author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-06-20 10:20:09 +0530 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-06-24 23:57:45 +0100 |
commit | 2ae3d4362871655e76f82de99cb48666aad40c41 (patch) | |
tree | 1e20bc47ff0a461c4cdd4bac0a00e43c34e11c56 /meta/recipes-devtools | |
parent | 5582ab6aae497fb03e6f0c5d5902ab13b70c5907 (diff) | |
download | poky-2ae3d4362871655e76f82de99cb48666aad40c41.tar.gz |
python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git references
Source: https://github.com/pypa/pip
MR: 113864
Type: Security Fix
Disposition: Backport from https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
ChangeID: 717948e217d6219d1f03afb4d984342d7dea4636
Description:
CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references.
(From OE-Core rev: 841a8fb5b6351f79a4d756232a544d1a6480c562)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch | 48 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3-pip_20.0.2.bb | 1 |
2 files changed, 49 insertions, 0 deletions
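--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
+From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 09:52:43 +0530
+Subject: [PATCH] CVE-2021-3572
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
+CVE: CVE-2021-3572
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+news/9827.bugfix.rst | 3 +++
+src/pip/_internal/vcs/git.py | 10 ++++++++--
+2 files changed, 11 insertions(+), 2 deletions(-)
+create mode 100644 news/9827.bugfix.rst
+
+diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
+new file mode 100644
+index 0000000..e0d27c3
+--- /dev/null
++++ b/news/9827.bugfix.rst
+@@ -0,0 +1,3 @@
++**SECURITY**: Stop splitting on unicode separators in git references,
++which could be maliciously used to install a different revision on the
++repository.
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..1b895f6 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+output = cls.run_command(['show-ref', rev], cwd=dest,
+show_stdout=False, on_returncode='ignore')
+refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+try:
+- sha, ref = line.split()
++ ref_sha, ref_name = line.split(" ", maxsplit=2)
+except ValueError:
+# Include the offending line to simplify troubleshooting if
+# this error ever occurs.
+--
+2.25.1
+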
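Review bot: The git.py hunk inside this patch renames the unpacked variables to `ref_sha`/`ref_name` but stops at the `# this error ever occurs.` comment, and its counts (`@@ -137,9 +137,15 @@`: 9 old lines, 15 new) show that the statement after the `except` block which stores the pair into `refs` is not part of the backport. If that statement still uses the old names `sha` and `ref`, as the removed `sha, ref = line.split()` line implies, the loop raises NameError on the first successfully split line, so the fix would break ref resolution rather than harden it. Upstream commit e46bdda also rewrites that store; the backport should carry the corresponding change, `refs[ref_name] = ref_sha`, either by extending this hunk's trailing context or as a second hunk. The enclosing method continues outside the hunk, so this cannot be confirmed from the page alone.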
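--- a/meta/recipes-devtools/python/python3-pip_20.0.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_20.0.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e"
 
 DEPENDS += "python3 python3-setuptools-native"
 
+SRC_URI = "file://CVE-2021-3572.patch "
 SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86"
 SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"
 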
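Review bot: The added `SRC_URI = "file://CVE-2021-3572.patch "` line uses plain assignment and leaves a trailing space inside the quotes; the conventional form for adding a patch to a recipe is `SRC_URI += "file://CVE-2021-3572.patch"`. Whether `=` is harmless here depends on where `inherit pypi` sits relative to this line, which is outside the hunk: if the class's tarball URL were appended before this point, the assignment would discard it. Using `+=` removes that ordering dependency and matches the `DEPENDS +=` line two lines above.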