From be2232653c9341a3daf0f637f75c01c3b5962568 Mon Sep 17 00:00:00 2001
From: xieyanlong
Date: Wed, 16 Jul 2025 13:16:29 +0800
Subject: [PATCH] Fix CVE-2024-47081
---
 backport-CVE-2024-47081.patch | 32 ++++++++++++++++++++++++++++++++
 python-pip.spec | 6 +++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-47081.patch
diff --git a/backport-CVE-2024-47081.patch b/backport-CVE-2024-47081.patch
new file mode 100644
index 0000000..48c89a2
--- /dev/null
+++ b/backport-CVE-2024-47081.patch
@@ -0,0 +1,32 @@
+From 20f6e924c799462f7a43ac5d098a164fd8d2326b Mon Sep 17 00:00:00 2001
+From: xieyanlong
+Date: Wed, 16 Jul 2025 11:50:01 +0800
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+Change-Id: If5f8914007e6892ed97c2d0100d099e91c3c594b
+---
+ src/pip/_vendor/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/src/pip/_vendor/requests/utils.py b/src/pip/_vendor/requests/utils.py
+index fcb9966..abffd5b 100644
+--- a/src/pip/_vendor/requests/utils.py
++++ b/src/pip/_vendor/requests/utils.py
+@@ -204,13 +204,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+--
+2.33.0
+
diff --git a/python-pip.spec b/python-pip.spec
index 519094b..01454ec 100644
--- a/python-pip.spec
+++ b/python-pip.spec
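Review bot: The new line `+ host = ri.hostname` discards the explanatory comment together with the old code, so a reader of the vendored utils.py is left with no record of why netloc must not be split on ':' here; I would keep a short comment above it stating that for a URL such as `http://trusted.example:@evil.example/` the netloc is `trusted.example:@evil.example`, so the old `split(':')[0]` resolved trusted.example's .netrc credentials for a request that presumably went to evil.example, whereas `urlparse().hostname` discards both userinfo and port (CVE-2024-47081). Two behavioural side effects of `.hostname` deserve a mention in that comment or the changelog: it lowercases the host, so a `.netrc` machine entry written with uppercase letters will no longer match, and it is `None` for a URL with no netloc, which the `netrc.authenticators(host)` call on the next line appears to receive unchanged. The backport ships no regression test; an assertion that `get_netrc_auth('http://trusted.example:@evil.example/')` returns nothing when the .netrc only knows trusted.example would pin the fix. The enclosing `get_netrc_auth` begins and ends outside this hunk.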
@@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 21.3.1
-Release: 8
+Release: 9
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -26,6 +26,7 @@ Patch6006: backport-0005-CVE-2024-3651.patch
 Patch6007: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
 Patch6008: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
 Patch6009: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
+Patch6010: backport-CVE-2024-47081.patch
 Source10: pip-allow-older-versions.patch
@@ -135,6 +136,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
 %{python_wheeldir}/%{python_wheelname}
 %changelog
+* Wed Jul 16 2025 xieyanlong - 21.3.1-9
+- Fix CVE-2024-47081
+
 * Sat Jul 13 2024 yangyuan - 21.3.1-8
 - Fix CVE-2023-45803 and CVE-2024-37891
-- Gitee