From bb3b2705612e8d3af312e0e5e8b6d82c7da6ce8d703c3e4774816455ccaef984 Mon Sep 17 00:00:00 2001 
From: Daniel Garcia
Date: Wed, 22 Oct 2025 05:57:02 +0000
Subject: [PATCH] - update to 0.9.5 (bsc#1252399, CVE-2025-62518)

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due to its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9

* Security
  * Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#16387)
* Enhancements
  * Add required environment marker example to hint (#16244)
  * Fix typo in MissingTopLevel warning (#16351)
  * Improve 403 Forbidden error message to indicate package may not exist (#16353)
  * Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#16318)
* Bug fixes
  * Fix backtick escaping for PowerShell (#16307)
* Documentation
  * Document metadata consistency expectation (#15683)
  * Remove outdated aarch64 musl note (#16385)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-uv?expand=0&rev=137
---
 python-uv-0.9.4.tar.gz |  3 ---
 python-uv-0.9.5.tar.gz |  3 +++
 python-uv.changes      | 36 ++++++++++++++++++++++++++++++++++++
 python-uv.spec         |  3 +--
 vendor.tar.zst         |  4 ++--
 5 files changed, 42 insertions(+), 7 deletions(-)
 delete mode 100644 python-uv-0.9.4.tar.gz
 create mode 100644 python-uv-0.9.5.tar.gz
diff --git a/python-uv-0.9.4.tar.gz b/python-uv-0.9.4.tar.gz deleted file mode 100644 index 3b3c3f7..0000000 --- a/python-uv-0.9.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ceb34b1fe1dff6802b966c283e8bcba48d57f15adf60baf630c4c556f8d3d7bb -size 4749319 diff --git a/python-uv-0.9.5.tar.gz b/python-uv-0.9.5.tar.gz new file mode 100644 index 0000000..af26706 --- /dev/null +++ b/python-uv-0.9.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9fd1dd030b37b51dcf79b582ea77a911eeb4015a00669bd3047d3b6adea37ba8 +size 4752059 diff --git a/python-uv.changes b/python-uv.changes index 641c96d..8a9634d 100644 --- a/python-uv.changes +++ b/python-uv.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Wed Oct 22 05:48:12 UTC 2025 - Daniel Garcia + +- update to 0.9.5 (bsc#1252399, CVE-2025-62518) + This release contains an upgrade to astral-tokio-tar, which addresses + a vulnerability in tar extraction on malformed archives with + mismatching size information between the ustar header and PAX + extensions. While the astral-tokio-tar advisory has been graded as + "high" due its potential broader impact, the specific impact to uv is + low due to a lack of novel attacker capability. Specifically, uv only + processes tar archives from source distributions, which already + possess the capability for full arbitrary code execution by design, + meaning that an attacker gains no additional capabilities through + astral-tokio-tar. + + Regardless, we take the hypothetical risk of parser differentials very + seriously. Out of an abundance of caution, we have assigned this + upgrade an advisory: + https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9 + + * Security + * Upgrade astral-tokio-tar to 0.5.6 to address a parsing + differential (#16387) + * Enhancements + * Add required environment marker example to hint (#16244) + * Fix typo in MissingTopLevel warning (#16351) + * Improve 403 Forbidden error message to indicate package may not + exist (#16353) + * Add a hint on uv pip install failure if the --system flag is + used to select an externally managed interpreter (#16318) + * Bug fixes + * Fix backtick escaping for PowerShell (#16307) + * Documentation + * Document metadata consistency expectation (#15683) + * Remove outdated aarch64 musl note (#16385) + ------------------------------------------------------------------- Sun Oct 19 22:01:08 UTC 2025 - Ondřej Súkup diff --git a/python-uv.spec b/python-uv.spec index 0276f5a..d610156 100644 --- a/python-uv.spec +++ b/python-uv.spec 
@@ -1,7 +1,6 @@ # # spec file for package python-uv # -# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -34,7 +33,7 @@ %bcond_without libalternatives %{?sle15_python_module_pythons} Name: python-uv -Version: 0.9.4 +Version: 0.9.5 Release: 0 Summary: A Python package installer and resolver, written in Rust License: Apache-2.0 OR MIT diff --git a/vendor.tar.zst b/vendor.tar.zst index f6de1ee..254efce 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:95c1d3d5085d266f7c4fe79e3c0901243f69042ac9beb4b56547feea56477ef7 -size 66216742 +oid sha256:e7450717b1b2bd0f0918060ed77a8d654a6da002f3d0e066b1c971f0c7a13366 +size 65628991
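Review bot: in the python-uv-0.9.4.tar.gz / python-uv-0.9.5.tar.gz hunks the only content is the swapped git-lfs pointer (`+oid sha256:9fd1dd03…`, `+size 4752059`), so nothing in the diff lets a reviewer verify that this tarball is the upstream 0.9.5 release; before accepting, compare the sha256 against the upstream release artifact and consider noting in the changelog how the tarball was obtained, since the whole CVE-2025-62518 fix claim rests on this source being genuine.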
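Review bot: the python-uv.changes hunk carries the grammatical slip `"high" due its potential broader impact` in its added lines; it should read "due to its potential broader impact". The rest of the entry is fine: it names both tracking ids (bsc#1252399, CVE-2025-62518), links the upstream advisory, and separates the Security item from the unrelated enhancements.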
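Review bot: the first python-uv.spec hunk removes `-# Copyright (c) 2025 SUSE LLC`, leaving only the `SUSE LLC and contributors` line; that header cleanup is unrelated to the version bump and is not mentioned anywhere in the python-uv.changes entry, so either add a line for it to the changelog or split it into a separate commit so the security update stays reviewable on its own. The second spec hunk (`-Version: 0.9.4` / `+Version: 0.9.5`, Release left at 0) is as expected.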
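Review bot: the vendor.tar.zst hunk only replaces the LFS pointer (`+oid sha256:e7450717…`, size 66216742 → 65628991), so the diff gives no evidence that the vendored astral-tokio-tar is actually 0.5.6, which is the change that addresses CVE-2025-62518 according to the changelog; before accepting, unpack the vendor tarball and confirm the crate version in its Cargo.toml (or the Cargo.lock shipped with the source), and consider recording that check in the changelog entry so the CVE reference is backed by something verifiable.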