From 762e052c91fe8832b3c17170661d80b7a88dcf92 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Wed, 3 Apr 2024 14:02:48 +0000
Subject: [PATCH] import UBI python3x-pip-20.2.4-8.module+el8.9.0+21344+82807453.1
---
 SOURCES/cve-2007-4559-tarfile.patch | 78 +++++++++++++++++++++++++++++
 SPECS/python3x-pip.spec | 28 ++++++++++-
 2 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/cve-2007-4559-tarfile.patch
diff --git a/SOURCES/cve-2007-4559-tarfile.patch b/SOURCES/cve-2007-4559-tarfile.patch
new file mode 100644
index 0000000..3008a79
--- /dev/null
+++ b/SOURCES/cve-2007-4559-tarfile.patch
@@ -0,0 +1,78 @@
+Minimal patch for pip
+
+diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py
+--- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100
++++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200
+@@ -184,6 +184,13 @@
+ raise InstallationError(
+ message.format(filename, path, location)
+ )
++
++ # Call the `data` filter for its side effect (raising exception)
++ try:
++ tarfile.data_filter(member.replace(name=fn), location)
++ except tarfile.LinkOutsideDestinationError:
++ pass
++
+ if member.isdir():
+ ensure_dir(path)
+ elif member.issym():
+
+
+Test from https://github.com/pypa/pip/pull/12214
+
+diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py
+--- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100
++++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200
+@@ -171,6 +171,23 @@
+ test_tar = self.make_tar_file('test_tar.tar', files)
+ untar_file(test_tar, self.tempdir)
+
++ def test_unpack_tar_filter(self) -> None:
++ """
++ Test that the tarfile.data_filter is used to disallow dangerous
++ behaviour (PEP-721)
++ """
++ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar")
++ with tarfile.open(test_tar, "w") as mytar:
++ file_tarinfo = tarfile.TarInfo("bad-link")
++ file_tarinfo.type = tarfile.SYMTYPE
++ file_tarinfo.linkname = "../../../../pwn"
++ mytar.addfile(file_tarinfo, io.BytesIO(b""))
++ with pytest.raises(InstallationError) as e:
++ untar_file(test_tar, self.tempdir)
++
++ assert "is outside the destination" in str(e.value)
++
++
+
+ @pytest.mark.parametrize('args, expected', [
+ # Test the second containing the first.
+
+
+Patch for vendored distlib from https://github.com/pypa/distlib/pull/201
+
+diff --git a/distlib/util.py b/distlib/util.py
+index e0622e4..4349d0b 100644
+--- a/src/pip/_vendor/distlib/util.py
++++ b/src/pip/_vendor/distlib/util.py
+@@ -1249,6 +1249,19 @@ def check_path(path):
+ for tarinfo in archive.getmembers():
+ if not isinstance(tarinfo.name, text_type):
+ tarinfo.name = tarinfo.name.decode('utf-8')
++
++ # Limit extraction of dangerous items, if this Python
++ # allows it easily. If not, just trust the input.
++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
++ def extraction_filter(member, path):
++ """Run tarfile.tar_fillter, but raise the expected ValueError"""
++ # This is only called if the current Python has tarfile filters
++ try:
++ return tarfile.tar_filter(member, path)
++ except tarfile.FilterError as exc:
++ raise ValueError(str(exc))
++ archive.extraction_filter = extraction_filter
++
+ archive.extractall(dest_dir)
+
+ finally:
diff --git a/SPECS/python3x-pip.spec b/SPECS/python3x-pip.spec
index b12910a..4cf653c 100644
--- a/SPECS/python3x-pip.spec
+++ b/SPECS/python3x-pip.spec
@@ -19,7 +19,7 @@ Name: python3x-%{srcname}
 Version: %{base_version}%{?prerel:~%{prerel}}
-Release: 7%{?dist}
+Release: 8%{?dist}.1
 Summary: A tool for installing and managing Python packages
 # We bundle a lot of libraries with pip, which itself is under MIT license.
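Review bot: In the pip hunk (`@@ -184,6 +184,13 @@` of `unpacking.py`) only `tarfile.LinkOutsideDestinationError` is caught and silently passed, the comment does not say why that particular rejection is tolerated, and every other `tarfile.FilterError` the data filter can raise (absolute paths or links, paths outside the destination, special files) escapes as a raw tarfile exception instead of the `InstallationError` that the context two lines above raises and that the new test expects. I would add a second clause, `except tarfile.FilterError as exc: raise InstallationError("Invalid member in the tar file {}: {}".format(filename, exc))`, and replace the bare `pass` with a comment giving the reason (for example a known false positive of the filter on the targeted Python build, if that is the case). With the `pass` in place, the `bad-link` case (relative target `../../../../pwn`) does not appear to reach an `InstallationError` containing "is outside the destination" from this hunk alone, so confirm that `%check` actually runs `test_unpack_tar_filter` and that it passes against the Python version the spec now requires. The distlib part's docstring reads `tar_fillter`; it should be `tar_filter`. The enclosing functions (`untar_file` and distlib's extractor) start and end outside these hunks.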
@@ -107,6 +107,14 @@ Patch6: CVE-2021-3572.patch
 # Upstream fix: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
 Patch7: CVE-2021-33503.patch
+# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
+# - Minimal downstream-only patch, to be replaced by upstream solution
+# proposed in https://github.com/pypa/pip/pull/12214
+# - Test patch submitted upstream in the above pull request
+# - Patch for vendored distlib, accepted upstream:
+# https://github.com/pypa/distlib/pull/201
+Patch8: cve-2007-4559-tarfile.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older/newer versions.
@@ -223,7 +231,9 @@ Recommends: python%{python3_pkgversion}-setuptools
 # Require alternatives version that implements the --keep-foreign flag
 Requires(postun): alternatives >= 1.19.1-1
 # python39 installs the alternatives master symlink to which we attach a slave
-Requires: python%{python3_pkgversion}
+# pip has to require explicit version of python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires: python%{python3_pkgversion} >= 3.9.17-2
 Requires(post): python%{python3_pkgversion}
 Requires(postun): python%{python3_pkgversion}
@@ -252,6 +262,7 @@ A documentation for a tool for installing and managing Python packages
 %package -n python%{python3_pkgversion}-%{srcname}-wheel
 Summary: The pip wheel
 Requires: ca-certificates
+Conflicts: python%{python3_pkgversion} < 3.9.17-2
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}
@@ -290,6 +301,11 @@ sed -i -e 's/csv23/csv/g' tests/lib/wheel.py
 rm -v src/pip/_vendor/distlib/*.exe
 sed -i '/\.exe/d' setup.py
+# Backports for Python 2
+rm src/pip/_vendor/distlib/_backport/shutil.py
+rm src/pip/_vendor/distlib/_backport/tarfile.py
+
+
 %build
 %py3_build_wheel
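Review bot: The `%prep` hunk (`@@ -290,6 +301,11 @@`) deletes `_backport/shutil.py` and `_backport/tarfile.py` from the vendored distlib with only `# Backports for Python 2` as explanation, and nothing in the commit shows that no remaining vendored module still imports them, so a stale import would surface only when that module is first imported at runtime. I would extend the comment to state the intent, e.g. `# Remove distlib's Python 2 backports so the vendored code cannot fall back to a private tarfile copy without extraction filters; Patch8 makes util.py use the stdlib tarfile` (that the backport copy lacks filters is presumed, confirm), and add a build-time guard such as `grep -rq '_backport' src/pip/_vendor/distlib && exit 1` right after the two `rm` lines so the build fails if any reference remains. The `Requires: ... >= 3.9.17-2` in `@@ -223,7 +231,9 @@` and `Conflicts: ... < 3.9.17-2` in `@@ -252,6 +262,7 @@` are consistent with each other, and the `Patch8` comment block would be the natural place to mention that the version floor is what guarantees `tarfile.data_filter` exists.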
@@ -454,6 +470,14 @@ fi
 %{python_wheeldir}/%{python_wheelname}
 %changelog
+* Fri Feb 16 2024 Tomáš Hrnčiar - 20.2.4-8.1
+- Require Python with tarfile filters
+Resolves: RHEL-25459
+
+* Tue Aug 08 2023 Petr Viktorin - 20.2.4-8
+- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
+Resolves: RHBZ#2218275
+
 * Thu Oct 14 2021 Charalampos Stratakis - 20.2.4-7
 - Remove bundled windows executables
 - Resolves: rhbz#2006790