Compare commits
2 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
162833cd0a | ||
|
b3c9e12e27 |
52
CVE-2022-40897.patch
Normal file
52
CVE-2022-40897.patch
Normal file
@ -0,0 +1,52 @@
|
||||
diff --git a/setup.cfg b/setup.cfg
|
||||
index 1578d5b..9b33a05 100644
|
||||
--- a/setup.cfg
|
||||
+++ b/setup.cfg
|
||||
@@ -49,6 +49,7 @@ testing =
|
||||
build[virtualenv]
|
||||
ini2toml[lite]>=0.9
|
||||
tomli-w>=1.0.0
|
||||
+ pytest-timeout
|
||||
testing-integration =
|
||||
pytest
|
||||
pytest-xdist
|
||||
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
||||
index 14881d2..63fdb05 100644
|
||||
--- a/setuptools/package_index.py
|
||||
+++ b/setuptools/package_index.py
|
||||
@@ -1,4 +1,5 @@
|
||||
-"""PyPI and direct package downloading"""
|
||||
+"""PyPI and direct package downloading."""
|
||||
+
|
||||
import sys
|
||||
import os
|
||||
import re
|
||||
@@ -197,8 +198,10 @@ def unique_values(func):
|
||||
return wrapper
|
||||
|
||||
|
||||
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
|
||||
-# this line is here to fix emacs' cruddy broken syntax highlighting
|
||||
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
|
||||
+"""
|
||||
+Regex for an HTML tag with 'rel="val"' attributes.
|
||||
+"""
|
||||
|
||||
|
||||
@unique_values
|
||||
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
|
||||
index 8e9435e..fc544c0 100644
|
||||
--- a/setuptools/tests/test_packageindex.py
|
||||
+++ b/setuptools/tests/test_packageindex.py
|
||||
@@ -308,3 +308,11 @@ class TestPyPIConfig:
|
||||
cred = cfg.creds_by_repository['https://pypi.org']
|
||||
assert cred.username == 'jaraco'
|
||||
assert cred.password == 'pity%'
|
||||
+
|
||||
+
|
||||
+@pytest.mark.timeout(1)
|
||||
+def test_REL_DoS():
|
||||
+ """
|
||||
+ REL should not hang on a contrived attack string.
|
||||
+ """
|
||||
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
|
@ -25,7 +25,7 @@
|
||||
Name: python-setuptools
|
||||
# When updating, update the bundled libraries versions bellow!
|
||||
Version: 62.6.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Easily build and distribute Python packages
|
||||
# setuptools is MIT
|
||||
# appdirs is MIT
|
||||
@ -43,11 +43,21 @@ Summary: Easily build and distribute Python packages
|
||||
# the setuptools logo is MIT
|
||||
License: MIT and ASL 2.0 and (BSD or ASL 2.0) and Python
|
||||
URL: https://pypi.python.org/pypi/%{srcname}
|
||||
# We require the sdist from PyPI to build the package and the
|
||||
# github tarball only for the bootstrap.egg-info directory.
|
||||
Source0: %{pypi_source %{srcname} %{version}}
|
||||
Source1: https://github.com/pypa/%{srcname}/archive/v%{version}/%{srcname}-%{version}-github.tar.gz
|
||||
|
||||
# Some test deps are optional and either not desired or not available in Fedora, thus this patch removes them.
|
||||
Patch: Remove-optional-or-unpackaged-test-deps.patch
|
||||
|
||||
# Security fix for CVE-2022-40897
|
||||
# Regular Expression Denial of Service (ReDoS) in package_index.py
|
||||
# Resolved upstream:
|
||||
# https://github.com/pypa/setuptools/commit/579134321d4d9397c886a5cb50cc26d0e3fa4279
|
||||
# https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
|
||||
Patch: CVE-2022-40897.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: python%{python3_pkgversion}-devel
|
||||
@ -129,12 +139,13 @@ A Python wheel of setuptools to use with venv.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{srcname}-%{version}
|
||||
%if %{without bootstrap}
|
||||
# If we don't have setuptools installed yet, we use the pre-generated .egg-info
|
||||
# See https://github.com/pypa/setuptools/pull/2543
|
||||
# And https://github.com/pypa/setuptools/issues/2550
|
||||
# Removing the egg-info directory breaks the build since Python 3.11.1,
|
||||
# but we workaround the issue by utilizing the bootstrap.egg-info
|
||||
# directory from the github tarball.
|
||||
# see https://github.com/pypa/setuptools/issues/3761
|
||||
rm -r %{srcname}.egg-info
|
||||
%endif
|
||||
# Extract the bootstrap.egg-info from the github tarball
|
||||
tar -xzf %{SOURCE1} --strip=1 setuptools-%{version}/bootstrap.egg-info
|
||||
|
||||
# Strip shbang
|
||||
find setuptools pkg_resources -name \*.py | xargs sed -i -e '1 {/^#!\//d}'
|
||||
@ -231,6 +242,10 @@ PYTHONPATH=$(pwd) %pytest \
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Apr 19 2023 Charalampos Stratakis <cstratak@redhat.com> - 62.6.0-3
|
||||
- Security fix for CVE-2022-40897
|
||||
- Fixes: rhbz#2158677
|
||||
|
||||
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 62.6.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
|
1
sources
1
sources
@ -1 +1,2 @@
|
||||
SHA512 (setuptools-62.6.0-github.tar.gz) = 7fcd4e2d8ee7c070f46633a5804ecb328420e4e40ad6835591a11e0ad8842bddb5e4bb8b83b136d32116645070123ac3daeb318d290314e77a409b2fb39554e5
|
||||
SHA512 (setuptools-62.6.0.tar.gz) = d67c438d507fc7959162b5e8c2a15e9c36d37e5cd7052e16eeb58d8a9bcf19b725a0e7b840e101500799d725bbc4c1872d0f79eead66a538e891cc7cfbe3d979
|
||||
|
Loading…
Reference in New Issue
Block a user