Your message dated Thu, 13 May 2021 07:26:59 +0000
with message-id <[email protected]>
and subject line unblock python-pip
has caused the Debian Bug report #988418,
regarding unblock: python-pip/20.3.4-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
988418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988418
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package python-pip
[ Reason ]
Pick up the security fix from #988399.
Apply another security update to pip itself. This has no CVE (yet?).
Also included: Minor improvements to autopkgtests, making them more
rugged and the result logs more readable.
[ Impact ]
A known security issue.
[ Tests ]
The package has basic autopkgtest coverage that ensures pip broadly
functions.
The affected code isn't covered by tests, but has been part of two
upstream releases without needing to be touched again.
[ Risks ]
pip is virtually a leaf package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock python-pip/20.3.4-2
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/changelog 2021-05-12 08:39:26.000000000 -0400
@@ -1,3 +1,14 @@
+python-pip (20.3.4-2) unstable; urgency=medium
+
+ * Add myself to uploaders.
+ * Mark autopkgtests that use PyPI as needs-internet.
+ * Mark autopkgtests that use PyPI as allow-stderr. Retried http requests,
+ common in Ubuntu CI, will result in logging to stderr. set -e to catch
+ real errors.
+ * Security: Don't split git references on unicode separators.
+
+ -- Stefano Rivera <[email protected]> Wed, 12 May 2021 08:39:26 -0400
+
python-pip (20.3.4-1) unstable; urgency=medium
[ Stefano Rivera ]
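Review bot: The `* Security: Don't split git references on unicode separators.` entry names no bug, CVE or upstream reference, while the request body says there is no CVE yet; carry the PR URL from the patch's Origin field into the changelog (e.g. `* Security: Don't split git references on unicode separators (upstream PR 9827).`) so the fix is traceable from the package metadata alone. The allow-stderr bullet would also read more clearly if it said why `set -e` is needed: autopkgtest treats any stderr output as a failure unless allow-stderr is set, so once stderr is allowed, only the exit status can flag a real error.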
diff -Nru python-pip-20.3.4/debian/control python-pip-20.3.4/debian/control
--- python-pip-20.3.4/debian/control 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/control 2021-05-12 08:39:26.000000000 -0400
@@ -4,6 +4,7 @@
Maintainer: Debian Python Team <[email protected]>
Uploaders: Carl Chenet <[email protected]>,
Scott Kitterman <[email protected]>,
+ Stefano Rivera <[email protected]>
Homepage: https://pip.pypa.io/en/stable/
Build-Depends: debhelper-compat (= 11),
dh-python,
diff -Nru python-pip-20.3.4/debian/patches/git-split-ascii.patch
python-pip-20.3.4/debian/patches/git-split-ascii.patch
--- python-pip-20.3.4/debian/patches/git-split-ascii.patch 1969-12-31
20:00:00.000000000 -0400
+++ python-pip-20.3.4/debian/patches/git-split-ascii.patch 2021-05-12
08:39:26.000000000 -0400
@@ -0,0 +1,40 @@
+From: Pradyun Gedam <[email protected]>
+Date: Tue, 11 May 2021 20:04:10 -0400
+Subject: Security: Don't split git references on unicode separators
+
+Previously, maliciously formatted tags could be used to hijack a
+commit-based pin. Using the fact that the split here allowed for
+all of unicode's whitespace characters as separators -- which git allows
+as a part of a tag name -- it is possible to force a different revision
+to be installed; if an attacker gains access to the repository.
+
+This change stops splitting the string on unicode characters, by forcing
+the splits to happen on newlines and ASCII spaces.
+
+Origin: upstream, https://github.com/pypa/pip/pull/9827
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 565961a..4423a91 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -149,9 +149,15 @@ class Git(VersionControl):
+ on_returncode='ignore',
+ )
+ refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+ try:
+- sha, ref = line.split()
++ sha, ref = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
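Review bot: `sha, ref = line.split(" ", maxsplit=2)` allows up to three fields, so a line with two ASCII spaces is rejected only because the two-name unpack raises ValueError, which the `except ValueError` below handles; `maxsplit=1` states the intent directly (git ref names cannot contain an ASCII space, so exactly one separator is expected) and makes the limit obvious to the next reader. The `rstrip("\r")` and the empty-line skip are right for CRLF output and the trailing newline. The DEP-3 header carries `Origin: upstream, <PR URL>` but no `Applied-Upstream:` field; add it once the upstream release containing the fix is known, so the patch can be dropped cleanly on the next import.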
diff -Nru python-pip-20.3.4/debian/patches/series
python-pip-20.3.4/debian/patches/series
--- python-pip-20.3.4/debian/patches/series 2021-03-01 17:03:20.000000000
-0400
+++ python-pip-20.3.4/debian/patches/series 2021-05-12 08:39:26.000000000
-0400
@@ -9,3 +9,4 @@
debian-python2.7-sysconfig-workaround.patch
debug-command-for-unbundled.patch
str-version.patch
+git-split-ascii.patch
diff -Nru python-pip-20.3.4/debian/tests/control
python-pip-20.3.4/debian/tests/control
--- python-pip-20.3.4/debian/tests/control 2021-03-01 17:03:20.000000000
-0400
+++ python-pip-20.3.4/debian/tests/control 2021-05-12 08:39:26.000000000
-0400
@@ -1,8 +1,8 @@
Tests: pip3-root.sh
-Restrictions: breaks-testbed, needs-root
+Restrictions: allow-stderr, breaks-testbed, needs-internet, needs-root
Tests: pip3-user.sh
-Restrictions: breaks-testbed
+Restrictions: allow-stderr, breaks-testbed, needs-internet
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823358
Tests: pip3-editable.sh
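Review bot: The `Tests: pip3-editable.sh` stanza gets neither needs-internet nor allow-stderr, yet its script gains `set -eu` elsewhere in this debdiff; if that test reaches PyPI at all it needs the same two restrictions as the other two stanzas, so confirm it only installs from a local path. Note also that none of the three tests exercises the git ref parsing touched by git-split-ascii.patch, which the request body already acknowledges.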
diff -Nru python-pip-20.3.4/debian/tests/pip3-editable.sh
python-pip-20.3.4/debian/tests/pip3-editable.sh
--- python-pip-20.3.4/debian/tests/pip3-editable.sh 2021-03-01
17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-editable.sh 2021-05-12
08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
#!/bin/sh
+set -eu
+
export HOME=$AUTOPKGTEST_TMP
export PIP_DISABLE_PIP_VERSION_CHECK=1
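Review bot: `set -eu` here versus `set -eux` in pip3-root.sh and pip3-user.sh; the asymmetry is correct only because this test has no allow-stderr in tests/control and `-x` would write the command trace to stderr, which autopkgtest counts as a failure. A one-line comment next to `set -eu` saying that `-x` is deliberately left out would stop someone from adding it later and breaking the test.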
diff -Nru python-pip-20.3.4/debian/tests/pip3-root.sh
python-pip-20.3.4/debian/tests/pip3-root.sh
--- python-pip-20.3.4/debian/tests/pip3-root.sh 2021-03-01 17:03:20.000000000
-0400
+++ python-pip-20.3.4/debian/tests/pip3-root.sh 2021-05-12 08:39:26.000000000
-0400
@@ -1,5 +1,7 @@
#!/bin/sh
+set -eux
+
export PIP_DISABLE_PIP_VERSION_CHECK=1
python3 -m pip install world
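Review bot: `set -eux` sends the trace of every command to stderr, so this test now always produces stderr output and the allow-stderr restriction added in tests/control is mandatory, not just a convenience for retried HTTP requests as the changelog says; worth stating in the changelog entry or in a comment above `set -eux`. With `-e`, a failing `python3 -m pip install world` now fails the test instead of being masked by a later command's exit status, which is the point of the change.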
diff -Nru python-pip-20.3.4/debian/tests/pip3-user.sh
python-pip-20.3.4/debian/tests/pip3-user.sh
--- python-pip-20.3.4/debian/tests/pip3-user.sh 2021-03-01 17:03:20.000000000
-0400
+++ python-pip-20.3.4/debian/tests/pip3-user.sh 2021-05-12 08:39:26.000000000
-0400
@@ -1,5 +1,7 @@
#!/bin/sh
+set -eux
+
export HOME=$AUTOPKGTEST_TMP
export PATH=$PATH:$HOME/.local/bin
export PIP_DISABLE_PIP_VERSION_CHECK=1
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---