

No commits in common. 'c8-stream-3.9' and 'c8-stream-3.8' have entirely different histories.

.gitignore vendored

@ -1 +1 @@
SOURCES/setuptools-50.3.2.zip SOURCES/setuptools-41.6.0.zip

@ -1 +1 @@
2c9279e6b2d521f6799294200a432925113177dc SOURCES/setuptools-50.3.2.zip 79f4ba0be27967d8f02b0d21a1e34fba9432481d SOURCES/setuptools-41.6.0.zip

@ -1,13 +0,0 @@
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 123e958..a90b810 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -215,7 +215,7 @@ def unique_values(func):
return wrapper
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
# this line is here to fix emacs' cruddy broken syntax highlighting

@ -1,159 +0,0 @@
From 39a1aa65fb4163d917131b4814d4c2dd2bf19677 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 24 Jul 2024 12:43:20 +0200
Subject: [PATCH] CVE-2024-6345
---
setuptools/package_index.py | 23 +++++++++-------------
setuptools/tests/test_packageindex.py | 28 +++++++++++++--------------
2 files changed, 23 insertions(+), 28 deletions(-)
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 123e9582b..07cc8924b 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -1,4 +1,5 @@
"""PyPI and direct package downloading"""
+import subprocess
import sys
import os
import re
@@ -860,7 +861,7 @@ class PackageIndex(Environment):
def _download_svn(self, url, filename):
warnings.warn("SVN download support is deprecated", UserWarning)
url = url.split('#', 1)[0] # remove any fragment for svn's sake
- creds = ''
+ creds = []
if url.lower().startswith('svn:') and '@' in url:
scheme, netloc, path, p, q, f = urllib.parse.urlparse(url)
if not netloc and path.startswith('//') and '/' in path[2:]:
@@ -869,14 +870,14 @@ class PackageIndex(Environment):
if auth:
if ':' in auth:
user, pw = auth.split(':', 1)
- creds = " --username=%s --password=%s" % (user, pw)
+ creds = [f"--username={user}", f"--password={pw}"]
else:
- creds = " --username=" + auth
+ creds = [f"--username={auth}"]
netloc = host
parts = scheme, netloc, url, p, q, f
url = urllib.parse.urlunparse(parts)
self.info("Doing subversion checkout from %s to %s", url, filename)
- os.system("svn checkout%s -q %s %s" % (creds, url, filename))
+ subprocess.check_call(["svn", "checkout"] + creds + ["-q", url, filename])
return filename
@staticmethod
@@ -902,14 +903,11 @@ class PackageIndex(Environment):
url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
self.info("Doing git clone from %s to %s", url, filename)
- os.system("git clone --quiet %s %s" % (url, filename))
+ subprocess.check_call(["git", "clone", "--quiet", url, filename])
if rev is not None:
self.info("Checking out %s", rev)
- os.system("git -C %s checkout --quiet %s" % (
- filename,
- rev,
- ))
+ subprocess.check_call(["git", "-C", filename, "checkout", "--quiet", rev])
return filename
@@ -918,14 +916,11 @@ class PackageIndex(Environment):
url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
self.info("Doing hg clone from %s to %s", url, filename)
- os.system("hg clone --quiet %s %s" % (url, filename))
+ subprocess.check_call(["hg", "clone", "--quiet", url, filename])
if rev is not None:
self.info("Updating to %s", rev)
- os.system("hg --cwd %s up -C -r %s -q" % (
- filename,
- rev,
- ))
+ subprocess.check_call(["hg", "--cwd", filename, "up", "-C", "-r", rev, "-q"])
return filename
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index 8e9435efe..9289b9032 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -197,56 +197,56 @@ class TestPackageIndex:
url = 'git+https://github.example/group/project@master#egg=foo'
index = setuptools.package_index.PackageIndex()
- with mock.patch("os.system") as os_system_mock:
+ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
result = index.download(url, str(tmpdir))
- os_system_mock.assert_called()
+ subprocess_check_call_mock.assert_called()
expected_dir = str(tmpdir / 'project@master')
expected = (
'git clone --quiet '
'https://github.example/group/project {expected_dir}'
- ).format(**locals())
- first_call_args = os_system_mock.call_args_list[0][0]
+ ).format(**locals()).split()
+ first_call_args = subprocess_check_call_mock.call_args_list[0][0]
assert first_call_args == (expected,)
tmpl = 'git -C {expected_dir} checkout --quiet master'
- expected = tmpl.format(**locals())
- assert os_system_mock.call_args_list[1][0] == (expected,)
+ expected = tmpl.format(**locals()).split()
+ assert subprocess_check_call_mock.call_args_list[1][0] == (expected,)
assert result == expected_dir
def test_download_git_no_rev(self, tmpdir):
url = 'git+https://github.example/group/project#egg=foo'
index = setuptools.package_index.PackageIndex()
- with mock.patch("os.system") as os_system_mock:
+ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
result = index.download(url, str(tmpdir))
- os_system_mock.assert_called()
+ subprocess_check_call_mock.assert_called()
expected_dir = str(tmpdir / 'project')
expected = (
'git clone --quiet '
'https://github.example/group/project {expected_dir}'
- ).format(**locals())
- os_system_mock.assert_called_once_with(expected)
+ ).format(**locals()).split()
+ subprocess_check_call_mock.assert_called_once_with(expected)
def test_download_svn(self, tmpdir):
url = 'svn+https://svn.example/project#egg=foo'
index = setuptools.package_index.PackageIndex()
with pytest.warns(UserWarning):
- with mock.patch("os.system") as os_system_mock:
+ with mock.patch("subprocess.check_call") as subprocess_check_call_mock:
result = index.download(url, str(tmpdir))
- os_system_mock.assert_called()
+ subprocess_check_call_mock.assert_called()
expected_dir = str(tmpdir / 'project')
expected = (
'svn checkout -q '
'svn+https://svn.example/project {expected_dir}'
- ).format(**locals())
- os_system_mock.assert_called_once_with(expected)
+ ).format(**locals()).split()
+ subprocess_check_call_mock.assert_called_once_with(expected)
class TestContentCheckers:
--
2.45.2

@ -0,0 +1,17 @@
diff --git a/setuptools/command/easy_install.py b/setuptools/command/easy_install.py
index 91c48b3..0c9b0f4 100755
--- a/setuptools/command/easy_install.py
+++ b/setuptools/command/easy_install.py
@@ -446,6 +446,12 @@ class easy_install(Command):
instdir = normalize_path(self.install_dir)
pth_file = os.path.join(instdir, 'easy-install.pth')
+ if not os.path.exists(instdir):
+ try:
+ os.makedirs(instdir)
+ except (OSError, IOError):
+ self.cant_write_to_target()
+
# Is it a configured, PYTHONPATH, implicit, or explicit site dir?
is_site_dir = instdir in self.all_site_dirs
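Review bot: The `if not os.path.exists(instdir):` guard in front of `os.makedirs(instdir)` is a check-then-act pair: an installer that creates the directory between the two calls makes `makedirs` raise `FileExistsError`, which the `except (OSError, IOError)` branch turns into `self.cant_write_to_target()` even though the target is perfectly usable. Moving the check into the call, `os.makedirs(instdir, exist_ok=True)` inside the `try`, lets the `if` line go and keeps the permission-denied case on the same `cant_write_to_target()` path; a pre-existing path that is a file still raises `FileExistsError` and is reported the same way. Given that this package only builds against Python 3, `except OSError:` is enough, since `IOError` is an alias of `OSError` there — though keeping the tuple is harmless if the patch is meant to stay close to the upstream file's Python 2 era. The enclosing method of `easy_install` starts and ends outside the hunk, so whether `instdir` can be empty or relative at this point cannot be seen here; `normalize_path` on the line above presumably absolutizes it.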

@ -6,39 +6,29 @@
%bcond_with tests %bcond_with tests
%if %{without bootstrap} %if %{without bootstrap}
%global python_wheelname %{srcname}-%{version}-py3-none-any.whl %global python_wheelname %{srcname}-%{version}-py2.py3-none-any.whl
%global python3_record %{python3_sitelib}/%{srcname}-%{version}.dist-info/RECORD %global python3_record %{python3_sitelib}/%{srcname}-%{version}.dist-info/RECORD
%endif %endif
%global python_wheeldir %{_datadir}/python%{python3_pkgversion}-wheels %global python_wheeldir %{_datadir}/python38-wheels
Name: python3x-setuptools Name: python3x-setuptools
# When updating, update the bundled libraries versions bellow! # When updating, update the bundled libraries versions bellow!
Version: 50.3.2 Version: 41.6.0
Release: 6%{?dist} Release: 4%{?dist}
Summary: Easily build and distribute Python packages Summary: Easily build and distribute Python packages
# setuptools is MIT # setuptools is MIT
# appdirs is MIT
# packaging is BSD or ASL 2.0 # packaging is BSD or ASL 2.0
# pyparsing is MIT # pyparsing is MIT
# the setuptools logo has unknown license and possible TM problems, # six is MIT
# but the sdist **does not** contain it,
# see https://github.com/pypa/setuptools/issues/2227
License: MIT and (BSD or ASL 2.0) License: MIT and (BSD or ASL 2.0)
URL: https://pypi.python.org/pypi/%{srcname} URL: https://pypi.python.org/pypi/%{srcname}
Source0: %{pypi_source %{srcname} %{version} zip} Source0: %{pypi_source %{srcname} %{version} zip}
# Security fix for CVE-2022-40897 # In Fedora, sudo setup.py install installs to /usr/local/lib/pythonX.Y/site-packages
# Regular Expression Denial of Service (ReDoS) in package_index.py # But pythonX doesn't own that dir, that would be against FHS
# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be # We need to create it if it doesn't exist
# The patch is backported without test because that requires pytest.timeout. # https://bugzilla.redhat.com/show_bug.cgi?id=1576924
Patch1: CVE-2022-40897.patch Patch0: create-site-packages.patch
# Security fix for CVE-2024-6345
# Remote code execution via download functions in the package_index module
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2297771
# Upstream solution: https://github.com/pypa/setuptools/pull/4332
# Patch simplified because upstream doesn't support SVN anymore.
Patch2: CVE-2024-6345.patch
BuildArch: noarch BuildArch: noarch
# Exclude i686 arch. Due to a modularity issue it's being added to the # Exclude i686 arch. Due to a modularity issue it's being added to the
@ -46,23 +36,20 @@ BuildArch: noarch
# See: https://projects.engineering.redhat.com/browse/RCM-72605 # See: https://projects.engineering.redhat.com/browse/RCM-72605
ExcludeArch: i686 ExcludeArch: i686
BuildRequires: gcc
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-rpm-macros BuildRequires: python%{python3_pkgversion}-rpm-macros
%if %{with tests} %if %{with tests}
BuildRequires: gcc
BuildRequires: python%{python3_pkgversion}-pip BuildRequires: python%{python3_pkgversion}-pip
BuildRequires: python%{python3_pkgversion}-pytest BuildRequires: python%{python3_pkgversion}-pytest
BuildRequires: python%{python3_pkgversion}-mock BuildRequires: python%{python3_pkgversion}-mock
BuildRequires: python%{python3_pkgversion}-pytest-fixture-config BuildRequires: python%{python3_pkgversion}-pytest-fixture-config
BuildRequires: python%{python3_pkgversion}-pytest-virtualenv BuildRequires: python%{python3_pkgversion}-pytest-virtualenv
BuildRequires: python%{python3_pkgversion}-jaraco-envs
%endif # with tests %endif # with tests
%if %{without bootstrap} %if %{without bootstrap}
BuildRequires: python%{python3_pkgversion}-pip BuildRequires: python%{python3_pkgversion}-pip
BuildRequires: python%{python3_pkgversion}-wheel BuildRequires: python%{python3_pkgversion}-wheel
# python3 bootstrap: this is built before the final build of python3, which
# adds the dependency on python3-rpm-generators, so we require it manually
BuildRequires: python3-rpm-generators
%endif # without bootstrap %endif # without bootstrap
%description %description
@ -71,31 +58,29 @@ you to more easily build and distribute Python packages, especially ones that
have dependencies on other packages. have dependencies on other packages.
This package also contains the runtime components of setuptools, necessary to This package also contains the runtime components of setuptools, necessary to
execute the software that requires pkg_resources. execute the software that requires pkg_resources.py.
# Virtual provides for the packages bundled by setuptools. # Virtual provides for the packages bundled by setuptools.
# Copied from Fedora where you can generate it with: # You can find the versions in setuptools/setuptools/_vendor/vendored.txt
# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{python3_pkgversion}dist' pkg_resources/_vendor/vendored.txt %global bundled() %{expand:
%global bundled %{expand: Provides: bundled(python%{1}dist(packaging)) = 16.8
Provides: bundled(python%{python3_version}dist(appdirs)) = 1.4.3 Provides: bundled(python%{1}dist(pyparsing)) = 2.2.1
Provides: bundled(python%{python3_version}dist(packaging)) = 20.4 Provides: bundled(python%{1}dist(six)) = 1.10.0
Provides: bundled(python%{python3_version}dist(pyparsing)) = 2.2.1
} }
%package -n python%{python3_pkgversion}-setuptools %package -n python%{python3_pkgversion}-setuptools
Summary: Easily build and distribute Python 3 packages Summary: Easily build and distribute Python 3 packages
%{bundled} %{?python_provide:%python_provide python%{python3_pkgversion}-setuptools}
%{bundled 3.8}
%if %{with bootstrap} %if %{with bootstrap}
Provides: python%{python3_version}dist(setuptools) = %{version} Provides: python%{python3_version}dist(setuptools) = %{version}
%endif %endif
# Require alternatives version that implements the --keep-foreign flag # python38 installs the alternatives master symlink to which we attach a slave
Requires(postun): alternatives >= 1.19.1-1 Requires: python38
# python39 installs the alternatives master symlink to which we attach a slave Requires(post): python38
Requires: python%{python3_pkgversion} Requires(postun): python38
Requires(post): python%{python3_pkgversion}
Requires(postun): python%{python3_pkgversion}
%description -n python%{python3_pkgversion}-setuptools %description -n python%{python3_pkgversion}-setuptools
@ -104,12 +89,12 @@ you to more easily build and distribute Python 3 packages, especially ones that
have dependencies on other packages. have dependencies on other packages.
This package also contains the runtime components of setuptools, necessary to This package also contains the runtime components of setuptools, necessary to
execute the software that requires pkg_resources. execute the software that requires pkg_resources.py.
%if %{without bootstrap} %if %{without bootstrap}
%package -n python%{python3_pkgversion}-setuptools-wheel %package -n python%{python3_pkgversion}-setuptools-wheel
Summary: The setuptools wheel Summary: The setuptools wheel
%{bundled} %{bundled 3.8}
%description -n python%{python3_pkgversion}-setuptools-wheel %description -n python%{python3_pkgversion}-setuptools-wheel
A Python wheel of setuptools to use with venv. A Python wheel of setuptools to use with venv.
@ -126,9 +111,8 @@ find setuptools pkg_resources -name \*.py | xargs sed -i -e '1 {/^#!\//d}'
rm -f setuptools/*.exe rm -f setuptools/*.exe
# These tests require internet connection # These tests require internet connection
rm setuptools/tests/test_integration.py rm setuptools/tests/test_integration.py
# We don't do linting or coverage here # Spurious executable perm https://github.com/pypa/setuptools/pull/1441
sed -i pytest.ini -e 's/ --flake8//' \ chmod -x README.rst
-e 's/ --cov//'
%build %build
# Warning, different bootstrap meaning here, has nothing to do with our bcond # Warning, different bootstrap meaning here, has nothing to do with our bcond
@ -150,9 +134,7 @@ sed -i pytest.ini -e 's/ --flake8//' \
%py3_install %py3_install
%endif %endif
# This is not installed (in 45.2.0 anyway), but better be safe than sorry rm -rf %{buildroot}%{python3_sitelib}/setuptools/tests
rm -rf %{buildroot}%{python3_sitelib}/{setuptools,pkg_resources}/tests
%if %{without bootstrap} %if %{without bootstrap}
sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record} sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record}
%endif %endif
@ -160,7 +142,7 @@ sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record}
find %{buildroot}%{python3_sitelib} -name '*.exe' | xargs rm -f find %{buildroot}%{python3_sitelib} -name '*.exe' | xargs rm -f
# Don't ship these # Don't ship these
rm -r docs/{conf.py,_*} rm -r docs/{Makefile,conf.py,_*}
%if %{without bootstrap} %if %{without bootstrap}
mkdir -p %{buildroot}%{python_wheeldir} mkdir -p %{buildroot}%{python_wheeldir}
@ -177,23 +159,26 @@ touch %{buildroot}%{_bindir}/easy_install-3
%if %{with tests} %if %{with tests}
%check %check
# Upstream tests # --ignore=pavement.py: No python3-paver in Fedora
# --ignore=pavement.py:
# pavement.py is only used by upstream to do releases and vendoring, we don't ship it # pavement.py is only used by upstream to do releases and vendoring, we don't ship it
PYTHONPATH=$(pwd) %pytest --ignore=pavement.py # --deselect=setuptools/tests/test_setuptools.py::TestDepends::testRequire
# Test failure reported upstream: https://github.com/pypa/setuptools/issues/1896
PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) pytest-%{python3_version} \
--ignore=pavement.py \
--deselect=setuptools/tests/test_setuptools.py::TestDepends::testRequire
%endif # with tests %endif # with tests
%post -n python%{python3_pkgversion}-setuptools %post -n python%{python3_pkgversion}-setuptools
alternatives --add-slave python3 %{_bindir}/python%{python3_version} \ alternatives --add-slave python3 %{_bindir}/python3.8 \
%{_bindir}/easy_install-3 \ %{_bindir}/easy_install-3 \
easy_install-3 \ easy_install-3 \
%{_bindir}/easy_install-%{python3_version} \ %{_bindir}/easy_install-3.8 \
%postun -n python%{python3_pkgversion}-setuptools %postun -n python%{python3_pkgversion}-setuptools
# Do this only during uninstall process (not during update) # Do this only during uninstall process (not during update)
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
alternatives --keep-foreign --remove-slave python3 %{_bindir}/python%{python3_version} \ alternatives --remove-slave python3 %{_bindir}/python3.8 \
easy_install-3 easy_install-3
fi fi
@ -204,8 +189,6 @@ fi
%{python3_sitelib}/easy_install.py %{python3_sitelib}/easy_install.py
%{python3_sitelib}/pkg_resources/ %{python3_sitelib}/pkg_resources/
%{python3_sitelib}/setuptools*/ %{python3_sitelib}/setuptools*/
%{python3_sitelib}/_distutils_hack/
%{python3_sitelib}/distutils-precedence.pth
%{python3_sitelib}/__pycache__/* %{python3_sitelib}/__pycache__/*
%{_bindir}/easy_install-3.* %{_bindir}/easy_install-3.*
%ghost %{_bindir}/easy_install-3 %ghost %{_bindir}/easy_install-3
@ -220,81 +203,15 @@ fi
%changelog %changelog
* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 50.3.2-6 * Mon Mar 09 2020 Tomas Orsava <torsava@redhat.com> - 41.6.0-4
- Security fix for CVE-2024-6345 - Implement the alternatives system for the executables
Resolves: RHEL-50493 - Resolves: rhbz#1807041
* Tue Oct 03 2023 Lumír Balhar <lbalhar@redhat.com> - 50.3.2-5
- Fix for CVE-2022-40897
Resolves: RHEL-9764
* Thu Aug 05 2021 Tomas Orsava <torsava@redhat.com> - 50.3.2-4
- Adjusted the postun scriptlets to enable upgrading to RHEL 9
- Resolves: rhbz#1933055
* Tue Jan 05 2021 Tomas Orsava <torsava@redhat.com> - 50.3.2-3
- Convert from Fedora to the python39 module in RHEL8
- Resolves: rhbz#1877430
* Fri Dec 4 2020 Miro Hrončok <mhroncok@redhat.com> - 50.3.2-2
- Disable tests in Fedora ELN (and RHEL)
* Tue Oct 20 2020 Tomas Hrnciar <thrnciar@redhat.com> - 50.3.2-1
- Update to 50.3.2 (#1889093)
* Fri Sep 04 2020 Tomas Hrnciar <thrnciar@redhat.com> - 50.1.0-1
- Update to 50.1.0 (#1873889)
* Fri Aug 21 2020 Petr Viktorin <pviktori@redhat.com> - 49.6.0-1
- Update to 49.6.0 (#1862791)
* Wed Jul 29 2020 Miro Hrončok <mhroncok@redhat.com> - 49.1.3-1
- Update to 49.1.3 (#1853597)
- https://setuptools.readthedocs.io/en/latest/history.html#v49-1-3
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 47.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jun 26 2020 Miro Hrončok <mhroncok@redhat.com> - 47.3.1-1
- Update to 47.3.1 (#1847049)
- https://setuptools.readthedocs.io/en/latest/history.html#v47-3-1
* Mon Jun 01 2020 Charalampos Stratakis <cstratak@redhat.com> - 47.1.1-1
- Update to 47.1.1 (#1841123)
- https://setuptools.readthedocs.io/en/latest/history.html#v47-1-1
* Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-4
- Rebuilt for Python 3.9
* Thu May 21 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-3
- Bootstrap for Python 3.9
* Thu May 21 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-2
- Bootstrap for Python 3.9
* Mon May 18 2020 Tomas Hrnciar <thrnciar@redhat.com> - 46.4.0-1
- Update to 46.4.0 (#1835411)
- https://setuptools.readthedocs.io/en/latest/history.html#v46-4-0
* Tue May 12 2020 Tomas Hrnciar <thrnciar@redhat.com> - 46.2.0-1
- Update to 46.2.0 (#1833826)
- https://setuptools.readthedocs.io/en/latest/history.html#v46-2-0
* Thu Mar 26 2020 Miro Hrončok <mhroncok@redhat.com> - 46.1.3-1
- Upgrade to 46.1.3 (#1817189)
- https://setuptools.readthedocs.io/en/latest/history.html#v46-1-3
* Tue Mar 10 2020 Miro Hrončok <mhroncok@redhat.com> - 46.0.0-1
- Upgrade to 46.0.0 (#1811340)
- https://setuptools.readthedocs.io/en/latest/history.html#v46-0-0
* Tue Feb 11 2020 Miro Hrončok <mhroncok@redhat.com> - 45.2.0-1 * Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-3
- Upgrade to 45.2.0 (#1775943) - Exclude unsupported i686 arch
- https://setuptools.readthedocs.io/en/latest/history.html#v45-2-0
- No longer supports Python 2
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 41.6.0-2 * Mon Nov 18 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Convert to RHEL8 python38 module
* Mon Nov 04 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-1 * Mon Nov 04 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-1
- Upgrade to 41.6.0 (#1758945). - Upgrade to 41.6.0 (#1758945).
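Review bot: The new side of the spec carries only `Patch0: create-site-packages.patch`; nothing corresponds to the `CVE-2022-40897.patch` (ReDoS in the `REL` regex of package_index.py) and `CVE-2024-6345.patch` (VCS download helpers passing URL-derived strings to `os.system`) that the other side applies, and its changelog stops at 41.6.0-4 (Mar 2020), before either CVE was published. If the c8-stream-3.8 branch is still shipped, its 41.6.0 `package_index.py` presumably still contains the `os.system("svn checkout%s -q %s %s" ...)`, `git clone` and `hg clone` calls and the same `REL` pattern that the removed patch hunks show as context, so both fixes would need a backport against 41.6.0, recorded as `Patch1:`/`Patch2:` entries with the same `# Security fix for ...` comment block and a changelog entry, as the 3.9 side does; whether 41.6.0 is affected should be confirmed against the upstream advisories before rebasing the patches. The `%post`/`%postun` scriptlets on the new side also call `alternatives --remove-slave` without `--keep-foreign`, which the other side documents as needing `alternatives >= 1.19.1-1` for RHEL 9 upgrades; if that requirement applies to the 3.8 stream too, the `Requires(postun): alternatives >= 1.19.1-1` line should be carried over. Unrelated, but the `# When updating, update the bundled libraries versions bellow!` comment is shared by both sides and could read `below`.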
