mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-05 16:28:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
8208d973b908a3d4b0162534b7168f4e22590e7e
poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb
Soumya Sambu 8208d973b9 python3-setuptools: Fix CVE-2024-6345 
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1
allows for remote code execution via its download functions. These functions, which
are used to download packages from URLs provided by users or retrieved from package
index servers, are susceptible to code injection. If these functions are exposed to
user-controlled inputs, such as package URLs, they can execute arbitrary commands on
the system. The issue is fixed in version 70.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
https://ubuntu.com/security/CVE-2024-6345

Upstream patch:
88807c7062

(From OE-Core rev: 238c305ba2c513a070818de4b6ad4316b54050a7)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-05-02 08:12:41 -07:00

60 lines
2.0 KiB
BlitzBasic
Raw Blame History

SUMMARY = "Download, build, install, upgrade, and uninstall Python packages"
HOMEPAGE = "https://pypi.org/project/setuptools"
SECTION = "devel/python"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=19;md5=7a7126e068206290f3fe9f8d6c713ea6"
inherit pypi python_setuptools_build_meta
SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
SRC_URI += "\
file://0001-change-shebang-to-python3.patch \
file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \
file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \
file://CVE-2024-6345.patch \
"
SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0"
DEPENDS += "${PYTHON_PN}"
RDEPENDS:${PN} = "\
${PYTHON_PN}-2to3 \
${PYTHON_PN}-compile \
${PYTHON_PN}-compression \
${PYTHON_PN}-ctypes \
${PYTHON_PN}-email \
${PYTHON_PN}-html \
${PYTHON_PN}-json \
${PYTHON_PN}-netserver \
${PYTHON_PN}-numbers \
${PYTHON_PN}-pickle \
${PYTHON_PN}-pkg-resources \
${PYTHON_PN}-pkgutil \
${PYTHON_PN}-plistlib \
${PYTHON_PN}-shell \
${PYTHON_PN}-stringold \
${PYTHON_PN}-threading \
${PYTHON_PN}-unittest \
${PYTHON_PN}-xml \
"
BBCLASSEXTEND = "native nativesdk"
# The pkg-resources module can be used by itself, without the package downloader
# and easy_install. Ship it in a separate package so that it can be used by
# minimal distributions.
PACKAGES =+ "${PYTHON_PN}-pkg-resources "
FILES:${PYTHON_PN}-pkg-resources = "${PYTHON_SITEPACKAGES_DIR}/pkg_resources/*"
RDEPENDS:${PYTHON_PN}-pkg-resources = "\
${PYTHON_PN}-compression \
${PYTHON_PN}-email \
${PYTHON_PN}-plistlib \
${PYTHON_PN}-pprint \
"
# This used to use the bootstrap install which didn't compile. Until we bump the
# tmpdir version we can't compile the native otherwise the sysroot unpack fails
INSTALL_WHEEL_COMPILE_BYTECODE:class-native = "--no-compile-bytecode"
Reference in New Issue View Git Blame Copy Permalink