Security fix for CVE-2025-47273
Resolves: RHEL-96808
This commit is contained in:
parent
a05861aa91
commit
47ef17954e
29
CVE-2025-47273.patch
Normal file
29
CVE-2025-47273.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From 19d6fa7fcb22aef8192dcbc0adb920c12cb6a648 Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Sat, 19 Apr 2025 13:03:47 -0400
|
||||
Subject: [PATCH] Add a check to ensure the name resolves relative to the
|
||||
tmpdir.
|
||||
|
||||
Closes #4946
|
||||
---
|
||||
setuptools/package_index.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
||||
index f52592a..ebafe9f 100644
|
||||
--- a/setuptools/package_index.py
|
||||
+++ b/setuptools/package_index.py
|
||||
@@ -828,6 +828,10 @@ class PackageIndex(Environment):
|
||||
|
||||
filename = os.path.join(tmpdir, name)
|
||||
|
||||
+ # ensure path resolves within the tmpdir
|
||||
+ if not filename.startswith(str(tmpdir)):
|
||||
+ raise ValueError(f"Invalid filename {filename}")
|
||||
+
|
||||
# Download the file
|
||||
#
|
||||
if scheme == 'svn' or scheme.startswith('svn+'):
|
||||
--
|
||||
2.49.0
|
||||
|
@ -28,7 +28,7 @@
|
||||
Name: python-setuptools
|
||||
# When updating, update the bundled libraries versions bellow!
|
||||
Version: 53.0.0
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
Summary: Easily build and distribute Python packages
|
||||
# setuptools is MIT
|
||||
# appdirs is MIT
|
||||
@ -71,6 +71,12 @@ Patch3: CVE-2022-40897.patch
|
||||
# Patch simplified because upstream doesn't support SVN anymore.
|
||||
Patch4: CVE-2024-6345.patch
|
||||
|
||||
# Security fix for CVE-2025-47273
|
||||
# Path traversal in PackageIndex.download leads to Arbitrary File Write
|
||||
# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
|
||||
Patch5: CVE-2025-47273.patch
|
||||
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: python%{python3_pkgversion}-devel
|
||||
@ -245,6 +251,10 @@ PYTHONPATH=$(pwd) %pytest --ignore=pavement.py
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jun 18 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 53.0.0-15
|
||||
- Security fix for CVE-2025-47273
|
||||
Resolves: RHEL-96808
|
||||
|
||||
* Fri Mar 07 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 53.0.0-14
|
||||
- Make sure the INSTALLER is not pip and remove RECORD
|
||||
- Resolves: RHEL-82609
|
||||
|
Loading…
Reference in New Issue
Block a user