SOURCES/CVE-2024-6345.patch

@@ -1,83 +0,0 @@
-From 8af1b3e03edc8a38565558aff3bf1689c1ca3545 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Fri, 26 Jul 2024 13:49:11 +0200
-Subject: [PATCH] CVE-2024-6345
-
----
- setuptools/package_index.py | 23 +++++++++--------------
- 1 file changed, 9 insertions(+), 14 deletions(-)
-
-diff --git a/setuptools/package_index.py b/setuptools/package_index.py
-index bdcf4a6..1d3e5b4 100755
---- a/setuptools/package_index.py
-+++ b/setuptools/package_index.py
-@@ -1,4 +1,5 @@
- """PyPI and direct package downloading"""
-+import subprocess
- import sys
- import os
- import re
-@@ -848,7 +849,7 @@ class PackageIndex(Environment):
- 
-     def _download_svn(self, url, filename):
-         url = url.split('#', 1)[0]  # remove any fragment for svn's sake
--        creds = ''
-+        creds = []
-         if url.lower().startswith('svn:') and '@' in url:
-             scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
-             if not netloc and path.startswith('//') and '/' in path[2:]:
-@@ -857,14 +858,14 @@ class PackageIndex(Environment):
-                 if auth:
-                     if ':' in auth:
-                         user, pw = auth.split(':', 1)
--                        creds = " --username=%s --password=%s" % (user, pw)
-+                        creds = ["--username=" + user, "--password=" + pw]
-                     else:
--                        creds = " --username=" + auth
-+                        creds = ["--username=" + auth]
-                     netloc = host
-                     parts = scheme, netloc, url, p, q, f
-                     url = urllib.parse.urlunparse(parts)
-         self.info("Doing subversion checkout from %s to %s", url, filename)
--        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
-+        subprocess.check_call(["svn", "checkout"] + creds + ["-q", url, filename])
-         return filename
- 
-     @staticmethod
-@@ -890,14 +891,11 @@ class PackageIndex(Environment):
-         url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
- 
-         self.info("Doing git clone from %s to %s", url, filename)
--        os.system("git clone --quiet %s %s" % (url, filename))
-+        subprocess.check_call(["git", "clone", "--quiet", url, filename])
- 
-         if rev is not None:
-             self.info("Checking out %s", rev)
--            os.system("(cd %s && git checkout --quiet %s)" % (
--                filename,
--                rev,
--            ))
-+            subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
- 
-         return filename
- 
-@@ -906,14 +904,11 @@ class PackageIndex(Environment):
-         url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
- 
-         self.info("Doing hg clone from %s to %s", url, filename)
--        os.system("hg clone --quiet %s %s" % (url, filename))
-+        subprocess.check_call(["hg", "clone", "--quiet", url, filename])
- 
-         if rev is not None:
-             self.info("Updating to %s", rev)
--            os.system("(cd %s && hg up -C -r %s -q)" % (
--                filename,
--                rev,
--            ))
-+            subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
- 
-         return filename
- 
--- 
-2.45.2
-

SOURCES/CVE-2025-47273.patch

@@ -1,30 +0,0 @@
-From ff1c62ede76e29a9d00bbbad266afa59ee153e51 Mon Sep 17 00:00:00 2001
-From: "Jason R. Coombs" <jaraco@jaraco.com>
-Date: Sat, 19 Apr 2025 13:03:47 -0400
-Subject: [PATCH] Add a check to ensure the name resolves relative to     the
- tmpdir.
-
-Closes #4946
-
----
- setuptools/package_index.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/setuptools/package_index.py b/setuptools/package_index.py
-index 1d3e5b4..79953f8 100755
---- a/setuptools/package_index.py
-+++ b/setuptools/package_index.py
-@@ -808,6 +808,10 @@ class PackageIndex(Environment):
- 
-         filename = os.path.join(tmpdir, name)
- 
-+        # ensure path resolves within the tmpdir
-+        if not filename.startswith(str(tmpdir)):
-+            raise ValueError("Invalid filename {filename}".format(filename = filename))
-+
-         # Download the file
-         #
-         if scheme == 'svn' or scheme.startswith('svn+'):
--- 
-2.49.0
-

SPECS/python-setuptools.spec

@@ -35,7 +35,7 @@
 
 Name:           python-setuptools
 Version:        39.2.0
-Release:        9%{?dist}
+Release:        7%{?dist}
 Summary:        Easily build and distribute Python packages
 
 Group:          Applications/System
@@ -54,19 +54,6 @@ Patch0:         create-site-packages.patch
 # Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
 Patch1:         CVE-2022-40897.patch
 
-# Security fix for CVE-2024-6345
-# Remote code execution via download functions in the package_index module
-# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
-# Upstream solution: https://github.com/pypa/setuptools/pull/4332
-# Patch simplified because upstream doesn't support SVN anymore.
-Patch2:         CVE-2024-6345.patch
-
-# Security fix for CVE-2025-47273
-# Path traversal in PackageIndex.download leads to Arbitrary File Write
-# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
-Patch3:         CVE-2025-47273.patch
-
-
 BuildArch:      noarch
 
 BuildRequires:  gcc
@@ -322,14 +309,6 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
 
 
 %changelog
-* Wed Jun 18 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 39.2.0-9
-- Security fix for CVE-2025-47273
-Resolves: RHEL-96802
-
-* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 39.2.0-8
-- Security fix for CVE-2024-6345
-Resolves: RHEL-50470
-
 * Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 39.2.0-7
 - Security fix for CVE-2022-40897
 Resolves: rhbz#2158559