Fix CVE-2024-6345 in python3 (#9904)

Author: sindhu-karri

SPECS/python3/CVE-2024-6345.patch

@@ -0,0 +1,137 @@
+From a537ec061cdfb9f39ef721111bf6927627fe91ec Mon Sep 17 00:00:00 2001
+From: Sindhu Karri <lakarri@microsoft.com>
+Date: Mon, 22 Jul 2024 12:23:41 +0000
+Subject: [PATCH] Fix CVE-2024-6345 in package_index.py
+
+---
+ setuptools/package_index.py | 175 +++++++++++++++++-------------------
+ 1 file changed, 83 insertions(+), 92 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index c998160..85d7cfe 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -812,96 +812,45 @@ class PackageIndex(Environment):
+     def _attempt_download(self, url, filename):
+         headers = self._download_to(url, filename)
+         if 'html' in headers.get('content-type', '').lower():
+-            return self._download_html(url, headers, filename)
++            return self._invalid_download_html(url, headers, filename)
+         else:
+             return filename
+ 
+-    def _download_html(self, url, headers, filename):
+-        file = open(filename)
+-        for line in file:
+-            if line.strip():
+-                # Check for a subversion index page
+-                if re.search(r'<title>([^- ]+ - )?Revision \d+:', line):
+-                    # it's a subversion index page:
+-                    file.close()
+-                    os.unlink(filename)
+-                    return self._download_svn(url, filename)
+-                break  # not an index page
+-        file.close()
++    def _invalid_download_html(self, url, headers, filename):
+         os.unlink(filename)
+-        raise DistutilsError("Unexpected HTML page found at " + url)
+-
+-    def _download_svn(self, url, filename):
+-        warnings.warn("SVN download support is deprecated", UserWarning)
+-        url = url.split('#', 1)[0]  # remove any fragment for svn's sake
+-        creds = ''
+-        if url.lower().startswith('svn:') and '@' in url:
+-            scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
+-            if not netloc and path.startswith('//') and '/' in path[2:]:
+-                netloc, path = path[2:].split('/', 1)
+-                auth, host = _splituser(netloc)
+-                if auth:
+-                    if ':' in auth:
+-                        user, pw = auth.split(':', 1)
+-                        creds = " --username=%s --password=%s" % (user, pw)
+-                    else:
+-                        creds = " --username=" + auth
+-                    netloc = host
+-                    parts = scheme, netloc, url, p, q, f
+-                    url = urllib.parse.urlunparse(parts)
+-        self.info("Doing subversion checkout from %s to %s", url, filename)
+-        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
+-        return filename
++        raise DistutilsError(f"Unexpected HTML page found at {url}")
+ 
+     @staticmethod
+-    def _vcs_split_rev_from_url(url, pop_prefix=False):
+-        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
++    def _vcs_split_rev_from_url(url):
++        """
++        Given a possible VCS URL, return a clean URL and resolved revision if any.
++
++        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
++        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
++        ('https://github.com/pypa/setuptools', 'v69.0.0')
++        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
++        ('https://github.com/pypa/setuptools', None)
++        >>> vsrfu('http://foo/bar')
++        ('http://foo/bar', None)
++        """
++        parts = urllib.parse.urlsplit(url)
+ 
+-        scheme = scheme.split('+', 1)[-1]
++        clean_scheme = parts.scheme.split('+', 1)[-1]
+ 
+         # Some fragment identification fails
+-        path = path.split('#', 1)[0]
+-
+-        rev = None
+-        if '@' in path:
+-            path, rev = path.rsplit('@', 1)
+-
+-        # Also, discard fragment
+-        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
+-
+-        return url, rev
+-
+-    def _download_git(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+-        self.info("Doing git clone from %s to %s", url, filename)
+-        os.system("git clone --quiet %s %s" % (url, filename))
+-
+-        if rev is not None:
+-            self.info("Checking out %s", rev)
+-            os.system("git -C %s checkout --quiet %s" % (
+-                filename,
+-                rev,
+-            ))
+-
+-        return filename
+-
+-    def _download_hg(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
++        no_fragment_path, _, _ = parts.path.partition('#')
+ 
+-        self.info("Doing hg clone from %s to %s", url, filename)
+-        os.system("hg clone --quiet %s %s" % (url, filename))
++        pre, sep, post = no_fragment_path.rpartition('@')
++        clean_path, rev = (pre, post) if sep else (post, None)
+ 
+-        if rev is not None:
+-            self.info("Updating to %s", rev)
+-            os.system("hg --cwd %s up -C -r %s -q" % (
+-                filename,
+-                rev,
+-            ))
++        resolved = parts._replace(
++            scheme=clean_scheme,
++            path=clean_path,
++            # discard the fragment
++            fragment='',
++        ).geturl()
+ 
+-        return filename
++        return resolved, rev
+ 
+     def debug(self, msg, *args):
+         log.debug(msg, *args)

