From a2923a2e4d38649ba88fea39e3d1b28860f684e3 Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Fri, 3 Feb 2023 16:36:04 -0800
Subject: [PATCH] Patch CVE-2022-40897 in python3-setuptools (#4754)
* Patch CVE-2022-40897 in python3-setuptools
---
 SPECS/python3/CVE-2022-40897.patch | 12 ++++++++++
 SPECS/python3/python3.spec | 23 +++++++++++++++++--
 .../manifests/package/pkggen_core_aarch64.txt | 8 +++---
 .../manifests/package/pkggen_core_x86_64.txt | 8 +++---
 .../manifests/package/toolchain_aarch64.txt | 18 +++++++-------
 .../manifests/package/toolchain_x86_64.txt | 18 +++++++-------
 6 files changed, 59 insertions(+), 28 deletions(-)
 create mode 100644 SPECS/python3/CVE-2022-40897.patch
diff --git a/SPECS/python3/CVE-2022-40897.patch b/SPECS/python3/CVE-2022-40897.patch
new file mode 100644
index 0000000000..a8629b22aa
--- /dev/null
+++ b/SPECS/python3/CVE-2022-40897.patch
@@ -0,0 +1,12 @@
+diff -ru setuptools-40.2.0/setuptools/package_index.py setuptools-40.2.0-mod/setuptools/package_index.py
+--- setuptools-40.2.0/setuptools/package_index.py 2018-08-21 13:04:36.000000000 -0700
++++ setuptools-40.2.0-mod/setuptools/package_index.py 2023-01-03 15:00:04.313117605 -0800
+@@ -213,7 +213,7 @@
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
index f042b35d37..e899bc03c0 100644
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@
 Summary: A high-level scripting language
 Name: python3
 Version: 3.9.14
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Mariner
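Review bot: The new patch file carries no provenance header, so nothing records that the `\s{0,10}` bounds and the added space in `[^'" >]+` on the `++REL` line are the upstream setuptools 65.5.1 ReDoS fix rather than a local rewrite, and its `diff -ru` paths name `setuptools-40.2.0` (timestamped 2018) even though the spec installs `setuptools-%{setuptools_version}` from the wheel bundled with Python 3.9.14, which is presumably a much newer release, so the `@@ -213,7 +213,7 @@` hunk will only apply with an offset. I would regenerate the diff against the wheel that is actually installed and put a one-line comment above the `diff -ru` line such as `Backport of the upstream setuptools 65.5.1 fix for CVE-2022-40897 (ReDoS in package_index.REL), regenerated against the setuptools version bundled with this Python`, with the upstream commit reference, so whoever next bumps setuptools can see when the patch becomes redundant. As far as I can tell the new regex matches what upstream shipped, but that should be stated in the file rather than re-derived by each reviewer.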
@@ -26,6 +26,8 @@ Patch2: 0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
 Patch3: CVE-2022-37454.patch
 Patch4: CVE-2022-45061.patch
 Patch5: CVE-2022-42919.patch
+# Patch for setuptools, resolved in 65.5.1
+Patch1000: CVE-2022-40897.patch
 BuildRequires: bzip2-devel
 BuildRequires: expat-devel >= 2.1.0
@@ -155,7 +157,17 @@ Provides: python%{majmin_nodots}-test = %{version}-%{release}
 The test package contains all regression tests for Python as well as the modules test.support and test.regrtest. test.support is used to enhance your tests while test.regrtest drives the testing suite.
 %prep
-%autosetup -p1 -n Python-%{version}
+# We need to patch setuptools later, so manually manage patches with -N
+%autosetup -p1 -n Python-%{version} -N
+
+# Ideally we would use '%%autopatch -p1 -M 999', but unfortunately the GitHub CI pipelines use a very old version of rpm which doesn't support it.
+# We use the CI to validate the toolchain manifests, which means we need to parse this .spec file
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 %build
 # Remove GCC specs and build environment linker scripts
@@ -205,6 +217,10 @@ pip3 install --no-cache-dir --no-index --ignore-installed \
 pip-%{pip_version}-py3-none-any.whl
 popd
+# Manually patch CVE-2022-40897 which is a bundled wheel. We can only update the source code after install
+echo 'Patching CVE-2022-40897 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py'
+patch %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py < %{PATCH1000}
+
 # Windows executables get installed by pip and setuptools- we don't need these.
 find %{buildroot}%{_libdir}/python%{majmin}/site-packages -name '*.exe' -delete -print
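Review bot: The hand-written `%patch0`…`%patch5` list that replaces `%autosetup`'s automatic application has no guard, so a future `Patch6:` declaration without a matching `%patch6 -p1` line would be silently never applied, and the spec (plus anything that scans it for CVE fixes) would claim a patch that is not in the built source. Since the CI rpm rules out `%autopatch -M 999`, I would at least state the invariant next to the list, e.g. `# NOTE: every PatchN with N < 1000 must be applied here by hand (no %%autopatch); Patch1000 is applied in %%install against the installed setuptools wheel`, so the omission is obvious in review rather than discovered after release.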
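Review bot: The manual `patch ... < %{PATCH1000}` call in %install lacks the safeguards the `%patch` macros add: without `--no-backup-if-mismatch`, GNU patch writes `package_index.py.orig` into `%{buildroot}` whenever the hunk lands with an offset or fuzz (likely, since the patch headers reference setuptools 40.2.0), and that unpatched copy would then be packaged into python3-setuptools; the default fuzz of 2 also lets the hunk land in the wrong place if the surrounding context ever drifts. I would change the call to `patch --no-backup-if-mismatch -F0 %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py < %{PATCH1000}` and follow it with a positive check that the installed file now carries the bounded pattern, e.g. `grep -qF 'rel\s{0,10}=' %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py`, so a silent no-op cannot ship as a fixed release. Whether the %install script aborts on a non-zero exit from patch is not visible here; if it does not run under `set -e`, append `|| exit 1` to both commands. The `__pycache__/package_index*.pyc` that `pip3 install` wrote was compiled from the unpatched source and should be deleted or regenerated after patching unless the distribution's byte-compile brp step is known to rebuild it.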
@@ -305,6 +321,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 %changelog
+* Thu Feb 02 2023 Daniel McIlvaney - 3.9.14-6
+- Patch CVE-2022-40897 in the bundled setuptools wheel
+
 * Wed Dec 07 2022 Henry Beberman - 3.9.14-5
 - Add CVE-2022-42919 patch from upstream.
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 0671c6872e..84f3ba7f2b 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -234,10 +234,10 @@ ca-certificates-base-2.0.0-9.cm2.noarch.rpm
 ca-certificates-2.0.0-9.cm2.noarch.rpm
 dwz-0.14-1.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
-python3-3.9.14-5.cm2.aarch64.rpm
-python3-devel-3.9.14-5.cm2.aarch64.rpm
-python3-libs-3.9.14-5.cm2.aarch64.rpm
-python3-setuptools-3.9.14-5.cm2.noarch.rpm
+python3-3.9.14-6.cm2.aarch64.rpm
+python3-devel-3.9.14-6.cm2.aarch64.rpm
+python3-libs-3.9.14-6.cm2.aarch64.rpm
+python3-setuptools-3.9.14-6.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
 slang-2.3.2-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 206fad8394..a7fab2f66b 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -234,10 +234,10 @@ ca-certificates-base-2.0.0-9.cm2.noarch.rpm
 ca-certificates-2.0.0-9.cm2.noarch.rpm
 dwz-0.14-1.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
-python3-3.9.14-5.cm2.x86_64.rpm
-python3-devel-3.9.14-5.cm2.x86_64.rpm
-python3-libs-3.9.14-5.cm2.x86_64.rpm
-python3-setuptools-3.9.14-5.cm2.noarch.rpm
+python3-3.9.14-6.cm2.x86_64.rpm
+python3-devel-3.9.14-6.cm2.x86_64.rpm
+python3-libs-3.9.14-6.cm2.x86_64.rpm
+python3-setuptools-3.9.14-6.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
 slang-2.3.2-4.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index e61ec71262..72df177c7d 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -507,28 +507,28 @@ procps-ng-devel-3.3.17-1.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-1.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.14-5.cm2.aarch64.rpm
+python3-3.9.14-6.cm2.aarch64.rpm
 python3-audit-3.0.6-7.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.14-5.cm2.aarch64.rpm
+python3-curses-3.9.14-6.cm2.aarch64.rpm
 python3-Cython-0.29.32-1.cm2.aarch64.rpm
-python3-debuginfo-3.9.14-5.cm2.aarch64.rpm
-python3-devel-3.9.14-5.cm2.aarch64.rpm
+python3-debuginfo-3.9.14-6.cm2.aarch64.rpm
+python3-devel-3.9.14-6.cm2.aarch64.rpm
 python3-gpg-1.16.0-1.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.14-5.cm2.aarch64.rpm
+python3-libs-3.9.14-6.cm2.aarch64.rpm
 python3-libxml2-2.10.3-1.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-4.cm2.aarch64.rpm
-python3-pip-3.9.14-5.cm2.noarch.rpm
+python3-pip-3.9.14-6.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-2.cm2.aarch64.rpm
-python3-setuptools-3.9.14-5.cm2.noarch.rpm
-python3-test-3.9.14-5.cm2.aarch64.rpm
-python3-tools-3.9.14-5.cm2.aarch64.rpm
+python3-setuptools-3.9.14-6.cm2.noarch.rpm
+python3-test-3.9.14-6.cm2.aarch64.rpm
+python3-tools-3.9.14-6.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index fdbf1d6a4e..dc49415976 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -507,28 +507,28 @@ procps-ng-devel-3.3.17-1.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-1.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.14-5.cm2.x86_64.rpm
+python3-3.9.14-6.cm2.x86_64.rpm
 python3-audit-3.0.6-7.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.14-5.cm2.x86_64.rpm
+python3-curses-3.9.14-6.cm2.x86_64.rpm
 python3-Cython-0.29.32-1.cm2.x86_64.rpm
-python3-debuginfo-3.9.14-5.cm2.x86_64.rpm
-python3-devel-3.9.14-5.cm2.x86_64.rpm
+python3-debuginfo-3.9.14-6.cm2.x86_64.rpm
+python3-devel-3.9.14-6.cm2.x86_64.rpm
 python3-gpg-1.16.0-1.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.14-5.cm2.x86_64.rpm
+python3-libs-3.9.14-6.cm2.x86_64.rpm
 python3-libxml2-2.10.3-1.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-4.cm2.x86_64.rpm
-python3-pip-3.9.14-5.cm2.noarch.rpm
+python3-pip-3.9.14-6.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-2.cm2.x86_64.rpm
-python3-setuptools-3.9.14-5.cm2.noarch.rpm
-python3-test-3.9.14-5.cm2.x86_64.rpm
-python3-tools-3.9.14-5.cm2.x86_64.rpm
+python3-setuptools-3.9.14-6.cm2.noarch.rpm
+python3-test-3.9.14-6.cm2.x86_64.rpm
+python3-tools-3.9.14-6.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm