packages/python-setuptools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-40897

Browse Source 
(cherry picked from commit d4cbd5602bca5bd17406c3aac5b96594a046bc4b)
This commit is contained in:
zhuofeng 2023-01-04 10:59:49 +08:00 committed by openeuler-sync-bot
parent 2789913b29
commit bae5d708ed
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-CVE-2022-40897.patch Normal file
View File

@ -0,0 +1,43 @@
From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Fri, 4 Nov 2022 13:47:53 -0400
Subject: [PATCH] Limit the amount of whitespace to search/backtrack.Fixes
#3659.
---
setuptools/package_index.py | 2 +-
setuptools/tests/test_packageindex.py | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index f419d47..9a2da9d 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -214,7 +214,7 @@ def unique_values(func):
return wrapper
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
# this line is here to fix emacs' cruddy broken syntax highlighting
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index 60d968f..05820be 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -337,3 +337,11 @@ class TestPyPIConfig:
cred = cfg.creds_by_repository['https://pypi.org']
assert cred.username == 'jaraco'
assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+ """
+ REL should not hang on a contrived attack string.
+ """
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
--
2.27.0

10
python-setuptools.spec
View File

@ -11,13 +11,15 @@
Name: python-setuptools
Version: 44.1.1
Release: 1
Release: 2
Summary: Easily build and distribute Python packages
License: MIT and (BSD or ASL 2.0)
URL: https://pypi.python.org/pypi/setuptools
Source0: %{pypi_source setuptools %{version} zip}
Patch0: create-site-packages.patch
Patch6000: backport-CVE-2022-40897.patch
Patch9000: bugfix-eliminate-random-order-in-metadata.patch
BuildArch: noarch
@ -144,6 +146,12 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore=
%changelog
* Wed Jan 04 2023 zhuofeng <zhuofeng2@huawei.com> - 44.1.1-2
- Type:CVE
- CVE:CVE-2022-40897
- SUG:NA
- DESC:fix CVE-2022-40897
* Mon Aug 31 2020 shixuantong<shixuantong@huawei.com> - 44.1.1-1
- update version 44.1.1