From aafe5fe0939cc1c5fa258ec7abaf037dca367b4e Mon Sep 17 00:00:00 2001
From: zhuofeng
Date: Wed, 4 Jan 2023 11:14:03 +0800
Subject: [PATCH] fix CVE-2022-40897

---
 backport-CVE-2022-40897.patch | 43 +++++++++++++++++++++++++++++++++++
 python-setuptools.spec | 11 ++++++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-40897.patch

diff --git a/backport-CVE-2022-40897.patch b/backport-CVE-2022-40897.patch
new file mode 100644
index 0000000..8061000
--- /dev/null
+++ b/backport-CVE-2022-40897.patch
@@ -0,0 +1,43 @@
+From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs"
+Date: Fri, 4 Nov 2022 13:47:53 -0400
+Subject: [PATCH] Limit the amount of whitespace to search/backtrack.Fixes
+ #3659.
+
+---
+ setuptools/package_index.py | 2 +-
+ setuptools/tests/test_packageindex.py | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 270e7f3..e93fcc6 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -197,7 +197,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435e..fc544c0 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -308,3 +308,11 @@ class TestPyPIConfig:
+ cred = cfg.creds_by_repository['https://pypi.org']
+ assert cred.username == 'jaraco'
+ assert cred.password == 'pity%'
++
++
++@pytest.mark.timeout(1)
++def test_REL_DoS():
++ """
++ REL should not hang on a contrived attack string.
++ """
++ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
+--
+2.27.0
+
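Review bot: The backported regression test `test_REL_DoS` relies entirely on `@pytest.mark.timeout(1)`, which is provided by the pytest-timeout plugin; whether that plugin is among the spec's BuildRequires is not visible in this change. Without the plugin the marker is merely an unregistered mark (an error under `--strict-markers`), so a regression of the `REL` bound would hang the package's test run rather than fail it in one second. Either confirm the plugin is a build dependency or make the test self-contained by timing the call, e.g. `start = time.perf_counter()` / `setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)` / `assert time.perf_counter() - start < 1`. The patch itself matches the upstream commit named in its From line, so the regex change needs no further alteration here.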
diff --git a/python-setuptools.spec b/python-setuptools.spec index e801ee3..1a9664e 100644 --- a/python-setuptools.spec +++ b/python-setuptools.spec @@ -8,12 +8,15 @@ Name: python-setuptools Version: 59.4.0 -Release: 4 +Release: 5 Summary: Easily build and distribute Python packages License: MIT and (BSD or ASL 2.0) URL: https://pypi.python.org/pypi/setuptools Source0: %{pypi_source setuptools %{version}} + +Patch6000: backport-CVE-2022-40897.patch + Patch9000: bugfix-eliminate-random-order-in-metadata.patch BuildArch: noarch @@ -110,6 +113,12 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python3_version} --ignore= %changelog +* Wed Jan 04 2023 zhuofeng - 59.4.0-5 +- Type:CVE +- CVE:CVE-2022-40897 +- SUG:NA +- DESC:fix CVE-2022-40897 + * Thu Oct 27 2022 zhangruifang - 59.4.0-4 - Rebuild for next release -- Gitee
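Review bot: `Patch6000: backport-CVE-2022-40897.patch` is declared in the preamble hunk, but nothing in this change applies it; the `%prep` section is outside the hunk, so this is only a concern if it does not use `%autosetup` (or `%autopatch`) to apply every declared patch. If `%prep` applies patches individually, a matching `%patch6000 -p1` line is required, otherwise the build succeeds with the changelog claiming the CVE is fixed while the vulnerable `REL` regex is still shipped. Worth verifying against `%prep` before merging, since the package's own test run would catch a hang only if the backported test is actually collected.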