packages/python-pip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!129 [sync] PR-128: fix CVE-2020-14422

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1
This commit is contained in:
openeuler-ci-bot 2022-09-16 03:24:57 +00:00 committed by Gitee
commit cd2da8f2a1
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-CVE-2020-14422.patch Normal file
View File

@ -0,0 +1,43 @@
From b30ee26e366bf509b7538d79bfec6c6d38d53f28 Mon Sep 17 00:00:00 2001
From: Ravi Teja P <rvteja92@gmail.com>
Date: Mon, 29 Jun 2020 23:09:29 +0530
Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
IPv6Interface (GH-21033)
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
Reference:https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28
Conflict:NA
---
src/pip/_vendor/ipaddress.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pip/_vendor/ipaddress.py b/src/pip/_vendor/ipaddress.py
index 3e6f9e499..19dfc4cdb 100644
--- a/src/pip/_vendor/ipaddress.py
+++ b/src/pip/_vendor/ipaddress.py
@@ -1536,7 +1536,7 @@ class IPv4Interface(IPv4Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
@@ -2229,7 +2229,7 @@ class IPv6Interface(IPv6Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
--
2.21.0

6
python-pip.spec
View File

@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
Name: python-%{srcname} Name: python-%{srcname}
Version: 20.2.2 Version: 20.2.2
Release: 5 Release: 6
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL: http://www.pip-installer.org URL: http://www.pip-installer.org
@ -19,6 +19,7 @@ Patch3: remove-existing-dist-only-if-path-conflicts.patch
Patch6000: dummy-certifi.patch Patch6000: dummy-certifi.patch
Patch6001: backport-CVE-2021-3572.patch Patch6001: backport-CVE-2021-3572.patch
Patch6002: backport-CVE-2021-33503.patch Patch6002: backport-CVE-2021-33503.patch
Patch6003: backport-CVE-2020-14422.patch
Source1: pip-allow-older-versions.patch Source1: pip-allow-older-versions.patch
@ -156,6 +157,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
%{python_wheeldir}/%{python_wheelname} %{python_wheeldir}/%{python_wheelname}
%changelog %changelog
* Fri Sep 16 2022 yanglongkang<yanglongkang@h-partners.com> - 20.2.2-6
- fix CVE-2020-14422
* Fri Sep 09 2022 renhongxun<renhongxun@h-partners.com> - 20.2.2-5 * Fri Sep 09 2022 renhongxun<renhongxun@h-partners.com> - 20.2.2-5
- fix CVE-2021-33503 - fix CVE-2021-33503