Security fix for CVE-2022-40897

Fixes: rhbz#2158677
2023-04-06 20:02:05 +02:00 · 2023-04-06 20:02:05 +02:00 · 162833cd0a
commit 162833cd0a
parent b3c9e12e27
2 changed files with 64 additions and 1 deletions
--- a/CVE-2022-40897.patch
+++ b/CVE-2022-40897.patch
@ -0,0 +1,52 @@
+diff --git a/setup.cfg b/setup.cfg
+index 1578d5b..9b33a05 100644
+--- a/setup.cfg
+++ b/setup.cfg
+@@ -49,6 +49,7 @@ testing =
+ 	build[virtualenv]
+ 	ini2toml[lite]>=0.9
+ 	tomli-w>=1.0.0
+	pytest-timeout
+ testing-integration = 
+ 	pytest
+ 	pytest-xdist
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 14881d2..63fdb05 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -1,4 +1,5 @@
+-"""PyPI and direct package downloading"""
+"""PyPI and direct package downloading."""
+
+ import sys
+ import os
+ import re
+@@ -197,8 +198,10 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+-# this line is here to fix emacs' cruddy broken syntax highlighting
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
+ 
+ 
+ @unique_values
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..fc544c0 100644
+--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,11 @@ class TestPyPIConfig:
+         cred = cfg.creds_by_repository['https://pypi.org']
+         assert cred.username == 'jaraco'
+         assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@ -25,7 +25,7 @@
 Name:           python-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version:        62.6.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
@ -51,6 +51,13 @@ Source1:        https://github.com/pypa/%{srcname}/archive/v%{version}/%{srcname
 # Some test deps are optional and either not desired or not available in Fedora, thus this patch removes them.
 Patch:          Remove-optional-or-unpackaged-test-deps.patch

+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream:
+# https://github.com/pypa/setuptools/commit/579134321d4d9397c886a5cb50cc26d0e3fa4279
+# https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch:          CVE-2022-40897.patch
+
 BuildArch:      noarch

 BuildRequires:  python%{python3_pkgversion}-devel
@ -235,6 +242,10 @@ PYTHONPATH=$(pwd) %pytest \


 %changelog
+* Wed Apr 19 2023 Charalampos Stratakis <cstratak@redhat.com> - 62.6.0-3
+- Security fix for CVE-2022-40897
+- Fixes: rhbz#2158677
+
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 62.6.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild