From patchwork Mon Jul 6 11:00:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Benjamin Robin (Schneider Electric)" X-Patchwork-Id: 91795 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 84A55C44503 for ; Mon, 6 Jul 2026 11:00:47 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.147665.1783335638420090329 for ; Mon, 06 Jul 2026 04:00:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=xWi8jBwo; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 312674E40CAD; Mon, 6 Jul 2026 11:00:36 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id F2866601A2; Mon, 6 Jul 2026 11:00:35 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 9918411BBA04C; Mon, 6 Jul 2026 13:00:34 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1783335635; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=kgj735z3Figb1ZeMqJ0/uouPwywbTlrpWqF0P3gXYFE=; b=xWi8jBwoNNgEkliZpawPVW9AmTLl8A/2zSOw9kR7l9gm9mMCTugFMBzGXqj7Amdfs/U4Co dS+NQpEetg830Te3uioQBNW4EP0RLrsbx4qfNii48qfWpZHetdxkfmm+IBdryS1kiCySGX zX2Ui90HOuR4GG04oo62Rw6Vkfc0QZLi1Fh5GVkfZcs5G1WhcZ332120Er1HOZesgmQU6r lzi+p8kIgnuJHL9gXsN80NZ8G/mwcSWMiRH3Whuxtji1boQh5ALzNdq5w4jWEVdP+yeFC8 La71q8GW37XdHjJfc5qwv5VF6iXs2oF58E+cBNWHBkYBAJSupoRt+0IYpOCC4Q== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 06 Jul 2026 13:00:24 +0200 Subject: [wrynose][PATCH 1/3] python3: upgrade 3.14.5 -> 3.14.6 MIME-Version: 1.0 Message-Id: <20260706-fix-cves-python-wrynose-v1-1-b53e09c2b62a@bootlin.com> References: <20260706-fix-cves-python-wrynose-v1-0-b53e09c2b62a@bootlin.com> In-Reply-To: <20260706-fix-cves-python-wrynose-v1-0-b53e09c2b62a@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: olivier.benjamin@bootlin.com, mathieu.dubois-briand@bootlin.com, pascal.eberhard@se.com, wahid.essid@se.com, "Benjamin Robin (Schneider Electric)" , Peter Marko , Richard Purdie X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 11:00:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240249 From: Peter Marko Release notes: [1] Resolves following CVEs from reports: * CVE-2026-3276 * CVE-2026-7210 * CVE-2026-7774 * CVE-2026-8328 * CVE-2026-9669 Resolves also: * shutil.move symlink-based bypass (CVE assignment unknown) Removed obsolete CVE_STATUS entries. Removed patch included in this release. [1] https://docs.python.org/3/whatsnew/changelog.html#python-3-14-6-final [2] https://security-tracker.debian.org/tracker/CVE-2026-7210 Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- ...x-ThreadingMock-call-count-race-condition.patch | 37 ---------------------- .../{python3_3.14.5.bb => python3_3.14.6.bb} | 7 ++-- 2 files changed, 2 insertions(+), 42 deletions(-) diff --git a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch b/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch deleted file mode 100644 index aba3188a59ae..000000000000 --- a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 388e023fe1197c1ffed374520ed45df4ac72b8f5 Mon Sep 17 00:00:00 2001 -From: Sai Sneha -Date: Thu, 21 May 2026 13:08:07 +0530 -Subject: [PATCH] Fix ThreadingMock call_count race condition - -ThreadingMock._increment_mock_call() was not thread-safe. -Multiple threads calling the mock simultaneously could lose -increments due to race conditions on call_count and other -attributes. - -Fix by overriding _increment_mock_call in ThreadingMixin -and wrapping it with the existing _mock_calls_events_lock. - -Upstream-Status: Backport [https://github.com/python/cpython/pull/150176] - -Signed-off-by: Sai Sneha ---- - Lib/unittest/mock.