[AUTO-CHERRYPICK] Patch python-setuptools for CVE-2025-47273 [High]. - branch 3.0-dev (#13909)

Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: mayankfz <mayankfz@gmail.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>

Author: 4 people

SPECS/python-setuptools/CVE-2025-47273.patch

@@ -0,0 +1,64 @@
+From 28da95e0be5197aa84708aa0696c70c42be80439 Mon Sep 17 00:00:00 2001
+From: Mayank Singh <mayansingh@microsoft.com>
+Date: Mon, 26 May 2025 06:42:09 +0000
+Subject: [PATCH] Patch CVE-2025-47273
+
+Upstream Patch Reference: https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
+---
+ setuptools/package_index.py | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index cf25f83..d8f350e 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -813,10 +813,25 @@ class PackageIndex(Environment):
+             else:
+                 raise DistutilsError("Download error for %s: %s" % (url, v)) from v
+ 
+-    def _download_url(self, url, tmpdir):
+-        # Determine download filename
+-        #
+-        name, fragment = egg_info_for_url(url)
++    @staticmethod
++    def _resolve_download_filename(url, tmpdir):
++        """
++        >>> import pathlib
++        >>> du = PackageIndex._resolve_download_filename
++        >>> root = getfixture('tmp_path')
++        >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
++        >>> str(pathlib.Path(du(url, root)).relative_to(root))
++        'setuptools-78.1.0.tar.gz'
++
++        Ensures the target is always in tmpdir.
++
++        >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys'
++        >>> du(url, root)
++        Traceback (most recent call last):
++        ...
++        ValueError: Invalid filename...
++        """
++        name, _fragment = egg_info_for_url(url)
+         if name:
+             while '..' in name:
+                 name = name.replace('..', '.').replace('\\', '_')
+@@ -828,6 +843,16 @@ class PackageIndex(Environment):
+ 
+         filename = os.path.join(tmpdir, name)
+ 
++        # ensure path resolves within the tmpdir
++        if not filename.startswith(str(tmpdir)):
++            raise ValueError(f"Invalid filename {filename}")
++
++        return filename
++
++    def _download_url(self, url, tmpdir):
++        # Determine download filename
++        #
++        filename = self._resolve_download_filename(url, tmpdir)
+         return self._download_vcs(url, filename) or self._download_other(url, filename)
+ 
+     @staticmethod
+-- 
+2.45.3
+

SPECS/python-setuptools/python-setuptools.spec

@@ -6,14 +6,15 @@ Setuptools is a fully-featured, actively-maintained, and stable library designed
 Summary:        Easily build and distribute Python packages
 Name:           python-setuptools
 Version:        69.0.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
 URL:            https://pypi.python.org/pypi/setuptools
 Source0:        https://pypi.org/packages/source/s/setuptools/setuptools-%{version}.tar.gz
 Patch0:         CVE-2024-6345.patch
+Patch1:         CVE-2025-47273.patch
 
 %description    %{_description}
 
@@ -58,6 +59,9 @@ EOF
 %{python3_sitelib}/setuptools-%{version}.dist-info/*
 
 %changelog
+* Mon May 26 2025 <mayansingh@microsoft.com> - 69.0.3-5
+- Fix CVE-2025-47273 with an upstream patch
+
 * Tue Sep 10 2024 <lakarri@microsoft.com> - 69.0.3-4
 - Fix CVE-2024-6345 with a patch
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -247,7 +247,7 @@ unzip-6.0-22.azl3.aarch64.rpm
 python3-3.12.9-1.azl3.aarch64.rpm
 python3-devel-3.12.9-1.azl3.aarch64.rpm
 python3-libs-3.12.9-1.azl3.aarch64.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm
 libselinux-3.6-3.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -247,7 +247,7 @@ unzip-6.0-22.azl3.x86_64.rpm
 python3-3.12.9-1.azl3.x86_64.rpm
 python3-devel-3.12.9-1.azl3.x86_64.rpm
 python3-libs-3.12.9-1.azl3.x86_64.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm
 libselinux-3.6-3.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -553,7 +553,7 @@ python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-1.azl3.aarch64.rpm
 python3-tools-3.12.9-1.azl3.aarch64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -561,7 +561,7 @@ python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
-python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-1.azl3.x86_64.rpm
 python3-tools-3.12.9-1.azl3.x86_64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm