There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".
Solve this by adding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.
Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2
Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.
(From OE-Core rev: 8659e3537facbf3f5f5a5080137be4d9faf9c970)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
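Added example, not OE-Core's cve-check implementation: it shows why matching a recipe's CVEs on the CPE product field alone produces the two false positives above, and how a vendor:product key (the shape OE-Core's CVE_PRODUCT accepts) removes them. The two microsoft:python CPE strings are the ones quoted in the commit message; the python:python entry and the database dict are constructed for comparison, and the CPE parser is a plain illustration of the CPE 2.3 field layout.

```python
"""Added example, not OE-Core's cve-check code: product-only vs vendor:product
CVE matching on CPE 2.3 strings."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str        # 'a' application, 'o' OS, 'h' hardware
    vendor: str
    product: str
    version: str
    target_sw: str


def parse_cpe23(cpe: str) -> Cpe:
    """Split a CPE 2.3 formatted string into its 13 fields.

    A literal ':' inside a field is escaped as '\\:', so splitting on every
    colon would mis-assign fields; this splits on unescaped colons only.
    """
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped character, keep it verbatim
            cur.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    # field order: cpe, 2.3, part, vendor, product, version, update, edition,
    #              language, sw_edition, target_sw, target_hw, other
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4],
               version=fields[5], target_sw=fields[10])


def cve_product_matches(cpe: Cpe, cve_product: str) -> bool:
    """cve_product is 'product' (any vendor, the old behaviour) or 'vendor:product'."""
    if ":" in cve_product:
        vendor, product = cve_product.split(":", 1)
    else:
        vendor, product = "*", cve_product
    return cpe.product == product and vendor in ("*", cpe.vendor)


# Constructed CVE database excerpt: the two VS Code extension CVEs quoted in the
# commit message plus one CPython-style entry (no real CVE ID attached to it).
CVE_DB = {
    "CVE-2020-1171": "cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:*",
    "CVE-2020-1192": "cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:*",
    "constructed-cpython-entry": "cpe:2.3:a:python:python:3.13.3:*:*:*:*:*:*:*",
}


def applicable_cves(cve_products) -> list:
    """CVE IDs whose CPE matches any of the recipe's CVE_PRODUCT entries.
    A recipe may list several, e.g. both historical vendors seen in the DB."""
    return sorted(cve_id for cve_id, cpe in CVE_DB.items()
                  if any(cve_product_matches(parse_cpe23(cpe), p) for p in cve_products))


if __name__ == "__main__":
    print("CVE_PRODUCT = python         ->", applicable_cves(["python"]))
    print("CVE_PRODUCT = python:python  ->", applicable_cves(["python:python"]))
```

Because the historical data above also shows a `python_software_foundation` vendor, a recipe keying on vendor should list every vendor string NVD has used for the product, otherwise real entries under the second vendor are silently dropped.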
libnsl2 and libtirpc were build dependencies for the nis module.
The nis module was deprecated in Python 3.11 and removed in Python 3.13.
(From OE-Core rev: cbc7b1ed7747ef69d8bcbaee27c90560ded713d6)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273
Upstream-patch:
d8390feaa9250a6d1797
(From OE-Core rev: cfb2d77f841ae21cae0ba7d6263dc3e1e0280400)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
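Added example, not setuptools code: the pattern behind a PackageIndex-style path traversal (a file name derived from an attacker-influenced URL is joined onto a download directory) next to a hardened version that accepts only a plain file name and verifies the resolved path stays inside the directory. The URLs and the download directory are constructed.

```python
"""Added example, not setuptools code: download-name path traversal and its fix."""

import os
import posixpath
from urllib.parse import unquote, urlsplit


def filename_from_url(url: str) -> str:
    """Last path component of the URL, percent-decoded. This is the step that
    becomes dangerous when trusted: %2F decodes to '/' and '..' survives."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def unsafe_target_path(download_dir: str, url: str) -> str:
    """Vulnerable pattern: join the decoded name straight onto the directory."""
    return os.path.join(download_dir, filename_from_url(url))


def safe_target_path(download_dir: str, url: str) -> str:
    """Hardened: accept only a plain file name, then confirm containment."""
    name = filename_from_url(url)
    if (not name or name in (".", "..") or "/" in name or "\\" in name
            or "\x00" in name):
        raise ValueError(f"refusing suspicious download name {name!r}")
    # After the checks above os.path.join cannot climb, but still verify the
    # resolved path: download_dir itself may contain an unexpected symlink.
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, posixpath.basename(name)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{target!r} resolves outside {base!r}")
    return target


def escapes(download_dir: str, target: str) -> bool:
    """True if target resolves outside download_dir (the traversal condition)."""
    base = os.path.realpath(download_dir)
    return os.path.commonpath([base, os.path.realpath(target)]) != base


def accepted(download_dir: str, url: str) -> bool:
    """Whether the hardened version accepts the URL's file name."""
    try:
        safe_target_path(download_dir, url)
        return True
    except ValueError:
        return False
```

The write happens with the privileges of the process running the build, which is why the advisory text above rates this as potential code execution: a name such as `..%2F..%2Fetc%2Fcron.d%2Fjob` lands wherever the build user may write.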
urllib3 is a user-friendly HTTP client library for Python. Prior
to 2.5.0, urllib3 does not control redirects in browsers and
Node.js. urllib3 supports being used in a Pyodide runtime utilizing
the JavaScript Fetch API or falling back on XMLHttpRequest. This
means Python libraries can be used to make HTTP requests from a
browser or Node.js. Additionally, urllib3 provides a mechanism to
control redirects, but the retries and redirect parameters are
ignored with Pyodide; the runtime itself determines redirect
behavior. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50182
Upstream patch:
7eb4a2aafe
(From OE-Core rev: 082b865d9814e7e7aca4466551a035199aa8b563)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disables redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181
Upstream patch:
f05b132912
(From OE-Core rev: 819273b5b8b9279c01035cb72377fd8cbb51a198)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
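Added example, not urllib3 code: a minimal redirect-following client whose redirect limit is honoured on every path, plus a per-hop check of where a redirect points. It models the situation in the two advisories above: an application that disables redirects to mitigate SSRF or open redirects is protected only if the client actually obeys that setting. The site map and `fetch` function are constructed and nothing is sent over the network; the `RedirectPolicy` names are this example's own, not urllib3's API.

```python
"""Added example, not urllib3 code: redirect policy that is actually enforced."""

from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class TooManyRedirects(Exception):
    pass


class RedirectBlocked(Exception):
    pass


@dataclass
class RedirectPolicy:
    max_redirects: int = 3            # 0 disables following redirects entirely
    raise_on_redirect: bool = False   # True: error at the limit; False: return the 3xx
    allow_internal_targets: bool = False  # SSRF guard on redirect destinations


def is_internal_host(url: str) -> bool:
    """Literal loopback/private/link-local/reserved IPs and 'localhost'.
    No DNS is done, so a public name resolving to an internal address is not
    caught here; a real client must check the resolved address as well."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def request(fetch, url: str, policy: RedirectPolicy):
    """fetch(url) -> (status, headers, body). Returns (final_url, status, body, hops)."""
    hops = []
    while True:
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return url, status, body, hops
        if len(hops) >= policy.max_redirects:
            if policy.raise_on_redirect:
                raise TooManyRedirects(f"{url} redirected after {len(hops)} hops")
            return url, status, body, hops        # hand the 3xx back unfollowed
        target = urljoin(url, location)
        if not policy.allow_internal_targets and is_internal_host(target):
            raise RedirectBlocked(f"{url} -> {target} points at an internal address")
        hops.append(target)
        url = target


# Constructed responses (not captured traffic): a public host with a harmless
# 301 and an open redirector bouncing to a cloud-metadata style address.
CONSTRUCTED_SITE = {
    "https://public.example/a": (301, {"Location": "/b"}, b""),
    "https://public.example/b": (200, {}, b"hello"),
    "https://public.example/redir": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"constructed-metadata"),
}


def constructed_fetch(url):
    return CONSTRUCTED_SITE[url]


def outcome(url: str, policy: RedirectPolicy, fetch=constructed_fetch) -> str:
    """Summarise a request as 'ok:<status>:<hops>', 'blocked' or 'too-many'."""
    try:
        _, status, _, hops = request(fetch, url, policy)
        return f"ok:{status}:{len(hops)}"
    except RedirectBlocked:
        return "blocked"
    except TooManyRedirects:
        return "too-many"
```

The check worth keeping from this: after configuring a client to not follow redirects, confirm against a known redirecting endpoint that the 3xx comes back to the caller (or raises) rather than the body of the redirect target. The advisories above describe exactly the case where that confirmation would have failed.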
Refresh patches.
* https://www.python.org/downloads/release/python-3134/
Security content in this release
* gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
[CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
tarfile extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
* gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
non-“strict” error handler.
* gh-128840: Short-circuit the processing of long IPv6 addresses early
in ipaddress to prevent excessive memory consumption and a minor
denial-of-service.
gh-133767 meanwhile got CVE-2025-4516 assigned.
(From OE-Core rev: 55a9cd748531c75d46f5d6d53af692a38c6b6716)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
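Added example, not CPython's tarfile filter code: a stateful pre-extraction audit of tar members covering the bypass classes the release notes above name (crafted symlinks and hard links). A per-member filter sees one member at a time; this auditor additionally remembers which archive paths are symlinks so that a later member cannot be routed through one. The archive is constructed in memory. `check()` can be wrapped as a `filter=` callable for `extractall()` on Python versions with extraction-filter support (3.12+, and the security releases the feature was backported to).

```python
"""Added example, not CPython's tarfile filters: audit tar members for
traversal, escaping link targets and paths routed through archive symlinks."""

import io
import posixpath
import tarfile


class UnsafeMember(ValueError):
    pass


def climbs_out(path: str) -> bool:
    """True if a POSIX path, once normalised, leaves its starting directory."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


class ArchiveAuditor:
    def __init__(self):
        self.symlinks = set()    # normalised archive paths known to be symlinks

    def _through_symlink(self, path: str) -> bool:
        """Does any prefix of path (including path itself, i.e. overwriting a
        symlink) name a symlink seen earlier in the archive?"""
        parts = posixpath.normpath(path).split("/")
        return any("/".join(parts[:i]) in self.symlinks for i in range(1, len(parts) + 1))

    def check(self, member: tarfile.TarInfo) -> tarfile.TarInfo:
        name = member.name
        if climbs_out(name):
            raise UnsafeMember(f"{name}: escapes destination")
        if member.isdev():
            raise UnsafeMember(f"{name}: device or fifo node")
        if self._through_symlink(name):
            raise UnsafeMember(f"{name}: passes through an archive symlink")
        if member.issym():
            # a symlink target is relative to the member's own directory
            target = posixpath.join(posixpath.dirname(name), member.linkname)
            if posixpath.isabs(member.linkname) or climbs_out(target):
                raise UnsafeMember(f"{name} -> {member.linkname}: link target escapes destination")
            if self._through_symlink(target):
                raise UnsafeMember(f"{name} -> {member.linkname}: link target passes through an archive symlink")
            self.symlinks.add(posixpath.normpath(name))
        elif member.islnk():
            # a hard link target is an archive-relative path to another member
            if posixpath.isabs(member.linkname) or climbs_out(member.linkname):
                raise UnsafeMember(f"{name} => {member.linkname}: link target escapes destination")
            if self._through_symlink(member.linkname):
                raise UnsafeMember(f"{name} => {member.linkname}: link target passes through an archive symlink")
        return member

    def as_filter(self):
        """Adapter for TarFile.extractall(filter=...): (member, dest_path) -> member."""
        return lambda member, dest_path: self.check(member)


def audit(tar_bytes: bytes) -> dict:
    """{member name: 'ok' | reason} in archive order. A real extraction should
    stop at the first rejection; this reports every member for inspection."""
    verdicts, auditor = {}, ArchiveAuditor()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            try:
                auditor.check(member)
                verdicts[member.name] = "ok"
            except UnsafeMember as exc:
                verdicts[member.name] = str(exc)
    return verdicts


def build_constructed_archive() -> bytes:
    """Constructed archive: one benign file, three hostile links, and a file
    routed through a symlink that on its own looks harmless."""
    def add(tf, name, typ=tarfile.REGTYPE, linkname="", data=b""):
        info = tarfile.TarInfo(name)
        info.type, info.linkname, info.size = typ, linkname, len(data)
        tf.addfile(info, io.BytesIO(data))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        add(tf, "pkg/README", data=b"hello\n")
        add(tf, "pkg/out", tarfile.SYMTYPE, "../../outside")    # climbs out of dest
        add(tf, "pkg/tmp", tarfile.SYMTYPE, "/tmp")             # absolute target
        add(tf, "pkg/alias", tarfile.SYMTYPE, ".")              # stays inside: allowed...
        add(tf, "pkg/alias/evil")                                # ...writing through it is not
        add(tf, "pkg/hl", tarfile.LNKTYPE, "../etc/passwd")     # hard link climbing out
    return buf.getvalue()
```

Run the audit before extracting untrusted archives even on a patched interpreter: it costs one pass over the member list and gives a reason per rejected member, which the interpreter's own filter error does not.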
Even with our fixes in deterministic_imports.patch the
importlib.metadata package scan was still returning Distribution objects
for empty directories. This interacts badly with rebuilds when recipes
are changing as when a recipe is removed from the sysroot directories
are not removed[1].
In particular this breaks python3-meson-python-native rebuilds when
Meson upgrades from 1.7 to 1.8: the site-packages directory has an empty
meson-1.7.dist-info/ and populated meson-1.8.dist-info/. Whilst it's
deterministic to return the empty 1.7 first, this breaks pypa/build as
it looks through the distributions in order.
We had discussed this with upstream previously and there's a more
comprehensive fix upstream (actually in importlib_metadata, not cpython)
which ensures that valid distribution objects are listed first. So we
can drop our patch and replace it with a backport to fix these rebuilds.
[1] oe-core 4f94d929639 ("sstate/staging: Handle directory creation race issue")
(From OE-Core rev: 73de8daa6293403f5b92d313af32882c47bce396)
(From OE-Core rev: 1c1b651038e15445c495d87c38beeb92f00d9919)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
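Added example, not OE-Core's patch or importlib_metadata's code: it reproduces the state described above (an empty meson-1.7.dist-info/ left beside a populated meson-1.8.dist-info/) in a temporary site-packages directory and shows how to tell valid distributions from empty shells, given that importlib.metadata.distributions() yields a Distribution object for both. The directory layout and METADATA contents are constructed.

```python
"""Added example: detect empty *.dist-info shells that importlib.metadata
still reports as distributions."""

import email
import importlib.metadata
import os
import tempfile


def count_reported(site_dir: str) -> int:
    """How many Distribution objects importlib.metadata yields for site_dir."""
    return sum(1 for _ in importlib.metadata.distributions(path=[site_dir]))


def scan_site_packages(site_dir: str):
    """Return (valid, empty).

    valid: sorted (Name, Version) of distributions whose dist-info actually
           carries METADATA (or legacy PKG-INFO), read via importlib.metadata.
    empty: sorted basenames of *.dist-info / *.egg-info directories with
           neither file, found by a plain directory walk so the two views can
           be compared. Only read_text() is used, not Distribution.metadata,
           whose behaviour on an empty directory differs between Python versions.
    """
    valid = []
    for dist in importlib.metadata.distributions(path=[site_dir]):
        text = dist.read_text("METADATA") or dist.read_text("PKG-INFO")
        if text is None:
            continue                     # empty shell: skip it rather than trust it
        msg = email.message_from_string(text)
        valid.append((msg["Name"], msg["Version"]))
    empty = sorted(
        entry.name for entry in os.scandir(site_dir)
        if entry.is_dir()
        and entry.name.endswith((".dist-info", ".egg-info"))
        and not any(os.path.exists(os.path.join(entry.path, f))
                    for f in ("METADATA", "PKG-INFO")))
    return sorted(valid), empty


def make_constructed_site() -> str:
    """Temporary site-packages mimicking the rebuild state in the commit message."""
    site = tempfile.mkdtemp(prefix="site-packages-")
    os.makedirs(os.path.join(site, "meson-1.7.dist-info"))       # stale, empty
    new = os.path.join(site, "meson-1.8.dist-info")
    os.makedirs(new)
    with open(os.path.join(new, "METADATA"), "w", encoding="utf-8") as fh:
        fh.write("Metadata-Version: 2.1\nName: meson\nVersion: 1.8.0\n")
    return site
```

The `empty` list is the useful output for a sysroot check: any directory it names is exactly the leftover that confuses a consumer walking distributions in order.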
Since 3.51.0, python3-pygobject depends on libgirepository 2.0 provided
by glib-2.0 instead of libgirepository 1.0 provided by
gobject-introspection[1]. It still needs the typelib files from
libgirepository-1.0 package. Add gobject-introspection as a runtime
dependency.
Fixes:
$ python3
Python 3.13.2 (main, Feb 4 2025, 14:51:09) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gi
>>> from gi.repository import Gtk
Traceback (most recent call last):
File "/usr/lib64/python3.13/site-packages/gi/importer.py", line 139, in create_module
introspection_module = get_introspection_module(namespace)
File "/usr/lib64/python3.13/site-packages/gi/module.py", line 243, in get_introspection_module
module = IntrospectionModule(namespace, version)
File "/usr/lib64/python3.13/site-packages/gi/module.py", line 111, in __init__
repository.require(namespace, version)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
gi.RepositoryError: Typelib file for namespace 'xlib', version '2.0' not found
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<python-input-1>", line 1, in <module>
from gi.repository import Gtk
File "/usr/lib64/python3.13/site-packages/gi/importer.py", line 141, in create_module
raise ImportError(e) from e
ImportError: Typelib file for namespace 'xlib', version '2.0' not found
[1] https://gitlab.gnome.org/GNOME/pygobject/-/merge_requests/320
(From OE-Core rev: 6f9e02292c9305e795f2651c3bb6ef5b671e1c74)
(From OE-Core rev: e3fa9ef3239e8bc113e211f5258f84d08284872a)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To adapt to the user's network environment, buildtools should first try to use
the user-configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these
envs are not set, then use the auto-detected CA file and CA path, and
finally use the CA certificates in buildtools.
nativesdk-openssl sets OPENSSLDIR to "/not/builtin"; SSL_CERT_FILE/SSL_CERT_DIR need to be set for it to work.
nativesdk-curl doesn't set a default CA file; it needs
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work.
nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also work.
nativesdk-python3-requests uses cacert.pem from the python module certifi by
default; REQUESTS_CA_BUNDLE needs to be set.
(From OE-Core rev: 0d5f241eee19c0dff9f9f59949485414935edaa2)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Here is one testcase:
For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1],
do_configure[network] = "1"
and it will git clone some repos in CMakeLists.txt
When buildtools is used and nativesdk-git is installed into sdk,
do_configure failed with error:
[1/9] Performing download step (git clone) for 'protobuf-populate'
Cloning into 'protobuf'...
fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
Fix by adding GIT_SSL_CAINFO to BB_ENV_PASSTHROUGH_ADDITIONS, so that
users can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their
do_configure:prepend() to fix the above do_configure failure.
CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE are similar envvars, so add them all
to BB_ENV_PASSTHROUGH_ADDITIONS.
[1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
(From OE-Core rev: 5fa8cb40395977722d0d5a2271c8044598fb1f01)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git, curl and python3-requests align with openssl: move the setting of
envvars into the respective envfiles
* for environment.d-openssl.sh, also check that ca-certificates.crt exists
before exporting the envvars
(From OE-Core rev: 5c915fcada5868bdbb8aa3e28c18a26cfc41914f)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
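Added example, not OE-Core's environment.d scripts: the CA bundle precedence the three commit messages above describe (user-configured variables first, then an auto-detected host bundle, then the SDK's own bundle, which must exist before it is exported), plus the per-tool variables that make openssl, curl, git and python3-requests agree on one bundle. The host paths are well-known distro locations rather than something taken from the commits, the SDK path is constructed, and `exists` is injectable so the logic can be exercised against a constructed file set without touching the real filesystem.

```python
"""Added example, not OE-Core code: resolve which CA bundle an SDK shell
should export, and to which tool-specific variables."""

import os

# Common distro bundle locations: Debian/Ubuntu, RHEL/Fedora, SUSE, Alpine/BSD.
HOST_CA_FILES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
    "/etc/ssl/cert.pem",
)

# Variables a user may have set for their own network; any one of them counts
# as "configured" and is honoured as-is.
USER_CA_VARS = ("SSL_CERT_FILE", "CURL_CA_BUNDLE", "GIT_SSL_CAINFO", "REQUESTS_CA_BUNDLE")


def resolve_ca_file(env, sdk_ca_file, host_candidates=HOST_CA_FILES, exists=os.path.isfile):
    """Return (source, path): source is the env var name, 'host', 'sdk' or None."""
    for var in USER_CA_VARS:
        if env.get(var):
            return var, env[var]          # explicit configuration wins; never silently replace it
    for candidate in host_candidates:
        if exists(candidate):
            return "host", candidate
    if exists(sdk_ca_file):             # the environment.d check: only export what exists
        return "sdk", sdk_ca_file
    return None, None


def ca_environment(ca_file, env=None):
    """Variables to export so every SDK tool uses ca_file:
    openssl (OPENSSLDIR is /not/builtin in nativesdk-openssl) -> SSL_CERT_FILE,
    curl -> CURL_CA_BUNDLE, git (via libcurl) -> GIT_SSL_CAINFO,
    requests (otherwise certifi's cacert.pem) -> REQUESTS_CA_BUNDLE.
    Variables the user already set are left alone."""
    env = env or {}
    return {var: ca_file for var in USER_CA_VARS if not env.get(var)}


def sdk_environment(env, sdk_ca_file, **kwargs):
    """Full resolution: pick the bundle, then compute the exports; {} if none usable."""
    source, ca_file = resolve_ca_file(env, sdk_ca_file, **kwargs)
    return {} if ca_file is None else ca_environment(ca_file, env)
```

The last branch is the one that matters for trust: when a user has configured one tool's variable, propagating that same bundle to the other tools keeps the whole SDK on a single trust store instead of git trusting a corporate CA while curl silently falls back to the SDK's bundled roots.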
Replace the UTF8 character for right single quotation mark with
ASCII single quotation mark in SUMMARY variable.
(From OE-Core rev: 941e610631c3a1f611eb38134c88aa0468661137)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
============
- Dropped support for Python 3.7.
- We now support free-threaded Python 3.13.
- We now support PyPy 3.11.
- We now publish wheels for free-threaded Python 3.13, for PyPy 3.11 on manylinux, and for ARMv7l on manylinux.
(From OE-Core rev: 691453d3eefbc310ec91a02b0a51cfcdd635e292)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ctypes.util.find_library depends on running external programs (ldconfig, gcc,
objdump or ld) to get the pathname; if none of the above are installed, None
is returned. Previously, an RDEPENDS on ldconfig was added to ensure it
always works when installed.
This commit changes it to RRECOMMENDS, which allows users who don't use
find_library to remove ldconfig from the image via
PACKAGE_EXCLUDE.
Refer:
https://docs.python.org/3/library/ctypes.html
(From OE-Core rev: 404e7c65499c58d2a6a760b5f0994fadd2ff74d0)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
roman-numerals-py is a module providing utilities for working with
well-formed Roman numerals. python3-sphinx relies on this now, so add it
as a recipe.
(From OE-Core rev: 43b4e995769de54e47b0a98ce841b143a877f87d)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patch '0001-respect-GIT_CEILING_DIRECTORIES.patch' is no longer required
as it's upstream in 979d79301da6.
Changelog (https://github.com/pypa/setuptools-scm/blob/main/CHANGELOG.md):
Added
- fix#960: add a --force-write-version-files flag for the cli
Changed
- fix#950: ensure to pass encodings to io usage
- fix#957: add subprocess timeout control env var
- add sp-repo-review pre-commit hook
Fixed
- fix#1018: allow non-normalized versions for semver
- fix#1103: respect GIT_CEILING_DIRECTORIES when trying to find git toplevels
- fix#1081: add name normalized pipx entrypoint
- fix#1080: clean pdm from PYTHONPATH to protect mercurial
(From OE-Core rev: 6bab759c00b44fc2793e095f991975b7eebf360f)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This update is required for latest versions of packages such as sphinx
to build with flit, otherwise you encounter errors like:
| File "/home/tgamblin/workspace/yocto/poky/build/tmp/work/core2-64-poky-linux/python3-sphinx/8.2.1/recipe-sysroot-native/usr/lib/python3.13/site-packages/flit_core/config.py", line 444, in _check_type
| raise ConfigError(
| "{} field should be {}, not {}".format(field_name, cls, type(d[field_name]))
| )
| flit_core.config.ConfigError: license field should be <class 'dict'>, not <class 'str'>
|
| ERROR Backend subprocess exited when trying to invoke get_requires_for_build_wheel
Changelog (https://github.com/pypa/flit/blob/main/doc/history.rst#version-311):
- Support for SPDX license expressions and multiple license files, as
detailed in PEP 639:
license = "BSD-3-Clause"
license-files = ["LICENSE"]
For now, only a single license identifier is allowed. More complex
expressions describing multiple licenses & expressions may be
supported in a future version.
- The metadata format in produced packages is now version 2.4, to
support the expanded license information.
(From OE-Core rev: 268f1c96c70334d6a882d00e895e1f0c72cfa36f)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In oe-core, the function ldconfig_postinst_fragment uses the existence of
/sbin/ldconfig to decide whether ldconfig is run to generate the cache,
and the function _run_ldconfig runs ldconfig to generate the cache while
generating the rootfs. ldconfig.service is actually not used since we have
generated ld.so.cache during do_rootfs, refer to [1][2][3]. The ldconfig
dependency is necessary when ldconfig is not in DISTRO_FEATURES.
The reverted commit causes a regression when ldconfig is not in
DISTRO_FEATURES: before, without ldconfig in DISTRO_FEATURES,
ctypes.util.find_library(name) could find the lib if it was installed; now,
since ldconfig is not installed, ctypes.util.find_library(name) cannot
find the lib even if it is installed.
Here is one use case (the gtk+3 lib is installed and ctypes.util.find_library
is used to find the lib):
import wx.lib.wxcairo as wxcairo
File "/usr/lib/python3.13/site-packages/wx/lib/wxcairo/__init__.py", line 59, in <module>
from .wx_cairocffi import _ContextFromDC, _FontFaceFromFont
File "/usr/lib/python3.13/site-packages/wx/lib/wxcairo/wx_cairocffi.py", line 189, in <module>
gdkLib = _findGDKLib()
File "/usr/lib/python3.13/site-packages/wx/lib/wxcairo/wx_cairocffi.py", line 181, in _findGDKLib
return _findHelper([libname], 'gdk',
"Unable to find the GDK shared library")
File "/usr/lib/python3.13/site-packages/wx/lib/wxcairo/wx_cairocffi.py", line 170, in _findHelper
raise RuntimeError(msg)
RuntimeError: Unable to find the GDK shared library
[1] https://git.openembedded.org/openembedded-core/tree/meta/classes-global/package.bbclass#n394
[2] https://git.openembedded.org/openembedded-core/tree/meta/lib/oe/rootfs.py#n316
[3] https://github.com/systemd/systemd-stable/blob/v255-stable/units/ldconfig.service
(From OE-Core rev: f98299ec2fa65804ceeff634fa50c8d154e1c153)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
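Added example, not CPython's or OE-Core's code: a pure-filesystem fallback for ctypes.util.find_library(), which the two commit messages above note returns None when none of ldconfig, gcc, objdump or ld is installed (for instance an image built without ldconfig in DISTRO_FEATURES). It reads the directories ldconfig would have indexed (ld.so.conf and its include= globs) plus an assumed default list, and picks the highest-versioned lib<name>.so*. The default directory list, the sample library names and the ld.so.conf fragment are constructed.

```python
"""Added example: find a shared library without ldconfig/gcc/objdump/ld."""

import ctypes.util
import glob
import os
import re
import tempfile

DEFAULT_LIB_DIRS = ("/lib", "/usr/lib", "/lib64", "/usr/lib64", "/usr/local/lib")  # assumed


def ld_so_conf_dirs(conf="/etc/ld.so.conf"):
    """Directories listed in conf, following 'include' lines (glob patterns
    relative to the including file). Missing files are simply skipped."""
    dirs = []

    def read(path):
        try:
            with open(path, encoding="utf-8") as fh:
                lines = fh.read().splitlines()
        except OSError:
            return
        for line in lines:
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("include"):
                pattern = line.split(None, 1)[1]
                if not os.path.isabs(pattern):
                    pattern = os.path.join(os.path.dirname(path), pattern)
                for included in sorted(glob.glob(pattern)):
                    read(included)
            else:
                dirs.append(line)

    read(conf)
    return dirs


def find_library_by_scan(name, search_dirs):
    """Full path of the best lib<name>.so[.N[.M...]] in search_dirs, or None.
    Higher numeric version suffixes win; the exact name 'lib<name>.so' ranks lowest."""
    pattern = re.compile(r"^lib" + re.escape(name) + r"\.so(?:\.(\d+(?:\.\d+)*))?$")
    best = None
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue
        for entry in entries:
            match = pattern.match(entry)
            if not match:
                continue
            version = tuple(int(p) for p in (match.group(1) or "").split(".") if p)
            if best is None or version > best[0]:
                best = (version, os.path.join(directory, entry))
    return best[1] if best else None


def find_library(name, search_dirs=None):
    """ctypes.util.find_library first; the scan only when it returns None.
    The scan returns a path rather than a soname; ctypes.CDLL accepts both."""
    found = ctypes.util.find_library(name)
    if found:
        return found
    if search_dirs is None:
        search_dirs = ld_so_conf_dirs() + list(DEFAULT_LIB_DIRS)
    return find_library_by_scan(name, search_dirs)


def make_constructed_libdir():
    """Temp dir with empty stand-in files named like shared objects, plus an
    ld.so.conf that includes a conf.d fragment naming that dir."""
    libdir = tempfile.mkdtemp(prefix="libdir-")
    for fname in ("libfoo.so", "libfoo.so.1.2", "libfoo.so.1.10", "libfoobar.so.3",
                  "libgdk-3.so.0", "libgdk-3.so.0.2404.30"):
        open(os.path.join(libdir, fname), "wb").close()
    confdir = os.path.join(libdir, "ld.so.conf.d")
    os.makedirs(confdir)
    with open(os.path.join(confdir, "constructed.conf"), "w", encoding="utf-8") as fh:
        fh.write(f"# constructed fragment\n{libdir}\n")
    conf = os.path.join(libdir, "ld.so.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("include ld.so.conf.d/*.conf\n")
    return libdir, conf
```

This does not replace the cache ldconfig writes for the dynamic loader; it only answers the question find_library asks (which file provides `libgdk-3`), so it is a fallback for Python callers like the wxcairo case above, not a substitute for ld.so.cache.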
We use editline by default, and test_write_read_append also fails, especially on musl.
Since this needs to be fixed upstream, extend the skip for test_write_read_append along
with the other history manipulation tests being skipped.
(From OE-Core rev: fbafd942e6c78d1298fa64129149ff311b61fcf8)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
- net_if_addrs() also returns the broadcast address instead of None.
- Python 2.7 is no longer supported. Latest version supporting Python 2.7 is
psutil 6.1.X. Install it with: pip2 install psutil==6.1.*.
- removed long deprecated Process.memory_info_ex() method. It was deprecated in
psutil 4.0.0, released 8 years ago. Substitute is Process.memory_full_info().
- Avoid segfault (a cPython bug) on Process.memory_maps() for processes that use
hundreds of GBs of memory.
- virtual_memory() now relies on host_statistics64 instead of host_statistics.
This is the same approach used by vm_stat CLI tool, and should grant more accurate results.
(From OE-Core rev: 78a89c7cb3165ba7bf1c31292389ea05944a91a3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
- Pass a local version label to the build backend interface
- Expose build-system dependencies via the poetry instance
- Add has_upper_bound method to VersionConstraint
- Improve performance of calculating intersections and unions of extra markers
- Improve performance of calculating intersections and unions of complex markers
- Improve performance of marker operations by simplifying python_version markers
- Improve performance by caching parsed requirements
- Improve error message when a referenced license file is missing
- Fix an issue where inclusive ordering with post releases was inconsistent with PEP 440
- Fix an issue where invalid URI tokens in PEP 508 requirement strings were silently discarded
- Fix an issue where wrong markers were calculated when removing parts covered by the project's python constraint
- Fix an issue where optional dependencies that are not part of an extra were included in the wheel metadata
- Fix an issue where the __pycache__ directory and *.pyc files were included in sdists and wheels
- Fix an issue where simplifying a python_version marker resulted in an invalid marker
(From OE-Core rev: 98cb445ff59d863e5962fb84ab3161193d7419ae)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>