Date: Thu, 22 Jun 2023 13:24:19 GMT
Message-Id: <202306221324.35MDOJJO099564@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Eugene Grosbein
Subject: git: 3dda704910d4 - main - devel/py-setuptools: fix CVE-2022-40897 backporting a patch
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: eugen
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3dda704910d48411e072f7c58b8530dcd56bc5a9

The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3dda704910d48411e072f7c58b8530dcd56bc5a9

commit 3dda704910d48411e072f7c58b8530dcd56bc5a9
Author:     Eugene Grosbein
AuthorDate: 2023-06-22 13:13:03 +0000
Commit:     Eugene Grosbein
CommitDate: 2023-06-22 13:24:12 +0000

    devel/py-setuptools: fix CVE-2022-40897 backporting a patch

    This commit integrates a one-line upstream fix for the problem:
    https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be.diff

    Our port has not been fixed for several months, making users unhappy.
    It's up to the maintainer to update the port; this commit does not update it.

    Bump PORTREVISION and adjust VuXML entry.

    Due to the nature of the problem and fix there is no need to update consumers.
---
 devel/py-setuptools/Makefile                                 |  1 +
 devel/py-setuptools/files/patch-setuptools_package__index.py | 11 +++++++++++
 security/vuxml/vuln/2023.xml                                 |  4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/devel/py-setuptools/Makefile b/devel/py-setuptools/Makefile
index 8afe4e675887..7e8cff683e8c 100644
--- a/devel/py-setuptools/Makefile
+++ b/devel/py-setuptools/Makefile
@@ -1,5 +1,6 @@ PORTNAME= setuptools PORTVERSION= 63.1.0 +PORTREVISION= 1 CATEGORIES= devel python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/devel/py-setuptools/files/patch-setuptools_package__index.py b/devel/py-setuptools/files/patch-setuptools_package__index.py new file mode 100644 index 000000000000..85b8319a0b09 --- /dev/null +++ b/devel/py-setuptools/files/patch-setuptools_package__index.py @@ -0,0 +1,11 @@ +--- setuptools/package_index.py.orig 2022-07-04 02:25:25 UTC ++++ setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index bee1ce17a636..388fb3f656d9 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -2833,7 +2833,7 @@ py39-setuptools - 65.5.1 + 63.1.0_1 @@ -2842,7 +2842,7 @@

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

-

This has been patched in version 65.5.1.

+

This has been patched in version 65.5.1. The patch backported to the revision 63.1.0_1.
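Review bot: the new files/patch-setuptools_package__index.py has no header comment naming where the change comes from; since the commit message cites https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be.diff, a one-line note in the patch file pointing at that upstream commit and CVE-2022-40897 would let the next porter tell a vendored upstream fix from a local modification. On the regex itself, replacing `\s*` with `\s{0,10}` and adding a space to the value class (`[^'" >]+` in the `+REL = re.compile(...)` line) is what bounds the backtracking; the second change also means a space-separated rel value is now captured only up to its first space. That matches upstream's accepted fix, so it is fine to keep, but it is worth stating in the same header so nobody "restores" the old class later.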
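Review bot: in the `@@ -2833,7 +2833,7 @@` hunk, lowering the range bound from `- 65.5.1` to `+ 63.1.0_1` marks the patched port as fixed, but it also stops flagging any unpatched upstream release between 63.1.0_1 and 65.5.1 should the maintainer later update the port to one of those without carrying this patch. VuXML allows several <range> elements per <package>, so keep the original bound as a second range next to the new one: one range with lt 63.1.0_1, and another with ge set to the first upstream release after 63.1.0 and lt 65.5.1.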
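Review bot: the added body line `+ This has been patched in version 65.5.1. The patch backported to the revision 63.1.0_1.` is missing a verb and reads oddly in the published advisory; suggest `The patch was backported in port revision 63.1.0_1.` so it is clear that 63.1.0_1 is the FreeBSD port revision, not a setuptools release.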