Several security fixes:
Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
This adds more details on the PYTHON[3]_PKG_SETUP_* variables, the
filespec format, and the build/install processes in general.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
- COPYING as a license is no longer available. It's LICENSE
- Add PKG_CPE_ID
- Add a description
- Add Python sources
- Add me as maintainer as the previous maintainer is inactive in OpenWrt
- Changed URL to Git repository, where you can find more details
- Moved TITLE to Default
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Some packages (PyYAML,
https://github.com/openwrt/packages/pull/8482#discussion_r270692276)
recognize "global" options to setup.py; these must appear before the
"install" command on the command line.
This adds PYTHON[3]_PKG_SETUP_GLOBAL_ARGS, which let packages set these
global options.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The LIBDIR and INCDIR assignments are duplicates of the original
Makefile, changing LIB_PATH and INC_PATH to LDFLAGS and CPPFLAGS.
Setting LIB_PATH and INC_PATH to empty strings will do the same
without duplicating the flags.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
"python -m compileall" has a default maximum recursion level of 10, i.e.
it will descend up to 10 levels of subdirectories when looking for
source files to compile. This is usually sufficient but there are
packages that include more than 10 levels (botocore,
https://github.com/openwrt/packages/pull/8214#discussion_r270056741).
This adds the "-r" command line option to the call to compileall to
increase the max recursion level (currently set to 20).
This also patches Python 2's compileall.py to add this max recursion
level option. (Python 3's compileall.py already supports this option.)
This also applies some related changes to python-package-install.sh:
* Use the "-delete" option with find instead of exec'ing rm / rmdir. For
the case of removing empty directories (in delete_empty_dirs()), this
has the added benefit of simplifying the code, as the "-delete" option
implies "-depth", and thus find "does the right thing" (removing empty
directories depth-first).
* Remove the backslash in "-name" patterns (for find), as they are not
regular expressions but glob patterns.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Linking with ld is not portable and was causing problems for some
targets, e.g. i386_pentium4:
i486-openwrt-linux-musl-ld: x509.o: in function `push_asn1_objname':
x509.c:(.text+0x61): undefined reference to `__stack_chk_fail_local'
...
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Currently, all files in usr/bin (presumably all Python scripts) are run
through sed to replace the shebang; sed will overwrite the file whether
or not a match is found. This causes symlinks to be overridden and made
into copies of their targets. python[3]-base and python[3]-dev are
affected by this.
This adds the --follow-symlinks flag to sed, in addition to using
$(SED), so that symlinks are not overridden.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
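The symlink behaviour described above, reproduced as an added example (not the Makefile's own code): it assumes GNU sed, and the tree layout, file names and shebang pattern are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration; assumes GNU sed. Tree layout, file names and the
# shebang pattern are constructed, not taken from python[3]-package.mk.

# Build usr/bin with one script and a symlink to it; print the tree root.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin"
    printf '#!/build/hostpkg/bin/python3\nprint("hi")\n' > "$root/usr/bin/tool-3.7"
    ln -s tool-3.7 "$root/usr/bin/tool"
    printf '%s\n' "$root"
}

# Rewrite the shebang of every entry in usr/bin.
# $1 = tree root, $2 = extra sed option ("" or --follow-symlinks).
rewrite_shebangs() {
    for f in "$1"/usr/bin/*; do
        # $2 is intentionally unquoted so an empty value adds no argument.
        sed -i $2 -e '1s,^#!.*python.*,#!/usr/bin/python3,' "$f" || return 1
    done
}

# Report what usr/bin/tool is after the rewrite.
link_state() {
    if [ -L "$1/usr/bin/tool" ]; then echo symlink
    elif [ -f "$1/usr/bin/tool" ]; then echo regular-file
    else echo missing; fi
}

before=$(make_tree); rewrite_shebangs "$before" ""
after=$(make_tree);  rewrite_shebangs "$after" --follow-symlinks
echo "sed -i:                   tool is a $(link_state "$before")"
echo "sed -i --follow-symlinks: tool is a $(link_state "$after")"
rm -rf "$before" "$after"
```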
Currently i386 and the PPC targets have linking issues.
https://github.com/openwrt/packages/issues/3319
says that replacing -fPIC with -fpic works.
Patch added to avoid package overriding settings set by toolchain and make
compilation less noisy
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This is causing linking errors on i386 and ppc.
Also removed custom warnings and optimization levels that override stock
settings.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- Use mbedTLS as default and add patches for it
- Use files.pythonhosted.org in PKG_SOURCE_URL
- Changed description
- Reordered things in Makefile
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This installs python{2.7,3.7}-config in $(STAGING_DIR)/usr/bin as part
of Build/InstallDev, to be used by other packages to get build
configuration for target Python.
The treatment for Python 2 and 3 is a bit different:
* For Python 2, python-config is a Python script that is expected to be
run with, and return data for, the installed Python interpreter. This
installs a modified version of this script, to be run using host
Python, and read/return data for target Python.
* Python 3 includes a shell script version of python-config (expected to
be used in cross-compilation scenarios). This simply installs the
script into the right place.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
These patches address issue:
CVE-2019-9636: urlsplit does not handle NFKC normalization
Link to Python issue:
https://bugs.python.org/issue36216
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Packages such as Perl, Lua, shell scripts don't generate binary files.
Add PKGARCH:=all to them.
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
This changes Build/InstallDev for both Python 2 and 3 to only copy files
from target Python, not from host Python, since InstallDev files are
used for target packages to link to other target packages.
In particular, usr/lib/python{2.7,3.7}/_sysconfigdata.py holds system
configuration data generated at build time, and is different for target
Python and host Python.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
Maintainer: myself ( Jeronimo Pellegrini <j_p@aleph0.info> )
Compile tested: compiles on x86_64, target mips (AR7xxx), OpenWRT master
and OpenWRT 18.06.2
Run tested: on AR7xxx (TP-Link Archer C7 v.4)
Description:
This is an efficient Scheme interpreter, which comes with several
modules for networking, filesystem access, and other useful tasks.
It can be used as scripting language for automating tasks, by users
who prefer dynamic functional languages over imperative or
object-oriented ones.
This adds several variables for Go package Makefiles:
* GO_PKG_GCFLAGS - go tool compile arguments
* GO_PKG_LDFLAGS - go tool link arguments
* GO_PKG_LDFLAGS_X - go tool link -X definitions
Setting these will add the corresponding flags to the go install
command line. (Other command line arguments can still be added by
passing them as the first argument to GoPackage/Build/Compile.)
This also adds Go's runtime environment variables (GOGC, GOMAXPROCS,
GOTRACEBACK) to the unexport list.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Fixes: https://github.com/openwrt/packages/issues/8399
These 2 patches cause some breakage for other packages.
For now, we drop them and wait for upstream to finalize a fix.
We can live with deprecated SSL APIs for a while. No need to hurry, since
this doesn't seem to help.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Bug fixes and a security update of the bundled RubyGems:
CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Removing python3 conditional DEPENDS to avoid a circular dependency.
Fixes a typo in Makefile.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
This updates the Python 2 and 3 versions of each package to share the
same title field.
This also updates the package title, url and source urls.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The package was missing dependencies on pillow and python-setuptools.
The Makefile was simplified.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
The package is rewritten to be the current type of Python package with variants,
but for backward compatibility the simplejson package name was left as
is and the new Python3-specific package was named correctly as
python3-simplejson.
Signed-off-by: Karel Kočí <cynerd@email.cz>
This change updates Python to version 2.7.16, which is a bugfix release
in the Python 2.7 series.
This also removes patches back-ported from upstream.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
As it was suggested in PR from the current package maintainer, I have become a new maintainer.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Version 2.6 includes OpenSSL no-engine support.
This also removes python-idna as a dependency. idna became optional with
version 2.5 (https://cryptography.io/en/latest/changelog/#v2-5).
This also updates the package title field and updates both Python 2 and
3 versions to use the same field.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
For a while now, Jeffery has helped quite a lot with Python, and is now
the unofficial go-to guy [for problems] with Python packages.
This change adds him as co-maintainer [if he also agrees].
I'm not going away; I'll be still doing the same work for Python.
This change serves to recognize Jeffery in an official way, since he's
already taking on these things. And 2 co-maintainers is better in case one
kicks the bucket [by accident].
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Fixes: https://github.com/openwrt/packages/issues/8301
This seems to have slipped for some time. No idea if it ever worked.
It could be that this worked at some point.
In any case, the shebang is properly updated now.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This is the result of this discussion:
https://github.com/openwrt/packages/issues/8285
`urllib.request` requires the `email` module/lib, which was part of
python3-light.
This change moves the Lib/urllib folder from the python3-light into its
own package, making it lighter. At least this way, users that want `urllib`
(on top of `python3-light`) will be forced to install it via opkg and this
will make sure `python3-email` gets installed as well.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
If users want to define these before including python[3]-package.mk, these
vars will be overridden during the include.
So, override these vars if they haven't been defined.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This adds a variable (PYTHON_PKG_SETUP_DIR / PYTHON3_PKG_SETUP_DIR) that
allows a Python package Makefile to control the directory where setup.py
is called (as part of PyBuild/Compile/Default /
Py3Build/Compile/Default).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Thanks to fix 200a5a2eec all base packages
now contain all binaries that are generated as part of python
installation. That causes collision between those packages with package
managers that consider this such as Turris updater-ng. This is also just
wrong. Those binaries were not included and should not be after
mentioned fix as well.
This just adds an empty install definition. The idea is to override the
default one that is otherwise used.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
This updates the Python 2 and 3 versions of each package to share the
same title field. (For packages that only had this change, their
PKG_RELEASE were not incremented.)
This also updates the package title, url and source urls, where
necessary.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>