* [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703
@ 2026-02-09 21:24 Adarsh Jagadish Kamini
2026-02-10 12:44 ` Mathieu Dubois-Briand
0 siblings, 1 reply; 4+ messages in thread
From: Adarsh Jagadish Kamini @ 2026-02-09 21:24 UTC (permalink / raw)
To: openembedded-core; +Cc: Adarsh Jagadish Kamini
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
---
.../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++
.../python/python3-pip_24.0.bb | 3 +-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
new file mode 100644
index 0000000000..8d34d2acb4
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
@@ -0,0 +1,55 @@
+From ed41e052ebe78fcf043c43ea05bf16f73dfbb581 Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Fri, 30 Jan 2026 16:27:57 -0500
+Subject: [PATCH] Merge pull request #13777 from sethmlarson/commonpath
+
+Use os.path.commonpath() instead of commonprefix()
+
+CVE: CVE-2026-1703
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ news/+1ee322a1.bugfix.rst | 1 +
+ src/pip/_internal/utils/unpacking.py | 2 +-
+ tests/unit/test_utils_unpacking.py | 2 ++
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 news/+1ee322a1.bugfix.rst
+
+diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
+new file mode 100644
+index 000000000..edb1b320c
+--- /dev/null
++++ b/news/+1ee322a1.bugfix.rst
+@@ -0,0 +1 @@
++Use a path-segment prefix comparison, not char-by-char.
+diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
+index 78b5c13ce..0b26525fb 100644
+--- a/src/pip/_internal/utils/unpacking.py
++++ b/src/pip/_internal/utils/unpacking.py
+@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool:
+ abs_directory = os.path.abspath(directory)
+ abs_target = os.path.abspath(target)
+
+- prefix = os.path.commonprefix([abs_directory, abs_target])
++ prefix = os.path.commonpath([abs_directory, abs_target])
+ return prefix == abs_directory
+
+
+diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
+index 1f0b59dbd..724ca0be8 100644
+--- a/tests/unit/test_utils_unpacking.py
++++ b/tests/unit/test_utils_unpacking.py
+@@ -202,6 +202,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
+ (("parent/", "parent/sub"), True),
+ # Test target outside parent
+ (("parent/", "parent/../sub"), False),
++ # Test target sub-string of parent
++ (("parent/child", "parent/childfoo"), False),
+ ],
+ )
+ def test_is_within_directory(args: Tuple[str, str], expected: bool) -> None:
+--
+2.44.0
+
diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb b/meta/recipes-devtools/python/python3-pip_24.0.bb
index be4a29500a..83f8d869ac 100644
--- a/meta/recipes-devtools/python/python3-pip_24.0.bb
+++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
@@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
inherit pypi python_setuptools_build_meta
-SRC_URI += "file://no_shebang_mangling.patch"
+SRC_URI += "file://no_shebang_mangling.patch \
+ file://CVE-2026-1703.patch \"
SRC_URI[sha256sum] = "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2"
--
2.44.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703
2026-02-09 21:24 [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703 Adarsh Jagadish Kamini
@ 2026-02-10 12:44 ` Mathieu Dubois-Briand
2026-02-10 15:33 ` Mathieu Dubois-Briand
2026-02-10 16:32 ` Adarsh Jagadish Kamini
0 siblings, 2 replies; 4+ messages in thread
From: Mathieu Dubois-Briand @ 2026-02-10 12:44 UTC (permalink / raw)
To: Adarsh Jagadish Kamini, openembedded-core
On Mon Feb 9, 2026 at 10:24 PM CET, Adarsh Jagadish Kamini wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
Hi Adarsh,
Thanks for your patch.
> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
> @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>
> inherit pypi python_setuptools_build_meta
>
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> + file://CVE-2026-1703.patch \"
There is an extra backslash before the ending quote.
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703
2026-02-10 12:44 ` Mathieu Dubois-Briand
@ 2026-02-10 15:33 ` Mathieu Dubois-Briand
2026-02-10 16:32 ` Adarsh Jagadish Kamini
1 sibling, 0 replies; 4+ messages in thread
From: Mathieu Dubois-Briand @ 2026-02-10 15:33 UTC (permalink / raw)
To: Adarsh Jagadish Kamini, openembedded-core
On Tue Feb 10, 2026 at 1:44 PM CET, Mathieu Dubois-Briand wrote:
> On Mon Feb 9, 2026 at 10:24 PM CET, Adarsh Jagadish Kamini wrote:
>> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>>
>> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>>
>> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>> ---
>
> Hi Adarsh,
>
> Thanks for your patch.
>
>> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
>> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
>> @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>>
>> inherit pypi python_setuptools_build_meta
>>
>> -SRC_URI += "file://no_shebang_mangling.patch"
>> +SRC_URI += "file://no_shebang_mangling.patch \
>> + file://CVE-2026-1703.patch \"
>
> There is an extra backslash before the ending quote.
>
> Thanks,
> Mathieu
Also, it looks like the patch itself does not apply cleanly:
ERROR: python3-pip-native-25.3-r0 do_patch: Applying patch '/srv/pokybuild/yocto-worker/buildtools/build/layers/openembedded-core/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-linux/python3-pip-native/25.3/sources/pip-25.3'
CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-linux/python3-pip-native/25.3/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch
patching file news/+1ee322a1.bugfix.rst
patching file src/pip/_internal/utils/unpacking.py
Hunk #1 succeeded at 83 (offset 2 lines).
can't find file to patch at input line 44
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
|index 1f0b59dbd..724ca0be8 100644
|--- a/tests/unit/test_utils_unpacking.py
|+++ b/tests/unit/test_utils_unpacking.py
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
Patch CVE-2026-1703.patch does not apply (enforce with -f)
stderr: ")
https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/3192
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703
2026-02-10 12:44 ` Mathieu Dubois-Briand
2026-02-10 15:33 ` Mathieu Dubois-Briand
@ 2026-02-10 16:32 ` Adarsh Jagadish Kamini
1 sibling, 0 replies; 4+ messages in thread
From: Adarsh Jagadish Kamini @ 2026-02-10 16:32 UTC (permalink / raw)
To: Mathieu Dubois-Briand, openembedded-core@lists.openembedded.org
[-- Attachment #1: Type: text/plain, Size: 1395 bytes --]
Hi,
Thanks for pointing out.
Fixed in v2
________________________________
From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Sent: Tuesday, February 10, 2026 1:44 PM
To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703
On Mon Feb 9, 2026 at 10:24 PM CET, Adarsh Jagadish Kamini wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
Hi Adarsh,
Thanks for your patch.
> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
> @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>
> inherit pypi python_setuptools_build_meta
>
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> + file://CVE-2026-1703.patch \"
There is an extra backslash before the ending quote.
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
[-- Attachment #2: Type: text/html, Size: 3593 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-10 20:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-09 21:24 [OE-core][master][PATCH] python3-pip: Backport fix CVE-2026-1703 Adarsh Jagadish Kamini
2026-02-10 12:44 ` Mathieu Dubois-Briand
2026-02-10 15:33 ` Mathieu Dubois-Briand
2026-02-10 16:32 ` Adarsh Jagadish Kamini
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox