From 65f425654beb19722afed9c429beda3516aaabbf Mon Sep 17 00:00:00 2001 From: shixuantong Date: Sat, 24 Jul 2021 15:33:06 +0800 Subject: [PATCH] fix CVE-2021-3572 (cherry picked from commit d5e6980b8e4139aeef1a4f40c4d7761adfd5cb9d) --- backport-CVE-2021-3572.patch | 44 ++++++++++++++++++++++++++++++++++++ python-pip.spec | 7 +++++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2021-3572.patch diff --git a/backport-CVE-2021-3572.patch b/backport-CVE-2021-3572.patch new file mode 100644 index 0000000..0ece6a8 --- /dev/null +++ b/backport-CVE-2021-3572.patch @@ -0,0 +1,44 @@ +From ca832b2836e0bffa7cf95589acdcd71230f5834e Mon Sep 17 00:00:00 2001 +From: Pradyun Gedam +Date: Sat, 24 Apr 2021 10:13:15 +0100 +Subject: [PATCH] Don't split git references on unicode separators + +Reference:https://github.com/pypa/pip/commit/ca832b2836e0bffa7cf95589acdcd71230f5834e + +Previously, maliciously formatted tags could be used to hijack a +commit-based pin. Using the fact that the split here allowed for +all of unicode's whitespace characters as separators -- which git allows +as a part of a tag name -- it is possible to force a different revision +to be installed; if an attacker gains access to the repository. + +This change stops splitting the string on unicode characters, by forcing +the splits to happen on newlines and ASCII spaces. +--- + src/pip/_internal/vcs/git.py | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py +index a9c7fb6..b38625e 100644 +--- a/src/pip/_internal/vcs/git.py ++++ b/src/pip/_internal/vcs/git.py +@@ -142,9 +142,15 @@ class Git(VersionControl): + pass + + refs = {} +- for line in output.strip().splitlines(): ++ # NOTE: We do not use splitlines here since that would split on other ++ # unicode separators, which can be maliciously used to install a ++ # different revision. ++ for line in output.strip().split("\n"): ++ line = line.rstrip("\r") ++ if not line: ++ continue + try: +- sha, ref = line.split() ++ sha, ref = line.split(" ", maxsplit=2) + except ValueError: + # Include the offending line to simplify troubleshooting if + # this error ever occurs. +-- +1.8.3.1 + diff --git a/python-pip.spec b/python-pip.spec index 340d09e..0ada0b9 100644 --- a/python-pip.spec +++ b/python-pip.spec @@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) Name: python-%{srcname} Version: 20.2.2 -Release: 1 +Release: 2 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org @@ -17,6 +17,8 @@ Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files.patch Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch +Patch6001: backport-CVE-2021-3572.patch + Source1: pip-allow-older-versions.patch %description %{_description} @@ -149,6 +151,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir} %{python_wheeldir}/%{python_wheelname} %changelog +* Sat Jul 24 2021 shixuantong - 20.2.2-2 +- fix CVE-2021-3572 + * Mon Aug 31 2020 wenzhanli - 20.2.2-1 - update to 20.2.2 -- Gitee