main/py3-wheel: fix CVE-2026-24049

Backport commit 7a7d2de for that.
2026-05-13 00:28:25 +02:00 · 2026-04-22 18:33:23 +00:00 · 2026-04-22 18:33:23 +00:00 · c18fba46ef
commit c18fba46ef
parent 06678323e2
2 changed files with 63 additions and 1 deletions
--- a/main/py3-wheel/APKBUILD
+++ b/main/py3-wheel/APKBUILD
@ -2,7 +2,7 @@
 # Maintainer: Peter Shkenev <santurysim@gmail.com>
 pkgname=py3-wheel
 pkgver=0.42.0
-pkgrel=1
+pkgrel=2
 pkgdesc="built-package format for Python"
 url="https://github.com/pypa/wheel"
 arch="noarch"
@ -16,6 +16,7 @@ checkdepends="py3-pytest py3-setuptools python3-dev"
 subpackages="$pkgname-pyc"
 source="https://files.pythonhosted.org/packages/source/w/wheel/wheel-$pkgver.tar.gz
 	use-system-packaging.patch
+	fix-cve-2026-24049.patch
 	"
 builddir="$srcdir"/wheel-$pkgver
 options="!check" # circular with pytest
@ -46,4 +47,5 @@ package() {
 sha512sums="
 4816261c0f6d8971a80665f66868ec9cb082f2189b6e31e083a0d3a6080e159f06a4152f44eda1147a2b907b5aead0f63bbac725aacb56bb8be13fc77da2b79c  wheel-0.42.0.tar.gz
 ce2081deefbbddf020a6e3fa4be7eed57f8cc53103fb4c7aa0fe2d129482d040df6b246768832979237f755d7af6f7779db085bc2c5d1485b25ffb26d302898e  use-system-packaging.patch
+13360436021eee98a873fb08356e190254c479b74bd83fa0a01f20ad0b7edf427066342d6a29b1924594fa3246900c8a46cb76de7e517d6b94500ed6e3bedcad  fix-cve-2026-24049.patch
 "
--- a/main/py3-wheel/fix-cve-2026-24049.patch
+++ b/main/py3-wheel/fix-cve-2026-24049.patch
@ -0,0 +1,60 @@
+commit 7a7d2de96b22a9adf9208afcc9547e1001569fef
+Author: Alex Grönholm <alex.gronholm@nextday.fi>
+Date:   Thu Jan 22 01:41:14 2026 +0200
+
+    Fixed security issue around wheel unpack (#675)
+    
+    A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+    
+    Fixes CVE-2026-24049.
+
+diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/src/wheel/cli/unpack.py
+++ b/src/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+         destination = Path(dest) / namever
+         print(f"Unpacking to: {destination}...", end="", flush=True)
+         for zinfo in wf.filelist:
+-            wf.extract(zinfo, destination)
+            target_path = Path(wf.extract(zinfo, destination))
+ 
+             # Set permissions to the same values as they were set in the archive
+             # We have to do this manually due to
+             # https://github.com/python/cpython/issues/59999
+             permissions = zinfo.external_attr >> 16 & 0o777
+-            destination.joinpath(zinfo.filename).chmod(permissions)
+            target_path.chmod(permissions)
+ 
+     print("OK")
+diff --git a/tests/cli/test_unpack.py b/tests/cli/test_unpack.py
+index 366b374..38cfb41 100644
+--- a/tests/cli/test_unpack.py
+++ b/tests/cli/test_unpack.py
+@@ -54,3 +54,26 @@ def test_unpack_executable_bit(tmp_path: Path) -> None:
+     run_command("unpack", "--dest", tmp_path, wheel_path)
+     assert not script_path.is_dir()
+     assert stat.S_IMODE(script_path.stat().st_mode) == 0o755
+
+
+@pytest.mark.skipif(
+    platform.system() == "Windows", reason="Windows does not support chmod()"
+)
+def test_chmod_outside_unpack_tree(tmp_path_factory: TempPathFactory) -> None:
+    wheel_path = tmp_path_factory.mktemp("build") / "test-1.0-py3-none-any.whl"
+    with WheelFile(wheel_path, "w") as wf:
+        wf.writestr(
+            "test-1.0.dist-info/METADATA",
+            "Metadata-Version: 2.4\nName: test\nVersion: 1.0\n",
+        )
+        wf.writestr("../../system-file", b"malicious data")
+
+    extract_root_path = tmp_path_factory.mktemp("extract")
+    system_file = extract_root_path / "system-file"
+    extract_path = extract_root_path / "subdir"
+    system_file.write_bytes(b"important data")
+    system_file.chmod(0o755)
+    run_command("unpack", "--dest", extract_path, wheel_path)
+
+    assert system_file.read_bytes() == b"important data"
+    assert stat.S_IMODE(system_file.stat().st_mode) == 0o755