Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update macOS installer builds to use ncurses 6.3 #91132

Open
ned-deily opened this issue Mar 10, 2022 · 4 comments
Open

Update macOS installer builds to use ncurses 6.3 #91132

ned-deily opened this issue Mar 10, 2022 · 4 comments
Assignees
@ned-deily
Labels
3.10 3.11 3.12 build The build process and cross-build OS-mac type-security A security issue

Comments

@ned-deily
Copy link
Member

BPO 46976
Nosy @ronaldoussoren, @ned-deily

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = 'https://github.com/ned-deily'
closed_at = None
created_at = <Date 2022-03-10.17:07:20.172>
labels = ['OS-mac', '3.9', '3.10', '3.11']
title = 'Update macOS installer builds to use ncurses 6.3'
updated_at = <Date 2022-03-10.17:53:11.656>
user = 'https://github.com/ned-deily'

bugs.python.org fields:

activity = <Date 2022-03-10.17:53:11.656>
actor = 'ned.deily'
assignee = 'ned.deily'
closed = False
closed_date = None
closer = None
components = ['macOS']
creation = <Date 2022-03-10.17:07:20.172>
creator = 'ned.deily'
dependencies = []
files = []
hgrepos = []
issue_num = 46976
keywords = []
message_count = 2.0
messages = ['414869', '414874']
nosy_count = 2.0
nosy_names = ['ronaldoussoren', 'ned.deily']
pr_nums = []
priority = 'high'
resolution = None
stage = 'needs patch'
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue46976'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']
@ned-deily
Copy link
Member Author

The python.org macOS installers include a private copy of the ncurses library; it has not been updated from 5.9 in a long time. The current upstream version is 6.3 and includes bug and security fixes; we should update to it.

@ned-deily
Copy link
Member Author

Assigning to myself as this will require some installer build testing.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@erlend-aasland erlend-aasland added the build The build process and cross-build label May 20, 2022
@gpshead gpshead added 3.12 and removed 3.9 labels Nov 2, 2022
@vstinner
Copy link
Member

vstinner commented Nov 2, 2022

The python.org macOS installers include a private copy of the ncurses library; it has not been updated from 5.9 in a long time. The current upstream version is 6.3 and includes bug and security fixes; we should update to it.

$ grep ncurses Mac/BuildScript/build-installer.py
              url="http://ftp.gnu.org/pub/gnu/ncurses/ncurses-5.9.tar.gz",
                  ("ftp://ftp.invisible-island.net/ncurses//5.9/ncurses-5.9-20120616-patch.sh.bz2",

Ah right, ncurses 5.9 is still used. This version has multiple 3 known security vulnerabilities:

ncurses-5.9-20120616-patch.sh.bz2 is a shell script updating ncurses to 5.9 (20120616).

# Use this script to patch ncurses 5.9 to 5.9 (20120616)
# Run this script inside the ncurses 5.9 source directory et voila! Updated.

@ned-deily
Copy link
Member Author

Sorry, I had planned to do an update prior to the 3.11.0 release but it didn't get done. I will get to it shortly.

@gpshead gpshead added the type-security A security issue label Nov 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ned-deily ned-deily

Labels
3.10 3.11 3.12 build The build process and cross-build OS-mac type-security A security issue
Projects
Curses issues
Status: Build
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gpshead @vstinner @ned-deily @erlend-aasland