import python-setuptools-53.0.0-12.el9

2023-03-28 09:26:10 +00:00 · 2023-03-28 09:26:10 +00:00 · 4f855ff72f
parent 81a9de9a2c
commit 4f855ff72f
3 changed files with 216 additions and 1 deletions
--- a/SOURCES/2580.patch
+++ b/SOURCES/2580.patch
@ -0,0 +1,170 @@
+From 21b122e06969a9d85c65ce8276519d34da7dc747 Mon Sep 17 00:00:00 2001
+From: Melissa Li <li.melissa.kun@gmail.com>
+Date: Tue, 23 Feb 2021 21:23:35 -0500
+Subject: [PATCH 1/6] Preserve case-sensitive keys in setup.cfg
+
+---
+ setuptools/dist.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/setuptools/dist.py b/setuptools/dist.py
+index 050388de16..c31020f0c4 100644
+--- a/setuptools/dist.py
+++ b/setuptools/dist.py
+@@ -583,6 +583,7 @@ def _parse_config_files(self, filenames=None):  # noqa: C901
+             self.announce("Distribution.parse_config_files():")
+ 
+         parser = ConfigParser()
+        parser.optionxform = str
+         for filename in filenames:
+             with io.open(filename, encoding='utf-8') as reader:
+                 if DEBUG:
+
+From 90d8740c353ddf20c1c76d8c06cd923c19b8cc84 Mon Sep 17 00:00:00 2001
+From: Melissa Li <li.melissa.kun@gmail.com>
+Date: Tue, 23 Feb 2021 21:06:55 -0500
+Subject: [PATCH 2/6] Add case-sensitive entry point name test
+
+---
+ setuptools/tests/test_config.py | 34 +++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/setuptools/tests/test_config.py b/setuptools/tests/test_config.py
+index 1dee12718f..6cc1d0a46b 100644
+--- a/setuptools/tests/test_config.py
+++ b/setuptools/tests/test_config.py
+@@ -802,6 +802,40 @@ def test_entry_points(self, tmpdir):
+         with get_dist(tmpdir) as dist:
+             assert dist.entry_points == expected
+ 
+    def test_case_sensitive_entry_points(self, tmpdir):
+        _, config = fake_env(
+            tmpdir,
+            '[options.entry_points]\n'
+            'GROUP1 = point1 = pack.module:func, '
+            '.point2 = pack.module2:func_rest [rest]\n'
+            'group2 = point3 = pack.module:func2\n'
+        )
+
+        with get_dist(tmpdir) as dist:
+            assert dist.entry_points == {
+                'GROUP1': [
+                    'point1 = pack.module:func',
+                    '.point2 = pack.module2:func_rest [rest]',
+                ],
+                'group2': ['point3 = pack.module:func2']
+            }
+
+        expected = (
+            '[blogtool.parsers]\n'
+            '.rst = some.nested.module:SomeClass.some_classmethod[reST]\n'
+        )
+
+        tmpdir.join('entry_points').write(expected)
+
+        # From file.
+        config.write(
+            '[options]\n'
+            'entry_points = file: entry_points\n'
+        )
+
+        with get_dist(tmpdir) as dist:
+            assert dist.entry_points == expected
+
+     def test_data_files(self, tmpdir):
+         fake_env(
+             tmpdir,
+
+From 39659040bda0664ee08588ecd2faa41b4ea406a1 Mon Sep 17 00:00:00 2001
+From: Melissa Li <li.melissa.kun@gmail.com>
+Date: Wed, 24 Feb 2021 00:31:16 -0500
+Subject: [PATCH 3/6] Add change note
+
+---
+ changelog.d/1937.breaking.rst | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 changelog.d/1937.breaking.rst
+
+diff --git a/changelog.d/1937.breaking.rst b/changelog.d/1937.breaking.rst
+new file mode 100644
+index 0000000000..94dc739ab6
+--- /dev/null
+++ b/changelog.d/1937.breaking.rst
+@@ -0,0 +1 @@
+Preserved case-sensitivity of keys in setup.cfg so that entry point names are case-sensitive. Changed sensitivity of configparser -- by :user:`melissa-kun-li`
+\ No newline at end of file
+
+From 7f3e6d688e5ff080ee6bd7ccc6bd81a87c05cfd7 Mon Sep 17 00:00:00 2001
+From: Melissa Li <li.melissa.kun@gmail.com>
+Date: Wed, 24 Feb 2021 23:57:59 -0500
+Subject: [PATCH 4/6] Update test for case-sensitive entry point names
+
+---
+ setuptools/tests/test_config.py | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/setuptools/tests/test_config.py b/setuptools/tests/test_config.py
+index 6cc1d0a46b..649075609a 100644
+--- a/setuptools/tests/test_config.py
+++ b/setuptools/tests/test_config.py
+@@ -820,22 +820,6 @@ def test_case_sensitive_entry_points(self, tmpdir):
+                 'group2': ['point3 = pack.module:func2']
+             }
+ 
+-        expected = (
+-            '[blogtool.parsers]\n'
+-            '.rst = some.nested.module:SomeClass.some_classmethod[reST]\n'
+-        )
+-
+-        tmpdir.join('entry_points').write(expected)
+-
+-        # From file.
+-        config.write(
+-            '[options]\n'
+-            'entry_points = file: entry_points\n'
+-        )
+-
+-        with get_dist(tmpdir) as dist:
+-            assert dist.entry_points == expected
+-
+     def test_data_files(self, tmpdir):
+         fake_env(
+             tmpdir,
+
+From 11529db0de4081404b37fab17711660faa85abb8 Mon Sep 17 00:00:00 2001
+From: Melissa Li <li.melissa.kun@gmail.com>
+Date: Thu, 25 Feb 2021 00:00:23 -0500
+Subject: [PATCH 5/6] Update change log
+
+---
+ changelog.d/1937.change.rst | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 changelog.d/1937.change.rst
+
+diff --git a/changelog.d/1937.change.rst b/changelog.d/1937.change.rst
+new file mode 100644
+index 0000000000..acd4305968
+--- /dev/null
+++ b/changelog.d/1937.change.rst
+@@ -0,0 +1 @@
+Preserved case-sensitivity of keys in setup.cfg so that entry point names are case-sensitive. Changed sensitivity of configparser. NOTE: Any projects relying on case-insensitivity will need to adapt to accept the original case as published. -- by :user:`melissa-kun-li`
+\ No newline at end of file
+
+From 898a0b59427f143efe0bcc0cabf69007fb3ee439 Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Thu, 25 Feb 2021 08:57:04 -0500
+Subject: [PATCH 6/6] Remove 'breaking' changelog, superseded by 'change'.
+
+---
+ changelog.d/1937.breaking.rst | 1 -
+ 1 file changed, 1 deletion(-)
+ delete mode 100644 changelog.d/1937.breaking.rst
+
+diff --git a/changelog.d/1937.breaking.rst b/changelog.d/1937.breaking.rst
+deleted file mode 100644
+index 94dc739ab6..0000000000
+--- a/changelog.d/1937.breaking.rst
+++ /dev/null
+@@ -1 +0,0 @@
+-Preserved case-sensitivity of keys in setup.cfg so that entry point names are case-sensitive. Changed sensitivity of configparser -- by :user:`melissa-kun-li`
+\ No newline at end of file
--- a/SOURCES/CVE-2022-40897.patch
+++ b/SOURCES/CVE-2022-40897.patch
@ -0,0 +1,28 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..bc1e373 100644
+--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,10 @@ class TestPyPIConfig:
+         cred = cfg.creds_by_repository['https://pypi.org']
+         assert cred.username == 'jaraco'
+         assert cred.password == 'pity%'
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
--- a/SPECS/python-setuptools.spec
+++ b/SPECS/python-setuptools.spec
@ -28,7 +28,7 @@
 Name:           python-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version:        53.0.0
-Release:        10%{?dist}
+Release:        12%{?dist}
 Summary:        Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
@ -55,6 +55,15 @@ Source0:        %{pypi_source %{srcname} %{version}}
 # depends on the previous one
 Patch1:         license-file-metadata.patch

+# Fix case sensitivity of entry point names and keys in setup.cfg
+# Fixes https://bugzilla.redhat.com/2124281
+Patch2:         https://github.com/pypa/setuptools/pull/2580.patch
+
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch3:         CVE-2022-40897.patch
+
 BuildArch:      noarch

 BuildRequires:  python%{python3_pkgversion}-devel
@ -225,6 +234,14 @@ PYTHONPATH=$(pwd) %pytest --ignore=pavement.py


 %changelog
+* Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 53.0.0-12
+- Security fix for CVE-2022-40897
+Resolves: rhbz#2158559
+
+* Wed Sep 07 2022 Miro Hrončok <mhroncok@redhat.com> - 53.0.0-11
+- Fix case sensitivity of entry point names and keys in setup.cfg
+- Resolves: rhbz#2124281
+
 * Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 53.0.0-10
 - Add automatically generated Obsoletes tag with the python39- prefix
  for smoother upgrade from RHEL8