* [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs
@ 2026-07-06 11:00 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric), Peter Marko,
Richard Purdie
This series fixes the following CVEs:
- CVE-2026-11940
- CVE-2026-11972
- CVE-2026-3276
- CVE-2026-7210
- CVE-2026-7774
- CVE-2026-8328
- CVE-2026-9669
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Benjamin Robin (Schneider Electric) (2):
python3: fix CVE-2026-11940
python3: fix CVE-2026-11972
Peter Marko (1):
python3: upgrade 3.14.5 -> 3.14.6
...x-ThreadingMock-call-count-race-condition.patch | 37 ------------
.../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++
.../python/python3/CVE-2026-11972.patch | 59 +++++++++++++++++++
.../{python3_3.14.5.bb => python3_3.14.6.bb} | 9 ++-
4 files changed, 130 insertions(+), 42 deletions(-)
---
base-commit: 5d1aa5c806c061a2994f4decb59016610f093213
change-id: 20260706-fix-cves-python-wrynose-076b5060a7be
Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric), Peter Marko,
Richard Purdie
From: Peter Marko <peter.marko@siemens.com>
Release notes: [1]
Resolves following CVEs from reports:
* CVE-2026-3276
* CVE-2026-7210
* CVE-2026-7774
* CVE-2026-8328
* CVE-2026-9669
Resolves also:
* shutil.move symlink-based bypass (CVE assignment unknown)
Removed obsolete CVE_STATUS entries.
Removed patch included in this release.
[1] https://docs.python.org/3/whatsnew/changelog.html#python-3-14-6-final
[2] https://security-tracker.debian.org/tracker/CVE-2026-7210
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
...x-ThreadingMock-call-count-race-condition.patch | 37 ----------------------
.../{python3_3.14.5.bb => python3_3.14.6.bb} | 7 ++--
2 files changed, 2 insertions(+), 42 deletions(-)
diff --git a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch b/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
deleted file mode 100644
index aba3188a59ae..000000000000
--- a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 388e023fe1197c1ffed374520ed45df4ac72b8f5 Mon Sep 17 00:00:00 2001
-From: Sai Sneha <saisneha196@gmail.com>
-Date: Thu, 21 May 2026 13:08:07 +0530
-Subject: [PATCH] Fix ThreadingMock call_count race condition
-
-ThreadingMock._increment_mock_call() was not thread-safe.
-Multiple threads calling the mock simultaneously could lose
-increments due to race conditions on call_count and other
-attributes.
-
-Fix by overriding _increment_mock_call in ThreadingMixin
-and wrapping it with the existing _mock_calls_events_lock.
-
-Upstream-Status: Backport [https://github.com/python/cpython/pull/150176]
-
-Signed-off-by: Sai Sneha <saisneha196@gmail.com>
----
- Lib/unittest/mock.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/Lib/unittest/mock.py b/Lib/unittest/mock.py
-index 16f3699e89..56cdc37942 100644
---- a/Lib/unittest/mock.py
-+++ b/Lib/unittest/mock.py
-@@ -3113,6 +3113,10 @@ def _mock_call(self, *args, **kwargs):
-
- return ret_value
-
-+ def _increment_mock_call(self, /, *args, **kwargs):
-+ with self._mock_calls_events_lock:
-+ super()._increment_mock_call(*args, **kwargs)
-+
- def wait_until_called(self, *, timeout=_timeout_unset):
- """Wait until the mock object is called.
-
---
-2.34.1
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.14.5.bb
rename to meta/recipes-devtools/python/python3_3.14.6.bb
index ed413dc1fe93..239c966065ce 100644
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,13 +35,12 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Skip-flaky-test_default_timeout-tests.patch \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
- file://0001-Fix-ThreadingMock-call-count-race-condition.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
"
-SRC_URI[sha256sum] = "7e32597b99e5d9a39abed35de4693fa169df3e5850d4c334337ffd6a19a36db6"
+SRC_URI[sha256sum] = "143b1dddefaec3bd2e21e3b839b34a2b7fb9842272883c576420d605e9f30c63"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -524,7 +523,5 @@ py3_sysroot_cleanup () {
rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
}
-CVE_STATUS[CVE-2026-4786] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-5713] = "cpe-stable-backport: backported to v3.14.5"
CVE_STATUS[CVE-2026-6019] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-6100] = "cpe-stable-backport: backported to v3.14.5"
+CVE_STATUS[CVE-2026-7210] = "cpe-stable-backport: backported to v3.14.6"
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [wrynose][PATCH 2/3] python3: fix CVE-2026-11940
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed
by a crafted archive where a hardlink references a symlink stored at a
deeper name than the hardlink itself.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 68 insertions(+)
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
new file mode 100644
index 000000000000..05a5802c3965
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
@@ -0,0 +1,67 @@
+From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 23 Jun 2026 15:58:47 +0200
+Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile`
+ hardlink-extraction fallback (GH-151559)
+
+CVE: CVE-2026-11940
+Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 3 +++
+ Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index e6734db24f64..63f23490e8a1 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath,
+ "makelink_with_filter: if filter_function is not None, "
+ + "extraction_root must also not be None")
+ try:
++ filter_function(
++ unfiltered.replace(name=tarinfo.name, deep=False),
++ extraction_root)
+ filtered = filter_function(unfiltered, extraction_root)
+ except _FILTER_ERRORS as cause:
+ raise LinkFallbackError(tarinfo, unfiltered.name) from cause
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index d974c7d46ec1..0fc7413be8db 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self):
+ self.expect_file("boom", symlink_to='../../link_here')
+ self.expect_file("c", symlink_to='b')
+
++ @symlink_test
++ def test_sneaky_hardlink_fallback_deep(self):
++ # (CVE-2026-11940)
++ with ArchiveMaker() as arc:
++ arc.add("a/b/s", symlink_to=os.path.join("..", "escape"))
++ arc.add("s", hardlink_to=os.path.join("a", "b", "s"))
++
++ with self.check_context(arc.open(), 'data'):
++ e = self.expect_exception(
++ tarfile.LinkFallbackError,
++ "link 's' would be extracted as a copy of "
++ + "'a/b/s', which was rejected")
++ self.assertIsInstance(e.__cause__,
++ tarfile.LinkOutsideDestinationError)
++
++ for filter in 'tar', 'fully_trusted':
++ with self.subTest(filter), self.check_context(arc.open(), filter):
++ if not os_helper.can_symlink():
++ self.expect_file("a/")
++ self.expect_file("a/b/")
++ else:
++ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape'))
++ self.expect_file("s", symlink_to=os.path.join('..', 'escape'))
++
+ @symlink_test
+ def test_exfiltration_via_symlink(self):
+ # (CVE-2025-4138)
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index 239c966065ce..ffb7fb6e207d 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Skip-flaky-test_default_timeout-tests.patch \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
+ file://CVE-2026-11940.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [wrynose][PATCH 3/3] python3: fix CVE-2026-11972
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
@ 2026-07-06 11:00 ` Benjamin Robin (Schneider Electric)
2 siblings, 0 replies; 4+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-07-06 11:00 UTC (permalink / raw)
To: openembedded-core
Cc: olivier.benjamin, mathieu.dubois-briand, pascal.eberhard,
wahid.essid, Benjamin Robin (Schneider Electric)
When using the "tarfile" module with a file opened in "streaming mode"
(mode="r|") the tarfile module did not properly handle EOF, making archive
parsing take exponentially longer.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
.../python/python3/CVE-2026-11972.patch | 59 ++++++++++++++++++++++
meta/recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 60 insertions(+)
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
new file mode 100644
index 000000000000..7dc9c6697112
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
@@ -0,0 +1,59 @@
+From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 23 Jun 2026 15:13:30 +0200
+Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF
+ (GH-151982)
+
+CVE: CVE-2026-11972
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 4 +++-
+ Lib/test/test_tarfile.py | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 63f23490e8a1..399f906efdff 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -524,7 +524,9 @@ def seek(self, pos=0):
+ if pos - self.pos >= 0:
+ blocks, remainder = divmod(pos - self.pos, self.bufsize)
+ for i in range(blocks):
+- self.read(self.bufsize)
++ data = self.read(self.bufsize)
++ if not data:
++ break
+ self.read(remainder)
+ else:
+ raise StreamError("seeking backwards is not allowed")
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 0fc7413be8db..045377d620cc 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path):
+ with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter):
+ self.expect_exception(TypeError) # errorlevel is not int
+
++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT])
++ def test_getmembers_big_size(self, format):
++ # gh-151981: A loop in seek() for streaming files tried to read the
++ # declared number of blocks even at EOF
++ tinfo = tarfile.TarInfo("huge-file")
++ tinfo.size = 1 << 64
++ bio = io.BytesIO()
++ # Write header without data
++ bio.write(tinfo.tobuf(format))
++
++ # Reset & try to get contents
++ bio.seek(0)
++ with tarfile.open(fileobj=bio, mode="r|") as tar:
++ with self.assertRaises(tarfile.ReadError):
++ tar.getmembers()
++
+
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+ testdir = os.path.join(TEMPDIR, "testoverwrite")
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index ffb7fb6e207d..ec1fd7156bd9 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
file://CVE-2026-11940.patch \
+ file://CVE-2026-11972.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-06 11:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-06 11:00 [wrynose][PATCH 0/3] python3: upgrade 3.14.5 -> 3.14.6 and fix CVEs Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 Benjamin Robin (Schneider Electric)
2026-07-06 11:00 ` [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 Benjamin Robin (Schneider Electric)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox