diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-06-20 10:20:09 +0530 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-06-24 23:57:45 +0100 |
| commit | 2ae3d4362871655e76f82de99cb48666aad40c41 (patch) | |
| tree | 1e20bc47ff0a461c4cdd4bac0a00e43c34e11c56 /meta/recipes-devtools/python | |
| parent | 5582ab6aae497fb03e6f0c5d5902ab13b70c5907 (diff) | |
| download | poky-2ae3d4362871655e76f82de99cb48666aad40c41.tar.gz | |
python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git references
Source: https://github.com/pypa/pip
MR: 113864
Type: Security Fix
Disposition: Backport from https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
ChangeID: 717948e217d6219d1f03afb4d984342d7dea4636
Description:
CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references.
(From OE-Core rev: 841a8fb5b6351f79a4d756232a544d1a6480c562)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
| -rw-r--r-- | meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch | 48 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python3-pip_20.0.2.bb | 1 |
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch new file mode 100644 index 0000000000..a38ab57bc6 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch | |||
| @@ -0,0 +1,48 @@ | |||
| 1 | From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 3 | Date: Thu, 16 Jun 2022 09:52:43 +0530 | ||
| 4 | Subject: [PATCH] CVE-2021-3572 | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b] | ||
| 7 | CVE: CVE-2021-3572 | ||
| 8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 9 | --- | ||
| 10 | news/9827.bugfix.rst | 3 +++ | ||
| 11 | src/pip/_internal/vcs/git.py | 10 ++++++++-- | ||
| 12 | 2 files changed, 11 insertions(+), 2 deletions(-) | ||
| 13 | create mode 100644 news/9827.bugfix.rst | ||
| 14 | |||
| 15 | diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst | ||
| 16 | new file mode 100644 | ||
| 17 | index 0000000..e0d27c3 | ||
| 18 | --- /dev/null | ||
| 19 | +++ b/news/9827.bugfix.rst | ||
| 20 | @@ -0,0 +1,3 @@ | ||
| 21 | +**SECURITY**: Stop splitting on unicode separators in git references, | ||
| 22 | +which could be maliciously used to install a different revision on the | ||
| 23 | +repository. | ||
| 24 | diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py | ||
| 25 | index 7483303..1b895f6 100644 | ||
| 26 | --- a/src/pip/_internal/vcs/git.py | ||
| 27 | +++ b/src/pip/_internal/vcs/git.py | ||
| 28 | @@ -137,9 +137,15 @@ class Git(VersionControl): | ||
| 29 | output = cls.run_command(['show-ref', rev], cwd=dest, | ||
| 30 | show_stdout=False, on_returncode='ignore') | ||
| 31 | refs = {} | ||
| 32 | - for line in output.strip().splitlines(): | ||
| 33 | + # NOTE: We do not use splitlines here since that would split on other | ||
| 34 | + # unicode separators, which can be maliciously used to install a | ||
| 35 | + # different revision. | ||
| 36 | + for line in output.strip().split("\n"): | ||
| 37 | + line = line.rstrip("\r") | ||
| 38 | + if not line: | ||
| 39 | + continue | ||
| 40 | try: | ||
| 41 | - sha, ref = line.split() | ||
| 42 | + ref_sha, ref_name = line.split(" ", maxsplit=2) | ||
| 43 | except ValueError: | ||
| 44 | # Include the offending line to simplify troubleshooting if | ||
| 45 | # this error ever occurs. | ||
| 46 | -- | ||
| 47 | 2.25.1 | ||
| 48 | |||
diff --git a/meta/recipes-devtools/python/python3-pip_20.0.2.bb b/meta/recipes-devtools/python/python3-pip_20.0.2.bb index 08738fb2f9..e24c6f4477 100644 --- a/meta/recipes-devtools/python/python3-pip_20.0.2.bb +++ b/meta/recipes-devtools/python/python3-pip_20.0.2.bb | |||
| @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e" | |||
| 6 | 6 | ||
| 7 | DEPENDS += "python3 python3-setuptools-native" | 7 | DEPENDS += "python3 python3-setuptools-native" |
| 8 | 8 | ||
| 9 | SRC_URI = "file://CVE-2021-3572.patch " | ||
| 9 | SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86" | 10 | SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86" |
| 10 | SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" | 11 | SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" |
| 11 | 12 | ||
