Diffstat (limited to 'meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch | 48 |
1 files changed, 48 insertions, 0 deletions
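diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
new file mode 100644
index 0000000000..a38ab57bc6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
+From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 09:52:43 +0530
+Subject: [PATCH] CVE-2021-3572
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
+CVE: CVE-2021-3572
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+news/9827.bugfix.rst | 3 +++
+src/pip/_internal/vcs/git.py | 10 ++++++++--
+2 files changed, 11 insertions(+), 2 deletions(-)
+create mode 100644 news/9827.bugfix.rst
+
+diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
+new file mode 100644
+index 0000000..e0d27c3
+--- /dev/null
++++ b/news/9827.bugfix.rst
+@@ -0,0 +1,3 @@
++**SECURITY**: Stop splitting on unicode separators in git references,
++which could be maliciously used to install a different revision on the
++repository.
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..1b895f6 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+output = cls.run_command(['show-ref', rev], cwd=dest,
+show_stdout=False, on_returncode='ignore')
+refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+try:
+- sha, ref = line.split()
++ ref_sha, ref_name = line.split(" ", maxsplit=2)
+except ValueError:
+# Include the offending line to simplify troubleshooting if
+# this error ever occurs.
+--
+2.25.1
+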