10 changed files with 25 additions and 771 deletions
--- a/SOURCES/CVE-2018-18074.patch
+++ b/SOURCES/CVE-2018-18074.patch
@ -1,90 +0,0 @@
 From ffbfdb53681207b23bcf67dd76368ad6185ade24 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 16 Jan 2020 07:06:09 +0100
 Subject: [PATCH] Fix for CVE-2018-18074
 This patch contains the fix for CVE-2018-18074 and
 a subsequent regression fix combined in one.
 ---
 sessions.py | 36 +++++++++++++++++++++++++++++-------
 utils.py    |  1 +
 2 files changed, 30 insertions(+), 7 deletions(-)
 diff --git a/sessions.py b/sessions.py
 index 6570e73..4038047 100644
 --- a/sessions.py
 +++ b/sessions.py
@@ -29,7 +29,7 @@ from .adapters import HTTPAdapter
 from .utils import (
     requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies,
 -    get_auth_from_url, rewind_body
 +    get_auth_from_url, rewind_body, DEFAULT_PORTS
 )
 from .status_codes import codes
@@ -116,6 +116,32 @@ class SessionRedirectMixin(object):
             return to_native_string(location, 'utf8')
         return None
 +
 +    def should_strip_auth(self, old_url, new_url):
 +        """Decide whether Authorization header should be removed when redirecting"""
 +        old_parsed = urlparse(old_url)
 +        new_parsed = urlparse(new_url)
 +        if old_parsed.hostname != new_parsed.hostname:
 +            return True
 +        # Special case: allow http -> https redirect when using the standard
 +        # ports. This isn't specified by RFC 7235, but is kept to avoid
 +        # breaking backwards compatibility with older versions of requests
 +        # that allowed any redirects on the same host.
 +        if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
 +                and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
 +            return False
 +
 +        # Handle default port usage corresponding to scheme.
 +        changed_port = old_parsed.port != new_parsed.port
 +        changed_scheme = old_parsed.scheme != new_parsed.scheme
 +        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
 +        if (not changed_scheme and old_parsed.port in default_port
 +                and new_parsed.port in default_port):
 +            return False
 +
 +        # Standard case: root URI must match
 +        return changed_port or changed_scheme
 +
     def resolve_redirects(self, resp, req, stream=False, timeout=None,
                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
         """Receives a Response. Returns a generator of Responses or Requests."""
@@ -232,14 +258,10 @@ class SessionRedirectMixin(object):
         headers = prepared_request.headers
         url = prepared_request.url
 -        if 'Authorization' in headers:
 +        if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
             # If we get redirected to a new host, we should strip out any
             # authentication headers.
 -            original_parsed = urlparse(response.request.url)
 -            redirect_parsed = urlparse(url)
 -
 -            if (original_parsed.hostname != redirect_parsed.hostname):
 -                del headers['Authorization']
 +            del headers['Authorization']
         # .netrc might have more auth for us on our new host.
         new_auth = get_netrc_auth(url) if self.trust_env else None
 diff --git a/utils.py b/utils.py
 index 5c47de9..5695ab0 100644
 --- a/utils.py
 +++ b/utils.py
@@ -38,6 +38,7 @@ NETRC_FILES = ('.netrc', '_netrc')
 DEFAULT_CA_BUNDLE_PATH = certs.where()
 +DEFAULT_PORTS = {'http': 80, 'https': 443}
 if platform.system() == 'Windows':
     # provide a proxy_bypass version on Windows without DNS lookups
 -- 
 2.24.1
--- a/SOURCES/CVE-2018-20060.patch
+++ b/SOURCES/CVE-2018-20060.patch
@ -1,94 +0,0 @@
 From c734f873270cf9ca414832423f7aad98443c379f Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 9 Jan 2020 11:26:24 +0100
 Subject: [PATCH] CVE-2018-20060
 ---
 poolmanager.py | 11 ++++++++++-
 util/retry.py  | 12 +++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
 diff --git a/poolmanager.py b/poolmanager.py
 index 4ae9174..bfa5115 100644
 --- a/poolmanager.py
 +++ b/poolmanager.py
@@ -312,8 +312,9 @@ class PoolManager(RequestMethods):
         kw['assert_same_host'] = False
         kw['redirect'] = False
 +
         if 'headers' not in kw:
 -            kw['headers'] = self.headers
 +            kw['headers'] = self.headers.copy()
         if self.proxy is not None and u.scheme == "http":
             response = conn.urlopen(method, url, **kw)
@@ -335,6 +336,14 @@ class PoolManager(RequestMethods):
         if not isinstance(retries, Retry):
             retries = Retry.from_int(retries, redirect=redirect)
 +        # Strip headers marked as unsafe to forward to the redirected location.
