From 1fe935ff809978a62357e1a404300a21850b15f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 16 Jun 2025 12:34:47 +0200
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 python-setuptools revision 8f713d70e2cd213c4451008075e07558
---
 CVE-2025-47273.patch | 26 ++++++++++++++++++++++++++
 python-setuptools.changes | 7 +++++++
 python-setuptools.spec | 2 ++
 3 files changed, 35 insertions(+)
 create mode 100644 CVE-2025-47273.patch
diff --git a/CVE-2025-47273.patch b/CVE-2025-47273.patch
new file mode 100644
index 0000000..e6628b4
--- /dev/null
+++ b/CVE-2025-47273.patch
@@ -0,0 +1,26 @@
+From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs"
+Date: Sat, 19 Apr 2025 13:03:47 -0400
+Subject: [PATCH] Add a check to ensure the name resolves relative to the
+ tmpdir.
+
+Closes #4946
+---
+ setuptools/package_index.py | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+Index: setuptools-69.0.2/setuptools/package_index.py
+===================================================================
+--- setuptools-69.0.2.orig/setuptools/package_index.py
++++ setuptools-69.0.2/setuptools/package_index.py
+@@ -828,6 +828,10 @@ class PackageIndex(Environment):
+ 
+ filename = os.path.join(tmpdir, name)
+ 
++ # ensure path resolves within the tmpdir
++ if not filename.startswith(str(tmpdir)):
++ raise ValueError(f"Invalid filename (unknown)")
++
+ return self._download_vcs(url, filename) or self._download_other(url, filename)
+ 
+ @staticmethod
diff --git a/python-setuptools.changes b/python-setuptools.changes
index 9b09779..270de5e 100644
--- a/python-setuptools.changes
+++ b/python-setuptools.changes
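Review bot: The guard `if not filename.startswith(str(tmpdir)):` in the CVE-2025-47273.patch hunk is a bare string-prefix test, so a path whose text merely begins with the tmpdir string (a sibling directory such as `<tmpdir>x`, or a `..` segment that `os.path.join` leaves unnormalized) still passes; the check is only as strong as whatever sanitization of `name` happens earlier in the enclosing method, which starts and ends outside this hunk. A containment test on resolved paths is more robust: `tmp_root = os.path.realpath(tmpdir)`; `if os.path.commonpath([tmp_root, os.path.realpath(filename)]) != tmp_root:`; `raise ValueError(f"Invalid filename {name!r}")`. The current message `f"Invalid filename (unknown)"` is also an f-string with no placeholders (ruff F541) and discards the rejected `name`, which is already in scope from the `os.path.join` on the line above and is what an operator needs to see in the log when a download is refused.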
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue May 20 08:31:06 UTC 2025 - Daniel Garcia
+
+- Add patch CVE-2025-47273.patch to fix A path traversal
+ vulnerability.
+ (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
+
 -------------------------------------------------------------------
 Mon Aug 12 04:29:42 UTC 2024 - Steve Kowalik
 
diff --git a/python-setuptools.spec b/python-setuptools.spec
index 444891a..3dbf6c9 100644
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@@ -51,6 +51,8 @@ Patch2: fix-get-python-lib-python38.patch
 Patch3: allow-only-direct-compilation.patch
 # PATCH-FIX-UPSTREAM CVE-2024-6345 bsc#1228105
 Patch4: CVE-2024-6345-code-execution-via-download-funcs.patch
+# PATCH-FIX-UPSTREAM CVE-2025-47273.patch bsc#1243313, gh#pypa/setuptools@250a6d17978f
+Patch5: CVE-2025-47273.patch
 BuildRequires: %{python_module base >= 3.7}
 BuildRequires: fdupes
 BuildRequires: python-rpm-macros