projects / platform / upstream / python.git / log
? search:
summary | shortlog | log | commit | commitdiff | tree
first ⋅ prev ⋅ next
platform/upstream/python.git
13 months ago[CVE-2022-0391] bpo-43882 - urllib.parse should sanitize urls containing ASCII newlin... 24/294624/1
commit | commitdiff | tree
JinWang An [Thu, 22 Jun 2023 01:41:38 +0000 (10:41 +0900)]
[CVE-2022-0391] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25726)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d)
Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
(cherry picked from commit 515a7bc)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Change-Id: Ia736aa48623abda5b1f8d10c9512dcbb139db492
Signed-off-by: JinWang An <jinwang.an@samsung.com>
13 months ago[CVE-2022-45061] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99232) 66/294566/1
commit | commitdiff | tree
JinWang An [Wed, 21 Jun 2023 07:46:23 +0000 (16:46 +0900)]
[CVE-2022-45061] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99232)

From b0b590be9597fd5919228d251812dd54145f70a7 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Mon, 7 Nov 2022 19:22:14 -0800

There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.

(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Change-Id: I9a1277f3b3c6d07f04787402400a859a015fab21
Signed-off-by: JinWang An <jinwang.an@samsung.com>
3 years agoFix infinite loop in the tarfile module submit/tizen_6.0_base/20210419.041633
commit | commitdiff | tree
JinWang An [Tue, 13 Apr 2021 12:13:54 +0000 (21:13 +0900)]
Fix infinite loop in the tarfile module

In Lib/tarfile.py in Python through 3.8.3, an attacker
is able to craft a TAR archive leading to an infinite
loop when opened by tarfile.open, because _proc_pax
lacks header validation.

Change-Id: I3834647b15fc334cdd2d878c6cb4f368844edbb0
Signed-off-by: JinWang An <jinwang.an@samsung.com>
3 years ago[CVE-2019-18348] Disallow control characters in hostnames in http.client 79/256779/1
commit | commitdiff | tree
JinWang An [Tue, 13 Apr 2021 02:23:10 +0000 (11:23 +0900)]
[CVE-2019-18348] Disallow control characters in hostnames in http.client

An issue was discovered in urllib2 in Python 2.x through 2.7.17
and urllib in Python 3.x through 3.8.0. CRLF injection
is possible if the attacker controls a url parameter,
as demonstrated by the first argument to urllib.request.
urlopen with \r\n (specifically in the host component
of a URL) followed by an HTTP header.

Change-Id: I733ec1d4986c5b638865ed70530f70a3ea0bd524
Signed-off-by: JinWang An <jinwang.an@samsung.com>
3 years ago[CVE-2017-18207]Improve exceptions in aifc, wave and sunau. 41/256741/1 submit/tizen_6.0_base/20210412.113806
commit | commitdiff | tree
JinWang An [Mon, 12 Apr 2021 07:10:22 +0000 (16:10 +0900)]
[CVE-2017-18207]Improve exceptions in aifc, wave and sunau.

** DISPUTED ** The Wave_read._read_fmt_chunk function
in Lib/wave.py in Python through 3.6.4 does not ensure
a nonzero channel value, which allows attackers to cause
a denial of service (divide-by-zero and exception) via
a crafted wav format audio file. NOTE: the vendor disputes
this issue because Python applications "need
to be prepared to handle a wide variety of exceptions."

Change-Id: Ia7b958c4d95596552802eda52f257fcc3fcc7469
Signed-off-by: JinWang An <jinwang.an@samsung.com>
3 years ago[CVE-2020-8492] Fix AbstractBasicAuthHandler 86/256686/1 accepted/tizen/6.0/base/tool/20210420.072003 submit/tizen_6.0_base/20210409.074611
commit | commitdiff | tree
JinWang An [Fri, 9 Apr 2021 07:37:41 +0000 (16:37 +0900)]
[CVE-2020-8492] Fix AbstractBasicAuthHandler

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10,
3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server
to conduct Regular Expression Denial of Service (ReDoS) attacks
against a client because of urllib.request.AbstractBasicAuthHandler
catastrophic backtracking.

Change-Id: I44694a5b63583e554fcb6c6ec0b78c1c640d8f85
Signed-off-by: JinWang An <jinwang.an@samsung.com>
4 years agoRemove gcc_version macro at spec file 19/225019/1 accepted/tizen_6.0_base_tool_hotfix sandbox/backup/python2-2.7.17_20201214 tizen_6.0_base_hotfix accepted/tizen/6.0/base/20201029.105523 accepted/tizen/6.0/base/tool/20201029.111500 accepted/tizen/6.0/base/tool/hotfix/20201030.124235 accepted/tizen/6.0/base/tool/hotfix/20201102.085337 accepted/tizen/base/20200224.070713 submit/tizen_6.0_base/20201029.184802 submit/tizen_6.0_base_hotfix/20201030.192502 submit/tizen_6.0_base_hotfix/20201102.162702 submit/tizen_base/20200217.003401 submit/tizen_base/20201207.055733 submit/tizen_base/20201208.051733 tizen_6.0.m2_release
commit | commitdiff | tree
DongHun Kwak [Sun, 16 Feb 2020 23:47:44 +0000 (08:47 +0900)]
Remove gcc_version macro at spec file

Change-Id: If74f7d4bd5deff2d60fa4051e09bc20f648353d4

4 years agoFix build error 71/220871/1 accepted/tizen/base/20200113.064827 submit/tizen_base/20191226.001204 submit/tizen_base/20200106.075848 submit/tizen_base/20200106.080633 submit/tizen_base/20200108.035402
commit | commitdiff | tree
DongHun Kwak [Tue, 24 Dec 2019 06:55:54 +0000 (15:55 +0900)]
Fix build error

Add gcc version check logic for nis.so

Change-Id: I9ea2b37545e0c4aaf5a96cdbfc00a7c9bd58f721

4 years agoMerge "[Tizen 6.0] Enable build" into tizen_base submit/tizen_base/20191223.230854
commit | commitdiff | tree
Donghun Kwak [Mon, 23 Dec 2019 23:02:22 +0000 (23:02 +0000)]
Merge "[Tizen 6.0] Enable build" into tizen_base

4 years ago[Tizen 6.0] Enable build 43/220043/1 sandbox/mkashkarov/tizen_6.0_build
commit | commitdiff | tree
Mikhail Kashkarov [Mon, 2 Dec 2019 17:17:52 +0000 (20:17 +0300)]
[Tizen 6.0] Enable build

The NIS(+) name service modules are deprecated since glibc 2.27 and will not be
built or installed by default.

Change-Id: I7837dcd2b8fe52c210d01510a1f2fc3e58554073
Signed-off-by: Mikhail Kashkarov <m.kashkarov@partner.samsung.com>
4 years agoBump to python 2.7.17 50/218550/2 accepted/tizen/base/20191204.042000 submit/tizen_5.5_base/20191209.051255 submit/tizen_base/20191126.074843 submit/tizen_base/20191126.080944
commit | commitdiff | tree
Hyunjee Kim [Mon, 25 Nov 2019 08:25:49 +0000 (17:25 +0900)]
Bump to python 2.7.17

Change-Id: I2fd8a054291e106d15ec215436225e05f1892bce
Signed-off-by: Hyunjee Kim <hj0426.kim@samsung.com>
4 years agoMerge branch 'tizen_base' of ssh://review.tizen.org:29418/platform/upstream/python... 49/218549/1
commit | commitdiff | tree
Hyunjee Kim [Mon, 25 Nov 2019 08:13:55 +0000 (17:13 +0900)]
Merge branch 'tizen_base' of ssh://review.tizen.org:29418/platform/upstream/python into tizen_base

Change-Id: I9fd2ad642ab1efbdb407fcbf5c7401346ecf8076
Signed-off-by: Hyunjee Kim <hj0426.kim@samsung.com>
4 years agoRebase for python 2.7.17 48/218548/1
commit | commitdiff | tree
DongHun Kwak [Thu, 27 Dec 2018 04:47:48 +0000 (13:47 +0900)]
Rebase for python 2.7.17

