diff options
author | Narpat Mali <narpat.mali@windriver.com> | 2023-03-23 21:39:07 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-03-29 05:41:20 -1000 |
commit | f2230ead6c145efc902336b2b9d5a4f0ecb749de (patch) | |
tree | db04ebd4ed3806ac7e0fcaa60ebc8edd72a0d8ab | |
parent | a0ef4386d37f84e8f169cbe3cfa9307010b89bbd (diff) | |
download | openembedded-core-f2230ead6c145efc902336b2b9d5a4f0ecb749de.tar.gz |
python3-setuptools: fix for CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers
to cause a denial of service via HTML in a crafted package or custom PackageIndex
page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE: CVE-2022-40897
Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be]
cherry-pick and modify from OE-Core rev: f574d8d57ff3fbc38e350e7a90913993081c4fdf
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch | 31 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3-setuptools_65.0.2.bb | 4 |
2 files changed, 34 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch @@ -0,0 +1,31 @@ +From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 9 Jan 2023 14:45:05 +0000 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + setuptools/package_index.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 270e7f3..e93fcc6 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_65.0.2.bb b/meta/recipes-devtools/python/python3-setuptools_65.0.2.bb index 1a639ea333..d7cbb99c9d 100644 --- a/meta/recipes-devtools/python/python3-setuptools_65.0.2.bb +++ b/meta/recipes-devtools/python/python3-setuptools_65.0.2.bb @@ -9,7 +9,9 @@ inherit pypi python_setuptools_build_meta SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch" SRC_URI += "file://0001-change-shebang-to-python3.patch \ - file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch" + file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \ + file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ +" SRC_URI[sha256sum] = "101bf15ca723beef42c8db91a761f3748d4d697e17fae904db60c0b619d8d094" |