gh-98739: Update libexpat from 2.4.9 to 2.5.0 #98742

Merged
merged 2 commits into from Oct 27, 2022

scdub
Contributor

@scdub scdub commented Oct 26, 2022

Based this PR on the recent earlier upgrade at #97006 by @corona10

@bedevere-bot

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@scdub
Contributor Author

scdub commented Oct 27, 2022

@hartwork I'm not sure if there are other changes that you think would be necessary for Python to upgrade to your latest release, but here's a first attempt to get Python synced up. I believe there is a constellation of security fixes which Python will be requiring in the near term (SQLite, OpenSSL, ...) and this could potentially tag along for one of those releases.

@hartwork
Contributor

@scdub I don't really understand your message. Can you maybe rephrase your question for me to better understand?

@hartwork hartwork mentioned this pull request Oct 27, 2022
27 tasks
Contributor

@hartwork hartwork left a comment


Verified using this Dockerfile:

# Copyright (c) 2022 Sebastian Pipping <sebastian@pipping.org>
# Licensed under the Apache License version 2.0

FROM alpine
RUN apk add --update \
            diffutils \
            git \
            sed \
        && \
    git clone --depth 1 https://github.com/python/cpython cpython-main \
        && \
    ( cd cpython-main && git rev-parse HEAD ) \
        && \
    git clone --depth 1 --branch expat-2.5.0 https://github.com/scdub/cpython scdub-expat-2-5-0 \
        && \
    ( cd scdub-expat-2-5-0 && git rev-parse HEAD ) \
        && \
    git config --global advice.detachedHead false \
        && \
    git clone --depth 1 --branch R_2_4_9 https://github.com/libexpat/libexpat libexpat_2_4_9 \
        && \
    git clone --depth 1 --branch R_2_5_0 https://github.com/libexpat/libexpat libexpat_2_5_0 \
        && \
    diff -r -u libexpat_2_4_9/expat/lib/ cpython-main/Modules/expat/ | tee 2-4-9.diff \
        && \
    diff -r -u libexpat_2_5_0/expat/lib/ scdub-expat-2-5-0/Modules/expat/ | tee 2-5-0.diff \
        && \
    sed -e '/^Only in /d' -e '/^\(+++\|---\) /d' -e '/^diff /d' -i 2-4-9.diff 2-5-0.diff \
        && \
    diff -u 2-4-9.diff 2-5-0.diff \
        && \
    echo 'Diff is good.'

@scdub
Contributor Author

scdub commented Oct 27, 2022

> @scdub I don't really understand your message. Can you maybe rephrase your question for me to better understand?

I apologize, I wasn't clear. I noticed that with 2.5.0, there is a new EXPAT_CONFIG_H definition for preventing multiple inclusions and wasn't sure if there were any changes required for pyexpatns.h or they can remain independent approaches.

@hartwork
Contributor

@scdub thanks for elaborating. The added EXPAT_CONFIG_H protection originally came up in relation to refactoring the test suite that triggered compiler warnings on redefining existing macros. I think it can safely be ignored in the context of CPython.

@scdub
Contributor Author

scdub commented Oct 27, 2022

@gpshead I'm not sure if this PR is of interest to you, but saw that you did initiate the work for the previous expat upgrade to 2.4.9.

@gpshead
Member

gpshead commented Oct 27, 2022

Confirmed that these match the libexpat 2.5.0 upstream sources from SHA256(expat-2.5.0.tar.xz)= ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe

with our pyexpatns.h addition and that this adds no new C APIs that need including in that "namespace" header hack.
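
The two checks used in this review, the diff-of-diffs from the Dockerfile and the pinned tarball digest, written out as an added Python example (not code from the PR, CPython or libexpat). The function names are hypothetical and the in-memory source trees are constructed stand-ins, not real libexpat files.

```python
import difflib
import hashlib

# Digest quoted in the review comment above for expat-2.5.0.tar.xz.
PINNED_SHA256 = "ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe"

def archive_matches_pin(blob: bytes, pinned: str = PINNED_SHA256) -> bool:
    """True only if the downloaded release archive has the pinned SHA-256."""
    return hashlib.sha256(blob).hexdigest() == pinned.strip().lower()

def local_delta(upstream: dict, vendored: dict) -> list:
    """Diff lines the vendored tree carries on top of upstream.

    Like `diff -r -u` plus the sed filter: files present in only one tree
    and the ---/+++ file headers are left out.
    """
    delta = []
    for name in sorted(upstream.keys() & vendored.keys()):
        diff = difflib.unified_diff(upstream[name].splitlines(),
                                    vendored[name].splitlines(), lineterm="")
        delta += list(diff)[2:]  # drop the two file-header lines
    return delta

def update_is_clean(old_up, old_vend, new_up, new_vend) -> bool:
    """The update is clean when the local delta is the same before and after."""
    return local_delta(old_up, old_vend) == local_delta(new_up, new_vend)

# Constructed sample trees (file name -> text); stand-ins, not real libexpat sources.
NS = '#include "pyexpatns.h"\n'
HDR = "#ifndef Expat_External_INCLUDED\n#define Expat_External_INCLUDED\n{}/* API */\n#endif\n"

def tree(version, patched):
    files = {"expat_external.h": HDR.format(NS if patched else ""),
             "xmlparse.c": f"/* release {version} */\nint parse(void);\n"}
    if patched:
        files["pyexpatns.h"] = "#define XML_Parse PyExpat_XML_Parse\n"
    return files

OLD_UP, OLD_VEND = tree("2.4.9", False), tree("2.4.9", True)
NEW_UP, NEW_VEND = tree("2.5.0", False), tree("2.5.0", True)
# Same as NEW_VEND but with one line that upstream 2.5.0 does not have.
TAMPERED = dict(NEW_VEND, **{"xmlparse.c": NEW_VEND["xmlparse.c"] + "int extra(void);\n"})

if __name__ == "__main__":
    print("clean update:", update_is_clean(OLD_UP, OLD_VEND, NEW_UP, NEW_VEND))
    print("tampered update:", update_is_clean(OLD_UP, OLD_VEND, NEW_UP, TAMPERED))
    print("constructed blob matches pin:", archive_matches_pin(b"constructed"))
```

Because hunk headers and context lines are part of the compared delta, as they are in the Dockerfile, an upstream change next to the local patch also shows up as a mismatch and needs a manual look.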

@gpshead gpshead merged commit 3e07f82 into python:main Oct 27, 2022
@miss-islington
Contributor

Thanks @scdub for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10, 3.11.
🐍🍒⛏🤖

@bedevere-bot

GH-98784 is a backport of this pull request to the 3.11 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.11 only security fixes label Oct 27, 2022
@bedevere-bot

GH-98785 is a backport of this pull request to the 3.10 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Oct 27, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 27, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <46331011+scdub@users.noreply.github.com>
@bedevere-bot

GH-98786 is a backport of this pull request to the 3.9 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label Oct 27, 2022
@bedevere-bot

GH-98787 is a backport of this pull request to the 3.8 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.8 only security fixes label Oct 27, 2022
@bedevere-bot

GH-98788 is a backport of this pull request to the 3.7 branch.

miss-islington added a commit that referenced this pull request Oct 27, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f82)

Co-authored-by: Shaun Walbridge <46331011+scdub@users.noreply.github.com>
@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot aarch64 Fedora Stable Clang Installed 3.11 has failed when building commit c5f3f29.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/1004/builds/393) and take a look at the build logs.
  4. Check if the failure is related to this commit (c5f3f29) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/1004/builds/393

Failed tests:

  • test_nntplib

Failed subtests:

  • setUpClass - test.test_nntplib.NetworkedNNTP_SSLTests
  • test_with_statement - test.test_nntplib.NetworkedNNTP_SSLTests.test_with_statement

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

416 tests OK.

1 test failed:
test_nntplib

17 tests skipped:
test_asdl_parser test_check_c_globals test_clinic test_devpoll
test_gdb test_ioctl test_kqueue test_launcher test_msilib
test_startfile test_tix test_tk test_ttk_guionly test_winconsoleio
test_winreg test_winsound test_zipfile64

1 re-run test:
test_nntplib

Total duration: 2 min 41 sec

Traceback logs:
Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/test/test_nntplib.py", line 252, in wrapped
    meth(self)
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/test/test_nntplib.py", line 298, in test_with_statement
    if re.search(r'(?i)KEY.TOO.SMALL', ssl_err.reason):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/re/__init__.py", line 176, in search
    return _compile(pattern, flags).search(string)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: expected string or bytes-like object, got 'NoneType'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/test/test_nntplib.py", line 286, in test_with_statement
    server = self.NNTP_CLASS(self.NNTP_HOST, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 1028, in __init__
    super().__init__(host, port, user, password, readermode,
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 337, in __init__
    self.sock = self._create_socket(timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 1034, in _create_socket
    sock = _encrypt_on(sock, self.ssl_context, self.host)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 295, in _encrypt_on
    return context.wrap_socket(sock, server_hostname=hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/ssl.py", line 1075, in _create
    self.do_handshake()
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:992)


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/multiprocessing/resource_tracker.py", line 209, in main
    cache[rtype].remove(name)
KeyError: '/psm_d193db14'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/multiprocessing/resource_tracker.py", line 209, in main
    cache[rtype].remove(name)
KeyError: '/psm_f4548318'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/test/test_nntplib.py", line 335, in setUpClass
    if re.search(r'(?i)KEY.TOO.SMALL', ssl_err.reason):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/re/__init__.py", line 176, in search
    return _compile(pattern, flags).search(string)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: expected string or bytes-like object, got 'NoneType'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/multiprocessing/resource_tracker.py", line 209, in main
    cache[rtype].remove(name)
KeyError: '/psm_5be85ea9'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/test/test_nntplib.py", line 332, in setUpClass
    cls.server = cls.NNTP_CLASS(cls.NNTP_HOST, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 1028, in __init__
    super().__init__(host, port, user, password, readermode,
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 337, in __init__
    self.sock = self._create_socket(timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 1034, in _create_socket
    sock = _encrypt_on(sock, self.ssl_context, self.host)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/nntplib.py", line 295, in _encrypt_on
    return context.wrap_socket(sock, server_hostname=hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/ssl.py", line 1075, in _create
    self.do_handshake()
  File "/home/buildbot/buildarea/3.11.cstratak-fedora-stable-aarch64.clang-installed/build/target/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:992)

ambv pushed a commit that referenced this pull request Oct 28, 2022
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f82)
gvanrossum pushed a commit to gvanrossum/cpython that referenced this pull request Oct 28, 2022
* Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.

Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>