diff --git a/backport-CVE-2024-5569.patch b/backport-CVE-2024-5569.patch
deleted file mode 100644
index e2fc422d017a27a51e32ffa3250a96d3f32b69a0..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-5569.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From fd604bd34f0343472521a36da1fbd22e793e14fd Mon Sep 17 00:00:00 2001 -From: "Jason R. Coombs" -Date: Fri, 31 May 2024 12:31:40 -0400 -Subject: [PATCH] Merge pull request #120 from jaraco/bugfix/119-malformed-paths - - Sanitize malformed paths - ---- - tests/test_path.py | 18 +++++++++++ - zipp/__init__.py | 58 +++++++++++++++++++++++++++++++++++- - 2 files changed, 75 insertions(+), 1 deletion(-) - -diff --git a/tests/test_path.py b/tests/test_path.py -index 03fd2aa..53664d4 100644 ---- a/tests/test_path.py -+++ b/tests/test_path.py -@@ -574,3 +574,21 @@ class TestPath(unittest.TestCase): - zipp.Path(alpharep) - with self.assertRaises(KeyError): - alpharep.getinfo('does-not-exist') -+ -+ @__import__('pytest').mark.skip(reason="infinite loop") -+ def test_malformed_paths(self): -+ """ -+ Path should handle malformed paths. -+ """ -+ data = io.BytesIO() -+ zf = zipfile.ZipFile(data, "w") -+ zf.writestr("/one-slash.txt", b"content") -+ zf.writestr("//two-slash.txt", b"content") -+ zf.writestr("../parent.txt", b"content") -+ zf.filename = '' -+ root = zipfile.Path(zf) -+ assert list(map(str, root.iterdir())) == [ -+ 'one-slash.txt', -+ 'two-slash.txt', -+ 'parent.txt', -+ ] -diff --git a/zipp/__init__.py b/zipp/__init__.py -index 6d05d9a..f78c272 100644 ---- a/zipp/__init__.py -+++ b/zipp/__init__.py -@@ -85,7 +85,63 @@ class InitializedState: - super().__init__(*args, **kwargs) - - --class CompleteDirs(InitializedState, zipfile.ZipFile): -+class SanitizedNames: -+ """ -+ ZipFile mix-in to ensure names are sanitized. -+ """ -+ -+ def namelist(self): -+ return list(map(self._sanitize, super().namelist())) -+ -+ @staticmethod -+ def _sanitize(name): -+ r""" -+ Ensure a relative path with posix separators and no dot names. -+ Modeled after -+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 -+ but provides consistent cross-platform behavior. 
-+ >>> san = SanitizedNames._sanitize -+ >>> san('/foo/bar') -+ 'foo/bar' -+ >>> san('//foo.txt') -+ 'foo.txt' -+ >>> san('foo/.././bar.txt') -+ 'foo/bar.txt' -+ >>> san('foo../.bar.txt') -+ 'foo../.bar.txt' -+ >>> san('\\foo\\bar.txt') -+ 'foo/bar.txt' -+ >>> san('D:\\foo.txt') -+ 'D/foo.txt' -+ >>> san('\\\\server\\share\\file.txt') -+ 'server/share/file.txt' -+ >>> san('\\\\?\\GLOBALROOT\\Volume3') -+ '?/GLOBALROOT/Volume3' -+ >>> san('\\\\.\\PhysicalDrive1\\root') -+ 'PhysicalDrive1/root' -+ >>> san('abc/') -+ 'abc/' -+ >>> san('../..') -+ Traceback (most recent call last): -+ ... -+ ValueError: Empty filename -+ """ -+ -+ def allowed(part): -+ return part and part not in {'..', '.'} -+ -+ # Remove the drive letter. -+ # Don't use ntpath.splitdrive, because that also strips UNC paths -+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) -+ clean = bare.replace('\\', '/') -+ parts = clean.split('/') -+ joined = '/'.join(filter(allowed, parts)) -+ if not joined: -+ raise ValueError("Empty filename") -+ return joined + '/' * name.endswith('/') -+ -+ -+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile): - """ - A ZipFile subclass that ensures that implied directories - are always included in the namelist. --- -2.43.0 - diff --git a/python-zipp.spec b/python-zipp.spec index 0241bfb942cc0c717dfb1ce3c228dc2c14a13b4f..2663d0ef03115e1889d25d8a5800f0d625ba189a 100644 --- a/python-zipp.spec +++ b/python-zipp.spec @@ -1,12 +1,11 @@ %global _empty_manifest_terminate_build 0 Name: python-zipp -Version: 3.18.1 -Release: 2 +Version: 3.20.2 +Release: 1 Summary: Backport of pathlib-compatible object wrapper for zip files License: MIT URL: https://github.com/jaraco/zipp Source0: https://pypi.io/packages/source/z/zipp/zipp-%{version}.tar.gz -Patch3000: backport-CVE-2024-5569.patch BuildArch: noarch %description 
@@ -37,14 +36,12 @@ A pathlib-compatible Zipfile object wrapper. A backport of the Path object. %prep %autosetup -n zipp-%{version} -p1 -# Skip tests that depend on jaraco.itertools -sed -i "/import jaraco.itertools/d" tests/test_path.py %build %pyproject_build %install -%pyproject_install zipp==%{version} +%pyproject_install install -d -m755 %{buildroot}/%{_pkgdocdir} if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi @@ -54,9 +51,6 @@ if [ -f README.rst ]; then cp -af README.rst %{buildroot}/%{_pkgdocdir}; fi if [ -f README.md ]; then cp -af README.md %{buildroot}/%{_pkgdocdir}; fi if [ -f README.txt ]; then cp -af README.txt %{buildroot}/%{_pkgdocdir}; fi -%check -pytest -k "not test_joinpath_constant_time" - %files -n python3-zipp %defattr(-,root,root) %{python3_sitelib}/* @@ -66,6 +60,9 @@ pytest -k "not test_joinpath_constant_time" %{_docdir}/* %changelog +* Tue Oct 15 2024 xu_ping <707078654@qq.com> - 3.20.2-1 +- Upgrade version to 3.20.2 + * Tue Jul 09 2024 zhangxianting - 3.18.1-2 - Fix CVE-2024-5569 diff --git a/zipp-3.18.1.tar.gz b/zipp-3.18.1.tar.gz deleted file mode 100644 index 2b6bbc231fb0407affce0b9785d2715be4680854..0000000000000000000000000000000000000000 Binary files a/zipp-3.18.1.tar.gz and /dev/null differ diff --git a/zipp-3.20.2.tar.gz b/zipp-3.20.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..8f6ac52b8b262e1bea0d44c16ce2c09b9b4084d3 Binary files /dev/null and b/zipp-3.20.2.tar.gz differ
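Review bot: Deleting the `%check` section in the hunk at `@@ -54,9 +51,6 @@` removes the only point where the upstream test suite runs during the package build, so the malformed-name sanitisation that the dropped backport-CVE-2024-5569.patch carried is now trusted to the 3.20.2 tarball without being exercised at build time. If the stage was dropped because the suite no longer runs cleanly in the build root, keeping it with the existing exclusion, `%check` followed by `pytest -k "not test_joinpath_constant_time"`, is still preferable to no test stage; the removed `sed` in the hunk at `@@ -37,14 +36,12 @@` that stripped the `jaraco.itertools` import suggests that dependency may be the blocker, but that is inferred, not visible here. A one-line comment in the spec stating why `%check` was removed, and a changelog line noting both the dropped patch (presumably because upstream 3.20.2 includes the fix) and the removed test stage, would make this reviewable later; the changelog entry in the last hunk mentions only the version upgrade.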