Patch python-pip for CVE-2026-6357

azurelinux-security · BinduSri-6522866 · commit e2b028d2d77c · 2026-05-08T04:28:15.000Z
diff --git a/SPECS/python-pip/CVE-2026-6357.patch b/SPECS/python-pip/CVE-2026-6357.patch
@@ -0,0 +1,371 @@
+From 4d3bacc72e85d03e3dd8c9fdb6e960774192c53c Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 4 May 2026 03:26:56 +0000
+Subject: [PATCH] Backport split pip self-version check into fetch(before) and
+ emit(after) phases; adjust context managers and tests; compute prompt based
+ on cached/remote and installer; skip check in install when pip is target
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/pypa/pip/pull/13923.patch
+---
+ src/pip/_internal/cli/base_command.py    | 11 ++--
+ src/pip/_internal/cli/index_command.py   | 35 +++++++++---
+ src/pip/_internal/commands/install.py    |  6 ++
+ src/pip/_internal/commands/list.py       | 13 +++--
+ src/pip/_internal/self_outdated_check.py | 73 ++++++++++++------------
+ tests/unit/test_base_command.py          |  8 +--
+ tests/unit/test_commands.py              |  9 ++-
+ 7 files changed, 93 insertions(+), 62 deletions(-)
+
+diff --git a/src/pip/_internal/cli/base_command.py b/src/pip/_internal/cli/base_command.py
+index bc1ab65..4d81124 100644
+--- a/src/pip/_internal/cli/base_command.py
++++ b/src/pip/_internal/cli/base_command.py
+@@ -6,8 +6,9 @@ import optparse
+ import os
+ import sys
+ import traceback
++import contextlib
+ from optparse import Values
+-from typing import List, Optional, Tuple
++from typing import List, Optional, Tuple, Iterator
+ 
+ from pip._vendor.rich import reconfigure
+ from pip._vendor.rich import traceback as rich_traceback
+@@ -78,7 +79,8 @@ class Command(CommandContextMixIn):
+     def add_options(self) -> None:
+         pass
+ 
+-    def handle_pip_version_check(self, options: Values) -> None:
++    @contextlib.contextmanager
++    def pip_version_check(self, options: Values, args: List[str]) -> Iterator[None]:
+         """
+         This is a no-op so that commands by default do not do the pip version
+         check.
+@@ -86,16 +88,15 @@ class Command(CommandContextMixIn):
+         # Make sure we do the pip version check if the index_group options
+         # are present.
+         assert not hasattr(options, "no_index")
++        yield
+ 
+     def run(self, options: Values, args: List[str]) -> int:
+         raise NotImplementedError
+ 
+     def _run_wrapper(self, level_number: int, options: Values, args: List[str]) -> int:
+         def _inner_run() -> int:
+-            try:
++            with self.pip_version_check(options, args):
+                 return self.run(options, args)
+-            finally:
+-                self.handle_pip_version_check(options)
+ 
+         if options.debug_mode:
+             rich_traceback.install(show_locals=True)
+diff --git a/src/pip/_internal/cli/index_command.py b/src/pip/_internal/cli/index_command.py
+index 226f8da..930f23a 100644
+--- a/src/pip/_internal/cli/index_command.py
++++ b/src/pip/_internal/cli/index_command.py
+@@ -9,8 +9,12 @@ so commands which don't always hit the network (e.g. list w/o --outdated or
+ import logging
+ import os
+ import sys
++import contextlib
+ from optparse import Values
+-from typing import TYPE_CHECKING, List, Optional
++from typing import TYPE_CHECKING, List, Optional, Iterator
++
++if TYPE_CHECKING:
++    from pip._internal.self_outdated_check import UpgradePrompt
+ 
+ from pip._vendor import certifi
+ 
+@@ -131,10 +135,16 @@ class SessionCommandMixin(CommandContextMixIn):
+         return session
+ 
+ 
+-def _pip_self_version_check(session: "PipSession", options: Values) -> None:
+-    from pip._internal.self_outdated_check import pip_self_version_check as check
++def _pip_self_version_check_fetch(session: "PipSession", options: Values) -> Optional["UpgradePrompt"]:
++    from pip._internal.self_outdated_check import pip_self_version_check_fetch
++
++    return pip_self_version_check_fetch(session, options)
++
+ 
+-    check(session, options)
++def _pip_self_version_check_emit(upgrade_prompt: Optional["UpgradePrompt"]) -> None:
++    from pip._internal.self_outdated_check import pip_self_version_check_emit
++
++    pip_self_version_check_emit(upgrade_prompt)
+ 
+ 
+ class IndexGroupCommand(Command, SessionCommandMixin):
+@@ -144,7 +154,8 @@ class IndexGroupCommand(Command, SessionCommandMixin):
+     This also corresponds to the commands that permit the pip version check.
