From patchwork Tue Feb 17 13:08:17 2026
X-Patchwork-Submitter: Adarsh Jagadish Kamini
X-Patchwork-Id: 81212
From: "Adarsh Jagadish Kamini"
To: openembedded-core@lists.openembedded.org
CC: Adarsh Jagadish Kamini
Subject: [OE-core][scarthgap][PATCH v3] python3-pip: Backport fix CVE-2026-1703
Date: Tue, 17 Feb 2026 14:08:17 +0100
Message-ID: <20260217130823.393314-1-adarsh.jagadish.kamini@est.tech>
X-Mailer: git-send-email 2.43.0
45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 17 Feb 2026 13:22:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231255 From: Adarsh Jagadish Kamini Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 Signed-off-by: Adarsh Jagadish Kamini --- .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++ .../python/python3-pip_24.0.bb | 4 +- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 0000000000..a30475319c --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch 
@@ -0,0 +1,55 @@ +From 2a89ce91220e50c1b667bd9d5075e1fd10c1fed2 Mon Sep 17 00:00:00 2001 +From: Damian Shaw +Date: Fri, 30 Jan 2026 16:27:57 -0500 +Subject: [PATCH v3] Merge pull request #13777 from sethmlarson/commonpath + +Use os.path.commonpath() instead of commonprefix() + +CVE: CVE-2026-1703 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] + +Signed-off-by: Adarsh Jagadish Kamini +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + tests/unit/test_utils_unpacking.py | 2 ++ + 3 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 000000000..edb1b320c +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 78b5c13ce..0b26525fb 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py +index 1f0b59dbd..724ca0be8 100644 +--- a/tests/unit/test_utils_unpacking.py ++++ b/tests/unit/test_utils_unpacking.py +@@ -202,6 +202,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: + (("parent/", "parent/sub"), True), + # Test target outside parent + (("parent/", "parent/../sub"), False), ++ # Test target sub-string of parent ++ (("parent/child", "parent/childfoo"), False), + ], + ) + def test_is_within_directory(args: Tuple[str, str], expected: 
bool) -> None: +-- +2.44.4 + diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb b/meta/recipes-devtools/python/python3-pip_24.0.bb index be4a29500a..35428260c3 100644 --- a/meta/recipes-devtools/python/python3-pip_24.0.bb +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb @@ -31,7 +31,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ inherit pypi python_setuptools_build_meta -SRC_URI += "file://no_shebang_mangling.patch" +SRC_URI += "file://no_shebang_mangling.patch \ + file://CVE-2026-1703.patch \ + " SRC_URI[sha256sum] = "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2"
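Review bot: the Subject line inside the embedded CVE-2026-1703.patch reads "[PATCH v3] Merge pull request #13777 from sethmlarson/commonpath"; that "v3" belongs to this OE-core submission, not to the upstream pip commit, and looks like a leftover from regenerating the backport with git format-patch -v3. Drop it so the patch file carries the upstream subject only. The CVE:, Upstream-Status: Backport [...] and Signed-off-by: lines are already in the form the OE patch guidelines expect.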
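Review bot: the src/pip/_internal/utils/unpacking.py hunk replaces os.path.commonprefix() with os.path.commonpath(), which is the right fix: commonprefix() compares character by character, so a target such as parent/childfoo shared the prefix parent/child with the directory and passed is_within_directory() while resolving to a sibling outside it, which is exactly the case the new (("parent/child", "parent/childfoo"), False) test covers. One caveat worth a sentence in the backport description: commonpath() raises ValueError rather than returning a value when its arguments mix absolute and relative paths or sit on different drives. The abspath() calls on the two lines above rule out the mixed case, but the different-drive case remains possible on Windows, so a ValueError out of is_within_directory() there is expected behaviour of the upstream change and not a regression introduced by this backport.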
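Review bot: the python3-pip_24.0.bb hunk only splits SRC_URI across lines to add file://CVE-2026-1703.patch, matching the recipe's existing quoting style, and changes nothing else. Because the patch header carries the CVE: CVE-2026-1703 tag, cve-check will mark this CVE as patched for the recipe once the patch is in SRC_URI, so no separate CVE_STATUS entry is needed.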