From 422fdc45f4f1721e9cfe169be4df4751fddc82bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= Date: Wed, 18 Jun 2025 15:18:44 +0200 Subject: [PATCH] Security fix for CVE-2025-47273 Resolves: RHEL-96800 --- CVE-2025-47273.patch | 29 +++++++++++++++++++++++++++++ python-setuptools.spec | 6 ++++++ 2 files changed, 35 insertions(+) create mode 100644 CVE-2025-47273.patch diff --git a/CVE-2025-47273.patch b/CVE-2025-47273.patch new file mode 100644 index 0000000..b06b59a --- /dev/null +++ b/CVE-2025-47273.patch @@ -0,0 +1,29 @@ +From 19d6fa7fcb22aef8192dcbc0adb920c12cb6a648 Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 13:03:47 -0400 +Subject: [PATCH] Add a check to ensure the name resolves relative to the + tmpdir. + +Closes #4946 +--- + setuptools/package_index.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index f52592a..ebafe9f 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -828,6 +828,10 @@ class PackageIndex(Environment): + + filename = os.path.join(tmpdir, name) + ++ # ensure path resolves within the tmpdir ++ if not filename.startswith(str(tmpdir)): ++ raise ValueError(f"Invalid filename {filename}") ++ + # Download the file + # + if scheme == 'svn' or scheme.startswith('svn+'): +-- +2.49.0 + diff --git a/python-setuptools.spec b/python-setuptools.spec index ba45fa2..f4a1eb3 100644 --- a/python-setuptools.spec +++ b/python-setuptools.spec @@ -52,6 +52,12 @@ Patch: Adjust-the-setup.py-install-deprecation-message.patch # Patch simplified because upstream doesn't support SVN anymore. Patch: CVE-2024-6345.patch +# Security fix for CVE-2025-47273 +# Path traversal in PackageIndex.download leads to Arbitrary File Write +# Upstream solution: https://github.com/pypa/setuptools/pull/4951/ +Patch: CVE-2025-47273.patch + + BuildArch: noarch BuildRequires: python%{python3_pkgversion}-devel