Re: [OE-core][scarthgap][PATCH] python3-pip: patch CVE-2026-1703

Mon, 09 Feb 2026 14:30:20 -0800 

Hi Yoann Congal,

I have now submitted the backport fix for this CVE-2026-1703 for whinlatter and 
master.

Thanks!
________________________________
From: Yoann Congal <[email protected]>
Sent: Monday, February 9, 2026 4:53 PM
To: Adarsh Jagadish Kamini <[email protected]>; 
[email protected] 
<[email protected]>
Subject: Re: [OE-core][scarthgap][PATCH] python3-pip: patch CVE-2026-1703

On Mon Feb 9, 2026 at 3:01 PM CET, Adarsh Jagadish Kamini via 
lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <[email protected]>
>
> Include the patch linked in the NVD report: 
> https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> ---
>  .../python/python3-pip/CVE-2026-1703.patch    | 55 +++++++++++++++++++
>  .../python/python3-pip_24.0.bb                |  3 +-
>  2 files changed, 57 insertions(+), 1 deletion(-)
>  create mode 100644 
> meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch

Hello,

As fas as I can tell, this patch was merged in pip v26.0, but master and
kirkstone are on v25.x. So, this patch is also needed there and I can't
merge on scarthgap until this is fixed on master&whinlatter.

Can you send a patch to fix CVE-2026-1703 on these branches (either a
backport or an upgrade) ?

Thanks!

>
> diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch 
> b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> new file mode 100644
> index 0000000000..8d34d2acb4
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> @@ -0,0 +1,55 @@
> +From ed41e052ebe78fcf043c43ea05bf16f73dfbb581 Mon Sep 17 00:00:00 2001
> +From: Damian Shaw <[email protected]>
> +Date: Fri, 30 Jan 2026 16:27:57 -0500
> +Subject: [PATCH] Merge pull request #13777 from sethmlarson/commonpath
> +
> +Use os.path.commonpath() instead of commonprefix()
> +
> +CVE: CVE-2026-1703
> +
> +Upstream-Status: Backport 
> [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> +---
> + news/+1ee322a1.bugfix.rst            | 1 +
> + src/pip/_internal/utils/unpacking.py | 2 +-
> + tests/unit/test_utils_unpacking.py   | 2 ++
> + 3 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 news/+1ee322a1.bugfix.rst
> +
> +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
> +new file mode 100644
> +index 000000000..edb1b320c
> +--- /dev/null
> ++++ b/news/+1ee322a1.bugfix.rst
> +@@ -0,0 +1 @@
> ++Use a path-segment prefix comparison, not char-by-char.
> +diff --git a/src/pip/_internal/utils/unpacking.py 
> b/src/pip/_internal/utils/unpacking.py
> +index 78b5c13ce..0b26525fb 100644
> +--- a/src/pip/_internal/utils/unpacking.py
> ++++ b/src/pip/_internal/utils/unpacking.py
> +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> 
> bool:
> +     abs_directory = os.path.abspath(directory)
> +     abs_target = os.path.abspath(target)
> +
> +-    prefix = os.path.commonprefix([abs_directory, abs_target])
> ++    prefix = os.path.commonpath([abs_directory, abs_target])
> +     return prefix == abs_directory
> +
> +
> +diff --git a/tests/unit/test_utils_unpacking.py 
> b/tests/unit/test_utils_unpacking.py
> +index 1f0b59dbd..724ca0be8 100644
> +--- a/tests/unit/test_utils_unpacking.py
> ++++ b/tests/unit/test_utils_unpacking.py
> +@@ -202,6 +202,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
> +         (("parent/", "parent/sub"), True),
> +         # Test target outside parent
> +         (("parent/", "parent/../sub"), False),
> ++        # Test target sub-string of parent
> ++        (("parent/child", "parent/childfoo"), False),
> +     ],
> + )
> + def test_is_within_directory(args: Tuple[str, str], expected: bool) -> None:
> +--
> +2.44.0
> +
> diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb 
> b/meta/recipes-devtools/python/python3-pip_24.0.bb
> index be4a29500a..83f8d869ac 100644
> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
> @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = 
> "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>
>  inherit pypi python_setuptools_build_meta
>
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> +            file://CVE-2026-1703.patch \"
>
>  SRC_URI[sha256sum] = 
> "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2"
>


--
Yoann Congal
Smile ECS


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#230817): 
https://lists.openembedded.org/g/openembedded-core/message/230817
Mute This Topic: https://lists.openembedded.org/mt/117720306/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to