Upgrade builds to OpenSSL 1.1.1u.
This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.
The Mac/BuildScript/build-installer.py was already updated.
Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.
Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).
(cherry picked from commit ede89af).
(cherry picked from commit a5d2b546c1)
(cherry picked from commit f90d3f68db)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
GH-25309 enabled SSL_OP_IGNORE_UNEXPECTED_EOF by default, with a comment
that it restores OpenSSL 1.1.1 behavior, but this wasn't quite right.
That option causes OpenSSL to treat transport EOF as the same as
close_notify (i.e. SSL_ERROR_ZERO_RETURN), whereas Python actually has
distinct SSLEOFError and SSLZeroReturnError exceptions. (The latter is
usually mapped to a zero return from read.) In OpenSSL 1.1.1, the ssl
module would raise them for transport EOF and close_notify,
respectively. In OpenSSL 3.0, both act like close_notify.
Fix this by, instead, just detecting SSL_R_UNEXPECTED_EOF_WHILE_READING
and mapping that to the other exception type.
There doesn't seem to have been any unit test of this error, so fill in
the missing one. This had to be done with the BIO path because it's
actually slightly tricky to simulate a transport EOF with Python's fd
based APIs. (If you instruct the server to close the socket, it gets
confused, probably because the server's SSL object is still referencing
the now dead fd?)
(cherry picked from commit 420bbb783b)
Co-authored-by: David Benjamin <davidben@google.com>
gh-102027: Fix macro name (GH-102124)
This fixes the ssse3 / sse2 detection when sse4 is available.
(cherry picked from commit ea93bde4ec)
Co-authored-by: Max Bachmann <kontakt@maxbachmann.de>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
GH-102397: Fix segfault from race condition in signal handling (GH-102399)
(cherry picked from commit 1a84cc007e)
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Fix missing 'is' in cmath.log() docstring.
(cherry picked from commit 71f614ef2a)
Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
[3.11] gh-99952: [ctypes] fix refcount issues in from_param() result. (GH-100169)
Fixes a reference counting issue with `ctypes.Structure` when a `from_param()` method call is used and the structure size is larger than a C pointer `sizeof(void*)`.
This problem existed for a very long time, but became more apparent in 3.8+ by chance, likely due to garbage collection cleanup timing changes.
(cherry picked from commit dfad678d70)
(cherry picked from commit fa7c37af49)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Yukihiro Nakadaira <yukihiro.nakadaira@gmail.com>
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
When getaddrinfo returns an error, the output pointer is in an unknown state.
Don't call freeaddrinfo on it. See the issue for discussion and details with
links to reasoning. _Most_ libc getaddrinfo implementations never modify the
output pointer unless they are returning success.
(cherry picked from commit b724ac2fe7)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Sergey G. Brester <github@sebres.de>
Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
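
The rule stated in the commit message above, as an added C example (not the CPython patch itself): `freeaddrinfo()` is called only on the success path, and the output pointer is never touched after a failure. The helper name `count_addresses` and the sample host strings are assumptions made for illustration; `AI_NUMERICHOST` is used so the example runs without DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() under strict -std= modes */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical helper (not a CPython function): count the addresses that
 * getaddrinfo() returns for a numeric host string.
 * Returns the count on success, or -1 on failure with *gai_err set. */
int count_addresses(const char *host, int *gai_err)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    int n = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;  /* numeric hosts only: no DNS lookup */

    *gai_err = getaddrinfo(host, NULL, &hints, &res);
    if (*gai_err != 0) {
        /* Failure: res is in an unknown state. Do not read it and do not
         * pass it to freeaddrinfo(); there is nothing to release. */
        return -1;
    }

    for (const struct addrinfo *ai = res; ai != NULL; ai = ai->ai_next)
        n++;
    freeaddrinfo(res);  /* success is the only path that owns a list */
    return n;
}

int main(void)
{
    /* Constructed sample inputs: two numeric literals and one invalid string. */
    const char *hosts[] = { "127.0.0.1", "::1", "not-an-ip" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        int err = 0;
        int n = count_addresses(hosts[i], &err);
        if (n < 0)
            printf("%s: error: %s\n", hosts[i], gai_strerror(err));
        else
            printf("%s: %d address(es)\n", hosts[i], n);
    }
    return 0;
}
```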
gh-76963: PEP3118 itemsize of an empty ctypes array should not be 0 (GH-5576)
The itemsize returned in a memoryview of a ctypes array is now computed from the item type, instead of dividing the total size by the length and assuming that the length is not zero.
(cherry picked from commit 84bc6a4f25)
Co-authored-by: Eric Wieser <wieser.eric@gmail.com>
It no longer emits a deprecation warning if the current event loop was set.
(cherry picked from commit 3fae04b10e)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
In case only True/False are supported as boolean arguments in the future,
we should continue to support 1/0 here.
(cherry picked from commit 922a6cf6c2)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
In multiprocessing.shared_memory.SharedMemory(), the temporary view
returned by MapViewOfFile() should be unmapped when it is no longer
needed.
(cherry picked from commit 85c128e34d)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Without releasing the GIL, calls to termios APIs might block the entire interpreter.
(cherry picked from commit 959ba45d75)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
In very rare circumstances the JUMP opcode could be confused with the
argument of the opcode in the "then" part which doesn't end with the
JUMP opcode. This led to incorrect detection of the final JUMP opcode
and incorrect calculation of the size of the subexpression.
NOTE: Changed return value of functions _validate_inner() and
_validate_charset() in Modules/_sre/sre.c. Now they return 0 on success,
-1 on failure, and 1 if the last op is JUMP (which usually is a failure).
Previously they returned 1 on success and 0 on failure.
(cherry picked from commit e9ac890c02)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: fdc6fef075
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
On macOS, fix a crash in syslog.syslog() in multi-threaded
applications. On macOS, the libc syslog() function is not
thread-safe, so syslog.syslog() no longer releases the GIL to call
it.
(cherry picked from commit d4b9166385)
Co-authored-by: Victor Stinner <vstinner@python.org>
The macOS 13 SDK includes support for the `mkfifoat` and `mknodat` system calls.
Using the `dir_fd` option with either `os.mkfifo` or `os.mknod` could result in a
segfault if CPython is built with the macOS 13 SDK but run on an earlier
version of macOS. Prevent this by adding runtime support for detection of
these system calls ("weaklinking") as is done for other newer syscalls on
macOS.
(cherry picked from commit 6d0a0191a4)
Co-authored-by: Ned Deily <nad@python.org>