import python3x-pip-20.2.4-4.module+el8.5.0+11356+97293569

2021-06-11 05:02:28 +00:00 · 2021-06-11 05:02:28 +00:00 · 832f709c48
commit 832f709c48
parent 03c96ee5cd
2 changed files with 46 additions and 3 deletions
--- a/SOURCES/CVE-2021-3572.patch
+++ b/SOURCES/CVE-2021-3572.patch
@ -0,0 +1,34 @@
+From d135e45152a88b896b1d3e8770d5d59f694c2419 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 8 Jun 2021 10:08:49 +0200
+Subject: [PATCH] CVE-2021-3572
+
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index a9c7fb6..b38625e 100644
+--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
+@@ -142,9 +142,15 @@ class Git(VersionControl):
+             pass
+ 
+         refs = {}
+-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
+             try:
+-                sha, ref = line.split()
+                sha, ref = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
+-- 
+2.31.1
+
--- a/SPECS/python3x-pip.spec
+++ b/SPECS/python3x-pip.spec
@ -19,7 +19,7 @@

 Name:           python3x-%{srcname}
 Version:        %{base_version}%{?prerel:~%{prerel}}
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A tool for installing and managing Python packages

 # We bundle a lot of libraries with pip, which itself is under MIT license.
@ -97,6 +97,11 @@ Patch4:         dummy-certifi.patch
 # this warning is juts moot. Also, the warning breaks CPython test suite.
 Patch5:         nowarn-pip._internal.main.patch

+# Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
+Patch6:         CVE-2021-3572.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older/newer versions.
@ -218,7 +223,7 @@ Requires(postun): python%{python3_pkgversion}
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}

-%{crypt_compat_recommends %{python3_version}}
+%{crypt_compat_recommends %{python3_pkgversion}}

 %description -n python%{python3_pkgversion}-%{srcname}
 pip is a package management system used to install and manage software packages
@ -244,7 +249,7 @@ Requires:       ca-certificates
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}

-%{crypt_compat_recommends %{python3_version}}
+%{crypt_compat_recommends %{python3_pkgversion}}

 %description -n python%{python3_pkgversion}-%{srcname}-wheel
 A Python wheel of pip to use with venv.
@ -439,6 +444,10 @@ fi
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Tue Jun 08 2021 Lumír Balhar <lbalhar@redhat.com> - 20.2.4-4
+- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+Resolves: rhbz#1962856
+
 * Wed Jan 06 2021 Tomas Orsava <torsava@redhat.com> - 20.2.4-3
 - Convert from Fedora to the python39 module in RHEL8
 - Resolves: rhbz#1877430