From a746b823862221f78122a11b4920cb859510391f Mon Sep 17 00:00:00 2001
From: rwx403335
Date: Fri, 9 Sep 2022 16:53:15 +0800
Subject: [PATCH] fix CVE-2021-33503

---
 backport-CVE-2021-33503.patch | 42 +++++++++++++++++++++++++++++++++++
 python-pip.spec | 6 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-33503.patch

diff --git a/backport-CVE-2021-33503.patch b/backport-CVE-2021-33503.patch
new file mode 100644
index 0000000..d2f91ea
--- /dev/null
+++ b/backport-CVE-2021-33503.patch
@@ -0,0 +1,42 @@
+From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Wed, 26 May 2021 10:43:12 -0500
+Subject: [PATCH] Improve performance of sub-authority splitting in URL
+
+---
+ src/pip/_vendor/urllib3/util/url.py | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/url.py b/src/pip/_vendor/urllib3/util/url.py
+index 6ff238f..81a03da 100644
+--- a/src/pip/_vendor/urllib3/util/url.py
++++ b/src/pip/_vendor/urllib3/util/url.py
+@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+ 
+-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+     REG_NAME_PAT,
+     IPV4_PAT,
+     IPV6_ADDRZ_PAT,
+ )
+-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
+ 
+ UNRESERVED_CHARS = set(
+     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
+@@ -365,7 +365,9 @@ def parse_url(url):
+     scheme = scheme.lower()
+ 
+     if authority:
+-        auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
++        auth, _, host_port = authority.rpartition("@")
++        auth = auth or None
++        host, port = _HOST_PORT_RE.match(host_port).groups()
+     if auth and normalize_uri:
+         auth = _encode_invalid_chars(auth, USERINFO_CHARS)
+     if port == "":
+-- 
+1.8.3.1
+
diff --git a/python-pip.spec b/python-pip.spec
index c007dae..16b17f7 100644
--- a/python-pip.spec
+++ b/python-pip.spec
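Review bot: The backport carries only the source change to `src/pip/_vendor/urllib3/util/url.py` (the embedded diffstat lists a single file), so nothing in the build exercises the pathological input the CVE describes; a bounded smoke check in %check such as `timeout 10 python3 -c "from pip._vendor.urllib3.util.url import parse_url; parse_url('http://' + '@' * 200000 + 'x')"` would catch both a regression and a patch that failed to apply. On the new parse_url lines, `_HOST_PORT_RE.match(host_port)` returns None when the remaining text matches none of the three host alternatives and `.groups()` then raises AttributeError; upstream parse_url converts that to LocationParseError through an `except (ValueError, AttributeError)` wrapper, but that wrapper is outside this hunk and should be confirmed present in the pip 20.2.2 vendored copy. `auth = auth or None` also changes a leading-`@` authority such as `"@host"` from auth `""` under the old regex to `None`, which is harmless for the `if auth and normalize_uri:` test that follows but deserves a one-line comment like `# rpartition splits at the last "@" exactly as the old greedy (.*)@ did, without the backtracking`. The patch header names only the upstream commit id; adding the CVE id and the upstream URL as a reference line keeps the backport traceable for the next rebase. parse_url begins and ends outside the hunk.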
@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 20.2.2
-Release: 4
+Release: 5
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -18,6 +18,7 @@ Patch2: emit-a-warning-when-running-with-root-privileges.patch
 Patch3: remove-existing-dist-only-if-path-conflicts.patch
 Patch6000: dummy-certifi.patch
 Patch6001: backport-CVE-2021-3572.patch
+Patch6002: backport-CVE-2021-33503.patch
 
 Source1: pip-allow-older-versions.patch
 
@@ -155,6 +156,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Fri Sep 09 2022 renhongxun - 20.2.2-5
+- fix CVE-2021-33503
+
 * Sat Aug 23 2021 shixuantong - 20.2.2-4
 - delete bounded certificate
-- 
Gitee
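Review bot: `Patch6002: backport-CVE-2021-33503.patch` is declared in the header hunk, but the %prep section that applies it is outside this diff; if %prep uses explicit `%patchN` lines rather than `%autosetup`, a matching `%patch6002 -p1` is required, and the nested patch's `a/src/pip/_vendor/...` paths need `-p1` either way. The changelog line `- fix CVE-2021-33503` could also name the upstream urllib3 commit (2d4a3fee) so a future rebase to a pip that vendors urllib3 >= 1.26.5 can tell the backport is obsolete. This change only patches pip's vendored urllib3 copy; whether the separately packaged python3-urllib3 carries the same fix is not visible here and should be checked on its own.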