
Python Security Updates for 3.7.12 (#97)

* Security Patch updates for python 3.7.12 (Windows)

- Bump rev to rev2
- Added git clone step to pull expat (2.4.6) from  https://github.com/libexpat/libexpat.git
- Updates to cpython patch
  - Change source location of expat from the internal cpython/Modules folder to the external github source from 2.4.6 (above)
  - Update bzip version from 1.0.6 to 1.0.8 for windows
  - Removed pip-20.1.1 wheel reference from Lib/ensurepip/__init__.py
- Update windows batch to remove any bundled pip-*.whl file (pip will already be installed so no need to bootstrap here)

* Security Patch updates for python 3.7.12 (Linux)

- Bump rev to rev2
- Added git clone step to pull expat (2.4.6) from https://github.com/libexpat/libexpat.git
- Added git clone step to pull bzip2 (1.0.8) from git://sourceware.org/git/bzip2.git
- Updates to cpython patch
  - Change source location of expat from the internal cpython/Modules folder to the external github source from 2.4.6 (above)
  - Update bzip version from 1.0.6 to 1.0.8 for windows
  - Removed pip-20.1.1 wheel reference from Lib/ensurepip/__init__.py
- Updates to make-python.sh
  - Build bzip2 from source
  - Add built bzip2 to the configuration for cpython (instead of relying on system bzip2 lib)
  - Remove any bundled pip-*.whl file and references from ensurepip (pip will already be installed so no need to bootstrap here)

* Security Patch updates for python 3.7.12 (Mac)

    - Bump rev to rev2
    - Added git clone step to pull expat (2.4.6) from https://github.com/libexpat/libexpat.git
    - Updates to cpython patch
      - Change source location of expat from the internal cpython/Modules folder to the external github source from 2.4.6 (above)
      - Update bzip version from 1.0.6 to 1.0.8 for Mac
    - Updates to make-python.sh
      - Apply libexpat 2.4.6 into expat src in cpython
      - Remove any bundled pip-*.whl file and references from ensurepip (pip will already be installed so no need to bootstrap here)

* Script cleanup for make-python.sh for Mac

- Replaced method for updating expat to an overlay instead
- make-python.sh clean

* Update libexpat update method to apply on top of the previous embedded source instead

* Update Linux build script to fetch and compile libffi and have cpython link to the static version instead of using the system one


Signed-off-by: Steve Pham <[email protected]>
Steve Pham 3 years ago
parent
commit
0dc3a945c2

+ 1 - 1
package-system/python/darwin_x64/PackageInfo.json

@@ -1,5 +1,5 @@
 {
-    "PackageName" : "python-3.7.12-rev1-darwin",
+    "PackageName" : "python-3.7.12-rev2-darwin",
     "License"     : "PSF-2.0",
     "URL"         : "https://python.org",
     "LicenseFile" : "LICENSE"

+ 71 - 18
package-system/python/darwin_x64/make-python.sh

@@ -17,7 +17,9 @@
 # * Fetches python from the official python repository
 # * patches python with open3d_python.patch to shortcut the package building process (we don't need)
 #   a full installer, just the framework.
+# * Fetches expat 2.4.6 to patch a security vulnerability as part of python 3.7.x
 # * Ensures you have the necessary environment vars set and pip packages installed in a pip virtualenv
+# * Upgrades PIP to the latest version
 # * builds python using python.org official mac package builder we've patched.
 # * Uses the relocatable-python script to generate a 'package' folder containing real python but
 #    with rpaths patched to be relocatable.
@@ -25,6 +27,7 @@
 # * Deploys the finished framework to a the package layout folder using rsync.
 # * Copies the license files inside python to the package layout folder
 # * Copies the other package system file (json and cmake) to the pacakge layout folder.
+# * Removes older PIP (20.0.3) whl file from ensurepip since PIP will already be installed in this package
 #
 # The result is a 'package' subfolder containing the package files such as PackageInfo.json
 # and a subfolder containing the official python but patched so that they work in that folder structure
@@ -34,7 +37,7 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd $SCRIPT_DIR
 
 echo ""
-echo "------------------ PYTHON PACKAGE BUILD SCRIPT -------------------"
+echo "--------------- PYTHON PACKAGE BUILD SCRIPT ----------------"
 echo ""
 echo "BASIC REQUIREMENTS:"
 echo "   - git installed and in PATH"
@@ -42,26 +45,44 @@ echo "   - XCODE and xcode command line tools installed: xcode-select --install"
 echo "   - python3 installed and in PATH."
 echo ""
 
-echo "--------------- Clearing any previous package folder -------------"
+echo "--------------- Clearing any previous package folder ----------------"
+echo ""
 rm -rf package
 
-echo "---------------- Clearing any previous temp folder ---------------"
+echo ""
+echo "--------------- Clearing any previous temp folder ----------------"
+echo ""
 rm -rf temp
-
 mkdir temp
 cd temp
 
 mkdir $SCRIPT_DIR/package
 
-echo "-------------- Cloning python from git --------------"
+echo ""
+echo "---------------- Cloning python 3.7.12 from git ----------------"
+echo ""
 git clone https://github.com/python/cpython.git --branch "v3.7.12" --depth 1
 retVal=$?
 if [ $retVal -ne 0 ]; then
-    echo "Error cloning python!"
+    echo "Error cloning python from https://github.com/python/cpython.git"
     exit $retVal
 fi
 
-echo "-------------- Cloning relocatable-python from git --------------"
+echo ""
+echo "---------------- Cloning libexpat 2.4.6 from git and applying update ----------------"
+echo ""
+git clone https://github.com/libexpat/libexpat.git --branch "R_2_4_6" --depth 1
+if [ $retVal -ne 0 ]; then
+    echo "Was unable to create libexpat dir via git clone.  Is git installed?"
+    exit 1
+fi
+cp -f -v libexpat/expat/lib/*.h cpython/Modules/expat/
+cp -f -v libexpat/expat/lib/*.c cpython/Modules/expat/
+
+
+echo ""
+echo "---------------- Cloning relocatable-python from git ----------------"
+echo ""
 git clone https://github.com/gregneagle/relocatable-python.git
 retVal=$?
 if [ $retVal -ne 0 ]; then
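Review bot: The check after the libexpat clone reads `$retVal` without reassigning it, so it still holds the 0 left by the cpython clone and a failed `git clone` of libexpat is never detected. The two `cp` calls would then fail and, with no `set -e` visible in this hunk, the build presumably carries on with the expat sources bundled in cpython while the package is still labelled rev2. Add `retVal=$?` directly after the clone and check the copies as well, e.g. `cp -f -v libexpat/expat/lib/*.h cpython/Modules/expat/ || exit 1`. The same missing assignment appears after `git apply` in linux_x64/make-python.sh.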
@@ -72,17 +93,24 @@ fi
 PYTHON_SRC_DIR=$SCRIPT_DIR/temp/cpython
 RELOC_SRC_DIR=$SCRIPT_DIR/temp/relocatable-python
 
-echo "------------- creating python virtual environment ----------"
+echo ""
+echo "---------------- creating python virtual environment ----------------"
+echo ""
 cd $SCRIPT_DIR/temp
 python3 -m venv py_venv
 VENV_BIN_DIR=$SCRIPT_DIR/temp/py_venv/bin
 PYTHONNOUSERSITE=1
 
-echo "------ Installing spinx documentation tool into the v-env -----"
+echo ""
+echo "---------------- Installing spinx documentation tool into the v-env ----------------"
+echo ""
 $VENV_BIN_DIR/python3 -m pip install sphinx
 
 cd $RELOC_SRC_DIR
-echo "----- Checking out specific commit hash of relocatable-python -----"
+
+echo ""
+echo "---------------- Checking out specific commit hash of relocatable-python ----------------"
+echo ""
 # the hash is a known good commit hash.  This also causes it to fail if someone
 # tampers the repo!
 git reset --hard 5e459c3ccea0daaf181f3b1ef2773dbefce1a563
@@ -92,7 +120,9 @@ if [ $retVal -ne 0 ]; then
     exit $retVal
 fi
 
-echo "------------------- patching the relocator -----------------------"
+echo ""
+echo "---------------- patching the relocator ----------------"
+echo ""
 echo Currently in `pwd`
 echo patch -p1 $SCRIPT_DIR/open3d_patch.patch
 patch -p1 < $SCRIPT_DIR/open3d_patch.patch
@@ -104,7 +134,9 @@ fi
 
 
 cd $PYTHON_SRC_DIR
-echo "------------------- patching the python Mac package-maker -----------------------"
+echo ""
+echo "---------------- patching the python source ----------------"
+echo ""
 patch -p1 < $SCRIPT_DIR/open3d_python.patch
 retVal=$?
 if [ $retVal -ne 0 ]; then
@@ -112,7 +144,9 @@ if [ $retVal -ne 0 ]; then
     exit $retVal
 fi
 
-echo "-------------- Building a Mac python package from official sources ----------"
+echo ""
+echo "---------------- Building a Mac python package from official source ----------------"
+echo ""
 cd $PYTHON_SRC_DIR
 cd Mac
 cd BuildScript
@@ -130,7 +164,9 @@ fi
 FRAMEWORK_OUTPUT_FOLDER=$SCRIPT_DIR/temp/python_build/_root/Library/Frameworks
 echo Framework output folder: $FRAMEWORK_OUTPUT_FOLDER
 cd $RELOC_SRC_DIR
-echo "---------- Altering the produced framework folder to be relocatable ---------"
+echo ""
+echo "---------------- Altering the produced framework folder to be relocatable ----------------"
+echo ""
 echo $VENV_BIN_DIR/python3 ./make_relocatable_python_framework.py --install-wheel --upgrade-pip --python-version 3.7.12 --use-existing-framework $FRAMEWORK_OUTPUT_FOLDER/Python.framework
 $VENV_BIN_DIR/python3 ./make_relocatable_python_framework.py --install-wheel --upgrade-pip --python-version 3.7.12 --use-existing-framework $FRAMEWORK_OUTPUT_FOLDER/Python.framework
 retVal=$?
@@ -139,7 +175,9 @@ if [ $retVal -ne 0 ]; then
     exit $retVal
 fi
 
-echo "------------------ Final RPATH update --------------"
+echo ""
+echo "---------------- Final RPATH update ----------------"
+echo ""
 # The filename of the main python dylib is 'Python'.
 # It is located at ./package/Python.framework/Versions/3.7
 # This, despite just being called 'Python' with no extension is actually the main python 
@@ -155,19 +193,34 @@ echo "------------------ Final RPATH update --------------"
 # whether a python native plugin is being located from the framework in some subfolder.
 install_name_tool -id @rpath/Python $FRAMEWORK_OUTPUT_FOLDER/Python.framework/Versions/3.7/Python
 
-echo "-------------- rsync package layout into $SCRIPT_DIR/package ------------"
+echo ""
+echo "---------------- rsync package layout into $SCRIPT_DIR/package ----------------"
+echo ""
 mdkir $SCRIPT_DIR/package
 rsync -avu --delete "$FRAMEWORK_OUTPUT_FOLDER/" "$SCRIPT_DIR/package"
 
-echo "---------- Copying Open3DEngine package metadata and license file ------------"
+echo ""
+echo "---------------- Copying Open3DEngine package metadata and license file ----------------"
+echo ""
 # the tar contains a 'Python.framework' sub folder
 cd $SCRIPT_DIR/package
 cp $SCRIPT_DIR/package/Python.framework/Versions/3.7/lib/python3.7/LICENSE.txt ./LICENSE
 cp $SCRIPT_DIR/PackageInfo.json .
 cp $SCRIPT_DIR/*.cmake .
 
-echo "--------------  Cleaning temp folder -----------------"
+echo ""
+echo "---------------- Removing pip references from ensurepip ----------------"
+echo ""
+rm -f $SCRIPT_DIR/package/Python.framework/Versions/3.7/lib/python3.7/ensurepip/_bundled/pip-20*.whl
+cat $SCRIPT_DIR/package/Python.framework/Versions/3.7/lib/python3.7/ensurepip/__init__.py | sed 's/"20.1.1"/"22.0.3"/g' | sed 's/("pip", _PIP_VERSION, "py2.py3"),//g' > $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py_temp
+rm $SCRIPT_DIR/package/Python.framework/Versions/3.7/lib/python3.7/ensurepip/__init__.py
+mv $SCRIPT_DIR/package/Python.framework/Versions/3.7/lib/python3.7/ensurepip/__init__.py_temp $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py
+
+echo ""
+echo "----------------  Cleaning temp folder ----------------"
+echo ""
 rm -rf $SCRIPT_DIR/temp
 
+echo ""
 echo "DONE! Package layout folder has been created in $SCRIPT_DIR/package"
 exit 0
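Review bot: In the ensurepip step the `sed` output is redirected to `$SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py_temp`, which is the Linux layout, while the `rm` and the `mv` source use the `Python.framework/Versions/3.7/...` path. As written the original `__init__.py` is removed and the `mv` source does not exist, so the framework would be left without `ensurepip/__init__.py` (assuming `package/python` is not created elsewhere in the script). Keep every command on one directory, for instance `ENSUREPIP_DIR=$SCRIPT_DIR/package/Python.framework/Versions/3.7/lib/python3.7/ensurepip` and then `sed -e 's/"20.1.1"/"22.0.3"/g' -e 's/("pip", _PIP_VERSION, "py2.py3"),//g' "$ENSUREPIP_DIR/__init__.py" > "$ENSUREPIP_DIR/__init__.py_temp" && mv "$ENSUREPIP_DIR/__init__.py_temp" "$ENSUREPIP_DIR/__init__.py"`. The wheel removal also uses `pip-20*.whl` here but `pip-*.whl` on Linux; the broader glob is the safer match.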

+ 6 - 5
package-system/python/darwin_x64/open3d_python.patch

@@ -1,5 +1,5 @@
 diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
-index 4fab488..1c9621b 100755
+index 4fab488..2f1bd81 100755
 --- a/Mac/BuildScript/build-installer.py
 +++ b/Mac/BuildScript/build-installer.py
 @@ -209,9 +209,9 @@ def library_recipes():
@@ -74,10 +74,12 @@ index 4fab488..1c9621b 100755
 -    if getDeptargetTuple() < (10, 5):
 -        result.extend([
            dict(
-               name="Bzip2 1.0.6",
+-              name="Bzip2 1.0.6",
 -              url="http://bzip.org/1.0.6/bzip2-1.0.6.tar.gz",
-+              url="https://sourceware.org/pub/bzip2/bzip2-1.0.6.tar.gz",
-               checksum='00b516f4704d4a7cb50a1d97e6e8e15b',
+-              checksum='00b516f4704d4a7cb50a1d97e6e8e15b',
++              name="Bzip2 1.0.8",
++              url="https://sourceware.org/pub/bzip2/bzip2-1.0.8.tar.gz",
++              checksum='67e051268d0c475ea773822f7500d0e5',
                configure=None,
                install='make install CC=%s CXX=%s, PREFIX=%s/usr/local/ CFLAGS="-arch %s"'%(
                    CC, CXX,
@@ -188,4 +190,3 @@ index 4fab488..1c9621b 100755
 +
      for recipe in pkg_recipes():
          packageFromRecipe(pkgcontents, recipe)
-

+ 1 - 1
package-system/python/linux_x64/PackageInfo.json

@@ -1,5 +1,5 @@
 {
-    "PackageName" : "python-3.7.12-rev1-linux",
+    "PackageName" : "python-3.7.12-rev2-linux",
     "License"     : "PSF-2.0",
     "URL"         : "https://python.org",
     "LicenseFile" : "python/LICENSE"

+ 100 - 8
package-system/python/linux_x64/make-python.sh

@@ -12,18 +12,18 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd $SCRIPT_DIR
 
 echo ""
-echo "------ BUILDING PYTHON FROM SOURCE ------"
+echo "--------------- PYTHON PACKAGE BUILD SCRIPT ----------------"
 echo ""
 echo "BASIC REQUIREMENTS in case something goes wrong:"
 echo "   - git installed and in PATH"
-echo "   - packages installed: apt-get dev-essential tk8.6-dev python3 libssl-dev tcl8.6-dev libbz2-dev libgdbm-compat-dev liblzma-dev libsqlite3-dev libreadline-dev"
+echo "   - packages installed: apt-get dev-essential tk8.6-dev python3 libssl-dev tcl8.6-dev libgdbm-compat-dev liblzma-dev libsqlite3-dev libreadline-dev texinfo"
 echo "   - python3 with pip in PATH! (i.e. sudo apt install python3 and sudo apt install python3-pip"
 echo "   - Note: This script is currently written for buildng on Ubuntu Linux only."
 echo "   - Note: installing binaries with pip must result with them being on PATH."
 echo ""
 
 # Make sure we have all the required dev packages
-REQUIRED_DEV_PACKAGES="tk8.6-dev python3 libssl-dev tcl8.6-dev libbz2-dev libgdbm-compat-dev liblzma-dev libsqlite3-dev libreadline-dev"
+REQUIRED_DEV_PACKAGES="tk8.6-dev python3 libssl-dev tcl8.6-dev libgdbm-compat-dev liblzma-dev libsqlite3-dev libreadline-dev texinfo"
 ALL_PACKAGES=`apt list 2>/dev/null`
 for req_package in $REQUIRED_DEV_PACKAGES
 do
@@ -46,7 +46,9 @@ echo ""
 mkdir -p temp
 
 
-echo ------------------------ GIT CLONE python 3.7 --------------------
+echo ""
+echo "--------------- Cloning python 3.7.12 from git ---------------"
+echo ""
 cd temp
 git clone https://github.com/python/cpython.git --branch v3.7.12 --depth 1
 
@@ -54,10 +56,90 @@ if [[ ! -d "cpython" ]]; then
     echo "Was unable to create cpython dir via git clone.  Is git installed?"
     exit 1
 fi
+
+echo ""
+echo "--------------- Cloning libexpat 2.4.6 from git and applying update ---------------"
+echo ""
+git clone https://github.com/libexpat/libexpat.git --branch "R_2_4_6" --depth 1
+
+if [[ ! -d "libexpat" ]]; then
+    echo "Was unable to create libexpat dir via git clone.  Is git installed?"
+    exit 1
+fi
+
+cp -f -v libexpat/expat/lib/*.h cpython/Modules/expat/
+cp -f -v libexpat/expat/lib/*.c cpython/Modules/expat/
+
+
+echo ""
+echo "--------------- Cloning bzip2 1.0.8 and building ---------------"
+echo ""
+git clone git://sourceware.org/git/bzip2.git --branch "bzip2-1.0.8" --depth 1
+if [[ ! -d "bzip2" ]]; then
+    echo "Was unable to create bzip2 dir via git clone.  Is git installed?"
+    exit 1
+fi
+
+pushd bzip2
+
+PATCH_FILE=$SCRIPT_DIR/open3d_bzip2.patch
+echo Applying patch file $PATCH_FILE
+git apply --ignore-whitespace $PATCH_FILE
+if [ $retVal -ne 0 ]; then
+    echo "Git apply failed"
+    exit $retVal
+fi
+
+make bzip2
+
+make install PREFIX=install
+
+popd
+
+echo ""
+echo "--------------- Cloning libffi 1.0.8 and building static version ---------------"
+echo ""
+git clone https://github.com/libffi/libffi.git --branch "v3.4.2" --depth 1
+if [[ ! -d "libffi" ]]; then
+    echo "Was unable to create libffi dir via git clone."
+    exit 1
+fi
+
+pushd libffi
+
+# According to the README.md for libffi, we need to run autogen.sh first
+./autogen.sh
+retVal=$?
+if [ $retVal -ne 0 ]; then
+    echo "Error running autogen.sh for libffi"
+    exit $retVal
+fi
+ 
+./configure --prefix=$SCRIPT_DIR/temp/ffi_lib --enable-shared=no --with-fpic=yes CFLAGS='-fPIC' CPPFLAGS='-fPIC'
+retVal=$?
+if [ $retVal -ne 0 ]; then
+    echo "Error running configuring for libffi"
+    exit $retVal
+fi
+
+make install
+retVal=$?
+if [ $retVal -ne 0 ]; then
+    echo "Error building libffi"
+    exit $retVal
+fi
+
+popd
+
+
 cd cpython
 
-# Build from the source with optimizations and shared libs enabled , and override the RPATH
-./configure --prefix=$SCRIPT_DIR/package/python --enable-optimizations --enable-shared LDFLAGS='-Wl,-rpath=\$$ORIGIN:\$$ORIGIN/../lib:\$$ORIGIN/../..'
+echo ""
+echo "--------------- Building cpython from source ---------------"
+echo ""
+
+# Build from the source with optimizations and shared libs enabled , and override the RPATH and bzip include/lib paths
+./configure --prefix=$SCRIPT_DIR/package/python --enable-optimizations --enable-shared LDFLAGS='-Wl,-rpath=\$$ORIGIN:\$$ORIGIN/../lib:\$$ORIGIN/../.. -L../bzip2/install/lib -L../ffi_lib/lib' CPPFLAGS='-I../bzip2/install/include -I../ffi_lib/include' CFLAGS='-I../temp/bzip2/install/include -I../ffi_lib/include'
 retVal=$?
 if [ $retVal -ne 0 ]; then
     echo "Error running configuring optimized build"
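Review bot: The bzip2 clone uses `git://sourceware.org/git/bzip2.git`, an unauthenticated and unencrypted transport, so the source that ends up linked into this package has no integrity protection in transit. Prefer `git clone https://sourceware.org/git/bzip2.git --branch "bzip2-1.0.8" --depth 1` and, since tags can be moved, compare the checked-out commit with a recorded hash, e.g. `[ "$(git rev-parse HEAD)" = "$EXPECTED_COMMIT" ] || exit 1` (EXPECTED_COMMIT being a placeholder for the reviewed hash), for bzip2, libexpat and libffi alike. Separately, the libffi banner says "1.0.8" while the tag cloned is v3.4.2, and the CFLAGS include path `-I../temp/bzip2/install/include` does not match the `-I../bzip2/install/include` used in CPPFLAGS.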
@@ -98,7 +180,9 @@ cd $SCRIPT_DIR/package/python/bin
 ln -s python3 python
 cd $SCRIPT_DIR/package
 
-echo "----------------------------- Upgrading pip ----------------"
+echo ""
+echo "--------------- Upgrading pip ---------------"
+echo ""
 # the pip that may come from the above repo can be broken, so we'll use get-pip
 # and then upgrade it.
 curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
@@ -124,8 +208,16 @@ sed -i "2i\\
 echo "Removing wininst*.exe files"
 rm -v $SCRIPT_DIR/package/python/lib/python3.7/distutils/command/wininst-*.exe
 
+echo "Removing out of date pip*.whl"
+rm -v $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/_bundled/pip-*.whl
+
+echo "Removing pip references from ensurepip"
+cat $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py | sed 's/"20.1.1"/"22.0.3"/g' | sed 's/("pip", _PIP_VERSION, "py2.py3"),//g' > $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py_temp
+rm $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py
+mv $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py_temp $SCRIPT_DIR/package/python/lib/python3.7/ensurepip/__init__.py
+
 echo ""
-echo "------ PYTHON WAS BUILT FROM SOURCE -----"
+echo "--------------- PYTHON WAS BUILT FROM SOURCE ---------------"
 echo ""
 
 echo "Package has completed building, and is now in $SCRIPT_DIR/package"

+ 13 - 0
package-system/python/linux_x64/open3d_bzip2.patch

@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index f8a1772..56de40c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -21,7 +21,7 @@ RANLIB=ranlib
+ LDFLAGS=
+ 
+ BIGFILES=-D_FILE_OFFSET_BITS=64
+-CFLAGS=-Wall -Winline -O2 -g $(BIGFILES)
++CFLAGS=-Wall -Winline -fPIC -O2 -g $(BIGFILES)
+ 
+ # Where you want it installed when you do 'make install'
+ PREFIX=/usr/local

+ 1 - 1
package-system/python/win_x64/PackageInfo.json

@@ -1,5 +1,5 @@
 {
-    "PackageName" : "python-3.7.12-rev1-windows",
+    "PackageName" : "python-3.7.12-rev2-windows",
     "URL"         : "https://python.org",
     "License"     : "PSF-2.0",
     "LicenseFile" : "python/LICENSE.txt"

+ 14 - 2
package-system/python/win_x64/build_python.bat

@@ -56,6 +56,15 @@ if %ERRORLEVEL% NEQ 0 (
     exit /B 1
 )
 
+echo Cloning expat from git using v2.4.6
+git clone https://github.com/libexpat/libexpat.git --branch "R_2_4_6" --depth 1
+if %ERRORLEVEL% NEQ 0 (
+    echo "Git clone failed"
+    exit /B 1
+)
+copy /Y /V libexpat/expat/lib/*.h cpython/Modules/expat/
+copy /Y /V libexpat/expat/lib/*.c cpython/Modules/expat/
+
 cd /d %python_src%
 
 set patch_file=%ScriptDir%\open3d_python.patch
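Review bot: The two `copy` commands that overlay expat 2.4.6 use forward-slash paths and have no `ERRORLEVEL` check, so a failed copy would not stop the build. cmd's `copy` normally parses `/` as the start of a switch, so `libexpat/expat/lib/*.h` is likely rejected and the expat sources bundled in cpython left untouched. Use backslashes and fail on error: `copy /Y /V libexpat\expat\lib\*.h cpython\Modules\expat\` followed by `if %ERRORLEVEL% NEQ 0 exit /B 1`, and the same for `*.c`.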
@@ -97,14 +106,17 @@ if %ERRORLEVEL% NEQ 0 (
 )
 
 cd /d %python_src%
-echo installing PIP...
+echo installing PIP... (Based on the cpython v3.7.12)
 %outputdir%\python\Python.exe  -m ensurepip --root %outputdir%\python --upgrade
 if %ERRORLEVEL% NEQ 0 (
   echo Failed to ensure pip is present.
   exit /B 1
 )
-%outputdir%\python\Python.exe -m pip install --target %outputdir%\python\lib\site-packages --upgrade pip 
+echo upgrading PIP... 
+%outputdir%\python\Python.exe -m pip install --target %outputdir%\python\Lib\site-packages --upgrade pip 
 
+rem Now that PIP is part of the package, remove the wheel file of the pre-upgrade version from the package
+del /F /Q %outputdir%\python\Lib\ensurepip\_bundled\pip-*.whl
 
 echo copying package metadata and cmake files...
 rem But we do add our own few things...

+ 99 - 5
package-system/python/win_x64/open3d_python.patch

@@ -1,15 +1,95 @@
+diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
+index 94d40b0..fea685b 100644
+--- a/Lib/ensurepip/__init__.py
++++ b/Lib/ensurepip/__init__.py
+@@ -11,11 +11,10 @@ __all__ = ["version", "bootstrap"]
+ 
+ _SETUPTOOLS_VERSION = "47.1.0"
+ 
+-_PIP_VERSION = "20.1.1"
++_PIP_VERSION = "22.0.3"
+ 
+ _PROJECTS = [
+-    ("setuptools", _SETUPTOOLS_VERSION, "py3"),
+-    ("pip", _PIP_VERSION, "py2.py3"),
++    ("setuptools", _SETUPTOOLS_VERSION, "py3")
+ ]
+ 
+ 
+diff --git a/PCbuild/_bz2.vcxproj.filters b/PCbuild/_bz2.vcxproj.filters
+index eac64dd..b3fedcf 100644
+--- a/PCbuild/_bz2.vcxproj.filters
++++ b/PCbuild/_bz2.vcxproj.filters
+@@ -4,10 +4,10 @@
+     <Filter Include="Source Files">
+       <UniqueIdentifier>{f53a859d-dad2-4d5b-ae41-f28d8b571f5a}</UniqueIdentifier>
+     </Filter>
+-    <Filter Include="bzip2 1.0.6 Header Files">
++    <Filter Include="bzip2 1.0.8 Header Files">
+       <UniqueIdentifier>{7e0bed05-ae33-43b7-8797-656455bbb7f3}</UniqueIdentifier>
+     </Filter>
+-    <Filter Include="bzip2 1.0.6 Source Files">
++    <Filter Include="bzip2 1.0.8 Source Files">
+       <UniqueIdentifier>{ed574b89-6983-4cdf-9f98-fe7048d9e89c}</UniqueIdentifier>
+     </Filter>
+   </ItemGroup>
+@@ -16,33 +16,33 @@
+       <Filter>Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\blocksort.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\bzlib.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\compress.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\crctable.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\decompress.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\huffman.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+     <ClCompile Include="$(bz2Dir)\randtable.c">
+-      <Filter>bzip2 1.0.6 Source Files</Filter>
++      <Filter>bzip2 1.0.8 Source Files</Filter>
+     </ClCompile>
+   </ItemGroup>
+   <ItemGroup>
+     <ClInclude Include="$(bz2Dir)\bzlib.h">
+-      <Filter>bzip2 1.0.6 Header Files</Filter>
++      <Filter>bzip2 1.0.8 Header Files</Filter>
+     </ClInclude>
+     <ClInclude Include="$(bz2Dir)\bzlib_private.h">
+-      <Filter>bzip2 1.0.6 Header Files</Filter>
++      <Filter>bzip2 1.0.8 Header Files</Filter>
+     </ClInclude>
+   </ItemGroup>
+ </Project>
 diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
-index 38fc275..a2fc80e 100644
+index 38fc275..59d7a73 100644
 --- a/PCbuild/get_externals.bat
 +++ b/PCbuild/get_externals.bat
-@@ -49,10 +49,10 @@ echo.Fetching external libraries...
+@@ -48,11 +48,11 @@ if NOT DEFINED PYTHON (
+ echo.Fetching external libraries...
  
  set libraries=
- set libraries=%libraries%                                       bzip2-1.0.6
+-set libraries=%libraries%                                       bzip2-1.0.6
 -if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1g
 -set libraries=%libraries%                                       sqlite-3.31.1.0
 -if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.9.0
 -if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.9.0
++set libraries=%libraries%                                       bzip2-1.0.8
 +if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-1.1.1m
 +set libraries=%libraries%                                       sqlite-3.37.2.0
 +if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.12.0
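Review bot: `_PIP_VERSION` is hard-coded to "22.0.3" in the patched `Lib/ensurepip/__init__.py`, but build_python.bat installs pip with `--upgrade pip` and no version, so the number this module carries will drift from the pip that is actually shipped as soon as a newer release is published. Pinning the install, e.g. `-m pip install --upgrade pip==22.0.3`, keeps the two in step and makes the package reproducible; the `sed` edits in the darwin and linux scripts hard-code the same value. It is also worth confirming that `-m ensurepip` in build_python.bat still succeeds with pip removed from `_PROJECTS`, since that step appears to run against the patched tree.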
@@ -29,7 +109,7 @@ index 38fc275..a2fc80e 100644
  
  for %%b in (%binaries%) do (
 diff --git a/PCbuild/python.props b/PCbuild/python.props
-index 1034e7f..b74977d 100644
+index 1034e7f..df0911a 100644
 --- a/PCbuild/python.props
 +++ b/PCbuild/python.props
 @@ -46,11 +46,11 @@
@@ -37,8 +117,9 @@ index 1034e7f..b74977d 100644
      <ExternalsDir Condition="$(ExternalsDir) == ''">$([System.IO.Path]::GetFullPath(`$(PySourcePath)externals`))</ExternalsDir>
      <ExternalsDir Condition="!HasTrailingSlash($(ExternalsDir))">$(ExternalsDir)\</ExternalsDir>
 -    <sqlite3Dir>$(ExternalsDir)sqlite-3.31.1.0\</sqlite3Dir>
+-    <bz2Dir>$(ExternalsDir)bzip2-1.0.6\</bz2Dir>
 +    <sqlite3Dir>$(ExternalsDir)sqlite-3.37.2.0\</sqlite3Dir>
-     <bz2Dir>$(ExternalsDir)bzip2-1.0.6\</bz2Dir>
++    <bz2Dir>$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
      <lzmaDir>$(ExternalsDir)xz-5.2.2\</lzmaDir>
 -    <opensslDir>$(ExternalsDir)openssl-1.1.1g\</opensslDir>
 -    <opensslOutDir>$(ExternalsDir)openssl-bin-1.1.1g\$(ArchName)\</opensslOutDir>
@@ -47,6 +128,19 @@ index 1034e7f..b74977d 100644
      <opensslIncludeDir>$(opensslOutDir)include</opensslIncludeDir>
      <nasmDir>$(ExternalsDir)\nasm-2.11.06\</nasmDir>
      <zlibDir>$(ExternalsDir)\zlib-1.2.11\</zlibDir>
+diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
+index 9c521fa..5e57a95 100644
+--- a/PCbuild/readme.txt
++++ b/PCbuild/readme.txt
+@@ -157,7 +157,7 @@ interpreter, but they do implement several major features.  See the
+ about getting the source for building these libraries.  The sub-projects
+ are:
+ _bz2
+-    Python wrapper for version 1.0.6 of the libbzip2 compression library
++    Python wrapper for version 1.0.8 of the libbzip2 compression library
+     Homepage:
+         http://www.bzip.org/
+ _lzma
 diff --git a/PCbuild/tcltk.props b/PCbuild/tcltk.props
 index b185cb7..a901998 100644
 --- a/PCbuild/tcltk.props

+ 2 - 2
package_build_list_host_darwin.json

@@ -37,7 +37,7 @@
         "astc-encoder-3.2-rev5-mac": "Scripts/extras/pull_and_build_from_git.py ../../package-system/astc-encoder --platform-name Mac --package-root ../../package-system --clean",
         "DirectXShaderCompilerDxc-1.6.2112-o3de-rev1-mac": "Scripts/extras/pull_and_build_from_git.py ../../package-system/DirectXShaderCompiler --platform-name Mac --package-root ../../package-system --clean",
         "azslc-1.7.35-rev1-mac": "Scripts/extras/pull_and_build_from_git.py ../../package-system/azslc --platform-name Mac --package-root ../../package-system --clean",
-        "python-3.7.12-rev1-darwin": "package-system/python/build_package_image.py",
+        "python-3.7.12-rev2-darwin": "package-system/python/build_package_image.py",
         "mcpp-2.7.2_az.2-rev1-mac": "package-system/mcpp/get_and_build_mcpp.py mcpp-2.7.2_az.2-rev1",
         "mikkelsen-1.0.0.4-mac": "package-system/mikkelsen/build_package_image.py --platform mac",
         "mikkelsen-1.0.0.4-ios": "package-system/mikkelsen/build_package_image.py --platform ios",
@@ -75,7 +75,7 @@
         "OpenEXR-3.1.3-rev2-mac": "package-system/OpenEXR-mac",
         "tiff-4.2.0.15-rev3-mac": "package-system/tiff-mac",
         "tiff-4.2.0.15-rev3-ios": "package-system/tiff-ios",
-        "python-3.7.12-rev1-darwin": "package-system/python/darwin_x64/package",
+        "python-3.7.12-rev2-darwin": "package-system/python/darwin_x64/package",
         "asn1-0.9.27-rev2-ios": "package-system/asn1-ios",
         "PhysX-4.1.2.29882248-rev5-mac": "package-system/PhysX-mac",
         "PhysX-4.1.2.29882248-rev5-ios": "package-system/PhysX-ios",

+ 2 - 2
package_build_list_host_linux.json

@@ -31,7 +31,7 @@
         "DirectXShaderCompilerDxc-1.6.2112-o3de-rev1-linux": "Scripts/extras/pull_and_build_from_git.py ../../package-system/DirectXShaderCompiler --platform-name Linux --package-root ../../package-system --clean",
         "azslc-1.7.35-rev1-linux": "Scripts/extras/pull_and_build_from_git.py ../../package-system/azslc --platform-name Linux --package-root ../../package-system --clean",
         "tiff-4.2.0.15-rev3-linux": "Scripts/extras/pull_and_build_from_git.py ../../package-system/tiff --platform-name Linux --package-root ../../package-system --clean",
-        "python-3.7.12-rev1-linux": "package-system/python/build_package_image.py",
+        "python-3.7.12-rev2-linux": "package-system/python/build_package_image.py",
         "mikkelsen-1.0.0.4-linux": "package-system/mikkelsen/build_package_image.py",
         "qt-5.15.2-rev5-linux": "Scripts/extras/pull_and_build_from_git.py ../../package-system/Qt --platform-name Linux --package-root ../../package-system --clean",
         "zlib-1.2.11-rev5-linux": "Scripts/extras/pull_and_build_from_git.py ../../package-system/zlib --platform-name Linux --package-root ../../package-system --clean",
@@ -61,7 +61,7 @@
         "DirectXShaderCompilerDxc-1.6.2112-o3de-rev1-linux": "package-system/DirectXShaderCompilerDxc-linux",
         "azslc-1.7.35-rev1-linux": "package-system/azslc-linux",
         "tiff-4.2.0.15-rev3-linux": "package-system/tiff-linux",
-        "python-3.7.12-rev1-linux": "package-system/python/linux_x64/package",
+        "python-3.7.12-rev2-linux": "package-system/python/linux_x64/package",
         "PhysX-4.1.2.29882248-rev5-linux": "package-system/PhysX-linux",
         "NvCloth-v1.1.6-4-gd243404-pr58-rev1-linux": "package-system/NvCloth-linux",
         "mikkelsen-1.0.0.4-linux": "package-system/mikkelsen-linux",

+ 2 - 2
package_build_list_host_windows.json

@@ -44,7 +44,7 @@
         "PhysX-4.1.2.29882248-rev5-windows": "package-system/PhysX/build_package_image.py --platform windows",
         "poly2tri-7f0487a-rev1-windows": "package-system/poly2tri/build_package_image.py --platform-name windows",
         "pybind11-2.4.3-rev3-multiplatform": "Scripts/extras/pull_and_build_from_git.py ../../package-system/pybind11 --platform-name multiplatform --package-root ../../package-system --clean",
-        "python-3.7.12-rev1-windows": "package-system/python/build_package_image.py",
+        "python-3.7.12-rev2-windows": "package-system/python/build_package_image.py",
         "qt-5.15.2-rev4-windows": "Scripts/extras/pull_and_build_from_git.py ../../package-system/Qt --platform-name Windows --package-root ../../package-system --clean",
         "RapidJSON-1.1.0-rev1-multiplatform": "Scripts/extras/pull_and_build_from_git.py ../../package-system/RapidJSON --platform-name multiplatform --package-root ../../package-system",
         "SPIRVCross-2021.04.29-rev1-windows": "Scripts/extras/pull_and_build_from_git.py ../../package-system/SPIRVCross --platform-name Windows --package-root ../../package-system --clean",
@@ -109,7 +109,7 @@
     "PVRTexTool-4.24.0-rev4-multiplatform": "package-system/PVRTexTool-multiplatform",
     "pybind11-2.4.3-rev3-multiplatform": "package-system/pybind11-multiplatform",
     "pyside2-qt-5.15.1-rev2-windows": "package-system/pyside2-windows",
-    "python-3.7.12-rev1-windows": "package-system/python/win_x64/package",
+    "python-3.7.12-rev2-windows": "package-system/python/win_x64/package",
     "qt-5.15.2-rev4-windows": "package-system/qt-windows",
     "RapidJSON-1.1.0-rev1-multiplatform": "package-system/RapidJSON-multiplatform",
     "RapidXML-1.13-rev1-multiplatform": "package-system/RapidXML-multiplatform",