diff -Nru python-pip-20.0.2/debian/changelog python-pip-20.0.2/debian/changelog
--- python-pip-20.0.2/debian/changelog 2021-05-09 12:50:53.000000000 -0400
+++ python-pip-20.0.2/debian/changelog 2021-05-12 21:04:29.000000000 -0400
@@ -1,3 +1,9 @@
+python-pip (20.0.2-5ubuntu1.5) focal; urgency=medium
+
+ * Security: Don't split git references on unicode separators. (LP: #1926957)
+
+ -- Stefano Rivera Wed, 12 May 2021 21:04:29 -0400
+
 python-pip (20.0.2-5ubuntu1.4) focal; urgency=medium
+ * Look for pip config /etc (LP: #1914239)
diff -Nru python-pip-20.0.2/debian/patches/git-split-ascii.patch python-pip-20.0.2/debian/patches/git-split-ascii.patch
--- python-pip-20.0.2/debian/patches/git-split-ascii.patch 1969-12-31 20:00:00.000000000 -0400
+++ python-pip-20.0.2/debian/patches/git-split-ascii.patch 2021-05-12 21:04:29.000000000 -0400
@@ -0,0 +1,40 @@
+From: Pradyun Gedam
+Date: Tue, 11 May 2021 20:04:10 -0400
+Subject: Security: Don't split git references on unicode separators
+
+Previously, maliciously formatted tags could be used to hijack a
+commit-based pin. Using the fact that the split here allowed for
+all of unicode's whitespace characters as separators -- which git allows
+as a part of a tag name -- it is possible to force a different revision
+to be installed; if an attacker gains access to the repository.
+
+This change stops splitting the string on unicode characters, by forcing
+the splits to happen on newlines and ASCII spaces.
+
+Origin: upstream, https://github.com/pypa/pip/pull/9827
+---
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..d706064 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+ output = cls.run_command(['show-ref', rev], cwd=dest,
+ show_stdout=False, on_returncode='ignore')
+ refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+ try:
+- sha, ref = line.split()
++ sha, ref = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
diff -Nru python-pip-20.0.2/debian/patches/series python-pip-20.0.2/debian/patches/series
--- python-pip-20.0.2/debian/patches/series 2021-05-09 12:50:53.000000000 -0400
+++ python-pip-20.0.2/debian/patches/series 2021-05-12 21:04:29.000000000 -0400
@@ -8,3 +8,4 @@
 add_pkg-resources_to_freeze.patch
 toml.patch
 config-in-etc.patch
+git-split-ascii.patch
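Review bot: `sha, ref = line.split(" ", maxsplit=2)` in the inner git.py hunk allows up to three fields for what the code treats as a two-field `show-ref` line, so a third space-separated token is exactly what makes the unpack raise the ValueError handled below rather than being folded into `ref`; if that strictness is deliberate, it deserves a comment at the call site such as `# maxsplit=2 (not 1): a third field must still raise ValueError instead of being absorbed into ref`, so the next reader does not "correct" it to `maxsplit=1`. The unchanged `output.strip()` on the line above still uses str.strip()'s Unicode whitespace set, which sits oddly next to the new NOTE comment's ASCII-only rationale; since it only touches the first and last line of the whole output I would rate this a consistency nit, fixable with `output.strip("\r\n ")` if the maintainers want the rule stated once. The enclosing method begins before this hunk and continues after it, so the use of `refs` is not visible here.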