From: Vijay Anusuri <[email protected]> Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-1703 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703 [3] https://github.com/pypa/pip/pull/13777 Signed-off-by: Vijay Anusuri <[email protected]> --- .../python/python3-pip/CVE-2026-1703.patch | 37 +++++++++++++++++++ .../python/python3-pip_22.0.3.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 0000000000..7a9bc1c9af --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch @@ -0,0 +1,37 @@ +From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <[email protected]> +Date: Fri, 30 Jan 2026 09:49:11 -0600 +Subject: [PATCH] Use os.path.commonpath() instead of commonprefix() + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124] +CVE: CVE-2026-1703 +Signed-off-by: Vijay Anusuri <[email protected]> +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 0000000..edb1b32 +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 5f63f97..3cebbf7 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-pip_22.0.3.bb b/meta/recipes-devtools/python/python3-pip_22.0.3.bb index 28eab9c3de..e49be58839 100644 --- a/meta/recipes-devtools/python/python3-pip_22.0.3.bb +++ b/meta/recipes-devtools/python/python3-pip_22.0.3.bb @@ -38,6 +38,7 @@ SRC_URI += "file://0001-change-shebang-to-python3.patch \ file://no_shebang_mangling.patch \ file://reproducible.patch \ file://CVE-2023-5752.patch \ + file://CVE-2026-1703.patch \ " SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#232866): https://lists.openembedded.org/g/openembedded-core/message/232866 Mute This Topic: https://lists.openembedded.org/mt/118257977/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
