import python-pip-9.0.3-20.el8
This commit is contained in:
		
							parent
							
								
									020e1ddbea
								
							
						
					
					
						commit
						5063e29959
					
				
							
								
								
									
						
									
										53
									
								
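--- /dev/null
+++ b/SOURCES/CVE-2021-3572.patch
@@ -0,0 +1,53 @@
+Backport of https://github.com/pypa/pip/pull/9827 with parts of
+https://github.com/pypa/pip/pull/4690 to make it work with pip v9.0.1
+diff --git a/pip/vcs/git.py b/pip/vcs/git.py
+index 2187dd8..d1502f8 100644
+--- a/pip/vcs/git.py
++++ b/pip/vcs/git.py
+@@ -81,7 +81,7 @@ class Git(VersionControl):
+         and branches may need origin/ as a prefix.
+         Returns the SHA1 of the branch or tag if found.
+         """
+-        revisions = self.get_short_refs(dest)
++        revisions = self.get_short_refs(dest, rev)
+ 
+         origin_rev = 'origin/%s' % rev
+         if origin_rev in revisions:
+@@ -171,12 +171,20 @@ class Git(VersionControl):
+             ['rev-parse', 'HEAD'], show_stdout=False, cwd=location)
+         return current_rev.strip()
+ 
+-    def get_full_refs(self, location):
++    def get_full_refs(self, location, pattern=''):
+         """Yields tuples of (commit, ref) for branches and tags"""
+-        output = self.run_command(['show-ref'],
++        output = self.run_command(['show-ref', pattern],
+                                   show_stdout=False, cwd=location)
+-        for line in output.strip().splitlines():
+-            commit, ref = line.split(' ', 1)
++        for line in output.split("\n"):
++            line = line.rstrip("\r")
++            if not line:
++                continue
++            try:
++                commit, ref = line.split(' ', 1)
++            except ValueError:
++                # Include the offending line to simplify troubleshooting if
++                # this error ever occurs.
++                raise ValueError(f'unexpected show-ref line: {line!r}')
+             yield commit.strip(), ref.strip()
+ 
+     def is_ref_remote(self, ref):
+@@ -200,10 +208,10 @@ class Git(VersionControl):
+     def get_refs(self, location):
+         return self.get_short_refs(location)
+ 
+-    def get_short_refs(self, location):
++    def get_short_refs(self, location, pattern=''):
+         """Return map of named refs (branches or tags) to commit hashes."""
+         rv = {}
+-        for commit, ref in self.get_full_refs(location):
++        for commit, ref in self.get_full_refs(location, pattern):
+             ref_name = None
+             if self.is_ref_remote(ref):
+                 ref_name = ref[len('refs/remotes/'):]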
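Review bot: The `output = self.run_command(['show-ref', pattern], ...)` line keeps run_command's default error handling, but `git show-ref <pattern>` exits non-zero when no ref matches — precisely the situation `check_rev_options` (first inner hunk; its fallback `else` branch that warns "assuming commit" lies outside the hunk) is meant to tolerate when `rev` is a commit hash rather than a branch or tag. Unless pip 9's run_command is lenient by default, installing from a `git+...@<sha>` URL would now raise before the refs are inspected, where the old unfiltered `show-ref` could not fail that way; upstream's equivalent call ignores that exit status, so the backport likely needs `output = self.run_command(['show-ref', pattern], show_stdout=False, cwd=location, on_returncode='ignore')` — confirm that keyword exists in this pip version. The same argument building also passes an empty-string pattern whenever `get_refs` calls `get_short_refs(location)` without one (third inner hunk), which is not the same as omitting the pattern; `cmd = ['show-ref'] + ([pattern] if pattern else [])` preserves the original unfiltered listing on that path. The `split("\n")` / `rstrip("\r")` loop is the actual CVE-2021-3572 mitigation (it stops Unicode line separators inside a ref name, which `splitlines()` would honour, from being parsed as an extra ref line) and looks correct; a one-line comment saying so above the loop would help the next backporter keep it.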
| @ -14,7 +14,7 @@ | ||||
| Name:           python-%{srcname} | ||||
| # When updating, update the bundled libraries versions bellow! | ||||
| Version:        9.0.3 | ||||
| Release:        19%{?dist} | ||||
| Release:        20%{?dist} | ||||
| Summary:        A tool for installing and managing Python packages | ||||
| 
 | ||||
| Group:          Development/Libraries | ||||
| @ -116,6 +116,13 @@ Patch8:         CVE-2018-18074.patch | ||||
| Patch9:         pip-directory-traversal-security-issue.patch | ||||
| Patch10:        pip-directory-traversal-security-issue-tests.patch | ||||
| 
 | ||||
| # Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references | ||||
| # The patch is adjusted for older pip where it's necessary to also switch | ||||
| # the way pip gets revisions from git | ||||
| # Upstream PR: https://github.com/pypa/pip/pull/9827 | ||||
| # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856 | ||||
| Patch11:        CVE-2021-3572.patch | ||||
| 
 | ||||
| %global _description \ | ||||
| pip is a package management system used to install and manage software packages \ | ||||
| written in Python. Many packages can be found in the Python Package Index \ | ||||
| @ -257,6 +264,7 @@ popd | ||||
| %if %{with tests} | ||||
| %patch10 -p1 | ||||
| %endif | ||||
| %patch11 -p1 | ||||
| 
 | ||||
| # this goes together with patch4 | ||||
| rm pip/_vendor/certifi/*.pem | ||||
| @ -364,6 +372,10 @@ py.test-%{python3_version} -m 'not network' | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Jun 07 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-20 | ||||
| - Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references | ||||
| Resolves: rhbz#1962856 | ||||
| 
 | ||||
| * Fri Jan 08 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-19 | ||||
| - Fix bash completion files and simplify spec | ||||
| Resolves: rhbz#1904478 | ||||
|  | ||||