import python-virtualenv-15.1.0-23.module+el8.10.0+22619+61b70790

SOURCES/CVE-2024-53899.patch

@@ -0,0 +1,96 @@
+From 4543155aaad2225f514e24c5cbb655053c9b73ac Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 2 Dec 2024 10:00:55 +0100
+Subject: [PATCH] CVE-2024-53899
+
+---
+ virtualenv_embedded/activate.csh  | 8 ++++----
+ virtualenv_embedded/activate.fish | 8 ++++----
+ virtualenv_embedded/activate.sh   | 9 +++++----
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/virtualenv_embedded/activate.csh b/virtualenv_embedded/activate.csh
+index 864865b..b1cf722 100644
+--- a/virtualenv_embedded/activate.csh
++++ b/virtualenv_embedded/activate.csh
+@@ -7,15 +7,15 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA
+ # Unset irrelevant variables.
+ deactivate nondestructive
+ 
+-setenv VIRTUAL_ENV "__VIRTUAL_ENV__"
++setenv VIRTUAL_ENV __VIRTUAL_ENV__
+ 
+ set _OLD_VIRTUAL_PATH="$PATH"
+-setenv PATH "$VIRTUAL_ENV/__BIN_NAME__:$PATH"
++setenv PATH "$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
+ 
+ 
+ 
+-if ("__VIRTUAL_PROMPT__" != "") then
+-    set env_name = "__VIRTUAL_PROMPT__"
++if (__VIRTUAL_PROMPT__ != "") then
++    set env_name = __VIRTUAL_PROMPT__
+ else
+     set env_name = `basename "$VIRTUAL_ENV"`
+ endif
+diff --git a/virtualenv_embedded/activate.fish b/virtualenv_embedded/activate.fish
+index 818739e..3a36403 100644
+--- a/virtualenv_embedded/activate.fish
++++ b/virtualenv_embedded/activate.fish
+@@ -36,10 +36,10 @@ end
+ # Unset irrelevant variables.
+ deactivate nondestructive
+ 
+-set -gx VIRTUAL_ENV "__VIRTUAL_ENV__"
++set -gx VIRTUAL_ENV __VIRTUAL_ENV__
+ 
+ set -gx _OLD_VIRTUAL_PATH $PATH
+-set -gx PATH "$VIRTUAL_ENV/__BIN_NAME__" $PATH
++set -gx PATH "$VIRTUAL_ENV"'/'__BIN_NAME__ $PATH
+ 
+ # Unset `$PYTHONHOME` if set.
+ if set -q PYTHONHOME
+@@ -61,8 +61,8 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
+ 
+         # Prompt override provided?
+         # If not, just prepend the environment name.
+-        if test -n "__VIRTUAL_PROMPT__"
+-            printf '%s%s' "__VIRTUAL_PROMPT__" (set_color normal)
++        if test -n __VIRTUAL_PROMPT__
++            printf '%s%s' __VIRTUAL_PROMPT__ (set_color normal)
+         else
+             printf '%s(%s) ' (set_color normal) (basename "$VIRTUAL_ENV")
+         end
+diff --git a/virtualenv_embedded/activate.sh b/virtualenv_embedded/activate.sh
+index 477b7ec..3b225e8 100644
+--- a/virtualenv_embedded/activate.sh
++++ b/virtualenv_embedded/activate.sh
+@@ -40,11 +40,11 @@ deactivate () {
+ # unset irrelevant variables
+ deactivate nondestructive
+ 
+-VIRTUAL_ENV="__VIRTUAL_ENV__"
++VIRTUAL_ENV=__VIRTUAL_ENV__
+ export VIRTUAL_ENV
+ 
+ _OLD_VIRTUAL_PATH="$PATH"
+-PATH="$VIRTUAL_ENV/__BIN_NAME__:$PATH"
++PATH="$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
+ export PATH
+ 
+ # unset PYTHONHOME if set
+@@ -55,8 +55,9 @@ fi
+ 
+ if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT-}" ] ; then
+     _OLD_VIRTUAL_PS1="$PS1"
+-    if [ "x__VIRTUAL_PROMPT__" != x ] ; then
+-        PS1="__VIRTUAL_PROMPT__$PS1"
++    if [ "x"__VIRTUAL_PROMPT__ != x ] ; then
++        PROMPT=__VIRTUAL_PROMPT__
++        PS1="(${PROMPT}) $PS1"
+     else
+         PS1="(`basename \"$VIRTUAL_ENV\"`) $PS1"
+     fi
+-- 
+2.47.1
+

SPECS/python-virtualenv.spec

@@ -7,7 +7,7 @@
 
 Name:           python-virtualenv
 Version:        15.1.0
-Release:        22%{?dist}
+Release:        23%{?dist}
 Summary:        Tool to create isolated Python environments
 
 Group:          Development/Languages
@@ -57,6 +57,12 @@ Patch3: python3.10.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=2165702
 Patch4: python3.11-error.patch
 
+# CVE-2024-53899
+# Quote template strings in activation scripts
+# to prevent possible command injection.
+# https://github.com/pypa/virtualenv/issues/2768
+Patch5: CVE-2024-53899.patch
+
 BuildArch:      noarch
 
 %if %{with python2}
@@ -170,6 +176,7 @@ licensed under an MIT-style permissive license
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 # Remove the wheels provided by RPM packages and argparse as it's only required for python 2.6
 rm virtualenv_support/pip-*
@@ -270,6 +277,10 @@ fi
 
 
 %changelog
+* Mon Dec 02 2024 Lumír Balhar <lbalhar@redhat.com> - 15.1.0-23
+- Security fix for CVE-2024-53899
+Resolves: RHEL-68876
+
 * Tue Dec 12 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 15.1.0-22
 - Rebuilt for MSVSphere 8.8