Details:
https://lists.nongnu.org/archive/html/chicken-announce/2022-11/msg00000.html
> Vasilij found a security issue with the way egg-information
> files are created during installation of an extension package.
> Currently, escape characters in the .egg file may be used to
> perform arbitrary OS command injection due to the method the
> egg metadata is created and installed in the local egg repository
> during the install-stage of an egg.
diff from MAINTAINER Timo Myyrä, thanks!
with Python 3.9+'s definition of PyMODINIT_FUNC and our readline headers
https://github.com/openbsd/src/blob/master/gnu/lib/libreadline/rlstdc.h#L41
(Due to some other strangeness in the build system, on 3.9 it rebuilt a
working version after the first attempt failed and the file was moved out
of the way, but that no longer happens with 3.10+ where readline just
failed).
Fix up PLISTs and WANTLIB for Python 3.11 while there.
Joint work with landry@ tb@ kmos@, ok tb kmos
This unbreaks the powerpc package of lang/pcc/pcc-libs and puts enough
fixes in lang/pcc/pcc for powerpc to compile the simplest C program,
$ cat hello.c
#include <stdio.h>
int main(void) { puts("Hello, BSD!"); return 0; }
$ pcc -O2 -o hello hello.c
It can't compile much more; pcc's powerpc code generator still fails
with static function calls and with floating-point literals.
ok sthen@
version in -stable of the previous release when plist is changed etc
(e.g. backporting updates to -stable after switching the default
Python version during a release cycle means that -current needs
to keep ahead of -stable, to avoid problems with -stable packages
at the next release)
https://docs.python.org/release/3.9.15/whatsnew/changelog.html
gh-97616: Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor
Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer
uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
Also a couple non-security fixes.
ok sthen
gh-97616: Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor
Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer
uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text
(filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act as
if a match was not found (or for test commands, as if the test
failed).
ok sthen
the rust std library is changed to not try to reallocate
a guard page on the stack.
the bootstraps need to be regenerated. this commit includes
only amd64 and i386 for now. other archs are marked BROKEN
for now.