| author | Palica <palica+gitlab@liguros.net> | 2020-06-23 22:35:08 +0200 |
|---|---|---|
| committer | Palica <palica+gitlab@liguros.net> | 2020-06-23 22:35:08 +0200 |
| commit | ecdac123787b96ce6649f0f91da12ea6458cc2b1 (patch) | |
| tree | b89c74d9e6fe6e8aebc4c77bcbeb4ab73214127d /dev-lang/python/files | |
| parent | 1be72aa41cf41dedadeecf59dca9f01de6381f5e (diff) | |
Updating liguros repo
Diffstat (limited to 'dev-lang/python/files')
| -rw-r--r-- | dev-lang/python/files/pydoc.conf | 6 | ||||
| -rw-r--r-- | dev-lang/python/files/pydoc.init | 24 | ||||
| -rw-r--r-- | dev-lang/python/files/python-2.7.15-PGO-r1.patch | 79 | ||||
| -rw-r--r-- | dev-lang/python/files/python-3.5-CVE-2020-8492.patch | 239 | ||||
| -rw-r--r-- | dev-lang/python/files/test.support.unlink-ignore-EPERM.patch | 29 | ||||
| -rw-r--r-- | dev-lang/python/files/test.support.unlink-ignore-PermissionError.patch | 28 |
6 files changed, 405 insertions, 0 deletions
diff --git a/dev-lang/python/files/pydoc.conf b/dev-lang/python/files/pydoc.conf
new file mode 100644
index 000000000000..3c6920cc96c4
--- /dev/null
+++ b/dev-lang/python/files/pydoc.conf
@@ -0,0 +1,6 @@
+# /etc/init.d/pydoc.conf
+
+# This file contains the configuration for pydoc's internal webserver.
+
+# Default port for Python's pydoc server.
+@PYDOC_PORT_VARIABLE@="7464"
diff --git a/dev-lang/python/files/pydoc.init b/dev-lang/python/files/pydoc.init
new file mode 100644
index 000000000000..f8e05636da4e
--- /dev/null
+++ b/dev-lang/python/files/pydoc.init
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public Licence v2
+
+start() {
+ local pydoc_port="${@PYDOC_PORT_VARIABLE@-${PYDOC_PORT}}"
+
+ if [ -z "${pydoc_port}" ]; then
+ eerror "Port not set"
+ return 1
+ fi
+
+ ebegin "Starting pydoc server on port ${pydoc_port}"
+ start-stop-daemon --start --background --make-pidfile \
+ --pidfile /var/run/@PYDOC@.pid \
+ --exec /usr/bin/@PYDOC@ -- -p "${pydoc_port}"
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping pydoc server"
+ start-stop-daemon --stop --quiet --pidfile /var/run/@PYDOC@.pid
+ eend $?
+}
diff --git a/dev-lang/python/files/python-2.7.15-PGO-r1.patch b/dev-lang/python/files/python-2.7.15-PGO-r1.patch
new file mode 100644
index 000000000000..75c976702a50
--- /dev/null
+++ b/dev-lang/python/files/python-2.7.15-PGO-r1.patch 
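Review bot: `start()` in pydoc.init invokes `start-stop-daemon --start` for `/usr/bin/@PYDOC@` without a `--user` option, so the documentation server keeps whatever identity the init system runs services under, normally root. pydoc imports the modules it renders, so module top-level code would execute with that identity; running it under an unprivileged account, e.g. adding `--user nobody` (or a dedicated service account) to the `--start` call, limits the exposure. The port is only checked for being non-empty before it is passed to `-p`, so a comment in pydoc.conf stating that the value must be an integer port would help whoever edits it.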
@@ -0,0 +1,79 @@ +diff -ur Python-2.7.16.orig/Lib/distutils/ccompiler.py Python-2.7.16/Lib/distutils/ccompiler.py +--- Python-2.7.16.orig/Lib/distutils/ccompiler.py 2019-03-02 19:17:42.000000000 +0100 ++++ Python-2.7.16/Lib/distutils/ccompiler.py 2019-03-09 16:30:09.036803900 +0100 +@@ -14,7 +14,7 @@ + from distutils.spawn import spawn + from distutils.file_util import move_file + from distutils.dir_util import mkpath +-from distutils.dep_util import newer_group ++from distutils.dep_util import newer_group, newer + from distutils.util import split_quoted, execute + from distutils import log + # following import is for backward compatibility +@@ -571,7 +571,9 @@ + src, ext = build[obj] + except KeyError: + continue +- self._compile(obj, src, ext, cc_args, extra_postargs, pp_opts) ++ if newer(src, obj): ++ # some extensions share source files so we need to avoid compiling the same source multiple times ++ self._compile(obj, src, ext, cc_args, extra_postargs, pp_opts) + + # Return *all* object filenames, not just the ones we just built. + return objects +diff -ur Python-2.7.16.orig/Lib/distutils/dep_util.py Python-2.7.16/Lib/distutils/dep_util.py +--- Python-2.7.16.orig/Lib/distutils/dep_util.py 2019-03-02 19:17:42.000000000 +0100 ++++ Python-2.7.16/Lib/distutils/dep_util.py 2019-03-09 16:30:09.036803900 +0100 +@@ -11,7 +11,7 @@ + from distutils.errors import DistutilsFileError + + def newer(source, target): +- """Tells if the target is newer than the source. ++ """Tells if the source is newer than the target. + + Return true if 'source' exists and is more recently modified than + 'target', or if 'source' exists and 'target' doesn't. 
+diff -ur Python-2.7.16.orig/Makefile.pre.in Python-2.7.16/Makefile.pre.in +--- Python-2.7.16.orig/Makefile.pre.in 2019-03-09 16:29:29.004188933 +0100 ++++ Python-2.7.16/Makefile.pre.in 2019-03-09 16:33:30.788823762 +0100 +@@ -209,9 +209,9 @@ + TCLTK_LIBS= @TCLTK_LIBS@ + + # The task to run while instrument when building the profile-opt target +-# We exclude unittests with -x that take a rediculious amount of time to +-# run in the instrumented training build or do not provide much value. +-PROFILE_TASK=-m test.regrtest --pgo -x test_asyncore test_gdb test_multiprocessing test_subprocess ++# We exclude unittests with -x that take a ridiculous amount of time to ++# run in the instrumented training build or do not provide much value ++PROFILE_TASK=-m test.regrtest --pgo $(EXTRATESTOPTS) -x test_asyncore test_gdb test_multiprocessing test_subprocess test_xpickle + + # report files for gcov / lcov coverage report + COVERAGE_INFO= $(abs_builddir)/coverage.info +@@ -437,7 +437,7 @@ + + run_profile_task: + : # FIXME: can't run for a cross build +- $(LLVM_PROF_FILE) $(RUNSHARED) ./$(BUILDPYTHON) $(PROFILE_TASK) || true ++ $(LLVM_PROF_FILE) _PYTHONNOSITEPACKAGES=1 $(RUNSHARED) ./$(BUILDPYTHON) -E $(PROFILE_TASK) || true # allow failures here + + build_all_merge_profile: + $(LLVM_PROF_MERGER) +diff -ur Python-2.7.16.orig/setup.py Python-2.7.16/setup.py +--- Python-2.7.16.orig/setup.py 2019-03-09 16:29:29.028188103 +0100 ++++ Python-2.7.16/setup.py 2019-03-09 16:30:09.037803866 +0100 +@@ -269,11 +269,13 @@ + # those environment variables passed into the setup.py phase. Here's + # a small set of useful ones. 
+ compiler = os.environ.get('CC') ++ # it's important to get CFLAGS from the environment for proper extension PGO support ++ cflags = os.environ.get('CFLAGS', sysconfig.get_config_vars('CFLAGS')[0]) + args = {} + # unfortunately, distutils doesn't let us provide separate C and C++ + # compilers + if compiler is not None: +- (ccshared,cflags) = sysconfig.get_config_vars('CCSHARED','CFLAGS') ++ (ccshared,) = sysconfig.get_config_vars('CCSHARED') + args['compiler_so'] = compiler + ' ' + ccshared + ' ' + cflags + self.compiler.set_executables(**args) + + diff --git a/dev-lang/python/files/python-3.5-CVE-2020-8492.patch b/dev-lang/python/files/python-3.5-CVE-2020-8492.patch new file mode 100644 index 000000000000..924a3a69ac4c --- /dev/null +++ b/dev-lang/python/files/python-3.5-CVE-2020-8492.patch 
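Review bot: The `if newer(src, obj):` guard added to the compile loop in Lib/distutils/ccompiler.py looks only at the source and object timestamps, so an existing object is reused even when a header it depends on or the compiler flags have changed, and the compiler's `force` setting is no longer honoured on this path. That is worth ruling out explicitly for a PGO build, where the same sources are compiled with different flags in the two phases; if the build tree is always cleaned between phases, say so in the added comment, otherwise use `if self.force or newer(src, obj):`. The enclosing method starts and ends outside the inner hunk, so whether callers already filter on dependencies cannot be seen from here.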
@@ -0,0 +1,239 @@ +From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001 +From: Victor Stinner <vstinner@python.org> +Date: Thu, 2 Apr 2020 02:52:20 +0200 +Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler + (GH-18284) + +The AbstractBasicAuthHandler class of the urllib.request module uses +an inefficient regular expression which can be exploited by an +attacker to cause a denial of service. Fix the regex to prevent the +catastrophic backtracking. Vulnerability reported by Ben Caller +and Matt Schwager. + +AbstractBasicAuthHandler of urllib.request now parses all +WWW-Authenticate HTTP headers and accepts multiple challenges per +header: use the realm of the first Basic challenge. + +Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> +--- + Lib/test/test_urllib2.py | 90 ++++++++++++------- + Lib/urllib/request.py | 69 ++++++++++---- + .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 + + .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++ + 4 files changed, 115 insertions(+), 52 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst + create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst + +diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py +index 8abedaac9850a..e69ac3e2136a2 100644 +--- a/Lib/test/test_urllib2.py ++++ b/Lib/test/test_urllib2.py +@@ -1446,40 +1446,64 @@ def test_osx_proxy_bypass(self): + bypass = {'exclude_simple': True, 'exceptions': []} + self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass)) + +- def test_basic_auth(self, quote_char='"'): +- opener = OpenerDirector() +- password_manager = MockPasswordManager() +- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) +- realm = "ACME Widget Store" +- http_handler = MockHTTPHandler( +- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' % +- (quote_char, realm, quote_char)) +- opener.add_handler(auth_handler) +- opener.add_handler(http_handler) 
+- self._test_basic_auth(opener, auth_handler, "Authorization", +- realm, http_handler, password_manager, +- "http://acme.example.com/protected", +- "http://acme.example.com/protected", +- ) +- +- def test_basic_auth_with_single_quoted_realm(self): +- self.test_basic_auth(quote_char="'") +- +- def test_basic_auth_with_unquoted_realm(self): +- opener = OpenerDirector() +- password_manager = MockPasswordManager() +- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) +- realm = "ACME Widget Store" +- http_handler = MockHTTPHandler( +- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm) +- opener.add_handler(auth_handler) +- opener.add_handler(http_handler) +- with self.assertWarns(UserWarning): ++ def check_basic_auth(self, headers, realm): ++ with self.subTest(realm=realm, headers=headers): ++ opener = OpenerDirector() ++ password_manager = MockPasswordManager() ++ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) ++ body = '\r\n'.join(headers) + '\r\n\r\n' ++ http_handler = MockHTTPHandler(401, body) ++ opener.add_handler(auth_handler) ++ opener.add_handler(http_handler) + self._test_basic_auth(opener, auth_handler, "Authorization", +- realm, http_handler, password_manager, +- "http://acme.example.com/protected", +- "http://acme.example.com/protected", +- ) ++ realm, http_handler, password_manager, ++ "http://acme.example.com/protected", ++ "http://acme.example.com/protected") ++ ++ def test_basic_auth(self): ++ realm = "realm2@example.com" ++ realm2 = "realm2@example.com" ++ basic = f'Basic realm="{realm}"' ++ basic2 = f'Basic realm="{realm2}"' ++ other_no_realm = 'Otherscheme xxx' ++ digest = (f'Digest realm="{realm2}", ' ++ f'qop="auth, auth-int", ' ++ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' ++ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"') ++ for realm_str in ( ++ # test "quote" and 'quote' ++ f'Basic realm="{realm}"', ++ f"Basic realm='{realm}'", ++ ++ # charset is ignored ++ f'Basic realm="{realm}", 
charset="UTF-8"', ++ ++ # Multiple challenges per header ++ f'{basic}, {basic2}', ++ f'{basic}, {other_no_realm}', ++ f'{other_no_realm}, {basic}', ++ f'{basic}, {digest}', ++ f'{digest}, {basic}', ++ ): ++ headers = [f'WWW-Authenticate: {realm_str}'] ++ self.check_basic_auth(headers, realm) ++ ++ # no quote: expect a warning ++ with support.check_warnings(("Basic Auth Realm was unquoted", ++ UserWarning)): ++ headers = [f'WWW-Authenticate: Basic realm={realm}'] ++ self.check_basic_auth(headers, realm) ++ ++ # Multiple headers: one challenge per header. ++ # Use the first Basic realm. ++ for challenges in ( ++ [basic, basic2], ++ [basic, digest], ++ [digest, basic], ++ ): ++ headers = [f'WWW-Authenticate: {challenge}' ++ for challenge in challenges] ++ self.check_basic_auth(headers, realm) + + def test_proxy_basic_auth(self): + opener = OpenerDirector() +diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py +index 7fe50535da138..2a3d71554f4bf 100644 +--- a/Lib/urllib/request.py ++++ b/Lib/urllib/request.py +@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' +- 'realm=(["\']?)([^"\']*)\\2', re.I) ++ rx = re.compile('(?:^|,)' # start of the string or ',' ++ '[ \t]*' # optional whitespaces ++ '([^ \t]+)' # scheme like "Basic" ++ '[ \t]+' # mandatory whitespaces ++ # realm=xxx ++ # realm='xxx' ++ # realm="xxx" ++ 'realm=(["\']?)([^"\']*)\\2', ++ re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, + # end of section 2, and section 1.2 immediately after "credentials" +@@ -950,27 +957,51 @@ def __init__(self, password_mgr=None): + self.passwd = password_mgr + self.add_password = self.passwd.add_password + ++ def _parse_realm(self, header): ++ # parse WWW-Authenticate header: accept multiple challenges per header ++ found_challenge = False ++ for mo in 
AbstractBasicAuthHandler.rx.finditer(header): ++ scheme, quote, realm = mo.groups() ++ if quote not in ['"', "'"]: ++ warnings.warn("Basic Auth Realm was unquoted", ++ UserWarning, 3) ++ ++ yield (scheme, realm) ++ ++ found_challenge = True ++ ++ if not found_challenge: ++ if header: ++ scheme = header.split()[0] ++ else: ++ scheme = '' ++ yield (scheme, None) ++ + def http_error_auth_reqed(self, authreq, host, req, headers): + # host may be an authority (without userinfo) or a URL with an + # authority +- # XXX could be multiple headers +- authreq = headers.get(authreq, None) ++ headers = headers.get_all(authreq) ++ if not headers: ++ # no header found ++ return + +- if authreq: +- scheme = authreq.split()[0] +- if scheme.lower() != 'basic': +- raise ValueError("AbstractBasicAuthHandler does not" +- " support the following scheme: '%s'" % +- scheme) +- else: +- mo = AbstractBasicAuthHandler.rx.search(authreq) +- if mo: +- scheme, quote, realm = mo.groups() +- if quote not in ['"',"'"]: +- warnings.warn("Basic Auth Realm was unquoted", +- UserWarning, 2) +- if scheme.lower() == 'basic': +- return self.retry_http_basic_auth(host, req, realm) ++ unsupported = None ++ for header in headers: ++ for scheme, realm in self._parse_realm(header): ++ if scheme.lower() != 'basic': ++ unsupported = scheme ++ continue ++ ++ if realm is not None: ++ # Use the first matching Basic challenge. ++ # Ignore following challenges even if they use the Basic ++ # scheme. 
++ return self.retry_http_basic_auth(host, req, realm) ++ ++ if unsupported is not None: ++ raise ValueError("AbstractBasicAuthHandler does not " ++ "support the following scheme: %r" ++ % (scheme,)) + + def retry_http_basic_auth(self, host, req, realm): + user, pw = self.passwd.find_user_password(realm, host) +diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst +new file mode 100644 +index 0000000000000..be80ce79d91ed +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst +@@ -0,0 +1,3 @@ ++:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` ++now parses all WWW-Authenticate HTTP headers and accepts multiple challenges ++per header: use the realm of the first Basic challenge. +diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +new file mode 100644 +index 0000000000000..9f2800581ca5e +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -0,0 +1,5 @@ ++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++:mod:`urllib.request` module uses an inefficient regular expression which can ++be exploited by an attacker to cause a denial of service. Fix the regex to ++prevent the catastrophic backtracking. Vulnerability reported by Ben Caller ++and Matt Schwager. diff --git a/dev-lang/python/files/test.support.unlink-ignore-EPERM.patch b/dev-lang/python/files/test.support.unlink-ignore-EPERM.patch new file mode 100644 index 000000000000..49f815daaac0 --- /dev/null +++ b/dev-lang/python/files/test.support.unlink-ignore-EPERM.patch 
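Review bot: The rewritten `rx` in `AbstractBasicAuthHandler` still lets the scheme group `([^ \t]+)` match commas, so it overlaps with the new `(?:^|,)` anchor: on a server-supplied `WWW-Authenticate` value, `finditer` can restart at each comma and scan to the end of the header every time, which is quadratic in the header length rather than linear. Excluding the separator from the scheme, `'([^ \t,]+)'  # scheme like "Basic"`, removes that overlap. Separately, the final `raise ValueError` in `http_error_auth_reqed` formats `% (scheme,)`, the last loop variable, where `% (unsupported,)` is the value that was actually recorded. In `test_basic_auth`, `realm` and `realm2` are both set to `"realm2@example.com"`, so the "use the first Basic realm" cases cannot detect the second realm being chosen; giving `realm` a distinct value would make those assertions meaningful.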
@@ -0,0 +1,29 @@ +From 789c61e1a1966241d274012cdbd5fb9716448952 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert <floppym@gentoo.org> +Date: Fri, 3 Apr 2020 10:37:56 -0400 +Subject: [PATCH] test.support.unlink: ignore EPERM + +Resolves test errors when running in the Gentoo sandbox environment. + +Bug: https://bugs.gentoo.org/679628 +--- + Lib/test/support/__init__.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py +index ccc11c1b4b0..c5ec06bb420 100644 +--- a/Lib/test/support/__init__.py ++++ b/Lib/test/support/__init__.py +@@ -291,7 +291,7 @@ def unlink(filename): + try: + _unlink(filename) + except OSError as exc: +- if exc.errno not in (errno.ENOENT, errno.ENOTDIR): ++ if exc.errno not in (errno.ENOENT, errno.ENOTDIR, errno.EPERM): + raise + + def rmdir(dirname): +-- +2.26.0 + + diff --git a/dev-lang/python/files/test.support.unlink-ignore-PermissionError.patch b/dev-lang/python/files/test.support.unlink-ignore-PermissionError.patch new file mode 100644 index 000000000000..bdf74e0edcb1 --- /dev/null +++ b/dev-lang/python/files/test.support.unlink-ignore-PermissionError.patch 
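Review bot: Adding `errno.EPERM` to the ignored errors in `test.support.unlink` takes effect in every environment, not only in the Gentoo sandbox named in the patch message, so a test that cannot delete its fixture now continues silently and can leave the file behind for later tests. A comment on the changed line, such as `# EPERM: unlink is denied inside the Gentoo sandbox (bug 679628)`, would record why a permission failure is tolerated here. The same applies to the `PermissionError` added in test.support.unlink-ignore-PermissionError.patch.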
@@ -0,0 +1,28 @@ +From 6e6402caa7962a9c9f7c5327f3c802545824f7f9 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert <floppym@gentoo.org> +Date: Fri, 3 Apr 2020 10:37:56 -0400 +Subject: [PATCH] test.support.unlink: ignore PermissionError + +Resolves test errors when running in the Gentoo sandbox environment. + +Bug: https://bugs.gentoo.org/679628 +--- + Lib/test/support/__init__.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py +index 1f792d8514d..a0772480eb4 100644 +--- a/Lib/test/support/__init__.py ++++ b/Lib/test/support/__init__.py +@@ -488,7 +488,7 @@ else: + def unlink(filename): + try: + _unlink(filename) +- except (FileNotFoundError, NotADirectoryError): ++ except (FileNotFoundError, NotADirectoryError, PermissionError): + pass + + def rmdir(dirname): +-- +2.26.0 + |
