python-pyinstaller/backport-CVE-2023-49797-pre.patch

From 709262381451878dadb9e9d26190167a2ab5e67c Mon Sep 17 00:00:00 2001
From: Rok Mandeljc <rok.mandeljc@gmail.com>
Date: Thu, 3 Aug 2023 13:49:03 +0200
Subject: [PATCH] rthooks: win32com: fully isolate the genpy cache

Instead of extending the `win32.com.gen_py` sub-module search paths
(the `__path__` attribute) with the new location of the isolated
cache, override it completely. This prevents the global cache from
being accessed, which might result in errors when the global cache
contains some, but not all, required modules.
---
 .../hooks/rthooks/pyi_rth_win32comgenpy.py    | 44 +++++++------------
 news/6257.bugfix.rst                          |  3 ++
 2 files changed, 18 insertions(+), 29 deletions(-)
 create mode 100644 news/6257.bugfix.rst

diff --git a/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py b/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py
index 3671c3ab2e..aed2515b08 100644
--- a/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py
+++ b/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py
@@ -9,12 +9,12 @@
 # SPDX-License-Identifier: Apache-2.0
 #-----------------------------------------------------------------------------
 
-# The win32.client.gencache code must be allowed to create the cache in %temp% (user's temp). It is necessary to get the
-# gencache code to use a suitable directory other than the default in lib\site-packages\win32com\client\gen_py.
-# PyInstaller does not provide this directory structure and the frozen executable could be placed in a non-writable
-# directory like 'C:\Program Files. That's the reason for %temp% directory.
-#
-# http://www.py2exe.org/index.cgi/UsingEnsureDispatch
+# Put the cache generated by `win32com.client.gencache` into isolated temporary directory. Historically, this was
+# required due to earlier versions of `pywin32` using the `site-packages\win32com\client\gen_py`  directory for
+# the cache by default. Nowadays, the default location for the cache seems to be in the configured temporary directory
+# (pointed to by TEMP or TMP, for example %LOCALAPPDATA%\Temp), so strictly speaking, the relocation is not necessary
+# anymore. But for the time being, we are keeping it around to isolate the frozen application from the rest of the
+# system.
 
 
 def _pyi_rthook():
@@ -23,36 +23,22 @@ def _pyi_rthook():
     import shutil
     import tempfile
 
-    # Put gen_py cache in temp directory.
+    import win32com
+
+    # Create temporary directory. The actual cache directory needs to be named `gen_py`, so create a sub-directory.
     supportdir = tempfile.mkdtemp()
-    # gen_py has to be put into directory 'gen_py'.
+
     genpydir = os.path.join(supportdir, 'gen_py')
+    os.makedirs(genpydir, exist_ok=True)
 
-    # Create 'gen_py' directory. This directory does not need to contain '__init__.py' file.
-    try:
-        # win32com gencache cannot be put directly to 'supportdir' with any random name. It has to be put in a directory
-        # called 'gen_py'. This is the reason why to create this directory in supportdir'.
-        os.makedirs(genpydir)
-        # Remove temp directory at application exit and ignore any errors.
-        atexit.register(shutil.rmtree, supportdir, ignore_errors=True)
-    except OSError:
-        pass
+    # Remove the teporary directory at application exit, ignoring errors.
+    atexit.register(shutil.rmtree, supportdir, ignore_errors=True)
 
     # Override the default path to gen_py cache.
-    import win32com  # noqa: E402
-
     win32com.__gen_path__ = genpydir
 
-    # The attribute __loader__ makes module 'pkg_resources' working but On Windows it breaks pywin32 (win32com) and test
-    # 'basic/test_pyttsx' will fail. Just removing that attribute for win32com fixes that and gencache is created
-    # properly.
-    if hasattr(win32com, '__loader__'):
-        del win32com.__loader__
-
-    # Ensure genpydir is in 'gen_py' module paths.
-    import win32com.gen_py  # noqa: E402
-
-    win32com.gen_py.__path__.insert(0, genpydir)
+    # Override the sub-module paths for win32com.gen_py run-time sub-package.
+    win32com.gen_py.__path__ = [genpydir]
 
 
 _pyi_rthook()
diff --git a/news/6257.bugfix.rst b/news/6257.bugfix.rst
new file mode 100644
index 0000000000..3cb746a332
--- /dev/null
+++ b/news/6257.bugfix.rst
@@ -0,0 +1,3 @@
+(Windows) Fix ``win32com`` run-time hook to fully isolate the ``gen_py``
+cache. This prevents the access to global cache, which results in errors
+when the global cache contains some, but not all, required modules.
\ No newline at end of file
Fix CVE-2023-49797 2024-06-18 16:48:05 +08:00			`From 709262381451878dadb9e9d26190167a2ab5e67c Mon Sep 17 00:00:00 2001`
			`From: Rok Mandeljc <rok.mandeljc@gmail.com>`
			`Date: Thu, 3 Aug 2023 13:49:03 +0200`
			`Subject: [PATCH] rthooks: win32com: fully isolate the genpy cache`

			Instead of extending the `win32.com.gen_py` sub-module search paths
			(the `__path__` attribute) with the new location of the isolated
			`cache, override it completely. This prevents the global cache from`
			`being accessed, which might result in errors when the global cache`
			`contains some, but not all, required modules.`
			`---`
			`.../hooks/rthooks/pyi_rth_win32comgenpy.py \| 44 +++++++------------`
			`news/6257.bugfix.rst \| 3 ++`
			`2 files changed, 18 insertions(+), 29 deletions(-)`
			`create mode 100644 news/6257.bugfix.rst`

			`diff --git a/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py b/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py`
			`index 3671c3ab2e..aed2515b08 100644`
			`--- a/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py`
			`+++ b/PyInstaller/hooks/rthooks/pyi_rth_win32comgenpy.py`
			`@@ -9,12 +9,12 @@`
			`# SPDX-License-Identifier: Apache-2.0`
			`#-----------------------------------------------------------------------------`

			`-# The win32.client.gencache code must be allowed to create the cache in %temp% (user's temp). It is necessary to get the`
			`-# gencache code to use a suitable directory other than the default in lib\site-packages\win32com\client\gen_py.`
			`-# PyInstaller does not provide this directory structure and the frozen executable could be placed in a non-writable`
			`-# directory like 'C:\Program Files. That's the reason for %temp% directory.`
			`-#`
			`-# http://www.py2exe.org/index.cgi/UsingEnsureDispatch`
			+# Put the cache generated by `win32com.client.gencache` into isolated temporary directory. Historically, this was
			+# required due to earlier versions of `pywin32` using the `site-packages\win32com\client\gen_py` directory for
			`+# the cache by default. Nowadays, the default location for the cache seems to be in the configured temporary directory`
			`+# (pointed to by TEMP or TMP, for example %LOCALAPPDATA%\Temp), so strictly speaking, the relocation is not necessary`
			`+# anymore. But for the time being, we are keeping it around to isolate the frozen application from the rest of the`
			`+# system.`


			`def _pyi_rthook():`
			`@@ -23,36 +23,22 @@ def _pyi_rthook():`
			`import shutil`
			`import tempfile`

			`- # Put gen_py cache in temp directory.`
			`+ import win32com`
			`+`
			+ # Create temporary directory. The actual cache directory needs to be named `gen_py`, so create a sub-directory.
			`supportdir = tempfile.mkdtemp()`
			`- # gen_py has to be put into directory 'gen_py'.`
			`+`
			`genpydir = os.path.join(supportdir, 'gen_py')`
			`+ os.makedirs(genpydir, exist_ok=True)`

			`- # Create 'gen_py' directory. This directory does not need to contain '__init__.py' file.`
			`- try:`
			`- # win32com gencache cannot be put directly to 'supportdir' with any random name. It has to be put in a directory`
			`- # called 'gen_py'. This is the reason why to create this directory in supportdir'.`
			`- os.makedirs(genpydir)`
			`- # Remove temp directory at application exit and ignore any errors.`
			`- atexit.register(shutil.rmtree, supportdir, ignore_errors=True)`
			`- except OSError:`
			`- pass`
			`+ # Remove the teporary directory at application exit, ignoring errors.`
			`+ atexit.register(shutil.rmtree, supportdir, ignore_errors=True)`

			`# Override the default path to gen_py cache.`
			`- import win32com # noqa: E402`
			`-`
			`win32com.__gen_path__ = genpydir`

			`- # The attribute __loader__ makes module 'pkg_resources' working but On Windows it breaks pywin32 (win32com) and test`
			`- # 'basic/test_pyttsx' will fail. Just removing that attribute for win32com fixes that and gencache is created`
			`- # properly.`
			`- if hasattr(win32com, '__loader__'):`
			`- del win32com.__loader__`
			`-`
			`- # Ensure genpydir is in 'gen_py' module paths.`
			`- import win32com.gen_py # noqa: E402`
			`-`
			`- win32com.gen_py.__path__.insert(0, genpydir)`
			`+ # Override the sub-module paths for win32com.gen_py run-time sub-package.`
			`+ win32com.gen_py.__path__ = [genpydir]`


			`_pyi_rthook()`
			`diff --git a/news/6257.bugfix.rst b/news/6257.bugfix.rst`
			`new file mode 100644`
			`index 0000000000..3cb746a332`
			`--- /dev/null`
			`+++ b/news/6257.bugfix.rst`
			`@@ -0,0 +1,3 @@`
			+(Windows) Fix ``win32com`` run-time hook to fully isolate the ``gen_py``
			`+cache. This prevents the access to global cache, which results in errors`
			`+when the global cache contains some, but not all, required modules.`
			`\ No newline at end of file`