diff --git a/cve-2007-4559-tarfile.patch b/cve-2007-4559-tarfile.patch new file mode 100644 index 0000000..0073fc1 --- /dev/null +++ b/cve-2007-4559-tarfile.patch @@ -0,0 +1,78 @@ +Minimal patch for pip + +diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py +--- pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip-22.3.1/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 +@@ -184,6 +184,13 @@ + "outside target directory ({})" + ) + raise InstallationError(message.format(filename, path, location)) ++ ++ # Call the `data` filter for its side effect (raising exception) ++ try: ++ tarfile.data_filter(member.replace(name=fn), location) ++ except tarfile.LinkOutsideDestinationError: ++ pass ++ + if member.isdir(): + ensure_dir(path) + elif member.issym(): + + +Test from https://github.com/pypa/pip/pull/12214 + +diff -rU3 pip-22.3.1-orig/tests/unit/test_utils_unpacking.py pip-22.3.1/tests/unit/test_utils_unpacking.py +--- pip-22.3.1-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip-22.3.1/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 +@@ -171,6 +171,23 @@ + test_tar = self.make_tar_file("test_tar.tar", files) + untar_file(test_tar, self.tempdir) + ++ def test_unpack_tar_filter(self) -> None: ++ """ ++ Test that the tarfile.data_filter is used to disallow dangerous ++ behaviour (PEP-721) ++ """ ++ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar") ++ with tarfile.open(test_tar, "w") as mytar: ++ file_tarinfo = tarfile.TarInfo("bad-link") ++ file_tarinfo.type = tarfile.SYMTYPE ++ file_tarinfo.linkname = "../../../../pwn" ++ mytar.addfile(file_tarinfo, io.BytesIO(b"")) ++ with pytest.raises(InstallationError) as e: ++ untar_file(test_tar, self.tempdir) ++ ++ assert "is outside the destination" in str(e.value) ++ ++ + + def test_unpack_tar_unicode(tmpdir: Path) -> None: + test_tar = tmpdir / "test.tar" + + +Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 + +diff --git a/distlib/util.py b/distlib/util.py +index e0622e4..4349d0b 100644 +--- a/src/pip/_vendor/distlib/util.py ++++ b/src/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def check_path(path): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: diff --git a/python3.12-pip.spec b/python3.12-pip.spec index c6ecbc4..3cb574e 100644 --- a/python3.12-pip.spec +++ b/python3.12-pip.spec @@ -13,7 +13,7 @@ Name: python%{python3_pkgversion}-%{srcname} Version: %{base_version}%{?prerel:~%{prerel}} -Release: 3%{?dist} +Release: 4%{?dist} Summary: A tool for installing and managing Python packages # We bundle a lot of libraries with pip, which itself is under MIT license. @@ -73,6 +73,13 @@ Patch2: nowarn-pip._internal.main.patch # Upstream issue: https://github.com/pypa/packaging/issues/368 Patch3: no-version-warning.patch +# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting +# - Minimal downstream-only patch, to be replaced by upstream solution +# proposed in https://github.com/pypa/pip/pull/12214 +# - Test patch submitted upstream in the above pull request +# - Patch for vendored distlib, accepted upstream: +# https://github.com/pypa/distlib/pull/201 +Patch4: cve-2007-4559-tarfile.patch # Virtual provides for the packages bundled by pip. # You can generate it with: @@ -287,6 +294,10 @@ pytest_k='not completion' %{python_wheel_dir}/%{python_wheel_name} %changelog +* Fri Feb 16 2024 Charalampos Stratakis - 23.2.1-4 +- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) +Resolves: RHEL-25737 + * Thu Jan 25 2024 Miro HronĨok - 23.2.1-3 - Don't RPM Provide pip - Remove a superfluous RPM Conflict with python-pip