From ad571f1517ee4b546fb6a7436ee4208b2cd1e48b Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 7 Jun 2024 11:41:57 +0000
Subject: [PATCH] Import from AlmaLinux stable repository

---
 SOURCES/CVE-2022-40897.patch | 13 +++++++++++++
 SPECS/python2-setuptools.spec | 13 ++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/CVE-2022-40897.patch

diff --git a/SOURCES/CVE-2022-40897.patch b/SOURCES/CVE-2022-40897.patch
new file mode 100644
index 0000000..c9c4f5f
--- /dev/null
+++ b/SOURCES/CVE-2022-40897.patch
@@ -0,0 +1,13 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
\ No newline at end of file
diff --git a/SPECS/python2-setuptools.spec b/SPECS/python2-setuptools.spec
index 761e9a6..5d5ce84 100644
--- a/SPECS/python2-setuptools.spec
+++ b/SPECS/python2-setuptools.spec
@@ -28,7 +28,7 @@
 Name: python2-setuptools
 Version: 39.0.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: Easily build and distribute Python packages
 Group: Applications/System
@@ -44,6 +44,12 @@ Patch0: skip-internet-requiring-tests.patch
 # Resolved upstream: https://github.com/pypa/setuptools/pull/1319/
 Patch1: fix-wheel-tests-compatibility.patch
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+# The patch is backported without test because that requires pytest.timeout.
+Patch2: CVE-2022-40897.patch
+
 BuildArch: noarch
 BuildRequires: gcc
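Review bot: The new `REL` line still ends in `([^'" >]+)[^>]*)>`, two unbounded classes that both accept any character other than quotes, space and `>`, so an index page containing `rel=` followed by a long run of such characters and no closing `>` still makes `re` backtrack quadratically — far milder than the old pattern, where `\s*`, `[^'">]+` and `[^>]*` could all consume the same run of spaces, but this regex is applied to HTML the index server controls, so it is worth recording as an accepted residual rather than leaving it implicit. The visible change — whitespace capped at `{0,10}` on each side of `=` and space dropped from the value class — is what removes the catastrophic case and matches the shape of the upstream commit cited in the spec; only the hash is visible here, so please confirm the line is byte-identical to that commit. Nothing in this patch exercises the pattern; a plugin-free guard such as `t = time.time(); REL.search('<a rel=' + ' ' * 2**14); assert time.time() - t < 1` would catch a regression without pytest-timeout. `unique_values` starts outside the hunk; the changed line itself is at module level.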
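Review bot: The Patch2 comment records that upstream's regression test was dropped because it needs pytest-timeout, which leaves this CVE backport unverified by `%check`; the same property can be asserted without any plugin by timing the call, `t = time.time(); package_index.REL.search('<a rel=' + ' ' * 2**14); assert time.time() - t < 1`, either as a small extra patch to the package-index tests (if that module exists in 39.0.1 — not visible here) or as a `python -c` one-liner next to the py.test invocation seen in the later hunk header. If such a check is added, the comment should describe it instead of saying the test was omitted. The `%check` body itself is outside this hunk.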
@@ -111,6 +117,7 @@ rm setuptools/tests/test_integration.py
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %if %{with python2}
@@ -200,6 +207,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python2_version} --ignore=
 %endif #with bootstrap
 %changelog
+* Tue Oct 03 2023 Lumír Balhar - 39.0.1-14
+- Fix for CVE-2022-40897
+Resolves: RHEL-9763
+
 * Wed Jan 13 2021 Charalampos Stratakis - 39.0.1-13
 - When building for Flatpak inclusion, build in bootstrap mode
 Resolves: rhbz#1907597