!157 fix CVE-2023-45803 CVE-2024-37891

From: @zhangruifang2020 Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-06-26 07:40:00 +00:00 · 2024-06-26 07:40:00 +00:00 · 1fc7922296
commit 1fc7922296
parent cd025c48fe 6b3faa9496
3 changed files with 129 additions and 1 deletions
--- a/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+++ b/backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
@ -0,0 +1,94 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+
+---
+ src/pip/_vendor/urllib3/_collections.py                  | 18 ++++++++++++++++++
+ src/pip/_vendor/urllib3/connectionpool.py                |  5 +++++
+ src/pip/_vendor/urllib3/poolmanager.py                   |  7 +++++--
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
+index da9857e9..bceb8451 100644
+--- a/src/pip/_vendor/urllib3/_collections.py
+++ b/src/pip/_vendor/urllib3/_collections.py
+@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
+         else:
+             return vals[1:]
+ 
+    def _prepare_for_method_change(self):
+        """
+        Remove content-specific header fields before changing the request
+        method to GET or HEAD according to RFC 9110, Section 15.4.
+        """
+        content_specific_headers = [
+            "Content-Encoding",
+            "Content-Language",
+            "Content-Location",
+            "Content-Type",
+            "Content-Length",
+            "Digest",
+            "Last-Modified",
+        ]
+        for header in content_specific_headers:
+            self.discard(header)
+        return self
+
+     # Backwards compatibility for httplib
+     getheaders = getlist
+     getallmatchingheaders = getlist
+diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
+index 96844d93..5a6adcbd 100644
+--- a/src/pip/_vendor/urllib3/connectionpool.py
+++ b/src/pip/_vendor/urllib3/connectionpool.py
+@@ -9,6 +9,7 @@ import warnings
+ from socket import error as SocketError
+ from socket import timeout as SocketTimeout
+ 
+from ._collections import HTTPHeaderDict
+ from .connection import (
+     BaseSSLError,
+     BrokenPipeError,
+@@ -843,7 +844,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+         redirect_location = redirect and response.get_redirect_location()
+         if redirect_location:
+             if response.status == 303:
+                # Change the method according to RFC 9110, Section 15.4.4.
+                 method = "GET"
+                # And lose the body not to transfer anything sensitive.
+                body = None
+                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
+index 14b10daf..fb51bf7d 100644
+--- a/src/pip/_vendor/urllib3/poolmanager.py
+++ b/src/pip/_vendor/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import collections
+ import functools
+ import logging
+ 
+-from ._collections import RecentlyUsedContainer
+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+ from .exceptions import (
+     LocationValueError,
+@@ -382,9 +382,12 @@ class PoolManager(RequestMethods):
+         # Support relative URLs for redirecting.
+         redirect_location = urljoin(url, redirect_location)
+ 
+-        # RFC 7231, Section 6.4.4
+         if response.status == 303:
+            # Change the method according to RFC 9110, Section 15.4.4.
+             method = "GET"
+            # And lose the body not to transfer anything sensitive.
+            kw["body"] = None
+            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+         retries = kw.get("retries")
+         if not isinstance(retries, Retry):
+-- 
+2.33.0
+
--- a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
+++ b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
@ -0,0 +1,29 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index c7c0427..7e438b9 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -217,7 +217,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+-- 
+2.33.0
+
--- a/python-pip.spec
+++ b/python-pip.spec
@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        21.3.1
-Release:        7
+Release:        8
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@ -24,6 +24,8 @@ Patch6004:      backport-0003-CVE-2024-3651.patch
 Patch6005:      backport-0004-CVE-2024-3651.patch
 Patch6006:      backport-0005-CVE-2024-3651.patch
 Patch6007:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
+Patch6008:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+Patch6009:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch

 Source10: 	pip-allow-older-versions.patch

@ -133,6 +135,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Wed Jun 26 2024 zhangruifang <zhangruifang@h-partners.com> - 21.3.1-8
+- fix CVE-2023-45803 CVE-2024-37891
+
 * Mon Jun 17 2024 yangyuan <yangyuan32@huawei.com> - 21.3.1-7
 - fix CVE-2023-43804