It was discovered that pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. References: https://packetstormsecurity.com/files/162712/USN-4961-1.txt
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 1962857] Created python-virtualenv tracking bugs for this issue: Affects: fedora-all [bug 1962858]
(In reply to Pedro Sampaio from comment #1)
> Created python-virtualenv tracking bugs for this issue:
>
> Affects: fedora-all [bug 1962858]

Why python-virtualenv?
(In reply to Miro Hrončok from comment #2)
> (In reply to Pedro Sampaio from comment #1)
> > Created python-virtualenv tracking bugs for this issue:
> >
> > Affects: fedora-all [bug 1962858]
>
> Why python-virtualenv?

Our package manifests flagged python-pip being embedded in python-virtualenv.
Could you please update the package manifests? python-pip is not embedded in python-virtualenv since Fedora 31.

python-pip is however embedded in several other Fedora packages:

Fedora 32:

$ repoquery -q --repo={fedora,updates} --releasever 32 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
pipenv-2018.11.26-13.fc32.src.rpm
python34-3.4.10-11.fc32.src.rpm

Fedora 33:

$ repoquery -q --repo={fedora,updates} --releasever 33 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
jython-2.7.1-14.fc33.src.rpm
pipenv-2020.8.13-1.fc33.src.rpm
pypy-7.3.1-2.fc33.src.rpm
python2.7-2.7.18-8.fc33.src.rpm
python3.5-3.5.10-5.fc33.src.rpm

Fedora 34:

$ repoquery -q --repo={fedora,updates} --releasever 34 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
jython-2.7.1-16.fc34.src.rpm
pipenv-2020.11.15-2.fc34.src.rpm
pypy-7.3.1-3.fc34.src.rpm
python2.7-2.7.18-9.fc34.src.rpm
python3.5-3.5.10-5.fc34.src.rpm

Fedora 35 (Rawhide):

$ repoquery -q --repo=rawhide --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
pipenv-2020.11.15-2.fc35.src.rpm
pypy-7.3.1-3.fc34.src.rpm
python2.7-2.7.18-10.fc35.src.rpm
python3.5-3.5.10-5.fc35.src.rpm

Thanks.
Upstream PR: https://github.com/pypa/pip/pull/9827
Upstream commit: https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b
After a deep investigation of this issue in older pip versions in SCL, I've discovered that the older pip versions are not vulnerable when used with Python 2. The reason is that the output from git commands like `git show-ref` is processed as bytes and therefore methods like `splitlines` ignore Unicode characters. See the different implementation of console_to_str for different Pythons:

https://github.com/pypa/pip/blob/281eb61b09d87765d7c2b92f6982b3fe76ccb0af/pip/compat/__init__.py#L70-L90

For example, pip 8.1.2 in combination with Python 3.6 is vulnerable:

$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
Collecting git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
  Cloning https://github.com/frenzymadness/CVE-2021-3572.git (to original_version) to /tmp/pip-docgjnth-build
…
ValueError: not enough values to unpack (expected 2, got 1)

$ pip install git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
Collecting git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
  Cloning https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git (to original_version) to /tmp/pip-u2t8sr1v-build
…
Successfully installed cve-2021-3572-9999.0 <- vulnerable version

but when I use the same version of pip with Python 2:

$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
Collecting git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
  Cloning https://github.com/frenzymadness/CVE-2021-3572.git (to original_version) to /tmp/pip-FdQt3Z-build
Installing collected packages: cve-2021-3572
  Running setup.py install for cve-2021-3572 ... done
Successfully installed cve-2021-3572-1.0 <- correct version

$ pip install git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
Collecting git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
  Cloning https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git (to original_version) to /tmp/pip-BRA1UZ-build
Installing collected packages: cve-2021-3572
  Running setup.py install for cve-2021-3572 ... done
Successfully installed cve-2021-3572-1.0 <- correct version

The output of the git command where a Unicode character is at the end of the line looks like this in Python 2 (the last line only):

'78d66bca804c673ae8458fcd264dc9be6622ea6f refs/tags/original_version\xe2\x80\xa8\n'

but the bytes are not there in Python 3:

'78d66bca804c673ae8458fcd264dc9be6622ea6f refs/tags/original_version\n'

The same applies to tags with a Unicode character in the middle of the tag's name. Python 2, where it's only one line:

'4bf1a91683406ace8b3f5a6032932b2f5e575c71 refs/tags/original_version\xe2\x80\xa8a\xe2\x80\x80a/original_version\n'

and Python 3, where the split happens and the result is two lines:

'4bf1a91683406ace8b3f5a6032932b2f5e575c71 refs/tags/original_version\u2028a\u2000a/original_version\n'
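To make the mechanism described in the comment above concrete, here is an added example (written for this page; it is not pip's code and not the reporter's test repositories). It models the pre-fix parsing of `git show-ref` output as str.splitlines() followed by a whitespace split(), and the hardened parsing as splitting only on "\n" and on a single ASCII space, which is the approach the linked upstream fix takes; a third parser keeps the output as bytes, which is the Python 2 behaviour the comment observes. The SHAs, the tag name and the show-ref output are constructed, and the 40-hex-character check in the hardened parser is an extra assertion added here, not part of the upstream fix.

```python
"""CVE-2021-3572 mechanism: Unicode separators in git ref names.

Added example, not pip's code. SHAs and ref names below are constructed.
"""
from typing import Callable, Dict, Optional

GOOD_SHA = "a1" * 20  # constructed: commit the real tag points at
EVIL_SHA = "b2" * 20  # constructed: commit the attacker wants installed

# Constructed `git show-ref original_version` output from a repository
# where the attacker also created a tag whose name embeds U+2028 (LINE
# SEPARATOR) and U+2000 (EN QUAD). Git refuses ASCII space and control
# characters in ref names but accepts both of these, and show-ref lists
# the tag because its name ends in "/original_version".
CRAFTED_TAG = "original_version\u2028" + EVIL_SHA + "\u2000refs/tags/original_version"
SHOW_REF_OUTPUT = (
    f"{GOOD_SHA} refs/tags/original_version\n"
    f"{GOOD_SHA} refs/tags/{CRAFTED_TAG}\n"
).encode("utf-8")

RefMap = Dict[str, str]


def parse_refs_vulnerable(output: bytes) -> RefMap:
    """Pre-fix style parsing on str: splitlines() + whitespace split().

    str.splitlines() also breaks on U+2028, U+2029, U+0085, \\x1c-\\x1e,
    \\x0b and \\x0c, and str.split() breaks on any Unicode whitespace, so a
    single ref line can turn into an extra attacker-shaped "<sha> <ref>" line.
    """
    refs: RefMap = {}
    for line in output.decode("utf-8").strip().splitlines():
        sha, ref = line.split()  # ValueError if a fragment has no whitespace
        refs[ref] = sha  # a later duplicate key silently wins
    return refs


def parse_refs_hardened(output: bytes) -> RefMap:
    """Fixed style: only "\\n" ends a line and only one ASCII space separates
    the fields (the approach of the upstream fix). The SHA check is an extra
    defence-in-depth assertion added here, not part of that fix."""
    refs: RefMap = {}
    for line in output.decode("utf-8").strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        sha, ref = line.split(" ", maxsplit=1)
        if len(sha) != 40 or any(c not in "0123456789abcdef" for c in sha):
            raise ValueError(f"unexpected show-ref line: {line!r}")
        refs[ref] = sha
    return refs


def parse_refs_bytes(output: bytes) -> RefMap:
    """Python 2 style: parse the output as bytes. bytes.splitlines() only
    knows \\n and \\r and bytes.split() only ASCII whitespace, so the
    separators inside the tag name stay part of the name; this is why the
    old pip was found not vulnerable under Python 2."""
    refs: RefMap = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()
        refs[ref.decode("utf-8")] = sha.decode("ascii")
    return refs


def resolve(parser: Callable[[bytes], RefMap], output: bytes, rev: str) -> Optional[str]:
    """Mirror the lookup order pip uses: remote branch first, then tag."""
    refs = parser(output)
    sha = refs.get(f"refs/remotes/origin/{rev}")
    if sha is not None:
        return sha
    return refs.get(f"refs/tags/{rev}")


def line_counts(output: bytes):
    """How many lines str and bytes see in the same show-ref output."""
    return len(output.decode("utf-8").splitlines()), len(output.splitlines())


if __name__ == "__main__":
    print("lines seen as str / as bytes:", line_counts(SHOW_REF_OUTPUT))
    for name, parser in (("vulnerable", parse_refs_vulnerable),
                         ("hardened", parse_refs_hardened),
                         ("bytes (py2-like)", parse_refs_bytes)):
        sha = resolve(parser, SHOW_REF_OUTPUT, "original_version")
        print(f"{name:17} resolves original_version -> {sha}")
```

The vulnerable parser resolves `original_version` to the attacker's commit because the third fragment produced by splitlines() looks like a well-formed `<sha> refs/tags/original_version` line and overwrites the real entry; the hardened and bytes parsers both keep the crafted name as one opaque ref that simply does not match. For anyone consuming git dependencies, pinning to a full commit hash instead of a tag avoids this ref lookup entirely.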
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3572
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4455 https://access.redhat.com/errata/RHSA-2021:4455