From 09fe8bbefb5ce85e6699a51844564dbbd8959aa6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 21 Feb 2023 08:47:25 +0000
Subject: [PATCH] import python-setuptools-39.2.0-6.el8_7.1
---
SOURCES/CVE-2022-40897.patch | 30 ++++++++++++++++++++++++++++++
SPECS/python-setuptools.spec | 11 ++++++++++-
2 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/CVE-2022-40897.patch
diff --git a/SOURCES/CVE-2022-40897.patch b/SOURCES/CVE-2022-40897.patch
new file mode 100644
index 0000000..ab0612d
--- /dev/null
+++ b/SOURCES/CVE-2022-40897.patch
@@ -0,0 +1,30 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index b6407be..bdcf4a6 100755
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -212,7 +212,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 63b9294..49bd819 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -223,6 +223,12 @@ class TestPackageIndex:
+ assert dists[0].version == ''
+ assert dists[1].version == vc
+
++ def test_REL_DoS(self):
++ """
++ REL should not hang on a contrived attack string.
++ """
++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
++
+
+ class TestContentCheckers:
+ def test_md5(self):
diff --git a/SPECS/python-setuptools.spec b/SPECS/python-setuptools.spec
index 202ffcd..7a158b7 100644
--- a/SPECS/python-setuptools.spec
+++ b/SPECS/python-setuptools.spec
@@ -35,7 +35,7 @@ Name: python-setuptools
Version: 39.2.0
-Release: 6%{?dist}
+Release: 6%{?dist}.1
Summary: Easily build and distribute Python packages
Group: Applications/System
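Review bot: `test_REL_DoS` in the nested test_packageindex.py hunk asserts nothing and carries no time bound, so if the REL regex ever regresses the effect is a hung test run rather than a failing test, and a passing run proves only that the call returned. Pinning the expected outcome costs one line, `assert setuptools.package_index.REL.search('< rel=' + ' ' * 2**12) is None`, since the contrived string contains no closing `>` and the narrowed `[^'" >]+` group cannot match a run of spaces; this presumes `setuptools` is imported at the top of the test module, which lies outside the hunk, as does the start of `TestPackageIndex`. The new patch file also has no header of its own: the only provenance (upstream commit 43a9c9bfa6aa626ec2a22540bea28d2ca77964be) lives in a spec comment, so a two-line preamble in CVE-2022-40897.patch naming the CVE and that commit would let anyone auditing SOURCES/ trace the backport without opening the spec.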
@@ -49,6 +49,11 @@ Source0: https://files.pythonhosted.org/packages/source/s/%{srcname}/%{sr
# https://bugzilla.redhat.com/show_bug.cgi?id=1576924
Patch0: create-site-packages.patch
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch1: CVE-2022-40897.patch
+
BuildArch: noarch
BuildRequires: gcc
@@ -304,6 +309,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
%changelog
+* Wed Jan 11 2023 Charalampos Stratakis - 39.2.0-6.1
+- Security fix for CVE-2022-40897
+Resolves: rhbz#2158559
+
* Wed Mar 25 2020 Charalampos Stratakis - 39.2.0-6
- Create /usr/local/lib/pythonX.Y when needed
Resolves: rhbz#1808301
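Review bot: `Patch1: CVE-2022-40897.patch` only registers the file as a source; nothing in this commit touches `%prep`, so unless that section (outside the hunk) already uses `%autosetup`/`%autopatch`, the patch is never applied and the rebuilt package would carry the changelog entry claiming the fix while still shipping the original `\s*=\s*` regex. Please confirm that `%prep` applies it, with `%patch1 -p1` if patches are applied explicitly (the nested patch uses `a/setuptools/...` paths, so strip level 1 is the correct one), and that the `%check` invocation visible in the last hunk's context still runs test_packageindex.py, so an unapplied patch surfaces as a hung or failed build rather than a silent no-op.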