diff --git a/CVE-2024-6345.patch b/CVE-2024-6345.patch
new file mode 100644
index 0000000000000000000000000000000000000000..415531db61a6dc9006520cb0bf93393ef40981f5
--- /dev/null
+++ b/CVE-2024-6345.patch
@@ -0,0 +1,81 @@
+From 3f9e3419bb55666cdfcf2743972d463c9bfa6575 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Wed, 25 Sep 2024 18:43:15 +0800
+Subject: [PATCH] test
+
+---
+ setuptools/package_index.py | 24 +++++++++---------------
+ 1 file changed, 9 insertions(+), 15 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index b641d21..aa5df2d 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,4 +1,5 @@
+ """PyPI and direct package downloading"""
++import subprocess
+ import sys
+ import os
+ import re
+@@ -791,7 +792,7 @@ class PackageIndex(Environment):
+ 
+ def _download_svn(self, url, filename):
+ url = url.split('#',1)[0] # remove any fragment for svn's sake
+- creds = ''
++ creds = []
+ if url.lower().startswith('svn:') and '@' in url:
+ scheme, netloc, path, p, q, f = urlparse(url)
+ if not netloc and path.startswith('//') and '/' in path[2:]:
+@@ -800,13 +801,13 @@ class PackageIndex(Environment):
+ if auth:
+ if ':' in auth:
+ user, pw = auth.split(':',1)
+- creds = " --username=%s --password=%s" % (user, pw)
++ creds = ["--username=" + user, "--password=" + pw]
+ else:
+- creds = " --username="+auth
++ creds = ["--username=" + auth]
+ netloc = host
+ url = urlunparse((scheme, netloc, url, p, q, f))
+ self.info("Doing subversion checkout from %s to %s", url, filename)
+- os.system("svn checkout%s -q %s %s" % (creds, url, filename))
++ subprocess.check_call(["svn", "checkout"] + creds + ["-q", url, filename])
+ return filename
+ 
+ @staticmethod
+@@ -832,14 +833,10 @@ class PackageIndex(Environment):
+ url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ 
+ self.info("Doing git clone from %s to %s", url, filename)
+- os.system("git clone --quiet %s %s" % (url, filename))
++ subprocess.check_call(["git", "clone", "--quiet", url, filename])
+ 
+ if rev is not None:
+- self.info("Checking out %s", rev)
+- os.system("(cd %s && git checkout --quiet %s)" % (
+- filename,
+- rev,
+- ))
++ subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
+ 
+ return filename
+ 
+@@ -848,14 +845,11 @@ class PackageIndex(Environment):
+ url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ 
+ self.info("Doing hg clone from %s to %s", url, filename)
+- os.system("hg clone --quiet %s %s" % (url, filename))
++ subprocess.check_call(["hg", "clone", "--quiet", url, filename])
+ 
+ if rev is not None:
+ self.info("Updating to %s", rev)
+- os.system("(cd %s && hg up -C -r %s >&-)" % (
+- filename,
+- rev,
+- ))
++ subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
+ 
+ return filename
+ 
+--
+2.27.0
diff --git a/python-setuptools.spec b/python-setuptools.spec
index ab78c923b2fa337db2379a7c557832a37e1a1471..aee31b8e7b0bea9ad0bb784d41a965f7cf1367e4 100644
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@@ -1,8 +1,9 @@
+%define anolis_release .0.1
 %global srcname setuptools
 Name: python-setuptools
 Version: 0.9.8
-Release: 7%{?dist}
+Release: 7%{anolis_release}%{?dist}
 Summary: Easily build and distribute Python packages
 Group: Applications/System
@@ -23,6 +24,7 @@ Patch2: work-properly-with-path-separators.patch
 # Fix easy_install in FIPS mode
 Patch3: easy_install-fips-mode.patch
+Patch4: CVE-2024-6345.patch
 BuildArch: noarch
 BuildRequires: python2-devel
@@ -59,6 +61,7 @@ sed -i '1s|^#!python|#!%{__python}|' setuptools/command/easy_install.py
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build
@@ -84,6 +87,9 @@ LANG=en_US.utf8 %{__python} setup.py test
 %{_bindir}/easy_install-2.*
 %changelog
+* Fri Sep 20 2024 zhuhongbo - 0.9.8-7.0.1
+- cve: CVE-2024-6345
+
 * Wed Feb 15 2017 Charalampos Stratakis - 0.9.8-7
 - Fix easy_install in fips mode Resolves: rhbz#966970
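Review bot: The `git -C filename` form added in the `@@ -832,14 +833,10 @@` hunk of the embedded patch requires git 1.8.5 or newer, which the python2-era platform this spec builds for (BuildRequires: python2-devel) may not ship; `subprocess.check_call(["git", "checkout", "--quiet", rev], cwd=filename)` does the same job on any git version and mirrors the `hg --cwd filename` form used in the following hunk. That same git hunk also drops `self.info("Checking out %s", rev)` while the hg hunk keeps its `self.info("Updating to %s", rev)`, so the log line should be kept for consistency between the two helpers. Across the svn, git and hg hunks, `subprocess.check_call` now raises `subprocess.CalledProcessError` on a non-zero exit where `os.system` silently returned, a behaviour change the embedded patch header (Subject `test`) does not mention; a subject naming CVE-2024-6345 and the upstream change, plus a sentence on the new exception, would make the backport reviewable. The `def` lines of the git and hg download methods lie outside their hunks, so any caller-side handling of the new exception cannot be judged from this diff.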