Skip to content

Fixed security issue around wheel unpack #675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
agronholm merged 4 commits into from
Jan 21, 2026
Merged

Fixed security issue around wheel unpack #675

agronholm merged 4 commits into from
Jan 21, 2026
+27 −2

Conversation

@agronholm
Copy link
Contributor

@agronholm agronholm commented Jan 21, 2026

A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.

@agronholm
Fixed security issue around wheel unpack
eecc825 
A maliciously crafted wheel could cause the permissions of a file outside the unpack tree to be altered.
@agronholm
Added the CVE to the changelog history entry
2c318c1
@agronholm
Merge branch 'main' into fix-unpack-chmod
08d383d
@henryiii
Copy link
Contributor

henryiii commented Jan 21, 2026

Spacing change in packaging 26.0, name @ <url>, is what's breaking the tests.

@codecov
Copy link

codecov bot commented Jan 21, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.20%. Comparing base (41418fa) to head (c967b66).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #675   +/-   ##
=======================================
  Coverage   53.20%   53.20%           
=======================================
  Files          13       13           
  Lines        1109     1109           
=======================================
  Hits          590      590           
  Misses        519      519

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@agronholm agronholm requested a review from henryiii January 21, 2026 23:33
henryiii
henryiii approved these changes Jan 21, 2026
View reviewed changes
Copy link
Contributor

@henryiii henryiii left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice test.

@agronholm
Copy link
Contributor Author

agronholm commented Jan 21, 2026

Nice test.

Thanks. I wasn't initially sure if it'd get tripped by the security issue but it did in my local testing.

@agronholm agronholm merged commit 7a7d2de into main Jan 21, 2026
19 checks passed
@agronholm agronholm deleted the fix-unpack-chmod branch January 21, 2026 23:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@henryiii henryiii henryiii approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@agronholm @henryiii