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/Lib/unittest/mock.py b/Lib/unittest/mock.py -index 16f3699e89..56cdc37942 100644 ---- a/Lib/unittest/mock.py -+++ b/Lib/unittest/mock.py -@@ -3113,6 +3113,10 @@ def _mock_call(self, *args, **kwargs): - - return ret_value - -+ def _increment_mock_call(self, /, *args, **kwargs): -+ with self._mock_calls_events_lock: -+ super()._increment_mock_call(*args, **kwargs) -+ - def wait_until_called(self, *, timeout=_timeout_unset): - """Wait until the mock object is called. - --- -2.34.1 diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.6.bb similarity index 98% rename from meta/recipes-devtools/python/python3_3.14.5.bb rename to meta/recipes-devtools/python/python3_3.14.6.bb index ed413dc1fe93..239c966065ce 100644 --- a/meta/recipes-devtools/python/python3_3.14.5.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -35,13 +35,12 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-Skip-flaky-test_default_timeout-tests.patch \ file://0001-test_only_active_thread-skip-problematic-test.patch \ file://0001-prefer-valid-entrypoints.patch \ - file://0001-Fix-ThreadingMock-call-count-race-condition.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ " -SRC_URI[sha256sum] = "7e32597b99e5d9a39abed35de4693fa169df3e5850d4c334337ffd6a19a36db6" +SRC_URI[sha256sum] = "143b1dddefaec3bd2e21e3b839b34a2b7fb9842272883c576420d605e9f30c63" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" @@ -524,7 +523,5 @@ py3_sysroot_cleanup () { rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test } -CVE_STATUS[CVE-2026-4786] = "cpe-stable-backport: backported to v3.14.5" -CVE_STATUS[CVE-2026-5713] = "cpe-stable-backport: backported to v3.14.5" CVE_STATUS[CVE-2026-6019] = "cpe-stable-backport: backported to v3.14.5" -CVE_STATUS[CVE-2026-6100] = "cpe-stable-backport: backported to v3.14.5" +CVE_STATUS[CVE-2026-7210] = "cpe-stable-backport: backported to v3.14.6" From patchwork Mon Jul 6 11:00:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Benjamin Robin (Schneider Electric)" X-Patchwork-Id: 91796 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 529BEC44502 for ; Mon, 6 Jul 2026 11:00:47 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.148597.1783335638840533315 for ; Mon, 06 Jul 2026 04:00:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=xWflCrFR; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id 09D69C8EC77 for ; Mon, 6 Jul 2026 11:00:50 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 01498601A2; Mon, 6 Jul 2026 11:00:37 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id BA4BD11BBA097; Mon, 6 Jul 2026 13:00:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1783335636; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=zOGusyK9bvf56LbB9AsxuyUm0S1sHgYfFua4g4uanyk=; b=xWflCrFRxudwlbXLz168JTnKA6oqtqaSI2Dl6UcPg3WcfZRp8DJkbTmoascGMSEEKnS8Kz H8svN6Ykf4wlxIKEy2PgigdLunq/jX8V4fwQ0VUgQ0r/O/rr4Lut5mlTGjigPeWN4vQpW7 ycb03VjZ8h+jdA9vmZY3PJQ6W4SI35lBDsh717Q8i4WU1zjTainYz5QUlueoNs1GGHhpkm fHKMqViKzFV4AuLMry7pFEuidrE9ZL/6wA5fplGU8TieaH/PmXVNR8Y48ffnW2PfS91GW5 FP4+IrAdS0AlfNwddcIhTNvaOvVVG8K/BZNHeJPTbdHAR4vj1cd9raC47Eabkw== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 06 Jul 2026 13:00:25 +0200 Subject: [wrynose][PATCH 2/3] python3: fix CVE-2026-11940 MIME-Version: 1.0 Message-Id: <20260706-fix-cves-python-wrynose-v1-2-b53e09c2b62a@bootlin.com> References: <20260706-fix-cves-python-wrynose-v1-0-b53e09c2b62a@bootlin.com> In-Reply-To: <20260706-fix-cves-python-wrynose-v1-0-b53e09c2b62a@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: olivier.benjamin@bootlin.com, mathieu.dubois-briand@bootlin.com, pascal.eberhard@se.com, wahid.essid@se.