!158 fix CVE-2023-45803 and CVE-2024-37891

From: @yangyuan32 
Reviewed-by: @zhuchunyi 
Signed-off-by: @zhuchunyi

backport-CVE-2020-14422.patch

@@ -0,0 +1,43 @@
+From b30ee26e366bf509b7538d79bfec6c6d38d53f28 Mon Sep 17 00:00:00 2001
+From: Ravi Teja P <rvteja92@gmail.com>
+Date: Mon, 29 Jun 2020 23:09:29 +0530
+Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
+ IPv6Interface (GH-21033)
+ 
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+ 
+Reference:https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28
+Conflict:NA
+ 
+---
+ src/pip/_vendor/ipaddress.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/src/pip/_vendor/ipaddress.py b/src/pip/_vendor/ipaddress.py
+index 3e6f9e499..19dfc4cdb 100644
+--- a/src/pip/_vendor/ipaddress.py
++++ b/src/pip/_vendor/ipaddress.py
+@@ -1536,7 +1536,7 @@ class IPv4Interface(IPv4Address):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+@@ -2229,7 +2229,7 @@ class IPv6Interface(IPv6Address):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+-- 
+2.21.0
+

backport-CVE-2021-33503.patch

@@ -0,0 +1,42 @@
+From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <sethmichaellarson@gmail.com>
+Date: Wed, 26 May 2021 10:43:12 -0500
+Subject: [PATCH] Improve performance of sub-authority splitting in URL
+
+---
+ src/pip/_vendor/urllib3/util/url.py |  8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/url.py b/src/pip/_vendor/urllib3/util/url.py
+index 6ff238f..81a03da 100644
+--- a/src/pip/_vendor/urllib3/util/url.py
++++ b/src/pip/_vendor/urllib3/util/url.py
+@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+ 
+-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+     REG_NAME_PAT,
+     IPV4_PAT,
+     IPV6_ADDRZ_PAT,
+ )
+-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
+ 
+ UNRESERVED_CHARS = set(
+     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
+@@ -365,7 +365,9 @@ def parse_url(url):
+             scheme = scheme.lower()
+ 
+         if authority:
+-            auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
++            auth, _, host_port = authority.rpartition("@")
++            auth = auth or None
++            host, port = _HOST_PORT_RE.match(host_port).groups()
+             if auth and normalize_uri:
+                 auth = _encode_invalid_chars(auth, USERINFO_CHARS)
+             if port == "":
+-- 
+1.8.3.1
+

backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch

@@ -0,0 +1,31 @@
+From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <sethmichaellarson@gmail.com>
+Date: Mon, 2 Oct 2023 11:43:46 -0500
+Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
+
+Conflict:Files test_retry.py,test_retry_deprecated.py ,and test_poolmaner.py do not exit.Therefore,no test case is involved.
+Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index ee30c91..545e876 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
++++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -154,7 +154,7 @@ class Retry(object):
+ 
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Authorization"])
++    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie","Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+-- 
+2.33.0
+

backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch

@@ -0,0 +1,98 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+
+Conflict:Files dummyserver/handlers.py, test/with_dummyserver/test_connectionpool.py
+and test/with_dummyserver/test_poolmanager.py do not exist. Therefore, no dummy server
+and test case is involved.
+Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
+
+---
+ src/pip/_vendor/urllib3/_collections.py   | 18 ++++++++++++++++++
+ src/pip/_vendor/urllib3/connectionpool.py |  6 +++++-
+ src/pip/_vendor/urllib3/poolmanager.py    |  7 +++++--
+ 3 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
+index 019d151..8b3f0f7 100644
+--- a/src/pip/_vendor/urllib3/_collections.py
++++ b/src/pip/_vendor/urllib3/_collections.py
+@@ -267,6 +267,24 @@ class HTTPHeaderDict(MutableMapping):
+         else:
+             return vals[1:]
+ 
++    def _prepare_for_method_change(self):
++        """
++        Remove content-specific header fields before changing the request
++        method to GET or HEAD according to RFC 9110, Section 15.4.
++        """
++        content_specific_headers = [
++            "Content-Encoding",
++            "Content-Language",
++            "Content-Location",
++            "Content-Type",
++            "Content-Length",
++            "Digest",
++            "Last-Modified",
++        ]
++        for header in content_specific_headers:
++            self.discard(header)
++        return self
++
+     # Backwards compatibility for httplib
+     getheaders = getlist
+     getallmatchingheaders = getlist
+diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
+index 5f044db..539eb04 100644
+--- a/src/pip/_vendor/urllib3/connectionpool.py
++++ b/src/pip/_vendor/urllib3/connectionpool.py
+@@ -7,7 +7,7 @@ import warnings
+ from socket import error as SocketError, timeout as SocketTimeout
+ import socket
+ 
+-
++from ._collections import HTTPHeaderDict
+ from .exceptions import (
+     ClosedPoolError,
+     ProtocolError,
+@@ -769,7 +769,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+         redirect_location = redirect and response.get_redirect_location()
+         if redirect_location:
+             if response.status == 303:
++                # Change the method according to RFC 9110, Section 15.4.4.
+                 method = "GET"
++                # And lose the body not to transfer anything sensitive.
++                body = None
++                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
+index e2bd3bd..c30c5e0 100644
+--- a/src/pip/_vendor/urllib3/poolmanager.py
++++ b/src/pip/_vendor/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import functools
+ import logging
+ import warnings
+ 
+-from ._collections import RecentlyUsedContainer
++from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool
+ from .connectionpool import port_by_scheme
+ from .exceptions import (
+@@ -342,9 +342,12 @@ class PoolManager(RequestMethods):
+         # Support relative URLs for redirecting.
+         redirect_location = urljoin(url, redirect_location)
+ 
+-        # RFC 7231, Section 6.4.4
+         if response.status == 303:
++            # Change the method according to RFC 9110, Section 15.4.4.
+             method = "GET"
++            # And lose the body not to transfer anything sensitive.
++            kw["body"] = None
++            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+         retries = kw.get("retries")
+         if not isinstance(retries, Retry):
+--

backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch

@@ -0,0 +1,31 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+Conflict:Files test/test_retry.py and test/with_dummyserver/test_poolmanager.py do not
+exist. Therefore, no test case is involved.
+Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index 545e876..b4a2d3d 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
++++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -154,7 +154,9 @@ class Retry(object):
+ 
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie","Authorization"])
++    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+-- 

backport-fix-vulnerable-regex.patch

@@ -0,0 +1,25 @@
+From 254e668eef34ca21005634a2bdba9d9a74deaa26 Mon Sep 17 00:00:00 2001
+From: M00nL1ght <69127692+SCH227@users.noreply.github.com>
+Date: Tue, 30 Aug 2022 05:51:29 +0300
+Subject: [PATCH] Fix vulnerable regex
+
+Implement exclusive RE searches to avoid backtracking
+---
+ src/pip/_internal/models/wheel.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/models/wheel.py b/src/pip/_internal/models/wheel.py
+index 35c70375539..a5dc12bdd63 100644
+--- a/src/pip/_internal/models/wheel.py
++++ b/src/pip/_internal/models/wheel.py
+@@ -13,8 +13,8 @@ class Wheel:
+     """A wheel file"""
+ 
+     wheel_file_re = re.compile(
+-        r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.*?))
+-        ((-(?P<build>\d[^-]*?))?-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)
++        r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]*?))
++        ((-(?P<build>\d[^-]*?))?-(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>[^\s-]+?)
+         \.whl|\.dist-info)$""",
+         re.VERBOSE
+     )

python-pip.spec

@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        20.2.2
-Release:        4
+Release:        9
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@@ -18,6 +18,12 @@ Patch2:         emit-a-warning-when-running-with-root-privileges.patch
 Patch3:         remove-existing-dist-only-if-path-conflicts.patch
 Patch6000:      dummy-certifi.patch
 Patch6001:      backport-CVE-2021-3572.patch
+Patch6002:      backport-CVE-2021-33503.patch
+Patch6003:      backport-CVE-2020-14422.patch
+Patch6004:      backport-fix-vulnerable-regex.patch
+Patch6005:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
+Patch6006:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
+Patch6007:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 
 Source1:	pip-allow-older-versions.patch
 
@@ -155,6 +161,21 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 20.2.2-9
+- Fix CVE-2023-45803 and CVE-2024-37891
+
+* Wed Jun 26 2024 zhangruifang <zhangruifang@h-partners.com> - 20.2.2-8
+- Fix CVE-2023-43804
+
+* Wed Dec 13 2023 yanglongkang <yanglongkang@h-partners.com> - 20.2.2-7
+- Fix vulnerable regex
+
+* Fri Sep 16 2022 yanglongkang<yanglongkang@h-partners.com> - 20.2.2-6
+- fix CVE-2020-14422
+
+* Fri Sep 09 2022 renhongxun<renhongxun@h-partners.com> - 20.2.2-5
+- fix CVE-2021-33503
+
 * Sat Aug 23 2021 shixuantong<shixuantong@huawei.com> - 20.2.2-4
 - delete bounded certificate