Fix CVE-2018-1000802:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
Taken from upstream commit (sans NEWS):
https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435
diff --git a/Lib/shutil.py b/Lib/shutil.py
index 3462f7c5e9..0ab1a06f52 100644
--- a/Lib/shutil.py
+++ b/Lib/shutil.py
@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
return archive_name
-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
# XXX see if we want to keep an external call here
if verbose:
zipoptions = "-r"
else:
zipoptions = "-rq"
- from distutils.errors import DistutilsExecError
- from distutils.spawn import spawn
+ cmd = ["zip", zipoptions, zip_filename, base_dir]
+ if logger is not None:
+ logger.info(' '.join(cmd))
+ if dry_run:
+ return
+ import subprocess
try:
- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
- except DistutilsExecError:
+ subprocess.check_call(cmd)
+ except subprocess.CalledProcessError:
# XXX really should distinguish between "couldn't find
# external 'zip' command" and "zip failed".
raise ExecError, \
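Review bot: The new `except subprocess.CalledProcessError:` clause only covers a non-zero exit from `zip`. When the `zip` executable is missing, `subprocess.check_call(cmd)` raises `OSError`, which now propagates to the caller instead of becoming `ExecError`. The old `spawn()` path reported both cases as `DistutilsExecError`, and the XXX comment just below already names the "couldn't find external 'zip' command" case. Consider `except (subprocess.CalledProcessError, OSError):`, or a separate `except OSError:` branch with its own message, so callers that catch `ExecError` keep working. Separately, the new signature drops the `verbose=False, dry_run=False` defaults, so every caller must now pass all five arguments. That is fine for a private helper with one call site, but `logger=None` as a default would match `_make_zipfile`.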
@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
zipfile = None
if zipfile is None:
- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
else:
if logger is not None:
logger.info("creating '%s' and adding '%s' to it",
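Review bot: The updated call `_call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)` passes three flag-like arguments positionally to a function that no longer has defaults, so a swapped `verbose`/`dry_run` would go unnoticed. Passing them by keyword (`verbose=verbose, dry_run=dry_run, logger=logger`) would make the call self-checking. Also note that the two branches now log differently: the fallback logs the space-joined `zip` command line, while the `zipfile` branch logs "creating '%s' and adding '%s' to it". Since the joined command is not quoted, a `zip_filename` or `base_dir` containing spaces reads ambiguously in the log. A short comment on the intended log format would help.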
Age | Commit message (Expand) | Author |
2021-12-23 | gnu: axoloti-patcher-next: Fix file names....* gnu/packages/axoloti.scm (axoloti-patcher-next)[arguments]: Add missing
slash.
| Ricardo Wurmus |
2021-12-23 | gnu: axoloti-patcher-next: Remove trailing #T....* gnu/packages/axoloti.scm (axoloti-patcher-next)[source]: Remove trailing #T
from snippet.
[arguments]: Remove trailing #T from build phase.
| Ricardo Wurmus |
2021-12-13 | gnu: Simplify package inputs....This commit was obtained by running:
./pre-inst-env guix style
without any additional argument.
| Ludovic Courtès |
2021-07-24 | gnu: Use 'search-input-directory' and 'search-input-file' where appropriate....This changes some of the remaining uses of this idiom:
(string-append (assoc-ref inputs "LABEL") "FILE")
to one of:
(search-input-file inputs "FILE")
(search-input-directory inputs "FILE")
* gnu/packages/axoloti.scm (axoloti-patcher): Use
'search-input-directory'.
(axoloti-patcher-next): Likewise.
* gnu/packages/bioinformatics.scm (java-picard): Likewise.
* gnu/packages/bootloaders.scm (grub-hybrid): Likewise.
(u-boot-puma-rk3399): Likewise.
(u-boot-rock64-rk3328): Likewise.
(u-boot-firefly-rk3399): Likewise.
(u-boot-rockpro64-rk3399): Likewise.
(u-boot-pinebook-pro-rk3399): Likewise.
* gnu/packages/cran.scm (r-shiny): Likewise.
(r-shinytree): Likewise.
* gnu/packages/education.scm (anki): Likewise.
* gnu/packages/emacs-xyz.scm (emacs-flycheck-grammalecte): Likewise.
(emacs-rime): Likewise.
* gnu/packages/emulators.scm (dolphin-emu): Likewise.
* gnu/packages/games.scm (bsd-games): Likewise.
(seahorse-adventures): Likewise.
(einstein): Likewise.
* gnu/packages/gimp.scm (gimp-fourier): Likewise.
* gnu/packages/gnome.scm (gspell): Likewise.
* gnu/packages/guile-xyz.scm (guile-libyaml): Likewise.
* gnu/packages/java.scm (icedtea-7): Likewise.
* gnu/packages/language.scm (nimf): Likewise.
* gnu/packages/lxde.scm (spacefm): Likewise.
* gnu/packages/mail.scm (claws-mail): Likewise.
* gnu/packages/netpbm.scm (netpbm): Likewise.
* gnu/packages/networking.scm (blueman): Likewise.
* gnu/packages/scheme.scm (scm): Likewise.
* gnu/packages/security-token.scm (python-fido2): Likewise.
* gnu/packages/syndication.scm (rtv): Likewise.
* gnu/packages/tls.scm (acme-client): Likewise.
* gnu/packages/web.scm (netsurf): Likewise.
* gnu/packages/wine.scm (wine-staging): Likewise.
* gnu/packages/wxwidgets.scm (wxwidgets): Likewise.
| Ludovic Courtès |
2021-05-30 | gnu: axoloti-runtime: Patch firmware Makefile....* gnu/packages/axoloti.scm (axoloti-runtime)[arguments]: Patch out whitespace
substitution.
| Ricardo Wurmus |
2021-04-08 | gnu: axoloti-runtime: Simplify build....* gnu/packages/axoloti.scm (axoloti-runtime)[arguments]: Remove
unnecessary environment variable assignments in custom 'build phase.
Signed-off-by: Efraim Flashner <efraim@flashner.co.il>
| Morgan Smith |
2021-03-15 | gnu: libusb-for-axoloti: Revert to 1.0.23....* gnu/packages/axoloti.scm (libusb-for-axoloti): Revert to 1.0.23, because the
patch does not apply to the latest version.
| Ricardo Wurmus |