SOURCES/CVE-2018-18074.patch

@@ -0,0 +1,90 @@
+From ffbfdb53681207b23bcf67dd76368ad6185ade24 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 16 Jan 2020 07:06:09 +0100
+Subject: [PATCH] Fix for CVE-2018-18074
+
+This patch contains the fix for CVE-2018-18074 and
+a subsequent regression fix combined in one.
+---
+ sessions.py | 36 +++++++++++++++++++++++++++++-------
+ utils.py    |  1 +
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/sessions.py b/sessions.py
+index 6570e73..4038047 100644
+--- a/sessions.py
++++ b/sessions.py
+@@ -29,7 +29,7 @@ from .adapters import HTTPAdapter
+ 
+ from .utils import (
+     requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies,
+-    get_auth_from_url, rewind_body
++    get_auth_from_url, rewind_body, DEFAULT_PORTS
+ )
+ 
+ from .status_codes import codes
+@@ -116,6 +116,32 @@ class SessionRedirectMixin(object):
+             return to_native_string(location, 'utf8')
+         return None
+ 
++
++    def should_strip_auth(self, old_url, new_url):
++        """Decide whether Authorization header should be removed when redirecting"""
++        old_parsed = urlparse(old_url)
++        new_parsed = urlparse(new_url)
++        if old_parsed.hostname != new_parsed.hostname:
++            return True
++        # Special case: allow http -> https redirect when using the standard
++        # ports. This isn't specified by RFC 7235, but is kept to avoid
++        # breaking backwards compatibility with older versions of requests
++        # that allowed any redirects on the same host.
++        if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
++                and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
++            return False
++
++        # Handle default port usage corresponding to scheme.
++        changed_port = old_parsed.port != new_parsed.port
++        changed_scheme = old_parsed.scheme != new_parsed.scheme
++        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
++        if (not changed_scheme and old_parsed.port in default_port
++                and new_parsed.port in default_port):
++            return False
++
++        # Standard case: root URI must match
++        return changed_port or changed_scheme
++
+     def resolve_redirects(self, resp, req, stream=False, timeout=None,
+                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+         """Receives a Response. Returns a generator of Responses or Requests."""
+@@ -232,14 +258,10 @@ class SessionRedirectMixin(object):
+         headers = prepared_request.headers
+         url = prepared_request.url
+ 
+-        if 'Authorization' in headers:
++        if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+             # If we get redirected to a new host, we should strip out any
+             # authentication headers.
+-            original_parsed = urlparse(response.request.url)
+-            redirect_parsed = urlparse(url)
+-
+-            if (original_parsed.hostname != redirect_parsed.hostname):
+-                del headers['Authorization']
++            del headers['Authorization']
+ 
+         # .netrc might have more auth for us on our new host.
+         new_auth = get_netrc_auth(url) if self.trust_env else None
+diff --git a/utils.py b/utils.py
+index 5c47de9..5695ab0 100644
+--- a/utils.py
++++ b/utils.py
+@@ -38,6 +38,7 @@ NETRC_FILES = ('.netrc', '_netrc')
+ 
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+ 
++DEFAULT_PORTS = {'http': 80, 'https': 443}
+ 
+ if platform.system() == 'Windows':
+     # provide a proxy_bypass version on Windows without DNS lookups
+-- 
+2.24.1
+

