From 162833cd0a41d9f545622c949c1898c8099823e6 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis
Date: Thu, 6 Apr 2023 20:02:05 +0200
Subject: [PATCH] Security fix for CVE-2022-40897
Fixes: rhbz#2158677
---
 CVE-2022-40897.patch | 52 ++++++++++++++++++++++++++++++++++++++++++
 python-setuptools.spec | 13 ++++++++++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-40897.patch
diff --git a/CVE-2022-40897.patch b/CVE-2022-40897.patch
new file mode 100644
index 0000000..48535ef
--- /dev/null
+++ b/CVE-2022-40897.patch
@@ -0,0 +1,52 @@
+diff --git a/setup.cfg b/setup.cfg
+index 1578d5b..9b33a05 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -49,6 +49,7 @@ testing =
+ build[virtualenv]
+ ini2toml[lite]>=0.9
+ tomli-w>=1.0.0
++ pytest-timeout
+ testing-integration =
+ pytest
+ pytest-xdist
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 14881d2..63fdb05 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,4 +1,5 @@
+-"""PyPI and direct package downloading"""
++"""PyPI and direct package downloading."""
++
+ import sys
+ import os
+ import re
+@@ -197,8 +198,10 @@ def unique_values(func):
+ return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+-# this line is here to fix emacs' cruddy broken syntax highlighting
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
++"""
++Regex for an HTML tag with 'rel="val"' attributes.
++"""
+ 
+ 
+ @unique_values
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..fc544c0 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,11 @@ class TestPyPIConfig:
+ cred = cfg.creds_by_repository['https://pypi.org']
+ assert cred.username == 'jaraco'
+ assert cred.password == 'pity%'
++
++
++@pytest.mark.timeout(1)
++def test_REL_DoS():
++ """
++ REL should not hang on a contrived attack string.
++ """
++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
diff --git a/python-setuptools.spec b/python-setuptools.spec
index 667e409..17c7c0d 100644
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@@ -25,7 +25,7 @@ Name: python-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version: 62.6.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
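Review bot: The added `test_REL_DoS` only checks that `REL.search` returns before the 1 s marker fires; it never inspects the result, so a future edit that makes the pattern match (or mis-match) the probe would still pass. Since the input contains no closing `>` the new pattern cannot match it, so the call can be pinned as `assert setuptools.package_index.REL.search('< rel=' + ' ' * 2**12) is None`, which also gives the test a real assertion independent of the timeout plugin. Separately, the rewritten `REL` narrows the value class from `[^'">]+` to `[^'" >]+`, so a space-separated value such as `rel="nofollow download"` is now captured only up to the first space where the old pattern captured the whole value; that matches upstream, but the backport header should say so, because the consumers of the second capture group in package_index.py (outside this hunk) decide which links are followed. A one-line note in the patch description such as `Note: rel values are now cut at the first space` would make that visible to whoever rebases the patch.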
@@ -51,6 +51,13 @@ Source1: https://github.com/pypa/%{srcname}/archive/v%{version}/%{srcname
 # Some test deps are optional and either not desired or not available in Fedora, thus this patch removes them.
 Patch: Remove-optional-or-unpackaged-test-deps.patch
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream:
+# https://github.com/pypa/setuptools/commit/579134321d4d9397c886a5cb50cc26d0e3fa4279
+# https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch: CVE-2022-40897.patch
+
 BuildArch: noarch
 BuildRequires: python%{python3_pkgversion}-devel
@@ -235,6 +242,10 @@ PYTHONPATH=$(pwd) %pytest \
 %changelog
+* Wed Apr 19 2023 Charalampos Stratakis - 62.6.0-3
+- Security fix for CVE-2022-40897
+- Fixes: rhbz#2158677
+
 * Fri Jul 22 2022 Fedora Release Engineering - 62.6.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
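Review bot: The new `Patch: CVE-2022-40897.patch` line pulls in a regression test decorated with `@pytest.mark.timeout(1)` (see the patch-file hunk above), but this hunk adds no `BuildRequires` for the pytest-timeout plugin, and the preceding `Remove-optional-or-unpackaged-test-deps.patch` comment says optional test deps are stripped from this build. Without the plugin the marker is unregistered, so pytest at best warns (or errors if `--strict-markers` is set in the `%pytest` invocation, which is outside this hunk) and the 1 s limit is never enforced, meaning the package's own test run would not catch a reintroduced hang. If the plugin is available in the buildroot, add `BuildRequires:  python%{python3_pkgversion}-pytest-timeout` next to the existing `-devel` line; if it is not, the comment block should state that the timeout marker is inert in this build. The `%changelog` entry in the last hunk is dated `Wed Apr 19 2023` while the commit `Date:` header reads `Thu, 6 Apr 2023`; the two should agree.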