From 13be3bc23d6c6cbb1fa2a4d4a4faa8368a5f4607 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Wed, 14 Feb 2024 11:52:36 +0100
Subject: [PATCH] Require Python with tarfile filters

Resolves: RHEL-25446
---
 python-pip.spec | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/python-pip.spec b/python-pip.spec
index bd4a082..f14ccf0 100644
--- a/python-pip.spec
+++ b/python-pip.spec
@@ -14,7 +14,7 @@ Name: python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version: 9.0.3
-Release: 23%{?dist}
+Release: 24%{?dist}
 Summary: A tool for installing and managing Python packages
 Group: Development/Libraries
@@ -171,6 +171,9 @@ Requires: platform-python-setuptools
 BuildRequires: ca-certificates
 Requires: ca-certificates
+# pip has to require explicit version of platform-python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires: platform-python >= 3.6.8-55
 # Virtual provides for the packages bundled by pip.
 # See the python2 list above for instructions.
@@ -223,6 +226,8 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package -n python3-%{srcname}-wheel
 Summary: The pip wheel
+# Older Python does not provide tarfile filters (fix for CVE-2007-4559).
+Conflicts: platform-python < 3.6.8-55
 # Virtual provides for the packages bundled by pip.
 # You can find the versions in pip/_vendor/vendor.txt file.
@@ -394,6 +399,10 @@ py.test-%{python3_version} -m 'not network'
 %endif
 %changelog
+* Wed Feb 14 2024 Lumír Balhar - 9.0.3-24
+- Require Python with tarfile filters
+Resolves: RHEL-25446
+
 * Tue Aug 08 2023 Petr Viktorin - 9.0.3-23
 - Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
 Resolves: RHBZ#2218241
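Review bot: The minimum platform-python build `3.6.8-55` is hard-coded twice, in the new `Requires:` of the `@@ -171,6 +171,9 @@` hunk and again in the `Conflicts:` of the wheel-subpackage hunk, so the two constraints can drift apart on the next rebase and the runtime requirement and the wheel conflict would no longer describe the same interpreter build. Defining it once near the top of the spec, e.g. `%global tarfile_filter_pyver 3.6.8-55`, and writing `Requires: platform-python >= %{tarfile_filter_pyver}` and `Conflicts: platform-python < %{tarfile_filter_pyver}` keeps both in step. The comment above the Requires could also say what the constraint protects rather than only naming the CVE, since the 9.0.3-23 changelog entry shows the spec already switched extraction to tarfile.data_filter: `# 9.0.3-23 extracts with tarfile.data_filter (PEP 706); that API exists only in platform-python >= 3.6.8-55, so require it explicitly (CVE-2007-4559).` Which subpackage this Requires lands in is not visible in the hunk; it follows `Requires: platform-python-setuptools`, so presumably python3-pip, which should be confirmed against the full spec.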