From: Jiaying Song <jiaying.song...@windriver.com>

When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
References: https://nvd.nist.gov/vuln/detail/CVE-2023-5752 Upstream patches: https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4 Signed-off-by: Jiaying Song <jiaying.song...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../python/python3-pip/CVE-2023-5752.patch | 34 +++++++++++++++++++ .../python/python3-pip_22.0.3.bb | 8 +++-- 2 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch new file mode 100644 index 0000000000..ef66a59021 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch @@ -0,0 +1,34 @@ +From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001 +From: Pradyun Gedam <pradyu...@users.noreply.github.com> +Date: Sun, 1 Oct 2023 14:10:25 +0100 +Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg + +This ensures that the resulting revision can not be misinterpreted as an +option. + +Upstream-Status: Backport +[https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4] + +CVE: CVE-2023-5752 + +Signed-off-by: Jiaying Song <jiaying.song...@windriver.com> +--- + src/pip/_internal/vcs/mercurial.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py +index 2a005e0..e440c12 100644 +--- a/src/pip/_internal/vcs/mercurial.py ++++ b/src/pip/_internal/vcs/mercurial.py +@@ -31,7 +31,7 @@ class Mercurial(VersionControl): + + @staticmethod + def get_base_rev_args(rev: str) -> List[str]: +- return [rev] ++ return [f"-r={rev}"] + + def fetch_new( + self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int +-- +2.25.1 + 
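Review bot: the one-line change `- return [rev]` / `+ return [f"-r={rev}"]` relies on hg accepting `-r=<rev>` with the `=` stripped; under getopt-style parsing of a short option, the value is whatever immediately follows `-r` in the same token, so the revision hg receives could be `=<rev>` rather than `<rev>`. Please confirm with the Mercurial shipped in this layer that `pip install hg+<url>@<tag>` still checks out the requested revision after this backport; the long form `--rev=<rev>` is the unambiguous getopt spelling if it does not. Separately, the `Upstream-Status: Backport` line has its URL wrapped onto the following line; keeping it as one line, `Upstream-Status: Backport [https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4]`, matches the usual OE patch-header format.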
diff --git a/meta/recipes-devtools/python/python3-pip_22.0.3.bb b/meta/recipes-devtools/python/python3-pip_22.0.3.bb index 6e28b87ba3..28eab9c3de 100644 --- a/meta/recipes-devtools/python/python3-pip_22.0.3.bb +++ b/meta/recipes-devtools/python/python3-pip_22.0.3.bb @@ -34,9 +34,11 @@ LIC_FILES_CHKSUM = "\ inherit pypi python_setuptools_build_meta -SRC_URI += "file://0001-change-shebang-to-python3.patch" -SRC_URI += "file://no_shebang_mangling.patch" -SRC_URI += "file://reproducible.patch" +SRC_URI += "file://0001-change-shebang-to-python3.patch \ + file://no_shebang_mangling.patch \ + file://reproducible.patch \ + file://CVE-2023-5752.patch \ + " SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0" -- 2.34.1
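Review bot: the recipe hunk reflows the three existing `SRC_URI +=` lines into one multi-line assignment while adding `file://CVE-2023-5752.patch`; for a CVE backport a single added line, `SRC_URI += "file://CVE-2023-5752.patch"`, keeps the diff minimal and easier to cherry-pick across branches, although the consolidated form is also accepted OE style. The patch header does carry the `CVE: CVE-2023-5752` tag, so cve-check will record the CVE as patched for python3-pip without any further recipe change.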
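As an added example (not pip's code and not part of this patch): a small scanner a defender can run over a requirements file before installing with a pip older than 23.3, flagging hg+ VCS requirements whose `@rev` fragment starts with `-`, which is the input shape this fix neutralizes. The requirement-line regex and all sample lines are constructed for illustration.

```python
"""Flag requirements lines whose Mercurial revision would reach hg looking
like a command-line option (the CVE-2023-5752 input pattern, pip < 23.3).
Added example, not pip's code; every sample line below is constructed."""
import re
from typing import List, Tuple

# Assumed requirement shape: [-e ]hg+<url>[@<rev>][#egg=<name>]
_HG_REQ = re.compile(
    r"^(?:-e\s+)?hg\+(?P<url>[^@#\s]+)(?:@(?P<rev>[^#\s]*))?(?:#.*)?$"
)


def hg_rev_is_option_like(rev: str) -> bool:
    """A revision beginning with '-' is parsed by hg as an option, not a rev."""
    return rev.startswith("-")


def scan_requirements(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, repo URL, revision) for every option-like hg rev."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue  # blank or full-line comment
        m = _HG_REQ.match(line)
        if not m:
            continue  # not a Mercurial VCS requirement
        rev = m.group("rev") or ""
        if hg_rev_is_option_like(rev):
            findings.append((lineno, m.group("url"), rev))
    return findings


# Constructed sample requirements file (example.invalid is a reserved name).
SAMPLE = [
    "requests==2.31.0",
    "hg+https://example.invalid/repo@v1.2.3#egg=pkg",
    "-e hg+https://example.invalid/repo@--config=ui.example=1#egg=pkg",
    "# hg+https://example.invalid/commented@-r",
    "hg+https://example.invalid/other",
]

if __name__ == "__main__":
    for lineno, url, rev in scan_requirements(SAMPLE):
        print(f"line {lineno}: option-like revision {rev!r} for {url}")
```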
View/Reply Online (#207943): https://lists.openembedded.org/g/openembedded-core/message/207943