.gitignore

@@ -1 +1 @@
-SOURCES/setuptools-41.6.0.zip
+SOURCES/setuptools-50.3.2.zip

.python3x-setuptools.metadata

@@ -1 +1 @@
-79f4ba0be27967d8f02b0d21a1e34fba9432481d SOURCES/setuptools-41.6.0.zip
+2c9279e6b2d521f6799294200a432925113177dc SOURCES/setuptools-50.3.2.zip

SOURCES/CVE-2022-40897.patch

@@ -0,0 +1,13 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 

SOURCES/CVE-2024-6345.patch

@@ -0,0 +1,159 @@
+From 39a1aa65fb4163d917131b4814d4c2dd2bf19677 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Wed, 24 Jul 2024 12:43:20 +0200
+Subject: [PATCH] CVE-2024-6345
+
+---
+ setuptools/package_index.py           | 23 +++++++++-------------
+ setuptools/tests/test_packageindex.py | 28 +++++++++++++--------------
+ 2 files changed, 23 insertions(+), 28 deletions(-)
+
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e9582b..07cc8924b 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,4 +1,5 @@
+ """PyPI and direct package downloading"""
++import subprocess
+ import sys
+ import os
+ import re
+@@ -860,7 +861,7 @@ class PackageIndex(Environment):
+     def _download_svn(self, url, filename):
+         warnings.warn("SVN download support is deprecated", UserWarning)
+         url = url.split('#', 1)[0]  # remove any fragment for svn's sake
+-        creds = ''
++        creds = []
+         if url.lower().startswith('svn:') and '@' in url:
+             scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
+             if not netloc and path.startswith('//') and '/' in path[2:]:
+@@ -869,14 +870,14 @@ class PackageIndex(Environment):
+                 if auth:
+                     if ':' in auth:
+                         user, pw = auth.split(':', 1)
+-                        creds = " --username=%s --password=%s" % (user, pw)
++                        creds = [f"--username={user}", f"--password={pw}"]
+                     else:
+-                        creds = " --username=" + auth
++                        creds = [f"--username={auth}"]
+                     netloc = host
+                     parts = scheme, netloc, url, p, q, f
+                     url = urllib.parse.urlunparse(parts)
+         self.info("Doing subversion checkout from %s to %s", url, filename)
+-        os.system("svn checkout%s -q %s %s" % (creds, url, filename))
++        subprocess.check_call(["svn", "checkout"] + creds + ["-q", url, filename])
+         return filename
+ 
+     @staticmethod
+@@ -902,14 +903,11 @@ class PackageIndex(Environment):
+         url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ 
+         self.info("Doing git clone from %s to %s", url, filename)
+-        os.system("git clone --quiet %s %s" % (url, filename))
++        subprocess.check_call(["git", "clone", "--quiet", url, filename])
+ 
+         if rev is not None:
+             self.info("Checking out %s", rev)
+-            os.system("git -C %s checkout --quiet %s" % (
+-                filename,
+-                rev,
+-            ))
++            subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
+ 
+         return filename
+ 
+@@ -918,14 +916,11 @@ class PackageIndex(Environment):
+         url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+ 
+         self.info("Doing hg clone from %s to %s", url, filename)
+-        os.system("hg clone --quiet %s %s" % (url, filename))
++        subprocess.check_call(["hg", "clone", "--quiet", url, filename])
+ 
+         if rev is not None:
+             self.info("Updating to %s", rev)
+-            os.system("hg --cwd %s up -C -r %s -q" % (
+-                filename,
+-                rev,
+-            ))
++            subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
+ 
+         return filename
+ 
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 8e9435efe..9289b9032 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -197,56 +197,56 @@ class TestPackageIndex:
+         url = 'git+https://github.example/group/project@master#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+-        with mock.patch("os.system") as os_system_mock:
++        with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+             result = index.download(url, str(tmpdir))
+ 
+-        os_system_mock.assert_called()
++        subprocess_check_call_mock.assert_called()
+ 
+         expected_dir = str(tmpdir / 'project@master')
+         expected = (
+             'git clone --quiet '
+             'https://github.example/group/project {expected_dir}'
+-        ).format(**locals())
+-        first_call_args = os_system_mock.call_args_list[0][0]
++        ).format(**locals()).split()
++        first_call_args = subprocess_check_call_mock.call_args_list[0][0]
+         assert first_call_args == (expected,)
+ 
+         tmpl = 'git -C {expected_dir} checkout --quiet master'
+-        expected = tmpl.format(**locals())
+-        assert os_system_mock.call_args_list[1][0] == (expected,)
++        expected = tmpl.format(**locals()).split()
++        assert subprocess_check_call_mock.call_args_list[1][0] == (expected,)
+         assert result == expected_dir
+ 
+     def test_download_git_no_rev(self, tmpdir):
+         url = 'git+https://github.example/group/project#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+-        with mock.patch("os.system") as os_system_mock:
++        with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+             result = index.download(url, str(tmpdir))
+ 
+-        os_system_mock.assert_called()
++        subprocess_check_call_mock.assert_called()
+ 
+         expected_dir = str(tmpdir / 'project')
+         expected = (
+             'git clone --quiet '
+             'https://github.example/group/project {expected_dir}'
+-        ).format(**locals())
+-        os_system_mock.assert_called_once_with(expected)
++        ).format(**locals()).split()
++        subprocess_check_call_mock.assert_called_once_with(expected)
+ 
+     def test_download_svn(self, tmpdir):
+         url = 'svn+https://svn.example/project#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+         with pytest.warns(UserWarning):
+-            with mock.patch("os.system") as os_system_mock:
++            with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
+                 result = index.download(url, str(tmpdir))
+ 
+-        os_system_mock.assert_called()
++        subprocess_check_call_mock.assert_called()
+ 
+         expected_dir = str(tmpdir / 'project')
+         expected = (
+             'svn checkout -q '
+             'svn+https://svn.example/project {expected_dir}'
+-        ).format(**locals())
+-        os_system_mock.assert_called_once_with(expected)
++        ).format(**locals()).split()
++        subprocess_check_call_mock.assert_called_once_with(expected)
+ 
+ 
+ class TestContentCheckers:
+-- 
+2.45.2
+

SOURCES/create-site-packages.patch

@@ -1,17 +0,0 @@
-diff --git a/setuptools/command/easy_install.py b/setuptools/command/easy_install.py
-index 91c48b3..0c9b0f4 100755
---- a/setuptools/command/easy_install.py
-+++ b/setuptools/command/easy_install.py
-@@ -446,6 +446,12 @@ class easy_install(Command):
-         instdir = normalize_path(self.install_dir)
-         pth_file = os.path.join(instdir, 'easy-install.pth')
- 
-+        if not os.path.exists(instdir):
-+            try:
-+                os.makedirs(instdir)
-+            except (OSError, IOError):
-+                self.cant_write_to_target()
-+
-         # Is it a configured, PYTHONPATH, implicit, or explicit site dir?
-         is_site_dir = instdir in self.all_site_dirs
- 

SPECS/python3x-setuptools.spec

@@ -6,29 +6,39 @@
 %bcond_with tests
 
 %if %{without bootstrap}
-%global python_wheelname %{srcname}-%{version}-py2.py3-none-any.whl
+%global python_wheelname %{srcname}-%{version}-py3-none-any.whl
 %global python3_record %{python3_sitelib}/%{srcname}-%{version}.dist-info/RECORD
 %endif
-%global python_wheeldir %{_datadir}/python38-wheels
+%global python_wheeldir %{_datadir}/python%{python3_pkgversion}-wheels
 
 Name:           python3x-setuptools
 # When updating, update the bundled libraries versions bellow!
-Version:        41.6.0
-Release:        4%{?dist}
+Version:        50.3.2
+Release:        6%{?dist}
 Summary:        Easily build and distribute Python packages
 # setuptools is MIT
+# appdirs is MIT
 # packaging is BSD or ASL 2.0
 # pyparsing is MIT
-# six is MIT
+# the setuptools logo has unknown license and possible TM problems,
+# but the sdist **does not** contain it,
+# see https://github.com/pypa/setuptools/issues/2227
 License:        MIT and (BSD or ASL 2.0)
 URL:            https://pypi.python.org/pypi/%{srcname}
 Source0:        %{pypi_source %{srcname} %{version} zip}
 
-# In Fedora, sudo setup.py install installs to /usr/local/lib/pythonX.Y/site-packages
-# But pythonX doesn't own that dir, that would be against FHS
-# We need to create it if it doesn't exist
-# https://bugzilla.redhat.com/show_bug.cgi?id=1576924
-Patch0:         create-site-packages.patch
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+# The patch is backported without test because that requires pytest.timeout.
+Patch1:         CVE-2022-40897.patch
+
+# Security fix for CVE-2024-6345
+# Remote code execution via download functions in the package_index module
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
+# Upstream solution: https://github.com/pypa/setuptools/pull/4332
+# Patch simplified because upstream doesn't support SVN anymore.
+Patch2:         CVE-2024-6345.patch
 
 BuildArch:      noarch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -36,20 +46,23 @@ BuildArch:      noarch
 # See: https://projects.engineering.redhat.com/browse/RCM-72605
 ExcludeArch:    i686
 
-BuildRequires:  gcc
-
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-rpm-macros
 %if %{with tests}
+BuildRequires:  gcc
 BuildRequires:  python%{python3_pkgversion}-pip
 BuildRequires:  python%{python3_pkgversion}-pytest
 BuildRequires:  python%{python3_pkgversion}-mock
 BuildRequires:  python%{python3_pkgversion}-pytest-fixture-config
 BuildRequires:  python%{python3_pkgversion}-pytest-virtualenv
+BuildRequires:  python%{python3_pkgversion}-jaraco-envs
 %endif # with tests
 %if %{without bootstrap}
 BuildRequires:  python%{python3_pkgversion}-pip
 BuildRequires:  python%{python3_pkgversion}-wheel
+# python3 bootstrap: this is built before the final build of python3, which
+# adds the dependency on python3-rpm-generators, so we require it manually
+BuildRequires:  python3-rpm-generators
 %endif # without bootstrap
 
 %description
@@ -58,29 +71,31 @@ you to more easily build and distribute Python packages, especially ones that
 have dependencies on other packages.
 
 This package also contains the runtime components of setuptools, necessary to
-execute the software that requires pkg_resources.py.
+execute the software that requires pkg_resources.
 
 # Virtual provides for the packages bundled by setuptools.
-# You can find the versions in setuptools/setuptools/_vendor/vendored.txt
-%global bundled() %{expand:
-Provides: bundled(python%{1}dist(packaging)) = 16.8
-Provides: bundled(python%{1}dist(pyparsing)) = 2.2.1
-Provides: bundled(python%{1}dist(six)) = 1.10.0
+# Copied from Fedora where you can generate it with:
+# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{python3_pkgversion}dist' pkg_resources/_vendor/vendored.txt
+%global bundled %{expand:
+Provides: bundled(python%{python3_version}dist(appdirs)) = 1.4.3
+Provides: bundled(python%{python3_version}dist(packaging)) = 20.4
+Provides: bundled(python%{python3_version}dist(pyparsing)) = 2.2.1
 }
 
 %package -n python%{python3_pkgversion}-setuptools
 Summary:        Easily build and distribute Python 3 packages
-%{?python_provide:%python_provide python%{python3_pkgversion}-setuptools}
-%{bundled 3.8}
+%{bundled}
 
 %if %{with bootstrap}
 Provides:       python%{python3_version}dist(setuptools) = %{version}
 %endif
 
-# python38 installs the alternatives master symlink to which we attach a slave
-Requires: python38
-Requires(post): python38
-Requires(postun): python38
+# Require alternatives version that implements the --keep-foreign flag
+Requires(postun): alternatives >= 1.19.1-1
+# python39 installs the alternatives master symlink to which we attach a slave
+Requires: python%{python3_pkgversion}
+Requires(post): python%{python3_pkgversion}
+Requires(postun): python%{python3_pkgversion}
 
 
 %description -n python%{python3_pkgversion}-setuptools
@@ -89,12 +104,12 @@ you to more easily build and distribute Python 3 packages, especially ones that
 have dependencies on other packages.
 
