From c7b786c4dcaaa3c1636686d65b56b7afdaba84bf Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 19 Aug 2024 02:18:15 +0000
Subject: [PATCH] import UBI python3.12-setuptools-68.2.2-3.el9_4.1
---
 ...setup.py-install-deprecation-message.patch | 41 +++++++
 SOURCES/CVE-2024-6345.patch | 116 ++++++++++++++++++
 SPECS/python3.12-setuptools.spec | 22 +++-
 3 files changed, 173 insertions(+), 6 deletions(-)
 create mode 100644 SOURCES/Adjust-the-setup.py-install-deprecation-message.patch
 create mode 100644 SOURCES/CVE-2024-6345.patch
diff --git a/SOURCES/Adjust-the-setup.py-install-deprecation-message.patch b/SOURCES/Adjust-the-setup.py-install-deprecation-message.patch
new file mode 100644
index 0000000..62e5c56
--- /dev/null
+++ b/SOURCES/Adjust-the-setup.py-install-deprecation-message.patch
@@ -0,0 +1,41 @@
+From 58f33f0aef5b137287e6f425b922a03123735a77 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Wed, 20 Sep 2023 17:18:47 +0200
+Subject: [PATCH] Adjust the setup.py install deprecation message and URL
+
+But only when building RPM packages.
+---
+ setuptools/command/install.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/setuptools/command/install.py b/setuptools/command/install.py
+index 606cce9..0af1631 100644
+--- a/setuptools/command/install.py
++++ b/setuptools/command/install.py
+@@ -1,6 +1,7 @@
+ from distutils.errors import DistutilsArgError
+ import inspect
+ import glob
++import os
+ import platform
+ import distutils.command.install as orig
+
+@@ -40,8 +41,13 @@ class install(orig.install):
+ Please avoid running ``setup.py`` directly.
+ Instead, use pypa/build, pypa/installer or other
+ standards-based tools.
+- """,
+- see_url="https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html",
++ """
++ + ("""
++ Follow the current Python packaging guidelines when building
++ Python RPM packages.
++ """ if "RPM_BUILD_ROOT" in os.environ else ""),
++ see_url=("https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html"
++ ("\nand https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/" if "RPM_BUILD_ROOT" in os.environ else "")),
+ # TODO: Document how to bootstrap setuptools without install
+ # (e.g. by unziping the wheel file)
+ # and then add a due_date to this warning.
+--
+2.41.0
+
diff --git a/SOURCES/CVE-2024-6345.patch b/SOURCES/CVE-2024-6345.patch
new file mode 100644
index 0000000..d3f5074
--- /dev/null
+++ b/SOURCES/CVE-2024-6345.patch
@@ -0,0 +1,116 @@
+From 472528deea4063f20c5d9525f0faf64ae0cd0a90 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Wed, 24 Jul 2024 14:26:09 +0200
+Subject: [PATCH] CVE-2024-6345
+
+---
+ setuptools/package_index.py | 21 +++++----------------
+ setuptools/tests/test_packageindex.py | 20 ++++++++++----------
+ 2 files changed, 15 insertions(+), 26 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 7095585..1368bde 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,5 +1,6 @@
+ """PyPI and direct package downloading."""
+
++import subprocess
+ import sys
+ import os
+ import re
+@@ -881,17 +882,11 @@ class PackageIndex(Environment):
+ url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+
+ self.info("Doing git clone from %s to %s", url, filename)
+- os.system("git clone --quiet %s %s" % (url, filename))
++ subprocess.check_call(["git", "clone", "--quiet", url, filename])
+
+ if rev is not None:
+ self.info("Checking out %s", rev)
+- os.system(
+- "git -C %s checkout --quiet %s"
+- % (
+- filename,
+- rev,
+- )
+- )
++ subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
+
+ return filename
+
+@@ -900,17 +895,11 @@ class PackageIndex(Environment):
+ url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+
+ self.info("Doing hg clone from %s to %s", url, filename)
+- os.system("hg clone --quiet %s %s" % (url, filename))
++ subprocess.check_call(["hg", "clone", "--quiet", url, filename])
+
+ if rev is not None:
+ self.info("Updating to %s", rev)
+- os.system(
+- "hg --cwd %s up -C -r %s -q"
+- % (
+- filename,
+- rev,
+- )
+- )
++ subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
+
+ return filename
+
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 0287063..c136e8d 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -190,37 +190,37 @@ class TestPackageIndex:
+ url = 'git+https://github.example/group/project@master#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
++ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+ result = index.download(url, str(tmpdir))
+
+- os_system_mock.assert_called()
++ subprocess_check_call_mock.assert_called()
+
+ expected_dir = str(tmpdir / 'project@master')
+ expected = (
+ 'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- first_call_args = os_system_mock.call_args_list[0][0]
++ ).format(**locals()).split()
++ first_call_args = subprocess_check_call_mock.call_args_list[0][0]
+ assert first_call_args == (expected,)
+
+ tmpl = 'git -C {expected_dir} checkout --quiet master'
+- expected = tmpl.format(**locals())
+- assert os_system_mock.call_args_list[1][0] == (expected,)
++ expected = tmpl.format(**locals()).split()
++ assert subprocess_check_call_mock.call_args_list[1][0] == (expected,)
+ assert result == expected_dir
+
+ def test_download_git_no_rev(self, tmpdir):
+ url = 'git+https://github.example/group/project#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
++ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+ result = index.download(url, str(tmpdir))
+
+- os_system_mock.assert_called()
++ subprocess_check_call_mock.assert_called()
+
+ expected_dir = str(tmpdir / 'project')
+ expected = (
+ 'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- os_system_mock.assert_called_once_with(expected)
++ ).format(**locals()).split()
++ subprocess_check_call_mock.assert_called_once_with(expected)
+
+ def test_download_svn(self, tmpdir):
+ url = 'svn+https://svn.example/project#egg=foo'
+--
+2.45.2
+
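Review bot: The `package_index.py` hunks move only the git and hg clone paths from `os.system` shell strings to `subprocess.check_call` argument lists, while the trailing context of the test hunk (`def test_download_svn`) shows that an svn download path still exists in this 68.2.2 tree; the spec's remark that the patch was "simplified because upstream doesn't support SVN anymore" therefore does not establish that the svn helper is shell-free, and it should be confirmed against the packaged `package_index.py` that it does not still format a command string the same way, since that is exactly the pattern CVE-2024-6345 is about. A second, smaller point: `subprocess.check_call` raises `CalledProcessError` on a non-zero exit where `os.system` merely returned the status, so a failed clone or checkout now propagates out of `download()`; if that is intended, a one-line comment above the first replaced call such as `# check_call raises CalledProcessError on failure (os.system only returned the status)` records the behaviour change for the next backport. Both clone helpers begin and end outside the hunk lines shown.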
diff --git a/SPECS/python3.12-setuptools.spec b/SPECS/python3.12-setuptools.spec
index 2f02580..1be1209 100644
--- a/SPECS/python3.12-setuptools.spec
+++ b/SPECS/python3.12-setuptools.spec
@@ -3,11 +3,6 @@
 %global srcname setuptools
-# Workaround for https://issues.redhat.com/browse/CS-1907
-# By defining the %%{__bootstrap} value,
-# we prevent misconfigured Koji putting a literal %%{__bootstrap} in %%dist.
-%{!?__bootstrap:%global __bootstrap %{nil}}
-
 # used when bootstrapping new Python versions
 %bcond_with bootstrap
@@ -24,7 +19,7 @@ Name: python%{python3_pkgversion}-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version: 68.2.2
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 Summary: Easily build and distribute Python packages
 # setuptools is MIT
 # platformdirs is MIT
@@ -43,6 +38,17 @@ License: MIT and ASL 2.0 and (BSD or ASL 2.0) and Python
 URL: https://pypi.python.org/pypi/%{srcname}
 Source0: %{pypi_source %{srcname} %{version}}
+# The `setup.py install` deprecation notice might be confusing for RPM packagers
+# adjust it, but only when $RPM_BUILD_ROOT is set
+Patch: Adjust-the-setup.py-install-deprecation-message.patch
+
+# Security fix for CVE-2024-6345
+# Remote code execution via download functions in the package_index module
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
+# Upstream solution: https://github.com/pypa/setuptools/pull/4332
+# Patch simplified because upstream doesn't support SVN anymore.
+Patch: CVE-2024-6345.patch
+
 BuildArch: noarch
 BuildRequires: python%{python3_pkgversion}-devel
@@ -220,6 +226,10 @@ PYTHONPATH=$(pwd) %pytest \
 %changelog
+* Wed Jul 24 2024 Lumír Balhar - 68.2.2-3.1
+- Security fix for CVE-2024-6345
+Resolves: RHEL-50481
+
 * Tue Jan 23 2024 Miro Hrončok - 68.2.2-3
 - Rebuilt for timestamp .pyc invalidation mode
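Review bot: The first hunk of this file deletes the CS-1907 `__bootstrap` workaround, but the changelog entry added in the last hunk records only the CVE-2024-6345 fix, so the spec history gives no reason for the removed guard. Add a line to the new entry, e.g. `- Drop the %%{__bootstrap} workaround for CS-1907`, and state why it is no longer needed (presumably the build environment now defines the macro itself; confirm before relying on that). The unnumbered `Patch:` tags in the third hunk are fine only if the prep section applies every `Patch:` in order, which lies outside the lines shown.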