This backports fixes for security issues, including:
* CVE-2020-14422: Hash collisions in IPv4Interface and IPv6Interface
* CVE-2019-20907: Infinite loop in the tarfile module
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This package fails to build with newer setuptools, because setuptools
removed the (deprecated) Features feature in v46.0.0[1].
This adapts a commit[2] to remove the use of this feature. (Changes to
code formatting prevent the original commit/patch to be used.)
[1]: aff64ae89e/CHANGES.rst (v4600)
[2]: 3aac426e35
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This lets the Python build process set _PYTHON_HOST_PLATFORM instead of
forcing an explicit value.
Also:
* Save the target _PYTHON_HOST_PLATFORM value during Build/InstallDev
for use when building target Python packages (in python3-package.mk).
* Use the (mostly) default PYTHON_FOR_BUILD value, instead patch
configure to remove the platform triplet from the sysconfigdata file
name.
* Remove the "CROSS_COMPILE=yes" make variable (there is no indication
that this variable is necessary).
* Force host pip to build packages from source instead of downloading
binary wheels.
Previously, host pip can download universal (platform-independent)
wheels but not platform-specific wheels, because of the custom
_PYTHON_HOST_PLATFORM value. (Packages that do not have universal
wheels would be compiled from source.)
With a correct _PYTHON_HOST_PLATFORM, host pip can install
platform-specific wheels as well. However, the pre-built shared object
(.so) files in these wheels will have the host's platform triplet in
their file names. When target Python packages are built (using the
target's _PYTHON_HOST_PLATFORM), Python will not use these shared
object files.
By forcing host pip to build packages from source, the built shared
object files will not have the platform triplet in their file names.
(Host Python has been patched to remove the platform triplet from file
names.) This allows these packages to be used when building target
Python packages.
(The net effect of this complete change is that platform-dependent
packages will continue to be compiled from source, while
platform-independent packages will now also be compiled from source.)
Fixes https://github.com/openwrt/packages/issues/12680.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The perl Configure file was matching GCC 10 against "1*" and treating it
as GCC 1, causing ABI breakage and segfaults.
Cherry-pick the upstream patch which fixes it to check against (e.g)
"1.*" instead, which will make it work for hundreds more GCC versions
to come.
https://github.com/Perl/perl5/commit/6bd6308fcea3541
"Adapt Configure to GCC version 10"
Also includes the previous commit just adding GCC 8 and 9 to one case:
https://github.com/Perl/perl5/commit/ae195500577d707
"Add gcc-8 and gcc-9 for FORTIFY_SOURCE"
Signed-off-by: Ken Wong <xinxijishuwyq@gmail.com>
(cherry picked from commit 65578a43f0)
When a Python package is installed from source (i.e. using setup.py)
into a custom location (with --home), setuptools may want to create a
site.py file in the custom location. This file is created based on the
source code of site-patch.py, a file bundled with setuptools.
Because the normal OpenWrt setuptools package does not contain Python
source code, this file is missing and the installation will end with an
error.
This copies site-patch.py to site-patch.py.txt so that it will be
included in python3-setuptools, and patches setuptools to look for this
file.
See https://github.com/openwrt/packages/issues/12223
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
When a Python package is installed from source (i.e. using setup.py)
into a custom location (with --home), setuptools may want to create a
site.py file in the custom location. This file is created based on the
source code of site-patch.py, a file bundled with setuptools.
Because the normal OpenWrt setuptools package does not contain Python
source code, this file is missing and the installation will end with an
error.
This copies site-patch.py to site-patch.py.txt so that it will be
included in python3-setuptools, and patches setuptools to look for this
file.
See https://github.com/openwrt/packages/issues/12223
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 70a7f736c5)
The ssl module assumes OpenSSL can load the default trust anchors (root
CA certificates).
From https://github.com/openwrt/packages/issues/12209
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Because the first stage for building target Go is actually a host build,
the default platform options (GO386, GOARM, etc.) are detected from the
host. These values are written to a source file and kept when building
the second stage.
This modifies this source file to set the appropriate values for the
target platform, and reset values for other platforms to their
cross-compiling / most compatible defaults.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit da3fb97b9c)
Python will record the values of CC, CXX, AR, and RANLIB (and other
configure options) used during compilation. pip will use these programs
when asked to compile extension modules on the target device.
* If ccache is used during build, CC and CXX will be ccache_cc and
ccache_cxx, respectively, which are not available on-device (#11912).
* If an external toolchain is used during build, the values of these
variables will contain the external toolchain prefix, which may not be
available on target.
* If the normal toolchain is used during build, AR and RANLIB will
contain the toolchain prefix, but the names of ar and ranlib on-device
do not contain the prefix; they are named "ar" and "ranlib".
This changes the values of these variables in Python's files to match
the names available on-device, and without any toolchain prefix.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Python will record the values of CC, CXX, AR, and READELF (and other
configure options) used during compilation. pip will use these programs
when asked to compile extension modules on the target device.
* If ccache is used during build, CC and CXX will be ccache_cc and
ccache_cxx, respectively, which are not available on-device (#11912).
* If an external toolchain is used during build, the values of these
variables will contain the external toolchain prefix, which may not be
available on target.
* If the normal toolchain is used during build, AR and READELF will
contain the toolchain prefix, but the names of ar and readelf
on-device do not contain the prefix; they are named "ar" and
"readelf".
This changes the values of these variables in Python's files to match
the names available on-device, and without any toolchain prefix.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 9f81ab895e)
When during the build the openssl extension is also selected, then
the mysqlnd extension depends on it, too.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 50b1cd3757)
This removes lines that set PKG_BUILD_DIR when the set value is no
different from the default value.
Specifically, the line is removed if the assigned value is:
* $(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
The default PKG_BUILD_DIR was updated[1] to incorporate BUILD_VARIANT
if it is set, so now this is identical to the default value.
* $(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)
if PKG_SOURCE_SUBDIR is set to $(PKG_NAME)-$(PKG_VERSION), making it
the same as the previous case
* $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
This is the same as the default PKG_BUILD_DIR when there is no
BUILD_VARIANT.
* $(BUILD_DIR)/[name]-$(PKG_VERSION)
where [name] is a string that is identical to PKG_NAME
[1]: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=e545fac8d968864a965edb9e50c6f90940b0a6c9
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 53e1692ae9)
Package python-idna was updated 2 weeks ago in OpenWrt 19.07.
It causes an issue:
pkg_resources.ContextualVersionConflict: (idna 2.9 (/usr/lib/python3.7/site-packages), Requirement.parse('idna<2.9,>=2.5'), {'requests'})
This is fixed in 2.23.0.
Signed-off-by: Javier Marcet <javier@marcet.info>
(cherry picked from commit d62e8b9f3c)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add commit message]
This backports a patch[1] to fix several request smuggling attacks.
This includes fixes for:
* CVE-2020-10108
* CVE-2020-10109
[1]: 4a7d22e490
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* Set GOENV=off when building Go compiler and packages, to ignore user's
environment configuration file
* Set GOCACHE when building host Go
* Unset GOTMPDIR, to use the buildroot temp directory instead of temp
directories in build_dir
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from 3b5f1c73fb)
