From 4070346b309fe279e562ccbebd6e30181000e008 Mon Sep 17 00:00:00 2001
From: Bo Ren
Date: Tue, 12 Aug 2025 10:03:01 +0800
Subject: [PATCH] [CVE] add patch to Fix CVE-2025-47273 to #ICSH5E
add patch to Fix CVE-2025-47273
Project: TC2024080204
Signed-off-by: Bo Ren
---
 CVE-2025-47273.patch | 28 ++++++++++++++++++++++++++++
 python-setuptools.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-47273.patch
diff --git a/CVE-2025-47273.patch b/CVE-2025-47273.patch
new file mode 100644
index 0000000..65e23e4
--- /dev/null
+++ b/CVE-2025-47273.patch
@@ -0,0 +1,28 @@
+From 08536b9b318a81818295a421636c82a63c775a79 Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs"
+Date: Mon, 11 Aug 2025 17:58:04 +0800
+Subject: [PATCH] Add a check to ensure the name resolves relative to
+ the tmpdir.
+
+---
+ setuptools/package_index.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 3130ace..3d6cd7a 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -828,6 +828,10 @@ class PackageIndex(Environment):
+
+ filename = os.path.join(tmpdir, name)
+
++ # ensure path resolves within the tmpdir
++ if not filename.startswith(str(tmpdir)):
++ raise ValueError(f"Invalid filename (unknown)")
++
+ # Download the file
+ #
+ if scheme == 'svn' or scheme.startswith('svn+'):
+--
+2.43.0
+
diff --git a/python-setuptools.spec b/python-setuptools.spec
index 38f978a..174aed0 100644
--- a/python-setuptools.spec
+++ b/python-setuptools.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %bcond_with tests
 %global srcname setuptools
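Review bot: The guard added at `++ if not filename.startswith(str(tmpdir)):` is a plain string-prefix test, so it only rejects a `name` that makes `os.path.join` discard `tmpdir` outright (an absolute path); a `name` carrying `..` segments still yields a string that begins with `tmpdir`, and a sibling path whose text merely starts with `tmpdir` (`/tmp/build2` against `/tmp/build`, constructed example) passes as well. Whether `..` can reach this line depends on how `name` is sanitised earlier in the enclosing method, which starts outside the hunk, so the backport should be checked against that code rather than relying on the prefix test alone. A normalised containment check such as `if os.path.commonpath([os.path.realpath(tmpdir), os.path.realpath(filename)]) != os.path.realpath(tmpdir):` closes both gaps while keeping the same `ValueError`. Separately, `f"Invalid filename (unknown)"` has no placeholder, so the rejection never names the offending path; either drop the `f` prefix or report it with `f"Invalid filename {filename!r}"`.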
@@ -12,6 +12,8 @@ Summary: Easily build and distribute Python packages
 License: MIT and ASL 2.0 and (BSD or ASL 2.0) and Python
 URL: https://pypi.python.org/pypi/%{srcname}
 Source0: %{pypi_source %{srcname} %{version}}
+# https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
+Patch1: CVE-2025-47273.patch
 BuildArch: noarch
 BuildRequires: python3-devel
@@ -133,6 +135,9 @@ PYTHONPATH=$(pwd) %pytest \
 %doc CHANGES.rst README.rst
 %changelog
+* Mon Aug 11 2025 Bo Ren - - 68.0.0-3
+- fix CVE-2025-47273
+
 * Mon Mar 11 2024 Zhao Hang - 68.0.0-2
 - Rebuild with python3.11
--
Gitee
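Review bot: `+Patch1: CVE-2025-47273.patch` only declares the patch; nothing in this hunk shows it being applied, and the spec's %prep section is outside the diff, so the build could still produce an unpatched package while the new changelog entry claims the fix. Confirm that %prep uses `%autosetup -p1` or an explicit `%patch` line for Patch1; the embedded patch addresses files as `a/setuptools/package_index.py`, so a `-p1` strip level is required either way.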