[Buildroot] [PATCH v2] package/python-pip: security bump to v25.2
Thomas Perale
thomas.perale at mind.be
Thu Oct 9 14:54:43 UTC 2025
In reply to:
> This fixes the following vulnerability:
> - CVE-2025-8869:
> When extracting a tar archive pip may not check symbolic links point
> into the extraction directory if the tarfile module doesn't implement
> PEP 706. Note that upgrading pip to a "fixed" version for this
> vulnerability doesn't fix all known vulnerabilities that are
> remediated by using a Python version that implements PEP 706. Note
> that this is a vulnerability in pip's fallback implementation of tar
> extraction for Python versions that don't implement PEP 706 and
> therefore are not secure to all vulnerabilities in the Python
> 'tarfile' module. If you're using a Python version that implements PEP
> 706 then pip doesn't use the "vulnerable" fallback code. Mitigations
> include upgrading to a version of pip that includes the fix, upgrading
> to a Python version that implements PEP 706 (Python >=3.9.17,
> >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
> inspecting source distributions (sdists) before installation as is
> already a best-practice.
> https://www.cve.org/CVERecord?id=CVE-2025-8869
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks
> ---
> Changes v1->v2:
> - Fix PYTHON_PIP_SITE that must be updated along the version bump
> ---
> package/python-pip/python-pip.hash | 4 ++--
> package/python-pip/python-pip.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/package/python-pip/python-pip.hash b/package/python-pip/python-pip.hash
> index f6b11ee26a..ad70f0da7b 100644
> --- a/package/python-pip/python-pip.hash
> +++ b/package/python-pip/python-pip.hash
> @@ -1,5 +1,5 @@
> # md5, sha256 from https://pypi.org/pypi/pip/json
> -md5 c698f55e2015dc7dbb5b77c6df1cc88a pip-25.0.tar.gz
> -sha256 8e0a97f7b4c47ae4a494560da84775e9e2f671d415d8d828e052efefb206b30b pip-25.0.tar.gz
> +md5 6d109857fa69274dacfc1d6528471eb5 pip-25.2.tar.gz
> +sha256 578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 pip-25.2.tar.gz
> # Locally computed sha256 checksums
> sha256 634300a669d49aeae65b12c6c48c924c51a4cdf3d1ff086dc3456dc8bcaa2104 LICENSE.txt
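Review bot: the LICENSE.txt checksum in this hunk is carried over unchanged from the 25.0 entry; please confirm the license file is byte-identical in pip-25.2, since a changed file would only surface as a hash failure at build time. The md5 and sha256 lines are both taken from the pypi JSON as the header comment says, but the sha256 is the value that actually provides integrity, so it is the one worth cross-checking against the upstream release before merging.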
> diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
> index 9ffc0b66ea..02d7da6fe9 100644
> --- a/package/python-pip/python-pip.mk
> +++ b/package/python-pip/python-pip.mk
> @@ -4,9 +4,9 @@
> #
> ################################################################################
>
> -PYTHON_PIP_VERSION = 25.0
> +PYTHON_PIP_VERSION = 25.2
> PYTHON_PIP_SOURCE = pip-$(PYTHON_PIP_VERSION).tar.gz
> -PYTHON_PIP_SITE = https://files.pythonhosted.org/packages/47/3e/68beeeeb306ea20ffd30b3ed993f531d16cd884ec4f60c9b1e238f69f2af
> +PYTHON_PIP_SITE = https://files.pythonhosted.org/packages/20/16/650289cd3f43d5a2fadfd98c68bd1e1e7f2550a1a5326768cddfbcedb2c5
> PYTHON_PIP_SETUP_TYPE = setuptools
> PYTHON_PIP_LICENSE = MIT
> PYTHON_PIP_LICENSE_FILES = LICENSE.txt
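Review bot: PYTHON_PIP_SITE is now the per-release pythonhosted directory for 25.2, which the v1->v2 changelog says was missed in v1; because that path is release-specific, a stale value fails as a download error rather than a hash mismatch, so a test fetch of pip-25.2.tar.gz from the new URL is worth doing before applying. The commit message also notes the fixed code is only reached when the target Python lacks PEP 706 (below 3.9.17 / 3.10.12 / 3.11.4 / 3.12), so for the stable branches this is backported to it would help to state which python3 version they ship, as that decides whether the fallback extractor is in play.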
> --
> 2.51.0
>
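The commit message above describes symlinks in a tar archive that point outside the extraction directory, which pip's fallback extractor did not check on interpreters without PEP 706. The following is an added example, not code from the Buildroot patch or from pip: it builds a constructed in-memory archive with one benign and two escaping symlinks, flags the escaping ones by path arithmetic alone, and, where the running Python provides the PEP 706 `data` filter, shows that `tarfile.data_filter` rejects the same members. The destination path is constructed and nothing is written to disk; a POSIX interpreter is assumed.

```python
# Added example, not from the Buildroot patch or pip: pre-flight check for the
# symlink issue in the commit message. Archive and paths are constructed; POSIX assumed.
import io
import os
import tarfile


def build_sample_tar() -> bytes:
    """In-memory sdist-like archive: one file, one benign and two escaping symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("pkg/README")
        info.size = 6
        tar.addfile(info, io.BytesIO(b"hello\n"))
        for name, linkname in (
            ("pkg/readme_link", "README"),              # resolves inside dest
            ("pkg/escape", "../../../../outside.txt"),  # relative traversal
            ("pkg/abs_escape", "/outside/abs.txt"),     # absolute target
        ):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = linkname
            tar.addfile(link)
    return buf.getvalue()


def symlink_escapes(member: tarfile.TarInfo, dest: str) -> bool:
    """True if a symlink member would resolve to a path outside dest (pure path math)."""
    if not member.issym():
        return False
    dest_abs = os.path.abspath(dest)
    link_dir = os.path.dirname(os.path.join(dest_abs, member.name))
    target = os.path.normpath(os.path.join(link_dir, member.linkname))
    return os.path.commonpath([dest_abs, target]) != dest_abs


def escaping_symlinks(tar_bytes: bytes, dest: str) -> list:
    """Names of symlink members that would point outside dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [m.name for m in tar.getmembers() if symlink_escapes(m, dest)]


def pep706_rejects(tar_bytes: bytes, dest: str):
    """Names the PEP 706 'data' filter rejects, or None if this Python lacks it."""
    if not hasattr(tarfile, "data_filter"):
        return None
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            try:
                tarfile.data_filter(m, dest)
            except tarfile.FilterError:
                rejected.append(m.name)
    return rejected
```

On a Python with PEP 706 both functions flag the same two members; on older interpreters `pep706_rejects` returns None, which is exactly the case where pip's own fallback check matters.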