First commit of Shredos v2021.08.2_19_x86-64_0.32.014

PartialVolume
2021-11-23 23:01:30 +00:00
commit 49625f0571
12651 changed files with 532695 additions and 0 deletions


@@ -0,0 +1,45 @@
From 62300cf398faacdd0e490b0a1400dec2558612bf Mon Sep 17 00:00:00 2001
From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
Date: Sat, 24 Apr 2021 10:13:15 +0100
Subject: [PATCH] Don't split git references on unicode separators
Previously, maliciously formatted tags could be used to hijack a
commit-based pin. Using the fact that the split here allowed for
all of unicode's whitespace characters as separators -- which git allows
as a part of a tag name -- it is possible to force a different revision
to be installed; if an attacker gains access to the repository.
This change stops splitting the string on unicode characters, by forcing
the splits to happen on newlines and ASCII spaces.
(cherry picked from commit ca832b2836e0bffa7cf95589acdcd71230f5834e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/pip/_internal/vcs/git.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
index 7483303a9..d706064e7 100644
--- a/src/pip/_internal/vcs/git.py
+++ b/src/pip/_internal/vcs/git.py
@@ -137,9 +137,15 @@ class Git(VersionControl):
output = cls.run_command(['show-ref', rev], cwd=dest,
show_stdout=False, on_returncode='ignore')
refs = {}
- for line in output.strip().splitlines():
+ # NOTE: We do not use splitlines here since that would split on other
+ # unicode separators, which can be maliciously used to install a
+ # different revision.
+ for line in output.strip().split("\n"):
+ line = line.rstrip("\r")
+ if not line:
+ continue
try:
- sha, ref = line.split()
+ sha, ref = line.split(" ", maxsplit=2)
except ValueError:
# Include the offending line to simplify troubleshooting if
# this error ever occurs.
--
2.20.1
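Review bot: The hunk does not record why `maxsplit=2` rather than `maxsplit=1` was chosen on the `sha, ref = line.split(" ", maxsplit=2)` line; with two unpack targets, a line containing a second space yields three pieces and raises ValueError, so a malformed or crafted line is rejected instead of having its ref silently truncated. A short comment would preserve that intent for the next maintainer, e.g. `# maxsplit=2 (not 1): a line with more than one space must fail to unpack and be rejected below`. Note also that the outer `output.strip()` still uses Unicode whitespace semantics; it only touches the leading sha and the trailing ref of the whole output, so it appears harmless, but `strip(" \n\r")` would make the fix uniformly ASCII-only. The enclosing method of `Git` and the `except ValueError:` handler continue outside the hunk, and since this file is a backport of an upstream pip commit, any such change belongs upstream rather than in the local patch.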


@@ -0,0 +1,10 @@
config BR2_PACKAGE_PYTHON_PIP
bool "python-pip"
select BR2_PACKAGE_PYTHON_HASHLIB if BR2_PACKAGE_PYTHON # runtime
select BR2_PACKAGE_PYTHON_SETUPTOOLS # runtime
select BR2_PACKAGE_PYTHON_SSL if BR2_PACKAGE_PYTHON # runtime
select BR2_PACKAGE_PYTHON3_SSL if BR2_PACKAGE_PYTHON3 # runtime
help
The PyPA recommended tool for installing Python packages.
https://pip.pypa.io/


@@ -0,0 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/pip/json
md5 7d42ba49b809604f0df3d55df1c3fd86 pip-20.0.2.tar.gz
sha256 7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f pip-20.0.2.tar.gz
# Locally computed sha256 checksums
sha256 5ba21fbb0964f936ad7d15362d1ed6d4931cc8c8f9ff2d4d91190e109be74431 LICENSE.txt


@@ -0,0 +1,20 @@
################################################################################
#
# python-pip
#
################################################################################
# Please keep in sync with package/python3-pip/python3-pip.mk
PYTHON_PIP_VERSION = 20.0.2
PYTHON_PIP_SOURCE = pip-$(PYTHON_PIP_VERSION).tar.gz
PYTHON_PIP_SITE = https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f
PYTHON_PIP_SETUP_TYPE = setuptools
PYTHON_PIP_LICENSE = MIT
PYTHON_PIP_LICENSE_FILES = LICENSE.txt
PYTHON_PIP_CPE_ID_VENDOR = pypa
PYTHON_PIP_CPE_ID_PRODUCT = pip
#0001-Don-t-split-git-references-on-unicode-separators.patch
PYTHON_PIP_IGNORE_CVES += CVE-2021-3572
$(eval $(python-package))