[MEDIUM] Upgrade python-wheel to 0.46.3 for CVE-2026-24049 (#15898)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: archana25-ms

SPECS/python-wheel/Use-vendored-packaging-to-canonicalize-requirements.patch

@@ -0,0 +1,38 @@
+From c35c77748f7ed54c0deee7dcf874a7acb4856008 Mon Sep 17 00:00:00 2001
+From: Archana Shettigar <v-shettigara@microsoft.com>
+Date: Tue, 3 Feb 2026 12:59:16 +0530
+Subject: [PATCH] Use vendored packaging to canonicalize requirements
+Upstream Reference Patch: https://github.com/pypa/wheel/commit/4ec2ae368bb30b0a92617824f833ae615aca18cf
+
+---
+ tests/test_metadata.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/test_metadata.py b/tests/test_metadata.py
+index db0ab0c..3719c6f 100644
+--- a/tests/test_metadata.py
++++ b/tests/test_metadata.py
+@@ -12,9 +12,9 @@ def test_pkginfo_to_metadata(tmp_path: Path) -> None:
+         ("Metadata-Version", "2.1"),
+         ("Name", "spam"),
+         ("Version", "0.1"),
+-        ("Requires-Dist", "pip @ https://github.com/pypa/pip/archive/1.3.1.zip"),
++        ("Requires-Dist", "pip@ https://github.com/pypa/pip/archive/1.3.1.zip"),
+         ("Requires-Dist", 'pywin32; sys_platform == "win32"'),
+-        ("Requires-Dist", 'foo @ http://host/foo.zip ; sys_platform == "win32"'),
++        ("Requires-Dist", 'foo@ http://host/foo.zip ; sys_platform == "win32"'),
+         ("Provides-Extra", "signatures"),
+         (
+             "Requires-Dist",
+@@ -22,7 +22,7 @@ def test_pkginfo_to_metadata(tmp_path: Path) -> None:
+         ),
+         ("Provides-Extra", "empty_extra"),
+         ("Provides-Extra", "extra"),
+-        ("Requires-Dist", 'bar @ http://host/bar.zip ; extra == "extra"'),
++        ("Requires-Dist", 'bar@ http://host/bar.zip ; extra == "extra"'),
+         ("Provides-Extra", "faster-signatures"),
+         ("Requires-Dist", 'ed25519ll; extra == "faster-signatures"'),
+         ("Provides-Extra", "rest"),
+-- 
+2.45.4
+

SPECS/python-wheel/python-wheel.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "wheel-0.43.0.tar.gz": "23060d7cc8afafc2930554624b4bae7d58031830672048622c926675ab91e3b0"
+  "wheel-0.46.3.tar.gz": "36327d3bba035d9c3509421a42b59914fe9aab79d894b21cb9be17353abf6d2c"
  }
-}
+}

SPECS/python-wheel/python-wheel.spec

@@ -1,15 +1,17 @@
 # The function of bootstrap is that it disables the wheel subpackage
 %bcond_with bootstrap
+%global pypi_name wheel
 %bcond main_python 1
 Summary:        Built-package format for Python
 Name:           python-%{pypi_name}
-Version:        0.43.0
+Version:        0.46.3
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/pypa/wheel
 Source0:        %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz
+Patch0:         Use-vendored-packaging-to-canonicalize-requirements.patch
 %global pypi_name wheel
 %global python_wheel_name %{pypi_name}-%{version}-py3-none-any.whl
 %global python_wheeldir %{_datadir}/python-wheels
@@ -58,6 +60,9 @@ A Python wheel of wheel to use with virtualenv.
 %prep
 %autosetup -n %{pypi_name}-%{version} -p1
 
+# flit_core expects [project].license to be a table/dict, not a string
+sed -i 's/^license = "MIT"$/license = { text = "MIT" }/' pyproject.toml
+
 %generate_buildrequires
 %pyproject_buildrequires
 
@@ -115,6 +120,9 @@ pip3 install iniconfig
 %endif
 
 %changelog
+* Wed Jan 28 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.46.3-1
+- Updated to 0.46.3 to fix CVE-2026-24049
+
 * Fri May 10 2024 Betty Lakes <bettylakes@microsoft.com> - 0.43.0-1
 - Updated to 0.43.0
 

cgmanifest.json

@@ -25573,8 +25573,8 @@
         "type": "other",
         "other": {
           "name": "python-wheel",
-          "version": "0.43.0",
-          "downloadUrl": "https://github.com/pypa/wheel/archive/0.43.0/wheel-0.43.0.tar.gz"
+          "version": "0.46.3",
+          "downloadUrl": "https://github.com/pypa/wheel/archive/0.46.3/wheel-0.46.3.tar.gz"
         }
       }
     },

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -530,7 +530,7 @@ procps-ng-lang-4.0.4-1.azl3.aarch64.rpm
 pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm
-python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
+python-wheel-wheel-0.46.3-1.azl3.noarch.rpm
 python3-3.12.9-9.azl3.aarch64.rpm
 python3-audit-3.1.2-1.azl3.aarch64.rpm
 python3-cracklib-2.9.11-1.azl3.aarch64.rpm
@@ -557,7 +557,7 @@ python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-9.azl3.aarch64.rpm
 python3-tools-3.12.9-9.azl3.aarch64.rpm
-python3-wheel-0.43.0-1.azl3.noarch.rpm
+python3-wheel-0.46.3-1.azl3.noarch.rpm
 readline-8.2-2.azl3.aarch64.rpm
 readline-debuginfo-8.2-2.azl3.aarch64.rpm
 readline-devel-8.2-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -538,7 +538,7 @@ procps-ng-lang-4.0.4-1.azl3.x86_64.rpm
 pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm
-python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
+python-wheel-wheel-0.46.3-1.azl3.noarch.rpm
 python3-3.12.9-9.azl3.x86_64.rpm
 python3-audit-3.1.2-1.azl3.x86_64.rpm
 python3-cracklib-2.9.11-1.azl3.x86_64.rpm
@@ -565,7 +565,7 @@ python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-test-3.12.9-9.azl3.x86_64.rpm
 python3-tools-3.12.9-9.azl3.x86_64.rpm
-python3-wheel-0.43.0-1.azl3.noarch.rpm
+python3-wheel-0.46.3-1.azl3.noarch.rpm
 readline-8.2-2.azl3.x86_64.rpm
 readline-debuginfo-8.2-2.azl3.x86_64.rpm
 readline-devel-8.2-2.azl3.x86_64.rpm