From 8d1a15d20b13f0f9361dbbb6e5f5db15be4012fa Mon Sep 17 00:00:00 2001
From: Super User
Date: Sun, 20 Apr 2025 23:59:49 +0800
Subject: [PATCH] fix CVE-2024-35195 https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356
Signed-off-by: Super User
---
 backport-CVE-2024-35195.patch | 114 ++++++++++++++++++++++++++++++++++
 python-pip.spec | 6 +-
 2 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-35195.patch
diff --git a/backport-CVE-2024-35195.patch b/backport-CVE-2024-35195.patch
new file mode 100644
index 0000000..47afb95
--- /dev/null
+++ b/backport-CVE-2024-35195.patch
@@ -0,0 +1,114 @@ +From c0813a2d910ea6b4f8438b91d315b8d181302356 Mon Sep 17 00:00:00 2001 +From: Ian Stapleton Cordasco +Date: Sun, 3 Mar 2024 07:00:49 -0600 +Subject: [PATCH] Use TLS settings in selecting connection pool + +Previously, if someone made a request with `verify=False` then made a +request where they expected verification to be enabled to the same host, +they would potentially reuse a connection where TLS had not been +verified. + +This fixes that issue. +--- + src/pip/_vendor/requests/adapters.py | 58 +++++++++++++++++++++++++++- + 1 file changed, 57 insertions(+), 1 deletion(-) + +diff --git a/src/pip/_vendor/requests/adapters.py b/src/pip/_vendor/requests/adapters.py +index 10c1767..bbe5814 100644 +--- a/src/pip/_vendor/requests/adapters.py ++++ b/src/pip/_vendor/requests/adapters.py +@@ -8,6 +8,7 @@ and maintain connections. + + import os.path + import socket # noqa: F401 ++import typing + + from pip._vendor.urllib3.exceptions import ClosedPoolError, ConnectTimeoutError + from pip._vendor.urllib3.exceptions import HTTPError as _HTTPError +@@ -61,12 +62,38 @@ except ImportError: + raise InvalidSchema("Missing dependencies for SOCKS support.") + + ++if typing.TYPE_CHECKING: ++ from .models import PreparedRequest ++ ++ + DEFAULT_POOLBLOCK = False + DEFAULT_POOLSIZE = 10 + DEFAULT_RETRIES = 0 + DEFAULT_POOL_TIMEOUT = None + + ++def _urllib3_request_context( ++ request: "PreparedRequest", verify: "bool | str | None" ++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])": ++ host_params = {} ++ pool_kwargs = {} ++ parsed_request_url = urlparse(request.url) ++ scheme = parsed_request_url.scheme.lower() ++ port = parsed_request_url.port ++ cert_reqs = "CERT_REQUIRED" ++ if verify is False: ++ cert_reqs = "CERT_NONE" ++ if isinstance(verify, str): ++ pool_kwargs["ca_certs"] = verify ++ pool_kwargs["cert_reqs"] = cert_reqs ++ host_params = { ++ "scheme": scheme, ++ "host": parsed_request_url.hostname, ++ "port": port, ++ } ++ return 
host_params, pool_kwargs ++ ++ + class BaseAdapter: + """The Base Transport Adapter""" + +@@ -328,6 +355,35 @@ class HTTPAdapter(BaseAdapter): + + return response + ++ def _get_connection(self, request, verify, proxies=None): ++ # Replace the existing get_connection without breaking things and ++ # ensure that TLS settings are considered when we interact with ++ # urllib3 HTTP Pools ++ proxy = select_proxy(request.url, proxies) ++ try: ++ host_params, pool_kwargs = _urllib3_request_context(request, verify) ++ except ValueError as e: ++ raise InvalidURL(e, request=request) ++ if proxy: ++ proxy = prepend_scheme_if_needed(proxy, "http") ++ proxy_url = parse_url(proxy) ++ if not proxy_url.host: ++ raise InvalidProxyURL( ++ "Please check proxy URL. It is malformed " ++ "and could be missing the host." ++ ) ++ proxy_manager = self.proxy_manager_for(proxy) ++ conn = proxy_manager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ else: ++ # Only scheme should be lower case ++ conn = self.poolmanager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ ++ return conn ++ + def get_connection(self, url, proxies=None): + """Returns a urllib3 connection for the given URL. This should not be + called from user code, and is only exposed for use when subclassing the +@@ -451,7 +507,7 @@ class HTTPAdapter(BaseAdapter): + """ + + try: +- conn = self.get_connection(request.url, proxies) ++ conn = self._get_connection(request, verify, proxies) + except LocationValueError as e: + raise InvalidURL(e, request=request) + +-- +2.43.0 + diff --git a/python-pip.spec b/python-pip.spec index c1364c2..c74d98e 100644 --- a/python-pip.spec +++ b/python-pip.spec 
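Review bot: `_urllib3_request_context` treats every string `verify` as a CA *file* (`pool_kwargs["ca_certs"] = verify`), whereas `cert_verify` in this same file — not part of the hunk — splits a string `verify` into `ca_certs` vs `ca_cert_dir` with `os.path.isdir`, so a directory passed as `verify` now reaches the urllib3 pool as `ca_certs` and, as far as I recall of urllib3's SSL-context setup, fails when the pool opens its first HTTPS connection. `os.path` is already imported in this module, so keying the pool with the same split keeps both forms working: `key = "ca_cert_dir" if os.path.isdir(verify) else "ca_certs"` followed by `pool_kwargs[key] = verify`; if memory serves, upstream's follow-up releases after c0813a2d made exactly this change and also renamed `_get_connection` to a public `get_connection_with_tls_context`, which is worth picking up so overriders are not silently bypassed. A related gap with the same root cause as the CVE: only `verify` feeds the pool key, so the client certificate that `send` receives as `cert` is not part of it, and two requests to one host with different client certs can still share a pooled TLS connection; folding `cert` into `pool_kwargs` as `cert_file`/`key_file` closes that and matters for pip's `--client-cert` if that path is exercised here. `send` begins and ends outside this hunk, so I cannot confirm from the visible lines that `cert_verify(conn, …)` is still applied to the connection `_get_connection` returns.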
@@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) Name: python-%{srcname} Version: 23.3.1 -Release: 3 +Release: 4 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org @@ -19,6 +19,7 @@ Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.pa Patch6002: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch Source10: pip-allow-older-versions.patch +Patch6003: backport-CVE-2024-35195.patch %description %{_description} @@ -134,6 +135,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf %{python_wheeldir}/%{python_wheelname} %changelog +* Sun Apr 20 2025 zhangliangpengkun - 23.3.1-4 +- DESC:Fix CVE-2024-35195 + * Mon Mar 31 2025 Wenlong Zhang - 23.3.1-3 - change the index-url for loongarch64 -- Gitee
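Review bot: `Patch6003` is declared but no `%patch`/`%autosetup` line is part of this diff, so whether the backport is actually applied depends on the existing `%prep` section, which is not visible here; with `%autosetup -p1` the numbered patch is picked up automatically, otherwise an explicit `%patch -P 6003 -p1` is needed and the build would silently ship the unfixed vendored `adapters.py`. A cheap post-build check is `grep -n _get_connection` on the installed `pip/_vendor/requests/adapters.py`. The changelog line could also say what was fixed rather than only the CVE id, e.g. `- DESC:Fix CVE-2024-35195 (vendored requests: key urllib3 pools on TLS verify settings)`.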