Security fix for CVE-2022-40897

Fixes: rhbz#2158677
Don't measure wheel size with du
2023-04-11 19:31:39 +02:00 · 2023-04-06 19:14:06 +02:00 · 2022-11-16 17:33:36 +01:00 · 2022-11-16 16:07:08 +01:00
4 changed files with 115 additions and 3 deletions
--- a/0002-Default-to-local-distutils-on-Python-3.12.patch
+++ b/0002-Default-to-local-distutils-on-Python-3.12.patch
@ -0,0 +1,26 @@
+From 1d0f6dca621a405bae4204e7af7a3fd8d7f8e201 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Wed, 16 Nov 2022 16:03:55 +0100
+Subject: [PATCH] Default to local distutils on Python 3.12+
+
+---
+ _distutils_hack/__init__.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/_distutils_hack/__init__.py b/_distutils_hack/__init__.py
+index f707416..52a7690 100644
+--- a/_distutils_hack/__init__.py
+++ b/_distutils_hack/__init__.py
+@@ -42,7 +42,8 @@ def enabled():
+     """
+     Allow selection of distutils by environment variable.
+     """
+-    which = os.environ.get('SETUPTOOLS_USE_DISTUTILS', 'stdlib')
+    default = 'stdlib' if sys.version_info < (3, 12) else 'local'
+    which = os.environ.get('SETUPTOOLS_USE_DISTUTILS', default)
+     return which == 'local'
+ 
+ 
+-- 
+2.38.1
+
--- a/0003-CVE-2022-40897.patch
+++ b/0003-CVE-2022-40897.patch
@ -0,0 +1,52 @@
+diff --git a/setup.cfg b/setup.cfg
+index fc4ad5b..9dcc0e3 100644
+--- a/setup.cfg
+++ b/setup.cfg
+@@ -47,6 +47,7 @@ testing =
+ 	pytest-xdist
+ 	sphinx
+ 	jaraco.path>=3.2.0
+	pytest-timeout
+ docs = 
+ 	sphinx
+ 	jaraco.packaging >= 8.2
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 270e7f3..8b6ff64 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -1,4 +1,5 @@
+-"""PyPI and direct package downloading"""
+"""PyPI and direct package downloading."""
+
+ import sys
+ import os
+ import re
+@@ -197,8 +198,10 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+-# this line is here to fix emacs' cruddy broken syntax highlighting
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
+ 
+ 
+ @unique_values
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..fc544c0 100644
+--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,11 @@ class TestPyPIConfig:
+         cred = cfg.creds_by_repository['https://pypi.org']
+         assert cred.username == 'jaraco'
+         assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@ -25,7 +25,7 @@
 Name:           python-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version:        59.6.0
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
@ -42,6 +42,19 @@ Source0:        %{pypi_source %{srcname} %{version}}
 # For future reference, these packages were removed: pytest-(checkdocs|black|cov|mypy|enabler), flake8-2020, paver
 Patch1:         0001-Remove-optional-or-unpackaged-test-deps.patch

+# Normally, setuptools < 60 defaults to "stdlib" distutils.
+# Python 3.12 removed the standard library distutils module.
+# In order to be able to use python-setuptools-wheel with Python 3.12,
+# we flip the default to "local", but only on Python 3.12+.
+Patch2:         0002-Default-to-local-distutils-on-Python-3.12.patch
+
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream:
+# https://github.com/pypa/setuptools/commit/579134321d4d9397c886a5cb50cc26d0e3fa4279
+# https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch3:         0003-CVE-2022-40897.patch
+
 BuildArch:      noarch

 BuildRequires:  python%{python3_pkgversion}-devel
@ -167,9 +180,9 @@ install -p %{_pyproject_wheeldir}/%{python_wheel_name} -t %{buildroot}%{python_w
 cat pkg_resources/_vendor/vendored.txt setuptools/_vendor/vendored.txt > allvendor.txt
 %{_rpmconfigdir}/pythonbundles.py allvendor.txt --namespace 'python%{python3_pkgversion}dist' --compare-with '%{bundled}'

-# Regression test, the wheel should not be larger than 600 KiB
+# Regression test, the wheel should not be larger than 900 kB
 # https://bugzilla.redhat.com/show_bug.cgi?id=1914481#c3
-test $(du %{_pyproject_wheeldir}/%{python_wheel_name} | cut -f1) -lt 600
+test $(stat --format %%s %{_pyproject_wheeldir}/%{python_wheel_name}) -lt 900000

 # Regression test, the tests are not supposed to be installed
 test ! -d %{buildroot}%{python3_sitelib}/pkg_resources/tests
@ -208,6 +221,13 @@ PYTHONPATH=$(pwd) %pytest --ignore=setuptools/tests/test_integration.py --ignore


 %changelog
+* Thu Apr 06 2023 Charalampos Stratakis <cstratak@redhat.com> - 59.6.0-4
+- Security fix for CVE-2022-40897
+- Fixes: rhbz#2158677
+
+* Wed Nov 16 2022 Miro Hrončok <mhroncok@redhat.com> - 59.6.0-3
+- Make python-setuptools-wheel compatible with Python 3.12.0a2+
+
 * Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 59.6.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -28,6 +28,12 @@
    - smoke310:
        dir: python/smoke
        run: VERSION=3.10 ./venv.sh
+    - smoke311:
+        dir: python/smoke
+        run: VERSION=3.11 ./venv.sh
+    - smoke312:
+        dir: python/smoke
+        run: VERSION=3.12 ./venv.sh
    - smoke27:
        dir: python/smoke
        run: VERSION=2.7 METHOD=virtualenv ./venv.sh
@ -49,6 +55,12 @@
    - smoke310_virtualenv:
        dir: python/smoke
        run: VERSION=3.10 METHOD=virtualenv ./venv.sh
+    - smoke311_virtualenv:
+        dir: python/smoke
+        run: VERSION=3.11 METHOD=virtualenv ./venv.sh
+    - smoke312_virtualenv:
+        dir: python/smoke
+        run: VERSION=3.12 METHOD=virtualenv ./venv.sh
    - pyproject_pytest:
        dir: pyproject-rpm-macros/tests
        run: ./mocktest.sh python-pytest
@ -64,6 +76,8 @@
    - python3.8
    - python3.9
    - python3.10
+    - python3.11-devel
+    - python3.12-devel
    - python3-devel
    - python3-tox
    - mock
Author	SHA1	Message	Date
Charalampos Stratakis	b6581b68a8	Security fix for CVE-2022-40897 Fixes: rhbz#2158677	2023-04-11 19:31:39 +02:00
Miro Hrončok	f1ecc048df	Don't measure wheel size with du The `du` tool estimates disk usage, so filesystem settings (block size, compression, holes, etc.) might change the result. Use `stat` instead for a more reproducible result. Note that I've changed 900 (KiB) to 900000 (bytes) which is in fact not correct (900 KiB is 921600 bytes), but I assumed a human-readable round number works better here. I've updated the comment to say kB instead of KiB. Fixes https://bugzilla.redhat.com/2143393	2023-04-06 19:14:06 +02:00
Miro Hrončok	72c544c1fb	CI: Add Python 3.11 and 3.12	2022-11-16 17:33:36 +01:00
Miro Hrončok	8673e04614	Make python-setuptools-wheel compatible with Python 3.12.0a2+ Make SETUPTOOLS_USE_DISTUTILS=local the default for Python 3.12+	2022-11-16 16:07:08 +01:00