From a6b5d7c43cf3594c762e3e3046c83d43c6ef12b2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 28 2023 07:53:56 +0000 Subject: import python-setuptools-53.0.0-10.el9_1.1 --- diff --git a/SOURCES/CVE-2022-40897.patch b/SOURCES/CVE-2022-40897.patch new file mode 100644 index 0000000..4e09c4f --- /dev/null +++ b/SOURCES/CVE-2022-40897.patch @@ -0,0 +1,28 @@ +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 123e958..a90b810 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -215,7 +215,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py +index 8e9435e..bc1e373 100644 +--- a/setuptools/tests/test_packageindex.py ++++ b/setuptools/tests/test_packageindex.py +@@ -308,3 +308,10 @@ class TestPyPIConfig: + cred = cfg.creds_by_repository['https://pypi.org'] + assert cred.username == 'jaraco' + assert cred.password == 'pity%' ++ ++@pytest.mark.timeout(1) ++def test_REL_DoS(): ++ """ ++ REL should not hang on a contrived attack string. ++ """ ++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12) diff --git a/SPECS/python-setuptools.spec b/SPECS/python-setuptools.spec index 4e6698f..1871c67 100644 --- a/SPECS/python-setuptools.spec +++ b/SPECS/python-setuptools.spec @@ -28,7 +28,7 @@ Name: python-setuptools # When updating, update the bundled libraries versions bellow! Version: 53.0.0 -Release: 10%{?dist} +Release: 10%{?dist}.1 Summary: Easily build and distribute Python packages # setuptools is MIT # appdirs is MIT @@ -55,6 +55,11 @@ Source0: %{pypi_source %{srcname} %{version}} # depends on the previous one Patch1: license-file-metadata.patch +# Security fix for CVE-2022-40897 +# Regular Expression Denial of Service (ReDoS) in package_index.py +# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be +Patch3: CVE-2022-40897.patch + BuildArch: noarch BuildRequires: python%{python3_pkgversion}-devel @@ -225,6 +230,10 @@ PYTHONPATH=$(pwd) %pytest --ignore=pavement.py %changelog +* Wed Jan 11 2023 Charalampos Stratakis - 53.0.0-10.1 +- Security fix for CVE-2022-40897 +Resolves: rhbz#2158559 + * Tue Feb 08 2022 Tomas Orsava - 53.0.0-10 - Add automatically generated Obsoletes tag with the python39- prefix for smoother upgrade from RHEL8