python3-zipp: fix CVE-2024-5569

According to [1] which provided the fix link [2], but upstream author reworked it later [3][4][5] Backport and rebase all the patches for tracing [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5569 [2] https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd [3] https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876 [4] https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48 [5] https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09 (From OE-Core rev: 13bd99e17f0aca108839e81e9aa0b14351116fdf) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-05-31 12:49:46 +00:00 · 2024-11-28 15:46:44 +08:00
parent e8c505f7a4
commit af06cbf82b
6 changed files with 300 additions and 0 deletions
@@ -9,6 +9,14 @@ DEPENDS += "${PYTHON_PN}-setuptools-scm-native"

 inherit pypi python_setuptools_build_meta

+SRC_URI += " \
+    file://0001-Add-SanitizedNames-mixin.patch \
+    file://0002-Employ-SanitizedNames-in-CompleteDirs.-Fixes-broken-.patch \
+    file://0003-Removed-SanitizedNames.patch \
+    file://0004-Address-infinite-loop-when-zipfile-begins-with-more-.patch \
+    file://0005-Prefer-simpler-path.rstrip-to-consolidate-checks-for.patch \
+"
+
 DEPENDS += "${PYTHON_PN}-toml-native"

 RDEPENDS:${PN} += "${PYTHON_PN}-compression \