import UBI python-pip-21.3.1-1.el9

This commit is contained in:
eabdullin 2024-11-12 10:46:01 +00:00
parent 6b400f4d72
commit a4973eddaf
5 changed files with 97 additions and 83 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/pip-21.2.3.tar.gz
SOURCES/pip-21.3.1.tar.gz


@ -1 +1 @@
c899dfeece28336424046e097bc48783a5d4264b SOURCES/pip-21.2.3.tar.gz
5f98a502c4ae2fec713eda155bf5994196d97cd9 SOURCES/pip-21.3.1.tar.gz


@ -1,9 +1,20 @@
Minimal patch for pip
From 1819805f2019c731bcaefd6b12fd814790f88fcd Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Tue, 19 Mar 2024 12:43:07 +0100
Subject: [PATCH] cve-2007-4559-tarfile
diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py
--- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100
+++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200
@@ -184,6 +184,13 @@
Minimal patch for pip
---
src/pip/_internal/utils/unpacking.py | 7 +++++++
src/pip/_vendor/distlib/util.py | 13 +++++++++++++
tests/unit/test_utils_unpacking.py | 17 +++++++++++++++++
3 files changed, 37 insertions(+)
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
index 5f63f97..c31542f 100644
--- a/src/pip/_internal/utils/unpacking.py
+++ b/src/pip/_internal/utils/unpacking.py
@@ -184,6 +184,13 @@ def untar_file(filename: str, location: str) -> None:
"outside target directory ({})"
)
raise InstallationError(message.format(filename, path, location))
@ -17,15 +28,36 @@ diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/ut
if member.isdir():
ensure_dir(path)
elif member.issym():
Test from https://github.com/pypa/pip/pull/12214
diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py
--- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100
+++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200
@@ -167,6 +167,23 @@
test_tar = self.make_tar_file('test_tar.tar', files)
diff --git a/src/pip/_vendor/distlib/util.py b/src/pip/_vendor/distlib/util.py
index 80bfc86..7e0941a 100644
--- a/src/pip/_vendor/distlib/util.py
+++ b/src/pip/_vendor/distlib/util.py
@@ -1249,6 +1249,19 @@ def unarchive(archive_filename, dest_dir, format=None, check=True):
for tarinfo in archive.getmembers():
if not isinstance(tarinfo.name, text_type):
tarinfo.name = tarinfo.name.decode('utf-8')
+
+ # Limit extraction of dangerous items, if this Python
+ # allows it easily. If not, just trust the input.
+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
+ def extraction_filter(member, path):
+ """Run tarfile.tar_fillter, but raise the expected ValueError"""
+ # This is only called if the current Python has tarfile filters
+ try:
+ return tarfile.tar_filter(member, path)
+ except tarfile.FilterError as exc:
+ raise ValueError(str(exc))
+ archive.extraction_filter = extraction_filter
+
archive.extractall(dest_dir)
finally:
diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
index ccb7a30..05324ad 100644
--- a/tests/unit/test_utils_unpacking.py
+++ b/tests/unit/test_utils_unpacking.py
@@ -171,6 +171,23 @@ class TestUnpackArchives:
test_tar = self.make_tar_file("test_tar.tar", files)
untar_file(test_tar, self.tempdir)
+ def test_unpack_tar_filter(self) -> None:
@ -46,33 +78,8 @@ diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_
+
+
def test_unpack_tar_unicode(tmpdir):
def test_unpack_tar_unicode(tmpdir: Path) -> None:
test_tar = tmpdir / "test.tar"
--
2.44.0
Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
diff --git a/distlib/util.py b/distlib/util.py
index e0622e4..4349d0b 100644
--- a/src/pip/_vendor/distlib/util.py
+++ b/src/pip/_vendor/distlib/util.py
@@ -1249,6 +1249,19 @@ def check_path(path):
for tarinfo in archive.getmembers():
if not isinstance(tarinfo.name, text_type):
tarinfo.name = tarinfo.name.decode('utf-8')
+
+ # Limit extraction of dangerous items, if this Python
+ # allows it easily. If not, just trust the input.
+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
+ def extraction_filter(member, path):
+ """Run tarfile.tar_fillter, but raise the expected ValueError"""
+ # This is only called if the current Python has tarfile filters
+ try:
+ return tarfile.tar_filter(member, path)
+ except tarfile.FilterError as exc:
+ raise ValueError(str(exc))
+ archive.extraction_filter = extraction_filter
+
archive.extractall(dest_dir)
finally:
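Review bot: In the `extraction_filter` wrapper added to the vendored distlib `unarchive` hunk, `raise ValueError(str(exc))` discards the original `tarfile.FilterError`, so a caller or a log sees only the message text and not which FilterError subclass rejected the member; `raise ValueError(str(exc)) from exc` keeps the chain while preserving the ValueError contract the docstring promises. The docstring on the same function misspells the stdlib helper as `tar_fillter`; it should read `"""Run tarfile.tar_filter, but raise the expected ValueError"""`. The comment `If not, just trust the input.` describes a real gap: on an interpreter without extraction filters the assigned attribute is simply ignored and the archive is extracted unfiltered, so the protection rests on the package's runtime requirement for a filter-capable Python (noted in the spec changelog) rather than on this code, and that dependency is worth stating in the patch header. This hunk mirrors upstream distlib PR 201, so the exception-chaining fix is probably best carried there rather than as a downstream-only divergence.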


@ -1,10 +1,11 @@
From aca0c9df4ef54f70a3fedb07f4faac463f88a331 Mon Sep 17 00:00:00 2001
From: Karolina Surma <ksurma@redhat.com>
Date: Mon, 10 May 2021 18:16:20 +0200
From f5c7cdc676e6884580fde4689a296ff50a9847a5 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 20 Mar 2024 13:43:12 +0100
Subject: [PATCH] Prevent removing of the system packages installed under
/usr/lib
when pip install -U is executed.
/usr/lib when pip install -U is executed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: rhbz#1550368
@ -21,10 +22,10 @@ Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py
index 4c58cdb..3570e17 100644
index 95dacab..b9679fa 100644
--- a/src/pip/_internal/req/req_install.py
+++ b/src/pip/_internal/req/req_install.py
@@ -43,6 +43,7 @@ from pip._internal.utils.misc import (
@@ -47,6 +47,7 @@ from pip._internal.utils.misc import (
ask_path_exists,
backup_dir,
display_path,
@ -32,9 +33,9 @@ index 4c58cdb..3570e17 100644
dist_in_site_packages,
dist_in_usersite,
get_distribution,
@@ -426,7 +427,7 @@ class InstallRequirement:
"lack sys.path precedence to {} in {}".format(
existing_dist.project_name, existing_dist.location)
@@ -442,7 +443,7 @@ class InstallRequirement:
existing_dist.project_name, existing_dist.location
)
)
- else:
+ elif dist_in_install_path(existing_dist):
@ -42,18 +43,18 @@ index 4c58cdb..3570e17 100644
else:
if self.editable:
diff --git a/src/pip/_internal/resolution/legacy/resolver.py b/src/pip/_internal/resolution/legacy/resolver.py
index 4df8f7e..dda2292 100644
index 09caaa6..c1542ec 100644
--- a/src/pip/_internal/resolution/legacy/resolver.py
+++ b/src/pip/_internal/resolution/legacy/resolver.py
@@ -42,6 +42,7 @@ from pip._internal.resolution.base import BaseResolver, InstallRequirementProvid
@@ -44,6 +44,7 @@ from pip._internal.resolution.base import BaseResolver, InstallRequirementProvid
from pip._internal.utils.compatibility_tags import get_supported
from pip._internal.utils.logging import indent_log
from pip._internal.utils.misc import dist_in_usersite, normalize_version_info
+from pip._internal.utils.misc import dist_in_install_path
from pip._internal.utils.packaging import check_requires_python, get_requires_python
from pip._internal.utils.packaging import check_requires_python
logger = logging.getLogger(__name__)
@@ -194,7 +195,9 @@ class Resolver(BaseResolver):
@@ -203,7 +204,9 @@ class Resolver(BaseResolver):
"""
# Don't uninstall the conflict if doing a user install and the
# conflict is not a user install.
@ -65,7 +66,7 @@ index 4df8f7e..dda2292 100644
req.satisfied_by = None
diff --git a/src/pip/_internal/resolution/resolvelib/factory.py b/src/pip/_internal/resolution/resolvelib/factory.py
index e7fd344..555e657 100644
index 766dc26..baf61ba 100644
--- a/src/pip/_internal/resolution/resolvelib/factory.py
+++ b/src/pip/_internal/resolution/resolvelib/factory.py
@@ -1,6 +1,7 @@
@ -76,7 +77,7 @@ index e7fd344..555e657 100644
from typing import (
TYPE_CHECKING,
Dict,
@@ -34,6 +35,7 @@ from pip._internal.exceptions import (
@@ -33,6 +34,7 @@ from pip._internal.exceptions import (
UnsupportedWheel,
)
from pip._internal.index.package_finder import PackageFinder
@ -84,15 +85,15 @@ index e7fd344..555e657 100644
from pip._internal.metadata import BaseDistribution, get_default_environment
from pip._internal.models.link import Link
from pip._internal.models.wheel import Wheel
@@ -46,6 +48,7 @@ from pip._internal.req.req_install import (
@@ -45,6 +47,7 @@ from pip._internal.req.req_install import (
from pip._internal.resolution.base import InstallRequirementProvider
from pip._internal.utils.compatibility_tags import get_supported
from pip._internal.utils.hashes import Hashes
+from pip._internal.utils.misc import dist_location
from pip._internal.utils.packaging import get_requirement
from pip._internal.utils.virtualenv import running_under_virtualenv
from .base import Candidate, CandidateVersion, Constraint, Requirement
@@ -525,6 +528,13 @@ class Factory:
@@ -526,6 +529,13 @@ class Factory:
if dist is None: # Not installed, no uninstallation required.
return None
@ -107,18 +108,18 @@ index e7fd344..555e657 100644
# be uninstalled, no matter it's in global or user site, because the
# user site installation has precedence over global.
diff --git a/src/pip/_internal/utils/misc.py b/src/pip/_internal/utils/misc.py
index 99ebea3..5901687 100644
index d3e9053..d25d1c3 100644
--- a/src/pip/_internal/utils/misc.py
+++ b/src/pip/_internal/utils/misc.py
@@ -40,6 +40,7 @@ from pip._vendor.tenacity import retry, stop_after_delay, wait_fixed
@@ -38,6 +38,7 @@ from pip._vendor.tenacity import retry, stop_after_delay, wait_fixed
from pip import __version__
from pip._internal.exceptions import CommandError
from pip._internal.locations import get_major_minor_version, site_packages, user_site
+from pip._internal.locations import get_scheme
from pip._internal.utils.compat import WINDOWS, stdlib_pkgs
from pip._internal.utils.virtualenv import (
running_under_virtualenv,
@@ -382,6 +383,16 @@ def dist_in_site_packages(dist):
from pip._internal.utils.compat import WINDOWS
from pip._internal.utils.egg_link import egg_link_path_from_location
from pip._internal.utils.virtualenv import running_under_virtualenv
@@ -354,6 +355,16 @@ def dist_in_site_packages(dist: Distribution) -> bool:
return dist_location(dist).startswith(normalize_path(site_packages))
@ -132,9 +133,9 @@ index 99ebea3..5901687 100644
+ get_scheme("").purelib.split('python')[0]))
+
+
def dist_is_editable(dist):
# type: (Distribution) -> bool
"""
def get_distribution(req_name: str) -> Optional[Distribution]:
"""Given a requirement name, return the installed Distribution object.
--
2.32.0
2.44.0
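Review bot: In the misc.py hunk of the rebased patch, the install-path prefix is derived with `get_scheme("").purelib.split('python')[0]`, which cuts at the first occurrence of the substring `python` anywhere in the purelib path; if the installation prefix itself contains that substring (an interpreter installed under a directory named `python`, for example), the derived prefix is truncated and the helper the other hunks import as `dist_in_install_path` would appear to match many more locations than intended. Splitting from the right, `get_scheme("").purelib.rsplit('python', 1)[0]`, gives the same result for the usual `/usr/lib/python3.X/site-packages` layout while anchoring on the interpreter directory rather than the first match. The enclosing function starts outside the visible hunk, so the surrounding normalization and how its result feeds the uninstall decision cannot be confirmed from here.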


@ -13,7 +13,7 @@
%endif
%global srcname pip
%global base_version 21.2.3
%global base_version 21.3.1
%global upstream_version %{base_version}%{?prerel}
%global python_wheel_name %{srcname}-%{upstream_version}-py3-none-any.whl
@ -21,7 +21,7 @@
Name: python-%{srcname}
Version: %{base_version}%{?prerel:~%{prerel}}
Release: 8%{?dist}
Release: 1%{?dist}
Summary: A tool for installing and managing Python packages
# We bundle a lot of libraries with pip, which itself is under MIT license.
@ -128,27 +128,27 @@ Packages" or "Pip Installs Python".
# You can generate it with:
# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{1}dist' src/pip/_vendor/vendor.txt
%global bundled() %{expand:
Provides: bundled(python%{1}dist(appdirs)) = 1.4.4
Provides: bundled(python%{1}dist(cachecontrol)) = 0.12.6
Provides: bundled(python%{1}dist(certifi)) = 2021.5.30
Provides: bundled(python%{1}dist(chardet)) = 4
Provides: bundled(python%{1}dist(colorama)) = 0.4.4
Provides: bundled(python%{1}dist(distlib)) = 0.3.2
Provides: bundled(python%{1}dist(distro)) = 1.5
Provides: bundled(python%{1}dist(distlib)) = 0.3.3
Provides: bundled(python%{1}dist(distro)) = 1.6
Provides: bundled(python%{1}dist(html5lib)) = 1.1
Provides: bundled(python%{1}dist(idna)) = 3.2
Provides: bundled(python%{1}dist(msgpack)) = 1.0.2
Provides: bundled(python%{1}dist(packaging)) = 21
Provides: bundled(python%{1}dist(pep517)) = 0.11
Provides: bundled(python%{1}dist(progress)) = 1.5
Provides: bundled(python%{1}dist(pep517)) = 0.12
Provides: bundled(python%{1}dist(platformdirs)) = 2.4
Provides: bundled(python%{1}dist(progress)) = 1.6
Provides: bundled(python%{1}dist(pyparsing)) = 2.4.7
Provides: bundled(python%{1}dist(requests)) = 2.26
Provides: bundled(python%{1}dist(resolvelib)) = 0.7.1
Provides: bundled(python%{1}dist(resolvelib)) = 0.8
Provides: bundled(python%{1}dist(setuptools)) = 44
Provides: bundled(python%{1}dist(six)) = 1.16
Provides: bundled(python%{1}dist(tenacity)) = 8.0.1
Provides: bundled(python%{1}dist(tomli)) = 1.0.3
Provides: bundled(python%{1}dist(urllib3)) = 1.26.6
Provides: bundled(python%{1}dist(urllib3)) = 1.26.7
Provides: bundled(python%{1}dist(webencodings)) = 0.5.1
}
@ -375,11 +375,13 @@ pytest_k='not completion and
not test_from_link_vcs_without_source_dir and
not test_should_cache_git_sha'
# test_pep517 and test_pep660 are ignored entirely, as they import tomli_w and we don't have that packaged yet
# --deselect'ed tests are not compatible with the latest virtualenv
# These files contain almost 500 tests so we should enable them back
# as soon as pip will be compatible upstream
# https://github.com/pypa/pip/pull/8441
%pytest -m 'not network' -k "$(echo $pytest_k)" \
--ignore tests/functional/test_pep660.py --ignore tests/functional/test_pep517.py \
--deselect tests/functional --deselect tests/lib/test_lib.py --deselect tests/unit/test_build_env.py
%endif
@ -416,6 +418,10 @@ pytest_k='not completion and
%{python_wheel_dir}/%{python_wheel_name}
%changelog
* Tue Mar 19 2024 Lumír Balhar <lbalhar@redhat.com> - 21.3.1-1
- Update to 21.3.1
Resolves: RHEL-29310
* Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 21.2.3-8
- Require Python with tarfile filters
Resolves: RHEL-25451