[scarthgap,06/12] python3-wheel: fix CVE-2026-24049

Message ID	20260409061639.1688205-7-jinfeng.wang.cn@windriver.com
State	New
Headers	show Return-Path: <Jinfeng.Wang.CN@windriver.com> ip: 205.220.166.238, mailfrom: prvs=8559144404=jinfeng.wang.cn@windriver.com) From: <jinfeng.wang.cn@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [scarthgap][PATCH 06/12] python3-wheel: fix CVE-2026-24049 Date: Thu, 9 Apr 2026 14:16:33 +0800 Message-ID: <20260409061639.1688205-7-jinfeng.wang.cn@windriver.com> In-Reply-To: <20260409061639.1688205-1-jinfeng.wang.cn@windriver.com> References: <20260409061639.1688205-1-jinfeng.wang.cn@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	Fix multiple CVEs \| expand [scarthgap,00/12] Fix multiple CVEs [scarthgap,01/12] gi-docgen: fix CVE-2025-11687 [scarthgap,02/12] libsoup: fix CVE-2025-14523/CVE-2025-32049 [scarthgap,03/12] libsoup-2.4: fix CVE-2025-14523/CVE-2025-32049 [scarthgap,04/12] python3-ply: fix CVE-2025-56005 [scarthgap,05/12] python3-pyasn1: fix CVE-2026-23490 [scarthgap,06/12] python3-wheel: fix CVE-2026-24049 [scarthgap,07/12] gnupg: fix CVE-2026-24882 [scarthgap,08/12] libxml2: Fix CVE-2026-1757 [scarthgap,09/12] python3-pyasn1: fix CVE-2026-30922 [scarthgap,10/12] busybox: fix CVE-2026-26157 and CVE-2026-26158 [scarthgap,11/12] zlib: upgrade 1.3.1 -> 1.3.2 [scarthgap,12/12] libpcap: 1.10.4 -> 1.10.6

Message ID

20260409061639.1688205-7-jinfeng.wang.cn@windriver.com

State

New

Headers

From: <jinfeng.wang.cn@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [scarthgap][PATCH 06/12] python3-wheel: fix CVE-2026-24049
Date: Thu, 9 Apr 2026 14:16:33 +0800
Message-ID: <20260409061639.1688205-7-jinfeng.wang.cn@windriver.com>
In-Reply-To: <20260409061639.1688205-1-jinfeng.wang.cn@windriver.com>
References: <20260409061639.1688205-1-jinfeng.wang.cn@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

Fix multiple CVEs | expand

Commit Message

Wang, Jinfeng (CN) April 9, 2026, 6:16 a.m. UTC

From: Guocai He <guocai.he.cn@windriver.com>

Backport patch to fix CVE-2026-24049 per reference [1] [2].

[1] https://security-tracker.debian.org/tracker/CVE-2026-24049
[2] https://github.com/pypa/wheel/commit/7a7d2de96b

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
---
 .../python/python3-wheel/CVE-2026-24049.patch | 73 +++++++++++++++++++
 .../python/python3-wheel_0.42.0.bb            |  2 +
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-wheel/CVE-2026-24049.patch

diff --git a/meta/recipes-devtools/python/python3-wheel/CVE-2026-24049.patch b/meta/recipes-devtools/python/python3-wheel/CVE-2026-24049.patch
new file mode 100644
index 0000000000..89a848c100
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-wheel/CVE-2026-24049.patch
@@ -0,0 +1,73 @@ 
+From 363aef740d670c37d76b6fd86e2a28886de23f45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+Fixes CVE-2026-24049.
+
+CVE: CVE-2026-24049
+
+In test case, the API "run_command" is not defined and use "unpack" directly.
+ 
+Upstream-Status: Backport [https://github.com/pypa/wheel/commit/7a7d2de96b]
+
+Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
+---
+ src/wheel/cli/unpack.py  |  4 ++--
+ tests/cli/test_unpack.py | 22 ++++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/src/wheel/cli/unpack.py
++++ b/src/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+         destination = Path(dest) / namever
+         print(f"Unpacking to: {destination}...", end="", flush=True)
+         for zinfo in wf.filelist:
+-            wf.extract(zinfo, destination)
++            target_path = Path(wf.extract(zinfo, destination))
+ 
+             # Set permissions to the same values as they were set in the archive
+             # We have to do this manually due to
+             # https://github.com/python/cpython/issues/59999
+             permissions = zinfo.external_attr >> 16 & 0o777
+-            destination.joinpath(zinfo.filename).chmod(permissions)
++            target_path.chmod(permissions)
+ 
+     print("OK")
+diff --git a/tests/cli/test_unpack.py b/tests/cli/test_unpack.py
+index ae584af..96d1391 100644
+--- a/tests/cli/test_unpack.py
++++ b/tests/cli/test_unpack.py
+@@ -34,3 +34,25 @@ def test_unpack_executable_bit(tmp_path):
+     unpack(str(wheel_path), str(tmp_path))
+     assert not script_path.is_dir()
+     assert stat.S_IMODE(script_path.stat().st_mode) == 0o755
++
++@pytest.mark.skipif(
++    platform.system() == "Windows", reason="Windows does not support chmod()"
++)
++def test_chmod_outside_unpack_tree(tmp_path_factory: TempPathFactory) -> None:
++    wheel_path = tmp_path_factory.mktemp("build") / "test-1.0-py3-none-any.whl"
++    with WheelFile(wheel_path, "w") as wf:
++        wf.writestr(
++            "test-1.0.dist-info/METADATA",
++            "Metadata-Version: 2.4\nName: test\nVersion: 1.0\n",
++        )
++        wf.writestr("../../system-file", b"malicious data")
++
++    extract_root_path = tmp_path_factory.mktemp("extract")
++    system_file = extract_root_path / "system-file"
++    extract_path = extract_root_path / "subdir"
++    system_file.write_bytes(b"important data")
++    system_file.chmod(0o755)
++    unpack(str(wheel_path), str(extract_path))
++
++    assert system_file.read_bytes() == b"important data"
++    assert stat.S_IMODE(system_file.stat().st_mode) == 0o755
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/python/python3-wheel_0.42.0.bb b/meta/recipes-devtools/python/python3-wheel_0.42.0.bb
index 807888e6c0..934f258a93 100644
--- a/meta/recipes-devtools/python/python3-wheel_0.42.0.bb
+++ b/meta/recipes-devtools/python/python3-wheel_0.42.0.bb
@@ -8,6 +8,8 @@  SRC_URI[sha256sum] = "c45be39f7882c9d34243236f2d63cbd58039e360f85d0913425fbd7cee
 
 inherit python_flit_core pypi
 
+SRC_URI += "file://CVE-2026-24049.patch"
+
 BBCLASSEXTEND = "native nativesdk"
 
 # This used to use the bootstrap install which didn't compile. Until we bump the

[scarthgap,06/12] python3-wheel: fix CVE-2026-24049

Commit Message

Patch