Merge "Debian: wheel: fix CVE-2022-40898"

2025-04-28 15:20:54 +00:00
parent e2992798b5 cfcbd4d6e2
commit 6b6b254062
6 changed files with 117 additions and 0 deletions
--- a/debian_iso_image.inc
+++ b/debian_iso_image.inc
@@ -366,6 +366,9 @@ python3-nsenter
 python3-pkg-resources
 python3-setuptools

+#wheel
+python3-wheel
+
 #python3.9
 python3.9

--- a/1
+++ b/1
@@ -100,6 +100,7 @@ python/python-nss
 python/python3-nsenter
 python/python3-setuptools
 python/python3-zmq
+python/python3-wheel
 python/python3.9
 python/zerorpc-python
 security/efitools
--- a/python/python3-wheel/debian/meta_data.yaml
+++ b/python/python3-wheel/debian/meta_data.yaml
@@ -0,0 +1,7 @@
+---
+debver: 0.34.2-1
+debname: wheel
+archive: https://snapshot.debian.org/archive/debian/20200320T222820Z/pool/main/w/wheel/
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true
--- a/python/python3-wheel/debian/patches/0001-Debian-fix-CVE-2022-40898.patch
+++ b/python/python3-wheel/debian/patches/0001-Debian-fix-CVE-2022-40898.patch
@@ -0,0 +1,42 @@
+From b4bd57a8e5422f2283b052c86402913d90e5f960 Mon Sep 17 00:00:00 2001
+From: Peng Zhang <Peng.Zhang2@windriver.com>
+Date: Wed, 23 Apr 2025 13:46:25 +0800
+Subject: [PATCH] Debian: fix CVE-2022-40898
+
+Fixed potential DoS attack via WHEEL_INFO_RE
+
+Signed-off-by: Alex Grönholm <alex.gronholm@nextday.fi>
+
+For currently in debian, there is no fix for CVE-2022-40898. So add
+source package and backport commit which is:
+88f02bc335d5404991e532e7f3b0fc80437bf4e0 in
+https://github.com/pypa/wheel/commit/.
+
+It will fix potential DoS attack via the ``WHEEL_INFO_RE`` regular
+expression.
+
+(Adapt for context change)
+Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
+(cherry picked from commit 88f02bc335d5404991e532e7f3b0fc80437bf4e0)
+---
+ src/wheel/wheelfile.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
+index acc5dab..bc4e8d7 100644
+--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
+@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+-    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
+-     -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
+    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
+     re.VERBOSE)
+ 
+ 
+-- 
+2.34.1
+
--- a/python/python3-wheel/debian/patches/0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch
+++ b/python/python3-wheel/debian/patches/0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch
@@ -0,0 +1,62 @@
+From 8c765cb3755e9b5bae8554362f7ff943e78da954 Mon Sep 17 00:00:00 2001
+From: Peng Zhang <Peng.Zhang2@windriver.com>
+Date: Mon, 28 Apr 2025 06:14:56 +0000
+Subject: [PATCH] Fixed parsing of wheel file names with multiple platform tags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes #485.
+
+Signed-off-by: Alex Grönholm <alex.gronholm@nextday.fi
+
+(Adapt for context change)
+Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
+(cherry picked from commit 44193907eb308930de05deed863fb4d157c5c866)
+---
+ src/wheel/wheelfile.py  |  4 ++--
+ tests/test_wheelfile.py | 13 ++++++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
+index bc4e8d7..81804ae 100644
+--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
+@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+-    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+-     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
+    r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]+?))(-(?P<build>\d[^\s-]*))?
+     -(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>\S+)\.whl$""",
+     re.VERBOSE)
+ 
+ 
+diff --git a/tests/test_wheelfile.py b/tests/test_wheelfile.py
+index db11bcd..69225f8 100644
+--- a/tests/test_wheelfile.py
+++ b/tests/test_wheelfile.py
+@@ -16,9 +16,16 @@ def wheel_path(tmpdir):
+     return str(tmpdir.join('test-1.0-py2.py3-none-any.whl'))
+ 
+ 
+-def test_wheelfile_re(tmpdir):
+-    # Regression test for #208
+-    path = tmpdir.join('foo-2-py3-none-any.whl')
+@pytest.mark.parametrize(
+    "filename",
+    [
+        "foo-2-py3-none-any.whl",
+        "foo-2-py2.py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
+    ],
+)
+def test_wheelfile_re(filename, tmpdir):
+    # Regression test for #208 and #485
+    path = tmpdir.join(filename)
+     with WheelFile(str(path), 'w') as wf:
+         assert wf.parsed_filename.group('namever') == 'foo-2'
+ 
+-- 
+2.30.2
+
--- a/python/python3-wheel/debian/patches/series
+++ b/python/python3-wheel/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Debian-fix-CVE-2022-40898.patch
+0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch