import UBI python-wheel-0.36.2-8.el9

This commit is contained in:
eabdullin 2023-11-07 11:42:43 +00:00
parent d5885009c1
commit d297d44dbb
2 changed files with 94 additions and 1 deletions


@ -0,0 +1,82 @@
From 6c17cfae46efc6ff71bb58c8d1c87b86fdb3c668 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
Date: Thu, 20 Oct 2022 17:13:23 +0300
Subject: [PATCH 1/2] Fixed potential DoS attack via WHEEL_INFO_RE
---
src/wheel/wheelfile.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
index 3ee97dd..3c3d9f5 100644
--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
# Non-greedy matching of an optional build number may be too clever (more
# invalid wheel filenames will match). Separate regex for .dist-info?
WHEEL_INFO_RE = re.compile(
- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
re.VERBOSE)
--
2.39.2
From 22dcf5ec8f17771117f512b48d46c92a95f2d109 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
Date: Sat, 5 Nov 2022 01:17:22 +0200
Subject: [PATCH 2/2] Fixed parsing of wheel file names with multiple platform
tags
Fixes #485.
---
src/wheel/wheelfile.py | 4 ++--
tests/test_wheelfile.py | 13 ++++++++++---
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
index 3c3d9f5..bce7ab3 100644
--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
# Non-greedy matching of an optional build number may be too clever (more
# invalid wheel filenames will match). Separate regex for .dist-info?
WHEEL_INFO_RE = re.compile(
- r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
- -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
+ r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]+?))(-(?P<build>\d[^\s-]*))?
+ -(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>\S+)\.whl$""",
re.VERBOSE)
diff --git a/tests/test_wheelfile.py b/tests/test_wheelfile.py
index db11bcd..69225f8 100644
--- a/tests/test_wheelfile.py
+++ b/tests/test_wheelfile.py
@@ -16,9 +16,16 @@ def wheel_path(tmpdir):
return str(tmpdir.join('test-1.0-py2.py3-none-any.whl'))
-def test_wheelfile_re(tmpdir):
- # Regression test for #208
- path = tmpdir.join('foo-2-py3-none-any.whl')
+@pytest.mark.parametrize(
+ "filename",
+ [
+ "foo-2-py3-none-any.whl",
+ "foo-2-py2.py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
+ ],
+)
+def test_wheelfile_re(filename, tmpdir):
+ # Regression test for #208 and #485
+ path = tmpdir.join(filename)
with WheelFile(str(path), 'w') as wf:
assert wf.parsed_filename.group('namever') == 'foo-2'
--
2.39.2
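Review bot: The commit ids in the patch-mail headers (`From 6c17cfae46efc6ff71bb58c8d1c87b86fdb3c668` on the first line of the file and `From 22dcf5ec8f17771117f512b48d46c92a95f2d109` for the second patch) do not match the upstream commits that the spec comment in the second file section cites as the source of this fix (88f02bc335d5404991e532e7f3b0fc80437bf4e0 and 44193907eb308930de05deed863fb4d157c5c866), so the provenance of the vendored patch cannot be checked against upstream from this page alone. This is presumably because the patches were rebased or re-exported before being added, but it leaves a reviewer unable to confirm that the regex text here is byte-identical to what upstream shipped. A one-line provenance note at the top of the patch file, e.g. `Backported from upstream pypa/wheel commits 88f02bc335d5404991e532e7f3b0fc80437bf4e0 and 44193907eb308930de05deed863fb4d157c5c866`, would close that gap. The regex change itself reads as intended: every group in the final pattern is a negated character class that cannot consume the `-` separator, and the greedy `(?P<plat>\S+)` is followed only by the anchored `\.whl$`, so the overlapping-quantifier backtracking of the original `.+?` groups is gone; the parametrized test, however, asserts only `namever` and would not notice a wrong `plat` split for the multi-platform filename it adds.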


@ -18,7 +18,7 @@
Name: python-%{pypi_name}
Version: 0.36.2
Release: 7%{?dist}
Release: 8%{?dist}
Epoch: 1
Summary: Built-package format for Python
@ -28,6 +28,13 @@ URL: https://github.com/pypa/wheel
Source0: %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
BuildArch: noarch
# Security fix for CVE-2022-40898
# Regex Fix which causes regression in wheel filename parsing:
# https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0
# Wheel filename regression fix:
# https://github.com/pypa/wheel/commit/44193907eb308930de05deed863fb4d157c5c866
Patch: CVE-2022-40898.patch
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools
@ -136,6 +143,10 @@ rm setup.cfg # to drop pytest coverage options configured there
%endif
%changelog
* Tue Apr 25 2023 Ryan Erickson <rerickso@redhat.com> - 1:0.36.2-8
- Security fix for CVE-2022-40898
- Resolves: rhbz#2178881
* Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 1:0.36.2-7
- Add automatically generated Obsoletes tag with the python39- prefix
for smoother upgrade from RHEL8
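Review bot: The comment block above the new `Patch: CVE-2022-40898.patch` line in the second hunk is hard to read as written: `# Regex Fix which causes regression in wheel filename parsing:` says the fix causes a regression without saying that the next cited commit repairs it, and a reader skimming the spec may take the patch for a known-broken change. Clearer wording would be `# Upstream regex fix for CVE-2022-40898 (on its own it regressed wheel filename parsing):` followed by `# Upstream follow-up fixing that filename-parsing regression (pypa/wheel#485):` before the second URL. The third hunk's `%changelog` entry is consistent with the `Release: 8%{?dist}` bump in the first hunk; the surrounding `%changelog` section continues past the end of the hunk.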