From 5e2bf3fc7347da7773e11a5dfe9e243979450bbb Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 09:03:29 +0000 Subject: [PATCH] import python-setuptools-39.2.0-7.el8 --- SOURCES/CVE-2022-40897.patch | 30 ++++++++++++++++++++++++++++++ SPECS/python-setuptools.spec | 11 ++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2022-40897.patch diff --git a/SOURCES/CVE-2022-40897.patch b/SOURCES/CVE-2022-40897.patch new file mode 100644 index 0000000..ab0612d --- /dev/null +++ b/SOURCES/CVE-2022-40897.patch @@ -0,0 +1,30 @@ +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index b6407be..bdcf4a6 100755 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -212,7 +212,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py +index 63b9294..49bd819 100644 +--- a/setuptools/tests/test_packageindex.py ++++ b/setuptools/tests/test_packageindex.py +@@ -223,6 +223,12 @@ class TestPackageIndex: + assert dists[0].version == '' + assert dists[1].version == vc + ++ def test_REL_DoS(self): ++ """ ++ REL should not hang on a contrived attack string. ++ """ ++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12) ++ + + class TestContentCheckers: + def test_md5(self): diff --git a/SPECS/python-setuptools.spec b/SPECS/python-setuptools.spec index 202ffcd..38b5848 100644 --- a/SPECS/python-setuptools.spec +++ b/SPECS/python-setuptools.spec @@ -35,7 +35,7 @@ Name: python-setuptools Version: 39.2.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Easily build and distribute Python packages Group: Applications/System @@ -49,6 +49,11 @@ Source0: https://files.pythonhosted.org/packages/source/s/%{srcname}/%{sr # https://bugzilla.redhat.com/show_bug.cgi?id=1576924 Patch0: create-site-packages.patch +# Security fix for CVE-2022-40897 +# Regular Expression Denial of Service (ReDoS) in package_index.py +# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be +Patch1: CVE-2022-40897.patch + BuildArch: noarch BuildRequires: gcc @@ -304,6 +309,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore= %changelog +* Wed Jan 11 2023 Charalampos Stratakis - 39.2.0-7 +- Security fix for CVE-2022-40897 +Resolves: rhbz#2158559 + * Wed Mar 25 2020 Charalampos Stratakis - 39.2.0-6 - Create /usr/local/lib/pythonX.Y when needed Resolves: rhbz#1808301