From c18fba46ef8722a7405b58fae7771d2e392cec87 Mon Sep 17 00:00:00 2001 From: Peter Shkenev Date: Wed, 22 Apr 2026 18:33:23 +0000 Subject: [PATCH] main/py3-wheel: fix CVE-2026-24049 Backport commit 7a7d2de for that. --- main/py3-wheel/APKBUILD | 4 +- main/py3-wheel/fix-cve-2026-24049.patch | 60 +++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 main/py3-wheel/fix-cve-2026-24049.patch diff --git a/main/py3-wheel/APKBUILD b/main/py3-wheel/APKBUILD index adf2df19127..9b093729321 100644 --- a/main/py3-wheel/APKBUILD +++ b/main/py3-wheel/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Peter Shkenev pkgname=py3-wheel pkgver=0.42.0 -pkgrel=1 +pkgrel=2 pkgdesc="built-package format for Python" url="https://github.com/pypa/wheel" arch="noarch" @@ -16,6 +16,7 @@ checkdepends="py3-pytest py3-setuptools python3-dev" subpackages="$pkgname-pyc" source="https://files.pythonhosted.org/packages/source/w/wheel/wheel-$pkgver.tar.gz use-system-packaging.patch + fix-cve-2026-24049.patch " builddir="$srcdir"/wheel-$pkgver options="!check" # circular with pytest @@ -46,4 +47,5 @@ package() { sha512sums=" 4816261c0f6d8971a80665f66868ec9cb082f2189b6e31e083a0d3a6080e159f06a4152f44eda1147a2b907b5aead0f63bbac725aacb56bb8be13fc77da2b79c wheel-0.42.0.tar.gz ce2081deefbbddf020a6e3fa4be7eed57f8cc53103fb4c7aa0fe2d129482d040df6b246768832979237f755d7af6f7779db085bc2c5d1485b25ffb26d302898e use-system-packaging.patch +13360436021eee98a873fb08356e190254c479b74bd83fa0a01f20ad0b7edf427066342d6a29b1924594fa3246900c8a46cb76de7e517d6b94500ed6e3bedcad fix-cve-2026-24049.patch " diff --git a/main/py3-wheel/fix-cve-2026-24049.patch b/main/py3-wheel/fix-cve-2026-24049.patch new file mode 100644 index 00000000000..98e11555c09 --- /dev/null +++ b/main/py3-wheel/fix-cve-2026-24049.patch @@ -0,0 +1,60 @@ +commit 7a7d2de96b22a9adf9208afcc9547e1001569fef +Author: Alex Grönholm +Date: Thu Jan 22 01:41:14 2026 +0200 + + Fixed security issue around wheel unpack (#675) + + A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered. + + Fixes CVE-2026-24049. + +diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py +index d48840e..83dc742 100644 +--- a/src/wheel/cli/unpack.py ++++ b/src/wheel/cli/unpack.py +@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None: + destination = Path(dest) / namever + print(f"Unpacking to: {destination}...", end="", flush=True) + for zinfo in wf.filelist: +- wf.extract(zinfo, destination) ++ target_path = Path(wf.extract(zinfo, destination)) + + # Set permissions to the same values as they were set in the archive + # We have to do this manually due to + # https://github.com/python/cpython/issues/59999 + permissions = zinfo.external_attr >> 16 & 0o777 +- destination.joinpath(zinfo.filename).chmod(permissions) ++ target_path.chmod(permissions) + + print("OK") +diff --git a/tests/cli/test_unpack.py b/tests/cli/test_unpack.py +index 366b374..38cfb41 100644 +--- a/tests/cli/test_unpack.py ++++ b/tests/cli/test_unpack.py +@@ -54,3 +54,26 @@ def test_unpack_executable_bit(tmp_path: Path) -> None: + run_command("unpack", "--dest", tmp_path, wheel_path) + assert not script_path.is_dir() + assert stat.S_IMODE(script_path.stat().st_mode) == 0o755 ++ ++ ++@pytest.mark.skipif( ++ platform.system() == "Windows", reason="Windows does not support chmod()" ++) ++def test_chmod_outside_unpack_tree(tmp_path_factory: TempPathFactory) -> None: ++ wheel_path = tmp_path_factory.mktemp("build") / "test-1.0-py3-none-any.whl" ++ with WheelFile(wheel_path, "w") as wf: ++ wf.writestr( ++ "test-1.0.dist-info/METADATA", ++ "Metadata-Version: 2.4\nName: test\nVersion: 1.0\n", ++ ) ++ wf.writestr("../../system-file", b"malicious data") ++ ++ extract_root_path = tmp_path_factory.mktemp("extract") ++ system_file = extract_root_path / "system-file" ++ extract_path = extract_root_path / "subdir" ++ system_file.write_bytes(b"important data") ++ system_file.chmod(0o755) ++ run_command("unpack", "--dest", extract_path, wheel_path) ++ ++ assert system_file.read_bytes() == b"important data" ++ assert stat.S_IMODE(system_file.stat().st_mode) == 0o755