Openembedded Core Discussions
 help / color / mirror / Atom feed
* [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs
@ 2026-07-06 11:00 Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
  To: openembedded-core
  Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
	wahid.essid, Benjamin Robin (Schneider Electric), Peter Marko,
	Richard Purdie

This series fixes the following CVEs:
 - CVE-2026-11940
 - CVE-2026-11972
 - CVE-2026-3276
 - CVE-2026-7210
 - CVE-2026-7774
 - CVE-2026-8328
 - CVE-2026-9669

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Benjamin Robin (Schneider Electric) (2):
      python3: fix CVE-2026-11940
      python3: fix CVE-2026-11972

Peter Marko (1):
      python3: upgrade 3.14.5 -> 3.14.6

 ...x-ThreadingMock-call-count-race-condition.patch | 37 ------------
 .../python/python3/CVE-2026-11940.patch            | 67 ++++++++++++++++++++++
 .../python/python3/CVE-2026-11972.patch            | 59 +++++++++++++++++++
 .../{python3_3.14.5.bb => python3_3.14.6.bb}       |  9 ++-
 4 files changed, 130 insertions(+), 42 deletions(-)
---
base-commit: 5d1aa5c806c061a2994f4decb59016610f093213
change-id: 20260706-fix-cves-python-wrynose-076b5060a7be

Best regards,
--  
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>



^ permalink raw reply	[flat|nested] 4+ messages in thread

* [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6
  2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
  2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
  To: openembedded-core
  Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
	wahid.essid, Benjamin Robin (Schneider Electric), Peter Marko,
	Richard Purdie

From: Peter Marko <peter.marko@siemens.com>

Release notes: [1]

Resolves following CVEs from reports:
* CVE-2026-3276
* CVE-2026-7210
* CVE-2026-7774
* CVE-2026-8328
* CVE-2026-9669

Resolves also:
* shutil.move symlink-based bypass (CVE assignment unknown)

Removed obsolete CVE_STATUS entries.
Removed patch included in this release.

[1] https://docs.python.org/3/whatsnew/changelog.html#python-3-14-6-final
[2] https://security-tracker.debian.org/tracker/CVE-2026-7210

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...x-ThreadingMock-call-count-race-condition.patch | 37 ----------------------
 .../{python3_3.14.5.bb => python3_3.14.6.bb}       |  7 ++--
 2 files changed, 2 insertions(+), 42 deletions(-)

diff --git a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch b/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
deleted file mode 100644
index aba3188a59ae..000000000000
--- a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 388e023fe1197c1ffed374520ed45df4ac72b8f5 Mon Sep 17 00:00:00 2001
-From: Sai Sneha <saisneha196@gmail.com>
-Date: Thu, 21 May 2026 13:08:07 +0530
-Subject: [PATCH] Fix ThreadingMock call_count race condition
-
-ThreadingMock._increment_mock_call() was not thread-safe.
-Multiple threads calling the mock simultaneously could lose
-increments due to race conditions on call_count and other
-attributes.
-
-Fix by overriding _increment_mock_call in ThreadingMixin
-and wrapping it with the existing _mock_calls_events_lock.
-
-Upstream-Status: Backport [https://github.com/python/cpython/pull/150176]
-
-Signed-off-by: Sai Sneha <saisneha196@gmail.com>
----
- Lib/unittest/mock.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/Lib/unittest/mock.py b/Lib/unittest/mock.py
-index 16f3699e89..56cdc37942 100644
---- a/Lib/unittest/mock.py
-+++ b/Lib/unittest/mock.py
-@@ -3113,6 +3113,10 @@ def _mock_call(self, *args, **kwargs):
- 
-         return ret_value
- 
-+    def _increment_mock_call(self, /, *args, **kwargs):
-+        with self._mock_calls_events_lock:
-+            super()._increment_mock_call(*args, **kwargs)
-+
-     def wait_until_called(self, *, timeout=_timeout_unset):
-         """Wait until the mock object is called.
- 
--- 
-2.34.1
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.14.5.bb
rename to meta/recipes-devtools/python/python3_3.14.6.bb
index ed413dc1fe93..239c966065ce 100644
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,13 +35,12 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-Skip-flaky-test_default_timeout-tests.patch \
            file://0001-test_only_active_thread-skip-problematic-test.patch \
            file://0001-prefer-valid-entrypoints.patch \
-           file://0001-Fix-ThreadingMock-call-count-race-condition.patch \
            "
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
            "
 
-SRC_URI[sha256sum] = "7e32597b99e5d9a39abed35de4693fa169df3e5850d4c334337ffd6a19a36db6"
+SRC_URI[sha256sum] = "143b1dddefaec3bd2e21e3b839b34a2b7fb9842272883c576420d605e9f30c63"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -524,7 +523,5 @@ py3_sysroot_cleanup () {
 	rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
 }
 
-CVE_STATUS[CVE-2026-4786] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-5713] = "cpe-stable-backport: backported to v3.14.5"
 CVE_STATUS[CVE-2026-6019] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-6100] = "cpe-stable-backport: backported to v3.14.5"
+CVE_STATUS[CVE-2026-7210] = "cpe-stable-backport: backported to v3.14.6"

-- 
2.54.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [wrynose][PATCH 2/3] python3: fix CVE-2026-11940
  2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
  2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
  To: openembedded-core
  Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
	wahid.essid, Benjamin Robin (Schneider Electric)

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed
by a crafted archive where a hardlink references a symlink stored at a
deeper name than the hardlink itself.

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../python/python3/CVE-2026-11940.patch            | 67 ++++++++++++++++++++++
 meta/recipes-devtools/python/python3_3.14.6.bb     |  1 +
 2 files changed, 68 insertions(+)

diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
new file mode 100644
index 000000000000..05a5802c3965
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
@@ -0,0 +1,67 @@
+From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 23 Jun 2026 15:58:47 +0200
+Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile`
+ hardlink-extraction fallback (GH-151559)
+
+CVE: CVE-2026-11940
+Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py           |  3 +++
+ Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index e6734db24f64..63f23490e8a1 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath,
+                     "makelink_with_filter: if filter_function is not None, "
+                     + "extraction_root must also not be None")
+             try:
++                filter_function(
++                    unfiltered.replace(name=tarinfo.name, deep=False),
++                    extraction_root)
+                 filtered = filter_function(unfiltered, extraction_root)
+             except _FILTER_ERRORS as cause:
+                 raise LinkFallbackError(tarinfo, unfiltered.name) from cause
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index d974c7d46ec1..0fc7413be8db 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self):
+                     self.expect_file("boom", symlink_to='../../link_here')
+                     self.expect_file("c", symlink_to='b')
+
++    @symlink_test
++    def test_sneaky_hardlink_fallback_deep(self):
++        # (CVE-2026-11940)
++        with ArchiveMaker() as arc:
++            arc.add("a/b/s", symlink_to=os.path.join("..", "escape"))
++            arc.add("s", hardlink_to=os.path.join("a", "b", "s"))
++
++        with self.check_context(arc.open(), 'data'):
++            e = self.expect_exception(
++                tarfile.LinkFallbackError,
++                "link 's' would be extracted as a copy of "
++                + "'a/b/s', which was rejected")
++            self.assertIsInstance(e.__cause__,
++                                  tarfile.LinkOutsideDestinationError)
++
++        for filter in 'tar', 'fully_trusted':
++            with self.subTest(filter), self.check_context(arc.open(), filter):
++                if not os_helper.can_symlink():
++                    self.expect_file("a/")
++                    self.expect_file("a/b/")
++                else:
++                    self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape'))
++                    self.expect_file("s", symlink_to=os.path.join('..', 'escape'))
++
+     @symlink_test
+     def test_exfiltration_via_symlink(self):
+         # (CVE-2025-4138)
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index 239c966065ce..ffb7fb6e207d 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-Skip-flaky-test_default_timeout-tests.patch \
            file://0001-test_only_active_thread-skip-problematic-test.patch \
            file://0001-prefer-valid-entrypoints.patch \
+           file://CVE-2026-11940.patch \
            "
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \

-- 
2.54.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [wrynose][PATCH 3/3] python3: fix CVE-2026-11972
  2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
  2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
  2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
  To: openembedded-core
  Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
	wahid.essid, Benjamin Robin (Schneider Electric)

When using the "tarfile" module with a file opened in "streaming mode"
(mode="r|") the tarfile module did not properly handle EOF, making archive
parsing take exponentially longer.

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../python/python3/CVE-2026-11972.patch            | 59 ++++++++++++++++++++++
 meta/recipes-devtools/python/python3_3.14.6.bb     |  1 +
 2 files changed, 60 insertions(+)

diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
new file mode 100644
index 000000000000..7dc9c6697112
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
@@ -0,0 +1,59 @@
+From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 23 Jun 2026 15:13:30 +0200
+Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF
+ (GH-151982)
+
+CVE: CVE-2026-11972
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py           |  4 +++-
+ Lib/test/test_tarfile.py | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 63f23490e8a1..399f906efdff 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -524,7 +524,9 @@ def seek(self, pos=0):
+         if pos - self.pos >= 0:
+             blocks, remainder = divmod(pos - self.pos, self.bufsize)
+             for i in range(blocks):
+-                self.read(self.bufsize)
++                data = self.read(self.bufsize)
++                if not data:
++                    break
+             self.read(remainder)
+         else:
+             raise StreamError("seeking backwards is not allowed")
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 0fc7413be8db..045377d620cc 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path):
+         with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter):
+             self.expect_exception(TypeError)  # errorlevel is not int
+
++    @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT])
++    def test_getmembers_big_size(self, format):
++        # gh-151981: A loop in seek() for streaming files tried to read the
++        # declared number of blocks even at EOF
++        tinfo = tarfile.TarInfo("huge-file")
++        tinfo.size = 1 << 64
++        bio = io.BytesIO()
++        # Write header without data
++        bio.write(tinfo.tobuf(format))
++
++        # Reset & try to get contents
++        bio.seek(0)
++        with tarfile.open(fileobj=bio, mode="r|") as tar:
++            with self.assertRaises(tarfile.ReadError):
++                tar.getmembers()
++
+
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+     testdir = os.path.join(TEMPDIR, "testoverwrite")
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index ffb7fb6e207d..ec1fd7156bd9 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-test_only_active_thread-skip-problematic-test.patch \
            file://0001-prefer-valid-entrypoints.patch \
            file://CVE-2026-11940.patch \
+           file://CVE-2026-11972.patch \
            "
 SRC_URI:append:class-native = " \
            file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \

-- 
2.54.0



^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-06 11:00 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox