diff --git a/SOURCES/CVE-2022-40898.patch b/SOURCES/CVE-2022-40898.patch
new file mode 100644
index 0000000..60d79ee
--- /dev/null
+++ b/SOURCES/CVE-2022-40898.patch
@@ -0,0 +1,82 @@ +From 6c17cfae46efc6ff71bb58c8d1c87b86fdb3c668 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= +Date: Thu, 20 Oct 2022 17:13:23 +0300 +Subject: [PATCH 1/2] Fixed potential DoS attack via WHEEL_INFO_RE + +--- + src/wheel/wheelfile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 3ee97dd..3c3d9f5 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode, + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P(?P.+?)-(?P.+?))(-(?P\d[^-]*))? +- -(?P.+?)-(?P.+?)-(?P.+?)\.whl$""", ++ r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))? ++ -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""", + re.VERBOSE) + + +-- +2.39.2 + + +From 22dcf5ec8f17771117f512b48d46c92a95f2d109 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= +Date: Sat, 5 Nov 2022 01:17:22 +0200 +Subject: [PATCH 2/2] Fixed parsing of wheel file names with multiple platform + tags + +Fixes #485. +--- + src/wheel/wheelfile.py | 4 ++-- + tests/test_wheelfile.py | 13 ++++++++++--- + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 3c3d9f5..bce7ab3 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode, + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))? +- -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""", ++ r"""^(?P(?P[^\s-]+?)-(?P[^\s-]+?))(-(?P\d[^\s-]*))? 
++ -(?P[^\s-]+?)-(?P[^\s-]+?)-(?P\S+)\.whl$""", + re.VERBOSE) + + +diff --git a/tests/test_wheelfile.py b/tests/test_wheelfile.py +index db11bcd..69225f8 100644 +--- a/tests/test_wheelfile.py ++++ b/tests/test_wheelfile.py +@@ -16,9 +16,16 @@ def wheel_path(tmpdir): + return str(tmpdir.join('test-1.0-py2.py3-none-any.whl')) + + +-def test_wheelfile_re(tmpdir): +- # Regression test for #208 +- path = tmpdir.join('foo-2-py3-none-any.whl') ++@pytest.mark.parametrize( ++ "filename", ++ [ ++ "foo-2-py3-none-any.whl", ++ "foo-2-py2.py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", ++ ], ++) ++def test_wheelfile_re(filename, tmpdir): ++ # Regression test for #208 and #485 ++ path = tmpdir.join(filename) + with WheelFile(str(path), 'w') as wf: + assert wf.parsed_filename.group('namever') == 'foo-2' + +-- +2.39.2 + diff --git a/SPECS/python-wheel.spec b/SPECS/python-wheel.spec index 8e7a3fd..c2ee916 100644 --- a/SPECS/python-wheel.spec +++ b/SPECS/python-wheel.spec @@ -18,7 +18,7 @@ Name: python-%{pypi_name} Version: 0.36.2 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 1 Summary: Built-package format for Python @@ -28,6 +28,13 @@ URL: https://github.com/pypa/wheel Source0: %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz BuildArch: noarch +# Security fix for CVE-2022-40898 +# Regex Fix which causes regression in wheel filename parsing: +# https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0 +# Wheel filename regression fix: +# https://github.com/pypa/wheel/commit/44193907eb308930de05deed863fb4d157c5c866 +Patch: CVE-2022-40898.patch + BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools 
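Review bot: The two upstream commit hashes cited in the new comment block of the `@@ -28,6 +28,13 @@` hunk (`88f02bc335d5404991e532e7f3b0fc80437bf4e0` and `44193907eb308930de05deed863fb4d157c5c866`) do not match the `From` hashes carried by the vendored SOURCES/CVE-2022-40898.patch (`6c17cfae46efc6ff71bb58c8d1c87b86fdb3c668` and `22dcf5ec8f17771117f512b48d46c92a95f2d109`), so anyone auditing the CVE-2022-40898 fix cannot verify the shipped patch against the commits the spec points to; presumably the patch was exported from the PR branch before the merge rewrote the hashes. Either cite the hashes the patch actually carries or say so explicitly, e.g. `# Backport of the upstream commits below; patch exported from the PR branch as 6c17cfae / 22dcf5ec:`. Also confirm that %prep applies the new unnumbered `Patch:` tag — it is picked up by `%autosetup`/`%autopatch` but not by an explicit `%patch`-per-number list; the %prep section is outside this hunk.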
@@ -136,6 +143,10 @@ rm setup.cfg # to drop pytest coverage options configured there %endif %changelog +* Tue Apr 25 2023 Ryan Erickson - 1:0.36.2-8 +- Security fix for CVE-2022-40898 +- Resolves: rhbz#2178881 + * Tue Feb 08 2022 Tomáš Hrnčiar - 1:0.36.2-7 - Add automatically generated Obsoletes tag with the python39- prefix for smoother upgrade from RHEL8