From b235aeaa79e9755efe3449331bea9eade7d0e8ba Mon Sep 17 00:00:00 2001
From: zhangxianting <zhangxianting@uniontech.com>
Date: Wed, 3 Jul 2024 21:30:53 +0800
Subject: [PATCH] Fix CVE-2024-5569

---
 backport-CVE-2024-5569.patch | 51 ++++++++++++++++++++++++++++++++++++
 python-zipp.spec             |  8 ++++--
 2 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2024-5569.patch

diff --git a/backport-CVE-2024-5569.patch b/backport-CVE-2024-5569.patch
new file mode 100644
index 0000000..1b1a450
--- /dev/null
+++ b/backport-CVE-2024-5569.patch
@@ -0,0 +1,51 @@
+From fd604bd34f0343472521a36da1fbd22e793e14fd Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Fri, 31 May 2024 12:31:40 -0400
+Subject: [PATCH] Merge pull request #120 from jaraco/bugfix/119-malformed-paths 
+https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd    
+version 0.5.1 don't support class FastZip(class CompleteDirs()
+
+    Sanitize malformed paths
+
+---
+ newsfragments/119.bugfix.rst |  1 +
+ test_zipp.py                 | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+ create mode 100644 newsfragments/119.bugfix.rst
+
+diff --git a/newsfragments/119.bugfix.rst b/newsfragments/119.bugfix.rst
+new file mode 100644
+index 0000000..ef6fe59
+--- /dev/null
++++ b/newsfragments/119.bugfix.rst
+@@ -0,0 +1 @@
++Improved handling of malformed zip files.
+diff --git a/test_zipp.py b/test_zipp.py
+index da68fea..1103343 100644
+--- a/test_zipp.py
++++ b/test_zipp.py
+@@ -170,3 +170,21 @@ class TestEverything(unittest.TestCase):
+             root = zipp.Path(zipfile_abcde)
+             assert (root / 'a').parent.at == ''
+             assert (root / 'a' / 'b').parent.at == 'a/'
++
++    @__import__('pytest').mark.skip(reason="infinite loop")
++    def test_malformed_paths(self):
++        """
++        Path should handle malformed paths.
++        """
++        data = io.BytesIO()
++        zf = zipfile.ZipFile(data, "w")
++        zf.writestr("/one-slash.txt", b"content")
++        zf.writestr("//two-slash.txt", b"content")
++        zf.writestr("../parent.txt", b"content")
++        zf.filename = ''
++        root = zipfile.Path(zf)
++        assert list(map(str, root.iterdir())) == [
++            'one-slash.txt',
++            'two-slash.txt',
++            'parent.txt',
++        ]
+-- 
+2.43.0
+
diff --git a/python-zipp.spec b/python-zipp.spec
index 458969b..d64ad36 100644
--- a/python-zipp.spec
+++ b/python-zipp.spec
@@ -1,10 +1,11 @@
 Name:           python-zipp
 Version:        0.5.1
-Release:        2
+Release:        3
 Summary:        Backport of pathlib-compatible object wrapper for zip files
 License:        MIT
 URL:            https://github.com/jaraco/zipp
 Source0:        https://files.pythonhosted.org/packages/f9/c4/15a1260171956ed4f8190962b1771c7dbca4a39360c15f9c2b77e667a489/zipp-0.5.1.tar.gz
+Patch0:         backport-CVE-2024-5569.patch
 BuildArch:      noarch
 BuildRequires:  python3-devel python3-setuptools
 BuildRequires:  python3-setuptools_scm >= 1.15.0
@@ -22,7 +23,7 @@ A pathlib-compatible Zipfile object wrapper. A backport of the Path object.
 %package_help
 
 %prep
-%autosetup -n zipp-%{version}
+%autosetup -n zipp-%{version} -p1
 
 %build
 %_bindir/python3 setup.py build '--executable=%_bindir/python3 -s'
@@ -44,6 +45,9 @@ A pathlib-compatible Zipfile object wrapper. A backport of the Path object.
 %doc README.rst
 
 %changelog
+* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 0.5.1-3
+- Fix CVE-2024-5569
+
 * Wed Dec 16 2020 zhanzhimin<zhanzhimin@huawei.com> - 0.5.1-2
 - Update Source0
 
-- 
Gitee