[HIGH] Patch python3 for CVE-2025-6069, CVE-2025-4516, CVE-2025-50181, CVE-2023-5752, CVE-2023-45803 CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517, CVE-2025-4435 (microsoft#14180)

Co-authored-by: jslobodzian <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>

Author: 3 people

SPECS/python3/CVE-2023-45803.patch

@@ -0,0 +1,92 @@
+From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <[email protected]>
+Date: Tue, 17 Oct 2023 19:35:39 +0300
+Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36.patch
+---
+ pip/_vendor/urllib3/_collections.py   | 18 ++++++++++++++++++
+ pip/_vendor/urllib3/connectionpool.py |  5 +++++
+ pip/_vendor/urllib3/poolmanager.py    |  6 +++++-
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/_collections.py b/pip/_vendor/urllib3/_collections.py
+index da9857e..bceb845 100644
+--- a/pip/_vendor/urllib3/_collections.py
++++ b/pip/_vendor/urllib3/_collections.py
+@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
+         else:
+             return vals[1:]
+ 
++    def _prepare_for_method_change(self):
++        """
++        Remove content-specific header fields before changing the request
++        method to GET or HEAD according to RFC 9110, Section 15.4.
++        """
++        content_specific_headers = [
++            "Content-Encoding",
++            "Content-Language",
++            "Content-Location",
++            "Content-Type",
++            "Content-Length",
++            "Digest",
++            "Last-Modified",
++        ]
++        for header in content_specific_headers:
++            self.discard(header)
++        return self
++
+     # Backwards compatibility for httplib
+     getheaders = getlist
+     getallmatchingheaders = getlist
+diff --git a/pip/_vendor/urllib3/connectionpool.py b/pip/_vendor/urllib3/connectionpool.py
+index 7087392..d954e4b 100644
+--- a/pip/_vendor/urllib3/connectionpool.py
++++ b/pip/_vendor/urllib3/connectionpool.py
+@@ -9,6 +9,7 @@ import warnings
+ from socket import error as SocketError
+ from socket import timeout as SocketTimeout
+ 
++from ._collections import HTTPHeaderDict
+ from .connection import (
+     BaseSSLError,
+     BrokenPipeError,
+@@ -832,7 +833,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+         redirect_location = redirect and response.get_redirect_location()
+         if redirect_location:
+             if response.status == 303:
++                # Change the method according to RFC 9110, Section 15.4.4.
+                 method = "GET"
++                # And lose the body not to transfer anything sensitive.
++                body = None
++                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index 0e56754..3da5074 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -4,7 +4,7 @@ import collections
+ import functools
+ import logging
+ 
+-from ._collections import RecentlyUsedContainer
++from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+ from .exceptions import (
+     LocationValueError,
+@@ -400,7 +400,11 @@ class PoolManager(RequestMethods):
+ 
+         # RFC 7231, Section 6.4.4
+         if response.status == 303:
++            # Change the method according to RFC 9110, Section 15.4.4.
+             method = "GET"
++            # And lose the body not to transfer anything sensitive.
++            kw["body"] = None
++            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+         retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+-- 
+2.34.1
+

SPECS/python3/CVE-2023-5752.patch

@@ -0,0 +1,28 @@
+From 389cb799d0da9a840749fcd14878928467ed49b4 Mon Sep 17 00:00:00 2001
+From: Pradyun Gedam <[email protected]>
+Date: Sun, 1 Oct 2023 14:10:25 +0100
+Subject: [PATCH] Use `-r=...` instead of `-r ...` for hg
+This ensures that the resulting revision can not be misinterpreted as an
+option.
+Upstream Patch Reference: https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4.patch
+
+---
+ .../pip/_internal/vcs/mercurial.py  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pip/_internal/vcs/mercurial.py b/pip/_internal/vcs/mercurial.py
+index 2a005e0..e440c12 100644
+--- a/pip/_internal/vcs/mercurial.py
++++ b/pip/_internal/vcs/mercurial.py
+@@ -31,7 +31,7 @@ class Mercurial(VersionControl):
+ 
+     @staticmethod
+     def get_base_rev_args(rev: str) -> List[str]:
+-        return [rev]
++        return [f"-r={rev}"]
+ 
+     def fetch_new(
+         self, dest: str, url: HiddenText, rev_options: RevOptions, verbosity: int
+-- 
+2.45.2
+