From 5c819bd888b643b309c06ebcd4fbd981f0817224 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 15 Nov 2023 03:53:28 +0000 Subject: [PATCH] import UBI python3.11-pip-22.3.1-4.el8 --- SOURCES/cve-2007-4559-tarfile.patch | 78 +++++++++++++++++++++++++++++ SPECS/python3.11-pip.spec | 68 +++++++++++++++---------- 2 files changed, 120 insertions(+), 26 deletions(-) create mode 100644 SOURCES/cve-2007-4559-tarfile.patch diff --git a/SOURCES/cve-2007-4559-tarfile.patch b/SOURCES/cve-2007-4559-tarfile.patch new file mode 100644 index 0000000..0073fc1 --- /dev/null +++ b/SOURCES/cve-2007-4559-tarfile.patch @@ -0,0 +1,78 @@ +Minimal patch for pip + +diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py +--- pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip-22.3.1/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 +@@ -184,6 +184,13 @@ + "outside target directory ({})" + ) + raise InstallationError(message.format(filename, path, location)) ++ ++ # Call the `data` filter for its side effect (raising exception) ++ try: ++ tarfile.data_filter(member.replace(name=fn), location) ++ except tarfile.LinkOutsideDestinationError: ++ pass ++ + if member.isdir(): + ensure_dir(path) + elif member.issym(): + + +Test from https://github.com/pypa/pip/pull/12214 + +diff -rU3 pip-22.3.1-orig/tests/unit/test_utils_unpacking.py pip-22.3.1/tests/unit/test_utils_unpacking.py +--- pip-22.3.1-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip-22.3.1/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 +@@ -171,6 +171,23 @@ + test_tar = self.make_tar_file("test_tar.tar", files) + untar_file(test_tar, self.tempdir) + ++ def test_unpack_tar_filter(self) -> None: ++ """ ++ Test that the tarfile.data_filter is used to disallow dangerous ++ behaviour (PEP-721) ++ """ ++ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar") ++ with tarfile.open(test_tar, "w") as mytar: ++ file_tarinfo = tarfile.TarInfo("bad-link") ++ file_tarinfo.type = tarfile.SYMTYPE ++ file_tarinfo.linkname = "../../../../pwn" ++ mytar.addfile(file_tarinfo, io.BytesIO(b"")) ++ with pytest.raises(InstallationError) as e: ++ untar_file(test_tar, self.tempdir) ++ ++ assert "is outside the destination" in str(e.value) ++ ++ + + def test_unpack_tar_unicode(tmpdir: Path) -> None: + test_tar = tmpdir / "test.tar" + + +Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 + +diff --git a/distlib/util.py b/distlib/util.py +index e0622e4..4349d0b 100644 +--- a/src/pip/_vendor/distlib/util.py ++++ b/src/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def check_path(path): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: diff --git a/SPECS/python3.11-pip.spec b/SPECS/python3.11-pip.spec index 8f607fa..7d80c99 100644 --- a/SPECS/python3.11-pip.spec +++ b/SPECS/python3.11-pip.spec @@ -12,7 +12,7 @@ Name: python%{python3_pkgversion}-%{srcname} Version: %{base_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 4%{?dist} Summary: A tool for installing and managing Python packages # We bundle a lot of libraries with pip, which itself is under MIT license. @@ -81,6 +81,14 @@ Patch2: nowarn-pip._internal.main.patch # Upstream issue: https://github.com/pypa/packaging/issues/368 Patch3: no-version-warning.patch +# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting +# - Minimal downstream-only patch, to be replaced by upstream solution +# proposed in https://github.com/pypa/pip/pull/12214 +# - Test patch submitted upstream in the above pull request +# - Patch for vendored distlib, accepted upstream: +# https://github.com/pypa/distlib/pull/201 +Patch4: cve-2007-4559-tarfile.patch + # Downstream only patch # Users might have local installations of pip from using # `pip install --user --upgrade pip` on older/newer versions. @@ -389,34 +397,42 @@ fi %{python_wheel_dir}/%{python_wheel_name} %changelog +* Tue Aug 08 2023 Petr Viktorin - 22.3.1-4 +- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) +Resolves: RHBZ#2218249 + +* Mon Mar 06 2023 Lumír Balhar - 22.3.1-3 +- Fix changelog to contain Fedora contributors +Resolves: RHEL-232 + * Mon Jan 30 2023 Charalampos Stratakis - 22.3.1-2 - Add BuildRequires on python3.11-rpm-macros * Wed Aug 03 2022 Charalampos Stratakis - 22.3.1-1 - Initial package - Fedora contributions by: - # Bill Nottingham - # Charalampos Stratakis - # David Malcolm - # Dennis Gilmore - # Jon Ciesla - # Karolina Surma - # Kevin Fenzi - # Kevin Kofler - # Luke Macken - # Lumir Balhar - # Marcel Plch - # Matej Stuchlik - # Michal Cyprian - # Miro Hrončok - # Orion Poplawski - # Pádraig Brady - # Peter Halliday - # Petr Viktorin - # Robert Kuska - # Slavek Kabrda - # Tim Flink - # Tomáš Hrnčiar - # Tomas Orsava - # Toshio Kuratomi - # Ville Skyttä + Bill Nottingham + Charalampos Stratakis + David Malcolm + Dennis Gilmore + Jon Ciesla + Karolina Surma + Kevin Fenzi + Kevin Kofler + Luke Macken + Lumir Balhar + Marcel Plch + Matej Stuchlik + Michal Cyprian + Miro Hrončok + Orion Poplawski + Pádraig Brady + Peter Halliday + Petr Viktorin + Robert Kuska + Slavek Kabrda + Tim Flink + Tomáš Hrnčiar + Tomas Orsava + Toshio Kuratomi + Ville Skyttä