rpms
/
python-setuptools
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-setuptools-39.2.0-6.el8_7.1

This commit is contained in:
CentOS Sources 2023-02-21 08:47:25 +00:00 committed by Stepan Oksanichenko
parent e4b1c3a079
commit 09fe8bbefb
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
SOURCES/CVE-2022-40897.patch Normal file
View File

@ -0,0 +1,30 @@
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index b6407be..bdcf4a6 100755
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -212,7 +212,7 @@ def unique_values(func):
return wrapper
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
# this line is here to fix emacs' cruddy broken syntax highlighting
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index 63b9294..49bd819 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -223,6 +223,12 @@ class TestPackageIndex:
assert dists[0].version == ''
assert dists[1].version == vc
+ def test_REL_DoS(self):
+ """
+ REL should not hang on a contrived attack string.
+ """
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
+
class TestContentCheckers:
def test_md5(self):

11
SPECS/python-setuptools.spec
View File

@ -35,7 +35,7 @@
Name: python-setuptools
Version: 39.2.0
Release: 6%{?dist}
Release: 6%{?dist}.1
Summary: Easily build and distribute Python packages
Group: Applications/System
@ -49,6 +49,11 @@ Source0: https://files.pythonhosted.org/packages/source/s/%{srcname}/%{sr
# https://bugzilla.redhat.com/show_bug.cgi?id=1576924
Patch0: create-site-packages.patch
# Security fix for CVE-2022-40897
# Regular Expression Denial of Service (ReDoS) in package_index.py
# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
Patch1: CVE-2022-40897.patch
BuildArch: noarch
BuildRequires: gcc
@ -304,6 +309,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
%changelog
* Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 39.2.0-6.1
- Security fix for CVE-2022-40897
Resolves: rhbz#2158559
* Wed Mar 25 2020 Charalampos Stratakis <cstratak@redhat.com> - 39.2.0-6
- Create /usr/local/lib/pythonX.Y when needed
Resolves: rhbz#1808301