dev-lang/python: Backport CVE-2021-3177 fix to 2.7.18

Bug: https://bugs.gentoo.org/766189
Signed-off-by: Michał Górny <mgorny@gentoo.org>

2 files changed, 348 insertions, 0 deletions

diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest
index 4abaf2aa5953..d9e3342af2ed 100644
--- a/dev-lang/python/Manifest
+++ b/dev-lang/python/Manifest
@@ -7,6 +7,7 @@ DIST Python-3.8.7.tar.xz 18261096 BLAKE2B 6ac20efef41e828cb796aabcb7808400d494b9
 DIST Python-3.9.0.tar.xz 18866140 BLAKE2B 8e12b64e187a65461473ac3b281dc489f0abac586e0755f6dbeceb236b34bdc008085eeac9ee1a19d76f5ec6a2fbda623985454c9d0164c4888a97b8cd940034 SHA512 b141039c9701a8cb0d15cd11a279153077524af4d0599e7d2c7279d4c18d05fda06b33ef82342d875de996c7117b7dc6eb154dc3669d38a1efa99801aeec6c5e
 DIST Python-3.9.1.tar.xz 18897104 BLAKE2B bcbce176510e8e7c6ba6070588bedc52121c21c5271f59b3d629dfb542c51ee62622b2ca53a6e2041f1a51b2d089368cc4de9bb749e8ebad9a2c4eb4de83538e SHA512 b90029d6825751685983e9dcf0e0ec9e46f18e6c7d37b0dd7a245a94316f8c0090308ad7c2b2b49ed2514b0b909177231dd5bcad03031bf4624e37136fcf8019
 DIST python-gentoo-patches-2.7.18-r4.tar.xz 21352 BLAKE2B d322f5afd63813d7c9280c75f942bde75ee19793e121d0406c4f229ead53324bf3996342eed9a6c1aa474894afe7f2dd70aec38aee8042993a5274abc288fd31 SHA512 1cb0be8e79d0c6c55fcbe3f3dabf8b760aea0e60d888ea39d3e69de03b55738c50b2cca06586c1cd2896956f5764eefd6d3f9fbf2de0d0ddfd8aab86837976b6
+DIST python-gentoo-patches-2.7.18-r6.tar.xz 22740 BLAKE2B 1727fcab273dfe5e5739c7ce1cd7fb3c6bd13c2bda25a2e4e0609a2e727a69318a46b7c2173ea7746f8a124e778b276408adc9968ed2025b8643e660bb3d3ea3 SHA512 975fe72c5b2f4577563e8e972c70b7eec7203790a500e6f051fab1f66c71e5ae46fcb3c571a9e6346bf3a0d1dd48594a61bf2751007e4f5e3d19f8db6146c99d
 DIST python-gentoo-patches-3.10.0a3-r1.tar.xz 10068 BLAKE2B 8b305a31cf0aab4da9e27e671b4fd48be6224ff8508ed1831ad4149761bb263cd9a694e90d52335390643a537dee2d6cab4e086bd521c99217e81845b4f9bcf1 SHA512 69c52c61dd2f1ca097fafe13c27cd1979280675bef6af8e8e300f3791d7eb50368311e3d055075f4bca01ce02d9e97a94fcd2662c78f14cfb6a37d77c39a158f
 DIST python-gentoo-patches-3.6.12-r1.tar.xz 16540 BLAKE2B 8204b6f25e1f7c6fef024933d54bfa6085158ac624a6e5a8d51576da2047b6db791be5d071c483fdec5c033b8fa8ee3d4e176a3e442defa556b34a304de3b7f3 SHA512 ad74c73b4f963427e66ac6187e1569dbfbbe3c916c24971a1eba4ad7e2f94e39c970f80e197c0498820451f036b12f3076b46cfd73bb5d6d56183ac05453d9ad
 DIST python-gentoo-patches-3.6.12-r2.tar.xz 17988 BLAKE2B c252bce5ac49b9af11174d3c974d95c24ec280230cede75a7650cb914f8acb3d41b8d575e469fe7f274c6d3bc238847b82e815bf1444c5afd7292e00248e3365 SHA512 50813fbd810c8b865c0f0f8d56780af7a9e094336ba486ddd94ba8fb0a83b5373f41274bbb10c3d732449ee5b2076b7430404c02bfac10fb9b27f92de79c25e2
diff --git a/dev-lang/python/python-2.7.18-r6.ebuild b/dev-lang/python/python-2.7.18-r6.ebuild
new file mode 100644
index 000000000000..e5cfcd3ff401
--- /dev/null
+++ b/dev-lang/python/python-2.7.18-r6.ebuild
@@ -0,0 +1,347 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+WANT_LIBTOOL="none"
+
+inherit autotools flag-o-matic pax-utils python-utils-r1 toolchain-funcs
+
+MY_P="Python-${PV}"
+PYVER=$(ver_cut 1-2)
+PATCHSET="python-gentoo-patches-2.7.18-r6"
+
+DESCRIPTION="An interpreted, interactive, object-oriented programming language"
+HOMEPAGE="https://www.python.org/"
+SRC_URI="https://www.python.org/ftp/python/${PV}/${MY_P}.tar.xz
+	https://dev.gentoo.org/~mgorny/dist/python/${PATCHSET}.tar.xz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="PSF-2"
+SLOT="${PYVER}"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="-berkdb bluetooth build elibc_uclibc examples gdbm hardened ipv6 libressl +ncurses +readline sqlite +ssl +threads tk +wide-unicode wininst +xml"
+
+# Do not add a dependency on dev-lang/python to this ebuild.
