Merge pull request #376 from microsoft/jslobodzian/off-cycle-merge-to…

…-fix-cves-and-community-build-issues Jslobodzian/off cycle merge to fix cves and community build issues
microsoft · Nov 14, 2020 · 4967c2d · 4967c2d
2 parents 5bc8fa1 + 7180b15
commit 4967c2d
Show file tree

Hide file tree

Showing 14 changed files with 350 additions and 202 deletions.
diff --git a/.github/workflows/validate-cg-manifest.sh b/.github/workflows/validate-cg-manifest.sh
@@ -19,6 +19,8 @@ ignore_list=" \
   mariner-rpm-macros \
   moby-buildx \
   moby-containerd \
+  python-markupsafe \
+  python-zope-interface \
   qt5-rpm-macros \
   runc \
   grub2-efi-binary-signed-aarch64 \

diff --git a/SPECS/bond/bond.signatures.json b/SPECS/bond/bond.signatures.json
@@ -1,7 +1,7 @@
 {
-    "Signatures": {
-        "bond-8.0.1.tar.gz" : "d22428a40ab158813c6b0d6548a9a4c1304c1873bd4f2f62a0f36c0ba2855a8b",
-        "gbc-0.11.0.3-aarch64" : "2fa232b3ceb79ff2e002ad06f8da93bd59f81599102f95258b4dadb84d6b847d",
-        "gbc-0.11.0.3-x86_64" : "c64f9db841b8cccad4c8ec0bd724e52d28b51a15af145fe40223cd92d7356d71"
-    }
-}
+ "Signatures": {
+  "bond-8.0.1.tar.gz": "d22428a40ab158813c6b0d6548a9a4c1304c1873bd4f2f62a0f36c0ba2855a8b",
+  "gbc-0.11.0.3-aarch64": "2fa232b3ceb79ff2e002ad06f8da93bd59f81599102f95258b4dadb84d6b847d",
+  "gbc-0.11.0.3-x86_64": "c64f9db841b8cccad4c8ec0bd724e52d28b51a15af145fe40223cd92d7356d71"
+ }
+}
diff --git a/SPECS/bond/bond.spec b/SPECS/bond/bond.spec
@@ -1,22 +1,22 @@
-Name:           bond
 Summary:        Microsoft Bond Library
+Name:           bond
 Version:        8.0.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/microsoft/bond
 #Source0:       %{url}/archive/%{version}.tar.gz
 Source0:        %{name}-%{version}.tar.gz
-Source1:        gbc-0.11.0.3-%{_arch}
-
+Source1:        gbc-0.11.0.3-aarch64
+Source2:        gbc-0.11.0.3-x86_64
+BuildRequires:  boost-devel
 BuildRequires:  clang
 BuildRequires:  cmake
-BuildRequires:  zlib-devel
-BuildRequires:  boost-devel
+BuildRequires:  gmp-devel
 BuildRequires:  ncurses-devel
 BuildRequires:  rapidjson-devel
-BuildRequires:  gmp-devel
+BuildRequires:  zlib-devel
 
 %description
 Bond is an open-source, cross-platform framework for working with schematized data.
@@ -39,7 +39,11 @@ CMAKE_OPTS="\
     -DBOND_FIND_RAPIDJSON=TRUE \
     -DBOND_SKIP_CORE_TESTS=TRUE \
     -DBOND_SKIP_GBC_TESTS=TRUE \
+%ifarch aarch64
     -DBOND_GBC_PATH=%{SOURCE1} \
+%else
+    -DBOND_GBC_PATH=%{SOURCE2} \
+%endif
     -DCMAKE_INSTALL_PREFIX=%{_prefix} \
 "
 
@@ -63,11 +67,16 @@ chmod 0755 %{buildroot}%{_bindir}/gbc
 %{_libdir}/%{name}/*
 
 %changelog
+* Tue Oct 27 2020 Joe Schmitt <[email protected]> - 8.0.1-4
+- Include all sources regardless of architecture.
+
 *   Mon Oct 19 2020 Pawel Winogrodzki <[email protected]> 8.0.1-3
 -   License verified.
 -   Added source URL.
 -   Added 'Vendor' and 'Distribution' tags.
+
 *   Tue May 19 2020 Jonathan Chiu <[email protected]> 8.0.1-2
 -   Add aarch64 support
+
 *   Mon Apr 06 2020 Jonathan Chiu <[email protected]> 8.0.1-1
 -   Original version for CBL-Mariner.
diff --git a/SPECS/python-markupsafe/python-markupsafe.signatures.json b/SPECS/python-markupsafe/python-markupsafe.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "MarkupSafe-1.0.tar.gz": "a6be69091dac236ea9c6bc7d012beab42010fa914c459791d627dad4910eb665"
+  "MarkupSafe-1.1.1.tar.gz": "29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b"
  }
 }
diff --git a/SPECS/python-markupsafe/python-markupsafe.spec b/SPECS/python-markupsafe/python-markupsafe.spec
@@ -1,22 +1,19 @@
 %{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
 %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
-
+%define pypi_name MarkupSafe
 Summary:        A XML/HTML/XHTML Markup safe string for Python.
 Name:           python-markupsafe
-Version:        1.0
-Release:        5%{?dist}
+Version:        1.1.1
+Release:        1%{?dist}
 License:        BSD
-Group:          Development/Languages/Python
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
-Url:            https://pypi.python.org/pypi/MarkupSafe
-Source0:        https://pypi.python.org/packages/4d/de/32d741db316d8fdb7680822dd37001ef7a448255de9699ab4bfcbdf4172b/MarkupSafe-%{version}.tar.gz
-%define sha1    MarkupSafe=9072e80a7faa0f49805737a48f3d871eb1c48728
-
+Group:          Development/Languages/Python
+URL:            https://pypi.python.org/pypi/MarkupSafe
+Source0:        https://pypi.python.org/packages/source/M/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+BuildRequires:  python-setuptools
 BuildRequires:  python2
 BuildRequires:  python2-libs
-BuildRequires:  python-setuptools
-
 Requires:       python2
 Requires:       python2-libs
 
@@ -37,7 +34,7 @@ Requires:       python3-libs
 Python 3 version.
 
 %prep
-%setup -q -n MarkupSafe-%{version}
+%setup -q -n %{pypi_name}-%{version}
 
 %build
 python2 setup.py build
@@ -54,24 +51,35 @@ python3 setup.py test
 
 %files
 %defattr(-,root,root,-)
-%license LICENSE
+%license LICENSE.rst
 %{python2_sitelib}/*
 
 %files -n python3-markupsafe
 %defattr(-,root,root,-)
 %{python3_sitelib}/*
 
 %changelog
+* Wed Nov 11 2020 Thomas Crain <[email protected]> - 1.1.1-1
+- Upgrade to 1.1.1 to fix setuptools compatibility issues
+- Change Source0
+- Correct license location
+- Remove inline sha1
+- Lint to Mariner style
+
 * Sat May 09 00:21:01 PST 2020 Nick Samson <[email protected]> - 1.0-5
 - Added %%license line automatically
 
-*   Tue Sep 03 2019 Mateusz Malisz <[email protected]> 1.0-4
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Wed Jun 07 2017 Xiaolin Li <[email protected]> 1.0-3
--   Add python3-setuptools and python3-xml to python3 sub package Buildrequires.
-*   Thu Jun 01 2017 Dheeraj Shetty <[email protected]> 1.0-2
--   Removed erroneous version line
-*   Thu Mar 30 2017 Sarah Choi <[email protected]> 1.0-1
--   Upgrade version to 1.0
-*   Thu Mar 02 2017 Xiaolin Li <[email protected]> 0.23-1
--   Initial packaging for Photon
+* Tue Sep 03 2019 Mateusz Malisz <[email protected]> - 1.0-4
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Wed Jun 07 2017 Xiaolin Li <[email protected]> - 1.0-3
+- Add python3-setuptools and python3-xml to python3 sub package Buildrequires.
+
+* Thu Jun 01 2017 Dheeraj Shetty <[email protected]> - 1.0-2
+- Removed erroneous version line
+
+* Thu Mar 30 2017 Sarah Choi <[email protected]> - 1.0-1
+- Upgrade version to 1.0
+
+* Thu Mar 02 2017 Xiaolin Li <[email protected]> - 0.23-1
+- Initial packaging for Photon
diff --git a/SPECS/python-zope-interface/python-zope-interface.signatures.json b/SPECS/python-zope-interface/python-zope-interface.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "zope.interface-4.6.0.tar.gz": "1b3d0dcabc7c90b470e59e38a9acaa361be43b3a6ea644c0063951964717f0e5"
+  "zope.interface-4.7.2.tar.gz": "fd1101bd3fcb4f4cf3485bb20d6cb0b56909b94d3bd2a53a6cb9d381c3da3365"
  }
 }
diff --git a/SPECS/python-zope-interface/python-zope-interface.spec b/SPECS/python-zope-interface/python-zope-interface.spec
@@ -1,19 +1,19 @@
 %{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
 %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
-
-Name:           python-zope-interface
-Version:        4.6.0
-Release:        3%{?dist}
-Url:            https://github.com/zopefoundation/zope.interface
+%define pypi_name zope.interface
 Summary:        Interfaces for Python
+Name:           python-zope-interface
+Version:        4.7.2
+Release:        1%{?dist}
 License:        ZPLv2.1
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
 Group:          Development/Languages/Python
-Source0:        https://files.pythonhosted.org/packages/4e/d0/c9d16bd5b38de44a20c6dc5d5ed80a49626fafcb3db9f9efdc2a19026db6/zope.interface-%{version}.tar.gz
-
+URL:            https://github.com/zopefoundation/zope.interface
+Source0:        https://pypi.python.org/packages/source/z/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+BuildRequires:  python-setuptools
 BuildRequires:  python2-devel
 BuildRequires:  python2-libs
-BuildRequires:  python-setuptools
-
 Requires:       python2
 Requires:       python2-libs
 
@@ -37,8 +37,9 @@ Requires:       python3-libs
 %description -n python3-zope-interface
 
 Python 3 version.
+
 %prep
-%setup -q -n zope.interface-%{version}
+%setup -q -n %{pypi_name}-%{version}
 rm -rf ../p3dir
 cp -a . ../p3dir
 
@@ -71,22 +72,35 @@ popd
 %{python3_sitelib}/*
 
 %changelog
-*   Sat May 09 2020 Nick Samson <[email protected]> 4.6.0-3
--   Added %%license line automatically
-*   Wed Apr 29 2020 Emre Girgin <[email protected]> 4.6.0-2
--   Renaming python-zope.interface to python-zope-interface
-*   Wed Mar 18 2020 Henry Beberman <[email protected]> 4.6.0-1
--   Initial CBL-Mariner import from Photon (license: Apache2).
--   Update to 4.6.0. Source0 URL fixed. License verified.
-*   Fri Sep 14 2018 Tapas Kundu <[email protected]> 4.5.0-1
--   Updated to release 4.5.0
-*   Wed Jun 07 2017 Xiaolin Li <[email protected]> 4.3.3-2
--   Add python3-setuptools and python3-xml to python3 sub package Buildrequires.
-*   Mon Mar 13 2017 Xiaolin Li <[email protected]> 4.3.3-1
--   Updated to version 4.3.3.
-*   Mon Oct 04 2016 ChangLee <[email protected]> 4.1.3-3
--   Modified %check
-*   Tue May 24 2016 Priyesh Padmavilasom <[email protected]> 4.1.3-2
--   GA - Bump release of all rpms
-*   Tue Oct 27 2015 Mahmoud Bassiouny <[email protected]>
--   Initial packaging for Photon
+* Wed Nov 11 2020 Thomas Crain <[email protected]> - 4.7.2-1
+- Update to 4.7.2 to fix setuptools compatibility issues
+- Update Source0
+- Lint to Mariner style
+
+* Sat May 09 2020 Nick Samson <[email protected]> - 4.6.0-3
+- Added %%license line automatically
+
+* Wed Apr 29 2020 Emre Girgin <[email protected]> - 4.6.0-2
+- Renaming python-zope.interface to python-zope-interface
+
+* Wed Mar 18 2020 Henry Beberman <[email protected]> - 4.6.0-1
+- Initial CBL-Mariner import from Photon (license: Apache2).
+- Update to 4.6.0. Source0 URL fixed. License verified.
+
+* Fri Sep 14 2018 Tapas Kundu <[email protected]> - 4.5.0-1
+- Updated to release 4.5.0
+
+* Wed Jun 07 2017 Xiaolin Li <[email protected]> - 4.3.3-2
+- Add python3-setuptools and python3-xml to python3 sub package Buildrequires.
+
+* Mon Mar 13 2017 Xiaolin Li <[email protected]> - 4.3.3-1
+- Updated to version 4.3.3.
+
+* Mon Oct 04 2016 ChangLee <[email protected]> - 4.1.3-3
+- Modified %check
+
+* Tue May 24 2016 Priyesh Padmavilasom <[email protected]> - 4.1.3-2
+- GA - Bump release of all rpms
+
+* Tue Oct 27 2015 Mahmoud Bassiouny <[email protected]> - 4.1.3-1
+- Initial packaging for Photon
diff --git a/SPECS/python3/CVE-2020-27619.patch b/SPECS/python3/CVE-2020-27619.patch
@@ -0,0 +1,64 @@
+From 43e523103886af66d6c27cd72431b5d9d14cd2a9 Mon Sep 17 00:00:00 2001
+From: "Miss Skeleton (bot)" <[email protected]>
+Date: Mon, 19 Oct 2020 19:38:40 -0700
+Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
+ in the CJK codec tests (GH-22566) (GH-22578)
+
+(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
+
+Co-authored-by: Serhiy Storchaka <[email protected]>
+---
+ Lib/test/multibytecodec_support.py            | 22 +++++++------------
+ .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst  |  1 +
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+
+diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
+index cca8af67d6d1d..f76c0153f5ecf 100644
+--- a/Lib/test/multibytecodec_support.py
++++ b/Lib/test/multibytecodec_support.py
+@@ -305,29 +305,23 @@ def test_mapping_file(self):
+             self._test_mapping_file_plain()
+
+     def _test_mapping_file_plain(self):
+-        unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
++        def unichrs(s):
++            return ''.join(chr(int(x, 16)) for x in s.split('+'))
++
+         urt_wa = {}
+
+         with self.open_mapping_file() as f:
+             for line in f:
+                 if not line:
+                     break
+-                data = line.split('#')[0].strip().split()
++                data = line.split('#')[0].split()
+                 if len(data) != 2:
+                     continue
+
+-                csetval = eval(data[0])
+-                if csetval <= 0x7F:
+-                    csetch = bytes([csetval & 0xff])
+-                elif csetval >= 0x1000000:
+-                    csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
+-                                    ((csetval >> 8) & 0xff), (csetval & 0xff)])
+-                elif csetval >= 0x10000:
+-                    csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
+-                                    (csetval & 0xff)])
+-                elif csetval >= 0x100:
+-                    csetch = bytes([(csetval >> 8), (csetval & 0xff)])
+-                else:
++                if data[0][:2] != '0x':
++                    self.fail(f"Invalid line: {line!r}")
++                csetch = bytes.fromhex(data[0][2:])
++                if len(csetch) == 1 and 0x80 <= csetch[0]:
+                     continue
+
+                 unich = unichrs(data[1])
+diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+new file mode 100644
+index 0000000000000..4f9782f1c85af
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+@@ -0,0 +1 @@
++Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
diff --git a/SPECS/python3/python3.signatures.json b/SPECS/python3/python3.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "Python-3.7.7.tar.xz": "06a0a9f1bf0d8cd1e4121194d666c4e28ddae4dd54346de6c343206599f02136"
+  "Python-3.7.9.tar.xz": "91923007b05005b5f9bd46f3b9172248aea5abc1543e8a636d59e629c3331b01"
  }
 }