authorV3n3RiX <venerix@koprulu.sector>2024-06-26 00:12:24 +0100
committerV3n3RiX <venerix@koprulu.sector>2024-06-26 00:12:24 +0100
commit9f6a82a85d400d6ae7de04c43cee88dbc6bc4da0 (patch)
tree2d53ee03e360a9c66a5d8dd8986eee286514336b /dev-python/js2py
parent996a2bda06cb164877d5d952774a6db1b271c2f3 (diff)
gentoo auto-resync : 26:06:2024 - 00:12:24
Diffstat (limited to 'dev-python/js2py')
-rw-r--r--dev-python/js2py/Manifest4
-rw-r--r--dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch21
-rw-r--r--dev-python/js2py/files/js2py-0.74-py312-load_attr.patch57
-rw-r--r--dev-python/js2py/js2py-0.74-r2.ebuild (renamed from dev-python/js2py/js2py-0.74.ebuild)25
4 files changed, 97 insertions, 10 deletions
diff --git a/dev-python/js2py/Manifest b/dev-python/js2py/Manifest
index 6704bc4fad61..cdbfe14ac320 100644
--- a/dev-python/js2py/Manifest
+++ b/dev-python/js2py/Manifest
@@ -1,3 +1,5 @@
+AUX js2py-0.74-CVE-2024-28397.patch 849 BLAKE2B feaa93b95dd0e25f91346257a151b8f00b6b1fd5ff6c97a9f2a6a55920c533cbf31277b4be87ee96e7efaf2898f635a3eb1d8ee23abc5c843a927771569f7c16 SHA512 539c763ba00f4d56490ac65d8d3cda52c5db0ef1b4a0193e95250847ee07a8829492e7358fd0b817c6be326ebeb9a0c5ba7328348483595cff6810b314f80670
+AUX js2py-0.74-py312-load_attr.patch 2542 BLAKE2B c5fa386e509f0040f6461a72d4a4fe0efc8d74ab2913ec399d688f8ac752d076f5e189d009b5d54347104c7ca7af6d11e4202a0e4be08e1c1753adc56ed7e0a1 SHA512 0d9d77461c3f95d561230473a83155ea7e202db2837dac0f989731dfe74d4c5d9bbbd625e6991ec30eadb6b6d6c16a4980ab3e17e189575bcaa431aac6492c3d
DIST Js2Py-0.74.tar.gz 2504984 BLAKE2B 1e4f34ad94947118aeaf84ff438f9bec5b2a8ca3c722d907d3b8015acfcaafe1f229cfe401ae0f3d07c0f074ecf2f9ca3aeb94ef9c394b7ed6d90f1279c1ffa2 SHA512 cb2f42c2bec0c15dadc301ee0a7ac452cc8c4bba4669e95f1155863590d6d00781883b54d4dab755a0f66eb6e30990fedca732494b1f8b6c07dc29f5203a8c8c
-EBUILD js2py-0.74.ebuild 1000 BLAKE2B 44b679221947f130feaa0ad888cc4d006af45b7ad785e12b0386b117ae0c2a93e1ab5a0ad864ac85c76921f32f866c331557d01b87324c2462297a562bf65ffd SHA512 a86a708b0654a5b6fada0734a43243e31207175ca644474e8c66ff919fc26ee1684c8fccadfc0ba2b85b51c7145f02286492cfdac25c416746f334acfd730c39
+EBUILD js2py-0.74-r2.ebuild 1176 BLAKE2B 53c0a1993f1119db6e194e1526f4aad6eed0fc38d111d8c6137b6e9de6267547a22178577d77c8e61a288fdfb96c11f853303bffaaa0e6a3c1dcf57ffa6e5bed SHA512 e31922cba4fd5ab14bd92052d6f563acdba5c7c89f37eade072b2a186f475814f4a491226c7405311ea728a9e49263c74ab66bb4de2a734f7982e4540b57dc87
MISC metadata.xml 385 BLAKE2B 145afe58273b407d1ba1f3859de0d79a3bdd4307575d043a8b574a8bac26c2d577efec841c6c3a9424ca7970dac33517df48c0f287c18bf4e1cc5faa5125ba6e SHA512 7e48c836578bcbb4abf0d99f0f2b870ab15158f05d5c402e2d84c9f9de7d2c994127eba26897e406b6c7d77c962867d39a37bf7ce78ca09d39b78d64f9d8d68d
diff --git a/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch b/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
new file mode 100644
index 000000000000..c8ecfab22485
--- /dev/null
+++ b/dev-python/js2py/files/js2py-0.74-CVE-2024-28397.patch
@@ -0,0 +1,21 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2024-28397
+# https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/patch.txt
+# https://github.com/PiotrDabkowski/Js2Py/pull/323
+# https://github.com/Marven11/Js2Py/commit/56e244eb
+
+Author: Marven11 <110723864+Marven11@users.noreply.github.com>
+Date: Fri, 1 Mar 2024 12:53:58 +0800
+
+diff --git a/js2py/constructors/jsobject.py b/js2py/constructors/jsobject.py
+index c4e0ada3..b1806ea6 100644
+--- a/js2py/constructors/jsobject.py
++++ b/js2py/constructors/jsobject.py
+@@ -49,7 +49,7 @@ def getOwnPropertyNames(obj):
+ raise MakeError(
+ 'TypeError',
+ 'Object.getOwnPropertyDescriptor called on non-object')
+- return obj.own.keys()
++ return list(obj.own.keys())
+
+ def create(obj):
+ if not (obj.is_object() or obj.is_null()):
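Review bot: The header of this patch file carries only reference URLs, so a later maintainer cannot tell from the file itself why wrapping the return value in `list()` is a security fix. The new line `return list(obj.own.keys())` in getOwnPropertyNames hands the JavaScript side a plain copy instead of the live Python `dict_keys` view, which the linked advisory presumably identifies as the object that let translated code reach outside the interpreter. I would add a `Subject:` line or a comment such as `# Return a plain list so no Python dict view object is exposed to translated JS (CVE-2024-28397)`. The change closes only the one leak visible here, so callers that evaluate untrusted JavaScript should still isolate js2py at the process level rather than treat it as a sandbox. getOwnPropertyNames starts above the inner hunk, so its argument checks are not visible.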
diff --git a/dev-python/js2py/files/js2py-0.74-py312-load_attr.patch b/dev-python/js2py/files/js2py-0.74-py312-load_attr.patch
new file mode 100644
index 000000000000..6dfa467cc41f
--- /dev/null
+++ b/dev-python/js2py/files/js2py-0.74-py312-load_attr.patch
@@ -0,0 +1,57 @@
+From fd7df4a91fb08060914c7b1d9e94583d18f3371b Mon Sep 17 00:00:00 2001
+From: Felix Yan <felixonmars@archlinux.org>
+Date: Wed, 17 Apr 2024 16:47:47 +0300
+Subject: [PATCH] Fix bytecode for Python 3.12
+
+`LOAD_ATTR` has been changed in Python 3.12 and it seems reusing the
+`LOAD_GLOBAL` logic makes the simple tests passing.
+
+I am not sure if this is correct since I'm pretty new to the code, but
+maybe it's still helpful.
+---
+ js2py/translators/translating_nodes.py | 2 +-
+ js2py/utils/injector.py | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/js2py/translators/translating_nodes.py b/js2py/translators/translating_nodes.py
+index 4e2b5760..a780ba73 100644
+--- a/js2py/translators/translating_nodes.py
++++ b/js2py/translators/translating_nodes.py
+@@ -543,7 +543,7 @@ def TryStatement(type, block, handler, handlers, guardedHandlers, finalizer):
+ if handler:
+ identifier = handler['param']['name']
+ holder = 'PyJsHolder_%s_%d' % (to_hex(identifier),
+- random.randrange(1e8))
++ random.randrange(six.integer_types[-1](1e8)))
+ identifier = repr(identifier)
+ result += 'except PyJsException as PyJsTempException:\n'
+ # fill in except ( catch ) block and remember to recover holder variable to its previous state
+diff --git a/js2py/utils/injector.py b/js2py/utils/injector.py
+index 88e0d93e..835229f0 100644
+--- a/js2py/utils/injector.py
++++ b/js2py/utils/injector.py
+@@ -14,6 +14,7 @@
+ # Opcode constants used for comparison and replacecment
+ LOAD_FAST = opcode.opmap['LOAD_FAST']
+ LOAD_GLOBAL = opcode.opmap['LOAD_GLOBAL']
++LOAD_ATTR = opcode.opmap['LOAD_ATTR']
+ STORE_FAST = opcode.opmap['STORE_FAST']
+
+
+@@ -79,6 +80,7 @@ def append_arguments(code_obj, new_locals):
+ (co_names.index(name), varnames.index(name)) for name in new_locals)
+
+ is_new_bytecode = sys.version_info >= (3, 11)
++ is_new_load_attr = sys.version_info >= (3, 12)
+ # Now we modify the actual bytecode
+ modified = []
+ drop_future_cache = False
+@@ -97,7 +99,7 @@ def append_arguments(code_obj, new_locals):
+ # it's one of the globals that we are replacing. Either way,
+ # update its arg using the appropriate dict.
+ drop_future_cache = False
+- if inst.opcode == LOAD_GLOBAL:
++ if inst.opcode == LOAD_GLOBAL or (is_new_load_attr and inst.opcode == LOAD_ATTR):
+ idx = inst.arg
+ if is_new_bytecode:
+ idx = idx // 2
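Review bot: The added `or (is_new_load_attr and inst.opcode == LOAD_ATTR)` condition in append_arguments sends attribute loads through the branch written for rewriting global names, and the patch description itself says the author is not sure this is correct. The visible part shares only the `idx // 2` decoding, which matches the 3.12 layout where the low bit of the LOAD_ATTR argument is a flag. The rest of the branch is outside the hunk, so it should be confirmed that an attribute whose name equals one of `new_locals` is not rewritten as if it were a global. A comment on the condition, e.g. `# 3.12: LOAD_ATTR arg is (name_index << 1) | method_flag, decode like LOAD_GLOBAL`, would record the reason. In translating_nodes.py, `random.randrange(six.integer_types[-1](1e8))` would read more plainly as `random.randrange(10**8)`.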
diff --git a/dev-python/js2py/js2py-0.74.ebuild b/dev-python/js2py/js2py-0.74-r2.ebuild
index 22032fcf8e3b..025770effe38 100644
--- a/dev-python/js2py/js2py-0.74.ebuild
+++ b/dev-python/js2py/js2py-0.74-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -6,18 +6,19 @@ EAPI=8
DISTUTILS_USE_PEP517=setuptools
PYPI_NO_NORMALIZE=1
PYPI_PN="Js2Py"
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..12} )
inherit distutils-r1 pypi
DESCRIPTION="JavaScript to Python Translator & JavaScript interpreter in Python"
-HOMEPAGE="http://piter.io/projects/js2py/
- https://github.com/PiotrDabkowski/Js2Py/
+HOMEPAGE="http://piter.io/projects/js2py
+ https://github.com/PiotrDabkowski/Js2Py
https://pypi.org/project/Js2Py/"
LICENSE="MIT"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
+RESTRICT="test"
RDEPEND="
>=dev-python/pyjsparser-2.5.1[${PYTHON_USEDEP}]
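Review bot: `RESTRICT="test"` is added without a comment giving the reason. The same revision widens `PYTHON_COMPAT` to python3_12 and applies both a security patch and a bytecode patch whose own description doubts its correctness. With tests restricted, nothing in the build exercises either patch, and the python_test changes in the following hunk do not run by default. I would put a line above it stating why, e.g. `# tests restricted: <reason / bug URL>`, and consider a minimal import-and-evaluate smoke check for each enabled interpreter if the full suite cannot run.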
@@ -25,15 +26,21 @@ RDEPEND="
>=dev-python/six-1.10.0[${PYTHON_USEDEP}]
"
+PATCHES=(
+ "${FILESDIR}/${PN}-0.74-CVE-2024-28397.patch"
+ "${FILESDIR}/${PN}-0.74-py312-load_attr.patch"
+)
+
python_test() {
pushd ./tests >/dev/null || die
- # Tests require "node_failed.txt" file where the logs are kept
- if [[ -f ./node_failed.txt ]] ; then
- rm ./node_failed.txt || die
- fi
-
+ # run.py requires "node_failed.txt" file
touch ./node_failed.txt || die
+
+ # https://bugs.gentoo.org/831356
+ # make run.py return a non-zero exit code if any test failed
+ echo 'sys.exit(len(FAILING))' >> ./run.py || die
+
"${EPYTHON}" ./run.py || die "tests failed with ${EPYTHON}"
popd >/dev/null || die