+     """
+ 
+-    def handle_pip_version_check(self, options: Values) -> None:
++    @contextlib.contextmanager
++    def pip_version_check(self, options: Values, args: List[str]) -> Iterator[None]:
+         """
+         Do the pip version check if not disabled.
+ 
+@@ -154,17 +165,27 @@ class IndexGroupCommand(Command, SessionCommandMixin):
+         assert hasattr(options, "no_index")
+ 
+         if options.disable_pip_version_check or options.no_index:
++            yield
+             return
+ 
++        upgrade_prompt: Optional["UpgradePrompt"] = None
+         try:
+-            # Otherwise, check if we're using the latest version of pip available.
+             session = self._build_session(
+                 options,
+                 retries=0,
+                 timeout=min(5, options.timeout),
+             )
+             with session:
+-                _pip_self_version_check(session, options)
++                upgrade_prompt = _pip_self_version_check_fetch(session, options)
+         except Exception:
+             logger.warning("There was an error checking the latest version of pip.")
+             logger.debug("See below for error", exc_info=True)
++
++        try:
++            yield
++        finally:
++            try:
++                _pip_self_version_check_emit(upgrade_prompt)
++            except Exception:
++                logger.warning("There was an error checking the latest version of pip.")
++                logger.debug("See below for error", exc_info=True)
+diff --git a/src/pip/_internal/commands/install.py b/src/pip/_internal/commands/install.py
+index ad45a2f..298b92c 100644
+--- a/src/pip/_internal/commands/install.py
++++ b/src/pip/_internal/commands/install.py
+@@ -1,4 +1,10 @@
+ import errno
++from __future__ import annotations
++
++import contextlib
++from collections.abc import Iterator
++from pip._vendor.packaging.requirements import InvalidRequirement, Requirement
++
+ import json
+ import operator
+ import os
+diff --git a/src/pip/_internal/commands/list.py b/src/pip/_internal/commands/list.py
+index 82fc46a..ba00f82 100644
+--- a/src/pip/_internal/commands/list.py
++++ b/src/pip/_internal/commands/list.py
+@@ -1,7 +1,8 @@
+ import json
+ import logging
++import contextlib
+ from optparse import Values
+-from typing import TYPE_CHECKING, Generator, List, Optional, Sequence, Tuple, cast
++from typing import TYPE_CHECKING, Generator, List, Optional, Sequence, Tuple, cast, Iterator
+ 
+ from pip._vendor.packaging.utils import canonicalize_name
+ from pip._vendor.packaging.version import Version
+@@ -134,9 +135,13 @@ class ListCommand(IndexGroupCommand):
+         self.parser.insert_option_group(0, index_opts)
+         self.parser.insert_option_group(0, self.cmd_opts)
+ 
+-    def handle_pip_version_check(self, options: Values) -> None:
+-        if options.outdated or options.uptodate:
+-            super().handle_pip_version_check(options)
++    @contextlib.contextmanager
++    def pip_version_check(self, options: Values, args: List[str]) -> Iterator[None]:
++        if not (options.outdated or options.uptodate):
++            yield
++            return
++        with super().pip_version_check(options, args):
++            yield
+ 
+     def _build_package_finder(
+         self, options: Values, session: "PipSession"
+diff --git a/src/pip/_internal/self_outdated_check.py b/src/pip/_internal/self_outdated_check.py
+index f9a91af..fe0e0d2 100644
