mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 12:29:55 +00:00
Code Issues Projects Releases Wiki Activity

python3-wheel: fix for CVE-2022-40898

Browse Source 
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1
and earlier allows remote attackers to cause a denial of service via
attacker controlled input to wheel cli.

CVE: CVE-2022-40898

Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0]

(From OE-Core rev: 0974291e545aec68755dfb634c75dca37cca1ea9)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Narpat Mali
2023-01-12 14:55:32 +00:00
committed by Richard Purdie
parent 92b150b9f3
commit fd36d262b8
2 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
+32
View File
@@ -0,0 +1,32 @@
From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001
From: Narpat Mali <narpat.mali@windriver.com>
Date: Wed, 11 Jan 2023 07:45:57 +0000
Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
CVE: CVE-2022-40898
Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
src/wheel/wheelfile.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
index 21e7361..ff06edf 100644
--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
@@ -27,8 +27,8 @@ else:
# Non-greedy matching of an optional build number may be too clever (more
# invalid wheel filenames will match). Separate regex for .dist-info?
WHEEL_INFO_RE = re.compile(
- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
re.VERBOSE)
--
2.32.0
meta/recipes-devtools/python/python3-wheel_0.37.1.bb
+3 -1
View File
@@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495
inherit python_flit_core pypi inherit python_flit_core pypi
SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch" SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \
file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \
"
BBCLASSEXTEND = "native nativesdk" BBCLASSEXTEND = "native nativesdk"