7 files changed, 250 insertions, 0 deletions
diff --git a/dev-java/jython/files/CVE-2016-4000.patch b/dev-java/jython/files/CVE-2016-4000.patch
new file mode 100644
index 000000000000..81785eb05b07
--- /dev/null
+++ b/dev-java/jython/files/CVE-2016-4000.patch
@@ -0,0 +1,158 @@
+
+# HG changeset patch
+# User Jim Baker <jim.baker@rackspace.com>
+# Date 1454384221 25200
+# Node ID d06e29d100c04576735e86c75a26c5f33669bb72
+# Parent  b6735606c13df95f770527e629954407f82808c5
+Do not deserialize PyFunction objects. Fixes #2454
+
+Instead use standard Python pickling; or subclass PyFunction.
+
+diff --git a/Lib/test/test_java_integration.py b/Lib/test/test_java_integration.py
+--- a/Lib/test/test_java_integration.py
++++ b/Lib/test/test_java_integration.py
+@@ -14,8 +14,9 @@ import re
+ from collections import deque
+ from test import test_support
+ 
+-from java.lang import (ClassCastException, ExceptionInInitializerError, String, Runnable, System,
+-        Runtime, Math, Byte)
++from java.lang import (
++    ClassCastException, ExceptionInInitializerError, UnsupportedOperationException,
++    String, Runnable, System, Runtime, Math, Byte)
+ from java.math import BigDecimal, BigInteger
+ from java.net import URI
+ from java.io import (ByteArrayInputStream, ByteArrayOutputStream, File, FileInputStream,
+@@ -656,13 +657,30 @@ class SerializationTest(unittest.TestCas
+         self.assertEqual(date_list, roundtrip_serialization(date_list))
+ 
+     def test_java_serialization_pycode(self):
+-
+         def universal_answer():
+             return 42
+ 
+         serialized_code = roundtrip_serialization(universal_answer.func_code)
+         self.assertEqual(eval(serialized_code), universal_answer())
+ 
++    def test_java_serialization_pyfunction(self):
++        # Not directly supported due to lack of general utility
++        # (globals will usually be in the function object in
++        # func_globals), and problems with unserialization
++        # vulnerabilities. Users can always subclass from PyFunction
++        # for specific cases, as seen in PyCascading
++        import new
++        def f():
++            return 6 * 7 + max(0, 1, 2)
++        # However, using the new module, it's possible to create a
++        # function with no globals, which means the globals will come
++        # from the current context
++        g = new.function(f.func_code, {}, "g")
++        # But still forbid Java deserialization of this function
++        # object. Use pickling or other support instead.
++        with self.assertRaises(UnsupportedOperationException):
++            roundtrip_serialization(g)
++
+     def test_builtin_names(self):
+         import __builtin__
+         names = [x for x in dir(__builtin__)]
+@@ -872,7 +890,7 @@ class SingleMethodInterfaceTest(unittest
+         future.get()
+         self.assertEqual(x, [42])
+ 
+-    @unittest.skip("FIXME: not working")
++    @unittest.skip("FIXME: not working; see http://bugs.jython.org/issue2115")
+     def test_callable_object(self):
+         callable_obj = CallableObject()
+         future = self.executor.submit(callable_obj)
+diff --git a/Lib/test/test_new.py b/Lib/test/test_new.py
+--- a/Lib/test/test_new.py
++++ b/Lib/test/test_new.py
+@@ -24,18 +24,10 @@ class NewTest(unittest.TestCase):
+         c = new.instance(C, {'yolks': 3})
+ 
+         o = new.instance(C)
+-
+-        # __dict__ is a non dict mapping in Jython
+-        if test_support.is_jython:
+-            self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty")
+-        else:
+-            self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
++        self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
+         del o
+         o = new.instance(C, None)
+-        if test_support.is_jython:
+-            self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty")
+-        else:
+-            self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
++        self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
+         del o
+ 
+         def break_yolks(self):
+@@ -109,7 +101,14 @@ class NewTest(unittest.TestCase):
+         test_closure(g, (1, 1), ValueError) # closure is wrong size
+         test_closure(f, g.func_closure, ValueError) # no closure needed
+ 
+-    if hasattr(new, 'code') and not test_support.is_jython:
++    # [Obsolete] Note: Jython will never have new.code()
++    #
++    # Who said that?!!! guess what, we do! :)
++    # 
++    # Unfortunately we still need a way to compile to Python bytecode,
++    # so support is still incomplete, as seen in the fact that we need
++    # to get values from CPython 2.7.
++    if hasattr(new, 'code'):
+         def test_code(self):
+             # bogus test of new.code()
+             def f(a): pass
+@@ -117,16 +116,16 @@ class NewTest(unittest.TestCase):
+             c = f.func_code
+             argcount = c.co_argcount
+             nlocals = c.co_nlocals
+-            stacksize = c.co_stacksize
++            stacksize = 1  # TODO c.co_stacksize
+             flags = c.co_flags
+-            codestring = c.co_code
+-            constants = c.co_consts
+-            names = c.co_names
++            codestring = 'd\x00\x00S'  # TODO c.co_code
++            constants = (None,)  # TODO c.co_consts
++            names = ()  # TODO c.co_names
+             varnames = c.co_varnames
+             filename = c.co_filename
+             name = c.co_name
+             firstlineno = c.co_firstlineno
+-            lnotab = c.co_lnotab
++            lnotab = '' # TODO c.co_lnotab, but also see http://bugs.jython.org/issue1638
+             freevars = c.co_freevars
+             cellvars = c.co_cellvars
+ 
+diff --git a/src/org/python/core/PyBytecode.java b/src/org/python/core/PyBytecode.java
+--- a/src/org/python/core/PyBytecode.java
++++ b/src/org/python/core/PyBytecode.java
+@@ -66,6 +66,12 @@ public class PyBytecode extends PyBaseCo
+ 
+         debug = defaultDebug;
+ 
++        if (argcount < 0) {
++            throw Py.ValueError("code: argcount must not be negative");
++        } else if (nlocals < 0) {
++            throw Py.ValueError("code: nlocals must not be negative");
++        }
++
+         co_argcount = nargs = argcount;
+         co_varnames = varnames;
+         co_nlocals = nlocals; // maybe assert = varnames.length;
+diff --git a/src/org/python/core/PyFunction.java b/src/org/python/core/PyFunction.java
+--- a/src/org/python/core/PyFunction.java
++++ b/src/org/python/core/PyFunction.java
+@@ -545,6 +545,9 @@ public class PyFunction extends PyObject
+     @Override
+     public boolean isSequenceType() { return false; }
+ 
++    private Object readResolve() {
++        throw new UnsupportedOperationException();
++    }
+ 
+     /* Traverseproc implementation */
+     @Override
+
diff --git a/dev-java/jython/files/jython-2.5.2-distutils_scripts_location.patch b/dev-java/jython/files/jython-2.5.2-distutils_scripts_location.patch
new file mode 100644
index 000000000000..fc9a95be89f9
--- /dev/null
+++ b/dev-java/jython/files/jython-2.5.2-distutils_scripts_location.patch
@@ -0,0 +1,11 @@
+--- a/Lib/distutils/command/install.py
++++ b/Lib/distutils/command/install.py
+@@ -70,7 +70,7 @@
+         'purelib': '$base/Lib/site-packages',
+         'platlib': '$base/Lib/site-packages',
+         'headers': '$base/Include/$dist_name',
+-        'scripts': '$base/bin',
++        'scripts': '/usr/bin',
+         'data'   : '$base',
+         }
+     }
diff --git a/dev-java/jython/files/jython-2.5.2-respect_PYTHONPATH.patch b/dev-java/jython/files/jython-2.5.2-respect_PYTHONPATH.patch
new file mode 100644
index 000000000000..e695122ba1d6
--- /dev/null
+++ b/dev-java/jython/files/jython-2.5.2-respect_PYTHONPATH.patch
@@ -0,0 +1,15 @@
+--- a/src/org/python/core/PySystemState.java
++++ b/src/org/python/core/PySystemState.java
+@@ -646,6 +646,12 @@
+             if (jythonpath != null) {
+                 registry.setProperty("python.path", jythonpath);
+             }
++            else {
++                jythonpath = System.getenv("PYTHONPATH");
++                if (jythonpath != null) {
++                    registry.setProperty("python.path", jythonpath);
++                }
++            }
