6 changed files with 176 additions and 6 deletions
--- a/CVE-2026-1998.patch
+++ b/CVE-2026-1998.patch
@@ -0,0 +1,144 @@
+From 570744d06c5ba9dba59b4c3f432ca4f0abd396b6 Mon Sep 17 00:00:00 2001
+From: Damien George <damien@micropython.org>
+Date: Mon, 12 Jan 2026 11:04:09 +1100
+Subject: [PATCH] py/runtime: Make import-all support non-modules via
+ __dict__/__all__.
+
+Prior to this fix, `mp_import_all()` assumed that its argument was exactly
+a native module instance.  That would lead to a crash if something else was
+passed in, eg a user class via a custom `__import__` implementation or by
+writing to `sys.modules`.
+
+MicroPython already supports injecting non-module objects into the import
+machinery, so it makes sense to round out that implementation by supporting
+`from x import *` where `x` is a non-module object.
+
+Fixes issue #18639.
+
+Signed-off-by: Damien George <damien@micropython.org>
+---
+ py/runtime.c                          | 21 ++++++---
+ tests/basics/import_star_nonmodule.py | 65 +++++++++++++++++++++++++++
+ 2 files changed, 81 insertions(+), 5 deletions(-)
+ create mode 100644 tests/basics/import_star_nonmodule.py
+
+diff --git a/py/runtime.c b/py/runtime.c
+index 8d7e11e5f0dab..3fc35c8c2daf6 100644
+--- a/py/runtime.c
+++ b/py/runtime.c
+@@ -1592,19 +1592,19 @@ mp_obj_t mp_import_from(mp_obj_t module, qstr name) {
+ void mp_import_all(mp_obj_t module) {
+     DEBUG_printf("import all %p\n", module);
+ 
+-    mp_map_t *map = &mp_obj_module_get_globals(module)->map;
+    mp_obj_t dest[2];
+ 
+     #if MICROPY_MODULE___ALL__
+-    mp_map_elem_t *elem = mp_map_lookup(map, MP_OBJ_NEW_QSTR(MP_QSTR___all__), MP_MAP_LOOKUP);
+-    if (elem != NULL) {
+
+    mp_load_method_maybe(module, MP_QSTR___all__, dest);
+    if (dest[0] != MP_OBJ_NULL) {
+         // When __all__ is defined, we must explicitly load all specified
+         // symbols, possibly invoking the module __getattr__ function
+         size_t len;
+         mp_obj_t *items;
+-        mp_obj_get_array(elem->value, &len, &items);
+        mp_obj_get_array(dest[0], &len, &items);
+         for (size_t i = 0; i < len; i++) {
+             qstr qname = mp_obj_str_get_qstr(items[i]);
+-            mp_obj_t dest[2];
+             mp_load_method(module, qname, dest);
+             mp_store_name(qname, dest[0]);
+         }
+@@ -1612,8 +1612,19 @@ void mp_import_all(mp_obj_t module) {
+     }
+     #endif
+ 
+    #if MICROPY_CPYTHON_COMPAT
+    // Load the dict from the module.  In MicroPython, if __dict__ is
+    // available then it always returns a native mp_obj_dict_t instance.
+    mp_load_method(module, MP_QSTR___dict__, dest);
+    #else
+    // Without MICROPY_CPYTHON_COMPAT __dict__ is not available, so just
+    // assume the given module is actually an mp_obj_module_t instance.
+    dest[0] = MP_OBJ_FROM_PTR(mp_obj_module_get_globals(module));
+    #endif
+
+     // By default, the set of public names includes all names found in the module's
+     // namespace which do not begin with an underscore character ('_')
+    mp_map_t *map = mp_obj_dict_get_map(dest[0]);
+     for (size_t i = 0; i < map->alloc; i++) {
+         if (mp_map_slot_is_filled(map, i)) {
+             // Entry in module global scope may be generated programmatically
+diff --git a/tests/basics/import_star_nonmodule.py b/tests/basics/import_star_nonmodule.py
+new file mode 100644
+index 0000000000000..8a98ef26ce544
+--- /dev/null
+++ b/tests/basics/import_star_nonmodule.py
+@@ -0,0 +1,65 @@
+# Test "from x import *" where x is something other than a module.
+
+import sys
+
+try:
+    next(iter([]), 42)
+except TypeError:
+    # Two-argument version of next() not supported.  We are probably not at
+    # MICROPY_CONFIG_ROM_LEVEL_BASIC_FEATURES which is needed for "import *".
+    print("SKIP")
+    raise SystemExit
+
+print("== test with a class as a module ==")
+
+
+class M:
+    x = "a1"
+
+    def __init__(self):
+        self.x = "a2"
+
+
+sys.modules["mod"] = M
+from mod import *
+
+print(x)
+
+sys.modules["mod"] = M()
+from mod import *
+
+print(x)
+
+print("== test with a class as a module that overrides __all__ ==")
+
+
+class M:
+    __all__ = ("y",)
+    x = "b1"
+    y = "b2"
+
+    def __init__(self):
+        self.__all__ = ("x",)
+        self.x = "b3"
+        self.y = "b4"
+
+
+sys.modules["mod"] = M
+x = None
+from mod import *
+
+print(x, y)
+
+sys.modules["mod"] = M()
+from mod import *
+
+print(x, y)
+
+print("== test with objects that don't have a __dict__ ==")
+
+sys.modules["mod"] = 1
+try:
+    from mod import *
+    # MicroPython raises AttributeError, CPython raises ImportError.
+except (AttributeError, ImportError):
+    print("ImportError")
--- a/micropython-1.26.0.tar.xz
+++ b/micropython-1.26.0.tar.xz
--- a/micropython-1.26.1.tar.xz
+++ b/micropython-1.26.1.tar.xz
--- a/micropython.changes
+++ b/micropython.changes
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Feb  6 16:13:57 UTC 2026 - Dominik Heidler <dheidler@suse.de>
+
+- Add CVE-2026-1998.patch for CVE-2026-1998 / bsc#1257803
+
+-------------------------------------------------------------------
+Mon Oct 27 13:58:27 UTC 2025 - Dominik Heidler <dheidler@suse.de>
+
+- Version 1.26.1
+  * esp32: update esp_tinyusb component to v1.7.6
+  * tools: add an environment variable MICROPY_MAINTAINER_BUILD
+  * esp32: add IDF Component Lockfiles to git repo
+  * shared/tinyusb: fix hang from new tx_overwritabe_if_not_connected flag
+  * shared/tinyusb/mp_usbd_cdc: rewrite USB CDC TX loop
+  * tools/mpremote: don't apply Espressif DTR/RTS quirk to TinyUSB CDC dev
+
+-------------------------------------------------------------------
+Mon Oct 27 12:49:06 UTC 2025 - Dominik Heidler <dheidler@suse.de>
+
+- Fix building on single core systems
+  * Skip tests/thread/stress_schedule.py when single core system detected
+
 -------------------------------------------------------------------
 Wed Oct 22 12:19:48 UTC 2025 - Dominik Heidler <dheidler@suse.de>

--- a/micropython.spec
+++ b/micropython.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package micropython
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %{?sle15_python_module_pythons}

 Name:           micropython
-Version:        1.26.0
+Version:        1.26.1
 Release:        0
 Summary:        Implementation of Python 3 with very low memory footprint
 License:        MIT
@@ -28,6 +28,7 @@ URL:            https://micropython.org/
 Source0:        %{name}-%{version}.tar.xz
 Source1:        prepare.sh
 Source2:        https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.5/mbedtls-3.6.5.tar.bz2#/mbedtls-3.6.5.tar.bz2
+Patch0:         CVE-2026-1998.patch
 BuildRequires:  openssl
 BuildRequires:  pkgconfig
 BuildRequires:  python3
@@ -113,6 +114,8 @@ install -m755 -D -v tools/mpy-tool.py %{buildroot}%{_bindir}/mpy-tool
 # https://github.com/micropython/micropython/pull/6024
 rm -f tests/float/float_parse.py
 rm -f tests/float/float_parse_doubleprec.py
+# fails on single core systems
+[ "$(grep core.id /proc/cpuinfo | wc -l)" == 1 ] && rm -f tests/thread/stress_schedule.py
 %endif
 export MICROPY_CPYTHON3=python%python_version
 make -C ports/unix PYTHON=%{_bindir}/python%python_version V=1 test
--- a/prepare.sh
+++ b/prepare.sh
@@ -7,7 +7,7 @@ set -e

 version=$(rpmspec --query micropython.spec | head -1 | cut -d- -f2)

-rm -fv micropython-*.tar.xz
+osc rm -fv micropython-*.tar.xz
 wget "https://micropython.org/resources/source/micropython-${version}.tar.xz" -O "micropython-${version}.tar.xz"
 tar xf "micropython-${version}.tar.xz"
 pushd "micropython-${version}"
@@ -34,3 +34,4 @@ popd
 popd
 tar caf "micropython-${version}.tar.xz" "micropython-${version}"
 rm -r "micropython-${version}"
+osc add micropython-*.tar.xz