+# If you need to apply a patch which requires python for bootstrapping, please
+# run the bootstrap code on your dev box and include the results in the
+# patchset. See bug 447752.
+
+RDEPEND="app-arch/bzip2:=
+	dev-libs/libffi:=
+	>=sys-libs/zlib-1.1.3:=
+	virtual/libcrypt:=
+	virtual/libintl
+	berkdb? ( || (
+		sys-libs/db:5.3
+		sys-libs/db:5.1
+		sys-libs/db:4.8
+		sys-libs/db:4.7
+		sys-libs/db:4.6
+		sys-libs/db:4.5
+		sys-libs/db:4.4
+		sys-libs/db:4.3
+		sys-libs/db:4.2
+	) )
+	gdbm? ( sys-libs/gdbm:=[berkdb] )
+	ncurses? ( >=sys-libs/ncurses-5.2:= )
+	readline? ( >=sys-libs/readline-4.1:= )
+	sqlite? ( >=dev-db/sqlite-3.3.8:3= )
+	ssl? (
+		!libressl? ( dev-libs/openssl:= )
+		libressl? ( dev-libs/libressl:= )
+	)
+	tk? (
+		>=dev-lang/tcl-8.0:=
+		>=dev-lang/tk-8.0:=
+		dev-tcltk/blt:=
+		dev-tcltk/tix
+	)
+	xml? ( >=dev-libs/expat-2.1:= )"
+# bluetooth requires headers from bluez
+DEPEND="${RDEPEND}
+	bluetooth? ( net-wireless/bluez )
+	virtual/pkgconfig
+	!sys-devel/gcc[libffi(-)]"
+RDEPEND+="
+	!build? ( app-misc/mime-types )
+	!<=dev-lang/python-exec-2.4.6-r1"
+
+pkg_setup() {
+	if use berkdb; then
+		ewarn "'bsddb' module is out-of-date and no longer maintained inside"
+		ewarn "dev-lang/python. 'bsddb' and 'dbhash' modules have been additionally"
+		ewarn "removed in Python 3. A maintained alternative of 'bsddb3' module"
+		ewarn "is provided by dev-python/bsddb3."
+	else
+		if has_version "=${CATEGORY}/${PN}-${PV%%.*}*[berkdb]"; then
+			ewarn "You are migrating from =${CATEGORY}/${PN}-${PV%%.*}*[berkdb]"
+			ewarn "to =${CATEGORY}/${PN}-${PV%%.*}*[-berkdb]."
+			ewarn "You might need to migrate your databases."
+		fi
+	fi
+}
+
+src_prepare() {
+	# Ensure that internal copies of expat, libffi and zlib are not used.
+	rm -fr Modules/expat || die
+	rm -fr Modules/_ctypes/libffi* || die
+	rm -fr Modules/zlib || die
+
+	local PATCHES=(
+		"${WORKDIR}/${PATCHSET}"
+	)
+
+	default
+
+	sed -i -e "s:@@GENTOO_LIBDIR@@:$(get_libdir):g" \
+		Lib/distutils/command/install.py \
+		Lib/distutils/sysconfig.py \
+		Lib/site.py \
+		Lib/sysconfig.py \
+		Lib/test/test_site.py \
+		Makefile.pre.in \
+		Modules/Setup.dist \
+		Modules/getpath.c \
+		setup.py || die "sed failed to replace @@GENTOO_LIBDIR@@"
+
+	eautoreconf
+}
+
+src_configure() {
+	# dbm module can be linked against berkdb or gdbm.
