diff -Nru python-pip-9.0.1/debian/changelog python-pip-9.0.1/debian/changelog
--- python-pip-9.0.1/debian/changelog 2020-10-22 10:40:50.000000000 -0400
+++ python-pip-9.0.1/debian/changelog 2021-04-30 14:11:12.000000000 -0400
@@ -1,3 +1,10 @@
+python-pip (9.0.1-2.3~ubuntu1.18.04.5) bionic; urgency=medium
+
+ * Fix handling of requests exceptions when dependencies are debundled.
+ (LP: #1833229)
+
+ -- Stefano Rivera Fri, 30 Apr 2021 14:11:12 -0400
+
 python-pip (9.0.1-2.3~ubuntu1.18.04.4) bionic-security; urgency=medium
 
 * SECURITY UPDATE: directory traversal on pip install
diff -Nru python-pip-9.0.1/debian/patches/debundled-requests-exceptions.patch python-pip-9.0.1/debian/patches/debundled-requests-exceptions.patch
--- python-pip-9.0.1/debian/patches/debundled-requests-exceptions.patch 1969-12-31 20:00:00.000000000 -0400
+++ python-pip-9.0.1/debian/patches/debundled-requests-exceptions.patch 2021-04-30 14:11:12.000000000 -0400
@@ -0,0 +1,23 @@
+From: Chih-Hsuan Yen
+Date: Fri, 30 Apr 2021 14:09:50 -0400
+Subject: Fix handling of requests exceptions when dependencies are debundled.
+
+Origin: upstream, https://github.com/pypa/pip/pull/6373
+Bug-Upstream: https://github.com/pypa/pip/issues/7486
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1833229
+---
+ pip/_vendor/__init__.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pip/_vendor/__init__.py b/pip/_vendor/__init__.py
+index 8e76ab8..d093ffb 100644
+--- a/pip/_vendor/__init__.py
++++ b/pip/_vendor/__init__.py
+@@ -77,6 +77,7 @@ if DEBUNDLED:
+ vendored("progress")
+ vendored("retrying")
+ vendored("requests")
++ vendored("requests.exceptions")
+ vendored("requests.packages")
+ vendored("requests.packages.urllib3")
+ vendored("requests.packages.urllib3._collections")
diff -Nru python-pip-9.0.1/debian/patches/series python-pip-9.0.1/debian/patches/series
--- python-pip-9.0.1/debian/patches/series 2020-10-22 10:40:26.000000000 -0400
+++ python-pip-9.0.1/debian/patches/series 2021-04-30 14:11:12.000000000 -0400
@@ -7,3 +7,5 @@
 use-unvendored-urllib3.diff
 bug1822842.patch
 CVE-2019-20916.patch
+debundled-requests-exceptions.patch
+skip-vendored-import.patch
diff -Nru python-pip-9.0.1/debian/patches/skip-vendored-import.patch python-pip-9.0.1/debian/patches/skip-vendored-import.patch
--- python-pip-9.0.1/debian/patches/skip-vendored-import.patch 1969-12-31 20:00:00.000000000 -0400
+++ python-pip-9.0.1/debian/patches/skip-vendored-import.patch 2021-04-30 14:11:12.000000000 -0400
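Review bot: The added `vendored("requests.exceptions")` line carries no comment saying why this one submodule needs its own alias, and the list around it is maintained by hand. Judging from the patch subject, the alias is what makes `pip._vendor.requests.exceptions` resolve to the system `requests.exceptions`, so that `except` clauses in pip match the exceptions the debundled library actually raises; any other `requests` submodule that pip imports by its vendored name but that is missing from this list would presumably show the same mismatch. I would add a comment above the line, e.g. `# alias submodules explicitly: an unlisted one is imported again under pip._vendor.* and its classes no longer compare equal`. The `if DEBUNDLED:` block starts and ends outside the hunk, so the rest of the list cannot be checked from here.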
@@ -0,0 +1,72 @@
+From: Chih-Hsuan Yen
+Date: Fri, 30 Apr 2021 14:40:29 -0400
+Subject: Ensure all pip._vendor.* modules are mapped to debundled
+ correspondences (#6113)
+
+With the original `vendored()` implementation and such an initialization sequence:
+
+```
+vendored("packaging")
+vendored("packaging.version")
+```
+
+In `sys.modules`, `pip._vendor.packaging` is correctly connected to the debundled `packagi
+ng`, while `pip._vendor.packaging.version` is not, as the latter is `__import__`ed from the ex
+isting `pip._vendor.packaging` module. That results in the same issue as https://github.com/py
+pa/pip/issues/5429 - `pip._vendor.packaging.version.Version` and `packaging.version.Version` c
+annot be compared.
+
+This patch attempts to fix this issue by skipping `__import__` from the vendored name. Thi
+s is safe because `vendored()` is called only when `DEBUNDLED = True`, and vendored libraries
+are already deleted as per [debundling instructions](https://github.com/pypa/pip/blob/master/s
+rc/pip/_vendor/README.rst#debundling).
+
+Origin: upstream, https://github.com/pypa/pip/pull/6113
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1833229
+---
+ pip/_vendor/__init__.py | 31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/pip/_vendor/__init__.py b/pip/_vendor/__init__.py
+index d093ffb..62d8951 100644
+--- a/pip/_vendor/__init__.py
++++ b/pip/_vendor/__init__.py
+@@ -30,24 +30,21 @@ def vendored(modulename):
+ vendored_name = "{0}.{1}".format(__name__, modulename)
+
+ try:
+- __import__(vendored_name, globals(), locals(), level=0)
++ __import__(modulename, globals(), locals(), level=0)
+ except ImportError:
+- try:
+- __import__(modulename, globals(), locals(), level=0)
+- except ImportError:
+- # We can just silently allow import failures to pass here. If we
+- # got to this point it means that ``import pip._vendor.whatever``
+- # failed and so did ``import whatever``. Since we're importing this
+- # upfront in an attempt to alias imports, not erroring here will
+- # just mean we get a regular import error whenever pip *actually*
+- # tries to import one of these modules to use it, which actually
+- # gives us a better error message than we would have otherwise
+- # gotten.
+- pass
+- else:
+- sys.modules[vendored_name] = sys.modules[modulename]
+- base, head = vendored_name.rsplit(".", 1)
+- setattr(sys.modules[base], head, sys.modules[modulename])
++ # We can just silently allow import failures to pass here. If we
++ # got to this point it means that ``import pip._vendor.whatever``
++ # failed and so did ``import whatever``. Since we're importing this
++ # upfront in an attempt to alias imports, not erroring here will
++ # just mean we get a regular import error whenever pip *actually*
++ # tries to import one of these modules to use it, which actually
++ # gives us a better error message than we would have otherwise
++ # gotten.
++ pass
++ else:
++ sys.modules[vendored_name] = sys.modules[modulename]
++ base, head = vendored_name.rsplit(".", 1)
++ setattr(sys.modules[base], head, sys.modules[modulename])
+
+
+ # If we're operating in a debundled setup, then we want to go ahead and trigger
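Review bot: The comment carried over into the `except ImportError:` branch no longer describes the code: it still says that both ``import pip._vendor.whatever`` and ``import whatever`` failed, while the new `vendored()` only attempts `__import__(modulename, ...)`. I would reword its opening to something like `# The debundled module could not be imported, so no alias is registered.` and keep the remaining sentences about the error surfacing when pip first uses the module. Since the branch still ends in `pass` and the vendored fallback is gone, it is also worth stating in that comment that a missing system dependency is intentionally silent at this point. `vendored()` begins before the hunk, so its docstring is not visible here and may need the same update.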