From 5ff1c6e9f435ea18f1a2f50af85480f61fdc89b2 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Feb 2023 07:53:56 +0000
Subject: [PATCH] import python-setuptools-53.0.0-10.el9_1.1

---
 SOURCES/CVE-2022-40897.patch | 28 ++++++++++++++++++++++++++++
 SPECS/python-setuptools.spec | 11 ++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/CVE-2022-40897.patch

diff --git a/SOURCES/CVE-2022-40897.patch b/SOURCES/CVE-2022-40897.patch
new file mode 100644
index 0000000..4e09c4f
--- /dev/null
+++ b/SOURCES/CVE-2022-40897.patch
@@ -0,0 +1,28 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..bc1e373 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,10 @@ class TestPyPIConfig:
+ cred = cfg.creds_by_repository['https://pypi.org']
+ assert cred.username == 'jaraco'
+ assert cred.password == 'pity%'
++
++@pytest.mark.timeout(1)
++def test_REL_DoS():
++ """
++ REL should not hang on a contrived attack string.
++ """
++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
diff --git a/SPECS/python-setuptools.spec b/SPECS/python-setuptools.spec
index 4e6698f..1871c67 100644
--- a/SPECS/python-setuptools.spec
+++ b/SPECS/python-setuptools.spec
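Review bot: The new `test_REL_DoS` only enforces its one-second bound when the pytest-timeout plugin is installed; without it `@pytest.mark.timeout(1)` is an unregistered marker that pytest merely warns about (or rejects under `--strict-markers`), so a regression would hang the run instead of failing it. Because the spec runs the suite via `%pytest` at build time, the build root needs `python3-pytest-timeout`, or the test should measure elapsed time itself, e.g. `t0 = time.monotonic(); setuptools.package_index.REL.search('< rel=' + ' ' * 2**12); assert time.monotonic() - t0 < 1`. The `REL` change is also a behavior change rather than pure hardening: `\s{0,10}` stops matching `rel` attributes with more than ten whitespace characters around `=`, and `[^'" >]+` now ends an unquoted value at the first space, so a comment above the pattern such as `# Bounded whitespace and no spaces in the attr value: avoids catastrophic backtracking (CVE-2022-40897)` would record why those limits exist.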
@@ -28,7 +28,7 @@ Name: python-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version: 53.0.0
-Release: 10%{?dist}
+Release: 10%{?dist}.1
 Summary: Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
@@ -55,6 +55,11 @@ Source0: %{pypi_source %{srcname} %{version}}
 # depends on the previous one
 Patch1: license-file-metadata.patch
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Patch3: CVE-2022-40897.patch
+
 BuildArch: noarch
 BuildRequires: python%{python3_pkgversion}-devel
@@ -225,6 +230,10 @@ PYTHONPATH=$(pwd) %pytest --ignore=pavement.py
 %changelog
+* Wed Jan 11 2023 Charalampos Stratakis - 53.0.0-10.1
+- Security fix for CVE-2022-40897
+Resolves: rhbz#2158559
+
 * Tue Feb 08 2022 Tomas Orsava - 53.0.0-10
 - Add automatically generated Obsoletes tag with the python39- prefix for smoother upgrade from RHEL8
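Review bot: Declaring `Patch3: CVE-2022-40897.patch` only applies the fix if `%prep` does so, and `%prep` is outside this hunk; if the spec uses explicit `%patch` lines rather than `%autosetup`, a matching `%patch3 -p1` must be added or the CVE fix is silently never applied. The jump from Patch1 to Patch3 is legal for rpm but deserves a one-line comment if no Patch2 exists, so the gap is not mistaken for a dropped patch. The patched test also relies on `pytest.mark.timeout(1)`, and the `BuildRequires` context shown here does not include `python3-pytest-timeout`; if the rest of the BuildRequires list (outside this hunk) does not pull it in, the marker is inert and the timeout guard is not enforced under the `%pytest` run visible in the later hunk header.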