From f8ec9d0568ecb2934fabd27b016c365b8d945a3a Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 30 May 2024 15:45:50 +0000
Subject: [PATCH] Import from AlmaLinux stable repository

---
 .python3x-setuptools.metadata | 1 -
 SOURCES/CVE-2022-40897.patch | 13 +++++++++++++
 SPECS/python3x-setuptools.spec | 12 +++++++++++-
 3 files changed, 24 insertions(+), 2 deletions(-)
 delete mode 100644 .python3x-setuptools.metadata
 create mode 100644 SOURCES/CVE-2022-40897.patch

diff --git a/.python3x-setuptools.metadata b/.python3x-setuptools.metadata
deleted file mode 100644
index 2057cb8..0000000
--- a/.python3x-setuptools.metadata
+++ /dev/null
@@ -1 +0,0 @@
-2c9279e6b2d521f6799294200a432925113177dc SOURCES/setuptools-50.3.2.zip
diff --git a/SOURCES/CVE-2022-40897.patch b/SOURCES/CVE-2022-40897.patch
new file mode 100644
index 0000000..c9c4f5f
--- /dev/null
+++ b/SOURCES/CVE-2022-40897.patch
@@ -0,0 +1,13 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+ return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
\ No newline at end of file
diff --git a/SPECS/python3x-setuptools.spec b/SPECS/python3x-setuptools.spec
index f4eec0b..b9c29cb 100644
--- a/SPECS/python3x-setuptools.spec
+++ b/SPECS/python3x-setuptools.spec
@@ -14,7 +14,7 @@ Name: python3x-setuptools
 # When updating, update the bundled libraries versions bellow!
 Version: 50.3.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Easily build and distribute Python packages
 # setuptools is MIT
 # appdirs is MIT
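Review bot: The new patch file begins directly at `diff --git a/setuptools/package_index.py` with no description header, so once it is copied to another branch nothing in the file itself says which CVE or upstream commit it carries; prepend a few header lines above the `diff --git` line (the CVE id, the upstream commit URL already cited in the spec, and a one-line summary such as `Bound the whitespace around rel= and drop space from the value class to stop catastrophic backtracking`) — `patch` and `%autosetup` ignore leading text. As far as is visible the regex matches upstream's fix: the bounded `\s{0,10}` quantifiers and the tighter value class `[^'" >]+` remove the overlap between `\s*` and the space-accepting `[^'">]+` after `=`, which is what let a long run of spaces backtrack quadratically. Note that the new class also truncates a multi-valued attribute like `rel="homepage download"` to its first token, which upstream accepted but is worth a sentence in that header so a later rebase does not treat it as a regression. The inner hunk shows only the tail of `unique_values` and the `REL` definition; `REL`'s consumers are outside it.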
@@ -27,6 +27,12 @@ License: MIT and (BSD or ASL 2.0)
 URL: https://pypi.python.org/pypi/%{srcname}
 Source0: %{pypi_source %{srcname} %{version} zip}
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+# The patch is backported without test because that requires pytest.timeout.
+Patch1: CVE-2022-40897.patch
+
 BuildArch: noarch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
@@ -207,6 +213,10 @@ fi
 %changelog
+* Tue Oct 03 2023 Lumír Balhar - 50.3.2-5
+- Fix for CVE-2022-40897
+Resolves: RHEL-9764
+
 * Thu Aug 05 2021 Tomas Orsava - 50.3.2-4
 - Adjusted the postun scriptlets to enable upgrading to RHEL 9
 - Resolves: rhbz#1933055
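Review bot: `Patch1: CVE-2022-40897.patch` is declared in this hunk, but `%prep` is not part of the diff, so whether the patch is actually applied cannot be confirmed from here; if `%prep` uses `%setup` with explicit `%patch` lines rather than `%autosetup -p1`, a matching `%patch1 -p1` is needed (the patch paths carry the `a/`/`b/` prefix), otherwise the package ships the old regex while the changelog claims the fix. The new comment says the upstream test was dropped because it needs pytest-timeout, but a plugin-free guard is cheap: in `%check`, run something like `timeout 30 %{python3} -c 'from setuptools.package_index import REL; REL.search("<a rel=" + " " * 50000)'` — an `=` followed by a long run of spaces and no closing `>` is exactly the overlap the old `\s*`/`[^'">]+` pair went quadratic on — so a rebase that reintroduces the unbounded pattern fails the build instead of passing silently. Minor style: the new changelog entry writes `Resolves: RHEL-9764` without the leading `- ` that the 50.3.2-4 entry uses for its Resolves line.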