[Medium] Patch python-virtualenv for CVE-2026-1703 & CVE-2026-24049 (#15983)

BinduSri-6522866 · web-flow · commit a799222f411c · 2026-03-26T10:11:03.000+05:30
diff --git a/SPECS/python-virtualenv/CVE-2026-1703v0.patch b/SPECS/python-virtualenv/CVE-2026-1703v0.patch
@@ -0,0 +1,35 @@
+From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 30 Jan 2026 09:49:11 -0600
+Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
+
+Upstream Patch Reference: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735.patch
+---
+ news/+1ee322a1.bugfix.rst        | 1 +
+ pip/_internal/utils/unpacking.py | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 news/+1ee322a1.bugfix.rst
+
+diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
+new file mode 100644
+index 0000000..edb1b32
+--- /dev/null
++++ b/news/+1ee322a1.bugfix.rst
+@@ -0,0 +1 @@
++Use a path-segment prefix comparison, not char-by-char.
+diff --git a/pip/_internal/utils/unpacking.py b/pip/_internal/utils/unpacking.py
+index 78b5c13..0b26525 100644
+--- a/pip/_internal/utils/unpacking.py
++++ b/pip/_internal/utils/unpacking.py
+@@ -81,7 +81,7 @@ def is_within_directory(directory: str, target: str) -> bool:
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
++    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/python-virtualenv/CVE-2026-1703v1.patch b/SPECS/python-virtualenv/CVE-2026-1703v1.patch
@@ -0,0 +1,26 @@
+From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 30 Jan 2026 09:49:11 -0600
+Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
+
+Upstream Patch Reference: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735.patch
+---
+ pip/_internal/utils/unpacking.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pip/_internal/utils/unpacking.py b/pip/_internal/utils/unpacking.py
+index 875e30e..4abe64b 100644
+--- a/pip/_internal/utils/unpacking.py
++++ b/pip/_internal/utils/unpacking.py
+@@ -82,7 +82,7 @@ def is_within_directory(directory: str, target: str) -> bool:
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
++    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/python-virtualenv/CVE-2026-1703v2.patch b/SPECS/python-virtualenv/CVE-2026-1703v2.patch
@@ -0,0 +1,35 @@
+From 4c651b70d60ed91b13663bcda9b3ed41748d0124 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 30 Jan 2026 09:49:11 -0600
+Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
+
+Upstream Patch Reference: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735.patch
+---
+ news/+1ee322a1.bugfix.rst        | 1 +
+ pip/_internal/utils/unpacking.py | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 news/+1ee322a1.bugfix.rst
+
+diff --git a/news/+1ee322a1.bugfix.rst b/news/+1ee322a1.bugfix.rst
+new file mode 100644
+index 0000000..edb1b32
+--- /dev/null
++++ b/news/+1ee322a1.bugfix.rst
+@@ -0,0 +1 @@
++Use a path-segment prefix comparison, not char-by-char.
+diff --git a/pip/_internal/utils/unpacking.py b/pip/_internal/utils/unpacking.py
+index 7252dc2..4ce2b15 100644
+--- a/pip/_internal/utils/unpacking.py
++++ b/pip/_internal/utils/unpacking.py
+@@ -94,7 +94,7 @@ def is_within_directory(directory, target):
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
++    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/python-virtualenv/CVE-2026-24049v0.patch b/SPECS/python-virtualenv/CVE-2026-24049v0.patch
@@ -0,0 +1,35 @@
+From 7a7d2de96b22a9adf9208afcc9547e1001569fef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+Fixes CVE-2026-24049.
+Upstream Patch Reference: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
+---
+ setuptools/_vendor/wheel/cli/unpack.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/setuptools/_vendor/wheel/cli/unpack.py b/setuptools/_vendor/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/setuptools/_vendor/wheel/cli/unpack.py
++++ b/setuptools/_vendor/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+         destination = Path(dest) / namever
+         print(f"Unpacking to: {destination}...", end="", flush=True)
+         for zinfo in wf.filelist:
+-            wf.extract(zinfo, destination)
++            target_path = Path(wf.extract(zinfo, destination))
+ 
+             # Set permissions to the same values as they were set in the archive
+             # We have to do this manually due to
+             # https://github.com/python/cpython/issues/59999
+             permissions = zinfo.external_attr >> 16 & 0o777
+-            destination.joinpath(zinfo.filename).chmod(permissions)
++            target_path.chmod(permissions)
+ 
+     print("OK")
+-- 
+2.45.4
+
diff --git a/SPECS/python-virtualenv/CVE-2026-24049v1.patch b/SPECS/python-virtualenv/CVE-2026-24049v1.patch
@@ -0,0 +1,35 @@
+From 7a7d2de96b22a9adf9208afcc9547e1001569fef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+Fixes CVE-2026-24049.
+Upstream Patch Reference: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
+---
+ wheel/cli/unpack.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wheel/cli/unpack.py b/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/wheel/cli/unpack.py
++++ b/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+         destination = Path(dest) / namever
+         print(f"Unpacking to: {destination}...", end="", flush=True)
+         for zinfo in wf.filelist:
+-            wf.extract(zinfo, destination)
++            target_path = Path(wf.extract(zinfo, destination))
+ 
+             # Set permissions to the same values as they were set in the archive
+             # We have to do this manually due to
+             # https://github.com/python/cpython/issues/59999
+             permissions = zinfo.external_attr >> 16 & 0o777
+-            destination.joinpath(zinfo.filename).chmod(permissions)
++            target_path.chmod(permissions)
+ 
+     print("OK")
+-- 
+2.45.4
+
diff --git a/SPECS/python-virtualenv/CVE-2026-24049v2.patch b/SPECS/python-virtualenv/CVE-2026-24049v2.patch
@@ -0,0 +1,35 @@
+From 7a7d2de96b22a9adf9208afcc9547e1001569fef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
+Date: Thu, 22 Jan 2026 01:41:14 +0200
+Subject: [PATCH] Fixed security issue around wheel unpack (#675)
+
+A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
+
+Fixes CVE-2026-24049.
+Upstream Patch Reference: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
+---
+ wheel/cli/unpack.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wheel/cli/unpack.py b/wheel/cli/unpack.py
+index d48840e..83dc742 100644
+--- a/wheel/cli/unpack.py
++++ b/wheel/cli/unpack.py
+@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
+         destination = Path(dest) / namever
+         print(f"Unpacking to: {destination}...", end="", flush=True)
+         for zinfo in wf.filelist:
+-            wf.extract(zinfo, destination)
++            target_path = Path(wf.extract(zinfo, destination))
+ 
+             # Set permissions to the same values as they were set in the archive
+             # We have to do this manually due to
+             # https://github.com/python/cpython/issues/59999
+             permissions = zinfo.external_attr >> 16 & 0o777
+-            destination.joinpath(zinfo.filename).chmod(permissions)
++            target_path.chmod(permissions)
+ 
+     print("OK")
+-- 
+2.45.4
+
diff --git a/SPECS/python-virtualenv/python-virtualenv.spec b/SPECS/python-virtualenv/python-virtualenv.spec
@@ -1,7 +1,7 @@
 Summary:        Virtual Python Environment builder
 Name:           python-virtualenv
 Version:        20.26.6
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,12 @@ Patch1000:      CVE-2025-50181v0.patch
 Patch1001:      CVE-2025-50181v1.patch
 Patch1002:      CVE-2025-50181v2.patch
 Patch1003:      CVE-2025-50181v3.patch
+Patch1004:      CVE-2026-1703v0.patch
+Patch1005:      CVE-2026-1703v1.patch
+Patch1006:      CVE-2026-1703v2.patch
+Patch1007:      CVE-2026-24049v0.patch
+Patch1008:      CVE-2026-24049v1.patch
+Patch1009:      CVE-2026-24049v2.patch
 BuildArch:      noarch
 
 %description
@@ -58,6 +64,8 @@ echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-
 mkdir -p unpacked_pip-24.0-py3-none-any
 unzip src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl -d unpacked_pip-24.0-py3-none-any
 patch -p1 -d unpacked_pip-24.0-py3-none-any < %{PATCH1000}
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl/pip/_internal/utils/unpacking.py"
+patch -p1 -d unpacked_pip-24.0-py3-none-any < %{PATCH1004}
 # Remove the original file
 rm -f src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl
 # After patching, re-zip the contents back into a .whl
@@ -70,6 +78,8 @@ echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-
 mkdir -p unpacked_pip-24.2-py3-none-any
 unzip src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl -d unpacked_pip-24.2-py3-none-any
 patch -p1 -d unpacked_pip-24.2-py3-none-any < %{PATCH1001}
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl/pip/_internal/utils/unpacking.py"
+patch -p1 -d unpacked_pip-24.2-py3-none-any < %{PATCH1005}
 # Remove the original file
 rm -f src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl
 # After patching, re-zip the contents back into a .whl
@@ -102,6 +112,8 @@ echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pi
 mkdir -p unpacked_pip-19.3.1-py2.py3-none-any
 unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl -d unpacked_pip-19.3.1-py2.py3-none-any
 patch -p1 -d unpacked_pip-19.3.1-py2.py3-none-any < %{PATCH1003}
+echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl/pip/_internal/utils/unpacking.py"
+patch -p1 -d unpacked_pip-19.3.1-py2.py3-none-any < %{PATCH1006}
 # Repack the inner wheel
 rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
 pushd unpacked_pip-19.3.1-py2.py3-none-any
@@ -115,6 +127,36 @@ pushd unpacked_virtualenv-16.7.9-py2.py3-none-any
 zip -r ../tests/unit/create/unpacked_virtualenv-16.7.9-py2.py3-none-any *
 popd
 
