[AUTO-CHERRYPICK] Patch python3 for multiple CVEs in pip bundled wheel [High] - branch main (#13411)

CBL-Mariner-Bot · Ankita13-code · web-flow · commit ad67d53ec3a8 · 2025-04-15T17:54:36.000-04:00
Co-authored-by: Ankita Pareek &lt;56152556+Ankita13-code@users.noreply.github.com&gt;
diff --git a/SPECS/python3/CVE-2023-43804.patch b/SPECS/python3/CVE-2023-43804.patch
@@ -0,0 +1,28 @@
+From 76d52df7fe49be31a47503a8f77c4b172809fc9b Mon Sep 17 00:00:00 2001
+From: Ankita Pareek <ankitapareek@microsoft.com>
+Date: Fri, 11 Apr 2025 19:08:28 +0530
+Subject: [PATCH] python3: Address CVE-2023-43804 with a patch
+
+Upstream reference: https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
+
+Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
+---
+ _vendor/urllib3/util/retry.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/util/retry.py b/pip/_vendor/urllib3/util/retry.py
+index 2490d5e..4bc4fb0 100644
+--- a/pip/_vendor/urllib3/util/retry.py
++++ b/pip/_vendor/urllib3/util/retry.py
+@@ -235,7 +235,7 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie","Authorization"])
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+-- 
+2.34.1
+
diff --git a/SPECS/python3/CVE-2024-3651.patch b/SPECS/python3/CVE-2024-3651.patch
@@ -0,0 +1,60 @@
+From 9ffbb563891dc0826707dcf9124023b1d9372967 Mon Sep 17 00:00:00 2001
+From: Ankita Pareek <ankitapareek@microsoft.com>
+Date: Fri, 11 Apr 2025 14:34:28 +0530
+Subject: [PATCH] python3: Address CVE-2024-3651
+
+Upstream patch reference: https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
+
+Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
+---
+ _vendor/idna/core.py | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/pip/_vendor/idna/core.py b/pip/_vendor/idna/core.py
+index 4f30037..aea17ac 100644
+--- a/pip/_vendor/idna/core.py
++++ b/pip/_vendor/idna/core.py
+@@ -150,9 +150,11 @@ def valid_contextj(label: str, pos: int) -> bool:
+             joining_type = idnadata.joining_types.get(ord(label[i]))
+             if joining_type == ord('T'):
+                 continue
+-            if joining_type in [ord('L'), ord('D')]:
++            elif joining_type in [ord('L'), ord('D')]:
+                 ok = True
+                 break
++            else:
++                break
+ 
+         if not ok:
+             return False
+@@ -162,9 +164,11 @@ def valid_contextj(label: str, pos: int) -> bool:
+             joining_type = idnadata.joining_types.get(ord(label[i]))
+             if joining_type == ord('T'):
+                 continue
+-            if joining_type in [ord('R'), ord('D')]:
++            elif joining_type in [ord('R'), ord('D')]:
+                 ok = True
+                 break
++            else:
++                break
+         return ok
+ 
+     if cp_value == 0x200d:
+@@ -236,12 +240,8 @@ def check_label(label: Union[str, bytes, bytearray]) -> None:
+         if intranges_contain(cp_value, idnadata.codepoint_classes['PVALID']):
+             continue
+         elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTJ']):
+-            try:
+-                if not valid_contextj(label, pos):
+-                    raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format(
+-                        _unot(cp_value), pos+1, repr(label)))
+-            except ValueError:
+-                raise IDNAError('Unknown codepoint adjacent to joiner {} at position {} in {}'.format(
++            if not valid_contextj(label, pos):
++                raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format(
+                     _unot(cp_value), pos+1, repr(label)))
+         elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTO']):
+             if not valid_contexto(label, pos):
+-- 
+2.34.1
+
diff --git a/SPECS/python3/CVE-2024-37891.patch b/SPECS/python3/CVE-2024-37891.patch
@@ -0,0 +1,30 @@
+From b512887b5421844c0e4589e36241da5656b65d1b Mon Sep 17 00:00:00 2001
+From: Ankita Pareek <ankitapareek@microsoft.com>
+Date: Fri, 11 Apr 2025 19:14:27 +0530
+Subject: [PATCH] python3: Address CVE-2024-37891 with a patch
+
+Upstream reference: https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
+
+Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
+---
+ _vendor/urllib3/util/retry.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/util/retry.py b/pip/_vendor/urllib3/util/retry.py
+index 4bc4fb0..392553b 100644
+--- a/pip/_vendor/urllib3/util/retry.py
++++ b/pip/_vendor/urllib3/util/retry.py
+@@ -235,7 +235,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie","Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie","Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+-- 
+2.34.1
+
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.19
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,9 @@ Patch12:        CVE-2025-1795.patch
 # Patch for setuptools, resolved in 65.5.1
 Patch1000:      CVE-2022-40897.patch
 Patch1001:      CVE-2024-6345.patch
+Patch1002:      CVE-2024-3651.patch
+Patch1003:      CVE-2023-43804.patch
+Patch1004:      CVE-2024-37891.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@@ -238,6 +241,15 @@ patch %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_in
 echo 'Patching CVE-2024-6345 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py'
 patch -p1 %{buildroot}%{_libdir}/python%{majmin}/site-packages/setuptools/package_index.py < %{PATCH1001}
 
+# Manually patch CVE-2024-3651 which is a bundled wheel for pip. We can only update the source code after install
+echo 'Patching CVE-2024-3651 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/pip/_vendor/idna/core.py'
+patch -p1 %{buildroot}%{_libdir}/python%{majmin}/site-packages/pip/_vendor/idna/core.py < %{PATCH1002}
+echo 'Patching CVE-2023-43804 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/pip/_vendor/urllib3/util/retry.py'
+patch -p1 %{buildroot}%{_libdir}/python%{majmin}/site-packages/pip/_vendor/urllib3/util/retry.py < %{PATCH1003}
+echo 'Patching CVE-2024-37891 in bundled wheel file %{_libdir}/python%{majmin}/site-packages/pip/_vendor/urllib3/util/retry.py'
+patch -p1 %{buildroot}%{_libdir}/python%{majmin}/site-packages/pip/_vendor/urllib3/util/retry.py < %{PATCH1004}
+
+
 # Windows executables get installed by pip and setuptools- we don't need these.
 find %{buildroot}%{_libdir}/python%{majmin}/site-packages -name '*.exe' -delete -print
 
@@ -338,6 +350,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Fri Apr 11 2025 Ankita Pareek <ankitapareek@microsoft.com> - 3.9.19-13
+- Add patch for CVE-2024-3651, CVE-2023-43804 and CVE-2024-37891 in the bundled pip wheel
+
 * Fri Mar 07 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 3.9.19-12
 - Add patch for CVE-2025-1795
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm
 ca-certificates-2.0.0-19.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-22.cm2.aarch64.rpm
-python3-3.9.19-12.cm2.aarch64.rpm
-python3-devel-3.9.19-12.cm2.aarch64.rpm
-python3-libs-3.9.19-12.cm2.aarch64.rpm
-python3-setuptools-3.9.19-12.cm2.noarch.rpm
+python3-3.9.19-13.cm2.aarch64.rpm
+python3-devel-3.9.19-13.cm2.aarch64.rpm
+python3-libs-3.9.19-13.cm2.aarch64.rpm
+python3-setuptools-3.9.19-13.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm
 ca-certificates-2.0.0-19.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-22.cm2.x86_64.rpm
-python3-3.9.19-12.cm2.x86_64.rpm
-python3-devel-3.9.19-12.cm2.x86_64.rpm
-python3-libs-3.9.19-12.cm2.x86_64.rpm
-python3-setuptools-3.9.19-12.cm2.noarch.rpm
+python3-3.9.19-13.cm2.x86_64.rpm
+python3-devel-3.9.19-13.cm2.x86_64.rpm
+python3-libs-3.9.19-13.cm2.x86_64.rpm
+python3-setuptools-3.9.19-13.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.19-12.cm2.aarch64.rpm
+python3-3.9.19-13.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.19-12.cm2.aarch64.rpm
+python3-curses-3.9.19-13.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.19-12.cm2.aarch64.rpm
-python3-devel-3.9.19-12.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-13.cm2.aarch64.rpm
+python3-devel-3.9.19-13.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.19-12.cm2.aarch64.rpm
+python3-libs-3.9.19-13.cm2.aarch64.rpm
 python3-libxml2-2.10.4-6.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.19-12.cm2.noarch.rpm
+python3-pip-3.9.19-13.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.19-12.cm2.noarch.rpm
-python3-test-3.9.19-12.cm2.aarch64.rpm
-python3-tools-3.9.19-12.cm2.aarch64.rpm
+python3-setuptools-3.9.19-13.cm2.noarch.rpm
+python3-test-3.9.19-13.cm2.aarch64.rpm
+python3-tools-3.9.19-13.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.19-12.cm2.x86_64.rpm
+python3-3.9.19-13.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.19-12.cm2.x86_64.rpm
+python3-curses-3.9.19-13.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.19-12.cm2.x86_64.rpm
-python3-devel-3.9.19-12.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-13.cm2.x86_64.rpm
+python3-devel-3.9.19-13.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-7.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.19-12.cm2.x86_64.rpm
+python3-libs-3.9.19-13.cm2.x86_64.rpm
 python3-libxml2-2.10.4-6.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-3.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.19-12.cm2.noarch.rpm
+python3-pip-3.9.19-13.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.19-12.cm2.noarch.rpm
-python3-test-3.9.19-12.cm2.x86_64.rpm
-python3-tools-3.9.19-12.cm2.x86_64.rpm
+python3-setuptools-3.9.19-13.cm2.noarch.rpm
+python3-test-3.9.19-13.cm2.x86_64.rpm
+python3-tools-3.9.19-13.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