 +        # Check remove_headers_on_redirect to avoid a potential network call within
 +        # conn.is_same_host() which may use socket.gethostbyname() in the future.
 +        if (retries.remove_headers_on_redirect
 +                and not conn.is_same_host(redirect_location)):
 +            for header in retries.remove_headers_on_redirect:
 +                kw['headers'].pop(header, None)
 +
         try:
             retries = retries.increment(method, url, response=response, _pool=conn)
         except MaxRetryError:
 diff --git a/util/retry.py b/util/retry.py
 index c603cb4..0b83963 100644
 --- a/util/retry.py
 +++ b/util/retry.py
@@ -126,6 +126,11 @@ class Retry(object):
         exhausted, to raise a MaxRetryError, or to return a response with a
         response code in the 3xx range.
 +    :param iterable remove_headers_on_redirect:
 +        Sequence of headers to remove from the request when a response
 +        indicating a redirect is returned before firing off the redirected
 +        request
 +
     :param bool raise_on_status: Similar meaning to ``raise_on_redirect``:
         whether we should raise an exception, or return a response,
         if status falls in ``status_forcelist`` range and retries have
@@ -144,6 +149,8 @@ class Retry(object):
     DEFAULT_METHOD_WHITELIST = frozenset([
         'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
 +    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
 +
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Maximum backoff time.
@@ -152,7 +159,8 @@ class Retry(object):
     def __init__(self, total=10, connect=None, read=None, redirect=None, status=None,
                  method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
                  backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
 -                 history=None, respect_retry_after_header=True):
 +                 history=None, respect_retry_after_header=True,
 +                 remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
         self.total = total
         self.connect = connect
@@ -171,6 +179,7 @@ class Retry(object):
         self.raise_on_status = raise_on_status
         self.history = history or tuple()
         self.respect_retry_after_header = respect_retry_after_header
 +        self.remove_headers_on_redirect = remove_headers_on_redirect
     def new(self, **kw):
         params = dict(
@@ -182,6 +191,7 @@ class Retry(object):
             raise_on_redirect=self.raise_on_redirect,
             raise_on_status=self.raise_on_status,
             history=self.history,
 +            remove_headers_on_redirect=self.remove_headers_on_redirect,
         )
         params.update(kw)
         return type(self)(**params)
 -- 
 2.24.1
--- a/SOURCES/CVE-2019-11236.patch
+++ b/SOURCES/CVE-2019-11236.patch
@ -1,43 +0,0 @@
 From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 9 Jan 2020 11:14:58 +0100
 Subject: [PATCH] CVE-2019-9740
 ---
 util/url.py | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/util/url.py b/util/url.py
 index 6b6f996..2784c85 100644
 --- a/util/url.py
 +++ b/util/url.py
@@ -1,5 +1,6 @@
 from __future__ import absolute_import
 from collections import namedtuple
 +import re
 from ..exceptions import LocationParseError
@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
 # urllib3 infers URLs without a scheme (None) to be http.
 NORMALIZABLE_SCHEMES = ('http', 'https', None)
 +_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
 +from ..packages.six.moves.urllib.parse import quote
 class Url(namedtuple('Url', url_attrs)):
     """
@@ -155,6 +158,10 @@ def parse_url(url):
         # Empty
         return Url()
 +    # Prevent CVE-2019-9740.
 +    # adapted from https://github.com/python/cpython/pull/12755
 +    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
 +
     scheme = None
     auth = None
     host = None
 -- 
 2.24.1
--- a/SOURCES/CVE-2019-11324.patch
+++ b/SOURCES/CVE-2019-11324.patch
@ -1,26 +0,0 @@
 From 54e768a6dbe3cadeb456dea37bbeaf6e1e17e87c Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 9 Jan 2020 10:47:27 +0100
 Subject: [PATCH] CVE-2019-11324 Certification mishandle when error should be
 thrown
 ---
 util/ssl_.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/util/ssl_.py b/util/ssl_.py
 index 32fd9ed..f9f12ff 100644
 --- a/util/ssl_.py
 +++ b/util/ssl_.py
@@ -319,7 +319,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
             if e.errno == errno.ENOENT:
                 raise SSLError(e)
             raise
 -    elif getattr(context, 'load_default_certs', None) is not None:
 +    elif ssl_context is None and hasattr(context, 'load_default_certs'):
         # try to load OS default certs; works well on Windows (require Python3.4+)
         context.load_default_certs()
 -- 
 2.24.1
--- a/SOURCES/CVE-2021-3572.patch
+++ b/SOURCES/CVE-2021-3572.patch
@ -1,53 +0,0 @@
 Backport of https://github.com/pypa/pip/pull/9827 with parts of
 https://github.com/pypa/pip/pull/4690 to make it work with pip v9.0.1
 diff --git a/pip/vcs/git.py b/pip/vcs/git.py
 index 2187dd8..d1502f8 100644
 --- a/pip/vcs/git.py
 +++ b/pip/vcs/git.py
@@ -81,7 +81,7 @@ class Git(VersionControl):
         and branches may need origin/ as a prefix.
         Returns the SHA1 of the branch or tag if found.
         """
 -        revisions = self.get_short_refs(dest)
 +        revisions = self.get_short_refs(dest, rev)
         origin_rev = 'origin/%s' % rev
         if origin_rev in revisions:
@@ -171,12 +171,20 @@ class Git(VersionControl):
             ['rev-parse', 'HEAD'], show_stdout=False, cwd=location)
         return current_rev.strip()
 -    def get_full_refs(self, location):
 +    def get_full_refs(self, location, pattern=''):
         """Yields tuples of (commit, ref) for branches and tags"""
 -        output = self.run_command(['show-ref'],
 +        output = self.run_command(['show-ref', pattern],
                                   show_stdout=False, cwd=location)
 -        for line in output.strip().splitlines():
 -            commit, ref = line.split(' ', 1)
 +        for line in output.split("\n"):
 +            line = line.rstrip("\r")
 +            if not line:
 +                continue
 +            try:
 +                commit, ref = line.split(' ', 1)
 +            except ValueError:
 +                # Include the offending line to simplify troubleshooting if
 +                # this error ever occurs.
 +                raise ValueError(f'unexpected show-ref line: {line!r}')
             yield commit.strip(), ref.strip()
     def is_ref_remote(self, ref):
@@ -200,10 +208,10 @@ class Git(VersionControl):
     def get_refs(self, location):
         return self.get_short_refs(location)
 -    def get_short_refs(self, location):
 +    def get_short_refs(self, location, pattern=''):
         """Return map of named refs (branches or tags) to commit hashes."""
         rv = {}
 -        for commit, ref in self.get_full_refs(location):
 +        for commit, ref in self.get_full_refs(location, pattern):
             ref_name = None
             if self.is_ref_remote(ref):
                 ref_name = ref[len('refs/remotes/'):]
--- a/SOURCES/cve-2007-4559-tarfile.patch
+++ b/SOURCES/cve-2007-4559-tarfile.patch
@ -1,47 +0,0 @@
 Minimal patch for pip
 diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py
 --- a/pip/utils/__init__.py	2022-11-05 16:25:43.000000000 +0100
 +++ b/pip/utils/__init__.py	2023-08-08 13:17:47.705613554 +0200
@@ -559,6 +559,13 @@
             if leading:
                 fn = split_leading_dir(fn)[1]
             path = os.path.join(location, fn)
 +
 +            # Call the `data` filter for its side effect (raising exception)
 +            try:
 +                tarfile.data_filter(member.replace(name=fn), location)
 +            except tarfile.LinkOutsideDestinationError:
 +                pass
 +
             if member.isdir():
                 ensure_dir(path)
             elif member.issym():
 Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
 diff --git a/distlib/util.py b/distlib/util.py
 index e0622e4..4349d0b 100644
 --- a/pip/_vendor/distlib/util.py
 +++ b/pip/_vendor/distlib/util.py
@@ -1249,6 +1249,19 @@ def check_path(path):
             for tarinfo in archive.getmembers():
                 if not isinstance(tarinfo.name, text_type):
                     tarinfo.name = tarinfo.name.decode('utf-8')
 +
 +        # Limit extraction of dangerous items, if this Python
 +        # allows it easily. If not, just trust the input.
