From 9f6a82a85d400d6ae7de04c43cee88dbc6bc4da0 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Wed, 26 Jun 2024 00:12:24 +0100
Subject: gentoo auto-resync : 26:06:2024 - 00:12:24
---
dev-python/js2py/Manifest | 4 +-
.../js2py/files/js2py-0.74-CVE-2024-28397.patch | 21 ++++++++
.../js2py/files/js2py-0.74-py312-load_attr.patch | 57 ++++++++++++++++++++++
dev-python/js2py/js2py-0.74-r2.ebuild | 47 ++++++++++++++++++
dev-python/js2py/js2py-0.74.ebuild | 40 ---------------
5 files changed, 128 insertions(+), 41 deletions(-)
create mode 100644 dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
create mode 100644 dev-python/js2py/files/js2py-0.74-py312-load_attr.patch
create mode 100644 dev-python/js2py/js2py-0.74-r2.ebuild
delete mode 100644 dev-python/js2py/js2py-0.74.ebuild
(limited to 'dev-python/js2py')
diff --git a/dev-python/js2py/Manifest b/dev-python/js2py/Manifest
index 6704bc4fad61..cdbfe14ac320 100644
--- a/dev-python/js2py/Manifest
+++ b/dev-python/js2py/Manifest
@@ -1,3 +1,5 @@
+AUX js2py-0.74-CVE-2024-28397.patch 849 BLAKE2B feaa93b95dd0e25f91346257a151b8f00b6b1fd5ff6c97a9f2a6a55920c533cbf31277b4be87ee96e7efaf2898f635a3eb1d8ee23abc5c843a927771569f7c16 SHA512 539c763ba00f4d56490ac65d8d3cda52c5db0ef1b4a0193e95250847ee07a8829492e7358fd0b817c6be326ebeb9a0c5ba7328348483595cff6810b314f80670
+AUX js2py-0.74-py312-load_attr.patch 2542 BLAKE2B c5fa386e509f0040f6461a72d4a4fe0efc8d74ab2913ec399d688f8ac752d076f5e189d009b5d54347104c7ca7af6d11e4202a0e4be08e1c1753adc56ed7e0a1 SHA512 0d9d77461c3f95d561230473a83155ea7e202db2837dac0f989731dfe74d4c5d9bbbd625e6991ec30eadb6b6d6c16a4980ab3e17e189575bcaa431aac6492c3d
 DIST Js2Py-0.74.tar.gz 2504984 BLAKE2B 1e4f34ad94947118aeaf84ff438f9bec5b2a8ca3c722d907d3b8015acfcaafe1f229cfe401ae0f3d07c0f074ecf2f9ca3aeb94ef9c394b7ed6d90f1279c1ffa2 SHA512 cb2f42c2bec0c15dadc301ee0a7ac452cc8c4bba4669e95f1155863590d6d00781883b54d4dab755a0f66eb6e30990fedca732494b1f8b6c07dc29f5203a8c8c
-EBUILD js2py-0.74.ebuild 1000 BLAKE2B 44b679221947f130feaa0ad888cc4d006af45b7ad785e12b0386b117ae0c2a93e1ab5a0ad864ac85c76921f32f866c331557d01b87324c2462297a562bf65ffd SHA512 a86a708b0654a5b6fada0734a43243e31207175ca644474e8c66ff919fc26ee1684c8fccadfc0ba2b85b51c7145f02286492cfdac25c416746f334acfd730c39
+EBUILD js2py-0.74-r2.ebuild 1176 BLAKE2B 53c0a1993f1119db6e194e1526f4aad6eed0fc38d111d8c6137b6e9de6267547a22178577d77c8e61a288fdfb96c11f853303bffaaa0e6a3c1dcf57ffa6e5bed SHA512 e31922cba4fd5ab14bd92052d6f563acdba5c7c89f37eade072b2a186f475814f4a491226c7405311ea728a9e49263c74ab66bb4de2a734f7982e4540b57dc87
 MISC metadata.xml 385 BLAKE2B 145afe58273b407d1ba1f3859de0d79a3bdd4307575d043a8b574a8bac26c2d577efec841c6c3a9424ca7970dac33517df48c0f287c18bf4e1cc5faa5125ba6e SHA512 7e48c836578bcbb4abf0d99f0f2b870ab15158f05d5c402e2d84c9f9de7d2c994127eba26897e406b6c7d77c962867d39a37bf7ce78ca09d39b78d64f9d8d68d
diff --git a/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch b/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
new file mode 100644
index 000000000000..c8ecfab22485
--- /dev/null
+++ b/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
@@ -0,0 +1,21 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2024-28397
+# https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/patch.txt
+# https://github.com/PiotrDabkowski/Js2Py/pull/323
+# https://github.com/Marven11/Js2Py/commit/56e244eb
+
+Author: Marven11 <110723864+Marven11@users.noreply.github.com>
+Date: Fri, 1 Mar 2024 12:53:58 +0800
+
+diff --git a/js2py/constructors/jsobject.py b/js2py/constructors/jsobject.py
+index c4e0ada3..b1806ea6 100644
+--- a/js2py/constructors/jsobject.py
++++ b/js2py/constructors/jsobject.py
+@@ -49,7 +49,7 @@ def getOwnPropertyNames(obj):
+ raise MakeError(
+ 'TypeError',
+ 'Object.getOwnPropertyDescriptor called on non-object')
+- return obj.own.keys()
++ return list(obj.own.keys())
+
+ def create(obj):
+ if not (obj.is_object() or obj.is_null()):
diff --git a/dev-python/js2py/files/js2py-0.74-py312-load_attr.patch b/dev-python/js2py/files/js2py-0.74-py312-load_attr.patch
new file mode 100644
index 000000000000..6dfa467cc41f
--- /dev/null
+++ b/dev-python/js2py/files/js2py-0.74-py312-load_attr.patch
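Review bot: The patch header for the `getOwnPropertyNames` change gives four links but never says why wrapping the result in `list()` closes the sandbox escape, so the reason is lost as soon as one of those links goes away. A one-line description in the header would keep it with the fix, for example `# Return a list, not the dict_keys view, so script code never receives a live Python object`. The context line above the change still raises 'Object.getOwnPropertyDescriptor called on non-object' from inside `getOwnPropertyNames`, which looks like a copied message and will mislead anyone reading that TypeError. The header cites a pull request and a fork commit rather than an upstream release, so it is worth confirming whether upstream ever shipped the change; if it did not, this file is the only place the fix lives. The body of `getOwnPropertyNames` starts outside the quoted hunk.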
@@ -0,0 +1,57 @@
+From fd7df4a91fb08060914c7b1d9e94583d18f3371b Mon Sep 17 00:00:00 2001
+From: Felix Yan
+Date: Wed, 17 Apr 2024 16:47:47 +0300
+Subject: [PATCH] Fix bytecode for Python 3.12
+
+`LOAD_ATTR` has been changed in Python 3.12 and it seems reusing the
+`LOAD_GLOBAL` logic makes the simple tests passing.
+
+I am not sure if this is correct since I'm pretty new to the code, but
+maybe it's still helpful.
+---
+ js2py/translators/translating_nodes.py | 2 +-
+ js2py/utils/injector.py | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/js2py/translators/translating_nodes.py b/js2py/translators/translating_nodes.py
+index 4e2b5760..a780ba73 100644
+--- a/js2py/translators/translating_nodes.py
++++ b/js2py/translators/translating_nodes.py
+@@ -543,7 +543,7 @@ def TryStatement(type, block, handler, handlers, guardedHandlers, finalizer):
+ if handler:
+ identifier = handler['param']['name']
+ holder = 'PyJsHolder_%s_%d' % (to_hex(identifier),
+- random.randrange(1e8))
++ random.randrange(six.integer_types[-1](1e8)))
+ identifier = repr(identifier)
+ result += 'except PyJsException as PyJsTempException:\n'
+ # fill in except ( catch ) block and remember to recover holder variable to its previous state
+diff --git a/js2py/utils/injector.py b/js2py/utils/injector.py
+index 88e0d93e..835229f0 100644
+--- a/js2py/utils/injector.py
++++ b/js2py/utils/injector.py
+@@ -14,6 +14,7 @@
+ # Opcode constants used for comparison and replacecment
+ LOAD_FAST = opcode.opmap['LOAD_FAST']
+ LOAD_GLOBAL = opcode.opmap['LOAD_GLOBAL']
++LOAD_ATTR = opcode.opmap['LOAD_ATTR']
+ STORE_FAST = opcode.opmap['STORE_FAST']
+
+
+@@ -79,6 +80,7 @@ def append_arguments(code_obj, new_locals):
+ (co_names.index(name), varnames.index(name)) for name in new_locals)
+
+ is_new_bytecode = sys.version_info >= (3, 11)
++ is_new_load_attr = sys.version_info >= (3, 12)
+ # Now we modify the actual bytecode
+ modified = []
+ drop_future_cache = False
+@@ -97,7 +99,7 @@ def append_arguments(code_obj, new_locals):
+ # it's one of the globals that we are replacing. Either way,
+ # update its arg using the appropriate dict.
+ drop_future_cache = False
+- if inst.opcode == LOAD_GLOBAL:
++ if inst.opcode == LOAD_GLOBAL or (is_new_load_attr and inst.opcode == LOAD_ATTR):
+ idx = inst.arg
+ if is_new_bytecode:
+ idx = idx // 2
diff --git a/dev-python/js2py/js2py-0.74-r2.ebuild b/dev-python/js2py/js2py-0.74-r2.ebuild
new file mode 100644
index 000000000000..025770effe38
--- /dev/null
+++ b/dev-python/js2py/js2py-0.74-r2.ebuild
@@ -0,0 +1,47 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+PYPI_NO_NORMALIZE=1
+PYPI_PN="Js2Py"
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit distutils-r1 pypi
+
+DESCRIPTION="JavaScript to Python Translator & JavaScript interpreter in Python"
+HOMEPAGE="http://piter.io/projects/js2py
+ https://github.com/PiotrDabkowski/Js2Py
+ https://pypi.org/project/Js2Py/"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+RESTRICT="test"
+
+RDEPEND="
+ >=dev-python/pyjsparser-2.5.1[${PYTHON_USEDEP}]
+ >=dev-python/tzlocal-1.2.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.10.0[${PYTHON_USEDEP}]
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-0.74-CVE-2024-28397.patch"
+ "${FILESDIR}/${PN}-0.74-py312-load_attr.patch"
+)
+
+python_test() {
+ pushd ./tests >/dev/null || die
+
+ # run.py requires "node_failed.txt" file
+ touch ./node_failed.txt || die
+
+ # https://bugs.gentoo.org/831356
+ # make run.py return a non-zero exit code if any test failed
+ echo 'sys.exit(len(FAILING))' >> ./run.py || die
+
+ "${EPYTHON}" ./run.py || die "tests failed with ${EPYTHON}"
+
+ popd >/dev/null || die
+}
diff --git a/dev-python/js2py/js2py-0.74.ebuild b/dev-python/js2py/js2py-0.74.ebuild
deleted file mode 100644
index 22032fcf8e3b..000000000000
--- a/dev-python/js2py/js2py-0.74.ebuild
+++ /dev/null
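Review bot: The new condition `inst.opcode == LOAD_GLOBAL or (is_new_load_attr and inst.opcode == LOAD_ATTR)` in `append_arguments` sends attribute loads through the branch written for global loads, and the patch description itself says the author is not sure this is correct. The rest of that branch lies outside the hunk, so check that for `LOAD_ATTR` it only re-maps the name index, never swaps the instruction for a local load when an attribute name happens to equal one of `new_locals`, and keeps the low bit of the arg, which 3.12 uses as a flag on `LOAD_ATTR`. A comment on the condition would record the reasoning, e.g. `# 3.12: LOAD_ATTR packs a flag into the low bit of arg, as LOAD_GLOBAL has done since 3.11`. In `TryStatement`, `six.integer_types[-1](1e8)` is a roundabout spelling of `10 ** 8`, and the hunk does not show whether `six` is imported in `translating_nodes.py`.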
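Review bot: `RESTRICT="test"` is added without a comment, so the rewritten `python_test()` below it never runs. Meanwhile this revision extends `PYTHON_COMPAT` to `python3_{10..12}` and keeps the stable keywords, relying on two patches that nothing exercises at build time. State the reason next to the restriction, e.g. `# tests restricted: <reason>, see <bug URL>`, or drop it so the CVE fix and the 3.12 bytecode change are at least run through `run.py`. If the tests are enabled, `sys.exit(len(FAILING))` is truncated to eight bits by the shell, so a failure count that is a multiple of 256 would report success; `sys.exit(1 if FAILING else 0)` avoids that.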
@@ -1,40 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_USE_PEP517=setuptools
-PYPI_NO_NORMALIZE=1
-PYPI_PN="Js2Py"
-PYTHON_COMPAT=( python3_{9..11} )
-
-inherit distutils-r1 pypi
-
-DESCRIPTION="JavaScript to Python Translator & JavaScript interpreter in Python"
-HOMEPAGE="http://piter.io/projects/js2py/
- https://github.com/PiotrDabkowski/Js2Py/
- https://pypi.org/project/Js2Py/"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
-
-RDEPEND="
- >=dev-python/pyjsparser-2.5.1[${PYTHON_USEDEP}]
- >=dev-python/tzlocal-1.2.0[${PYTHON_USEDEP}]
- >=dev-python/six-1.10.0[${PYTHON_USEDEP}]
-"
-
-python_test() {
- pushd ./tests >/dev/null || die
-
- # Tests require "node_failed.txt" file where the logs are kept
- if [[ -f ./node_failed.txt ]] ; then
- rm ./node_failed.txt || die
- fi
-
- touch ./node_failed.txt || die
- "${EPYTHON}" ./run.py || die "tests failed with ${EPYTHON}"
-
- popd >/dev/null || die
-}
-- cgit v1.2.3