Security fix for CVE-2025-47273
Resolves: RHEL-104339
This commit is contained in:
Tomáš Hrnčiar
parent
a9b1f79180
commit
230f932703
30
CVE-2025-47273.patch
Normal file
30
CVE-2025-47273.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From ff1c62ede76e29a9d00bbbad266afa59ee153e51 Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Sat, 19 Apr 2025 13:03:47 -0400
|
||||
Subject: [PATCH] Add a check to ensure the name resolves relative to the
|
||||
tmpdir.
|
||||
|
||||
Closes #4946
|
||||
|
||||
---
|
||||
setuptools/package_index.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
||||
index 1d3e5b4..79953f8 100755
|
||||
--- a/setuptools/package_index.py
|
||||
+++ b/setuptools/package_index.py
|
||||
@@ -808,6 +808,10 @@ class PackageIndex(Environment):
|
||||
|
||||
filename = os.path.join(tmpdir, name)
|
||||
|
||||
+ # ensure path resolves within the tmpdir
|
||||
+ if not filename.startswith(str(tmpdir)):
|
||||
+ raise ValueError("Invalid filename {filename}".format(filename = filename))
|
||||
+
|
||||
# Download the file
|
||||
#
|
||||
if scheme == 'svn' or scheme.startswith('svn+'):
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
Name: python3x-setuptools
|
||||
# When updating, update the bundled libraries versions bellow!
|
||||
Version: 50.3.2
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: Easily build and distribute Python packages
|
||||
# setuptools is MIT
|
||||
# appdirs is MIT
|
||||
@ -40,6 +40,11 @@ Patch1: CVE-2022-40897.patch
|
||||
# Patch simplified because upstream doesn't support SVN anymore.
|
||||
Patch2: CVE-2024-6345.patch
|
||||
|
||||
# Security fix for CVE-2025-47273
|
||||
# Path traversal in PackageIndex.download leads to Arbitrary File Write
|
||||
# Upstream solution: https://github.com/pypa/setuptools/pull/4951/
|
||||
Patch3: CVE-2025-47273.patch
|
||||
|
||||
BuildArch: noarch
|
||||
# Exclude i686 arch. Due to a modularity issue it's being added to the
|
||||
# x86_64 compose of CRB, but we don't want to ship it at all.
|
||||
@ -220,6 +225,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Aug 04 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 50.3.2-7
|
||||
- Security fix for CVE-2025-47273
|
||||
Resolves: RHEL-104339
|
||||
|
||||
* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 50.3.2-6
|
||||
- Security fix for CVE-2024-6345
|
||||
Resolves: RHEL-50493
|
||||
|
||||
Loading…
Reference in New Issue
Block a user