!12 [sync] PR-9: Fix CVE-2022-40899

From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

CVE-2022-40899.patch

@@ -0,0 +1,52 @@
+From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001
+From: Will Shanks <wshaos@posteo.net>
+Date: Fri, 23 Dec 2022 13:38:26 -0500
+Subject: [PATCH] Backport fix for bpo-38804
+
+The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
+expression denial of service (REDoS). The regex contained multiple
+overlapping \s* capture groups. A long sequence of spaces can trigger
+bad performance.
+
+See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
+---
+ src/future/backports/http/cookiejar.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py
+index af3ef415..0ad80a02 100644
+--- a/src/future/backports/http/cookiejar.py
++++ b/src/future/backports/http/cookiejar.py
+@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz):
+        (?::(\d\d))?    # optional seconds
+     )?                 # optional clock
+        \s*
+-    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
++    (?:
++       ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
++       \s*
++    )?
++    (?:
++       \(\w+\)         # ASCII representation of timezone in parens.
+        \s*
+-    (?:\(\w+\))?       # ASCII representation of timezone in parens.
+-       \s*$""", re.X | re.ASCII)
++    )?$""", re.X | re.ASCII)
+ def http2time(text):
+     """Returns time in seconds since epoch of time represented by a string.
+ 
+@@ -298,9 +302,11 @@ def http2time(text):
+       (?::?(\d\d(?:\.\d*)?))?  # optional seconds (and fractional)
+    )?                    # optional clock
+       \s*
+-   ([-+]?\d\d?:?(:?\d\d)?
+-    |Z|z)?               # timezone  (Z is "zero meridian", i.e. GMT)
+-      \s*$""", re.X | re. ASCII)
++   (?:
++      ([-+]?\d\d?:?(:?\d\d)?
++       |Z|z)             # timezone  (Z is "zero meridian", i.e. GMT)
++      \s*
++   )?$""", re.X | re. ASCII)
+ def iso2time(text):
+     """
+     As for http2time, but parses the ISO 8601 formats:

README.en.md

@@ -1,36 +0,0 @@
-# future
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Instructions
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Contribution
-
-1.  Fork the repository
-2.  Create Feat_xxx branch
-3.  Commit your code
-4.  Create Pull Request
-
-
-#### Gitee Feature
-
-1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4.  The most valuable open source project [GVP](https://gitee.com/gvp)
-5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

README.md

@@ -1,39 +0,0 @@
-# future
-
-#### 介绍
-{**以下是码云平台说明，您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 使用说明
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 参与贡献
-
-1.  Fork 本仓库
-2.  新建 Feat_xxx 分支
-3.  提交代码
-4.  新建 Pull Request
-
-
-#### 码云特技
-
-1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
-2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
-5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

future.spec

@@ -1,36 +1,28 @@
+%global with_tests 0%{?_with_tests:0}
 %global desc \
 This package intends to provides a compatibility layer for Python between its \
 two version release. The future and past packages are both provides for backports \
 and forwards, in which you are able to use a single, clean codebase to run under \
-Python2/3 environmets easily. With also providing futurize and pasteurize scripts, \
+Python3 environmets easily. With also providing futurize and pasteurize scripts, \
 you can convert you Python code to support both version.
 
-
-%{!?python2_shortver: %global python2_shortver %(%{__python2} -c 'import sys; print(str(sys.version_info.major) + "." + str(sys.version_info.minor))')}
 %{!?python3_shortver: %global python3_shortver %(%{__python3} -c 'import sys; print(str(sys.version_info.major) + "." + str(sys.version_info.minor))')}
 
 Name:           future
-Version:        0.16.0
+Version:        0.18.2
-Release:        11
+Release:        2
-Summary:        Missing compatibility layer between Python 2 and Python 3
+Summary:        Missing compatibility layer on Python 3
 License:        MIT
 URL:            http://python-future.org/
-Source0:        https://github.com/PythonCharmers/python-future/archive/v%{version}.tar.gz#/python-future-%{version}.tar.gz
+Source0:        https://files.pythonhosted.org/packages/45/0b/38b06fd9b92dc2b68d58b75f900e97884c45bedd2ff83203d933cf5851c9/future-0.18.2.tar.gz
+Patch0:         CVE-2022-40899.patch
 BuildArch:      noarch
 
 %description
 %{desc}
 
-%package        -n python2-future
-Summary:        Missing compatibility layer between Python 2 and Python 3
-%{?python_provide:%python_provide python2-future}
-BuildRequires:  python2-devel python2-setuptools python2-numpy python2-requests python2-pytest
-Provides:       future = 0:%{version}-%{release}
-%description    -n python2-future
-%{desc}
-
 %package        -n python3-future
-Summary:        Missing compatibility layer between Python 2 and Python 3
+Summary:        Missing compatibility layer on Python 3
 %{?python_provide:%python_provide python3-future}
 BuildRequires:  python3-devel python3-setuptools python3-numpy python3-requests python3-pytest
 
@@ -38,28 +30,12 @@ BuildRequires:  python3-devel python3-setuptools python3-numpy python3-requests
 %{desc}
 
 %prep
-%autosetup -c -p1
+%autosetup -p1
-
-mv python-future-%{version} python2
-cd python2
-find -name '*.py' | xargs sed -i '1s|^#!python|#!%{__python2}|'
-cd ..
-
-cp -a python2 python3
-find python3 -name '*.py' | xargs sed -i '1s|^#!python|#!%{__python3}|'
 
 %build
-cd python2
-CFLAGS="%{optflags}" %{__python2} setup.py build --executable="%{__python2} -s"
-cd ..
-
-cd python3
 CFLAGS="%{optflags}" %{__python3} setup.py build --executable="%{__python3} -s"
-cd ..
 
 %install
-
-cd python3
 CFLAGS="%{optflags}" %{__python3} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
 mv $RPM_BUILD_ROOT%{_bindir}/futurize $RPM_BUILD_ROOT%{_bindir}/python3-futurize
 mv $RPM_BUILD_ROOT%{_bindir}/pasteurize $RPM_BUILD_ROOT%{_bindir}/python3-pasteurize
@@ -74,52 +50,16 @@ touch pasteurize-3 pasteurize-%{?python3_shortver}
 install -p pasteurize-3 pasteurize-%{?python3_shortver} $RPM_BUILD_ROOT%{_bindir}
 ln -sf %{_bindir}/python3-pasteurize $RPM_BUILD_ROOT%{_bindir}/pasteurize-3
 ln -sf %{_bindir}/python3-pasteurize $RPM_BUILD_ROOT%{_bindir}/pasteurize-%{?python3_shortver}
-cd ..
-
-cd python2
-CFLAGS="%{optflags}" %{__python2} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
-cp -p $RPM_BUILD_ROOT%{_bindir}/futurize $RPM_BUILD_ROOT%{_bindir}/python%{python2_version}-futurize
-cp -p $RPM_BUILD_ROOT%{_bindir}/pasteurize $RPM_BUILD_ROOT%{_bindir}/python%{python2_version}-pasteurize
-
-touch futurize futurize-2 futurize-%{python2_version}
-install -p futurize futurize-2 futurize-%{python2_version} $RPM_BUILD_ROOT%{_bindir}
-ln -sf %{_bindir}/python%{python2_version}-futurize $RPM_BUILD_ROOT%{_bindir}/futurize
-ln -sf %{_bindir}/python%{python2_version}-futurize $RPM_BUILD_ROOT%{_bindir}/futurize-2
-ln -sf %{_bindir}/python%{python2_version}-futurize $RPM_BUILD_ROOT%{_bindir}/futurize-%{python2_version}
-
-touch pasteurize pasteurize-2 pasteurize-%{python2_version}
-install -p pasteurize pasteurize-2 pasteurize-%{python2_version} $RPM_BUILD_ROOT%{_bindir}
-ln -sf %{_bindir}/python%{python2_version}-pasteurize $RPM_BUILD_ROOT%{_bindir}/pasteurize
-ln -sf %{_bindir}/python%{python2_version}-pasteurize $RPM_BUILD_ROOT%{_bindir}/pasteurize-2
-ln -sf %{_bindir}/python%{python2_version}-pasteurize $RPM_BUILD_ROOT%{_bindir}/pasteurize-%{python2_version}
-sed -i -e '/^#!\//, 1d' $RPM_BUILD_ROOT%{python2_sitelib}/future/backports/test/pystone.py
-cd ..
 
 %check
-cd python2
+%if %{with_tests}
-PYTHONPATH=$PWD/build/lib py.test -v
-cd ..
-
-cd python3
 PYTHONPATH=$PWD/build/lib py.test-3 -v
-cd ..
+%endif
-
-%files          -n python2-future
-%{!?_licensedir:%global license %doc}
-%doc python2/README.rst
-%license python2/LICENSE.txt
-%{_bindir}/futurize
-%{_bindir}/futurize-2*
-%{_bindir}/pasteurize
-%{_bindir}/pasteurize-2*
-%{_bindir}/python%{python2_version}-futurize
-%{_bindir}/python%{python2_version}-pasteurize
-%{python2_sitelib}/*
 
 %files          -n python3-future
 %{!?_licensedir:%global license %doc}
-%license python3/LICENSE.txt
+%license LICENSE.txt
-%doc python3/README.rst
+%doc README.rst
 %{_bindir}/futurize-3
 %{_bindir}/futurize-%{?python3_shortver}
 %{_bindir}/pasteurize-3
@@ -129,6 +69,15 @@ cd ..
 %{python3_sitelib}/*
 
 %changelog
+* Fri Mar 10 2023 yaoxin <yaoxin30@h-partners.com> - 0.18.2-2
+- Fix CVE-2022-40899
+
+* Wed Jul 14 2021 liksh <liks11@chinaunicom.cn> - 0.18.2-1
+- update package from 0.16.0 to 0.18.2
+
+* Wed Oct 21 2020 leiju <leiju4@huawei.com> - 0.16.0-12
+- remove python2 subpackage
+
 * Thu Jan 09 2020 lihao <lihao129@huawei.com> - 0.16.0-11
 - Package Init
 

future.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: PythonCharmers/python-future
+tag_prefix: ^v
+seperator: .