[Medium] Patch python-virtualenv for CVE-2025-50181, CVE-2026-24049, CVE-2026-1703 #15951
Conversation
| abs_directory = os.path.abspath(directory) | ||
| abs_target = os.path.abspath(target) | ||
| - prefix = os.path.commonprefix([abs_directory, abs_target]) |
| abs_target = os.path.abspath(target) | ||
| - prefix = os.path.commonprefix([abs_directory, abs_target]) | ||
| + prefix = os.path.commonpath([abs_directory, abs_target]) |
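Review bot: the commonprefix to commonpath change in this hunk is the right fix for the sibling-directory case (a target such as `<dir>-evil/x` shares the string prefix `<dir>` with the destination but not the path component), but `os.path.commonpath` raises ValueError when the two paths are on different drives (Windows) or mix absolute and relative forms; both inputs go through `os.path.abspath`, so only the different-drive case remains, and it should be caught and treated as "not within" rather than propagate as an unexpected exception during extraction. The comparison that consumes `prefix` is outside the shown lines; confirm it tests `prefix == abs_directory` for equality, not a startswith-style check, or the fix is incomplete.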
| # https://github.com/python/cpython/issues/59999 | ||
| permissions = zinfo.external_attr >> 16 & 0o777 | ||
| - destination.joinpath(zinfo.filename).chmod(permissions) | ||
| + target_path.chmod(permissions) |
| # We have to do this manually due to | ||
| # https://github.com/python/cpython/issues/59999 | ||
| permissions = zinfo.external_attr >> 16 & 0o777 | ||
| - destination.joinpath(zinfo.filename).chmod(permissions) |
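Review bot: `target_path.chmod(permissions)` is only safe if `target_path` is the same value that already passed the within-directory check and is the path that was actually written, so a comment at this line tying it to that validation would help future readers. Also worth noting in a comment: `Path.chmod` follows symlinks, so if the archive may contain symlink entries the mode change lands on the link target; either skip symlink entries before this line or use `os.chmod(..., follow_symlinks=False)` where the platform supports it. The `& 0o777` mask already drops setuid, setgid and sticky bits, which is the right choice.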
| def __init__(self, num_pools=10, headers=None, **connection_pool_kw): | ||
| RequestMethods.__init__(self, headers) | ||
| + if "retries" in connection_pool_kw: |
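Review bot: the hunk stops at the new `if "retries" in connection_pool_kw:` line, so the body is not reviewable from what is shown; please include the full block. Two things to confirm in that body: `connection_pool_kw` is the caller's own kwargs, so if the branch rewrites the `retries` entry it should work on a copy rather than mutate the dict it was handed, and `retries` may be passed as an int or bool as well as a Retry object, so the branch must accept both forms. A comment above the `if` naming the CVE it addresses would also help.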
| # For the poolmanager.py under tests, it is archived inside a .whl file, which in turn is archived inside another .whl file, | ||
| # so, we need to unpack the outer .whl, then unpack the inner .whl, apply the patch, and then re-zip both levels. | ||
| echo "Manually Patching virtualenv-20.36.1/src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py" |
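Review bot: the echo hard-codes `virtualenv-20.36.1/.../pip-25.0.1-py3-none-any.whl`; if either wheel version changes on a future rebase, the unpack/patch/re-zip sequence will point at a path that no longer exists and, unless the script runs under `set -e` and each step checks its exit status, the build can finish with an unpatched wheel still embedded. Suggest resolving the wheel with a glob plus an existence check that fails the build, and a one-line comment naming the CVE and patch file so the two near-identical blocks are distinguishable.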
Can we please add a note above each of these to clarify which patch. Also a comment so that we can justify why we are duplicating code, as the two parts are almost similar.
Affected code is present in archive (.whl) files in the source tarball, and even though the patch is the same for different archives, the same patch is not applicable to the affected archives due to different versions. So the same procedure is repeated for different archives.
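The unpack-outer, unpack-inner, patch, re-zip sequence described in the comment above, as an added example that is not the PR's spec-file code: it does the same thing in memory with Python's zipfile so every non-patched member is copied through unchanged, and it fails loudly when the patch context is missing, which is the version-mismatch case the comment mentions. The wheel names, member path and inserted line are constructed stand-ins, not the real archives from the source tarball; only the `if "retries" in connection_pool_kw:` line mirrors the hunk shown earlier, and the body under it is a placeholder.

```python
import io
import zipfile
from typing import Callable

# Constructed layout mirroring the spec's %prep step: an outer wheel that
# contains an inner wheel that contains the module to patch. These names are
# placeholders, not the real paths from the python-virtualenv source tarball.
OUTER_WHEEL = "outer-placeholder.whl"
INNER_WHEEL = "pkg/inner-placeholder.whl"
TARGET_MEMBER = "pip/_vendor/urllib3/poolmanager.py"


def rewrite_zip_member(zip_bytes: bytes, member: str,
                       transform: Callable[[bytes], bytes]) -> bytes:
    """Return a new archive with `member` replaced by transform(old_bytes).

    Every other entry is copied through with its original ZipInfo so the
    permissions and timestamps stored in the wheel survive the round trip.
    """
    src = zipfile.ZipFile(io.BytesIO(zip_bytes))
    if member not in src.namelist():
        raise KeyError(f"{member} not found in archive")
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == member:
                data = transform(data)
            dst.writestr(info, data, compress_type=info.compress_type)
    return out_buf.getvalue()


def patch_nested_wheel(outer_bytes: bytes, inner_name: str, member: str,
                       transform: Callable[[bytes], bytes]) -> bytes:
    """Apply `transform` to `member` inside the inner wheel, which itself sits
    inside the outer wheel: unpack outer, unpack inner, patch, re-zip both."""
    def patch_inner(inner_bytes: bytes) -> bytes:
        return rewrite_zip_member(inner_bytes, member, transform)
    return rewrite_zip_member(outer_bytes, inner_name, patch_inner)


def read_nested_member(outer_bytes: bytes, inner_name: str, member: str) -> bytes:
    """Read one member of the inner wheel (used to verify the result)."""
    outer = zipfile.ZipFile(io.BytesIO(outer_bytes))
    inner = zipfile.ZipFile(io.BytesIO(outer.read(inner_name)))
    return inner.read(member)


def outer_names(outer_bytes: bytes) -> list:
    """Member names of the outer wheel."""
    return zipfile.ZipFile(io.BytesIO(outer_bytes)).namelist()


def apply_retries_guard(src: bytes) -> bytes:
    """Constructed stand-in for the patch: insert the hunk's added line after
    the RequestMethods.__init__ call. The branch body is a placeholder only.
    Raises ValueError when the context line is absent, i.e. the archive holds
    a different version of the file than the patch was written for."""
    marker = b"    RequestMethods.__init__(self, headers)\n"
    if marker not in src:
        raise ValueError("patch context not found; wrong archive version?")
    addition = (b'    if "retries" in connection_pool_kw:\n'
                b'        pass  # placeholder body, not the upstream fix\n')
    return src.replace(marker, marker + addition, 1)


def build_sample_wheels() -> bytes:
    """Constructed two-level archive with an unpatched poolmanager.py stand-in."""
    original = (b"def __init__(self, num_pools=10, headers=None, **connection_pool_kw):\n"
                b"    RequestMethods.__init__(self, headers)\n")
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as z:
        z.writestr(TARGET_MEMBER, original)
        z.writestr("pip/__init__.py", b"")
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as z:
        z.writestr(INNER_WHEEL, inner_buf.getvalue())
        z.writestr("README", b"constructed sample")
    return outer_buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_wheels()
    patched = patch_nested_wheel(sample, INNER_WHEEL, TARGET_MEMBER, apply_retries_guard)
    print(read_nested_member(patched, INNER_WHEEL, TARGET_MEMBER).decode())
```

One caveat the spec-file version shares: the inner wheel's RECORD file still lists the pre-patch hash of the modified member, so if the consuming tool validates RECORD, the entry for that file has to be regenerated as part of the same step.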
kgodara912 left a comment
The patches almost match the upstream references, except for unimportant files. The changes are included in the final rpm whl files. Buddy build is successful. Though there are other possible ways to fix this, like keeping only one version of setuptools and pip in virtualenv, as such it should work.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- *-static subpackages, etc.) have had their Release tag incremented.
- ./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- ./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
Patch python-virtualenv for CVE-2025-50181 [Medium]
Patch python-virtualenv for CVE-2026-24049 [Medium]
- The docs/news.rst and tests/commands/test_unpack.py files are not present in the python-virtualenv source tarball, so the patch didn't apply for these two files.
Patch python-virtualenv for CVE-2026-1703 [Low]
- The tests/unit/test_utils_unpacking.py file is not present in the python-virtualenv source tarball, so the patch didn't apply.
- pip-25.3-py3-none-any.whl: the news/+1ee322a1.bugfix.rst new path is not added from the upstream patch, to maintain compatibility with existing virtualenv cleanup behavior after tightening the path validation logic (commonpath). This avoids leaving non-runtime artifacts in site-packages during pip uninstall and allows existing tests to pass without modifying test code.
Change Log
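Why the commonprefix to commonpath change is the security-relevant part of the tightened path validation mentioned above, as an added example that is not pip's or virtualenv's own code: the pre-patch and post-patch checks side by side on constructed paths, plus a helper that lists which archive member names a safe extractor would refuse. The function names, sample paths and member names are assumptions made for the example.

```python
import os
from typing import Iterable, List


def is_within_directory_prefix(directory: str, target: str) -> bool:
    """Pre-patch style check (the '-' line of the hunk): compares the two
    absolute paths as strings. Kept only to show why it is insufficient:
    '/tmp/dest-evil/x' starts with '/tmp/dest' but is not inside it."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonprefix([abs_directory, abs_target])
    return prefix == abs_directory


def is_within_directory(directory: str, target: str) -> bool:
    """Post-patch style check (the '+' line of the hunk): compares whole path
    components, so a sibling directory with a longer name no longer matches."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        prefix = os.path.commonpath([abs_directory, abs_target])
    except ValueError:
        # Different drives on Windows, or mixed absolute/relative inputs:
        # there is no common path, so the target is not within the directory.
        return False
    return prefix == abs_directory


def safe_member_path(destination: str, member_name: str) -> str:
    """Resolve an archive member name under destination, refusing escapes via
    '..', absolute names or sibling-directory prefixes. Returns the path the
    extractor may write to; this is the path a later chmod should be applied to."""
    target = os.path.join(destination, member_name)
    if not is_within_directory(destination, target):
        raise ValueError(f"archive member escapes destination: {member_name!r}")
    return target


def rejected_members(member_names: Iterable[str], destination: str) -> List[str]:
    """Return the member names that would be refused for this destination."""
    rejected = []
    for name in member_names:
        try:
            safe_member_path(destination, name)
        except ValueError:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    # Constructed member names, including the sibling-prefix case the old
    # check let through.
    names = ["pip/__init__.py", "../escape.py", "/etc/passwd", "ok/../../evil"]
    print("old check accepts sibling dir:",
          is_within_directory_prefix("/tmp/dest", "/tmp/dest-evil/x"))
    print("new check accepts sibling dir:",
          is_within_directory("/tmp/dest", "/tmp/dest-evil/x"))
    print("rejected:", rejected_members(names, "/tmp/dest"))
```

The design point is that `safe_member_path` returns the one value that both the write and the later mode change should use, which is what the second hunk's `target_path.chmod(permissions)` relies on.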
Does this affect the toolchain?
NO
Links to CVEs
Test Methodology
Local Build:
python-virtualenv-20.36.1-2.azl3.src.rpm.log
python-virtualenv-20.36.1-2.azl3.src.rpm.test.log
Patch applies cleanly: