[OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

[OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

[Adarsh Jagadish Kamini]

From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>

Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
---
 .../python/python3-pip/CVE-2026-1703.patch    | 55 +++++++++++++++++++
 .../python/python3-pip_25.2.bb                |  4 +-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch

diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
new file mode 100644
index 0000000000..68220f8294
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
@@ -0,0 +1,55 @@
+From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001
+From: Damian Shaw <damian.peter.shaw@gmail.com>
+Date: Fri, 30 Jan 2026 16:27:57 -0500
+Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath
+
+Use os.path.commonpath() instead of commonprefix()
+
+CVE: CVE-2026-1703
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ news/+1ee322a1.bugfix.rst            | 1 +
+ src/pip/_internal/utils/unpacking.py | 2 +-
+ tests/unit/test_utils_unpacking.py   | 2 ++
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 news/+1ee322a1.bugfix.rst
+
+diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
+new file mode 100644
+index 000000000..edb1b320c
+--- /dev/null
++++ b/news/+1ee322a1.bugfix.rst
+@@ -0,0 +1 @@
++Use a path-segment prefix comparison, not char-by-char.
+diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
+index 0ad3129ac..7cb3de3c4 100644
+--- a/src/pip/_internal/utils/unpacking.py
++++ b/src/pip/_internal/utils/unpacking.py
+@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool:
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
++    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
+index 6f373b1ac..a3abcfeb0 100644
+--- a/tests/unit/test_utils_unpacking.py
++++ b/tests/unit/test_utils_unpacking.py
+@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
+         (("parent/", "parent/sub"), True),
+         # Test target outside parent
+         (("parent/", "parent/../sub"), False),
++        # Test target sub-string of parent
++        (("parent/child", "parent/childfoo"), False),
+     ],
+ )
+ def test_is_within_directory(args: tuple[str, str], expected: bool) -> None:
+-- 
+2.34.1
+
diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb
index 350092d9ad..496eff1f15 100644
--- a/meta/recipes-devtools/python/python3-pip_25.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_25.2.bb
@@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI += "file://no_shebang_mangling.patch"
+SRC_URI += "file://no_shebang_mangling.patch \
+            file://CVE-2026-1703.patch \
+            "
 
 SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2"
 
-- 
2.34.1

Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

[Yoann Congal]

On Sat Feb 21, 2026 at 10:23 AM CET, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
>  .../python/python3-pip/CVE-2026-1703.patch    | 55 +++++++++++++++++++
>  .../python/python3-pip_25.2.bb                |  4 +-
>  2 files changed, 58 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
>
> diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> new file mode 100644
> index 0000000000..68220f8294
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> @@ -0,0 +1,55 @@
> +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001
> +From: Damian Shaw <damian.peter.shaw@gmail.com>
> +Date: Fri, 30 Jan 2026 16:27:57 -0500
> +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath
> +
> +Use os.path.commonpath() instead of commonprefix()
> +
> +CVE: CVE-2026-1703
> +
> +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> +---
> + news/+1ee322a1.bugfix.rst            | 1 +
> + src/pip/_internal/utils/unpacking.py | 2 +-
> + tests/unit/test_utils_unpacking.py   | 2 ++

Looks like this patch does not apply:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/68/builds/3312/steps/13/logs/stdio
  ERROR: nativesdk-python3-pip-25.2-r0 do_patch: Applying patch 'CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/sources/pip-25.2'
  CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch
  patching file news/+1ee322a1.bugfix.rst
  patching file src/pip/_internal/utils/unpacking.py
  can't find file to patch at input line 44
  Perhaps you used the wrong -p or --strip option?
  The text leading up to this was:
  --------------------------
  |diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
  |index 6f373b1ac..a3abcfeb0 100644
  |--- a/tests/unit/test_utils_unpacking.py
  |+++ b/tests/unit/test_utils_unpacking.py
  --------------------------
  No file to patch.  Skipping patch.
  1 out of 1 hunk ignored
  Patch CVE-2026-1703.patch does not apply (enforce with -f)
  stderr: ")

Can you check please?

Thanks!