+	# Defaults to gdbm when both are enabled, #204343.
+	local disable
+	use berkdb    || use gdbm || disable+=" dbm"
+	use berkdb    || disable+=" _bsddb"
+	# disable automagic bluetooth headers detection
+	use bluetooth || export ac_cv_header_bluetooth_bluetooth_h=no
+	use gdbm      || disable+=" gdbm"
+	use ncurses   || disable+=" _curses _curses_panel"
+	use readline  || disable+=" readline"
+	use sqlite    || disable+=" _sqlite3"
+	use ssl       || export PYTHON_DISABLE_SSL="1"
+	use tk        || disable+=" _tkinter"
+	use xml       || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat.
+	export PYTHON_DISABLE_MODULES="${disable}"
+
+	if ! use xml; then
+		ewarn "You have configured Python without XML support."
+		ewarn "This is NOT a recommended configuration as you"
+		ewarn "may face problems parsing any XML documents."
+	fi
+
+	if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then
+		einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}"
+	fi
+
+	if [[ "$(gcc-major-version)" -ge 4 ]]; then
+		append-flags -fwrapv
+	fi
+
+	filter-flags -malign-double
+
+	# https://bugs.gentoo.org/show_bug.cgi?id=50309
+	if is-flagq -O3; then
+		is-flagq -fstack-protector-all && replace-flags -O3 -O2
+		use hardened && replace-flags -O3 -O2
+	fi
+
+	if tc-is-cross-compiler; then
+		# Force some tests that try to poke fs paths.
+		export ac_cv_file__dev_ptc=no
+		export ac_cv_file__dev_ptmx=yes
+	fi
+
+	# Export CXX so it ends up in /usr/lib/python2.X/config/Makefile.
+	tc-export CXX
+	# The configure script fails to use pkg-config correctly.
+	# http://bugs.python.org/issue15506
+	export ac_cv_path_PKG_CONFIG=$(tc-getPKG_CONFIG)
+
+	# Set LDFLAGS so we link modules with -lpython2.7 correctly.
+	# Needed on FreeBSD unless Python 2.7 is already installed.
+	# Please query BSD team before removing this!
+	append-ldflags "-L."
+
+	local dbmliborder
+	if use gdbm; then
+		dbmliborder+="${dbmliborder:+:}gdbm"
+	fi
+	if use berkdb; then
+		dbmliborder+="${dbmliborder:+:}bdb"
+	fi
+
+	local myeconfargs=(
+		# The check is broken on clang, and gives false positive:
+		# https://bugs.gentoo.org/596798
+		# (upstream dropped this flag in 3.2a4 anyway)
+		ac_cv_opt_olimit_ok=no
+		# glibc-2.30 removes it; since we can't cleanly force-rebuild
+		# Python on glibc upgrade, remove it proactively to give
+		# a chance for users rebuilding python before glibc
+		ac_cv_header_stropts_h=no
+
+		--with-fpectl
+		--enable-shared
+		$(use_enable ipv6)
+		$(use_with threads)
+		$(use wide-unicode && echo "--enable-unicode=ucs4" || echo "--enable-unicode=ucs2")
+		--infodir='${prefix}/share/info'
+		--mandir='${prefix}/share/man'
+		--with-computed-gotos
+		--with-dbmliborder="${dbmliborder}"
+		--with-libc=
+		--enable-loadable-sqlite-extensions
+		--with-system-expat
+		--with-system-ffi
+		--without-ensurepip
+	)
+
+	OPT="" econf "${myeconfargs[@]}"
+
+	if use threads && grep -q "#define POSIX_SEMAPHORES_NOT_ENABLED 1" pyconfig.h; then
+		eerror "configure has detected that the sem_open function is broken."
+		eerror "Please ensure that /dev/shm is mounted as a tmpfs with mode 1777."
+		die "Broken sem_open function (bug 496328)"
+	fi
+}
+
+src_compile() {
+	# Ensure sed works as expected
+	# https://bugs.gentoo.org/594768
+	local -x LC_ALL=C
+
+	# Avoid invoking pgen for cross-compiles.
+	touch Include/graminit.h Python/graminit.c
+
+	emake
+
+	# Work around bug 329499. See also bug 413751 and 457194.
+	if has_version dev-libs/libffi[pax_kernel]; then
+		pax-mark E python
+	else
+		pax-mark m python
+	fi
+}
+
+src_test() {
+	# Tests will not work when cross compiling.
+	if tc-is-cross-compiler; then
+		elog "Disabling tests due to crosscompiling."
+		return
+	fi
+
+	# Skip failing tests.
