[AUTO-CHERRYPICK] Fix CVE-2022-40898 for python-wheel - branch main (#10423)

CBL-Mariner-Bot · realsdx · web-flow · commit f27ba146cbff · 2024-09-13T17:45:50.000-04:00
Co-authored-by: Sudipta Pandit &lt;sudpandit@microsoft.com&gt;
diff --git a/SPECS/python-wheel/CVE-2022-40898.patch b/SPECS/python-wheel/CVE-2022-40898.patch
@@ -0,0 +1,31 @@
+From 56341b35080dfa25d28039ff7f0e774a6f56876d Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Fri, 6 Sep 2024 15:31:24 +0530
+Subject: [PATCH] [PATCH] Backport upstream patch for CVE-2022-40898
+
+Backported from https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0
+---
+ wheel/wheelfile.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/wheel/wheelfile.py b/wheel/wheelfile.py
+index ddf8509..ddb753c 100644
+--- a/wheel/wheelfile.py
++++ b/wheel/wheelfile.py
+@@ -16,9 +16,10 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+-    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
+-     -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
+-    re.VERBOSE)
++    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
++     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
++    re.VERBOSE,
++)
+ 
+ 
+ def get_zipinfo_datetime(timestamp=None):
+-- 
+2.34.1
+
diff --git a/SPECS/python-wheel/python-wheel.spec b/SPECS/python-wheel/python-wheel.spec
@@ -3,12 +3,13 @@
 Summary:        Built-package format for Python
 Name:           python-%{pypi_name}
 Version:        0.33.6
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/pypa/wheel
 Source0:        %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
+Patch0:         CVE-2022-40898.patch
 %global pypi_name wheel
 %global python_wheelname %{pypi_name}-%{version}-py2.py3-none-any.whl
 %global python_wheeldir %{_datadir}/python-wheels
@@ -102,6 +103,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test3 -v --ignore build
 %endif
 
 %changelog
+* Fri Sep 09 2024 Sudipta Pandit <sudpandit@microsoft.com> - 0.33.6-8
+- Backport CVE-2022-40898 fix from upstream
+
 * Thu Mar 03 2022 Bala <balakumaran.kannan@microsoft.com> - 0.33.6-7
 - BR multiple python3 modules for PTest
 - pip3 install additional modules which not available as RPM
