rpms/python-setuptools
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2022-40897

Browse Source 
Resolves: rhbz#2158559
This commit is contained in:
Charalampos Stratakis 2023-01-11 22:43:11 +01:00
parent 9885e7f7bf
commit 60833643c5
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2022-40897.patch Normal file
View File

@ -0,0 +1,28 @@
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 123e958..a90b810 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -215,7 +215,7 @@ def unique_values(func):
return wrapper
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
# this line is here to fix emacs' cruddy broken syntax highlighting
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index 8e9435e..bc1e373 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -308,3 +308,10 @@ class TestPyPIConfig:
cred = cfg.creds_by_repository['https://pypi.org']
assert cred.username == 'jaraco'
assert cred.password == 'pity%'
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+ """
+ REL should not hang on a contrived attack string.
+ """
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)

11
python-setuptools.spec
View File

@ -28,7 +28,7 @@
Name: python-setuptools Name: python-setuptools
# When updating, update the bundled libraries versions bellow! # When updating, update the bundled libraries versions bellow!
Version: 53.0.0 Version: 53.0.0
Release: 11%{?dist} Release: 12%{?dist}
Summary: Easily build and distribute Python packages Summary: Easily build and distribute Python packages
# setuptools is MIT # setuptools is MIT
# appdirs is MIT # appdirs is MIT
@ -59,6 +59,11 @@ Patch1: license-file-metadata.patch
# Fixes https://bugzilla.redhat.com/2124281 # Fixes https://bugzilla.redhat.com/2124281
Patch2: https://github.com/pypa/setuptools/pull/2580.patch Patch2: https://github.com/pypa/setuptools/pull/2580.patch
# Security fix for CVE-2022-40897
# Regular Expression Denial of Service (ReDoS) in package_index.py
# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
Patch3: CVE-2022-40897.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
@ -229,6 +234,10 @@ PYTHONPATH=$(pwd) %pytest --ignore=pavement.py
%changelog %changelog
* Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 53.0.0-12
- Security fix for CVE-2022-40897
Resolves: rhbz#2158559
* Wed Sep 07 2022 Miro Hrončok <mhroncok@redhat.com> - 53.0.0-11 * Wed Sep 07 2022 Miro Hrončok <mhroncok@redhat.com> - 53.0.0-11
- Fix case sensitivity of entry point names and keys in setup.cfg - Fix case sensitivity of entry point names and keys in setup.cfg
- Resolves: rhbz#2124281 - Resolves: rhbz#2124281