7 changed files with 27 additions and 93 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,91 +1 @@
-/svn17_example.zip
-/svn18_example.zip
-/setuptools-1.3.1.tar.gz
-/setuptools-1.4.tar.gz
-/setuptools-2.0.tar.gz
-/setuptools-6.0.2.tar.gz
-/setuptools-6.1.tar.gz
-/setuptools-7.0.tar.gz
-/setuptools-8.2.1.tar.gz
-/setuptools-11.0.tar.gz
-/setuptools-11.3.1.tar.gz
-/setuptools-12.0.3.tar.gz
-/setuptools-12.3.tar.gz
-/setuptools-12.4.tar.gz
-/setuptools-13.0.2.tar.gz
-/setuptools-14.1.1.tar.gz
-/setuptools-14.2.tar.gz
-/setuptools-14.3.tar.gz
-/setuptools-14.3.1.tar.gz
-/python-setuptools-15.0-1.fc21.src.rpm
-/setuptools-15.0.tar.gz
-/setuptools-15.2.tar.gz
-/setuptools-16.0.tar.gz
-/setuptools-17.0.tar.gz
-/setuptools-17.1.tar.gz
-/setuptools-17.1.1.tar.gz
-/setuptools-18.0.1.tar.gz
-/setuptools-18.1.tar.gz
-/setuptools-18.3.1.tar.gz
-/setuptools-18.3.2.tar.gz
-/setuptools-18.4.tar.gz
-/setuptools-18.5.tar.gz
-/setuptools-18.6.1.tar.gz
-/setuptools-18.7.1.tar.gz
-/setuptools-18.8.tar.gz
-/setuptools-18.8.1.tar.gz
-/setuptools-19.1.1.tar.gz
-/setuptools-19.2.tar.gz
-/setuptools-19.4.tar.gz
-/setuptools-19.5.tar.gz
-/setuptools-19.6.tar.gz
-/setuptools-19.6.2.tar.gz
-/setuptools-19.7.tar.gz
-/setuptools-20.0.tar.gz
-/setuptools-20.1.tar.gz
-/setuptools-20.1.1.tar.gz
-/setuptools-20.3.tar.gz
-/setuptools-20.4.tar.gz
-/setuptools-20.6.7.tar.gz
-/setuptools-20.8.1.tar.gz
-/setuptools-20.9.0.tar.gz
-/setuptools-20.10.1.tar.gz
-/setuptools-21.2.2.tar.gz
-/setuptools-22.0.0.tar.gz
-/setuptools-22.0.5.tar.gz
-/setuptools-23.0.0.tar.gz
-/setuptools-24.0.1.tar.gz
-/setuptools-24.2.0.tar.gz
-/setuptools-25.0.0.tar.gz
-/setuptools-25.1.0.tar.gz
-/setuptools-25.1.1.tar.gz
-/setuptools-25.1.6.tar.gz
-/setuptools-26.0.0.tar.gz
-/setuptools-27.1.2.tar.gz
-/setuptools-27.3.0.tar.gz
-/setuptools-28.0.0.tar.gz
-/setuptools-28.1.0.tar.gz
-/setuptools-28.2.0.tar.gz
-/setuptools-28.3.0.tar.gz
-/setuptools-28.6.0.tar.gz
-/setuptools-28.6.1.tar.gz
-/setuptools-28.7.1.tar.gz
-/setuptools-28.8.0.tar.gz
-/setuptools-30.4.0.tar.gz
-/v32.2.0.tar.gz
-/setuptools-32.2.0.zip
-/setuptools-32.3.0.zip
-/setuptools-32.3.1.zip
-/setuptools-34.1.1.zip
-/setuptools-34.2.0.zip
-/setuptools-34.3.0.zip
-/setuptools-34.3.2.zip
-/setuptools-35.0.1.zip
-/setuptools-35.0.2.zip
-/setuptools-36.0.1.zip
-/setuptools-36.2.0.zip
-/setuptools-36.5.0.zip
-/setuptools-37.0.0.zip
-/setuptools-38.2.5.zip
-/setuptools-38.4.0.zip
-/setuptools-39.0.1.zip
+SOURCES/setuptools-39.0.1.zip
--- a/.python2-setuptools.metadata
+++ b/.python2-setuptools.metadata
@ -0,0 +1 @@
+a8af7ca9ddedd3ea046ecf72dd4dcb8592bd3fb7 SOURCES/setuptools-39.0.1.zip
--- a/SOURCES/CVE-2022-40897.patch
+++ b/SOURCES/CVE-2022-40897.patch
@ -0,0 +1,13 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
--- a/SOURCES/fix-wheel-tests-compatibility.patch
+++ b/SOURCES/fix-wheel-tests-compatibility.patch
--- a/SOURCES/skip-internet-requiring-tests.patch
+++ b/SOURCES/skip-internet-requiring-tests.patch
--- a/SPECS/python2-setuptools.spec
+++ b/SPECS/python2-setuptools.spec
@ -28,7 +28,7 @@

 Name:           python2-setuptools
 Version:        39.0.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        Easily build and distribute Python packages

 Group:          Applications/System
@ -44,6 +44,12 @@ Patch0:         skip-internet-requiring-tests.patch
 # Resolved upstream: https://github.com/pypa/setuptools/pull/1319/
 Patch1:         fix-wheel-tests-compatibility.patch

+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+# The patch is backported without test because that requires pytest.timeout.
+Patch2:         CVE-2022-40897.patch
+
 BuildArch:      noarch

 BuildRequires:  gcc
@ -111,6 +117,7 @@ rm setuptools/tests/test_integration.py

 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 %build
 %if %{with python2}
@ -200,6 +207,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python2_version} --ignore=
 %endif #with bootstrap

 %changelog
+* Tue Oct 03 2023 Lumír Balhar <lbalhar@redhat.com> - 39.0.1-14
+- Fix for CVE-2022-40897
+Resolves: RHEL-9763
+
 * Wed Jan 13 2021 Charalampos Stratakis <cstratak@redhat.com> - 39.0.1-13
 - When building for Flatpak inclusion, build in bootstrap mode
 Resolves: rhbz#1907597
--- a/1
+++ b/1
@ -1 +0,0 @@
-SHA512 (setuptools-39.0.1.zip) = 1f8a579b18944146ccf34c8daccdecd3595591c94fe8d43a329aca8188100b97049d0a4f5083c5c7c616b260eb379153929a2a1ed7225df88de17414d394fed1
				`@ -0,0 +1 @@`
				`a8af7ca9ddedd3ea046ecf72dd4dcb8592bd3fb7 SOURCES/setuptools-39.0.1.zip`
				`@ -1 +0,0 @@`
				`SHA512 (setuptools-39.0.1.zip) = 1f8a579b18944146ccf34c8daccdecd3595591c94fe8d43a329aca8188100b97049d0a4f5083c5c7c616b260eb379153929a2a1ed7225df88de17414d394fed1`