Security fix for CVE-2022-40897

Fixes: rhbz#2158677
Utilize the bootstrap.egg-info from the github tarball
2023-04-19 16:37:29 +02:00 · 2023-04-19 15:34:08 +02:00
3 changed files with 74 additions and 6 deletions
--- a/CVE-2022-40897.patch
+++ b/CVE-2022-40897.patch
@ -0,0 +1,52 @@
+diff --git a/setup.cfg b/setup.cfg
+index 1578d5b..9b33a05 100644
+--- a/setup.cfg
+++ b/setup.cfg
+@@ -49,6 +49,7 @@ testing =
+ 	build[virtualenv]
+ 	ini2toml[lite]>=0.9
+ 	tomli-w>=1.0.0
+	pytest-timeout
+ testing-integration = 
+ 	pytest
+ 	pytest-xdist
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 14881d2..63fdb05 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -1,4 +1,5 @@
+-"""PyPI and direct package downloading"""
+"""PyPI and direct package downloading."""
+
+ import sys
+ import os
+ import re
+@@ -197,8 +198,10 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+-# this line is here to fix emacs' cruddy broken syntax highlighting
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
+ 
+ 
+ @unique_values
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..fc544c0 100644
+--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,11 @@ class TestPyPIConfig:
+         cred = cfg.creds_by_repository['https://pypi.org']
+         assert cred.username == 'jaraco'
+         assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@ -25,7 +25,7 @@
 Name:           python-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version:        62.6.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
@ -43,11 +43,21 @@ Summary:        Easily build and distribute Python packages
 # the setuptools logo is MIT
 License:        MIT and ASL 2.0 and (BSD or ASL 2.0) and Python
 URL:            https://pypi.python.org/pypi/%{srcname}
+# We require the sdist from PyPI to build the package and the
+# github tarball only for the bootstrap.egg-info directory.
 Source0:        %{pypi_source %{srcname} %{version}}
+Source1:        https://github.com/pypa/%{srcname}/archive/v%{version}/%{srcname}-%{version}-github.tar.gz

 # Some test deps are optional and either not desired or not available in Fedora, thus this patch removes them.
 Patch:          Remove-optional-or-unpackaged-test-deps.patch

+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream:
+# https://github.com/pypa/setuptools/commit/579134321d4d9397c886a5cb50cc26d0e3fa4279
+# https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch:          CVE-2022-40897.patch
+
 BuildArch:      noarch

 BuildRequires:  python%{python3_pkgversion}-devel
@ -129,12 +139,13 @@ A Python wheel of setuptools to use with venv.

 %prep
 %autosetup -p1 -n %{srcname}-%{version}
-%if %{without bootstrap}
-# If we don't have setuptools installed yet, we use the pre-generated .egg-info
-# See https://github.com/pypa/setuptools/pull/2543
-# And https://github.com/pypa/setuptools/issues/2550
+# Removing the egg-info directory breaks the build since Python 3.11.1,
+# but we workaround the issue by utilizing the bootstrap.egg-info
+# directory from the github tarball.
+#          see https://github.com/pypa/setuptools/issues/3761
 rm -r %{srcname}.egg-info
-%endif
+# Extract the bootstrap.egg-info from the github tarball
+tar -xzf %{SOURCE1} --strip=1 setuptools-%{version}/bootstrap.egg-info

 # Strip shbang
 find setuptools pkg_resources -name \*.py | xargs sed -i -e '1 {/^#!\//d}'
@ -231,6 +242,10 @@ PYTHONPATH=$(pwd) %pytest \


 %changelog
+* Wed Apr 19 2023 Charalampos Stratakis <cstratak@redhat.com> - 62.6.0-3
+- Security fix for CVE-2022-40897
+- Fixes: rhbz#2158677
+
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 62.6.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

--- a/1
+++ b/1
@ -1 +1,2 @@
+SHA512 (setuptools-62.6.0-github.tar.gz) = 7fcd4e2d8ee7c070f46633a5804ecb328420e4e40ad6835591a11e0ad8842bddb5e4bb8b83b136d32116645070123ac3daeb318d290314e77a409b2fb39554e5
 SHA512 (setuptools-62.6.0.tar.gz) = d67c438d507fc7959162b5e8c2a15e9c36d37e5cd7052e16eeb58d8a9bcf19b725a0e7b840e101500799d725bbc4c1872d0f79eead66a538e891cc7cfbe3d979