| From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001 |
| From: Hitendra Prajapati <hprajapati@mvista.com> |
| Date: Thu, 16 Jun 2022 09:52:43 +0530 |
| Subject: [PATCH] CVE-2021-3572 |
| |
| Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b] |
| CVE: CVE-2021-3572 |
| Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| --- |
| news/9827.bugfix.rst | 3 +++ |
| src/pip/_internal/vcs/git.py | 10 ++++++++-- |
| 2 files changed, 11 insertions(+), 2 deletions(-) |
| create mode 100644 news/9827.bugfix.rst |
| |
| diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst |
| new file mode 100644 |
| index 0000000..e0d27c3 |
| --- /dev/null |
| +++ b/news/9827.bugfix.rst |
| @@ -0,0 +1,3 @@ |
| +**SECURITY**: Stop splitting on unicode separators in git references, |
| +which could be maliciously used to install a different revision on the |
| +repository. |
| diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py |
| index 7483303..1b895f6 100644 |
| --- a/src/pip/_internal/vcs/git.py |
| +++ b/src/pip/_internal/vcs/git.py |
| @@ -137,9 +137,15 @@ class Git(VersionControl): |
| output = cls.run_command(['show-ref', rev], cwd=dest, |
| show_stdout=False, on_returncode='ignore') |
| refs = {} |
| - for line in output.strip().splitlines(): |
| + # NOTE: We do not use splitlines here since that would split on other |
| + # unicode separators, which can be maliciously used to install a |
| + # different revision. |
| + for line in output.strip().split("\n"): |
| + line = line.rstrip("\r") |
| + if not line: |
| + continue |
| try: |
| - sha, ref = line.split() |
| + ref_sha, ref_name = line.split(" ", maxsplit=2) |
| except ValueError: |
| # Include the offending line to simplify troubleshooting if |
| # this error ever occurs. |
| -- |
| 2.25.1 |
| |