powerel9
/
python-pip
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

update python3-pip version 

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 3 months ago
parent
0bc07301d6
commit
dab7f1d119
2 changed files with 102 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 78
      SOURCES/cve-2007-4559-tarfile.patch
  2. 27
      SPECS/python-pip.spec

78
SOURCES/cve-2007-4559-tarfile.patch
Unescape View File

@ -0,0 +1,78 @@
Minimal patch for pip

diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py
--- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100
+++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200
@@ -184,6 +184,13 @@
"outside target directory ({})"
)
raise InstallationError(message.format(filename, path, location))
+
+ # Call the `data` filter for its side effect (raising exception)
+ try:
+ tarfile.data_filter(member.replace(name=fn), location)
+ except tarfile.LinkOutsideDestinationError:
+ pass
+
if member.isdir():
ensure_dir(path)
elif member.issym():


Test from https://github.com/pypa/pip/pull/12214

diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py
--- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100
+++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200
@@ -167,6 +167,23 @@
test_tar = self.make_tar_file('test_tar.tar', files)
untar_file(test_tar, self.tempdir)
+ def test_unpack_tar_filter(self) -> None:
+ """
+ Test that the tarfile.data_filter is used to disallow dangerous
+ behaviour (PEP-721)
+ """
+ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar")
+ with tarfile.open(test_tar, "w") as mytar:
+ file_tarinfo = tarfile.TarInfo("bad-link")
+ file_tarinfo.type = tarfile.SYMTYPE
+ file_tarinfo.linkname = "../../../../pwn"
+ mytar.addfile(file_tarinfo, io.BytesIO(b""))
+ with pytest.raises(InstallationError) as e:
+ untar_file(test_tar, self.tempdir)
+
+ assert "is outside the destination" in str(e.value)
+
+
def test_unpack_tar_unicode(tmpdir):
test_tar = tmpdir / "test.tar"


Patch for vendored distlib from https://github.com/pypa/distlib/pull/201

diff --git a/distlib/util.py b/distlib/util.py
index e0622e4..4349d0b 100644
--- a/src/pip/_vendor/distlib/util.py
+++ b/src/pip/_vendor/distlib/util.py
@@ -1249,6 +1249,19 @@ def check_path(path):
for tarinfo in archive.getmembers():
if not isinstance(tarinfo.name, text_type):
tarinfo.name = tarinfo.name.decode('utf-8')
+
+ # Limit extraction of dangerous items, if this Python
+ # allows it easily. If not, just trust the input.
+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
+ def extraction_filter(member, path):
+ """Run tarfile.tar_fillter, but raise the expected ValueError"""
+ # This is only called if the current Python has tarfile filters
+ try:
+ return tarfile.tar_filter(member, path)
+ except tarfile.FilterError as exc:
+ raise ValueError(str(exc))
+ archive.extraction_filter = extraction_filter
+
archive.extractall(dest_dir)
finally:

27
SPECS/python-pip.spec
Unescape View File

@ -21,7 +21,7 @@


Name: python-%{srcname} Name: python-%{srcname}
Version: %{base_version}%{?prerel:~%{prerel}} Version: %{base_version}%{?prerel:~%{prerel}}
Release: 6%{?dist} Release: 8%{?dist}
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages


# We bundle a lot of libraries with pip, which itself is under MIT license. # We bundle a lot of libraries with pip, which itself is under MIT license.
@ -85,6 +85,14 @@ Patch5: nowarn-pip._internal.main.patch
# Upstream issue: https://github.com/pypa/packaging/issues/368 # Upstream issue: https://github.com/pypa/packaging/issues/368
Patch6: no-version-warning.patch Patch6: no-version-warning.patch


# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting
# - Minimal downstream-only patch, to be replaced by upstream solution
# proposed in https://github.com/pypa/pip/pull/12214
# - Test patch submitted upstream in the above pull request
# - Patch for vendored distlib, accepted upstream:
# https://github.com/pypa/distlib/pull/201
Patch7: cve-2007-4559-tarfile.patch

# Downstream only patch # Downstream only patch
# Users might have local installations of pip from using # Users might have local installations of pip from using
# `pip install --user --upgrade pip` on older/newer versions. # `pip install --user --upgrade pip` on older/newer versions.
@ -188,6 +196,10 @@ BuildRequires: python%{python3_pkgversion}-wheel
BuildRequires: ca-certificates BuildRequires: ca-certificates
Requires: ca-certificates Requires: ca-certificates


# pip has to require explicit version of python3 that provides
# filters in tarfile module (fix for CVE-2007-4559).
Requires: python3 >= 3.9.17-2

# This was previously required and we keep it recommended because a lot of # This was previously required and we keep it recommended because a lot of
# sdists installed via pip will try to import setuptools. # sdists installed via pip will try to import setuptools.
# But pip doesn't actually require setuptools. # But pip doesn't actually require setuptools.
@ -233,10 +245,11 @@ Requires: ca-certificates
Provides: %{name}-wheel = %{version}-%{release} Provides: %{name}-wheel = %{version}-%{release}
Obsoletes: %{name}-wheel < %{version}-%{release} Obsoletes: %{name}-wheel < %{version}-%{release}


# Older versions of python3-libs expect Python wheels at the old unversioned # Older versions of python3-libs (< 3.9.9-2) expect Python wheels at the old unversioned
# location, so we conflict with the old Python versions that wouldn't work with # location, so we conflict with the old Python versions that wouldn't work with
# the new wheel location. # the new wheel location.
Conflicts: python3-libs < 3.9.9-2 # Moreover, Python older than (3.9.16-2) does not provide tarfile filters (fix for CVE-2007-4559).
Conflicts: python3-libs < 3.9.17-2


# Virtual provides for the packages bundled by pip: # Virtual provides for the packages bundled by pip:
%{bundled 3} %{bundled 3}
@ -403,6 +416,14 @@ pytest_k='not completion and
%{python_wheel_dir}/%{python_wheel_name} %{python_wheel_dir}/%{python_wheel_name}


%changelog %changelog
* Wed Feb 14 2024 Lumír Balhar <lbalhar@redhat.com> - 21.2.3-8
- Require Python with tarfile filters
Resolves: RHEL-25451

* Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 21.2.3-7
- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706)
Resolves: RHBZ#2207997

* Thu Feb 03 2022 Tomas Orsava <torsava@redhat.com> - 21.2.3-6 * Thu Feb 03 2022 Tomas Orsava <torsava@redhat.com> - 21.2.3-6
- Add automatically generated Obsoletes tag with the python39- prefix - Add automatically generated Obsoletes tag with the python39- prefix
for smoother upgrade from RHEL8 for smoother upgrade from RHEL8

Write Preview
Loading…
Cancel
Save