From db5b7780123615780d75f4d62d3deed1b921f297 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 14 Nov 2023 19:02:14 +0000 Subject: [PATCH] import UBI python-pip-9.0.3-23.el8 --- SOURCES/cve-2007-4559-tarfile.patch | 47 +++++++++++++++++++++++++++++ SPECS/python-pip.spec | 18 ++++++++++- 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 SOURCES/cve-2007-4559-tarfile.patch diff --git a/SOURCES/cve-2007-4559-tarfile.patch b/SOURCES/cve-2007-4559-tarfile.patch new file mode 100644 index 0000000..5530e5e --- /dev/null +++ b/SOURCES/cve-2007-4559-tarfile.patch @@ -0,0 +1,47 @@ +Minimal patch for pip + +diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py +--- a/pip/utils/__init__.py 2022-11-05 16:25:43.000000000 +0100 ++++ b/pip/utils/__init__.py 2023-08-08 13:17:47.705613554 +0200 +@@ -559,6 +559,13 @@ + if leading: + fn = split_leading_dir(fn)[1] + path = os.path.join(location, fn) ++ ++ # Call the `data` filter for its side effect (raising exception) ++ try: ++ tarfile.data_filter(member.replace(name=fn), location) ++ except tarfile.LinkOutsideDestinationError: ++ pass ++ + if member.isdir(): + ensure_dir(path) + elif member.issym(): + + +Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 + +diff --git a/distlib/util.py b/distlib/util.py +index e0622e4..4349d0b 100644 +--- a/pip/_vendor/distlib/util.py ++++ b/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def check_path(path): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index 9ad42c0..bd4a082 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -14,7 +14,7 @@ Name: python-%{srcname} # When updating, update the bundled libraries versions bellow! Version: 9.0.3 -Release: 22%{?dist} +Release: 23%{?dist} Summary: A tool for installing and managing Python packages Group: Development/Libraries @@ -129,6 +129,13 @@ Patch11: CVE-2021-3572.patch # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135 Patch12: skip_yanked_releases.patch +# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting +# - Minimal downstream-only patch, to be replaced by upstream solution +# proposed in https://github.com/pypa/pip/pull/12214 +# - Patch for vendored distlib, accepted upstream: +# https://github.com/pypa/distlib/pull/201 +Patch13: cve-2007-4559-tarfile.patch + %global _description \ pip is a package management system used to install and manage software packages \ written in Python. Many packages can be found in the Python Package Index \ @@ -272,6 +279,7 @@ popd %endif %patch11 -p1 %patch12 -p1 +%patch13 -p1 # this goes together with patch4 rm pip/_vendor/certifi/*.pem @@ -287,6 +295,10 @@ rm pip/_vendor/ordereddict.py rm -v pip/_vendor/distlib/*.exe sed -i '/\.exe/d' setup.py +# Backports for Python 2 +rm pip/_vendor/distlib/_backport/tarfile.py +rm pip/_vendor/distlib/_backport/shutil.py + %build %if %{without bootstrap} %py3_build_wheel @@ -382,6 +394,10 @@ py.test-%{python3_version} -m 'not network' %endif %changelog +* Tue Aug 08 2023 Petr Viktorin - 9.0.3-23 +- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) +Resolves: RHBZ#2218241 + * Wed Oct 06 2021 Charalampos Stratakis - 9.0.3-22 - Remove bundled windows executables - Resolves: rhbz#2006788