import UBI python-setuptools-53.0.0-13.el9_6.1

This commit is contained in:
eabdullin 2025-07-07 15:28:55 +00:00
parent 58d080a4a0
commit 1af50a3ce4
2 changed files with 40 additions and 1 deletions

View File

@ -0,0 +1,29 @@
From 19d6fa7fcb22aef8192dcbc0adb920c12cb6a648 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Sat, 19 Apr 2025 13:03:47 -0400
Subject: [PATCH] Add a check to ensure the name resolves relative to the
tmpdir.
Closes #4946
---
setuptools/package_index.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index f52592a..ebafe9f 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -828,6 +828,10 @@ class PackageIndex(Environment):
filename = os.path.join(tmpdir, name)
+ # ensure path resolves within the tmpdir
+ if not filename.startswith(str(tmpdir)):
+ raise ValueError(f"Invalid filename {filename}")
+
# Download the file
#
if scheme == 'svn' or scheme.startswith('svn+'):
--
2.49.0

View File

@ -28,7 +28,7 @@
Name: python-setuptools
# When updating, update the bundled libraries versions bellow!
Version: 53.0.0
Release: 13%{?dist}
Release: 13%{?dist}.1
Summary: Easily build and distribute Python packages
# setuptools is MIT
# appdirs is MIT
@ -71,6 +71,12 @@ Patch3: CVE-2022-40897.patch
# Patch simplified because upstream doesn't support SVN anymore.
Patch4: CVE-2024-6345.patch
# Security fix for CVE-2025-47273
# Path traversal in PackageIndex.download leads to Arbitrary File Write
# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
Patch5: CVE-2025-47273.patch
BuildArch: noarch
BuildRequires: python%{python3_pkgversion}-devel
@ -241,6 +247,10 @@ PYTHONPATH=$(pwd) %pytest --ignore=pavement.py
%changelog
* Thu Jun 19 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 53.0.0-13.1
- Security fix for CVE-2025-47273
Resolves: RHEL-96807
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 53.0.0-13
- Security fix for CVE-2024-6345
Resolves: RHEL-49978