Commit Graph

6 Commits

Jiaying Song
53801adf75 python3-pip: fix CVE-2023-5752
When installing a package from a Mercurial VCS URL (i.e. "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options into the "hg clone" call
(i.e. "--config"). Controlling the Mercurial configuration can modify how
and which repository is installed. This vulnerability does not affect
users who aren't installing from Mercurial.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-5752

Upstream patches:
389cb799d0

(From OE-Core rev: 862c0338fba06077a26c775b49f993eac63762c9)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-02 06:23:20 -08:00
Richard Purdie
228c3b3562 python3-pip: Improve reproducibility
Pip-installed wheels are not reproducible currently. The direct_url
files encode an installation path, and the installed wheels compile
the python files at their location, not their final install location,
which is incorrect.

To fix this, simply disable the direct_urls and pass the "root" to
the python compile function to strip that path out of the compiled
files.

(From OE-Core rev: 2c74d5346e7581949fbdebc4744c8317236221c3)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-25 15:07:50 +00:00
Richard Purdie
d98a804617 python3-pip: Don't change shebang
Patch pip to disable shebang mangling and also force the python executable
to be python3 from the environment when building anything for the target
(or nativesdk).

(From OE-Core rev: 8ceb0bec18422818dcdb0efecec08ed155dc4715)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-25 15:07:50 +00:00
Alexander Kanavin
a8a97eb845 python3-pip: update 21.2.4 -> 21.3
Adjust patch as file is removed from source tree.

(From OE-Core rev: e6fc7d2825d6c26f5dc65e38f3313cd9b3556238)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-10-23 17:42:25 +01:00
Trevor Gamblin
cf285f9682 python3-pip: upgrade 20.0.2 -> 21.1.2
21.1.2 contains a fix for CVE-2021-3572
(e46bdda971)

The LICENSE.txt signature changed due to an update to the copyright
dates, but the terms are the same.

Also update 0001-change-shebang-to-python3.patch to cover all files in
pip's src directory, since we need to ensure compatibility.

Finally, fix the ordering of the "inherit" and "SRC_URI" lines so that
devtool will correctly identify that there is a new version upstream.

(From OE-Core rev: 2135167ca86ff9d112ef3e71f5320c775d075b6c)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-27 08:38:34 +01:00
Changqing Li
c57eb0a488 python3-pip: change shebang to python3
We have officially dropped python2, so it is possible
that our code runs on a python3-only host, so change the
shebang to python3 to avoid errors like:
python: command not found

(From OE-Core rev: 4a4fabaa8f6915513a3b1ef2268c402e96eca888)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-04-26 14:00:51 +01:00