On Tue Feb 10, 2026 at 5:33 PM CET, Adarsh Jagadish Kamini via
lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <[email protected]>
>
> Include the patch linked in the NVD report:
> https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> ---
> .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++
> .../python/python3-pip_24.0.bb | 4 +-
> 2 files changed, 58 insertions(+), 1 deletion(-)
> create mode 100644
> meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
Hello,
That patch does not apply cleanly on whinlatter:
ERROR: python3-pip-native-25.2-r0 do_patch: Applying patch
'CVE-2026-1703.patch' on target directory
'/srv/pokybuild/yocto-worker/beaglebone/build/build/tmp/work/x86_64-linux/python3-pip-native/25.2/sources/pip-25.2'
CmdError('quilt --quiltrc
/srv/pokybuild/yocto-worker/beaglebone/build/build/tmp/work/x86_64-linux/python3-pip-native/25.2/recipe-sysroot-native/etc/quiltrc
push', 0, "stdout: Applying patch CVE-2026-1703.patch
patching file news/+1ee322a1.bugfix.rst
patching file src/pip/_internal/utils/unpacking.py
Hunk #1 succeeded at 83 (offset 2 lines).
can't find file to patch at input line 44
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/tests/unit/test_utils_unpacking.py
b/tests/unit/test_utils_unpacking.py
|index 1f0b59dbd..724ca0be8 100644
|--- a/tests/unit/test_utils_unpacking.py
|+++ b/tests/unit/test_utils_unpacking.py
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
Patch CVE-2026-1703.patch does not apply (enforce with -f)
stderr: ")
Can you get it merged on master before making a new request for a
backport on whinlatter?
Thanks!
> diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> new file mode 100644
> index 0000000000..8d34d2acb4
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> @@ -0,0 +1,55 @@
> +From ed41e052ebe78fcf043c43ea05bf16f73dfbb581 Mon Sep 17 00:00:00 2001
> +From: Damian Shaw <[email protected]>
> +Date: Fri, 30 Jan 2026 16:27:57 -0500
> +Subject: [PATCH] Merge pull request #13777 from sethmlarson/commonpath
> +
> +Use os.path.commonpath() instead of commonprefix()
> +
> +CVE: CVE-2026-1703
> +
> +Upstream-Status: Backport
> [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> +---
> + news/+1ee322a1.bugfix.rst | 1 +
> + src/pip/_internal/utils/unpacking.py | 2 +-
> + tests/unit/test_utils_unpacking.py | 2 ++
> + 3 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 news/+1ee322a1.bugfix.rst
> +
> +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
> +new file mode 100644
> +index 000000000..edb1b320c
> +--- /dev/null
> ++++ b/news/+1ee322a1.bugfix.rst
> +@@ -0,0 +1 @@
> ++Use a path-segment prefix comparison, not char-by-char.
> +diff --git a/src/pip/_internal/utils/unpacking.py
> b/src/pip/_internal/utils/unpacking.py
> +index 78b5c13ce..0b26525fb 100644
> +--- a/src/pip/_internal/utils/unpacking.py
> ++++ b/src/pip/_internal/utils/unpacking.py
> +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) ->
> bool:
> + abs_directory = os.path.abspath(directory)
> + abs_target = os.path.abspath(target)
> +
> +- prefix = os.path.commonprefix([abs_directory, abs_target])
> ++ prefix = os.path.commonpath([abs_directory, abs_target])
> + return prefix == abs_directory
> +
> +
> +diff --git a/tests/unit/test_utils_unpacking.py
> b/tests/unit/test_utils_unpacking.py
> +index 1f0b59dbd..724ca0be8 100644
> +--- a/tests/unit/test_utils_unpacking.py
> ++++ b/tests/unit/test_utils_unpacking.py
> +@@ -202,6 +202,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
> + (("parent/", "parent/sub"), True),
> + # Test target outside parent
> + (("parent/", "parent/../sub"), False),
> ++ # Test target sub-string of parent
> ++ (("parent/child", "parent/childfoo"), False),
> + ],
> + )
> + def test_is_within_directory(args: Tuple[str, str], expected: bool) -> None:
> +--
> +2.44.0
> +
> diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb
> b/meta/recipes-devtools/python/python3-pip_24.0.bb
> index be4a29500a..35428260c3 100644
> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
> @@ -31,7 +31,9 @@ LIC_FILES_CHKSUM =
> "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>
> inherit pypi python_setuptools_build_meta
>
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> + file://CVE-2026-1703.patch \
> + "
>
> SRC_URI[sha256sum] =
> "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2"
>
--
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#231016):
https://lists.openembedded.org/g/openembedded-core/message/231016
Mute This Topic: https://lists.openembedded.org/mt/117744707/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