 +        # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
 +        def extraction_filter(member, path):
 +            """Run tarfile.tar_fillter, but raise the expected ValueError"""
 +            # This is only called if the current Python has tarfile filters
 +            try:
 +                return tarfile.tar_filter(member, path)
 +            except tarfile.FilterError as exc:
 +                raise ValueError(str(exc))
 +        archive.extraction_filter = extraction_filter
 +
         archive.extractall(dest_dir)
     finally:
--- a/SOURCES/pip-directory-traversal-security-issue-tests.patch
+++ b/SOURCES/pip-directory-traversal-security-issue-tests.patch
@ -1,122 +0,0 @@
 From 7917dbda14ef64a5e7fdea48383a266577484ac8 Mon Sep 17 00:00:00 2001
 From: Tomas Orsava <torsava@redhat.com>
 Date: Wed, 19 Aug 2020 12:51:16 +0200
 Subject: [PATCH 2/2] FIX #6413 pip install <url> allow directory traversal
 (tests)
 ---
 tests/unit/test_download.py | 85 +++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 diff --git a/tests/unit/test_download.py b/tests/unit/test_download.py
 index ee4b11c..15f99ec 100644
 --- a/tests/unit/test_download.py
 +++ b/tests/unit/test_download.py
@@ -1,5 +1,6 @@
 import hashlib
 import os
 +import sys
 from io import BytesIO
 from shutil import rmtree, copy
 from tempfile import mkdtemp
@@ -13,6 +14,7 @@ import pip
 from pip.exceptions import HashMismatch
 from pip.download import (
     PipSession, SafeFileCache, path_to_url, unpack_http_url, url_to_path,
 +    _download_http_url, parse_content_disposition, sanitize_content_filename,
     unpack_file_url,
 )
 from pip.index import Link
@@ -123,6 +125,89 @@ def test_unpack_http_url_bad_downloaded_checksum(mock_unpack_file):
         rmtree(download_dir)
 +@pytest.mark.parametrize("filename, expected", [
 +    ('dir/file', 'file'),
 +    ('../file', 'file'),
 +    ('../../file', 'file'),
 +    ('../', ''),
 +    ('../..', '..'),
 +    ('/', ''),
 +])
 +def test_sanitize_content_filename(filename, expected):
 +    """
 +    Test inputs where the result is the same for Windows and non-Windows.
 +    """
 +    assert sanitize_content_filename(filename) == expected
 +
 +
 +@pytest.mark.parametrize("filename, win_expected, non_win_expected", [
 +    ('dir\\file', 'file', 'dir\\file'),
 +    ('..\\file', 'file', '..\\file'),
 +    ('..\\..\\file', 'file', '..\\..\\file'),
 +    ('..\\', '', '..\\'),
 +    ('..\\..', '..', '..\\..'),
 +    ('\\', '', '\\'),
 +])
 +def test_sanitize_content_filename__platform_dependent(
 +    filename,
 +    win_expected,
 +    non_win_expected
 +):
 +    """
 +    Test inputs where the result is different for Windows and non-Windows.
 +    """
 +    if sys.platform == 'win32':
 +        expected = win_expected
 +    else:
 +        expected = non_win_expected
 +    assert sanitize_content_filename(filename) == expected
 +
 +
 +@pytest.mark.parametrize("content_disposition, default_filename, expected", [
 +    ('attachment;filename="../file"', 'df', 'file'),
 +])
 +def test_parse_content_disposition(
 +    content_disposition,
 +    default_filename,
 +    expected
 +):
 +    actual = parse_content_disposition(content_disposition, default_filename)
 +    assert actual == expected
 +
 +
 +def test_download_http_url__no_directory_traversal(tmpdir):
 +    """
 +    Test that directory traversal doesn't happen on download when the
 +    Content-Disposition header contains a filename with a ".." path part.