SPECS/python3/python3.spec

@@ -12,7 +12,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.19
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -24,6 +24,7 @@ Patch0:         cgi3.patch
 Patch1:         0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
 # Patch for setuptools, resolved in 65.5.1
 Patch1000:      CVE-2022-40897.patch
+Patch1001:      CVE-2024-6345.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@@ -212,6 +213,8 @@ popd
 # Manually patch CVE-2022-40897 which is a bundled wheel. We can only update the source code after install
 echo 'Patching CVE-2022-40897 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py'
 patch %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py < %{PATCH1000}
+echo 'Patching CVE-2024-6345 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py'
+patch -p1 %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py < %{PATCH1001}
 
 # Windows executables get installed by pip and setuptools- we don't need these.
 find %{buildroot}%{_libdir}/python%{majmin}/site-packages -name '*.exe' -delete -print
@@ -313,6 +316,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Mon Jul 22 2024 Sindhu Karri <lakarri@microsoft.com> - 3.9.19-2
+- Patch for CVE-2024-6345
+
 * Fri Mar 22 2024 Binu Philip <bphilip@microsoft.com> - 3.9.19-1
 - Upgrade to python 3.9.19 for CVE-2023-6597 and other security fixes
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-17.cm2.noarch.rpm
 ca-certificates-2.0.0-17.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
-python3-3.9.19-1.cm2.aarch64.rpm
-python3-devel-3.9.19-1.cm2.aarch64.rpm
-python3-libs-3.9.19-1.cm2.aarch64.rpm
-python3-setuptools-3.9.19-1.cm2.noarch.rpm
+python3-3.9.19-2.cm2.aarch64.rpm
+python3-devel-3.9.19-2.cm2.aarch64.rpm
+python3-libs-3.9.19-2.cm2.aarch64.rpm
+python3-setuptools-3.9.19-2.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-17.cm2.noarch.rpm
 ca-certificates-2.0.0-17.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
-python3-3.9.19-1.cm2.x86_64.rpm
-python3-devel-3.9.19-1.cm2.x86_64.rpm
-python3-libs-3.9.19-1.cm2.x86_64.rpm
-python3-setuptools-3.9.19-1.cm2.noarch.rpm
+python3-3.9.19-2.cm2.x86_64.rpm
+python3-devel-3.9.19-2.cm2.x86_64.rpm
+python3-libs-3.9.19-2.cm2.x86_64.rpm
+python3-setuptools-3.9.19-2.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.19-1.cm2.aarch64.rpm
+python3-3.9.19-2.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.19-1.cm2.aarch64.rpm
+python3-curses-3.9.19-2.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.19-1.cm2.aarch64.rpm
-python3-devel-3.9.19-1.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-2.cm2.aarch64.rpm
+python3-devel-3.9.19-2.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-4.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.19-1.cm2.aarch64.rpm
+python3-libs-3.9.19-2.cm2.aarch64.rpm
 python3-libxml2-2.10.4-3.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.19-1.cm2.noarch.rpm
+python3-pip-3.9.19-2.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.19-1.cm2.noarch.rpm
-python3-test-3.9.19-1.cm2.aarch64.rpm
-python3-tools-3.9.19-1.cm2.aarch64.rpm
+python3-setuptools-3.9.19-2.cm2.noarch.rpm
+python3-test-3.9.19-2.cm2.aarch64.rpm
+python3-tools-3.9.19-2.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.19-1.cm2.x86_64.rpm
+python3-3.9.19-2.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.19-1.cm2.x86_64.rpm
+python3-curses-3.9.19-2.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.19-1.cm2.x86_64.rpm
-python3-devel-3.9.19-1.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-2.cm2.x86_64.rpm
+python3-devel-3.9.19-2.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-4.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.19-1.cm2.x86_64.rpm
+python3-libs-3.9.19-2.cm2.x86_64.rpm
 python3-libxml2-2.10.4-3.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.19-1.cm2.noarch.rpm
+python3-pip-3.9.19-2.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.19-1.cm2.noarch.rpm
-python3-test-3.9.19-1.cm2.x86_64.rpm
-python3-tools-3.9.19-1.cm2.x86_64.rpm
+python3-setuptools-3.9.19-2.cm2.noarch.rpm
+python3-test-3.9.19-2.cm2.x86_64.rpm
+python3-tools-3.9.19-2.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm