From 87267b3370b28e9ad352a88d8f01a67965f60715 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri Date: Thu, 5 Jun 2025 17:20:15 +0530 Subject: python3-setuptools: Fix CVE-2025-47273 Upstream-Status: Backport from https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a & https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b (From OE-Core rev: 6b6e556a226100205427c85e8064f7640a9da25e) Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../python3-setuptools/CVE-2025-47273-pre1.patch | 54 ++++++++++++++++++++ .../python/python3-setuptools/CVE-2025-47273.patch | 59 ++++++++++++++++++++++ .../python/python3-setuptools_59.5.0.bb | 2 + 3 files changed, 115 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch new file mode 100644 index 0000000000..b273551ffc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch @@ -0,0 +1,54 @@ +From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 12:49:55 -0400 +Subject: [PATCH] Extract _resolve_download_filename with test. + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a] +CVE: CVE-2025-47273 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + setuptools/package_index.py | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 3a893df..f350e11 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -786,9 +786,16 @@ class PackageIndex(Environment): + raise DistutilsError("Download error for %s: %s" + % (url, v)) from v + +- def _download_url(self, url, tmpdir): +- # Determine download filename +- # ++ @staticmethod ++ def _resolve_download_filename(url, tmpdir): ++ """ ++ >>> du = PackageIndex._resolve_download_filename ++ >>> root = getfixture('tmp_path') ++ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' ++ >>> import pathlib ++ >>> str(pathlib.Path(du(url, root)).relative_to(root)) ++ 'setuptools-78.1.0.tar.gz' ++ """ + name, fragment = egg_info_for_url(url) + if name: + while '..' in name: +@@ -799,8 +806,13 @@ class PackageIndex(Environment): + if name.endswith('.egg.zip'): + name = name[:-4] # strip the extra .zip before download + +- filename = os.path.join(tmpdir, name) ++ return os.path.join(tmpdir, name) + ++ def _download_url(self, url, tmpdir): ++ """ ++ Determine the download filename. ++ """ ++ filename = self._resolve_download_filename(url, tmpdir) + return self._download_vcs(url, filename) or self._download_other(url, filename) + + @staticmethod +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch new file mode 100644 index 0000000000..4b1a01cd34 --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch @@ -0,0 +1,59 @@ +From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 13:03:47 -0400 +Subject: [PATCH] Add a check to ensure the name resolves relative to the + tmpdir. + +Closes #4946 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b] +CVE: CVE-2025-47273 +Signed-off-by: Vijay Anusuri +--- + setuptools/package_index.py | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index f350e11..86bf851 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -789,12 +789,20 @@ class PackageIndex(Environment): + @staticmethod + def _resolve_download_filename(url, tmpdir): + """ ++ >>> import pathlib + >>> du = PackageIndex._resolve_download_filename + >>> root = getfixture('tmp_path') + >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' +- >>> import pathlib + >>> str(pathlib.Path(du(url, root)).relative_to(root)) + 'setuptools-78.1.0.tar.gz' ++ ++ Ensures the target is always in tmpdir. ++ ++ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys' ++ >>> du(url, root) ++ Traceback (most recent call last): ++ ... ++ ValueError: Invalid filename... + """ + name, fragment = egg_info_for_url(url) + if name: +@@ -806,7 +814,13 @@ class PackageIndex(Environment): + if name.endswith('.egg.zip'): + name = name[:-4] # strip the extra .zip before download + +- return os.path.join(tmpdir, name) ++ filename = os.path.join(tmpdir, name) ++ ++ # ensure path resolves within the tmpdir ++ if not filename.startswith(str(tmpdir)): ++ raise ValueError(f"Invalid filename {filename}") ++ ++ return filename + + def _download_url(self, url, tmpdir): + """ +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index 0c0f1e9d81..b106b188f3 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb @@ -13,6 +13,8 @@ SRC_URI += "\ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ file://CVE-2024-6345.patch \ + file://CVE-2025-47273-pre1.patch \ + file://CVE-2025-47273.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" -- cgit v1.2.3-54-g00ecf