diff options
| author |   Narpat Mali <narpat.mali@windriver.com> | 2023-01-12 14:55:32 +0000 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2023-01-16 04:41:29 -1000 |
| commit | 0974291e545aec68755dfb634c75dca37cca1ea9 (patch) | |
| tree | 307d87d75a3392bb2b8e8dd480bc40c3b180e88f | |
| parent | f574d8d57ff3fbc38e350e7a90913993081c4fdf (diff) | |
| download | openembedded-core-contrib-0974291e545aec68755dfb634c75dca37cca1ea9.tar.gz | |
python3-wheel: fix for CVE-2022-40898
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1
and earlier allows remote attackers to cause a denial of service via
attacker controlled input to wheel cli.
CVE: CVE-2022-40898
Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
| -rw-r--r-- | meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch | 32 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python3-wheel_0.37.1.bb | 4 |
2 files changed, 35 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch new file mode 100644 index 0000000000..bdaae7dd10 --- /dev/null +++ b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch @@ -0,0 +1,32 @@ +From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 11 Jan 2023 07:45:57 +0000 +Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE + +CVE: CVE-2022-40898 + +Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + src/wheel/wheelfile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 21e7361..ff06edf 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -27,8 +27,8 @@ else: + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))? +- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""", ++ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))? ++ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""", + re.VERBOSE) + + +-- +2.32.0 + diff --git a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb index 2f7dd122ba..3ee03ddd36 100644 --- a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb +++ b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb @@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495 inherit python_flit_core pypi -SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch" +SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \ + file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \ + " BBCLASSEXTEND = "native nativesdk" |