rpms/python-setuptools
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2025-47273

Browse Source 
Resolves: RHEL-96802
This commit is contained in:
Tomáš Hrnčiar 2025-06-18 15:18:44 +02:00
parent c7ec50811c
commit 1dc86c5770
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
CVE-2025-47273.patch Normal file
View File

@ -0,0 +1,30 @@
From ff1c62ede76e29a9d00bbbad266afa59ee153e51 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Sat, 19 Apr 2025 13:03:47 -0400
Subject: [PATCH] Add a check to ensure the name resolves relative to the
tmpdir.
Closes #4946
---
setuptools/package_index.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 1d3e5b4..79953f8 100755
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -808,6 +808,10 @@ class PackageIndex(Environment):
filename = os.path.join(tmpdir, name)
+ # ensure path resolves within the tmpdir
+ if not filename.startswith(str(tmpdir)):
+ raise ValueError("Invalid filename {filename}".format(filename = filename))
+
# Download the file
#
if scheme == 'svn' or scheme.startswith('svn+'):
--
2.49.0

12
python-setuptools.spec
View File

@ -35,7 +35,7 @@
Name: python-setuptools Name: python-setuptools
Version: 39.2.0 Version: 39.2.0
Release: 8%{?dist} Release: 9%{?dist}
Summary: Easily build and distribute Python packages Summary: Easily build and distribute Python packages
Group: Applications/System Group: Applications/System
@ -61,6 +61,12 @@ Patch1: CVE-2022-40897.patch
# Patch simplified because upstream doesn't support SVN anymore. # Patch simplified because upstream doesn't support SVN anymore.
Patch2: CVE-2024-6345.patch Patch2: CVE-2024-6345.patch
# Security fix for CVE-2025-47273
# Path traversal in PackageIndex.download leads to Arbitrary File Write
# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
Patch3: CVE-2025-47273.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: gcc BuildRequires: gcc
@ -316,6 +322,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
%changelog %changelog
* Wed Jun 18 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 39.2.0-9
- Security fix for CVE-2025-47273
Resolves: RHEL-96802
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 39.2.0-8 * Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 39.2.0-8
- Security fix for CVE-2024-6345 - Security fix for CVE-2024-6345
Resolves: RHEL-50470 Resolves: RHEL-50470