SOURCES/CVE-2018-20060.patch

@@ -0,0 +1,94 @@
+From c734f873270cf9ca414832423f7aad98443c379f Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 11:26:24 +0100
+Subject: [PATCH] CVE-2018-20060
+
+---
+ poolmanager.py | 11 ++++++++++-
+ util/retry.py  | 12 +++++++++++-
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/poolmanager.py b/poolmanager.py
+index 4ae9174..bfa5115 100644
+--- a/poolmanager.py
++++ b/poolmanager.py
+@@ -312,8 +312,9 @@ class PoolManager(RequestMethods):
+ 
+         kw['assert_same_host'] = False
+         kw['redirect'] = False
++
+         if 'headers' not in kw:
+-            kw['headers'] = self.headers
++            kw['headers'] = self.headers.copy()
+ 
+         if self.proxy is not None and u.scheme == "http":
+             response = conn.urlopen(method, url, **kw)
+@@ -335,6 +336,14 @@ class PoolManager(RequestMethods):
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
++        # Strip headers marked as unsafe to forward to the redirected location.
++        # Check remove_headers_on_redirect to avoid a potential network call within
++        # conn.is_same_host() which may use socket.gethostbyname() in the future.
++        if (retries.remove_headers_on_redirect
++                and not conn.is_same_host(redirect_location)):
++            for header in retries.remove_headers_on_redirect:
++                kw['headers'].pop(header, None)
++
+         try:
+             retries = retries.increment(method, url, response=response, _pool=conn)
+         except MaxRetryError:
+diff --git a/util/retry.py b/util/retry.py
+index c603cb4..0b83963 100644
+--- a/util/retry.py
++++ b/util/retry.py
+@@ -126,6 +126,11 @@ class Retry(object):
+         exhausted, to raise a MaxRetryError, or to return a response with a
+         response code in the 3xx range.
+ 
++    :param iterable remove_headers_on_redirect:
++        Sequence of headers to remove from the request when a response
++        indicating a redirect is returned before firing off the redirected
++        request
++
+     :param bool raise_on_status: Similar meaning to ``raise_on_redirect``:
+         whether we should raise an exception, or return a response,
+         if status falls in ``status_forcelist`` range and retries have
+@@ -144,6 +149,8 @@ class Retry(object):
+     DEFAULT_METHOD_WHITELIST = frozenset([
+         'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
+ 
++    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
++
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Maximum backoff time.
+@@ -152,7 +159,8 @@ class Retry(object):
+     def __init__(self, total=10, connect=None, read=None, redirect=None, status=None,
+                  method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
+                  backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
+-                 history=None, respect_retry_after_header=True):
++                 history=None, respect_retry_after_header=True,
++                 remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
+ 
+         self.total = total
+         self.connect = connect
+@@ -171,6 +179,7 @@ class Retry(object):
+         self.raise_on_status = raise_on_status
+         self.history = history or tuple()
+         self.respect_retry_after_header = respect_retry_after_header
++        self.remove_headers_on_redirect = remove_headers_on_redirect
+ 
+     def new(self, **kw):
+         params = dict(
+@@ -182,6 +191,7 @@ class Retry(object):
+             raise_on_redirect=self.raise_on_redirect,
+             raise_on_status=self.raise_on_status,
+             history=self.history,
++            remove_headers_on_redirect=self.remove_headers_on_redirect,
+         )
+         params.update(kw)
+         return type(self)(**params)
+-- 
+2.24.1
+

SOURCES/CVE-2019-11236.patch

@@ -0,0 +1,43 @@
+From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 11:14:58 +0100
+Subject: [PATCH] CVE-2019-9740
+
+---
+ util/url.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/util/url.py b/util/url.py
+index 6b6f996..2784c85 100644
+--- a/util/url.py
++++ b/util/url.py
+@@ -1,5 +1,6 @@
+ from __future__ import absolute_import
+ from collections import namedtuple
++import re
+ 
+ from ..exceptions import LocationParseError
+ 
+@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
+ # urllib3 infers URLs without a scheme (None) to be http.
+ NORMALIZABLE_SCHEMES = ('http', 'https', None)
+ 
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++from ..packages.six.moves.urllib.parse import quote
+ 
+ class Url(namedtuple('Url', url_attrs)):
+     """
+@@ -155,6 +158,10 @@ def parse_url(url):
+         # Empty
+         return Url()
+ 
++    # Prevent CVE-2019-9740.
++    # adapted from https://github.com/python/cpython/pull/12755
++    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
++
+     scheme = None
+     auth = None
+     host = None
+-- 
+2.24.1
+