> + 3 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 news/+1ee322a1.bugfix.rst
> +
> +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
> +new file mode 100644
> +index 000000000..edb1b320c
> +--- /dev/null
> ++++ b/news/+1ee322a1.bugfix.rst
> +@@ -0,0 +1 @@
> ++Use a path-segment prefix comparison, not char-by-char.
> +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
> +index 0ad3129ac..7cb3de3c4 100644
> +--- a/src/pip/_internal/utils/unpacking.py
> ++++ b/src/pip/_internal/utils/unpacking.py
> +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool:
> +     abs_directory = os.path.abspath(directory)
> +     abs_target = os.path.abspath(target)
> + 
> +-    prefix = os.path.commonprefix([abs_directory, abs_target])
> ++    prefix = os.path.commonpath([abs_directory, abs_target])
> +     return prefix == abs_directory
> + 
> + 
> +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
> +index 6f373b1ac..a3abcfeb0 100644
> +--- a/tests/unit/test_utils_unpacking.py
> ++++ b/tests/unit/test_utils_unpacking.py
> +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
> +         (("parent/", "parent/sub"), True),
> +         # Test target outside parent
> +         (("parent/", "parent/../sub"), False),
> ++        # Test target sub-string of parent
> ++        (("parent/child", "parent/childfoo"), False),
> +     ],
> + )
> + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None:
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb
> index 350092d9ad..496eff1f15 100644
> --- a/meta/recipes-devtools/python/python3-pip_25.2.bb
> +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb
> @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>  
>  inherit pypi python_setuptools_build_meta
>  
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> +            file://CVE-2026-1703.patch \
> +            "
>  
>  SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2"
>  


-- 
Yoann Congal
Smile ECS

Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

[Adarsh Jagadish Kamini]

[-- Attachment #1: Type: text/plain, Size: 5708 bytes --]

Hi,
Sorry, it was the wrong -p option.

I will fix it in v4.

Thanks!
________________________________
From: Yoann Congal <yoann.congal@smile.fr>
Sent: Tuesday, February 24, 2026 09:36
To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

On Sat Feb 21, 2026 at 10:23 AM CET, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
>  .../python/python3-pip/CVE-2026-1703.patch    | 55 +++++++++++++++++++
>  .../python/python3-pip_25.2.bb                |  4 +-
>  2 files changed, 58 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
>
> diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> new file mode 100644
> index 0000000000..68220f8294
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> @@ -0,0 +1,55 @@
> +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001
> +From: Damian Shaw <damian.peter.shaw@gmail.com>
> +Date: Fri, 30 Jan 2026 16:27:57 -0500
> +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath
> +
> +Use os.path.commonpath() instead of commonprefix()
> +
> +CVE: CVE-2026-1703
> +
> +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> +---
> + news/+1ee322a1.bugfix.rst            | 1 +
> + src/pip/_internal/utils/unpacking.py | 2 +-
> + tests/unit/test_utils_unpacking.py   | 2 ++

Looks like this patch does not apply:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/68/builds/3312/steps/13/logs/stdio
  ERROR: nativesdk-python3-pip-25.2-r0 do_patch: Applying patch 'CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/sources/pip-25.2'
  CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch
  patching file news/+1ee322a1.bugfix.rst
  patching file src/pip/_internal/utils/unpacking.py
  can't find file to patch at input line 44
  Perhaps you used the wrong -p or --strip option?
  The text leading up to this was:
  --------------------------
  |diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
  |index 6f373b1ac..a3abcfeb0 100644
  |--- a/tests/unit/test_utils_unpacking.py
  |+++ b/tests/unit/test_utils_unpacking.py
  --------------------------
  No file to patch.  Skipping patch.
  1 out of 1 hunk ignored
  Patch CVE-2026-1703.patch does not apply (enforce with -f)
  stderr: ")

Can you check please?

Thanks!

> + 3 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 news/+1ee322a1.bugfix.rst
> +
> +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
> +new file mode 100644
> +index 000000000..edb1b320c
> +--- /dev/null
> ++++ b/news/+1ee322a1.bugfix.rst
> +@@ -0,0 +1 @@
> ++Use a path-segment prefix comparison, not char-by-char.
> +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
> +index 0ad3129ac..7cb3de3c4 100644
> +--- a/src/pip/_internal/utils/unpacking.py
> ++++ b/src/pip/_internal/utils/unpacking.py
> +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool:
> +     abs_directory = os.path.abspath(directory)
> +     abs_target = os.path.abspath(target)
> +
> +-    prefix = os.path.commonprefix([abs_directory, abs_target])
> ++    prefix = os.path.commonpath([abs_directory, abs_target])
> +     return prefix == abs_directory
> +
> +
> +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
> +index 6f373b1ac..a3abcfeb0 100644
> +--- a/tests/unit/test_utils_unpacking.py
> ++++ b/tests/unit/test_utils_unpacking.py
> +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
> +         (("parent/", "parent/sub"), True),
> +         # Test target outside parent
> +         (("parent/", "parent/../sub"), False),
> ++        # Test target sub-string of parent
> ++        (("parent/child", "parent/childfoo"), False),
> +     ],
> + )
> + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None:
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb
> index 350092d9ad..496eff1f15 100644
> --- a/meta/recipes-devtools/python/python3-pip_25.2.bb
> +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb
> @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>
>  inherit pypi python_setuptools_build_meta
>
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> +            file://CVE-2026-1703.patch \
> +            "
>
>  SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2"
>


--
Yoann Congal
Smile ECS


[-- Attachment #2: Type: text/html, Size: 9376 bytes --]

Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

[Adarsh Jagadish Kamini]

[-- Attachment #1: Type: text/plain, Size: 6151 bytes --]

Hi again,
It was not -p option, there was another problem.

Fixed it in v4

Thanks!
________________________________
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Sent: Tuesday, February 24, 2026 10:15
To: Yoann Congal <yoann.congal@smile.fr>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

Hi,
Sorry, it was the wrong -p option.

I will fix it in v4.

Thanks!
________________________________
From: Yoann Congal <yoann.congal@smile.fr>
Sent: Tuesday, February 24, 2026 09:36
To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703

On Sat Feb 21, 2026 at 10:23 AM CET, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
>
> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>
> Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> ---
>  .../python/python3-pip/CVE-2026-1703.patch    | 55 +++++++++++++++++++
>  .../python/python3-pip_25.2.bb                |  4 +-
>  2 files changed, 58 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
>
> diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> new file mode 100644
> index 0000000000..68220f8294
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
> @@ -0,0 +1,55 @@
> +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001
> +From: Damian Shaw <damian.peter.shaw@gmail.com>
> +Date: Fri, 30 Jan 2026 16:27:57 -0500
> +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath
> +
> +Use os.path.commonpath() instead of commonprefix()
> +
> +CVE: CVE-2026-1703
> +
> +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
> +---
> + news/+1ee322a1.bugfix.rst            | 1 +
> + src/pip/_internal/utils/unpacking.py | 2 +-
> + tests/unit/test_utils_unpacking.py   | 2 ++

Looks like this patch does not apply:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/68/builds/3312/steps/13/logs/stdio
  ERROR: nativesdk-python3-pip-25.2-r0 do_patch: Applying patch 'CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/sources/pip-25.2'
  CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch
  patching file news/+1ee322a1.bugfix.rst
  patching file src/pip/_internal/utils/unpacking.py
  can't find file to patch at input line 44
  Perhaps you used the wrong -p or --strip option?
  The text leading up to this was:
  --------------------------
  |diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
  |index 6f373b1ac..a3abcfeb0 100644
  |--- a/tests/unit/test_utils_unpacking.py
  |+++ b/tests/unit/test_utils_unpacking.py
  --------------------------
  No file to patch.  Skipping patch.
  1 out of 1 hunk ignored
  Patch CVE-2026-1703.patch does not apply (enforce with -f)
  stderr: ")

Can you check please?

Thanks!

> + 3 files changed, 4 insertions(+), 1 deletion(-)
> + create mode 100644 news/+1ee322a1.bugfix.rst
> +
> +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
> +new file mode 100644
> +index 000000000..edb1b320c
> +--- /dev/null
> ++++ b/news/+1ee322a1.bugfix.rst
> +@@ -0,0 +1 @@
> ++Use a path-segment prefix comparison, not char-by-char.
> +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
> +index 0ad3129ac..7cb3de3c4 100644
> +--- a/src/pip/_internal/utils/unpacking.py
> ++++ b/src/pip/_internal/utils/unpacking.py
> +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool:
> +     abs_directory = os.path.abspath(directory)
> +     abs_target = os.path.abspath(target)
> +
> +-    prefix = os.path.commonprefix([abs_directory, abs_target])
> ++    prefix = os.path.commonpath([abs_directory, abs_target])
> +     return prefix == abs_directory
> +
> +
> +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
> +index 6f373b1ac..a3abcfeb0 100644
> +--- a/tests/unit/test_utils_unpacking.py
> ++++ b/tests/unit/test_utils_unpacking.py
> +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
> +         (("parent/", "parent/sub"), True),
> +         # Test target outside parent
> +         (("parent/", "parent/../sub"), False),
> ++        # Test target sub-string of parent
> ++        (("parent/child", "parent/childfoo"), False),
> +     ],
> + )
> + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None:
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb
> index 350092d9ad..496eff1f15 100644
> --- a/meta/recipes-devtools/python/python3-pip_25.2.bb
> +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb
> @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>
>  inherit pypi python_setuptools_build_meta
>
> -SRC_URI += "file://no_shebang_mangling.patch"
> +SRC_URI += "file://no_shebang_mangling.patch \
> +            file://CVE-2026-1703.patch \
> +            "
>
>  SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2"
>


--
Yoann Congal
Smile ECS


[-- Attachment #2: Type: text/html, Size: 11218 bytes --]