
[kirkstone,1/1] python3-mako: upgrade 1.1.6 -> 1.2.0

Message ID 20221027083541.1757707-1-narpat.mali@windriver.com
State New, archived

Commit Message

nmali Oct. 27, 2022, 8:35 a.m. UTC
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>

Upstream master commit:
https://git.openembedded.org/openembedded-core/commit/?id=f273900e846b8ac416c9d579db32a08c2f34141e

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
 .../python/{python3-mako_1.1.6.bb => python3-mako_1.2.0.bb} | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3-mako_1.1.6.bb => python3-mako_1.2.0.bb} (59%)

Comments

Tim Orling Nov. 1, 2022, 3:17 p.m. UTC | #1
This would break stable policy as it includes new features:

https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.0

1.2.0 <https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.0>
Released: Thu Mar 10 2022

changed <https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.0-changed>

- [changed] [py3k] Corrected “universal wheel” directive in setup.cfg so that building a wheel does not target Python 2. References: #351 <https://github.com/sqlalchemy/mako/issues/351>
- [changed] [py3k] The bytestring_passthrough template argument is removed, as this flag only applied to Python 2.
- [changed] [py3k] With the removal of Python 2’s cStringIO, Mako now uses its own internal FastEncodingBuffer exclusively.
- [changed] [py3k] Removed disable_unicode flag, that’s no longer used in Python 3.
- [changed] Refactored test utilities into mako.testing module. Removed unittest.TestCase dependency in favor of pytest. References: #349 <https://github.com/sqlalchemy/mako/issues/349>
- [changed] [setup] Replaced the use of pkg_resources with the importlib library. For Python < 3.8 the library importlib_metadata is used.
- [changed] [py3k] Removed support for Python 2 and Python 3.6. Mako now requires Python >= 3.7.

bug <https://docs.makotemplates.org/en/latest/changelog.html#change-1.2.0-bug>

- [bug] [py3k] Mako now performs exception chaining using raise from, correctly identifying underlying exception conditions when it raises its own exceptions. Pull request courtesy Ram Rachum.



On Thu, Oct 27, 2022 at 1:38 AM Narpat Mali <narpat.mali@windriver.com>
wrote:

> License-Update: copyright years
> Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
>
> Upstream master commit:
>
> https://git.openembedded.org/openembedded-core/commit/?id=f273900e846b8ac416c9d579db32a08c2f34141e
>
> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> ---
>  .../python/{python3-mako_1.1.6.bb => python3-mako_1.2.0.bb} | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>  rename meta/recipes-devtools/python/{python3-mako_1.1.6.bb =>
> python3-mako_1.2.0.bb} (59%)
>
> diff --git a/meta/recipes-devtools/python/python3-mako_1.1.6.bb
> b/meta/recipes-devtools/python/python3-mako_1.2.0.bb
> similarity index 59%
> rename from meta/recipes-devtools/python/python3-mako_1.1.6.bb
> rename to meta/recipes-devtools/python/python3-mako_1.2.0.bb
> index 71e5d96ba1..11e5f326bd 100644
> --- a/meta/recipes-devtools/python/python3-mako_1.1.6.bb
> +++ b/meta/recipes-devtools/python/python3-mako_1.2.0.bb
> @@ -2,16 +2,18 @@ SUMMARY = "Templating library for Python"
>  HOMEPAGE = "http://www.makotemplates.org/"
>  SECTION = "devel/python"
>  LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=b32291f107a8f1ea94c4a41e00a6a18d"
>
>  PYPI_PACKAGE = "Mako"
>
>  inherit pypi python_setuptools_build_meta
>
> -SRC_URI[sha256sum] =
> "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2"
> +SRC_URI[sha256sum] =
> "9a7c7e922b87db3686210cf49d5d767033a41d4010b284e747682c92bddd8b39"
>
>  RDEPENDS:${PN} = "${PYTHON_PN}-html \
> +                  ${PYTHON_PN}-markupsafe \
>                    ${PYTHON_PN}-netclient \
> +                  ${PYTHON_PN}-pygments \
>                    ${PYTHON_PN}-threading \
>  "
>
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#172188):
> https://lists.openembedded.org/g/openembedded-core/message/172188
> Mute This Topic: https://lists.openembedded.org/mt/94600007/924729
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> ticotimo@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
nmali Nov. 2, 2022, 3:21 p.m. UTC | #2
Hi Tim,

Actually, our product is based on the “kirkstone” branch, in which the current version of python3-mako is 1.1.6.
CVE-2022-40023 has been fixed in python3-mako 1.2.2, and this is the patch available on GitHub: https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c

In the master branch python3-mako has already been upgraded to 1.2.2. We want the CVE-2022-40023 fix to be available on the kirkstone branch, so I have sent patch requests to upgrade python3-mako from 1.1.6 -> 1.2.0, 1.2.0 -> 1.2.1, and 1.2.1 -> 1.2.2.

I have also found that version 1.2.2 doesn’t include any new features, as below.

1.2.2
Released: Mon Aug 29 2022

bug

- [bug] [lexer] Fixed issue in lexer where the regexp used to match tags would not correctly interpret quoted sections individually. While this parsing issue still produced the same expected tag structure later on, the mis-handling of quoted sections was also subject to a regexp crash if a tag had a large number of quotes within its quoted sections. Credit to Sebastian Chnelik for locating the issue.
  As Mako templates inherently render and directly invoke arbitrary Python code from the template source, it is never appropriate to create templates that contain untrusted input.
  References: #366 <https://github.com/sqlalchemy/mako/issues/366>

Shall I just backport the CVE-2022-40023 fix from 1.2.2 onto python3-mako 1.1.6, or what should I do in this case?

Best Regards,
Narpat
Tim Orling Nov. 2, 2022, 10:40 p.m. UTC | #3
On Wed, Nov 2, 2022 at 8:21 AM Narpat Mali <narpat.mali@windriver.com>
wrote:

> Hi Tim,
>
> Actually, our product is based on the “kirkstone” branch, in which the
> current version of python3-mako is 1.1.6.
>
> CVE-2022-40023 has been fixed in python3-mako 1.2.2, and this is the
> patch available on GitHub:
> https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
>
> In the master branch python3-mako has already been upgraded to 1.2.2.
> We want the CVE-2022-40023 fix to be available on the kirkstone branch,
> so I have sent patch requests to upgrade python3-mako from 1.1.6 ->
> 1.2.0, 1.2.0 -> 1.2.1, and 1.2.1 -> 1.2.2.
>
It is the 1.1.6 to 1.2.0 upgrade that adds new “changes”. So either you
make a strong case that the changes do not break ABI or you backport a fix
for the CVEs.

nmali Nov. 10, 2022, 2:30 p.m. UTC | #4
Hi Tim,

I have sent the patch to backport the CVE fix onto python3-mako 1.1.6.

Best Regards,
Narpat

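As an added illustration (not code from the thread, from OE-core or from Wind River), this is the shape the backport alternative Tim asks for takes in a kirkstone recipe: the version stays at 1.1.6, and the upstream commit for CVE-2022-40023 is carried as a patch whose header carries the tag that cve-check reads. The patch file name and the header fields shown in the comments are assumptions; the recipe values are taken from the unchanged side of the hunk on this page.

```bitbake
# Added example, not from the thread: python3-mako_1.1.6.bb on kirkstone with
# the CVE-2022-40023 fix carried as a backport instead of a version bump.
# The patch file name is an assumption.
SUMMARY = "Templating library for Python"
HOMEPAGE = "http://www.makotemplates.org/"
SECTION = "devel/python"
LICENSE = "MIT"
# LIC_FILES_CHKSUM keeps the 1.1.6 value: the backport does not touch the
# LICENSE file, so no License-Update line is needed in the commit message.
LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f"

PYPI_PACKAGE = "Mako"

inherit pypi python_setuptools_build_meta

# The 1.1.6 tarball checksum is unchanged; only a patch is added on top.
SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2"
SRC_URI += "file://CVE-2022-40023.patch"

# Runtime dependencies stay as they were for 1.1.6 (the 1.2.0 bump is what
# added markupsafe and pygments).
RDEPENDS:${PN} = "${PYTHON_PN}-html \
                  ${PYTHON_PN}-netclient \
                  ${PYTHON_PN}-threading \
"

# The patch file (assumed path: python3-mako/CVE-2022-40023.patch next to the
# recipe) carries, above its diff body, the header fields OE tooling reads:
#
#   Upstream-Status: Backport [https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c]
#   CVE: CVE-2022-40023
#   Signed-off-by: <name and address of whoever backports it>
#
# The "CVE:" tag is what cve-check uses to report the CVE as patched while
# PV remains 1.1.6; the diff body is the upstream commit named above.
```

With this shape the stable-branch policy objection in the thread does not arise, because no new features enter the recipe; only the lexer fix does.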

Patch

diff --git a/meta/recipes-devtools/python/python3-mako_1.1.6.bb b/meta/recipes-devtools/python/python3-mako_1.2.0.bb
similarity index 59%
rename from meta/recipes-devtools/python/python3-mako_1.1.6.bb
rename to meta/recipes-devtools/python/python3-mako_1.2.0.bb
index 71e5d96ba1..11e5f326bd 100644
--- a/meta/recipes-devtools/python/python3-mako_1.1.6.bb
+++ b/meta/recipes-devtools/python/python3-mako_1.2.0.bb
@@ -2,16 +2,18 @@  SUMMARY = "Templating library for Python"
 HOMEPAGE = "http://www.makotemplates.org/"
 SECTION = "devel/python"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b32291f107a8f1ea94c4a41e00a6a18d"
 
 PYPI_PACKAGE = "Mako"
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2"
+SRC_URI[sha256sum] = "9a7c7e922b87db3686210cf49d5d767033a41d4010b284e747682c92bddd8b39"
 
 RDEPENDS:${PN} = "${PYTHON_PN}-html \
+                  ${PYTHON_PN}-markupsafe \
                   ${PYTHON_PN}-netclient \
+                  ${PYTHON_PN}-pygments \
                   ${PYTHON_PN}-threading \
 "
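Review bot: this hunk only raises the recipe to 1.2.0, while the fix for CVE-2022-40023 that motivates the series (per the discussion above) landed in 1.2.2, so on its own it does not close that CVE and the commit message carries no CVE reference or stable-branch justification; for kirkstone a backport of the upstream commit with a `CVE:` tag, leaving PV at 1.1.6, is the change reviewers asked for. The two new runtime dependencies `${PYTHON_PN}-markupsafe` and `${PYTHON_PN}-pygments` are also undocumented in the commit message; state which are hard requirements of 1.2.0. The LIC_FILES_CHKSUM change is covered by "License-Update: copyright years", and the SRC_URI[sha256sum] change follows from the new tarball.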