+	local skipped_tests="distutils gdb"
+
+	for test in ${skipped_tests}; do
+		mv "${S}"/Lib/test/test_${test}.py "${T}"
+	done
+
+	# bug 660358
+	local -x COLUMNS=80
+
+	# Daylight saving time problem
+	# https://bugs.python.org/issue22067
+	# https://bugs.gentoo.org/610628
+	local -x TZ=UTC
+
+	# Rerun failed tests in verbose mode (regrtest -w).
+	emake test EXTRATESTOPTS="-w" < /dev/tty
+	local result="$?"
+
+	for test in ${skipped_tests}; do
+		mv "${T}/test_${test}.py" "${S}"/Lib/test
+	done
+
+	elog "The following tests have been skipped:"
+	for test in ${skipped_tests}; do
+		elog "test_${test}.py"
+	done
+
+	elog "If you would like to run them, you may:"
+	elog "cd '${EPREFIX}/usr/$(get_libdir)/python${PYVER}/test'"
+	elog "and run the tests separately."
+
+	if [[ ${result} -ne 0 ]]; then
+		die "emake test failed"
+	fi
+}
+
+src_install() {
+	local libdir=${ED}/usr/$(get_libdir)/python${PYVER}
+
+	emake DESTDIR="${D}" altinstall
+
+	sed -e "s/\(LDFLAGS=\).*/\1/" -i "${libdir}/config/Makefile" || die
+
+	# Fix collisions between different slots of Python.
+	mv "${ED}/usr/bin/2to3" "${ED}/usr/bin/2to3-${PYVER}" || die
+	mv "${ED}/usr/bin/pydoc" "${ED}/usr/bin/pydoc${PYVER}" || die
+	mv "${ED}/usr/bin/idle" "${ED}/usr/bin/idle${PYVER}" || die
+	rm "${ED}/usr/bin/smtpd.py" || die
+
+	use berkdb || rm -r "${libdir}/"{bsddb,dbhash.py*,test/test_bsddb*} || die
+	use sqlite || rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die
+	use tk || rm -r "${ED}/usr/bin/idle${PYVER}" "${libdir}/"{idlelib,lib-tk} || die
+	use elibc_uclibc && rm -fr "${libdir}/"{bsddb/test,test}
+
+	use threads || rm -r "${libdir}/multiprocessing" || die
+	use wininst || rm "${libdir}/distutils/command/"wininst-*.exe || die
+
+	dodoc Misc/{ACKS,HISTORY,NEWS}
+
+	if use examples; then
+		docinto examples
+		dodoc -r Tools
+	fi
+	insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510
+	local libname=$(printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' | \
+		emake --no-print-directory -s -f - 2>/dev/null)
+	newins "${S}"/Tools/gdb/libpython.py "${libname}"-gdb.py
+
+	newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER}
+	newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER}
+	sed \
+		-e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \
+		-e "s:@PYDOC@:pydoc${PYVER}:" \
+		-i "${ED}/etc/conf.d/pydoc-${PYVER}" \
+		"${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed"
+
+	local -x EPYTHON=python${PYVER}
+	# if not using a cross-compiler, use the fresh binary
+	if ! tc-is-cross-compiler; then
+		local -x PYTHON=./python
+		local -x LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${PWD}
+	else
+		local -x PYTHON=${EPREFIX}/usr/bin/${EPYTHON}
+	fi
+
+	echo "EPYTHON='${EPYTHON}'" > epython.py || die
+	python_domodule epython.py
+
+	# python-exec wrapping support
+	local scriptdir=${D}$(python_get_scriptdir)
+	mkdir -p "${scriptdir}" || die
+	# python
+	ln -s "../../../bin/python${PYVER}" \
+		"${scriptdir}/python" || die
+	# python-config
+	ln -s "../../../bin/python${PYVER}-config" \
+		"${scriptdir}/python-config" || die
+	# 2to3, pydoc, pyvenv
+	ln -s "../../../bin/2to3-${PYVER}" \
+		"${scriptdir}/2to3" || die
+	ln -s "../../../bin/pydoc${PYVER}" \
+		"${scriptdir}/pydoc" || die
+	# idle
+	if use tk; then
+		ln -s "../../../bin/idle${PYVER}" \
+			"${scriptdir}/idle" || die
+	fi
+
+	# python2* is no longer wrapped, so just symlink it
+	local pymajor=${PYVER%.*}
+	dosym "python${PYVER}" "/usr/bin/python${pymajor}"
+	dosym "python${PYVER}-config" "/usr/bin/python${pymajor}-config"
+}