
Bug#988418: marked as done (unblock: python-pip/20.3.4-2)



Your message dated Thu, 13 May 2021 07:26:59 +0000
with message-id <E1lh5kJ-0006v3-0j@respighi.debian.org>
and subject line unblock python-pip
has caused the Debian Bug report #988418,
regarding unblock: python-pip/20.3.4-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988418
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package python-pip

[ Reason ]
Pick up the security fix from #988399.

Apply another security update to pip itself. This has no CVE (yet?).

Also included: Minor improvements to autopkgtests, making them more
rugged and the result logs more readable.

[ Impact ]
A known security issue.

[ Tests ]
The package has basic autopkgtest coverage that ensures pip broadly
functions.

The affected code isn't covered by tests, but has been part of 2
upstream releases, without needing to be touched again.

[ Risks ]
pip is virtually a leaf package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-pip/20.3.4-2
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/changelog	2021-05-12 08:39:26.000000000 -0400
@@ -1,3 +1,14 @@
+python-pip (20.3.4-2) unstable; urgency=medium
+
+  * Add myself to uploaders.
+  * Mark autopkgtests that use PyPI as needs-internet.
+  * Mark autopkgtests that use PyPI as allow-stderr. Retried http requests,
+    common in Ubuntu CI, will result in logging to stderr. set -e to catch
+    real errors.
+  * Security: Don't split git references on unicode separators.
+
+ -- Stefano Rivera <stefanor@debian.org>  Wed, 12 May 2021 08:39:26 -0400
+
 python-pip (20.3.4-1) unstable; urgency=medium
 
   [ Stefano Rivera ]
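Review bot: the "Security: Don't split git references on unicode separators." entry does not close the bug this upload exists to fix; the unblock text says the change picks up the fix from #988399, so append "(Closes: #988399)" to that line so the BTS closes it on upload and the changelog, the bug and the security tracker stay linked.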
diff -Nru python-pip-20.3.4/debian/control python-pip-20.3.4/debian/control
--- python-pip-20.3.4/debian/control	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/control	2021-05-12 08:39:26.000000000 -0400
@@ -4,6 +4,7 @@
 Maintainer: Debian Python Team <team+python@tracker.debian.org>
 Uploaders: Carl Chenet <chaica@debian.org>,
            Scott Kitterman <scott@kitterman.com>,
+           Stefano Rivera <stefanor@debian.org>
 Homepage: https://pip.pypa.io/en/stable/
 Build-Depends: debhelper-compat (= 11),
                dh-python,
diff -Nru python-pip-20.3.4/debian/patches/git-split-ascii.patch python-pip-20.3.4/debian/patches/git-split-ascii.patch
--- python-pip-20.3.4/debian/patches/git-split-ascii.patch	1969-12-31 20:00:00.000000000 -0400
+++ python-pip-20.3.4/debian/patches/git-split-ascii.patch	2021-05-12 08:39:26.000000000 -0400
@@ -0,0 +1,40 @@
+From: Pradyun Gedam <pradyunsg@gmail.com>
+Date: Tue, 11 May 2021 20:04:10 -0400
+Subject: Security: Don't split git references on unicode separators
+
+Previously, maliciously formatted tags could be used to hijack a
+commit-based pin. Using the fact that the split here allowed for
+all of unicode's whitespace characters as separators -- which git allows
+as a part of a tag name -- it is possible to force a different revision
+to be installed; if an attacker gains access to the repository.
+
+This change stops splitting the string on unicode characters, by forcing
+the splits to happen on newlines and ASCII spaces.
+
+Origin: upstream, https://github.com/pypa/pip/pull/9827
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 565961a..4423a91 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -149,9 +149,15 @@ class Git(VersionControl):
+             on_returncode='ignore',
+         )
+         refs = {}
+-        for line in output.strip().splitlines():
++        # NOTE: We do not use splitlines here since that would split on other
++        #       unicode separators, which can be maliciously used to install a
++        #       different revision.
++        for line in output.strip().split("\n"):
++            line = line.rstrip("\r")
++            if not line:
++                continue
+             try:
+-                sha, ref = line.split()
++                sha, ref = line.split(" ", maxsplit=2)
+             except ValueError:
+                 # Include the offending line to simplify troubleshooting if
+                 # this error ever occurs.
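Review bot: the new parse is not quite ASCII-only: `output.strip()` in `for line in output.strip().split("\n"):` still uses Python's Unicode notion of whitespace, so a non-ASCII separator at the very start or end of the show-ref output is trimmed away instead of staying part of the ref name, which contradicts the NOTE comment just above it; `output.strip("\n")` keeps the whole parse on ASCII newline and space (the `if not line: continue` guard already absorbs blank lines). Two smaller points: `sha, ref = line.split(" ", maxsplit=2)` looks like an off-by-one next to a two-name unpack, but it is what sends a line with a third space-separated field into the except branch, so a short comment saying so would stop a later reader from "fixing" it to `maxsplit=1` and silently accepting such a line; and the DEP-3 header has Origin but no bug field, so add `Bug-Debian: https://bugs.debian.org/988399` to tie the patch to the bug the unblock text cites.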
diff -Nru python-pip-20.3.4/debian/patches/series python-pip-20.3.4/debian/patches/series
--- python-pip-20.3.4/debian/patches/series	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/patches/series	2021-05-12 08:39:26.000000000 -0400
@@ -9,3 +9,4 @@
 debian-python2.7-sysconfig-workaround.patch
 debug-command-for-unbundled.patch
 str-version.patch
+git-split-ascii.patch
diff -Nru python-pip-20.3.4/debian/tests/control python-pip-20.3.4/debian/tests/control
--- python-pip-20.3.4/debian/tests/control	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/control	2021-05-12 08:39:26.000000000 -0400
@@ -1,8 +1,8 @@
 Tests: pip3-root.sh
-Restrictions: breaks-testbed, needs-root
+Restrictions: allow-stderr, breaks-testbed, needs-internet, needs-root
 
 Tests: pip3-user.sh
-Restrictions: breaks-testbed
+Restrictions: allow-stderr, breaks-testbed, needs-internet
 
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823358
 Tests: pip3-editable.sh
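Review bot: `allow-stderr` is justified in the changelog only by retried HTTP requests, but pip3-root.sh and pip3-user.sh also gain `set -eux` in this debdiff, and `-x` writes every traced command to stderr, so the restriction is needed regardless of network behaviour; say so in the changelog, and note that with `set -e` a non-zero exit now fails the test, so stderr output no longer hides real failures.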
diff -Nru python-pip-20.3.4/debian/tests/pip3-editable.sh python-pip-20.3.4/debian/tests/pip3-editable.sh
--- python-pip-20.3.4/debian/tests/pip3-editable.sh	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-editable.sh	2021-05-12 08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -eu
+
 export HOME=$AUTOPKGTEST_TMP
 export PIP_DISABLE_PIP_VERSION_CHECK=1
 
diff -Nru python-pip-20.3.4/debian/tests/pip3-root.sh python-pip-20.3.4/debian/tests/pip3-root.sh
--- python-pip-20.3.4/debian/tests/pip3-root.sh	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-root.sh	2021-05-12 08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -eux
+
 export PIP_DISABLE_PIP_VERSION_CHECK=1
 
 python3 -m pip install world
diff -Nru python-pip-20.3.4/debian/tests/pip3-user.sh python-pip-20.3.4/debian/tests/pip3-user.sh
--- python-pip-20.3.4/debian/tests/pip3-user.sh	2021-03-01 17:03:20.000000000 -0400
+++ python-pip-20.3.4/debian/tests/pip3-user.sh	2021-05-12 08:39:26.000000000 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -eux
+
 export HOME=$AUTOPKGTEST_TMP
 export PATH=$PATH:$HOME/.local/bin
 export PIP_DISABLE_PIP_VERSION_CHECK=1

--- End Message ---
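Added example, not part of the bug report, the debdiff or pip itself: a stand-alone re-implementation of the before and after parsing logic the patch's commit message describes, run over a constructed `git show-ref` output in which one tag name carries U+2028 LINE SEPARATOR and U+00A0 NO-BREAK SPACE. The SHAs, the tag names, the claim that `git show-ref v1.0` lists the crafted tag, and the output ordering are all assumed for illustration; `resolve_tag` is a simplified stand-in for the lookup that consumes the refs mapping, not pip's own function.

```python
"""Why str.splitlines()/str.split() let a crafted tag name hijack a pinned
git revision, and why an ASCII-only parse does not.

Everything here is constructed: SHAs, tag names and the fake `git show-ref`
output. The two parsers mirror the before/after logic of the pip patch but
are stand-alone re-implementations, not pip's own functions.
"""

GOOD_SHA = "1111111111111111111111111111111111111111"  # what v1.0 really points at
EVIL_SHA = "2222222222222222222222222222222222222222"  # what the attacker wants installed
TAG_SHA = "3333333333333333333333333333333333333333"   # object id of the attacker's tag

# A tag name without ASCII space or control characters (so git accepts it)
# that contains U+2028 and U+00A0. Seen through str.splitlines() and
# str.split(), it becomes a second, forged "<sha> <ref>" line for
# refs/tags/v1.0. It still ends in the path component "v1.0", so it is
# assumed to be listed by `git show-ref v1.0` alongside the real tag.
CRAFTED_TAG = "v1.0\u2028" + EVIL_SHA + "\u00a0refs/tags/v1.0"

# Constructed `git show-ref v1.0` output. Refs are assumed to be listed in
# byte order, so the crafted name (which has the real name as a prefix)
# comes after the legitimate tag and its forged entry overwrites the real one.
SHOW_REF_OUTPUT = (
    f"{GOOD_SHA} refs/tags/v1.0\n"
    f"{TAG_SHA} refs/tags/{CRAFTED_TAG}\n"
)


def parse_refs_before(output):
    """Pre-patch logic: split on any Unicode line break, then on any whitespace."""
    refs = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()  # ValueError on a malformed line
        refs[ref] = sha
    return refs


def parse_refs_after(output):
    """Patched logic: only ASCII newline and ASCII space act as separators."""
    refs = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        # maxsplit=2 makes a third space-separated field raise ValueError
        # rather than being swallowed into the ref name.
        sha, ref = line.split(" ", maxsplit=2)
        refs[ref] = sha
    return refs


def resolve_tag(refs, name):
    """Simplified stand-in for the lookup: the sha pinned to refs/tags/<name>."""
    return refs.get(f"refs/tags/{name}")


if __name__ == "__main__":
    print("before patch:", resolve_tag(parse_refs_before(SHOW_REF_OUTPUT), "v1.0"))
    print("after patch: ", resolve_tag(parse_refs_after(SHOW_REF_OUTPUT), "v1.0"))
```

Before the patch the crafted line is read as three lines and the forged entry wins, so the pin resolves to EVIL_SHA; after the patch the whole crafted name stays a single ref and the pin resolves to GOOD_SHA.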
--- Begin Message ---
Unblocked.

--- End Message ---
