diff --git a/backport-CVE-2018-20225.patch b/backport-CVE-2018-20225.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7c6320a8fbffcfa103434aae86d428b5ac9fc979
--- /dev/null
+++ b/backport-CVE-2018-20225.patch
@@ -0,0 +1,45 @@
+From 65cd205185b3795e671824df36a4309bca6b09ef Mon Sep 17 00:00:00 2001
+From: root
+Date: Fri, 9 Apr 2021 15:27:31 +0800
+Subject: [PATCH] huawei-add-risk-warning-in-extra-index-url-for-CVE-2018-20225
+
+---
+ src/pip/_internal/cli/cmdoptions.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pip/_internal/cli/cmdoptions.py b/src/pip/_internal/cli/cmdoptions.py
+index ed42c5f..4a4e36e 100644
+--- a/src/pip/_internal/cli/cmdoptions.py
++++ b/src/pip/_internal/cli/cmdoptions.py
+@@ -15,6 +15,7 @@ from __future__ import absolute_import
+ import os
+ import textwrap
+ import warnings
++import logging
+ from distutils.util import strtobool
+ from functools import partial
+ from optparse import SUPPRESS_HELP, Option, OptionGroup
+@@ -34,6 +35,7 @@ if MYPY_CHECK_RUNNING:
+ from optparse import OptionParser, Values
+ from pip._internal.cli.parser import ConfigOptionParser
+ 
++logger = logging.getLogger(__name__)
+ 
+ def raise_option_error(parser, option, msg):
+ # type: (OptionParser, Option, str) -> None
+@@ -324,6 +326,12 @@ index_url = partial(
+ 
+ def extra_index_url():
+ # type: () -> Option
++ logger.warning(
++ "WARNING: When the --extra-index-url option is used, "
++ "the installation package is downloaded from an unverified URL. "
++ "Exercise caution when using this option."
++ )
++
+ return Option(
+ '--extra-index-url',
+ dest='extra_index_urls',
+-- 
+2.23.0
+
diff --git a/python-pip.spec b/python-pip.spec
index c007dae5c8f923f8f07ee18646b6d9bce6499f2c..613036af2a979394c0b256401a0d9068b0ffd2ea 100644
--- a/python-pip.spec
+++ b/python-pip.spec
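Review bot: The `logger.warning(...)` added at the top of `extra_index_url()` runs when the Option object is built, not when a user actually passes `--extra-index-url`, so every command that constructs this option logs the warning unconditionally (possibly before pip's logging is configured), which trains users to ignore it. The check belongs on the parsed value the option writes to `dest='extra_index_urls'`, e.g. `if options.extra_index_urls: logger.warning(...)` in the command that consumes it, or as an optparse `callback` on the Option itself. The message text should also name the real exposure behind CVE-2018-20225 — with an extra index, a package name that exists on both indexes can be satisfied from the extra one — rather than the vaguer "unverified URL", and the literal `WARNING:` prefix is likely duplicated if pip's log formatter already prefixes warning-level records. As a point of style, `import logging` is inserted after `import warnings` in the first inner hunk, breaking the sorted stdlib import group, and only one blank line separates the new module-level `logger` from `def raise_option_error`. The body of `extra_index_url()` continues outside the hunk.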
@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 20.2.2
-Release: 4
+Release: 5
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -18,6 +18,7 @@ Patch2: emit-a-warning-when-running-with-root-privileges.patch
 Patch3: remove-existing-dist-only-if-path-conflicts.patch
 Patch6000: dummy-certifi.patch
 Patch6001: backport-CVE-2021-3572.patch
+Patch6002: backport-CVE-2018-20225.patch
 Source1: pip-allow-older-versions.patch
@@ -155,6 +156,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 %changelog
+* Mon Jan 24 2022 tianwei - 20.2.2-5
+- fix CVE-2018-20225
+
 * Sat Aug 23 2021 shixuantong - 20.2.2-4
 - delete bounded certificate
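Review bot: The new `Patch6002: backport-CVE-2018-20225.patch` line registers a patch that only logs an advisory message when the `--extra-index-url` option is constructed and does not change how pip resolves packages across indexes, so the accompanying changelog entry `- fix CVE-2018-20225` overstates the change. A more accurate entry would be `- add risk warning for --extra-index-url (CVE-2018-20225)`, so downstream consumers do not treat this release as closing the issue. Whether Patch6002 is actually applied depends on the %prep section, which is outside these hunks.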