 This package also contains the runtime components of setuptools, necessary to
-execute the software that requires pkg_resources.py.
+execute the software that requires pkg_resources.
 
 %if %{without bootstrap}
 %package -n python%{python3_pkgversion}-setuptools-wheel
 Summary:        The setuptools wheel
-%{bundled 3.8}
+%{bundled}
 
 %description -n python%{python3_pkgversion}-setuptools-wheel
 A Python wheel of setuptools to use with venv.
@@ -111,8 +126,9 @@ find setuptools pkg_resources -name \*.py | xargs sed -i -e '1 {/^#!\//d}'
 rm -f setuptools/*.exe
 # These tests require internet connection
 rm setuptools/tests/test_integration.py 
-# Spurious executable perm https://github.com/pypa/setuptools/pull/1441
-chmod -x README.rst
+# We don't do linting or coverage here
+sed -i pytest.ini -e 's/ --flake8//' \
+                  -e 's/ --cov//'
 
 %build
 # Warning, different bootstrap meaning here, has nothing to do with our bcond
@@ -134,7 +150,9 @@ chmod -x README.rst
 %py3_install
 %endif
 
-rm -rf %{buildroot}%{python3_sitelib}/setuptools/tests
+# This is not installed (in 45.2.0 anyway), but better be safe than sorry
+rm -rf %{buildroot}%{python3_sitelib}/{setuptools,pkg_resources}/tests
+
 %if %{without bootstrap}
 sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record}
 %endif
@@ -142,7 +160,7 @@ sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record}
 find %{buildroot}%{python3_sitelib} -name '*.exe' | xargs rm -f
 
 # Don't ship these
-rm -r docs/{Makefile,conf.py,_*}
+rm -r docs/{conf.py,_*}
 
 %if %{without bootstrap}
 mkdir -p %{buildroot}%{python_wheeldir}
@@ -159,26 +177,23 @@ touch %{buildroot}%{_bindir}/easy_install-3
 
 %if %{with tests}
 %check
-# --ignore=pavement.py: No python3-paver in Fedora
+# Upstream tests
+# --ignore=pavement.py:
 #   pavement.py is only used by upstream to do releases and vendoring, we don't ship it
-# --deselect=setuptools/tests/test_setuptools.py::TestDepends::testRequire
-#   Test failure reported upstream: https://github.com/pypa/setuptools/issues/1896
-PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) pytest-%{python3_version} \
-    --ignore=pavement.py \
-    --deselect=setuptools/tests/test_setuptools.py::TestDepends::testRequire
+PYTHONPATH=$(pwd) %pytest --ignore=pavement.py
 %endif # with tests
 
 
 %post -n python%{python3_pkgversion}-setuptools
-alternatives --add-slave python3 %{_bindir}/python3.8 \
+alternatives --add-slave python3 %{_bindir}/python%{python3_version} \
     %{_bindir}/easy_install-3 \
     easy_install-3 \
-    %{_bindir}/easy_install-3.8 \
+    %{_bindir}/easy_install-%{python3_version} \
 
 %postun -n python%{python3_pkgversion}-setuptools
 # Do this only during uninstall process (not during update)
 if [ $1 -eq 0 ]; then
-    alternatives --remove-slave python3 %{_bindir}/python3.8 \
+    alternatives --keep-foreign --remove-slave python3 %{_bindir}/python%{python3_version} \
         easy_install-3
 fi
 
@@ -189,6 +204,8 @@ fi
 %{python3_sitelib}/easy_install.py
 %{python3_sitelib}/pkg_resources/
 %{python3_sitelib}/setuptools*/
+%{python3_sitelib}/_distutils_hack/
+%{python3_sitelib}/distutils-precedence.pth
 %{python3_sitelib}/__pycache__/*
 %{_bindir}/easy_install-3.*
 %ghost %{_bindir}/easy_install-3
@@ -203,15 +220,81 @@ fi
 
