Fix CVE-2018-1000802:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Taken from upstream commit (sans NEWS):
https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435

diff --git a/Lib/shutil.py b/Lib/shutil.py
index 3462f7c5e9..0ab1a06f52 100644
--- a/Lib/shutil.py
+++ b/Lib/shutil.py
@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
 
     return archive_name
 
-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
     # XXX see if we want to keep an external call here
     if verbose:
         zipoptions = "-r"
     else:
         zipoptions = "-rq"
-    from distutils.errors import DistutilsExecError
-    from distutils.spawn import spawn
+    cmd = ["zip", zipoptions, zip_filename, base_dir]
+    if logger is not None:
+        logger.info(' '.join(cmd))
+    if dry_run:
+        return
+    import subprocess
     try:
-        spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
-    except DistutilsExecError:
+        subprocess.check_call(cmd)
+    except subprocess.CalledProcessError:
         # XXX really should distinguish between "couldn't find
         # external 'zip' command" and "zip failed".
         raise ExecError, \
@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
         zipfile = None
 
     if zipfile is None:
-        _call_external_zip(base_dir, zip_filename, verbose, dry_run)
+        _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
     else:
         if logger is not None:
             logger.info("creating '%s' and adding '%s' to it",
n>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=58d129c460fec60642b46f3fd32956d4bf7d9296'>root</a>/<a href='/guix/log/etc?id=58d129c460fec60642b46f3fd32956d4bf7d9296'>etc</a>/<a href='/guix/log/etc/completion?id=58d129c460fec60642b46f3fd32956d4bf7d9296'>completion</a>/<a href='/guix/log/etc/completion/bash?id=58d129c460fec60642b46f3fd32956d4bf7d9296'>bash</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/etc/completion/bash?id=58d129c460fec60642b46f3fd32956d4bf7d9296&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2022-05-29 02:00:20 +0200'>2022-05-29</span></td><td><a href='/guix/commit/etc/completion/bash?id=dc6d92ac93cedd65f6c99daa530b69f43f6039ec'>bash completion: Fix &amp; unify option parsing.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2022-01-17 19:05:48 +0100'>2022-01-17</span></td><td><a href='/guix/commit/etc/completion/bash?id=93d3a2b23cb264ae95e4478c28e3abd9ddcadd2d'>bash completion: Complete "guix home" sub-commands.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2022-01-16 23:56:56 +0100'>2022-01-16</span></td><td><a href='/guix/commit/etc/completion/bash?id=e35deac9e7379605c0e3918e74a6d153861a4aa2'>bash completion: Fix options completion.</a><span class='msg-avail'>...</span></td><td>Fulbert</td></tr>
<tr><td><span title='2021-12-08 21:09:55 +0100'>2021-12-08</span></td><td><a href='/guix/commit/etc/completion/bash?id=f3af1fb0bcbcbe18ab773374efe606e90107cfb6'>bash completion: Complete ‘guix shell -f’.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-31 00:57:07 +0200'>2021-10-31</span></td><td><a href='/guix/commit/etc/completion/bash?id=8e6989fcaf4a6de00e799777e2a0ccb90fc05e59'>bash completion: Complete top-level options.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-31 00:57:07 +0200'>2021-10-31</span></td><td><a href='/guix/commit/etc/completion/bash?id=0987a0eba4e8220e98e93686a4ad3ef87433fb2f'>bash completion: Don't hard-code "guix" binary name.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-25 18:58:18 +0200'>2021-10-25</span></td><td><a href='/guix/commit/etc/completion/bash?id=80edb7df6586464aa40e84e103f0045452de95db'>Add 'guix shell'.