1 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch b/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch
new file mode 100644
index 0000000000..f85353668a
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch
@@ -0,0 +1,40 @@
+From 25c1b92b1add0b81afe2fc6f9e82f66738a2d800 Mon Sep 17 00:00:00 2001
+From: Trevor Gamblin <trevor.gamblin@windriver.com>
+Date: Thu, 22 Jul 2021 09:57:53 -0400
+Subject: [PATCH] Don't split git references on unicode separators
+Upstream-Status: Backport 
+(https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b)
+CVE: CVE-2021-3572
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303a9..d706064e7 100644
+--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+         output = cls.run_command(['show-ref', rev], cwd=dest,
+                                  show_stdout=False, on_returncode='ignore')
+         refs = {}
+-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
+             try:
+-                sha, ref = line.split()
+                sha, ref = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
+-- 
+2.31.1

diff --git a/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch b/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch new file mode 100644 index 0000000000..f85353668a --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch
@@ -0,0 +1,40 @@
	1	From 25c1b92b1add0b81afe2fc6f9e82f66738a2d800 Mon Sep 17 00:00:00 2001
	2	From: Trevor Gamblin <trevor.gamblin@windriver.com>
	3	Date: Thu, 22 Jul 2021 09:57:53 -0400
	4	Subject: [PATCH] Don't split git references on unicode separators
	5
	6	Upstream-Status: Backport
	7	(https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b)
	8
	9	CVE: CVE-2021-3572
	10
	11	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
	12	---
	13	src/pip/_internal/vcs/git.py \| 10 ++++++++--
	14	1 file changed, 8 insertions(+), 2 deletions(-)
	15
	16	diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
	17	index 7483303a9..d706064e7 100644
	18	--- a/src/pip/_internal/vcs/git.py
	19	+++ b/src/pip/_internal/vcs/git.py
	20	@@ -137,9 +137,15 @@ class Git(VersionControl):
	21	output = cls.run_command(['show-ref', rev], cwd=dest,
	22	show_stdout=False, on_returncode='ignore')
	23	refs = {}
	24	- for line in output.strip().splitlines():
	25	+ # NOTE: We do not use splitlines here since that would split on other
	26	+ # unicode separators, which can be maliciously used to install a
	27	+ # different revision.
	28	+ for line in output.strip().split("\n"):
	29	+ line = line.rstrip("\r")
	30	+ if not line:
	31	+ continue
	32	try:
	33	- sha, ref = line.split()
	34	+ sha, ref = line.split(" ", maxsplit=2)
	35	except ValueError:
	36	# Include the offending line to simplify troubleshooting if
	37	# this error ever occurs.
	38	--
	39	2.31.1
	40