From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: James Hilliard <james.hilliard1@gmail.com>
Subject: [Buildroot] [2025.02.x, PATCH 2/2] package/python-wheel: patch CVE-2026-24049
Date: Mon, 16 Mar 2026 16:13:01 +0100 [thread overview]
Message-ID: <20260316151301.268215-2-thomas.perale@mind.be> (raw)
In-Reply-To: <20260316151301.268215-1-thomas.perale@mind.be>
Fixes the following vulnerability:
- CVE-2026-24049:
wheel is a command line tool for manipulating Python wheel files, as
defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack
function is vulnerable to file permission modification through
mishandling of file permissions after extraction. The logic blindly
trusts the filename from the archive header for the chmod operation,
even though the extraction process itself might have sanitized the
path. Attackers can craft a malicious wheel file that, when unpacked,
changes the permissions of critical system files (e.g., /etc/passwd,
SSH keys, config files), allowing for Privilege Escalation or
arbitrary code execution by modifying now-writable scripts. This issue
has been fixed in version 0.46.2.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24049
- https://github.com/advisories/GHSA-8rrh-rw8j-w5fx
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...d-security-issue-around-wheel-unpack.patch | 35 +++++++++++++++++++
package/python-wheel/python-wheel.mk | 3 ++
2 files changed, 38 insertions(+)
create mode 100644 package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
diff --git a/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch b/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
new file mode 100644
index 0000000000..8640dfa291
--- /dev/null
+++ b/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
@@ -0,0 +1,35 @@
+From 7a7d2de96b22a9adf9208afcc9547e1001569fef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+CVE: CVE-2026-24049
+Upstream: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
+[thomas: change filename, remove tests]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/wheel/cli/unpack.py | 4 ++--
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
+index d48840e6e..83dc7423f 100644
+--- a/src/wheel/cli/unpack.py
++++ b/src/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+ destination = Path(dest) / namever
+ print(f"Unpacking to: {destination}...", end="", flush=True)
+ for zinfo in wf.filelist:
+- wf.extract(zinfo, destination)
++ target_path = Path(wf.extract(zinfo, destination))
+
+ # Set permissions to the same values as they were set in the archive
+ # We have to do this manually due to
+ # https://github.com/python/cpython/issues/59999
+ permissions = zinfo.external_attr >> 16 & 0o777
+- destination.joinpath(zinfo.filename).chmod(permissions)
++ target_path.chmod(permissions)
+
+ print("OK")
+
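Review bot: the diffstat inside the embedded patch (` src/wheel/cli/unpack.py | 4 ++--` followed by ` 3 files changed, 27 insertions(+), 2 deletions(-)`) no longer matches its body after the `[thomas: change filename, remove tests]` trimming; only unpack.py remains, so the summary line should read `1 file changed, 2 insertions(+), 2 deletions(-)`, or the patch should be regenerated with `git format-patch` after dropping the test files so the header is consistent. The substance of the change is sound: `target_path` is taken from the return value of `wf.extract`, which is the location the member was actually written to after the archive name was sanitized, so the `chmod` can no longer be pointed at a different file than the one just extracted, which is exactly the mismatch the CVE description in the commit message is about.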
diff --git a/package/python-wheel/python-wheel.mk b/package/python-wheel/python-wheel.mk
index 417db7c167..ae02d21feb 100644
--- a/package/python-wheel/python-wheel.mk
+++ b/package/python-wheel/python-wheel.mk
@@ -13,4 +13,7 @@ PYTHON_WHEEL_LICENSE_FILES = LICENSE.txt
PYTHON_WHEEL_CPE_ID_VENDOR = wheel_project
PYTHON_WHEEL_CPE_ID_PRODUCT = wheel
+# 0001-fixed-security-issue-around-wheel-unpack.patch
+PYTHON_WHEEL_IGNORE_CVES += CVE-2026-24049
+
$(eval $(host-python-package))
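Review bot: the `PYTHON_WHEEL_IGNORE_CVES += CVE-2026-24049` line is correct only for as long as the local patch is carried; the commit message states the issue is fixed upstream in 0.46.2, so the eventual version bump past that release must drop both `0001-fixed-security-issue-around-wheel-unpack.patch` and this ignore entry, since a stale ignore would silence the CVE check if the package ever regressed. The comment naming the patch file above the ignore line follows the usual Buildroot convention and is fine as is.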
--
2.53.0
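As an added illustration of the mismatch the commit message describes (this is not code from wheel or from the Buildroot patch): a pre-unpack audit that compares the path the vulnerable `chmod` would touch (`dest` joined with the raw archive member name) against the path `ZipFile.extract` actually writes to, mirroring the member-name sanitization CPython applies. The function names and the in-memory sample archive are constructed for this example.

```python
import io
import os
import zipfile
from pathlib import Path
from typing import List


def naive_chmod_target(dest: str, name: str) -> Path:
    """Path the vulnerable code chmods: dest joined with the raw archive name."""
    return Path(dest).joinpath(name).resolve()


def extracted_target(dest: str, name: str) -> Path:
    """Path ZipFile.extract really writes to: drive letters, empty, '.' and '..'
    components are stripped from the member name before joining with dest."""
    arcname = name.replace("/", os.path.sep)
    arcname = os.path.splitdrive(arcname)[1]
    invalid = ("", os.path.curdir, os.path.pardir)
    parts = [p for p in arcname.split(os.path.sep) if p not in invalid]
    return Path(dest).joinpath(*parts).resolve()


def audit_archive(data: bytes, dest: str) -> List[str]:
    """Return member names for which a raw-name chmod would touch a different
    file than the one extract() wrote. Non-empty means: do not unpack this
    archive with a wheel version affected by CVE-2026-24049."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zinfo in zf.infolist():
            if naive_chmod_target(dest, zinfo.filename) != extracted_target(dest, zinfo.filename):
                flagged.append(zinfo.filename)
    return flagged


def build_sample() -> bytes:
    """Constructed fixture: one benign member and one whose raw name escapes dest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("../../outside.txt", "")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_sample(), "unpacked"))
```

On an unpatched wheel the first member would be extracted to `unpacked/pkg/__init__.py` and chmod'ed there, while the second would be written to `unpacked/outside.txt` but chmod'ed at `../outside.txt` relative to the working directory; the audit flags exactly that second member.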