From bdf141d8173c1fde13203151743298a73b3b12af Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 30 Sep 2024 16:26:51 +0000
Subject: [PATCH] import CS python-pip-21.3.1-1.el9

---
 .gitignore | 2 +-
 .python-pip.metadata | 2 +-
 SOURCES/cve-2007-4559-tarfile.patch | 91 ++++++++++---------
 ...existing-dist-only-if-path-conflicts.patch | 61 +++++++------
 SPECS/python-pip.spec | 24 +++--
 5 files changed, 97 insertions(+), 83 deletions(-)

diff --git a/.gitignore b/.gitignore
index 17f25ed..e7ee0f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pip-21.2.3.tar.gz
+SOURCES/pip-21.3.1.tar.gz
diff --git a/.python-pip.metadata b/.python-pip.metadata
index 5bc4c55..9c63b24 100644
--- a/.python-pip.metadata
+++ b/.python-pip.metadata
@@ -1 +1 @@
-c899dfeece28336424046e097bc48783a5d4264b SOURCES/pip-21.2.3.tar.gz
+5f98a502c4ae2fec713eda155bf5994196d97cd9 SOURCES/pip-21.3.1.tar.gz
diff --git a/SOURCES/cve-2007-4559-tarfile.patch b/SOURCES/cve-2007-4559-tarfile.patch
index 4a27a8b..4b15642 100644
--- a/SOURCES/cve-2007-4559-tarfile.patch
+++ b/SOURCES/cve-2007-4559-tarfile.patch
@@ -1,9 +1,20 @@ -Minimal patch for pip +From 1819805f2019c731bcaefd6b12fd814790f88fcd Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Tue, 19 Mar 2024 12:43:07 +0100 +Subject: [PATCH] cve-2007-4559-tarfile -diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py ---- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 -+++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 -@@ -184,6 +184,13 @@ +Minimal patch for pip +--- + src/pip/_internal/utils/unpacking.py | 7 +++++++ + src/pip/_vendor/distlib/util.py | 13 +++++++++++++ + tests/unit/test_utils_unpacking.py | 17 +++++++++++++++++ + 3 files changed, 37 insertions(+) + +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 5f63f97..c31542f 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -184,6 +184,13 @@ def untar_file(filename: str, location: str) -> None: "outside target directory ({})" ) raise InstallationError(message.format(filename, path, location)) 
@@ -17,15 +28,36 @@ diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/ut if member.isdir(): ensure_dir(path) elif member.issym(): - - -Test from https://github.com/pypa/pip/pull/12214 - -diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py ---- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 -+++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 -@@ -167,6 +167,23 @@ - test_tar = self.make_tar_file('test_tar.tar', files) +diff --git a/src/pip/_vendor/distlib/util.py b/src/pip/_vendor/distlib/util.py +index 80bfc86..7e0941a 100644 +--- a/src/pip/_vendor/distlib/util.py ++++ b/src/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def unarchive(archive_filename, dest_dir, format=None, check=True): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py +index ccb7a30..05324ad 100644 +--- a/tests/unit/test_utils_unpacking.py ++++ b/tests/unit/test_utils_unpacking.py +@@ -171,6 +171,23 @@ class TestUnpackArchives: + test_tar = self.make_tar_file("test_tar.tar", files) untar_file(test_tar, self.tempdir) + def test_unpack_tar_filter(self) -> None: 
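Review bot: The docstring of the `extraction_filter` helper in the vendored distlib hunk still carries the typo `tar_fillter`; since this rebase rewrites that hunk anyway, the line should read `"""Run tarfile.tar_filter, but raise the expected ValueError"""`. The `except tarfile.FilterError as exc: raise ValueError(str(exc))` conversion also discards the exception chain, so `raise ValueError(str(exc)) from exc` would keep the original FilterError reachable in tracebacks while still raising the ValueError that callers expect. The comment "If not, just trust the input" describes a silent fallback on Pythons without extraction filters; it is only acceptable here because the spec's 21.2.3-8 changelog entry states that a Python with tarfile filters is required, and that dependency is worth mentioning next to the comment. The enclosing `unarchive` body continues outside the lines shown in this hunk.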
@@ -46,33 +78,8 @@ diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_ + + - def test_unpack_tar_unicode(tmpdir): + def test_unpack_tar_unicode(tmpdir: Path) -> None: test_tar = tmpdir / "test.tar" +-- +2.44.0 - -Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 - -diff --git a/distlib/util.py b/distlib/util.py -index e0622e4..4349d0b 100644 ---- a/src/pip/_vendor/distlib/util.py -+++ b/src/pip/_vendor/distlib/util.py -@@ -1249,6 +1249,19 @@ def check_path(path): - for tarinfo in archive.getmembers(): - if not isinstance(tarinfo.name, text_type): - tarinfo.name = tarinfo.name.decode('utf-8') -+ -+ # Limit extraction of dangerous items, if this Python -+ # allows it easily. If not, just trust the input. -+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters -+ def extraction_filter(member, path): -+ """Run tarfile.tar_fillter, but raise the expected ValueError""" -+ # This is only called if the current Python has tarfile filters -+ try: -+ return tarfile.tar_filter(member, path) -+ except tarfile.FilterError as exc: -+ raise ValueError(str(exc)) -+ archive.extraction_filter = extraction_filter -+ - archive.extractall(dest_dir) - - finally: diff --git a/SOURCES/remove-existing-dist-only-if-path-conflicts.patch b/SOURCES/remove-existing-dist-only-if-path-conflicts.patch index e68e892..1d5a27e 100644 --- a/SOURCES/remove-existing-dist-only-if-path-conflicts.patch +++ b/SOURCES/remove-existing-dist-only-if-path-conflicts.patch 
@@ -1,10 +1,11 @@ -From aca0c9df4ef54f70a3fedb07f4faac463f88a331 Mon Sep 17 00:00:00 2001 -From: Karolina Surma -Date: Mon, 10 May 2021 18:16:20 +0200 +From f5c7cdc676e6884580fde4689a296ff50a9847a5 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Wed, 20 Mar 2024 13:43:12 +0100 Subject: [PATCH] Prevent removing of the system packages installed under - /usr/lib - -when pip install -U is executed. + /usr/lib when pip install -U is executed. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit Resolves: rhbz#1550368 @@ -21,10 +22,10 @@ Co-Authored-By: Miro Hrončok 4 files changed, 27 insertions(+), 2 deletions(-) diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py -index 4c58cdb..3570e17 100644 +index 95dacab..b9679fa 100644 --- a/src/pip/_internal/req/req_install.py +++ b/src/pip/_internal/req/req_install.py -@@ -43,6 +43,7 @@ from pip._internal.utils.misc import ( +@@ -47,6 +47,7 @@ from pip._internal.utils.misc import ( ask_path_exists, backup_dir, display_path, @@ -32,9 +33,9 @@ index 4c58cdb..3570e17 100644 dist_in_site_packages, dist_in_usersite, get_distribution, -@@ -426,7 +427,7 @@ class InstallRequirement: - "lack sys.path precedence to {} in {}".format( - existing_dist.project_name, existing_dist.location) +@@ -442,7 +443,7 @@ class InstallRequirement: + existing_dist.project_name, existing_dist.location + ) ) - else: + elif dist_in_install_path(existing_dist): @@ -42,18 +43,18 @@ index 4c58cdb..3570e17 100644 else: if self.editable: diff --git a/src/pip/_internal/resolution/legacy/resolver.py b/src/pip/_internal/resolution/legacy/resolver.py -index 4df8f7e..dda2292 100644 +index 09caaa6..c1542ec 100644 --- a/src/pip/_internal/resolution/legacy/resolver.py 
+++ b/src/pip/_internal/resolution/legacy/resolver.py -@@ -42,6 +42,7 @@ from pip._internal.resolution.base import BaseResolver, InstallRequirementProvid +@@ -44,6 +44,7 @@ from pip._internal.resolution.base import BaseResolver, InstallRequirementProvid from pip._internal.utils.compatibility_tags import get_supported from pip._internal.utils.logging import indent_log from pip._internal.utils.misc import dist_in_usersite, normalize_version_info +from pip._internal.utils.misc import dist_in_install_path - from pip._internal.utils.packaging import check_requires_python, get_requires_python + from pip._internal.utils.packaging import check_requires_python logger = logging.getLogger(__name__) -@@ -194,7 +195,9 @@ class Resolver(BaseResolver): +@@ -203,7 +204,9 @@ class Resolver(BaseResolver): """ # Don't uninstall the conflict if doing a user install and the # conflict is not a user install. @@ -65,7 +66,7 @@ index 4df8f7e..dda2292 100644 req.satisfied_by = None diff --git a/src/pip/_internal/resolution/resolvelib/factory.py b/src/pip/_internal/resolution/resolvelib/factory.py -index e7fd344..555e657 100644 +index 766dc26..baf61ba 100644 --- a/src/pip/_internal/resolution/resolvelib/factory.py +++ b/src/pip/_internal/resolution/resolvelib/factory.py @@ -1,6 +1,7 @@ @@ -76,7 +77,7 @@ index e7fd344..555e657 100644 from typing import ( TYPE_CHECKING, Dict, -@@ -34,6 +35,7 @@ from pip._internal.exceptions import ( +@@ -33,6 +34,7 @@ from pip._internal.exceptions import ( UnsupportedWheel, ) from pip._internal.index.package_finder import PackageFinder 
@@ -84,15 +85,15 @@ index e7fd344..555e657 100644 from pip._internal.metadata import BaseDistribution, get_default_environment from pip._internal.models.link import Link from pip._internal.models.wheel import Wheel -@@ -46,6 +48,7 @@ from pip._internal.req.req_install import ( +@@ -45,6 +47,7 @@ from pip._internal.req.req_install import ( from pip._internal.resolution.base import InstallRequirementProvider from pip._internal.utils.compatibility_tags import get_supported from pip._internal.utils.hashes import Hashes +from pip._internal.utils.misc import dist_location + from pip._internal.utils.packaging import get_requirement from pip._internal.utils.virtualenv import running_under_virtualenv - from .base import Candidate, CandidateVersion, Constraint, Requirement -@@ -525,6 +528,13 @@ class Factory: +@@ -526,6 +529,13 @@ class Factory: if dist is None: # Not installed, no uninstallation required. return None @@ -107,18 +108,18 @@ index e7fd344..555e657 100644 # be uninstalled, no matter it's in global or user site, because the # user site installation has precedence over global. diff --git a/src/pip/_internal/utils/misc.py b/src/pip/_internal/utils/misc.py -index 99ebea3..5901687 100644 +index d3e9053..d25d1c3 100644 --- a/src/pip/_internal/utils/misc.py 
+++ b/src/pip/_internal/utils/misc.py -@@ -40,6 +40,7 @@ from pip._vendor.tenacity import retry, stop_after_delay, wait_fixed +@@ -38,6 +38,7 @@ from pip._vendor.tenacity import retry, stop_after_delay, wait_fixed from pip import __version__ from pip._internal.exceptions import CommandError from pip._internal.locations import get_major_minor_version, site_packages, user_site +from pip._internal.locations import get_scheme - from pip._internal.utils.compat import WINDOWS, stdlib_pkgs - from pip._internal.utils.virtualenv import ( - running_under_virtualenv, -@@ -382,6 +383,16 @@ def dist_in_site_packages(dist): + from pip._internal.utils.compat import WINDOWS + from pip._internal.utils.egg_link import egg_link_path_from_location + from pip._internal.utils.virtualenv import running_under_virtualenv +@@ -354,6 +355,16 @@ def dist_in_site_packages(dist: Distribution) -> bool: return dist_location(dist).startswith(normalize_path(site_packages)) @@ -132,9 +133,9 @@ index 99ebea3..5901687 100644 + get_scheme("").purelib.split('python')[0])) + + - def dist_is_editable(dist): - # type: (Distribution) -> bool - """ + def get_distribution(req_name: str) -> Optional[Distribution]: + """Given a requirement name, return the installed Distribution object. + -- -2.32.0 +2.44.0 diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index c458aa1..2ebc63c 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -13,7 +13,7 @@ %endif %global srcname pip -%global base_version 21.2.3 +%global base_version 21.3.1 %global upstream_version %{base_version}%{?prerel} %global python_wheel_name %{srcname}-%{upstream_version}-py3-none-any.whl @@ -21,7 +21,7 @@ Name: python-%{srcname} Version: %{base_version}%{?prerel:~%{prerel}} -Release: 8%{?dist} +Release: 1%{?dist} Summary: A tool for installing and managing Python packages # We bundle a lot of libraries with pip, which itself is under MIT license. 
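Review bot: The helper added after `dist_in_site_packages` in the nested misc.py hunk (presumably `dist_in_install_path`; its `def` line is outside the lines shown) still derives the install prefix with `get_scheme("").purelib.split('python')[0]`, which splits on the first occurrence of the substring, so a prefix path that itself contains `python` would yield a much shorter prefix and make unrelated distributions look like they live in the install path. Splitting on the last occurrence, `get_scheme("").purelib.rsplit('python', 1)[0]`, keeps the current result for the usual `/usr/lib/pythonX.Y/site-packages` layout while avoiding that truncation. The hunk only re-anchors the nested diff against the 21.3.1 context (`get_distribution` replaces `dist_is_editable`), so I cannot confirm from the visible lines whether the rest of the helper changed; the same fragile prefix derivation is what the `elif dist_in_install_path(existing_dist):` branch in the req_install.py hunk relies on.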
@@ -128,27 +128,27 @@ Packages" or "Pip Installs Python".
 # You can generate it with:
 # %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{1}dist' src/pip/_vendor/vendor.txt
 %global bundled() %{expand:
-Provides: bundled(python%{1}dist(appdirs)) = 1.4.4
 Provides: bundled(python%{1}dist(cachecontrol)) = 0.12.6
 Provides: bundled(python%{1}dist(certifi)) = 2021.5.30
 Provides: bundled(python%{1}dist(chardet)) = 4
 Provides: bundled(python%{1}dist(colorama)) = 0.4.4
-Provides: bundled(python%{1}dist(distlib)) = 0.3.2
-Provides: bundled(python%{1}dist(distro)) = 1.5
+Provides: bundled(python%{1}dist(distlib)) = 0.3.3
+Provides: bundled(python%{1}dist(distro)) = 1.6
 Provides: bundled(python%{1}dist(html5lib)) = 1.1
 Provides: bundled(python%{1}dist(idna)) = 3.2
 Provides: bundled(python%{1}dist(msgpack)) = 1.0.2
 Provides: bundled(python%{1}dist(packaging)) = 21
-Provides: bundled(python%{1}dist(pep517)) = 0.11
-Provides: bundled(python%{1}dist(progress)) = 1.5
+Provides: bundled(python%{1}dist(pep517)) = 0.12
+Provides: bundled(python%{1}dist(platformdirs)) = 2.4
+Provides: bundled(python%{1}dist(progress)) = 1.6
 Provides: bundled(python%{1}dist(pyparsing)) = 2.4.7
 Provides: bundled(python%{1}dist(requests)) = 2.26
-Provides: bundled(python%{1}dist(resolvelib)) = 0.7.1
+Provides: bundled(python%{1}dist(resolvelib)) = 0.8
 Provides: bundled(python%{1}dist(setuptools)) = 44
 Provides: bundled(python%{1}dist(six)) = 1.16
 Provides: bundled(python%{1}dist(tenacity)) = 8.0.1
 Provides: bundled(python%{1}dist(tomli)) = 1.0.3
-Provides: bundled(python%{1}dist(urllib3)) = 1.26.6
+Provides: bundled(python%{1}dist(urllib3)) = 1.26.7
 Provides: bundled(python%{1}dist(webencodings)) = 0.5.1
 }
 
@@ -375,11 +375,13 @@ pytest_k='not completion and not test_from_link_vcs_without_source_dir and not test_should_cache_git_sha' +# test_pep517 and test_pep660 are ignored entirely, as they import tomli_w and we don't have that packaged yet # --deselect'ed tests are not compatible with the latest virtualenv # These files contain almost 500 tests so we should enable them back # as soon as pip will be compatible upstream # https://github.com/pypa/pip/pull/8441 %pytest -m 'not network' -k "$(echo $pytest_k)" \ + --ignore tests/functional/test_pep660.py --ignore tests/functional/test_pep517.py \ --deselect tests/functional --deselect tests/lib/test_lib.py --deselect tests/unit/test_build_env.py %endif @@ -416,6 +418,10 @@ pytest_k='not completion and %{python_wheel_dir}/%{python_wheel_name} %changelog +* Tue Mar 19 2024 Lumír Balhar - 21.3.1-1 +- Update to 21.3.1 +Resolves: RHEL-29310 + * Wed Feb 14 2024 Lumír Balhar - 21.2.3-8 - Require Python with tarfile filters Resolves: RHEL-25451