[Buildroot] [git commit branch/2021.05.x] package/python-pip: backport security fix for CVE-2021-3572

Peter Korsgaard peter at korsgaard.com
Mon Oct 4 21:03:52 UTC 2021


commit: https://git.buildroot.net/buildroot/commit/?id=daf17b865c5ee274d2d0475887b8b3b2b3066d6f
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.05.x

Backport the following security fix from the upstream 21.1 release fixing
CVE-2021-3572:

https://github.com/pypa/pip/pull/9827

Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
(cherry picked from commit cf949134b7371e23c4a8b44fc8b1d646628dfbce)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 ...plit-git-references-on-unicode-separators.patch | 45 ++++++++++++++++++++++
 package/python-pip/python-pip.mk                   |  3 ++
 2 files changed, 48 insertions(+)

diff --git a/package/python-pip/0001-Don-t-split-git-references-on-unicode-separators.patch b/package/python-pip/0001-Don-t-split-git-references-on-unicode-separators.patch
new file mode 100644
index 0000000000..0e591550d3
--- /dev/null
+++ b/package/python-pip/0001-Don-t-split-git-references-on-unicode-separators.patch
@@ -0,0 +1,45 @@
+From 62300cf398faacdd0e490b0a1400dec2558612bf Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <pradyunsg at users.noreply.github.com>
+Date: Sat, 24 Apr 2021 10:13:15 +0100
+Subject: [PATCH] Don't split git references on unicode separators
+
+Previously, maliciously formatted tags could be used to hijack a
+commit-based pin. Using the fact that the split here allowed for
+all of unicode's whitespace characters as separators -- which git allows
+as a part of a tag name -- it is possible to force a different revision
+to be installed; if an attacker gains access to the repository.
+
+This change stops splitting the string on unicode characters, by forcing
+the splits to happen on newlines and ASCII spaces.
+
+(cherry picked from commit ca832b2836e0bffa7cf95589acdcd71230f5834e)
+Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303a9..d706064e7 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+         output = cls.run_command(['show-ref', rev], cwd=dest,
+                                  show_stdout=False, on_returncode='ignore')
+         refs = {}
+-        for line in output.strip().splitlines():
++        # NOTE: We do not use splitlines here since that would split on other
++        #       unicode separators, which can be maliciously used to install a
++        #       different revision.
++        for line in output.strip().split("\n"):
++            line = line.rstrip("\r")
++            if not line:
++                continue
+             try:
+-                sha, ref = line.split()
++                sha, ref = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
+-- 
+2.20.1
+
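Review bot: `line.split(" ", maxsplit=2)` in the inner hunk permits up to three fields, so a line with two ASCII spaces would only fail at the two-name unpack and be caught by the `except ValueError` below; `maxsplit=1` would express the intended `<sha> <ref>` shape directly and keep any extra field attached to the ref for the troubleshooting message. The rest of the change is consistent with the stated goal: `split("\n")` plus `rstrip("\r")` limits separators to LF/CRLF rather than the full Unicode set that `splitlines()` honours, and the `if not line: continue` preserves the previous skipping of empty lines.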
diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
index 71f76e2842..e37d526a73 100644
--- a/package/python-pip/python-pip.mk
+++ b/package/python-pip/python-pip.mk
@@ -14,4 +14,7 @@ PYTHON_PIP_LICENSE_FILES = LICENSE.txt
 PYTHON_PIP_CPE_ID_VENDOR = pypa
 PYTHON_PIP_CPE_ID_PRODUCT = pip
 
+#0001-Don-t-split-git-references-on-unicode-separators.patch
+PYTHON_PIP_IGNORE_CVES += CVE-2021-3572
+
 $(eval $(python-package))
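Review bot: the `PYTHON_PIP_IGNORE_CVES += CVE-2021-3572` entry is justified only by the local patch named in the comment line above it, so it should be removed together with that patch when the package is bumped to a release that already carries the upstream fix (21.1 or later, per the commit message); otherwise the CVE would stay suppressed without a corresponding patch.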