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 11:00:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240250 tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself. Signed-off-by: Benjamin Robin (Schneider Electric) --- .../python/python3/CVE-2026-11940.patch | 67 ++++++++++++++++++++++ meta/recipes-devtools/python/python3_3.14.6.bb | 1 + 2 files changed, 68 insertions(+) diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch new file mode 100644 index 000000000000..05a5802c3965 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch @@ -0,0 +1,67 @@ +From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 23 Jun 2026 15:58:47 +0200 +Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile` + hardlink-extraction fallback (GH-151559) + +CVE: CVE-2026-11940 +Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f] + +Signed-off-by: Benjamin Robin +--- + Lib/tarfile.py | 3 +++ + Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index e6734db24f64..63f23490e8a1 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath, + "makelink_with_filter: if filter_function is not None, " + + "extraction_root must also not be None") + try: ++ filter_function( ++ unfiltered.replace(name=tarinfo.name, deep=False), ++ extraction_root) + filtered = filter_function(unfiltered, extraction_root) + except _FILTER_ERRORS as cause: + raise LinkFallbackError(tarinfo, unfiltered.name) from cause +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index d974c7d46ec1..0fc7413be8db 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self): + self.expect_file("boom", symlink_to='../../link_here') + self.expect_file("c", symlink_to='b') + ++ @symlink_test ++ def test_sneaky_hardlink_fallback_deep(self): ++ # (CVE-2026-11940) ++ with ArchiveMaker() as arc: ++ arc.add("a/b/s", symlink_to=os.path.join("..", "escape")) ++ arc.add("s", hardlink_to=os.path.join("a", "b", "s")) ++ ++ with self.check_context(arc.open(), 'data'): ++ e = self.expect_exception( ++ tarfile.LinkFallbackError, ++ "link 's' would be extracted as a copy of " ++ + "'a/b/s', which was rejected") ++ self.assertIsInstance(e.__cause__, ++ tarfile.LinkOutsideDestinationError) ++ ++ for filter in 'tar', 'fully_trusted': ++ with self.subTest(filter), self.check_context(arc.open(), filter): ++ if not os_helper.can_symlink(): ++ self.expect_file("a/") ++ self.expect_file("a/b/") ++ else: ++ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape')) ++ self.expect_file("s", symlink_to=os.path.join('..', 'escape')) ++ + @symlink_test + def test_exfiltration_via_symlink(self): + # (CVE-2025-4138) +-- +2.54.0 diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb index 239c966065ce..ffb7fb6e207d 100644 --- a/meta/recipes-devtools/python/python3_3.14.6.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-Skip-flaky-test_default_timeout-tests.patch \ file://0001-test_only_active_thread-skip-problematic-test.patch \ file://0001-prefer-valid-entrypoints.patch \ + file://CVE-2026-11940.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \ From patchwork Mon Jul 6 11:00:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Benjamin Robin (Schneider Electric)" X-Patchwork-Id: 91794 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3A2FAC43458 for ; Mon, 6 Jul 2026 11:00:47 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.147666.1783335639611385526 for ; Mon, 06 Jul 2026 04:00:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=yy51QNUH; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id EE832C8EC78; Mon, 6 Jul 2026 11:00:50 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id C0BBC601A2; Mon, 6 Jul 2026 11:00:37 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id CAEC811BBA04C; Mon, 6 Jul 2026 13:00:36 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1783335637; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=nX03XSmc8NiOwLTC8fjOYwaSyrnMrKjqqiA8Mkkb+r4=; b=yy51QNUHSEQ6dq8Hbi71Zbi5CgF3cpdzzVjLaKwdmS4pEsWsEylGQxLHbBY5zYgMuodJxY