From dab7f1d119ba2b9044bb83de9114033e4774abfd Mon Sep 17 00:00:00 2001 From: Toshaan Bharvani Date: Fri, 16 Aug 2024 14:30:46 +0200 Subject: [PATCH] update python3-pip version Signed-off-by: Toshaan Bharvani --- SOURCES/cve-2007-4559-tarfile.patch | 78 +++++++++++++++++++++++++++++ SPECS/python-pip.spec | 27 ++++++++-- 2 files changed, 102 insertions(+), 3 deletions(-) create mode 100644 SOURCES/cve-2007-4559-tarfile.patch diff --git a/SOURCES/cve-2007-4559-tarfile.patch b/SOURCES/cve-2007-4559-tarfile.patch new file mode 100644 index 0000000..4a27a8b --- /dev/null +++ b/SOURCES/cve-2007-4559-tarfile.patch @@ -0,0 +1,78 @@ +Minimal patch for pip + +diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py +--- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 +@@ -184,6 +184,13 @@ + "outside target directory ({})" + ) + raise InstallationError(message.format(filename, path, location)) ++ ++ # Call the `data` filter for its side effect (raising exception) ++ try: ++ tarfile.data_filter(member.replace(name=fn), location) ++ except tarfile.LinkOutsideDestinationError: ++ pass ++ + if member.isdir(): + ensure_dir(path) + elif member.issym(): + + +Test from https://github.com/pypa/pip/pull/12214 + +diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py +--- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 +@@ -167,6 +167,23 @@ + test_tar = self.make_tar_file('test_tar.tar', files) + untar_file(test_tar, self.tempdir) + ++ def test_unpack_tar_filter(self) -> None: ++ """ ++ Test that the tarfile.data_filter is used to disallow dangerous ++ behaviour (PEP-721) ++ """ ++ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar") ++ with tarfile.open(test_tar, "w") as mytar: ++ file_tarinfo = tarfile.TarInfo("bad-link") ++ file_tarinfo.type = tarfile.SYMTYPE ++ file_tarinfo.linkname = "../../../../pwn" ++ mytar.addfile(file_tarinfo, io.BytesIO(b"")) ++ with pytest.raises(InstallationError) as e: ++ untar_file(test_tar, self.tempdir) ++ ++ assert "is outside the destination" in str(e.value) ++ ++ + + def test_unpack_tar_unicode(tmpdir): + test_tar = tmpdir / "test.tar" + + +Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 + +diff --git a/distlib/util.py b/distlib/util.py +index e0622e4..4349d0b 100644 +--- a/src/pip/_vendor/distlib/util.py ++++ b/src/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def check_path(path): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec index f3dbe55..c458aa1 100644 --- a/SPECS/python-pip.spec +++ b/SPECS/python-pip.spec @@ -21,7 +21,7 @@ Name: python-%{srcname} Version: %{base_version}%{?prerel:~%{prerel}} -Release: 6%{?dist} +Release: 8%{?dist} Summary: A tool for installing and managing Python packages # We bundle a lot of libraries with pip, which itself is under MIT license. @@ -85,6 +85,14 @@ Patch5: nowarn-pip._internal.main.patch # Upstream issue: https://github.com/pypa/packaging/issues/368 Patch6: no-version-warning.patch +# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting +# - Minimal downstream-only patch, to be replaced by upstream solution +# proposed in https://github.com/pypa/pip/pull/12214 +# - Test patch submitted upstream in the above pull request +# - Patch for vendored distlib, accepted upstream: +# https://github.com/pypa/distlib/pull/201 +Patch7: cve-2007-4559-tarfile.patch + # Downstream only patch # Users might have local installations of pip from using # `pip install --user --upgrade pip` on older/newer versions. @@ -188,6 +196,10 @@ BuildRequires: python%{python3_pkgversion}-wheel BuildRequires: ca-certificates Requires: ca-certificates +# pip has to require explicit version of python3 that provides +# filters in tarfile module (fix for CVE-2007-4559). +Requires: python3 >= 3.9.17-2 + # This was previously required and we keep it recommended because a lot of # sdists installed via pip will try to import setuptools. # But pip doesn't actually require setuptools. @@ -233,10 +245,11 @@ Requires: ca-certificates Provides: %{name}-wheel = %{version}-%{release} Obsoletes: %{name}-wheel < %{version}-%{release} -# Older versions of python3-libs expect Python wheels at the old unversioned +# Older versions of python3-libs (< 3.9.9-2) expect Python wheels at the old unversioned # location, so we conflict with the old Python versions that wouldn't work with # the new wheel location. -Conflicts: python3-libs < 3.9.9-2 +# Moreover, Python older than (3.9.16-2) does not provide tarfile filters (fix for CVE-2007-4559). +Conflicts: python3-libs < 3.9.17-2 # Virtual provides for the packages bundled by pip: %{bundled 3} @@ -403,6 +416,14 @@ pytest_k='not completion and %{python_wheel_dir}/%{python_wheel_name} %changelog +* Wed Feb 14 2024 Lumír Balhar - 21.2.3-8 +- Require Python with tarfile filters +Resolves: RHEL-25451 + +* Tue Aug 08 2023 Petr Viktorin - 21.2.3-7 +- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) +Resolves: RHBZ#2207997 + * Thu Feb 03 2022 Tomas Orsava - 21.2.3-6 - Add automatically generated Obsoletes tag with the python39- prefix for smoother upgrade from RHEL8