From d1e4c81bfc56e5f7eefd26b18f0b22a7ecd954ca Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 8 Dec 2023 11:04:53 +0800
Subject: [PATCH] Fix CVE-2022-40898

(cherry picked from commit c576c8ddb08af186a84af8b838ef584c06b6a1e7)
---
 CVE-2022-40898.patch | 25 +++++++++++++++++++++++++
 python-wheel.spec | 6 +++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-40898.patch

diff --git a/CVE-2022-40898.patch b/CVE-2022-40898.patch
new file mode 100644
index 0000000..392b62a
--- /dev/null
+++ b/CVE-2022-40898.patch
@@ -0,0 +1,25 @@
+From 88f02bc335d5404991e532e7f3b0fc80437bf4e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?=
+Date: Thu, 20 Oct 2022 17:13:23 +0300
+Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
+
+Refer: https://github.com/pypa/wheel/issues/498
+
+---
+ wheel/install.py | 4 ++--
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wheel/install.py b/wheel/install.py
+index a0c9d2a5..b985774e 100644
+--- a/wheel/install.py
++++ b/wheel/install.py
+@@ -16,8 +16,8 @@
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+- r"""^(?P(?P.+?)-(?P\d.*?))(-(?P\d.*?))?
+- -(?P[a-z].+?)-(?P.+?)-(?P.+?)(\.whl|\.dist-info)$""",
++ r"""^(?P(?P[^-]+?)-(?P\d[^-]*?))(-(?P\d[^-]*?))?
++ -(?P[a-z][^-]+?)-(?P[^-]+?)-(?P[^.]+?)(\.whl|\.dist-info)$""",
+ re.VERBOSE).match
+ 
diff --git a/python-wheel.spec b/python-wheel.spec
index efd6ecd..ed836f4 100644
--- a/python-wheel.spec
+++ b/python-wheel.spec
@@ -1,7 +1,7 @@
 %bcond_with bootstrap
 Name: python-wheel
 Version: 0.31.1
-Release: 5
+Release: 6
 Epoch: 1
 Summary: Built-package format for Python
 License: MIT
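Review bot: The added regex lines `++ r"""^(?P(?P[^-]+?)-(?P\d[^-]*?))...` show `(?P(` with no group name, which is not valid Python regex syntax and would make `re.compile` raise at import time; this looks like the page rendering stripping the `<...>` group names, but the committed CVE-2022-40898.patch should be checked to confirm the named groups survived intact. Replacing the nested lazy `.+?`/`.*?` quantifiers with the bounded classes `[^-]` and `[^.]` appears to be what removes the backtracking blow-up the subject line refers to, and it matches the referenced upstream issue. The inner diffstat reads `2 files changed` but lists only `wheel/install.py`, so the backport seems trimmed from the upstream commit; since the spec runs `py.test-3` in %check, consider carrying a regression test that bounds the match time of WHEEL_INFO_RE on a long non-matching filename. The `index a0c9d2a5..b985774e` blob ids presumably come from a newer upstream tree than 0.31.1, so verify in %prep that the hunk applies without fuzz rather than silently leaving the old pattern in place.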
@@ -11,6 +11,7 @@
 BuildArch: noarch
 Patch0000: remove-keyrings.alt-dependency.patch
 Patch0001: 0001-Enabled-Intersphinx-linking-to-Python-documentation.patch
+Patch0002: CVE-2022-40898.patch
 %description
 A built-package format for Python.
@@ -117,6 +118,9 @@
 PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-3 -v --ignore build
 %endif
 %changelog
+* Fri Dec 08 2023 wangkai <13474090681@163.com> - 1:0.31.1-6
+- Fix CVE-2022-40898
+
 * Mon Nov 27 2023 liubo - 1:0.31.1-5
 - Enabled Intersphinx linking to Python documentation
-- 
Gitee
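Review bot: `+Patch0002: CVE-2022-40898.patch` declares the patch but nothing in this hunk applies it; if %prep uses explicit `%patchN` lines rather than `%autosetup -p1`, a matching `%patch0002 -p1` is also needed, otherwise the build succeeds and ships the unfixed regex while the changelog claims the CVE is fixed. The %prep section is outside this diff, so this may already be handled; worth confirming by checking the build log for the patch being applied. The changelog entry could also carry the upstream reference `https://github.com/pypa/wheel/issues/498` from the patch header so the fix is traceable without opening the patch file.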