mirror of
https://git.yoctoproject.org/poky
synced 2026-02-05 16:28:43 +01:00
53801adf75
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone" call
(ie "--config"). Controlling the Mercurial configuration can modify how
and which repository is installed. This vulnerability does not affect
users who aren't installing from Mercurial.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-5752
Upstream patches:
389cb799d0
(From OE-Core rev: 862c0338fba06077a26c775b49f993eac63762c9)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001
|
|
From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
|
|
Date: Sun, 1 Oct 2023 14:10:25 +0100
|
|
Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg
|
|
|
|
This ensures that the resulting revision can not be misinterpreted as an
|
|
option.
|
|
|
|
Upstream-Status: Backport
|
|
[https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4]
|
|
|
|
CVE: CVE-2023-5752
|
|
|
|
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
|
|
---
|
|
src/pip/_internal/vcs/mercurial.py | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
|
|
index 2a005e0..e440c12 100644
|
|
--- a/src/pip/_internal/vcs/mercurial.py
|
|
+++ b/src/pip/_internal/vcs/mercurial.py
|
|
@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
|
|
|
|
@staticmethod
|
|
def get_base_rev_args(rev: str) -> List[str]:
|
|
- return [rev]
|
|
+ return [f"-r={rev}"]
|
|
|
|
def fetch_new(
|
|
self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
|
|
--
|
|
2.25.1
|
|
|