diff --git a/debian_iso_image.inc b/debian_iso_image.inc index 24b6296d1..cb7a84e99 100644 --- a/debian_iso_image.inc +++ b/debian_iso_image.inc @@ -366,6 +366,9 @@ python3-nsenter python3-pkg-resources python3-setuptools +#wheel +python3-wheel + #python3.9 python3.9 diff --git a/debian_pkg_dirs b/debian_pkg_dirs index 53766d128..629711d5f 100644 --- a/debian_pkg_dirs +++ b/debian_pkg_dirs @@ -100,6 +100,7 @@ python/python-nss python/python3-nsenter python/python3-setuptools python/python3-zmq +python/python3-wheel python/python3.9 python/zerorpc-python security/efitools diff --git a/python/python3-wheel/debian/meta_data.yaml b/python/python3-wheel/debian/meta_data.yaml new file mode 100644 index 000000000..45e7f1724 --- /dev/null +++ b/python/python3-wheel/debian/meta_data.yaml @@ -0,0 +1,7 @@ +--- +debver: 0.34.2-1 +debname: wheel +archive: https://snapshot.debian.org/archive/debian/20200320T222820Z/pool/main/w/wheel/ +revision: + dist: $STX_DIST + PKG_GITREVCOUNT: true diff --git a/python/python3-wheel/debian/patches/0001-Debian-fix-CVE-2022-40898.patch b/python/python3-wheel/debian/patches/0001-Debian-fix-CVE-2022-40898.patch new file mode 100644 index 000000000..033bf6646 --- /dev/null +++ b/python/python3-wheel/debian/patches/0001-Debian-fix-CVE-2022-40898.patch 
@@ -0,0 +1,42 @@
+From b4bd57a8e5422f2283b052c86402913d90e5f960 Mon Sep 17 00:00:00 2001
+From: Peng Zhang
+Date: Wed, 23 Apr 2025 13:46:25 +0800
+Subject: [PATCH] Debian: fix CVE-2022-40898
+
+Fixed potential DoS attack via WHEEL_INFO_RE
+
+Signed-off-by: Alex Grönholm
+
+For currently in debian, there is no fix for CVE-2022-40898. So add
+source package and backport commit which is:
+88f02bc335d5404991e532e7f3b0fc80437bf4e0 in
+https://github.com/pypa/wheel/commit/.
+
+It will fix potential DoS attack via the ``WHEEL_INFO_RE`` regular
+expression.
+
+(Adapt for context change)
+Signed-off-by: Peng Zhang
+(cherry picked from commit 88f02bc335d5404991e532e7f3b0fc80437bf4e0)
+---
+ src/wheel/wheelfile.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
+index acc5dab..bc4e8d7 100644
+--- a/src/wheel/wheelfile.py
++++ b/src/wheel/wheelfile.py
+@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+- r"""^(?P(?P.+?)-(?P.+?))(-(?P\d[^-]*))?
+ -(?P.+?)-(?P.+?)-(?P.+?)\.whl$""",
++ r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))?
++ -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""",
+ re.VERBOSE)
+
+
+--
+2.34.1
+
diff --git a/python/python3-wheel/debian/patches/0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch b/python/python3-wheel/debian/patches/0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch
new file mode 100644
index 000000000..5587dbd76
--- /dev/null
+++ b/python/python3-wheel/debian/patches/0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch
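Review bot: The Debian annotation in this patch's description does not record that the backported regex on its own rejects any platform tag containing a dot (the last group becomes `[^.]+?`), so the companion #485 patch in the same series is a hard requirement rather than an optional follow-up; suggest extending the `(Adapt for context change)` paragraph with `Must be applied together with 0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch, which restores dotted platform tags such as manylinux_2_17_x86_64.manylinux2014_x86_64.` The named groups of the regex show up here without their names (`(?P(?P.+?)`), presumably stripped by rendering; worth confirming the file on disk still carries `(?P<namever>` etc. before quilt applies it, since a mangled regex would fail to compile at import time.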
@@ -0,0 +1,62 @@
+From 8c765cb3755e9b5bae8554362f7ff943e78da954 Mon Sep 17 00:00:00 2001
+From: Peng Zhang
+Date: Mon, 28 Apr 2025 06:14:56 +0000
+Subject: [PATCH] Fixed parsing of wheel file names with multiple platform tags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes #485.
+
+Signed-off-by: Alex Grönholm
+(cherry picked from commit 44193907eb308930de05deed863fb4d157c5c866)
+---
+ src/wheel/wheelfile.py | 4 ++--
+ tests/test_wheelfile.py | 13 ++++++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
+index bc4e8d7..81804ae 100644
+--- a/src/wheel/wheelfile.py
++++ b/src/wheel/wheelfile.py
+@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+- r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))?
+- -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""",
++ r"""^(?P(?P[^\s-]+?)-(?P[^\s-]+?))(-(?P\d[^\s-]*))?
++ -(?P[^\s-]+?)-(?P[^\s-]+?)-(?P\S+)\.whl$""",
+ re.VERBOSE)
+
+
+diff --git a/tests/test_wheelfile.py b/tests/test_wheelfile.py
+index db11bcd..69225f8 100644
+--- a/tests/test_wheelfile.py
++++ b/tests/test_wheelfile.py
+@@ -16,9 +16,16 @@ def wheel_path(tmpdir):
+ return str(tmpdir.join('test-1.0-py2.py3-none-any.whl'))
+
+
+-def test_wheelfile_re(tmpdir):
+- # Regression test for #208
+- path = tmpdir.join('foo-2-py3-none-any.whl')
++@pytest.mark.parametrize(
++ "filename",
++ [
++ "foo-2-py3-none-any.whl",
++ "foo-2-py2.py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
++ ],
++)
++def test_wheelfile_re(filename, tmpdir):
++ # Regression test for #208 and #485
++ path = tmpdir.join(filename)
+ with WheelFile(str(path), 'w') as wf:
+ assert wf.parsed_filename.group('namever') == 'foo-2'
+
+--
+2.30.2
+
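Review bot: The parametrized regression test only asserts the `namever` group, while the part this patch actually changes is the tail of the pattern (the platform group now `\S+`, the other groups `[^\s-]`), so a regression in platform-tag parsing would still pass; add `assert filename.endswith(wf.parsed_filename.group('plat') + '.whl')` after the existing `assert` so the dotted multi-platform case is checked on the group it exercises. The test hunk also relies on `pytest` being imported in tests/test_wheelfile.py, which is outside the hunk; the 0.34.2 test module presumably imports it for its fixtures, but that is worth confirming since this is a cherry-pick from a much later upstream tree. The `with WheelFile(...)` body continues past the hunk.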
diff --git a/python/python3-wheel/debian/patches/series b/python/python3-wheel/debian/patches/series
new file mode 100644
index 000000000..a567d8319
--- /dev/null
+++ b/python/python3-wheel/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Debian-fix-CVE-2022-40898.patch
+0001-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch
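Review bot: Both series entries carry the `0001-` prefix, so only the line order records that the second patch depends on the first (its inner `index bc4e8d7..81804ae` expects the blob the CVE patch produces, `acc5dab..bc4e8d7`). Suggest numbering the follow-up `0002-Fixed-parsing-of-wheel-file-names-with-multiple-plat.patch` in both the file name and this series line, so a re-ordering or a dropped patch is visible at a glance and the CVE fix is never shipped without the regex repair it needs.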