Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package python-pip

[ Reason ]
Pick up the security fix from #988399. Apply another security update to
pip itself. This has no CVE (yet?).

Also included: Minor improvements to autopkgtests, making them more rugged
and the result logs more readable.

[ Impact ]
A known security issue.

[ Tests ]
The package has basic autopkgtest coverage that ensures pip broadly
functions. The affected code isn't covered by tests, but has been part of 2
upstream releases, without needing to be touched again.

[ Risks ]
pip is virtually a leaf package.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock python-pip/20.3.4-2
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog --- python-pip-20.3.4/debian/changelog 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/changelog 2021-05-12 08:39:26.000000000 -0400 @@ -1,3 +1,14 @@ +python-pip (20.3.4-2) unstable; urgency=medium + + * Add myself to uploaders. + * Mark autopkgtests that use PyPI as needs-internet. + * Mark autopkgtests that use PyPI as allow-stderr. Retried http requests, + common in Ubuntu CI, will result in logging to stderr. set -e to catch + real errors. + * Security: Don't split git references on unicode separators. + + -- Stefano Rivera <stefa...@debian.org> Wed, 12 May 2021 08:39:26 -0400 + python-pip (20.3.4-1) unstable; urgency=medium [ Stefano Rivera ] diff -Nru python-pip-20.3.4/debian/control python-pip-20.3.4/debian/control --- python-pip-20.3.4/debian/control 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/control 2021-05-12 08:39:26.000000000 -0400 @@ -4,6 +4,7 @@ Maintainer: Debian Python Team <team+pyt...@tracker.debian.org> Uploaders: Carl Chenet <cha...@debian.org>, Scott Kitterman <sc...@kitterman.com>, + Stefano Rivera <stefa...@debian.org> Homepage: https://pip.pypa.io/en/stable/ Build-Depends: debhelper-compat (= 11), dh-python, diff -Nru python-pip-20.3.4/debian/patches/git-split-ascii.patch python-pip-20.3.4/debian/patches/git-split-ascii.patch --- python-pip-20.3.4/debian/patches/git-split-ascii.patch 1969-12-31 20:00:00.000000000 -0400 +++ python-pip-20.3.4/debian/patches/git-split-ascii.patch 2021-05-12 08:39:26.000000000 -0400 
@@ -0,0 +1,40 @@ +From: Pradyun Gedam <pradyu...@gmail.com> +Date: Tue, 11 May 2021 20:04:10 -0400 +Subject: Security: Don't split git references on unicode separators + +Previously, maliciously formatted tags could be used to hijack a +commit-based pin. Using the fact that the split here allowed for +all of unicode's whitespace characters as separators -- which git allows +as a part of a tag name -- it is possible to force a different revision +to be installed; if an attacker gains access to the repository. + +This change stops splitting the string on unicode characters, by forcing +the splits to happen on newlines and ASCII spaces. + +Origin: upstream, https://github.com/pypa/pip/pull/9827 +--- + src/pip/_internal/vcs/git.py | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py +index 565961a..4423a91 100644 +--- a/src/pip/_internal/vcs/git.py ++++ b/src/pip/_internal/vcs/git.py +@@ -149,9 +149,15 @@ class Git(VersionControl): + on_returncode='ignore', + ) + refs = {} +- for line in output.strip().splitlines(): ++ # NOTE: We do not use splitlines here since that would split on other ++ # unicode separators, which can be maliciously used to install a ++ # different revision. ++ for line in output.strip().split("\n"): ++ line = line.rstrip("\r") ++ if not line: ++ continue + try: +- sha, ref = line.split() ++ sha, ref = line.split(" ", maxsplit=2) + except ValueError: + # Include the offending line to simplify troubleshooting if + # this error ever occurs. diff -Nru python-pip-20.3.4/debian/patches/series python-pip-20.3.4/debian/patches/series --- python-pip-20.3.4/debian/patches/series 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/patches/series 2021-05-12 08:39:26.000000000 -0400 
@@ -9,3 +9,4 @@ debian-python2.7-sysconfig-workaround.patch debug-command-for-unbundled.patch str-version.patch +git-split-ascii.patch diff -Nru python-pip-20.3.4/debian/tests/control python-pip-20.3.4/debian/tests/control --- python-pip-20.3.4/debian/tests/control 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/tests/control 2021-05-12 08:39:26.000000000 -0400 @@ -1,8 +1,8 @@ Tests: pip3-root.sh -Restrictions: breaks-testbed, needs-root +Restrictions: allow-stderr, breaks-testbed, needs-internet, needs-root Tests: pip3-user.sh -Restrictions: breaks-testbed +Restrictions: allow-stderr, breaks-testbed, needs-internet # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823358 Tests: pip3-editable.sh diff -Nru python-pip-20.3.4/debian/tests/pip3-editable.sh python-pip-20.3.4/debian/tests/pip3-editable.sh --- python-pip-20.3.4/debian/tests/pip3-editable.sh 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/tests/pip3-editable.sh 2021-05-12 08:39:26.000000000 -0400 @@ -1,5 +1,7 @@ #!/bin/sh +set -eu + export HOME=$AUTOPKGTEST_TMP export PIP_DISABLE_PIP_VERSION_CHECK=1 diff -Nru python-pip-20.3.4/debian/tests/pip3-root.sh python-pip-20.3.4/debian/tests/pip3-root.sh --- python-pip-20.3.4/debian/tests/pip3-root.sh 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/tests/pip3-root.sh 2021-05-12 08:39:26.000000000 -0400 @@ -1,5 +1,7 @@ #!/bin/sh +set -eux + export PIP_DISABLE_PIP_VERSION_CHECK=1 python3 -m pip install world diff -Nru python-pip-20.3.4/debian/tests/pip3-user.sh python-pip-20.3.4/debian/tests/pip3-user.sh --- python-pip-20.3.4/debian/tests/pip3-user.sh 2021-03-01 17:03:20.000000000 -0400 +++ python-pip-20.3.4/debian/tests/pip3-user.sh 2021-05-12 08:39:26.000000000 -0400 @@ -1,5 +1,7 @@ #!/bin/sh +set -eux + export HOME=$AUTOPKGTEST_TMP export PATH=$PATH:$HOME/.local/bin export PIP_DISABLE_PIP_VERSION_CHECK=1
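Review bot: in the git.py hunk of git-split-ascii.patch, `sha, ref = line.split(" ", maxsplit=2)` allows up to three fields, so a line with two ASCII spaces is only rejected when the two-name unpacking raises ValueError (which the existing `except ValueError` already handles); `maxsplit=1` expresses the intent directly (exactly one SHA and one ref name per line) with the same outcome. The hunk also carries no regression test for a ref name containing a non-ASCII separator, which the unblock text itself acknowledges ("The affected code isn't covered by tests"); a unit test that feeds such a constructed line through this parsing loop and asserts that only the intended ref is returned would be the cheapest guard against a later return to `splitlines()`.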
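Review bot: the debian/tests/control hunk adds `needs-internet` to pip3-root.sh and pip3-user.sh but not to pip3-editable.sh; the changelog says tests that use PyPI were marked, so please confirm that pip3-editable.sh really performs no network access, otherwise it will now be the only test that fails on a CI worker without connectivity. Note also that `allow-stderr` removes the stderr-based failure signal for the two PyPI tests, so their result now rests entirely on the exit status that the `set -e` additions provide.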
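Review bot: the three test-script hunks add shell strictness inconsistently: pip3-editable.sh gets `set -eu` while pip3-root.sh and pip3-user.sh get `set -eux`. Since the changelog justifies `set -e` as the way to "catch real errors" once stderr noise is tolerated, the scripts should agree on the flags; adding `-x` to pip3-editable.sh as well keeps its log readable when a step fails, which is the stated goal of the autopkgtest changes.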