import UBI python-pip-9.0.3-24.el8

import UBI python-pip-9.0.3-23.el8_9.1
import UBI python-pip-9.0.3-23.el8
2024-05-22 14:42:11 +00:00 · 2024-04-02 18:19:39 +00:00 · 2023-11-14 20:02:14 +00:00 · 2022-05-10 11:40:14 +00:00 · 2021-12-07 18:54:33 +00:00 · 2021-09-10 03:02:48 +00:00
10 changed files with 771 additions and 25 deletions
--- a/SOURCES/CVE-2018-18074.patch
+++ b/SOURCES/CVE-2018-18074.patch
@ -0,0 +1,90 @@
+From ffbfdb53681207b23bcf67dd76368ad6185ade24 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 16 Jan 2020 07:06:09 +0100
+Subject: [PATCH] Fix for CVE-2018-18074
+
+This patch contains the fix for CVE-2018-18074 and
+a subsequent regression fix combined in one.
+---
+ sessions.py | 36 +++++++++++++++++++++++++++++-------
+ utils.py    |  1 +
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/sessions.py b/sessions.py
+index 6570e73..4038047 100644
+--- a/sessions.py
+++ b/sessions.py
+@@ -29,7 +29,7 @@ from .adapters import HTTPAdapter
+ 
+ from .utils import (
+     requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies,
+-    get_auth_from_url, rewind_body
+    get_auth_from_url, rewind_body, DEFAULT_PORTS
+ )
+ 
+ from .status_codes import codes
+@@ -116,6 +116,32 @@ class SessionRedirectMixin(object):
+             return to_native_string(location, 'utf8')
+         return None
+ 
+
+    def should_strip_auth(self, old_url, new_url):
+        """Decide whether Authorization header should be removed when redirecting"""
+        old_parsed = urlparse(old_url)
+        new_parsed = urlparse(new_url)
+        if old_parsed.hostname != new_parsed.hostname:
+            return True
+        # Special case: allow http -> https redirect when using the standard
+        # ports. This isn't specified by RFC 7235, but is kept to avoid
+        # breaking backwards compatibility with older versions of requests
+        # that allowed any redirects on the same host.
+        if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
+                and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
+            return False
+
+        # Handle default port usage corresponding to scheme.
+        changed_port = old_parsed.port != new_parsed.port
+        changed_scheme = old_parsed.scheme != new_parsed.scheme
+        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
+        if (not changed_scheme and old_parsed.port in default_port
+                and new_parsed.port in default_port):
+            return False
+
+        # Standard case: root URI must match
+        return changed_port or changed_scheme
+
+     def resolve_redirects(self, resp, req, stream=False, timeout=None,
+                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+         """Receives a Response. Returns a generator of Responses or Requests."""
+@@ -232,14 +258,10 @@ class SessionRedirectMixin(object):
+         headers = prepared_request.headers
+         url = prepared_request.url
+ 
+-        if 'Authorization' in headers:
+        if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+             # If we get redirected to a new host, we should strip out any
+             # authentication headers.
+-            original_parsed = urlparse(response.request.url)
+-            redirect_parsed = urlparse(url)
+-
+-            if (original_parsed.hostname != redirect_parsed.hostname):
+-                del headers['Authorization']
+            del headers['Authorization']
+ 
+         # .netrc might have more auth for us on our new host.
+         new_auth = get_netrc_auth(url) if self.trust_env else None
+diff --git a/utils.py b/utils.py
+index 5c47de9..5695ab0 100644
+--- a/utils.py
+++ b/utils.py
+@@ -38,6 +38,7 @@ NETRC_FILES = ('.netrc', '_netrc')
+ 
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+ 
+DEFAULT_PORTS = {'http': 80, 'https': 443}
+ 
+ if platform.system() == 'Windows':
+     # provide a proxy_bypass version on Windows without DNS lookups
+-- 
+2.24.1
+
--- a/SOURCES/CVE-2018-20060.patch
+++ b/SOURCES/CVE-2018-20060.patch
@ -0,0 +1,94 @@
+From c734f873270cf9ca414832423f7aad98443c379f Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 11:26:24 +0100
+Subject: [PATCH] CVE-2018-20060
+
+---
+ poolmanager.py | 11 ++++++++++-
+ util/retry.py  | 12 +++++++++++-
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/poolmanager.py b/poolmanager.py
+index 4ae9174..bfa5115 100644
+--- a/poolmanager.py
+++ b/poolmanager.py
+@@ -312,8 +312,9 @@ class PoolManager(RequestMethods):
+ 
+         kw['assert_same_host'] = False
+         kw['redirect'] = False
+
+         if 'headers' not in kw:
+-            kw['headers'] = self.headers
+            kw['headers'] = self.headers.copy()
+ 
+         if self.proxy is not None and u.scheme == "http":
+             response = conn.urlopen(method, url, **kw)
+@@ -335,6 +336,14 @@ class PoolManager(RequestMethods):
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+        # Strip headers marked as unsafe to forward to the redirected location.
+        # Check remove_headers_on_redirect to avoid a potential network call within
+        # conn.is_same_host() which may use socket.gethostbyname() in the future.
+        if (retries.remove_headers_on_redirect
+                and not conn.is_same_host(redirect_location)):
+            for header in retries.remove_headers_on_redirect:
+                kw['headers'].pop(header, None)
+
+         try:
+             retries = retries.increment(method, url, response=response, _pool=conn)
+         except MaxRetryError:
+diff --git a/util/retry.py b/util/retry.py
+index c603cb4..0b83963 100644
+--- a/util/retry.py
+++ b/util/retry.py
+@@ -126,6 +126,11 @@ class Retry(object):
+         exhausted, to raise a MaxRetryError, or to return a response with a
+         response code in the 3xx range.
+ 
+    :param iterable remove_headers_on_redirect:
+        Sequence of headers to remove from the request when a response
+        indicating a redirect is returned before firing off the redirected
+        request
+
+     :param bool raise_on_status: Similar meaning to ``raise_on_redirect``:
+         whether we should raise an exception, or return a response,
+         if status falls in ``status_forcelist`` range and retries have
+@@ -144,6 +149,8 @@ class Retry(object):
+     DEFAULT_METHOD_WHITELIST = frozenset([
+         'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
+ 
+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
+
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Maximum backoff time.
+@@ -152,7 +159,8 @@ class Retry(object):
+     def __init__(self, total=10, connect=None, read=None, redirect=None, status=None,
+                  method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
+                  backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
+-                 history=None, respect_retry_after_header=True):
+                 history=None, respect_retry_after_header=True,
+                 remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
+ 
+         self.total = total
+         self.connect = connect
+@@ -171,6 +179,7 @@ class Retry(object):
+         self.raise_on_status = raise_on_status
+         self.history = history or tuple()
+         self.respect_retry_after_header = respect_retry_after_header
+        self.remove_headers_on_redirect = remove_headers_on_redirect
+ 
+     def new(self, **kw):
+         params = dict(
+@@ -182,6 +191,7 @@ class Retry(object):
+             raise_on_redirect=self.raise_on_redirect,
+             raise_on_status=self.raise_on_status,
+             history=self.history,
+            remove_headers_on_redirect=self.remove_headers_on_redirect,
+         )
+         params.update(kw)
+         return type(self)(**params)
+-- 
+2.24.1
+
--- a/SOURCES/CVE-2019-11236.patch
+++ b/SOURCES/CVE-2019-11236.patch
@ -0,0 +1,43 @@
+From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 11:14:58 +0100
+Subject: [PATCH] CVE-2019-9740
+
+---
+ util/url.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/util/url.py b/util/url.py
+index 6b6f996..2784c85 100644
+--- a/util/url.py
+++ b/util/url.py
+@@ -1,5 +1,6 @@
+ from __future__ import absolute_import
+ from collections import namedtuple
+import re
+ 
+ from ..exceptions import LocationParseError
+ 
+@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
+ # urllib3 infers URLs without a scheme (None) to be http.
+ NORMALIZABLE_SCHEMES = ('http', 'https', None)
+ 
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+from ..packages.six.moves.urllib.parse import quote
+ 
+ class Url(namedtuple('Url', url_attrs)):
+     """
+@@ -155,6 +158,10 @@ def parse_url(url):
+         # Empty
+         return Url()
+ 
+    # Prevent CVE-2019-9740.
+    # adapted from https://github.com/python/cpython/pull/12755
+    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
+
+     scheme = None
+     auth = None
+     host = None
+-- 
+2.24.1
+
--- a/SOURCES/CVE-2019-11324.patch
+++ b/SOURCES/CVE-2019-11324.patch
@ -0,0 +1,26 @@
+From 54e768a6dbe3cadeb456dea37bbeaf6e1e17e87c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 10:47:27 +0100
+Subject: [PATCH] CVE-2019-11324 Certification mishandle when error should be
+ thrown
+
+---
+ util/ssl_.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/ssl_.py b/util/ssl_.py
+index 32fd9ed..f9f12ff 100644
+--- a/util/ssl_.py
+++ b/util/ssl_.py
+@@ -319,7 +319,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
+             if e.errno == errno.ENOENT:
+                 raise SSLError(e)
+             raise
+-    elif getattr(context, 'load_default_certs', None) is not None:
+    elif ssl_context is None and hasattr(context, 'load_default_certs'):
+         # try to load OS default certs; works well on Windows (require Python3.4+)
+         context.load_default_certs()
+ 
+-- 
+2.24.1
+
--- a/SOURCES/CVE-2021-3572.patch
+++ b/SOURCES/CVE-2021-3572.patch
@ -0,0 +1,53 @@
+Backport of https://github.com/pypa/pip/pull/9827 with parts of
+https://github.com/pypa/pip/pull/4690 to make it work with pip v9.0.1
+diff --git a/pip/vcs/git.py b/pip/vcs/git.py
+index 2187dd8..d1502f8 100644
+--- a/pip/vcs/git.py
+++ b/pip/vcs/git.py
+@@ -81,7 +81,7 @@ class Git(VersionControl):
+         and branches may need origin/ as a prefix.
+         Returns the SHA1 of the branch or tag if found.
+         """
+-        revisions = self.get_short_refs(dest)
+        revisions = self.get_short_refs(dest, rev)
+ 
+         origin_rev = 'origin/%s' % rev
+         if origin_rev in revisions:
+@@ -171,12 +171,20 @@ class Git(VersionControl):
+             ['rev-parse', 'HEAD'], show_stdout=False, cwd=location)
+         return current_rev.strip()
+ 
+-    def get_full_refs(self, location):
+    def get_full_refs(self, location, pattern=''):
+         """Yields tuples of (commit, ref) for branches and tags"""
+-        output = self.run_command(['show-ref'],
+        output = self.run_command(['show-ref', pattern],
+                                   show_stdout=False, cwd=location)
+-        for line in output.strip().splitlines():
+-            commit, ref = line.split(' ', 1)
+        for line in output.split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
+            try:
+                commit, ref = line.split(' ', 1)
+            except ValueError:
+                # Include the offending line to simplify troubleshooting if
+                # this error ever occurs.
+                raise ValueError(f'unexpected show-ref line: {line!r}')
+             yield commit.strip(), ref.strip()
+ 
+     def is_ref_remote(self, ref):
+@@ -200,10 +208,10 @@ class Git(VersionControl):
+     def get_refs(self, location):
+         return self.get_short_refs(location)
+ 
+-    def get_short_refs(self, location):
+    def get_short_refs(self, location, pattern=''):
+         """Return map of named refs (branches or tags) to commit hashes."""
+         rv = {}
+-        for commit, ref in self.get_full_refs(location):
+        for commit, ref in self.get_full_refs(location, pattern):
+             ref_name = None
+             if self.is_ref_remote(ref):
+                 ref_name = ref[len('refs/remotes/'):]
--- a/SOURCES/cve-2007-4559-tarfile.patch
+++ b/SOURCES/cve-2007-4559-tarfile.patch
@ -0,0 +1,47 @@
+Minimal patch for pip
+
+diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py
+--- a/pip/utils/__init__.py	2022-11-05 16:25:43.000000000 +0100
+++ b/pip/utils/__init__.py	2023-08-08 13:17:47.705613554 +0200
+@@ -559,6 +559,13 @@
+             if leading:
+                 fn = split_leading_dir(fn)[1]
+             path = os.path.join(location, fn)
+
+            # Call the `data` filter for its side effect (raising exception)
+            try:
+                tarfile.data_filter(member.replace(name=fn), location)
+            except tarfile.LinkOutsideDestinationError:
+                pass
+
+             if member.isdir():
+                 ensure_dir(path)
+             elif member.issym():
+
+
+Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
+
+diff --git a/distlib/util.py b/distlib/util.py
+index e0622e4..4349d0b 100644
+--- a/pip/_vendor/distlib/util.py
+++ b/pip/_vendor/distlib/util.py
+@@ -1249,6 +1249,19 @@ def check_path(path):
+             for tarinfo in archive.getmembers():
+                 if not isinstance(tarinfo.name, text_type):
+                     tarinfo.name = tarinfo.name.decode('utf-8')
+
+        # Limit extraction of dangerous items, if this Python
+        # allows it easily. If not, just trust the input.
+        # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
+        def extraction_filter(member, path):
+            """Run tarfile.tar_fillter, but raise the expected ValueError"""
+            # This is only called if the current Python has tarfile filters
+            try:
+                return tarfile.tar_filter(member, path)
+            except tarfile.FilterError as exc:
+                raise ValueError(str(exc))
+        archive.extraction_filter = extraction_filter
+
+         archive.extractall(dest_dir)
+ 
+     finally:
--- a/SOURCES/pip-directory-traversal-security-issue-tests.patch
+++ b/SOURCES/pip-directory-traversal-security-issue-tests.patch
@ -0,0 +1,122 @@
+From 7917dbda14ef64a5e7fdea48383a266577484ac8 Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Wed, 19 Aug 2020 12:51:16 +0200
+Subject: [PATCH 2/2] FIX #6413 pip install <url> allow directory traversal
+ (tests)
+
+---
+ tests/unit/test_download.py | 85 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 85 insertions(+)
+
+diff --git a/tests/unit/test_download.py b/tests/unit/test_download.py
+index ee4b11c..15f99ec 100644
+--- a/tests/unit/test_download.py
+++ b/tests/unit/test_download.py
+@@ -1,5 +1,6 @@
+ import hashlib
+ import os
+import sys
+ from io import BytesIO
+ from shutil import rmtree, copy
+ from tempfile import mkdtemp
+@@ -13,6 +14,7 @@ import pip
+ from pip.exceptions import HashMismatch
+ from pip.download import (
+     PipSession, SafeFileCache, path_to_url, unpack_http_url, url_to_path,
+    _download_http_url, parse_content_disposition, sanitize_content_filename,
+     unpack_file_url,
+ )
+ from pip.index import Link
+@@ -123,6 +125,89 @@ def test_unpack_http_url_bad_downloaded_checksum(mock_unpack_file):
+         rmtree(download_dir)
+ 
+ 
+@pytest.mark.parametrize("filename, expected", [
+    ('dir/file', 'file'),
+    ('../file', 'file'),
+    ('../../file', 'file'),
+    ('../', ''),
+    ('../..', '..'),
+    ('/', ''),
+])
+def test_sanitize_content_filename(filename, expected):
+    """
+    Test inputs where the result is the same for Windows and non-Windows.
+    """
+    assert sanitize_content_filename(filename) == expected
+
+
+@pytest.mark.parametrize("filename, win_expected, non_win_expected", [
+    ('dir\\file', 'file', 'dir\\file'),
+    ('..\\file', 'file', '..\\file'),
+    ('..\\..\\file', 'file', '..\\..\\file'),
+    ('..\\', '', '..\\'),
+    ('..\\..', '..', '..\\..'),
+    ('\\', '', '\\'),
+])
+def test_sanitize_content_filename__platform_dependent(
+    filename,
+    win_expected,
+    non_win_expected
+):
+    """
+    Test inputs where the result is different for Windows and non-Windows.
+    """
+    if sys.platform == 'win32':
+        expected = win_expected
+    else:
+        expected = non_win_expected
+    assert sanitize_content_filename(filename) == expected
+
+
+@pytest.mark.parametrize("content_disposition, default_filename, expected", [
+    ('attachment;filename="../file"', 'df', 'file'),
+])
+def test_parse_content_disposition(
+    content_disposition,
+    default_filename,
+    expected
+):
+    actual = parse_content_disposition(content_disposition, default_filename)
+    assert actual == expected
+
+
+def test_download_http_url__no_directory_traversal(tmpdir):
+    """
+    Test that directory traversal doesn't happen on download when the
+    Content-Disposition header contains a filename with a ".." path part.
+    """
+    mock_url = 'http://www.example.com/whatever.tgz'
+    contents = b'downloaded'
+    link = Link(mock_url)
+
+    session = Mock()
+    resp = MockResponse(contents)
+    resp.url = mock_url
+    resp.headers = {
+        # Set the content-type to a random value to prevent
+        # mimetypes.guess_extension from guessing the extension.
+        'content-type': 'random',
+        'content-disposition': 'attachment;filename="../out_dir_file"'
+    }
+    session.get.return_value = resp
+
+    download_dir = tmpdir.join('download')
+    os.mkdir(download_dir)
+    file_path, content_type = _download_http_url(
+        link,
+        session,
+        download_dir,
+        hashes=None,
+    )
+    # The file should be downloaded to download_dir.
+    actual = os.listdir(download_dir)
+    assert actual == ['out_dir_file']
+
+
+ @pytest.mark.skipif("sys.platform == 'win32'")
+ def test_path_to_url_unix():
+     assert path_to_url('/tmp/file') == 'file:///tmp/file'
+-- 
+2.25.4
+
--- a/SOURCES/pip-directory-traversal-security-issue.patch
+++ b/SOURCES/pip-directory-traversal-security-issue.patch
@ -0,0 +1,79 @@
+From 8044d9f2fbcb09f09a62b26ac1d8a134976bb2ac Mon Sep 17 00:00:00 2001
+From: gzpan123 <gzpan123@gmail.com>
+Date: Wed, 17 Apr 2019 21:25:45 +0800
+Subject: [PATCH 1/2] FIX #6413 pip install <url> allow directory traversal
+
+---
+ news/6413.bugfix |  3 +++
+ pip/download.py  | 31 ++++++++++++++++++++++++++-----
+ 2 files changed, 29 insertions(+), 5 deletions(-)
+ create mode 100644 news/6413.bugfix
+
+diff --git a/news/6413.bugfix b/news/6413.bugfix
+new file mode 100644
+index 0000000..68d0a72
+--- /dev/null
+++ b/news/6413.bugfix
+@@ -0,0 +1,3 @@
+Prevent ``pip install <url>`` from permitting directory traversal if e.g.
+a malicious server sends a ``Content-Disposition`` header with a filename
+containing ``../`` or ``..\\``.
+diff --git a/pip/download.py b/pip/download.py
+index 039e55a..b3d169b 100644
+--- a/pip/download.py
+++ b/pip/download.py
+@@ -54,7 +54,8 @@ __all__ = ['get_file_content',
+            'is_url', 'url_to_path', 'path_to_url',
+            'is_archive_file', 'unpack_vcs_link',
+            'unpack_file_url', 'is_vcs_url', 'is_file_url',
+-           'unpack_http_url', 'unpack_url']
+           'unpack_http_url', 'unpack_url',
+           'parse_content_disposition', 'sanitize_content_filename']
+ 
+ 
+ logger = logging.getLogger(__name__)
+@@ -824,6 +825,29 @@ def unpack_url(link, location, download_dir=None,
+         write_delete_marker_file(location)
+ 
+ 
+def sanitize_content_filename(filename):
+    # type: (str) -> str
+    """
+    Sanitize the "filename" value from a Content-Disposition header.
+    """
+    return os.path.basename(filename)
+
+
+def parse_content_disposition(content_disposition, default_filename):
+    # type: (str, str) -> str
+    """
+    Parse the "filename" value from a Content-Disposition header, and
+    return the default filename if the result is empty.
+    """
+    _type, params = cgi.parse_header(content_disposition)
+    filename = params.get('filename')
+    if filename:
+        # We need to sanitize the filename to prevent directory traversal
+        # in case the filename contains ".." path parts.
+        filename = sanitize_content_filename(filename)
+    return filename or default_filename
+
+
+ def _download_http_url(link, session, temp_dir, hashes):
+     """Download link url into temp_dir using provided session"""
+     target_url = link.url.split('#', 1)[0]
+@@ -864,10 +888,7 @@ def _download_http_url(link, session, temp_dir, hashes):
+     # Have a look at the Content-Disposition header for a better guess
+     content_disposition = resp.headers.get('content-disposition')
+     if content_disposition:
+-        type, params = cgi.parse_header(content_disposition)
+-        # We use ``or`` here because we don't want to use an "empty" value
+-        # from the filename param.
+-        filename = params.get('filename') or filename
+        filename = parse_content_disposition(content_disposition, filename)
+     ext = splitext(filename)[1]
+     if not ext:
+         ext = mimetypes.guess_extension(content_type)
+-- 
+2.25.4
+
--- a/SOURCES/skip_yanked_releases.patch
+++ b/SOURCES/skip_yanked_releases.patch
@ -0,0 +1,91 @@
+From b97ef609100fbdd5895dab48cdab578dfeba396c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 10 Sep 2021 13:38:40 +0200
+Subject: [PATCH 1/2] Implement handling of yanked_reason from the HTML anchor
+
+---
+ pip/index.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/pip/index.py b/pip/index.py
+index f653f6e6a..ced52ce5a 100644
+--- a/pip/index.py
+++ b/pip/index.py
+@@ -865,7 +865,11 @@ class HTMLPage(object):
+                 )
+                 pyrequire = anchor.get('data-requires-python')
+                 pyrequire = unescape(pyrequire) if pyrequire else None
+-                yield Link(url, self, requires_python=pyrequire)
+                yanked_reason = anchor.get('data-yanked', default=None)
+                # Empty or valueless attribute are both parsed as empty string
+                if yanked_reason is not None:
+                    yanked_reason = unescape(yanked_reason)
+                yield Link(url, self, requires_python=pyrequire, yanked_reason=yanked_reason)
+ 
+     _clean_re = re.compile(r'[^a-z0-9$&+,/:;=?@.#%_\\|-]', re.I)
+ 
+@@ -879,7 +883,7 @@ class HTMLPage(object):
+ 
+ class Link(object):
+ 
+-    def __init__(self, url, comes_from=None, requires_python=None):
+    def __init__(self, url, comes_from=None, requires_python=None, yanked_reason=None):
+         """
+         Object representing a parsed link from https://pypi.python.org/simple/*
+ 
+@@ -900,6 +904,8 @@ class Link(object):
+         self.url = url
+         self.comes_from = comes_from
+         self.requires_python = requires_python if requires_python else None
+        self.yanked_reason = yanked_reason
+        self.yanked = yanked_reason is not None
+ 
+     def __str__(self):
+         if self.requires_python:
+-- 
+2.31.1
+
+From d8dc6ee5d6809736dce43dc1e57d497f9ff91f26 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 10 Sep 2021 13:43:22 +0200
+Subject: [PATCH 2/2] Skip all yanked candidates if possible
+
+---
+ pip/index.py | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/pip/index.py b/pip/index.py
+index ced52ce5a..823bbaf7d 100644
+--- a/pip/index.py
+++ b/pip/index.py
+@@ -489,6 +489,27 @@ class PackageFinder(object):
+         if applicable_candidates:
+             best_candidate = max(applicable_candidates,
+                                  key=self._candidate_sort_key)
+            # If we cannot find a non-yanked candidate,
+            # use the best one and print a warning about it.
+            # Otherwise, try to find another best candidate, ignoring
+            # all the yanked releases.
+            if getattr(best_candidate.location, "yanked", False):
+                nonyanked_candidates = [
+                    c for c in applicable_candidates
+                    if not getattr(c.location, "yanked", False)
+                ]
+
+                if set(nonyanked_candidates):
+                    best_candidate = max(nonyanked_candidates,
+                                         key=self._candidate_sort_key)
+                else:
+                    warning_message = (
+                        "WARNING: The candidate selected for download or install "
+                        "is a yanked version: '{}' candidate (version {} at {})"
+                    ).format(best_candidate.project, best_candidate.version, best_candidate.location)
+                    if best_candidate.location.yanked_reason:
+                        warning_message += "\nReason for being yanked: {}".format(best_candidate.location.yanked_reason)
+                    logger.warning(warning_message)
+         else:
+             best_candidate = None
+ 
+-- 
+2.31.1
+
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@ -9,17 +9,12 @@
 %global python3_wheeldir %{_datadir}/python3-wheels
 %endif

-# Note that with disabled python3, bashcomp2 will be disabled as well because
-# bashcompdir will point to a different path than with python3 enabled.
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
-%if "%{bashcompdir}" != "%{_sysconfdir}/bash_completion.d"
-%global bashcomp2 1
-%endif

 Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version:        9.0.3
-Release:        15%{?dist}
+Release:        24%{?dist}
 Summary:        A tool for installing and managing Python packages

 Group:          Development/Libraries
@ -63,7 +58,7 @@ BuildRequires:  bzr
 # git clone https://github.com/pypa/pip && cd pip
 # git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
 %if %{with tests}
-Source1:        pip-9.0.1-tests.tar.gz
+Source1:        pip-%{version}-tests.tar.gz
 %endif

 # Patch until the following issue gets implemented upstream:
@ -90,6 +85,57 @@ Patch3:         pip-nowarn-upgrade.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1655255
 Patch4:         dummy-certifi.patch

+# Patch for CVE in the bundled urllib3
+# CVE-2018-20060 Cross-host redirect does not remove Authorization header allow for credential exposure
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20060
+Patch5:         CVE-2018-20060.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2019-11236 CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11236
+Patch6:         CVE-2019-11236.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2019-11324 Certification mishandle when error should be thrown
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11324
+Patch7:         CVE-2019-11324.patch
+
+# Patch for CVE in the bundled requests
+# CVE-2018-18074 Redirect from HTTPS to HTTP does not remove Authorization header
+# This patch fixes both the CVE
+# https://bugzilla.redhat.com/show_bug.cgi?id=1643829
+# and the subsequent regression
+# https://github.com/psf/requests/pull/4851
+Patch8:         CVE-2018-18074.patch
+
+# Patch for pip install <url> allow directory traversal, leading to arbitrary file write
+# - Upstream PR: https://github.com/pypa/pip/pull/6418/files
+# - Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1868016
+# Patch9 fixes the issue
+# Patch10 adds unit tests for the issue
+Patch9:         pip-directory-traversal-security-issue.patch
+Patch10:        pip-directory-traversal-security-issue-tests.patch
+
+# Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+# The patch is adjusted for older pip where it's necessary to also switch
+# the way pip gets revisions from git
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
+Patch11:        CVE-2021-3572.patch
+
+# Downstream-only implementation of support of yanked releases
+# PEP 592 - Adding "Yank" Support to the Simple API:
+#   https://www.python.org/dev/peps/pep-0592/
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
+Patch12:        skip_yanked_releases.patch
+
+# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
+# - Minimal downstream-only patch, to be replaced by upstream solution
+#   proposed in https://github.com/pypa/pip/pull/12214
+# - Patch for vendored distlib, accepted upstream:
+#   https://github.com/pypa/distlib/pull/201
+Patch13:         cve-2007-4559-tarfile.patch
+
 %global _description \
 pip is a package management system used to install and manage software packages \
 written in Python. Many packages can be found in the Python Package Index \
@ -125,6 +171,9 @@ Requires:  platform-python-setuptools

 BuildRequires:  ca-certificates
 Requires:       ca-certificates
+# pip has to require explicit version of platform-python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires:       platform-python >= 3.6.8-55

 # Virtual provides for the packages bundled by pip.
 # See the python2 list above for instructions.
@ -177,6 +226,8 @@ A documentation for a tool for installing and managing Python packages
 %if %{without bootstrap}
 %package -n python3-%{srcname}-wheel
 Summary:        The pip wheel
+# Older Python does not provide tarfile filters (fix for CVE-2007-4559).
+Conflicts:      platform-python < 3.6.8-55

 # Virtual provides for the packages bundled by pip.
 # You can find the versions in pip/_vendor/vendor.txt file.
@ -218,8 +269,26 @@ tar -xf %{SOURCE1}
 %patch3 -p1
 %patch4 -p1

+# Patching of bundled libraries
+pushd pip/_vendor/urllib3
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+popd
+pushd pip/_vendor/requests
+%patch8 -p1
+popd
+%patch9 -p1
+%if %{with tests}
+%patch10 -p1
+%endif
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
+rm pip/_vendor/requests/*.pem
 sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt

 sed -i '1d' pip/__init__.py
@ -227,6 +296,13 @@ sed -i '1d' pip/__init__.py
 # Remove ordereddict as it is only required for python <= 2.6
 rm pip/_vendor/ordereddict.py

+# Remove windows executable binaries
+rm -v pip/_vendor/distlib/*.exe
+sed -i '/\.exe/d' setup.py
+
+# Backports for Python 2
+rm pip/_vendor/distlib/_backport/tarfile.py
+rm pip/_vendor/distlib/_backport/shutil.py

 %build
 %if %{without bootstrap}
@ -262,20 +338,8 @@ mkdir -p %{buildroot}%{bashcompdir}
 PYTHONPATH=%{buildroot}%{python3_sitelib} \
    %{buildroot}%{_bindir}/pip3 completion --bash \
    > %{buildroot}%{bashcompdir}/pip3
-pips2=pip
-pips3=pip3
-for pip in %{buildroot}%{_bindir}/pip*; do
-    pip=$(basename $pip)
-    case $pip in
-        pip3?*)
-            pips3="$pips3 $pip"
-%if 0%{?bashcomp2}
-            ln -s pip-%{python3_version} %{buildroot}%{bashcompdir}/$pip
-%endif
-            ;;
-    esac
-done
-sed -i -e "s/^\\(complete.*\\) pip\$/\\1 $pips3/" \
+
+sed -i -e "s/^\\(complete.*\\) pip\$/\\1 pip3 pip-3 pip3.6 pip-3.6/" \
    -e s/_pip_completion/_pip3_completion/ \
    %{buildroot}%{bashcompdir}/pip3

@ -317,10 +381,7 @@ py.test-%{python3_version} -m 'not network'
 %{_bindir}/pip%{python3_version}
 %{_bindir}/pip-%{python3_version}
 %dir %{bashcompdir}
-%{bashcompdir}/pip3*
-%if 0%{?bashcomp2}
-%dir %(dirname %{bashcompdir})
-%endif
+%{bashcompdir}/pip*

 %if %{with doc}
 %files doc
@ -338,6 +399,46 @@ py.test-%{python3_version} -m 'not network'
 %endif

 %changelog
+* Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-24
+- Require Python with tarfile filters
+Resolves: RHEL-25446
+
+* Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 9.0.3-23
+- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
+Resolves: RHBZ#2218241
+
+* Wed Oct 06 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-22
+- Remove bundled windows executables
+- Resolves: rhbz#2006788
+
+* Tue Oct 05 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-21
+- Support of yanked releases
+Resolves: rhbz#2000135
+
+* Mon Jun 07 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-20
+- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+Resolves: rhbz#1962856
+
+* Fri Jan 08 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-19
+- Fix bash completion files and simplify spec
+Resolves: rhbz#1904478
+
+* Wed Aug 19 2020 Tomas Orsava <torsava@redhat.com> - 9.0.3-18
+- Patch for pip install <url> allow directory traversal, leading to arbitrary file write
+Resolves: rhbz#1868016
+
+* Wed Mar 04 2020 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-17
+- Remove unused CA bundle from the bundled requests library
+Resolves: rhbz#1775200
+
+* Mon Jan 13 2020 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-16
+- Add four new patches for CVEs in bundled urllib3 and requests
+CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
+Resolves: rhbz#1649153
+Resolves: rhbz#1700824
+Resolves: rhbz#1702473
+Resolves: rhbz#1643829
+
 * Thu Jun 06 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-15
 - Create python-pip-wheel package with the wheel
 Resolves: rhbz#1718031
Author	SHA1	Message	Date
eabdullin	c74f6201d4	import UBI python-pip-9.0.3-24.el8	2024-05-22 14:42:11 +00:00
eabdullin	535bf24126	import UBI python-pip-9.0.3-23.el8_9.1	2024-04-02 18:19:39 +00:00
eabdullin	db5b778012	import UBI python-pip-9.0.3-23.el8	2023-11-14 20:02:14 +00:00
CentOS Sources	48d53d5165	import python-pip-9.0.3-22.el8	2022-05-10 11:40:14 +00:00
CentOS Sources	534a9dde4e	import python-pip-9.0.3-20.el8	2021-12-07 18:54:33 +00:00
CentOS Sources	7ba5d2a0e0	import python-pip-9.0.3-19.el8	2021-09-10 03:02:48 +00:00
CentOS Sources	26ba5aef18	import python-pip-9.0.3-18.el8	2021-09-10 03:02:45 +00:00
CentOS Sources	e2c7f229dd	import python-pip-9.0.3-16.el8	2021-09-10 03:02:42 +00:00