From 9769cd99c32faf7d95a7cab07b8550b438ccaf0c Mon Sep 17 00:00:00 2001 From: Vijay Anusuri Date: Thu, 5 Jun 2025 12:44:10 +0530 Subject: [PATCH] python3-setuptools: Fix CVE-2025-47273 Upstream-Status: Backport from https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a & https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../CVE-2025-47273-pre1.patch | 54 +++++++++++++++++ .../python3-setuptools/CVE-2025-47273.patch | 59 +++++++++++++++++++ .../python/python3-setuptools_69.1.1.bb | 2 + 3 files changed, 115 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch new file mode 100644 index 00000000000..72bcaea435a --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch @@ -0,0 +1,54 @@ +From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 12:49:55 -0400 +Subject: [PATCH] Extract _resolve_download_filename with test. + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a] +CVE: CVE-2025-47273 #Dependency Patch +Signed-off-by: Vijay Anusuri +--- + setuptools/package_index.py | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 00a972d..d460fcb 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -815,9 +815,16 @@ class PackageIndex(Environment): + else: + raise DistutilsError("Download error for %s: %s" % (url, v)) from v + +- def _download_url(self, url, tmpdir): +- # Determine download filename +- # ++ @staticmethod ++ def _resolve_download_filename(url, tmpdir): ++ """ ++ >>> du = PackageIndex._resolve_download_filename ++ >>> root = getfixture('tmp_path') ++ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' ++ >>> import pathlib ++ >>> str(pathlib.Path(du(url, root)).relative_to(root)) ++ 'setuptools-78.1.0.tar.gz' ++ """ + name, fragment = egg_info_for_url(url) + if name: + while '..' in name: +@@ -828,8 +835,13 @@ class PackageIndex(Environment): + if name.endswith('.egg.zip'): + name = name[:-4] # strip the extra .zip before download + +- filename = os.path.join(tmpdir, name) ++ return os.path.join(tmpdir, name) + ++ def _download_url(self, url, tmpdir): ++ """ ++ Determine the download filename. ++ """ ++ filename = self._resolve_download_filename(url, tmpdir) + return self._download_vcs(url, filename) or self._download_other(url, filename) + + @staticmethod +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch new file mode 100644 index 00000000000..be6617e0f6f --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273.patch @@ -0,0 +1,59 @@ +From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Sat, 19 Apr 2025 13:03:47 -0400 +Subject: [PATCH] Add a check to ensure the name resolves relative to the + tmpdir. + +Closes #4946 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b] +CVE: CVE-2025-47273 +Signed-off-by: Vijay Anusuri +--- + setuptools/package_index.py | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index d460fcb..6c7874d 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -818,12 +818,20 @@ class PackageIndex(Environment): + @staticmethod + def _resolve_download_filename(url, tmpdir): + """ ++ >>> import pathlib + >>> du = PackageIndex._resolve_download_filename + >>> root = getfixture('tmp_path') + >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' +- >>> import pathlib + >>> str(pathlib.Path(du(url, root)).relative_to(root)) + 'setuptools-78.1.0.tar.gz' ++ ++ Ensures the target is always in tmpdir. ++ ++ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys' ++ >>> du(url, root) ++ Traceback (most recent call last): ++ ... ++ ValueError: Invalid filename... + """ + name, fragment = egg_info_for_url(url) + if name: +@@ -835,7 +843,13 @@ class PackageIndex(Environment): + if name.endswith('.egg.zip'): + name = name[:-4] # strip the extra .zip before download + +- return os.path.join(tmpdir, name) ++ filename = os.path.join(tmpdir, name) ++ ++ # ensure path resolves within the tmpdir ++ if not filename.startswith(str(tmpdir)): ++ raise ValueError(f"Invalid filename {filename}") ++ ++ return filename + + def _download_url(self, url, tmpdir): + """ +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb index 7663101f234..46b2f0ab008 100644 --- a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb +++ b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb @@ -13,6 +13,8 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e SRC_URI += " \ file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \ file://CVE-2024-6345.patch \ + file://CVE-2025-47273-pre1.patch \ + file://CVE-2025-47273.patch \ " SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8" -- 2.47.2