From 3b6a7a098dba32076be7901b13ddf230c48f9000 Mon Sep 17 00:00:00 2001
From: abushwang
Date: Fri, 23 May 2025 17:44:59 +0800
Subject: [PATCH] fix CVE-2025-47273
Signed-off-by: abushwang
---
 ...nsure-the-name-resolves-relative-to-.patch | 29 +++++++++++++++++++
 python-setuptools.spec | 7 ++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-47273-Add-a-check-to-ensure-the-name-resolves-relative-to-.patch
diff --git a/CVE-2025-47273-Add-a-check-to-ensure-the-name-resolves-relative-to-.patch b/CVE-2025-47273-Add-a-check-to-ensure-the-name-resolves-relative-to-.patch
new file mode 100644
index 0000000..bf8acad
--- /dev/null
+++ b/CVE-2025-47273-Add-a-check-to-ensure-the-name-resolves-relative-to-.patch
@@ -0,0 +1,29 @@
+From 250a6d17978f9f6ac3ac887091f2d32886fbbb0b Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs"
+Date: Sat, 19 Apr 2025 13:03:47 -0400
+Subject: [PATCH] Add a check to ensure the name resolves relative to the
+ tmpdir.
+
+Closes #4946
+---
+ setuptools/package_index.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index ae50db5..f278018 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -829,6 +829,10 @@ class PackageIndex(Environment):
+
+ filename = os.path.join(tmpdir, name)
+
++ # ensure path resolves within the tmpdir
++ if not filename.startswith(str(tmpdir)):
++ raise ValueError(f"Invalid filename (unknown)")
++
+ return self._download_vcs(url, filename) or self._download_other(url, filename)
+
+
+--
+2.39.3
+
diff --git a/python-setuptools.spec b/python-setuptools.spec
index 8411224..65b0e38 100644
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
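Review bot: The added guard `if not filename.startswith(str(tmpdir)):` in the backported hunk is a bare string-prefix test with no separator, so a joined path that lands in a sibling directory sharing the tmpdir's prefix (tmpdir `/tmp/abc`, filename `/tmp/abcd/x`) passes it and is still written outside the tmpdir; anchoring on a real path component, `base = os.path.realpath(tmpdir)` followed by `if os.path.commonpath([base, os.path.realpath(filename)]) != base:`, matches the stated intent "resolves within the tmpdir" and also covers symlinked tempdirs. The message `f"Invalid filename (unknown)"` is an f-string with no placeholder and reads like a placeholder; if the upstream line named the rejected value, carry it over as `f"Invalid filename {name!r}"` so the failing download is identifiable in logs. The enclosing method starts before this hunk, so how `name` is derived from the URL and what scrubbing it already receives is not visible here; the realpath-based comparison above does not depend on that. This backport ships as a patch file, so the check applies only at package build time — confirm `%autosetup`/`%patch` in the spec actually applies `Patch0002`, since the Patch line alone is not proof.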
@@ -12,12 +12,13 @@ Summary: Easily download, build, install, upgrade, and uninstall Python packages
 Name: python-setuptools
 Version: 68.0.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT and (BSD or ASL 2.0)
 URL: https://github.com/pypa/setuptools
 Source0: %{pypi_source %{srcname} %{version}}
 Patch0001: backport-CVE-2024-6345.patch
+Patch0002: CVE-2025-47273-Add-a-check-to-ensure-the-name-resolves-relative-to-.patch
 Patch3001: Remove-optional-or-unpackaged-test-deps.patch
 Patch3002: Adjust-the-setup.py-install-deprecation-message.patch
@@ -170,6 +171,10 @@ PYTHONPATH=$(pwd) %pytest \
 %endif
 %changelog
+* Fri May 23 2025 Shuo Wang - 68.0.0-5
+- fix CVE-2025-47273
+- Add a check to ensure the name resolves relative to the tmpdir
+
 * Thu Sep 26 2024 OpenCloudOS Release Engineering - 68.0.0-4
 - Rebuilt for clarifying the packages requirement in BaseOS and AppStream
-- Gitee