diff --git a/SOURCES/CVE-2024-53899.patch b/SOURCES/CVE-2024-53899.patch
new file mode 100644
index 0000000..194902a
--- /dev/null
+++ b/SOURCES/CVE-2024-53899.patch
@@ -0,0 +1,96 @@
+From 4543155aaad2225f514e24c5cbb655053c9b73ac Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Mon, 2 Dec 2024 10:00:55 +0100
+Subject: [PATCH] CVE-2024-53899
+ 
+---
+ virtualenv_embedded/activate.csh | 8 ++++----
+ virtualenv_embedded/activate.fish | 8 ++++----
+ virtualenv_embedded/activate.sh | 9 +++++----
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+ 
+diff --git a/virtualenv_embedded/activate.csh b/virtualenv_embedded/activate.csh
+index 864865b..b1cf722 100644
+--- a/virtualenv_embedded/activate.csh
++++ b/virtualenv_embedded/activate.csh
+@@ -7,15 +7,15 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA
+ # Unset irrelevant variables.
+ deactivate nondestructive
+ 
+-setenv VIRTUAL_ENV "__VIRTUAL_ENV__"
++setenv VIRTUAL_ENV __VIRTUAL_ENV__
+ 
+ set _OLD_VIRTUAL_PATH="$PATH"
+-setenv PATH "$VIRTUAL_ENV/__BIN_NAME__:$PATH"
++setenv PATH "$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
+ 
+ 
+ 
+-if ("__VIRTUAL_PROMPT__" != "") then
+- set env_name = "__VIRTUAL_PROMPT__"
++if (__VIRTUAL_PROMPT__ != "") then
++ set env_name = __VIRTUAL_PROMPT__
+ else
+ set env_name = `basename "$VIRTUAL_ENV"`
+ endif
+diff --git a/virtualenv_embedded/activate.fish b/virtualenv_embedded/activate.fish
+index 818739e..3a36403 100644
+--- a/virtualenv_embedded/activate.fish
++++ b/virtualenv_embedded/activate.fish
+@@ -36,10 +36,10 @@ end
+ # Unset irrelevant variables.
+ deactivate nondestructive
+ 
+-set -gx VIRTUAL_ENV "__VIRTUAL_ENV__"
++set -gx VIRTUAL_ENV __VIRTUAL_ENV__
+ 
+ set -gx _OLD_VIRTUAL_PATH $PATH
+-set -gx PATH "$VIRTUAL_ENV/__BIN_NAME__" $PATH
++set -gx PATH "$VIRTUAL_ENV"'/'__BIN_NAME__ $PATH
+ 
+ # Unset `$PYTHONHOME` if set.
+ if set -q PYTHONHOME
+@@ -61,8 +61,8 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
+ 
+ # Prompt override provided?
+ # If not, just prepend the environment name.
+- if test -n "__VIRTUAL_PROMPT__"
+- printf '%s%s' "__VIRTUAL_PROMPT__" (set_color normal)
++ if test -n __VIRTUAL_PROMPT__
++ printf '%s%s' __VIRTUAL_PROMPT__ (set_color normal)
+ else
+ printf '%s(%s) ' (set_color normal) (basename "$VIRTUAL_ENV")
+ end
+diff --git a/virtualenv_embedded/activate.sh b/virtualenv_embedded/activate.sh
+index 477b7ec..3b225e8 100644
+--- a/virtualenv_embedded/activate.sh
++++ b/virtualenv_embedded/activate.sh
+@@ -40,11 +40,11 @@ deactivate () {
+ # unset irrelevant variables
+ deactivate nondestructive
+ 
+-VIRTUAL_ENV="__VIRTUAL_ENV__"
++VIRTUAL_ENV=__VIRTUAL_ENV__
+ export VIRTUAL_ENV
+ 
+ _OLD_VIRTUAL_PATH="$PATH"
+-PATH="$VIRTUAL_ENV/__BIN_NAME__:$PATH"
++PATH="$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
+ export PATH
+ 
+ # unset PYTHONHOME if set
+@@ -55,8 +55,9 @@ fi
+ 
+ if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT-}" ] ; then
+ _OLD_VIRTUAL_PS1="$PS1"
+- if [ "x__VIRTUAL_PROMPT__" != x ] ; then
+- PS1="__VIRTUAL_PROMPT__$PS1"
++ if [ "x"__VIRTUAL_PROMPT__ != x ] ; then
++ PROMPT=__VIRTUAL_PROMPT__
++ PS1="(${PROMPT}) $PS1"
+ else
+ PS1="(`basename \"$VIRTUAL_ENV\"`) $PS1"
+ fi
+--
+2.47.1
+ 
diff --git a/SPECS/python-virtualenv.spec b/SPECS/python-virtualenv.spec
index 8cd0fd6..0b4567a 100644
--- a/SPECS/python-virtualenv.spec
+++ b/SPECS/python-virtualenv.spec
@@ -7,7 +7,7 @@
 Name: python-virtualenv
 Version: 15.1.0
-Release: 22%{?dist}
+Release: 23%{?dist}
 Summary: Tool to create isolated Python environments
 Group: Development/Languages
@@ -57,6 +57,12 @@ Patch3: python3.10.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=2165702
 Patch4: python3.11-error.patch
+# CVE-2024-53899
+# Quote template strings in activation scripts
+# to prevent possible command injection.
+# https://github.com/pypa/virtualenv/issues/2768
+Patch5: CVE-2024-53899.patch
+
 BuildArch: noarch
 %if %{with python2}
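Review bot: In the activate.sh hunk `@@ -55,8 +55,9 @@`, the new temporary `PROMPT=__VIRTUAL_PROMPT__` collides with zsh, where `PROMPT` is the same parameter as `PS1`; since zsh users source this same activate.sh, the assignment replaces the user's prompt before `PS1="(${PROMPT}) $PS1"` reads it back, producing `(name) name` instead of the prepended prompt (deactivate still restores `_OLD_VIRTUAL_PS1` correctly). The temporary is unnecessary: collapsing the two added lines to `PS1="("__VIRTUAL_PROMPT__") $PS1"` avoids the clash and also avoids leaving an unprefixed `PROMPT` variable in the user's shell, which the deactivate function (outside this hunk) never unsets. Separately, dropping the quotes around `__VIRTUAL_ENV__`, `__BIN_NAME__` and `__VIRTUAL_PROMPT__` in all three templates only closes the injection if the code that substitutes these placeholders now emits values quoted under each shell's own rules (sh, csh and fish quote differently, and csh single quotes do not protect `!`); the diffstat lists only the three templates, so if that generator-side change is not carried by another patch in this package, activation breaks on any path containing whitespace and the original issue stays open. Note also that the sh template's prompt format changes from `__VIRTUAL_PROMPT__$PS1` to `(prompt) $PS1`, a user-visible change beyond the security fix that the changelog entry does not mention.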
@@ -170,6 +176,7 @@ licensed under an MIT-style permissive license
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Remove the wheels provided by RPM packages and argparse as it's only required for python 2.6
 rm virtualenv_support/pip-*
@@ -270,6 +277,10 @@ fi
 %changelog
+* Mon Dec 02 2024 Lumír Balhar - 15.1.0-23
+- Security fix for CVE-2024-53899
+Resolves: RHEL-68876
+ 
 * Wed Feb 01 2023 Miro Hrončok - 15.1.0-22
 - Add a custom error message when users attempt to create Python 3.11+ virtual environments
 - Resolves: rhbz#2165702