[AutoPR- Security] Patch python-requests for CVE-2026-25645 [MEDIUM] (#16349)

azurelinux-security · AkarshHCL · web-flow · commit 51828d91daf7 · 2026-03-30T20:43:29.000+05:30
Co-authored-by: Akarsh Chaudhary &lt;v-akarshc@microsoft.com&gt;
diff --git a/SPECS/python-requests/CVE-2026-25645.patch b/SPECS/python-requests/CVE-2026-25645.patch
@@ -0,0 +1,38 @@
+From 2eab2a6fb330a595bc2943f23618da8d68a5a66e Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Mar 2026 08:57:56 -0600
+Subject: [PATCH] Merge commit from fork
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7.patch
+---
+ requests/utils.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index 502c7bc..e0fcdbc 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -282,12 +282,13 @@ def extract_zipped_paths(path):
+         return path
+ 
+     # we have a valid zip archive and a valid member of that archive
+-    tmp = tempfile.gettempdir()
+-    extracted_path = os.path.join(tmp, member.split("/")[-1])
+-    if not os.path.exists(extracted_path):
+-        # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition
+-        with atomic_open(extracted_path) as file_handler:
+-            file_handler.write(zip_file.read(member))
++    suffix = os.path.splitext(member.split("/")[-1])[-1]
++    fd, extracted_path = tempfile.mkstemp(suffix=suffix)
++    try:
++        os.write(fd, zip_file.read(member))
++    finally:
++        os.close(fd)
++
+     return extracted_path
+ 
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/python-requests/python-requests.spec b/SPECS/python-requests/python-requests.spec
@@ -1,7 +1,7 @@
 Summary:        Awesome Python HTTP Library That's Actually Usable
 Name:           python-requests
 Version:        2.31.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            http://python-requests.org
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch0:         CVE-2024-35195.patch
 Patch1:         CVE-2024-47081.patch
+Patch2:         CVE-2026-25645.patch
 BuildArch:      noarch
 
 %description
@@ -60,11 +61,11 @@ perform the simplest of tasks.
 %py3_install
 
 %check
-pip3 install tox
+pip3 install --ignore-installed tox
 # 2.1.0+ versions of "markupsafe" make test fail.
 # No fix from upstream in version 2.28.1: https://github.com/psf/requests/commit/3ed60078e2376c847ba0b0c9d564af522623c5ba
 sed -i "/wheel/amarkupsafe==2.0.1" requirements-dev.txt
-LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
+LANG=en_US.UTF-8 python3 -m tox -e py%{python3_version_nodots}
 
 %files -n python3-requests
 %defattr(-,root,root)
@@ -73,6 +74,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 
 %changelog
+* Mon Mar 30 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.31.0-4
+- Patch for CVE-2026-25645
+
 * Tue Jun 17 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 2.31.0-3
 - Add patch for CVE-2024-47081
 
