diff --git a/0001-use-pip-loongarch.conf-on-loongarch64.patch b/0001-use-pip-loongarch.conf-on-loongarch64.patch deleted file mode 100644 index 2e22a764eba65f5f9405329350c0b48042ae6276..0000000000000000000000000000000000000000 --- a/0001-use-pip-loongarch.conf-on-loongarch64.patch +++ /dev/null @@ -1,50 +0,0 @@ -From db095b8f44332d2418aed63c745ffe117bee09c0 Mon Sep 17 00:00:00 2001 -From: Jingyun Hua -Date: Tue, 26 Jul 2022 02:40:38 +0000 -Subject: [PATCH] use pip-loongarch.conf on loongarch64. - -Signed-off-by: Jingyun Hua ---- - src/pip/_internal/configuration.py | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/pip/_internal/configuration.py b/src/pip/_internal/configuration.py -index 858c660..1d9709a 100644 ---- a/src/pip/_internal/configuration.py -+++ b/src/pip/_internal/configuration.py -@@ -19,6 +19,7 @@ import locale - import logging - import os - import sys -+import platform - - from pip._vendor.six.moves import configparser - -@@ -76,6 +77,7 @@ kinds = enum( - - CONFIG_BASENAME = 'pip.ini' if WINDOWS else 'pip.conf' - -+os_arch = platform.machine() - - def get_configuration_files(): - global_config_files = [ -@@ -84,7 +86,15 @@ def get_configuration_files(): - ] - - site_config_file = os.path.join(sys.prefix, CONFIG_BASENAME) -- legacy_config_file = os.path.join( -+ -+ if os_arch == 'loongarch64': -+ user_conf = os.path.join(expanduser('~'),'.pip/pip.conf') -+ if os.path.exists(user_conf): -+ legacy_config_file = user_conf -+ else: -+ legacy_config_file = '/etc/pip38/pip-loongarch.conf' -+ else: -+ legacy_config_file = os.path.join( - expanduser('~'), - 'pip' if WINDOWS else '.pip', - CONFIG_BASENAME, --- -2.27.0 - diff --git a/cve-2007-4559-tarfile.patch b/cve-2007-4559-tarfile.patch new file mode 100644 index 0000000000000000000000000000000000000000..3008a794c5b3b96e1d19a16dcc902ffe15c5ba1c --- /dev/null +++ b/cve-2007-4559-tarfile.patch 
@@ -0,0 +1,78 @@ +Minimal patch for pip + +diff -rU3 pip-orig/src/pip/_internal/utils/unpacking.py pip/src/pip/_internal/utils/unpacking.py +--- pip-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 +@@ -184,6 +184,13 @@ + raise InstallationError( + message.format(filename, path, location) + ) ++ ++ # Call the `data` filter for its side effect (raising exception) ++ try: ++ tarfile.data_filter(member.replace(name=fn), location) ++ except tarfile.LinkOutsideDestinationError: ++ pass ++ + if member.isdir(): + ensure_dir(path) + elif member.issym(): + + +Test from https://github.com/pypa/pip/pull/12214 + +diff -rU3 pip-orig/tests/unit/test_utils_unpacking.py pip/tests/unit/test_utils_unpacking.py +--- pip-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 +@@ -171,6 +171,23 @@ + test_tar = self.make_tar_file('test_tar.tar', files) + untar_file(test_tar, self.tempdir) + ++ def test_unpack_tar_filter(self) -> None: ++ """ ++ Test that the tarfile.data_filter is used to disallow dangerous ++ behaviour (PEP-721) ++ """ ++ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar") ++ with tarfile.open(test_tar, "w") as mytar: ++ file_tarinfo = tarfile.TarInfo("bad-link") ++ file_tarinfo.type = tarfile.SYMTYPE ++ file_tarinfo.linkname = "../../../../pwn" ++ mytar.addfile(file_tarinfo, io.BytesIO(b"")) ++ with pytest.raises(InstallationError) as e: ++ untar_file(test_tar, self.tempdir) ++ ++ assert "is outside the destination" in str(e.value) ++ ++ + + @pytest.mark.parametrize('args, expected', [ + # Test the second containing the first. 
+ + +Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 + +diff --git a/distlib/util.py b/distlib/util.py +index e0622e4..4349d0b 100644 +--- a/src/pip/_vendor/distlib/util.py ++++ b/src/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def check_path(path): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: diff --git a/pip-loongarch.conf b/pip-loongarch.conf deleted file mode 100644 index fd77def5ba76999eaf35282ded8010919afa7038..0000000000000000000000000000000000000000 --- a/pip-loongarch.conf +++ /dev/null @@ -1,8 +0,0 @@ -[global] -timeout = 60 -index-url = https://pypi.loongnix.cn/loongson/pypi -extra-index-url = https://pypi.org/simple -[install] -trusted-host = - pypi.loongnix.cn - pypi.org diff --git a/python3x-pip.spec b/python3x-pip.spec index 66aa1b19d11150aa993bc07a4a4397064c2d4ccd..eb8d7e4803459006fb1492abc5f83a2a38997465 100644 --- a/python3x-pip.spec +++ b/python3x-pip.spec 
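Review bot: The `except tarfile.LinkOutsideDestinationError: pass` added to unpacking.py discards the very error that `test_unpack_tar_filter`, added by the same patch, expects: a symlink to `../../../../pwn` now passes the filter silently and falls through to the `elif member.issym():` branch visible in the context, and, as far as the hunk shows, the other `tarfile.FilterError`s are not wrapped into `InstallationError` either, so the test's `"is outside the destination"` assertion (that wording comes from tarfile's filter errors, not from pip's own message) cannot be satisfied by this code. If the swallow is a deliberate workaround for early PEP 706 backport releases rejecting some legitimate in-tree symlinks, it needs a comment saying so and should be gated on the affected interpreter versions with a fallback to `tarfile.tar_filter`, never to no check at all. `tarfile.data_filter` is also looked up unconditionally, so on an interpreter without the backport every untar fails with `AttributeError`; the rewrite below guards the lookup and converts every filter rejection into `InstallationError`, mirroring what the distlib half of this patch does with `ValueError`. The enclosing `untar_file` loop starts and ends outside the hunk.
```python
            # Call the `data` filter for its side effect (raising exception).
            # Interpreters without the PEP 706 backport have no filters at all;
            # there the path check above is the only protection we have.
            data_filter = getattr(tarfile, "data_filter", None)
            if data_filter is not None:
                try:
                    data_filter(member.replace(name=fn), location)
                except tarfile.TarError as exc:
                    # Deliberately includes LinkOutsideDestinationError: the
                    # test in this patch expects a symlink escape to be refused.
                    msg = "Invalid member in the tar file {}: {}"
                    raise InstallationError(msg.format(filename, exc))
            if member.isdir():
```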
@@ -11,13 +11,12 @@ %endif %global bashcompdir %(pkg-config --variable=completionsdir bash-completion 2>/dev/null) -%define anolis_release .0.1 Name: python3x-%{srcname} # When updating, update the bundled libraries versions bellow! # You can use vendor_meta.sh in the dist git repo Version: 19.3.1 -Release: 6%{anolis_release}%{?dist} +Release: 7%{?dist} Summary: A tool for installing and managing Python packages # We bundle a lot of libraries with pip, which itself is under MIT license. @@ -71,8 +70,6 @@ Source1: https://github.com/pypa/pypa-docs-theme/archive/%{pypa_theme_com Source2: https://github.com/python/python-docs-theme/archive/2018.2.tar.gz %endif -Source100: pip-loongarch.conf - # Downstream only patch # Emit a warning to the user if pip install is run with root privileges # Issue upstream: https://github.com/pypa/pip/issues/4288 @@ -108,7 +105,14 @@ Patch7: CVE-2021-33503.patch # https://github.com/pypa/pip/pull/7873 Patch8: fix-tmpdir-infinite-recursion.patch -Patch1000: 0001-use-pip-loongarch.conf-on-loongarch64.patch +# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting +# - Minimal downstream-only patch, to be replaced by upstream solution +# proposed in https://github.com/pypa/pip/pull/12214 +# - Test patch submitted upstream in the above pull request +# - Patch for vendored distlib, accepted upstream: +# https://github.com/pypa/distlib/pull/201 +Patch9: cve-2007-4559-tarfile.patch + # Downstream only patch # Users might have local installations of pip from using # `pip install --user --upgrade pip` on older/newer versions. @@ -265,7 +269,7 @@ popd %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch1000 -p1 +%patch9 -p1 # this goes together with patch4 rm src/pip/_vendor/certifi/*.pem 
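Review bot: `Patch9` makes pip call `tarfile.data_filter` on every tar member, so this build only works on a python3.8 that carries the PEP 706 backport, yet the hunk adds no versioned `Requires:` on the interpreter; installed against an older interpreter, every sdist install would fail with `AttributeError` rather than fall back to the previous behaviour. Record that next to the patch, e.g. `# Patch9 needs tarfile extraction filters (PEP 706) in the interpreter`, and add a versioned `Requires:` on the first python3.8 build that ships them (the exact NVR is not visible here).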
@@ -279,6 +283,11 @@ ln -s %{python_wheeldir} tests/data/common_wheels rm -v src/pip/_vendor/distlib/*.exe sed -i '/\.exe/d' setup.py +# Backports for Python 2 +rm src/pip/_vendor/distlib/_backport/shutil.py +rm src/pip/_vendor/distlib/_backport/tarfile.py + + %build %py3_build_wheel @@ -302,9 +311,6 @@ rm docs/build/html/.buildinfo --root %{buildroot} \ --no-deps -install -d %{buildroot}%{_sysconfdir}/pip38 -install %{SOURCE100} %{buildroot}%{_sysconfdir}/pip38 - %if %{with doc} pushd docs/build/man install -d %{buildroot}%{_mandir}/man1 @@ -414,7 +420,6 @@ fi %{_bindir}/pip%{python3_version} %{_bindir}/pip-%{python3_version} %{python3_sitelib}/pip* -%{_sysconfdir}/pip38/* %dir %{bashcompdir} %{bashcompdir}/pip3.8 %ghost %{_bindir}/pip3 @@ -434,8 +439,9 @@ fi %{python_wheeldir}/%{python_wheelname} %changelog -* Fri Jun 23 2023 huajingyun - 19.3.1-6.0.1 -- Add pypi.loongnix.cn +* Tue Aug 08 2023 Petr Viktorin - 19.3.1-6 +- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) +Resolves: RHBZ#2218267 * Tue May 24 2022 Orion Poplawski - 19.3.1-6 - Backport patch to fix infinite recursion with pip wheel with $TMPDIR in $PWD
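Review bot: The new `rm` lines in %prep say only `# Backports for Python 2`; what matters for this security update is that `_backport/tarfile.py` is, presumably, a frozen copy of the stdlib module with no extraction-filter support, so removing it closes a filterless extraction path inside the vendored distlib rather than being a mere cleanup. Suggest `# Drop the Python 2 backports: _backport/tarfile.py is a filterless copy of tarfile and must not remain importable next to Patch9`. Because the removal is a plain `rm` after patching, it would be worth confirming (for example with `grep -rn _backport src/pip/_vendor/distlib` in %prep) that nothing left in the vendored tree still imports these modules unconditionally on Python 3, otherwise the breakage only shows up at runtime.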
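Review bot: The new %changelog header says `19.3.1-6`, but this same commit bumps `Release:` to `7%{?dist}` and the entry directly below it already carries `19.3.1-6`, so the changelog no longer identifies this build and rpmlint will report the incoherent version. Change it to `* Tue Aug 08 2023 Petr Viktorin - 19.3.1-7`. The entry also omits the removal of the loongarch index mirror and its `trusted-host` entries that this commit carries out; a second bullet such as `- Drop downstream pip-loongarch.conf and its trusted-host entries` keeps that change visible.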