poky: subtree update:03d4d9d68f..52a625582e

Alejandro Enedino Hernandez Samaniego (2):
      documentation: Update multiconfig syntax and explanation on BBMULTICONFIG
      bitbake: bitbake-user-manual: Update multiconfig syntax and explanation of BBMULTICONFIG

Alexander Kanavin (27):
      ethtool, libcap: fix upstream version check
      socat: turn hard readline dependency into an option
      perl: make gdbm optional
      python3: make gdbm optional
      python3: un-break disabling the readline PACKAGECONFIG
      libcheck: split /usr/bin/checkmk into its own package
      iproute2: make elfutils support optional
      bind: do not RDEPEND on bash
      elfutils: do not depend on target libtool
      license.bbclass: split incompatible license check into a helper function
      license_image.bbclass: check and reject packages which have incompatible licenses
      runqemu: unset another environment variable for 'egl-headless'
      gobject-introspection: update to 1.62.0
      glib-2.0: upgrade to 2.62.1
      glib-networking: update to 2.62.1
      epiphany: upgrade 3.32.4 -> 3.34.1
      webkitgtk: update 2.24.4 -> 2.26.1
      gtk-doc: upgrade 1.31 -> 1.32
      libdazzle: upgrade 3.32.3 -> 3.34.1
      libsecret: upgrade 0.19.0 -> 0.19.1
      mpg123: upgrade 1.25.11 -> 1.25.12
      p11-kit: upgrade 0.23.16.1 -> 0.23.18.1
      vala: upgrade 0.44.7 -> 0.46.3
      meson: update to 0.52.0
      libmodulemd-v1: introduce the recipe
      libmodulemd: remove the recipe
      createrepo-c: upgrade to 0.15.1

Alistair Francis (1):
      gdb: Bump from 8.3 to 8.3.1

Bruce Ashfield (2):
      linux-yocto-rt/5.2: update to -rt9
      linux-yocto/5.2: fix strace/ptrace long runtime issues

Changqing Li (1):
      llvm: remove -mlongcall from CXXFLAGS for powerpc

Chen Qi (2):
      python: CVE-2019-16056
      python3: CVE-2019-16056

Christophe PRIOUZEAU (23):
      ovmf: Clarify BSD license variant
      wpa-supplicant: Clarify BSD license variant
      cmake: Clarify BSD license variant
      flex: Clarify BSD license variant
      file: Clarify BSD license variant
      python-async: Clarify BSD license variant
      python-smmap: Clarify BSD license variant
      libtirpc: Clarify BSD license variant
      libarchive: Clarify BSD license variant
      pbzip2: Clarify BSD license variant
      lighttpd: Clarify BSD license variant
      rpcbind: Clarify BSD license variant
      tcp-wrappers: Clarify BSD license variant
      libxpm: Clarify BSD license variant
      libogg: Clarify BSD license variant
      libvorbis: Clarify BSD license variant
      libtheora: Clarify BSD license variant
      speex: Clarify BSD license variant
      speexdsp: Clarify BSD license variant
      libwebp: Clarify BSD license variant
      libpcre: Clarify BSD license variant
      p11-kit: Clarify BSD license variant
      libpcap: Clarify BSD license variant

David Reyna (1):
      bitbake: toaster: Enable Zeus branch in place of Thud

Jaewon Lee (1):
      devtool/standard.py: Not filtering devtool workspace for devtool finish

Joerg Vehlow (1):
      runqemu: Remove disabling of high resolution timer

Kai Kang (1):
      dnf.py: check busybox for case test_dnf_installroot

Khem Raj (7):
      musl: Update to latest
      qemu: Add ppc64 to QEMU_TARGETS
      ghostscript: Disable libpaper
      perl: Handle PACKAGES_DYNAMIC for perl-native
      gnu-efi: Do not use gcc-only options when building with clang
      llvm: Update to 9.0.0
      glib-2.0: Fix build with clang compiler

Martin Jansa (1):
      kernel-devicetree.bbclass: add missing backslash

Maxime Roussin-Bélanger (4):
      meta: add missing some description in devtools
      meta: simplify over descriptive descriptions in devtools
      shadow: update homepage and bugtracker
      meta: add missing description in recipes-extended

Michael Cooper (1):
      wic/direct: Partition numbering is broken for MBR primary partition #4

Michael Halstead (1):
      uninative: Update to 2.7 release

Peiran Hong (1):
      dbus: Change path of system_bus_socket from /var/run/dbus/ to /run/dbus/

Philip Balister (1):
      oe.svg: Copy artwork from openembedded-classic.

Richard Purdie (8):
      layer.conf: Update for zeus series
      layer.conf: Update for zeus series
      bitbake: bitbake: Update to version 1.44.0
      poky.conf: Bump version for 3.0 zeus release
      build-appliance-image: Update to master head revision
      scripts/gen-lockedsig-cache: Don't list paths which don't exist
      readline-native: Fix builds on tumbleweed
      build-appliance-image: Update to master head revision

Ross Burton (15):
      meson: fix RDEPENDS
      meson: update patch status
      meson: fix cross detection
      systemd: don't install udev.pc manually
      systemd: don't install systemd-hwdb-update.service
      insane: add check for perllocal.pod
      ref-system-requirements: update support distribution list
      toolchain-scripts: export READELF
      harfbuzz: add PACKAGECONFIGs for all the optional dependencies
      oeqa/sdk: improve Meson test
      pango: remove obsolete libtool FILES
      bluez5: add needed character encoding for ptests
      oeqa/selftest/imagefeatures: improve test_hypervisor_fmts
      poky: add Ubuntu 19.04 as a supported distribution
      kernel-dev: don't use _append +=

Trevor Gamblin (3):
      watchdog: fix PIDFile path in existing patch
      lib/oe/terminal.py: fix gnome-terminal start behavior
      systemd.bbclass: add RMINITDIR for nativesdk builds

Zang Ruochen (8):
      libpcap:upgrade 1.9.0 -> 1.9.1
      sqlite3:upgrade 3.29 -> 3.30
      expat:upgrade 2.2.8 -> 2.2.9
      librepo:upgrade 1.10.5 -> 1.10.6
      msmtp:upgrade 1.8.5 -> 1.8.6
      libxfont2:upgrade 2.0.3 -> 2.0.4
      fribidi:upgrade 1.0.5 -> 1.0.7
      iso-codes:upgrade 4.3 -> 4.4

Change-Id: I15802c5814d0dbfd90f16d392dbd975f917a8032
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/poky/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/poky/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
new file mode 100644
index 0000000..319e7ed
--- /dev/null
+++ b/poky/meta/recipes-devtools/python/python3/0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
@@ -0,0 +1,132 @@
+From 90d56127ae15b1e452755e62c77dc475dedf7161 Mon Sep 17 00:00:00 2001
+From: jpic <jpic@users.noreply.github.com>
+Date: Wed, 17 Jul 2019 23:54:25 +0200
+Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079)
+
+Before:
+
+ >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
+ (Address(display_name='', username='a', domain='malicious.org'),)
+
+ >>> parseaddr('a@malicious.org@important.com')
+ ('', 'a@malicious.org')
+
+ After:
+
+ >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
+ (Address(display_name='', username='', domain=''),)
+
+ >>> parseaddr('a@malicious.org@important.com')
+ ('', 'a@')
+
+https://bugs.python.org/issue34155
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
+
+CVE: CVE-2019-16056
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Lib/email/_header_value_parser.py | 2 ++
+ Lib/email/_parseaddr.py | 11 ++++++++++-
+ Lib/test/test_email/test__header_value_parser.py | 10 ++++++++++
+ Lib/test/test_email/test_email.py | 14 ++++++++++++++
+ .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 +
+ 5 files changed, 37 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
+index fc00b4a098..bbc026ec71 100644
+--- a/Lib/email/_header_value_parser.py
++++ b/Lib/email/_header_value_parser.py
+@@ -1582,6 +1582,8 @@ def get_domain(value):
+ token, value = get_dot_atom(value)
+ except errors.HeaderParseError:
+ token, value = get_atom(value)
++ if value and value[0] == '@':
++ raise errors.HeaderParseError('Invalid Domain')
+ if leader is not None:
+ token[:0] = [leader]
+ domain.append(token)
+diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
+index cdfa3729ad..41ff6f8c00 100644
+--- a/Lib/email/_parseaddr.py
++++ b/Lib/email/_parseaddr.py
+@@ -379,7 +379,12 @@ class AddrlistClass:
+ aslist.append('@')
+ self.pos += 1
+ self.gotonext()
+- return EMPTYSTRING.join(aslist) + self.getdomain()
++ domain = self.getdomain()
++ if not domain:
++ # Invalid domain, return an empty address instead of returning a
++ # local part to denote failed parsing.
++ return EMPTYSTRING
++ return EMPTYSTRING.join(aslist) + domain
+
+ def getdomain(self):
+ """Get the complete domain name from an address."""
+@@ -394,6 +399,10 @@ class AddrlistClass:
+ elif self.field[self.pos] == '.':
+ self.pos += 1
+ sdlist.append('.')
++ elif self.field[self.pos] == '@':
++ # bpo-34155: Don't parse domains with two `@` like
++ # `a@malicious.org@important.com`.
++ return EMPTYSTRING
+ elif self.field[self.pos] in self.atomends:
+ break
+ else:
+diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
+index 693487bc96..7dc4de1b7b 100644
+--- a/Lib/test/test_email/test__header_value_parser.py
++++ b/Lib/test/test_email/test__header_value_parser.py
+@@ -1438,6 +1438,16 @@ class TestParser(TestParserMixin, TestEmailBase):
+ self.assertEqual(addr_spec.domain, 'example.com')
+ self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
+
++ def test_get_addr_spec_multiple_domains(self):
++ with self.assertRaises(errors.HeaderParseError):
++ parser.get_addr_spec('star@a.star@example.com')
++
++ with self.assertRaises(errors.HeaderParseError):
++ parser.get_addr_spec('star@a@example.com')
++
++ with self.assertRaises(errors.HeaderParseError):
++ parser.get_addr_spec('star@172.17.0.1@example.com')
++
+ # get_obs_route
+
+ def test_get_obs_route_simple(self):
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
+index c29cc56203..aa775881c5 100644
+--- a/Lib/test/test_email/test_email.py
++++ b/Lib/test/test_email/test_email.py
+@@ -3041,6 +3041,20 @@ class TestMiscellaneous(TestEmailBase):
+ self.assertEqual(utils.parseaddr('<>'), ('', ''))
+ self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
+
++ def test_parseaddr_multiple_domains(self):
++ self.assertEqual(
++ utils.parseaddr('a@b@c'),
++ ('', '')
++ )
++ self.assertEqual(
++ utils.parseaddr('a@b.c@c'),
++ ('', '')
++ )
++ self.assertEqual(
++ utils.parseaddr('a@172.17.0.1@c'),
++ ('', '')
++ )
++
+ def test_noquote_dump(self):
+ self.assertEqual(
+ utils.formataddr(('A Silly Person', 'person@dom.ain')),
+diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+new file mode 100644
+index 0000000000..50292e29ed
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+@@ -0,0 +1 @@
++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
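
Review bot: The "After" example in the embedded patch header disagrees with the tests added further down in the same patch. The header shows parseaddr('a@malicious.org@important.com') returning ('', 'a@'), while test_parseaddr_multiple_domains asserts ('', '') for 'a@b@c', 'a@b.c@c' and 'a@172.17.0.1@c', which is what the new "if not domain: return EMPTYSTRING" branch in getaddrspec yields once getdomain bails out on the second '@'. Anyone triaging CVE-2019-16056 against this recipe reads the header first, so a short note under Upstream-Status stating that the merged behaviour is an empty address would avoid confusion. Separately, that early return in getaddrspec fires for any empty domain, not only the double-'@' case, and the added tests cover only the latter; a parseaddr case with a local part followed by '@' and no domain would pin that behaviour down.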