diff --git a/backport-CVE-2022-40897.patch b/backport-CVE-2022-40897.patch deleted file mode 100644 index 8061000214d26d909548419e738795f34a357092..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-40897.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001 -From: "Jason R. Coombs" -Date: Fri, 4 Nov 2022 13:47:53 -0400 -Subject: [PATCH] Limit the amount of whitespace to search/backtrack.Fixes - #3659. - ---- - setuptools/package_index.py | 2 +- - setuptools/tests/test_packageindex.py | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/setuptools/package_index.py b/setuptools/package_index.py -index 270e7f3..e93fcc6 100644 ---- a/setuptools/package_index.py -+++ b/setuptools/package_index.py -@@ -197,7 +197,7 @@ def unique_values(func): - return wrapper - - --REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) -+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) - # this line is here to fix emacs' cruddy broken syntax highlighting - - -diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py -index 8e9435e..fc544c0 100644 ---- a/setuptools/tests/test_packageindex.py -+++ b/setuptools/tests/test_packageindex.py -@@ -308,3 +308,11 @@ class TestPyPIConfig: - cred = cfg.creds_by_repository['https://pypi.org'] - assert cred.username == 'jaraco' - assert cred.password == 'pity%' -+ -+ -+@pytest.mark.timeout(1) -+def test_REL_DoS(): -+ """ -+ REL should not hang on a contrived attack string. -+ """ -+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12) --- -2.27.0 - diff --git a/python-setuptools.spec b/python-setuptools.spec index 458add6a9d9de5e89e99c1d748667258941578ce..467cf70a39db94dd16c0053a91962b2bac1f8820 100644 --- a/python-setuptools.spec +++ b/python-setuptools.spec 
@@ -7,16 +7,14 @@ %global python_whlname setuptools-%{version}-py3-none-any.whl Name: python-setuptools -Version: 60.9.3 -Release: 2 +Version: 66.0.0 +Release: 1 Summary: Easily build and distribute Python packages License: MIT and (BSD or ASL 2.0) URL: https://pypi.python.org/pypi/setuptools Source0: %{pypi_source setuptools %{version}} -Patch6000: backport-CVE-2022-40897.patch - Patch9000: bugfix-eliminate-random-order-in-metadata.patch BuildArch: noarch @@ -113,6 +111,9 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore= %changelog +* Sat Jan 28 2023 zhuofeng - 66.0.0-1 +- update version to 66.0.0 + * Wed Jan 04 2023 zhuofeng - 60.9.3-2 - Type:CVE - CVE:CVE-2022-40897 diff --git a/setuptools-60.9.3.tar.gz b/setuptools-60.9.3.tar.gz deleted file mode 100644 index 2d98ba9b4fafa2d1f5922cb8fcebb4b950048810..0000000000000000000000000000000000000000 Binary files a/setuptools-60.9.3.tar.gz and /dev/null differ diff --git a/setuptools-66.0.0.tar.gz b/setuptools-66.0.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..7ac46c30de8e82739192881191631c5fa7aef42e Binary files /dev/null and b/setuptools-66.0.0.tar.gz differ
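Review bot: Dropping `Patch6000: backport-CVE-2022-40897.patch` in the first hunk removes the only on-page evidence that the ReDoS fix (upstream commit 43a9c9bf bounding the whitespace in the `REL` regex) is present, while the new changelog entry in the second hunk records only "update version to 66.0.0" with no mention of the CVE. A packager auditing this later cannot tell from the spec alone whether the backport was deliberately superseded by the 66.0.0 tarball or simply lost during the rebase; I'd write the entry as `- update version to 66.0.0 (contains upstream fix for CVE-2022-40897; drop backport-CVE-2022-40897.patch)`. The deleted patch also carried `test_REL_DoS`, so unless the 66.0.0 test suite ships an equivalent test, the `%check` run no longer exercises the `'< rel=' + ' ' * 2**12` case — worth confirming the bounded `\s{0,10}` pattern is in `setuptools/package_index.py` of the new tarball before merging. The `%check` command line is only partly visible in the second hunk header, so whether any `--ignore=` exclusion skips that test cannot be judged from here.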