Compare commits

..

No commits in common. "c8-beta" and "c8" have entirely different histories.
c8-beta ... c8

2 changed files with 95 additions and 1 deletions

View File

@ -0,0 +1,83 @@
From 8af1b3e03edc8a38565558aff3bf1689c1ca3545 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 26 Jul 2024 13:49:11 +0200
Subject: [PATCH] CVE-2024-6345
---
setuptools/package_index.py | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index bdcf4a6..1d3e5b4 100755
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -1,4 +1,5 @@
"""PyPI and direct package downloading"""
+import subprocess
import sys
import os
import re
@@ -848,7 +849,7 @@ class PackageIndex(Environment):
def _download_svn(self, url, filename):
url = url.split('#', 1)[0] # remove any fragment for svn's sake
- creds = ''
+ creds = []
if url.lower().startswith('svn:') and '@' in url:
scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
if not netloc and path.startswith('//') and '/' in path[2:]:
@@ -857,14 +858,14 @@ class PackageIndex(Environment):
if auth:
if ':' in auth:
user, pw = auth.split(':', 1)
- creds = " --username=%s --password=%s" % (user, pw)
+ creds = ["--username=" + user, "--password=" + pw]
else:
- creds = " --username=" + auth
+ creds = ["--username=" + auth]
netloc = host
parts = scheme, netloc, url, p, q, f
url = urllib.parse.urlunparse(parts)
self.info("Doing subversion checkout from %s to %s", url, filename)
- os.system("svn checkout%s -q %s %s" % (creds, url, filename))
+ subprocess.check_call(["svn", "checkout"] + creds + ["-q", url, filename])
return filename
@staticmethod
@@ -890,14 +891,11 @@ class PackageIndex(Environment):
url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
self.info("Doing git clone from %s to %s", url, filename)
- os.system("git clone --quiet %s %s" % (url, filename))
+ subprocess.check_call(["git", "clone", "--quiet", url, filename])
if rev is not None:
self.info("Checking out %s", rev)
- os.system("(cd %s && git checkout --quiet %s)" % (
- filename,
- rev,
- ))
+ subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
return filename
@@ -906,14 +904,11 @@ class PackageIndex(Environment):
url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
self.info("Doing hg clone from %s to %s", url, filename)
- os.system("hg clone --quiet %s %s" % (url, filename))
+ subprocess.check_call(["hg", "clone", "--quiet", url, filename])
if rev is not None:
self.info("Updating to %s", rev)
- os.system("(cd %s && hg up -C -r %s -q)" % (
- filename,
- rev,
- ))
+ subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
return filename
--
2.45.2

View File

@ -35,7 +35,7 @@
Name: python-setuptools Name: python-setuptools
Version: 39.2.0 Version: 39.2.0
Release: 7%{?dist} Release: 8%{?dist}
Summary: Easily build and distribute Python packages Summary: Easily build and distribute Python packages
Group: Applications/System Group: Applications/System
@ -54,6 +54,13 @@ Patch0: create-site-packages.patch
# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be # Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
Patch1: CVE-2022-40897.patch Patch1: CVE-2022-40897.patch
# Security fix for CVE-2024-6345
# Remote code execution via download functions in the package_index module
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
# Upstream solution: https://github.com/pypa/setuptools/pull/4332
# Patch simplified because upstream doesn't support SVN anymore.
Patch2: CVE-2024-6345.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: gcc BuildRequires: gcc
@ -309,6 +316,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
%changelog %changelog
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 39.2.0-8
- Security fix for CVE-2024-6345
Resolves: RHEL-50470
* Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 39.2.0-7 * Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 39.2.0-7
- Security fix for CVE-2022-40897 - Security fix for CVE-2022-40897
Resolves: rhbz#2158559 Resolves: rhbz#2158559