Fix vulnerable regex

(cherry picked from commit 04a0f8ab0aaf45871abbb5516685007fce4d80d3)
2023-12-13 11:39:51 +08:00 · 2023-12-13 11:39:51 +08:00 · 47e6ed90fd
commit 47e6ed90fd
parent cd2da8f2a1
2 changed files with 30 additions and 1 deletions
--- a/backport-fix-vulnerable-regex.patch
+++ b/backport-fix-vulnerable-regex.patch
@ -0,0 +1,25 @@
+From 254e668eef34ca21005634a2bdba9d9a74deaa26 Mon Sep 17 00:00:00 2001
+From: M00nL1ght <69127692+SCH227@users.noreply.github.com>
+Date: Tue, 30 Aug 2022 05:51:29 +0300
+Subject: [PATCH] Fix vulnerable regex
+
+Implement exclusive RE searches to avoid backtracking
+---
+ src/pip/_internal/models/wheel.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/models/wheel.py b/src/pip/_internal/models/wheel.py
+index 35c70375539..a5dc12bdd63 100644
+--- a/src/pip/_internal/models/wheel.py
+++ b/src/pip/_internal/models/wheel.py
+@@ -13,8 +13,8 @@ class Wheel:
+     """A wheel file"""
+ 
+     wheel_file_re = re.compile(
+-        r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.*?))
+-        ((-(?P<build>\d[^-]*?))?-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)
+        r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]*?))
+        ((-(?P<build>\d[^-]*?))?-(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>[^\s-]+?)
+         \.whl|\.dist-info)$""",
+         re.VERBOSE
+     )
--- a/python-pip.spec
+++ b/python-pip.spec
@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        20.2.2
-Release:        6
+Release:        7
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@ -20,6 +20,7 @@ Patch6000:      dummy-certifi.patch
 Patch6001:      backport-CVE-2021-3572.patch
 Patch6002:      backport-CVE-2021-33503.patch
 Patch6003:      backport-CVE-2020-14422.patch
+Patch6004:      backport-fix-vulnerable-regex.patch

 Source1:	pip-allow-older-versions.patch

@ -157,6 +158,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Wed Dec 13 2023 yanglongkang <yanglongkang@h-partners.com> - 20.2.2-7
+- Fix vulnerable regex
+
 * Fri Sep 16 2022 yanglongkang<yanglongkang@h-partners.com> - 20.2.2-6
 - fix CVE-2020-14422