File CVE-2021-3572-split-unicode-separators.patch of Package python-pip.22056 (project openSUSE:Step:15-SP4, openSUSE Build Service)
From ca832b2836e0bffa7cf95589acdcd71230f5834e Mon Sep 17 00:00:00 2001 From: Pradyun Gedam <pradyunsg@users.noreply.github.com> Date: Sat, 24 Apr 2021 10:13:15 +0100 Subject: [PATCH 1/2] Don't split git references on unicode separators Previously, maliciously formatted tags could be used to hijack a commit-based pin. Using the fact that the split here allowed for all of unicode's whitespace characters as separators -- which git allows as a part of a tag name -- it is possible to force a different revision to be installed; if an attacker gains access to the repository. This change stops splitting the string on unicode characters, by forcing the splits to happen on newlines and ASCII spaces. --- news/9827.bugfix.rst | 3 +++ src/pip/_internal/vcs/git.py | 10 ++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) --- /dev/null +++ b/news/9827.bugfix.rst @@ -0,0 +1,3 @@ +**SECURITY**: Stop splitting on unicode separators in git references, +which could be maliciously used to install a different revision on the +repository. --- a/src/pip/_internal/vcs/git.py +++ b/src/pip/_internal/vcs/git.py @@ -137,9 +137,15 @@ class Git(VersionControl): output = cls.run_command(['show-ref', rev], cwd=dest, show_stdout=False, on_returncode='ignore') refs = {} - for line in output.strip().splitlines(): + # NOTE: We do not use splitlines here since that would split on other + # unicode separators, which can be maliciously used to install a + # different revision. + for line in output.strip().split("\n"): + line = line.rstrip("\r") + if not line: + continue try: - sha, ref = line.split() + sha, ref = line.split(" ", maxsplit=2) except ValueError: # Include the offending line to simplify troubleshooting if # this error ever occurs.
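Review bot: in the news/9827.bugfix.rst hunk, "install a different revision on the repository" reads as if the repository itself were modified; the issue is that a different revision of the repository gets installed than the one the requirement pins. Suggest "which could be maliciously used to install a different revision of a repository than the one pinned", and state the precondition the commit message gives, that the attacker must be able to create maliciously formatted tags in that repository, since a changelog reader otherwise cannot judge exposure.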
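Review bot: in the src/pip/_internal/vcs/git.py hunk, `sha, ref = line.split(" ", maxsplit=2)` looks like a typo for `maxsplit=1`; with `maxsplit=2` a line containing two ASCII spaces yields three fields, and the line is only rejected because the two-name unpack raises ValueError into the existing handler. If rejecting anything other than exactly `<sha> <ref>` is the intent, make it explicit, e.g. `parts = line.split(" ")` followed by `if len(parts) != 2: raise ValueError(f"unexpected show-ref line: {line!r}")`, instead of relying on the unpack. Separately, `output.strip()` is still the Unicode-aware strip, so a ref whose name ends in a non-ASCII separator loses that character when it is the last line of the output; now that empty lines are skipped by `if not line: continue`, the leading `.strip()` is unnecessary and `output.split("\n")` alone keeps every ref name intact.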
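To make the hijack described in the commit message concrete, here is an added example (it is not pip's code and not part of this patch) that reconstructs the `-` and `+` parsing loops from the git.py hunk and runs both over a constructed `git show-ref` output line. The three commit ids, the tag name, the show-ref output and the `resolve` lookup order (remote branch first, then tag, as pip does with the `refs` dict) are assumptions made for the demonstration. The tag name combines U+2028 LINE SEPARATOR, which `str.splitlines()` treats as a line break, with U+00A0 NO-BREAK SPACE, which argument-less `str.split()` treats as a field separator; git's ref-name rules reject ASCII space and control characters but not these non-ASCII separators, which is the property the commit message relies on.

```python
"""Constructed demonstration of the ref-splitting issue fixed above.

Added example, not pip's code. The two parsing loops mirror the '-' and '+'
sides of the git.py hunk; the commit ids, tag name, show-ref output and the
lookup order in resolve() are assumptions made for illustration.
"""

# Constructed commit ids (not real).
PINNED = "1111111111111111111111111111111111111111"   # revision the requirement pins
EVIL = "2222222222222222222222222222222222222222"     # revision the attacker wants installed
TAG_SHA = "3333333333333333333333333333333333333333"  # what the hostile tag really points at

# Hostile tag name. git refuses ASCII space and control characters in ref
# names but accepts these non-ASCII separators:
#   U+2028 LINE SEPARATOR  -> str.splitlines() breaks the line here
#   U+00A0 NO-BREAK SPACE  -> str.split() with no argument breaks a field here
HOSTILE_TAG = f"v1\u2028{EVIL}\u00a0refs/tags/{PINNED}"

# Constructed stand-in for the stdout of `git show-ref <rev>`: "<sha> <refname>\n".
SHOW_REF_OUTPUT = f"{TAG_SHA} refs/tags/{HOSTILE_TAG}\n"


def parse_refs_vulnerable(output: str) -> dict:
    """The '-' side of the hunk: Unicode-aware line and field splitting."""
    refs = {}
    for line in output.strip().splitlines():      # also splits on U+2028
        try:
            sha, ref = line.split()               # also splits on U+00A0
        except ValueError:
            raise ValueError(f"unexpected show-ref line: {line!r}")
        refs[ref] = sha
    return refs


def parse_refs_fixed(output: str) -> dict:
    """The '+' side of the hunk: newline and ASCII-space splitting only."""
    refs = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        try:
            sha, ref = line.split(" ", maxsplit=2)
        except ValueError:
            raise ValueError(f"unexpected show-ref line: {line!r}")
        refs[ref] = sha
    return refs


def resolve(refs: dict, rev: str):
    """Assumed lookup order: remote branch first, then tag.

    Returns (sha, is_branch). A sha of None means "no ref is named rev, treat
    rev as a commit id and check it out directly", which is what keeps a
    commit-based pin honest.
    """
    sha = refs.get(f"refs/remotes/origin/{rev}")
    if sha is not None:
        return sha, True
    return refs.get(f"refs/tags/{rev}"), False


def demo():
    """Return (sha chosen by the old parser, sha chosen by the new parser)."""
    before, _ = resolve(parse_refs_vulnerable(SHOW_REF_OUTPUT), PINNED)
    after, _ = resolve(parse_refs_fixed(SHOW_REF_OUTPUT), PINNED)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("pinned   :", PINNED)
    print("old parse:", before, "<- attacker's commit" if before == EVIL else "")
    print("new parse:", after, "<- pin kept, rev is checked out as a commit id")
```

Run directly, the old loop hands `resolve` the attacker's commit under the key `refs/tags/<PINNED>`, because the second half of the hostile tag name turns into a fake `<sha> <ref>` line of its own; the new loop keeps the entire tag name as a single key, the lookup for the pinned name misses, and the pin falls through to a direct commit checkout. The same constructed input also shows why both separators are needed: U+2028 alone produces fragments that fail the two-field unpack, and U+00A0 alone produces three fields on one line.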