A Denial of Service (DoS) vulnerability exists in the jaraco/zipp
library, affecting all versions prior to 3.19.1. The vulnerability is
triggered when processing a specially crafted zip file that leads to an
infinite loop. This issue also impacts the zipfile module of CPython, as
features from the third-party zipp library are later merged into
CPython, and the affected code is identical in both projects. The
infinite loop can be initiated through the use of functions affecting
the `Path` module in both zipp and zipfile, such as `joinpath`, the
overloaded division operator, and `iterdir`. Although the infinite loop
is not resource exhaustive, it prevents the application from responding.
The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-5569
Upstream patches:
79a309fe54564fcc10cd58115d2be9c18417ed29
(From OE-Core rev: ec77cfe12f0790c7e3cf2d9bf00e47b4c653997c)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
python 2 is gone and we don't need the abstraction now, drop the remaining usage
of this variable.
The definition in python3-dir.bbclass is left for now for other layers.
(From OE-Core rev: b566b1e32c7993d1ab7795562f648e52ce186a70)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
-Added CompleteDirs.inject classmethod to make available for use elsewhere.
-Avoid matching path separators for '?' in glob.
(From OE-Core rev: fdd3f2ad01ac6ac33f788afc806ad3c25dfd8b53)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
