From bae5d708ed4f2d67eba62fa83e7e02818526e731 Mon Sep 17 00:00:00 2001
From: zhuofeng
Date: Wed, 4 Jan 2023 10:59:49 +0800
Subject: [PATCH] fix CVE-2022-40897
(cherry picked from commit d4cbd5602bca5bd17406c3aac5b96594a046bc4b)
---
 backport-CVE-2022-40897.patch | 43 +++++++++++++++++++++++++++++++++++
 python-setuptools.spec | 10 +++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-40897.patch
diff --git a/backport-CVE-2022-40897.patch b/backport-CVE-2022-40897.patch
new file mode 100644
index 0000000..aab68d2
--- /dev/null
+++ b/backport-CVE-2022-40897.patch
@@ -0,0 +1,43 @@
+From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs"
+Date: Fri, 4 Nov 2022 13:47:53 -0400
+Subject: [PATCH] Limit the amount of whitespace to search/backtrack.Fixes
+ #3659.
+
+---
+ setuptools/package_index.py | 2 +-
+ setuptools/tests/test_packageindex.py | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index f419d47..9a2da9d 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -214,7 +214,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 60d968f..05820be 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -337,3 +337,11 @@ class TestPyPIConfig:
+ cred = cfg.creds_by_repository['https://pypi.org']
+ assert cred.username == 'jaraco'
+ assert cred.password == 'pity%'
++
++
++@pytest.mark.timeout(1)
++def test_REL_DoS():
++ """
++ REL should not hang on a contrived attack string.
++ """
++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
+--
+2.27.0
+
diff --git a/python-setuptools.spec b/python-setuptools.spec
index 8b30cdd..f446129 100644
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
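Review bot: The embedded REL hunk (index f419d47..9a2da9d, `@@ -214,7 +214,7 @@ def unique_values(func):`) was cut from a much newer upstream setuptools than the 44.1.1 this spec builds, so it will at best apply with offset or fuzz; before trusting the backport, confirm that 44.1.1's package_index.py carries the `-` line byte for byte, since a silently fuzzed or rejected hunk leaves the vulnerable pattern in place. The fix is the pair of changes on the `+` line, bounding the whitespace with `\s{0,10}` and dropping the space from the captured class (`[^'" >]+` instead of `[^'">]+`), which together remove the overlap that the whitespace quantifier and the value class used to compete over; both halves must survive any manual rebase. The added `test_REL_DoS` only detects a regression through `@pytest.mark.timeout(1)`, a mark supplied by the pytest-timeout plugin, so without that plugin the mark is merely an unknown-mark warning (or an error under `--strict-markers`) and a regressed regex would hang the test session rather than fail it.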
@@ -11,13 +11,15 @@ Name: python-setuptools
 Version: 44.1.1
-Release: 1
+Release: 2
 Summary: Easily build and distribute Python packages
 License: MIT and (BSD or ASL 2.0)
 URL: https://pypi.python.org/pypi/setuptools
 Source0: %{pypi_source setuptools %{version} zip}
 Patch0: create-site-packages.patch
+Patch6000: backport-CVE-2022-40897.patch
+
 Patch9000: bugfix-eliminate-random-order-in-metadata.patch
 BuildArch: noarch
@@ -144,6 +146,12 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
 %changelog
+* Wed Jan 04 2023 zhuofeng - 44.1.1-2
+- Type:CVE
+- CVE:CVE-2022-40897
+- SUG:NA
+- DESC:fix CVE-2022-40897
+
 * Mon Aug 31 2020 shixuantong - 44.1.1-1
 - update version 44.1.1
-- Gitee
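Review bot: `Patch6000: backport-CVE-2022-40897.patch` is only registered here; the %prep section is outside this hunk, so confirm that the spec's `%autosetup`/`%patch` invocation actually applies Patch6000, because a listed-but-unapplied patch still builds cleanly and the changelog would then claim a fix that is not in the binary. The `py.test-%{python3_version}` invocation visible in the second hunk's header indicates the test suite runs during the build, so the backported `test_REL_DoS` will execute in %check; its 1-second limit is enforced only when the pytest-timeout plugin is installed at build time, so add a `BuildRequires:` for that plugin's package (under whatever name this distro uses) or the test will hang the build instead of failing on a regression.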