On Thu Feb 12, 2026 at 3:20 PM CET, Adarsh Jagadish Kamini wrote: > From: Adarsh Jagadish Kamini <[email protected]> > > Include the patch linked in the NVD report: > https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 > > Signed-off-by: Adarsh Jagadish Kamini <[email protected]> > --- > .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ > .../python/python3-pip_25.3.bb | 4 +- > 2 files changed, 58 insertions(+), 1 deletion(-) > create mode 100644 > meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > > diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > new file mode 100644 > index 0000000000..fa3ecfd6d0 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > @@ -0,0 +1,55 @@ > +From f3354dbf1fa59895cd06f310064d57b73f05426a Mon Sep 17 00:00:00 2001 > +From: Damian Shaw <[email protected]> > +Date: Fri, 30 Jan 2026 16:27:57 -0500 > +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath > + > +Use os.path.commonpath() instead of commonprefix() > + > +CVE: CVE-2026-1703 > + > +Upstream-Status: Backport > [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] > + > +Signed-off-by: Adarsh Jagadish Kamini <[email protected]> > +--- > + news/+1ee322a1.bugfix.rst | 1 + > + src/pip/_internal/utils/unpacking.py | 2 +- > + tests/unit/test_utils_unpacking.py | 2 ++ > + 3 files changed, 4 insertions(+), 1 deletion(-) > + create mode 100644 news/+1ee322a1.bugfix.rst > + > +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst > +new file mode 100644 > +index 000000000..edb1b320c > +--- /dev/null > ++++ b/news/+1ee322a1.bugfix.rst > +@@ -0,0 +1 @@ > ++Use a path-segment prefix comparison, not char-by-char. > +diff --git a/src/pip/_internal/utils/unpacking.py > b/src/pip/_internal/utils/unpacking.py > +index bc950ac93..b3f52e85e 100644 > +--- a/src/pip/_internal/utils/unpacking.py > ++++ b/src/pip/_internal/utils/unpacking.py > +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> > bool: > + abs_directory = os.path.abspath(directory) > + abs_target = os.path.abspath(target) > + > +- prefix = os.path.commonprefix([abs_directory, abs_target]) > ++ prefix = os.path.commonpath([abs_directory, abs_target]) > + return prefix == abs_directory > + > + > +diff --git a/tests/unit/test_utils_unpacking.py > b/tests/unit/test_utils_unpacking.py > +index 003cce148..582da9722 100644 > +--- a/tests/unit/test_utils_unpacking.py > ++++ b/tests/unit/test_utils_unpacking.py > +@@ -412,6 +412,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: > + (("parent/", "parent/sub"), True), > + # Test target outside parent > + (("parent/", "parent/../sub"), False), > ++ # Test target sub-string of parent > ++ (("parent/child", "parent/childfoo"), False), > + ], > + ) > + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None: > +-- > +2.44.0 > + > diff --git a/meta/recipes-devtools/python/python3-pip_25.3.bb > b/meta/recipes-devtools/python/python3-pip_25.3.bb > index bbc70e3eae..5a50722d6d 100644 > --- a/meta/recipes-devtools/python/python3-pip_25.3.bb > +++ b/meta/recipes-devtools/python/python3-pip_25.3.bb > @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = > "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ > > inherit pypi python_setuptools_build_meta > > -SRC_URI += "file://no_shebang_mangling.patch" > +SRC_URI += "file://no_shebang_mangling.patch \ > + file://CVE-2026-1703 \
File name should be CVE-2026-1703.patch. Thanks, Mathieu -- Mathieu Dubois-Briand, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231111): https://lists.openembedded.org/g/openembedded-core/message/231111 Mute This Topic: https://lists.openembedded.org/mt/117774603/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
