python3-wheel: fix for CVE-2022-40898

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. CVE: CVE-2022-40898 Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] (From OE-Core rev: 0974291e545aec68755dfb634c75dca37cca1ea9) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Narpat Mali <narpat.mali@windriver.com> 2023-01-12 14:55:32 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-26 23:37:05 +0000
commit: fd36d262b86192bbc547f9a1e7aada5e94dccb8d (patch)
tree: 8b28034cec5a6877fc3780aba59f36cd42406aa1
parent: 92b150b9f3f006542c869543b95ceb46986e5416 (diff)
download: poky-fd36d262b86192bbc547f9a1e7aada5e94dccb8d.tar.gz
2 files changed, 35 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
new file mode 100644
index 0000000000..bdaae7dd10
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
@@ -0,0 +1,32 @@
+From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001
+From: Narpat Mali <narpat.mali@windriver.com>
+Date: Wed, 11 Jan 2023 07:45:57 +0000
+Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
+CVE: CVE-2022-40898
+Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/wheel/wheelfile.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
+index 21e7361..ff06edf 100644
+--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
+@@ -27,8 +27,8 @@ else:
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+-    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
+-     -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
+    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
+     re.VERBOSE)
+ 
+ 
+-- 
+2.32.0
diff --git a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb
index 2f7dd122ba..3ee03ddd36 100644
--- a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb
+++ b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb
@@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495
 inherit python_flit_core pypi
-SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch"
+SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \
+            file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \
+           "
 BBCLASSEXTEND = "native nativesdk"
author	Narpat Mali <narpat.mali@windriver.com>	2023-01-12 14:55:32 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-26 23:37:05 +0000
commit	fd36d262b86192bbc547f9a1e7aada5e94dccb8d (patch)
tree	8b28034cec5a6877fc3780aba59f36cd42406aa1
parent	92b150b9f3f006542c869543b95ceb46986e5416 (diff)
download	poky-fd36d262b86192bbc547f9a1e7aada5e94dccb8d.tar.gz

diff --git a/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch new file mode 100644 index 0000000000..bdaae7dd10 --- /dev/null +++ b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
@@ -0,0 +1,32 @@
		1	From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001
		2	From: Narpat Mali <narpat.mali@windriver.com>
		3	Date: Wed, 11 Jan 2023 07:45:57 +0000
		4	Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
		5
		6	CVE: CVE-2022-40898
		7
		8	Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0]
		9
		10	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		11	---
		12	src/wheel/wheelfile.py \| 4 ++--
		13	1 file changed, 2 insertions(+), 2 deletions(-)
		14
		15	diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
		16	index 21e7361..ff06edf 100644
		17	--- a/src/wheel/wheelfile.py
		18	+++ b/src/wheel/wheelfile.py
		19	@@ -27,8 +27,8 @@ else:
		20	# Non-greedy matching of an optional build number may be too clever (more
		21	# invalid wheel filenames will match). Separate regex for .dist-info?
		22	WHEEL_INFO_RE = re.compile(
		23	- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
		24	- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
		25	+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
		26	+ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
		27	re.VERBOSE)
		28
		29
		30	--
		31	2.32.0
		32


diff --git a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb index 2f7dd122ba..3ee03ddd36 100644 --- a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb +++ b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb
@@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495
8		8
9	inherit python_flit_core pypi	9	inherit python_flit_core pypi
10		10
11	SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch"	11	SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \
		12	file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \
		13	"
12		14
13	BBCLASSEXTEND = "native nativesdk"	15	BBCLASSEXTEND = "native nativesdk"
14		16