python3-setuptools: fix for CVE-2022-40897

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. CVE: CVE-2022-40897 Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] (From OE-Core rev: f574d8d57ff3fbc38e350e7a90913993081c4fdf) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Narpat Mali <narpat.mali@windriver.com> 2023-01-10 08:18:05 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-01-26 23:37:05 +0000
commit: 92b150b9f3f006542c869543b95ceb46986e5416 (patch)
tree: fa058e1e763543e3eafeb7b26eee3232bd80fc33 /meta/recipes-devtools/python
parent: da271d70f0491f81f567874282c8b57275171436 (diff)
download: poky-92b150b9f3f006542c869543b95ceb46986e5416.tar.gz
2 files changed, 32 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
new file mode 100644
index 0000000000..20a13da7bc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
@@ -0,0 +1,31 @@
+From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001
+From: Narpat Mali <narpat.mali@windriver.com>
+Date: Mon, 9 Jan 2023 14:45:05 +0000
+Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes
+ #3659.
+CVE: CVE-2022-40897
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ setuptools/package_index.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 270e7f3..e93fcc6 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -197,7 +197,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
+-- 
+2.34.1
diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
index f2810e18d3..5f2676a04a 100644
--- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
@@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e
 SRC_URI += "\
    file://0001-change-shebang-to-python3.patch \
    file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \
+    file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \
 "
 SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"
author	Narpat Mali <narpat.mali@windriver.com>	2023-01-10 08:18:05 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-01-26 23:37:05 +0000
commit	92b150b9f3f006542c869543b95ceb46986e5416 (patch)
tree	fa058e1e763543e3eafeb7b26eee3232bd80fc33 /meta/recipes-devtools/python
parent	da271d70f0491f81f567874282c8b57275171436 (diff)
download	poky-92b150b9f3f006542c869543b95ceb46986e5416.tar.gz

diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
@@ -0,0 +1,31 @@
		1	From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001
		2	From: Narpat Mali <narpat.mali@windriver.com>
		3	Date: Mon, 9 Jan 2023 14:45:05 +0000
		4	Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes
		5	#3659.
		6
		7	CVE: CVE-2022-40897
		8
		9	Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be]
		10
		11	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		12	---
		13	setuptools/package_index.py \| 2 +-
		14	1 file changed, 1 insertion(+), 1 deletion(-)
		15
		16	diff --git a/setuptools/package_index.py b/setuptools/package_index.py
		17	index 270e7f3..e93fcc6 100644
		18	--- a/setuptools/package_index.py
		19	+++ b/setuptools/package_index.py
		20	@@ -197,7 +197,7 @@ def unique_values(func):
		21	return wrapper
		22
		23
		24	-REL = re.compile(r"""<([^>]\srel\s=\s['"]?([^'">]+)[^>])>""", re.I)
		25	+REL = re.compile(r"""<([^>]\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>])>""", re.I)
		26	# this line is here to fix emacs' cruddy broken syntax highlighting
		27
		28
		29	--
		30	2.34.1
		31


diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index f2810e18d3..5f2676a04a 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
@@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e
11	SRC_URI += "\	11	SRC_URI += "\
12	file://0001-change-shebang-to-python3.patch \	12	file://0001-change-shebang-to-python3.patch \
13	file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \	13	file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \
		14	file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \
14	"	15	"
15		16
16	SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"	17	SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"