A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1
allows for remote code execution via its download functions. These functions, which
are used to download packages from URLs provided by users or retrieved from package
index servers, are susceptible to code injection. If these functions are exposed to
user-controlled inputs, such as package URLs, they can execute arbitrary commands on
the system. The issue is fixed in version 70.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
https://ubuntu.com/security/CVE-2024-6345
Upstream patch:
88807c7062
(From OE-Core rev: 238c305ba2c513a070818de4b6ad4316b54050a7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
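The commit message above describes download helpers that take a package URL and end up running a VCS command with it. As an added illustration of the defensive pattern (this is example code written for this page, not the setuptools code or the backported upstream patch), the function below builds the checkout command as an argument list, never as a shell string, and only after the URL has passed a scheme allow-list. The `VCS_TOOLS` table, the `https`-only transport policy and the `example.invalid` host are assumptions made for the example.

```python
import subprocess
from urllib.parse import urlsplit, urlunsplit

# Hypothetical policy for this example: which VCS prefixes are accepted and
# the argv prefix used for each. "--" ends option parsing so that nothing
# derived from the URL can be read as a command-line flag.
VCS_TOOLS = {
    "git": ["git", "clone", "--quiet", "--"],
    "hg": ["hg", "clone", "--quiet", "--"],
    "svn": ["svn", "checkout", "--quiet", "--"],
}
ALLOWED_TRANSPORTS = {"https"}  # assumption: no ssh/file/ext transports


def vcs_checkout_argv(url: str, dest: str) -> list[str]:
    """Turn a 'vcs+transport://host/path#fragment' URL into an argv list.

    Raises ValueError for anything outside the allow-list. Because the result
    is a list handed to subprocess without a shell, characters that would be
    special to /bin/sh carry no meaning here.
    """
    vcs, sep, rest = url.partition("+")
    if not sep or vcs not in VCS_TOOLS:
        raise ValueError(f"unsupported VCS scheme: {url!r}")
    parts = urlsplit(rest)
    if parts.scheme not in ALLOWED_TRANSPORTS or not parts.netloc:
        raise ValueError(f"disallowed transport or missing host: {url!r}")
    if dest.startswith("-"):
        raise ValueError(f"destination must not look like an option: {dest!r}")
    # Drop query and fragment: setuptools-style '#egg=name' is metadata for the
    # caller, not something the VCS tool should ever see.
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return VCS_TOOLS[vcs] + [clean, dest]


def is_rejected(url: str, dest: str = "/tmp/src") -> bool:
    """True if the policy refuses this URL (helper for the examples below)."""
    try:
        vcs_checkout_argv(url, dest)
    except ValueError:
        return True
    return False


def checkout(url: str, dest: str) -> None:
    """Run the checkout. shell=False is the default; stated here for emphasis."""
    subprocess.run(vcs_checkout_argv(url, dest), check=True, shell=False)


if __name__ == "__main__":
    print(vcs_checkout_argv("git+https://example.invalid/repo.git#egg=demo", "/tmp/demo-src"))
    print(is_rejected("git+ssh://example.invalid/repo.git"))
```

The two properties worth keeping when adapting this: the command is always a list (so the URL is a single argument whatever it contains), and the URL is validated before it reaches any tool at all, which also blocks argument-injection through URLs that start with a dash.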
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers
to cause a denial of service via HTML in a crafted package or custom PackageIndex
page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE: CVE-2022-40897
Upstream-Status: Backport [43a9c9bfa6]
(From OE-Core rev: f574d8d57ff3fbc38e350e7a90913993081c4fdf)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rename this class to be python-prefixed to match the other new Python
build system classes.
(From OE-Core rev: 25d6bf8079797906bde7c0cf63a0466c981ba5bb)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Instead of battling pip to install a wheel, use installer. Installer
does one thing, so it's faster and easier to work with.
This means setuptools, pip, and wheel are no longer part of the
bootstrap phase, so they can be built normally. To avoid sysroot file
conflicts these three recipes can't install .pyc files to the native
sysroot.
We currently patch pypa/installer to allow us to override the interpreter
used, which means we can drop the interpreter seding.
We don't need to recompile any Python which is found in $bindir as
Python doesn't actually load those files.
Across a build of oe-core, the only differences between using pip and
installer are:
- the .dist-info/RECORD files are ordered differently
- the .dist-info/REQUESTED and INSTALLER files are not created
- the hashbang in native scripts is "/usr/bin/env nativepython" instead
of pointing directly at the native sysroot python3.
(From OE-Core rev: f780f6d920d8bbfb674d6066a8b899417decf8d2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
pip_install_wheel shouldn't be restricted to just using Pip to install
wheels (the installer module is simpler and likely a better option),
and in the future may be extended to also provide do_compile() using
the build module.
(From OE-Core rev: 3bdf64b97facce9706cc579bdbc9a80e0d48428f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Several recipes are duplicating the same bootstrap logic for installing
a wheel without using any tools. Add an implementation to
pip_install_wheel to centralise the code, and remove the duplicated code
from the following recipes:
- python3-flit-core
- python3-pip
- python3-setuptools
- python3-wheel
(From OE-Core rev: d5d702a2cd06f863340f8e4cdce0904c9d86384d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There's no need to set PYPA_WHEEL as the default is sufficient.
Remove the use of PYPA_WHEEL in the native do_install() as this variable
will be disappearing shortly.
Remove the bbfatal_log in the native do_install(), if this breaks then
something has gone very wrong and the user is not expected to fix it.
(From OE-Core rev: c0a24279c740555a06a5c57e2a01ca7b20f8e668)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream provides a pyproject.toml which declares the
setuptools.build_meta backend for PEP-517 packaging.
We need to bootstrap python3-setuptools-native, simply installing by
unzipping the built wheel. This avoids a dependency loop.
[YOCTO #14638]
(From OE-Core rev: 889c05e5b4ce9a36b4ac3ac869c1ef55c2f8b566)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
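Two of the messages above touch the same mechanism: the earlier one notes that only the `.dist-info/RECORD` ordering differs between pip and installer, and this one bootstraps setuptools by simply unzipping the built wheel. The example below, written for this page and not taken from OE-Core, pypa/installer or setuptools, shows what "unzip the wheel" should still check when done by hand: every archive member is listed in RECORD, every RECORD entry is present, each file's sha256 matches, and no member path escapes the destination. The sample wheel is constructed in memory, and the `demo` package name is invented.

```python
import base64
import csv
import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import Path


def _record_digest(data: bytes) -> str:
    """RECORD uses 'sha256=' + urlsafe base64 of the digest, padding stripped."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_sample_wheel() -> bytes:
    """Construct a minimal (made-up) wheel with a correct RECORD, in memory."""
    files = {
        "demo/__init__.py": b"VERSION = '1.0'\n",
        "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
        "demo-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
    }
    record = [f"{p},{_record_digest(d)},{len(d)}" for p, d in files.items()]
    record.append("demo-1.0.dist-info/RECORD,,")  # RECORD never hashes itself
    files["demo-1.0.dist-info/RECORD"] = ("\n".join(record) + "\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def tamper(wheel_bytes: bytes) -> bytes:
    """Rewrite one module without updating RECORD (constructed bad input)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "demo/__init__.py":
                data = b"VERSION = '1.0-tampered'\n"
            dst.writestr(name, data)
    return out.getvalue()


def verify_and_unpack(wheel_bytes: bytes, dest: Path) -> list[str]:
    """Unzip a wheel into dest only if it is consistent with its RECORD."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        record_name = next(n for n in names if n.endswith(".dist-info/RECORD"))
        expected = {}
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if row:
                expected[row[0]] = row[1]
        missing = set(expected) - set(names)
        unlisted = set(names) - set(expected)
        if missing or unlisted:
            raise ValueError(f"RECORD mismatch: missing={missing} unlisted={unlisted}")
        for name in names:
            target = (dest / name).resolve()
            if os.path.commonpath([dest, target]) != str(dest):
                raise ValueError(f"member escapes destination: {name}")
            data = zf.read(name)
            if name != record_name and _record_digest(data) != expected[name]:
                raise ValueError(f"hash mismatch for {name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    return sorted(names)


def demo() -> dict:
    """Install the good wheel, then show the tampered one is refused."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        result["installed"] = verify_and_unpack(build_sample_wheel(), Path(tmp) / "site")
        try:
            verify_and_unpack(tamper(build_sample_wheel()), Path(tmp) / "site2")
            result["tampered_rejected"] = False
        except ValueError:
            result["tampered_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Checking RECORD does not replace verifying the wheel's own provenance (a signature or a pinned hash of the whole archive); it only ensures the archive you have is internally consistent and cannot write outside the target directory, which is exactly what a tool-free unzip step otherwise skips.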
No longer depend on python3-distutils, current versions of setuptools
vendor as _distutils.
[YOCTO #14610]
(From OE-Core rev: 2b6735f648744c42484afec6edab6d5e130111e2)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>