From: Narpat Mali <narpat.m...@windriver.com> Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE: CVE-2022-40897 Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] Signed-off-by: Narpat Mali <narpat.m...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- ...-of-whitespace-to-search-backtrack.-.patch | 31 +++++++++++++++++++ .../python/python3-setuptools_59.5.0.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch @@ -0,0 +1,31 @@ +From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.m...@windriver.com> +Date: Mon, 9 Jan 2023 14:45:05 +0000 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] + +Signed-off-by: Narpat Mali <narpat.m...@windriver.com> +--- + setuptools/package_index.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 270e7f3..e93fcc6 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index f2810e18d3..5f2676a04a 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb @@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e SRC_URI += "\ file://0001-change-shebang-to-python3.patch \ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ + file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#176040): https://lists.openembedded.org/g/openembedded-core/message/176040 Mute This Topic: https://lists.openembedded.org/mt/96330190/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-