mirror of
git://git.yoctoproject.org/poky.git
synced 2025-07-19 12:59:02 +02:00
python3-setuptools: Fix CVE-2025-47273
Upstream-Status: Backport fromd8390feaa9&250a6d1797(From OE-Core rev: 9769cd99c32faf7d95a7cab07b8550b438ccaf0c) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
Steve Sakoman
parent
bf752e4e25
commit
6ba8b8a487
|
|
@ -0,0 +1,54 @@
|
|||
From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Sat, 19 Apr 2025 12:49:55 -0400
|
||||
Subject: [PATCH] Extract _resolve_download_filename with test.
|
||||
|
||||
Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]
|
||||
CVE: CVE-2025-47273 #Dependency Patch
|
||||
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||
---
|
||||
setuptools/package_index.py | 20 ++++++++++++++++----
|
||||
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
||||
index 00a972d..d460fcb 100644
|
||||
--- a/setuptools/package_index.py
|
||||
+++ b/setuptools/package_index.py
|
||||
@@ -815,9 +815,16 @@ class PackageIndex(Environment):
|
||||
else:
|
||||
raise DistutilsError("Download error for %s: %s" % (url, v)) from v
|
||||
|
||||
- def _download_url(self, url, tmpdir):
|
||||
- # Determine download filename
|
||||
- #
|
||||
+ @staticmethod
|
||||
+ def _resolve_download_filename(url, tmpdir):
|
||||
+ """
|
||||
+ >>> du = PackageIndex._resolve_download_filename
|
||||
+ >>> root = getfixture('tmp_path')
|
||||
+ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
|
||||
+ >>> import pathlib
|
||||
+ >>> str(pathlib.Path(du(url, root)).relative_to(root))
|
||||
+ 'setuptools-78.1.0.tar.gz'
|
||||
+ """
|
||||
name, fragment = egg_info_for_url(url)
|
||||
if name:
|
||||
while '..' in name:
|
||||
@@ -828,8 +835,13 @@ class PackageIndex(Environment):
|
||||
if name.endswith('.egg.zip'):
|
||||
name = name[:-4] # strip the extra .zip before download
|
||||
|
||||
- filename = os.path.join(tmpdir, name)
|
||||
+ return os.path.join(tmpdir, name)
|
||||
|
||||
+ def _download_url(self, url, tmpdir):
|
||||
+ """
|
||||
+ Determine the download filename.
|
||||
+ """
|
||||
+ filename = self._resolve_download_filename(url, tmpdir)
|
||||
return self._download_vcs(url, filename) or self._download_other(url, filename)
|
||||
|
||||
@staticmethod
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Sat, 19 Apr 2025 13:03:47 -0400
|
||||
Subject: [PATCH] Add a check to ensure the name resolves relative to the
|
||||
tmpdir.
|
||||
|
||||
Closes #4946
|
||||
|
||||
Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b]
|
||||
CVE: CVE-2025-47273
|
||||
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
||||
---
|
||||
setuptools/package_index.py | 18 ++++++++++++++++--
|
||||
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
||||
index d460fcb..6c7874d 100644
|
||||
--- a/setuptools/package_index.py
|
||||
+++ b/setuptools/package_index.py
|
||||
@@ -818,12 +818,20 @@ class PackageIndex(Environment):
|
||||
@staticmethod
|
||||
def _resolve_download_filename(url, tmpdir):
|
||||
"""
|
||||
+ >>> import pathlib
|
||||
>>> du = PackageIndex._resolve_download_filename
|
||||
>>> root = getfixture('tmp_path')
|
||||
>>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
|
||||
- >>> import pathlib
|
||||
>>> str(pathlib.Path(du(url, root)).relative_to(root))
|
||||
'setuptools-78.1.0.tar.gz'
|
||||
+
|
||||
+ Ensures the target is always in tmpdir.
|
||||
+
|
||||
+ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
|
||||
+ >>> du(url, root)
|
||||
+ Traceback (most recent call last):
|
||||
+ ...
|
||||
+ ValueError: Invalid filename...
|
||||
"""
|
||||
name, fragment = egg_info_for_url(url)
|
||||
if name:
|
||||
@@ -835,7 +843,13 @@ class PackageIndex(Environment):
|
||||
if name.endswith('.egg.zip'):
|
||||
name = name[:-4] # strip the extra .zip before download
|
||||
|
||||
- return os.path.join(tmpdir, name)
|
||||
+ filename = os.path.join(tmpdir, name)
|
||||
+
|
||||
+ # ensure path resolves within the tmpdir
|
||||
+ if not filename.startswith(str(tmpdir)):
|
||||
+ raise ValueError(f"Invalid filename {filename}")
|
||||
+
|
||||
+ return filename
|
||||
|
||||
def _download_url(self, url, tmpdir):
|
||||
"""
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
@ -13,6 +13,8 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e
|
|||
SRC_URI += " \
|
||||
file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
|
||||
file://CVE-2024-6345.patch \
|
||||
file://CVE-2025-47273-pre1.patch \
|
||||
file://CVE-2025-47273.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user