diff --git a/SOURCES/CVE-2021-3572.patch b/SOURCES/CVE-2021-3572.patch new file mode 100644 index 0000000..b1d0a62 --- /dev/null +++ b/SOURCES/CVE-2021-3572.patch @@ -0,0 +1,53 @@ +Backport of https://github.com/pypa/pip/pull/9827 with parts of +https://github.com/pypa/pip/pull/4690 to make it work with pip v9.0.1 +diff --git a/pip/vcs/git.py b/pip/vcs/git.py +index 2187dd8..d1502f8 100644 +--- a/pip/vcs/git.py ++++ b/pip/vcs/git.py +@@ -81,7 +81,7 @@ class Git(VersionControl): + and branches may need origin/ as a prefix. + Returns the SHA1 of the branch or tag if found. + """ +- revisions = self.get_short_refs(dest) ++ revisions = self.get_short_refs(dest, rev) + + origin_rev = 'origin/%s' % rev + if origin_rev in revisions: +@@ -171,12 +171,20 @@ class Git(VersionControl): + ['rev-parse', 'HEAD'], show_stdout=False, cwd=location) + return current_rev.strip() + +- def get_full_refs(self, location): ++ def get_full_refs(self, location, pattern=''): + """Yields tuples of (commit, ref) for branches and tags""" +- output = self.run_command(['show-ref'], ++ output = self.run_command(['show-ref', pattern], + show_stdout=False, cwd=location) +- for line in output.strip().splitlines(): +- commit, ref = line.split(' ', 1) ++ for line in output.split("\n"): ++ line = line.rstrip("\r") ++ if not line: ++ continue ++ try: ++ commit, ref = line.split(' ', 1) ++ except ValueError: ++ # Include the offending line to simplify troubleshooting if ++ # this error ever occurs. ++ raise ValueError(f'unexpected show-ref line: {line!r}') + yield commit.strip(), ref.strip() + + def is_ref_remote(self, ref): +@@ -200,10 +208,10 @@ class Git(VersionControl): + def get_refs(self, location): + return self.get_short_refs(location) + +- def get_short_refs(self, location): ++ def get_short_refs(self, location, pattern=''): + """Return map of named refs (branches or tags) to commit hashes.""" + rv = {} +- for commit, ref in self.get_full_refs(location): ++ for commit, ref in self.get_full_refs(location, pattern): + ref_name = None + if self.is_ref_remote(ref): + ref_name = ref[len('refs/remotes/'):] diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index 11f0af1..36f242f 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -14,7 +14,7 @@ Name: python-%{srcname} # When updating, update the bundled libraries versions bellow! Version: 9.0.3 -Release: 19%{?dist} +Release: 20%{?dist} Summary: A tool for installing and managing Python packages Group: Development/Libraries @@ -116,6 +116,13 @@ Patch8: CVE-2018-18074.patch Patch9: pip-directory-traversal-security-issue.patch Patch10: pip-directory-traversal-security-issue-tests.patch +# Patch for CVE-2021-3572 - pip incorrectly handled unicode separators in git references +# The patch is adjusted for older pip where it's necessary to also switch +# the way pip gets revisions from git +# Upstream PR: https://github.com/pypa/pip/pull/9827 +# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856 +Patch11: CVE-2021-3572.patch + %global _description \ pip is a package management system used to install and manage software packages \ written in Python. Many packages can be found in the Python Package Index \ @@ -257,6 +264,7 @@ popd %if %{with tests} %patch10 -p1 %endif +%patch11 -p1 # this goes together with patch4 rm pip/_vendor/certifi/*.pem @@ -364,6 +372,10 @@ py.test-%{python3_version} -m 'not network' %endif %changelog +* Mon Jun 07 2021 Lumír Balhar - 9.0.3-20 +- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references +Resolves: rhbz#1962856 + * Fri Jan 08 2021 Lumír Balhar - 9.0.3-19 - Fix bash completion files and simplify spec Resolves: rhbz#1904478