SOURCES/CVE-2021-3572.patch

@@ -0,0 +1,53 @@
+Backport of https://github.com/pypa/pip/pull/9827 with parts of
+https://github.com/pypa/pip/pull/4690 to make it work with pip v9.0.1
+diff --git a/pip/vcs/git.py b/pip/vcs/git.py
+index 2187dd8..d1502f8 100644
+--- a/pip/vcs/git.py
++++ b/pip/vcs/git.py
+@@ -81,7 +81,7 @@ class Git(VersionControl):
+         and branches may need origin/ as a prefix.
+         Returns the SHA1 of the branch or tag if found.
+         """
+-        revisions = self.get_short_refs(dest)
++        revisions = self.get_short_refs(dest, rev)
+ 
+         origin_rev = 'origin/%s' % rev
+         if origin_rev in revisions:
+@@ -171,12 +171,20 @@ class Git(VersionControl):
+             ['rev-parse', 'HEAD'], show_stdout=False, cwd=location)
+         return current_rev.strip()
+ 
+-    def get_full_refs(self, location):
++    def get_full_refs(self, location, pattern=''):
+         """Yields tuples of (commit, ref) for branches and tags"""
+-        output = self.run_command(['show-ref'],
++        output = self.run_command(['show-ref', pattern],
+                                   show_stdout=False, cwd=location)
+-        for line in output.strip().splitlines():
+-            commit, ref = line.split(' ', 1)
++        for line in output.split("\n"):
++            line = line.rstrip("\r")
++            if not line:
++                continue
++            try:
++                commit, ref = line.split(' ', 1)
++            except ValueError:
++                # Include the offending line to simplify troubleshooting if
++                # this error ever occurs.
++                raise ValueError(f'unexpected show-ref line: {line!r}')
+             yield commit.strip(), ref.strip()
+ 
+     def is_ref_remote(self, ref):
+@@ -200,10 +208,10 @@ class Git(VersionControl):
+     def get_refs(self, location):
+         return self.get_short_refs(location)
+ 
+-    def get_short_refs(self, location):
++    def get_short_refs(self, location, pattern=''):
+         """Return map of named refs (branches or tags) to commit hashes."""
+         rv = {}
+-        for commit, ref in self.get_full_refs(location):
++        for commit, ref in self.get_full_refs(location, pattern):
+             ref_name = None
+             if self.is_ref_remote(ref):
+                 ref_name = ref[len('refs/remotes/'):]

SOURCES/cve-2007-4559-tarfile.patch

@@ -0,0 +1,47 @@
+Minimal patch for pip
+
+diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py
+--- a/pip/utils/__init__.py	2022-11-05 16:25:43.000000000 +0100
++++ b/pip/utils/__init__.py	2023-08-08 13:17:47.705613554 +0200
+@@ -559,6 +559,13 @@
+             if leading:
+                 fn = split_leading_dir(fn)[1]
+             path = os.path.join(location, fn)
++
++            # Call the `data` filter for its side effect (raising exception)
++            try:
++                tarfile.data_filter(member.replace(name=fn), location)
++            except tarfile.LinkOutsideDestinationError:
++                pass
++
+             if member.isdir():
+                 ensure_dir(path)
+             elif member.issym():
+
+
+Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
+
+diff --git a/distlib/util.py b/distlib/util.py
+index e0622e4..4349d0b 100644
+--- a/pip/_vendor/distlib/util.py
++++ b/pip/_vendor/distlib/util.py
+@@ -1249,6 +1249,19 @@ def check_path(path):
+             for tarinfo in archive.getmembers():
+                 if not isinstance(tarinfo.name, text_type):
+                     tarinfo.name = tarinfo.name.decode('utf-8')
++
++        # Limit extraction of dangerous items, if this Python
++        # allows it easily. If not, just trust the input.
++        # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
++        def extraction_filter(member, path):
++            """Run tarfile.tar_fillter, but raise the expected ValueError"""
++            # This is only called if the current Python has tarfile filters
++            try:
++                return tarfile.tar_filter(member, path)
++            except tarfile.FilterError as exc:
++                raise ValueError(str(exc))
++        archive.extraction_filter = extraction_filter
++
+         archive.extractall(dest_dir)
+ 
+     finally:

SOURCES/skip_yanked_releases.patch

@@ -0,0 +1,91 @@
+From b97ef609100fbdd5895dab48cdab578dfeba396c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 10 Sep 2021 13:38:40 +0200
+Subject: [PATCH 1/2] Implement handling of yanked_reason from the HTML anchor
+
+---
+ pip/index.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/pip/index.py b/pip/index.py
+index f653f6e6a..ced52ce5a 100644
+--- a/pip/index.py
++++ b/pip/index.py
+@@ -865,7 +865,11 @@ class HTMLPage(object):
+                 )
+                 pyrequire = anchor.get('data-requires-python')
+                 pyrequire = unescape(pyrequire) if pyrequire else None
+-                yield Link(url, self, requires_python=pyrequire)
++                yanked_reason = anchor.get('data-yanked', default=None)
++                # Empty or valueless attribute are both parsed as empty string
++                if yanked_reason is not None:
++                    yanked_reason = unescape(yanked_reason)
++                yield Link(url, self, requires_python=pyrequire, yanked_reason=yanked_reason)
+ 
+     _clean_re = re.compile(r'[^a-z0-9$&+,/:;=?@.#%_\\|-]', re.I)
+ 
+@@ -879,7 +883,7 @@ class HTMLPage(object):
+ 
+ class Link(object):
+ 
+-    def __init__(self, url, comes_from=None, requires_python=None):
++    def __init__(self, url, comes_from=None, requires_python=None, yanked_reason=None):
+         """
+         Object representing a parsed link from https://pypi.python.org/simple/*
+ 
+@@ -900,6 +904,8 @@ class Link(object):
+         self.url = url
+         self.comes_from = comes_from
+         self.requires_python = requires_python if requires_python else None
++        self.yanked_reason = yanked_reason
++        self.yanked = yanked_reason is not None
+ 
+     def __str__(self):
+         if self.requires_python:
+-- 
+2.31.1
+
+From d8dc6ee5d6809736dce43dc1e57d497f9ff91f26 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 10 Sep 2021 13:43:22 +0200
+Subject: [PATCH 2/2] Skip all yanked candidates if possible
+
+---
+ pip/index.py | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/pip/index.py b/pip/index.py
+index ced52ce5a..823bbaf7d 100644
+--- a/pip/index.py
++++ b/pip/index.py
+@@ -489,6 +489,27 @@ class PackageFinder(object):
+         if applicable_candidates:
+             best_candidate = max(applicable_candidates,
+                                  key=self._candidate_sort_key)
++            # If we cannot find a non-yanked candidate,
++            # use the best one and print a warning about it.
++            # Otherwise, try to find another best candidate, ignoring
++            # all the yanked releases.
++            if getattr(best_candidate.location, "yanked", False):
++                nonyanked_candidates = [
++                    c for c in applicable_candidates
++                    if not getattr(c.location, "yanked", False)
++                ]
++
++                if set(nonyanked_candidates):
++                    best_candidate = max(nonyanked_candidates,
++                                         key=self._candidate_sort_key)
++                else:
++                    warning_message = (
++                        "WARNING: The candidate selected for download or install "
++                        "is a yanked version: '{}' candidate (version {} at {})"
++                    ).format(best_candidate.project, best_candidate.version, best_candidate.location)
++                    if best_candidate.location.yanked_reason:
++                        warning_message += "\nReason for being yanked: {}".format(best_candidate.location.yanked_reason)
++                    logger.warning(warning_message)
+         else:
+             best_candidate = None
+ 
+-- 
+2.31.1
+

SPECS/python-pip.spec

@@ -14,7 +14,7 @@
 Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version:        9.0.3
-Release:        19%{?dist}
+Release:        24%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 Group:          Development/Libraries
@@ -116,6 +116,26 @@ Patch8:         CVE-2018-18074.patch
 Patch9:         pip-directory-traversal-security-issue.patch
 Patch10:        pip-directory-traversal-security-issue-tests.patch
 
+# Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+# The patch is adjusted for older pip where it's necessary to also switch
+# the way pip gets revisions from git
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
+Patch11:        CVE-2021-3572.patch
+
+# Downstream-only implementation of support of yanked releases
+# PEP 592 - Adding "Yank" Support to the Simple API:
+#   https://www.python.org/dev/peps/pep-0592/
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
+Patch12:        skip_yanked_releases.patch
+
+# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
+# - Minimal downstream-only patch, to be replaced by upstream solution
+#   proposed in https://github.com/pypa/pip/pull/12214
+# - Patch for vendored distlib, accepted upstream:
+#   https://github.com/pypa/distlib/pull/201
+Patch13:         cve-2007-4559-tarfile.patch
+
 %global _description \
 pip is a package management system used to install and manage software packages \
 written in Python. Many packages can be found in the Python Package Index \
@@ -151,6 +171,9 @@ Requires:  platform-python-setuptools
 
 BuildRequires:  ca-certificates
 Requires:       ca-certificates
+# pip has to require explicit version of platform-python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires:       platform-python >= 3.6.8-55
 
 # Virtual provides for the packages bundled by pip.
 # See the python2 list above for instructions.
@@ -203,6 +226,8 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package -n python3-%{srcname}-wheel
 Summary:        The pip wheel
+# Older Python does not provide tarfile filters (fix for CVE-2007-4559).
+Conflicts:      platform-python < 3.6.8-55
 
 # Virtual provides for the packages bundled by pip.
 # You can find the versions in pip/_vendor/vendor.txt file.
@@ -257,6 +282,9 @@ popd
 %if %{with tests}
 %patch10 -p1
 %endif
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
@@ -268,6 +296,13 @@ sed -i '1d' pip/__init__.py
 # Remove ordereddict as it is only required for python <= 2.6
 rm pip/_vendor/ordereddict.py
 
+# Remove windows executable binaries
+rm -v pip/_vendor/distlib/*.exe
+sed -i '/\.exe/d' setup.py
+
+# Backports for Python 2
+rm pip/_vendor/distlib/_backport/tarfile.py
+rm pip/_vendor/distlib/_backport/shutil.py
 
 %build
 %if %{without bootstrap}
@@ -364,6 +399,26 @@ py.test-%{python3_version} -m 'not network'
 %endif
 
 %changelog
+* Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-24
+- Require Python with tarfile filters
+Resolves: RHEL-25446
+
+* Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 9.0.3-23
+- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
+Resolves: RHBZ#2218241
+
+* Wed Oct 06 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-22
+- Remove bundled windows executables
+- Resolves: rhbz#2006788
+
+* Tue Oct 05 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-21
+- Support of yanked releases
+Resolves: rhbz#2000135
+
+* Mon Jun 07 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-20
+- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+Resolves: rhbz#1962856
+
 * Fri Jan 08 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-19
 - Fix bash completion files and simplify spec
 Resolves: rhbz#1904478