Change-Id: Icff2d8252c3fa81efa45f009602a6088c27f47c4
Signed-off-by: Hyunjee Kim <hj0426.kim@samsung.com>
4 years agoImported Upstream version 2.7.17 upstream/2.7.17
commit | commitdiff | tree
Hyunjee Kim [Mon, 25 Nov 2019 08:02:02 +0000 (17:02 +0900)]
Imported Upstream version 2.7.17

4 years agoImported Upstream version 2.7.16 upstream/2.7.16
commit | commitdiff | tree
Hyunjee Kim [Mon, 25 Nov 2019 08:01:31 +0000 (17:01 +0900)]
Imported Upstream version 2.7.16

4 years ago[CVE-2019-16935] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447) 99/215299/1 accepted/tizen_5.5_base accepted/tizen_5.5_base_mobile_hotfix accepted/tizen_5.5_base_wearable_hotfix sandbox/backup/tizen_5.5_base/python_2.7.15_20191209 tizen_5.5_base_mobile_hotfix tizen_5.5_base_wearable_hotfix tizen_5.5_tv accepted/tizen/5.5/base/20191030.083110 accepted/tizen/5.5/base/mobile/hotfix/20201023.084940 accepted/tizen/5.5/base/wearable/hotfix/20201023.081305 accepted/tizen/base/20191008.101327 submit/tizen_5.5_base/20191030.000001 submit/tizen_5.5_base_mobile_hotfix/20201023.171501 submit/tizen_5.5_base_wearable_hotfix/20201023.155601 submit/tizen_base/20191007.022254 tizen_5.5.m2_release
commit | commitdiff | tree
Dong-hee Na [Tue, 1 Oct 2019 10:58:01 +0000 (19:58 +0900)]
[CVE-2019-16935] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)

Escape the server title of DocXMLRPCServer.DocXMLRPCServer
when rendering the document page as HTML.

Change-Id: Id7e5a2c440b9a2e9bc832bd321740ce0c1581edf
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
4 years agobpo-34155: Dont parse domains containing @ (GH-13079) (GH-16006) 18/214118/1 accepted/tizen/base/20190921.035853 submit/tizen_base/20190918.081111
commit | commitdiff | tree
Roberto C. Sánchez [Sat, 14 Sep 2019 17:26:38 +0000 (13:26 -0400)]
bpo-34155: Dont parse domains containing @ (GH-13079) (GH-16006)

This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.

(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)

Excludes changes to Lib/email/_header_value_parser.py, which did not
exist in 2.7.

Co-authored-by: jpic <jpic@users.noreply.github.com>
https://bugs.python.org/issue34155
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
Change-Id: Ice4cb0bcaf4fdd4172b603d1a19def3bbbbec2ea

4 years agoMigrate to openssl 1.1 accepted/tizen/base/20190825.220805 submit/tizen_base/20190819.023757
commit | commitdiff | tree
DongHun Kwak [Mon, 19 Aug 2019 02:37:36 +0000 (11:37 +0900)]
Migrate to openssl 1.1

Change-Id: Ifefed273e76951c416b527c9ceee26c9a9df449b

5 years agoAdd PIE option at python makefile 40/202040/1 accepted/tizen/base/20190418.010732 submit/tizen_base/20190322.054226 submit/tizen_base/20190416.061515
commit | commitdiff | tree
DongHun Kwak [Fri, 22 Mar 2019 05:39:46 +0000 (14:39 +0900)]
Add PIE option at python makefile

Change-Id: I4138e7d42a195099781148100220dc1c136d5714

5 years ago[CVE-2019-9636]bpo-36216: Add check for characters in netloc that normalize to separa... 41/201441/1 accepted/tizen/base/20190324.220423 submit/tizen_base/20190314.232856
commit | commitdiff | tree
Steve Dower [Thu, 7 Mar 2019 17:08:45 +0000 (09:08 -0800)]
[CVE-2019-9636]bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201)

Change-Id: I728d96130c1208753eae3f0646aa9cab2b76dd9b
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
5 years agoBump to python 2.7.15 accepted/tizen/base/20190308.035731 submit/tizen_base/20190113.235929 submit/tizen_base/20190114.010229 submit/tizen_base/20190224.234314
commit | commitdiff | tree
DongHun Kwak [Thu, 27 Dec 2018 04:47:48 +0000 (13:47 +0900)]
Bump to python 2.7.15

[Model] All
[BinType] AP
[Customer] OPEN

[Issue#] N/A
[Request] N/A
[Occurrence Version] N/A

[Problem] python version upgrade
[Cause & Measure]
[Checking Method]

[Team] Open Source Management and Setting Part
[Developer] dh0128.kwak
[Solution company] Samsung
[Change Type] N/A

Change-Id: I28e8832b87b20556efd740ce95c0be11c94bc206
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
5 years agoImported Upstream version 2.7.15 50/187350/1 upstream/2.7.15
commit | commitdiff | tree
DongHun Kwak [Wed, 22 Aug 2018 06:55:41 +0000 (15:55 +0900)]
Imported Upstream version 2.7.15

Change-Id: Id9c63619cb3e0b8e0af22357474f6f6429c63c61
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
5 years agoImported Upstream version 2.7.14 49/187349/1 upstream/2.7.14
commit | commitdiff | tree
DongHun Kwak [Wed, 22 Aug 2018 06:55:10 +0000 (15:55 +0900)]
Imported Upstream version 2.7.14

Change-Id: Icfe8dc39f6e866f9cdf059cfd57789fed01f9469
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
7 years agoImported Upstream version 2.7.13 51/138351/1 upstream/2.7.13
commit | commitdiff | tree
DongHun Kwak [Wed, 12 Jul 2017 02:06:20 +0000 (11:06 +0900)]
Imported Upstream version 2.7.13

Change-Id: Ide143efb88a819e2d9b350dbcbbfa75b890f0667
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
7 years agoImported Upstream version 2.7.12 50/138350/1 upstream/2.7.12
commit | commitdiff | tree
DongHun Kwak [Wed, 12 Jul 2017 02:05:55 +0000 (11:05 +0900)]
Imported Upstream version 2.7.12

Change-Id: Id086dcc8e315c8ad61502768ef9b92372461e560
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
7 years agoImported Upstream version 2.7.11 49/138349/1 upstream/2.7.11
commit | commitdiff | tree
DongHun Kwak [Wed, 12 Jul 2017 02:05:38 +0000 (11:05 +0900)]
Imported Upstream version 2.7.11

Change-Id: I6fd1d4f1828aa56cf9e1ece97699852529157243
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
7 years agoImported Upstream version 2.7.10 48/138348/1 upstream/2.7.10
commit | commitdiff | tree
DongHun Kwak [Wed, 12 Jul 2017 02:05:23 +0000 (11:05 +0900)]
Imported Upstream version 2.7.10

Change-Id: I71e04a6e83b31198e3aff21913814359e60b7843
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
7 years agoImported Upstream version 2.7.9 47/138347/1 upstream/2.7.9
commit | commitdiff | tree
DongHun Kwak [Wed, 12 Jul 2017 02:04:35 +0000 (11:04 +0900)]
Imported Upstream version 2.7.9

Change-Id: If7320cd9a5b047aa0471ec569221ef7d9bc978b4
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
9 years agoImported Upstream version 2.7.8 upstream/2.7.8
commit | commitdiff | tree
Chanho Park [Tue, 19 Aug 2014 10:35:08 +0000 (19:35 +0900)]
Imported Upstream version 2.7.8

11 years agoImported Upstream version 2.7.3 upstream/2.7.3
commit | commitdiff | tree
Anas Nashif [Wed, 7 Nov 2012 15:15:08 +0000 (07:15 -0800)]
Imported Upstream version 2.7.3

Domain: System / Base;