diff options
Diffstat (limited to 'meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch new file mode 100644 index 0000000000..a38ab57bc6 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch @@ -0,0 +1,48 @@ +From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 16 Jun 2022 09:52:43 +0530 +Subject: [PATCH] CVE-2021-3572 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b] +CVE: CVE-2021-3572 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + news/9827.bugfix.rst | 3 +++ + src/pip/_internal/vcs/git.py | 10 ++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + create mode 100644 news/9827.bugfix.rst + +diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst +new file mode 100644 +index 0000000..e0d27c3 +--- /dev/null ++++ b/news/9827.bugfix.rst +@@ -0,0 +1,3 @@ ++**SECURITY**: Stop splitting on unicode separators in git references, ++which could be maliciously used to install a different revision on the ++repository. +diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py +index 7483303..1b895f6 100644 +--- a/src/pip/_internal/vcs/git.py ++++ b/src/pip/_internal/vcs/git.py +@@ -137,9 +137,15 @@ class Git(VersionControl): + output = cls.run_command(['show-ref', rev], cwd=dest, + show_stdout=False, on_returncode='ignore') + refs = {} +- for line in output.strip().splitlines(): ++ # NOTE: We do not use splitlines here since that would split on other ++ # unicode separators, which can be maliciously used to install a ++ # different revision. ++ for line in output.strip().split("\n"): ++ line = line.rstrip("\r") ++ if not line: ++ continue + try: +- sha, ref = line.split() ++ ref_sha, ref_name = line.split(" ", maxsplit=2) + except ValueError: + # Include the offending line to simplify troubleshooting if + # this error ever occurs. +-- +2.25.1 + |