SOURCES/CVE-2019-11324.patch

@@ -0,0 +1,26 @@
+From 54e768a6dbe3cadeb456dea37bbeaf6e1e17e87c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 10:47:27 +0100
+Subject: [PATCH] CVE-2019-11324 Certification mishandle when error should be
+ thrown
+
+---
+ util/ssl_.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/ssl_.py b/util/ssl_.py
+index 32fd9ed..f9f12ff 100644
+--- a/util/ssl_.py
++++ b/util/ssl_.py
+@@ -319,7 +319,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
+             if e.errno == errno.ENOENT:
+                 raise SSLError(e)
+             raise
+-    elif getattr(context, 'load_default_certs', None) is not None:
++    elif ssl_context is None and hasattr(context, 'load_default_certs'):
+         # try to load OS default certs; works well on Windows (require Python3.4+)
+         context.load_default_certs()
+ 
+-- 
+2.24.1
+

SOURCES/pip-directory-traversal-security-issue-tests.patch

@@ -0,0 +1,122 @@
+From 7917dbda14ef64a5e7fdea48383a266577484ac8 Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Wed, 19 Aug 2020 12:51:16 +0200
+Subject: [PATCH 2/2] FIX #6413 pip install <url> allow directory traversal
+ (tests)
+
+---
+ tests/unit/test_download.py | 85 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 85 insertions(+)
+
+diff --git a/tests/unit/test_download.py b/tests/unit/test_download.py
+index ee4b11c..15f99ec 100644
+--- a/tests/unit/test_download.py
++++ b/tests/unit/test_download.py
+@@ -1,5 +1,6 @@
+ import hashlib
+ import os
++import sys
+ from io import BytesIO
+ from shutil import rmtree, copy
+ from tempfile import mkdtemp
+@@ -13,6 +14,7 @@ import pip
+ from pip.exceptions import HashMismatch
+ from pip.download import (
+     PipSession, SafeFileCache, path_to_url, unpack_http_url, url_to_path,
++    _download_http_url, parse_content_disposition, sanitize_content_filename,
+     unpack_file_url,
+ )
+ from pip.index import Link
+@@ -123,6 +125,89 @@ def test_unpack_http_url_bad_downloaded_checksum(mock_unpack_file):
+         rmtree(download_dir)
+ 
+ 
++@pytest.mark.parametrize("filename, expected", [
++    ('dir/file', 'file'),
++    ('../file', 'file'),
++    ('../../file', 'file'),
++    ('../', ''),
++    ('../..', '..'),
++    ('/', ''),
++])
++def test_sanitize_content_filename(filename, expected):
++    """
++    Test inputs where the result is the same for Windows and non-Windows.
++    """
++    assert sanitize_content_filename(filename) == expected
++
++
++@pytest.mark.parametrize("filename, win_expected, non_win_expected", [
++    ('dir\\file', 'file', 'dir\\file'),
++    ('..\\file', 'file', '..\\file'),
++    ('..\\..\\file', 'file', '..\\..\\file'),
++    ('..\\', '', '..\\'),
++    ('..\\..', '..', '..\\..'),
++    ('\\', '', '\\'),
++])
++def test_sanitize_content_filename__platform_dependent(
++    filename,
++    win_expected,
++    non_win_expected
++):
++    """
++    Test inputs where the result is different for Windows and non-Windows.
++    """
++    if sys.platform == 'win32':
++        expected = win_expected
++    else:
++        expected = non_win_expected
++    assert sanitize_content_filename(filename) == expected
++
++
++@pytest.mark.parametrize("content_disposition, default_filename, expected", [
++    ('attachment;filename="../file"', 'df', 'file'),
++])
++def test_parse_content_disposition(
++    content_disposition,
++    default_filename,
++    expected
++):
++    actual = parse_content_disposition(content_disposition, default_filename)
++    assert actual == expected
++
++
++def test_download_http_url__no_directory_traversal(tmpdir):
++    """
++    Test that directory traversal doesn't happen on download when the
++    Content-Disposition header contains a filename with a ".." path part.
++    """
++    mock_url = 'http://www.example.com/whatever.tgz'
++    contents = b'downloaded'
++    link = Link(mock_url)
++
++    session = Mock()
++    resp = MockResponse(contents)
++    resp.url = mock_url
++    resp.headers = {
++        # Set the content-type to a random value to prevent
++        # mimetypes.guess_extension from guessing the extension.
++        'content-type': 'random',
++        'content-disposition': 'attachment;filename="../out_dir_file"'
++    }
++    session.get.return_value = resp
++
++    download_dir = tmpdir.join('download')
++    os.mkdir(download_dir)
++    file_path, content_type = _download_http_url(
++        link,
++        session,
++        download_dir,
++        hashes=None,
++    )
++    # The file should be downloaded to download_dir.
++    actual = os.listdir(download_dir)
++    assert actual == ['out_dir_file']
++
++
+ @pytest.mark.skipif("sys.platform == 'win32'")
+ def test_path_to_url_unix():
+     assert path_to_url('/tmp/file') == 'file:///tmp/file'
+-- 
+2.25.4
+

