packages/python-pip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-14422

Browse Source 
(cherry picked from commit 8623bc761978856586ceed35397f5d37bf78478a)
This commit is contained in:
markeryang 2022-09-16 10:05:26 +08:00 committed by openeuler-sync-bot
parent fb715b3b49
commit ef6221829e
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-CVE-2020-14422.patch Normal file
View File

@ -0,0 +1,43 @@
From b30ee26e366bf509b7538d79bfec6c6d38d53f28 Mon Sep 17 00:00:00 2001
From: Ravi Teja P <rvteja92@gmail.com>
Date: Mon, 29 Jun 2020 23:09:29 +0530
Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
IPv6Interface (GH-21033)
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
Reference:https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28
Conflict:NA
---
src/pip/_vendor/ipaddress.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pip/_vendor/ipaddress.py b/src/pip/_vendor/ipaddress.py
index 3e6f9e499..19dfc4cdb 100644
--- a/src/pip/_vendor/ipaddress.py
+++ b/src/pip/_vendor/ipaddress.py
@@ -1536,7 +1536,7 @@ class IPv4Interface(IPv4Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
@@ -2229,7 +2229,7 @@ class IPv6Interface(IPv6Address):
return False
def __hash__(self):
- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
__reduce__ = _IPAddressBase.__reduce__
--
2.21.0

6
python-pip.spec
View File

@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
Name: python-%{srcname}
Version: 20.2.2
Release: 5
Release: 6
Summary: A tool for installing and managing Python packages
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL: http://www.pip-installer.org
@ -19,6 +19,7 @@ Patch3: remove-existing-dist-only-if-path-conflicts.patch
Patch6000: dummy-certifi.patch
Patch6001: backport-CVE-2021-3572.patch
Patch6002: backport-CVE-2021-33503.patch
Patch6003: backport-CVE-2020-14422.patch
Source1: pip-allow-older-versions.patch
@ -156,6 +157,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
%{python_wheeldir}/%{python_wheelname}
%changelog
* Fri Sep 16 2022 yanglongkang<yanglongkang@h-partners.com> - 20.2.2-6
- fix CVE-2020-14422
* Fri Sep 09 2022 renhongxun<renhongxun@h-partners.com> - 20.2.2-5
- fix CVE-2021-33503