git: 3dda704910d4 - main - devel/py-setuptools: fix CVE-2022-40897 backporting a patch

From: Eugene Grosbein <eugen_at_FreeBSD.org>
Date: Thu, 22 Jun 2023 13:24:19 UTC
The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3dda704910d48411e072f7c58b8530dcd56bc5a9

commit 3dda704910d48411e072f7c58b8530dcd56bc5a9
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-06-22 13:13:03 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-06-22 13:24:12 +0000

    devel/py-setuptools: fix CVE-2022-40897 backporting a patch
    
    This commit integrates a one-line upstream fix for the problem:
    https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be.diff
    
    Our port has not been fixed for several months, making users unhappy.
    It's up to the maintainer to update the port; this commit does not update it.
    
    Bump PORTREVISION and adjust VuXML entry.
    Due to the nature of the problem and fix, there is no need to update consumers.
---
 devel/py-setuptools/Makefile                                 |  1 +
 devel/py-setuptools/files/patch-setuptools_package__index.py | 11 +++++++++++
 security/vuxml/vuln/2023.xml                                 |  4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/devel/py-setuptools/Makefile b/devel/py-setuptools/Makefile
index 8afe4e675887..7e8cff683e8c 100644
--- a/devel/py-setuptools/Makefile
+++ b/devel/py-setuptools/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	setuptools
 PORTVERSION=	63.1.0
+PORTREVISION=	1
 CATEGORIES=	devel python
 MASTER_SITES=	PYPI
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
diff --git a/devel/py-setuptools/files/patch-setuptools_package__index.py b/devel/py-setuptools/files/patch-setuptools_package__index.py
new file mode 100644
index 000000000000..85b8319a0b09
--- /dev/null
+++ b/devel/py-setuptools/files/patch-setuptools_package__index.py
@@ -0,0 +1,11 @@
+--- setuptools/package_index.py.orig	2022-07-04 02:25:25 UTC
++++ setuptools/package_index.py
+@@ -197,7 +197,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 
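Review bot: the new patch file carries no header saying where it comes from; add a comment line above the `--- setuptools/package_index.py.orig` line (patch(1) ignores leading text) such as `# CVE-2022-40897, backported from https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be`, so the next person touching the port can tell this is a security backport and not local customisation. The change itself is sound for the stated problem: replacing the two unbounded `\s*` around `=` with `\s{0,10}` and adding a space to the negated class `[^'" >]+` removes the overlap between the whitespace, value and `[^>]*` pieces that lets a crafted page force heavy backtracking. One behaviour change is worth a sentence in that header: with the space excluded, an unquoted `rel=` value now stops at the first space instead of running on to the next quote or `>`, so the captured group is the bare value rather than the value plus any following attributes. The `+ ` lines with only a space after the plus are correct as written (they are the nested diff's context lines) and must not be stripped as trailing whitespace.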
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index bee1ce17a636..388fb3f656d9 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -2833,7 +2833,7 @@
     <affects>
       <package>
     <name>py39-setuptools</name>
-    <range><lt>65.5.1</lt></range>
+    <range><lt>63.1.0_1</lt></range>
       </package>
     </affects>
     <description>
@@ -2842,7 +2842,7 @@
     <blockquote cite="https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579">
       <p>Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.</p>
       <p>Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.</p>
-      <p>This has been patched in version 65.5.1.</p>
+      <p>This has been patched in version 65.5.1. The patch backported to the revision 63.1.0_1.</p>
     </blockquote>
       </body>
     </description>
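Review bot: the added sentence "The patch backported to the revision 63.1.0_1." is missing its verb, and it is placed inside the `<blockquote cite="https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579">`, which presents the text as a quotation from the OSV advisory; an editorial remark about the FreeBSD port should not be attributed to that source. Move it after the `</blockquote>` as its own `<p>` and reword it, e.g. `<p>The fix was backported to port revision 63.1.0_1.</p>`. This diff also does not touch the entry's `<modified>` date, which should be bumped whenever a VuXML entry is edited.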