[Medium] patch python-pip for CVE-2025-50181 (microsoft#14370)

Author: jykanase

SPECS/python-pip/CVE-2025-50181.patch

@@ -0,0 +1,103 @@
+From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <[email protected]>
+Date: Wed, 18 Jun 2025 16:25:01 +0300
+Subject: [PATCH] Merge commit from fork
+
+* Apply Quentin's suggestion
+
+Co-authored-by: Quentin Pradet <[email protected]>
+
+* Add tests for disabled redirects in the pool manager
+
+* Add a possible fix for the issue with not raised `MaxRetryError`
+
+* Make urllib3 handle redirects instead of JS when JSPI is used
+
+* Fix info in the new comment
+
+* State that redirects with XHR are not controlled by urllib3
+
+* Remove excessive params from new test requests
+
+* Add tests reaching max non-0 redirects
+
+* Test redirects with Emscripten
+
+* Fix `test_merge_pool_kwargs`
+
+* Add a changelog entry
+
+* Parametrize tests
+
+* Drop a fix for Emscripten
+
+* Apply Seth's suggestion to docs
+
+Co-authored-by: Seth Michael Larson <[email protected]>
+
+* Use a minor release instead of the patch one
+
+Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857.patch
+---
+ src/pip/_vendor/urllib3/poolmanager.py | 30 +++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
+index fb51bf7..9cbcb6c 100644
+--- a/src/pip/_vendor/urllib3/poolmanager.py
++++ b/src/pip/_vendor/urllib3/poolmanager.py
+@@ -3,6 +3,7 @@ from __future__ import absolute_import
+ import collections
+ import functools
+ import logging
++import typing
+ 
+ from ._collections import HTTPHeaderDict, RecentlyUsedContainer
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+@@ -168,9 +169,32 @@ class PoolManager(RequestMethods):
+     proxy = None
+     proxy_config = None
+ 
+-    def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+-        RequestMethods.__init__(self, headers)
++    def __init__(
++        self,
++        num_pools: int = 10,
++        headers: typing.Mapping[str, str] | None = None,
++        **connection_pool_kw: typing.Any,
++    ) -> None:
++        super().__init__(headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
++
++        self.pools: RecentlyUsedContainer[PoolKey, HTTPConnectionPool]
+         self.pools = RecentlyUsedContainer(num_pools)
+ 
+         # Locally set the pool classes and keys so other PoolManagers can
+@@ -389,7 +413,7 @@ class PoolManager(RequestMethods):
+             kw["body"] = None
+             kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+-- 
+2.45.2
+

SPECS/python-pip/python-pip.spec

@@ -5,7 +5,7 @@ A tool for installing and managing Python packages}
 Summary:        A tool for installing and managing Python packages
 Name:           python-pip
 Version:        24.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,9 +14,14 @@ URL:            https://pip.pypa.io/
 Source0:        https://github.com/pypa/pip/archive/%{version}/%{srcname}-%{version}.tar.gz
 Patch0:		CVE-2024-37891.patch
 Patch1:		CVE-2025-8869.patch
+Patch2:         CVE-2025-50181.patch
 
 BuildArch:      noarch
 
+%if 0%{?with_check}
+BuildRequires:  git
+%endif
+
 %description    %{_description}
 
 %package -n python3-pip
@@ -53,6 +58,10 @@ BuildRequires:  python3-wheel
 %{python3_sitelib}/pip*
 
 %changelog
+* Tue Sep 30 2025 Jyoti Kanase <[email protected]> - 24.2-4
+- Patch for CVE-2025-50181
+- Added %check
+
 * Mon Sep 29 2025 Azure Linux Security Servicing Account <[email protected]> - 24.2-4
 - Patch for CVE-2025-8869
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -549,7 +549,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm
 python3-newt-0.52.23-1.azl3.aarch64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-4.azl3.noarch.rpm
+python3-pip-24.2-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -557,7 +557,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm
 python3-newt-0.52.23-1.azl3.x86_64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-4.azl3.noarch.rpm
+python3-pip-24.2-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm