mirror of
https://git.yoctoproject.org/poky
synced 2026-03-21 22:59:40 +01:00
b0c2d6dfec
Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-1703 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703 [3] https://github.com/pypa/pip/pull/13777 (From OE-Core rev: 0535436a9ceedcf690001cd705be753de4e4915f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
|
|
From: Seth Michael Larson <seth@python.org>
|
|
Date: Fri, 30 Jan 2026 09:49:11 -0600
|
|
Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
|
|
|
|
Upstream-Status: Backport [https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124]
|
|
CVE: CVE-2026-1703
|
|
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
|
|
---
|
|
news/+1ee322a1.bugfix.rst | 1 +
|
|
src/pip/_internal/utils/unpacking.py | 2 +-
|
|
2 files changed, 2 insertions(+), 1 deletion(-)
|
|
create mode 100644 news/+1ee322a1.bugfix.rst
|
|
|
|
diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
|
|
new file mode 100644
|
|
index 0000000..edb1b32
|
|
--- /dev/null
|
|
+++ b/news/+1ee322a1.bugfix.rst
|
|
@@ -0,0 +1 @@
|
|
+Use a path-segment prefix comparison, not char-by-char.
|
|
diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
|
|
index 5f63f97..3cebbf7 100644
|
|
--- a/src/pip/_internal/utils/unpacking.py
|
|
+++ b/src/pip/_internal/utils/unpacking.py
|
|
@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool:
|
|
abs_directory = os.path.abspath(directory)
|
|
abs_target = os.path.abspath(target)
|
|
|
|
- prefix = os.path.commonprefix([abs_directory, abs_target])
|
|
+ prefix = os.path.commonpath([abs_directory, abs_target])
|
|
return prefix == abs_directory
|
|
|
|
|
|
--
|
|
2.25.1
|
|
|