packages/python-pip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-3572

Browse Source
This commit is contained in:
shixuantong 2021-07-24 16:58:11 +08:00
parent 3e3b7c8d6f
commit cc0f93c801
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
backport-CVE-2021-3572.patch Normal file
View File

@ -0,0 +1,44 @@
From ca832b2836e0bffa7cf95589acdcd71230f5834e Mon Sep 17 00:00:00 2001
From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
Date: Sat, 24 Apr 2021 10:13:15 +0100
Subject: [PATCH] Don't split git references on unicode separators
Reference:https://github.com/pypa/pip/commit/ca832b2836e0bffa7cf95589acdcd71230f5834e
Previously, maliciously formatted tags could be used to hijack a
commit-based pin. Using the fact that the split here allowed for
all of unicode's whitespace characters as separators -- which git allows
as a part of a tag name -- it is possible to force a different revision
to be installed; if an attacker gains access to the repository.
This change stops splitting the string on unicode characters, by forcing
the splits to happen on newlines and ASCII spaces.
---
src/pip/_internal/vcs/git.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
index 1831aed..37be66c 100644
--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
@@ -143,9 +143,15 @@ class Git(VersionControl):
pass
refs = {}
- for line in output.strip().splitlines():
+ # NOTE: We do not use splitlines here since that would split on other
+ # unicode separators, which can be maliciously used to install a
+ # different revision.
+ for line in output.strip().split("\n"):
+ line = line.rstrip("\r")
+ if not line:
+ continue
try:
- sha, ref = line.split()
+ sha, ref = line.split(" ", maxsplit=2)
except ValueError:
# Include the offending line to simplify troubleshooting if
# this error ever occurs.
--
1.8.3.1

7
python-pip.spec
View File

@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
Name: python-%{srcname} Name: python-%{srcname}
Version: 20.3.3 Version: 20.3.3
Release: 1 Release: 2
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL: http://www.pip-installer.org URL: http://www.pip-installer.org
@ -16,6 +16,8 @@ Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files.patch
Patch2: emit-a-warning-when-running-with-root-privileges.patch Patch2: emit-a-warning-when-running-with-root-privileges.patch
Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch3: remove-existing-dist-only-if-path-conflicts.patch
Patch6000: dummy-certifi.patch Patch6000: dummy-certifi.patch
Patch6001: backport-CVE-2021-3572.patch
Source10: pip-allow-older-versions.patch Source10: pip-allow-older-versions.patch
%description %{_description} %description %{_description}
@ -113,6 +115,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
%{python_wheeldir}/%{python_wheelname} %{python_wheeldir}/%{python_wheelname}
%changelog %changelog
* Sat Jul 24 2021 shixuantong<shixuantong@huawei.com> - 20.3.3-2
- fix CVE-2021-3572
* Tue Feb 02 2021 shixuantong<shixuantong@huawei.com> - 20.3.3-1 * Tue Feb 02 2021 shixuantong<shixuantong@huawei.com> - 20.3.3-1
- upgrade version to 20.3.3 - upgrade version to 20.3.3