Add also references to CVE-2025-58160 and bsc#1249011

CVE-2025-54368.patch

@@ -38,7 +38,6 @@ In rare cases, this validation can be disabled by setting
 `UV_INSECURE_NO_ZIP_VALIDATION=1`. Any validations should be reported to
 the uv issue tracker and to the upstream package maintainer.
 ---
- Cargo.lock                        |   7 +-
  Cargo.toml                        |   2 +-
  crates/uv-dev/Cargo.toml          |   7 +-
  crates/uv-dev/src/lib.rs          |   5 +
@@ -57,45 +56,6 @@ the uv issue tracker and to the upstream package maintainer.
  create mode 100644 crates/uv-dev/src/validate_zip.rs
  create mode 100644 crates/uv/tests/it/extract.rs
 
-Index: uv-0.7.18/Cargo.lock
-===================================================================
---- uv-0.7.18.orig/Cargo.lock
-+++ uv-0.7.18/Cargo.lock
-@@ -4658,6 +4658,7 @@ dependencies = [
-  "textwrap",
-  "thiserror 2.0.12",
-  "tokio",
-+ "tokio-util",
-  "toml",
-  "toml_edit",
-  "tracing",
-@@ -5041,6 +5042,7 @@ dependencies = [
-  "anyhow",
-  "clap",
-  "fs-err",
-+ "futures",
-  "itertools 0.14.0",
-  "markdown",
-  "owo-colors",
-@@ -5053,8 +5055,10 @@ dependencies = [
-  "serde_json",
-  "serde_yaml",
-  "tagu",
-+ "tempfile",
-  "textwrap",
-  "tokio",
-+ "tokio-util",
-  "tracing",
-  "tracing-durations-export",
-  "tracing-subscriber",
-@@ -5247,6 +5251,7 @@ dependencies = [
-  "uv-configuration",
-  "uv-distribution-filename",
-  "uv-pypi-types",
-+ "uv-static",
-  "xz2",
-  "zip",
- ]
 Index: uv-0.7.18/Cargo.toml
 ===================================================================
 --- uv-0.7.18.orig/Cargo.toml

python-uv.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Oct 22 06:22:09 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update vendor.tar.zst to update astral-tokio-tar to 0.5.6, and
+  tracing-subscriber
+  (bsc#1252399, CVE-2025-62518, bsc#1249011, CVE-2025-58160)
+- Remove Cargo.lock modifications from CVE-2025-54368.patch to avoid
+  conflict with vendored version.
+- Add revendor.sh script to help with patching Cargo.toml and
+  revendoring.
+
 -------------------------------------------------------------------
 Mon Aug 11 09:19:24 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
 

python-uv.spec

@@ -39,7 +39,11 @@ Summary:        A Python package installer and resolver, written in Rust
 License:        Apache-2.0 OR MIT
 URL:            https://github.com/astral-sh/uv
 Source0:        https://github.com/astral-sh/uv/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# When revendoring, make sure to to apply all the patches to the
+# Cargo.toml vebore calling "osc service mr".
+# Use the revendor.sh script to regenerate this file.
 Source1:        vendor.tar.zst
+Source99:       revendor.sh
 # PATCH-FIX-UPSTREAM CVE-2025-54368.patch bsc#1247829
 Patch0:         CVE-2025-54368.patch
 BuildRequires:  %{python_module maturin}
@@ -105,6 +109,7 @@ drop-in replacement for common pip and pip-tools workflows.
 
 %prep
 %autosetup -p1 -a1 -n uv-%{version}
+
 %ifnarch x86_64
 # Reduce memory consumption for non x86 arches
 sed -i '/lto = "fat"/d' Cargo.toml

revendor.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+VERSION=0.7.18
+
+quilt setup python-uv.spec
+
+pushd python-uv-$VERSION-build
+
+pushd uv-$VERSION
+quilt push -a
+rm -rf vendor
+rm -rf .cargo/config.toml
+popd
+
+tar czvf python-uv-$VERSION.tar.gz uv-$VERSION
+popd
+
+cp python-uv-$VERSION.tar.gz python-uv-$VERSION.tar.gz.bak
+mv python-uv-$VERSION-build/python-uv-$VERSION.tar.gz .
+osc service mr cargo_vendor
+mv python-uv-$VERSION.tar.gz.bak python-uv-$VERSION.tar.gz