From patchwork Mon Jul 6 10:45:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Benjamin Robin (Schneider Electric)" X-Patchwork-Id: 91792 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 012FBC44501 for ; Mon, 6 Jul 2026 10:45:17 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.147379.1783334714864769544 for ; Mon, 06 Jul 2026 03:45:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=q+EwkxLA; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id 403F91A0E8E for ; Mon, 6 Jul 2026 10:45:13 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 0EECF601A2; Mon, 6 Jul 2026 10:45:13 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 2F31711BBA00F; Mon, 6 Jul 2026 12:45:12 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1783334712; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=g5y1PH2vEAmyvduImqFJtJ3ad/q1rYp4LUON897QuEo=; b=q+EwkxLAuSyGw1yqXhR+m8dJBJevjmDC+tSl4qchKSbanT77nli3W5625QLTI3y+aNtCBR jUYH1OmQx99cLZuEWNmz4mbx36Q6DVmXqlCj0A7XbO0wrAN/x68SccZLdZiXaYk0lM70Fa 9GyVmPPPefPKvnlC+AibD3v6c+vIIj5ApdfYVGEMNwdRl2pW7esCRLy6ImEo8TRlJGHPcv FKltcYoSN1rzXn6EgXAAJPJq1GMb7RsE+dLg5WDZnYMK7Uxtfajwxgl9z10JLY/G5MRpAC 5Y78fzdXbHapPyXZie8LvXEzdC5BTMaxkdhV8W9QBKHiLjW4I7q05Zp2fIQxHg== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 06 Jul 2026 12:45:07 +0200 Subject: [PATCH 2/2] python3: fix CVE-2026-11972 MIME-Version: 1.0 Message-Id: <20260706-fix-cves-python-master-v1-2-9a2a86be5bfd@bootlin.com> References: <20260706-fix-cves-python-master-v1-0-9a2a86be5bfd@bootlin.com> In-Reply-To: <20260706-fix-cves-python-master-v1-0-9a2a86be5bfd@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: olivier.benjamin@bootlin.com, mathieu.dubois-briand@bootlin.com, pascal.eberhard@se.com, wahid.essid@se.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 10:45:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240241 When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. Signed-off-by: Benjamin Robin (Schneider Electric) --- .../python/python3/CVE-2026-11972.patch | 59 ++++++++++++++++++++++ meta/recipes-devtools/python/python3_3.14.6.bb | 1 + 2 files changed, 60 insertions(+) diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch new file mode 100644 index 000000000000..7dc9c6697112 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch @@ -0,0 +1,59 @@ +From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 23 Jun 2026 15:13:30 +0200 +Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF + (GH-151982) + +CVE: CVE-2026-11972 +Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896] + +Signed-off-by: Benjamin Robin +--- + Lib/tarfile.py | 4 +++- + Lib/test/test_tarfile.py | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 63f23490e8a1..399f906efdff 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -524,7 +524,9 @@ def seek(self, pos=0): + if pos - self.pos >= 0: + blocks, remainder = divmod(pos - self.pos, self.bufsize) + for i in range(blocks): +- self.read(self.bufsize) ++ data = self.read(self.bufsize) ++ if not data: ++ break + self.read(remainder) + else: + raise StreamError("seeking backwards is not allowed") +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 0fc7413be8db..045377d620cc 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path): + with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter): + self.expect_exception(TypeError) # errorlevel is not int + ++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT]) ++ def test_getmembers_big_size(self, format): ++ # gh-151981: A loop in seek() for streaming files tried to read the ++ # declared number of blocks even at EOF ++ tinfo = tarfile.TarInfo("huge-file") ++ tinfo.size = 1 << 64 ++ bio = io.BytesIO() ++ # Write header without data ++ bio.write(tinfo.tobuf(format)) ++ ++ # Reset & try to get contents ++ bio.seek(0) ++ with tarfile.open(fileobj=bio, mode="r|") as tar: ++ with self.assertRaises(tarfile.ReadError): ++ tar.getmembers() ++ + + class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + testdir = os.path.join(TEMPDIR, "testoverwrite") +-- +2.54.0 diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb index 23fc152950ea..a45a4561339f 100644 --- a/meta/recipes-devtools/python/python3_3.14.6.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -23,6 +23,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-Update-test_sysconfig-for-posix_user-purelib.patch \ file://0001-prefer-valid-entrypoints.patch \ file://CVE-2026-11940.patch \ + file://CVE-2026-11972.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \