From f803fbadb334b842d08c14358749c664b4b58e69 Mon Sep 17 00:00:00 2001
From: Linux_zhang
Date: Mon, 22 Dec 2025 17:13:06 +0800
Subject: [PATCH] Fix CVE-2025-66418

(cherry picked from commit ea11bf61106885b74a8b64661d25e6775d9c2b88)

---
 backport-CVE-2025-66418.patch | 42 +++++++++++++++++++++++++++++++++++
 python-pip.spec | 6 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-66418.patch

diff --git a/backport-CVE-2025-66418.patch b/backport-CVE-2025-66418.patch
new file mode 100644
index 0000000..83b4a5e
--- /dev/null
+++ b/backport-CVE-2025-66418.patch
@@ -0,0 +1,42 @@
+From 24d7b67eac89f94e11003424bcf0d8f7b72222a8 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Fri, 5 Dec 2025 16:41:33 +0200
+Subject: [PATCH] Merge commit from fork
+
+* Add a hard-coded limit for the decompression chain
+
+* Reuse new list
+
+Reference:https://github.com/urllib3/urllib3/commit/24d7b67e.patch
+
+---
+ src/pip/_vendor/urllib3/response.py | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/response.py b/src/pip/_vendor/urllib3/response.py
+index 8909f84..da340fe 100644
+--- a/src/pip/_vendor/urllib3/response.py
++++ b/src/pip/_vendor/urllib3/response.py
+@@ -129,8 +129,18 @@ class MultiDecoder(object):
+ they were applied.
+ """
+
++ # Maximum allowed number of chained HTTP encodings in the
++ # Content-Encoding header.
++ max_decode_links = 5
++
+ def __init__(self, modes):
+- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
++ encodings = [m.strip() for m in modes.split(",")]
++ if len(encodings) > self.max_decode_links:
++ raise DecodeError(
++ "Too many content encodings in the chain: "
++ f"{len(encodings)} > {self.max_decode_links}"
++ )
++ self._decoders = [_get_decoder(e) for e in encodings]
+
+ def flush(self):
+ return self._decoders[0].flush()
+--
+2.43.0
+
diff --git a/python-pip.spec b/python-pip.spec
index 3862709..e0e534b 100644
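Review bot: The new guard in `MultiDecoder.__init__` caps only the number of Content-Encoding links, while each link's decoder still inflates whatever it is handed; in this 1.26-era vendored copy (`class MultiDecoder(object)`) the `_decode` path outside this hunk appears to call `decompress()` with no `max_length`, so a five-link chain of highly compressible bodies can still expand without bound inside a single `read()` against an untrusted index — confirm whether that companion hardening is covered by a separate backport before treating the CVE as closed for pip. The limit should also say why 5 was chosen so the next maintainer does not relax it, e.g. `# Real servers stack at most two or three encodings; anything longer is treated as a decompression-bomb attempt (CVE-2025-66418).` A minor style point: the f-string in the `raise DecodeError(...)` message is the only one in a file that otherwise keeps Python 2-compatible spelling, and `"... %d > %d" % (len(encodings), self.max_decode_links)` would match its neighbours, though it is harmless for pip 23.3.1, which already requires Python 3. `MultiDecoder` continues outside the hunk, and no test accompanies the backport, so a `%check` that feeds a six-link `Content-Encoding` header and expects `DecodeError` would be worth adding to the spec.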
--- a/python-pip.spec
+++ b/python-pip.spec
@@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name: python-%{srcname}
 Version: 23.3.1
-Release: 6
+Release: 7
 Summary: A tool for installing and managing Python packages
 License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL: http://www.pip-installer.org
@@ -20,6 +20,7 @@ Patch6002: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redi
 Patch6003: backport-CVE-2024-47081.patch
 Patch6004: backport-CVE-2025-50181.patch
 Patch6005: backport-CVE-2025-8869.patch
+Patch6006: backport-CVE-2025-66418.patch

 Source10: pip-allow-older-versions.patch

@@ -137,6 +138,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Mon Dec 22 2025 Linux_zhang - 23.3.1-7
+- Fix CVE-2025-66418
+
 * Tue Nov 25 2025 chenjianhu - 23.3.1-6
 - Fix CVE-2025-8869

--
Gitee