python3-setuptools: Fix CVE-2025-47273

Upstream-Status: Backport from https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a & https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b (From OE-Core rev: 9769cd99c32faf7d95a7cab07b8550b438ccaf0c) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-06-05 12:44:10 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-11 08:17:34 -0700
commit: 6ba8b8a487f61d511904dd7263a58a794d3d3bb5 (patch)
tree: ea4c0f124496df75fc42928253e9f53adf22eb6c
parent: bf752e4e25e251cf550c1406afef682530b6ceb5 (diff)
download: poky-6ba8b8a487f61d511904dd7263a58a794d3d3bb5.tar.gz
3 files changed, 115 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
new file mode 100644
index 0000000000..72bcaea435
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
@@ -0,0 +1,54 @@
+From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Sat, 19 Apr 2025 12:49:55 -0400
+Subject: [PATCH] Extract _resolve_download_filename with test.
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]
+CVE: CVE-2025-47273 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ setuptools/package_index.py | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 00a972d..d460fcb 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -815,9 +815,16 @@ class PackageIndex(Environment):
+             else:
+                 raise DistutilsError("Download error for %s: %s" % (url, v)) from v
+ 
+-    def _download_url(self, url, tmpdir):
+-        # Determine download filename
+-        #
+    @staticmethod
+    def _resolve_download_filename(url, tmpdir):
+        """
+        >>> du = PackageIndex._resolve_download_filename
+        >>> root = getfixture('tmp_path')
+        >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+        >>> import pathlib
+        >>> str(pathlib.Path(du(url, root)).relative_to(root))
+        'setuptools-78.1.0.tar.gz'
+        """
+         name, fragment = egg_info_for_url(url)
+         if name:
+             while '..' in name:
+@@ -828,8 +835,13 @@ class PackageIndex(Environment):
+         if name.endswith('.egg.zip'):
+             name = name[:-4]  # strip the extra .zip before download
+ 
+-        filename = os.path.join(tmpdir, name)
+        return os.path.join(tmpdir, name)
+ 
+    def _download_url(self, url, tmpdir):
+        """
+        Determine the download filename.
+        """
+        filename = self._resolve_download_filename(url, tmpdir)
+         return self._download_vcs(url, filename) or self._download_other(url, filename)
+ 
+     @staticmethod
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
new file mode 100644
index 0000000000..be6617e0f6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
@@ -0,0 +1,59 @@
+From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Sat, 19 Apr 2025 13:03:47 -0400
+Subject: [PATCH] Add a check to ensure the name resolves relative to the
+ tmpdir.
+Closes #4946
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b]
+CVE: CVE-2025-47273
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ setuptools/package_index.py | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index d460fcb..6c7874d 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -818,12 +818,20 @@ class PackageIndex(Environment):
+     @staticmethod
+     def _resolve_download_filename(url, tmpdir):
+         """
+        >>> import pathlib
+         >>> du = PackageIndex._resolve_download_filename
+         >>> root = getfixture('tmp_path')
+         >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+-        >>> import pathlib
+         >>> str(pathlib.Path(du(url, root)).relative_to(root))
+         'setuptools-78.1.0.tar.gz'
+
+        Ensures the target is always in tmpdir.
+
+        >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
+        >>> du(url, root)
+        Traceback (most recent call last):
+        ...
+        ValueError: Invalid filename...
+         """
+         name, fragment = egg_info_for_url(url)
+         if name:
+@@ -835,7 +843,13 @@ class PackageIndex(Environment):
+         if name.endswith('.egg.zip'):
+             name = name[:-4]  # strip the extra .zip before download
+ 
+-        return os.path.join(tmpdir, name)
+        filename = os.path.join(tmpdir, name)
+
+        # ensure path resolves within the tmpdir
+        if not filename.startswith(str(tmpdir)):
+            raise ValueError(f"Invalid filename {filename}")
+
+        return filename
+ 
+     def _download_url(self, url, tmpdir):
+         """
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
index 7663101f23..46b2f0ab00 100644
--- a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
@@ -13,6 +13,8 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e
 SRC_URI += " \
            file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
            file://CVE-2024-6345.patch \
+            file://CVE-2025-47273-pre1.patch \
+            file://CVE-2025-47273.patch \
 "
 SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-06-05 12:44:10 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-11 08:17:34 -0700
commit	6ba8b8a487f61d511904dd7263a58a794d3d3bb5 (patch)
tree	ea4c0f124496df75fc42928253e9f53adf22eb6c
parent	bf752e4e25e251cf550c1406afef682530b6ceb5 (diff)
download	poky-6ba8b8a487f61d511904dd7263a58a794d3d3bb5.tar.gz

diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch new file mode 100644 index 0000000000..72bcaea435 --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
@@ -0,0 +1,54 @@
		1	From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Sat, 19 Apr 2025 12:49:55 -0400
		4	Subject: [PATCH] Extract _resolve_download_filename with test.
		5
		6	Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]
		7	CVE: CVE-2025-47273 #Dependency Patch
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	setuptools/package_index.py \| 20 ++++++++++++++++----
		11	1 file changed, 16 insertions(+), 4 deletions(-)
		12
		13	diff --git a/setuptools/package_index.py b/setuptools/package_index.py
		14	index 00a972d..d460fcb 100644
		15	--- a/setuptools/package_index.py
		16	+++ b/setuptools/package_index.py
		17	@@ -815,9 +815,16 @@ class PackageIndex(Environment):
		18	else:
		19	raise DistutilsError("Download error for %s: %s" % (url, v)) from v
		20
		21	- def _download_url(self, url, tmpdir):
		22	- # Determine download filename
		23	- #
		24	+ @staticmethod
		25	+ def _resolve_download_filename(url, tmpdir):
		26	+ """
		27	+ >>> du = PackageIndex._resolve_download_filename
		28	+ >>> root = getfixture('tmp_path')
		29	+ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
		30	+ >>> import pathlib
		31	+ >>> str(pathlib.Path(du(url, root)).relative_to(root))
		32	+ 'setuptools-78.1.0.tar.gz'
		33	+ """
		34	name, fragment = egg_info_for_url(url)
		35	if name:
		36	while '..' in name:
		37	@@ -828,8 +835,13 @@ class PackageIndex(Environment):
		38	if name.endswith('.egg.zip'):
		39	name = name[:-4] # strip the extra .zip before download
		40
		41	- filename = os.path.join(tmpdir, name)
		42	+ return os.path.join(tmpdir, name)
		43
		44	+ def _download_url(self, url, tmpdir):
		45	+ """
		46	+ Determine the download filename.
		47	+ """
		48	+ filename = self._resolve_download_filename(url, tmpdir)
		49	return self._download_vcs(url, filename) or self._download_other(url, filename)
		50
		51	@staticmethod
		52	--
		53	2.25.1
		54


diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch new file mode 100644 index 0000000000..be6617e0f6 --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
@@ -0,0 +1,59 @@
		1	From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Sat, 19 Apr 2025 13:03:47 -0400
		4	Subject: [PATCH] Add a check to ensure the name resolves relative to the
		5	tmpdir.
		6
		7	Closes #4946
		8
		9	Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b]
		10	CVE: CVE-2025-47273
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	setuptools/package_index.py \| 18 ++++++++++++++++--
		14	1 file changed, 16 insertions(+), 2 deletions(-)
		15
		16	diff --git a/setuptools/package_index.py b/setuptools/package_index.py
		17	index d460fcb..6c7874d 100644
		18	--- a/setuptools/package_index.py
		19	+++ b/setuptools/package_index.py
		20	@@ -818,12 +818,20 @@ class PackageIndex(Environment):
		21	@staticmethod
		22	def _resolve_download_filename(url, tmpdir):
		23	"""
		24	+ >>> import pathlib
		25	>>> du = PackageIndex._resolve_download_filename
		26	>>> root = getfixture('tmp_path')
		27	>>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
		28	- >>> import pathlib
		29	>>> str(pathlib.Path(du(url, root)).relative_to(root))
		30	'setuptools-78.1.0.tar.gz'
		31	+
		32	+ Ensures the target is always in tmpdir.
		33	+
		34	+ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
		35	+ >>> du(url, root)
		36	+ Traceback (most recent call last):
		37	+ ...
		38	+ ValueError: Invalid filename...
		39	"""
		40	name, fragment = egg_info_for_url(url)
		41	if name:
		42	@@ -835,7 +843,13 @@ class PackageIndex(Environment):
		43	if name.endswith('.egg.zip'):
		44	name = name[:-4] # strip the extra .zip before download
		45
		46	- return os.path.join(tmpdir, name)
		47	+ filename = os.path.join(tmpdir, name)
		48	+
		49	+ # ensure path resolves within the tmpdir
		50	+ if not filename.startswith(str(tmpdir)):
		51	+ raise ValueError(f"Invalid filename {filename}")
		52	+
		53	+ return filename
		54
		55	def _download_url(self, url, tmpdir):
		56	"""
		57	--
		58	2.25.1
		59


diff --git a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb index 7663101f23..46b2f0ab00 100644 --- a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb +++ b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
@@ -13,6 +13,8 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e
13	SRC_URI += " \	13	SRC_URI += " \
14	file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \	14	file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
15	file://CVE-2024-6345.patch \	15	file://CVE-2024-6345.patch \
		16	file://CVE-2025-47273-pre1.patch \
		17	file://CVE-2025-47273.patch \
16	"	18	"
17		19
18	SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"	20	SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"