poky/meta/recipes-devtools/python/python3-setuptools/CVE-2025-47273-pre1.patch

From d8390feaa99091d1ba9626bec0e4ba7072fc507a Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Sat, 19 Apr 2025 12:49:55 -0400
Subject: [PATCH] Extract _resolve_download_filename with test.

CVE: CVE-2025-47273 #Dependency Patch

Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a]

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
 setuptools/package_index.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 1a6abeb..b317735 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -807,9 +807,16 @@ class PackageIndex(Environment):
             else:
                 raise DistutilsError(f"Download error for {url}: {v}") from v

-    def _download_url(self, url, tmpdir):
-        # Determine download filename
-        #
+    @staticmethod
+    def _resolve_download_filename(url, tmpdir):
+        """
+        >>> du = PackageIndex._resolve_download_filename
+        >>> root = getfixture('tmp_path')
+        >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz'
+        >>> import pathlib
+        >>> str(pathlib.Path(du(url, root)).relative_to(root))
+        'setuptools-78.1.0.tar.gz'
+        """
         name, _fragment = egg_info_for_url(url)
         if name:
             while '..' in name:
@@ -820,8 +827,13 @@ class PackageIndex(Environment):
         if name.endswith('.egg.zip'):
             name = name[:-4]  # strip the extra .zip before download

-        filename = os.path.join(tmpdir, name)
+        return os.path.join(tmpdir, name)

+    def _download_url(self, url, tmpdir):
+        """
+        Determine the download filename.
+        """
+        filename = self._resolve_download_filename(url, tmpdir)
         return self._download_vcs(url, filename) or self._download_other(url, filename)

     @staticmethod
--
2.40.0