public inbox for openembedded-core@lists.openembedded.org
From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: "Adarsh Jagadish Kamini" <adarsh.jagadish.kamini@est.tech>,
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703
Date: Tue, 10 Feb 2026 16:33:22 +0100
Message-ID: <DGBE3COW47Z0.2VS4GOSGLUYML@bootlin.com>
In-Reply-To: <DGBAHPIIQHXZ.1LY6EAM6X7Y2P@bootlin.com>

On Tue Feb 10, 2026 at 1:44 PM CET, Mathieu Dubois-Briand wrote:
> On Mon Feb 9, 2026 at 10:24 PM CET, Adarsh Jagadish Kamini wrote:
>> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>>
>> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>>
>> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>> ---
>
> Hi Adarsh,
>
> Thanks for your patch.
>
>> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
>> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
>> @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>>  
>>  inherit pypi python_setuptools_build_meta
>>  
>> -SRC_URI += "file://no_shebang_mangling.patch"
>> +SRC_URI += "file://no_shebang_mangling.patch \
>> +            file://CVE-2026-1703.patch \"
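Review bot: the diff headers target python3-pip_24.0.bb, while the do_patch log later in this message is for python3-pip-native-25.3, so the change may not be based on the recipe version that is actually being built; rebase onto the recipe present in the branch and run do_patch locally before resending. On the added `file://CVE-2026-1703.patch \"` line, close the SRC_URI value with a plain `"` and no trailing backslash.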
>
> There is an extra backslash before the ending quote.
>
> Thanks,
> Mathieu

Also, it looks like the patch itself does not apply cleanly:

ERROR: python3-pip-native-25.3-r0 do_patch: Applying patch '/srv/pokybuild/yocto-worker/buildtools/build/layers/openembedded-core/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-linux/python3-pip-native/25.3/sources/pip-25.3'
CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-linux/python3-pip-native/25.3/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch
patching file news/+1ee322a1.bugfix.rst
patching file src/pip/_internal/utils/unpacking.py
Hunk #1 succeeded at 83 (offset 2 lines).
can't find file to patch at input line 44
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
|index 1f0b59dbd..724ca0be8 100644
|--- a/tests/unit/test_utils_unpacking.py
|+++ b/tests/unit/test_utils_unpacking.py
--------------------------
No file to patch.  Skipping patch.
1 out of 1 hunk ignored
Patch CVE-2026-1703.patch does not apply (enforce with -f)

stderr: ")

https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/3192

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
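
A pre-flight check for the failure in the log above, as an added example that is not part of the original message or of OE-core: it lists the files a unified diff modifies that are absent from the unpacked source tree, so a missing target such as tests/unit/test_utils_unpacking.py is reported before do_patch runs. The function names, the placeholder hunk bodies and the constructed tree (which has no tests/ directory) are assumptions.

```python
import tempfile
from pathlib import Path

def missing_targets(patch_text, tree, strip=1):
    """List files a unified diff modifies that are absent under `tree`.

    Header detection is a heuristic: a '--- ' line directly followed by
    a '+++ ' line. `strip` mirrors the -pN option of patch.
    """
    lines = patch_text.splitlines()
    missing = []
    for old_hdr, new_hdr in zip(lines, lines[1:]):
        if not (old_hdr.startswith("--- ") and new_hdr.startswith("+++ ")):
            continue
        old = old_hdr[4:].split("\t")[0].strip()
        new = new_hdr[4:].split("\t")[0].strip()
        if old == "/dev/null":
            continue  # the patch creates this file, nothing has to exist yet
        target = old if new == "/dev/null" else new
        rel = Path(*Path(target).parts[strip:])
        if not (Path(tree) / rel).is_file():
            missing.append(rel.as_posix())
    return missing

# Constructed sample: paths are the ones named in the log, hunk bodies are placeholders.
SAMPLE_PATCH = """\
diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
new file mode 100644
--- /dev/null
+++ b/news/+1ee322a1.bugfix.rst
@@ -0,0 +1 @@
+placeholder
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
--- a/src/pip/_internal/utils/unpacking.py
+++ b/src/pip/_internal/utils/unpacking.py
@@ -1 +1 @@
-placeholder old
+placeholder new
diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
--- a/tests/unit/test_utils_unpacking.py
+++ b/tests/unit/test_utils_unpacking.py
@@ -1 +1 @@
-placeholder old
+placeholder new
"""

def demo():
    """Check SAMPLE_PATCH against a constructed tree that has no tests/ directory."""
    with tempfile.TemporaryDirectory() as tree:
        src = Path(tree, "src/pip/_internal/utils/unpacking.py")
        src.parent.mkdir(parents=True)
        src.write_text("placeholder old\n")
        return missing_targets(SAMPLE_PATCH, tree)
```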


