-
-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
year 2038 problem in compileall.py #79171
Comments
To reproduce: File "/usr/lib64/python3.6/compileall.py", line 198, in compile_path It could use either |
With 3.8a Traceback (most recent call last):
File "/home/stephane/src/github.com/python/cpython/Lib/runpy.py", line 192, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/home/stephane/src/github.com/python/cpython/Lib/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/home/stephane/src/github.com/python/cpython/Lib/compileall.py", line 326, in <module>
exit_status = int(not main())
File "/home/stephane/src/github.com/python/cpython/Lib/compileall.py", line 303, in main
if not compile_file(dest, args.ddir, args.force, args.rx,
File "/home/stephane/src/github.com/python/cpython/Lib/compileall.py", line 142, in compile_file
expect = struct.pack('<4sll', importlib.util.MAGIC_NUMBER,
struct.error: 'l' format requires -2147483648 <= number <= 2147483647 |
But until 2038, maybe there will be a new format for the .pyc file. We should keep this issue and try to fix it for 3.8 or 3.9? |
It does not need to be fixed tomorrow, but 2037 is too late, because by then there will be a lot of legacy systems around. |
Timestamp with year >= 2038 are accepted: importlib._bootstrap_external._code_to_timestamp_pyc() uses (int(x) & 0xFFFFFFFF). It's not a bug, but by design. compileall should just do the same. Sorry, I don't know if it's specified somewhere, but I know that it's done on purpose. |
So we need to fix compileall.py. maybe we could add the label 'easy' to this issue. |
A reproducer in Python that can be added to test_compileall if needed : def test_compile_all_2038(self):
with open(self.source_path, 'r') as f:
os.utime(f.name, (2147558400, 2147558400)) # Jan 20, 2038 as touch
self.assertTrue(compileall.compile_file(pathlib.Path(self.source_path))) ./python.exe -m unittest -v test.test_compileall.CompileallTestsWithSourceEpoch.test_compile_all_2038 ====================================================================== Traceback (most recent call last):
File "/Users/karthikeyansingaravelan/stuff/python/cpython/Lib/test/test_py_compile.py", line 30, in wrapper
return fxn(*args, **kwargs)
File "/Users/karthikeyansingaravelan/stuff/python/cpython/Lib/test/test_compileall.py", line 114, in test_compile_all_2038
self.assertTrue(compileall.compile_file(pathlib.Path(self.source_path)))
File "/Users/karthikeyansingaravelan/stuff/python/cpython/Lib/compileall.py", line 142, in compile_file
expect = struct.pack('<4sll', importlib.util.MAGIC_NUMBER,
struct.error: 'l' format requires -2147483648 <= number <= 2147483647 Thanks |
Victor seems there was some discussion about 2038 problem in the original PR but I don't know if it's related to this. Reference : #4575 (comment) Thanks |
ping. I'd still like to see progress on this, because this hinders my other y2038 bug discovery work. |
I would prefer to mimick importlib._bootstrap_external which uses: def _pack_uint32(x):
"""Convert a 32-bit integer to little-endian."""
return (int(x) & 0xFFFFFFFF).to_bytes(4, 'little') Using 64-bit timestamp (PR 19651), treat timestamp as unsigned (PR 9892 and PR 19708) have drawback:
"& 0xFFFFFFFF" looks dead simple, uses a fixed size of 4 bytes and doesn't have any limitation of year 2038. The timestamp doesn't have to be exact. In practice, it sounds very unlikely that two timestamps are equal when compared using (ts1 & 0xFFFFFFFF) == (ts2 & 0xFFFFFFFF). I expect file modification times to be close by a few days, not separated by 2**32 seconds (136 years). Use hash based .pyc to avoid any issuse with file modification time: it should make Python more deterministic (more "reproducible"). |
https://build.opensuse.org/request/show/1000772 by user StevenK + dimstar_suse - Add patch CVE-2021-28861-double-slash-path.patch: * http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. (bsc#1202624, CVE-2021-28861) - Add bpo34990-2038-problem-compileall.patch making compileall.py compliant with year 2038 (bsc#1202666, gh#python/cpython#79171), backport of fix to Python 3.8. - Add conditional for requiring rpm-build-python, so we should be compilable on SLE/Leap.
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: