1From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001 2From: Narpat Mali <narpat.mali@windriver.com> 3Date: Wed, 11 Jan 2023 07:45:57 +0000 4Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE 5 6CVE: CVE-2022-40898 7 8Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] 9 10Signed-off-by: Narpat Mali <narpat.mali@windriver.com> 11--- 12 src/wheel/wheelfile.py | 4 ++-- 13 1 file changed, 2 insertions(+), 2 deletions(-) 14 15diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py 16index 21e7361..ff06edf 100644 17--- a/src/wheel/wheelfile.py 18+++ b/src/wheel/wheelfile.py 19@@ -27,8 +27,8 @@ else: 20 # Non-greedy matching of an optional build number may be too clever (more 21 # invalid wheel filenames will match). Separate regex for .dist-info? 22 WHEEL_INFO_RE = re.compile( 23- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))? 24- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""", 25+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))? 26+ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""", 27 re.VERBOSE) 28 29 30-- 312.32.0 32 33