2 files changed, 39 insertions, 3 deletions
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch
new file mode 100644
index 0000000000..ef66a59021
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch
@@ -0,0 +1,34 @@
+From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
+Date: Sun, 1 Oct 2023 14:10:25 +0100
+Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg
+This ensures that the resulting revision can not be misinterpreted as an
+option.
+Upstream-Status: Backport
+[https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4]
+CVE: CVE-2023-5752
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ src/pip/_internal/vcs/mercurial.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
+index 2a005e0..e440c12 100644
+--- a/src/pip/_internal/vcs/mercurial.py
+++ b/src/pip/_internal/vcs/mercurial.py
+@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
+ 
+     @staticmethod
+     def get_base_rev_args(rev: str) -> List[str]:
+-        return [rev]
+        return [f"-r={rev}"]
+ 
+     def fetch_new(
+         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-pip_22.0.3.bb b/meta/recipes-devtools/python/python3-pip_22.0.3.bb
index 6e28b87ba3..28eab9c3de 100644
--- a/meta/recipes-devtools/python/python3-pip_22.0.3.bb
+++ b/meta/recipes-devtools/python/python3-pip_22.0.3.bb
@@ -34,9 +34,11 @@ LIC_FILES_CHKSUM = "\
 inherit pypi python_setuptools_build_meta
-SRC_URI += "file://0001-change-shebang-to-python3.patch"
+SRC_URI += "file://0001-change-shebang-to-python3.patch \
-SRC_URI += "file://no_shebang_mangling.patch"
+            file://no_shebang_mangling.patch \
-SRC_URI += "file://reproducible.patch"
+            file://reproducible.patch \
+            file://CVE-2023-5752.patch \
+           "
 SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"

diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch new file mode 100644 index 0000000000..ef66a59021 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2023-5752.patch
@@ -0,0 +1,34 @@
		1	From b16dd80c50deaa4753045d93ed281d348509293f Mon Sep 17 00:00:00 2001
		2	From: Pradyun Gedam <pradyunsg@users.noreply.github.com>
		3	Date: Sun, 1 Oct 2023 14:10:25 +0100
		4	Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg
		5
		6	This ensures that the resulting revision can not be misinterpreted as an
		7	option.
		8
		9	Upstream-Status: Backport
		10	[https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4]
		11
		12	CVE: CVE-2023-5752
		13
		14	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
		15	---
		16	src/pip/_internal/vcs/mercurial.py \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/src/pip/_internal/vcs/mercurial.py b/src/pip/_internal/vcs/mercurial.py
		20	index 2a005e0..e440c12 100644
		21	--- a/src/pip/_internal/vcs/mercurial.py
		22	+++ b/src/pip/_internal/vcs/mercurial.py
		23	@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
		24
		25	@staticmethod
		26	def get_base_rev_args(rev: str) -> List[str]:
		27	- return [rev]
		28	+ return [f"-r={rev}"]
		29
		30	def fetch_new(
		31	self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
		32	--
		33	2.25.1
		34


diff --git a/meta/recipes-devtools/python/python3-pip_22.0.3.bb b/meta/recipes-devtools/python/python3-pip_22.0.3.bb index 6e28b87ba3..28eab9c3de 100644 --- a/meta/recipes-devtools/python/python3-pip_22.0.3.bb +++ b/meta/recipes-devtools/python/python3-pip_22.0.3.bb
@@ -34,9 +34,11 @@ LIC_FILES_CHKSUM = "\
34		34
35	inherit pypi python_setuptools_build_meta	35	inherit pypi python_setuptools_build_meta
36		36
37	SRC_URI += "file://0001-change-shebang-to-python3.patch"	37	SRC_URI += "file://0001-change-shebang-to-python3.patch \
38	SRC_URI += "file://no_shebang_mangling.patch"	38	file://no_shebang_mangling.patch \
39	SRC_URI += "file://reproducible.patch"	39	file://reproducible.patch \
		40	file://CVE-2023-5752.patch \
		41	"
40		42
41	SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"	43	SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"
42		44