From 91d2bf596c869c3ffcca29354f23817aa4746206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?=
Date: Wed, 14 Feb 2024 15:42:59 +0100
Subject: [PATCH] Require Python with tarfile filters

Resolves: RHEL-25453
---
 python3.11-pip.spec | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/python3.11-pip.spec b/python3.11-pip.spec
index 7d80c99..24b861b 100644
--- a/python3.11-pip.spec
+++ b/python3.11-pip.spec
@@ -12,7 +12,7 @@ Name: python%{python3_pkgversion}-%{srcname}
 Version: %{base_version}%{?prerel:~%{prerel}}
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: A tool for installing and managing Python packages
 # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -207,7 +207,9 @@ Recommends: python%{python3_pkgversion}-setuptools
 Requires(postun): alternatives >= 1.19.1-1
 # python3.11 installs the alternatives master symlink to which we attach a slave
-Requires: python%{python3_pkgversion}
+# pip has to require explicit version of python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires: python%{python3_pkgversion} >= 3.11.4-3
 Requires(post): python%{python3_pkgversion}
 Requires(postun): python%{python3_pkgversion}
@@ -225,6 +227,8 @@ Packages" or "Pip Installs Python".
 %package -n %{python_wheel_pkg_prefix}-%{srcname}-wheel
 Summary: The pip wheel
 Requires: ca-certificates
+# Older Python does not provide tarfile filters (fix for CVE-2007-4559).
+Conflicts: python%{python3_pkgversion} < 3.11.4-3
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_pkgversion}}
@@ -397,6 +401,10 @@ fi
 %{python_wheel_dir}/%{python_wheel_name}
 %changelog
+* Wed Feb 14 2024 Tomáš Hrnčiar - 22.3.1-5
+- Require Python with tarfile filters
+Resolves: RHEL-25453
+
 * Tue Aug 08 2023 Petr Viktorin - 22.3.1-4
 - Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
 Resolves: RHBZ#2218249
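Review bot: The comment added above `Requires: python%{python3_pkgversion} >= 3.11.4-3` says what is required but not why that exact floor: `3.11.4-3` is a downstream build NVR rather than an upstream feature release, so a reader of the spec cannot tell which build first carried the backported filters or what goes wrong on an older interpreter. Suggest replacing the two comment lines with: `# 3.11.4-3 is the first python3.11 build in this distribution that ships the backported tarfile extraction filters (PEP 706); pip 22.3.1-4 calls tarfile.data_filter when extracting archives and must not run on an interpreter without it (CVE-2007-4559).` That pip relies on data_filter is visible here only from the 22.3.1-4 changelog entry, so the claim about behaviour on older interpreters is inferred and should be checked against the pip patch before it is written down.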
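Review bot: The new `Conflicts: python%{python3_pkgversion} < 3.11.4-3` on the wheel subpackage hard-codes the same NVR that the main package's `Requires:` uses, so the next bump has to be applied in two places and the two can silently drift apart. Define it once near the top of the spec, `%global tarfile_filters_python_nvr 3.11.4-3`, and use `%{tarfile_filters_python_nvr}` in both the Requires and the Conflicts lines. The comment should also record why this subpackage uses Conflicts instead of Requires — presumably so the wheel remains installable without pulling in the interpreter (it is the wheel consumed by ensurepip), but that reasoning is not visible in the hunk and needs confirming by whoever owns the spec.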