6 files changed, 300 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-zipp/0001-Add-SanitizedNames-mixin.patch b/meta/recipes-devtools/python/python3-zipp/0001-Add-SanitizedNames-mixin.patch
new file mode 100644
index 0000000000..a352e7b9bd
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-zipp/0001-Add-SanitizedNames-mixin.patch
@@ -0,0 +1,89 @@
+From ef2227e35d1ae833b7bfa1674a45f58c732ae1a6 Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Wed, 27 Nov 2024 23:27:57 -0800
+Subject: [PATCH 1/5] Add SanitizedNames mixin.
+Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/564fcc10cdbfdaecdb33688e149827465931c9e0]
+CVE: CVE-2024-5569
+Rebase to v3.7.0
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ zipp.py | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 62 insertions(+)
+diff --git a/zipp.py b/zipp.py
+index 26b723c..8f0950f 100644
+--- a/zipp.py
+++ b/zipp.py
+@@ -68,6 +68,68 @@ def _difference(minuend, subtrahend):
+     return itertools.filterfalse(set(subtrahend).__contains__, minuend)
+ 
+ 
+class SanitizedNames:
+    """
+    ZipFile mix-in to ensure names are sanitized.
+    """
+
+    def namelist(self):
+        return list(map(self._sanitize, super().namelist()))
+
+    @staticmethod
+    def _sanitize(name):
+        r"""
+        Ensure a relative path with posix separators and no dot names.
+
+        Modeled after
+        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
+        but provides consistent cross-platform behavior.
+
+        >>> san = SanitizedNames._sanitize
+        >>> san('/foo/bar')
+        'foo/bar'
+        >>> san('//foo.txt')
+        'foo.txt'
+        >>> san('foo/.././bar.txt')
+        'foo/bar.txt'
+        >>> san('foo../.bar.txt')
+        'foo../.bar.txt'
+        >>> san('\\foo\\bar.txt')
+        'foo/bar.txt'
+        >>> san('D:\\foo.txt')
+        'D/foo.txt'
+        >>> san('\\\\server\\share\\file.txt')
+        'server/share/file.txt'
+        >>> san('\\\\?\\GLOBALROOT\\Volume3')
+        '?/GLOBALROOT/Volume3'
+        >>> san('\\\\.\\PhysicalDrive1\\root')
+        'PhysicalDrive1/root'
+
+        Retain any trailing slash.
+        >>> san('abc/')
+        'abc/'
+
+        Raises a ValueError if the result is empty.
+        >>> san('../..')
+        Traceback (most recent call last):
+        ...
+        ValueError: Empty filename
+        """
+
+        def allowed(part):
+            return part and part not in {'..', '.'}
+
+        # Remove the drive letter.
+        # Don't use ntpath.splitdrive, because that also strips UNC paths
+        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
+        clean = bare.replace('\\', '/')
+        parts = clean.split('/')
+        joined = '/'.join(filter(allowed, parts))
+        if not joined:
+            raise ValueError("Empty filename")
+        return joined + '/' * name.endswith('/')
+
+
+ class CompleteDirs(zipfile.ZipFile):
+     """
+     A ZipFile subclass that ensures that implied directories
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-zipp/0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch b/meta/recipes-devtools/python/python3-zipp/0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch
new file mode 100644
index 0000000000..d2ea4d49a1
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-zipp/0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch
@@ -0,0 +1,30 @@
+From 8b09dbf95b3ba78a63f220941e31ac92f4ad192c Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Wed, 27 Nov 2024 23:31:57 -0800
+Subject: [PATCH 2/5] Employ SanitizedNames in CompleteDirs. Fixes broken test.
+Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/58115d2be968644ce71ce6bcc9b79826c82a1806]
+Remove test code
+Rebase to v3.7.0
+CVE: CVE-2024-5569
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ zipp.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/zipp.py b/zipp.py
+index 8f0950f..29d2572 100644
+--- a/zipp.py
+++ b/zipp.py
+@@ -130,7 +130,7 @@ class SanitizedNames:
+         return joined + '/' * name.endswith('/')
+ 
+ 
+-class CompleteDirs(zipfile.ZipFile):
+class CompleteDirs(SanitizedNames, zipfile.ZipFile):
+     """
+     A ZipFile subclass that ensures that implied directories
+     are always included in the namelist.
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch b/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch
new file mode 100644
index 0000000000..45a7dc5bb1
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch
@@ -0,0 +1,95 @@
+From b52b8af403e64607ae8d5e4cd18d4099d63e7264 Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Wed, 27 Nov 2024 23:33:11 -0800
+Subject: [PATCH 3/5] Removed SanitizedNames.
+Restores expectations around special characters in zipfiles, but also restores the infinite loop.
+Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876]
+Remove test codes
+Rebase to v3.7.0
+CVE: CVE-2024-5569
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ zipp.py | 64 +--------------------------------------------------------
+ 1 file changed, 1 insertion(+), 63 deletions(-)
+diff --git a/zipp.py b/zipp.py
+index 29d2572..26b723c 100644
+--- a/zipp.py
+++ b/zipp.py
+@@ -68,69 +68,7 @@ def _difference(minuend, subtrahend):
+     return itertools.filterfalse(set(subtrahend).__contains__, minuend)
+ 
+ 
+-class SanitizedNames:
+-    """
+-    ZipFile mix-in to ensure names are sanitized.
+-    """
+-
+-    def namelist(self):
+-        return list(map(self._sanitize, super().namelist()))
+-
+-    @staticmethod
+-    def _sanitize(name):
+-        r"""
+-        Ensure a relative path with posix separators and no dot names.
+-
+-        Modeled after
+-        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
+-        but provides consistent cross-platform behavior.
+-
+-        >>> san = SanitizedNames._sanitize
+-        >>> san('/foo/bar')
+-        'foo/bar'
+-        >>> san('//foo.txt')
+-        'foo.txt'
+-        >>> san('foo/.././bar.txt')
+-        'foo/bar.txt'
+-        >>> san('foo../.bar.txt')
+-        'foo../.bar.txt'
+-        >>> san('\\foo\\bar.txt')
+-        'foo/bar.txt'
+-        >>> san('D:\\foo.txt')
+-        'D/foo.txt'
+-        >>> san('\\\\server\\share\\file.txt')
+-        'server/share/file.txt'
+-        >>> san('\\\\?\\GLOBALROOT\\Volume3')
+-        '?/GLOBALROOT/Volume3'
+-        >>> san('\\\\.\\PhysicalDrive1\\root')
+-        'PhysicalDrive1/root'
+-
+-        Retain any trailing slash.
+-        >>> san('abc/')
+-        'abc/'
+-
+-        Raises a ValueError if the result is empty.
+-        >>> san('../..')
+-        Traceback (most recent call last):
+-        ...
+-        ValueError: Empty filename
+-        """
+-
+-        def allowed(part):
+-            return part and part not in {'..', '.'}
+-
+-        # Remove the drive letter.
+-        # Don't use ntpath.splitdrive, because that also strips UNC paths
+-        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
+-        clean = bare.replace('\\', '/')
+-        parts = clean.split('/')
+-        joined = '/'.join(filter(allowed, parts))
+-        if not joined:
+-            raise ValueError("Empty filename")
+-        return joined + '/' * name.endswith('/')
+-
+-
+-class CompleteDirs(SanitizedNames, zipfile.ZipFile):
+class CompleteDirs(zipfile.ZipFile):
+     """
+     A ZipFile subclass that ensures that implied directories
+     are always included in the namelist.
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-zipp/0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch b/meta/recipes-devtools/python/python3-zipp/0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch
new file mode 100644
index 0000000000..46871122a9
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-zipp/0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch
@@ -0,0 +1,48 @@
+From ef4ee19919bd49a9c1207ff8d87f83dd48aed436 Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Wed, 27 Nov 2024 23:35:28 -0800
+Subject: [PATCH 4/5] Address infinite loop when zipfile begins with more than
+ one leading slash.