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/setuptools-75.1.0-py3-none-any.whl/setuptools/_vendor/wheel/cli/unpack.py"
+mkdir -p unpacked_setuptools-75.1.0-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/setuptools-75.1.0-py3-none-any.whl -d unpacked_setuptools-75.1.0-py3-none-any
+patch -p1 -d unpacked_setuptools-75.1.0-py3-none-any < %{PATCH1007}
+rm -f src/virtualenv/seed/wheels/embed/setuptools-75.1.0-py3-none-any.whl
+pushd unpacked_setuptools-75.1.0-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/setuptools-75.1.0-py3-none-any.whl *
+popd
+rm -rf unpacked_setuptools-75.1.0-py3-none-any
+
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/wheel-0.42.0-py3-none-any.whl/wheel/cli/unpack.py"
+mkdir -p unpacked_wheel-0.42.0-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/wheel-0.42.0-py3-none-any.whl -d unpacked_wheel-0.42.0-py3-none-any
+patch -p1 -d unpacked_wheel-0.42.0-py3-none-any < %{PATCH1008}
+rm -f src/virtualenv/seed/wheels/embed/wheel-0.42.0-py3-none-any.whl
+pushd unpacked_wheel-0.42.0-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/wheel-0.42.0-py3-none-any.whl *
+popd
+rm -rf unpacked_wheel-0.42.0-py3-none-any
+
+echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/wheel-0.44.0-py3-none-any.whl/wheel/cli/unpack.py"
+mkdir -p unpacked_wheel-0.44.0-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/wheel-0.44.0-py3-none-any.whl -d unpacked_wheel-0.44.0-py3-none-any
+patch -p1 -d unpacked_wheel-0.44.0-py3-none-any < %{PATCH1009}
+rm -f src/virtualenv/seed/wheels/embed/wheel-0.44.0-py3-none-any.whl
+pushd unpacked_wheel-0.44.0-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/wheel-0.44.0-py3-none-any.whl *
+popd
+rm -rf unpacked_wheel-0.44.0-py3-none-any
+
 %generate_buildrequires
 
 %build
@@ -136,6 +178,9 @@ tox -e py
 %{_bindir}/virtualenv
 
 %changelog
+* Tue Feb 24 2026 BinduSri Adabala <v-badabala@microsoft.com> - 20.26.6-3
+- Patch for CVE-2026-1703 & CVE-2026-24049
+
 * Wed Jul 09 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 20.26.6-2
 - Add patch to fix CVE-2025-50181 in urllib3 poolmanager.py
 
