Require Python with tarfile filters

Resolves: RHEL-25459
2024-02-16 12:06:35 +01:00 · 2024-02-16 12:06:35 +01:00 · a8f075a72e
commit a8f075a72e
parent 5299110293
1 changed files with 9 additions and 2 deletions
--- a/python3x-pip.spec
+++ b/python3x-pip.spec
@ -19,7 +19,7 @@

 Name:           python3x-%{srcname}
 Version:        %{base_version}%{?prerel:~%{prerel}}
-Release:        8%{?dist}
+Release:        8%{?dist}.1
 Summary:        A tool for installing and managing Python packages

 # We bundle a lot of libraries with pip, which itself is under MIT license.
@ -231,7 +231,9 @@ Recommends:     python%{python3_pkgversion}-setuptools
 # Require alternatives version that implements the --keep-foreign flag
 Requires(postun): alternatives >= 1.19.1-1
 # python39 installs the alternatives master symlink to which we attach a slave
-Requires: python%{python3_pkgversion}
+# pip has to require explicit version of python that provides
+# filters in tarfile module (fix for CVE-2007-4559).
+Requires: python%{python3_pkgversion} >= 3.9.17-2
 Requires(post): python%{python3_pkgversion}
 Requires(postun): python%{python3_pkgversion}

@ -260,6 +262,7 @@ A documentation for a tool for installing and managing Python packages
 %package -n python%{python3_pkgversion}-%{srcname}-wheel
 Summary:        The pip wheel
 Requires:       ca-certificates
+Conflicts:      python%{python3_pkgversion} < 3.9.17-2

 # Virtual provides for the packages bundled by pip:
 %{bundled %{python3_version}}
@ -467,6 +470,10 @@ fi
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Fri Feb 16 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 20.2.4-8.1
+- Require Python with tarfile filters
+Resolves: RHEL-25459
+
 * Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 20.2.4-8
 - Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
 Resolves: RHBZ#2218275