Revert "[MEDIUM] Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702" (#15957)

Author: Kanishk-Bansal

SPECS/python-virtualenv/0001-replace-to-flit.patch

@@ -1,14 +1,14 @@
-From a778f8a379f75100d24159c4c3ffdbce4ff36e07 Mon Sep 17 00:00:00 2001
-From: Archana Shettigar <v-shettigara@microsoft.com>
-Date: Wed, 14 Jan 2026 15:30:01 +0530
+From efa2c18a0c114f2d32e2c101401b716e4ac9e6f4 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 26 Feb 2025 06:31:14 +0000
 Subject: [PATCH] replace-to-flit
 
 ---
  pyproject.toml | 23 ++++-------------------
  1 file changed, 4 insertions(+), 19 deletions(-)
 
 diff --git a/pyproject.toml b/pyproject.toml
-index 0a7ca00..03706b2 100644
+index fabf434..179525d 100644
 --- a/pyproject.toml
 +++ b/pyproject.toml
 @@ -1,9 +1,6 @@
@@ -41,9 +41,9 @@ index 0a7ca00..03706b2 100644
 -]
 +version = "3.10.0"
  dependencies = [
-   "distlib>=0.3.7,<1",
-   "filelock>=3.16.1,<4; python_version<'3.10'",
-@@ -99,16 +94,6 @@ entry-points."virtualenv.discovery".builtin = "virtualenv.discovery.builtin:Buil
+   "distlib<1,>=0.3.7",
+   "filelock<4,>=3.12.2",
+@@ -95,16 +90,6 @@ entry-points."virtualenv.discovery".builtin = "virtualenv.discovery.builtin:Buil
  entry-points."virtualenv.seed".app-data = "virtualenv.seed.embed.via_app_data.via_app_data:FromAppData"
  entry-points."virtualenv.seed".pip = "virtualenv.seed.embed.pip_invoke:PipInvoke"
 
@@ -58,8 +58,8 @@ index 0a7ca00..03706b2 100644
 -version.source = "vcs"
 -
  [tool.ruff]
+ target-version = "py37"
  line-length = 120
- format.preview = true
 -- 
-2.45.4
+2.45.2
 

SPECS/python-virtualenv/CVE-2025-50181v0.patch

@@ -0,0 +1,48 @@
+From e942dd93a09e2eb8a52097c76075d0a42be20f39 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Tue, 8 Jul 2025 10:53:14 -0400
+Subject: [PATCH] Address CVE-2025-50181-1
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index 14b10da..574b7de 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools)
+ 
+@@ -386,7 +402,7 @@ class PoolManager(RequestMethods):
+         if response.status == 303:
+             method = "GET"
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+

…S/python-virtualenv/CVE-2025-50181.patch …python-virtualenv/CVE-2025-50181v1.patchSPECS/python-virtualenv/CVE-2025-50181.patch renamed to SPECS/python-virtualenv/CVE-2025-50181v1.patch SPECS/python-virtualenv/CVE-2025-50181.patch renamed to SPECS/python-virtualenv/CVE-2025-50181v1.patch

@@ -1,7 +1,7 @@
-From 58ec34d3c1b0505961c7d17a7e89c8a5e8e701cb Mon Sep 17 00:00:00 2001
-From: Archana Shettigar <v-shettigara@microsoft.com>
-Date: Thu, 15 Jan 2026 16:20:25 +0530
-Subject: [PATCH] Address CVE-2025-50181v0
+From 8275bde7d461c4d6cd44397529fcb75847eee97c Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Wed, 9 Jul 2025 22:12:03 -0400
+Subject: [PATCH] Address CVE-xxxx-yyyy
 Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
 ---
  pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
@@ -44,5 +44,5 @@ index fb51bf7..a8de7c6 100644
              retries = Retry.from_int(retries, redirect=redirect)
 
 -- 
-2.45.4
+2.34.1
 

SPECS/python-virtualenv/CVE-2025-50181v2.patch

@@ -0,0 +1,48 @@
+From b9f02b9d46967b99beab18718c79e79e08304c89 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Tue, 8 Jul 2025 22:33:17 -0400
+Subject: [PATCH] Address CVE-2025-50181v2
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index fe5491c..d03b343 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -151,6 +151,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools,
+                                            dispose_func=lambda p: p.close())
+@@ -333,7 +349,7 @@ class PoolManager(RequestMethods):
+         if response.status == 303:
+             method = 'GET'
+ 
+-        retries = kw.get('retries')
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+

