From 158c2ed9dd228548b250d0afb8df24ed04ef0c7e Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Tue, 20 Aug 2024 03:30:55 +0300
Subject: [PATCH] import python3.12-setuptools-68.2.2-3.el9_4.1

---
 .gitignore | 1 +
 .python3.12-setuptools.metadata | 1 +
 ...setup.py-install-deprecation-message.patch | 41 +++
 SOURCES/CVE-2024-6345.patch | 116 ++++++++
 SPECS/python3.12-setuptools.spec | 271 ++++++++++++++++++
 5 files changed, 430 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .python3.12-setuptools.metadata
 create mode 100644 SOURCES/Adjust-the-setup.py-install-deprecation-message.patch
 create mode 100644 SOURCES/CVE-2024-6345.patch
 create mode 100644 SPECS/python3.12-setuptools.spec

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d243350
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/setuptools-68.2.2.tar.gz
diff --git a/.python3.12-setuptools.metadata b/.python3.12-setuptools.metadata
new file mode 100644
index 0000000..9d698f5
--- /dev/null
+++ b/.python3.12-setuptools.metadata
@@ -0,0 +1 @@
+b0c9b16863c57d70adc22651906eea7eaee09803 SOURCES/setuptools-68.2.2.tar.gz
diff --git a/SOURCES/Adjust-the-setup.py-install-deprecation-message.patch b/SOURCES/Adjust-the-setup.py-install-deprecation-message.patch
new file mode 100644
index 0000000..62e5c56
--- /dev/null
+++ b/SOURCES/Adjust-the-setup.py-install-deprecation-message.patch
@@ -0,0 +1,41 @@
+From 58f33f0aef5b137287e6f425b922a03123735a77 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Wed, 20 Sep 2023 17:18:47 +0200
+Subject: [PATCH] Adjust the setup.py install deprecation message and URL
+
+But only when building RPM packages.
+---
+ setuptools/command/install.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/setuptools/command/install.py b/setuptools/command/install.py
+index 606cce9..0af1631 100644
+--- a/setuptools/command/install.py
++++ b/setuptools/command/install.py
+@@ -1,6 +1,7 @@
+ from distutils.errors import DistutilsArgError
+ import inspect
+ import glob
++import os
+ import platform
+ import distutils.command.install as orig
+
+@@ -40,8 +41,13 @@ class install(orig.install):
+ Please avoid running ``setup.py`` directly.
+ Instead, use pypa/build, pypa/installer or other
+ standards-based tools.
+- """,
+- see_url="https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html",
++ """
++ + ("""
++ Follow the current Python packaging guidelines when building
++ Python RPM packages.
++ """ if "RPM_BUILD_ROOT" in os.environ else ""),
++ see_url=("https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html"
++ + ("\nand https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/" if "RPM_BUILD_ROOT" in os.environ else "")),
+ # TODO: Document how to bootstrap setuptools without install
+ # (e.g. by unziping the wheel file)
+ # and then add a due_date to this warning.
+--
+2.41.0
+
diff --git a/SOURCES/CVE-2024-6345.patch b/SOURCES/CVE-2024-6345.patch
new file mode 100644
index 0000000..d3f5074
--- /dev/null
+++ b/SOURCES/CVE-2024-6345.patch
@@ -0,0 +1,116 @@
+From 472528deea4063f20c5d9525f0faf64ae0cd0a90 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Wed, 24 Jul 2024 14:26:09 +0200
+Subject: [PATCH] CVE-2024-6345
+
+---
+ setuptools/package_index.py | 21 +++++---------------
+ setuptools/tests/test_packageindex.py | 20 ++++++++++----------
+ 2 files changed, 15 insertions(+), 26 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 7095585..1368bde 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,5 +1,6 @@
+ """PyPI and direct package downloading."""
+
++import subprocess
+ import sys
+ import os
+ import re
+@@ -881,17 +882,11 @@ class PackageIndex(Environment):
+ url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+
+ self.info("Doing git clone from %s to %s", url, filename)
+- os.system("git clone --quiet %s %s" % (url, filename))
++ subprocess.check_call(["git", "clone", "--quiet", url, filename])
+
+ if rev is not None:
+ self.info("Checking out %s", rev)
+- os.system(
+- "git -C %s checkout --quiet %s"
+- % (
+- filename,
+- rev,
+- )
+- )
++ subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
+
+ return filename
+
+@@ -900,17 +895,11 @@ class PackageIndex(Environment):
+ url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+
+ self.info("Doing hg clone from %s to %s", url, filename)
+- os.system("hg clone --quiet %s %s" % (url, filename))
++ subprocess.check_call(["hg", "clone", "--quiet", url, filename])
+
+ if rev is not None:
+ self.info("Updating to %s", rev)
+- os.system(
+- "hg --cwd %s up -C -r %s -q"
+- % (
+- filename,
+- rev,
+- )
+- )
++ subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
+
+ return filename
+
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 0287063..c136e8d 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -190,37 +190,37 @@ class TestPackageIndex:
+ url = 'git+https://github.example/group/project@master#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
++ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+ result = index.download(url, str(tmpdir))
+
+- os_system_mock.assert_called()
++ subprocess_check_call_mock.assert_called()
+
+ expected_dir = str(tmpdir / 'project@master')
+ expected = (
+ 'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- first_call_args = os_system_mock.call_args_list[0][0]
++ ).format(**locals()).split()
++ first_call_args = subprocess_check_call_mock.call_args_list[0][0]
+ assert first_call_args == (expected,)
+
+ tmpl = 'git -C {expected_dir} checkout --quiet master'
+- expected = tmpl.format(**locals())
+- assert os_system_mock.call_args_list[1][0] == (expected,)
++ expected = tmpl.format(**locals()).split()
++ assert subprocess_check_call_mock.call_args_list[1][0] == (expected,)
+ assert result == expected_dir
+
+ def test_download_git_no_rev(self, tmpdir):
+ url = 'git+https://github.example/group/project#egg=foo'
+ index = setuptools.package_index.PackageIndex()
+
+- with mock.patch("os.system") as os_system_mock:
++ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+ result = index.download(url, str(tmpdir))
+
+- os_system_mock.assert_called()
++ subprocess_check_call_mock.assert_called()
+
+ expected_dir = str(tmpdir / 'project')
+ expected = (
+ 'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+- ).format(**locals())
+- os_system_mock.assert_called_once_with(expected)
++ ).format(**locals()).split()
++ subprocess_check_call_mock.assert_called_once_with(expected)
+
+ def test_download_svn(self, tmpdir):
+ url = 'svn+https://svn.example/project#egg=foo'
+--
+2.45.2
+
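Review bot: In the new `subprocess.check_call` argument lists in `_download_git` and `_download_hg`, `url`, `filename` and `rev` follow the options directly, so a value that begins with `-` would still be read by git or hg as an option rather than an operand; the shell-string injection is gone, but argument injection is not ruled out. Where the command grammar allows it, terminate option parsing before the operands, `subprocess.check_call(["git", "clone", "--quiet", "--", url, filename])` and `subprocess.check_call(["hg", "clone", "--quiet", "--", url, filename])`, and validate `rev` (reject a leading `-`) before the checkout/update calls, since `git checkout -- <x>` would treat `x` as a pathspec rather than a revision. A non-zero exit now raises `subprocess.CalledProcessError` out of `download()` where `os.system`'s return code was previously ignored; that is a sensible behaviour change but deserves a comment such as `# check_call: a failed clone/checkout now propagates as CalledProcessError instead of being ignored`. In the test hunk, `.split()` on the expected command string only matches because the test URL and `tmpdir` contain no whitespace; spelling the expected argument list out explicitly would make the assertion independent of the temporary path. Both `_download_*` methods and both test methods start outside the hunk.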
diff --git a/SPECS/python3.12-setuptools.spec b/SPECS/python3.12-setuptools.spec
new file mode 100644
index 0000000..1be1209
--- /dev/null
+++ b/SPECS/python3.12-setuptools.spec
@@ -0,0 +1,271 @@
+%global __python3 /usr/bin/python3.12
+%global python3_pkgversion 3.12
+
+%global srcname setuptools
+
+# used when bootstrapping new Python versions
+%bcond_with bootstrap
+
+# Similar to what we have in pythonX.Y.spec files.
+# If enabled, provides unversioned executables and other stuff.
+# Disable it if you build this package in an alternative stack.
+%bcond_with main_python
+
+# Some dependencies are missing on RHEL, hence tests are disabled by default
+%bcond_with tests
+
+%global python_wheel_name %{srcname}-%{version}-py3-none-any.whl
+
+Name: python%{python3_pkgversion}-setuptools
+# When updating, update the bundled libraries versions bellow!
+Version: 68.2.2
+Release: 3%{?dist}.1
+Summary: Easily build and distribute Python packages
+# setuptools is MIT
+# platformdirs is MIT
+# more-itertools is MIT
+# ordered-set is MIT
+# packaging is BSD or ASL 2.0
+# importlib-metadata is ASL 2.0
+# importlib-resources is ASL 2.0
+# jaraco.text is MIT
+# typing-extensions is Python
+# zipp is MIT
+# nspektr is MIT
+# tomli is MIT
+# the setuptools logo is MIT
+License: MIT and ASL 2.0 and (BSD or ASL 2.0) and Python
+URL: https://pypi.python.org/pypi/%{srcname}
+Source0: %{pypi_source %{srcname} %{version}}
+
+# The `setup.py install` deprecation notice might be confusing for RPM packagers
+# adjust it, but only when $RPM_BUILD_ROOT is set
+Patch: Adjust-the-setup.py-install-deprecation-message.patch
+
+# Security fix for CVE-2024-6345
+# Remote code execution via download functions in the package_index module
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
+# Upstream solution: https://github.com/pypa/setuptools/pull/4332
+# Patch simplified because upstream doesn't support SVN anymore.
+Patch: CVE-2024-6345.patch
+
+BuildArch: noarch
+
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-rpm-macros
+
+%if %{with tests}
+BuildRequires: gcc
+%endif
+
+# python3 bootstrap: this is built before the final build of python3, which
+# adds the dependency on python3-rpm-generators, so we require it manually
+BuildRequires: python3-rpm-generators
+
+%if %{without bootstrap}
+BuildRequires: python%{python3_pkgversion}-pip
+BuildRequires: python%{python3_pkgversion}-wheel
+# Not to use the pre-generated egg-info, we use setuptools from previous build to generate it
+BuildRequires: python%{python3_pkgversion}-setuptools
+%endif
+
+# Virtual provides for the packages bundled by setuptools.
+# Bundled packages are defined in multiple files. Generate the list with:
+# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{python3_pkgversion}dist' */_vendor/vendored.txt
+%global bundled %{expand:
+Provides: bundled(python%{python3_pkgversion}dist(platformdirs)) = 2.6.2
+Provides: bundled(python%{python3_pkgversion}dist(importlib-metadata)) = 6
+Provides: bundled(python%{python3_pkgversion}dist(importlib-resources)) = 5.10.2
+Provides: bundled(python%{python3_pkgversion}dist(jaraco-text)) = 3.7
+Provides: bundled(python%{python3_pkgversion}dist(more-itertools)) = 8.8
+Provides: bundled(python%{python3_pkgversion}dist(ordered-set)) = 3.1.1
+Provides: bundled(python%{python3_pkgversion}dist(packaging)) = 23.1
+Provides: bundled(python%{python3_pkgversion}dist(typing-extensions)) = 4.4
+Provides: bundled(python%{python3_pkgversion}dist(typing-extensions)) = 4.0.1
+Provides: bundled(python%{python3_pkgversion}dist(zipp)) = 3.7
+Provides: bundled(python%{python3_pkgversion}dist(tomli)) = 2.0.1
+}
+
+%{bundled}
+
+# For users who might see ModuleNotFoundError: No module named 'pkg_resoureces'
+# NB: Those are two different provides: one contains underscore, the other hyphen
+%py_provides python%{python3_pkgversion}-pkg_resources
+%py_provides python%{python3_pkgversion}-pkg-resources
+
+%description
+Setuptools is a collection of enhancements to the Python 3 distutils that allow
+you to more easily build and distribute Python 3 packages, especially ones that
+have dependencies on other packages.
+
+This package also contains the runtime components of setuptools, necessary to
+execute the software that requires pkg_resources.
+
+%if %{without bootstrap}
+%package -n %{python_wheel_pkg_prefix}-%{srcname}-wheel
+Summary: The setuptools wheel
+%{bundled}
+
+%description -n %{python_wheel_pkg_prefix}-%{srcname}-wheel
+A Python wheel of setuptools to use with venv.
+%endif
+
+
+%prep
+%autosetup -p1 -n %{srcname}-%{version}
+%if %{without bootstrap}
+# If we don't have setuptools installed yet, we use the pre-generated .egg-info
+# See https://github.com/pypa/setuptools/pull/2543
+# And https://github.com/pypa/setuptools/issues/2550
+# WARNING: We cannot remove this folder since Python 3.11.1,
+# see https://github.com/pypa/setuptools/issues/3761
+#rm -r %%{srcname}.egg-info
+%endif
+
+# Strip shbang
+find setuptools pkg_resources -name \*.py | xargs sed -i -e '1 {/^#!\//d}'
+# Remove bundled exes
+rm -f setuptools/*.exe
+# Don't ship these
+rm -r docs/conf.py
+
+
+%build
+%if %{with bootstrap}
+%py3_build
+%else
+%py3_build_wheel
+%endif
+
+%install
+%if %{with bootstrap}
+# The setup.py install command tries to import distutils
+# but the distutils-precedence.pth file is not yet respected
+# and Python 3.12+ no longer has distutils in the standard library.
+ln -s setuptools/_distutils distutils
+PYTHONPATH=$PWD %py3_install
+unlink distutils
+%else
+%py3_install_wheel %{python_wheel_name}
+%endif
+
+# https://github.com/pypa/setuptools/issues/2709
+rm -rf %{buildroot}%{python3_sitelib}/pkg_resources/tests/
+
+%if %{without bootstrap}
+# Install the wheel for the python-setuptools-wheel package
+mkdir -p %{buildroot}%{python_wheel_dir}
+install -p dist/%{python_wheel_name} -t %{buildroot}%{python_wheel_dir}
+%endif
+
+
+%check
+
+# Regression tests
+
+%if 0%{?rhel} >= 9
+# The test cannot run on RHEL8 due to the test script missing from RPM.
+# Verify bundled provides are up to date
+
+cat */_vendor/vendored.txt > vendored.txt
+%{_rpmconfigdir}/pythonbundles.py vendored.txt --namespace 'python%{python3_pkgversion}dist' --compare-with '%{bundled}'
+%endif
+
+# Regression test, the tests are not supposed to be installed
+test ! -d %{buildroot}%{python3_sitelib}/pkg_resources/tests
+test ! -d %{buildroot}%{python3_sitelib}/setuptools/tests
+
+%if %{without bootstrap}
+# Regression test, the wheel should not be larger than 900 kB
+# https://bugzilla.redhat.com/show_bug.cgi?id=1914481#c3
+test $(stat --format %%s dist/%{python_wheel_name}) -lt 900000
+
+%py3_check_import setuptools pkg_resources
+%endif
+
+# Upstream test suite
+
+%if %{with tests}
+# https://github.com/pypa/setuptools/discussions/2607
+rm pyproject.toml
+
+# Upstream tests
+# --ignore=setuptools/tests/test_integration.py
+# --ignore=setuptools/tests/integration/
+# --ignore=setuptools/tests/config/test_apply_pyprojecttoml.py
+# -k "not test_pip_upgrade_from_source"
+# the tests require internet connection
+# --ignore=setuptools/tests/test_editable_install.py
+# the tests require pip-run which we don't have in Fedora
+PRE_BUILT_SETUPTOOLS_WHEEL=dist/%{python_wheel_name} \
+PYTHONPATH=$(pwd) %pytest \
+ --ignore=setuptools/tests/test_integration.py \
+ --ignore=setuptools/tests/integration/ \
+ --ignore=setuptools/tests/test_editable_install.py \
+ --ignore=setuptools/tests/config/test_apply_pyprojecttoml.py \
+ --ignore=tools/finalize.py \
+ -k "not test_pip_upgrade_from_source and not test_setup_requires_honors_fetch_params"
+%endif # with tests
+
+
+%files -n python%{python3_pkgversion}-setuptools
+%license LICENSE
+%doc docs/* NEWS.rst README.rst
+%{python3_sitelib}/distutils-precedence.pth
+%{python3_sitelib}/pkg_resources/
+%{python3_sitelib}/setuptools*/
+%{python3_sitelib}/_distutils_hack/
+
+%if %{without bootstrap}
+%files -n %{python_wheel_pkg_prefix}-%{srcname}-wheel
+%license LICENSE
+# we own the dir for simplicity
+%dir %{python_wheel_dir}/
+%{python_wheel_dir}/%{python_wheel_name}
+%endif
+
+
+%changelog
+* Wed Jul 24 2024 Lumír Balhar - 68.2.2-3.1
+- Security fix for CVE-2024-6345
+Resolves: RHEL-50481
+
+* Tue Jan 23 2024 Miro Hrončok - 68.2.2-3
+- Rebuilt for timestamp .pyc invalidation mode
+
+* Mon Nov 13 2023 Charalampos Stratakis - 68.2.2-2
+- Disable bootstrap
+
+* Thu Oct 05 2023 Tomáš Hrnčiar - 68.2.2-1
+
+- Initial package
+- Fedora contributions by:
+ Bill Nottingham
+ Charalampos Stratakis
+ David Malcolm
+ Dennis Gilmore
+ Haikel Guemar
+ Ignacio Vazquez-Abrams
+ Jesse Keating
+ Karolina Surma
+ Kevin Fenzi
+ Konstantin Ryabitsev
+ Lumir Balhar
+ Matej Stuchlik
+ Michal Cyprian
+ Miro Hrončok
+ Nils Philippsen
+ Orion Poplawski
+ Petr Viktorin
+ Pierre-Yves Chibon
+ Ralph Bean
+ Randy Barlow
+ Robert Kuska
+ Thomas Spura
+ Tomáš Hrnčiar
+ Tomas Orsava
+ Tomas Radej
+ Toshio Kuratomi
+ Troy Dawson
+ Ville Skyttä
+
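Review bot: The regression tests that CVE-2024-6345.patch rewrites in `setuptools/tests/test_packageindex.py` are never executed by this build, because `%bcond_with tests` leaves the upstream suite off by default and `%check` otherwise only runs the bundled-provides comparison, the install-layout checks and `%py3_check_import setuptools pkg_resources`; the security fix is therefore verified only by import, not by behaviour, unless the package is rebuilt with `--with tests` somewhere in the pipeline. That gap is worth stating next to the `%bcond_with tests` line, e.g. `# NOTE: with tests disabled, patched upstream tests (incl. the CVE-2024-6345 ones) are not run in %check`. The comment block above `Patch: CVE-2024-6345.patch` would also help the next maintainer more if it named the change, e.g. `# Replaces os.system() shell strings in package_index._download_git/_download_hg with subprocess.check_call() argument lists`.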