system/python3: bump { 3.10.2 --> 3.10.4 }. fixes #658.

3 files changed, 135 insertions, 116 deletions

diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD
index 7c80d89a7..8d9ad55c4 100644
--- a/system/python3/APKBUILD
+++ b/system/python3/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Sheila Aman <sheila@vulpine.house>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=python3
-pkgver=3.10.2
+pkgver=3.10.4
 _basever="${pkgver%.*}"
 pkgrel=0
 pkgdesc="A high-level scripting language"
@@ -39,7 +39,7 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
 source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
 	musl-find_library.patch
 	fix-xattrs-glibc.patch
-	fix-python-tests-expat-ge245.patch
+	CVE-2015-20107.patch
 	"
 builddir="$srcdir/Python-$pkgver"
 
@@ -186,7 +186,7 @@ tests() {
 		"$subpkgdir"/usr/lib/python$_basever/
 }
 
-sha512sums="215a7159face84788fe547c1e2689b8d0ae510275157cf01636bef2902d0ff465f844eb0328c9f39fd1cd03a1d1736d4cf258992f2788e492a801a372032c08b  Python-3.10.2.tar.xz
+sha512sums="6c9aeecddc55c7896b2e8527fca131c7b2b6127d56ce1a001ccedfebf590334e0c0bb7c517ed3cf1da3c1910e002552b56aa7e03eeb672f42ff0bd8150799113  Python-3.10.4.tar.xz
 ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2  musl-find_library.patch
 4b4696d139e53aad184b72461478821335aadedc4811ec9e96cdea9a4f7ef19ebf0aac8c6afae6345f33c79fbd3ae2c63021de36044a2803d0dc8894fa291cf5  fix-xattrs-glibc.patch
-a98b1c2b2520d996ad3181513e20bc8f1705f0ed3ec262d67d7f1a7d6dc3a90e8ef68078124c2ba008945bf07494fc978a6eaeb62309a9d1d48450fccab62671  fix-python-tests-expat-ge245.patch"
+a33454a727304360c2370153a695511a41fda6c526104ebffaadae01bbf1f433869e9f9f817b7cd1b8291062719ec35808ca1aa84398a8ace9901f5b16591359  CVE-2015-20107.patch"
diff --git a/system/python3/CVE-2015-20107.patch b/system/python3/CVE-2015-20107.patch
new file mode 100644
index 000000000..59cb4d7ed
--- /dev/null
+++ b/system/python3/CVE-2015-20107.patch
@@ -0,0 +1,131 @@
+From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 27 Apr 2022 18:17:33 +0200
+Subject: [PATCH 1/2] gh-68966: Make mailcap refuse to match unsafe
+ filenames/types/params
+
+---
+ Lib/mailcap.py           | 26 ++++++++++++++++++++++++--
+ Lib/test/test_mailcap.py |  8 ++++++--
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index 856b6a55475f3..cfb70edc61ecf 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+ 
+ import os
+ import warnings
++import re
+ 
+ __all__ = ["getcaps","findmatch"]
+ 
+@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+ 
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+ 
+ # Part 1: top-level interface.
+ 
+@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+ 
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+ 
+ def lookup(caps, MIMEtype, key=None):
+@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index 97a8fac6e074a..2ed367dba78b7 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -128,7 +128,8 @@ def test_subst(self):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -212,7 +213,10 @@ def test_findmatch(self):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
+
+From 3904f682b6dde32b4f51e7b8c3867e27d13333e0 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 27 Apr 2022 18:29:35 +0200
+Subject: [PATCH 2/2] Add blurb
+
+---
+ .../Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst    | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000000..da81a1f6993db
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).
diff --git a/system/python3/fix-python-tests-expat-ge245.patch b/system/python3/fix-python-tests-expat-ge245.patch
deleted file mode 100644
index f95b648a1..000000000
--- a/system/python3/fix-python-tests-expat-ge245.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From dd7da01325ca32796e139507a38da08886f8f972 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 20 Feb 2022 20:39:07 +0100
-Subject: [PATCH 1/3] test_xml_etree.py: Drop mistaken test_issue3151
-
-Curly brackets were never allowed in namespace URIs
-according to RFC 3986, and so-called namespace-validating
-XML parsers have the right to reject them a invalid URIs.
-
-libexpat >=2.4.5 has become strcter in that regard due to
-related security issues; with ET.XML instantiating a
-namespace-aware parser under the hood, this test has no
-future in CPython.
-
-References:
-- https://datatracker.ietf.org/doc/html/rfc3968
-- https://www.w3.org/TR/xml-names/
----
- Lib/test/test_xml_etree.py | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
-index a25f536134c7b..c5292b5e9ef68 100644
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -2192,12 +2192,6 @@ def test_issue6233(self):
-                 b"<?xml version='1.0' encoding='ascii'?>\n"
-                 b'<body>t&#227;g</body>')
- 
--    def test_issue3151(self):
--        e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
--        self.assertEqual(e.tag, '{${stuff}}localname')
--        t = ET.ElementTree(e)
--        self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
--
-     def test_issue6565(self):
-         elem = ET.XML("<body><tag/></body>")
-         self.assertEqual(summarize_list(elem), ['tag'])
-
-From aa7523fef6e3759d02a02fa484acfebf9d0bd852 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 20 Feb 2022 20:56:38 +0100
-Subject: [PATCH 2/3] test_minidom.py: Support Expat >=2.4.5
-
----
- Lib/test/test_minidom.py | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
-index 1663b1f1143dd..97620258d82f6 100644
---- a/Lib/test/test_minidom.py
-+++ b/Lib/test/test_minidom.py
-@@ -6,10 +6,12 @@
- from test import support
- import unittest
- 
-+import pyexpat
- import xml.dom.minidom
- 
- from xml.dom.minidom import parse, Node, Document, parseString
- from xml.dom.minidom import getDOMImplementation
-+from xml.parsers.expat import ExpatError
- 
- 
- tstfile = support.findfile("test.xml", subdir="xmltestdata")
-@@ -1147,7 +1149,13 @@ def testEncodings(self):
- 
-         # Verify that character decoding errors raise exceptions instead
-         # of crashing
--        self.assertRaises(UnicodeDecodeError, parseString,
-+        if pyexpat.version_info >= (2, 4, 5):
-+            self.assertRaises(ExpatError, parseString,
-+                    b'<fran\xe7ais></fran\xe7ais>')
-+            self.assertRaises(ExpatError, parseString,
-+                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
-+        else:
-+            self.assertRaises(UnicodeDecodeError, parseString,
-                 b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
- 
-         doc.unlink()
-@@ -1609,7 +1617,12 @@ def testEmptyXMLNSValue(self):
-         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
- 
-     def testExceptionOnSpacesInXMLNSValue(self):
--        with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
-+        if pyexpat.version_info >= (2, 4, 5):
-+            context = self.assertRaisesRegex(ExpatError, 'syntax error')
-+        else:
-+            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-+
-+        with context:
-             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
- 
-     def testDocRemoveChild(self):
-
-From 2dcb3051b243fff2f031c14eea50a649e8b7c7ea Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 20 Feb 2022 21:03:40 +0100
-Subject: [PATCH 3/3] Add blurp file for bpo-46811 to section "Library"
-
----
- .../NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
-
-diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
-new file mode 100644
-index 0000000000000..6969bd1898f65
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
-@@ -0,0 +1 @@
-+Make test suite support Expat >=2.4.5