diff options
| author | Jiaying Song <jiaying.song.cn@windriver.com> | 2024-11-25 15:46:11 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-02 06:23:20 -0800 |
| commit | 53801adf752419eb84504f007af4fdbe0cd43ce1 (patch) | |
| tree | 11c9f1717a91fef5800d9d6b50a263ebff215ec2 /meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch | |
| parent | 4ec499266e90c103f8b764c4c998eb0302e11fc1 (diff) | |
| download | poky-53801adf752419eb84504f007af4fdbe0cd43ce1.tar.gz | |
python3-pip: fix CVE-2023-5752
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone" call
(ie "--config"). Controlling the Mercurial configuration can modify how
and which repository is installed. This vulnerability does not affect
users who aren't installing from Mercurial.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-5752
Upstream patches:
https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4
(From OE-Core rev: 862c0338fba06077a26c775b49f993eac63762c9)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch')
| -rw-r--r-- | meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch new file mode 100644 index 0000000000..ef66a59021 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Pradyun Gedam <pradyunsg@users.noreply.github.com> | ||
| 3 | Date: Sun, 1 Oct 2023 14:10:25 +0100 | ||
| 4 | Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg | ||
| 5 | |||
| 6 | This ensures that the resulting revision can not be misinterpreted as an | ||
| 7 | option. | ||
| 8 | |||
| 9 | Upstream-Status: Backport | ||
| 10 | [https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4] | ||
| 11 | |||
| 12 | CVE: CVE-2023-5752 | ||
| 13 | |||
| 14 | Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> | ||
| 15 | --- | ||
| 16 | src/pip/_internal/vcs/mercurial.py | 2 +- | ||
| 17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 18 | |||
| 19 | diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py | ||
| 20 | index 2a005e0..e440c12 100644 | ||
| 21 | --- a/src/pip/_internal/vcs/mercurial.py | ||
| 22 | +++ b/src/pip/_internal/vcs/mercurial.py | ||
| 23 | @@ -31,7 +31,7 @@ class Mercurial(VersionControl): | ||
| 24 | |||
| 25 | @staticmethod | ||
| 26 | def get_base_rev_args(rev: str) -> List[str]: | ||
| 27 | - return [rev] | ||
| 28 | + return [f"-r={rev}"] | ||
| 29 | |||
| 30 | def fetch_new( | ||
| 31 | self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int | ||
| 32 | -- | ||
| 33 | 2.25.1 | ||
| 34 | |||