 +    """
 +    mock_url = 'http://www.example.com/whatever.tgz'
 +    contents = b'downloaded'
 +    link = Link(mock_url)
 +
 +    session = Mock()
 +    resp = MockResponse(contents)
 +    resp.url = mock_url
 +    resp.headers = {
 +        # Set the content-type to a random value to prevent
 +        # mimetypes.guess_extension from guessing the extension.
 +        'content-type': 'random',
 +        'content-disposition': 'attachment;filename="../out_dir_file"'
 +    }
 +    session.get.return_value = resp
 +
 +    download_dir = tmpdir.join('download')
 +    os.mkdir(download_dir)
 +    file_path, content_type = _download_http_url(
 +        link,
 +        session,
 +        download_dir,
 +        hashes=None,
 +    )
 +    # The file should be downloaded to download_dir.
 +    actual = os.listdir(download_dir)
 +    assert actual == ['out_dir_file']
 +
 +
 @pytest.mark.skipif("sys.platform == 'win32'")
 def test_path_to_url_unix():
     assert path_to_url('/tmp/file') == 'file:///tmp/file'
 -- 
 2.25.4
--- a/SOURCES/pip-directory-traversal-security-issue.patch
+++ b/SOURCES/pip-directory-traversal-security-issue.patch
@ -1,79 +0,0 @@
 From 8044d9f2fbcb09f09a62b26ac1d8a134976bb2ac Mon Sep 17 00:00:00 2001
 From: gzpan123 <gzpan123@gmail.com>
 Date: Wed, 17 Apr 2019 21:25:45 +0800
 Subject: [PATCH 1/2] FIX #6413 pip install <url> allow directory traversal
 ---
 news/6413.bugfix |  3 +++
 pip/download.py  | 31 ++++++++++++++++++++++++++-----
 2 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 news/6413.bugfix
 diff --git a/news/6413.bugfix b/news/6413.bugfix
 new file mode 100644
 index 0000000..68d0a72
 --- /dev/null
 +++ b/news/6413.bugfix
@@ -0,0 +1,3 @@
 +Prevent ``pip install <url>`` from permitting directory traversal if e.g.
 +a malicious server sends a ``Content-Disposition`` header with a filename
 +containing ``../`` or ``..\\``.
 diff --git a/pip/download.py b/pip/download.py
 index 039e55a..b3d169b 100644
 --- a/pip/download.py
 +++ b/pip/download.py
@@ -54,7 +54,8 @@ __all__ = ['get_file_content',
            'is_url', 'url_to_path', 'path_to_url',
            'is_archive_file', 'unpack_vcs_link',
            'unpack_file_url', 'is_vcs_url', 'is_file_url',
 -           'unpack_http_url', 'unpack_url']
 +           'unpack_http_url', 'unpack_url',
 +           'parse_content_disposition', 'sanitize_content_filename']
 logger = logging.getLogger(__name__)
@@ -824,6 +825,29 @@ def unpack_url(link, location, download_dir=None,
         write_delete_marker_file(location)
 +def sanitize_content_filename(filename):
 +    # type: (str) -> str
 +    """
 +    Sanitize the "filename" value from a Content-Disposition header.
 +    """
 +    return os.path.basename(filename)
 +
 +
 +def parse_content_disposition(content_disposition, default_filename):
 +    # type: (str, str) -> str
 +    """
 +    Parse the "filename" value from a Content-Disposition header, and
 +    return the default filename if the result is empty.
 +    """
 +    _type, params = cgi.parse_header(content_disposition)
 +    filename = params.get('filename')
 +    if filename:
 +        # We need to sanitize the filename to prevent directory traversal
 +        # in case the filename contains ".." path parts.
