[AUTO-CHERRYPICK] Fix CVE-2022-40898 for python-wheel - branch main (#10423)

Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>
CBL-Mariner-Bot 2024-09-13 14:45:50 -07:00 committed by GitHub
parent 31e961bbcc
commit f27ba146cb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 36 additions and 1 deletions


@ -0,0 +1,31 @@
From 56341b35080dfa25d28039ff7f0e774a6f56876d Mon Sep 17 00:00:00 2001
From: Sudipta Pandit <sudpandit@microsoft.com>
Date: Fri, 6 Sep 2024 15:31:24 +0530
Subject: [PATCH] [PATCH] Backport upstream patch for CVE-2022-40898
Backported from https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0
---
wheel/wheelfile.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/wheel/wheelfile.py b/wheel/wheelfile.py
index ddf8509..ddb753c 100644
--- a/wheel/wheelfile.py
+++ b/wheel/wheelfile.py
@@ -16,9 +16,10 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
# Non-greedy matching of an optional build number may be too clever (more
# invalid wheel filenames will match). Separate regex for .dist-info?
WHEEL_INFO_RE = re.compile(
- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
- re.VERBOSE)
+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
+ re.VERBOSE,
+)
def get_zipinfo_datetime(timestamp=None):
--
2.34.1
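Review bot: The rewritten `WHEEL_INFO_RE` in the backported hunk carries no comment saying why every `.+?` became a negated character class, so the next maintainer may "simplify" it back and reopen the issue. I would add, directly above `WHEEL_INFO_RE = re.compile(` and next to the existing note about non-greedy matching, a comment along the lines of `# Each field is [^-]+? (plat: [^.]+?) rather than .+?: the negated classes stop the engine from backtracking across field boundaries on a crafted filename (CVE-2022-40898, upstream 88f02bc3).` Note the behavioural consequence the hunk introduces but does not state: a platform tag containing a dot no longer matches at all, which is what upstream chose and should be understood by anyone consuming these filenames downstream. Separately, the patch subject reads `Subject: [PATCH] [PATCH] ...`, a duplicated tag from re-running format-patch on an already-formatted message. The enclosing module continues outside the hunk.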


@ -3,12 +3,13 @@
Summary: Built-package format for Python
Name: python-%{pypi_name}
Version: 0.33.6
Release: 7%{?dist}
Release: 8%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/pypa/wheel
Source0: %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
Patch0: CVE-2022-40898.patch
%global pypi_name wheel
%global python_wheelname %{pypi_name}-%{version}-py2.py3-none-any.whl
%global python_wheeldir %{_datadir}/python-wheels
@ -102,6 +103,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test3 -v --ignore build
%endif
%changelog
* Fri Sep 09 2024 Sudipta Pandit <sudpandit@microsoft.com> - 0.33.6-8
- Backport CVE-2022-40898 fix from upstream
* Thu Mar 03 2022 Bala <balakumaran.kannan@microsoft.com> - 0.33.6-7
- BR multiple python3 modules for PTest
- pip3 install additional modules which not available as RPM
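Review bot: The new changelog entry's weekday does not match its date — `* Fri Sep 09 2024 Sudipta Pandit ...` names a Friday, but 9 September 2024 was a Monday, which rpmlint reports as an incoherent changelog date; either `* Mon Sep 09 2024 ...` or the Friday the patch header itself gives, `* Fri Sep 06 2024 ...`, would be consistent. Declaring `Patch0: CVE-2022-40898.patch` in the first hunk only takes effect if `%prep` applies it (`%autosetup`, or an explicit `%patch0 -p1`); `%prep` is outside both hunks, so please confirm the patch is actually applied rather than merely listed, ideally by checking the build log or a test in `%check` that feeds `WheelFile` a long malformed filename and expects it to be rejected promptly. The `%changelog` section continues outside the hunk.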