Security fix for CVE-2025-47273
Resolves: RHEL-101126
This commit is contained in:
Tomáš Hrnčiar
parent
3a6ec76917
commit
187f02e3fd
30
CVE-2025-47273.patch
Normal file
30
CVE-2025-47273.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From ff1c62ede76e29a9d00bbbad266afa59ee153e51 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||||
|
Date: Sat, 19 Apr 2025 13:03:47 -0400
|
||||||
|
Subject: [PATCH] Add a check to ensure the name resolves relative to the
|
||||||
|
tmpdir.
|
||||||
|
|
||||||
|
Closes #4946
|
||||||
|
|
||||||
|
---
|
||||||
|
setuptools/package_index.py | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
||||||
|
index 1d3e5b4..79953f8 100755
|
||||||
|
--- a/setuptools/package_index.py
|
||||||
|
+++ b/setuptools/package_index.py
|
||||||
|
@@ -808,6 +808,10 @@ class PackageIndex(Environment):
|
||||||
|
|
||||||
|
filename = os.path.join(tmpdir, name)
|
||||||
|
|
||||||
|
+ # ensure path resolves within the tmpdir
|
||||||
|
+ if not filename.startswith(str(tmpdir)):
|
||||||
|
+ raise ValueError("Invalid filename {filename}".format(filename = filename))
|
||||||
|
+
|
||||||
|
# Download the file
|
||||||
|
#
|
||||||
|
if scheme == 'svn' or scheme.startswith('svn+'):
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
||||||
@ -21,7 +21,7 @@
|
|||||||
Name: python%{python3_pkgversion}-setuptools
|
Name: python%{python3_pkgversion}-setuptools
|
||||||
# When updating, update the bundled libraries versions bellow!
|
# When updating, update the bundled libraries versions bellow!
|
||||||
Version: 65.5.1
|
Version: 65.5.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: Easily build and distribute Python packages
|
Summary: Easily build and distribute Python packages
|
||||||
# setuptools is MIT
|
# setuptools is MIT
|
||||||
# appdirs is MIT
|
# appdirs is MIT
|
||||||
@ -51,6 +51,12 @@ Patch0: Remove-optional-or-unpackaged-test-deps.patch
|
|||||||
# Patch simplified because upstream doesn't support SVN anymore.
|
# Patch simplified because upstream doesn't support SVN anymore.
|
||||||
Patch1: CVE-2024-6345.patch
|
Patch1: CVE-2024-6345.patch
|
||||||
|
|
||||||
|
# Security fix for CVE-2025-47273
|
||||||
|
# Path traversal in PackageIndex.download leads to Arbitrary File Write
|
||||||
|
# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
|
||||||
|
Patch2: CVE-2025-47273.patch
|
||||||
|
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
BuildRequires: python%{python3_pkgversion}-devel
|
BuildRequires: python%{python3_pkgversion}-devel
|
||||||
@ -237,6 +243,10 @@ PYTHONPATH=$(pwd) %pytest \
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 02 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 65.5.1-4
|
||||||
|
- Security fix for CVE-2025-47273
|
||||||
|
Resolves: RHEL-101126
|
||||||
|
|
||||||
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 65.5.1-3
|
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 65.5.1-3
|
||||||
- Security fix for CVE-2024-6345
|
- Security fix for CVE-2024-6345
|
||||||
Resolves: RHEL-50484
|
Resolves: RHEL-50484
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user