rpms/python3.12-setuptools
14
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI python3.12-setuptools-68.2.2-5.el8_10

Browse Source
This commit is contained in:
eabdullin 2025-07-15 07:51:46 +00:00
parent db26c79588
commit 0f97befaba
2 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
SOURCES/CVE-2025-47273.patch Normal file
View File

@ -0,0 +1,30 @@
From ff1c62ede76e29a9d00bbbad266afa59ee153e51 Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Sat, 19 Apr 2025 13:03:47 -0400
Subject: [PATCH] Add a check to ensure the name resolves relative to the
tmpdir.
Closes #4946
---
setuptools/package_index.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 1d3e5b4..79953f8 100755
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -808,6 +808,10 @@ class PackageIndex(Environment):
filename = os.path.join(tmpdir, name)
+ # ensure path resolves within the tmpdir
+ if not filename.startswith(str(tmpdir)):
+ raise ValueError("Invalid filename {filename}".format(filename = filename))
+
# Download the file
#
if scheme == 'svn' or scheme.startswith('svn+'):
--
2.49.0

14
SPECS/python3.12-setuptools.spec
View File

@ -24,7 +24,7 @@
Name: python%{python3_pkgversion}-setuptools Name: python%{python3_pkgversion}-setuptools
# When updating, update the bundled libraries versions bellow! # When updating, update the bundled libraries versions bellow!
Version: 68.2.2 Version: 68.2.2
Release: 4%{?dist} Release: 5%{?dist}
Summary: Easily build and distribute Python packages Summary: Easily build and distribute Python packages
# setuptools is MIT # setuptools is MIT
# platformdirs is MIT # platformdirs is MIT
@ -48,7 +48,13 @@ Source0: %{pypi_source %{srcname} %{version}}
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
# Upstream solution: https://github.com/pypa/setuptools/pull/4332 # Upstream solution: https://github.com/pypa/setuptools/pull/4332
# Patch simplified because upstream doesn't support SVN anymore. # Patch simplified because upstream doesn't support SVN anymore.
Patch: CVE-2024-6345.patch Patch1: CVE-2024-6345.patch
# Security fix for CVE-2025-47273
# Path traversal in PackageIndex.download leads to Arbitrary File Write
# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
Patch2: CVE-2025-47273.patch
BuildArch: noarch BuildArch: noarch
@ -227,6 +233,10 @@ PYTHONPATH=$(pwd) %pytest \
%changelog %changelog
* Wed Jul 02 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 68.2.2-5
- Security fix for CVE-2025-47273
Resolves: RHEL-101131
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 68.2.2-4 * Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 68.2.2-4
- Security fix for CVE-2024-6345 - Security fix for CVE-2024-6345
Resolves: RHEL-50475 Resolves: RHEL-50475