
On Wed, 2020-09-09 at 12:41 +0300, Matti Picus wrote:
> On 9/9/20 9:55 AM, Michał Górny wrote:
> > On Tue, 2020-09-08 at 23:15 +0300, Matti Picus wrote:
> > > I have uploaded rc1 of pypy v7.3.2 to https://buildbot.pypy.org/pypy/ (note the trailing slash) which should be mirrored soon to https://downloads.python.org/pypy/
> > > The hashes are here https://foss.heptapod.net/pypy/pypy.org/-/blob/branch/default/pages/download...
> > > The release note is here https://doc.pypy.org/en/latest/release-v7.3.2.html
> > > This release does include a 3.7 alpha.
> > > Please try them out, especially on Windows (extra points for non-English interfaces and install paths) and macOS (extra points for machines that run without Homebrew stuff installed), to make sure you can run your project with them.
> > > Any comments are welcome.
> >
> > What's the vulnerability status of stdlib?
> >
> > I've tested pypy2.7 and pypy3.6 so far and neither seems to contain the CVE-2019-20907 fix (it was never backported to py2.7); the patch from [1] seems to apply cleanly to both.
> >
> > pypy3.6 seems to be missing bpo-39603, and the patch from [2] doesn't apply cleanly (does pypy3 contain an outdated or modified version?).
> >
> > CVE-2020-14422 is also unresolved.
> >
> > Could you please either update stdlib of pypy3.6 or look through CPython changes and backport the security fixes? For pypy2.7, please backport [1] directly since upstream is no longer maintaining that branch.
> >
> > [1] https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f...
> > [2] https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78...
>
> Thanks for looking at this. We ship stdlib 2.7.13, 3.6.9, 3.7.4 with some slight modifications, including backporting some fixes.
>
> I fixed CVE-2019-20907 for pypy2.7, pypy3.6, and CVE-2020-14422 for py3.6, 3.7.
>
> bpo-39603 is part of 3.6.12, 3.7.9 which were shipped 25 days ago, and that file has changed significantly since the versions we ship.
>
> Updating the stdlib is a large undertaking, help welcome for py2.7 and py3.7. I don't think it is worth the effort for py3.6.
Is this something to be done just before the release? Would you accept fixes rebased specifically on top of current pypy code?

Unless I'm mistaken, bpo-39603 should be trivial to fix. I can submit a merge request if you want. However, it's so trivial it'd probably take you less time to fix it yourself than me to recall how to use Mercurial again ;-).

-- 
Best regards,
Michał Górny
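Matti lists CVE-2020-14422 among the fixes applied to the pypy3.6 and pypy3.7 builds. As an added check for anyone testing the release candidates (not code from this thread or from the PyPy project), the script below tells a tester whether the interpreter it runs under carries that fix. CVE-2020-14422 (bpo-41004) is the constant-hash defect in ipaddress.IPv4Interface and IPv6Interface: the pre-fix __hash__ was ip XOR prefixlen XOR network address, so every host-length interface (/32 or /128) hashed to 32 or 128 respectively and a set or dict keyed on such interfaces degrades to linear-time lookups. The sample interface strings are constructed here, legacy_interface_hash reproduces the pre-fix formula so the collapse is visible even on a fixed interpreter, and the module is Python 3 only, so the check applies to the pypy3 builds, not pypy2.7.

```python
"""Quick check that a Python 3 interpreter's ipaddress module carries the
CVE-2020-14422 (bpo-41004) fix.  Run it with the interpreter under test,
for example a freshly unpacked pypy3.6 or pypy3.7 release candidate."""
import ipaddress
import sys

# Constructed sample interfaces; host-length prefixes are the affected case.
V4_HOST_INTERFACES = tuple("10.0.{}.1/32".format(i) for i in range(16))
V6_HOST_INTERFACES = tuple("2001:db8::{:x}/128".format(i) for i in range(16))


def legacy_interface_hash(text):
    """Reproduce the __hash__ formula ipaddress used before the fix:
    ip XOR prefixlen XOR network address.  With a host-length prefix the
    network address equals the ip, the two XOR away, and every /32 hashes
    to 32 and every /128 to 128 regardless of the address."""
    iface = ipaddress.ip_interface(text)
    return (int(iface.ip)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def distinct_hash_count(texts):
    """Number of distinct hash() values the running interpreter assigns
    to the given interface strings."""
    return len({hash(ipaddress.ip_interface(t)) for t in texts})


def has_cve_2020_14422_fix():
    """True when host-length interfaces no longer share a single hash value.
    A vulnerable stdlib yields exactly one distinct value per address family
    (32 for IPv4, 128 for IPv6); a fixed one hashes the (ip, prefixlen,
    network) tuple, so the samples spread out."""
    return (distinct_hash_count(V4_HOST_INTERFACES) > 1
            and distinct_hash_count(V6_HOST_INTERFACES) > 1)


def main():
    print("interpreter:", sys.version.split()[0])
    print("pre-fix formula over 16 x /32  ->",
          sorted({legacy_interface_hash(t) for t in V4_HOST_INTERFACES}))
    print("pre-fix formula over 16 x /128 ->",
          sorted({legacy_interface_hash(t) for t in V6_HOST_INTERFACES}))
    print("this interpreter, distinct /32 hashes: ",
          distinct_hash_count(V4_HOST_INTERFACES))
    print("this interpreter, distinct /128 hashes:",
          distinct_hash_count(V6_HOST_INTERFACES))
    fixed = has_cve_2020_14422_fix()
    print("CVE-2020-14422 fix present:", fixed)
    return 0 if fixed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `pypy3 check_ipaddress_hash.py`; the exit status is 0 when the fix is present and 1 otherwise, so it can sit in a release-testing script alongside the other smoke tests Matti asked for.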