Fix CVE-2022-40898

CVE-2022-40898.patch

@@ -0,0 +1,25 @@
+From 88f02bc335d5404991e532e7f3b0fc80437bf4e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 20 Oct 2022 17:13:23 +0300
+Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
+
+Refer: https://github.com/pypa/wheel/issues/498
+
+---
+ src/wheel/wheelfile.py | 4 ++--
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
+index a0c9d2a5..b985774e 100644
+--- a/src/wheel/wheelfile.py
++++ b/src/wheel/wheelfile.py
+@@ -16,8 +16,8 @@
+ # Non-greedy matching of an optional build number may be too clever (more
+ # invalid wheel filenames will match). Separate regex for .dist-info?
+ WHEEL_INFO_RE = re.compile(
+-    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
+-     -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
++    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
++     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
+     re.VERBOSE)
+ 

python-wheel.spec

@@ -1,7 +1,7 @@
 %bcond_with bootstrap
 Name:           python-wheel
 Version:        0.37.0
-Release:        5
+Release:        6
 Epoch:          1
 Summary:        Built-package format for Python
 License:        MIT
@@ -11,6 +11,7 @@ BuildArch:      noarch
 
 Patch01:        0001-Fixed-wheel-pack-duplicating-WHEEL-contents-on-build.patch
 Patch02:        0001-Support-unpacking-wheels-that-contain-files-with-com.patch
+Patch03:        CVE-2022-40898.patch
 
 %description
 A built-package format for Python.
@@ -82,6 +83,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-3 -v --ignore build
 %endif
 
 %changelog
+* Thu Dec 07 2023 wangkai <13474090681@163.com> - 1:0.37.0-6
+- Fix CVE-2022-40898
+
 * Wed Nov 8 2023 liubo <liubo1@xfusion.com> - 1:0.37.0-5
 - Support unpacking wheels that contain files with commas in their names