What's New in Python 2.4.6?
===========================

*Release date: 19-Dec-2008*

What's New in Python 2.4.6c1?
=============================

*Release date: 13-Dec-2008*

Core and builtins
-----------------

- Issue #4469: Prevent expandtabs() on string and unicode
  objects from causing a segfault when a large width is passed
  on 32-bit platforms. CVE-2008-5031.

- Issue #4317: Fixed a crash in the imageop.rgb2rgb8() function.

- Issue #4230: Fix a crash when a class has a custom __getattr__ and an
  __getattribute__ method that deletes the __getattr__ attribute.

- Apply security patches from Apple. CVE-2008-2315.

- Issue #2620: Overflow checking when allocating or reallocating memory
  was not always being done properly in some python types and extension
  modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
  all been updated to perform better checks and places in the code that
  would previously leak memory on the error path when such an allocation
  failed have been fixed.

- Issue #1179: Fix CVE-2007-4965 and CVE-2008-1679, multiple integer
  overflows in the imageop and rgbimgmodule modules.

- Issue #2586: Fix CVE-2008-1721, zlib crash from
  zlib.decompressobj().flush(val) when val is not positive.

- Issues #2588, #2589: Fix potential integer underflow and overflow
  conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.

- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
  parameter but was not verifying that it was greater than zero. Values
  less than zero will now raise a SystemError and return NULL to indicate a
  bug in the calling C code. CVE-2008-1887.

- Security Issue #2: imageop did not validate arguments correctly and could
  segfault as a result. CVE-2008-4864.
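
The allocation-size and signed-size checks described in the entries for Issues #2620 and #2587, as an added C example. It is not CPython's source: the helper names `checked_new`, `checked_resize` and `buf_from_signed_size` are hypothetical and only illustrate the pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not CPython's macro): allocate n elements of
 * elem_size bytes, refusing any request whose byte count would wrap. */
static void *checked_new(size_t n, size_t elem_size)
{
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return NULL;                      /* n * elem_size would overflow */
    return malloc(n * elem_size ? n * elem_size : 1);
}

/* Hypothetical helper: resize with the same check. On failure *pp is left
 * untouched, so the caller still owns the old block and can free it. */
static int checked_resize(void **pp, size_t n, size_t elem_size)
{
    void *q;
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return -1;
    q = realloc(*pp, n * elem_size ? n * elem_size : 1);
    if (q == NULL)
        return -1;                        /* old block is still valid */
    *pp = q;
    return 0;
}

/* Hypothetical helper: copy `size` bytes into a new NUL-terminated buffer.
 * A negative signed size is rejected before any conversion to size_t. */
static char *buf_from_signed_size(const char *src, ptrdiff_t size)
{
    char *p;
    if (size < 0)
        return NULL;                      /* bug in the calling code */
    p = checked_new((size_t)size + 1, 1); /* room for the terminator */
    if (p == NULL)
        return NULL;
    memcpy(p, src, (size_t)size);
    p[size] = '\0';
    return p;
}

int main(void)
{
    printf("wrap rejected: %d\n", checked_new(SIZE_MAX / 4 + 1, 4) == NULL);
    return 0;
}
```
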

Extension Modules
-----------------

Library
-------

Tests
-----

Build
-----

Tools/Demos
-----------

- Tools/faqwiz/move-faqwiz.sh: Fix unsecure use of temporary files.
definitions which do things behind the client pkgs back, in particular
manipulate the library search path
It is well possible that this causes some fallout, but I hope it
will be small and can be dealt with on a per-pkg basis.
(partly) suggested by Mark Davies on tech-pkg
earlier, but they became no-ops due to my change to db4/bl3 and thus
didn't do harm. Now that part of that change was backed out they became
harmful again and thus need to go.
changes. The "dbm" module could fail to build correctly, erroring out with:
*** WARNING: renaming "dbm" since importing it failed: build/lib.linux-i686-2.4/dbm.so: undefined symbol: dbm_firstkey
In this case, the "dbm" module has accidentally linked with "databases/gdbm",
which happens to be installed, but was never buildlinked in. It may be
relevant that /usr/include/gdbm/ndbm.h is installed on this system.
Remove the "gdbm" test from the "dbm" module configuration, leaving the "ndbm"
support, and the fall-back "bdb" support (which will likely fall back to db4).
Bump PKGREVISION - the package would still install, but with missing
functionality.
on Linux one can't build some extensions against an old Python (with
spurious -ldb4 linkage) anymore
also sync the bl3 files of the non-default versions with python25
for consistency
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
$PYTHON -c "from distutils import sysconfig; print sysconfig.get_config_var('SHLIBS');"
... where bdb.buildlink.mk has been used and it satisfied the requirement from
Pkgsrc (E.g. via databases/db4) would fail to build because the required -ldb4
library was not itself buildlinked.
To rectify this, pull in bdb.buildlink.mk in python??/buildlink3.mk under the
same conditions as it is pulled in in the package's own makefile.
No revision bump required, this almost certainly only affects packages and
environments that simply wouldn't build at all prior to the fix.
Fixes the build of py-ORBit on Linux (Python 2.4 or 2.5), and PR39377.
integer overflow in the vsnprintf replacement function.
This is likely not a real problem, and the patch wasn't pulled to
the upstream 2.4 branch, but so we can formally declare our 2.4
as not vulnerable now.
We are pleased to announce the release of Python 2.4.4 (FINAL), a
bugfix release of Python 2.4, on October 18, 2006.
Important: 2.4.4 includes a security fix (PSF-2006-001) for the
repr() of unicode strings in wide unicode builds (UCS-4) [does not
affect pkgsrc]
Python 2.4 is now in bugfix-only mode; no new features are being
added. At least 80 bugs have been squished since Python 2.4.3,
including a number of bugs and potential bugs found with the
Coverity and Klocwork static analysis tools. We'd like to offer
our thanks to both these firms for making this available for open
source projects - see their websites if you're interested.
The NIS module is not available in that case.
Call the regen script with RUNSHARED, so that it finds libpython.so,
even in the DESTDIR case.
XXX The call to regen should be moved to the build phase.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
only build certain modules if the platform is *not* 64-bit. Correct
the PLIST for those cases. This should fix the build on non-64bit,
non-x86 platforms, e.g. powerpc.