From: "Adarsh Jagadish Kamini"
To: openembedded-core@lists.openembedded.org
CC: Adarsh Jagadish Kamini
Subject: [OE-core][scarthgap][PATCH] python3-pip: patch CVE-2026-1703
Date: Mon, 9 Feb 2026 15:01:04 +0100
Message-ID: <20260209140108.33848-1-adarsh.jagadish.kamini@est.tech>
From: Adarsh Jagadish Kamini

Include the patch linked in the NVD report: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735

Signed-off-by: Adarsh Jagadish Kamini
---
 .../python/python3-pip/CVE-2026-1703.patch | 55 +++++++++++++++++++
 .../python/python3-pip_24.0.bb | 3 +-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch new file mode 100644 index 0000000000..8d34d2acb4 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch
@@ -0,0 +1,55 @@ +From ed41e052ebe78fcf043c43ea05bf16f73dfbb581 Mon Sep 17 00:00:00 2001 +From: Damian Shaw +Date: Fri, 30 Jan 2026 16:27:57 -0500 +Subject: [PATCH] Merge pull request #13777 from sethmlarson/commonpath + +Use os.path.commonpath() instead of commonprefix() + +CVE: CVE-2026-1703 + +Upstream-Status: Backport [https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735] + +Signed-off-by: Adarsh Jagadish Kamini +--- + news/+1ee322a1.bugfix.rst | 1 + + src/pip/_internal/utils/unpacking.py | 2 +- + tests/unit/test_utils_unpacking.py | 2 ++ + 3 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 news/+1ee322a1.bugfix.rst + +diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst +new file mode 100644 +index 000000000..edb1b320c +--- /dev/null ++++ b/news/+1ee322a1.bugfix.rst +@@ -0,0 +1 @@ ++Use a path-segment prefix comparison, not char-by-char. +diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py +index 78b5c13ce..0b26525fb 100644 +--- a/src/pip/_internal/utils/unpacking.py ++++ b/src/pip/_internal/utils/unpacking.py +@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool: + abs_directory = os.path.abspath(directory) + abs_target = os.path.abspath(target) + +- prefix = os.path.commonprefix([abs_directory, abs_target]) ++ prefix = os.path.commonpath([abs_directory, abs_target]) + return prefix == abs_directory + + +diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py +index 1f0b59dbd..724ca0be8 100644 +--- a/tests/unit/test_utils_unpacking.py ++++ b/tests/unit/test_utils_unpacking.py +@@ -202,6 +202,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None: + (("parent/", "parent/sub"), True), + # Test target outside parent + (("parent/", "parent/../sub"), False), ++ # Test target sub-string of parent ++ (("parent/child", "parent/childfoo"), False), + ], + ) + def test_is_within_directory(args: Tuple[str, str], expected: 
bool) -> None: +-- +2.44.0 + diff --git a/meta/recipes-devtools/python/python3-pip_24.0.bb b/meta/recipes-devtools/python/python3-pip_24.0.bb index be4a29500a..83f8d869ac 100644 --- a/meta/recipes-devtools/python/python3-pip_24.0.bb +++ b/meta/recipes-devtools/python/python3-pip_24.0.bb @@ -31,7 +31,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=63ec52baf95163b597008bb46db68030 \ inherit pypi python_setuptools_build_meta -SRC_URI += "file://no_shebang_mangling.patch" +SRC_URI += "file://no_shebang_mangling.patch \ + file://CVE-2026-1703.patch \" SRC_URI[sha256sum] = "ea9bd1a847e8c5774a5777bb398c19e80bcd4e2aa16a4b301b718fe6f593aba2"
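Review bot: In the src/pip/_internal/utils/unpacking.py hunk, the replacement `prefix = os.path.commonpath([abs_directory, abs_target])` corrects the check but leaves the reason undocumented at the call site: commonprefix() compares character by character, so for directory `parent/child` and target `parent/childfoo` it returned `parent/child`, the following `return prefix == abs_directory` accepted an extraction target that lies outside the directory, and commonpath() only returns whole path segments (`parent` here), so that comparison now fails as intended. Suggest a one-line comment above the assignment stating that the containment test must be segment-wise, not string-prefix based. Separately, os.path.commonpath() raises ValueError rather than returning a value when its arguments are on different drives (Windows); both inputs are already passed through abspath(), so the mixed absolute/relative case cannot arise, but the drive case would now propagate as an exception out of is_within_directory(), so consider catching it and returning False to keep the function's boolean contract.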
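Review bot: In the tests/unit/test_utils_unpacking.py hunk, the added `(("parent/child", "parent/childfoo"), False)` case covers exactly the sibling-with-a-common-string-prefix input that the old commonprefix() check got wrong, which is the right regression test; the table still has no case where the target equals the directory itself, so adding `(("parent/child", "parent/child"), True)` beside it would pin down that the new `prefix == abs_directory` comparison still accepts the directory boundary, and a `"parent/child/"` trailing-separator variant would document that both sides are normalized before comparison.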
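Review bot: In the python3-pip_24.0.bb hunk, the new SRC_URI value ends with `file://CVE-2026-1703.patch \` immediately followed by the closing `"`; as extracted here the quote sits on the same line as the continuation backslash, so please confirm the committed file places the closing quote on its own line, the usual OE-core layout, which also lets the next CVE patch be appended without rewriting this line. The patch's Upstream-Status header cites the same pypa/pip commit 8e227a9be4faa9594e05d02ca05a413a2a4e7735 as the cover message, and the CVE: tag matches the recipe patch name, so the metadata the CVE checker relies on is consistent.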