From c52f68f3ada04d0a3ca12bfdaa725997d880abbf Mon Sep 17 00:00:00 2001
From: xieyanlong
Date: Wed, 16 Jul 2025 11:13:55 +0800
Subject: [PATCH] Fix CVE-2024-47081
---
 backport-CVE-2024-47081.patch | 32 ++++++++++++++++++++++++++++++++
 python-pip.spec | 6 +++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-47081.patch
diff --git a/backport-CVE-2024-47081.patch b/backport-CVE-2024-47081.patch
new file mode 100644
index 0000000..a2e0a3e
--- /dev/null
+++ b/backport-CVE-2024-47081.patch
@@ -0,0 +1,32 @@
+From b24e7b1b56490851fd2245084cf4bf906a1011dc Mon Sep 17 00:00:00 2001
+From: xieyanlong
+Date: Wed, 16 Jul 2025 11:03:04 +0800
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+Change-Id: Ia4309c3e039351f1394d8e6b14096ba262771705
+---
+ src/pip/_vendor/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/src/pip/_vendor/requests/utils.py b/src/pip/_vendor/requests/utils.py
+index c1700d7..d6b27b9 100644
+--- a/src/pip/_vendor/requests/utils.py
++++ b/src/pip/_vendor/requests/utils.py
+@@ -192,13 +192,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+--
+2.33.0
+
diff --git a/python-pip.spec b/python-pip.spec
index 90ea5b0..be41f69 100644
--- a/python-pip.spec
+++ b/python-pip.spec
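Review bot: The new `host = ri.hostname` line in the nested utils.py hunk carries no comment saying why the netloc split it replaces was unsafe, which is exactly what a later vendored-requests refresh needs in order not to reintroduce it; I would add `# Use hostname, not netloc: netloc keeps userinfo and port, so a URL like "http://good.example:@evil.example/" used to look up good.example's .netrc entry and send it to evil.example (CVE-2024-47081).` directly above that line. One behaviour difference the hunk introduces silently is that `urlparse` lowercases `hostname` while the old `netloc.split` kept the case, so a `.netrc` `machine` entry written in mixed case will no longer match; that is the safer direction, but it deserves a line in the spec changelog rather than being discovered by users. The nested patch header records a Change-Id but not the upstream requests commit it mirrors, and citing it would make the backport auditable against the original fix. `get_netrc_auth` starts and ends outside the hunk, so the `try` block that consumes `host` is only partly visible here.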
@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 20.2.2
-Release: 9
+Release: 10
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -24,6 +24,7 @@ Patch6004: backport-fix-vulnerable-regex.patch
 Patch6005: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
 Patch6006: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
 Patch6007: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
+Patch6008: backport-CVE-2024-47081.patch
 Source1: pip-allow-older-versions.patch
@@ -161,6 +162,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 %changelog
+* Wed Jul 16 2025 xieyanlong - 20.2.2-10
+- Fix CVE-2024-47081
+
 * Sat Jul 13 2024 yangyuan - 20.2.2-9
 - Fix CVE-2023-45803 and CVE-2024-37891
-- Gitee