 +        filename = sanitize_content_filename(filename)
 +    return filename or default_filename
 +
 +
 def _download_http_url(link, session, temp_dir, hashes):
     """Download link url into temp_dir using provided session"""
     target_url = link.url.split('#', 1)[0]
@@ -864,10 +888,7 @@ def _download_http_url(link, session, temp_dir, hashes):
     # Have a look at the Content-Disposition header for a better guess
     content_disposition = resp.headers.get('content-disposition')
     if content_disposition:
 -        type, params = cgi.parse_header(content_disposition)
 -        # We use ``or`` here because we don't want to use an "empty" value
 -        # from the filename param.
 -        filename = params.get('filename') or filename
 +        filename = parse_content_disposition(content_disposition, filename)
     ext = splitext(filename)[1]
     if not ext:
         ext = mimetypes.guess_extension(content_type)
 -- 
 2.25.4
--- a/SOURCES/skip_yanked_releases.patch
+++ b/SOURCES/skip_yanked_releases.patch
@ -1,91 +0,0 @@
 From b97ef609100fbdd5895dab48cdab578dfeba396c Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Fri, 10 Sep 2021 13:38:40 +0200
 Subject: [PATCH 1/2] Implement handling of yanked_reason from the HTML anchor
 ---
 pip/index.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
 diff --git a/pip/index.py b/pip/index.py
 index f653f6e6a..ced52ce5a 100644
 --- a/pip/index.py
 +++ b/pip/index.py
@@ -865,7 +865,11 @@ class HTMLPage(object):
                 )
                 pyrequire = anchor.get('data-requires-python')
                 pyrequire = unescape(pyrequire) if pyrequire else None
 -                yield Link(url, self, requires_python=pyrequire)
 +                yanked_reason = anchor.get('data-yanked', default=None)
 +                # Empty or valueless attribute are both parsed as empty string
 +                if yanked_reason is not None:
 +                    yanked_reason = unescape(yanked_reason)
 +                yield Link(url, self, requires_python=pyrequire, yanked_reason=yanked_reason)
     _clean_re = re.compile(r'[^a-z0-9$&+,/:;=?@.#%_\\|-]', re.I)
@@ -879,7 +883,7 @@ class HTMLPage(object):
 class Link(object):
 -    def __init__(self, url, comes_from=None, requires_python=None):
 +    def __init__(self, url, comes_from=None, requires_python=None, yanked_reason=None):
         """
         Object representing a parsed link from https://pypi.python.org/simple/*
@@ -900,6 +904,8 @@ class Link(object):
         self.url = url
         self.comes_from = comes_from
         self.requires_python = requires_python if requires_python else None
 +        self.yanked_reason = yanked_reason
 +        self.yanked = yanked_reason is not None
     def __str__(self):
         if self.requires_python:
 -- 
 2.31.1
 From d8dc6ee5d6809736dce43dc1e57d497f9ff91f26 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Fri, 10 Sep 2021 13:43:22 +0200
 Subject: [PATCH 2/2] Skip all yanked candidates if possible
 ---
 pip/index.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 diff --git a/pip/index.py b/pip/index.py
 index ced52ce5a..823bbaf7d 100644
 --- a/pip/index.py
 +++ b/pip/index.py
@@ -489,6 +489,27 @@ class PackageFinder(object):
         if applicable_candidates:
             best_candidate = max(applicable_candidates,
                                  key=self._candidate_sort_key)
 +            # If we cannot find a non-yanked candidate,
 +            # use the best one and print a warning about it.
 +            # Otherwise, try to find another best candidate, ignoring
 +            # all the yanked releases.
