[infra] Upgrade Python to 3.10.14 in base-builder & base-runner Images

infra/base-images/base-builder/Dockerfile

@@ -19,9 +19,9 @@ FROM gcr.io/oss-fuzz-base/base-clang
 COPY install_deps.sh /
 RUN /install_deps.sh && rm /install_deps.sh
 
-# Build and install latest Python 3 (3.8.3).
-ENV PYTHON_VERSION 3.8.3
-RUN export PYTHON_DEPS="\
+# Build and install latest Python 3.10.
+ENV PYTHON_VERSION 3.10.14
+RUN PYTHON_DEPS="\
  zlib1g-dev \
  libncurses5-dev \
  libgdbm-dev \
@@ -39,12 +39,14 @@ RUN export PYTHON_DEPS="\
  tar -xvf Python-$PYTHON_VERSION.tar.xz && \
  cd Python-$PYTHON_VERSION && \
  ./configure --enable-optimizations --enable-shared && \
- make -j install && \
+ make -j$(nproc) install && \
  ldconfig && \
- ln -s /usr/bin/python3 /usr/bin/python && \
+ ln -s /usr/local/bin/python3 /usr/local/bin/python && \
  cd .. && \
  rm -r /tmp/Python-$PYTHON_VERSION.tar.xz /tmp/Python-$PYTHON_VERSION && \
- rm -rf /usr/local/lib/python3.8/test && \
+ rm -rf /usr/local/lib/python${PYTHON_VERSION%.*}/test && \
+ python3 -m ensurepip && \
+ python3 -m pip install --upgrade pip && \
  apt-get remove -y $PYTHON_DEPS # https:/google/oss-fuzz/issues/3888
 
 # Install six for Bazel rules.

infra/base-images/base-builder/compile_python_fuzzer

@@ -32,7 +32,7 @@ if [[ $SANITIZER = *introspector* ]]; then
  # we enter the virtual environment in the following lines because we need
  # to use the same python environment that installed the fuzzer dependencies.
  python3 /fuzz-introspector/frontends/python/prepare_fuzz_imports.py $fuzzer_path isossfuzz
- 
+
  # We must ensure python3.9, this is because we use certain
  # AST logic from there.
  # The below should probably be refined
@@ -84,7 +84,7 @@ then
  if [[ ! -d "/pysecsan" ]];
  then
  pushd /usr/local/lib/sanitizers/pysecsan
- python3 setup.py install
+ python3 -m pip install .
  popd
  fi
 

infra/base-images/base-builder/install_python.sh

@@ -19,5 +19,5 @@ echo "ATHERIS INSTALL"
 unset CFLAGS CXXFLAGS
 # PYI_STATIC_ZLIB=1 is needed for installing pyinstaller 5.0
 export PYI_STATIC_ZLIB=1
-LIBFUZZER_LIB=$( echo /usr/local/lib/clang/*/lib/x86_64-unknown-linux-gnu/libclang_rt.fuzzer_no_main.a ) pip3 install -v --no-cache-dir "atheris>=2.1.1" "pyinstaller==5.0.1" "setuptools==42.0.2" "coverage==6.3.2"
+LIBFUZZER_LIB=$( echo /usr/local/lib/clang/*/lib/x86_64-unknown-linux-gnu/libclang_rt.fuzzer_no_main.a ) pip3 install -v --no-cache-dir "atheris>=2.3.0" "pyinstaller==6.10.0" "setuptools==72.1.0" "coverage==6.3.2"
 rm -rf /tmp/*

infra/base-images/base-builder/sanitizers/pysecsan/pysecsan/command_injection.py

@@ -98,7 +98,7 @@ def hook_pre_exec_os_system(cmd):
  'Command injection')
 
 
-def hook_pre_exec_eval(cmd):
+def hook_pre_exec_eval(cmd, *args, **kwargs):
  """Hook for eval. Experimental atm."""
  res = check_code_injection_match(cmd, check_unquoted=True)
  if res is not None:

infra/base-images/base-builder/sanitizers/pysecsan/pysecsan/sanlib.py

@@ -22,7 +22,7 @@
 import functools
 import subprocess
 import traceback
-import importlib
+import importlib.util
 
 from typing import Any, Callable, Optional
 from pysecsan import command_injection, redos, yaml_deserialization
@@ -54,7 +54,7 @@ def sanitizer_log_always(msg, log_prefix=True):
 def is_module_present(mod_name):
  """Identify if module is importable."""
  # pylint: disable=deprecated-method
- return importlib.find_loader(mod_name) is not None
+ return importlib.util.find_spec(mod_name) is not None
 
 
 def _log_bug(bug_title):

infra/base-images/base-runner/Dockerfile

@@ -25,6 +25,11 @@ RUN cargo install rustfilt
 FROM gcr.io/oss-fuzz-base/base-clang AS base-clang
 FROM gcr.io/oss-fuzz-base/base-builder-ruby AS base-ruby
 
+# The base builder image compiles a specific Python version. Using a multi-stage build
+# to copy that same Python interpreter into the runner image saves build time and keeps
+# the Python versions in sync.
+FROM gcr.io/oss-fuzz-base/base-builder AS base-builder
+
 # Real image that will be used later.
 FROM gcr.io/oss-fuzz-base/base-image
 
@@ -36,6 +41,18 @@ COPY --from=base-clang /usr/local/bin/llvm-cov \
  /usr/local/bin/llvm-symbolizer \
  /usr/local/bin/
 
+# Copy the pre-compiled Python binaries and libraries
+COPY --from=base-builder /usr/local/bin/python3.10 /usr/local/bin/python3.10
+COPY --from=base-builder /usr/local/lib/libpython3.10.so.1.0 /usr/local/lib/libpython3.10.so.1.0
+COPY --from=base-builder /usr/local/include/python3.10 /usr/local/include/python3.10
+COPY --from=base-builder /usr/local/lib/python3.10 /usr/local/lib/python3.10
+COPY --from=base-builder /usr/local/bin/pip3 /usr/local/bin/pip3
+
+# Create symbolic links to ensure compatibility
+RUN ldconfig && \
+ ln -s /usr/local/bin/python3.10 /usr/local/bin/python3 && \
+ ln -s /usr/local/bin/python3.10 /usr/local/bin/python
+
 COPY install_deps.sh /
 RUN /install_deps.sh && rm /install_deps.sh
 
@@ -46,8 +63,11 @@ RUN git clone https://chromium.googlesource.com/chromium/src/tools/code_coverage
  cd /opt/code_coverage && \
  git checkout edba4873b5e8a390e977a64c522db2df18a8b27d && \
  pip3 install wheel && \
+ # If version "Jinja2==2.10" is in requirements.txt, bump it to a patch version that
+ # supports upgrading its MarkupSafe dependency to a Python 3.10 compatible release:
+ sed -i 's/Jinja2==2.10/Jinja2==2.10.3/' requirements.txt && \
  pip3 install -r requirements.txt && \
- pip3 install MarkupSafe==0.23 && \
+ pip3 install MarkupSafe==2.0.1 && \
  pip3 install coverage==6.3.2
 
 # Default environment options for various sanitizers.

infra/base-images/base-runner/install_deps.sh

@@ -20,12 +20,10 @@
 apt-get update && apt-get install -y \
  binutils \
  file \
+ ca-certificates \
  fonts-dejavu \
  git \
  libcap2 \
- python3 \
- python3-pip \
- python3-setuptools \
  rsync \
  unzip \
  wget \