diff --git a/SPECS/python-setuptools/CVE-2025-47273.patch b/SPECS/python-setuptools/CVE-2025-47273.patch
new file mode 100644
index 00000000000..1f0f7070c25
--- /dev/null
+++ b/SPECS/python-setuptools/CVE-2025-47273.patch
@@ -0,0 +1,64 @@
+From 28da95e0be5197aa84708aa0696c70c42be80439 Mon Sep 17 00:00:00 2001
+From: Mayank Singh
+Date: Mon, 26 May 2025 06:42:09 +0000
+Subject: [PATCH] Patch CVE-2025-47273
+
+Upstream Patch Reference: https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
+---
+ setuptools/package_index.py | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index cf25f83..d8f350e 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -813,10 +813,25 @@ class PackageIndex(Environment):
+ else:
+ raise DistutilsError("Download error for %s: %s" % (url, v)) from v
+
+- def _download_url(self, url, tmpdir):
+- # Determine download filename
+- #
+- name, fragment = egg_info_for_url(url)
++ @staticmethod
++ def _resolve_download_filename(url, tmpdir):
++ """
++ >>> import pathlib
++ >>> du = PackageIndex._resolve_download_filename
++ >>> root = getfixture('tmp_path')
++ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
++ >>> str(pathlib.Path(du(url, root)).relative_to(root))
++ 'setuptools-78.1.0.tar.gz'
++
++ Ensures the target is always in tmpdir.
++
++ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
++ >>> du(url, root)
++ Traceback (most recent call last):
++ ...
++ ValueError: Invalid filename...
++ """
++ name, _fragment = egg_info_for_url(url)
+ if name:
+ while '..' in name:
+ name = name.replace('..', '.').replace('\\', '_')
+@@ -828,6 +843,16 @@ class PackageIndex(Environment):
+
+ filename = os.path.join(tmpdir, name)
+
++ # ensure path resolves within the tmpdir
++ if not filename.startswith(str(tmpdir)):
++ raise ValueError(f"Invalid filename (unknown)")
++
++ return filename
++
++ def _download_url(self, url, tmpdir):
++ # Determine download filename
++ #
++ filename = self._resolve_download_filename(url, tmpdir)
+ return self._download_vcs(url, filename) or self._download_other(url, filename)
+
+ @staticmethod
+--
+2.45.3
+
diff --git a/SPECS/python-setuptools/python-setuptools.spec b/SPECS/python-setuptools/python-setuptools.spec
index 8ca1bb0c481..e5c3d11dd2d 100644
--- a/SPECS/python-setuptools/python-setuptools.spec
+++ b/SPECS/python-setuptools/python-setuptools.spec
@@ -6,7 +6,7 @@ Setuptools is a fully-featured, actively-maintained, and stable library designed
 Summary: Easily build and distribute Python packages
 Name: python-setuptools
 Version: 69.0.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -14,6 +14,7 @@ Group: Development/Tools
 URL: https://pypi.python.org/pypi/setuptools
 Source0: https://pypi.org/packages/source/s/setuptools/setuptools-%{version}.tar.gz
 Patch0: CVE-2024-6345.patch
+Patch1: CVE-2025-47273.patch

 %description
 %{_description}
@@ -58,6 +59,9 @@ EOF
 %{python3_sitelib}/setuptools-%{version}.dist-info/*

 %changelog
+* Mon May 26 2025 - 69.0.3-5
+- Fix CVE-2025-47273 with an upstream patch
+
 * Tue Sep 10 2024 - 69.0.3-4
 - Fix CVE-2024-6345 with a patch

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 60369465915..dbde9ef6e65 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
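Review bot: The containment check in the second inner hunk, `if not filename.startswith(str(tmpdir)):`, is a bare string-prefix test, so it would also accept a `filename` that lands under a sibling directory whose name merely begins with `str(tmpdir)`; comparing against the prefix with a trailing separator, `if not filename.startswith(os.path.join(str(tmpdir), '')):`, expresses the intended "inside tmpdir" condition exactly and keeps the doctest's rejection of the absolute `%2fhome...` URL intact. The next line, `raise ValueError(f"Invalid filename (unknown)")`, is an f-string with no placeholders and discards the rejected path, which leaves nothing to diagnose from a build log; `raise ValueError(f"Invalid filename {filename}")` still satisfies the doctest's `ValueError: Invalid filename...` expectation, and the `(unknown)` text looks like a backport edit rather than part of the referenced upstream change, so it is worth confirming. The body of `_resolve_download_filename` is split across the two inner hunks, so the lines between them (presumably the fallback when `name` is empty) are not visible here.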
@@ -247,7 +247,7 @@ unzip-6.0-22.azl3.aarch64.rpm
 python3-3.12.9-1.azl3.aarch64.rpm
 python3-devel-3.12.9-1.azl3.aarch64.rpm
 python3-libs-3.12.9-1.azl3.aarch64.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm
 libselinux-3.6-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index a6e3e3548fd..ecba208404e 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -247,7 +247,7 @@ unzip-6.0-22.azl3.x86_64.rpm
 python3-3.12.9-1.azl3.x86_64.rpm
 python3-devel-3.12.9-1.azl3.x86_64.rpm
 python3-libs-3.12.9-1.azl3.x86_64.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm
 libselinux-3.6-3.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 1683d00f123..132b8e9299d 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -553,7 +553,7 @@ python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-1.azl3.aarch64.rpm
 python3-tools-3.12.9-1.azl3.aarch64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 86a97749adf..08b1119cbf2 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -561,7 +561,7 @@ python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-1.azl3.x86_64.rpm
 python3-tools-3.12.9-1.azl3.x86_64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm