[Buildroot] [PATCH v2] package/python-pip: security bump to v25.2

Titouan Christophe titouan.christophe at mind.be
Thu Oct 2 15:06:28 UTC 2025 

This fixes the following vulnerability:
- CVE-2025-8869:
    When extracting a tar archive pip may not check symbolic links point
    into the extraction directory if the tarfile module doesn't implement
    PEP 706. Note that upgrading pip to a "fixed" version for this
    vulnerability doesn't fix all known vulnerabilities that are
    remediated by using a Python version that implements PEP 706.  Note
    that this is a vulnerability in pip's fallback implementation of tar
    extraction for Python versions that don't implement PEP 706 and
    therefore are not secure to all vulnerabilities in the Python
    'tarfile' module. If you're using a Python version that implements PEP
    706 then pip doesn't use the "vulnerable" fallback code.  Mitigations
    include upgrading to a version of pip that includes the fix, upgrading
    to a Python version that implements PEP 706 (Python >=3.9.17,
    >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
    inspecting source distributions (sdists) before installation as is
    already a best-practice.
    https://www.cve.org/CVERecord?id=CVE-2025-8869

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
Changes v1->v2:
- Fix PYTHON_PIP_SITE that must be updated along the version bump
---
 package/python-pip/python-pip.hash | 4 ++--
 package/python-pip/python-pip.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-pip/python-pip.hash b/package/python-pip/python-pip.hash
index f6b11ee26a..ad70f0da7b 100644
--- a/package/python-pip/python-pip.hash
+++ b/package/python-pip/python-pip.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/pip/json
-md5  c698f55e2015dc7dbb5b77c6df1cc88a  pip-25.0.tar.gz
-sha256  8e0a97f7b4c47ae4a494560da84775e9e2f671d415d8d828e052efefb206b30b  pip-25.0.tar.gz
+md5  6d109857fa69274dacfc1d6528471eb5  pip-25.2.tar.gz
+sha256  578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2  pip-25.2.tar.gz
 # Locally computed sha256 checksums
 sha256  634300a669d49aeae65b12c6c48c924c51a4cdf3d1ff086dc3456dc8bcaa2104  LICENSE.txt
diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
index 9ffc0b66ea..02d7da6fe9 100644
--- a/package/python-pip/python-pip.mk
+++ b/package/python-pip/python-pip.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_PIP_VERSION = 25.0
+PYTHON_PIP_VERSION = 25.2
 PYTHON_PIP_SOURCE = pip-$(PYTHON_PIP_VERSION).tar.gz
-PYTHON_PIP_SITE = https://files.pythonhosted.org/packages/47/3e/68beeeeb306ea20ffd30b3ed993f531d16cd884ec4f60c9b1e238f69f2af
+PYTHON_PIP_SITE = https://files.pythonhosted.org/packages/20/16/650289cd3f43d5a2fadfd98c68bd1e1e7f2550a1a5326768cddfbcedb2c5
 PYTHON_PIP_SETUP_TYPE = setuptools
 PYTHON_PIP_LICENSE = MIT
 PYTHON_PIP_LICENSE_FILES = LICENSE.txt
-- 
2.51.0

More information about the buildroot mailing list