DcuhEbHyA4NUr3J2ZA8SeUjBuLjeH3yrDgM06gDBOS7VYP56wYQU5R77tBng0EGu2O7IIP md3inE3x+t5VduWjGmammTZeavwg+pXGHzm2WUcOS4yRiPAGNmbsIrlYP5xhJsIgvBXXyM 7QnE6nj+xPnNJkeuCi29V9LYtJqljG7KlQAZO1l6InHgoMloel0Ju18cNQAm8SaNjCPJlq pwknstEoOubbg3v7Mds85/o5WteWYKdD5Glj/EsiGpGP8w0MfzriXaj6Z7xYuw== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 06 Jul 2026 13:00:26 +0200 Subject: [wrynose][PATCH 3/3] python3: fix CVE-2026-11972 MIME-Version: 1.0 Message-Id: <20260706-fix-cves-python-wrynose-v1-3-b53e09c2b62a@bootlin.com> References: <20260706-fix-cves-python-wrynose-v1-0-b53e09c2b62a@bootlin.com> In-Reply-To: <20260706-fix-cves-python-wrynose-v1-0-b53e09c2b62a@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: olivier.benjamin@bootlin.com, mathieu.dubois-briand@bootlin.com, pascal.eberhard@se.com, wahid.essid@se.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 06 Jul 2026 11:00:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240251 When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. Signed-off-by: Benjamin Robin (Schneider Electric) --- .../python/python3/CVE-2026-11972.patch | 59 ++++++++++++++++++++++ meta/recipes-devtools/python/python3_3.14.6.bb | 1 + 2 files changed, 60 insertions(+) diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch new file mode 100644 index 000000000000..7dc9c6697112 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch @@ -0,0 +1,59 @@ +From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Tue, 23 Jun 2026 15:13:30 +0200 +Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF + (GH-151982) + +CVE: CVE-2026-11972 +Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896] + +Signed-off-by: Benjamin Robin +--- + Lib/tarfile.py | 4 +++- + Lib/test/test_tarfile.py | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 63f23490e8a1..399f906efdff 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -524,7 +524,9 @@ def seek(self, pos=0): + if pos - self.pos >= 0: + blocks, remainder = divmod(pos - self.pos, self.bufsize) + for i in range(blocks): +- self.read(self.bufsize) ++ data = self.read(self.bufsize) ++ if not data: ++ break + self.read(remainder) + else: + raise StreamError("seeking backwards is not allowed") +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 0fc7413be8db..045377d620cc 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path): + with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter): + self.expect_exception(TypeError) # errorlevel is not int + ++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT]) ++ def test_getmembers_big_size(self, format): ++ # gh-151981: A loop in seek() for streaming files tried to read the ++ # declared number of blocks even at EOF ++ tinfo = tarfile.TarInfo("huge-file") ++ tinfo.size = 1 << 64 ++ bio = io.BytesIO() ++ # Write header without data ++ bio.write(tinfo.tobuf(format)) ++ ++ # Reset & try to get contents ++ bio.seek(0) ++ with tarfile.open(fileobj=bio, mode="r|") as tar: ++ with self.assertRaises(tarfile.ReadError): ++ tar.getmembers() ++ + + class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + testdir = os.path.join(TEMPDIR, "testoverwrite") +-- +2.54.0 diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb index ffb7fb6e207d..ec1fd7156bd9 100644 --- a/meta/recipes-devtools/python/python3_3.14.6.bb +++ b/meta/recipes-devtools/python/python3_3.14.6.bb @@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_only_active_thread-skip-problematic-test.patch \ file://0001-prefer-valid-entrypoints.patch \ file://CVE-2026-11940.patch \ + file://CVE-2026-11972.patch \ " SRC_URI:append:class-native = " \ file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \