[Buildroot] [git commit branch/2023.05.x] package/python3: security bump version to 3.11.4

Peter Korsgaard peter at korsgaard.com
Thu Jul 6 09:24:45 UTC 2023 

commit: https://git.buildroot.net/buildroot/commit/?id=442e7cab3a9881e082279cb48cb8df6905bdb6e5
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2023.05.x

Rebased two patches.

Changelog:
https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4

Fixes the following security problems:

- gh-99889: Fixed a security in flaw in uu.decode() that could allow for
  directory traversal based on the input if no out_file was specified.

- gh-104049: Do not expose the local on-disk location in directory
  indexes   produced by http.client.SimpleHTTPRequestHandler.

- gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
  space characters following the specification for URLs defined by WHATWG
  in response to CVE-2023-24329. Patch by Illia Volochii.

Signed-off-by: Bernd Kuhls <bernd.kuhls at t-online.de>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
(cherry picked from commit b7b11d7e94e316632fcc8ec49831e7b372cc055a)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 .../python3/0012-Add-an-option-to-disable-lib2to3.patch   |  8 +++++---
 .../0014-Add-an-option-to-disable-the-tk-module.patch     | 15 +++++++++------
 package/python3/python3.hash                              |  2 +-
 package/python3/python3.mk                                |  2 +-
 4 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/package/python3/0012-Add-an-option-to-disable-lib2to3.patch b/package/python3/0012-Add-an-option-to-disable-lib2to3.patch
index 0085d5a63f..228b86a90b 100644
--- a/package/python3/0012-Add-an-option-to-disable-lib2to3.patch
+++ b/package/python3/0012-Add-an-option-to-disable-lib2to3.patch
@@ -12,6 +12,8 @@ Signed-off-by: Samuel Martin <s.martin49 at gmail.com>
 Signed-off-by: Andrey Smirnov <andrew.smirnov at gmail.com>
 [ Adam Duskett: ported to Python 3.10.0 ]
 Signed-off-by: Adam Duskett <aduskett at gmail.com>
+[ Bernd Kuhls: ported to Python 3.11.4]
+Signed-off-by: Bernd Kuhls <bernd.kuhls at t-online.de>
 ---
  Makefile.pre.in | 17 ++++++++++++-----
  configure.ac    |  6 ++++++
@@ -48,9 +50,9 @@ index 403380e181..f5d0573067 100644
 -		lib2to3/tests/data \
 -		lib2to3/tests/data/fixers \
 -		lib2to3/tests/data/fixers/myfixes \
- 		test test/audiodata \
- 		test/capath test/cjkencodings \
- 		test/data test/decimaltestdata \
+ 		test \
+ 		test/audiodata \
+ 		test/capath \
 @@ -2013,6 +2010,14 @@ ifeq (@PYDOC@,yes)
  LIBSUBDIRS += pydoc_data
  endif
diff --git a/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch b/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch
index 04f7e34435..b89e1d27bc 100644
--- a/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch
+++ b/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch
@@ -9,6 +9,8 @@ Signed-off-by: Samuel Martin <s.martin49 at gmail.com>
 Signed-off-by: Andrey Smirnov <andrew.smirnov at gmail.com>
 [ Adam Duskett: ported to Python 3.10.0 ]
 Signed-off-by: Adam Duskett <aduskett at gmail.com>
+[ Bernd Kuhls: ported to Python 3.11.4]
+Signed-off-by: Bernd Kuhls <bernd.kuhls at t-online.de>
 ---
  Makefile.pre.in | 10 +++++++---
  configure.ac    |  9 +++++++++
@@ -26,14 +28,15 @@ index 9f4cdf14cf..4f83911200 100644
  		tomllib \
  		turtledemo \
  		unittest \
-@@ -2001,8 +2000,6 @@ TESTSUBDIRS=	ctypes/test \
- 		test/tracedmodules \
- 		test/xmltestdata test/xmltestdata/c14n-20 \
+@@ -2038,9 +2038,6 @@
+ 		test/xmltestdata \
+ 		test/xmltestdata/c14n-20 \
  		test/ziptestdata \
--		tkinter/test tkinter/test/test_tkinter \
+-		tkinter/test \
+-		tkinter/test/test_tkinter \
 -		tkinter/test/test_ttk \
- 		unittest/test unittest/test/testmock
- 
+ 		unittest/test \
+ 		unittest/test/testmock
  ifeq (@PYDOC@,yes)
 @@ -2021,6 +2018,13 @@ ifeq (@SQLITE3@,yes)
  LIBSUBDIRS += sqlite3
diff --git a/package/python3/python3.hash b/package/python3/python3.hash
index b04ee7fa2c..6c43e01a44 100644
--- a/package/python3/python3.hash
+++ b/package/python3/python3.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  8a5db99c961a7ecf27c75956189c9602c968751f11dbeae2b900dbff1c085b5e  Python-3.11.3.tar.xz
+sha256  2f0e409df2ab57aa9fc4cbddfb976af44e4e55bf6f619eee6bc5c2297264a7f6  Python-3.11.4.tar.xz
 sha256  3b2f81fe21d181c499c59a256c8e1968455d6689d269aa85373bfb6af41da3bf  LICENSE
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index ece5cad93e..bdb7cfd22f 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 PYTHON3_VERSION_MAJOR = 3.11
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).3
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).4
 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
 PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
 PYTHON3_LICENSE = Python-2.0, others

More information about the buildroot mailing list