SOURCES/pip-directory-traversal-security-issue.patch

@@ -0,0 +1,79 @@
+From 8044d9f2fbcb09f09a62b26ac1d8a134976bb2ac Mon Sep 17 00:00:00 2001
+From: gzpan123 <gzpan123@gmail.com>
+Date: Wed, 17 Apr 2019 21:25:45 +0800
+Subject: [PATCH 1/2] FIX #6413 pip install <url> allow directory traversal
+
+---
+ news/6413.bugfix |  3 +++
+ pip/download.py  | 31 ++++++++++++++++++++++++++-----
+ 2 files changed, 29 insertions(+), 5 deletions(-)
+ create mode 100644 news/6413.bugfix
+
+diff --git a/news/6413.bugfix b/news/6413.bugfix
+new file mode 100644
+index 0000000..68d0a72
+--- /dev/null
++++ b/news/6413.bugfix
+@@ -0,0 +1,3 @@
++Prevent ``pip install <url>`` from permitting directory traversal if e.g.
++a malicious server sends a ``Content-Disposition`` header with a filename
++containing ``../`` or ``..\\``.
+diff --git a/pip/download.py b/pip/download.py
+index 039e55a..b3d169b 100644
+--- a/pip/download.py
++++ b/pip/download.py
+@@ -54,7 +54,8 @@ __all__ = ['get_file_content',
+            'is_url', 'url_to_path', 'path_to_url',
+            'is_archive_file', 'unpack_vcs_link',
+            'unpack_file_url', 'is_vcs_url', 'is_file_url',
+-           'unpack_http_url', 'unpack_url']
++           'unpack_http_url', 'unpack_url',
++           'parse_content_disposition', 'sanitize_content_filename']
+ 
+ 
+ logger = logging.getLogger(__name__)
+@@ -824,6 +825,29 @@ def unpack_url(link, location, download_dir=None,
+         write_delete_marker_file(location)
+ 
+ 
++def sanitize_content_filename(filename):
++    # type: (str) -> str
++    """
++    Sanitize the "filename" value from a Content-Disposition header.
++    """
++    return os.path.basename(filename)
++
++
++def parse_content_disposition(content_disposition, default_filename):
++    # type: (str, str) -> str
++    """
++    Parse the "filename" value from a Content-Disposition header, and
++    return the default filename if the result is empty.
++    """
++    _type, params = cgi.parse_header(content_disposition)
++    filename = params.get('filename')
++    if filename:
++        # We need to sanitize the filename to prevent directory traversal
++        # in case the filename contains ".." path parts.
++        filename = sanitize_content_filename(filename)
++    return filename or default_filename
++
++
+ def _download_http_url(link, session, temp_dir, hashes):
+     """Download link url into temp_dir using provided session"""
+     target_url = link.url.split('#', 1)[0]
+@@ -864,10 +888,7 @@ def _download_http_url(link, session, temp_dir, hashes):
+     # Have a look at the Content-Disposition header for a better guess
+     content_disposition = resp.headers.get('content-disposition')
+     if content_disposition:
+-        type, params = cgi.parse_header(content_disposition)
+-        # We use ``or`` here because we don't want to use an "empty" value
+-        # from the filename param.
+-        filename = params.get('filename') or filename
++        filename = parse_content_disposition(content_disposition, filename)
+     ext = splitext(filename)[1]
+     if not ext:
+         ext = mimetypes.guess_extension(content_type)
+-- 
+2.25.4
+

