diff --git a/backport-CVE-2020-14422.patch b/backport-CVE-2020-14422.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a145e87ba9d46b3f11e9d75ada0797d58e0454d6
--- /dev/null
+++ b/backport-CVE-2020-14422.patch
@@ -0,0 +1,43 @@
+From b30ee26e366bf509b7538d79bfec6c6d38d53f28 Mon Sep 17 00:00:00 2001
+From: Ravi Teja P
+Date: Mon, 29 Jun 2020 23:09:29 +0530
+Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
+ IPv6Interface (GH-21033)
+
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+
+Reference:https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28
+Conflict:NA
+
+---
+ src/pip/_vendor/ipaddress.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_vendor/ipaddress.py b/src/pip/_vendor/ipaddress.py
+index 3e6f9e499..19dfc4cdb 100644
+--- a/src/pip/_vendor/ipaddress.py
++++ b/src/pip/_vendor/ipaddress.py
+@@ -1536,7 +1536,7 @@ class IPv4Interface(IPv4Address):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+@@ -2229,7 +2229,7 @@ class IPv6Interface(IPv6Address):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+--
+2.21.0
+
diff --git a/python-pip.spec b/python-pip.spec
index 16b17f77be35649df1b6a481cd871132d2bd02d4..8724b91ef8b6f1643f15e3789e76604e158765c6 100644
--- a/python-pip.spec
+++ b/python-pip.spec
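Review bot: In backport-CVE-2020-14422.patch the fix to both `__hash__` methods in `src/pip/_vendor/ipaddress.py` ships without any regression check, so a later re-vendoring or patch reordering could silently bring back the constant-hash behaviour the patch description mentions. A smoke assertion run at build time would pin it, for example `assert hash(IPv4Interface(u'192.0.2.1')) != hash(IPv4Interface(u'192.0.2.2'))`, plus the same for `IPv6Interface` with two host addresses. The header's `Conflict:NA` also looks incomplete: the Reference points at a CPython commit while this diff targets pip's vendored copy, so the path was presumably adapted and any upstream test changes dropped; I would record that, e.g. `Conflict:applied to pip's vendored ipaddress.py only`. Both class bodies start and end outside the inner hunks, so the matching `__eq__` logic could not be checked here.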
@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 20.2.2
-Release: 5
+Release: 6
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -19,6 +19,7 @@ Patch3: remove-existing-dist-only-if-path-conflicts.patch
 Patch6000: dummy-certifi.patch
 Patch6001: backport-CVE-2021-3572.patch
 Patch6002: backport-CVE-2021-33503.patch
+Patch6003: backport-CVE-2020-14422.patch
 Source1: pip-allow-older-versions.patch
@@ -156,6 +157,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 %changelog
+* Fri Sep 16 2022 yanglongkang - 20.2.2-6
+- fix CVE-2020-14422
+
 * Fri Sep 09 2022 renhongxun - 20.2.2-5
 - fix CVE-2021-33503