+         } catch (SecurityException e) {
+         }
+         registry.putAll(postProperties);
diff --git a/dev-java/jython/files/jython-2.7.0-build.xml.patch b/dev-java/jython/files/jython-2.7.0-build.xml.patch
new file mode 100644
index 000000000000..1f0be614dbe5
--- /dev/null
+++ b/dev-java/jython/files/jython-2.7.0-build.xml.patch
@@ -0,0 +1,11 @@
+--- a/build.xml.orig	2015-06-27 16:12:08.442000000 +0000
++++ b/build.xml	2015-06-27 16:12:15.684000000 +0000
+@@ -448,7 +448,7 @@
+     </target>
+ 
+     <target name="antlr_gen" depends="prepare-output" unless="antlr.notneeded">
+-        <java classname="org.antlr.Tool" failonerror="true" fork="true" dir="${jython.base.dir}">
++        <java classname="org.antlr.Tool" failonerror="false" fork="true" dir="${jython.base.dir}">
+             <jvmarg value="-Xmx512m"/>
+             <arg value="-Xconversiontimeout"/>
+             <arg value="2000"/>
diff --git a/dev-java/jython/files/jython-2.7_beta1-ant.patch b/dev-java/jython/files/jython-2.7_beta1-ant.patch
new file mode 100644
index 000000000000..c86cae894a92
--- /dev/null
+++ b/dev-java/jython/files/jython-2.7_beta1-ant.patch
@@ -0,0 +1,28 @@
+--- jython-2.7-b1-sources/build.xml
++++ jython-2.7-b1-sources/build.xml
+@@ -508,6 +509,7 @@
+         </javac>
+ 
+         <!-- java files used by tests -->
++<!--
+         <javac srcdir="${test.source.dir}"
+                destdir="${compile.dir}"
+                target="${jdk.target.version}"
+@@ -529,6 +531,7 @@
+             <compilerarg line="${javac.Xlint}"/>
+             <classpath refid="test.classpath" />
+         </javac>
++-->
+         <copy file="${source.dir}/org/python/modules/ucnhash.dat"
+               todir="${compile.dir}/org/python/modules"
+               preservelastmodified="true" />
+@@ -826,9 +829,6 @@
+ 
+     <target name="copy-javalib" unless="full-build">
+         <copy todir="${dist.dir}/javalib">
+-            <fileset dir="${jython.base.dir}/extlibs">
+-                <exclude name="profile.properties"/>
+-            </fileset>
+             <fileset dir="${work.dir}/build">
+                 <include name="*.jar"/>
+                 <include name="*.properties"/>
diff --git a/dev-java/jython/files/jython-2.7_beta1-dont-always-recompile-classes.patch b/dev-java/jython/files/jython-2.7_beta1-dont-always-recompile-classes.patch
new file mode 100644
index 000000000000..326ef7f62afa
--- /dev/null
+++ b/dev-java/jython/files/jython-2.7_beta1-dont-always-recompile-classes.patch
@@ -0,0 +1,11 @@
+--- a/src/org/python/core/imp.java
++++ b/src/org/python/core/imp.java
+@@ -228,7 +228,7 @@
+         }
+         if (testing && mtime != NO_MTIME) {
+             long time = ar.getMTime();
+-            if (mtime != time) {
++            if (mtime < time) {
+                 return null;
+             }
+         }
diff --git a/dev-java/jython/files/jython-2.7_beta2-maxrepeat-import.patch b/dev-java/jython/files/jython-2.7_beta2-maxrepeat-import.patch
new file mode 100644
index 000000000000..944bb195cb38
--- /dev/null
+++ b/dev-java/jython/files/jython-2.7_beta2-maxrepeat-import.patch
@@ -0,0 +1,16 @@
+diff -r 035eded55c4d lib-python/2.7/sre_constants.py
+--- a/lib-python/2.7/sre_constants.py	Wed Apr 16 18:30:13 2014 -0600
++++ b/lib-python/2.7/sre_constants.py	Fri Jul 25 10:31:27 2014 -0700
+@@ -15,7 +15,11 @@
+ 
+ MAGIC = 20031017
+ 
+-from _sre import MAXREPEAT
++try:
++    from _sre import MAXREPEAT
++except ImportError:
++    import _sre
++    MAXREPEAT = _sre.MAXREPEAT = 65535
+ 
+ # SRE standard exception (access as sre.error)
+ # should this really be here?