On Tue Feb 10, 2026 at 1:44 PM CET, Mathieu Dubois-Briand wrote:
> On Mon Feb 9, 2026 at 10:24 PM CET, Adarsh Jagadish Kamini wrote:
>> From: Adarsh Jagadish Kamini <[email protected]>
>>
>> Include the patch linked in the NVD report:
>> https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735
>>
>> Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
>> ---
>
> Hi Adarsh,
>
> Thanks for your patch.
>
>> --- a/meta/recipes-devtools/python/python3-pip_24.0.bb
>> +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb
>> @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM =
>> "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \
>>
>> inherit pypi python_setuptools_build_meta
>>
>> -SRC_URI += "file://no_shebang_mangling.patch"
>> +SRC_URI += "file://no_shebang_mangling.patch \
>> + file://CVE-2026-1703.patch \"
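
Review bot: the added continuation line `file://CVE-2026-1703.patch \"` ends with a backslash directly before the closing quote; a trailing backslash is only needed on the `no_shebang_mangling.patch` line to continue the value, so the last entry should end as `file://CVE-2026-1703.patch"`. Separately, this hunk edits python3-pip_24.0.bb while the do_patch failure reported in this thread is for python3-pip-native-25.3, and the commit message as quoted does not say which branch the change targets; stating that would make clear which recipe version the backport has to apply to.
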
>
> There is an extra backslash before the ending quote.
>
> Thanks,
> Mathieu

Also, it looks like the patch itself does not apply cleanly:

ERROR: python3-pip-native-25.3-r0 do_patch: Applying patch
'/srv/pokybuild/yocto-worker/buildtools/build/layers/openembedded-core/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch'
on target directory
'/srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-linux/python3-pip-native/25.3/sources/pip-25.3'
CmdError('quilt --quiltrc
/srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-linux/python3-pip-native/25.3/recipe-sysroot-native/etc/quiltrc
push', 0, "stdout: Applying patch CVE-2026-1703.patch
patching file news/+1ee322a1.bugfix.rst
patching file src/pip/_internal/utils/unpacking.py
Hunk #1 succeeded at 83 (offset 2 lines).
can't find file to patch at input line 44
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/tests/unit/test_utils_unpacking.py
b/tests/unit/test_utils_unpacking.py
|index 1f0b59dbd..724ca0be8 100644
|--- a/tests/unit/test_utils_unpacking.py
|+++ b/tests/unit/test_utils_unpacking.py
--------------------------
No file to patch. Skipping patch.
1 out of 1 hunk ignored
Patch CVE-2026-1703.patch does not apply (enforce with -f)
stderr: ")

https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/3192

Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com