From 2ae3d4362871655e76f82de99cb48666aad40c41 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati Date: Mon, 20 Jun 2022 10:20:09 +0530 Subject: python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git references Source: https://github.com/pypa/pip MR: 113864 Type: Security Fix Disposition: Backport from https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b ChangeID: 717948e217d6219d1f03afb4d984342d7dea4636 Description: CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references. (From OE-Core rev: 841a8fb5b6351f79a4d756232a544d1a6480c562) Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- .../python/python3-pip/CVE-2021-3572.patch | 48 ++++++++++++++++++++++ meta/recipes-devtools/python/python3-pip_20.0.2.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch (limited to 'meta/recipes-devtools/python') diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch new file mode 100644 index 0000000000..a38ab57bc6 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch @@ -0,0 +1,48 @@ +From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 16 Jun 2022 09:52:43 +0530 +Subject: [PATCH] CVE-2021-3572 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b] +CVE: CVE-2021-3572 +Signed-off-by: Hitendra Prajapati +--- + news/9827.bugfix.rst | 3 +++ + src/pip/_internal/vcs/git.py | 10 ++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + create mode 100644 news/9827.bugfix.rst + +diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst +new file mode 100644 +index 0000000..e0d27c3 +--- /dev/null ++++ b/news/9827.bugfix.rst +@@ -0,0 +1,3 @@ ++**SECURITY**: Stop splitting on unicode separators in git references, ++which could be maliciously used to install a different revision on the ++repository. +diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py +index 7483303..1b895f6 100644 +--- a/src/pip/_internal/vcs/git.py ++++ b/src/pip/_internal/vcs/git.py +@@ -137,9 +137,15 @@ class Git(VersionControl): + output = cls.run_command(['show-ref', rev], cwd=dest, + show_stdout=False, on_returncode='ignore') + refs = {} +- for line in output.strip().splitlines(): ++ # NOTE: We do not use splitlines here since that would split on other ++ # unicode separators, which can be maliciously used to install a ++ # different revision. ++ for line in output.strip().split("\n"): ++ line = line.rstrip("\r") ++ if not line: ++ continue + try: +- sha, ref = line.split() ++ ref_sha, ref_name = line.split(" ", maxsplit=2) + except ValueError: + # Include the offending line to simplify troubleshooting if + # this error ever occurs. +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-pip_20.0.2.bb b/meta/recipes-devtools/python/python3-pip_20.0.2.bb index 08738fb2f9..e24c6f4477 100644 --- a/meta/recipes-devtools/python/python3-pip_20.0.2.bb +++ b/meta/recipes-devtools/python/python3-pip_20.0.2.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e" DEPENDS += "python3 python3-setuptools-native" +SRC_URI = "file://CVE-2021-3572.patch " SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86" SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" -- cgit v1.2.3-54-g00ecf