mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-29 12:09:36 +00:00
Code Issues Projects Releases Wiki Activity

python3-setuptools: Fix CVE-2024-6345

Browse Source 
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for
remote code execution via its download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package index servers, are susceptible
to code injection. If these functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345

Upstream-patch:
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

(From OE-Core rev: 468c5a4e12b9d38768b00151c55fd27b2b504f3b)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Soumya Sambu
2024-09-01 17:17:26 +00:00
committed by Steve Sakoman
parent 8637aa34f0
commit 67aa29393d
2 changed files with 315 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/python/python3-setuptools_69.1.1.bb
+3 -1
View File
@@ -9,7 +9,9 @@ inherit pypi python_setuptools_build_meta
SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
SRC_URI += " \
file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch"
file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
file://CVE-2024-6345.patch \
"
SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"