new file mode 100644
@@ -0,0 +1,124 @@
+From e0264a61119d551658d9445af38323ba94fc16db Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Thu, 22 Aug 2024 19:24:33 -0400
+Subject: [PATCH] CVE-2024-8088: Sanitize names in zipfile.Path. (GH-122906)
+
+Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
+CVE: CVE-2024-8088
+
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ Lib/test/test_zipfile.py | 17 ++++++
+ Lib/zipfile.py | 61 ++++++++++++++++++-
+ 2 files changed, 77 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py
+index 32c0170..a60dc11 100644
+--- a/Lib/test/test_zipfile.py
++++ b/Lib/test/test_zipfile.py
+@@ -3280,6 +3280,23 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf:
+ zipfile.Path(zf)
+ zf.extractall(source_path.parent)
+
++ def test_malformed_paths(self):
++ """
++ Path should handle malformed paths.
++ """
++ data = io.BytesIO()
++ zf = zipfile.ZipFile(data, "w")
++ zf.writestr("/one-slash.txt", b"content")
++ zf.writestr("//two-slash.txt", b"content")
++ zf.writestr("../parent.txt", b"content")
++ zf.filename = ''
++ root = zipfile.Path(zf)
++ assert list(map(str, root.iterdir())) == [
++ 'one-slash.txt',
++ 'two-slash.txt',
++ 'parent.txt',
++ ]
++
+
+ class StripExtraTests(unittest.TestCase):
+ # Note: all of the "z" characters are technically invalid, but up
+diff --git a/Lib/zipfile.py b/Lib/zipfile.py
+index 7d18bc2..cbac8d9 100644
+--- a/Lib/zipfile.py
++++ b/Lib/zipfile.py
+@@ -9,6 +9,7 @@ import io
+ import itertools
+ import os
+ import posixpath
++import re
+ import shutil
+ import stat
+ import struct
+@@ -2182,7 +2183,65 @@ def _difference(minuend, subtrahend):
+ return itertools.filterfalse(set(subtrahend).__contains__, minuend)
+
+
+-class CompleteDirs(ZipFile):
++class SanitizedNames:
++ """
++ ZipFile mix-in to ensure names are sanitized.
++ """
++
++ def namelist(self):
++ return list(map(self._sanitize, super().namelist()))
++
++ @staticmethod
++ def _sanitize(name):
++ r"""
++ Ensure a relative path with posix separators and no dot names.
++ Modeled after
++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
++ but provides consistent cross-platform behavior.
++ >>> san = SanitizedNames._sanitize
++ >>> san('/foo/bar')
++ 'foo/bar'
++ >>> san('//foo.txt')
++ 'foo.txt'
++ >>> san('foo/.././bar.txt')
++ 'foo/bar.txt'
++ >>> san('foo../.bar.txt')
++ 'foo../.bar.txt'
++ >>> san('\\foo\\bar.txt')
++ 'foo/bar.txt'
++ >>> san('D:\\foo.txt')
++ 'D/foo.txt'
++ >>> san('\\\\server\\share\\file.txt')
++ 'server/share/file.txt'
++ >>> san('\\\\?\\GLOBALROOT\\Volume3')
++ '?/GLOBALROOT/Volume3'
++ >>> san('\\\\.\\PhysicalDrive1\\root')
++ 'PhysicalDrive1/root'
++ Retain any trailing slash.
++ >>> san('abc/')
++ 'abc/'
++ Raises a ValueError if the result is empty.
++ >>> san('../..')
++ Traceback (most recent call last):
++ ...
++ ValueError: Empty filename
++ """
++
++ def allowed(part):
++ return part and part not in {'..', '.'}
++
++ # Remove the drive letter.
++ # Don't use ntpath.splitdrive, because that also strips UNC paths
++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
++ clean = bare.replace('\\', '/')
++ parts = clean.split('/')
++ joined = '/'.join(filter(allowed, parts))
++ if not joined:
++ raise ValueError("Empty filename")
++ return joined + '/' * name.endswith('/')
++
++
++class CompleteDirs(SanitizedNames, ZipFile):
+ """
+ A ZipFile subclass that ensures that implied directories
+ are always included in the namelist.
+--
+2.35.7
+
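Review bot: `SanitizedNames.namelist()` rewrites the names it returns, but nothing in this hunk changes how members are looked up, so a cleaned name (for example `../parent.txt` reported as `parent.txt`) presumably no longer matches the stored member name, and distinct members such as `/a.txt` and `a.txt` would collapse into one entry; the rest of `CompleteDirs` and `Path` is outside the hunk, so this needs confirming there. `test_malformed_paths` only compares the `iterdir()` strings and never opens a rewritten entry, so it would not catch that. `_sanitize` also raises `ValueError("Empty filename")` for a name like `../..`, so a single such entry makes `namelist()` fail for the whole archive, and callers handling untrusted archives need to expect that exception. I would add a docstring to `namelist` along the lines of `"""Return member names cleaned by _sanitize; they may differ from the stored names, and ValueError propagates if a name sanitizes to empty."""`. The comment `# Remove the drive letter.` should say that only the colon is dropped, since the doctest shows `D:\foo.txt` becoming `D/foo.txt`.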
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://deterministic_imports.patch \
file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
file://0001-test_storlines-skip-due-to-load-variability.patch \
+ file://CVE-2024-8088.patch \
"
SRC_URI:append:class-native = " \