* [PATCH 0/2] python3: fix CVE-2026-11940 and CVE-2026-11972
@ 2026-07-06 10:45 Benjamin Robin (Schneider Electric)
2026-07-06 10:45 ` [PATCH 1/2] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 10:45 ` [PATCH 2/2] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
0 siblings, 2 replies; 3+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 10:45 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
This series fixes the following CVEs:
- CVE-2026-11940
- CVE-2026-11972
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Benjamin Robin (Schneider Electric) (2):
python3: fix CVE-2026-11940
python3: fix CVE-2026-11972
.../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++
.../python/python3/CVE-2026-11972.patch | 59 +++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 2 +
3 files changed, 128 insertions(+)
---
base-commit: 832bfebbc5651dcdb36508d584be2eac076e3dde
change-id: 20260706-fix-cves-python-master-847f3cd4c18a
Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] python3: fix CVE-2026-11940
2026-07-06 10:45 [PATCH 0/2] python3: fix CVE-2026-11940 and CVE-2026-11972 Benjamin Robin (Schneider Electric)
@ 2026-07-06 10:45 ` Benjamin Robin (Schneider Electric)
2026-07-06 10:45 ` [PATCH 2/2] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
1 sibling, 0 replies; 3+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 10:45 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed
by a crafted archive where a hardlink references a symlink stored at a
deeper name than the hardlink itself.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 68 insertions(+)
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
new file mode 100644
index 000000000000..05a5802c3965
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
@@ -0,0 +1,67 @@
+From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 23 Jun 2026 15:58:47 +0200
+Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile`
+ hardlink-extraction fallback (GH-151559)
+
+CVE: CVE-2026-11940
+Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 3 +++
+ Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index e6734db24f64..63f23490e8a1 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath,
+ "makelink_with_filter: if filter_function is not None, "
+ + "extraction_root must also not be None")
+ try:
++ filter_function(
++ unfiltered.replace(name=tarinfo.name, deep=False),
++ extraction_root)
+ filtered = filter_function(unfiltered, extraction_root)
+ except _FILTER_ERRORS as cause:
+ raise LinkFallbackError(tarinfo, unfiltered.name) from cause
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index d974c7d46ec1..0fc7413be8db 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self):
+ self.expect_file("boom", symlink_to='../../link_here')
+ self.expect_file("c", symlink_to='b')
+
++ @symlink_test
++ def test_sneaky_hardlink_fallback_deep(self):
++ # (CVE-2026-11940)
++ with ArchiveMaker() as arc:
++ arc.add("a/b/s", symlink_to=os.path.join("..", "escape"))
++ arc.add("s", hardlink_to=os.path.join("a", "b", "s"))
++
++ with self.check_context(arc.open(), 'data'):
++ e = self.expect_exception(
++ tarfile.LinkFallbackError,
++ "link 's' would be extracted as a copy of "
++ + "'a/b/s', which was rejected")
++ self.assertIsInstance(e.__cause__,
++ tarfile.LinkOutsideDestinationError)
++
++ for filter in 'tar', 'fully_trusted':
++ with self.subTest(filter), self.check_context(arc.open(), filter):
++ if not os_helper.can_symlink():
++ self.expect_file("a/")
++ self.expect_file("a/b/")
++ else:
++ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape'))
++ self.expect_file("s", symlink_to=os.path.join('..', 'escape'))
++
+ @symlink_test
+ def test_exfiltration_via_symlink(self):
+ # (CVE-2025-4138)
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index 6dfd22fc0fb6..23fc152950ea 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
file://0001-Update-test_sysconfig-for-posix_user-purelib.patch \
file://0001-prefer-valid-entrypoints.patch \
+ file://CVE-2026-11940.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
--
2.54.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] python3: fix CVE-2026-11972
2026-07-06 10:45 [PATCH 0/2] python3: fix CVE-2026-11940 and CVE-2026-11972 Benjamin Robin (Schneider Electric)
2026-07-06 10:45 ` [PATCH 1/2] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
@ 2026-07-06 10:45 ` Benjamin Robin (Schneider Electric)
1 sibling, 0 replies; 3+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 10:45 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
When using the "tarfile" module with a file opened in "streaming mode"
(mode="r|") the tarfile module did not properly handle EOF, making archive
parsing take exponentially longer.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../python/python3/CVE-2026-11972.patch | 59 ++++++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 60 insertions(+)
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
new file mode 100644
index 000000000000..7dc9c6697112
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
@@ -0,0 +1,59 @@
+From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 23 Jun 2026 15:13:30 +0200
+Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF
+ (GH-151982)
+
+CVE: CVE-2026-11972
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 4 +++-
+ Lib/test/test_tarfile.py | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 63f23490e8a1..399f906efdff 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -524,7 +524,9 @@ def seek(self, pos=0):
+ if pos - self.pos >= 0:
+ blocks, remainder = divmod(pos - self.pos, self.bufsize)
+ for i in range(blocks):
+- self.read(self.bufsize)
++ data = self.read(self.bufsize)
++ if not data:
++ break
+ self.read(remainder)
+ else:
+ raise StreamError("seeking backwards is not allowed")
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 0fc7413be8db..045377d620cc 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path):
+ with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter):
+ self.expect_exception(TypeError) # errorlevel is not int
+
++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT])
++ def test_getmembers_big_size(self, format):
++ # gh-151981: A loop in seek() for streaming files tried to read the
++ # declared number of blocks even at EOF
++ tinfo = tarfile.TarInfo("huge-file")
++ tinfo.size = 1 << 64
++ bio = io.BytesIO()
++ # Write header without data
++ bio.write(tinfo.tobuf(format))
++
++ # Reset & try to get contents
++ bio.seek(0)
++ with tarfile.open(fileobj=bio, mode="r|") as tar:
++ with self.assertRaises(tarfile.ReadError):
++ tar.getmembers()
++
+
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+ testdir = os.path.join(TEMPDIR, "testoverwrite")
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index 23fc152950ea..a45a4561339f 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Update-test_sysconfig-for-posix_user-purelib.patch \
file://0001-prefer-valid-entrypoints.patch \
file://CVE-2026-11940.patch \
+ file://CVE-2026-11972.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
--
2.54.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-06 10:45 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-06 10:45 [PATCH 0/2] python3: fix CVE-2026-11940 and CVE-2026-11972 Benjamin Robin (Schneider Electric)
2026-07-06 10:45 ` [PATCH 1/2] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 10:45 ` [PATCH 2/2] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.