fix CVE-2021-33503

2022-09-09 16:53:15 +08:00 · 2022-09-09 16:53:15 +08:00 · a746b82386
commit a746b82386
parent 020c6f34f2
2 changed files with 47 additions and 1 deletions
--- a/backport-CVE-2021-33503.patch
+++ b/backport-CVE-2021-33503.patch
@ -0,0 +1,42 @@
+From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <sethmichaellarson@gmail.com>
+Date: Wed, 26 May 2021 10:43:12 -0500
+Subject: [PATCH] Improve performance of sub-authority splitting in URL
+
+---
+ src/pip/_vendor/urllib3/util/url.py |  8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/url.py b/src/pip/_vendor/urllib3/util/url.py
+index 6ff238f..81a03da 100644
+--- a/src/pip/_vendor/urllib3/util/url.py
+++ b/src/pip/_vendor/urllib3/util/url.py
+@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+ 
+-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+     REG_NAME_PAT,
+     IPV4_PAT,
+     IPV6_ADDRZ_PAT,
+ )
+-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
+_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
+ 
+ UNRESERVED_CHARS = set(
+     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
+@@ -365,7 +365,9 @@ def parse_url(url):
+             scheme = scheme.lower()
+ 
+         if authority:
+-            auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
+            auth, _, host_port = authority.rpartition("@")
+            auth = auth or None
+            host, port = _HOST_PORT_RE.match(host_port).groups()
+             if auth and normalize_uri:
+                 auth = _encode_invalid_chars(auth, USERINFO_CHARS)
+             if port == "":
+-- 
+1.8.3.1
+
--- a/python-pip.spec
+++ b/python-pip.spec
@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        20.2.2
-Release:        4
+Release:        5
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@ -18,6 +18,7 @@ Patch2:         emit-a-warning-when-running-with-root-privileges.patch
 Patch3:         remove-existing-dist-only-if-path-conflicts.patch
 Patch6000:      dummy-certifi.patch
 Patch6001:      backport-CVE-2021-3572.patch
+Patch6002:      backport-CVE-2021-33503.patch

 Source1:	pip-allow-older-versions.patch

@ -155,6 +156,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Fri Sep 09 2022 renhongxun<renhongxun@h-partners.com> - 20.2.2-5
+- fix CVE-2021-33503
+
 * Sat Aug 23 2021 shixuantong<shixuantong@huawei.com> - 20.2.2-4
 - delete bounded certificate