import python3x-pip-20.2.4-4.module+el8.5.0+11356+97293569

SOURCES/CVE-2021-3572.patch

@@ -0,0 +1,34 @@
+From d135e45152a88b896b1d3e8770d5d59f694c2419 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 8 Jun 2021 10:08:49 +0200
+Subject: [PATCH] CVE-2021-3572
+
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index a9c7fb6..b38625e 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -142,9 +142,15 @@ class Git(VersionControl):
+             pass
+ 
+         refs = {}
+-        for line in output.strip().splitlines():
++        # NOTE: We do not use splitlines here since that would split on other
++        #       unicode separators, which can be maliciously used to install a
++        #       different revision.
++        for line in output.strip().split("\n"):
++            line = line.rstrip("\r")
++            if not line:
++                continue
+             try:
+-                sha, ref = line.split()
++                sha, ref = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
+-- 
+2.31.1
+

SPECS/python3x-pip.spec

@@ -19,7 +19,7 @@
 
 Name:           python3x-%{srcname}
 Version:        %{base_version}%{?prerel:~%{prerel}}
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -97,6 +97,11 @@ Patch4:         dummy-certifi.patch
 # this warning is juts moot. Also, the warning breaks CPython test suite.
 Patch5:         nowarn-pip._internal.main.patch
 
+# Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
+Patch6:         CVE-2021-3572.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older/newer versions.
@@ -218,7 +223,7 @@ Requires(postun): python%{python3_pkgversion}
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}
 
-%{crypt_compat_recommends %{python3_version}}
+%{crypt_compat_recommends %{python3_pkgversion}}
 
 %description -n python%{python3_pkgversion}-%{srcname}
 pip is a package management system used to install and manage software packages
@@ -244,7 +249,7 @@ Requires:       ca-certificates
 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}
 
-%{crypt_compat_recommends %{python3_version}}
+%{crypt_compat_recommends %{python3_pkgversion}}
 
 %description -n python%{python3_pkgversion}-%{srcname}-wheel
 A Python wheel of pip to use with venv.
@@ -439,6 +444,10 @@ fi
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Tue Jun 08 2021 Lumír Balhar <lbalhar@redhat.com> - 20.2.4-4
+- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+Resolves: rhbz#1962856
+
 * Wed Jan 06 2021 Tomas Orsava <torsava@redhat.com> - 20.2.4-3
 - Convert from Fedora to the python39 module in RHEL8
 - Resolves: rhbz#1877430