 +            if getattr(best_candidate.location, "yanked", False):
 +                nonyanked_candidates = [
 +                    c for c in applicable_candidates
 +                    if not getattr(c.location, "yanked", False)
 +                ]
 +
 +                if set(nonyanked_candidates):
 +                    best_candidate = max(nonyanked_candidates,
 +                                         key=self._candidate_sort_key)
 +                else:
 +                    warning_message = (
 +                        "WARNING: The candidate selected for download or install "
 +                        "is a yanked version: '{}' candidate (version {} at {})"
 +                    ).format(best_candidate.project, best_candidate.version, best_candidate.location)
 +                    if best_candidate.location.yanked_reason:
 +                        warning_message += "\nReason for being yanked: {}".format(best_candidate.location.yanked_reason)
 +                    logger.warning(warning_message)
         else:
             best_candidate = None
 -- 
 2.31.1
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@ -9,12 +9,17 @@
 %global python3_wheeldir %{_datadir}/python3-wheels
 %endif
 # Note that with disabled python3, bashcomp2 will be disabled as well because
 # bashcompdir will point to a different path than with python3 enabled.
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 %if "%{bashcompdir}" != "%{_sysconfdir}/bash_completion.d"
 %global bashcomp2 1
 %endif
 Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version:        9.0.3
-Release:        24%{?dist}
+Release:        15%{?dist}
 Summary:        A tool for installing and managing Python packages
 Group:          Development/Libraries
@ -58,7 +63,7 @@ BuildRequires:  bzr
 # git clone https://github.com/pypa/pip && cd pip
 # git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
 %if %{with tests}
-Source1:        pip-%{version}-tests.tar.gz
+Source1:        pip-9.0.1-tests.tar.gz
 %endif
 # Patch until the following issue gets implemented upstream:
@ -85,57 +90,6 @@ Patch3:         pip-nowarn-upgrade.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1655255
 Patch4:         dummy-certifi.patch
 # Patch for CVE in the bundled urllib3
 # CVE-2018-20060 Cross-host redirect does not remove Authorization header allow for credential exposure
 # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20060
 Patch5:         CVE-2018-20060.patch
 # Patch for CVE in the bundled urllib3
 # CVE-2019-11236 CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
 # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11236
 Patch6:         CVE-2019-11236.patch
 # Patch for CVE in the bundled urllib3
 # CVE-2019-11324 Certification mishandle when error should be thrown
 # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11324
 Patch7:         CVE-2019-11324.patch
 # Patch for CVE in the bundled requests
 # CVE-2018-18074 Redirect from HTTPS to HTTP does not remove Authorization header
 # This patch fixes both the CVE
 # https://bugzilla.redhat.com/show_bug.cgi?id=1643829
 # and the subsequent regression
 # https://github.com/psf/requests/pull/4851
 Patch8:         CVE-2018-18074.patch
 # Patch for pip install <url> allow directory traversal, leading to arbitrary file write
 # - Upstream PR: https://github.com/pypa/pip/pull/6418/files
 # - Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1868016
 # Patch9 fixes the issue
 # Patch10 adds unit tests for the issue
 Patch9:         pip-directory-traversal-security-issue.patch
 Patch10:        pip-directory-traversal-security-issue-tests.patch
 # Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
 # The patch is adjusted for older pip where it's necessary to also switch
 # the way pip gets revisions from git
 # Upstream PR: https://github.com/pypa/pip/pull/9827
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
 Patch11:        CVE-2021-3572.patch
 # Downstream-only implementation of support of yanked releases
 # PEP 592 - Adding "Yank" Support to the Simple API:
 #   https://www.python.org/dev/peps/pep-0592/
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
 Patch12:        skip_yanked_releases.patch
 # CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
 # - Minimal downstream-only patch, to be replaced by upstream solution
 #   proposed in https://github.com/pypa/pip/pull/12214
 # - Patch for vendored distlib, accepted upstream:
 #   https://github.com/pypa/distlib/pull/201
 Patch13:         cve-2007-4559-tarfile.patch
 %global _description \
 pip is a package management system used to install and manage software packages \
 written in Python. Many packages can be found in the Python Package Index \
@ -171,9 +125,6 @@ Requires:  platform-python-setuptools
 BuildRequires:  ca-certificates
 Requires:       ca-certificates
 # pip has to require explicit version of platform-python that provides
 # filters in tarfile module (fix for CVE-2007-4559).
 Requires:       platform-python >= 3.6.8-55
 # Virtual provides for the packages bundled by pip.
 # See the python2 list above for instructions.
@ -226,8 +177,6 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package -n python3-%{srcname}-wheel
 Summary:        The pip wheel
 # Older Python does not provide tarfile filters (fix for CVE-2007-4559).
 Conflicts:      platform-python < 3.6.8-55
 # Virtual provides for the packages bundled by pip.
 # You can find the versions in pip/_vendor/vendor.txt file.
@ -269,26 +218,8 @@ tar -xf %{SOURCE1}
 %patch3 -p1
 %patch4 -p1
 # Patching of bundled libraries
 pushd pip/_vendor/urllib3
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 popd
 pushd pip/_vendor/requests
 %patch8 -p1
 popd
 %patch9 -p1
 %if %{with tests}
 %patch10 -p1
 %endif
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
 rm pip/_vendor/requests/*.pem
 sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
 sed -i '1d' pip/__init__.py
@ -296,13 +227,6 @@ sed -i '1d' pip/__init__.py
 # Remove ordereddict as it is only required for python <= 2.6
 rm pip/_vendor/ordereddict.py
 # Remove windows executable binaries
 rm -v pip/_vendor/distlib/*.exe
 sed -i '/\.exe/d' setup.py
 # Backports for Python 2
 rm pip/_vendor/distlib/_backport/tarfile.py
 rm pip/_vendor/distlib/_backport/shutil.py
 %build
 %if %{without bootstrap}
@ -338,8 +262,20 @@ mkdir -p %{buildroot}%{bashcompdir}
 PYTHONPATH=%{buildroot}%{python3_sitelib} \
    %{buildroot}%{_bindir}/pip3 completion --bash \
    > %{buildroot}%{bashcompdir}/pip3
-
+pips2=pip
-sed -i -e "s/^\\(complete.*\\) pip\$/\\1 pip3 pip-3 pip3.6 pip-3.6/" \
+pips3=pip3
 for pip in %{buildroot}%{_bindir}/pip*; do
    pip=$(basename $pip)
    case $pip in
        pip3?*)
            pips3="$pips3 $pip"
 %if 0%{?bashcomp2}
            ln -s pip-%{python3_version} %{buildroot}%{bashcompdir}/$pip
 %endif
            ;;
    esac
 done
 sed -i -e "s/^\\(complete.*\\) pip\$/\\1 $pips3/" \
    -e s/_pip_completion/_pip3_completion/ \
    %{buildroot}%{bashcompdir}/pip3
@ -381,7 +317,10 @@ py.test-%{python3_version} -m 'not network'
 %{_bindir}/pip%{python3_version}
 %{_bindir}/pip-%{python3_version}
 %dir %{bashcompdir}
-%{bashcompdir}/pip*
+%{bashcompdir}/pip3*
 %if 0%{?bashcomp2}
 %dir %(dirname %{bashcompdir})
 %endif
 %if %{with doc}
 %files doc
@ -399,46 +338,6 @@ py.test-%{python3_version} -m 'not network'
 %endif
 %changelog
 * Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-24
 - Require Python with tarfile filters
 Resolves: RHEL-25446
 * Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 9.0.3-23
 - Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
 Resolves: RHBZ#2218241
 * Wed Oct 06 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-22
 - Remove bundled windows executables
 - Resolves: rhbz#2006788
 * Tue Oct 05 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-21
 - Support of yanked releases
 Resolves: rhbz#2000135
 * Mon Jun 07 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-20
 - Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
 Resolves: rhbz#1962856
 * Fri Jan 08 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-19
 - Fix bash completion files and simplify spec
 Resolves: rhbz#1904478
 * Wed Aug 19 2020 Tomas Orsava <torsava@redhat.com> - 9.0.3-18
 - Patch for pip install <url> allow directory traversal, leading to arbitrary file write
 Resolves: rhbz#1868016
 * Wed Mar 04 2020 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-17
 - Remove unused CA bundle from the bundled requests library
 Resolves: rhbz#1775200
 * Mon Jan 13 2020 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-16
 - Add four new patches for CVEs in bundled urllib3 and requests
 CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
 Resolves: rhbz#1649153
 Resolves: rhbz#1700824
 Resolves: rhbz#1702473
 Resolves: rhbz#1643829
 * Thu Jun 06 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-15
 - Create python-pip-wheel package with the wheel
 Resolves: rhbz#1718031