python3-setuptools: Fix CVE-2025-47273

Upstream-Status: Backport from https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a & https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b (From OE-Core rev: 6b6e556a226100205427c85e8064f7640a9da25e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-06-05 17:20:15 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-13 08:42:35 -0700
commit: 87267b3370b28e9ad352a88d8f01a67965f60715 (patch)
tree: 8f94374d1431b2ea45df62acdb73ea44fe1a4485
parent: 775ca31829595a1931cc3a392e9827f20335f618 (diff)
download: poky-87267b3370b28e9ad352a88d8f01a67965f60715.tar.gz
3 files changed, 115 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
new file mode 100644
index 0000000000..b273551ffc
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
@@ -0,0 +1,54 @@
+From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Sat, 19 Apr 2025 12:49:55 -0400
+Subject: [PATCH] Extract _resolve_download_filename with test.
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]
+CVE: CVE-2025-47273 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ setuptools/package_index.py | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 3a893df..f350e11 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -786,9 +786,16 @@ class PackageIndex(Environment):
+                 raise DistutilsError("Download error for %s: %s"
+                                      % (url, v)) from v
+ 
+-    def _download_url(self, url, tmpdir):
+-        # Determine download filename
+-        #
+    @staticmethod
+    def _resolve_download_filename(url, tmpdir):
+        """
+        >>> du = PackageIndex._resolve_download_filename
+        >>> root = getfixture('tmp_path')
+        >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+        >>> import pathlib
+        >>> str(pathlib.Path(du(url, root)).relative_to(root))
+        'setuptools-78.1.0.tar.gz'
+        """
+         name, fragment = egg_info_for_url(url)
+         if name:
+             while '..' in name:
+@@ -799,8 +806,13 @@ class PackageIndex(Environment):
+         if name.endswith('.egg.zip'):
+             name = name[:-4]  # strip the extra .zip before download
+ 
+-        filename = os.path.join(tmpdir, name)
+        return os.path.join(tmpdir, name)
+ 
+    def _download_url(self, url, tmpdir):
+        """
+        Determine the download filename.
+        """
+        filename = self._resolve_download_filename(url, tmpdir)
+         return self._download_vcs(url, filename) or self._download_other(url, filename)
+ 
+     @staticmethod
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
new file mode 100644
index 0000000000..4b1a01cd34
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
@@ -0,0 +1,59 @@
+From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Sat, 19 Apr 2025 13:03:47 -0400
+Subject: [PATCH] Add a check to ensure the name resolves relative to the
+ tmpdir.
+Closes #4946
+Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b]
+CVE: CVE-2025-47273
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ setuptools/package_index.py | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index f350e11..86bf851 100644
+--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
+@@ -789,12 +789,20 @@ class PackageIndex(Environment):
+     @staticmethod
+     def _resolve_download_filename(url, tmpdir):
+         """
+        >>> import pathlib
+         >>> du = PackageIndex._resolve_download_filename
+         >>> root = getfixture('tmp_path')
+         >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+-        >>> import pathlib
+         >>> str(pathlib.Path(du(url, root)).relative_to(root))
+         'setuptools-78.1.0.tar.gz'
+
+        Ensures the target is always in tmpdir.
+
+        >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
+        >>> du(url, root)
+        Traceback (most recent call last):
+        ...
+        ValueError: Invalid filename...
+         """
+         name, fragment = egg_info_for_url(url)
+         if name:
+@@ -806,7 +814,13 @@ class PackageIndex(Environment):
+         if name.endswith('.egg.zip'):
+             name = name[:-4]  # strip the extra .zip before download
+ 
+-        return os.path.join(tmpdir, name)
+        filename = os.path.join(tmpdir, name)
+
+        # ensure path resolves within the tmpdir
+        if not filename.startswith(str(tmpdir)):
+            raise ValueError(f"Invalid filename {filename}")
+
+        return filename
+ 
+     def _download_url(self, url, tmpdir):
+         """
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
index 0c0f1e9d81..b106b188f3 100644
--- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
+++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
@@ -13,6 +13,8 @@ SRC_URI += "\
    file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \
    file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \
    file://CVE-2024-6345.patch \
+    file://CVE-2025-47273-pre1.patch \
+    file://CVE-2025-47273.patch \
 "
 SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-06-05 17:20:15 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-13 08:42:35 -0700
commit	87267b3370b28e9ad352a88d8f01a67965f60715 (patch)
tree	8f94374d1431b2ea45df62acdb73ea44fe1a4485
parent	775ca31829595a1931cc3a392e9827f20335f618 (diff)
download	poky-87267b3370b28e9ad352a88d8f01a67965f60715.tar.gz

diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch new file mode 100644 index 0000000000..b273551ffc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch
@@ -0,0 +1,54 @@
		1	From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Sat, 19 Apr 2025 12:49:55 -0400
		4	Subject: [PATCH] Extract _resolve_download_filename with test.
		5
		6	Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]
		7	CVE: CVE-2025-47273 #Dependency Patch
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	setuptools/package_index.py \| 20 ++++++++++++++++----
		11	1 file changed, 16 insertions(+), 4 deletions(-)
		12
		13	diff --git a/setuptools/package_index.py b/setuptools/package_index.py
		14	index 3a893df..f350e11 100644
		15	--- a/setuptools/package_index.py
		16	+++ b/setuptools/package_index.py
		17	@@ -786,9 +786,16 @@ class PackageIndex(Environment):
		18	raise DistutilsError("Download error for %s: %s"
		19	% (url, v)) from v
		20
		21	- def _download_url(self, url, tmpdir):
		22	- # Determine download filename
		23	- #
		24	+ @staticmethod
		25	+ def _resolve_download_filename(url, tmpdir):
		26	+ """
		27	+ >>> du = PackageIndex._resolve_download_filename
		28	+ >>> root = getfixture('tmp_path')
		29	+ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
		30	+ >>> import pathlib
		31	+ >>> str(pathlib.Path(du(url, root)).relative_to(root))
		32	+ 'setuptools-78.1.0.tar.gz'
		33	+ """
		34	name, fragment = egg_info_for_url(url)
		35	if name:
		36	while '..' in name:
		37	@@ -799,8 +806,13 @@ class PackageIndex(Environment):
		38	if name.endswith('.egg.zip'):
		39	name = name[:-4] # strip the extra .zip before download
		40
		41	- filename = os.path.join(tmpdir, name)
		42	+ return os.path.join(tmpdir, name)
		43
		44	+ def _download_url(self, url, tmpdir):
		45	+ """
		46	+ Determine the download filename.
		47	+ """
		48	+ filename = self._resolve_download_filename(url, tmpdir)
		49	return self._download_vcs(url, filename) or self._download_other(url, filename)
		50
		51	@staticmethod
		52	--
		53	2.25.1
		54


diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch new file mode 100644 index 0000000000..4b1a01cd34 --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch
@@ -0,0 +1,59 @@
		1	From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Sat, 19 Apr 2025 13:03:47 -0400
		4	Subject: [PATCH] Add a check to ensure the name resolves relative to the
		5	tmpdir.
		6
		7	Closes #4946
		8
		9	Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b]
		10	CVE: CVE-2025-47273
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	setuptools/package_index.py \| 18 ++++++++++++++++--
		14	1 file changed, 16 insertions(+), 2 deletions(-)
		15
		16	diff --git a/setuptools/package_index.py b/setuptools/package_index.py
		17	index f350e11..86bf851 100644
		18	--- a/setuptools/package_index.py
		19	+++ b/setuptools/package_index.py
		20	@@ -789,12 +789,20 @@ class PackageIndex(Environment):
		21	@staticmethod
		22	def _resolve_download_filename(url, tmpdir):
		23	"""
		24	+ >>> import pathlib
		25	>>> du = PackageIndex._resolve_download_filename
		26	>>> root = getfixture('tmp_path')
		27	>>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
		28	- >>> import pathlib
		29	>>> str(pathlib.Path(du(url, root)).relative_to(root))
		30	'setuptools-78.1.0.tar.gz'
		31	+
		32	+ Ensures the target is always in tmpdir.
		33	+
		34	+ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
		35	+ >>> du(url, root)
		36	+ Traceback (most recent call last):
		37	+ ...
		38	+ ValueError: Invalid filename...
		39	"""
		40	name, fragment = egg_info_for_url(url)
		41	if name:
		42	@@ -806,7 +814,13 @@ class PackageIndex(Environment):
		43	if name.endswith('.egg.zip'):
		44	name = name[:-4] # strip the extra .zip before download
		45
		46	- return os.path.join(tmpdir, name)
		47	+ filename = os.path.join(tmpdir, name)
		48	+
		49	+ # ensure path resolves within the tmpdir
		50	+ if not filename.startswith(str(tmpdir)):
		51	+ raise ValueError(f"Invalid filename {filename}")
		52	+
		53	+ return filename
		54
		55	def _download_url(self, url, tmpdir):
		56	"""
		57	--
		58	2.25.1
		59


diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index 0c0f1e9d81..b106b188f3 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
@@ -13,6 +13,8 @@ SRC_URI += "\
13	file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \	13	file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \
14	file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \	14	file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \
15	file://CVE-2024-6345.patch \	15	file://CVE-2024-6345.patch \
		16	file://CVE-2025-47273-pre1.patch \
		17	file://CVE-2025-47273.patch \
16	"	18	"
17		19
18	SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"	20	SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"