 
 %changelog
-* Mon Mar 09 2020 Tomas Orsava <torsava@redhat.com> - 41.6.0-4
-- Implement the alternatives system for the executables
-- Resolves: rhbz#1807041
+* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 50.3.2-6
+- Security fix for CVE-2024-6345
+Resolves: RHEL-50493
+
+* Tue Oct 03 2023 Lumír Balhar <lbalhar@redhat.com> - 50.3.2-5
+- Fix for CVE-2022-40897
+Resolves: RHEL-9764
+
+* Thu Aug 05 2021 Tomas Orsava <torsava@redhat.com> - 50.3.2-4
+- Adjusted the postun scriptlets to enable upgrading to RHEL 9
+- Resolves: rhbz#1933055
+
+* Tue Jan 05 2021 Tomas Orsava <torsava@redhat.com> - 50.3.2-3
+- Convert from Fedora to the python39 module in RHEL8
+- Resolves: rhbz#1877430
+
+* Fri Dec  4 2020 Miro Hrončok <mhroncok@redhat.com> - 50.3.2-2
+- Disable tests in Fedora ELN (and RHEL)
+
+* Tue Oct 20 2020 Tomas Hrnciar <thrnciar@redhat.com> - 50.3.2-1
+- Update to 50.3.2 (#1889093)
+
+* Fri Sep 04 2020 Tomas Hrnciar <thrnciar@redhat.com> - 50.1.0-1
+- Update to 50.1.0 (#1873889)
+
+* Fri Aug 21 2020 Petr Viktorin <pviktori@redhat.com> - 49.6.0-1
+- Update to 49.6.0 (#1862791)
+
+* Wed Jul 29 2020 Miro Hrončok <mhroncok@redhat.com> - 49.1.3-1
+- Update to 49.1.3 (#1853597)
+- https://setuptools.readthedocs.io/en/latest/history.html#v49-1-3
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 47.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jun 26 2020 Miro Hrončok <mhroncok@redhat.com> - 47.3.1-1
+- Update to 47.3.1 (#1847049)
+- https://setuptools.readthedocs.io/en/latest/history.html#v47-3-1
+
+* Mon Jun 01 2020 Charalampos Stratakis <cstratak@redhat.com> - 47.1.1-1
+- Update to 47.1.1 (#1841123)
+- https://setuptools.readthedocs.io/en/latest/history.html#v47-1-1
+
+* Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-4
+- Rebuilt for Python 3.9
+
+* Thu May 21 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-3
+- Bootstrap for Python 3.9
+
+* Thu May 21 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-2
+- Bootstrap for Python 3.9
+
+* Mon May 18 2020 Tomas Hrnciar <thrnciar@redhat.com> - 46.4.0-1
+- Update to 46.4.0 (#1835411)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-4-0
+
+* Tue May 12 2020 Tomas Hrnciar <thrnciar@redhat.com> - 46.2.0-1
+- Update to 46.2.0 (#1833826)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-2-0
+
+* Thu Mar 26 2020 Miro Hrončok <mhroncok@redhat.com> - 46.1.3-1
+- Upgrade to 46.1.3 (#1817189)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-1-3
+
+* Tue Mar 10 2020 Miro Hrončok <mhroncok@redhat.com> - 46.0.0-1
+- Upgrade to 46.0.0 (#1811340)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-0-0
 
-* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-3
-- Exclude unsupported i686 arch
+* Tue Feb 11 2020 Miro Hrončok <mhroncok@redhat.com> - 45.2.0-1
+- Upgrade to 45.2.0 (#1775943)
+- https://setuptools.readthedocs.io/en/latest/history.html#v45-2-0
+- No longer supports Python 2
 
-* Mon Nov 18 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-2
-- Convert to RHEL8 python38 module
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 41.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
 * Mon Nov 04 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-1
 - Upgrade to 41.6.0 (#1758945).