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-10-03 19:23:49 +0200'>2021-10-03</span></td><td><a href='/guix/commit/etc/completion/bash?id=ed14bc298470f77f4ffacdc315ae87939f81c765'>bash completion: Fix ‘system’ &amp; ‘container’ subcommands.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-03 19:23:49 +0200'>2021-10-03</span></td><td><a href='/guix/commit/etc/completion/bash?id=d71cfaea3006bc02dc6d309d916809e1f799f04e'>bash completion: Complete ‘guix size’ file names.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-03 19:23:48 +0200'>2021-10-03</span></td><td><a href='/guix/commit/etc/completion/bash?id=9e3355d2a35796276d17af13ac45814dbf6c4203'>bash completion: Complete ‘guix build’ file names.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-03 19:23:48 +0200'>2021-10-03</span></td><td><a href='/guix/commit/etc/completion/bash?id=ee5e4779e21b6eaf3229ab4201e731d8dde7e4b2'>bash completion: Complete ‘guix weather’ packages.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-03 19:23:48 +0200'>2021-10-03</span></td><td><a href='/guix/commit/etc/completion/bash?id=17f76b209ceca9972dcd375d2a0f869abc6d1f26'>bash completion: Append to $COMPREPLY where possible.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-10-03 19:23:48 +0200'>2021-10-03</span></td><td><a href='/guix/commit/etc/completion/bash?id=6fba67df1928a62abc7939bd8ff020e998ad8d6b'>bash completion: Consolidate similar $command ‘if’ branches.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-06-16 12:13:39 +0200'>2021-06-16</span></td><td><a href='/guix/commit/etc/completion/bash?id=fa0dc1229c0dc44a7358d183e54d9e02d1199e39'>bash_completion: Complete options for ‘guix environment’.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-06-16 12:13:39 +0200'>2021-06-16</span></td><td><a href='/guix/commit/etc/completion/bash?id=dc3ba8c83602d69294e21d1b0c066f0d89890b56'>bash completion: Complete options for the right command.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2021-06-16 12:13:39 +0200'>2021-06-16</span></td><td><a href='/guix/commit/etc/completion/bash?id=80a17aae7991c6df061a98bb71734485f4ca17e2'>bash completion: Really support subcommands.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2020-12-04 23:45:08 +0100'>2020-12-04</span></td><td><a href='/guix/commit/etc/completion/bash?id=611ae310f4ca1d93600c280e940a69b07e20c350'>bash completion: Complete file names after '-f' and '-l'.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (Expand)	Author
2022-05-29	bash completion: Fix & unify option parsing....	Tobias Geerinckx-Rice
2022-01-17	bash completion: Complete "guix home" sub-commands....	Ludovic Courtès
2022-01-16	bash completion: Fix options completion....	Fulbert
2021-12-08	bash completion: Complete ‘guix shell -f’....	Tobias Geerinckx-Rice
2021-10-31	bash completion: Complete top-level options....	Tobias Geerinckx-Rice
2021-10-31	bash completion: Don't hard-code "guix" binary name....	Tobias Geerinckx-Rice
2021-10-25	Add 'guix shell'....	Ludovic Courtès
2021-10-03	bash completion: Fix ‘system’ & ‘container’ subcommands....	Tobias Geerinckx-Rice
2021-10-03	bash completion: Complete ‘guix size’ file names....	Tobias Geerinckx-Rice
2021-10-03	bash completion: Complete ‘guix build’ file names....	Tobias Geerinckx-Rice
2021-10-03	bash completion: Complete ‘guix weather’ packages....	Tobias Geerinckx-Rice
2021-10-03	bash completion: Append to $COMPREPLY where possible....	Tobias Geerinckx-Rice
2021-10-03	bash completion: Consolidate similar $command ‘if’ branches....	Tobias Geerinckx-Rice
2021-06-16	bash_completion: Complete options for ‘guix environment’....	Tobias Geerinckx-Rice
2021-06-16	bash completion: Complete options for the right command....	Tobias Geerinckx-Rice
2021-06-16	bash completion: Really support subcommands....	Tobias Geerinckx-Rice
2020-12-04	bash completion: Complete file names after '-f' and '-l'....	Ludovic Courtès