diff --git a/0001-CVE-2017-18342-1.patch b/0001-CVE-2017-18342-1.patch
deleted file mode 100644
index 565de1c..0000000
--- a/0001-CVE-2017-18342-1.patch
+++ /dev/null
@@ -1,298 +0,0 @@ -From 7b68405c81db889f83c32846462b238ccae5be80 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Sat, 26 Aug 2017 09:26:59 -0400 -Subject: [PATCH 1/2] Make pyyaml safe by default. - -Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes. - -(python2 only at this moment) - -Refs #5 ---- - lib/yaml/__init__.py | 41 +++++++++++++++++++++-------------- - lib/yaml/cyaml.py | 15 +++++++------ - lib/yaml/dumper.py | 8 +++---- - lib/yaml/loader.py | 8 +++---- - tests/lib/test_constructor.py | 5 ++--- - tests/lib/test_recursive.py | 7 +++--- - 6 files changed, 46 insertions(+), 38 deletions(-) - -diff --git a/lib/yaml/__init__.py b/lib/yaml/__init__.py -index 87c15d3..153a74d 100644 ---- a/lib/yaml/__init__.py -+++ b/lib/yaml/__init__.py -@@ -65,17 +65,24 @@ def load(stream, Loader=Loader): - """ - Parse the first YAML document in a stream - and produce the corresponding Python object. -+ -+ By default resolve only basic YAML tags, if an alternate Loader is -+ provided, may be dangerous. - """ - loader = Loader(stream) - try: - return loader.get_single_data() - finally: - loader.dispose() -+safe_load = load - - def load_all(stream, Loader=Loader): - """ - Parse all YAML documents in a stream - and produce corresponding Python objects. -+ -+ By default resolve only basic YAML tags, if an alternate Loader is -+ provided, may be dangerous. - """ - loader = Loader(stream) - try: -@@ -83,22 +90,23 @@ def load_all(stream, Loader=Loader): - yield loader.get_data() - finally: - loader.dispose() -+safe_load_all = load_all - --def safe_load(stream): -+def danger_load(stream): - """ - Parse the first YAML document in a stream - and produce the corresponding Python object. -- Resolve only basic YAML tags. -+ When used on untrusted input, can result in arbitrary code execution. 
- """ -- return load(stream, SafeLoader) -+ return load(stream, DangerLoader) - --def safe_load_all(stream): -+def danger_load_all(stream): - """ - Parse all YAML documents in a stream - and produce corresponding Python objects. -- Resolve only basic YAML tags. -+ When used on untrusted input, can result in arbitrary code execution. - """ -- return load_all(stream, SafeLoader) -+ return load_all(stream, DangerLoader) - - def emit(events, stream=None, Dumper=Dumper, - canonical=None, indent=None, width=None, -@@ -193,29 +201,31 @@ def dump_all(documents, stream=None, Dumper=Dumper, - dumper.dispose() - if getvalue: - return getvalue() -+safe_dump_all = dump_all - --def dump(data, stream=None, Dumper=Dumper, **kwds): -+def danger_dump_all(documents, stream=None, **kwds): - """ -- Serialize a Python object into a YAML stream. -+ Serialize a sequence of Python objects into a YAML stream. -+ Produce only basic YAML tags. - If stream is None, return the produced string instead. - """ -- return dump_all([data], stream, Dumper=Dumper, **kwds) -+ return dump_all(documents, stream, Dumper=DangerDumper, **kwds) - --def safe_dump_all(documents, stream=None, **kwds): -+def dump(data, stream=None, Dumper=Dumper, **kwds): - """ -- Serialize a sequence of Python objects into a YAML stream. -- Produce only basic YAML tags. -+ Serialize a Python object into a YAML stream. - If stream is None, return the produced string instead. - """ -- return dump_all(documents, stream, Dumper=SafeDumper, **kwds) -+ return dump_all([data], stream, Dumper=Dumper, **kwds) -+safe_dump = dump - --def safe_dump(data, stream=None, **kwds): -+def danger_dump(data, stream=None, **kwds): - """ - Serialize a Python object into a YAML stream. - Produce only basic YAML tags. - If stream is None, return the produced string instead. 
- """ -- return dump_all([data], stream, Dumper=SafeDumper, **kwds) -+ return dump_all([data], stream, Dumper=DangerDumper, **kwds) - - def add_implicit_resolver(tag, regexp, first=None, - Loader=Loader, Dumper=Dumper): -@@ -312,4 +322,3 @@ class YAMLObject(object): - return dumper.represent_yaml_object(cls.yaml_tag, data, cls, - flow_style=cls.yaml_flow_style) - to_yaml = classmethod(to_yaml) -- -diff --git a/lib/yaml/cyaml.py b/lib/yaml/cyaml.py -index 68dcd75..5371f63 100644 ---- a/lib/yaml/cyaml.py -+++ b/lib/yaml/cyaml.py -@@ -1,6 +1,6 @@ - --__all__ = ['CBaseLoader', 'CSafeLoader', 'CLoader', -- 'CBaseDumper', 'CSafeDumper', 'CDumper'] -+__all__ = ['CBaseLoader', 'CSafeLoader', 'CLoader', 'CDangerLoader', -+ 'CBaseDumper', 'CSafeDumper', 'CDumper', 'CDangerDumper'] - - from _yaml import CParser, CEmitter - -@@ -18,14 +18,15 @@ class CBaseLoader(CParser, BaseConstructor, BaseResolver): - BaseConstructor.__init__(self) - BaseResolver.__init__(self) - --class CSafeLoader(CParser, SafeConstructor, Resolver): -+class CLoader(CParser, SafeConstructor, Resolver): - - def __init__(self, stream): - CParser.__init__(self, stream) - SafeConstructor.__init__(self) - Resolver.__init__(self) -+CSafeLoader = CLoader - --class CLoader(CParser, Constructor, Resolver): -+class CDangerLoader(CParser, Constructor, Resolver): - - def __init__(self, stream): - CParser.__init__(self, stream) -@@ -49,7 +50,7 @@ class CBaseDumper(CEmitter, BaseRepresenter, BaseResolver): - default_flow_style=default_flow_style) - Resolver.__init__(self) - --class CSafeDumper(CEmitter, SafeRepresenter, Resolver): -+class CDumper(CEmitter, SafeRepresenter, Resolver): - - def __init__(self, stream, - default_style=None, default_flow_style=None, -@@ -65,8 +66,9 @@ class CSafeDumper(CEmitter, SafeRepresenter, Resolver): - SafeRepresenter.__init__(self, default_style=default_style, - default_flow_style=default_flow_style) - Resolver.__init__(self) -+CSafeDumper = CDumper - --class CDumper(CEmitter, 
Serializer, Representer, Resolver): -+class CDangerDumper(CEmitter, Serializer, Representer, Resolver): - - def __init__(self, stream, - default_style=None, default_flow_style=None, -@@ -82,4 +84,3 @@ class CDumper(CEmitter, Serializer, Representer, Resolver): - Representer.__init__(self, default_style=default_style, - default_flow_style=default_flow_style) - Resolver.__init__(self) -- -diff --git a/lib/yaml/dumper.py b/lib/yaml/dumper.py -index f811d2c..fcf1f28 100644 ---- a/lib/yaml/dumper.py -+++ b/lib/yaml/dumper.py -@@ -1,5 +1,5 @@ - --__all__ = ['BaseDumper', 'SafeDumper', 'Dumper'] -+__all__ = ['BaseDumper', 'SafeDumper', 'Dumper', 'DangerDumper'] - - from emitter import * - from serializer import * -@@ -24,7 +24,7 @@ class BaseDumper(Emitter, Serializer, BaseRepresenter, BaseResolver): - default_flow_style=default_flow_style) - Resolver.__init__(self) - --class SafeDumper(Emitter, Serializer, SafeRepresenter, Resolver): -+class Dumper(Emitter, Serializer, SafeRepresenter, Resolver): - - def __init__(self, stream, - default_style=None, default_flow_style=None, -@@ -41,8 +41,9 @@ class SafeDumper(Emitter, Serializer, SafeRepresenter, Resolver): - SafeRepresenter.__init__(self, default_style=default_style, - default_flow_style=default_flow_style) - Resolver.__init__(self) -+SafeDumper = Dump - --class Dumper(Emitter, Serializer, Representer, Resolver): -+class DangerDumper(Emitter, Serializer, Representer, Resolver): - - def __init__(self, stream, - default_style=None, default_flow_style=None, -@@ -59,4 +60,3 @@ class Dumper(Emitter, Serializer, Representer, Resolver): - Representer.__init__(self, default_style=default_style, - default_flow_style=default_flow_style) - Resolver.__init__(self) -- -diff --git a/lib/yaml/loader.py b/lib/yaml/loader.py -index 293ff46..6b18527 100644 ---- a/lib/yaml/loader.py -+++ b/lib/yaml/loader.py -@@ -1,5 +1,5 @@ - --__all__ = ['BaseLoader', 'SafeLoader', 'Loader'] -+__all__ = ['BaseLoader', 'SafeLoader', 'Loader', 
'DangerLoader'] - - from reader import * - from scanner import * -@@ -18,7 +18,7 @@ class BaseLoader(Reader, Scanner, Parser, Composer, BaseConstructor, BaseResolve - BaseConstructor.__init__(self) - BaseResolver.__init__(self) - --class SafeLoader(Reader, Scanner, Parser, Composer, SafeConstructor, Resolver): -+class Loader(Reader, Scanner, Parser, Composer, SafeConstructor, Resolver): - - def __init__(self, stream): - Reader.__init__(self, stream) -@@ -27,8 +27,9 @@ class SafeLoader(Reader, Scanner, Parser, Composer, SafeConstructor, Resolver): - Composer.__init__(self) - SafeConstructor.__init__(self) - Resolver.__init__(self) -+SafeLoader = Loader - --class Loader(Reader, Scanner, Parser, Composer, Constructor, Resolver): -+class DangerLoader(Reader, Scanner, Parser, Composer, Constructor, Resolver): - - def __init__(self, stream): - Reader.__init__(self, stream) -@@ -37,4 +38,3 @@ class Loader(Reader, Scanner, Parser, Composer, Constructor, Resolver): - Composer.__init__(self) - Constructor.__init__(self) - Resolver.__init__(self) -- -diff --git a/tests/lib/test_constructor.py b/tests/lib/test_constructor.py -index beee7b0..12d5391 100644 ---- a/tests/lib/test_constructor.py -+++ b/tests/lib/test_constructor.py -@@ -19,9 +19,9 @@ def _make_objects(): - NewArgs, NewArgsWithState, Reduce, ReduceWithState, MyInt, MyList, MyDict, \ - FixedOffset, today, execute - -- class MyLoader(yaml.Loader): -+ class MyLoader(yaml.DangerLoader): - pass -- class MyDumper(yaml.Dumper): -+ class MyDumper(yaml.DangerDumper): - pass - - class MyTestClass1: -@@ -272,4 +272,3 @@ if __name__ == '__main__': - sys.modules['test_constructor'] = sys.modules['__main__'] - import test_appliance - test_appliance.run(globals()) -- -diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py -index 6707fd4..c67c170 100644 ---- a/tests/lib/test_recursive.py -+++ b/tests/lib/test_recursive.py -@@ -29,9 +29,9 @@ def test_recursive(recursive_filename, verbose=False): - value2 = None - 
output2 = None - try: -- output1 = yaml.dump(value1) -- value2 = yaml.load(output1) -- output2 = yaml.dump(value2) -+ output1 = yaml.danger_dump(value1) -+ value2 = yaml.danger_load(output1) -+ output2 = yaml.danger_dump(value2) - assert output1 == output2, (output1, output2) - finally: - if verbose: -@@ -47,4 +47,3 @@ test_recursive.unittest = ['.recursive'] - if __name__ == '__main__': - import test_appliance - test_appliance.run(globals()) -- --- -2.20.1 - diff --git a/0002-CVE-2017-18342-2.patch b/0002-CVE-2017-18342-2.patch deleted file mode 100644 index 5053dc5..0000000 --- a/0002-CVE-2017-18342-2.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 517e83e8058e9d6850ab432ef22d84c2ac2bba5a Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Sat, 26 Aug 2017 09:29:39 -0400 -Subject: [PATCH 2/2] wtf, how did this typo happen - ---- - lib/yaml/dumper.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/yaml/dumper.py b/lib/yaml/dumper.py -index fcf1f28..22fd927 100644 ---- a/lib/yaml/dumper.py -+++ b/lib/yaml/dumper.py -@@ -41,7 +41,7 @@ class Dumper(Emitter, Serializer, SafeRepresenter, Resolver): - SafeRepresenter.__init__(self, default_style=default_style, - default_flow_style=default_flow_style) - Resolver.__init__(self) --SafeDumper = Dump -+SafeDumper = Dumper - - class DangerDumper(Emitter, Serializer, Representer, Resolver): - --- -2.20.1 - diff --git a/ChangeLog b/ChangeLog index b1b1c8a..91f0255 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,21 +1,50 @@ -For a complete changelog, see https://github.com/yaml/pyyaml/commits/ +For a complete changelog, see: + +* https://github.com/yaml/pyyaml/commits/ +* https://bitbucket.org/xi/pyyaml/commits/ + +5.1 (2019-03-13) +---------------- + +* https://github.com/yaml/pyyaml/pull/35 -- Some modernization of the test running +* https://github.com/yaml/pyyaml/pull/42 -- Install tox in a virtualenv +* https://github.com/yaml/pyyaml/pull/45 -- Allow colon in a plain scalar in a flow context +* https://github.com/yaml/pyyaml/pull/48 -- Fix typos +* https://github.com/yaml/pyyaml/pull/55 -- Improve RepresenterError creation +* https://github.com/yaml/pyyaml/pull/59 -- Resolves #57, update readme issues link +* https://github.com/yaml/pyyaml/pull/60 -- Document and test Python 3.6 support +* https://github.com/yaml/pyyaml/pull/61 -- Use Travis CI built in pip cache support +* https://github.com/yaml/pyyaml/pull/62 -- Remove tox workaround for Travis CI +* https://github.com/yaml/pyyaml/pull/63 -- Adding support to Unicode characters over codepoint 0xffff +* https://github.com/yaml/pyyaml/pull/65 -- Support unicode literals over codepoint 0xffff +* https://github.com/yaml/pyyaml/pull/75 -- add 3.12 changelog +* https://github.com/yaml/pyyaml/pull/76 -- Fallback to Pure Python if Compilation fails +* https://github.com/yaml/pyyaml/pull/84 -- Drop unsupported Python 3.3 +* https://github.com/yaml/pyyaml/pull/102 -- Include license file in the generated wheel package +* https://github.com/yaml/pyyaml/pull/105 -- Removed Python 2.6 & 3.3 support +* https://github.com/yaml/pyyaml/pull/111 -- Remove commented out Psyco code +* https://github.com/yaml/pyyaml/pull/129 -- Remove call to `ord` in lib3 emitter code +* https://github.com/yaml/pyyaml/pull/143 -- Allow to turn off sorting keys in Dumper +* https://github.com/yaml/pyyaml/pull/149 -- Test on Python 3.7-dev +* https://github.com/yaml/pyyaml/pull/158 -- Support escaped slash in double quotes "\/" +* 
https://github.com/yaml/pyyaml/pull/181 -- Import Hashable from collections.abc +* https://github.com/yaml/pyyaml/pull/256 -- Make default_flow_style=False +* https://github.com/yaml/pyyaml/pull/257 -- Deprecate yaml.load and add FullLoader and UnsafeLoader classes +* https://github.com/yaml/pyyaml/pull/263 -- Windows Appveyor build 3.13 (2018-07-05) ----------------- -* Rebuilt with the latest Cython to support the new Python 3.7 release. -* No functionality is different from PyYAML 3.12 in this release. +* Resolved issues around PyYAML working in Python 3.7. 3.12 (2016-08-28) ----------------- * Wheel packages for Windows binaries. -* Adding an implicit resolver to a derived loader should not affect the base - loader (fixes issue #57). -* Uniform representation for OrderedDict across different versions of Python - (fixes issue #61). -* Fixed comparison to None warning (closes issue #64). +* Adding an implicit resolver to a derived loader should not affect the base loader. +* Uniform representation for OrderedDict? across different versions of Python. +* Fixed comparison to None warning. 3.11 (2014-03-26) ----------------- @@ -121,7 +150,7 @@ For a complete changelog, see https://github.com/yaml/pyyaml/commits/ as lists of pairs instead of dictionaries. No longer check for duplicate mapping keys as it didn't work correctly anyway. * Fix invalid output of single-quoted scalars in cases when a single - quote is not escaped when preceeded by whitespaces or line breaks. + quote is not escaped when preceded by whitespaces or line breaks. * To make porting easier, rewrite Parser not using generators. * Fix handling of unexpected block mapping values. * Fix a bug in Representer.represent_object: copy_reg.dispatch_table 
@@ -157,6 +186,6 @@ For a complete changelog, see https://github.com/yaml/pyyaml/commits/ ----------------- * Initial release. The version number reflects the codename - of the project (PyYAML 3000) and differenciates it from - the abandoned PyYaml module. + of the project (PyYAML 3000) and differentiates it from + the abandoned PyYaml module. diff --git a/Makefile b/Makefile index 5f3c483..108e98f 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ PKG_NAME := PyYAML -URL = https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz +URL = https://github.com/yaml/pyyaml/archive/5.1.tar.gz ARCHIVES = include ../common/Makefile.common diff --git a/PyYAML.spec b/PyYAML.spec index 713d1e8..3cae418 100644 --- a/PyYAML.spec +++ b/PyYAML.spec @@ -3,14 +3,13 @@ # Generated by: autospec.py # Name : PyYAML -Version : 3.13 -Release : 47 -URL : https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz -Source0 : https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz -Summary : YAML parser and emitter for Python +Version : 5.1 +Release : 48 +URL : https://github.com/yaml/pyyaml/archive/5.1.tar.gz +Source0 : https://github.com/yaml/pyyaml/archive/5.1.tar.gz +Summary : No detailed summary available Group : Development/Tools License : MIT -Requires: PyYAML-license = %{version}-%{release} Requires: PyYAML-python = %{version}-%{release} Requires: PyYAML-python3 = %{version}-%{release} BuildRequires : Cython 
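Review bot: `URL`/`Source0` in the first PyYAML.spec hunk (and `URL` in the Makefile) now point at the forge-generated tag archive `https://github.com/yaml/pyyaml/archive/5.1.tar.gz` instead of the PyPI sdist, and the only integrity pin visible for it is the 40-hex digest recorded in `upstream`. Such archives are produced on demand, so their byte-stability is presumably weaker than that of an uploaded release file; a digest mismatch on rebuild should stop the build rather than prompt a refreshed digest. The switch also regressed the metadata: `Summary : No detailed summary available` replaced a real summary and `Requires: PyYAML-license` was dropped. I would restore `Summary : YAML parser and emitter for Python` and confirm the license file is still packaged.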
@@ -20,20 +19,10 @@ BuildRequires : buildreq-distutils3 BuildRequires : python-dev BuildRequires : python3-dev BuildRequires : yaml-dev -Patch1: 0001-CVE-2017-18342-1.patch -Patch2: 0002-CVE-2017-18342-2.patch %description -and interaction with scripting languages. PyYAML is a YAML parser - and emitter for Python. - - PyYAML features a complete YAML 1.1 parser, Unicode support, pickle - support, capable extension API, and sensible error messages. PyYAML - supports standard YAML tags and provides Python-specific tags that - allow to represent an arbitrary Python object. - - PyYAML is applicable for a broad range of tasks from complex - configuration files to object serialization and persistance. +PyYAML - The next generation YAML parser and emitter for Python. +To install, type 'python setup.py install'. %package legacypython Summary: legacypython components for the PyYAML package. @@ -44,14 +33,6 @@ Requires: python-core legacypython components for the PyYAML package. -%package license -Summary: license components for the PyYAML package. -Group: Default - -%description license -license components for the PyYAML package. - - %package python Summary: python components for the PyYAML package. Group: Default @@ -72,16 +53,14 @@ python3 components for the PyYAML package. %prep -%setup -q -n PyYAML-3.13 -%patch1 -p1 -%patch2 -p1 +%setup -q -n pyyaml-5.1 %build export http_proxy=http://127.0.0.1:9/ export https_proxy=http://127.0.0.1:9/ export no_proxy=localhost,127.0.0.1,0.0.0.0 export LANG=C -export SOURCE_DATE_EPOCH=1551413140 +export SOURCE_DATE_EPOCH=1553297306 export LDFLAGS="${LDFLAGS} -fno-lto" python2 setup.py build -b py2 python3 setup.py build -b py3 
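Review bot: Dropping `Patch1`/`Patch2` in this hunk changes what a bare `yaml.load()` does for every consumer of this package, and nothing in the spec records that. The removed downstream patches made `load` the safe loader (`safe_load = load`), whereas the 5.1 ChangeLog on this page only says upstream deprecates `yaml.load` and adds `FullLoader`/`UnsafeLoader`; as far as I know 5.1 falls back to `FullLoader` with a warning when no `Loader` is passed, which is not the same guarantee. The patches also introduced `danger_load`/`DangerLoader`, which 5.1 does not provide, so any dependent in `whatrequires` that was adapted to those names would break. I would add a comment above `%description`, e.g. `# CVE-2017-18342 patches dropped with 5.1: yaml.load() is no longer SafeLoader by default; dependents must call yaml.safe_load()`, and audit the dependents for bare `yaml.load` calls on untrusted input before release.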
@@ -92,10 +71,8 @@ export https_proxy=http://127.0.0.1:9/ export no_proxy=localhost,127.0.0.1,0.0.0.0 python setup.py test || : %install -export SOURCE_DATE_EPOCH=1551413140 +export SOURCE_DATE_EPOCH=1553297306 rm -rf %{buildroot} -mkdir -p %{buildroot}/usr/share/package-licenses/PyYAML -cp LICENSE %{buildroot}/usr/share/package-licenses/PyYAML/LICENSE python2 -tt setup.py build -b py2 install --root=%{buildroot} --force python3 -tt setup.py build -b py3 install --root=%{buildroot} --force echo ----[ mark ]---- @@ -109,10 +86,6 @@ echo ----[ mark ]---- %defattr(-,root,root,-) /usr/lib/python2*/* -%files license -%defattr(0644,root,root,0755) -/usr/share/package-licenses/PyYAML/LICENSE - %files python %defattr(-,root,root,-) diff --git a/buildreq_cache b/buildreq_cache index 7710762..d12f66d 100644 --- a/buildreq_cache +++ b/buildreq_cache @@ -1,2 +1,2 @@ -3.13 +5.1 python3-dev \ No newline at end of file diff --git a/options.conf b/options.conf index 07d2b34..035fef9 100644 --- a/options.conf +++ b/options.conf @@ -1,6 +1,6 @@ [package] name = PyYAML -url = https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz +url = https://github.com/yaml/pyyaml/archive/5.1.tar.gz archives = giturl = https://github.com/yaml/pyyaml.git diff --git a/release b/release index abac1ea..21e72e8 100644 --- a/release +++ b/release @@ -1 +1 @@ -47 +48 diff --git a/series b/series index cc835aa..d129b73 100644 --- a/series +++ b/series @@ -1,3 +1 @@ #forcecython.patch -0001-CVE-2017-18342-1.patch -0002-CVE-2017-18342-2.patch diff --git a/testresults b/testresults index 83c5912..15b4272 100644 --- a/testresults +++ b/testresults @@ -1,5 +1,5 @@ -Total : 2590 -Pass : 2585 +Total : 2607 +Pass : 2602 Fail : 5 Skip : 0 XFail : 0 diff --git a/upstream b/upstream index d70de24..7d5fe84 100644 --- a/upstream +++ b/upstream 
@@ -1 +1 @@
-22f95fe2f5ef29ab17110f92c7186e2cfde6b419/PyYAML-3.13.tar.gz
+8394d3e5b5f8842056312632031059ff1cc8cdb7/5.1.tar.gz
diff --git a/whatrequires b/whatrequires
index c205f85..c753d6b 100644
--- a/whatrequires
+++ b/whatrequires
@@ -3,6 +3,7 @@ ConfigArgParse
 Django
 Keras
 Markdown
+certbot
 docker-compose
 gabbi
 horizon
@@ -11,5 +12,6 @@ pyaml
 pybtex
 pytorch
 suricata
+tpm2-tools
 ua-parser
 vcstool