mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-05 16:28:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
170d5d05230f992a6b003bd15eb02cec4aef2cd9
poky/meta/recipes-devtools/python/python3-setuptools_76.0.0.bb
Praveen Kumar f53d6b5b2f python3-setuptools: fix CVE-2025-47273 
setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273

Upstream-patch:
d8390feaa9
250a6d1797

(From OE-Core rev: cfb2d77f841ae21cae0ba7d6263dc3e1e0280400)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-07-04 07:50:16 -07:00

61 lines
1.8 KiB
BlitzBasic
Raw Blame History

SUMMARY = "Download, build, install, upgrade, and uninstall Python packages"
HOMEPAGE = "https://pypi.org/project/setuptools"
SECTION = "devel/python"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=141643e11c48898150daa83802dbc65f"
inherit pypi python_setuptools_build_meta
CVE_PRODUCT = "python3-setuptools python:setuptools"
SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
SRC_URI += " \
file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \
file://CVE-2025-47273-pre1.patch \
file://CVE-2025-47273.patch \
"
SRC_URI[sha256sum] = "43b4ee60e10b0d0ee98ad11918e114c70701bc6051662a9a675a0496c1a158f4"
DEPENDS += "python3"
RDEPENDS:${PN} = "\
python3-compile \
python3-compression \
python3-ctypes \
python3-email \
python3-html \
python3-json \
python3-netserver \
python3-numbers \
python3-pickle \
python3-pkg-resources \
python3-pkgutil \
python3-plistlib \
python3-shell \
python3-stringold \
python3-threading \
python3-unittest \
python3-unixadmin \
python3-xml \
"
BBCLASSEXTEND = "native nativesdk"
# The pkg-resources module can be used by itself, without the package downloader
# and easy_install. Ship it in a separate package so that it can be used by
# minimal distributions.
PACKAGES =+ "python3-pkg-resources "
FILES:python3-pkg-resources = "${PYTHON_SITEPACKAGES_DIR}/pkg_resources/*"
RDEPENDS:python3-pkg-resources = "\
python3-compression \
python3-email \
python3-plistlib \
python3-pprint \
"
# This used to use the bootstrap install which didn't compile. Until we bump the
# tmpdir version we can't compile the native otherwise the sysroot unpack fails
INSTALL_WHEEL_COMPILE_BYTECODE:class-native = "--no-compile-bytecode"
Reference in New Issue View Git Blame Copy Permalink