* [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 @ 2026-02-21 9:23 Adarsh Jagadish Kamini 2026-02-24 8:36 ` Yoann Congal 0 siblings, 1 reply; 4+ messages in thread From: Adarsh Jagadish Kamini @ 2026-02-21 9:23 UTC (permalink / raw) To: openembedded-core; +Cc: Adarsh Jagadish Kamini From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> --- .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ .../python/python3-pip_25.2.bb | 4 +- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 0000000000..68220f8294 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch @@ -0,0 +1,55 @@ +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001 +From: Damian Shaw <damian.peter.shaw@gmail.com> +Date: Fri, 30 Jan 2026 16:27:57 -0500 +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath + +Use os.path.commonpath() instead of commonprefix() + +CVE: CVE-2026-1703 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] + +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + tests/unit/test_utils_unpacking.py | 2 ++ + 3 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 000000000..edb1b320c +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 0ad3129ac..7cb3de3c4 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py +index 6f373b1ac..a3abcfeb0 100644 +--- a/tests/unit/test_utils_unpacking.py ++++ b/tests/unit/test_utils_unpacking.py +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: + (("parent/", "parent/sub"), True), + # Test target outside parent + (("parent/", "parent/../sub"), False), ++ # Test target sub-string of parent ++ (("parent/child", "parent/childfoo"), False), + ], + ) + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None: +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb index 350092d9ad..496eff1f15 100644 --- a/meta/recipes-devtools/python/python3-pip_25.2.bb +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ inherit pypi python_setuptools_build_meta -SRC_URI += "file://no_shebang_mangling.patch" +SRC_URI += "file://no_shebang_mangling.patch \ + file://CVE-2026-1703.patch \ + " SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2" -- 2.34.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 2026-02-21 9:23 [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 Adarsh Jagadish Kamini @ 2026-02-24 8:36 ` Yoann Congal 2026-02-24 9:15 ` Adarsh Jagadish Kamini 0 siblings, 1 reply; 4+ messages in thread From: Yoann Congal @ 2026-02-24 8:36 UTC (permalink / raw) To: adarsh.jagadish.kamini, openembedded-core On Sat Feb 21, 2026 at 10:23 AM CET, Adarsh Jagadish Kamini via lists.openembedded.org wrote: > From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > > Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 > > Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > --- > .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ > .../python/python3-pip_25.2.bb | 4 +- > 2 files changed, 58 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > > diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > new file mode 100644 > index 0000000000..68220f8294 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > @@ -0,0 +1,55 @@ > +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001 > +From: Damian Shaw <damian.peter.shaw@gmail.com> > +Date: Fri, 30 Jan 2026 16:27:57 -0500 > +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath > + > +Use os.path.commonpath() instead of commonprefix() > + > +CVE: CVE-2026-1703 > + > +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] > + > +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > +--- > + news/+1ee322a1.bugfix.rst | 1 + > + src/pip/_internal/utils/unpacking.py | 2 +- > + tests/unit/test_utils_unpacking.py | 2 ++ Looks like this patch does not apply: https://autobuilder.yoctoproject.org/valkyrie/?#/builders/68/builds/3312/steps/13/logs/stdio ERROR: nativesdk-python3-pip-25.2-r0 do_patch: Applying patch 'CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/sources/pip-25.2' CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch patching file news/+1ee322a1.bugfix.rst patching file src/pip/_internal/utils/unpacking.py can't find file to patch at input line 44 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py |index 6f373b1ac..a3abcfeb0 100644 |--- a/tests/unit/test_utils_unpacking.py |+++ b/tests/unit/test_utils_unpacking.py -------------------------- No file to patch. Skipping patch. 1 out of 1 hunk ignored Patch CVE-2026-1703.patch does not apply (enforce with -f) stderr: ") Can you check please? Thanks! > + 3 files changed, 4 insertions(+), 1 deletion(-) > + create mode 100644 news/+1ee322a1.bugfix.rst > + > +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst > +new file mode 100644 > +index 000000000..edb1b320c > +--- /dev/null > ++++ b/news/+1ee322a1.bugfix.rst > +@@ -0,0 +1 @@ > ++Use a path-segment prefix comparison, not char-by-char. > +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py > +index 0ad3129ac..7cb3de3c4 100644 > +--- a/src/pip/_internal/utils/unpacking.py > ++++ b/src/pip/_internal/utils/unpacking.py > +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool: > + abs_directory = os.path.abspath(directory) > + abs_target = os.path.abspath(target) > + > +- prefix = os.path.commonprefix([abs_directory, abs_target]) > ++ prefix = os.path.commonpath([abs_directory, abs_target]) > + return prefix == abs_directory > + > + > +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py > +index 6f373b1ac..a3abcfeb0 100644 > +--- a/tests/unit/test_utils_unpacking.py > ++++ b/tests/unit/test_utils_unpacking.py > +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: > + (("parent/", "parent/sub"), True), > + # Test target outside parent > + (("parent/", "parent/../sub"), False), > ++ # Test target sub-string of parent > ++ (("parent/child", "parent/childfoo"), False), > + ], > + ) > + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None: > +-- > +2.34.1 > + > diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb > index 350092d9ad..496eff1f15 100644 > --- a/meta/recipes-devtools/python/python3-pip_25.2.bb > +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb > @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ > > inherit pypi python_setuptools_build_meta > > -SRC_URI += "file://no_shebang_mangling.patch" > +SRC_URI += "file://no_shebang_mangling.patch \ > + file://CVE-2026-1703.patch \ > + " > > SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2" > -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 2026-02-24 8:36 ` Yoann Congal @ 2026-02-24 9:15 ` Adarsh Jagadish Kamini 2026-02-24 13:51 ` Adarsh Jagadish Kamini 0 siblings, 1 reply; 4+ messages in thread From: Adarsh Jagadish Kamini @ 2026-02-24 9:15 UTC (permalink / raw) To: Yoann Congal, openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 5708 bytes --] Hi, Sorry, it was the wrong -p option. I will fix it in v4. Thanks! ________________________________ From: Yoann Congal <yoann.congal@smile.fr> Sent: Tuesday, February 24, 2026 09:36 To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> Subject: Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 On Sat Feb 21, 2026 at 10:23 AM CET, Adarsh Jagadish Kamini via lists.openembedded.org wrote: > From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > > Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 > > Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > --- > .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ > .../python/python3-pip_25.2.bb | 4 +- > 2 files changed, 58 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > > diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > new file mode 100644 > index 0000000000..68220f8294 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > @@ -0,0 +1,55 @@ > +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001 > +From: Damian Shaw <damian.peter.shaw@gmail.com> > +Date: Fri, 30 Jan 2026 16:27:57 -0500 > +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath > + > +Use os.path.commonpath() instead of commonprefix() > + > +CVE: CVE-2026-1703 > + > +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] > + > +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > +--- > + news/+1ee322a1.bugfix.rst | 1 + > + src/pip/_internal/utils/unpacking.py | 2 +- > + tests/unit/test_utils_unpacking.py | 2 ++ Looks like this patch does not apply: https://autobuilder.yoctoproject.org/valkyrie/?#/builders/68/builds/3312/steps/13/logs/stdio ERROR: nativesdk-python3-pip-25.2-r0 do_patch: Applying patch 'CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/sources/pip-25.2' CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch patching file news/+1ee322a1.bugfix.rst patching file src/pip/_internal/utils/unpacking.py can't find file to patch at input line 44 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py |index 6f373b1ac..a3abcfeb0 100644 |--- a/tests/unit/test_utils_unpacking.py |+++ b/tests/unit/test_utils_unpacking.py -------------------------- No file to patch. Skipping patch. 1 out of 1 hunk ignored Patch CVE-2026-1703.patch does not apply (enforce with -f) stderr: ") Can you check please? Thanks! > + 3 files changed, 4 insertions(+), 1 deletion(-) > + create mode 100644 news/+1ee322a1.bugfix.rst > + > +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst > +new file mode 100644 > +index 000000000..edb1b320c > +--- /dev/null > ++++ b/news/+1ee322a1.bugfix.rst > +@@ -0,0 +1 @@ > ++Use a path-segment prefix comparison, not char-by-char. > +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py > +index 0ad3129ac..7cb3de3c4 100644 > +--- a/src/pip/_internal/utils/unpacking.py > ++++ b/src/pip/_internal/utils/unpacking.py > +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool: > + abs_directory = os.path.abspath(directory) > + abs_target = os.path.abspath(target) > + > +- prefix = os.path.commonprefix([abs_directory, abs_target]) > ++ prefix = os.path.commonpath([abs_directory, abs_target]) > + return prefix == abs_directory > + > + > +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py > +index 6f373b1ac..a3abcfeb0 100644 > +--- a/tests/unit/test_utils_unpacking.py > ++++ b/tests/unit/test_utils_unpacking.py > +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: > + (("parent/", "parent/sub"), True), > + # Test target outside parent > + (("parent/", "parent/../sub"), False), > ++ # Test target sub-string of parent > ++ (("parent/child", "parent/childfoo"), False), > + ], > + ) > + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None: > +-- > +2.34.1 > + > diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb > index 350092d9ad..496eff1f15 100644 > --- a/meta/recipes-devtools/python/python3-pip_25.2.bb > +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb > @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ > > inherit pypi python_setuptools_build_meta > > -SRC_URI += "file://no_shebang_mangling.patch" > +SRC_URI += "file://no_shebang_mangling.patch \ > + file://CVE-2026-1703.patch \ > + " > > SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2" > -- Yoann Congal Smile ECS [-- Attachment #2: Type: text/html, Size: 9376 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 2026-02-24 9:15 ` Adarsh Jagadish Kamini @ 2026-02-24 13:51 ` Adarsh Jagadish Kamini 0 siblings, 0 replies; 4+ messages in thread From: Adarsh Jagadish Kamini @ 2026-02-24 13:51 UTC (permalink / raw) To: Yoann Congal, openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 6151 bytes --] Hi again, It was not -p option, there was another problem. Fixed it in v4 Thanks! ________________________________ From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Sent: Tuesday, February 24, 2026 10:15 To: Yoann Congal <yoann.congal@smile.fr>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> Subject: Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 Hi, Sorry, it was the wrong -p option. I will fix it in v4. Thanks! ________________________________ From: Yoann Congal <yoann.congal@smile.fr> Sent: Tuesday, February 24, 2026 09:36 To: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> Subject: Re: [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 On Sat Feb 21, 2026 at 10:23 AM CET, Adarsh Jagadish Kamini via lists.openembedded.org wrote: > From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > > Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 > > Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > --- > .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ > .../python/python3-pip_25.2.bb | 4 +- > 2 files changed, 58 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > > diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > new file mode 100644 > index 0000000000..68220f8294 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch > @@ -0,0 +1,55 @@ > +From 34bdfa654f2d3f9d036fb2abb28c175182a3da5c Mon Sep 17 00:00:00 2001 > +From: Damian Shaw <damian.peter.shaw@gmail.com> > +Date: Fri, 30 Jan 2026 16:27:57 -0500 > +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath > + > +Use os.path.commonpath() instead of commonprefix() > + > +CVE: CVE-2026-1703 > + > +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] > + > +Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> > +--- > + news/+1ee322a1.bugfix.rst | 1 + > + src/pip/_internal/utils/unpacking.py | 2 +- > + tests/unit/test_utils_unpacking.py | 2 ++ Looks like this patch does not apply: https://autobuilder.yoctoproject.org/valkyrie/?#/builders/68/builds/3312/steps/13/logs/stdio ERROR: nativesdk-python3-pip-25.2-r0 do_patch: Applying patch 'CVE-2026-1703.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/sources/pip-25.2' CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-64/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-python3-pip/25.2/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch CVE-2026-1703.patch patching file news/+1ee322a1.bugfix.rst patching file src/pip/_internal/utils/unpacking.py can't find file to patch at input line 44 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py |index 6f373b1ac..a3abcfeb0 100644 |--- a/tests/unit/test_utils_unpacking.py |+++ b/tests/unit/test_utils_unpacking.py -------------------------- No file to patch. Skipping patch. 1 out of 1 hunk ignored Patch CVE-2026-1703.patch does not apply (enforce with -f) stderr: ") Can you check please? Thanks! > + 3 files changed, 4 insertions(+), 1 deletion(-) > + create mode 100644 news/+1ee322a1.bugfix.rst > + > +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst > +new file mode 100644 > +index 000000000..edb1b320c > +--- /dev/null > ++++ b/news/+1ee322a1.bugfix.rst > +@@ -0,0 +1 @@ > ++Use a path-segment prefix comparison, not char-by-char. > +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py > +index 0ad3129ac..7cb3de3c4 100644 > +--- a/src/pip/_internal/utils/unpacking.py > ++++ b/src/pip/_internal/utils/unpacking.py > +@@ -83,7 +83,7 @@ def is_within_directory(directory: str, target: str) -> bool: > + abs_directory = os.path.abspath(directory) > + abs_target = os.path.abspath(target) > + > +- prefix = os.path.commonprefix([abs_directory, abs_target]) > ++ prefix = os.path.commonpath([abs_directory, abs_target]) > + return prefix == abs_directory > + > + > +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py > +index 6f373b1ac..a3abcfeb0 100644 > +--- a/tests/unit/test_utils_unpacking.py > ++++ b/tests/unit/test_utils_unpacking.py > +@@ -269,6 +269,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: > + (("parent/", "parent/sub"), True), > + # Test target outside parent > + (("parent/", "parent/../sub"), False), > ++ # Test target sub-string of parent > ++ (("parent/child", "parent/childfoo"), False), > + ], > + ) > + def test_is_within_directory(args: tuple[str, str], expected: bool) -> None: > +-- > +2.34.1 > + > diff --git a/meta/recipes-devtools/python/python3-pip_25.2.bb b/meta/recipes-devtools/python/python3-pip_25.2.bb > index 350092d9ad..496eff1f15 100644 > --- a/meta/recipes-devtools/python/python3-pip_25.2.bb > +++ b/meta/recipes-devtools/python/python3-pip_25.2.bb > @@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ > > inherit pypi python_setuptools_build_meta > > -SRC_URI += "file://no_shebang_mangling.patch" > +SRC_URI += "file://no_shebang_mangling.patch \ > + file://CVE-2026-1703.patch \ > + " > > SRC_URI[sha256sum] = "578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2" > -- Yoann Congal Smile ECS [-- Attachment #2: Type: text/html, Size: 11218 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-24 13:58 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-02-21 9:23 [OE-core][whinlatter][PATCH v3] python3-pip: Backport fix CVE-2026-1703 Adarsh Jagadish Kamini 2026-02-24 8:36 ` Yoann Congal 2026-02-24 9:15 ` Adarsh Jagadish Kamini 2026-02-24 13:51 ` Adarsh Jagadish Kamini
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox