Upgrade urllib3 to 1.25.3, requests to 2.22.0

- Fix urllib3 CVE-2019-11324 (#1774595) - Fix urllib3 CVE-2019-11236 (#1775363)
2020-01-02 11:26:24 +01:00 · 2020-01-02 11:26:24 +01:00 · afb5be3c75
parent 46d2457dea
commit afb5be3c75
3 changed files with 4737 additions and 3 deletions
--- a/python-pip.spec
+++ b/python-pip.spec
@ -23,7 +23,7 @@ Name:           python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 # You can use vendor_meta.sh in the dist git repo
 Version:        19.0.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        A tool for installing and managing Python packages

 # We bundle a lot of libraries with pip, which itself is under MIT license.
@ -50,6 +50,7 @@ Summary:        A tool for installing and managing Python packages
 # idna: BSD
 # urllib3: MIT
 # certifi: MPLv2.0
+# rfc3986: ASL 2.0
 # setuptools: MIT
 # webencodings: BSD

@ -107,6 +108,19 @@ Patch4:         dummy-certifi.patch
 # https://github.com/pypa/pip/pull/6728
 Patch6:         python39.patch

+# Upgrade urllib3 to 1.25.3
+# This bundles rfc3986
+# https://github.com/pypa/pip/commit/0d620c4a03a8b3765ec45785299244e1a494d750
+# CVE-2019-11324: Certification mishandle when error should be thrown
+# https://bugzilla.redhat.com/show_bug.cgi?id=1774595
+# CVE-2019-11236: CRLF injection due to not encoding the '\r\n' sequence
+# https://bugzilla.redhat.com/show_bug.cgi?id=1775363
+Patch7:         urllib3-1.25.3.patch
+
+# Upgrade requests to 2.22.0 (needed for urllib3 1.25.3)
+# https://github.com/pypa/pip/commit/8e8d28dd8ecc9226ea4e0f75d54151df90f4d78e
+Patch8:         requests-2.22.0.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older/newer versions.
@ -154,11 +168,12 @@ Provides: bundled(python%{1}dist(pep517)) = 0.5.0
 Provides: bundled(python%{1}dist(progress)) = 1.4
 Provides: bundled(python%{1}dist(pyparsing)) = 2.3.1
 Provides: bundled(python%{1}dist(pytoml)) = 0.1.20
-Provides: bundled(python%{1}dist(requests)) = 2.21.0
+Provides: bundled(python%{1}dist(requests)) = 2.22.0
 Provides: bundled(python%{1}dist(retrying)) = 1.3.3
 Provides: bundled(python%{1}dist(setuptools)) = 40.6.3
 Provides: bundled(python%{1}dist(six)) = 1.12.0
-Provides: bundled(python%{1}dist(urllib3)) = 1.24.1
+Provides: bundled(python%{1}dist(urllib3)) = 1.25.3
+Provides: bundled(python%{1}dist(rfc3986)) = 1.3.2
 Provides: bundled(python%{1}dist(webencodings)) = 0.5.1
 }

@ -300,6 +315,8 @@ popd
 %patch3 -p1
 %patch4 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1

 # this goes together with patch4
 rm src/pip/_vendor/certifi/*.pem
@ -520,6 +537,11 @@ ln -sf %{buildroot}%{_bindir}/pip3 _bin/pip
 %endif

 %changelog
+* Thu Jan 02 2020 Miro Hrončok <mhroncok@redhat.com> - 19.0.3-6
+- Upgrade urllib3 to 1.25.3, requests to 2.22.0
+- Fix urllib3 CVE-2019-11324 (#1774595)
+- Fix urllib3 CVE-2019-11236 (#1775363)
+
 * Mon Nov 25 2019 Miro Hrončok <mhroncok@redhat.com> - 19.0.3-5
 - Make python-pip-wheel work with Python 3.9

--- a/requests-2.22.0.patch
+++ b/requests-2.22.0.patch
@ -0,0 +1,91 @@
+From 8e8d28dd8ecc9226ea4e0f75d54151df90f4d78e Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <pradyunsg@gmail.com>
+Date: Sat, 20 Jul 2019 09:31:48 +0530
+Subject: [PATCH] Upgrade requests to 2.22.0
+
+---
+ news/requests.vendor                    | 1 +
+ src/pip/_vendor/requests/__init__.py    | 4 ++--
+ src/pip/_vendor/requests/__version__.py | 6 +++---
+ src/pip/_vendor/requests/api.py         | 4 ++--
+ src/pip/_vendor/vendor.txt              | 1 +
+ 5 files changed, 9 insertions(+), 7 deletions(-)
+ create mode 100644 news/requests.vendor
+
+diff --git a/news/requests.vendor b/news/requests.vendor
+new file mode 100644
+index 0000000000..aac729b0e1
+--- /dev/null
+++ b/news/requests.vendor
+@@ -0,0 +1 @@
+Upgrade requests to 2.22.0
+diff --git a/src/pip/_vendor/requests/__init__.py b/src/pip/_vendor/requests/__init__.py
+index 80c4ce1d21..1d30e3e063 100644
+--- a/src/pip/_vendor/requests/__init__.py
+++ b/src/pip/_vendor/requests/__init__.py
+@@ -57,10 +57,10 @@ def check_compatibility(urllib3_version, chardet_version):
+     # Check urllib3 for compatibility.
+     major, minor, patch = urllib3_version  # noqa: F811
+     major, minor, patch = int(major), int(minor), int(patch)
+-    # urllib3 >= 1.21.1, <= 1.24
+    # urllib3 >= 1.21.1, <= 1.25
+     assert major == 1
+     assert minor >= 21
+-    assert minor <= 24
+    assert minor <= 25
+ 
+     # Check chardet for compatibility.
+     major, minor, patch = chardet_version.split('.')[:3]
+diff --git a/src/pip/_vendor/requests/__version__.py b/src/pip/_vendor/requests/__version__.py
+index f5b5d03671..9844f740ab 100644
+--- a/src/pip/_vendor/requests/__version__.py
+++ b/src/pip/_vendor/requests/__version__.py
+@@ -5,10 +5,10 @@
+ __title__ = 'requests'
+ __description__ = 'Python HTTP for Humans.'
+ __url__ = 'http://python-requests.org'
+-__version__ = '2.21.0'
+-__build__ = 0x022100
+__version__ = '2.22.0'
+__build__ = 0x022200
+ __author__ = 'Kenneth Reitz'
+ __author_email__ = 'me@kennethreitz.org'
+ __license__ = 'Apache 2.0'
+-__copyright__ = 'Copyright 2018 Kenneth Reitz'
+__copyright__ = 'Copyright 2019 Kenneth Reitz'
+ __cake__ = u'\u2728 \U0001f370 \u2728'
+diff --git a/src/pip/_vendor/requests/api.py b/src/pip/_vendor/requests/api.py
+index abada96d46..ef71d0759e 100644
+--- a/src/pip/_vendor/requests/api.py
+++ b/src/pip/_vendor/requests/api.py
+@@ -19,7 +19,7 @@ def request(method, url, **kwargs):
+     :param method: method for the new :class:`Request` object.
+     :param url: URL for the new :class:`Request` object.
+     :param params: (optional) Dictionary, list of tuples or bytes to send
+-        in the body of the :class:`Request`.
+        in the query string for the :class:`Request`.
+     :param data: (optional) Dictionary, list of tuples, bytes, or file-like
+         object to send in the body of the :class:`Request`.
+     :param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`.
+@@ -65,7 +65,7 @@ def get(url, params=None, **kwargs):
+ 
+     :param url: URL for the new :class:`Request` object.
+     :param params: (optional) Dictionary, list of tuples or bytes to send
+-        in the body of the :class:`Request`.
+        in the query string for the :class:`Request`.
+     :param \*\*kwargs: Optional arguments that ``request`` takes.
+     :return: :class:`Response <Response>` object
+     :rtype: requests.Response
+diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
+index bcf579515e..e5542fbc5e 100644
+--- a/src/pip/_vendor/vendor.txt
+++ b/src/pip/_vendor/vendor.txt
+@@ -12,7 +12,7 @@ pep517==0.5.0
+ progress==1.4
+ pyparsing==2.3.1
+ pytoml==0.1.20
+-requests==2.21.0
+requests==2.22.0
+     certifi==2018.11.29
+     chardet==3.0.4
+     idna==2.8
--- a/urllib3-1.25.3.patch
+++ b/urllib3-1.25.3.patch