import UBI python3x-pip-20.2.4-8.module+el8.9.0+21344+82807453.1
This commit is contained in:
parent
8de24281b4
commit
762e052c91
|
@ -0,0 +1,78 @@
|
|||
Minimal patch for pip
|
||||
|
||||
diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py
|
||||
--- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100
|
||||
+++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200
|
||||
@@ -184,6 +184,13 @@
|
||||
raise InstallationError(
|
||||
message.format(filename, path, location)
|
||||
)
|
||||
+
|
||||
+ # Call the `data` filter for its side effect (raising exception)
|
||||
+ try:
|
||||
+ tarfile.data_filter(member.replace(name=fn), location)
|
||||
+ except tarfile.LinkOutsideDestinationError:
|
||||
+ pass
|
||||
+
|
||||
if member.isdir():
|
||||
ensure_dir(path)
|
||||
elif member.issym():
|
||||
|
||||
|
||||
Test from https://github.com/pypa/pip/pull/12214
|
||||
|
||||
diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py
|
||||
--- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100
|
||||
+++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200
|
||||
@@ -171,6 +171,23 @@
|
||||
test_tar = self.make_tar_file('test_tar.tar', files)
|
||||
untar_file(test_tar, self.tempdir)
|
||||
|
||||
+ def test_unpack_tar_filter(self) -> None:
|
||||
+ """
|
||||
+ Test that the tarfile.data_filter is used to disallow dangerous
|
||||
+ behaviour (PEP-721)
|
||||
+ """
|
||||
+ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar")
|
||||
+ with tarfile.open(test_tar, "w") as mytar:
|
||||
+ file_tarinfo = tarfile.TarInfo("bad-link")
|
||||
+ file_tarinfo.type = tarfile.SYMTYPE
|
||||
+ file_tarinfo.linkname = "../../../../pwn"
|
||||
+ mytar.addfile(file_tarinfo, io.BytesIO(b""))
|
||||
+ with pytest.raises(InstallationError) as e:
|
||||
+ untar_file(test_tar, self.tempdir)
|
||||
+
|
||||
+ assert "is outside the destination" in str(e.value)
|
||||
+
|
||||
+
|
||||
|
||||
@pytest.mark.parametrize('args, expected', [
|
||||
# Test the second containing the first.
|
||||
|
||||
|
||||
Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
|
||||
|
||||
diff --git a/distlib/util.py b/distlib/util.py
|
||||
index e0622e4..4349d0b 100644
|
||||
--- a/src/pip/_vendor/distlib/util.py
|
||||
+++ b/src/pip/_vendor/distlib/util.py
|
||||
@@ -1249,6 +1249,19 @@ def check_path(path):
|
||||
for tarinfo in archive.getmembers():
|
||||
if not isinstance(tarinfo.name, text_type):
|
||||
tarinfo.name = tarinfo.name.decode('utf-8')
|
||||
+
|
||||
+ # Limit extraction of dangerous items, if this Python
|
||||
+ # allows it easily. If not, just trust the input.
|
||||
+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
|
||||
+ def extraction_filter(member, path):
|
||||
+ """Run tarfile.tar_fillter, but raise the expected ValueError"""
|
||||
+ # This is only called if the current Python has tarfile filters
|
||||
+ try:
|
||||
+ return tarfile.tar_filter(member, path)
|
||||
+ except tarfile.FilterError as exc:
|
||||
+ raise ValueError(str(exc))
|
||||
+ archive.extraction_filter = extraction_filter
|
||||
+
|
||||
archive.extractall(dest_dir)
|
||||
|
||||
finally:
|
|
@ -19,7 +19,7 @@
|
|||
|
||||
Name: python3x-%{srcname}
|
||||
Version: %{base_version}%{?prerel:~%{prerel}}
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}.1
|
||||
Summary: A tool for installing and managing Python packages
|
||||
|
||||
# We bundle a lot of libraries with pip, which itself is under MIT license.
|
||||
|
@ -107,6 +107,14 @@ Patch6: CVE-2021-3572.patch
|
|||
# Upstream fix: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
|
||||
Patch7: CVE-2021-33503.patch
|
||||
|
||||
# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
|
||||
# - Minimal downstream-only patch, to be replaced by upstream solution
|
||||
# proposed in https://github.com/pypa/pip/pull/12214
|
||||
# - Test patch submitted upstream in the above pull request
|
||||
# - Patch for vendored distlib, accepted upstream:
|
||||
# https://github.com/pypa/distlib/pull/201
|
||||
Patch8: cve-2007-4559-tarfile.patch
|
||||
|
||||
# Downstream only patch
|
||||
# Users might have local installations of pip from using
|
||||
# `pip install --user --upgrade pip` on older/newer versions.
|
||||
|
@ -223,7 +231,9 @@ Recommends: python%{python3_pkgversion}-setuptools
|
|||
# Require alternatives version that implements the --keep-foreign flag
|
||||
Requires(postun): alternatives >= 1.19.1-1
|
||||
# python39 installs the alternatives master symlink to which we attach a slave
|
||||
Requires: python%{python3_pkgversion}
|
||||
# pip has to require explicit version of python that provides
|
||||
# filters in tarfile module (fix for CVE-2007-4559).
|
||||
Requires: python%{python3_pkgversion} >= 3.9.17-2
|
||||
Requires(post): python%{python3_pkgversion}
|
||||
Requires(postun): python%{python3_pkgversion}
|
||||
|
||||
|
@ -252,6 +262,7 @@ A documentation for a tool for installing and managing Python packages
|
|||
%package -n python%{python3_pkgversion}-%{srcname}-wheel
|
||||
Summary: The pip wheel
|
||||
Requires: ca-certificates
|
||||
Conflicts: python%{python3_pkgversion} < 3.9.17-2
|
||||
|
||||
# Virtual provides for the packages bundled by pip:
|
||||
%{bundled %{python3_version}}
|
||||
|
@ -290,6 +301,11 @@ sed -i -e 's/csv23/csv/g' tests/lib/wheel.py
|
|||
rm -v src/pip/_vendor/distlib/*.exe
|
||||
sed -i '/\.exe/d' setup.py
|
||||
|
||||
# Backports for Python 2
|
||||
rm src/pip/_vendor/distlib/_backport/shutil.py
|
||||
rm src/pip/_vendor/distlib/_backport/tarfile.py
|
||||
|
||||
|
||||
%build
|
||||
%py3_build_wheel
|
||||
|
||||
|
@ -454,6 +470,14 @@ fi
|
|||
%{python_wheeldir}/%{python_wheelname}
|
||||
|
||||
%changelog
|
||||
* Fri Feb 16 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 20.2.4-8.1
|
||||
- Require Python with tarfile filters
|
||||
Resolves: RHEL-25459
|
||||
|
||||
* Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 20.2.4-8
|
||||
- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
|
||||
Resolves: RHBZ#2218275
|
||||
|
||||
* Thu Oct 14 2021 Charalampos Stratakis <cstratak@redhat.com> - 20.2.4-7
|
||||
- Remove bundled windows executables
|
||||
- Resolves: rhbz#2006790
|
||||
|
|
Loading…
Reference in New Issue