SPECS/python-virtualenv/CVE-2025-50181v3.patch

@@ -0,0 +1,48 @@
+From 3d5efc9facfee6c0136bbe14e02000de2cfcef23 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Wed, 9 Jul 2025 07:33:05 -0400
+Subject: [PATCH] Address CVE-2025-50181v3
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index 242a2f8..c542cea 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -158,6 +158,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools, dispose_func=lambda p: p.close())
+ 
+@@ -340,7 +356,7 @@ class PoolManager(RequestMethods):
+         if response.status == 303:
+             method = "GET"
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+

SPECS/python-virtualenv/python-virtualenv.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "virtualenv-20.36.1.tar.gz": "8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"
+    "python-virtualenv-20.26.6.tar.gz": "280aede09a2a5c317e409a00102e7077c6432c5a38f0ef938e643805a7ad2c48"
   }
 }

SPECS/python-virtualenv/python-virtualenv.spec

@@ -1,15 +1,18 @@
 Summary:        Virtual Python Environment builder
 Name:           python-virtualenv
-Version:        20.36.1
-Release:        1%{?dist}
+Version:        20.26.6
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://pypi.python.org/pypi/virtualenv
-Source0:        https://files.pythonhosted.org/packages/aa/a3/4d310fa5f00863544e1d0f4de93bddec248499ccf97d4791bc3122c9d4f3/virtualenv-20.36.1.tar.gz
+Source0:        https://files.pythonhosted.org/packages/3f/40/abc5a766da6b0b2457f819feab8e9203cbeae29327bd241359f866a3da9d/virtualenv-20.26.6.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         0001-replace-to-flit.patch
-Patch1000:      CVE-2025-50181.patch
+Patch1000:      CVE-2025-50181v0.patch
+Patch1001:      CVE-2025-50181v1.patch
+Patch1002:      CVE-2025-50181v2.patch
+Patch1003:      CVE-2025-50181v3.patch
 BuildArch:      noarch
 
 %description
@@ -51,29 +54,66 @@ virtualenv is a tool to create isolated Python environment.
 # For the poolmanager.py under tests, it is archived inside a .whl file, which in turn is archived inside another .whl file,
 # so, we need to unpack the outer .whl, then unpack the inner .whl, apply the patch, and then re-zip both levels.
 
-echo "Manually Patching virtualenv-20.36.1/src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
-mkdir -p unpacked_pip-25.0.1-py3-none-any
-unzip src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl -d unpacked_pip-25.0.1-py3-none-any
-patch -p1 -d unpacked_pip-25.0.1-py3-none-any < %{PATCH1000}
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-24.0-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl -d unpacked_pip-24.0-py3-none-any
+patch -p1 -d unpacked_pip-24.0-py3-none-any < %{PATCH1000}
 # Remove the original file
-rm -f src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
+rm -f src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl
 # After patching, re-zip the contents back into a .whl
-pushd unpacked_pip-25.0.1-py3-none-any
-zip -r ../src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl *
+pushd unpacked_pip-24.0-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl *
 popd
-rm -rf unpacked_pip-25.0.1-py3-none-any
+rm -rf unpacked_pip-24.0-py3-none-any
 
-echo "Manually Patching virtualenv-20.36.1/src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
-mkdir -p unpacked_pip-25.3-py3-none-any
-unzip src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl -d unpacked_pip-25.3-py3-none-any
-patch -p1 -d unpacked_pip-25.3-py3-none-any < %{PATCH1000}
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-24.2-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl -d unpacked_pip-24.2-py3-none-any
+patch -p1 -d unpacked_pip-24.2-py3-none-any < %{PATCH1001}
 # Remove the original file
-rm -f src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl
+rm -f src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl
 # After patching, re-zip the contents back into a .whl
-pushd unpacked_pip-25.3-py3-none-any
-zip -r ../src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl *
+pushd unpacked_pip-24.2-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl *
+popd
+rm -rf unpacked_pip-24.2-py3-none-any
+
+echo "Manually Patching the poolmanager.py under tests, it needs to be unpacked from a .whl file, which is inside another .whl file"
+# unpack the outer wheel
+mkdir -p unpacked_virtualenv-16.7.9-py2.py3-none-any
+unzip tests/unit/create/virtualenv-16.7.9-py2.py3-none-any.whl -d unpacked_virtualenv-16.7.9-py2.py3-none-any
+
+# This is the pip-19.1.1 wheel that is archived inside the virtualenv_support directory of the outer wheel
+# We need to unpack it, apply the patch, and then re-zip it
+echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+# unpack the inner wheel
+mkdir -p unpacked_pip-19.1.1-py2.py3-none-any
+unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl -d unpacked_pip-19.1.1-py2.py3-none-any
+patch -p1 -d unpacked_pip-19.1.1-py2.py3-none-any < %{PATCH1002}
+rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
+pushd unpacked_pip-19.1.1-py2.py3-none-any
+zip -r ../unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl *
+popd
+rm -rf unpacked_pip-19.1.1-py2.py3-none-any
+
+# Now, we need to patch the pip-19.3.1 wheel that is archived inside the virtualenv_support directory of the outer wheel
+# We need to unpack it, apply the patch, and then re-zip it
+echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-19.3.1-py2.py3-none-any
+unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl -d unpacked_pip-19.3.1-py2.py3-none-any
+patch -p1 -d unpacked_pip-19.3.1-py2.py3-none-any < %{PATCH1003}
+# Repack the inner wheel
+rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
+pushd unpacked_pip-19.3.1-py2.py3-none-any
+zip -r ../unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl *
+popd
+rm -rf unpacked_pip-19.3.1-py2.py3-none-any
+
+# Repack the outer wheel
+rm -f tests/unit/create/virtualenv-16.7.9-py2.py3-none-any.whl
+pushd unpacked_virtualenv-16.7.9-py2.py3-none-any
+zip -r ../tests/unit/create/unpacked_virtualenv-16.7.9-py2.py3-none-any *
 popd
-rm -rf unpacked_pip-25.3-py3-none-any
 
 %generate_buildrequires
 
@@ -86,7 +126,7 @@ rm -rf unpacked_pip-25.3-py3-none-any
 %check
 pip3 install 'tox>=3.27.1,<4.0.0'
 # skip "test_can_build_c_extensions" tests since they fail on python3_version >= 3.12. See https://src.fedoraproject.org/rpms/python-virtualenv/blob/rawhide/f/python-virtualenv.spec#_153
-export PYTEST_ADDOPTS='-k "not test_can_build_c_extensions"'
+sed -i 's/coverage run -m pytest {posargs:--junitxml {toxworkdir}\/junit\.{envname}\.xml tests --int}/coverage run -m pytest {posargs:--junitxml {toxworkdir}\/junit\.{envname}\.xml tests -k "not test_can_build_c_extensions" --int}/g' tox.ini
 tox -e py
 
 %files -n python3-virtualenv
@@ -96,9 +136,6 @@ tox -e py
 %{_bindir}/virtualenv
 
 %changelog
-* Thu Jan 15 2026 Archana Shettigar <v-shettigara@microsoft.com> - 20.36.1-1
-- Upgrade to 20.36.1 for CVE-2026-22702
-
 * Wed Jul 09 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 20.26.6-2
 - Add patch to fix CVE-2025-50181 in urllib3 poolmanager.py
 

cgmanifest.json

@@ -24914,8 +24914,8 @@
         "type": "other",
         "other": {
           "name": "python-virtualenv",
-          "version": "20.36.1",
-          "downloadUrl": "https://files.pythonhosted.org/packages/aa/a3/4d310fa5f00863544e1d0f4de93bddec248499ccf97d4791bc3122c9d4f3/virtualenv-20.36.1.tar.gz"
+          "version": "20.26.6",
+          "downloadUrl": "https://files.pythonhosted.org/packages/3f/40/abc5a766da6b0b2457f819feab8e9203cbeae29327bd241359f866a3da9d/virtualenv-20.26.6.tar.gz"
         }
       }
     },