Updates from Fedora 34:

- Backport security fixes from pip 21.1.1 - Resolve rpmlint warnings & fix changelog typos Mainly to fix CVE-2021-3572. Resolves: rhbz#1962856
2021-05-17 11:48:32 +02:00 · 2021-05-17 11:48:32 +02:00 · 73f5d1f9c1
commit 73f5d1f9c1
parent 9c5f9aa61e
3 changed files with 162 additions and 7 deletions
--- a/9760.patch
+++ b/9760.patch
@ -0,0 +1,111 @@
+From 960c01adce491de00ef7a8d02a32fea31b15a1dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Fri, 2 Apr 2021 02:39:11 +0200
+Subject: [PATCH] Update urllib3 to 1.26.4 to fix CVE-2021-28363
+
+---
+ news/CVE-2021-28363.vendor.rst        |  1 +
+ src/pip/_vendor/urllib3/_version.py   |  2 +-
+ src/pip/_vendor/urllib3/connection.py |  8 ++++++--
+ src/pip/_vendor/urllib3/exceptions.py | 12 +++++++++++-
+ src/pip/_vendor/urllib3/util/retry.py |  1 +
+ src/pip/_vendor/vendor.txt            |  2 +-
+ 6 files changed, 21 insertions(+), 5 deletions(-)
+ create mode 100644 news/CVE-2021-28363.vendor.rst
+
+diff --git a/news/CVE-2021-28363.vendor.rst b/news/CVE-2021-28363.vendor.rst
+new file mode 100644
+index 00000000000..29700ab7469
+--- /dev/null
+++ b/news/CVE-2021-28363.vendor.rst
+@@ -0,0 +1 @@
+Update urllib3 to 1.26.4 to fix CVE-2021-28363
+diff --git a/src/pip/_vendor/urllib3/_version.py b/src/pip/_vendor/urllib3/_version.py
+index 2dba29e3fbe..97c983300b0 100644
+--- a/src/pip/_vendor/urllib3/_version.py
+++ b/src/pip/_vendor/urllib3/_version.py
+@@ -1,2 +1,2 @@
+ # This file is protected via CODEOWNERS
+-__version__ = "1.26.2"
+__version__ = "1.26.4"
+diff --git a/src/pip/_vendor/urllib3/connection.py b/src/pip/_vendor/urllib3/connection.py
+index 660d679c361..45580b7e1ea 100644
+--- a/src/pip/_vendor/urllib3/connection.py
+++ b/src/pip/_vendor/urllib3/connection.py
+@@ -67,7 +67,7 @@ class BrokenPipeError(Exception):
+ 
+ # When it comes time to update this value as a part of regular maintenance
+ # (ie test_recent_date is failing) update it to ~6 months before the current date.
+-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2020, 7, 1)
+ 
+ _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
+ 
+@@ -215,7 +215,7 @@ def putrequest(self, method, url, *args, **kwargs):
+ 
+     def putheader(self, header, *values):
+         """"""
+-        if SKIP_HEADER not in values:
+        if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
+             _HTTPConnection.putheader(self, header, *values)
+         elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
+             raise ValueError(
+@@ -490,6 +490,10 @@ def _connect_tls_proxy(self, hostname, conn):
+             self.ca_cert_dir,
+             self.ca_cert_data,
+         )
+        # By default urllib3's SSLContext disables `check_hostname` and uses
+        # a custom check. For proxies we're good with relying on the default
+        # verification.
+        ssl_context.check_hostname = True
+ 
+         # If no cert was provided, use only the default options for server
+         # certificate validation
+diff --git a/src/pip/_vendor/urllib3/exceptions.py b/src/pip/_vendor/urllib3/exceptions.py
+index d69958d5dfc..cba6f3f560f 100644
+--- a/src/pip/_vendor/urllib3/exceptions.py
+++ b/src/pip/_vendor/urllib3/exceptions.py
+@@ -289,7 +289,17 @@ class ProxySchemeUnknown(AssertionError, URLSchemeUnknown):
+     # TODO(t-8ch): Stop inheriting from AssertionError in v2.0.
+ 
+     def __init__(self, scheme):
+-        message = "Not supported proxy scheme %s" % scheme
+        # 'localhost' is here because our URL parser parses
+        # localhost:8080 -> scheme=localhost, remove if we fix this.
+        if scheme == "localhost":
+            scheme = None
+        if scheme is None:
+            message = "Proxy URL had no scheme, should start with http:// or https://"
+        else:
+            message = (
+                "Proxy URL had unsupported scheme %s, should use http:// or https://"
+                % scheme
+            )
+         super(ProxySchemeUnknown, self).__init__(message)
+ 
+ 
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index ee51f922f84..d25a41b42ea 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -253,6 +253,7 @@ def __init__(
+                 "Using 'method_whitelist' with Retry is deprecated and "
+                 "will be removed in v2.0. Use 'allowed_methods' instead",
+                 DeprecationWarning,
+                stacklevel=2,
+             )
+             allowed_methods = method_whitelist
+         if allowed_methods is _Default:
+diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
+index 51a5508479e..868baba6f01 100644
+--- a/src/pip/_vendor/vendor.txt
+++ b/src/pip/_vendor/vendor.txt
+@@ -13,7 +13,7 @@ requests==2.25.1
+     certifi==2020.12.05
+     chardet==4.0.0
+     idna==2.10
+-    urllib3==1.26.2
+    urllib3==1.26.4
+ resolvelib==0.5.4
+ retrying==1.3.3
+ setuptools==44.0.0
--- a/don-t-split-git-references-on-unicode-separators.patch
+++ b/don-t-split-git-references-on-unicode-separators.patch
@ -0,0 +1,33 @@
+From ca24e4bfa60cec8341ccf40000a41bc9592713df Mon Sep 17 00:00:00 2001
+From: Karolina Surma <ksurma@redhat.com>
+Date: Mon, 17 May 2021 11:34:30 +0200
+Subject: [PATCH] Don't split git references on unicode separators
+
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index cc22cd7..308e857 100644
+--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
+@@ -147,9 +147,15 @@ class Git(VersionControl):
+             on_returncode='ignore',
+         )
+         refs = {}
+-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
+             try:
+-                sha, ref = line.split()
+                sha, ref = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
+--
+2.31.1
+
--- a/python-pip.spec
+++ b/python-pip.spec
@ -22,7 +22,7 @@

 Name:           python-%{srcname}
 Version:        %{base_version}%{?prerel:~%{prerel}}
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A tool for installing and managing Python packages

 # We bundle a lot of libraries with pip, which itself is under MIT license.
@ -93,6 +93,17 @@ Patch5:         nowarn-pip._internal.main.patch
 # Upstream issue: https://github.com/pypa/packaging/issues/368
 Patch6:         no-version-warning.patch

+# Update vendored urrlib3 to 1.26.4 to fix CVE-2021-28363
+# Security patch backported from pip 21.1
+Patch7:         https://github.com/pypa/pip/pull/9760.patch
+
+# Don't split git references on unicode separators,
+# which could be maliciously used to install a different revision on the
+# repository.
+# Security patch backported from pip 21.1.1
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+Patch8:         don-t-split-git-references-on-unicode-separators.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older/newer versions.
@ -149,7 +160,7 @@ Provides: bundled(python%{1}dist(retrying)) = 1.3.3
 Provides: bundled(python%{1}dist(setuptools)) = 44
 Provides: bundled(python%{1}dist(six)) = 1.15
 Provides: bundled(python%{1}dist(toml)) = 0.10.2
-Provides: bundled(python%{1}dist(urllib3)) = 1.26.2
+Provides: bundled(python%{1}dist(urllib3)) = 1.26.4
 Provides: bundled(python%{1}dist(webencodings)) = 0.5.1
 }

@ -396,6 +407,9 @@ pytest_k='not completion and
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Mon May 17 2021 Karolina Surma <ksurma@redhat.com> - 21.0.1-4
+- Backport security fixes from pip 21.1.1
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com>
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

@ -419,9 +433,6 @@ Resolves: rhbz#1922592
 - New resolver
 - Fixes: rhbz#1893470

-* Fri Dec 04 2020 Miro Hrončok <mhroncok@redhat.com> - 20.2.4-2
- Disable tests and documentation in Fedora ELN (and RHEL)
-
 * Mon Oct 19 2020 Lumír Balhar <lbalhar@redhat.com> - 20.2.4-1
 - Update to 20.2.4 (#1889112)

@ -535,7 +546,7 @@ Resolves: rhbz#1922592
 - Create python-pip-wheel package with the wheel

 * Tue Jul 31 2018 Miro Hrončok <mhroncok@redhat.com> - 18.0-2
- Remove redundant "Unicode"" from License
+- Remove redundant "Unicode" from License

 * Mon Jul 23 2018 Marcel Plch <mplch@redhat.com> - 18.0-7
 - Update to 18.0
@ -752,7 +763,7 @@ Resolves: rhbz#1406922
 * Fri Jan 1 2010 Peter Halliday <phalliday@excelsiorsystems.net> - 0.6.1.4
 - fix dependency issue
 * Fri Dec 18 2009 Peter Halliday <phalliday@excelsiorsystems.net> - 0.6.1-2
- fix spec file 
+- fix spec file
 * Thu Dec 17 2009 Peter Halliday <phalliday@excelsiorsystems.net> - 0.6.1-1
 - upgrade to 0.6.1 of pip
 * Mon Aug 31 2009 Peter Halliday <phalliday@excelsiorsystems.net> - 0.4-1