helium-3rd-party/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky synced 2026-04-02 02:49:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

python3-pip: Fix CVE-2026-1703

Browse Source 
Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-1703
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703
[3] https://github.com/pypa/pip/pull/13777

(From OE-Core rev: 0535436a9ceedcf690001cd705be753de4e4915f)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Vijay Anusuri 2026-03-11 16:31:01 +05:30 committed by Paul Barker
parent dde51fb77f
commit b0c2d6dfec
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
meta/recipes-devtools/python/python3-pip/CVE-2026-1703.patch Normal file
View File

@ -0,0 +1,37 @@
From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 30 Jan 2026 09:49:11 -0600
Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
Upstream-Status: Backport [https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124]
CVE: CVE-2026-1703
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
news/+1ee322a1.bugfix.rst | 1 +
src/pip/_internal/utils/unpacking.py | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644 news/+1ee322a1.bugfix.rst
diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
new file mode 100644
index 0000000..edb1b32
--- /dev/null
+++ b/news/+1ee322a1.bugfix.rst
@@ -0,0 +1 @@
+Use a path-segment prefix comparison, not char-by-char.
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
index 5f63f97..3cebbf7 100644
--- a/src/pip/_internal/utils/unpacking.py
+++ b/src/pip/_internal/utils/unpacking.py
@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool:
abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target)
- prefix = os.path.commonprefix([abs_directory, abs_target])
+ prefix = os.path.commonpath([abs_directory, abs_target])
return prefix == abs_directory
--
2.25.1

1
meta/recipes-devtools/python/python3-pip_22.0.3.bb
View File

@ -38,6 +38,7 @@ SRC_URI += "file://0001-change-shebang-to-python3.patch \
file://no_shebang_mangling.patch \ file://no_shebang_mangling.patch \
file://reproducible.patch \ file://reproducible.patch \
file://CVE-2023-5752.patch \ file://CVE-2023-5752.patch \
file://CVE-2026-1703.patch \
" "
SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0" SRC_URI[sha256sum] = "f29d589df8c8ab99c060e68ad294c4a9ed896624f6368c5349d70aa581b333d0"