1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
new file mode 100644
index 0000000000..a38ab57bc6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
+From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 09:52:43 +0530
+Subject: [PATCH] CVE-2021-3572
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
+CVE: CVE-2021-3572
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ news/9827.bugfix.rst         |  3 +++
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 news/9827.bugfix.rst
+diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
+new file mode 100644
+index 0000000..e0d27c3
+--- /dev/null
+++ b/news/9827.bugfix.rst
+@@ -0,0 +1,3 @@
+**SECURITY**: Stop splitting on unicode separators in git references,
+which could be maliciously used to install a different revision on the
+repository.
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..1b895f6 100644
+--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+         output = cls.run_command(['show-ref', rev], cwd=dest,
+                                  show_stdout=False, on_returncode='ignore')
+         refs = {}
+-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
+             try:
+-                sha, ref = line.split()
+                ref_sha, ref_name = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch new file mode 100644 index 0000000000..a38ab57bc6 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
	1	From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Thu, 16 Jun 2022 09:52:43 +0530
	4	Subject: [PATCH] CVE-2021-3572
	5
	6	Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
	7	CVE: CVE-2021-3572
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9	---
	10	news/9827.bugfix.rst \| 3 +++
	11	src/pip/_internal/vcs/git.py \| 10 ++++++++--
	12	2 files changed, 11 insertions(+), 2 deletions(-)
	13	create mode 100644 news/9827.bugfix.rst
	14
	15	diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
	16	new file mode 100644
	17	index 0000000..e0d27c3
	18	--- /dev/null
	19	+++ b/news/9827.bugfix.rst
	20	@@ -0,0 +1,3 @@
	21	+SECURITY: Stop splitting on unicode separators in git references,
	22	+which could be maliciously used to install a different revision on the
	23	+repository.
	24	diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
	25	index 7483303..1b895f6 100644
	26	--- a/src/pip/_internal/vcs/git.py
	27	+++ b/src/pip/_internal/vcs/git.py
	28	@@ -137,9 +137,15 @@ class Git(VersionControl):
	29	output = cls.run_command(['show-ref', rev], cwd=dest,
	30	show_stdout=False, on_returncode='ignore')
	31	refs = {}
	32	- for line in output.strip().splitlines():
	33	+ # NOTE: We do not use splitlines here since that would split on other
	34	+ # unicode separators, which can be maliciously used to install a
	35	+ # different revision.
	36	+ for line in output.strip().split("\n"):
	37	+ line = line.rstrip("\r")
	38	+ if not line:
	39	+ continue
	40	try:
	41	- sha, ref = line.split()
	42	+ ref_sha, ref_name = line.split(" ", maxsplit=2)
	43	except ValueError:
	44	# Include the offending line to simplify troubleshooting if
	45	# this error ever occurs.
	46	--
	47	2.25.1
	48