From ba56bdeb8b4bcf3af508d5ea087896d19ad47e57 Mon Sep 17 00:00:00 2001
From: zhuhongbo
Date: Fri, 27 Dec 2024 10:15:58 +0800
Subject: [PATCH] cve: fix CVE-2024-53899
---
 cve-fix-CVE-2024-53899.patch | 96 ++++++++++++++++++++++++++++++++++++
 python-virtualenv.spec | 7 ++-
 2 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 cve-fix-CVE-2024-53899.patch
diff --git a/cve-fix-CVE-2024-53899.patch b/cve-fix-CVE-2024-53899.patch
new file mode 100644
index 0000000..f02bd9f
--- /dev/null
+++ b/cve-fix-CVE-2024-53899.patch
@@ -0,0 +1,96 @@
+From 4543155aaad2225f514e24c5cbb655053c9b73ac Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 17 Dec 2024 21:44:32 +0800
+Subject: [PATCH] cve: fix CVE-2024-53899
+
+---
+ virtualenv_embedded/activate.csh | 8 ++++----
+ virtualenv_embedded/activate.fish | 8 ++++----
+ virtualenv_embedded/activate.sh | 9 +++++----
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/virtualenv_embedded/activate.csh b/virtualenv_embedded/activate.csh
+index 864865b..b1cf722 100644
+--- a/virtualenv_embedded/activate.csh
++++ b/virtualenv_embedded/activate.csh
+@@ -7,15 +7,15 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA
+ # Unset irrelevant variables.
+ deactivate nondestructive
+ 
+-setenv VIRTUAL_ENV "__VIRTUAL_ENV__"
++setenv VIRTUAL_ENV __VIRTUAL_ENV__
+ 
+ set _OLD_VIRTUAL_PATH="$PATH"
+-setenv PATH "$VIRTUAL_ENV/__BIN_NAME__:$PATH"
++setenv PATH "$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
+ 
+ 
+ 
+-if ("__VIRTUAL_PROMPT__" != "") then
+- set env_name = "__VIRTUAL_PROMPT__"
++if (__VIRTUAL_PROMPT__ != "") then
++ set env_name = __VIRTUAL_PROMPT__
+ else
+ set env_name = `basename "$VIRTUAL_ENV"`
+ endif
+diff --git a/virtualenv_embedded/activate.fish b/virtualenv_embedded/activate.fish
+index 818739e..3a36403 100644
+--- a/virtualenv_embedded/activate.fish
++++ b/virtualenv_embedded/activate.fish
+@@ -36,10 +36,10 @@ end
+ # Unset irrelevant variables.
+ deactivate nondestructive
+ 
+-set -gx VIRTUAL_ENV "__VIRTUAL_ENV__"
++set -gx VIRTUAL_ENV __VIRTUAL_ENV__
+ 
+ set -gx _OLD_VIRTUAL_PATH $PATH
+-set -gx PATH "$VIRTUAL_ENV/__BIN_NAME__" $PATH
++set -gx PATH "$VIRTUAL_ENV"'/'__BIN_NAME__ $PATH
+ 
+ # Unset `$PYTHONHOME` if set.
+ if set -q PYTHONHOME
+@@ -61,8 +61,8 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
+ 
+ # Prompt override provided?
+ # If not, just prepend the environment name.
+- if test -n "__VIRTUAL_PROMPT__"
+- printf '%s%s' "__VIRTUAL_PROMPT__" (set_color normal)
++ if test -n __VIRTUAL_PROMPT__
++ printf '%s%s' __VIRTUAL_PROMPT__ (set_color normal)
+ else
+ printf '%s(%s) ' (set_color normal) (basename "$VIRTUAL_ENV")
+ end
+diff --git a/virtualenv_embedded/activate.sh b/virtualenv_embedded/activate.sh
+index 477b7ec..3b225e8 100644
+--- a/virtualenv_embedded/activate.sh
++++ b/virtualenv_embedded/activate.sh
+@@ -40,11 +40,11 @@ deactivate () {
+ # unset irrelevant variables
+ deactivate nondestructive
+ 
+-VIRTUAL_ENV="__VIRTUAL_ENV__"
++VIRTUAL_ENV=__VIRTUAL_ENV__
+ export VIRTUAL_ENV
+ 
+ _OLD_VIRTUAL_PATH="$PATH"
+-PATH="$VIRTUAL_ENV/__BIN_NAME__:$PATH"
++PATH="$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
+ export PATH
+ 
+ # unset PYTHONHOME if set
+@@ -55,8 +55,9 @@ fi
+ 
+ if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT-}" ] ; then
+ _OLD_VIRTUAL_PS1="$PS1"
+- if [ "x__VIRTUAL_PROMPT__" != x ] ; then
+- PS1="__VIRTUAL_PROMPT__$PS1"
++ if [ "x"__VIRTUAL_PROMPT__ != x ] ; then
++ PROMPT=__VIRTUAL_PROMPT__
++ PS1="(${PROMPT}) $PS1"
+ else
+ PS1="(`basename \"$VIRTUAL_ENV\"`) $PS1"
+ fi
+--
+2.47.1
+
diff --git a/python-virtualenv.spec b/python-virtualenv.spec
index deec25f..4850dfb 100644
--- a/python-virtualenv.spec
+++ b/python-virtualenv.spec
@@ -1,6 +1,6 @@
 Name: python-virtualenv
 Version: 15.1.0
-Release: 7%{?dist}
+Release: 7%{?dist}.1
 Summary: Tool to create isolated Python environments
 Group: Development/Languages
@@ -44,6 +44,7 @@ Patch5: dont-fail-on-missing-requests-cert.patch
 # Fix CVE-2019-20916: directory traversal in _download_http_url() function within the bundled pip wheel
 # Backported from upstream: https://github.com/pypa/pip/pull/6418
 Patch6: CVE-2019-20916.patch
+Patch7: cve-fix-CVE-2024-53899.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
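Review bot: Removing the quotes around `__VIRTUAL_ENV__`, `__BIN_NAME__` and `__VIRTUAL_PROMPT__` in the three activate templates only closes the injection if the code that substitutes those placeholders now emits values quoted for the target shell, and nothing in this commit changes that substitution (the inner diffstat covers only the three templates, and the spec hunk adds no other patch). Unless an earlier patch in the series already does that, the new `VIRTUAL_ENV=__VIRTUAL_ENV__` line breaks on any path containing a space and still lets `$(...)` or backticks in the path be evaluated, so the renderer change that quotes each value (sh, csh and fish each need their own quoting rules) should ship in the same patch, or the changelog should say where it lives. Separately, `PROMPT=__VIRTUAL_PROMPT__` in the activate.sh hunk is a risky name: zsh treats `PROMPT` as a synonym for `PS1`, so if this script is sourced from zsh the assignment replaces the prompt before `PS1="(${PROMPT}) $PS1"` reads it, and the new variable is never cleared by `deactivate`, which is defined above this hunk. Inlining the placeholder, `PS1="("__VIRTUAL_PROMPT__") $PS1"`, avoids both problems. Note also that wrapping the prompt in `(...) ` is a visible change for users who passed their own `--prompt` string, since the old line prepended `__VIRTUAL_PROMPT__` verbatim.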
@@ -97,6 +98,7 @@ zip -d pip-9.0.1-py2.py3-none-any.whl pip/_vendor/requests/cacert.pem
 rm -rf pip/ pip-9.0.1.dist-info/
 popd # out of virtualenv_support
 %patch5 -p1
+%patch7 -p1
 %build
 # Build code
@@ -135,6 +137,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Fri Dec 13 2024 zhuhongbo - 15.1.0-7.1
+- cve: fix CVE-2024-53899
+
 * Tue May 17 2022 Lumír Balhar - 15.1.0-7
 - Security fix for CVE-2019-20916 for the bundled pip wheel
 Resolves: rhbz#1868135
-- Gitee