diff --git a/SOURCES/CVE-2021-3572.patch b/SOURCES/CVE-2021-3572.patch
new file mode 100644
index 0000000..b1d0a62
--- /dev/null
+++ b/SOURCES/CVE-2021-3572.patch
@@ -0,0 +1,53 @@
+Backport of https://github.com/pypa/pip/pull/9827 with parts of
+https://github.com/pypa/pip/pull/4690 to make it work with pip v9.0.1
+diff --git a/pip/vcs/git.py b/pip/vcs/git.py
+index 2187dd8..d1502f8 100644
+--- a/pip/vcs/git.py
++++ b/pip/vcs/git.py
+@@ -81,7 +81,7 @@ class Git(VersionControl):
+         and branches may need origin/ as a prefix.
+         Returns the SHA1 of the branch or tag if found.
+         """
+-        revisions = self.get_short_refs(dest)
++        revisions = self.get_short_refs(dest, rev)
+ 
+         origin_rev = 'origin/%s' % rev
+         if origin_rev in revisions:
+@@ -171,12 +171,20 @@ class Git(VersionControl):
+             ['rev-parse', 'HEAD'], show_stdout=False, cwd=location)
+         return current_rev.strip()
+ 
+-    def get_full_refs(self, location):
++    def get_full_refs(self, location, pattern=''):
+         """Yields tuples of (commit, ref) for branches and tags"""
+-        output = self.run_command(['show-ref'],
++        output = self.run_command(['show-ref', pattern],
+                                   show_stdout=False, cwd=location)
+-        for line in output.strip().splitlines():
+-            commit, ref = line.split(' ', 1)
++        for line in output.split("\n"):
++            line = line.rstrip("\r")
++            if not line:
++                continue
++            try:
++                commit, ref = line.split(' ', 1)
++            except ValueError:
++                # Include the offending line to simplify troubleshooting if
++                # this error ever occurs.
++                raise ValueError(f'unexpected show-ref line: {line!r}')
+             yield commit.strip(), ref.strip()
+ 
+     def is_ref_remote(self, ref):
+@@ -200,10 +208,10 @@ class Git(VersionControl):
+     def get_refs(self, location):
+         return self.get_short_refs(location)
+ 
+-    def get_short_refs(self, location):
++    def get_short_refs(self, location, pattern=''):
+         """Return map of named refs (branches or tags) to commit hashes."""
+         rv = {}
+-        for commit, ref in self.get_full_refs(location):
++        for commit, ref in self.get_full_refs(location, pattern):
+             ref_name = None
+             if self.is_ref_remote(ref):
+                 ref_name = ref[len('refs/remotes/'):]
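Review bot: In the embedded pip/vcs/git.py patch, `get_full_refs` always appends `pattern` to the command, so the default `pattern=''` reached through `get_refs` → `get_short_refs(location)` runs `git show-ref ''` rather than a bare `git show-ref`. As far as I know an empty pattern matches no ref and git exits non-zero, so the old list-everything behaviour would be lost; building the list conditionally, e.g. `cmd = ['show-ref'] + ([pattern] if pattern else [])`, avoids that. The same non-zero exit is likely in `check_rev_options` when `rev` is a commit hash that names no ref, so confirm how `run_command` treats that return code here (as far as I recall, upstream's equivalent call passes `on_returncode='ignore'`). Separately, the f-string in the `raise ValueError(...)` line needs Python 3.6+, so if this spec still builds pip for an older interpreter, `'unexpected show-ref line: {!r}'.format(line)` keeps the module importable. The body of `get_short_refs` continues past the end of the hunk.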
diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec
index 11f0af1..36f242f 100644
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@@ -14,7 +14,7 @@
 Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version:        9.0.3
-Release:        19%{?dist}
+Release:        20%{?dist}
 Summary:        A tool for installing and managing Python packages
 
 Group:          Development/Libraries
@@ -116,6 +116,13 @@ Patch8:         CVE-2018-18074.patch
 Patch9:         pip-directory-traversal-security-issue.patch
 Patch10:        pip-directory-traversal-security-issue-tests.patch
 
+# Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+# The patch is adjusted for older pip where it's necessary to also switch
+# the way pip gets revisions from git
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
+Patch11:        CVE-2021-3572.patch
+
 %global _description \
 pip is a package management system used to install and manage software packages \
 written in Python. Many packages can be found in the Python Package Index \
@@ -257,6 +264,7 @@ popd
 %if %{with tests}
 %patch10 -p1
 %endif
+%patch11 -p1
 
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
@@ -364,6 +372,10 @@ py.test-%{python3_version} -m 'not network'
 %endif
 
 %changelog
+* Mon Jun 07 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-20
+- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
+Resolves: rhbz#1962856
+
 * Fri Jan 08 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-19
 - Fix bash completion files and simplify spec
 Resolves: rhbz#1904478