[AutoPR- Security] Patch python-pip for CVE-2026-1703 [LOW] (#15938)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Archana Shettigar <v-shettigara@microsoft.com>

Author: 3 people

SPECS/python-pip/CVE-2026-1703.patch

@@ -0,0 +1,41 @@
+From 351d71b3c284eef7e381cc42b1a9d545142ed095 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 30 Jan 2026 09:49:11 -0600
+Subject: [PATCH] Use os.path.commonpath() instead of commonprefix()
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735.patch
+---
+ src/pip/_internal/utils/unpacking.py | 2 +-
+ tests/unit/test_utils_unpacking.py   | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_internal/utils/unpacking.py b/src/pip/_internal/utils/unpacking.py
+index 03467e8..6bda973 100644
+--- a/src/pip/_internal/utils/unpacking.py
++++ b/src/pip/_internal/utils/unpacking.py
+@@ -82,7 +82,7 @@ def is_within_directory(directory: str, target: str) -> bool:
+     abs_directory = os.path.abspath(directory)
+     abs_target = os.path.abspath(target)
+ 
+-    prefix = os.path.commonprefix([abs_directory, abs_target])
++    prefix = os.path.commonpath([abs_directory, abs_target])
+     return prefix == abs_directory
+ 
+ 
+diff --git a/tests/unit/test_utils_unpacking.py b/tests/unit/test_utils_unpacking.py
+index d681fcb..313bd9e 100644
+--- a/tests/unit/test_utils_unpacking.py
++++ b/tests/unit/test_utils_unpacking.py
+@@ -412,6 +412,8 @@ def test_unpack_tar_unicode(tmpdir: Path) -> None:
+         (("parent/", "parent/sub"), True),
+         # Test target outside parent
+         (("parent/", "parent/../sub"), False),
++        # Test target sub-string of parent
++        (("parent/child", "parent/childfoo"), False),
+     ],
+ )
+ def test_is_within_directory(args: Tuple[str, str], expected: bool) -> None:
+-- 
+2.45.4
+

SPECS/python-pip/python-pip.spec

@@ -5,16 +5,17 @@ A tool for installing and managing Python packages}
 Summary:        A tool for installing and managing Python packages
 Name:           python-pip
 Version:        24.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
 URL:            https://pip.pypa.io/
 Source0:        https://github.com/pypa/pip/archive/%{version}/%{srcname}-%{version}.tar.gz
-Patch0:		CVE-2024-37891.patch
-Patch1:		CVE-2025-8869.patch
+Patch0:         CVE-2024-37891.patch
+Patch1:         CVE-2025-8869.patch
 Patch2:         CVE-2025-50181.patch
+Patch3:         CVE-2026-1703.patch
 
 BuildArch:      noarch
 
@@ -58,7 +59,10 @@ BuildRequires:  python3-wheel
 %{python3_sitelib}/pip*
 
 %changelog
-* Tue Sep 30 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 24.2-4
+* Fri Feb 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 24.2-6
+- Patch for CVE-2026-1703
+
+* Tue Sep 30 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 24.2-5
 - Patch for CVE-2025-50181
 - Added %check
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -550,7 +550,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm
 python3-newt-0.52.23-1.azl3.aarch64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-5.azl3.noarch.rpm
+python3-pip-24.2-6.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -558,7 +558,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm
 python3-newt-0.52.23-1.azl3.x86_64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-5.azl3.noarch.rpm
+python3-pip-24.2-6.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm