From 8fe4223eaccdce16dce26f6fb67cb18fe92915e3 Mon Sep 17 00:00:00 2001 
From: Jake Jackson Date: Tue, 19 Aug 2025 11:59:24 -0400 Subject: [PATCH] [AAP-47384] CVE 2025 47273 (#7054) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update requirements for setuptools * first pass and need to commit * update makefile and run updater script * updated makefile per readme * ran updater script * Patch irc backend to avoid namespace collision w/ jaraco When importing the IRC backend, jaraco resolves to the version vendored inside setuptools: 1) importing irc backend… irc_backend ERROR: ModuleNotFoundError("No module named 'jaraco.stream'") 2) sys.modules['jaraco'] after failure: present: True type: __file__: /var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py __path__: ['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco'] __spec__: ModuleSpec(name='jaraco', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7f006a0eccd0>, origin='/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py', submodule_search_locations=['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco']) Since setuptools does not vendor jaraco.stream, it blew up. This patch ensures jaraco.stream gets imported *before* attempting to import the irc modules. * Revert "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027) This reverts commit e8b2920aec95de2c51308ce2fb14773ef676d01a. * reformatted irc backend with black * ran black to fix linting issues * Reapply "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027) This reverts commit 0c6df9b13398a93569fae7558e1a0e72cbe8fb6c. 
* add flake8 ignore since jaraco.stream is needed * jaraco.stream is not directly called in the file but is needed by irc so ignore the linter failure --------- Co-authored-by: Shane McDonald
---
 Makefile | 2 +-
 awx/main/notifications/irc_backend.py | 29 ++++++++++++++++++++-------
 requirements/requirements.in | 2 +-
 requirements/requirements.txt | 6 ++++--
 4 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index 7cfdcdad6e..0148bfdeaa 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
 SRC_ONLY_PKGS ?= cffi,pycparser,psycopg,twilio
 # These should be upgraded in the AWX and Ansible venv before attempting
 # to install the actual requirements
-VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==69.0.2 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37
+VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==78.1.1 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37
 NAME ?= awx
diff --git a/awx/main/notifications/irc_backend.py b/awx/main/notifications/irc_backend.py
index 44693e0865..83327e99aa 100644
--- a/awx/main/notifications/irc_backend.py
+++ b/awx/main/notifications/irc_backend.py
@@ -5,8 +5,6 @@ import time
 import ssl
 import logging
-import irc.client
-
 from django.utils.encoding import smart_str
 from django.utils.translation import gettext_lazy as _
@@ -16,6 +14,19 @@ from awx.main.notifications.custom_notification_base import CustomNotificationBa
 logger = logging.getLogger('awx.main.notifications.irc_backend')
+def _irc():
+ """
+ Prime the real jaraco namespace before importing irc.* so that
+ setuptools' vendored 'setuptools._vendor.jaraco' doesn't shadow
+ external 'jaraco.*' packages (e.g., jaraco.stream).
+ """
+ import jaraco.stream # ensure the namespace package is established # noqa: F401
+ import irc.client as irc_client
+ import irc.connection as irc_connection
+
+ return irc_client, irc_connection
+
+
 class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
 init_parameters = {
 "server": {"label": "IRC Server Address", "type": "string"},
@@ -40,12 +51,15 @@ class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
 def open(self):
 if self.connection is not None:
 return False
+
+ irc_client, irc_connection = _irc()
+
 if self.use_ssl:
- connection_factory = irc.connection.Factory(wrapper=ssl.wrap_socket)
+ connection_factory = irc_connection.Factory(wrapper=ssl.wrap_socket)
 else:
- connection_factory = irc.connection.Factory()
+ connection_factory = irc_connection.Factory()
 try:
- self.reactor = irc.client.Reactor()
+ self.reactor = irc_client.Reactor()
 self.connection = self.reactor.server().connect(
 self.server,
 self.port,
@@ -53,7 +67,7 @@ class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
 password=self.password,
 connect_factory=connection_factory,
 )
- except irc.client.ServerConnectionError as e:
+ except irc_client.ServerConnectionError as e:
 logger.error(smart_str(_("Exception connecting to irc server: {}").format(e)))
 if not self.fail_silently:
 raise
@@ -65,8 +79,9 @@ class IrcBackend(AWXBaseEmailBackend, CustomNotificationBase):
 self.connection = None
 def on_connect(self, connection, event):
+ irc_client, _ = _irc()
 for c in self.channels:
- if irc.client.is_channel(c):
+ if irc_client.is_channel(c):
 connection.join(c)
 else:
 for m in self.channels[c]:
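Review bot: The rewritten line `connection_factory = irc_connection.Factory(wrapper=ssl.wrap_socket)` in open() carries forward ssl.wrap_socket, which by default wraps the socket without verifying the server certificate or hostname, and which was removed from the standard library in Python 3.12, so the use_ssl branch will fail with AttributeError on newer interpreters (the venv path quoted in the commit message shows python3.11 today). Since the Factory is handed a one-argument wrapper that receives the bare socket, as the existing ssl.wrap_socket usage implies, a small wrapper built on ssl.create_default_context() keeps the same shape while actually verifying the peer; the one behavioural difference is that self-signed server certificates would then be rejected, which may warrant an explicit opt-out setting rather than silent acceptance. open() continues into the following hunk and beyond.
```python
        if self.use_ssl:
            # Verify the server certificate and hostname; ssl.wrap_socket did neither by default
            # and no longer exists on Python 3.12+.
            tls_context = ssl.create_default_context()

            def _wrap_tls(sock):
                return tls_context.wrap_socket(sock, server_hostname=self.server)

            connection_factory = irc_connection.Factory(wrapper=_wrap_tls)
        # … unchanged: non-TLS factory, reactor and connect call …
```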
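Review bot: `irc_client, _ = _irc()` in on_connect() rebinds `_` as a local for the whole method, which shadows the module-level `gettext_lazy as _` import still visible in the first hunk's context; any `_("...")` call later in on_connect would then call the irc.connection module object and raise TypeError. The body of on_connect runs past the end of the hunk, so whether such a call exists is not visible here, but the shadowing is cheap to avoid either way: `irc_client = _irc()[0]` or `irc_client, _irc_connection = _irc()`. The same unpacking in open() is fine because both values are used there.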
diff --git a/requirements/requirements.in b/requirements/requirements.in
index 5c9e56fca9..ddb7e0d2f4 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -73,7 +73,7 @@ uWSGI>=2.0.28
 uwsgitop
 wheel>=0.38.1 # CVE-2022-40898
 pip==21.2.4 # see UPGRADE BLOCKERs
-setuptools # see UPGRADE BLOCKERs
+setuptools==78.1.1 # see UPGRADE BLOCKERs
 setuptools_scm[toml] # see UPGRADE BLOCKERs, xmlsec build dep
 setuptools-rust>=0.11.4 # cryptography build dep
 pkgconfig>=1.5.1 # xmlsec build dep - needed for offline build
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index ac18560493..46aa707501 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -190,7 +190,9 @@ djangorestframework-yaml==2.0.0
 docutils==0.20.1
 # via python-daemon
 dynaconf==3.2.10
- # via django-ansible-base
+ # via
+ # -r /awx_devel/requirements/requirements.in
+ # django-ansible-base
 enum-compat==0.0.3
 # via asn1
 filelock==3.13.1
@@ -610,7 +612,7 @@ zope-interface==6.2
 # The following packages are considered to be unsafe in a requirements file:
 pip==21.2.4
 # via -r /awx_devel/requirements/requirements.in
-setuptools==69.0.2
+setuptools==78.1.1
 # via
 # -r /awx_devel/requirements/requirements.in
 # asciichartpy