[Buildroot] [2025.02.x, PATCH 2/2] package/python-wheel: patch CVE-2026-24049

Thomas Perale thomas.perale at mind.be
Fri Mar 27 10:02:20 UTC 2026


In reply to:
> Fixes the following vulnerability:
> 
> - CVE-2026-24049:
>     wheel is a command line tool for manipulating Python wheel files, as
>     defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack
>     function is vulnerable to file permission modification through
>     mishandling of file permissions after extraction. The logic blindly
>     trusts the filename from the archive header for the chmod operation,
>     even though the extraction process itself might have sanitized the
>     path. Attackers can craft a malicious wheel file that, when unpacked,
>     changes the permissions of critical system files (e.g., /etc/passwd,
>     SSH keys, config files), allowing for Privilege Escalation or
>     arbitrary code execution by modifying now-writable scripts. This issue
>     has been fixed in version 0.46.2.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2026-24049
>   - https://github.com/advisories/GHSA-8rrh-rw8j-w5fx
> 
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>

Applied to 2025.02.x. Thanks

> ---
>  ...d-security-issue-around-wheel-unpack.patch | 35 +++++++++++++++++++
>  package/python-wheel/python-wheel.mk          |  3 ++
>  2 files changed, 38 insertions(+)
>  create mode 100644 package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
> 
> diff --git a/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch b/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
> new file mode 100644
> index 0000000000..8640dfa291
> --- /dev/null
> +++ b/package/python-wheel/0001-fixed-security-issue-around-wheel-unpack.patch
> @@ -0,0 +1,35 @@
> +From 7a7d2de96b22a9adf9208afcc9547e1001569fef Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm at nextday.fi>
> +Date: Thu, 22 Jan 2026 01:41:14 +0200
> +Subject: [PATCH] Fixed security issue around wheel unpack (#675)
> +
> +A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
> +
> +CVE: CVE-2026-24049
> +Upstream: https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef.patch
> +[thomas: change filename, remove tests]
> +Signed-off-by: Thomas Perale <thomas.perale at mind.be>
> +---
> + src/wheel/cli/unpack.py |  4 ++--
> + 3 files changed, 27 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/wheel/cli/unpack.py b/src/wheel/cli/unpack.py
> +index d48840e6e..83dc7423f 100644
> +--- a/src/wheel/cli/unpack.py
> ++++ b/src/wheel/cli/unpack.py
> +@@ -19,12 +19,12 @@ def unpack(path: str, dest: str = ".") -> None:
> +         destination = Path(dest) / namever
> +         print(f"Unpacking to: {destination}...", end="", flush=True)
> +         for zinfo in wf.filelist:
> +-            wf.extract(zinfo, destination)
> ++            target_path = Path(wf.extract(zinfo, destination))
> + 
> +             # Set permissions to the same values as they were set in the archive
> +             # We have to do this manually due to
> +             # https://github.com/python/cpython/issues/59999
> +             permissions = zinfo.external_attr >> 16 & 0o777
> +-            destination.joinpath(zinfo.filename).chmod(permissions)
> ++            target_path.chmod(permissions)
> + 
> +     print("OK")
> +
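Review bot: the diffstat inside the embedded upstream patch no longer matches its content: the summary line reads `3 files changed, 27 insertions(+), 2 deletions(-)`, but after the `[thomas: change filename, remove tests]` trimming only `src/wheel/cli/unpack.py |  4 ++--` is listed, so the summary should be regenerated (1 file changed, 2 insertions(+), 2 deletions(-)) so the backport is self-consistent. The code change itself is the right shape: `target_path.chmod(permissions)` now operates on the path that `wf.extract()` returned, which is what zipfile actually wrote after stripping traversal components, instead of re-joining `destination` with the untrusted `zinfo.filename`.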
> diff --git a/package/python-wheel/python-wheel.mk b/package/python-wheel/python-wheel.mk
> index 417db7c167..ae02d21feb 100644
> --- a/package/python-wheel/python-wheel.mk
> +++ b/package/python-wheel/python-wheel.mk
> @@ -13,4 +13,7 @@ PYTHON_WHEEL_LICENSE_FILES = LICENSE.txt
>  PYTHON_WHEEL_CPE_ID_VENDOR = wheel_project
>  PYTHON_WHEEL_CPE_ID_PRODUCT = wheel
>  
> +# 0001-fixed-security-issue-around-wheel-unpack.patch
> +PYTHON_WHEEL_IGNORE_CVES += CVE-2026-24049
> +
>  $(eval $(host-python-package))
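Review bot: the `PYTHON_WHEEL_IGNORE_CVES += CVE-2026-24049` entry is only valid for the version currently packaged; since the quoted advisory states the issue is fixed in 0.46.2, this line, its comment and the patch file should all be dropped together in the same commit that bumps python-wheel to 0.46.2 or later, otherwise a stale ignore would silently mask a future CPE match for this package.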
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
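An added example, not Buildroot's or pypa/wheel's code, to make the quoted bug and fix concrete: `escaping_members` flags archive members whose `dest/<name>` would have pointed outside the unpack tree under the pre-0.46.2 chmod logic, and `unpack_with_permissions` applies the fixed approach of chmod-ing the path `ZipFile.extract()` returned. The sample wheel, its package name and member names are constructed fixtures.

```python
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def escaping_members(wheel_path, dest):
    """Members whose dest/<name> resolves outside dest (the old chmod target)."""
    dest = Path(dest).resolve()
    found = []
    with zipfile.ZipFile(wheel_path) as wf:
        for zinfo in wf.filelist:
            # zipfile's extract() drops '..' and absolute parts; the old chmod did not.
            naive = (dest / zinfo.filename).resolve()
            if naive != dest and dest not in naive.parents:
                found.append(zinfo.filename)
    return found


def unpack_with_permissions(wheel_path, dest):
    """Extract each member, then chmod the path extract() returned (the fix)."""
    extracted = []
    with zipfile.ZipFile(wheel_path) as wf:
        for zinfo in wf.filelist:
            target = Path(wf.extract(zinfo, dest))  # sanitized path from zipfile
            permissions = zinfo.external_attr >> 16 & 0o777
            if permissions:  # 0 means the member carries no unix mode bits
                target.chmod(permissions)
            extracted.append(target)
    return extracted


def build_sample_wheel(path):
    """Constructed fixture: a 0644 module plus a member named '../escape.txt'."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, mode, data in (("pkg/__init__.py", 0o644, "x = 1\n"),
                                 ("../escape.txt", 0o666, "oops\n")):
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, data)
    return path


def run_demo():
    """Scan and unpack the fixture; report flagged names, containment, and modes."""
    with tempfile.TemporaryDirectory() as tmp:
        whl = build_sample_wheel(os.path.join(tmp, "pkg-1.0-py3-none-any.whl"))
        dest = Path(tmp) / "out"
        flagged = escaping_members(whl, dest)
        paths = unpack_with_permissions(whl, dest)
        inside = all(dest.resolve() in p.resolve().parents for p in paths)
        return flagged, inside, [stat.S_IMODE(p.stat().st_mode) for p in paths]
```

With the fixture, the scanner reports `../escape.txt`, every extracted file lands under `out/`, and the archive modes are restored on those files only.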

