#135 [F39]Security fix for CVE-2023-5752
Merged 16 days ago by cstratak. Opened 17 days ago by cstratak.
rpms/ cstratak/python-pip f39_CVE-2023-5752  into  f39

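--- /dev/null
+++ b/CVE-2023-5752.patch
@@ -0,0 +1,115 @@
+From 018b129371db152450cbf1ac7bff401707de94ef Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
+Date: Sun, 1 Oct 2023 14:10:25 +0100
+Subject: [PATCH 1/3] Use `-r=...` instead of `-r ...` for hg
+
+This ensures that the resulting revision can not be misinterpreted as an
+option.
+---
+ src/pip/_internal/vcs/mercurial.py | 2 +-
+ tests/unit/test_vcs.py             | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
+index 4595960..e440c12 100644
+--- a/src/pip/_internal/vcs/mercurial.py
++++ b/src/pip/_internal/vcs/mercurial.py
+@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
+ 
+     @staticmethod
+     def get_base_rev_args(rev: str) -> List[str]:
+-        return ["-r", rev]
++        return [f"-r={rev}"]
+ 
+     def fetch_new(
+         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
+diff --git a/tests/unit/test_vcs.py b/tests/unit/test_vcs.py
+index 38daaa0..9afd022 100644
+--- a/tests/unit/test_vcs.py
++++ b/tests/unit/test_vcs.py
+@@ -66,7 +66,7 @@ def test_rev_options_repr() -> None:
+         # First check VCS-specific RevOptions behavior.
+         (Bazaar, [], ["-r", "123"], {}),
+         (Git, ["HEAD"], ["123"], {}),
+-        (Mercurial, [], ["-r", "123"], {}),
++        (Mercurial, [], ["-r=123"], {}),
+         (Subversion, [], ["-r", "123"], {}),
+         # Test extra_args.  For this, test using a single VersionControl class.
+         (
+-- 
+2.44.0
+
+
+From d5bbf9df3672bc5c4ed4cfddcbf05e9286324443 Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
+Date: Sun, 1 Oct 2023 13:49:06 +0100
+Subject: [PATCH 2/3] newspaper:
+
+---
+ news/12306.bugfix.rst | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 news/12306.bugfix.rst
+
+diff --git a/news/12306.bugfix.rst b/news/12306.bugfix.rst
+new file mode 100644
+index 0000000..eb6eeca
+--- /dev/null
++++ b/news/12306.bugfix.rst
+@@ -0,0 +1 @@
++Use ``-r=...`` instead of ``-r ...`` to specify references with Mercurial.
+-- 
+2.44.0
+
+
+From 27c8f2a8cdaf4580e2b0f3010ebaf0471ccd5197 Mon Sep 17 00:00:00 2001
+From: efflamlemaillet <6533295+efflamlemaillet@users.noreply.github.com>
+Date: Fri, 27 Oct 2023 11:08:17 +0200
+Subject: [PATCH 3/3] Fix hg: "parse error at 0: not a prefix:" (#12373)
+
+Use two hypen argument `--rev=` instead of `-r=`
+
+Co-authored-by: Efflam Lemaillet <elemaillet@logilab.fr>
+Co-authored-by: Pradyun Gedam <pradyunsg@gmail.com>
+---
+ news/370392cf-52cd-402c-b402-06d2ff398f89.bugfix.rst | 1 +
+ src/pip/_internal/vcs/mercurial.py                   | 2 +-
+ tests/unit/test_vcs.py                               | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 news/370392cf-52cd-402c-b402-06d2ff398f89.bugfix.rst
+
+diff --git a/news/370392cf-52cd-402c-b402-06d2ff398f89.bugfix.rst b/news/370392cf-52cd-402c-b402-06d2ff398f89.bugfix.rst
+new file mode 100644
+index 0000000..76a8e6b
+--- /dev/null
++++ b/news/370392cf-52cd-402c-b402-06d2ff398f89.bugfix.rst
+@@ -0,0 +1 @@
++Fix mercurial revision "parse error": use ``--rev={ref}`` instead of ``-r={ref}``
+diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
+index e440c12..c183d41 100644
+--- a/src/pip/_internal/vcs/mercurial.py
++++ b/src/pip/_internal/vcs/mercurial.py
+@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
+ 
+     @staticmethod
+     def get_base_rev_args(rev: str) -> List[str]:
+-        return [f"-r={rev}"]
++        return [f"--rev={rev}"]
+ 
+     def fetch_new(
+         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
+diff --git a/tests/unit/test_vcs.py b/tests/unit/test_vcs.py
+index 9afd022..8512357 100644
+--- a/tests/unit/test_vcs.py
++++ b/tests/unit/test_vcs.py
+@@ -66,7 +66,7 @@ def test_rev_options_repr() -> None:
+         # First check VCS-specific RevOptions behavior.
+         (Bazaar, [], ["-r", "123"], {}),
+         (Git, ["HEAD"], ["123"], {}),
+-        (Mercurial, [], ["-r=123"], {}),
++        (Mercurial, [], ["--rev=123"], {}),
+         (Subversion, [], ["-r", "123"], {}),
+         # Test extra_args.  For this, test using a single VersionControl class.
+         (
+-- 
+2.44.0
+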

file modified
+12 -1
@@ -14,7 +14,7 @@ 

  

  Name:           python-%{srcname}

  Version:        %{base_version}%{?prerel:~%{prerel}}

- Release:        1%{?dist}

+ Release:        2%{?dist}

  Summary:        A tool for installing and managing Python packages

  

  # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -83,6 +83,13 @@ 

  # Upstream issue: https://github.com/pypa/packaging/issues/368

  Patch:          no-version-warning.patch

  

+ # Security fix for CVE-2023-5752:

+ # Mercurial configuration injectable in repo revision when installing via pip

+ # Resolved upstream:

+ # https://github.com/pypa/pip/commit/1082eb12622b20d101d2864111dd9a591dd6c2f5

+ # https://github.com/pypa/pip/commit/6dbd9c68f085c5bf304247bf7c7933842092efb2

+ Patch:          CVE-2023-5752.patch

+ 

  %description

  pip is a package management system used to install and manage software packages

  written in Python. Many packages can be found in the Python Package Index
@@ -361,6 +368,10 @@ 

  %{python_wheel_dir}/%{python_wheel_name}

  

  %changelog

+ * Wed Apr 17 2024 Charalampos Stratakis <cstratak@redhat.com> - 23.2.1-2

+ - Security fix for CVE-2023-5752

+ Resolves: rhbz#2263291

+ 

  * Fri Aug 04 2023 Miro Hrončok <mhroncok@redhat.com> - 23.2.1-1

  - Update to 23.2.1

  Resolves: rhbz#2223082
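Review bot: The provenance comment added above the new `Patch:          CVE-2023-5752.patch` line cites upstream commits 1082eb12… and 6dbd9c68…, but the three `From` headers inside the added patch file carry different ids (018b1293…, d5bbf9df…, 27c8f2a8…), so a reader cannot match the file to the cited commits without further digging. Presumably the patch was exported from a release-branch backport rather than from the commits named here; the comment should say where it was taken from, e.g. `# Backported from: <branch or PR URL — placeholder>`, or cite the ids that actually appear in the file. The comment also states only the outcome ("configuration injectable in repo revision"); one line on the mechanism helps future rebases, e.g. `# A revision starting with "--" was passed to hg as a separate argument; --rev=<rev> keeps it a value.`, which is what the patch's own description says it fixes. The Release bump and the changelog entry in this section agree with each other (23.2.1-2, rhbz#2263291).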

Resolves: rhbz#2263291

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/996b71903f2c4680a32c6fa5cf9ffcb2

The patch and the spec look good to me. We might need the second patch, changing -r to --rev, for f40 as well.

The patch and the spec look good to me. We might need the second patch, changing -r to --rev, for f40 as well.

This is already included in F40 as the fix was backported to pip 23.3.2: https://github.com/pypa/pip/pull/12438/commits/3f9c9f919ed5ef845aaf0880e64b73b992b7aab8
