Skip to content

Backport CVE-47273 fix from 78.1.1 to 75.3.2#5100

Closed
UladzimirTrehubenka wants to merge 333 commits intopypa:maint/75.3from
UladzimirTrehubenka:backport_cve_47273
Closed

Backport CVE-47273 fix from 78.1.1 to 75.3.2#5100
UladzimirTrehubenka wants to merge 333 commits intopypa:maint/75.3from
UladzimirTrehubenka:backport_cve_47273

Conversation

@UladzimirTrehubenka
Copy link
Contributor

@UladzimirTrehubenka UladzimirTrehubenka commented Oct 25, 2025
edited
Loading

Fix #4946, allow to use upcoming (I hope) 75.3.3 against Python 3.8 (which is still widely used) and prevent issues with vulnerability scanning tools.

abravalheri and others added 30 commits November 11, 2024 15:58
@abravalheri
Extract convenience wrapper of rmtree to setuptools._shutil for reuse
d9975c6
@abravalheri
Extract common pattern to remove dir if exists to setuptools._shutil
1678730
@abravalheri
Attempt to solve typechecking problems
b9be144
@abravalheri
Ignore some lines for coverage
6ddac39
@abravalheri
Refactor usage of shutil.rmtree in other parts of setuptools
8272bc3
@abravalheri
Add docstring
bb93502
@abravalheri
Extract test for shutil.rmtree callback to its own file
db2b206
@abravalheri
Refactor/unify/extract shutil.rmtree callbacks (and avoid repetitio…
c9d980f 
…n) (pypa#4682)
@carsonyl @abravalheri
Omit ruff config from distribution.
49726ca
@carsonyl @abravalheri
Include ruff.toml in sdist but not wheel.
68ac812
@dependabot @abravalheri
Update mypy requirement from ==1.12.* to >=1.12,<1.14
748c851 
Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@abravalheri
Update mypy requirement from ==1.12.* to >=1.12,<1.14 (pypa#4700)
6cc5f08
@abravalheri
Bump version: 75.3.0 → 75.4.0
8f5559c
@abravalheri
Revert "Allow user to skip validation of pyproject.toml via env var"
f6c9fdb 
This reverts commit 913d50a.
@abravalheri
Add news fragment
36e945e
@abravalheri
Revert "Allow user to skip validation of pyproject.toml via env var" (p…
57ed6f0 
…ypa#4746)
@abravalheri
Add note about removed variable in NEWS.rst
01b9f20
@abravalheri
Bump version: 75.4.0 → 75.5.0
5400015
@abravalheri
Test compatibility between setuptools and wheel metadata for real use…
2b6dfd0 
… cases
@abravalheri
Test metadata roundtrip when using pypa/wheel parsing techniques
48fd9ba
@abravalheri
Preserve original PKG-INFO as METADATA in bdist_wheel
fbbfbfb
@abravalheri
Avoid newline problems on windows
33f9796
@abravalheri
Ignore coverage in test code
089aca9
@abravalheri
Add news fragment
a4fa01d
@abravalheri
Mark tests that may depend on external network
0b5b417
@abravalheri
Preserve original PKG-INFO contents when creating wheel (instead of…
e622859 
… calling `wheel.metadata.pkginfo_to_metadata`) (pypa#4701)
@Avasam
Runtime typing fixes for typeshed return type merge
9a4c8d4
@abravalheri
Runtime typing fixes for typeshed return type merge (pypa#4753
2c77cd2
@Avasam
Changed the WindowsSdkVersion, FrameworkVersion32 and ``Frame…
2b471c2 
…workVersion64`` properties of ``setuptools.msvc.PlatformInfo`` to return an empty `tuple` instead of `None` as a fallthrough case
@abravalheri
Rename news fragment
50d671b
jaraco and others added 24 commits March 8, 2025 18:06
@jaraco
Remove Python version gate in _make_strs.
618a98b
@jaraco
Remove _make_strs and update msvc to accept WindowsPath.
6b5fd8c
@jaraco
Merge pull request pypa/distutils#333 from pypa/debt/make-strs
82780b7 
Remove Python version gate in _make_strs.
@jaraco
Always rewrite a Python shebang to #!python.
c712663 
Closes pypa#4863
@jaraco
👹 Feed the hobgoblins (delint).
eecd653
@jaraco
Merge pull request pypa/distutils#330 from Avasam/Make-sdist.metadata…
baf62ad 
…_check-an-actual-boolean

Make `sdist.metadata_check` an actual boolean
@jaraco
Reword note.
3817ded
@jaraco
Merge branch 'main' into merge-typeshed-annotations
c60aec1
@jaraco
Merge pull request pypa/distutils#329 from Avasam/merge-typeshed-anno…
250c300 
…tations

Merge typeshed's `setuptools._distutils` annotations
@jaraco
Merge pull request pypa/distutils#332 from pypa/debt/unify-shebang
5589d75 
In build_scripts, unconditionally set shebang to #!python.
@jaraco
Bump version: 75.8.2 → 75.9.0
0cffd61
@jaraco
Merge with pypa/distutils@5589d7527
c7e97a0
@jaraco
Add news fragment.
5cc2927
@jaraco
In config command, move to eager imports. Restore LinkError to ccompi…
6d7cc0f 
…lers module.

Closes pypa#4866
@jaraco
Merge commit '6d7cc0ff9' into bugfix/distutils-6d7cc0ff9
149a28a
@jaraco
Add news fragment.
7cff740
@jaraco
Merge pull request pypa#4867 from pypa/bugfix/distutils-6d7cc0ff9
d8620a8 
In config command, move to eager imports. Restore LinkError to ccompilers module.
@jaraco
Bump version: 75.9.0 → 75.9.1
7530d69
@jaraco
Merge pull request pypa#4865 from pypa/feature/distutils-5589d7527
427babb 
Merge with distutils @ 5589d75
@jaraco
Bump version: 75.9.1 → 76.0.0
c11a494
@Avasam @abravalheri
Reduce Ruff configs that duplicates upstream after skeleton merge
45375cd
@abravalheri
Reduce Ruff configs that duplicates upstream after skeleton merge (py…
b10fa52 
…pa#4857)
@jaraco
Merge tag 'v75.3.1'
1148613
@UladzimirTrehubenka
Backport CVE-47273 fix from 78.1.1 to 75.3.2
8942672
@UladzimirTrehubenka
Copy link
Contributor Author

UladzimirTrehubenka commented Oct 25, 2025

@jaraco Please reopen #4946

@jaraco
Copy link
Member

jaraco commented Jan 19, 2026

I recently moved the maint/75.3 branch around because it was pointing at the wrong commit. Sorry if that messed this PR up. Please consider cherry-picking your change against the latest maint/75.3 branch and either open a new PR or ask and I can re-open this one.

@jaraco jaraco closed this Jan 19, 2026
@UladzimirTrehubenka UladzimirTrehubenka mentioned this pull request Jan 20, 2026
Merged
@UladzimirTrehubenka
Copy link
Contributor Author

UladzimirTrehubenka commented Jan 22, 2026

@jaraco see #5150

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.