From: Adarsh Jagadish Kamini <[email protected]> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
Signed-off-by: Adarsh Jagadish Kamini <[email protected]> --- .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ .../python/python3-pip_24.0.bb | 3 +- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 0000000000..8d34d2acb4 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch @@ -0,0 +1,55 @@ +From ed41e052ebe78fcf043c43ea05bf16f73dfbb581 Mon Sep 17 00:00:00 2001 +From: Damian Shaw <[email protected]> +Date: Fri, 30 Jan 2026 16:27:57 -0500 +Subject: [PATCH] Merge pull request #13777 from sethmlarson/commonpath + +Use os.path.commonpath() instead of commonprefix() + +CVE: CVE-2026-1703 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] + +Signed-off-by: Adarsh Jagadish Kamini <[email protected]> +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + tests/unit/test_utils_unpacking.py | 2 ++ + 3 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 000000000..edb1b320c +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 78b5c13ce..0b26525fb 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py +index 1f0b59dbd..724ca0be8 100644 +--- a/tests/unit/test_utils_unpacking.py ++++ b/tests/unit/test_utils_unpacking.py +@@ -202,6 +202,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: + (("parent/", "parent/sub"), True), + # Test target outside parent + (("parent/", "parent/../sub"), False), ++ # Test target sub-string of parent ++ (("parent/child", "parent/childfoo"), False), + ], + ) + def test_is_within_directory(args: Tuple[str, str], expected: bool) -> None: +-- +2.44.0 + diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb b/meta/recipes-devtools/python/python3-pip_24.0.bb index be4a29500a..83f8d869ac 100644 --- a/meta/recipes-devtools/python/python3-pip_24.0.bb +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ inherit pypi python_setuptools_build_meta -SRC_URI += "file://no_shebang_mangling.patch" +SRC_URI += "file://no_shebang_mangling.patch \ + file://CVE-2026-1703.patch \" SRC_URI[sha256sum] = "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2" -- 2.44.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#230807): https://lists.openembedded.org/g/openembedded-core/message/230807 Mute This Topic: https://lists.openembedded.org/mt/117720306/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
