[MEDIUM] Patch for python-virtualenv CVE-2025-50181 (microsoft#14239)

aninda-al · web-flow · commit 9aca93bb2b7e · 2025-09-10T13:42:02.000+05:30
diff --git a/SPECS/python-virtualenv/CVE-2025-50181v0.patch b/SPECS/python-virtualenv/CVE-2025-50181v0.patch
@@ -0,0 +1,48 @@
+From e942dd93a09e2eb8a52097c76075d0a42be20f39 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Tue, 8 Jul 2025 10:53:14 -0400
+Subject: [PATCH] Address CVE-2025-50181-1
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index 14b10da..574b7de 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools)
+ 
+@@ -386,7 +402,7 @@ class PoolManager(RequestMethods):
+         if response.status == 303:
+             method = "GET"
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/python-virtualenv/CVE-2025-50181v1.patch b/SPECS/python-virtualenv/CVE-2025-50181v1.patch
@@ -0,0 +1,48 @@
+From 8275bde7d461c4d6cd44397529fcb75847eee97c Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Wed, 9 Jul 2025 22:12:03 -0400
+Subject: [PATCH] Address CVE-xxxx-yyyy
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index fb51bf7..a8de7c6 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools)
+ 
+@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
+             kw["body"] = None
+             kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/python-virtualenv/CVE-2025-50181v2.patch b/SPECS/python-virtualenv/CVE-2025-50181v2.patch
@@ -0,0 +1,48 @@
+From b9f02b9d46967b99beab18718c79e79e08304c89 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Tue, 8 Jul 2025 22:33:17 -0400
+Subject: [PATCH] Address CVE-2025-50181v2
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index fe5491c..d03b343 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -151,6 +151,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools,
+                                            dispose_func=lambda p: p.close())
+@@ -333,7 +349,7 @@ class PoolManager(RequestMethods):
+         if response.status == 303:
+             method = 'GET'
+ 
+-        retries = kw.get('retries')
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/python-virtualenv/CVE-2025-50181v3.patch b/SPECS/python-virtualenv/CVE-2025-50181v3.patch
@@ -0,0 +1,48 @@
+From 3d5efc9facfee6c0136bbe14e02000de2cfcef23 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Wed, 9 Jul 2025 07:33:05 -0400
+Subject: [PATCH] Address CVE-2025-50181v3
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
+---
+ pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pip/_vendor/urllib3/poolmanager.py b/pip/_vendor/urllib3/poolmanager.py
+index 242a2f8..c542cea 100644
+--- a/pip/_vendor/urllib3/poolmanager.py
++++ b/pip/_vendor/urllib3/poolmanager.py
+@@ -158,6 +158,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools, dispose_func=lambda p: p.close())
+ 
+@@ -340,7 +356,7 @@ class PoolManager(RequestMethods):
+         if response.status == 303:
+             method = "GET"
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/python-virtualenv/python-virtualenv.spec b/SPECS/python-virtualenv/python-virtualenv.spec
@@ -1,14 +1,18 @@
 Summary:        Virtual Python Environment builder
 Name:           python-virtualenv
 Version:        20.26.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://pypi.python.org/pypi/virtualenv
 Source0:        https://files.pythonhosted.org/packages/3f/40/abc5a766da6b0b2457f819feab8e9203cbeae29327bd241359f866a3da9d/virtualenv-20.26.6.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         0001-replace-to-flit.patch
+Patch1000:      CVE-2025-50181v0.patch
+Patch1001:      CVE-2025-50181v1.patch
+Patch1002:      CVE-2025-50181v2.patch
+Patch1003:      CVE-2025-50181v3.patch
 BuildArch:      noarch
 
 %description
@@ -20,6 +24,7 @@ BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools_scm
 BuildRequires:  python3-xml
 BuildRequires:  python3-wheel
+BuildRequires:  zip
 
 %if 0%{?with_check}
 BuildRequires:  python3-pip
@@ -38,7 +43,77 @@ Provides:       %{name}-doc = %{version}-%{release}
 virtualenv is a tool to create isolated Python environment.
 
 %prep
-%autosetup -p1 -n virtualenv-%{version}
+# Adding -N to enable manual patching, needed for CVE-2025-50181 
+%autosetup -p1 -n virtualenv-%{version} -N
+%patch0 -p1
+
+# Manual patching for CVE-2025-50181
+# This patch is needed to fix the issue with urllib3 poolmanager.py
+# The poolmanager.py file is located in 4 different places and each is of different version so the same patch cannot be applied to all of them.
+# For the poolmanager.py under src, it is archived inside a .whl file, so we need to unpack it, apply the patch, and then re-zip it.
+# For the poolmanager.py under tests, it is archived inside a .whl file, which in turn is archived inside another .whl file,
+# so, we need to unpack the outer .whl, then unpack the inner .whl, apply the patch, and then re-zip both levels.
+
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-24.0-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl -d unpacked_pip-24.0-py3-none-any
+patch -p1 -d unpacked_pip-24.0-py3-none-any < %{PATCH1000}
+# Remove the original file
+rm -f src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl
+# After patching, re-zip the contents back into a .whl
+pushd unpacked_pip-24.0-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl *
+popd
+rm -rf unpacked_pip-24.0-py3-none-any
+
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-24.2-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl -d unpacked_pip-24.2-py3-none-any
+patch -p1 -d unpacked_pip-24.2-py3-none-any < %{PATCH1001}
+# Remove the original file
+rm -f src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl
+# After patching, re-zip the contents back into a .whl
+pushd unpacked_pip-24.2-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl *
+popd
+rm -rf unpacked_pip-24.2-py3-none-any
+
+echo "Manually Patching the poolmanager.py under tests, it needs to be unpacked from a .whl file, which is inside another .whl file"
+# unpack the outer wheel
+mkdir -p unpacked_virtualenv-16.7.9-py2.py3-none-any
+unzip tests/unit/create/virtualenv-16.7.9-py2.py3-none-any.whl -d unpacked_virtualenv-16.7.9-py2.py3-none-any
+
+# This is the pip-19.1.1 wheel that is archived inside the virtualenv_support directory of the outer wheel
+# We need to unpack it, apply the patch, and then re-zip it
+echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+# unpack the inner wheel
+mkdir -p unpacked_pip-19.1.1-py2.py3-none-any
+unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl -d unpacked_pip-19.1.1-py2.py3-none-any
+patch -p1 -d unpacked_pip-19.1.1-py2.py3-none-any < %{PATCH1002}
+rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
+pushd unpacked_pip-19.1.1-py2.py3-none-any
+zip -r ../unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl *
+popd
+rm -rf unpacked_pip-19.1.1-py2.py3-none-any
+
+# Now, we need to patch the pip-19.3.1 wheel that is archived inside the virtualenv_support directory of the outer wheel
+# We need to unpack it, apply the patch, and then re-zip it
+echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-19.3.1-py2.py3-none-any
+unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl -d unpacked_pip-19.3.1-py2.py3-none-any
+patch -p1 -d unpacked_pip-19.3.1-py2.py3-none-any < %{PATCH1003}
+# Repack the inner wheel
+rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
+pushd unpacked_pip-19.3.1-py2.py3-none-any
+zip -r ../unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl *
+popd
+rm -rf unpacked_pip-19.3.1-py2.py3-none-any
+
+# Repack the outer wheel
+rm -f tests/unit/create/virtualenv-16.7.9-py2.py3-none-any.whl
+pushd unpacked_virtualenv-16.7.9-py2.py3-none-any
+zip -r ../tests/unit/create/unpacked_virtualenv-16.7.9-py2.py3-none-any *
+popd
 
 %generate_buildrequires
 
@@ -61,6 +136,9 @@ tox -e py
 %{_bindir}/virtualenv
 
 %changelog
+* Wed Jul 09 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 20.26.6-2
+- Add patch to fix CVE-2025-50181 in urllib3 poolmanager.py
+
 * Wed Feb 26 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 20.26.6-1
 - Auto-upgrade to 20.26.6 - for CVE-2024-53899 [High]
 - Remove previously applied patches