+Alternate and more surgical fix for jaraco/zipp#119. Ref python/cpython#123270
+Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48]
+Remove test codes
+Rebase to v3.7.0
+CVE: CVE-2024-5569
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ zipp.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+diff --git a/zipp.py b/zipp.py
+index 26b723c..236af49 100644
+--- a/zipp.py
+++ b/zipp.py
+@@ -37,7 +37,7 @@ def _parents(path):
+ def _ancestry(path):
+     """
+     Given a path with elements separated by
+-    posixpath.sep, generate all elements of that path
+    posixpath.sep, generate all elements of that path.
+ 
+     >>> list(_ancestry('b/d'))
+     ['b/d', 'b']
+@@ -49,9 +49,13 @@ def _ancestry(path):
+     ['b']
+     >>> list(_ancestry(''))
+     []
+    Multiple separators are treated like a single.
+
+    >>> list(_ancestry('//b//d///f//'))
+    ['//b//d///f', '//b//d', '//b']
+     """
+     path = path.rstrip(posixpath.sep)
+-    while path and path != posixpath.sep:
+    while path and not path.endswith(posixpath.sep):
+         yield path
+         path, tail = posixpath.split(path)
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-zipp/0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch b/meta/recipes-devtools/python/python3-zipp/0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch
new file mode 100644
index 0000000000..de91c68361
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-zipp/0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch
@@ -0,0 +1,30 @@
+From 9084bc59784cb240628996c1cb95f4f786ebedcc Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Wed, 27 Nov 2024 23:38:28 -0800
+Subject: [PATCH 5/5] Prefer simpler path.rstrip to consolidate checks for
+ empty or only paths.
+Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09]
+Rebase to v3.7.0
+CVE: CVE-2024-5569
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ zipp.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/zipp.py b/zipp.py
+index 236af49..87c4219 100644
+--- a/zipp.py
+++ b/zipp.py
+@@ -55,7 +55,7 @@ def _ancestry(path):
+     ['//b//d///f', '//b//d', '//b']
+     """
+     path = path.rstrip(posixpath.sep)
+-    while path and not path.endswith(posixpath.sep):
+    while path.rstrip(posixpath.sep):
+         yield path
+         path, tail = posixpath.split(path)
+ 
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-zipp_3.7.0.bb b/meta/recipes-devtools/python/python3-zipp_3.7.0.bb
index 495e7f51f0..d9db1b4408 100644
--- a/meta/recipes-devtools/python/python3-zipp_3.7.0.bb
+++ b/meta/recipes-devtools/python/python3-zipp_3.7.0.bb
@@ -9,6 +9,14 @@ DEPENDS += "${PYTHON_PN}-setuptools-scm-native"
 inherit pypi python_setuptools_build_meta
+SRC_URI += " \
+    file://0001-Add-SanitizedNames-mixin.patch \
+    file://0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch \
+    file://0003-Removed-SanitizedNames.patch \
+    file://0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch \
+    file://0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch \
+"
 DEPENDS += "${PYTHON_PN}-toml-native"
 RDEPENDS:${PN} += "${PYTHON_PN}-compression \

diff --git a/meta/recipes-devtools/python/python3-zipp/0001-Add-SanitizedNames-mixin.patch b/meta/recipes-devtools/python/python3-zipp/0001-Add-SanitizedNames-mixin.patch new file mode 100644 index 0000000000..a352e7b9bd --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/0001-Add-SanitizedNames-mixin.patch
@@ -0,0 +1,89 @@
		1	From ef2227e35d1ae833b7bfa1674a45f58c732ae1a6 Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Wed, 27 Nov 2024 23:27:57 -0800
		4	Subject: [PATCH 1/5] Add SanitizedNames mixin.
		5
		6	Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/564fcc10cdbfdaecdb33688e149827465931c9e0]
		7	CVE: CVE-2024-5569
		8	Rebase to v3.7.0
		9	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		10	---
		11	zipp.py \| 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
		12	1 file changed, 62 insertions(+)
		13
		14	diff --git a/zipp.py b/zipp.py
		15	index 26b723c..8f0950f 100644
		16	--- a/zipp.py
		17	+++ b/zipp.py
		18	@@ -68,6 +68,68 @@ def _difference(minuend, subtrahend):
		19	return itertools.filterfalse(set(subtrahend).__contains__, minuend)
		20
		21
		22	+class SanitizedNames:
		23	+ """
		24	+ ZipFile mix-in to ensure names are sanitized.
		25	+ """
		26	+
		27	+ def namelist(self):
		28	+ return list(map(self._sanitize, super().namelist()))
		29	+
		30	+ @staticmethod
		31	+ def _sanitize(name):
		32	+ r"""
		33	+ Ensure a relative path with posix separators and no dot names.
		34	+
		35	+ Modeled after
		36	+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
		37	+ but provides consistent cross-platform behavior.
		38	+
		39	+ >>> san = SanitizedNames._sanitize
		40	+ >>> san('/foo/bar')
		41	+ 'foo/bar'
		42	+ >>> san('//foo.txt')
		43	+ 'foo.txt'
		44	+ >>> san('foo/.././bar.txt')
		45	+ 'foo/bar.txt'
		46	+ >>> san('foo../.bar.txt')
		47	+ 'foo../.bar.txt'
		48	+ >>> san('\\foo\\bar.txt')
		49	+ 'foo/bar.txt'
		50	+ >>> san('D:\\foo.txt')
		51	+ 'D/foo.txt'
		52	+ >>> san('\\\\server\\share\\file.txt')
		53	+ 'server/share/file.txt'
		54	+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
		55	+ '?/GLOBALROOT/Volume3'
		56	+ >>> san('\\\\.\\PhysicalDrive1\\root')
		57	+ 'PhysicalDrive1/root'
		58	+
		59	+ Retain any trailing slash.
		60	+ >>> san('abc/')
		61	+ 'abc/'
		62	+
		63	+ Raises a ValueError if the result is empty.
		64	+ >>> san('../..')
		65	+ Traceback (most recent call last):
		66	+ ...
		67	+ ValueError: Empty filename
		68	+ """
		69	+
		70	+ def allowed(part):
		71	+ return part and part not in {'..', '.'}
		72	+
		73	+ # Remove the drive letter.
		74	+ # Don't use ntpath.splitdrive, because that also strips UNC paths
		75	+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
		76	+ clean = bare.replace('\\', '/')
		77	+ parts = clean.split('/')
		78	+ joined = '/'.join(filter(allowed, parts))
		79	+ if not joined:
		80	+ raise ValueError("Empty filename")
		81	+ return joined + '/' * name.endswith('/')
		82	+
		83	+
		84	class CompleteDirs(zipfile.ZipFile):
		85	"""
		86	A ZipFile subclass that ensures that implied directories
		87	--
		88	2.25.1
		89


diff --git a/meta/recipes-devtools/python/python3-zipp/0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch b/meta/recipes-devtools/python/python3-zipp/0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch new file mode 100644 index 0000000000..d2ea4d49a1 --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch
@@ -0,0 +1,30 @@
		1	From 8b09dbf95b3ba78a63f220941e31ac92f4ad192c Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Wed, 27 Nov 2024 23:31:57 -0800
		4	Subject: [PATCH 2/5] Employ SanitizedNames in CompleteDirs. Fixes broken test.
		5
		6	Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/58115d2be968644ce71ce6bcc9b79826c82a1806]
		7	Remove test code
		8	Rebase to v3.7.0
		9	CVE: CVE-2024-5569
		10	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		11	---
		12	zipp.py \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/zipp.py b/zipp.py
		16	index 8f0950f..29d2572 100644
		17	--- a/zipp.py
		18	+++ b/zipp.py
		19	@@ -130,7 +130,7 @@ class SanitizedNames:
		20	return joined + '/' * name.endswith('/')
		21
		22
		23	-class CompleteDirs(zipfile.ZipFile):
		24	+class CompleteDirs(SanitizedNames, zipfile.ZipFile):
		25	"""
		26	A ZipFile subclass that ensures that implied directories
		27	are always included in the namelist.
		28	--
		29	2.25.1
		30


diff --git a/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch b/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch new file mode 100644 index 0000000000..45a7dc5bb1 --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch
@@ -0,0 +1,95 @@
		1	From b52b8af403e64607ae8d5e4cd18d4099d63e7264 Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Wed, 27 Nov 2024 23:33:11 -0800
		4	Subject: [PATCH 3/5] Removed SanitizedNames.
		5
		6	Restores expectations around special characters in zipfiles, but also restores the infinite loop.
		7
		8	Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876]
		9	Remove test codes
		10	Rebase to v3.7.0
		11	CVE: CVE-2024-5569
		12
		13	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		14	---
		15	zipp.py \| 64 +--------------------------------------------------------
		16	1 file changed, 1 insertion(+), 63 deletions(-)
		17
		18	diff --git a/zipp.py b/zipp.py
		19	index 29d2572..26b723c 100644
		20	--- a/zipp.py
		21	+++ b/zipp.py
		22	@@ -68,69 +68,7 @@ def _difference(minuend, subtrahend):
		23	return itertools.filterfalse(set(subtrahend).__contains__, minuend)
		24
		25
		26	-class SanitizedNames:
		27	- """
		28	- ZipFile mix-in to ensure names are sanitized.
		29	- """
		30	-
		31	- def namelist(self):
		32	- return list(map(self._sanitize, super().namelist()))
		33	-
		34	- @staticmethod
		35	- def _sanitize(name):
		36	- r"""
		37	- Ensure a relative path with posix separators and no dot names.
		38	-
		39	- Modeled after
		40	- https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
		41	- but provides consistent cross-platform behavior.
		42	-
		43	- >>> san = SanitizedNames._sanitize
		44	- >>> san('/foo/bar')
		45	- 'foo/bar'
		46	- >>> san('//foo.txt')
		47	- 'foo.txt'
		48	- >>> san('foo/.././bar.txt')
		49	- 'foo/bar.txt'
		50	- >>> san('foo../.bar.txt')
		51	- 'foo../.bar.txt'
		52	- >>> san('\\foo\\bar.txt')
		53	- 'foo/bar.txt'
		54	- >>> san('D:\\foo.txt')
		55	- 'D/foo.txt'
		56	- >>> san('\\\\server\\share\\file.txt')
		57	- 'server/share/file.txt'
		58	- >>> san('\\\\?\\GLOBALROOT\\Volume3')
		59	- '?/GLOBALROOT/Volume3'
		60	- >>> san('\\\\.\\PhysicalDrive1\\root')
		61	- 'PhysicalDrive1/root'
		62	-
		63	- Retain any trailing slash.
		64	- >>> san('abc/')
		65	- 'abc/'
		66	-
		67	- Raises a ValueError if the result is empty.
		68	- >>> san('../..')
		69	- Traceback (most recent call last):
		70	- ...
		71	- ValueError: Empty filename
		72	- """
		73	-
		74	- def allowed(part):
		75	- return part and part not in {'..', '.'}
		76	-
		77	- # Remove the drive letter.
		78	- # Don't use ntpath.splitdrive, because that also strips UNC paths
		79	- bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
		80	- clean = bare.replace('\\', '/')
		81	- parts = clean.split('/')
		82	- joined = '/'.join(filter(allowed, parts))
		83	- if not joined:
		84	- raise ValueError("Empty filename")
		85	- return joined + '/' * name.endswith('/')
		86	-
		87	-
		88	-class CompleteDirs(SanitizedNames, zipfile.ZipFile):
		89	+class CompleteDirs(zipfile.ZipFile):
		90	"""
		91	A ZipFile subclass that ensures that implied directories
		92	are always included in the namelist.
		93	--
		94	2.25.1
		95


diff --git a/meta/recipes-devtools/python/python3-zipp/0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch b/meta/recipes-devtools/python/python3-zipp/0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch new file mode 100644 index 0000000000..46871122a9 --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch
@@ -0,0 +1,48 @@
		1	From ef4ee19919bd49a9c1207ff8d87f83dd48aed436 Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Wed, 27 Nov 2024 23:35:28 -0800
		4	Subject: [PATCH 4/5] Address infinite loop when zipfile begins with more than
		5	one leading slash.
		6
		7	Alternate and more surgical fix for jaraco/zipp#119. Ref python/cpython#123270
		8
		9	Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48]
		10	Remove test codes
		11	Rebase to v3.7.0
		12	CVE: CVE-2024-5569
		13	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		14	---
		15	zipp.py \| 8 ++++++--
		16	1 file changed, 6 insertions(+), 2 deletions(-)
		17
		18	diff --git a/zipp.py b/zipp.py
		19	index 26b723c..236af49 100644
		20	--- a/zipp.py
		21	+++ b/zipp.py
		22	@@ -37,7 +37,7 @@ def _parents(path):
		23	def _ancestry(path):
		24	"""
		25	Given a path with elements separated by
		26	- posixpath.sep, generate all elements of that path
		27	+ posixpath.sep, generate all elements of that path.
		28
		29	>>> list(_ancestry('b/d'))
		30	['b/d', 'b']
		31	@@ -49,9 +49,13 @@ def _ancestry(path):
		32	['b']
		33	>>> list(_ancestry(''))
		34	[]
		35	+ Multiple separators are treated like a single.
		36	+
		37	+ >>> list(_ancestry('//b//d///f//'))
		38	+ ['//b//d///f', '//b//d', '//b']
		39	"""
		40	path = path.rstrip(posixpath.sep)
		41	- while path and path != posixpath.sep:
		42	+ while path and not path.endswith(posixpath.sep):
		43	yield path
		44	path, tail = posixpath.split(path)
		45
		46	--
		47	2.25.1
		48


diff --git a/meta/recipes-devtools/python/python3-zipp/0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch b/meta/recipes-devtools/python/python3-zipp/0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch new file mode 100644 index 0000000000..de91c68361 --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch
@@ -0,0 +1,30 @@
		1	From 9084bc59784cb240628996c1cb95f4f786ebedcc Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Wed, 27 Nov 2024 23:38:28 -0800
		4	Subject: [PATCH 5/5] Prefer simpler path.rstrip to consolidate checks for
		5	empty or only paths.
		6
		7	Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09]
		8	Rebase to v3.7.0
		9	CVE: CVE-2024-5569
		10	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		11	---
		12	zipp.py \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/zipp.py b/zipp.py
		16	index 236af49..87c4219 100644
		17	--- a/zipp.py
		18	+++ b/zipp.py
		19	@@ -55,7 +55,7 @@ def _ancestry(path):
		20	['//b//d///f', '//b//d', '//b']
		21	"""
		22	path = path.rstrip(posixpath.sep)
		23	- while path and not path.endswith(posixpath.sep):
		24	+ while path.rstrip(posixpath.sep):
		25	yield path
		26	path, tail = posixpath.split(path)
		27
		28	--
		29	2.25.1
		30


diff --git a/meta/recipes-devtools/python/python3-zipp_3.7.0.bb b/meta/recipes-devtools/python/python3-zipp_3.7.0.bb index 495e7f51f0..d9db1b4408 100644 --- a/meta/recipes-devtools/python/python3-zipp_3.7.0.bb +++ b/meta/recipes-devtools/python/python3-zipp_3.7.0.bb
@@ -9,6 +9,14 @@ DEPENDS += "${PYTHON_PN}-setuptools-scm-native"
9		9
10	inherit pypi python_setuptools_build_meta	10	inherit pypi python_setuptools_build_meta
11		11
		12	SRC_URI += " \
		13	file://0001-Add-SanitizedNames-mixin.patch \
		14	file://0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch \
		15	file://0003-Removed-SanitizedNames.patch \
		16	file://0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch \
		17	file://0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch \
		18	"
		19
12	DEPENDS += "${PYTHON_PN}-toml-native"	20	DEPENDS += "${PYTHON_PN}-toml-native"
13		21
14	RDEPENDS:${PN} += "${PYTHON_PN}-compression \	22	RDEPENDS:${PN} += "${PYTHON_PN}-compression \