diff --git a/CVE-2022-40898.patch b/CVE-2022-40898.patch new file mode 100644 index 0000000000000000000000000000000000000000..3149c727eacc900f30dd954a14c2c7e2d658109b --- /dev/null +++ b/CVE-2022-40898.patch @@ -0,0 +1,25 @@ +From 88f02bc335d5404991e532e7f3b0fc80437bf4e0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= +Date: Thu, 20 Oct 2022 17:13:23 +0300 +Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE + +Refer: https://github.com/pypa/wheel/issues/498 + +--- + src/wheel/wheelfile.py | 4 ++-- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index a0c9d2a5..b985774e 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -16,8 +16,8 @@ + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P(?P.+?)-(?P.+?))(-(?P\d[^-]*))? +- -(?P.+?)-(?P.+?)-(?P.+?)\.whl$""", ++ r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))? ++ -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""", + re.VERBOSE) + diff --git a/python-wheel.spec b/python-wheel.spec index 749a71cc2ce6a55905469c057595d9ac40625fe0..8255db405466aa8eb2b0f132a182c84ba1518eda 100644 --- a/python-wheel.spec +++ b/python-wheel.spec @@ -1,7 +1,7 @@ %bcond_with bootstrap Name: python-wheel Version: 0.37.0 -Release: 5 +Release: 6 Epoch: 1 Summary: Built-package format for Python License: MIT @@ -11,6 +11,7 @@ BuildArch: noarch Patch01: 0001-Fixed-wheel-pack-duplicating-WHEEL-contents-on-build.patch Patch02: 0001-Support-unpacking-wheels-that-contain-files-with-com.patch +Patch03: CVE-2022-40898.patch %description A built-package format for Python. @@ -82,6 +83,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-3 -v --ignore build %endif %changelog +* Thu Dec 07 2023 wangkai <13474090681@163.com> - 1:0.37.0-6 +- Fix CVE-2022-40898 + * Wed Nov 8 2023 liubo - 1:0.37.0-5 - Support unpacking wheels that contain files with commas in their names