SPECS/python2-pip.spec

@@ -19,7 +19,7 @@
 Name:           python2-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version:        9.0.3
-Release:        15%{?dist}
+Release:        19%{?dist}
 Summary:        A tool for installing and managing Python 2 packages
 
 Group:          Development/Libraries
@@ -55,7 +55,7 @@ Source0:        https://files.pythonhosted.org/packages/source/p/%{srcname}/%{sr
 # git clone https://github.com/pypa/pip && cd pip
 # git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
 %if %{with tests}
-Source1:        pip-9.0.1-tests.tar.gz
+Source1:        pip-%{version}-tests.tar.gz
 %endif
 # Manpage generated by sphinx from source tarball
 # cd pip-9.0.3/docs && make man && cp _build/man/pip.1 ../../pip2.1
@@ -86,6 +86,37 @@ Patch3:         pip-nowarn-upgrade.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1655253
 Patch4:         dummy-certifi.patch
 
+# Patch for CVE in the bundled urllib3
+# CVE-2018-20060 Cross-host redirect does not remove Authorization header allow for credential exposure
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20060
+Patch5:         CVE-2018-20060.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2019-11236 CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11236
+Patch6:         CVE-2019-11236.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2019-11324 Certification mishandle when error should be thrown
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11324
+Patch7:         CVE-2019-11324.patch
+
+# Patch for CVE in the bundled requests
+# CVE-2018-18074 Redirect from HTTPS to HTTP does not remove Authorization header
+# This patch fixes both the CVE
+# https://bugzilla.redhat.com/show_bug.cgi?id=1643829
+# and the subsequent regression
+# https://github.com/psf/requests/pull/4851
+Patch8:         CVE-2018-18074.patch
+
+# Patch for pip install <url> allow directory traversal, leading to arbitrary file write
+# - Upstream PR: https://github.com/pypa/pip/pull/6418/files
+# - Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1870184
+# Patch9 fixes the issue
+# Patch10 adds unit tests for the issue
+Patch9:         pip-directory-traversal-security-issue.patch
+Patch10:        pip-directory-traversal-security-issue-tests.patch
+
 BuildRequires:  python2-devel
 BuildRequires:  python2-setuptools
 %if %{with tests}
@@ -186,8 +217,23 @@ tar -xf %{SOURCE1}
 %patch3 -p1
 %patch4 -p1
 
+# Patching of bundled libraries
+pushd pip/_vendor/urllib3
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+popd
+pushd pip/_vendor/requests
+%patch8 -p1
+popd
+%patch9 -p1
+%if %{with tests}
+%patch10 -p1
+%endif
+
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
+rm pip/_vendor/requests/*.pem
 sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
 
 sed -i '1d' pip/__init__.py
@@ -195,6 +241,9 @@ sed -i '1d' pip/__init__.py
 # Remove ordereddict as it is only required for python <= 2.6
 rm pip/_vendor/ordereddict.py
 
+# Remove windows executable binaries
+rm -v pip/_vendor/distlib/*.exe
+sed -i '/\.exe/d' setup.py
 
 %build
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
@@ -310,6 +359,26 @@ py.test-%{python2_version} -m 'not network'
 %endif
 
 %changelog
+* Thu Oct 14 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-19
+- Remove bundled windows executables
+- Resolves: rhbz#2006792
+
+* Wed Aug 19 2020 Tomas Orsava <torsava@redhat.com> - 9.0.3-18
+- Patch for pip install <url> allow directory traversal, leading to arbitrary file write
+Resolves: rhbz#1870184
+
+* Mon Mar 16 2020 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-17
+- Remove unused CA bundle from the bundled requests library
+Resolves: rhbz#1775194
+
+* Tue Jan 14 2020 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-16
+- Add four new patches for CVEs in bundled urllib3 and requests
+CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
+Resolves: rhbz#1649153
+Resolves: rhbz#1700824
+Resolves: rhbz#1702473
+Resolves: rhbz#1643829
+
 * Thu Oct 24 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-15
 - Use the system level root certificate instead of the one bundled in certifi
 Resolves: rhbz#1659551