poky/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch

From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Thu, 16 Jun 2022 09:52:43 +0530
Subject: [PATCH] CVE-2021-3572

Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
CVE: CVE-2021-3572
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 news/9827.bugfix.rst         |  3 +++
 src/pip/_internal/vcs/git.py | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 news/9827.bugfix.rst

diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
new file mode 100644
index 0000000..e0d27c3
--- /dev/null
+++ b/news/9827.bugfix.rst
@@ -0,0 +1,3 @@
+**SECURITY**: Stop splitting on unicode separators in git references,
+which could be maliciously used to install a different revision on the
+repository.
diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
index 7483303..1b895f6 100644
--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
@@ -137,9 +137,15 @@ class Git(VersionControl):
         output = cls.run_command(['show-ref', rev], cwd=dest,
                                  show_stdout=False, on_returncode='ignore')
         refs = {}
-        for line in output.strip().splitlines():
+        # NOTE: We do not use splitlines here since that would split on other
+        #       unicode separators, which can be maliciously used to install a
+        #       different revision.
+        for line in output.strip().split("\n"):
+            line = line.rstrip("\r")
+            if not line:
+                continue
             try:
-                sha, ref = line.split()
+                ref_sha, ref_name = line.split(" ", maxsplit=2)
             except ValueError:
                 # Include the offending line to simplify troubleshooting if
                 # this error ever occurs.
-- 
2.25.1