From 470819d59a595abd6eb89f98c675ac3141f7728c Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Wed, 17 Feb 2021 13:56:52 +0100 Subject: python3: upgrade to release 3.7.10 Fixes CVE-2021-3177 plus these less important ones: CVE-2021-23336 CVE-2020-27619 CVE-2020-14422 CVE-2020-26116 CVE-2019-20907 CVE-2020-8492 CVE-2019-18348 Change-Id: I8e83395bd3e871eb2ed030a03827b7d261c96049 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111069 Tested-by: Michael Stahl Reviewed-by: Michael Stahl --- configure.ac | 2 +- download.lst | 4 +- ...-Disable-external-entities-in-SAX-parse.patch.1 | 59 ---------------------- external/python3/python-3.3.0-darwin.patch.1 | 2 +- 4 files changed, 4 insertions(+), 63 deletions(-) delete mode 100644 external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 diff --git a/configure.ac b/configure.ac index 0b7415549198..a8056fdeaa6f 100644 --- a/configure.ac +++ b/configure.ac @@ -8789,7 +8789,7 @@ internal) SYSTEM_PYTHON= PYTHON_VERSION_MAJOR=3 PYTHON_VERSION_MINOR=7 - PYTHON_VERSION=${PYTHON_VERSION_MAJOR}.${PYTHON_VERSION_MINOR}.7 + PYTHON_VERSION=${PYTHON_VERSION_MAJOR}.${PYTHON_VERSION_MINOR}.10 if ! grep -q -i python.*${PYTHON_VERSION} ${SRC_ROOT}/download.lst; then AC_MSG_ERROR([PYTHON_VERSION ${PYTHON_VERSION} but no matching file in download.lst]) fi diff --git a/download.lst b/download.lst index bdbed280f3e0..702a921e929b 100644 --- a/download.lst +++ b/download.lst @@ -212,8 +212,8 @@ export POPPLER_SHA256SUM := 016dde34e5f868ea98a32ca99b643325a9682281500942b7113f export POPPLER_TARBALL := poppler-21.01.0.tar.xz export POSTGRESQL_SHA256SUM := 12345c83b89aa29808568977f5200d6da00f88a035517f925293355432ffe61f export POSTGRESQL_TARBALL := postgresql-13.1.tar.bz2 -export PYTHON_SHA256SUM := 06a0a9f1bf0d8cd1e4121194d666c4e28ddae4dd54346de6c343206599f02136 -export PYTHON_TARBALL := Python-3.7.7.tar.xz +export PYTHON_SHA256SUM := f8d82e7572c86ec9d55c8627aae5040124fd2203af400c383c821b980306ee6b +export PYTHON_TARBALL := Python-3.7.10.tar.xz export QRCODEGEN_SHA256SUM := fcdf9fd69fde07ae4dca2351d84271a9de8093002f733b77c70f52f1630f6e4a export QRCODEGEN_TARBALL := QR-Code-generator-1.4.0.tar.gz export QXP_SHA256SUM := e137b6b110120a52c98edd02ebdc4095ee08d0d5295a94316a981750095a945c diff --git a/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 deleted file mode 100644 index 489e5d0e89ee..000000000000 --- a/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 +++ /dev/null @@ -1,59 +0,0 @@ -From 582d188e6e3487180891f1fc457a80dec8be26a8 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 24 Sep 2018 14:38:31 +0200 -Subject: [PATCH] [3.6] bpo-17239: Disable external entities in SAX parser - (GH-9217) (GH-9512) - -The SAX parser no longer processes general external entities by default -to increase security. Before, the parser created network connections -to fetch remote files or loaded local files from the file system for DTD -and entities. - -Signed-off-by: Christian Heimes - -https://bugs.python.org/issue17239. -(cherry picked from commit 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45) - -Co-authored-by: Christian Heimes - - - -https://bugs.python.org/issue17239 ---- - Doc/library/xml.dom.pulldom.rst | 14 +++++ - Doc/library/xml.rst | 6 +- - Doc/library/xml.sax.rst | 8 +++ - Doc/whatsnew/3.6.rst | 18 +++++- - Lib/test/test_pulldom.py | 7 +++ - Lib/test/test_sax.py | 60 ++++++++++++++++++- - Lib/test/test_xml_etree.py | 13 ++++ - Lib/xml/sax/expatreader.py | 2 +- - .../2018-09-11-18-30-55.bpo-17239.kOpwK2.rst | 3 + - 9 files changed, 125 insertions(+), 6 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst - -diff --git a/Lib/xml/sax/expatreader.py b/Lib/xml/sax/expatreader.py -index 421358fa5b..5066ffc2fa 100644 ---- a/Lib/xml/sax/expatreader.py -+++ b/Lib/xml/sax/expatreader.py -@@ -95,7 +95,7 @@ class ExpatParser(xmlreader.IncrementalParser, xmlreader.Locator): - self._lex_handler_prop = None - self._parsing = 0 - self._entity_stack = [] -- self._external_ges = 1 -+ self._external_ges = 0 - self._interning = None - - # XMLReader methods -diff --git a/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst -new file mode 100644 -index 0000000000..8dd0fe8c1b ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst -@@ -0,0 +1,3 @@ -+The xml.sax and xml.dom.minidom parsers no longer processes external -+entities by default. External DTD and ENTITY declarations no longer -+load files or create network connections. --- -2.20.1 - diff --git a/external/python3/python-3.3.0-darwin.patch.1 b/external/python3/python-3.3.0-darwin.patch.1 index d5cb17e339a2..10a696aa6e93 100644 --- a/external/python3/python-3.3.0-darwin.patch.1 +++ b/external/python3/python-3.3.0-darwin.patch.1 @@ -49,7 +49,7 @@ diff -ru python3.orig/Mac/Resources/app/Info.plist.in python3/Mac/Resources/app/ - Python + LibreOfficePython CFBundleGetInfoString - %version%, (c) 2001-2016 Python Software Foundation. + %version%, (c) 2001-2020 Python Software Foundation. CFBundleHelpBookFolder diff -ru python3.orig/Mac/Resources/framework/Info.plist.in python3/Mac/Resources/framework/Info.plist.in --- python3.orig/Mac/Resources/framework/Info.plist.in 2015-07-05 18:50:07.000000000 +0200 -- cgit