ALP-pool/python-setuptools
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 python-setuptools revision 8f713d70e2cd213c4451008075e07558

Browse Source
This commit is contained in:
Adrian Schröter
2025-06-16 12:34:47 +02:00
parent 45a07ee547
commit 1fe935ff80
3 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
CVE-2025-47273.patch Normal file
View File

@@ -0,0 +1,26 @@
From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Sat, 19 Apr 2025 13:03:47 -0400
Subject: [PATCH] Add a check to ensure the name resolves relative to the
tmpdir.
Closes #4946
---
setuptools/package_index.py | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
Index: setuptools-69.0.2/setuptools/package_index.py
===================================================================
--- setuptools-69.0.2.orig/setuptools/package_index.py
+++ setuptools-69.0.2/setuptools/package_index.py
@@ -828,6 +828,10 @@ class PackageIndex(Environment):
filename = os.path.join(tmpdir, name)
+ # ensure path resolves within the tmpdir
+ if not filename.startswith(str(tmpdir)):
+ raise ValueError(f"Invalid filename {filename}")
+
return self._download_vcs(url, filename) or self._download_other(url, filename)
@staticmethod

7
python-setuptools.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue May 20 08:31:06 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Add patch CVE-2025-47273.patch to fix A path traversal
vulnerability.
(bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
-------------------------------------------------------------------
Mon Aug 12 04:29:42 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

2
python-setuptools.spec
View File

@@ -51,6 +51,8 @@ Patch2: fix-get-python-lib-python38.patch
Patch3: allow-only-direct-compilation.patch
# PATCH-FIX-UPSTREAM CVE-2024-6345 bsc#1228105
Patch4: CVE-2024-6345-code-execution-via-download-funcs.patch
# PATCH-FIX-UPSTREAM CVE-2025-47273.patch bsc#1243313, gh#pypa/setuptools@250a6d17978f
Patch5: CVE-2025-47273.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: fdupes
BuildRequires: python-rpm-macros