+--- a/src/pip/_internal/self_outdated_check.py
++++ b/src/pip/_internal/self_outdated_check.py
+@@ -1,5 +1,4 @@
+ import datetime
+-import functools
+ import hashlib
+ import json
+ import logging
+@@ -7,7 +6,7 @@ import optparse
+ import os.path
+ import sys
+ from dataclasses import dataclass
+-from typing import Any, Callable, Dict, Optional
++from typing import Any, Dict, Optional
+ 
+ from pip._vendor.packaging.version import Version
+ from pip._vendor.packaging.version import parse as parse_version
+@@ -26,7 +25,8 @@ from pip._internal.utils.entrypoints import (
+     get_best_invocation_for_this_python,
+ )
+ from pip._internal.utils.filesystem import adjacent_tmp_file, check_path_owner, replace
+-from pip._internal.utils.misc import ensure_dir
++from pip._internal.utils.misc import ensure_dir, check_externally_managed
++from pip._internal.exceptions import ExternallyManagedEnvironment
+ 
+ _WEEK = datetime.timedelta(days=7)
+ 
+@@ -149,14 +149,6 @@ class UpgradePrompt:
+         )
+ 
+ 
+-def was_installed_by_pip(pkg: str) -> bool:
+-    """Checks whether pkg was installed by pip
+-
+-    This is used not to display the upgrade message when pip is in fact
+-    installed by system package manager, such as dnf on Fedora.
+-    """
+-    dist = get_default_environment().get_distribution(pkg)
+-    return dist is not None and "pip" == dist.installer
+ 
+ 
+ def _get_current_remote_pip_version(
+@@ -187,28 +179,15 @@ def _get_current_remote_pip_version(
+     return str(best_candidate.version)
+ 
+ 
+-def _self_version_check_logic(
+-    *,
+-    state: SelfCheckState,
+-    current_time: datetime.datetime,
+-    local_version: Version,
+-    get_remote_version: Callable[[], Optional[str]],
++def _compute_upgrade_prompt(
++    local_version: Version, remote_version_str: str, installed_by_pip: bool
+ ) -> Optional[UpgradePrompt]:
+-    remote_version_str = state.get(current_time)
+-    if remote_version_str is None:
+-        remote_version_str = get_remote_version()
+-        if remote_version_str is None:
+-            logger.debug("No remote pip version found")
+-            return None
+-        state.set(remote_version_str, current_time)
+-
+     remote_version = parse_version(remote_version_str)
+     logger.debug("Remote version of pip: %s", remote_version)
+     logger.debug("Local version of pip:  %s", local_version)
++    logger.debug("Was pip installed by pip? %s", installed_by_pip)
+ 
+-    pip_installed_by_pip = was_installed_by_pip("pip")
+-    logger.debug("Was pip installed by pip? %s", pip_installed_by_pip)
+-    if not pip_installed_by_pip:
++    if not installed_by_pip:
+         return None  # Only suggest upgrade if pip is installed by pip.
+ 
+     local_version_is_older = (
+@@ -221,24 +200,44 @@ def _self_version_check_logic(
+     return None
+ 
+ 
+-def pip_self_version_check(session: PipSession, options: optparse.Values) -> None:
+-    """Check for an update for pip.
++def pip_self_version_check_fetch(
++    session: PipSession, options: optparse.Values
++) -> Optional[UpgradePrompt]:
++    """Compute the pip upgrade prompt, if any, before the command runs.
+ 
+     Limit the frequency of checks to once per week. State is stored either in
+     the active virtualenv or in the user's USER_CACHE_DIR keyed off the prefix
+     of the pip script path.
++
++    Pair with :func:`pip_self_version_check_emit`, which displays the prompt
++    after the command body runs.
+     """
+     installed_dist = get_default_environment().get_distribution("pip")
+     if not installed_dist:
+-        return
++        return None
++    try:
++        check_externally_managed()
++    except ExternallyManagedEnvironment:
++        return None
+ 
+-    upgrade_prompt = _self_version_check_logic(
+-        state=SelfCheckState(cache_dir=options.cache_dir),
+-        current_time=datetime.datetime.now(datetime.timezone.utc),
++    state = SelfCheckState(cache_dir=options.cache_dir)
++    current_time = datetime.datetime.now(datetime.timezone.utc)
++    remote_version_str = state.get(current_time)
++    if remote_version_str is None:
++        remote_version_str = _get_current_remote_pip_version(session, options)
++        if remote_version_str is None:
++            logger.debug("No remote pip version found")
++            return None
++        state.set(remote_version_str, current_time)
++
++    return _compute_upgrade_prompt(
+         local_version=installed_dist.version,
+-        get_remote_version=functools.partial(
+-            _get_current_remote_pip_version, session, options
+-        ),
++        remote_version_str=remote_version_str,
++        installed_by_pip=installed_dist.installer == "pip",
+     )
++
++
++def pip_self_version_check_emit(upgrade_prompt: Optional[UpgradePrompt]) -> None:
++    """Emit the upgrade prompt captured by :func:`pip_self_version_check_fetch`."""
+     if upgrade_prompt is not None:
+         logger.warning("%s", upgrade_prompt, extra={"rich": True})
+diff --git a/tests/unit/test_base_command.py b/tests/unit/test_base_command.py
+index f9fae65..5fdf94a 100644
+--- a/tests/unit/test_base_command.py
++++ b/tests/unit/test_base_command.py
+@@ -97,14 +97,14 @@ class TestCommand:
+         assert "Traceback (most recent call last):" in stderr
+ 
+ 
+-@patch("pip._internal.cli.index_command.Command.handle_pip_version_check")
+-def test_handle_pip_version_check_called(mock_handle_version_check: Mock) -> None:
++@patch("pip._internal.cli.index_command.Command.pip_version_check")
++def test_pip_version_check_called(mock_version_check: Mock) -> None:
+     """
+-    Check that Command.handle_pip_version_check() is called.
++    Check that ``Command.pip_version_check()`` wraps the command body.
+     """
+     cmd = FakeCommand()
+     cmd.main([])
+-    mock_handle_version_check.assert_called_once()
++    mock_version_check.assert_called_once()
+ 
+ 
+ def test_log_command_success(fixed_time: None, tmpdir: Path) -> None:
+diff --git a/tests/unit/test_commands.py b/tests/unit/test_commands.py
+index 9d5aefe..7e944ce 100644
+--- a/tests/unit/test_commands.py
++++ b/tests/unit/test_commands.py
+@@ -87,8 +87,8 @@ def test_index_group_commands() -> None:
+         (True, True, False),
+     ],
+ )
+-@mock.patch("pip._internal.cli.index_command._pip_self_version_check")
+-def test_index_group_handle_pip_version_check(
++@mock.patch("pip._internal.cli.index_command._pip_self_version_check_fetch")
++def test_index_group_pip_version_check(
+     mock_version_check: mock.Mock,
+     command_name: str,
+     disable_pip_version_check: bool,
+@@ -96,9 +96,8 @@ def test_index_group_handle_pip_version_check(
+     expected_called: bool,
+ ) -> None:
+     """
+-    Test whether pip_self_version_check() is called when
+-    handle_pip_version_check() is called, for each of the
+-    IndexGroupCommand classes.
++    Test whether self-version check is performed when ``pip_version_check()``
++    is called, for each of the IndexGroupCommand classes.
+     """
+     command = create_command(command_name)
+     options = command.parser.get_default_values()
+-- 
+2.45.4
+
diff --git a/SPECS/python-pip/python-pip.spec b/SPECS/python-pip/python-pip.spec
@@ -5,7 +5,7 @@ A tool for installing and managing Python packages}
 Summary:        A tool for installing and managing Python packages
 Name:           python-pip
 Version:        24.2
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Patch1:         CVE-2025-8869.patch
 Patch2:         CVE-2025-50181.patch
 Patch3:         CVE-2026-1703.patch
 Patch4:         CVE-2026-3219.patch
+Patch5:         CVE-2026-6357.patch
 
 BuildArch:      noarch
 
@@ -60,6 +61,9 @@ BuildRequires:  python3-wheel
 %{python3_sitelib}/pip*
 
 %changelog
+* Fri May 08 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 24.2-8
+- Patch for CVE-2026-6357
+
 * Wed Apr 22 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 24.2-7
 - Patch for CVE-2026-3219
 
