2e683d826a6e5b7e1006f0430034a29b82d12f2983b021c63e9d519fe6ea21a90f30822b5561001c7e9283ea770fedb1d40ad9c SHA512 e1a2dfb08304d2cd0751dbde1e1410be0805493bf7624db17b3631dc10051fb443758a0c750ced2846a2769a3d33da752002ad7e92f95d88b4060f7a8be995bd diff --git a/dev-python/future/files/future-0.18.2-cve-2022-40899.patch b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch new file mode 100644 index 000000000000..c7341e0d6fdb --- /dev/null +++ b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch 
@@ -0,0 +1,52 @@
+From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001
+From: Will Shanks
+Date: Fri, 23 Dec 2022 13:38:26 -0500
+Subject: [PATCH] Backport fix for bpo-38804
+
+The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
+expression denial of service (REDoS). The regex contained multiple
+overlapping \s* capture groups. A long sequence of spaces can trigger
+bad performance.
+
+See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
+---
+ src/future/backports/http/cookiejar.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py
+index af3ef415..0ad80a02 100644
+--- a/src/future/backports/http/cookiejar.py
++++ b/src/future/backports/http/cookiejar.py
+@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz):
+ (?::(\d\d))? # optional seconds
+ )? # optional clock
+ \s*
+- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
++ (?:
++ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
++ \s*
++ )?
++ (?:
++ \(\w+\) # ASCII representation of timezone in parens.
+ \s*
+- (?:\(\w+\))? # ASCII representation of timezone in parens.
+- \s*$""", re.X | re.ASCII)
++ )?$""", re.X | re.ASCII)
+ def http2time(text):
+ """Returns time in seconds since epoch of time represented by a string.
+
+@@ -298,9 +302,11 @@ def http2time(text):
+ (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional)
+ )? # optional clock
+ \s*
+- ([-+]?\d\d?:?(:?\d\d)?
+- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT)
+- \s*$""", re.X | re. ASCII)
++ (?:
++ ([-+]?\d\d?:?(:?\d\d)?
++ |Z|z) # timezone (Z is "zero meridian", i.e. GMT)
++ \s*
++ )?$""", re.X | re. ASCII)
+ def iso2time(text):
+ """
+ As for http2time, but parses the ISO 8601 formats:
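Review bot: The backport rewrites both date regexes in `src/future/backports/http/cookiejar.py` but adds no regression test, so the pytest run the ebuild enables would not notice if a later rebase of this patch reintroduced the adjacent optional `\s*` runs. A small test that passes `http2time` and `iso2time` a date string padded with a long run of spaces, and asserts that the call returns promptly, would pin the fix. The timezone stays the same numbered capture group because it is wrapped in a non-capturing `(?: ... \s* )?`, so the group unpacking in `http2time` and `iso2time` should be unaffected. Both function bodies lie outside the hunks, so that is worth confirming against the full file.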
diff --git a/dev-python/future/future-0.18.2-r2.ebuild b/dev-python/future/future-0.18.2-r2.ebuild
deleted file mode 100644
index 1558c0ea92ce..000000000000
--- a/dev-python/future/future-0.18.2-r2.ebuild
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{8..11} pypy3 )
-inherit distutils-r1
-
-DESCRIPTION="Easy, clean, reliable Python 2/3 compatibility"
-HOMEPAGE="https://python-future.org/"
-SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux"
-
-BDEPEND="
- test? (
- $(python_gen_cond_dep '
- dev-python/numpy[${PYTHON_USEDEP}]
- ' 'python*')
- )"
-
-distutils_enable_tests pytest
-distutils_enable_sphinx docs dev-python/sphinx-bootstrap-theme
-
-PATCHES=(
- "${FILESDIR}"/${P}-tests.patch
- "${FILESDIR}"/${P}-py39.patch
- "${FILESDIR}"/${P}-py39-fileurl.patch
- "${FILESDIR}"/${P}-py3.10.patch
-)
-
-EPYTEST_DESELECT=(
- # tests requiring network access
- tests/test_future/test_requests.py
- tests/test_future/test_standard_library.py::TestStandardLibraryReorganization::test_moves_urllib_request_http
- tests/test_future/test_standard_library.py::TestStandardLibraryReorganization::test_urllib_request_http
-)
diff --git a/dev-python/future/future-0.18.2-r3.ebuild b/dev-python/future/future-0.18.2-r3.ebuild
new file mode 100644
index 000000000000..a05bf7f207d5
--- /dev/null
+++ b/dev-python/future/future-0.18.2-r3.ebuild
@@ -0,0 +1,47 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{8..11} pypy3 )
+
+inherit distutils-r1
+
+DESCRIPTION="Easy, clean, reliable Python 2/3 compatibility"
+HOMEPAGE="
+ https://python-future.org/
+ https://github.com/PythonCharmers/python-future/
+ https://pypi.org/project/future/
+"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux"
+
+BDEPEND="
+ test? (
+ $(python_gen_cond_dep '
+ dev-python/numpy[${PYTHON_USEDEP}]
+ ' 'python*')
+ )
+"
+
+distutils_enable_tests pytest
+distutils_enable_sphinx docs dev-python/sphinx-bootstrap-theme
+
+PATCHES=(
+ "${FILESDIR}"/${P}-tests.patch
+ "${FILESDIR}"/${P}-py39.patch
+ "${FILESDIR}"/${P}-py39-fileurl.patch
+ "${FILESDIR}"/${P}-py3.10.patch
+ "${FILESDIR}"/${P}-cve-2022-40899.patch
+)
+
+EPYTEST_DESELECT=(
+ # tests requiring network access
+ tests/test_future/test_requests.py
+ tests/test_future/test_standard_library.py::TestStandardLibraryReorganization::test_moves_urllib_request_http
+ tests/test_future/test_standard_library.py::TestStandardLibraryReorganization::test_urllib_request_http
+)
-- cgit v1.2.3
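Review bot: The new `"${FILESDIR}"/${P}-cve-2022-40899.patch` entry in `PATCHES` has no comment saying what it fixes or when it can be dropped, whereas `EPYTEST_DESELECT` just below explains its entries. A one-line comment above the entry would help the next version bump, e.g. `# CVE-2022-40899: ReDoS in backported http.cookiejar date regexes; drop once upstream ships the fix`. The revision also carries the stable `KEYWORDS` of -r2 unchanged. That looks deliberate for a security revbump, since -r2 is deleted in the same commit, but it is worth confirming the patched package was tested on the stable arches listed.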