mirror of
https://git.yoctoproject.org/poky
synced 2026-02-06 16:56:37 +01:00
ad768575b1
Backport the body of a fix for CVE-2021-3572 since hardknott carries 20.0.2, and the delta between it and the latest 21.1.3 is more than just bugfixes. CVE: CVE-2021-3572 (From OE-Core rev: fb7a2af241795b82f121381cea6f4b56ce948ebf) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
41 lines
1.5 KiB
Diff
41 lines
1.5 KiB
Diff
From 25c1b92b1add0b81afe2fc6f9e82f66738a2d800 Mon Sep 17 00:00:00 2001
|
|
From: Trevor Gamblin <trevor.gamblin@windriver.com>
|
|
Date: Thu, 22 Jul 2021 09:57:53 -0400
|
|
Subject: [PATCH] Don't split git references on unicode separators
|
|
|
|
Upstream-Status: Backport
|
|
(https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b)
|
|
|
|
CVE: CVE-2021-3572
|
|
|
|
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
|
|
---
|
|
src/pip/_internal/vcs/git.py | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
|
|
index 7483303a9..d706064e7 100644
|
|
--- a/src/pip/_internal/vcs/git.py
|
|
+++ b/src/pip/_internal/vcs/git.py
|
|
@@ -137,9 +137,15 @@ class Git(VersionControl):
|
|
output = cls.run_command(['show-ref', rev], cwd=dest,
|
|
show_stdout=False, on_returncode='ignore')
|
|
refs = {}
|
|
- for line in output.strip().splitlines():
|
|
+ # NOTE: We do not use splitlines here since that would split on other
|
|
+ # unicode separators, which can be maliciously used to install a
|
|
+ # different revision.
|
|
+ for line in output.strip().split("\n"):
|
|
+ line = line.rstrip("\r")
|
|
+ if not line:
|
|
+ continue
|
|
try:
|
|
- sha, ref = line.split()
|
|
+ sha, ref = line.split(" ", maxsplit=2)
|
|
except ValueError:
|
|
# Include the offending line to simplify troubleshooting if
|
|
# this error ever occurs.
|
|
--
|
|
2.31.1
|
|
|