SOURCES/cve-2007-4559-tarfile.patch

@@ -1,47 +0,0 @@
-Minimal patch for pip
-
-diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py
---- a/pip/utils/__init__.py	2022-11-05 16:25:43.000000000 +0100
-+++ b/pip/utils/__init__.py	2023-08-08 13:17:47.705613554 +0200
-@@ -559,6 +559,13 @@
-             if leading:
-                 fn = split_leading_dir(fn)[1]
-             path = os.path.join(location, fn)
-+
-+            # Call the `data` filter for its side effect (raising exception)
-+            try:
-+                tarfile.data_filter(member.replace(name=fn), location)
-+            except tarfile.LinkOutsideDestinationError:
-+                pass
-+
-             if member.isdir():
-                 ensure_dir(path)
-             elif member.issym():
-
-
-Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
-
-diff --git a/distlib/util.py b/distlib/util.py
-index e0622e4..4349d0b 100644
---- a/pip/_vendor/distlib/util.py
-+++ b/pip/_vendor/distlib/util.py
-@@ -1249,6 +1249,19 @@ def check_path(path):
-             for tarinfo in archive.getmembers():
-                 if not isinstance(tarinfo.name, text_type):
-                     tarinfo.name = tarinfo.name.decode('utf-8')
-+
-+        # Limit extraction of dangerous items, if this Python
-+        # allows it easily. If not, just trust the input.
-+        # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
-+        def extraction_filter(member, path):
-+            """Run tarfile.tar_fillter, but raise the expected ValueError"""
-+            # This is only called if the current Python has tarfile filters
-+            try:
-+                return tarfile.tar_filter(member, path)
-+            except tarfile.FilterError as exc:
-+                raise ValueError(str(exc))
-+        archive.extraction_filter = extraction_filter
-+
-         archive.extractall(dest_dir)
- 
-     finally:

SPECS/python-pip.spec

@@ -14,7 +14,7 @@
 Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version:        9.0.3
-Release:        24%{?dist}
+Release:        22%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 Group:          Development/Libraries
@@ -129,13 +129,6 @@ Patch11:        CVE-2021-3572.patch
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
 Patch12:        skip_yanked_releases.patch
 
-# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
-# - Minimal downstream-only patch, to be replaced by upstream solution
-#   proposed in https://github.com/pypa/pip/pull/12214
-# - Patch for vendored distlib, accepted upstream:
-#   https://github.com/pypa/distlib/pull/201
-Patch13:         cve-2007-4559-tarfile.patch
-
 %global _description \
 pip is a package management system used to install and manage software packages \
 written in Python. Many packages can be found in the Python Package Index \
@@ -171,9 +164,6 @@ Requires:  platform-python-setuptools
 
 BuildRequires:  ca-certificates
 Requires:       ca-certificates
-# pip has to require explicit version of platform-python that provides
-# filters in tarfile module (fix for CVE-2007-4559).
-Requires:       platform-python >= 3.6.8-55
 
 # Virtual provides for the packages bundled by pip.
 # See the python2 list above for instructions.
@@ -226,8 +216,6 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package -n python3-%{srcname}-wheel
 Summary:        The pip wheel
-# Older Python does not provide tarfile filters (fix for CVE-2007-4559).
-Conflicts:      platform-python < 3.6.8-55
 
 # Virtual provides for the packages bundled by pip.
 # You can find the versions in pip/_vendor/vendor.txt file.
@@ -284,7 +272,6 @@ popd
 %endif
 %patch11 -p1
 %patch12 -p1
-%patch13 -p1
 
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
@@ -300,10 +287,6 @@ rm pip/_vendor/ordereddict.py
 rm -v pip/_vendor/distlib/*.exe
 sed -i '/\.exe/d' setup.py
 
-# Backports for Python 2
-rm pip/_vendor/distlib/_backport/tarfile.py
-rm pip/_vendor/distlib/_backport/shutil.py
-
 %build
 %if %{without bootstrap}
 %py3_build_wheel
@@ -399,14 +382,6 @@ py.test-%{python3_version} -m 'not network'
 %endif
 
 %changelog
-* Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-24
-- Require Python with tarfile filters
-Resolves: RHEL-25446
-
-* Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 9.0.3-23
-- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
-Resolves: RHBZ#2218241
-
 * Wed Oct 06 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-22
 - Remove bundled windows executables
 - Resolves: rhbz#2006788