git: a3d611120fcc - main - devel/py-setuptools{44,58}: fix CVE-2022-40897 backporting a patch

From: Eugene Grosbein <eugen_at_FreeBSD.org>
Date: Thu, 22 Jun 2023 13:48:14 UTC
The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a3d611120fccf3b51b3dc62ec9246588e7d7a8ac

commit a3d611120fccf3b51b3dc62ec9246588e7d7a8ac
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-22 13:45:10 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-22 13:45:10 +0000

    devel/py-setuptools{44,58}: fix CVE-2022-40897 backporting a patch
    
    Follow the recent commit to devel/py-setuptools and fix the old versions the same way.
    
    Reported-by:    vishwin
---
 devel/py-setuptools44/Makefile                                |  1 +
 .../py-setuptools44/files/patch-setuptools_package__index.py  | 11 +++++++++++
 devel/py-setuptools58/Makefile                                |  2 +-
 .../py-setuptools58/files/patch-setuptools_package__index.py  | 11 +++++++++++
 security/vuxml/vuln/2023.xml                                  |  2 ++
 5 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/devel/py-setuptools44/Makefile b/devel/py-setuptools44/Makefile
index 673af0627c0b..cc1003bdc7f3 100644
--- a/devel/py-setuptools44/Makefile
+++ b/devel/py-setuptools44/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	setuptools
 PORTVERSION=	44.1.1
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
diff --git a/devel/py-setuptools44/files/patch-setuptools_package__index.py b/devel/py-setuptools44/files/patch-setuptools_package__index.py
new file mode 100644
index 000000000000..85b8319a0b09
--- /dev/null
+++ b/devel/py-setuptools44/files/patch-setuptools_package__index.py
@@ -0,0 +1,11 @@
+--- setuptools/package_index.py.orig	2022-07-04 02:25:25 UTC
++++ setuptools/package_index.py
+@@ -197,7 +197,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
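Review bot: The patch looks copied rather than regenerated per version: this file and the py-setuptools58 one later in the commit are the same blob (85b8319a0b09), with the same `@@ -197,7 +197,7 @@` header and `.orig` timestamp. If `REL` is not at that position in both the 44.1.1 and 58.5.3 trees, patch(1) applies the hunk only by offset, so regenerating each file from its own extracted source would keep the hunks exact. Neither file says where the change comes from; a comment above the `---` line such as `Backport of the upstream REL regex fix for CVE-2022-40897 (whitespace runs bounded to \s{0,10}). Obtained from: <upstream commit URL>` would let a later maintainer check the backport against upstream.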
diff --git a/devel/py-setuptools58/Makefile b/devel/py-setuptools58/Makefile
index c6e1695a54d1..40e9a8c756d6 100644
--- a/devel/py-setuptools58/Makefile
+++ b/devel/py-setuptools58/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	setuptools
 PORTVERSION=	58.5.3
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
diff --git a/devel/py-setuptools58/files/patch-setuptools_package__index.py b/devel/py-setuptools58/files/patch-setuptools_package__index.py
new file mode 100644
index 000000000000..85b8319a0b09
--- /dev/null
+++ b/devel/py-setuptools58/files/patch-setuptools_package__index.py
@@ -0,0 +1,11 @@
+--- setuptools/package_index.py.orig	2022-07-04 02:25:25 UTC
++++ setuptools/package_index.py
+@@ -197,7 +197,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 388fb3f656d9..5cd8ec24d829 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -2833,6 +2833,8 @@
     <affects>
       <package>
     <name>py39-setuptools</name>
+    <range><lt>44.1.1</lt></range>
+    <range><ge>57.0.0</ge><lt>58.5.3_3</lt></range>
     <range><lt>63.1.0_1</lt></range>
       </package>
     </affects>
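Review bot: The added range `<lt>44.1.1</lt>` excludes 44.1.1 itself, yet the fix for that branch ships as 44.1.1_1 (the Makefile hunk in this commit sets PORTREVISION=1), so the bound should read `<range><lt>44.1.1_1</lt></range>`. Separately, the unchanged `<range><lt>63.1.0_1</lt></range>` already matches every lower version and ranges inside a `<package>` are alternatives, so the two new ranges narrow nothing: a patched 44.1.1_1 or 58.5.3_3 matching this `<name>` would still be reported by `pkg audit`. If the intent is to clear the patched branches, the last range needs a `<ge>` lower bound above the 58 branch. The entry starts and ends outside the hunk, so it is not visible here whether the 44/58 ports install under `py39-setuptools` at all; that is worth confirming against their package names.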