Fix CVE-2026-1703, bsc#1257599

Add CVE-2026-1703.patch upstream patch (bsc#1257599, CVE-2026-1703, gh#pypa/pip#13777)
2026-02-03 11:41:17 +01:00
parent afcd75293a
commit fa2b2a55e3
3 changed files with 52 additions and 0 deletions
--- a/CVE-2026-1703.patch
+++ b/CVE-2026-1703.patch
@@ -0,0 +1,44 @@
+From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 30 Jan 2026 09:49:11 -0600
+Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
+
+---
+ news/+1ee322a1.bugfix.rst            | 1 +
+ src/pip/_internal/utils/unpacking.py | 2 +-
+ tests/unit/test_utils_unpacking.py   | 2 ++
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+ create mode 100644 news/+1ee322a1.bugfix.rst
+
+Index: pip-25.0.1/news/+1ee322a1.bugfix.rst
+===================================================================
+--- /dev/null
+++ pip-25.0.1/news/+1ee322a1.bugfix.rst
+@@ -0,0 +1 @@
+Use a path-segment prefix comparison, not char-by-char.
+Index: pip-25.0.1/src/pip/_internal/utils/unpacking.py
+===================================================================
+--- pip-25.0.1.orig/src/pip/_internal/utils/unpacking.py
+++ pip-25.0.1/src/pip/_internal/utils/unpacking.py
+@@ -82,7 +82,7 @@ def is_within_directory(directory: str,
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
+    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+Index: pip-25.0.1/tests/unit/test_utils_unpacking.py
+===================================================================
+--- pip-25.0.1.orig/tests/unit/test_utils_unpacking.py
+++ pip-25.0.1/tests/unit/test_utils_unpacking.py
+@@ -270,6 +270,8 @@ def test_unpack_tar_unicode(tmpdir: Path
+         (("parent/", "parent/sub"), True),
+         # Test target outside parent
+         (("parent/", "parent/../sub"), False),
+        # Test target sub-string of parent
+        (("parent/child", "parent/childfoo"), False),
+     ],
+ )
+ def test_is_within_directory(args: Tuple[str, str], expected: bool) -> None:
--- a/python-pip.changes
+++ b/python-pip.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb  3 10:21:50 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2026-1703.patch upstream patch 
+  (bsc#1257599, CVE-2026-1703, gh#pypa/pip#13777)
+
 -------------------------------------------------------------------
 Thu Apr 17 12:40:51 UTC 2025 - Felix Stegmeier <felix.stegmeier@suse.com>

--- a/python-pip.spec
+++ b/python-pip.spec
@@ -47,6 +47,8 @@ Patch0:         pip-shipped-requests-cabundle.patch
 Patch1:         distutils-reproducible-compile.patch
 # PATCH-FIX-OPENSUSE: deal missing ca-certificates as "ssl not available"
 Patch2:         disable-ssl-context-in-buildenv.patch
+# PATCH-FIX-UPSTREAM CVE-2026-1703.patch gh#pypa/pip#13777
+Patch3:         CVE-2026-1703.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module setuptools >= 40.8.0}
 # The rpm python-wheel build is bootstrap friendly since 0.42