diff --git a/CVE-2025-47273.patch b/CVE-2025-47273.patch new file mode 100644 index 0000000..1311119 --- /dev/null +++ b/CVE-2025-47273.patch @@ -0,0 +1,30 @@ +From ff1c62ede76e29a9d00bbbad266afa59ee153e51 Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 13:03:47 -0400 +Subject: [PATCH] Add a check to ensure the name resolves relative to the + tmpdir. + +Closes #4946 + +--- + setuptools/package_index.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 1d3e5b4..79953f8 100755 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -808,6 +808,10 @@ class PackageIndex(Environment): + + filename = os.path.join(tmpdir, name) + ++ # ensure path resolves within the tmpdir ++ if not filename.startswith(str(tmpdir)): ++ raise ValueError("Invalid filename {filename}".format(filename = filename)) ++ + # Download the file + # + if scheme == 'svn' or scheme.startswith('svn+'): +-- +2.49.0 + diff --git a/python-setuptools.spec b/python-setuptools.spec index fc13514..ac5d07a 100644 --- a/python-setuptools.spec +++ b/python-setuptools.spec @@ -35,7 +35,7 @@ Name: python-setuptools Version: 39.2.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Easily build and distribute Python packages Group: Applications/System @@ -61,6 +61,12 @@ Patch1: CVE-2022-40897.patch # Patch simplified because upstream doesn't support SVN anymore. Patch2: CVE-2024-6345.patch +# Security fix for CVE-2025-47273 +# Path traversal in PackageIndex.download leads to Arbitrary File Write +# Upstream solution: https://github.com/pypa/setuptools/pull/4951/ +Patch3: CVE-2025-47273.patch + + BuildArch: noarch BuildRequires: gcc @@ -316,6 +322,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore= %changelog +* Wed Jun 18 2025 Tomáš Hrnčiar - 39.2.0-9 +- Security fix for CVE-2025-47273 +Resolves: RHEL-96802 + * Wed Jul 24 2024 Lumír Balhar - 39.2.0-8 - Security fix for CVE-2024-6345 Resolves: RHEL-50470