Bug#988418: unblock: python-pip/20.3.4-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package python-pip
[ Reason ]
Pick up the security fix from #988399.
Apply another security update to pip itself. This has no CVE (yet?).
Also included: Minor improvements to autopkgtests, making them more
rugged and the result logs more readable.
[ Impact ]
A known security issue.
[ Tests ]
The package has basic autopkgtest coverage that ensures pip broadly
functions.
The affected code isn't covered by tests, but has been part of 2
upstream releases, without needing to be touched again.
[ Risks ]
pip is virtually a leaf package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock python-pip/20.3.4-2
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/changelog 2021-05-12 08:39:26.000000000 -0400
@@ -1,3 +1,14 @@
+python-pip (20.3.4-2) unstable; urgency=medium
+
+ * Add myself to uploaders.
+ * Mark autopkgtests that use PyPI as needs-internet.
+ * Mark autopkgtests that use PyPI as allow-stderr. Retried http requests,
+ common in Ubuntu CI, will result in logging to stderr. set -e to catch
+ real errors.
+ * Security: Don't split git references on unicode separators.
+
+ -- Stefano Rivera <stefanor@debian.org> Wed, 12 May 2021 08:39:26 -0400
+
python-pip (20.3.4-1) unstable; urgency=medium
[ Stefano Rivera ]
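Review bot: the security entry in the new stanza, `* Security: Don't split git references on unicode separators.`, carries no bug or upstream reference, so the BTS cannot link this upload to the report it fixes; if #988399 (named in the unblock text as the source of the fix) is the python-pip bug for this issue, a `(Closes: #988399)` suffix would close it on upload, and citing the upstream PR noted in the patch header (https://github.com/pypa/pip/pull/9827) in the same line would make the entry traceable without opening debian/patches.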
diff -Nru python-pip-20.3.4/debian/control python-pip-20.3.4/debian/control
--- python-pip-20.3.4/debian/control 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/control 2021-05-12 08:39:26.000000000 -0400
@@ -4,6 +4,7 @@
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Uploaders: Carl Chenet <chaica@debian.org>,
Scott Kitterman <scott@kitterman.com>,
+ Stefano Rivera <stefanor@debian.org>
Homepage: https://pip.pypa.io/en/stable/
Build-Depends: debhelper-compat (= 11),
dh-python,
diff -Nru python-pip-20.3.4/debian/patches/git-split-ascii.patch python-pip-20.3.4/debian/patches/git-split-ascii.patch
--- python-pip-20.3.4/debian/patches/git-split-ascii.patch 1969-12-31 20:00:00.000000000 -0400
+++ python-pip-20.3.4/debian/patches/git-split-ascii.patch 2021-05-12 08:39:26.000000000 -0400
@@ -0,0 +1,40 @@
+From: Pradyun Gedam <pradyunsg@gmail.com>
+Date: Tue, 11 May 2021 20:04:10 -0400
+Subject: Security: Don't split git references on unicode separators
+
+Previously, maliciously formatted tags could be used to hijack a
+commit-based pin. Using the fact that the split here allowed for
+all of unicode's whitespace characters as separators -- which git allows
+as a part of a tag name -- it is possible to force a different revision
+to be installed; if an attacker gains access to the repository.
+
+This change stops splitting the string on unicode characters, by forcing
+the splits to happen on newlines and ASCII spaces.
+
+Origin: upstream, https://github.com/pypa/pip/pull/9827
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 565961a..4423a91 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -149,9 +149,15 @@ class Git(VersionControl):
+ on_returncode='ignore',
+ )
+ refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+ try:
+- sha, ref = line.split()
++ sha, ref = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
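Review bot: `sha, ref = line.split(" ", maxsplit=2)` permits up to three fields, so a line containing two ASCII spaces unpacks into a ValueError and falls into the except branch below instead of being parsed; if rejecting such lines rather than guessing is the intent, a one-line comment saying so would help, otherwise `maxsplit=1` states "sha, then the rest of the line" more directly. Two smaller points on the same hunk: the DEP-3 header has `Origin:` but no `Bug-Debian:` field, so the patch is not traceable from the BTS; and since the unblock text says this code has no test coverage, a unit test feeding the loop a line joined with one of the separators that `str.splitlines()` recognises but `split("\n")` does not, and asserting that only the expected sha/ref pair comes back, would lock the fixed behaviour in.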
diff -Nru python-pip-20.3.4/debian/patches/series python-pip-20.3.4/debian/patches/series
--- python-pip-20.3.4/debian/patches/series 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/patches/series 2021-05-12 08:39:26.000000000 -0400
@@ -9,3 +9,4 @@
debian-python2.7-sysconfig-workaround.patch
debug-command-for-unbundled.patch
str-version.patch
+git-split-ascii.patch
diff -Nru python-pip-20.3.4/debian/tests/control python-pip-20.3.4/debian/tests/control
--- python-pip-20.3.4/debian/tests/control 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/control 2021-05-12 08:39:26.000000000 -0400
@@ -1,8 +1,8 @@
Tests: pip3-root.sh
-Restrictions: breaks-testbed, needs-root
+Restrictions: allow-stderr, breaks-testbed, needs-internet, needs-root
Tests: pip3-user.sh
-Restrictions: breaks-testbed
+Restrictions: allow-stderr, breaks-testbed, needs-internet
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823358
Tests: pip3-editable.sh
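Review bot: the pip3-editable.sh stanza at the end of this hunk keeps no restrictions while the two stanzas above gain `allow-stderr` and `needs-internet`; that is correct only if the editable test installs purely from the local tree, so it is worth confirming it never reaches PyPI, because without `allow-stderr` a single retried request logged to stderr would now fail that test.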
diff -Nru python-pip-20.3.4/debian/tests/pip3-editable.sh python-pip-20.3.4/debian/tests/pip3-editable.sh
--- python-pip-20.3.4/debian/tests/pip3-editable.sh 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-editable.sh 2021-05-12 08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
#!/bin/sh
+set -eu
+
export HOME=$AUTOPKGTEST_TMP
export PIP_DISABLE_PIP_VERSION_CHECK=1
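Review bot: this script gets `set -eu` while pip3-root.sh and pip3-user.sh in the same upload get `set -eux`; since the changelog names more readable result logs as a goal, using `set -eux` here too would trace the commands in this test's log as well, unless leaving out `-x` is deliberate.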
diff -Nru python-pip-20.3.4/debian/tests/pip3-root.sh python-pip-20.3.4/debian/tests/pip3-root.sh
--- python-pip-20.3.4/debian/tests/pip3-root.sh 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-root.sh 2021-05-12 08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
#!/bin/sh
+set -eux
+
export PIP_DISABLE_PIP_VERSION_CHECK=1
python3 -m pip install world
diff -Nru python-pip-20.3.4/debian/tests/pip3-user.sh python-pip-20.3.4/debian/tests/pip3-user.sh
--- python-pip-20.3.4/debian/tests/pip3-user.sh 2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-user.sh 2021-05-12 08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
#!/bin/sh
+set -eux
+
export HOME=$AUTOPKGTEST_TMP
export PATH=$PATH:$HOME/.local/bin
export PIP_DISABLE_PIP_VERSION_CHECK=1