diff options
| author | Narpat Mali <narpat.mali@windriver.com> | 2023-01-10 08:18:05 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-01-26 23:37:05 +0000 |
| commit | 92b150b9f3f006542c869543b95ceb46986e5416 (patch) | |
| tree | fa058e1e763543e3eafeb7b26eee3232bd80fc33 /meta/recipes-devtools/python/python3-setuptools | |
| parent | da271d70f0491f81f567874282c8b57275171436 (diff) | |
| download | poky-92b150b9f3f006542c869543b95ceb46986e5416.tar.gz | |
python3-setuptools: fix for CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers
to cause a denial of service via HTML in a crafted package or custom PackageIndex
page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE: CVE-2022-40897
Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be]
(From OE-Core rev: f574d8d57ff3fbc38e350e7a90913993081c4fdf)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python/python3-setuptools')
| -rw-r--r-- | meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Narpat Mali <narpat.mali@windriver.com> | ||
| 3 | Date: Mon, 9 Jan 2023 14:45:05 +0000 | ||
| 4 | Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes | ||
| 5 | #3659. | ||
| 6 | |||
| 7 | CVE: CVE-2022-40897 | ||
| 8 | |||
| 9 | Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] | ||
| 10 | |||
| 11 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
| 12 | --- | ||
| 13 | setuptools/package_index.py | 2 +- | ||
| 14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 15 | |||
| 16 | diff --git a/setuptools/package_index.py b/setuptools/package_index.py | ||
| 17 | index 270e7f3..e93fcc6 100644 | ||
| 18 | --- a/setuptools/package_index.py | ||
| 19 | +++ b/setuptools/package_index.py | ||
| 20 | @@ -197,7 +197,7 @@ def unique_values(func): | ||
| 21 | return wrapper | ||
| 22 | |||
| 23 | |||
| 24 | -REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) | ||
| 25 | +REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) | ||
| 26 | # this line is here to fix emacs' cruddy broken syntax highlighting | ||
| 27 | |||
| 28 | |||
| 29 | -- | ||
| 30 | 2.34.1 | ||
| 31 | |||